ipsp working group                                               Man Li
Internet Draft                                                    Nokia
Expires October 2004                                      David Arneson
                                                                    N/A
                                                             Avri Doria
                                                                   ETRI
                                                            Jamie Jason
                                                                  Intel
                                                             Cliff Wang
                                                              SmartPipe
                                                        Markus Stenberg
                                                                    SSH
                                                             April 2004


                      IPsec Policy Information Base
                      draft-ietf-ipsp-ipsecpib-10.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Copyright (C) The Internet Society (2004).  All Rights Reserved.
   Distribution of this memo is unlimited.

Abstract

   This document describes a portion of the Policy Information Base
   (PIB) for a device implementing the IP Security (IPsec)
   Architecture.  The provisioning classes defined here provide control
   of IPsec policy.  These provisioning classes can be used with other
   non-IPsec provisioning classes (defined in other PIB modules) to
   provide for a comprehensive policy controlled mapping of service
   requirement to device capability and usage.

Li, et al                 Expires October 2004                        1

Table of Contents

   1. Introduction.......................................................3
   2. Operation Overview.................................................3
   3. Structure of IPsec PIB.............................................4
   3.1 IPsec association group...........................................5
   3.1.1 IPsec rules.....................................................5
   3.1.2 IPsec actions...................................................6
   3.1.3 IPsec associations..............................................6
   3.1.4 IPsec proposals.................................................7
   3.2 AH transform group................................................7
   3.3 ESP transform group...............................................7
   3.4 COMP transform group..............................................7
   3.5 IKE association group.............................................7
   3.6 Credential group..................................................8
   3.7 Selector group....................................................8
   3.8 Policy time period group..........................................9
   3.9 Interface capability group.......................................10
   4. Summary of the IPsec PIB..........................................10
   4.1 ipSecAssociation group...........................................10
   4.1.1 ipSecRuleTable.................................................10
   4.1.2 ipSecActionSetTable............................................10
   4.1.3 ipSecStaticActionTable.........................................10
   4.1.4 ipSecNegotiationActionTable....................................10
   4.1.5 ipSecAssociationTable..........................................10
   4.1.6 ipSecProposalSetTable..........................................10
   4.1.7 ipSecProposalTable.............................................10
   4.2 ipSecAhTransform group...........................................10
   4.2.1 ipSecAhTransformSetTable.......................................10
   4.2.2 ipSecAhTransformTable..........................................10
   4.3 ipSecEspTransform group..........................................10
   4.3.1 ipSecEspTransformSetTable......................................11
   4.3.2 ipSecEspTransformTable.........................................11
   4.4 ipSecCompTransform group.........................................11
   4.4.1 ipSecCompTransformSetTable.....................................11
   4.4.2 ipSecCompTransformTable........................................11
   4.5 ipSecIkeAssociation group........................................11
   4.5.1 ipSecIkeRuleTable..............................................11
   4.5.2 ipSecIkeActionSetTable.........................................11
   4.5.3 ipSecIkeAssociationTable.......................................11
   4.5.4 ipSecIkeProposalSetTable.......................................11
   4.5.5 ipSecIkeProposalTable..........................................11
   4.5.6 ipSecIkePeerEndpointTable......................................11
   4.6 ipSecCredential group............................................11
   4.6.1 ipSecCredentialSetTable........................................11
   4.6.2 ipSecCredentialTable...........................................11
   4.6.3 ipSecCredentialFieldsTable.....................................11
   4.7 ipSecSelector group..............................................11
   4.7.1 ipSecSelectorSetTable..........................................12
   4.7.2 ipSecSelectorTable.............................................12
   4.7.3 ipSecAddressTable..............................................12
   4.7.4 ipSecL4PortTable...............................................12
   4.7.5 ipSecIpsoFilterSetTable........................................12
   4.7.6 ipSecIpsoFilterTable...........................................12
   4.8 ipSecPolicyTimePeriod group......................................12
   4.8.1 ipSecRuleTimePeriodTable.......................................12
   4.8.2 ipSecRuleTimePeriodSetTable....................................12
   4.9 ipSecIfCapability group..........................................12
   4.9.1 ipSecIfCapsTable...............................................12
   4.10 ipSecPolicyPibConformance group.................................12
   5. The IPsec PIB Module..............................................12
   6. Security Considerations...........................................89
   7. RFC Editor Considerations.........................................90
   8. IANA Considerations...............................................90
   9. Normative References..............................................90
   10. Informative References...........................................92
   11. Author's Addresses...............................................92
   12. IPR Disclosure Acknowledgement...................................93
   13. Full Copyright Statement.........................................93

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [2].

1. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for Internet Key Exchange (IKE) phase one and phase two
   negotiations.  Details of these parameters can be found in [3],
   [7], [8], [10], [11], [12] and [14].  The PIB defined in this
   document is based on the IPsec configuration policy model [12].
   The concept of "Roles" described in [9], which scales to large
   networks, is adopted for distributing IPsec policy over the COPS-PR
   protocol [6].

2. Operation Overview

   As defined in [13], the management entity that downloads policy to
   IPsec-enabled devices will be called a Policy Decision Point (PDP)
   and the target IPsec-enabled devices will be called Policy
   Enforcement Points (PEP).

   After connecting to a PDP using COPS-PR [6], which is an extension
   of COPS [5], a PEP reports to the PDP the PIB Provisioning Classes
   (PRCs) it supports as well as any limitations related to the
   implementations of these classes and parameters.  The PEP provides
   the above information using the frwkPrcSupportTable and the
   frwkCompLimitsTable defined in the framework PIB [9].  In addition,
   the PEP also reports the interface type capabilities and role
   combinations it supports using the frwkCapabilitySetTable and the
   frwkRoleComboTable.  Each row of the frwkCapabilitySetTable
   contains a capability set name and a reference to an instance of a
   PRC that describes the capabilities of the interface type.  The
   capability instances may reside in the ipSecIfCapsTable or in a
   class defined in another PIB.  Each row of the frwkRoleComboTable
   contains an interface capability set name and a role combination.

   Based on the interface capabilities and role combinations, the PDP
   provides the PEP with IPsec policy information.  Later on, if any
   of the interface capabilities or role combinations of the PEP
   change, the PEP notifies the PDP.  The PDP will then send a new set
   of IPsec policy information to the PEP.  In addition, if the policy
   associated with a given interface capability and role combination
   changes, the PDP will deliver the new IPsec policy to all the PEPs
   that have registered with that interface capability and role
   combination.

3. Structure of IPsec PIB

   An IPsec policy consists of an ordered list of IPsec rules.  Each
   rule is composed of a set of conditions and a set of actions.  If a
   packet matches any of the conditions, the actions will be applied
   accordingly.

   The IPsec PIB module consists of nine groups.  The selector group
   describes conditions to be associated with IPsec rules.  The IPsec
   association group, Authentication Header (AH) transform group,
   Encapsulating Security Payload (ESP) transform group, IP Payload
   Compression Protocol (COMP) transform group, IKE association group
   and the credential group together describe actions to be associated
   with IPsec rules.  The policy time period group specifies time
   periods during which a rule is valid.  The interface capability
   group is used by a PEP to report the capabilities associated with
   its interface types.

   The IPsec PIB defined in this document is based on the IPsec
   configuration policy information model [12].  The structure and
   modularity of this PIB are similar to that of the IPsec
   configuration policy model.  The mapping of the IPsec association
   group, AH transform group, ESP transform group, COMP transform
   group, IKE association group, the credential group and the policy
   time period group onto the configuration model is straightforward.
   Note that the policy time period condition is included in the IPsec
   configuration policy information model [12] but it is specified in
   the policy core information model [23].  The IPsec selector group
   corresponds to the filters specified in the IPsec configuration
   policy model but it is in a slightly different structure in order
   to provide a scalable way of specifying a large number of filters.

   The modular design of the IPsec PIB gives it a great deal of
   flexibility.  For example, the key exchange protocol and selectors
   used in a policy rule are specified by pointing to the corresponding
   policy rule classes.  Hence, to use key exchange protocols or
   selectors other than those specified in this PIB, simply direct the
   pointers to the corresponding policy rule classes specified in other
   PIB modules.

   The nine IPsec PIB groups are discussed in the following sections.

3.1 IPsec association group

   This group specifies IPsec Security Associations.

3.1.1 IPsec rules

   The ipSecRuleTable is the starting point for specifying an IPsec
   policy.  It contains an ordered list of IPsec rules.  Each rule is
   associated with IfCapSetName, Roles and Direction attributes to
   indicate the interface type and role combinations as well as the
   direction of the interface to which this rule is to be applied.
   Each rule points to a set of selectors and, optionally, a set of
   IP Security Options (IPSO) filters to indicate the conditions
   associated with this rule.  In addition, each rule has a pointer to
   a set of actions to indicate the actions associated with this
   rule.  Hence if a packet matches a selector in the selector set
   and, if the reference to the IPSO filter set is not zero, it
   matches a filter in the IPSO filter set, the action(s) associated
   with this rule will be applied to the packet.

   When a rule involves multiple actions, the ExecutionStrategy
   attribute indicates how these actions are executed.  A value of
   "DoAll" means that all the actions MUST be applied to the packet
   according to a predefined order.  A value of "DoUntilSuccess" means
   that the actions MUST be tried in sequence until a successful
   execution of a single action.

   For example, in a nested Security Associations (SA) case the
   actions of an initiator's rule might be structured as:

      ExecutionStrategy='Do All'
      |
      +---1--- IPsecTunnelAction    // set up SA from host to gateway
      |
      +---2--- IPsecTransportAction // set up SA from host through
                                    // tunnel to remote host

   Another example, showing a rule with fallback actions, might be
   structured as:

      ExecutionStrategy='Do Until Success'
      |
      +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
      |
      +---2--- IPsecTunnelAction // set up SA from host to gateway [B]

   As an optional feature, IPsec associations may be established
   without being prompted by IP packets.  The AutoStart attribute
   indicates if the IPsec association(s) of this rule should be set
   up automatically.  Support of this attribute is optional.

3.1.2 IPsec actions

   IPsec actions may be of two types: Static Action and Negotiation
   Action.

   Static Actions do not require any negotiations.  They include
   bypass, discard, IKE rejection, pre-configured transport and
   pre-configured tunnel actions.  The ipSecStaticActionTable
   specifies IPsec Static Actions.  For a pre-configured transport or
   pre-configured tunnel action, it further points to a valid instance
   in another class that describes a transform to be used, for
   example, the ipSecEspTransformTable.  In addition, the SPI used for
   the transform is also defined in the table.

   Negotiation Actions require negotiations in order to establish
   Security Associations.  They include transport and tunnel actions.
   The ipSecNegotiationActionTable specifies IPsec Negotiation
   Actions.  It points to a valid instance in the
   ipSecAssociationTable that further defines the IPsec association
   to be established.  For key exchange policy, the KeyExchangeId
   points to a valid instance in another class that describes key
   exchange procedures.  If a single IKE phase one negotiation is used
   for the key exchange, this attribute MUST point to an instance in
   the ipSecIkeAssociationTable.  If multiple IKE phase one
   negotiations (e.g., with different modes) are to be tried until
   success, this attribute SHOULD point to ipSecIkeRuleTable.  For
   other key exchange methods, this attribute MAY point to an
   instance of a PRC defined in some other PIB module.

   The ipSecActionSetTable specifies sets of actions.  Actions within
   a set form an ordered list.  If an action within a set is a Static
   Action, the ActionId MUST point to a valid instance in the
   ipSecStaticActionTable.  If the action is a Negotiation Action, the
   ActionId MUST point to a valid instance in the
   ipSecNegotiationActionTable.  For other actions, the ActionId MAY
   point to an instance of a PRC defined in some other PIB module.

3.1.3 IPsec associations

   The ipSecAssociationTable specifies attributes associated with
   IPsec associations.  For each association, it points to a set of
   proposals in the ipSecProposalSetTable that is associated with
   this association.
   The MinLifetimeSeconds and MinLifetimeKilobytes in the
   ipSecAssociationTable indicate the lifetime to propose for the
   IPsec association to be negotiated.  They are different from the
   time periods indicated by the IpSecRuleTimePeriodGroupId in the
   IpsecRuleTable.  Those time periods specify when the given IPsec
   rule is valid.

3.1.4 IPsec proposals

   The ipSecProposalSetTable specifies sets of proposals.  Proposals
   within a set are ordered with a preference value.

   The ipSecProposalTable specifies proposals.  It points to sets of
   ESP transforms, AH transforms and IP COMP transforms.  Within a
   proposal, sets of transforms of different types are logically
   ANDed.  Transforms of the same type within a transform set are to
   be logically ORed.  For example, if the proposal were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to
   pick one from the ESP transform list (preferably (HMAC-MD5, 3DES))
   AND one from the AH transform list (preferably MD5).

3.2 AH transform group

   The AH transform group describes sets of AH transforms.

3.3 ESP transform group

   The ESP transform group describes sets of ESP transforms.

3.4 COMP transform group

   The COMP transform group describes sets of COMP transforms.

3.5 IKE association group

   This group specifies rules associated with IKE phase one
   negotiation.  The rules are IKEv1 rules as specified in [10].

   The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
   tables.  Support of these tables is required only when a policy
   contains:

   - Multiple IKE phase one actions (e.g., with different exchange
     modes) that are associated with one IPsec association.  These
     actions are to be tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.
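   The AND/OR semantics of section 3.1.4 (sets of different transform
   types ANDed, transforms within a set ORed in preference order), and the
   walk through a proposal set in preference order, as an added example
   that is not part of the draft.  Transforms are plain tuples of
   algorithm names rather than the IpsecDoi* enumerations, and the
   assumption that a lower preference value is tried first is this
   example's own.

```python
from __future__ import annotations

from typing import Dict, List, Optional, Sequence, Set, Tuple

# A transform is a tuple of algorithm names: an ESP transform carries
# (integrity, cipher), an AH transform (integrity,), a COMP transform (algo,).
Transform = Tuple[str, ...]
# A proposal maps a transform type ("ESP", "AH", "COMP") to its transform
# set, listed in preference order (most preferred first).
Proposal = Dict[str, List[Transform]]


def evaluate_proposal(proposal: Proposal,
                      supported: Dict[str, Set[Transform]]
                      ) -> Optional[Dict[str, Transform]]:
    """Return the transform chosen per type, or None if the proposal fails.

    Sets of different types are ANDed: every type listed in the proposal
    must yield a match.  Transforms within one set are ORed: the first one
    (in preference order) that the responder supports is chosen.
    """
    chosen: Dict[str, Transform] = {}
    for ttype, transform_set in proposal.items():
        if not transform_set:
            # A listed type with an empty set cannot be satisfied.
            return None
        match = next((t for t in transform_set
                      if t in supported.get(ttype, set())), None)
        if match is None:
            return None            # AND across types fails
        chosen[ttype] = match      # OR within the set succeeded
    return chosen


def select_from_proposal_set(proposal_set: Sequence[Tuple[int, Proposal]],
                             supported: Dict[str, Set[Transform]]
                             ) -> Optional[Tuple[int, Dict[str, Transform]]]:
    """Walk a proposal set in preference order and return the first
    proposal the responder can satisfy, with its preference value.

    Assumption (not stated in the draft): a lower preference value means
    the proposal is tried earlier.
    """
    for preference, proposal in sorted(proposal_set, key=lambda p: p[0]):
        chosen = evaluate_proposal(proposal, supported)
        if chosen is not None:
            return preference, chosen
    return None


# Constructed sample: the proposal from section 3.1.4 of the draft.
EXAMPLE_PROPOSAL: Proposal = {
    "ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
    "AH": [("MD5",), ("SHA-1",)],
}

# Constructed responder capability: no 3DES, both AH integrity algorithms.
RESPONDER_CAPS: Dict[str, Set[Transform]] = {
    "ESP": {("HMAC-MD5", "DES"), ("HMAC-SHA-1", "DES")},
    "AH": {("SHA-1",), ("MD5",)},
}

if __name__ == "__main__":
    # The responder falls back to the second ESP transform but still
    # gets the preferred AH transform.
    print(evaluate_proposal(EXAMPLE_PROPOSAL, RESPONDER_CAPS))
```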
   For the latter case, IKE rules may be distributed independently
   and the IfCapSetName and Roles attributes in the ipSecIkeRuleTable
   indicate the interface type and role combinations to which this
   rule is to be applied.

   The ipSecIkeActionSetTable specifies sets of actions.  Actions
   within a set form an ordered list.

   The ipSecIkeAssociationTable contains parameters associated with
   IKE associations including the IKE identities to be used during
   IKE phase one negotiation.  It points to a set of credentials
   specified in the ipSecCredentialTable.  Any of the credentials in
   this set may be used during IKE phase one negotiation.  In
   addition, each IKE association points to a set of IKE proposals to
   be associated with this association.  If the Authentication Method
   for one or more of the IKE proposals is specified as PresharedKey
   in the ipSecIkeProposalTable, the ipSecIkeAssociationPresharedKey
   attribute contains the actual pre-shared key to be used for the
   proposal(s).  This attribute is optional.  If this attribute is not
   supported or contains a zero length octet, the pre-shared key MUST
   be obtained through other methods.

   The ipSecIkeProposalSetTable specifies sets of proposals.
   Proposals within a set are ordered with a preference value.  The
   ipSecIkeProposalTable contains parameters associated with IKE
   proposals.

   The ipSecIkePeerEndpointTable specifies IKE peer endpoint
   information that includes acceptable peer identity and credentials
   for IKE phase one negotiation.  It points to a set of credentials
   specified in the ipSecCredentialSetTable.  Any of the credentials
   in the set is acceptable as a peer credential.

3.6 Credential group

   This group specifies credentials to be used for IKE phase one
   negotiations.

   The ipSecCredentialSetTable specifies sets of credentials.  The
   ipSecCredentialTable and ipSecCredentialFieldsTable together
   specify credentials.  Each credential may contain multiple
   sub-fields.  For example, a certificate may contain a unique serial
   number sub-field and an issuer name sub-field, etc.  The
   ipSecCredentialFieldsTable defines the sub-fields and their values
   that MUST be matched against.  The ipSecCredentialTable points to a
   set of criteria defined in the ipSecCredentialFieldsTable.  The
   criteria MUST all be satisfied in order for a credential to be
   considered as acceptable.  Certificates may also be revoked.  The
   CrlDistributionPoint attribute in the ipSecCredentialTable
   indicates the Certificate Revocation List (CRL) distribution point
   where CRLs may be fetched.

3.7 Selector group

   This group specifies the selectors for IPsec rules.

   The ipSecSelectorSetTable specifies sets of selectors.  Selectors
   within a set form an ordered list.  The SelectorId attribute points
   to a valid instance in another class that describes a selector.  To
   achieve scalability in policy distribution for large networks, it
   SHOULD point to the ipSecSelectorTable.

   The ipSecAddressTable specifies individual IP addresses or ranges
   of IP addresses and the ipSecL4PortTable specifies individual
   layer 4 ports or ranges of ports.  The ipSecSelectorTable has
   references to these two tables.  Each row in the selector class
   can represent multiple selectors.  These selectors are constructed
   as follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
      or port ranges whose ipSecL4PortGroupId matches the
      ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
      or port ranges whose ipSecL4PortGroupId matches the
      ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
      fields.  Then add to the combinations the ipSecSelectorProtocol,
      ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
      the list of selectors.

   Selectors constructed from a single row have the same order within
   a selector set.  The order is indicated by the Order attribute of
   the ipSecSelectorSetTable.  The relative order among selectors
   constructed from a single row is unspecified.  This is not an issue
   as long as these selectors are not overlapping.

   The use of references in the ipSecSelectorTable instead of real IP
   addresses and port numbers reduces the number of bytes being
   pushed down to the PEP.  Grouping of IP addresses and layer 4 ports
   serves the same purpose.

   The ipSecIpsoFilterSetTable specifies sets of IPSO filters.
   Filters within a set form an ordered list.  The
   ipSecIpsoFilterTable contains IPSO filters.

3.8 Policy time period group

   This group specifies time periods during which a policy rule is
   valid.  The ipSecRuleTimePeriodTable specifies a single time period
   of a day (or days).  The ipSecRuleTimePeriodSetTable allows the
   specification of multiple time periods.

   Implementation of this group is optional.

3.9 Interface capability group

   PEPs may have different capabilities.  For example, some PEPs
   support nested Security Associations whereas others do not.  This
   group allows a PEP to specify the capabilities associated with its
   different interface types.
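   The five-step selector expansion of section 3.7, carried out on
   constructed stand-ins for ipSecAddressTable, ipSecL4PortTable and
   ipSecSelectorTable, followed by a match of a packet 5-tuple against the
   expanded list, as an added example that is not part of the draft.  The
   row layouts (first/last address or port per row, a None DSCP or flow
   label meaning "any", and an unresolvable group reference yielding no
   selectors) are this example's assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AddressRow:
    """One row of ipSecAddressTable: a single address or inclusive range."""
    group_id: int   # ipSecAddressGroupId
    first: str
    last: str

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        lo, hi = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        # Never compare an IPv4 address against an IPv6 range.
        return a.version == lo.version == hi.version and lo <= a <= hi


@dataclass(frozen=True)
class PortRow:
    """One row of ipSecL4PortTable: a single port or inclusive range."""
    group_id: int   # ipSecL4PortGroupId
    first: int
    last: int

    def contains(self, port: int) -> bool:
        return self.first <= port <= self.last


@dataclass(frozen=True)
class SelectorRow:
    """One row of ipSecSelectorTable, holding group references only."""
    src_address_group: int             # ipSecSelectorSrcAddressGroupId
    dst_address_group: int             # ipSecSelectorDstAddressGroupId
    src_port_group: int                # ipSecSelectorSrcPortGroupId
    dst_port_group: int                # ipSecSelectorDstPortGroupId
    protocol: int                      # ipSecSelectorProtocol (IP proto)
    dscp: Optional[int] = None         # ipSecSelectorDscp, None = any
    flow_label: Optional[int] = None   # ipSecSelectorFlowLabel, None = any


@dataclass(frozen=True)
class Selector:
    """One fully expanded selector produced by step 5."""
    src: AddressRow
    dst: AddressRow
    sport: PortRow
    dport: PortRow
    protocol: int
    dscp: Optional[int]
    flow_label: Optional[int]

    def matches(self, src: str, dst: str, protocol: int, sport: int,
                dport: int, dscp: int = 0, flow_label: int = 0) -> bool:
        return (self.src.contains(src) and self.dst.contains(dst)
                and self.protocol == protocol
                and self.sport.contains(sport) and self.dport.contains(dport)
                and (self.dscp is None or self.dscp == dscp)
                and (self.flow_label is None or self.flow_label == flow_label))


def expand_selector(row: SelectorRow, addresses: Iterable[AddressRow],
                    ports: Iterable[PortRow]) -> List[Selector]:
    """Steps 1-5 of section 3.7: substitute each group id with the rows
    carrying it, then take every combination of the four substituted
    fields and attach protocol, DSCP and flow label."""
    addresses, ports = list(addresses), list(ports)
    srcs = [a for a in addresses if a.group_id == row.src_address_group]  # 1
    dsts = [a for a in addresses if a.group_id == row.dst_address_group]  # 2
    sports = [p for p in ports if p.group_id == row.src_port_group]       # 3
    dports = [p for p in ports if p.group_id == row.dst_port_group]       # 4
    # Step 5.  A group with no rows makes the product empty, i.e. a
    # dangling group reference yields no selectors (example assumption).
    return [Selector(s, d, sp, dp, row.protocol, row.dscp, row.flow_label)
            for s, d, sp, dp in product(srcs, dsts, sports, dports)]


def first_match(selectors: List[Selector], **packet) -> Optional[Selector]:
    """Return the first selector in list order that the packet matches."""
    return next((s for s in selectors if s.matches(**packet)), None)


# Constructed sample tables using RFC 5737 documentation addresses.
ADDRESS_TABLE = [
    AddressRow(1, "192.0.2.10", "192.0.2.10"),
    AddressRow(1, "192.0.2.20", "192.0.2.20"),
    AddressRow(2, "198.51.100.0", "198.51.100.255"),
]
PORT_TABLE = [
    PortRow(1, 0, 65535),   # any source port
    PortRow(2, 80, 80),
    PortRow(2, 443, 443),
]
# "TCP from either of two hosts to a web port anywhere in 198.51.100.0/24":
# one selector row that expands to 2 x 1 x 1 x 2 = 4 selectors.
SELECTOR_ROW = SelectorRow(src_address_group=1, dst_address_group=2,
                           src_port_group=1, dst_port_group=2, protocol=6)
```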
   For ease of reference, a concise summary of the groups and tables
   is included in the next section.

4. Summary of the IPsec PIB

4.1 ipSecAssociation group

   This group specifies IPsec Security Associations.

4.1.1 ipSecRuleTable

   This class is the starting point for specifying an IPsec policy.
   It contains an ordered list of IPsec rules.

4.1.2 ipSecActionSetTable

   Specifies IPsec action sets.

4.1.3 ipSecStaticActionTable

   Specifies IPsec static actions.

4.1.4 ipSecNegotiationActionTable

   Specifies IPsec negotiation actions.

4.1.5 ipSecAssociationTable

   Specifies IPsec associations.

4.1.6 ipSecProposalSetTable

   Specifies IPsec proposal sets.

4.1.7 ipSecProposalTable

   Specifies IPsec proposals.

4.2 ipSecAhTransform group

   This group specifies AH Transforms.

4.2.1 ipSecAhTransformSetTable

   Specifies AH transform sets.

4.2.2 ipSecAhTransformTable

   Specifies AH transforms.

4.3 ipSecEspTransform group

   This group specifies ESP Transforms.

4.3.1 ipSecEspTransformSetTable

   Specifies ESP transform sets.

4.3.2 ipSecEspTransformTable

   Specifies ESP transforms.

4.4 ipSecCompTransform group

   This group specifies Compression Transforms.

4.4.1 ipSecCompTransformSetTable

   Specifies IP compression transform sets.

4.4.2 ipSecCompTransformTable

   Specifies IP compression algorithms.

4.5 ipSecIkeAssociation group

   This group specifies IKEv1 Security Associations.

4.5.1 ipSecIkeRuleTable

   Specifies IKEv1 rules.

4.5.2 ipSecIkeActionSetTable

   Specifies IKEv1 action sets.

4.5.3 ipSecIkeAssociationTable

   Specifies IKEv1 associations.

4.5.4 ipSecIkeProposalSetTable

   Specifies IKEv1 proposal sets.

4.5.5 ipSecIkeProposalTable

   Specifies IKEv1 proposals.

4.5.6 ipSecIkePeerEndpointTable

   Specifies IKEv1 peer endpoints.
4.6 ipSecCredential group

   This group specifies credentials for IKEv1 phase one negotiations.

4.6.1 ipSecCredentialSetTable

   Specifies credential sets.

4.6.2 ipSecCredentialTable

   Specifies credentials.

4.6.3 ipSecCredentialFieldsTable

   Specifies sets of credential sub-fields and their values to be
   matched against.

4.7 ipSecSelector group

   This group specifies selectors for IPsec associations.

4.7.1 ipSecSelectorSetTable

   Specifies IPsec selector sets.

4.7.2 ipSecSelectorTable

   Specifies IPsec selectors.

4.7.3 ipSecAddressTable

   Specifies IP addresses.

4.7.4 ipSecL4PortTable

   Specifies layer four port numbers.

4.7.5 ipSecIpsoFilterSetTable

   Specifies IPSO filter sets.

4.7.6 ipSecIpsoFilterTable

   Specifies IPSO filters.

4.8 ipSecPolicyTimePeriod group

   This group specifies the time periods during which a policy rule
   is valid.

4.8.1 ipSecRuleTimePeriodTable

   Specifies the time periods during which a policy rule is valid.

4.8.2 ipSecRuleTimePeriodSetTable

   Specifies time period sets.

4.9 ipSecIfCapability group

   This group specifies capabilities associated with interface types.

4.9.1 ipSecIfCapsTable

   Specifies capabilities that may be associated with an interface of
   a specific type.

4.10 ipSecPolicyPibConformance group

   This group specifies requirements for conformance to the IPsec
   Policy PIB.

5. The IPsec PIB Module

   IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

   IMPORTS
       Unsigned32, Unsigned64, MODULE-IDENTITY,
       OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE,
       OBJECT-GROUP, pib
           FROM COPS-PR-SPPI             --[RFC3159]
       TruthValue
           FROM SNMPv2-TC                --[RFC2579]
       InstanceId, ReferenceId, TagId, TagReferenceId, Prid
           FROM COPS-PR-SPPI-TC          --[RFC3159]
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB       --[RFC3411]
       InetAddress, InetAddressType,
       InetAddressPrefixLength, InetPortNumber
           FROM INET-ADDRESS-MIB         --[RFC3291]
       DscpOrAny
           FROM DIFFSERV-DSCP-TC         --[RFC3289]
       IPv6FlowLabelOrAny
           FROM IPV6-FLOW-LABEL-MIB      --[RFC3595]
       RoleCombination
           FROM FRAMEWORK-TC-PIB         --[RFC3318]
       IpsecDoiIpcompTransform, IpsecDoiEspTransform,
       IpsecDoiIdentType, IpsecDoiAuthAlgorithm
           FROM IPSEC-IPSECACTION-MIB
           --[draft-ietf-ipsp-ipsecaction-mib-00.txt]
       IkeEncryptionAlgorithm, IkeAuthMethod, IkeHashAlgorithm,
       IkeGroupDescription
           FROM IPSEC-IKEACTION-MIB;
           --[draft-ietf-ipsp-ikeaction-mib-00.txt]

   --
   -- module identity
   --

   ipSecPolicyPib MODULE-IDENTITY
       SUBJECT-CATEGORIES { xxxx (nn) }  -- IPsec Client Type
           -- to be assigned by IANA.  Suggest to use ipSec for xxxx
       LAST-UPDATED "200404041800Z"
       ORGANIZATION "IETF ipsp WG"
       CONTACT-INFO "
           Man Li
           Nokia
           5 Wayside Road,
           Burlington, MA 01803
           Phone: +1 781 993 3923
           Email: man.m.li@nokia.com

           Avri Doria
           ETRI
           161 Gajeong-dong, Yuseong-gu
           Deajeon 305-350 Korea
           Email: avri@acm.org

           Jamie Jason
           Intel Corporation
           MS JF3-206
           2111 NE 25th Ave.
           Hillsboro, OR 97124
           Phone: +1 503 264 9531
           Fax: +1 503 264 9428
           Email: jamie.jason@intel.com

           Cliff Wang
           SmartPipes Inc.
           Suite 300, 565 Metro Place South
           Dublin, OH 43017
           Phone: +1 614 923 6241
           Email: CWang@smartpipes.com

           Markus Stenberg
           SSH Communications Security Corp.
           Fredrikinkatu 42
           FIN-00100 Helsinki, Finland
           Phone: +358 20 500 7466
           Email: fingon@iki.fi"

       DESCRIPTION
           "This PIB module contains a set of policy rule classes that
           describe IPsec policies.

           Copyright (C) The Internet Society (2004).  This version of
           this PIB module is part of RFC xxxx; see the RFC itself for
           full legal notices"

       REVISION "200404041800Z"
       DESCRIPTION
           "Initial version, published as RFC xxxx."
           -- xxxx to be assigned by IANA --
       ::= { pib yyy }  -- yyy to be assigned by IANA --

   --
   -- Textual Conventions
   --

   Unsigned16TC ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS current
       DESCRIPTION
           "An unsigned 16 bit integer."
       SYNTAX Unsigned32 (0..65535)

   LocalOrUtcTimeTC ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "Indicates whether to use local times or universal time
           (UTC) times."
       SYNTAX INTEGER { localTime(1), utcTime(2) }

   TimePeriodTC ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "255t"
       STATUS current
       DESCRIPTION
           "An octet string that identifies an overall range of
           calendar dates and times.  It reuses the format for an
           explicit time period defined in [RFC 2445]: a string
           representing a starting date and time, in which the
           character 'T' indicates the beginning of the time portion,
           followed by the solidus character '/', followed by a
           similar string representing an end date and time.  The
           first date indicates the beginning of the range, while the
           second date indicates the end.  Thus, the second date and
           time must be later than the first.  Date/times are
           expressed as substrings of the form yyyymmddThhmmss.
763 There are also two special cases: 765 - If the first date/time is replaced with the string 766 THISANDPRIOR, then the property indicates that a policy rule is 767 valid [from now] until the date/time that appears after the '/'. 769 - If the second date/time is replaced with the string 770 THISANDFUTURE, then the property indicates that a policy rule 771 becomes valid on the date/time that appears before the '/', and 772 remains valid from that point on. 774 This information is represented using the ISO/IEC IS 10646-1 775 character set, encoded as an octet string using the UTF-8 776 transformation format described in [RFC2279]." 777 SYNTAX OCTET STRING 779 TimeOfDayTC ::= TEXTUAL-CONVENTION 780 DISPLAY-HINT "255t" 781 STATUS current 782 DESCRIPTION 783 " An octet string that specifies a range of times in a day. It 784 is formatted as follows: 786 A time string beginning with the character 'T', followed by the 787 solidus character '/', followed by a second time string. The 788 first time indicates the beginning of the range, while the second 789 time indicates the end. Times are expressed as substrings of the 790 form Thhmmss. 792 The second substring always identifies a later time than the first 793 substring. To allow for ranges that span midnight, however, the 794 value of the second string may be smaller than the value of the 795 first substring. Thus, T080000/T210000 identifies the range from 796 0800 until 2100, while T210000/T080000 identifies the range from 797 2100 until 0800 of the following day. 799 This information is represented using the ISO/IEC IS 10646-1 800 character set, encoded as an octet string using the UTF-8 801 transformation format described in [RFC2279]." 
802 SYNTAX OCTET STRING 804 MonthOfYearTC ::= TEXTUAL-CONVENTION 805 STATUS current 806 DESCRIPTION 808 Li, et al Expires October 2004 15 809 "Defines months of a year" 810 SYNTAX BITS {january(0),february(1),march(2),april(3), 811 may(4),june(5),july(6),august(7),september(8), 812 october(9),november(10),december(11)} 814 DayOfWeekTC ::= TEXTUAL-CONVENTION 815 STATUS current 816 DESCRIPTION 817 "Defines days of a week" 818 SYNTAX BITS {sunday(0),monday(1),tuesday(2),wednesday(3), 819 thursday(4),friday(5),saturday(6)} 821 DayOfMonthTC ::= TEXTUAL-CONVENTION 822 STATUS current 823 DESCRIPTION 824 "Defines days of a month" 825 SYNTAX BITS 826 {first(0),second(1),third(2),fourth(3),fifth(4),sixth(5), 827 seventh(6),eighth(7),ninth(8),tenth(9),eleventh(10), 828 twelfth(11),thirteenth(12),fourteenth(13),fifteenth(14), 829 sixteenth(15),seventeenth(16),eighteenth(17),nineteenth(18), 830 twentieth(19),twenty-first(20),twenty-second(21), 831 twenty-third(22),twenty-fourth(23), twenty-fifth(24), 832 twenty-sixth(25), twenty-seventh(26),twenty-eighth(27), 833 twenty-ninth(28), thirty(29), thirty-first(30)} 835 IpSecOrderTC ::= TEXTUAL-CONVENTION 836 DISPLAY-HINT "d" 837 STATUS current 838 DESCRIPTION 839 "An unsigned 16 bit integer that defines the order of a set of 840 rules. A smaller value indicates a higher precedence order" 841 SYNTAX Unsigned32 (0..65535) 843 IpSecDirectionTC ::= TEXTUAL-CONVENTION 844 STATUS current 845 DESCRIPTION 846 "Specifies the direction of traffic to which an IPsec rule shall 847 be applied" 848 SYNTAX INTEGER {in(1),out(2),bi-directional(3)} 850 IpSecDFBitTC ::= TEXTUAL-CONVENTION 851 STATUS current 852 DESCRIPTION 853 " For tunnel security associations, this attribute specifies how 854 the DF bit is managed. Copy (1) indicates to copy the DF bit from 855 the internal IP header to the external IP header. Set (2) 856 indicates to set the DF bit of the external IP header to 1. 
Clear 857 (3) indicates to clear the DF bit of the external IP header to 0. 858 " 859 SYNTAX INTEGER {copy(1),set(2),clear(3)} 861 IpSecExchangeModeTC ::= TEXTUAL-CONVENTION 863 Li, et al Expires October 2004 16 864 STATUS current 865 DESCRIPTION 866 " Specifies the negotiation mode that the Internet Key Exchange 867 (IKE) server will use for phase one." 868 SYNTAX INTEGER {baseMode(0),mainMode(1),aggressiveMode(2)} 870 IpSecActionTC ::= TEXTUAL-CONVENTION 871 STATUS current 872 DESCRIPTION 873 " Specifies the IPsec action to be applied to the traffic. 874 transport(1) means that the packet should be protected with a 875 security association in transport mode. tunnel(2) means that the 876 packet should be protected with a security association in tunnel 877 mode." 878 SYNTAX INTEGER {transport(1),tunnel(2)} 880 IpSecCredTypeTC ::= TEXTUAL-CONVENTION 881 STATUS current 882 DESCRIPTION 883 " Specifies the type of credentials used for IKE phase one." 884 SYNTAX INTEGER {certificateX509(1),kerberosTicket(2)} 886 IpSecGranularityTC ::= TEXTUAL-CONVENTION 887 STATUS current 888 DESCRIPTION 889 "Specifies how the proposed selector for the security 890 association will be created. Subnet (0) indicates that the source 891 and destination subnet masks of the filter entry are used. Address 892 (1) indicates that only the source and destination IP addresses of 893 the triggering packet are used. Protocol(2) indicates that the 894 source and destination IP addresses and the IP protocol of the 895 triggering packet are used. Port (3) indicates that the source and 896 destination IP addresses and the IP protocol and the source and 897 destination layer 4 ports of the triggering packet are used. " 898 SYNTAX BITS {subnet(0),address(1),protocol(2),port(3)} 900 IpSecIpsoClassificationTC ::= TEXTUAL-CONVENTION 901 STATUS current 902 DESCRIPTION 903 " Specifies IP security options (IPSO) classification level." 
904 REFERENCE "RFC 1108" 905 SYNTAX INTEGER {topSecret(61),secret(90), 906 confidential(150),unclassified(171)} 908 IpSecIpsoProtectionTC ::= TEXTUAL-CONVENTION 909 STATUS current 910 DESCRIPTION 911 " Specifies IPSO protection level." 912 REFERENCE "RFC 1108" 913 SYNTAX INTEGER {genser(0),siop-esi(1),sci(2), 914 nsa(3),doe(4)} 916 Li, et al Expires October 2004 17 917 -- 918 -- Object identifiers 919 -- 921 ipSecAssociation 922 OBJECT IDENTIFIER ::= {ipSecPolicyPib 1 } 923 ipSecAhTransform 924 OBJECT IDENTIFIER ::= {ipSecPolicyPib 2 } 925 ipSecEspTransform 926 OBJECT IDENTIFIER ::= {ipSecPolicyPib 3 } 927 ipSecCompTransform 928 OBJECT IDENTIFIER ::= {ipSecPolicyPib 4 } 929 ipSecIkeAssociation 930 OBJECT IDENTIFIER ::= {ipSecPolicyPib 5 } 931 ipSecCredential 932 OBJECT IDENTIFIER ::= {ipSecPolicyPib 6 } 933 ipSecSelector 934 OBJECT IDENTIFIER ::= {ipSecPolicyPib 7 } 935 ipSecPolicyTimePeriod 936 OBJECT IDENTIFIER ::= {ipSecPolicyPib 8 } 937 ipSecIfCapability 938 OBJECT IDENTIFIER ::= {ipSecPolicyPib 9 } 939 ipSecPolicyPibConformance 940 OBJECT IDENTIFIER ::= {ipSecPolicyPib 10 } 942 -- 943 -- 944 -- The ipSecRuleTable 945 -- 947 ipSecRuleTable OBJECT-TYPE 948 SYNTAX SEQUENCE OF IpSecRuleEntry 949 PIB-ACCESS install 950 STATUS current 951 DESCRIPTION 952 "This class is the starting point for specifying an IPsec policy. 953 It contains an ordered list of IPsec rules. 955 For each entry: 957 1. ipSecRuleIfCapSetName must reference an existing capability set 958 name in frwkCapabilitySetTable [FRC3318] . 960 2. ipSecRuleRoles must reference an existing Role Combination in 961 frwkRoleComboTable [RFC3318]. 963 If any or both of these requirements is not satisfied, the entry 964 shall not be installed." 
965 ::= { ipSecAssociation 1 } 967 Li, et al Expires October 2004 18 968 ipSecRuleEntry OBJECT-TYPE 969 SYNTAX IpSecRuleEntry 970 STATUS current 971 DESCRIPTION 972 "Specifies an instance of this class" 973 PIB-INDEX { ipSecRulePrid } 974 UNIQUENESS { 975 ipSecRuleIfCapSetName, 976 ipSecRuleRoles, 977 ipSecRuleOrder 978 } 979 ::= { ipSecRuleTable 1 } 981 IpSecRuleEntry ::= SEQUENCE { 982 ipSecRulePrid InstanceId, 983 ipSecRuleIfCapSetName SnmpAdminString, 984 ipSecRuleRoles RoleCombination, 985 ipSecRuleDirection IpSecDirectionTC, 986 ipSecRuleIpSecSelectorSetId TagReferenceId, 987 ipSecRuleIpSecIpsoFilterSetId TagReferenceId, 988 ipSecRuleIpSecActionSetId TagReferenceId, 989 ipSecRuleActionExecutionStrategy INTEGER, 990 ipSecRuleOrder IpSecOrderTC, 991 ipSecRuleLimitNegotiation INTEGER, 992 ipSecRuleAutoStart TruthValue, 993 ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId 994 } 996 ipSecRulePrid OBJECT-TYPE 997 SYNTAX InstanceId 998 STATUS current 999 DESCRIPTION 1000 "An integer index that uniquely identifies an instance of this 1001 class." 1002 ::= { ipSecRuleEntry 1 } 1004 ipSecRuleIfCapSetName OBJECT-TYPE 1005 SYNTAX SnmpAdminString 1006 STATUS current 1007 DESCRIPTION 1008 "The interface capability set to which this IPsec rule applies. 1009 The interface capability name specified by this attribute MUST 1010 exist in an entry of the frwkCapabilitySetTable [RFC3318] prior to 1011 association with an instance of this class. The 1012 frwkCapabilitySetCapability attribute of that entry shall in turn 1013 point to an entry in the ipSecIfCaps table." 1014 ::= { ipSecRuleEntry 2 } 1016 ipSecRuleRoles OBJECT-TYPE 1017 SYNTAX RoleCombination 1018 STATUS current 1019 DESCRIPTION 1021 Li, et al Expires October 2004 19 1022 "Specifies the role combination of the interface to which this 1023 IPsec rule should apply. 
There must exist an instance in the 1024 frwkRoleComboTable [RFC3318] specifying this role combination, 1025 together with the interface capability set specified by 1026 ipSecRuleIfCapSetName, prior to association with an instance of 1027 this class." 1028 ::= { ipSecRuleEntry 3 } 1030 ipSecRuleDirection OBJECT-TYPE 1031 SYNTAX IpSecDirectionTC 1032 STATUS current 1033 DESCRIPTION 1034 "Specifies the direction of traffic to which this rule should 1035 apply." 1036 ::= { ipSecRuleEntry 4 } 1038 ipSecRuleIpSecSelectorSetId OBJECT-TYPE 1039 SYNTAX TagReferenceId 1040 PIB-TAG { ipSecSelectorSetSelectorSetId } 1041 STATUS current 1042 DESCRIPTION 1043 "Identifies a set of selectors to be associated with this IPsec 1044 rule. " 1045 ::= { ipSecRuleEntry 5 } 1047 ipSecRuleIpSecIpsoFilterSetId OBJECT-TYPE 1048 SYNTAX TagReferenceId 1049 PIB-TAG { ipSecIpsoFilterSetFilterSetId } 1050 STATUS current 1051 DESCRIPTION 1052 "Identifies a set of IPSO filters to be associated with this IPsec 1053 rule. A value of zero indicates that there are no IPSO filters 1054 associated with this rule. 1056 When the value of this attribute is not zero, the set of IPSO 1057 filters is ANDed with the set of Selectors specified by 1058 ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a 1059 selector in the selector sets and a filter in the IPSO filter sets 1060 before the actions associated with this rule can be applied." 1061 ::= { ipSecRuleEntry 6 } 1063 ipSecRuleIpSecActionSetId OBJECT-TYPE 1064 SYNTAX TagReferenceId 1065 PIB-TAG { ipSecActionSetActionSetId } 1066 STATUS current 1067 DESCRIPTION 1068 "Identifies a set of IPsec actions to be associated with this 1069 rule." 
1070 ::= { ipSecRuleEntry 7 } 1072 ipSecRuleActionExecutionStrategy OBJECT-TYPE 1073 SYNTAX INTEGER { 1074 doAll(1), 1076 Li, et al Expires October 2004 20 1077 doUntilSuccess(2) 1078 } 1079 STATUS current 1080 DESCRIPTION 1081 "Specifies the strategy to be used in executing the sequenced 1082 actions in the action set identified by ipSecRuleIpSecActionSetId. 1084 DoAll (1) causes the execution of all the actions in the action 1085 set according to their defined precedence order. The precedence 1086 order is specified by the ipSecActionSetOrder in the 1087 ipSecActionSetTable. 1089 DoUntilSuccess (2) causes the execution of actions according to 1090 their defined precedence order until a successful execution of a 1091 single action. The precedence order is specified by the 1092 ipSecActionSetOrder in the ipSecActionSetTable." 1093 ::= { ipSecRuleEntry 8 } 1095 ipSecRuleOrder OBJECT-TYPE 1096 SYNTAX IpSecOrderTC 1097 STATUS current 1098 DESCRIPTION 1099 "Specifies the precedence order of the rule within all the rules 1100 associated with {IfCapSetName, Roles}." 1101 ::= { ipSecRuleEntry 9 } 1103 ipSecRuleLimitNegotiation OBJECT-TYPE 1104 SYNTAX INTEGER { 1105 initiator(1), 1106 responder(2), 1107 both(3) 1108 } 1109 STATUS current 1110 DESCRIPTION 1111 "Limits the negotiation method. Before proceeding with a phase 2 1112 negotiation, the LimitNegotiation property of the IPsecRule is 1113 first checked to determine if the negotiation part indicated for 1114 the rule matches that of the current negotiation (Initiator, 1115 Responder, or Either). 1117 This attribute is ignored when an attempt is made to refresh an 1118 expiring security association (SA) since either side can initiate 1119 a refresh operation. The system can determine that the 1120 negotiation is a refresh operation by checking to see if the 1121 selector information matches that of an existing SA. 
If 1122 LimitNegotiation does not match and the selector corresponds to a 1123 new SA, the negotiation is stopped. " 1124 ::= { ipSecRuleEntry 10 } 1126 ipSecRuleAutoStart OBJECT-TYPE 1127 SYNTAX TruthValue 1128 STATUS current 1129 DESCRIPTION 1131 Li, et al Expires October 2004 21 1132 "Indicates if this rule shall be activated when it is 1133 instantiated, i.e., start negotiate or statically set security 1134 associations. If the value is changed to false later, there is no 1135 impact on the security associations that have already started. 1136 " 1137 ::= { ipSecRuleEntry 11 } 1139 ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE 1140 SYNTAX TagReferenceId 1141 PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId } 1142 STATUS current 1143 DESCRIPTION 1144 "Identifies an IPsec rule time period set, specified in 1145 ipSecRuleTimePeriodSetTable, that is associated with this rule. 1147 A value of zero indicates that this IPsec rule is always valid." 1148 ::= { ipSecRuleEntry 12 } 1150 -- 1151 -- 1152 -- The ipSecActionSetTable 1153 -- 1155 ipSecActionSetTable OBJECT-TYPE 1156 SYNTAX SEQUENCE OF IpSecActionSetEntry 1157 PIB-ACCESS install 1158 STATUS current 1159 DESCRIPTION 1160 "Specifies a set of IPsec actions." 
1161 ::= { ipSecAssociation 2 } 1163 ipSecActionSetEntry OBJECT-TYPE 1164 SYNTAX IpSecActionSetEntry 1165 STATUS current 1166 DESCRIPTION 1167 "Specifies an instance of this class" 1168 PIB-INDEX { ipSecActionSetPrid } 1169 UNIQUENESS { 1170 ipSecActionSetActionSetId, 1171 ipSecActionSetOrder 1172 } 1173 ::= { ipSecActionSetTable 1 } 1175 IpSecActionSetEntry ::= SEQUENCE { 1176 ipSecActionSetPrid InstanceId, 1177 ipSecActionSetActionSetId TagId, 1178 ipSecActionSetActionId Prid, 1179 ipSecActionSetDoActionLogging TruthValue, 1180 ipSecActionSetDoPacketLogging TruthValue, 1181 ipSecActionSetOrder IpSecOrderTC 1182 } 1184 Li, et al Expires October 2004 22 1185 ipSecActionSetPrid OBJECT-TYPE 1186 SYNTAX InstanceId 1187 STATUS current 1188 DESCRIPTION 1189 "An integer index that uniquely identifies an instance of this 1190 class." 1191 ::= { ipSecActionSetEntry 1 } 1193 ipSecActionSetActionSetId OBJECT-TYPE 1194 SYNTAX TagId 1195 STATUS current 1196 DESCRIPTION 1197 "An IPsec action set is composed of one or more IPsec actions. 1198 Actions belonging to the same set have the same ActionSetId." 1199 ::= { ipSecActionSetEntry 2 } 1201 ipSecActionSetActionId OBJECT-TYPE 1202 SYNTAX Prid 1203 STATUS current 1204 DESCRIPTION 1205 "A pointer to a valid instance in another table that describes an 1206 action to be taken. 1208 For IPsec static actions, it MUST point to an instance in the 1209 ipSecStaticActionTable. For IPsec negotiation actions, it MUST 1210 point to an instance in the ipSecNegotiationActionTable. For other 1211 actions, it may point to an instance of a class specified by other 1212 PIB modules." 1213 ::= { ipSecActionSetEntry 3 } 1215 ipSecActionSetDoActionLogging OBJECT-TYPE 1216 SYNTAX TruthValue 1217 STATUS current 1218 DESCRIPTION 1219 "Specifies whether a log message is to be generated when the 1220 action is performed. 
This applies for ipSecNegotiationActions 1221 with the meaning of logging a message when the negotiation is 1222 attempted (with the success or failure result). This also applies 1223 for ipSecStaticAction only for PreconfiguredTransport action 1224 (ipSecStaticActionAction = 4) or PreconfiguredTunnel action 1225 (ipSecStaticActionAction = 5) with the meaning of logging a 1226 message when the preconfigured security association is actually 1227 installed in the security association database (SADB)." 1228 ::= { ipSecActionSetEntry 4 } 1230 ipSecActionSetDoPacketLogging OBJECT-TYPE 1231 SYNTAX TruthValue 1232 STATUS current 1233 DESCRIPTION 1234 "Specifies whether to log when the resulting security association 1235 is used to process a packet. For ipSecStaticActions, a log message 1236 is to be generated when the IPsecBypass (ipSecStaticActionAction = 1238 Li, et al Expires October 2004 23 1239 1), IpsecDiscard (ipSecStaticActionAction = 2) or IKEReject 1240 (ipSecStaticActionAction = 3) actions are executed. " 1241 ::= { ipSecActionSetEntry 5 } 1243 ipSecActionSetOrder OBJECT-TYPE 1244 SYNTAX IpSecOrderTC 1245 STATUS current 1246 DESCRIPTION 1247 "Specifies the precedence order of the action within the action 1248 set." 1249 ::= { ipSecActionSetEntry 6 } 1251 -- 1252 -- 1253 -- The ipSecStaticActionTable 1254 -- 1256 ipSecStaticActionTable OBJECT-TYPE 1257 SYNTAX SEQUENCE OF IpSecStaticActionEntry 1258 PIB-ACCESS install 1259 STATUS current 1260 DESCRIPTION 1261 "Specifies IPsec static actions." 
1262 ::= { ipSecAssociation 3 } 1264 ipSecStaticActionEntry OBJECT-TYPE 1265 SYNTAX IpSecStaticActionEntry 1266 STATUS current 1267 DESCRIPTION 1268 "Specifies an instance of this class" 1269 PIB-INDEX { ipSecStaticActionPrid } 1270 UNIQUENESS { 1271 ipSecStaticActionAction, 1272 ipSecStaticActionTunnelEndpointId, 1273 ipSecStaticActionDfHandling, 1274 ipSecStaticActionSpi, 1275 ipSecStaticActionLifetimeSeconds, 1276 ipSecStaticActionLifetimeKilobytes, 1277 ipSecStaticActionSaTransformId 1278 } 1279 ::= { ipSecStaticActionTable 1 } 1281 IpSecStaticActionEntry ::= SEQUENCE { 1282 ipSecStaticActionPrid InstanceId, 1283 ipSecStaticActionAction INTEGER, 1284 ipSecStaticActionTunnelEndpointId ReferenceId, 1285 ipSecStaticActionDfHandling IpSecDFBitTC, 1286 ipSecStaticActionSpi Unsigned32, 1287 ipSecStaticActionLifetimeSeconds Unsigned32, 1288 ipSecStaticActionLifetimeKilobytes Unsigned64, 1289 ipSecStaticActionSaTransformId Prid 1290 } 1292 Li, et al Expires October 2004 24 1293 ipSecStaticActionPrid OBJECT-TYPE 1294 SYNTAX InstanceId 1295 STATUS current 1296 DESCRIPTION 1297 "An integer index that uniquely identifies an instance of this 1298 class." 1299 ::= { ipSecStaticActionEntry 1 } 1301 ipSecStaticActionAction OBJECT-TYPE 1302 SYNTAX INTEGER { 1303 byPass(1), 1304 discard(2), 1305 ikeRejection(3), 1306 preConfiguredTransport(4), 1307 preConfiguredTunnel(5) 1308 } 1309 STATUS current 1310 DESCRIPTION 1311 "Specifies the IPsec action to be applied to the traffic. byPass 1312 (1) means that packets are to be allowed to pass in the clear. 1313 discard (2) means that packets are to be discarded. ikeRejection 1314 (3) means that that an IKE negotiation should not even be 1315 attempted or continued. preConfiguredTransport (4) means that an 1316 IPsec transport SA is pre-configured. preConfiguredTunnel (5) 1317 means that an IPsec tunnel SA is pre-configured. 
" 1318 ::= { ipSecStaticActionEntry 2 } 1320 ipSecStaticActionTunnelEndpointId OBJECT-TYPE 1321 SYNTAX ReferenceId 1322 PIB-REFERENCES {ipSecAddressEntry } 1323 STATUS current 1324 DESCRIPTION 1325 "When ipSecStaticActionAction is preConfiguredTunnel (5), this 1326 attribute indicates the peer gateway IP address. This address MUST 1327 be a single endpoint address. 1329 When ipSecStaticActionAction is not preConfiguredTunnel, this 1330 attribute MUST be zero." 1331 ::= { ipSecStaticActionEntry 3 } 1333 ipSecStaticActionDfHandling OBJECT-TYPE 1334 SYNTAX IpSecDFBitTC 1335 STATUS current 1336 DESCRIPTION 1337 "When ipSecStaticActionAction is preConfiguredTunnel, this 1338 attribute specifies how the DF bit is managed. When 1339 ipSecStaticActionAction is not preConfiguredTunnel, this attribute 1340 MUST be ignored. " 1341 ::= { ipSecStaticActionEntry 4 } 1343 ipSecStaticActionSpi OBJECT-TYPE 1344 SYNTAX Unsigned32 1346 Li, et al Expires October 2004 25 1347 STATUS current 1348 DESCRIPTION 1349 "Specifies the Security Parameter Index (SPI) to be used with the 1350 SA Transform identified by ipSecStaticActionSaTransformId. 1352 When ipSecStaticActionAction is neither 1353 preConfiguredTransportAction nor preConfiguredTunnelAction, this 1354 attribute MUST be ignored." 1355 ::= { ipSecStaticActionEntry 5 } 1357 ipSecStaticActionLifetimeSeconds OBJECT-TYPE 1358 SYNTAX Unsigned32 1359 UNITS "seconds" 1360 STATUS current 1361 DESCRIPTION 1362 "Specifies the amount of time (in seconds) that a security 1363 association derived from this action should be used. When 1364 ipSecStaticActionAction is neither preConfiguredTransportAction 1365 nor preConfiguredTunnelAction, this attribute MUST be ignored. 1367 A value of zero indicates that there is not a lifetime in seconds 1368 associated with this action (i.e., infinite lifetime in seconds). 1369 This is consistent with [RFC3585]. 
1371 The actual lifetime of the preconfigured SA will be the smallest 1372 of the value of this LifetimeSeconds property and of the value of 1373 the MaxLifetimeSeconds property of the associated SA Transform. 1374 Except if the value of this LifetimeSeconds property is zero, then 1375 there will be no lifetime associated to this SA. 1377 When both the LifetimeSeconds and LifetimeKilobytes are used, the 1378 first lifetime to expire takes precedence." 1379 ::= { ipSecStaticActionEntry 6 } 1381 ipSecStaticActionLifetimeKilobytes OBJECT-TYPE 1382 SYNTAX Unsigned64 1383 UNITS "kilobytes" 1384 STATUS current 1385 DESCRIPTION 1386 "Specifies the SA lifetime in kilobytes. When 1387 ipSecStaticActionAction is neither preConfiguredTransportAction 1388 nor preConfiguredTunnelAction, this attribute MUST be ignored. 1390 A value of zero indicates that there is not a lifetime in byte 1391 count associated with this action (i.e., infinite lifetime in byte 1392 count). This is consistent with [RFC3585]. 1394 The actual lifetime of the preconfigured SA will be the smallest 1395 of the value of this LifetimeKilobytes property and of the value 1396 of the MaxLifetimeKilobytes property of the associated SA 1397 transform. Except if the value of this LifetimeKilobytes property 1398 is zero, then there will be no lifetime associated with this 1399 action. 1401 Li, et al Expires October 2004 26 1402 When both the LifetimeSeconds and LifetimeKilobytes are used, the 1403 first lifetime to expire takes precedence. 1404 " 1405 ::= { ipSecStaticActionEntry 7 } 1407 ipSecStaticActionSaTransformId OBJECT-TYPE 1408 SYNTAX Prid 1409 STATUS current 1410 DESCRIPTION 1411 "A pointer to a valid instance in another table that describes an 1412 SA transform, e.g, ipSecEspTransformTable, ipSecAhTransformTable." 
1413 ::= { ipSecStaticActionEntry 8 } 1415 -- 1416 -- 1417 -- The ipSecNegotiationActionTable 1418 -- 1420 ipSecNegotiationActionTable OBJECT-TYPE 1421 SYNTAX SEQUENCE OF IpSecNegotiationActionEntry 1422 PIB-ACCESS install 1423 STATUS current 1424 DESCRIPTION 1425 "Specifies IPsec negotiation actions." 1426 ::= { ipSecAssociation 4 } 1428 ipSecNegotiationActionEntry OBJECT-TYPE 1429 SYNTAX IpSecNegotiationActionEntry 1430 STATUS current 1431 DESCRIPTION 1432 "Specifies an instance of this class" 1433 PIB-INDEX { ipSecNegotiationActionPrid } 1434 UNIQUENESS { 1435 ipSecNegotiationActionAction, 1436 ipSecNegotiationActionTunnelEndpointId, 1437 ipSecNegotiationActionDfHandling, 1438 ipSecNegotiationActionIpSecAssociationId, 1439 ipSecNegotiationActionKeyExchangeId 1440 } 1441 ::= { ipSecNegotiationActionTable 1 } 1443 IpSecNegotiationActionEntry ::= SEQUENCE { 1444 ipSecNegotiationActionPrid InstanceId, 1445 ipSecNegotiationActionAction IpSecActionTC, 1446 ipSecNegotiationActionTunnelEndpointId ReferenceId, 1447 ipSecNegotiationActionDfHandling IpSecDFBitTC, 1448 ipSecNegotiationActionIpSecAssociationId ReferenceId, 1449 ipSecNegotiationActionKeyExchangeId Prid 1450 } 1452 ipSecNegotiationActionPrid OBJECT-TYPE 1454 Li, et al Expires October 2004 27 1455 SYNTAX InstanceId 1456 STATUS current 1457 DESCRIPTION 1458 "An integer index that uniquely identifies an instance of this 1459 class." 1460 ::= { ipSecNegotiationActionEntry 1 } 1462 ipSecNegotiationActionAction OBJECT-TYPE 1463 SYNTAX IpSecActionTC 1464 STATUS current 1465 DESCRIPTION 1466 "Specifies the IPsec action to be applied to the traffic. If 1467 tunnel (2) is specified, ipSecActionTunnelEndpointId MUST also be 1468 specified." 
1469 ::= { ipSecNegotiationActionEntry 2 } 1471 ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE 1472 SYNTAX ReferenceId 1473 PIB-REFERENCES {ipSecAddressEntry } 1474 STATUS current 1475 DESCRIPTION 1476 "When ipSecActionAction is tunnel (2), this attribute indicates 1477 the peer gateway IP address. This address MUST be a single 1478 endpoint address. 1480 When ipSecActionAction is not tunnel, this attribute MUST be 1481 zero." 1482 ::= { ipSecNegotiationActionEntry 3 } 1484 ipSecNegotiationActionDfHandling OBJECT-TYPE 1485 SYNTAX IpSecDFBitTC 1486 STATUS current 1487 DESCRIPTION 1488 "When ipSecActionAction is tunnel, this attribute specifies how 1489 the DF bit is managed. When ipSecActionAction is not tunnel, this 1490 attribute MUST be ignored. " 1491 ::= { ipSecNegotiationActionEntry 4 } 1493 ipSecNegotiationActionIpSecAssociationId OBJECT-TYPE 1494 SYNTAX ReferenceId 1495 PIB-REFERENCES {ipSecAssociationEntry } 1496 STATUS current 1497 DESCRIPTION 1498 "Pointer to a valid instance in the ipSecAssociationTable." 1499 ::= { ipSecNegotiationActionEntry 5 } 1501 ipSecNegotiationActionKeyExchangeId OBJECT-TYPE 1502 SYNTAX Prid 1503 STATUS current 1504 DESCRIPTION 1505 "A pointer to a valid instance in another table that describes key 1506 exchange associations. If a single IKEv1 phase one negotiation is 1507 used for the key exchange, this attribute MUST point to an 1509 Li, et al Expires October 2004 28 1510 instance in the ipSecIkeAssociationTable. If multiple IKEv1 phase 1511 one negotiations (e.g., with different modes) are to be tried 1512 until success, this attribute SHOULD point to ipSecIkeRuleTable. 1514 For other key exchange methods, this attribute may point to an 1515 instance of a PRC defined in some other PIB. 1517 A value of zeroDotZero means that there is no key exchange 1518 procedure associated." 
1519 ::= { ipSecNegotiationActionEntry 6 } 1521 -- 1522 -- 1523 -- The ipSecAssociationTable 1524 -- 1526 ipSecAssociationTable OBJECT-TYPE 1527 SYNTAX SEQUENCE OF IpSecAssociationEntry 1528 PIB-ACCESS install 1529 STATUS current 1530 DESCRIPTION 1531 "Specifies IPsec associations." 1532 ::= { ipSecAssociation 5 } 1534 ipSecAssociationEntry OBJECT-TYPE 1535 SYNTAX IpSecAssociationEntry 1536 STATUS current 1537 DESCRIPTION 1538 "Specifies an instance of this class" 1539 PIB-INDEX { ipSecAssociationPrid } 1540 UNIQUENESS { 1541 ipSecAssociationMinLifetimeSeconds, 1542 ipSecAssociationMinLifetimeKilobytes, 1543 ipSecAssociationIdleDurationSeconds, 1544 ipSecAssociationUsePfs, 1545 ipSecAssociationUseKeyExchangeGroup, 1546 ipSecAssociationDhGroup, 1547 ipSecAssociationGranularity, 1548 ipSecAssociationProposalSetId 1549 } 1550 ::= { ipSecAssociationTable 1 } 1552 IpSecAssociationEntry ::= SEQUENCE { 1553 ipSecAssociationPrid InstanceId, 1554 ipSecAssociationMinLifetimeSeconds Unsigned32, 1555 ipSecAssociationMinLifetimeKilobytes Unsigned64, 1556 ipSecAssociationIdleDurationSeconds Unsigned32, 1557 ipSecAssociationUsePfs TruthValue, 1558 ipSecAssociationUseKeyExchangeGroup TruthValue, 1559 ipSecAssociationDhGroup IkeGroupDescription, 1560 ipSecAssociationGranularity IpSecGranularityTC, 1561 ipSecAssociationProposalSetId TagReferenceId 1563 Li, et al Expires October 2004 29 1564 } 1566 ipSecAssociationPrid OBJECT-TYPE 1567 SYNTAX InstanceId 1568 STATUS current 1569 DESCRIPTION 1570 "An integer index that uniquely identifies an instance of this 1571 class." 1572 ::= { ipSecAssociationEntry 1 } 1574 ipSecAssociationMinLifetimeSeconds OBJECT-TYPE 1575 SYNTAX Unsigned32 1576 UNITS "seconds" 1577 STATUS current 1578 DESCRIPTION 1579 "Specifies the minimum SA seconds lifetime that will be accepted 1580 from a peer while negotiating an SA based upon this action. 1581 A value of zero indicates that there is no minimum lifetime in 1582 seconds enforced. 
            This is consistent with [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecAssociationEntry 2 }

    ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
        SYNTAX Unsigned64
        UNITS "kilobytes"
        STATUS current
        DESCRIPTION
            "Specifies the minimum kilobyte lifetime that will be accepted
            from a negotiating peer while negotiating an SA based upon this
            action. A value of zero indicates that there is no minimum
            lifetime in byte count enforced. This is consistent with
            [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecAssociationEntry 3 }

    ipSecAssociationIdleDurationSeconds OBJECT-TYPE
        SYNTAX Unsigned32
        UNITS "seconds"
        STATUS current
        DESCRIPTION
            "Specifies how long, in seconds, a security association may remain
            unused before it is deleted.

            A value of zero indicates that idle detection should not be used
            for the security association (only the seconds and kilobyte
            lifetimes will be used). This is consistent with [RFC3585]."
        ::= { ipSecAssociationEntry 4 }

    ipSecAssociationUsePfs OBJECT-TYPE
        SYNTAX TruthValue
        STATUS current
        DESCRIPTION
            "Specifies whether or not to use PFS when refreshing keys."
        ::= { ipSecAssociationEntry 5 }

    ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
        SYNTAX TruthValue
        STATUS current
        DESCRIPTION
            "Specifies whether or not to use the same GroupId for phase 2 as
            was used in phase 1. If UsePfs is false, then this attribute is
            ignored.

            A value of true indicates that the phase 2 GroupId should be the
            same as phase 1. A value of false indicates that the group number
            specified by the ipSecAssociationDhGroup attribute SHALL be used
            for phase 2.
" 1636 ::= { ipSecAssociationEntry 6 } 1638 ipSecAssociationDhGroup OBJECT-TYPE 1639 SYNTAX IkeGroupDescription 1640 STATUS current 1641 DESCRIPTION 1642 "Specifies the key exchange group to use for phase 2 when the 1643 property ipSecAssociationUsePfs is true and the property 1644 ipSecAssociationUseKeyExchangeGroup is false. 1646 " 1647 ::= { ipSecAssociationEntry 7 } 1649 ipSecAssociationGranularity OBJECT-TYPE 1650 SYNTAX IpSecGranularityTC 1651 STATUS current 1652 DESCRIPTION 1653 "Specifies how the proposed selector for the security association 1654 will be created." 1655 ::= { ipSecAssociationEntry 8 } 1657 ipSecAssociationProposalSetId OBJECT-TYPE 1658 SYNTAX TagReferenceId 1659 PIB-TAG { ipSecProposalSetProposalSetId } 1660 STATUS current 1661 DESCRIPTION 1662 "Identifies a set of IPsec proposals that is associated with this 1663 IPsec association." 1664 ::= { ipSecAssociationEntry 9 } 1666 -- 1667 -- 1668 -- The ipSecProposalSetTable 1670 Li, et al Expires October 2004 31 1671 -- 1673 ipSecProposalSetTable OBJECT-TYPE 1674 SYNTAX SEQUENCE OF IpSecProposalSetEntry 1675 PIB-ACCESS install 1676 STATUS current 1677 DESCRIPTION 1678 "Specifies IPsec proposal sets. Proposals within a set are ORed 1679 with preference order. " 1680 ::= { ipSecAssociation 6 } 1682 ipSecProposalSetEntry OBJECT-TYPE 1683 SYNTAX IpSecProposalSetEntry 1684 STATUS current 1685 DESCRIPTION 1686 "Specifies an instance of this class" 1687 PIB-INDEX { ipSecProposalSetPrid } 1688 UNIQUENESS { 1689 ipSecProposalSetProposalSetId, 1690 ipSecProposalSetOrder 1691 } 1692 ::= { ipSecProposalSetTable 1 } 1694 IpSecProposalSetEntry ::= SEQUENCE { 1695 ipSecProposalSetPrid InstanceId, 1696 ipSecProposalSetProposalSetId TagId, 1697 ipSecProposalSetProposalId ReferenceId, 1698 ipSecProposalSetOrder IpSecOrderTC 1699 } 1701 ipSecProposalSetPrid OBJECT-TYPE 1702 SYNTAX InstanceId 1703 STATUS current 1704 DESCRIPTION 1705 "An integer index that uniquely identifies an instance of this 1706 class." 
        ::= { ipSecProposalSetEntry 1 }

    ipSecProposalSetProposalSetId OBJECT-TYPE
        SYNTAX TagId
        STATUS current
        DESCRIPTION
            "An IPsec proposal set is composed of one or more IPsec proposals.
            Proposals belonging to the same set have the same ProposalSetId."
        ::= { ipSecProposalSetEntry 2 }

    ipSecProposalSetProposalId OBJECT-TYPE
        SYNTAX ReferenceId
        PIB-REFERENCES { ipSecProposalEntry }
        STATUS current
        DESCRIPTION
            "A pointer to a valid instance in the ipSecProposalTable."
        ::= { ipSecProposalSetEntry 3 }

    ipSecProposalSetOrder OBJECT-TYPE
        SYNTAX IpSecOrderTC
        STATUS current
        DESCRIPTION
            "An integer that specifies the precedence order of the proposal
            identified by ipSecProposalSetProposalId in a proposal set. The
            proposal set is identified by ipSecProposalSetProposalSetId.
            Proposals within a set are ORed with preference order."
        ::= { ipSecProposalSetEntry 4 }

    --
    --
    -- The ipSecProposalTable
    --

    ipSecProposalTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecProposalEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies IPsec proposals. It has references to Encapsulating
            Security Payload (ESP), Authentication Header (AH) and IP Payload
            Compression Protocol (COMP) transform sets. Within a proposal,
            different types of transforms are ANDed. Multiple transforms of
            the same type are ORed with preference order."
        ::= { ipSecAssociation 7 }

    ipSecProposalEntry OBJECT-TYPE
        SYNTAX IpSecProposalEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecProposalPrid }
        UNIQUENESS {
            ipSecProposalEspTransformSetId,
            ipSecProposalAhTransformSetId,
            ipSecProposalCompTransformSetId
        }
        ::= { ipSecProposalTable 1 }

    IpSecProposalEntry ::= SEQUENCE {
        ipSecProposalPrid                InstanceId,
        ipSecProposalEspTransformSetId   TagReferenceId,
        ipSecProposalAhTransformSetId    TagReferenceId,
        ipSecProposalCompTransformSetId  TagReferenceId
    }

    ipSecProposalPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
        ::= { ipSecProposalEntry 1 }

    ipSecProposalEspTransformSetId OBJECT-TYPE
        SYNTAX TagReferenceId
        PIB-TAG { ipSecEspTransformSetTransformSetId }
        STATUS current
        DESCRIPTION
            "An integer that identifies a set of ESP transforms, specified in
            ipSecEspTransformSetTable, that is associated with this proposal."
        ::= { ipSecProposalEntry 2 }

    ipSecProposalAhTransformSetId OBJECT-TYPE
        SYNTAX TagReferenceId
        PIB-TAG { ipSecAhTransformSetTransformSetId }
        STATUS current
        DESCRIPTION
            "An integer that identifies a set of AH transforms, specified in
            ipSecAhTransformSetTable, that is associated with this proposal."
        ::= { ipSecProposalEntry 3 }

    ipSecProposalCompTransformSetId OBJECT-TYPE
        SYNTAX TagReferenceId
        PIB-TAG { ipSecCompTransformSetTransformSetId }
        STATUS current
        DESCRIPTION
            "An integer that identifies a set of IPComp transforms, specified
            in ipSecCompTransformSetTable, that is associated with this
            proposal."
        ::= { ipSecProposalEntry 4 }

    --
    --
    -- The ipSecAhTransformSetTable
    --

    ipSecAhTransformSetTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies AH transform sets. Within a transform set, the
            transforms are ORed with preference order."
        ::= { ipSecAhTransform 1 }

    ipSecAhTransformSetEntry OBJECT-TYPE
        SYNTAX IpSecAhTransformSetEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecAhTransformSetPrid }
        UNIQUENESS {
            ipSecAhTransformSetTransformSetId,
            ipSecAhTransformSetOrder
        }
        ::= { ipSecAhTransformSetTable 1 }

    IpSecAhTransformSetEntry ::= SEQUENCE {
        ipSecAhTransformSetPrid            InstanceId,
        ipSecAhTransformSetTransformSetId  TagId,
        ipSecAhTransformSetTransformId     ReferenceId,
        ipSecAhTransformSetOrder           IpSecOrderTC
    }

    ipSecAhTransformSetPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
        ::= { ipSecAhTransformSetEntry 1 }

    ipSecAhTransformSetTransformSetId OBJECT-TYPE
        SYNTAX TagId
        STATUS current
        DESCRIPTION
            "An AH transform set is composed of one or more AH transforms.
            Transforms belonging to the same set have the same
            TransformSetId."
        ::= { ipSecAhTransformSetEntry 2 }

    ipSecAhTransformSetTransformId OBJECT-TYPE
        SYNTAX ReferenceId
        PIB-REFERENCES { ipSecAhTransformEntry }
        STATUS current
        DESCRIPTION
            "A pointer to a valid instance in the ipSecAhTransformTable."
        ::= { ipSecAhTransformSetEntry 3 }

    ipSecAhTransformSetOrder OBJECT-TYPE
        SYNTAX IpSecOrderTC
        STATUS current
        DESCRIPTION
            "An integer that specifies the precedence order of the transform
            identified by ipSecAhTransformSetTransformId within a transform
            set. The transform set is identified by
            ipSecAhTransformSetTransformSetId. Transforms within a set are
            ORed with preference order."
        ::= { ipSecAhTransformSetEntry 4 }

    --
    --
    -- The ipSecAhTransformTable
    --

    ipSecAhTransformTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecAhTransformEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies AH transforms."
        ::= { ipSecAhTransform 2 }

    ipSecAhTransformEntry OBJECT-TYPE
        SYNTAX IpSecAhTransformEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecAhTransformPrid }
        UNIQUENESS {
            ipSecAhTransformTransformId,
            ipSecAhTransformIntegrityKey,
            ipSecAhTransformUseReplayPrevention,
            ipSecAhTransformReplayPreventionWindowSize,
            ipSecAhTransformMaxLifetimeSeconds,
            ipSecAhTransformMaxLifetimeKilobytes
        }
        ::= { ipSecAhTransformTable 1 }

    IpSecAhTransformEntry ::= SEQUENCE {
        ipSecAhTransformPrid                        InstanceId,
        ipSecAhTransformTransformId                 IpsecDoiAuthAlgorithm,
        ipSecAhTransformIntegrityKey                OCTET STRING,
        ipSecAhTransformUseReplayPrevention         TruthValue,
        ipSecAhTransformReplayPreventionWindowSize  Unsigned32,
        ipSecAhTransformMaxLifetimeSeconds          Unsigned32,
        ipSecAhTransformMaxLifetimeKilobytes        Unsigned64
    }

    ipSecAhTransformPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class.
" 1929 ::= { ipSecAhTransformEntry 1 } 1931 ipSecAhTransformTransformId OBJECT-TYPE 1932 SYNTAX IpsecDoiAuthAlgorithm 1933 STATUS current 1934 DESCRIPTION 1935 "Specifies the transform ID of the AH algorithm to propose." 1936 ::= { ipSecAhTransformEntry 2 } 1938 ipSecAhTransformIntegrityKey OBJECT-TYPE 1939 SYNTAX OCTET STRING 1941 Li, et al Expires October 2004 36 1942 STATUS current 1943 DESCRIPTION 1944 "When this AH transform instance is used for a Static Action, this 1945 attribute specifies the integrity key to be used. This attribute 1946 MUST be ignored when this AH transform instance is used for a 1947 Negotiation Action." 1948 ::= { ipSecAhTransformEntry 3 } 1950 ipSecAhTransformUseReplayPrevention OBJECT-TYPE 1951 SYNTAX TruthValue 1952 STATUS current 1953 DESCRIPTION 1954 "Specifies whether to enable replay prevention detection." 1955 ::= { ipSecAhTransformEntry 4 } 1957 ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE 1958 SYNTAX Unsigned32 1959 UNITS "bits" 1960 STATUS current 1961 DESCRIPTION 1962 "Specifies, in bits, the length of the sliding window used by the 1963 replay prevention detection mechanism. The value of this property 1964 is ignored if UseReplayPrevention is false. It is assumed that the 1965 window size will take a value that is a power of 2." 1966 ::= { ipSecAhTransformEntry 5 } 1968 ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE 1969 SYNTAX Unsigned32 1970 UNITS "seconds" 1971 STATUS current 1972 DESCRIPTION 1973 "Specifies the maximum amount of time to propose for a security 1974 association to remain valid. 1976 A value of zero indicates that the default of 8 hours be used. A 1977 non-zero value indicates the maximum seconds lifetime. This is 1978 consistent with [RFC3585]. 1980 When both the LifetimeSeconds and LifetimeKilobytes are used, the 1981 first lifetime to expire takes precedence." 
        ::= { ipSecAhTransformEntry 6 }

    ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
        SYNTAX Unsigned64
        UNITS "kilobytes"
        STATUS current
        DESCRIPTION
            "Specifies the maximum kilobyte lifetime to propose for a security
            association to remain valid.

            A value of zero indicates that there should be no maximum kilobyte
            lifetime. A non-zero value specifies the desired kilobyte
            lifetime. This is consistent with [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecAhTransformEntry 7 }

    --
    --
    -- The ipSecEspTransformSetTable
    --

    ipSecEspTransformSetTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies ESP transform sets. Within a transform set, the choices
            are ORed with preference order."
        ::= { ipSecEspTransform 1 }

    ipSecEspTransformSetEntry OBJECT-TYPE
        SYNTAX IpSecEspTransformSetEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecEspTransformSetPrid }
        UNIQUENESS {
            ipSecEspTransformSetTransformSetId,
            ipSecEspTransformSetOrder
        }
        ::= { ipSecEspTransformSetTable 1 }

    IpSecEspTransformSetEntry ::= SEQUENCE {
        ipSecEspTransformSetPrid            InstanceId,
        ipSecEspTransformSetTransformSetId  TagId,
        ipSecEspTransformSetTransformId     ReferenceId,
        ipSecEspTransformSetOrder           IpSecOrderTC
    }

    ipSecEspTransformSetPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
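The lifetime and PFS attributes above (ipSecAssociationMinLifetime*, ipSecAssociationIdleDurationSeconds, ipSecAssociationUsePfs / UseKeyExchangeGroup / DhGroup, and the ipSecAhTransformMaxLifetime* attributes, which the ESP and IPComp transform classes repeat with the same zero-value semantics) describe three distinct decisions: what an initiator proposes, what a responder will accept, and when an installed SA is torn down. The following Python is an added example, not part of the draft or of any PIB implementation; the dataclasses are constructed stand-ins for the PRCs with the table prefix dropped from the attribute names, and the sample values are invented for the example.

```python
from dataclasses import dataclass

# Draft: a zero MaxLifetimeSeconds means "use the default of 8 hours".
DEFAULT_MAX_SECONDS = 8 * 3600


@dataclass
class AssociationPolicy:          # constructed stand-in for ipSecAssociationEntry
    min_lifetime_seconds: int     # 0 = no minimum enforced
    min_lifetime_kilobytes: int   # 0 = no minimum enforced
    idle_duration_seconds: int    # 0 = no idle detection
    use_pfs: bool
    use_key_exchange_group: bool  # ignored when use_pfs is False
    dh_group: int                 # IkeGroupDescription; used only if use_pfs and not use_key_exchange_group


@dataclass
class TransformPolicy:            # lifetime attributes of ipSec{Ah,Esp,Comp}TransformEntry
    max_lifetime_seconds: int     # 0 = default of 8 hours
    max_lifetime_kilobytes: int   # 0 = no kilobyte lifetime proposed


def lifetimes_to_propose(t: TransformPolicy):
    """Initiator side: the (seconds, kilobytes) lifetime this transform proposes.

    kilobytes is None when no byte-count lifetime is to be proposed at all.
    """
    seconds = t.max_lifetime_seconds or DEFAULT_MAX_SECONDS
    kilobytes = t.max_lifetime_kilobytes or None
    return seconds, kilobytes


def peer_lifetime_acceptable(a: AssociationPolicy, peer_seconds, peer_kilobytes):
    """Responder side: refuse SA lifetimes shorter than the configured minimum.

    A zero minimum disables the corresponding check. A peer that proposes no
    kilobyte lifetime (None) is treated as unlimited, so it cannot fall below
    a kilobyte minimum (assumption of this example; the draft does not say).
    """
    if a.min_lifetime_seconds and peer_seconds < a.min_lifetime_seconds:
        return False
    if (a.min_lifetime_kilobytes and peer_kilobytes is not None
            and peer_kilobytes < a.min_lifetime_kilobytes):
        return False
    return True


def phase2_dh_group(a: AssociationPolicy, phase1_group):
    """Group for the PFS exchange in phase 2: None when PFS is off."""
    if not a.use_pfs:
        return None
    if a.use_key_exchange_group:
        return phase1_group          # reuse the phase 1 group
    return a.dh_group                # otherwise the explicitly configured group


def sa_expired(a: AssociationPolicy, seconds_limit, kilobytes_limit,
               age_seconds, kilobytes_sent, idle_seconds):
    """Whichever negotiated limit is reached first ends the SA.

    The idle limit comes from the association policy and applies only when
    ipSecAssociationIdleDurationSeconds is non-zero.
    """
    if age_seconds >= seconds_limit:
        return True
    if kilobytes_limit is not None and kilobytes_sent >= kilobytes_limit:
        return True
    if a.idle_duration_seconds and idle_seconds >= a.idle_duration_seconds:
        return True
    return False
```

Note that the minimum is checked against what the peer proposes, while the maximum only shapes the local proposal; a responder that wants a hard upper bound has to trim the peer's value when it replies, which is outside what these attributes express.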
        ::= { ipSecEspTransformSetEntry 1 }

    ipSecEspTransformSetTransformSetId OBJECT-TYPE
        SYNTAX TagId
        STATUS current
        DESCRIPTION
            "An ESP transform set is composed of one or more ESP transforms.
            Transforms belonging to the same set have the same
            TransformSetId."
        ::= { ipSecEspTransformSetEntry 2 }

    ipSecEspTransformSetTransformId OBJECT-TYPE
        SYNTAX ReferenceId
        PIB-REFERENCES { ipSecEspTransformEntry }
        STATUS current
        DESCRIPTION
            "A pointer to a valid instance in the ipSecEspTransformTable."
        ::= { ipSecEspTransformSetEntry 3 }

    ipSecEspTransformSetOrder OBJECT-TYPE
        SYNTAX IpSecOrderTC
        STATUS current
        DESCRIPTION
            "An integer that specifies the precedence order of the transform
            identified by ipSecEspTransformSetTransformId within a transform
            set. The transform set is identified by
            ipSecEspTransformSetTransformSetId. Transforms within a set are
            ORed with preference order."
        ::= { ipSecEspTransformSetEntry 4 }

    --
    --
    -- The ipSecEspTransformTable
    --

    ipSecEspTransformTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecEspTransformEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies ESP transforms."
        ::= { ipSecEspTransform 2 }

    ipSecEspTransformEntry OBJECT-TYPE
        SYNTAX IpSecEspTransformEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecEspTransformPrid }
        UNIQUENESS {
            ipSecEspTransformIntegrityTransformId,
            ipSecEspTransformCipherTransformId,
            ipSecEspTransformIntegrityKey,
            ipSecEspTransformCipherKey,
            ipSecEspTransformCipherKeyRounds,
            ipSecEspTransformCipherKeyLength,
            ipSecEspTransformUseReplayPrevention,
            ipSecEspTransformReplayPreventionWindowSize,
            ipSecEspTransformMaxLifetimeSeconds,
            ipSecEspTransformMaxLifetimeKilobytes
        }
        ::= { ipSecEspTransformTable 1 }

    IpSecEspTransformEntry ::= SEQUENCE {
        ipSecEspTransformPrid                        InstanceId,
        ipSecEspTransformIntegrityTransformId        IpsecDoiAuthAlgorithm,
        ipSecEspTransformCipherTransformId           IpsecDoiEspTransform,
        ipSecEspTransformIntegrityKey                OCTET STRING,
        ipSecEspTransformCipherKey                   OCTET STRING,
        ipSecEspTransformCipherKeyRounds             Unsigned16TC,
        ipSecEspTransformCipherKeyLength             Unsigned16TC,
        ipSecEspTransformUseReplayPrevention         TruthValue,
        ipSecEspTransformReplayPreventionWindowSize  Unsigned32,
        ipSecEspTransformMaxLifetimeSeconds          Unsigned32,
        ipSecEspTransformMaxLifetimeKilobytes        Unsigned64
    }

    ipSecEspTransformPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
        ::= { ipSecEspTransformEntry 1 }

    ipSecEspTransformIntegrityTransformId OBJECT-TYPE
        SYNTAX IpsecDoiAuthAlgorithm
        STATUS current
        DESCRIPTION
            "Specifies the transform ID of the ESP integrity algorithm to
            propose."
        ::= { ipSecEspTransformEntry 2 }

    ipSecEspTransformCipherTransformId OBJECT-TYPE
        SYNTAX IpsecDoiEspTransform
        STATUS current
        DESCRIPTION
            "Specifies the transform ID of the ESP encryption algorithm to
            propose."
        ::= { ipSecEspTransformEntry 3 }

    ipSecEspTransformIntegrityKey OBJECT-TYPE
        SYNTAX OCTET STRING
        STATUS current
        DESCRIPTION
            "When this ESP transform instance is used for a Static Action,
            this attribute specifies the integrity key to be used. This
            attribute MUST be ignored when this ESP transform instance is used
            for a Negotiation Action."
        ::= { ipSecEspTransformEntry 4 }

    ipSecEspTransformCipherKey OBJECT-TYPE
        SYNTAX OCTET STRING
        STATUS current
        DESCRIPTION
            "When this ESP transform instance is used for a Static Action,
            this attribute specifies the cipher key to be used. This attribute
            MUST be ignored when this ESP transform instance is used for a
            Negotiation Action."
        ::= { ipSecEspTransformEntry 5 }

    ipSecEspTransformCipherKeyRounds OBJECT-TYPE
        SYNTAX Unsigned16TC
        STATUS current
        DESCRIPTION
            "Specifies the number of key rounds for the ESP encryption
            algorithm. For encryption algorithms that use a fixed number of
            key rounds, this value is ignored."
        ::= { ipSecEspTransformEntry 6 }

    ipSecEspTransformCipherKeyLength OBJECT-TYPE
        SYNTAX Unsigned16TC
        UNITS "bits"
        STATUS current
        DESCRIPTION
            "Specifies, in bits, the key length for the ESP encryption
            algorithm. For encryption algorithms that use fixed-length keys,
            this value is ignored."
        ::= { ipSecEspTransformEntry 7 }

    ipSecEspTransformUseReplayPrevention OBJECT-TYPE
        SYNTAX TruthValue
        STATUS current
        DESCRIPTION
            "Specifies whether to enable replay prevention detection."
        ::= { ipSecEspTransformEntry 8 }

    ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
        SYNTAX Unsigned32
        UNITS "bits"
        STATUS current
        DESCRIPTION
            "Specifies, in bits, the length of the sliding window used by the
            replay prevention detection mechanism. The value of this property
            is ignored if UseReplayPrevention is false. It is assumed that the
            window size will take a value that is a power of 2."
        ::= { ipSecEspTransformEntry 9 }

    ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
        SYNTAX Unsigned32
        UNITS "seconds"
        STATUS current
        DESCRIPTION
            "Specifies the maximum amount of time to propose for a security
            association to remain valid.

            A value of zero indicates that the default of 8 hours be used. A
            non-zero value indicates the maximum seconds lifetime. This is
            consistent with [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecEspTransformEntry 10 }

    ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
        SYNTAX Unsigned64
        UNITS "kilobytes"
        STATUS current
        DESCRIPTION
            "Specifies the maximum kilobyte lifetime to propose for a security
            association to remain valid.

            A value of zero indicates that there should be no maximum kilobyte
            lifetime. A non-zero value specifies the desired kilobyte
            lifetime. This is consistent with [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecEspTransformEntry 11 }

    --
    --
    -- The ipSecCompTransformSetTable
    --

    ipSecCompTransformSetTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies IP COMP transform sets.
            Within a transform set, the choices are ORed with preference
            order."
        ::= { ipSecCompTransform 1 }

    ipSecCompTransformSetEntry OBJECT-TYPE
        SYNTAX IpSecCompTransformSetEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecCompTransformSetPrid }
        UNIQUENESS {
            ipSecCompTransformSetTransformSetId,
            ipSecCompTransformSetOrder
        }
        ::= { ipSecCompTransformSetTable 1 }

    IpSecCompTransformSetEntry ::= SEQUENCE {
        ipSecCompTransformSetPrid            InstanceId,
        ipSecCompTransformSetTransformSetId  TagId,
        ipSecCompTransformSetTransformId     ReferenceId,
        ipSecCompTransformSetOrder           IpSecOrderTC
    }

    ipSecCompTransformSetPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
        ::= { ipSecCompTransformSetEntry 1 }

    ipSecCompTransformSetTransformSetId OBJECT-TYPE
        SYNTAX TagId
        STATUS current
        DESCRIPTION
            "An IP COMP transform set is composed of one or more IP COMP
            transforms. Transforms belonging to the same set have the same
            TransformSetId."
        ::= { ipSecCompTransformSetEntry 2 }

    ipSecCompTransformSetTransformId OBJECT-TYPE
        SYNTAX ReferenceId
        PIB-REFERENCES { ipSecCompTransformEntry }
        STATUS current
        DESCRIPTION
            "A pointer to a valid instance in the ipSecCompTransformTable."
        ::= { ipSecCompTransformSetEntry 3 }

    ipSecCompTransformSetOrder OBJECT-TYPE
        SYNTAX IpSecOrderTC
        STATUS current
        DESCRIPTION
            "An integer that specifies the precedence order of the transform
            identified by ipSecCompTransformSetTransformId within a transform
            set. The transform set is identified by
            ipSecCompTransformSetTransformSetId. Transforms within a set are
            ORed with preference order."
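The proposal-set, proposal and transform-set classes above (ipSecProposalSetTable through ipSecCompTransformSetTable) encode an AND/OR tree: proposals in a set are ORed by ipSecProposalSetOrder, the ESP, AH and IPComp transform sets referenced by one proposal are ANDed, and the transforms inside each set are ORed by their Order. The Python below is an added example, not part of the draft, that flattens such a tree into the ordered list of concrete alternatives a negotiator would offer and shows the matching responder-side choice. The table rows are constructed sample data keyed by the draft's attribute names; treating a TagReferenceId of 0 as "no transform set of that type", and letting the responder honour the initiator's order, are assumptions of the example rather than statements of the draft.

```python
from itertools import product

# Constructed sample rows modelled on the PIB classes above (example data, not
# from the draft). Each tuple follows the attribute order of its PRC with the
# Prid dropped. A TagReferenceId of 0 is taken here to mean "no transform set
# of that type" (assumption).

# ipSecProposalSetTable rows: (ProposalSetId, ProposalId, Order)
PROPOSAL_SET = [
    (1, 20, 2),  # second preference
    (1, 10, 1),  # first preference: Order decides, not row position
]

# ipSecProposalTable: Prid -> (EspTransformSetId, AhTransformSetId, CompTransformSetId)
PROPOSALS = {
    10: (100, 0, 300),  # ESP AND IPComp
    20: (0, 200, 0),    # AH only
}

# ipSec{Esp,Ah,Comp}TransformSetTable rows: (TransformSetId, TransformId, Order)
ESP_SET = [(100, "esp-aes", 1), (100, "esp-3des", 2)]
AH_SET = [(200, "ah-hmac-sha1", 1), (200, "ah-hmac-md5", 2)]
COMP_SET = [(300, "comp-deflate", 1)]


def members_in_order(table, set_id):
    """Transforms of one set, ORed with preference order (lowest Order first)."""
    rows = [(order, tid) for (sid, tid, order) in table if sid == set_id]
    return [tid for _, tid in sorted(rows)]


def expand_proposal_set(set_id, proposal_set=PROPOSAL_SET, proposals=PROPOSALS,
                        esp=ESP_SET, ah=AH_SET, comp=COMP_SET):
    """Concrete alternatives to offer, most preferred first.

    Inside one proposal the transform types are ANDed, so every combination of
    one ESP, one AH and one IPComp choice is a distinct alternative; within a
    type the choices are ORed by Order, which product() preserves with ESP as
    the outermost loop. The proposals of the set are then concatenated by Order.
    """
    alternatives = []
    ordered = sorted((order, pid) for (sid, pid, order) in proposal_set if sid == set_id)
    for _, pid in ordered:
        esp_id, ah_id, comp_id = proposals[pid]
        esp_choices = members_in_order(esp, esp_id) if esp_id else [None]
        ah_choices = members_in_order(ah, ah_id) if ah_id else [None]
        comp_choices = members_in_order(comp, comp_id) if comp_id else [None]
        for e, a, c in product(esp_choices, ah_choices, comp_choices):
            alternatives.append({"proposal": pid, "esp": e, "ah": a, "comp": c})
    return alternatives


def select_responder_choice(local_set_id, peer_offer):
    """Responder side: accept the first of the peer's alternatives that local policy allows.

    peer_offer is the initiator's list of (esp, ah, comp) triples in the
    initiator's preference order, which this example honours (assumption).
    Returns None when nothing the peer offers is in the local tree.
    """
    allowed = {(alt["esp"], alt["ah"], alt["comp"]): alt
               for alt in expand_proposal_set(local_set_id)}
    for triple in peer_offer:
        if triple in allowed:
            return allowed[triple]
    return None
```

The expansion makes the UNIQUENESS clauses concrete: two rows with the same TransformSetId and Order would leave `sorted()` to break the tie by transform name, which is why the draft forbids that pair from repeating within a table.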
        ::= { ipSecCompTransformSetEntry 4 }

    --
    --
    -- The ipSecCompTransformTable
    --

    ipSecCompTransformTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecCompTransformEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies IP COMP algorithms."
        ::= { ipSecCompTransform 2 }

    ipSecCompTransformEntry OBJECT-TYPE
        SYNTAX IpSecCompTransformEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecCompTransformPrid }
        UNIQUENESS {
            ipSecCompTransformAlgorithm,
            ipSecCompTransformDictionarySize,
            ipSecCompTransformMaxLifetimeSeconds,
            ipSecCompTransformMaxLifetimeKilobytes
        }
        ::= { ipSecCompTransformTable 1 }

    IpSecCompTransformEntry ::= SEQUENCE {
        ipSecCompTransformPrid                  InstanceId,
        ipSecCompTransformAlgorithm             IpsecDoiIpcompTransform,
        ipSecCompTransformDictionarySize        Unsigned16TC,
        ipSecCompTransformMaxLifetimeSeconds    Unsigned32,
        ipSecCompTransformMaxLifetimeKilobytes  Unsigned64
    }

    ipSecCompTransformPrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
        ::= { ipSecCompTransformEntry 1 }

    ipSecCompTransformAlgorithm OBJECT-TYPE
        SYNTAX IpsecDoiIpcompTransform
        STATUS current
        DESCRIPTION
            "Specifies the transform ID of the IP COMP compression algorithm
            to propose."
        ::= { ipSecCompTransformEntry 2 }

    ipSecCompTransformDictionarySize OBJECT-TYPE
        SYNTAX Unsigned16TC
        STATUS current
        DESCRIPTION
            "Specifies the log2 of the maximum size of the dictionary for the
            compression algorithm. For compression algorithms that have
            pre-defined dictionary sizes, this value is ignored."
        ::= { ipSecCompTransformEntry 3 }

    ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
        SYNTAX Unsigned32
        UNITS "seconds"
        STATUS current
        DESCRIPTION
            "Specifies the maximum amount of time to propose for a security
            association to remain valid.

            A value of zero indicates that the default of 8 hours be used. A
            non-zero value indicates the maximum seconds lifetime. This is
            consistent with [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecCompTransformEntry 4 }

    ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
        SYNTAX Unsigned64
        UNITS "kilobytes"
        STATUS current
        DESCRIPTION
            "Specifies the maximum kilobyte lifetime to propose for a security
            association to remain valid.

            A value of zero indicates that there should be no maximum kilobyte
            lifetime. A non-zero value specifies the desired kilobyte
            lifetime. This is consistent with [RFC3585].

            When both the LifetimeSeconds and LifetimeKilobytes are used, the
            first lifetime to expire takes precedence."
        ::= { ipSecCompTransformEntry 5 }

    --
    --
    -- The ipSecIkeRuleTable
    --

    ipSecIkeRuleTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecIkeRuleEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies IKEv1 rules. This class is required only when
            specifying:

            - Multiple IKE phase one actions (e.g., with different exchange
              modes) that are associated with one IPsec association. These
              actions are to be tried in sequence until one succeeds.

            - IKE phase one actions that start automatically.

            For each entry:

            1. ipSecIkeRuleIfCapSetName must reference an existing capability
               set name in frwkCapabilitySetTable [RFC3318].

            2.
               ipSecIkeRuleRoles must reference an existing Role Combination
               in frwkRoleComboTable [RFC3318].

            If either of these requirements is not satisfied, the entry
            shall not be installed."
        ::= { ipSecIkeAssociation 1 }

    ipSecIkeRuleEntry OBJECT-TYPE
        SYNTAX IpSecIkeRuleEntry
        STATUS current
        DESCRIPTION
            "Specifies an instance of this class"
        PIB-INDEX { ipSecIkeRulePrid }
        UNIQUENESS {
            ipSecIkeRuleIfCapSetName,
            ipSecIkeRuleRoles,
            ipSecIkeRuleIkeActionSetId,
            ipSecIkeRuleActionExecutionStrategy,
            ipSecIkeRuleLimitNegotiation,
            ipSecIkeRuleAutoStart,
            ipSecIkeRuleIpSecRuleTimePeriodGroupId
        }
        ::= { ipSecIkeRuleTable 1 }

    IpSecIkeRuleEntry ::= SEQUENCE {
        ipSecIkeRulePrid                        InstanceId,
        ipSecIkeRuleIfCapSetName                SnmpAdminString,
        ipSecIkeRuleRoles                       RoleCombination,
        ipSecIkeRuleIkeActionSetId              TagReferenceId,
        ipSecIkeRuleActionExecutionStrategy     INTEGER,
        ipSecIkeRuleLimitNegotiation            INTEGER,
        ipSecIkeRuleAutoStart                   TruthValue,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId  TagReferenceId
    }

    ipSecIkeRulePrid OBJECT-TYPE
        SYNTAX InstanceId
        STATUS current
        DESCRIPTION
            "An integer index that uniquely identifies an instance of this
            class."
        ::= { ipSecIkeRuleEntry 1 }

    ipSecIkeRuleIfCapSetName OBJECT-TYPE
        SYNTAX SnmpAdminString
        STATUS current
        DESCRIPTION
            "The interface capability set to which this IKE rule applies. The
            interface capability name specified by this attribute must exist
            in the frwkCapabilitySetTable [RFC3318] prior to association with
            an instance of this class.

            This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
        ::= { ipSecIkeRuleEntry 2 }

    ipSecIkeRuleRoles OBJECT-TYPE
        SYNTAX RoleCombination
        STATUS current
        DESCRIPTION
            "Specifies the role combination of the interface to which this IKE
            rule should apply. There must exist an instance in the
            frwkRoleComboTable [RFC3318] specifying this role combination,
            together with the interface capability set specified by
            ipSecIkeRuleIfCapSetName, prior to association with an instance of
            this class.

            This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
        ::= { ipSecIkeRuleEntry 3 }

    ipSecIkeRuleIkeActionSetId OBJECT-TYPE
        SYNTAX TagReferenceId
        PIB-TAG { ipSecIkeActionSetActionSetId }
        STATUS current
        DESCRIPTION
            "Identifies a set of IKE actions to be associated with this rule."
        ::= { ipSecIkeRuleEntry 4 }

    ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
        SYNTAX INTEGER {
            doAll(1),
            doUntilSuccess(2)
        }
        STATUS current
        DESCRIPTION
            "Specifies the strategy to be used in executing the sequenced
            actions in the action set identified by
            ipSecIkeRuleIkeActionSetId.

            doAll(1) causes the execution of all the actions in the action
            set according to their defined precedence order. The precedence
            order is specified by ipSecIkeActionSetOrder in the
            ipSecIkeActionSetTable.

            doUntilSuccess(2) causes the execution of actions according to
            their defined precedence order until a single action executes
            successfully. The precedence order is specified by
            ipSecIkeActionSetOrder in the ipSecIkeActionSetTable."
        ::= { ipSecIkeRuleEntry 5 }

    ipSecIkeRuleLimitNegotiation OBJECT-TYPE
        SYNTAX INTEGER {
            initiator(1),
            responder(2),
            both(3)
        }
        STATUS current
        DESCRIPTION
            "Limits the negotiation method.
            Before proceeding with a phase 1 negotiation, this property is
            checked to determine if the negotiation role of the rule matches
            that defined for the negotiation being undertaken (e.g.,
            Initiator, Responder, or Both). If this check fails (e.g., the
            current role is IKE responder while the rule specifies IKE
            initiator), then the IKE negotiation is stopped. Note that this
            only applies to new IKE phase 1 negotiations and has no effect on
            either renegotiation or refresh operations with peers for which
            an established SA already exists."
        ::= { ipSecIkeRuleEntry 6 }

    ipSecIkeRuleAutoStart OBJECT-TYPE
        SYNTAX TruthValue
        STATUS current
        DESCRIPTION
            "Indicates if this rule should be automatically executed."
        ::= { ipSecIkeRuleEntry 7 }

    ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
        SYNTAX TagReferenceId
        PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
        STATUS current
        DESCRIPTION
            "Identifies a rule time period set, specified in
            ipSecRuleTimePeriodSetTable, that is associated with this rule.

            A value of zero indicates that this rule is always valid."
        ::= { ipSecIkeRuleEntry 8 }

    --
    --
    -- The ipSecIkeActionSetTable
    --

    ipSecIkeActionSetTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
        PIB-ACCESS install
        STATUS current
        DESCRIPTION
            "Specifies IKEv1 action sets."
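The ipSecIkeRuleTable attributes above define both an install-time precondition (the [RFC3318] capability set and role combination must already exist) and a run-time procedure: skip the rule outside its time period, gate new phase 1 negotiations on ipSecIkeRuleLimitNegotiation, then walk the referenced action set in ipSecIkeActionSetOrder either completely (doAll) or until one action succeeds (doUntilSuccess). The Python below is an added example that exercises that procedure; it is not part of the draft or of any PEP implementation. The rule dataclass, the two framework tables and the action set rows are constructed sample data, and `run_action` and `now_valid` are hypothetical callbacks standing in for the IKE engine and the time-period evaluation, which this PIB does not define.

```python
from dataclasses import dataclass

DO_ALL, DO_UNTIL_SUCCESS = 1, 2        # ipSecIkeRuleActionExecutionStrategy
INITIATOR, RESPONDER, BOTH = 1, 2, 3   # ipSecIkeRuleLimitNegotiation


@dataclass
class IkeRule:                  # constructed stand-in for ipSecIkeRuleEntry
    if_cap_set_name: str        # ipSecIkeRuleIfCapSetName
    roles: str                  # ipSecIkeRuleRoles (RoleCombination as text)
    ike_action_set_id: int      # ipSecIkeRuleIkeActionSetId
    execution_strategy: int     # DO_ALL or DO_UNTIL_SUCCESS
    limit_negotiation: int      # INITIATOR, RESPONDER or BOTH
    auto_start: bool            # ipSecIkeRuleAutoStart
    time_period_group_id: int   # ipSecIkeRuleIpSecRuleTimePeriodGroupId, 0 = always valid


# Constructed stand-ins for frwkCapabilitySetTable and frwkRoleComboTable
# [RFC3318]; sample contents only.
CAPABILITY_SETS = {"eth-ipsec"}
ROLE_COMBOS = {("eth-ipsec", "edge+vpn")}

# ipSecIkeActionSetTable rows: (ActionSetId, ActionId, Order); ActionId points
# at an ipSecIkeAssociationEntry.
IKE_ACTION_SET = [(7, 31, 2), (7, 30, 1)]


def can_install(rule, cap_sets=CAPABILITY_SETS, role_combos=ROLE_COMBOS):
    """Install-time check from the ipSecIkeRuleTable description.

    Both references must already exist or the PRI is rejected. The per-attribute
    text says they are ignored when AutoStart is false; this example applies the
    table-level rule to every entry regardless (a reading, not a draft mandate).
    """
    if rule.if_cap_set_name not in cap_sets:
        return False
    return (rule.if_cap_set_name, rule.roles) in role_combos


def ordered_actions(set_id, action_set=IKE_ACTION_SET):
    """Action ids of one set in ipSecIkeActionSetOrder (lowest first)."""
    return [aid for _, aid in sorted((o, a) for (s, a, o) in action_set if s == set_id)]


def run_rule(rule, current_role, is_new_phase1, run_action,
             action_set=IKE_ACTION_SET, now_valid=lambda group_id: True):
    """Execute the rule; returns the (action_id, succeeded) pairs actually attempted.

    run_action(action_id) -> bool is the hypothetical IKE phase 1 driver and
    now_valid(group_id) -> bool the hypothetical time-period check.
    """
    # A zero time period group means the rule is always valid.
    if rule.time_period_group_id and not now_valid(rule.time_period_group_id):
        return []
    # LimitNegotiation gates only new phase 1 negotiations, never rekeys/refreshes.
    if (is_new_phase1 and rule.limit_negotiation != BOTH
            and rule.limit_negotiation != current_role):
        return []
    attempted = []
    for aid in ordered_actions(rule.ike_action_set_id, action_set):
        ok = bool(run_action(aid))
        attempted.append((aid, ok))
        if rule.execution_strategy == DO_UNTIL_SUCCESS and ok:
            break                # doUntilSuccess: stop at the first success
    return attempted             # doAll: every action ran, whatever the results
```

A practical consequence of doUntilSuccess worth checking in a deployment: an action set that lists an aggressive-mode association after a main-mode one silently falls back to the weaker exchange whenever the first attempt fails, so the Order values deserve the same review as the proposals themselves.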
2578 ::= { ipSecIkeAssociation 2 } 2580 ipSecIkeActionSetEntry OBJECT-TYPE 2581 SYNTAX IpSecIkeActionSetEntry 2582 STATUS current 2583 DESCRIPTION 2584 "Specifies an instance of this class" 2585 PIB-INDEX { ipSecIkeActionSetPrid } 2587 Li, et al Expires October 2004 48 2588 UNIQUENESS { 2589 ipSecIkeActionSetActionSetId, 2590 ipSecIkeActionSetOrder 2591 } 2592 ::= { ipSecIkeActionSetTable 1 } 2594 IpSecIkeActionSetEntry ::= SEQUENCE { 2595 ipSecIkeActionSetPrid InstanceId, 2596 ipSecIkeActionSetActionSetId TagId, 2597 ipSecIkeActionSetActionId ReferenceId, 2598 ipSecIkeActionSetOrder IpSecOrderTC 2599 } 2601 ipSecIkeActionSetPrid OBJECT-TYPE 2602 SYNTAX InstanceId 2603 STATUS current 2604 DESCRIPTION 2605 "An integer index that uniquely identifies an instance of this 2606 class." 2607 ::= { ipSecIkeActionSetEntry 1 } 2609 ipSecIkeActionSetActionSetId OBJECT-TYPE 2610 SYNTAX TagId 2611 STATUS current 2612 DESCRIPTION 2613 "An IKE action set is composed of one or more IKE actions. Actions 2614 belonging to the same set have the same ActionSetId." 2615 ::= { ipSecIkeActionSetEntry 2 } 2617 ipSecIkeActionSetActionId OBJECT-TYPE 2618 SYNTAX ReferenceId 2619 PIB-REFERENCES {ipSecIkeAssociationEntry } 2620 STATUS current 2621 DESCRIPTION 2622 "A pointer to a valid instance in the ipSecIkeAssociationTable." 2623 ::= { ipSecIkeActionSetEntry 3 } 2625 ipSecIkeActionSetOrder OBJECT-TYPE 2626 SYNTAX IpSecOrderTC 2627 STATUS current 2628 DESCRIPTION 2629 "Specifies the precedence order of the action within the action 2630 set." 2631 ::= { ipSecIkeActionSetEntry 4 } 2633 -- 2634 -- 2635 -- The ipSecIkeAssociationTable 2636 -- 2638 ipSecIkeAssociationTable OBJECT-TYPE 2639 SYNTAX SEQUENCE OF IpSecIkeAssociationEntry 2641 Li, et al Expires October 2004 49 2642 PIB-ACCESS install 2643 STATUS current 2644 DESCRIPTION 2645 "Specifies IKEv1 associations. 
" 2646 ::= { ipSecIkeAssociation 3 } 2648 ipSecIkeAssociationEntry OBJECT-TYPE 2649 SYNTAX IpSecIkeAssociationEntry 2650 STATUS current 2651 DESCRIPTION 2652 "Specifies an instance of this class" 2653 PIB-INDEX { ipSecIkeAssociationPrid } 2654 UNIQUENESS { 2655 ipSecIkeAssociationMinLiftetimeSeconds, 2656 ipSecIkeAssociationMinLifetimeKilobytes, 2657 ipSecIkeAssociationIdleDurationSeconds, 2658 ipSecIkeAssociationExchangeMode, 2659 ipSecIkeAssociationUseIkeIdentityType, 2660 ipSecIkeAssociationUseIkeIdentityValue, 2661 ipSecIkeAssociationIkePeerEndpoint, 2662 ipSecIkeAssociationPresharedKey, 2663 ipSecIkeAssociationVendorId, 2664 ipSecIkeAssociationAggressiveModeGroupId, 2665 ipSecIkeAssociationLocalCredentialId, 2666 ipSecIkeAssociationDoActionLogging, 2667 ipSecIkeAssociationIkeProposalSetId 2668 } 2669 ::= { ipSecIkeAssociationTable 1 } 2671 IpSecIkeAssociationEntry ::= SEQUENCE { 2672 ipSecIkeAssociationPrid InstanceId, 2673 ipSecIkeAssociationMinLiftetimeSeconds Unsigned32, 2674 ipSecIkeAssociationMinLifetimeKilobytes Unsigned64, 2675 ipSecIkeAssociationIdleDurationSeconds Unsigned32, 2676 ipSecIkeAssociationExchangeMode IpSecExchangeModeTC, 2677 ipSecIkeAssociationUseIkeIdentityType IpsecDoiIdentType, 2678 ipSecIkeAssociationUseIkeIdentityValue OCTET STRING, 2679 ipSecIkeAssociationIkePeerEndpoint ReferenceId, 2680 ipSecIkeAssociationPresharedKey OCTET STRING, 2681 ipSecIkeAssociationVendorId OCTET STRING, 2682 ipSecIkeAssociationAggressiveModeGroupId IkeGroupDescription, 2683 ipSecIkeAssociationLocalCredentialId TagReferenceId, 2684 ipSecIkeAssociationDoActionLogging TruthValue, 2685 ipSecIkeAssociationIkeProposalSetId TagReferenceId 2686 } 2688 ipSecIkeAssociationPrid OBJECT-TYPE 2689 SYNTAX InstanceId 2690 STATUS current 2691 DESCRIPTION 2692 "An integer index that uniquely identifies an instance of this 2693 class." 
2694 ::= { ipSecIkeAssociationEntry 1 } 2696 Li, et al Expires October 2004 50 2697 ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE 2698 SYNTAX Unsigned32 2699 UNITS "seconds" 2700 STATUS current 2701 DESCRIPTION 2702 "Specifies the minimum SA seconds lifetime that will be accepted 2703 from a peer while negotiating an SA based upon this action. 2705 A value of zero indicates that there is no minimum lifetime in 2706 seconds enforced. This is consistent with [RFC3585]. 2708 When both the LifetimeSeconds and LifetimeKilobytes are used, the 2709 first lifetime to expire takes precedence." 2710 ::= { ipSecIkeAssociationEntry 2 } 2712 ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE 2713 SYNTAX Unsigned64 2714 UNITS "kilobytes" 2715 STATUS current 2716 DESCRIPTION 2717 "Specifies the minimum kilobyte lifetime that will be accepted 2718 from a negotiating peer while negotiating an SA based upon this 2719 action. 2721 A value of zero indicates that there is no minimum lifetime in 2722 byte count enforced. This is consistent with [RFC3585]. 2724 When both the LifetimeSeconds and LifetimeKilobytes are used, the 2725 first lifetime to expire takes precedence." 2726 ::= { ipSecIkeAssociationEntry 3 } 2728 ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE 2729 SYNTAX Unsigned32 2730 UNITS "seconds" 2731 STATUS current 2732 DESCRIPTION 2733 "Specifies how long, in seconds, a security association may remain 2734 unused before it is deleted. 2736 A value of zero indicates that idle detection should not be used 2737 for the security association (only the seconds and kilobyte 2738 lifetimes will be used). This is consistent with [RFC3585]. " 2739 ::= { ipSecIkeAssociationEntry 4 } 2741 ipSecIkeAssociationExchangeMode OBJECT-TYPE 2742 SYNTAX IpSecExchangeModeTC 2743 STATUS current 2744 DESCRIPTION 2745 "Specifies the negotiation mode that the IKE server will use for 2746 phase one." 
2747 ::= { ipSecIkeAssociationEntry 5 } 2749 Li, et al Expires October 2004 51 2750 ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE 2751 SYNTAX IpsecDoiIdentType 2752 STATUS current 2753 DESCRIPTION 2754 "Specifies the type of IKE identity to use during IKE phase one 2755 negotiation." 2756 ::= { ipSecIkeAssociationEntry 6 } 2758 ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE 2759 SYNTAX OCTET STRING 2760 STATUS current 2761 DESCRIPTION 2762 "Specifies the ID payload value to be provided to the peer during 2763 IKE phase one negotiation." 2764 ::= { ipSecIkeAssociationEntry 7 } 2766 ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE 2767 SYNTAX ReferenceId 2768 PIB-REFERENCES {ipSecIkePeerEndpointEntry } 2769 STATUS current 2770 DESCRIPTION 2771 "Pointer to a valid instance in the ipSecIkePeerEndpointTable to 2772 indicate an IKE peer endpoint." 2773 ::= { ipSecIkeAssociationEntry 8 } 2775 ipSecIkeAssociationPresharedKey OBJECT-TYPE 2776 SYNTAX OCTET STRING 2777 STATUS current 2778 DESCRIPTION 2779 "This attribute specifies the preshared key or secret to use for 2780 IKE authentication. This is the key for all the IKE proposals of 2781 this association that set ipSecIkeProposalAuthenticationMethod to 2782 presharedKey(1)." 2783 ::= { ipSecIkeAssociationEntry 9 } 2785 ipSecIkeAssociationVendorId OBJECT-TYPE 2786 SYNTAX OCTET STRING 2787 STATUS current 2788 DESCRIPTION 2789 "Specifies the value to be used in the Vendor ID payload. It is a 2790 hash value as defined in [RFC2408] Section 3.16. 2792 A zero length OCTET STRING means that Vendor ID payload will be 2793 neither generated nor accepted. Otherwise, it means that a Vendor 2794 ID payload will be generated (when acting as an initiator) or is 2795 expected (when acting as a responder). 
" 2796 ::= { ipSecIkeAssociationEntry 10 } 2798 ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE 2799 SYNTAX IkeGroupDescription 2800 STATUS current 2801 DESCRIPTION 2803 Li, et al Expires October 2004 52 2804 "Specifies the group ID to be used for aggressive mode. This 2805 attribute is ignored unless the attribute 2806 ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). " 2807 ::= { ipSecIkeAssociationEntry 11 } 2809 ipSecIkeAssociationLocalCredentialId OBJECT-TYPE 2810 SYNTAX TagReferenceId 2811 PIB-TAG { ipSecCredentialSetSetId } 2812 STATUS current 2813 DESCRIPTION 2814 "Indicates a group of credentials. One of the credentials in the 2815 group MUST be used when establishing an IKE association with the 2816 peer endpoint." 2817 ::= { ipSecIkeAssociationEntry 12 } 2819 ipSecIkeAssociationDoActionLogging OBJECT-TYPE 2820 SYNTAX TruthValue 2821 STATUS current 2822 DESCRIPTION 2823 "Specifies whether a log message is to be generated when the 2824 negotiation is attempted (with the success or failure result)." 2825 ::= { ipSecIkeAssociationEntry 13 } 2827 ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE 2828 SYNTAX TagReferenceId 2829 PIB-TAG { ipSecIkeProposalSetProposalSetId } 2830 STATUS current 2831 DESCRIPTION 2832 "Identifies a set of IKE proposals that is associated with this 2833 IKE association." 2834 ::= { ipSecIkeAssociationEntry 14 } 2836 -- 2837 -- 2838 -- The ipSecIkeProposalSetTable 2839 -- 2841 ipSecIkeProposalSetTable OBJECT-TYPE 2842 SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry 2843 PIB-ACCESS install 2844 STATUS current 2845 DESCRIPTION 2846 "Specifies IKE proposal sets. Proposals within a set are ORed with 2847 preference order. 
" 2848 ::= { ipSecIkeAssociation 4 } 2850 ipSecIkeProposalSetEntry OBJECT-TYPE 2851 SYNTAX IpSecIkeProposalSetEntry 2852 STATUS current 2853 DESCRIPTION 2854 "Specifies an instance of this class" 2855 PIB-INDEX { ipSecIkeProposalSetPrid } 2857 Li, et al Expires October 2004 53 2858 UNIQUENESS { 2859 ipSecIkeProposalSetProposalSetId, 2860 ipSecIkeProposalSetOrder 2861 } 2862 ::= { ipSecIkeProposalSetTable 1 } 2864 IpSecIkeProposalSetEntry ::= SEQUENCE { 2865 ipSecIkeProposalSetPrid InstanceId, 2866 ipSecIkeProposalSetProposalSetId TagId, 2867 ipSecIkeProposalSetProposalId ReferenceId, 2868 ipSecIkeProposalSetOrder IpSecOrderTC 2869 } 2871 ipSecIkeProposalSetPrid OBJECT-TYPE 2872 SYNTAX InstanceId 2873 STATUS current 2874 DESCRIPTION 2875 "An integer index that uniquely identifies an instance of this 2876 class." 2877 ::= { ipSecIkeProposalSetEntry 1 } 2879 ipSecIkeProposalSetProposalSetId OBJECT-TYPE 2880 SYNTAX TagId 2881 STATUS current 2882 DESCRIPTION 2883 "An IKE proposal set is composed of one or more IKE proposals. 2884 Proposals belonging to the same set has the same ProposalSetId. " 2885 ::= { ipSecIkeProposalSetEntry 2 } 2887 ipSecIkeProposalSetProposalId OBJECT-TYPE 2888 SYNTAX ReferenceId 2889 PIB-REFERENCES {ipSecIkeProposalEntry } 2890 STATUS current 2891 DESCRIPTION 2892 "A pointer to a valid instance in the ipSecIkeProposalTable." 2893 ::= { ipSecIkeProposalSetEntry 3 } 2895 ipSecIkeProposalSetOrder OBJECT-TYPE 2896 SYNTAX IpSecOrderTC 2897 STATUS current 2898 DESCRIPTION 2899 "An integer that specifies the precedence order of the proposal 2900 identified by ipSecIkeProposalSetProposalId in a proposal set. The 2901 proposal set is identified by ipSecIkeProposalSetProposalSetId. 2902 Proposals within a set are ORed with preference order." 
2903 ::= { ipSecIkeProposalSetEntry 4 } 2905 -- 2906 -- 2907 -- The ipSecIkeProposalTable 2908 -- 2910 Li, et al Expires October 2004 54 2911 ipSecIkeProposalTable OBJECT-TYPE 2912 SYNTAX SEQUENCE OF IpSecIkeProposalEntry 2913 PIB-ACCESS install 2914 STATUS current 2915 DESCRIPTION 2916 "Specifies IKEv1 proposals." 2917 ::= { ipSecIkeAssociation 5 } 2919 ipSecIkeProposalEntry OBJECT-TYPE 2920 SYNTAX IpSecIkeProposalEntry 2921 STATUS current 2922 DESCRIPTION 2923 "Specifies an instance of this class" 2924 PIB-INDEX { ipSecIkeProposalPrid } 2925 UNIQUENESS { 2926 ipSecIkeProposalMaxLifetimeSeconds, 2927 ipSecIkeProposalMaxLifetimeKilobytes, 2928 ipSecIkeProposalCipherAlgorithm, 2929 ipSecIkeProposalHashAlgorithm, 2930 ipSecIkeProposalAuthenticationMethod, 2931 ipSecIkeProposalPrfAlgorithm, 2932 ipSecIkeProposalIkeDhGroup 2933 } 2934 ::= { ipSecIkeProposalTable 1 } 2936 IpSecIkeProposalEntry ::= SEQUENCE { 2937 ipSecIkeProposalPrid InstanceId, 2938 ipSecIkeProposalMaxLifetimeSeconds Unsigned32, 2939 ipSecIkeProposalMaxLifetimeKilobytes Unsigned64, 2940 ipSecIkeProposalCipherAlgorithm IkeEncryptionAlgorithm, 2941 ipSecIkeProposalHashAlgorithm IkeHashAlgorithm, 2942 ipSecIkeProposalAuthenticationMethod IkeAuthMethod, 2943 ipSecIkeProposalPrfAlgorithm Unsigned16TC, 2944 ipSecIkeProposalIkeDhGroup IkeGroupDescription 2945 } 2947 ipSecIkeProposalPrid OBJECT-TYPE 2948 SYNTAX InstanceId 2949 STATUS current 2950 DESCRIPTION 2951 "An integer index that uniquely identifies an instance of this 2952 class." 2953 ::= { ipSecIkeProposalEntry 1 } 2955 ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE 2956 SYNTAX Unsigned32 2957 UNITS "seconds" 2958 STATUS current 2959 DESCRIPTION 2960 "Specifies the maximum amount of time to propose for a security 2961 association to remain valid. 2963 Li, et al Expires October 2004 55 2964 A value of zero indicates that the default of 8 hours be used. A 2965 non-zero value indicates the maximum seconds lifetime. This is 2966 consistent with [RFC3585]. 
2968 When both the LifetimeSeconds and LifetimeKilobytes are used, the 2969 first lifetime to expire takes precedence." 2970 ::= { ipSecIkeProposalEntry 2 } 2972 ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE 2973 SYNTAX Unsigned64 2974 UNITS "kilobytes" 2975 STATUS current 2976 DESCRIPTION 2977 "Specifies the maximum kilobyte lifetime to propose for a security 2978 association to remain valid. 2980 A value of zero indicates that there should be no maximum kilobyte 2981 lifetime. A non-zero value specifies the desired kilobyte 2982 lifetime. This is consistent with [RFC3585]. 2984 When both the LifetimeSeconds and LifetimeKilobytes are used, the 2985 first lifetime to expire takes precedence." 2986 ::= { ipSecIkeProposalEntry 3 } 2988 ipSecIkeProposalCipherAlgorithm OBJECT-TYPE 2989 SYNTAX IkeEncryptionAlgorithm 2990 STATUS current 2991 DESCRIPTION 2992 "Specifies the encryption algorithm to propose for the IKE 2993 association." 2994 ::= { ipSecIkeProposalEntry 4 } 2996 ipSecIkeProposalHashAlgorithm OBJECT-TYPE 2997 SYNTAX IkeHashAlgorithm 2998 STATUS current 2999 DESCRIPTION 3000 "Specifies the hash algorithm to propose for the IKE association." 3001 ::= { ipSecIkeProposalEntry 5 } 3003 ipSecIkeProposalAuthenticationMethod OBJECT-TYPE 3004 SYNTAX IkeAuthMethod 3005 STATUS current 3006 DESCRIPTION 3007 "Specifies the authentication method to propose for the IKE 3008 association." 3009 ::= { ipSecIkeProposalEntry 6 } 3011 ipSecIkeProposalPrfAlgorithm OBJECT-TYPE 3012 SYNTAX Unsigned16TC 3013 STATUS current 3014 DESCRIPTION 3015 "Specifies the Psuedo-Random Function (PRF) to propose for the IKE 3016 association. As indicated in [RFC2409], there are currently no 3018 Li, et al Expires October 2004 56 3019 negotiable pseudo-random functions defined in this document. 3020 Private use attribute values can be used for prf negotiation 3021 between consenting parties. 
" 3022 ::= { ipSecIkeProposalEntry 7 } 3024 ipSecIkeProposalIkeDhGroup OBJECT-TYPE 3025 SYNTAX IkeGroupDescription 3026 STATUS current 3027 DESCRIPTION 3028 "The value of this property indicates the Diffie-Hellman group 3029 number to propose for the IKE association. 3031 The value of this property is to be ignored when doing aggressive 3032 mode." 3033 ::= { ipSecIkeProposalEntry 8 } 3035 -- 3036 -- 3037 -- The ipSecIkePeerEndpointTable 3038 -- 3040 ipSecIkePeerEndpointTable OBJECT-TYPE 3041 SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry 3042 PIB-ACCESS install 3043 STATUS current 3044 DESCRIPTION 3045 "Specifies IKE peer endpoints." 3046 ::= { ipSecIkeAssociation 6 } 3048 ipSecIkePeerEndpointEntry OBJECT-TYPE 3049 SYNTAX IpSecIkePeerEndpointEntry 3050 STATUS current 3051 DESCRIPTION 3052 "Specifies an instance of this class" 3053 PIB-INDEX { ipSecIkePeerEndpointPrid } 3054 UNIQUENESS { 3055 ipSecIkePeerEndpointIdentityType, 3056 ipSecIkePeerEndpointIdentityValue, 3057 ipSecIkePeerEndpointIsNegated, 3058 ipSecIkePeerEndpointAddress, 3059 ipSecIkePeerEndpointCredentialSetId 3060 } 3061 ::= { ipSecIkePeerEndpointTable 1 } 3063 IpSecIkePeerEndpointEntry ::= SEQUENCE { 3064 ipSecIkePeerEndpointPrid InstanceId, 3065 ipSecIkePeerEndpointIdentityType IpsecDoiIdentType, 3066 ipSecIkePeerEndpointIdentityValue OCTET STRING, 3067 ipSecIkePeerEndpointIsNegated TruthValue, 3068 ipSecIkePeerEndpointAddress ReferenceId, 3069 ipSecIkePeerEndpointCredentialSetId TagReferenceId 3070 } 3072 Li, et al Expires October 2004 57 3073 ipSecIkePeerEndpointPrid OBJECT-TYPE 3074 SYNTAX InstanceId 3075 STATUS current 3076 DESCRIPTION 3077 "An integer index that uniquely identifies an instance of this 3078 class." 3079 ::= { ipSecIkePeerEndpointEntry 1 } 3081 ipSecIkePeerEndpointIdentityType OBJECT-TYPE 3082 SYNTAX IpsecDoiIdentType 3083 STATUS current 3084 DESCRIPTION 3085 "Specifies the type of identity that MUST be provided by the peer 3086 in the ID payload during IKE phase one negotiation." 
3087 ::= { ipSecIkePeerEndpointEntry 2 } 3089 ipSecIkePeerEndpointIdentityValue OBJECT-TYPE 3090 SYNTAX OCTET STRING 3091 STATUS current 3092 DESCRIPTION 3093 "Specifies the value to be matched with the ID payload provided by 3094 the peer during IKE phase one negotiation. 3096 The syntax may need to be converted for comparison. If the 3097 ipSecIkePeerEndpointIdentityType is a DistinguishedName, the name 3098 in the ipSecIkePeerEndpointIdentityValue 3099 is represented by an ordinary string value, but this value must be 3100 converted into a DER-encoded string before matching against the 3101 values extracted from IKE ID payloads at runtime. The same 3102 applies to IPv4 & IPv6 addresses. 3104 Different Wildcards wildcard mechanisms can be used as well as the 3105 prefix notation for IPv4 addresses depending on the ID payload: 3107 - an IdentityValue of *@example.com will match an user FQDN ID 3108 payload of JDOE@EXAMPLE.COM 3110 - an IdentityValue of *.example.com will match a FQDN ID payload 3111 of WWW.EXAMPLE.COM 3113 - an IdentityValue of cn=*,ou=engineering,o=company,c=us will 3114 match a DER DN ID payload of cn=John Doe, ou=engineering, 3115 o=company, c=us 3117 - an IdentityValue of 192.0.2.0/24 will match an IPv4 address ID 3118 payload of 192.0.2.10. 3120 - an IdentityValue of 192.0.2.* will also match an IPv4 address ID 3121 payload of 192.0.2.10. 3123 Li, et al Expires October 2004 58 3124 The above wildcard mechanisms MUST be supported for all ID 3125 payloads supported by the local IKE entity. The character * 3126 replaces 0 or multiple instances of any character." 3127 ::= { ipSecIkePeerEndpointEntry 3 } 3129 ipSecIkePeerEndpointIsNegated OBJECT-TYPE 3130 SYNTAX TruthValue 3131 STATUS current 3132 DESCRIPTION 3133 "This attribute behaves like a logical NOT for the peer identity. 
3134 If the value of this attribute is 'true', the peer identity whose 3135 type is specified by ipSecIkePeerEndpointIdentityType MUST not 3136 match the vaule specified by ipSecIkePeerEndpointValue." 3137 ::= { ipSecIkePeerEndpointEntry 4 } 3139 ipSecIkePeerEndpointAddress OBJECT-TYPE 3140 SYNTAX ReferenceId 3141 PIB-REFERENCES {ipSecAddressEntry } 3142 STATUS current 3143 DESCRIPTION 3144 "A pointer to a valid entry in the ipSecAddressTable to specify 3145 the endpoint address with which this PEP establishes IKE 3146 association. The pointed address MUST be a single endpoint 3147 address. This attribute is used only when the IKE association is 3148 to be started automatically. Hence, the value of this attribute 3149 MUST be zero if ipSecIkeRuleAutoStart is false." 3150 ::= { ipSecIkePeerEndpointEntry 5 } 3152 ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE 3153 SYNTAX TagReferenceId 3154 PIB-TAG { ipSecCredentialSetSetId } 3155 STATUS current 3156 DESCRIPTION 3157 "Identifies a set of credentials. Any one of the credentials in 3158 the set is acceptable as the IKE peer credential." 3159 ::= { ipSecIkePeerEndpointEntry 6 } 3161 -- 3162 -- 3163 -- The ipSecCredentialSetTable 3164 -- 3166 ipSecCredentialSetTable OBJECT-TYPE 3167 SYNTAX SEQUENCE OF IpSecCredentialSetEntry 3168 PIB-ACCESS install 3169 STATUS current 3170 DESCRIPTION 3171 "Specifies credential sets. 3173 For IKE peer credentials, any one of the credentials in the set is 3174 acceptable as peer credential during IEK phase 1 negotiation. For 3176 Li, et al Expires October 2004 59 3177 IKE local credentials, any one of the credentials in the set can 3178 be used in IKE phase 1 negotiation." 
3179 ::= { ipSecCredential 1 } 3181 ipSecCredentialSetEntry OBJECT-TYPE 3182 SYNTAX IpSecCredentialSetEntry 3183 STATUS current 3184 DESCRIPTION 3185 "Specifies an instance of this class" 3186 PIB-INDEX { ipSecCredentialSetPrid } 3187 UNIQUENESS { 3188 ipSecCredentialSetSetId, 3189 ipSecCredentialSetCredentialId 3190 } 3191 ::= { ipSecCredentialSetTable 1 } 3193 IpSecCredentialSetEntry ::= SEQUENCE { 3194 ipSecCredentialSetPrid InstanceId, 3195 ipSecCredentialSetSetId TagId, 3196 ipSecCredentialSetCredentialId ReferenceId 3197 } 3199 ipSecCredentialSetPrid OBJECT-TYPE 3200 SYNTAX InstanceId 3201 STATUS current 3202 DESCRIPTION 3203 "An integer index that uniquely identifies an instance of this 3204 class." 3205 ::= { ipSecCredentialSetEntry 1 } 3207 ipSecCredentialSetSetId OBJECT-TYPE 3208 SYNTAX TagId 3209 STATUS current 3210 DESCRIPTION 3211 "A credential set is composed of one or more credentials. 3212 Credentials belonging to the same set have the same 3213 CredentialSetId." 3214 ::= { ipSecCredentialSetEntry 2 } 3216 ipSecCredentialSetCredentialId OBJECT-TYPE 3217 SYNTAX ReferenceId 3218 PIB-REFERENCES {ipSecCredentialEntry } 3219 STATUS current 3220 DESCRIPTION 3221 "A pointer to a valid instance in the ipSecCredentialTable." 3222 ::= { ipSecCredentialSetEntry 3 } 3224 -- 3225 -- 3226 -- The ipSecCredentialTable 3227 -- 3229 Li, et al Expires October 2004 60 3230 ipSecCredentialTable OBJECT-TYPE 3231 SYNTAX SEQUENCE OF IpSecCredentialEntry 3232 PIB-ACCESS install 3233 STATUS current 3234 DESCRIPTION 3235 "Specifies credentials." 
3236 ::= { ipSecCredential 2 } 3238 ipSecCredentialEntry OBJECT-TYPE 3239 SYNTAX IpSecCredentialEntry 3240 STATUS current 3241 DESCRIPTION 3242 "Specifies an instance of this class" 3243 PIB-INDEX { ipSecCredentialPrid } 3244 UNIQUENESS { 3245 ipSecCredentialCredentialType, 3246 ipSecCredentialFieldsId, 3247 ipSecCredentialCrlDistributionPoint 3248 } 3249 ::= { ipSecCredentialTable 1 } 3251 IpSecCredentialEntry ::= SEQUENCE { 3252 ipSecCredentialPrid InstanceId, 3253 ipSecCredentialCredentialType IpSecCredTypeTC, 3254 ipSecCredentialFieldsId TagReferenceId, 3255 ipSecCredentialCrlDistributionPoint OCTET STRING 3256 } 3258 ipSecCredentialPrid OBJECT-TYPE 3259 SYNTAX InstanceId 3260 STATUS current 3261 DESCRIPTION 3262 "An integer index that uniquely identifies an instance of this 3263 class." 3264 ::= { ipSecCredentialEntry 1 } 3266 ipSecCredentialCredentialType OBJECT-TYPE 3267 SYNTAX IpSecCredTypeTC 3268 STATUS current 3269 DESCRIPTION 3270 "Specifies the type of credential to be matched." 3271 ::= { ipSecCredentialEntry 2 } 3273 ipSecCredentialFieldsId OBJECT-TYPE 3274 SYNTAX TagReferenceId 3275 PIB-TAG { ipSecCredentialFieldsSetId } 3276 STATUS current 3277 DESCRIPTION 3278 "Identifies a group of matching criteria to be used for the peer 3279 credential. The identified criteria MUST all be satisfied." 3280 ::= { ipSecCredentialEntry 3 } 3282 ipSecCredentialCrlDistributionPoint OBJECT-TYPE 3284 Li, et al Expires October 2004 61 3285 SYNTAX OCTET STRING 3286 STATUS current 3287 DESCRIPTION 3288 "When credential type is certificate X509, this attribute 3289 identifies the Certificate Revocation List (CRL) distribution 3290 point for this credential." 
3291 ::= { ipSecCredentialEntry 4 } 3293 -- 3294 -- 3295 -- The ipSecCredentialFieldsTable 3296 -- 3298 ipSecCredentialFieldsTable OBJECT-TYPE 3299 SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry 3300 PIB-ACCESS install 3301 STATUS current 3302 DESCRIPTION 3303 "Specifies sets of credential sub-fields and their values to be 3304 matched against. " 3305 ::= { ipSecCredential 3 } 3307 ipSecCredentialFieldsEntry OBJECT-TYPE 3308 SYNTAX IpSecCredentialFieldsEntry 3309 STATUS current 3310 DESCRIPTION 3311 "Specifies an instance of this class" 3312 PIB-INDEX { ipSecCredentialFieldsPrid } 3313 UNIQUENESS { 3314 ipSecCredentialFieldsName, 3315 ipSecCredentialFieldsValue, 3316 ipSecCredentialFieldsIsNegated, 3317 ipSecCredentialFieldsSetId 3318 } 3319 ::= { ipSecCredentialFieldsTable 1 } 3321 IpSecCredentialFieldsEntry ::= SEQUENCE { 3322 ipSecCredentialFieldsPrid InstanceId, 3323 ipSecCredentialFieldsName SnmpAdminString, 3324 ipSecCredentialFieldsValue SnmpAdminString, 3325 ipSecCredentialFieldsIsNegated TruthValue, 3326 ipSecCredentialFieldsSetId TagId 3327 } 3329 ipSecCredentialFieldsPrid OBJECT-TYPE 3330 SYNTAX InstanceId 3331 STATUS current 3332 DESCRIPTION 3333 "An integer index that uniquely identifies an instance of this 3334 class." 3335 ::= { ipSecCredentialFieldsEntry 1 } 3337 Li, et al Expires October 2004 62 3338 ipSecCredentialFieldsName OBJECT-TYPE 3339 SYNTAX SnmpAdminString 3340 STATUS current 3341 DESCRIPTION 3342 "Specifies the sub-field of the credential to match with. This is 3343 the string representation of a X.509 certificate attribute, e.g. 3344 serialNumber, issuerName, subjectName, etc.." 3345 ::= { ipSecCredentialFieldsEntry 2 } 3347 ipSecCredentialFieldsValue OBJECT-TYPE 3348 SYNTAX SnmpAdminString 3349 STATUS current 3350 DESCRIPTION 3351 "Specifies the value to match with for the sub-field identified by 3352 ipSecCredentialFieldsName. A wildcard mechanism can be used in the 3353 Value string. 
E.g., if the Name is subjectName then a Value of 3354 cn=*,ou=engineering,o=foo,c=be will match successfully a 3355 certificate whose subject attribute is cn=Jane Doe, 3356 ou=engineering, o=foo, c=be. The wildcard character * can be used 3357 to represent 0 or several characters. 3359 If the ipSecCredentialFieldsName corresponds to a 3360 DistinguishedName, this value is represented by a string value. 3361 However, an implementation must convert this string to a DER- 3362 encoded string before matching against the values extracted from 3363 credentials at runtime. " 3364 ::= { ipSecCredentialFieldsEntry 3 } 3366 ipSecCredentialFieldsIsNegated OBJECT-TYPE 3367 SYNTAX TruthValue 3368 STATUS current 3369 DESCRIPTION 3370 "This attribute behaves like a logical NOT for the credential 3371 field match. If the value of this attribute is 'true', the 3372 credential field specified by ipSecCredentialFieldsName MUST not 3373 match the vaule specified by ipSecCredentialFieldsValue." 3374 ::= { ipSecCredentialFieldsEntry 4 } 3376 ipSecCredentialFieldsSetId OBJECT-TYPE 3377 SYNTAX TagId 3378 STATUS current 3379 DESCRIPTION 3380 "Specifies the set this criteria belongs to. All criteria within a 3381 set MUST all be satisfied." 3382 ::= { ipSecCredentialFieldsEntry 5 } 3384 -- 3385 -- 3386 -- The ipSecSelectorSetTable 3387 -- 3389 ipSecSelectorSetTable OBJECT-TYPE 3391 Li, et al Expires October 2004 63 3392 SYNTAX SEQUENCE OF IpSecSelectorSetEntry 3393 PIB-ACCESS install 3394 STATUS current 3395 DESCRIPTION 3396 "Specifies IPsec selector sets." 
3397 ::= { ipSecSelector 1 } 3399 ipSecSelectorSetEntry OBJECT-TYPE 3400 SYNTAX IpSecSelectorSetEntry 3401 STATUS current 3402 DESCRIPTION 3403 "Specifies an instance of this class" 3404 PIB-INDEX { ipSecSelectorSetPrid } 3405 UNIQUENESS { 3406 ipSecSelectorSetSelectorSetId, 3407 ipSecSelectorSetOrder 3408 } 3409 ::= { ipSecSelectorSetTable 1 } 3411 IpSecSelectorSetEntry ::= SEQUENCE { 3412 ipSecSelectorSetPrid InstanceId, 3413 ipSecSelectorSetSelectorSetId TagId, 3414 ipSecSelectorSetSelectorId Prid, 3415 ipSecSelectorSetOrder IpSecOrderTC, 3416 ipSecSelectorSetIsNegated TruthValue 3417 } 3419 ipSecSelectorSetPrid OBJECT-TYPE 3420 SYNTAX InstanceId 3421 STATUS current 3422 DESCRIPTION 3423 "An integer index that uniquely identifies an instance of this 3424 class." 3425 ::= { ipSecSelectorSetEntry 1 } 3427 ipSecSelectorSetSelectorSetId OBJECT-TYPE 3428 SYNTAX TagId 3429 STATUS current 3430 DESCRIPTION 3431 "An IPsec selector set is composed of one or more IPsec selectors. 3432 Selectors belonging to the same set have the same SelectorSetId." 3433 ::= { ipSecSelectorSetEntry 2 } 3435 ipSecSelectorSetSelectorId OBJECT-TYPE 3436 SYNTAX Prid 3437 STATUS current 3438 DESCRIPTION 3439 "A pointer to a valid instance in another class that describes 3440 selectors. To use selectors defined in this IPsec PIB module, this 3441 attribute MUST point to an instance in ipSecSelectorTable. This 3442 attribute may also point to an instance in a selector or filter 3443 PRC defined in other PIB modules." 3444 ::= { ipSecSelectorSetEntry 3 } 3446 Li, et al Expires October 2004 64 3447 ipSecSelectorSetOrder OBJECT-TYPE 3448 SYNTAX IpSecOrderTC 3449 STATUS current 3450 DESCRIPTION 3451 "An integer that specifies the precedence order of the selectors 3452 identified by ipSecSelectorId within a selector set. The selector 3453 set is identified by ipSecSelectorSetId. 
" 3454 ::= { ipSecSelectorSetEntry 4 } 3456 ipSecSelectorSetIsNegated OBJECT-TYPE 3457 SYNTAX TruthValue 3458 STATUS current 3459 DESCRIPTION 3460 "If the value of this attribute is 'true', the filters pointed by 3461 ipSecSelectorSetSelectorId SHALL be negated." 3462 ::= { ipSecSelectorSetEntry 5 } 3464 -- 3465 -- 3466 -- The ipSecSelectorTable 3467 -- 3469 ipSecSelectorTable OBJECT-TYPE 3470 SYNTAX SEQUENCE OF IpSecSelectorEntry 3471 PIB-ACCESS install 3472 STATUS current 3473 DESCRIPTION 3474 "Specifies IPsec selectors. Each row in the selector table 3475 represents multiple selectors. These selectors are obtained as 3476 follows: 3478 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP 3479 addresses from the ipSecAddressTable whose ipSecAddressGroupId 3480 matches the ipSecSelectorSrcAddressGroupId. 3482 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP 3483 addresses from the ipSecAddressTable whose ipSecAddressGroupId 3484 matches the ipSecSelectorDstAddressGroupId. 3486 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports 3487 or ranges of port whose ipSecL4PortGroupId matches the 3488 ipSecSelectorSrcPortGroupId. 3490 4. Substitute the ipSecSelectorDstPortGroupId with all the ports 3491 or ranges of port whose ipSecL4PortGroupId matches the 3492 ipSecSelectorDstPortGroupId. 3494 5. Construct all the possible combinations of the above four 3495 fields. Then add to the combinations the ipSecSelectorProtocol, 3496 ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form 3497 all the selectors. 3499 Li, et al Expires October 2004 65 3500 The relative order of the selectors constructed from a single row 3501 is unspecified. 
" 3502 ::= { ipSecSelector 2 } 3504 ipSecSelectorEntry OBJECT-TYPE 3505 SYNTAX IpSecSelectorEntry 3506 STATUS current 3507 DESCRIPTION 3508 "Specifies an instance of this class" 3509 PIB-INDEX { ipSecSelectorPrid } 3510 UNIQUENESS { 3511 ipSecSelectorSrcAddressGroupId, 3512 ipSecSelectorSrcPortGroupId, 3513 ipSecSelectorDstAddressGroupId, 3514 ipSecSelectorDstPortGroupId, 3515 ipSecSelectorProtocol, 3516 ipSecSelectorDscp, 3517 ipSecSelectorFlowLabel 3518 } 3519 ::= { ipSecSelectorTable 1 } 3521 IpSecSelectorEntry ::= SEQUENCE { 3522 ipSecSelectorPrid InstanceId, 3523 ipSecSelectorSrcAddressGroupId TagReferenceId, 3524 ipSecSelectorSrcPortGroupId TagReferenceId, 3525 ipSecSelectorDstAddressGroupId TagReferenceId, 3526 ipSecSelectorDstPortGroupId TagReferenceId, 3527 ipSecSelectorProtocol Unsigned32, 3528 ipSecSelectorDscp DscpOrAny, 3529 ipSecSelectorFlowLabel IPv6FlowLabelOrAny 3530 } 3532 ipSecSelectorPrid OBJECT-TYPE 3533 SYNTAX InstanceId 3534 STATUS current 3535 DESCRIPTION 3536 "An integer index that uniquely identifies an instance of this 3537 class." 3538 ::= { ipSecSelectorEntry 1 } 3540 ipSecSelectorSrcAddressGroupId OBJECT-TYPE 3541 SYNTAX TagReferenceId 3542 PIB-TAG { ipSecAddressGroupId } 3543 STATUS current 3544 DESCRIPTION 3545 "Indicates source addresses. All addresses in ipSecAddressTable 3546 whose ipSecAddressGroupId matches this value are included as 3547 source addresses. 3549 A value of zero indicates wildcard address, i.e., any address 3550 matches." 3551 ::= { ipSecSelectorEntry 2 } 3553 Li, et al Expires October 2004 66 3554 ipSecSelectorSrcPortGroupId OBJECT-TYPE 3555 SYNTAX TagReferenceId 3556 PIB-TAG { ipSecL4PortGroupId } 3557 STATUS current 3558 DESCRIPTION 3559 "Indicates source layer 4 port numbers. All ports in ipSecL4Port 3560 whose ipSecL4PortGroupId matches this value are included. 3562 A value of zero indicates wildcard port, i.e., any port number 3563 matches." 
3564 ::= { ipSecSelectorEntry 3 } 3566 ipSecSelectorDstAddressGroupId OBJECT-TYPE 3567 SYNTAX TagReferenceId 3568 PIB-TAG { ipSecAddressGroupId } 3569 STATUS current 3570 DESCRIPTION 3571 "Indicates destination addresses. All addresses in 3572 ipSecAddressTable whose ipSecAddressGroupId matches this value are 3573 included as destination addresses. 3575 A value of zero indicates wildcard address, i.e., any address 3576 matches." 3577 ::= { ipSecSelectorEntry 4 } 3579 ipSecSelectorDstPortGroupId OBJECT-TYPE 3580 SYNTAX TagReferenceId 3581 PIB-TAG { ipSecL4PortGroupId } 3582 STATUS current 3583 DESCRIPTION 3584 "Indicates destination layer 4 port numbers. All ports in 3585 ipSecL4Port whose ipSecL4PortGroupId matches this value are 3586 included. 3588 A value of zero indicates wildcard port, i.e., any port number 3589 matches." 3590 ::= { ipSecSelectorEntry 5 } 3592 ipSecSelectorProtocol OBJECT-TYPE 3593 SYNTAX Unsigned32 (0..255) 3594 STATUS current 3595 DESCRIPTION 3596 "The layer-4 protocol Id to match against the IPv4 protocol number 3597 or the IPv6 Next-Header number in the packet. A value of 255 means 3598 match all. Note the protocol number of 255 is reserved by IANA, 3599 and Next-Header number of 0 is used in IPv6." 3600 ::= { ipSecSelectorEntry 6 } 3602 ipSecSelectorDscp OBJECT-TYPE 3603 SYNTAX DscpOrAny 3604 STATUS current 3605 DESCRIPTION 3607 Li, et al Expires October 2004 67 3608 "The value that the DSCP in the packet can have and match this 3609 filter. A value of -1 indicates that a specific DSCP value has not 3610 been defined and thus all DSCP values are considered a match." 3611 ::= { ipSecSelectorEntry 7 } 3613 ipSecSelectorFlowLabel OBJECT-TYPE 3614 SYNTAX IPv6FlowLabelOrAny 3615 STATUS current 3616 DESCRIPTION 3617 "The flow identifier or flow label in an IPv6 packet header that 3618 may be used to discriminate traffic flows. The value of -1 is 3619 used to indicate a wildcard, i.e. any value." 
3620 ::= { ipSecSelectorEntry 8 } 3622 -- 3623 -- 3624 -- The ipSecAddressTable 3625 -- 3627 ipSecAddressTable OBJECT-TYPE 3628 SYNTAX SEQUENCE OF IpSecAddressEntry 3629 PIB-ACCESS install 3630 STATUS current 3631 DESCRIPTION 3632 "This class allows the specification of a single IP address, a 3633 subnet consisting of an IP address and the prefix length, an IP 3634 address range, and a wild-card IP address. 3636 If the address type is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', to 3637 specify a single IP address the values of ipSecAddressAddrMin and 3638 ipSecAddressAddrMax MUST be the same and the 3639 ipSecAddressAddrPrefixLength MUST have a value of 32 or greater 3640 (128 or greater for 'ipv6' or 'ipv6z'). To specify a subnet, the 3641 values of ipSecAddressAddrMin and ipSecAddressAddrMax MUST be the 3642 same and the ipSecAddressAddrPrefixLength MUST have a value 3643 between 0 and 32 (128 for 'ipv6' or 'ipv6z'). To specify an IP 3644 address range, the values of ipSecAddressAddrMin and 3645 ipSecAddressAddrMax MUST be different and the 3646 ipSecAddressAddrPrefixLength MUST have a value of 32 (or 128 for 3647 'ipv6' or 'ipv6z') 3649 If the address type is 'dns', ipSecAddressAddrMin and 3650 ipSecAddressAddrMax MUST contain the same 'dns' address. The 3651 ipSecAddressAddrPrefixLength MUST be ignored. The mapping of the 3652 address value to IPv4 or IPv6 addresses MUST be done by the PEP at 3653 install time. A dns name may be mapped into multiple single IP 3654 addresses. Each of them becomes a single row in the resulted 3655 address table. 3657 To specify a wild-card IP address, the 3658 ipSecAddressAddrPrefixLength MUST be zero. 
" 3659 ::= { ipSecSelector 3 } 3661 Li, et al Expires October 2004 68 3662 ipSecAddressEntry OBJECT-TYPE 3663 SYNTAX IpSecAddressEntry 3664 STATUS current 3665 DESCRIPTION 3666 "Specifies an instance of this class" 3667 PIB-INDEX { ipSecAddressPrid } 3668 UNIQUENESS { 3669 ipSecAddressAddressType, 3670 ipSecAddressAddrPrefixLength, 3671 ipSecAddressAddrMin, 3672 ipSecAddressAddrMax, 3673 ipSecAddressGroupId 3674 } 3675 ::= { ipSecAddressTable 1 } 3677 IpSecAddressEntry ::= SEQUENCE { 3678 ipSecAddressPrid InstanceId, 3679 ipSecAddressAddressType InetAddressType, 3680 ipSecAddressAddrPrefixLength InetAddressPrefixLength, 3681 ipSecAddressAddrMin InetAddress, 3682 ipSecAddressAddrMax InetAddress, 3683 ipSecAddressGroupId TagId 3684 } 3686 ipSecAddressPrid OBJECT-TYPE 3687 SYNTAX InstanceId 3688 STATUS current 3689 DESCRIPTION 3690 "An integer index that uniquely identifies an instance of this 3691 class." 3692 ::= { ipSecAddressEntry 1 } 3694 ipSecAddressAddressType OBJECT-TYPE 3695 SYNTAX InetAddressType 3696 STATUS current 3697 DESCRIPTION 3698 "Specifies the type of IP address. 3700 While other types of addresses are defined in the InetAddressType 3701 textual convention, an IP filter can only use IPv4 and IPv6 3702 addresses directly to classify traffic. All other InetAddressTypes 3703 require mapping to the corresponding Ipv4 or IPv6 address before 3704 being used to classify traffic. Therefore, this object as such is 3705 not limited to IPv4 and IPv6 addresses, i.e., it can be assigned 3706 any of the valid values defined in the InetAddressType TC, but the 3707 mapping of the address values to IPv4 or IPv6 addresses must be 3708 done by the PEP at install time. " 3709 ::= { ipSecAddressEntry 2 } 3711 ipSecAddressAddrPrefixLength OBJECT-TYPE 3712 SYNTAX InetAddressPrefixLength 3713 STATUS current 3715 Li, et al Expires October 2004 69 3716 DESCRIPTION 3717 "The length of a mask for the matching of IP address. 
This 3718 attribute is interpreted only if the InetAddressType is 'ipv4', 3719 'ipv4z', 'ipv6' or 'ipv6z'. 3721 Masks are constructed by setting bits in sequence from the most- 3722 significant bit downwards for ipSecAddressAddrPrefixLength bits 3723 length. All other bits in the mask, up to the number needed to 3724 fill the length of the address ipSecAddressAddrMin are cleared to 3725 zero. A zero bit in the mask then means that the corresponding bit 3726 in the address always matches. 3728 In IPv4 addresses, a length of 0 indicates a match of any address. 3729 When ipSecAddressAddrMin and ipSecAddressAddrMax have the same 3730 value, a length of 32 or greater indicates a match of a single 3731 host address, and a length between 0 and 32 indicates the use of a 3732 CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax have 3733 different values, this attribute MUST have a value of 32 to 3734 indicate an IP address range. 3736 In IPv6 addresses, a length of 0 indicates a match of any address. 3737 When ipSecAddressAddrMin and ipSecAddressAddrMax have the same 3738 value, a length of 128 or greater indicates a match of a single 3739 host address, and a length between 0 and 128 indicates the use of 3740 a CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax 3741 have different values, this attribute MUST have value of 128 in 3742 order to indicate an IP address range." 3743 ::= { ipSecAddressEntry 3 } 3745 ipSecAddressAddrMin OBJECT-TYPE 3746 SYNTAX InetAddress 3747 STATUS current 3748 DESCRIPTION 3749 "Specifies an IP address. The type of the address is specified by 3750 the ipSecAddressAddressType attribute. If the address type is 3751 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z' then, the attribute 3752 ipSecAddressAddrPrefixLength indicates the number of bits that are 3753 relevant." 
3754 ::= { ipSecAddressEntry 4 } 3756 ipSecAddressAddrMax OBJECT-TYPE 3757 SYNTAX InetAddress 3758 STATUS current 3759 DESCRIPTION 3760 "If a range of addresses is used then this specifies the ending 3761 address. The type of the address is specified by the 3762 ipSecAddressAddressType attribute. 3764 To specify a single IP addres or a subnet, this attribute MUST be 3765 the same as that of ipSecAddressAddrMin. 3767 When ipSecAddressAddressType is 'dns', this attribute MUST contain 3768 the same DNS address as ipSecAddressAddrMin" 3770 Li, et al Expires October 2004 70 3771 ::= { ipSecAddressEntry 5 } 3773 ipSecAddressGroupId OBJECT-TYPE 3774 SYNTAX TagId 3775 STATUS current 3776 DESCRIPTION 3777 "Specifies the group this IP address, address range or subnet 3778 address belongs to." 3779 ::= { ipSecAddressEntry 6 } 3781 -- 3782 -- 3783 -- The ipSecL4PortTable 3784 -- 3786 ipSecL4PortTable OBJECT-TYPE 3787 SYNTAX SEQUENCE OF IpSecL4PortEntry 3788 PIB-ACCESS install 3789 STATUS current 3790 DESCRIPTION 3791 "Specifies layer four port numbers." 3792 ::= { ipSecSelector 4 } 3794 ipSecL4PortEntry OBJECT-TYPE 3795 SYNTAX IpSecL4PortEntry 3796 STATUS current 3797 DESCRIPTION 3798 "Specifies an instance of this class" 3799 PIB-INDEX { ipSecL4PortPrid } 3800 UNIQUENESS { 3801 ipSecL4PortPortMin, 3802 ipSecL4PortPortMax, 3803 ipSecL4PortGroupId 3804 } 3805 ::= { ipSecL4PortTable 1 } 3807 IpSecL4PortEntry ::= SEQUENCE { 3808 ipSecL4PortPrid InstanceId, 3809 ipSecL4PortPortMin InetPortNumber, 3810 ipSecL4PortPortMax InetPortNumber, 3811 ipSecL4PortGroupId TagId 3812 } 3814 ipSecL4PortPrid OBJECT-TYPE 3815 SYNTAX InstanceId 3816 STATUS current 3817 DESCRIPTION 3818 "An integer index that uniquely identifies an instance of this 3819 class." 
3820 ::= { ipSecL4PortEntry 1 } 3822 ipSecL4PortPortMin OBJECT-TYPE 3824 Li, et al Expires October 2004 71 3825 SYNTAX InetPortNumber 3826 STATUS current 3827 DESCRIPTION 3828 "Specifies a layer 4 port or the first layer 4 port number of a 3829 range of ports. The value of this attribute must be equal or less 3830 than that of ipSecL4PortPortMax. 3832 A value of zero indicates any port matches." 3833 ::= { ipSecL4PortEntry 2 } 3835 ipSecL4PortPortMax OBJECT-TYPE 3836 SYNTAX InetPortNumber 3837 STATUS current 3838 DESCRIPTION 3839 "Specifies the last layer 4 port in the range. If only a single 3840 port is specified, the value of this attribute must be equal to 3841 that of ipSecL4PortPortMin. Otherwise, the value of this attribute 3842 MUST be greater than that specified by ipSecL4PortPortMin. 3844 If ipSecL4PortPortMin is zero, this attribute MUST be ignored." 3845 ::= { ipSecL4PortEntry 3 } 3847 ipSecL4PortGroupId OBJECT-TYPE 3848 SYNTAX TagId 3849 STATUS current 3850 DESCRIPTION 3851 "Specifies the group this port or port range belongs to." 3852 ::= { ipSecL4PortEntry 4 } 3854 -- 3855 -- 3856 -- The ipSecIpsoFilterSetTable 3857 -- 3859 ipSecIpsoFilterSetTable OBJECT-TYPE 3860 SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry 3861 PIB-ACCESS install 3862 STATUS current 3863 DESCRIPTION 3864 "Specifies IP Security Options (IPSO) filter sets. Each set 3865 contains an ordered list of IPSO filters. Please refer to 3866 [RFC1108] for details on IPSO." 
3867 ::= { ipSecSelector 5 } 3869 ipSecIpsoFilterSetEntry OBJECT-TYPE 3870 SYNTAX IpSecIpsoFilterSetEntry 3871 STATUS current 3872 DESCRIPTION 3873 "Specifies an instance of this class" 3874 PIB-INDEX { ipSecIpsoFilterSetPrid } 3875 UNIQUENESS { 3876 ipSecIpsoFilterSetFilterSetId, 3878 Li, et al Expires October 2004 72 3879 ipSecIpsoFilterSetOrder 3880 } 3881 ::= { ipSecIpsoFilterSetTable 1 } 3883 IpSecIpsoFilterSetEntry ::= SEQUENCE { 3884 ipSecIpsoFilterSetPrid InstanceId, 3885 ipSecIpsoFilterSetFilterSetId TagId, 3886 ipSecIpsoFilterSetFilterId ReferenceId, 3887 ipSecIpsoFilterSetOrder IpSecOrderTC, 3888 ipSecIpsoFilterSetIsNegated TruthValue 3889 } 3891 ipSecIpsoFilterSetPrid OBJECT-TYPE 3892 SYNTAX InstanceId 3893 STATUS current 3894 DESCRIPTION 3895 "An integer index that uniquely identifies an instance of this 3896 class." 3897 ::= { ipSecIpsoFilterSetEntry 1 } 3899 ipSecIpsoFilterSetFilterSetId OBJECT-TYPE 3900 SYNTAX TagId 3901 STATUS current 3902 DESCRIPTION 3903 "An IPSO filter set is composed of one or more IPSO filters. 3904 Filters belonging to the same set have the same FilterSetId." 3905 ::= { ipSecIpsoFilterSetEntry 2 } 3907 ipSecIpsoFilterSetFilterId OBJECT-TYPE 3908 SYNTAX ReferenceId 3909 PIB-REFERENCES {ipSecIpsoFilterEntry } 3910 STATUS current 3911 DESCRIPTION 3912 "A pointer to a valid instance in the ipSecIpsoFilterTable." 3913 ::= { ipSecIpsoFilterSetEntry 3 } 3915 ipSecIpsoFilterSetOrder OBJECT-TYPE 3916 SYNTAX IpSecOrderTC 3917 STATUS current 3918 DESCRIPTION 3919 "An integer that specifies the precedence order of the filter 3920 identified by ipSecIpsoFilterSetFilterId within a filter set. The 3921 filter set is identified by ipSecIpsoFilterSetFilterSetId." 3922 ::= { ipSecIpsoFilterSetEntry 4 } 3924 ipSecIpsoFilterSetIsNegated OBJECT-TYPE 3925 SYNTAX TruthValue 3926 STATUS current 3927 DESCRIPTION 3928 "If the value of this attribute is 'true', the filter pointed by 3929 ipSecIpsoFilterSetFilterId SHALL be negated." 
3930 ::= { ipSecIpsoFilterSetEntry 5 } 3932 Li, et al Expires October 2004 73 3933 -- 3934 -- 3935 -- The ipSecIpsoFilterTable 3936 -- 3938 ipSecIpsoFilterTable OBJECT-TYPE 3939 SYNTAX SEQUENCE OF IpSecIpsoFilterEntry 3940 PIB-ACCESS install 3941 STATUS current 3942 DESCRIPTION 3943 "Specifies IP Security Options (IPSO) filters. Please refer to 3944 [RFC1108] for details on IPSO." 3945 ::= { ipSecSelector 6 } 3947 ipSecIpsoFilterEntry OBJECT-TYPE 3948 SYNTAX IpSecIpsoFilterEntry 3949 STATUS current 3950 DESCRIPTION 3951 "Specifies an instance of this class" 3952 PIB-INDEX { ipSecIpsoFilterPrid } 3953 UNIQUENESS { 3954 ipSecIpsoFilterMatchConditionType, 3955 ipSecIpsoFilterClassificationLevel, 3956 ipSecIpsoFilterProtectionAuthority 3957 } 3958 ::= { ipSecIpsoFilterTable 1 } 3960 IpSecIpsoFilterEntry ::= SEQUENCE { 3961 ipSecIpsoFilterPrid InstanceId, 3962 ipSecIpsoFilterMatchConditionType INTEGER, 3963 ipSecIpsoFilterClassificationLevel IpSecIpsoClassificationTC, 3964 ipSecIpsoFilterProtectionAuthority IpSecIpsoProtectionTC 3965 } 3967 ipSecIpsoFilterPrid OBJECT-TYPE 3968 SYNTAX InstanceId 3969 STATUS current 3970 DESCRIPTION 3971 "An integer index that uniquely identifies an instance of this 3972 class." 3973 ::= { ipSecIpsoFilterEntry 1 } 3975 ipSecIpsoFilterMatchConditionType OBJECT-TYPE 3976 SYNTAX INTEGER { 3977 classificationLevel(1), 3978 protectionAuthority(2) 3979 } 3980 STATUS current 3981 DESCRIPTION 3982 "Specifies the IPSO header field to be matched." 3983 ::= { ipSecIpsoFilterEntry 2 } 3985 Li, et al Expires October 2004 74 3986 ipSecIpsoFilterClassificationLevel OBJECT-TYPE 3987 SYNTAX IpSecIpsoClassificationTC 3988 STATUS current 3989 DESCRIPTION 3990 "Specifies the value for classification level to be matched 3991 against. This attribute MUST be ignored if 3992 ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)." 
3993 ::= { ipSecIpsoFilterEntry 3 } 3995 ipSecIpsoFilterProtectionAuthority OBJECT-TYPE 3996 SYNTAX IpSecIpsoProtectionTC 3997 STATUS current 3998 DESCRIPTION 3999 "Specifies the value for protection authority to be matched 4000 against. This attribute MUST be ignored if 4001 ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority). 4002 " 4003 ::= { ipSecIpsoFilterEntry 4 } 4005 -- 4006 -- 4007 -- The ipSecRuleTimePeriodTable 4008 -- 4010 ipSecRuleTimePeriodTable OBJECT-TYPE 4011 SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry 4012 PIB-ACCESS install 4013 STATUS current 4014 DESCRIPTION 4015 "Specifies the time periods during which a policy rule is valid. 4016 The values of the first five attributes in a row are ANDed 4017 together to determine the validity period(s). If any of the five 4018 attributes is not present, it is treated as having value always 4019 enabled. " 4020 ::= { ipSecPolicyTimePeriod 1 } 4022 ipSecRuleTimePeriodEntry OBJECT-TYPE 4023 SYNTAX IpSecRuleTimePeriodEntry 4024 STATUS current 4025 DESCRIPTION 4026 "Specifies an instance of this class" 4027 PIB-INDEX { ipSecRuleTimePeriodPrid } 4028 UNIQUENESS { 4029 ipSecRuleTimePeriodTimePeriod, 4030 ipSecRuleTimePeriodMonthOfYearMask, 4031 ipSecRuleTimePeriodDayOfMonthMask, 4032 ipSecRuleTimePeriodDayOfWeekMask, 4033 ipSecRuleTimePeriodTimeOfDayMask, 4034 ipSecRuleTimePeriodLocalOrUtcTime 4035 } 4036 ::= { ipSecRuleTimePeriodTable 1 } 4038 Li, et al Expires October 2004 75 4039 IpSecRuleTimePeriodEntry ::= SEQUENCE { 4040 ipSecRuleTimePeriodPrid InstanceId, 4041 ipSecRuleTimePeriodTimePeriod TimePeriodTC, 4042 ipSecRuleTimePeriodMonthOfYearMask MonthOfYearTC, 4043 ipSecRuleTimePeriodDayOfMonthMask DayOfMonthTC, 4044 ipSecRuleTimePeriodDayOfWeekMask DayOfWeekTC, 4045 ipSecRuleTimePeriodTimeOfDayMask TimeOfDayTC, 4046 ipSecRuleTimePeriodLocalOrUtcTime LocalOrUtcTimeTC 4047 } 4049 ipSecRuleTimePeriodPrid OBJECT-TYPE 4050 SYNTAX InstanceId 4051 STATUS current 4052 DESCRIPTION 4053 "An integer index to 
uniquely identify an instance of this class" 4054 ::= { ipSecRuleTimePeriodEntry 1 } 4056 ipSecRuleTimePeriodTimePeriod OBJECT-TYPE 4057 SYNTAX TimePeriodTC 4058 STATUS current 4059 DESCRIPTION 4060 "Identifies an overall range of calendar dates and times over 4061 which a policy rule is valid." 4062 ::= { ipSecRuleTimePeriodEntry 2 } 4064 ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE 4065 SYNTAX MonthOfYearTC 4066 STATUS current 4067 DESCRIPTION 4068 "Specifies months of a year during which a policy is valid." 4069 ::= { ipSecRuleTimePeriodEntry 3 } 4071 ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE 4072 SYNTAX DayOfMonthTC 4073 STATUS current 4074 DESCRIPTION 4075 "Specifies days of a month during which a policy is valid." 4076 ::= { ipSecRuleTimePeriodEntry 4 } 4078 ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE 4079 SYNTAX DayOfWeekTC 4080 STATUS current 4081 DESCRIPTION 4082 "Specifies days of a week during which a policy is valid." 4083 ::= { ipSecRuleTimePeriodEntry 5 } 4085 ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE 4086 SYNTAX TimeOfDayTC 4087 STATUS current 4088 DESCRIPTION 4089 "Specifies a range of times in a day during which a policy is 4090 valid." 4091 ::= { ipSecRuleTimePeriodEntry 6 } 4093 Li, et al Expires October 2004 76 4094 ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE 4095 SYNTAX LocalOrUtcTimeTC 4096 STATUS current 4097 DESCRIPTION 4098 "Indicates whether the times represented in this class represent 4099 local times or UTC times. There is no provision for mixing of 4100 local times and UTC times: the value of this property applies to 4101 all of the other time-related properties." 4102 ::= { ipSecRuleTimePeriodEntry 7 } 4104 -- 4105 -- 4106 -- The ipSecRuleTimePeriodSetTable 4107 -- 4109 ipSecRuleTimePeriodSetTable OBJECT-TYPE 4110 SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry 4111 PIB-ACCESS install 4112 STATUS current 4113 DESCRIPTION 4114 "Specifies time period sets. 
The ipSecRuleTimePeriodTable can 4115 specify only a single time period within a day. This class enables 4116 the specification of multiple time periods within a day by 4117 grouping them into one set. " 4118 ::= { ipSecPolicyTimePeriod 2 } 4120 ipSecRuleTimePeriodSetEntry OBJECT-TYPE 4121 SYNTAX IpSecRuleTimePeriodSetEntry 4122 STATUS current 4123 DESCRIPTION 4124 "Specifies an instance of this class" 4125 PIB-INDEX { ipSecRuleTimePeriodSetPrid } 4126 UNIQUENESS { 4127 ipSecRuleTimePeriodSetRuleTimePeriodSetId, 4128 ipSecRuleTimePeriodSetRuleTimePeriodId 4129 } 4130 ::= { ipSecRuleTimePeriodSetTable 1 } 4132 IpSecRuleTimePeriodSetEntry ::= SEQUENCE { 4133 ipSecRuleTimePeriodSetPrid InstanceId, 4134 ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId, 4135 ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId 4136 } 4138 ipSecRuleTimePeriodSetPrid OBJECT-TYPE 4139 SYNTAX InstanceId 4140 STATUS current 4141 DESCRIPTION 4142 "An integer index to uniquely identify an instance of this class" 4143 ::= { ipSecRuleTimePeriodSetEntry 1 } 4145 Li, et al Expires October 2004 77 4146 ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE 4147 SYNTAX TagId 4148 STATUS current 4149 DESCRIPTION 4150 "An integer that uniquely identifies an ipSecRuleTimePeriod set. " 4151 ::= { ipSecRuleTimePeriodSetEntry 2 } 4153 ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE 4154 SYNTAX ReferenceId 4155 PIB-REFERENCES {ipSecRuleTimePeriodEntry } 4156 STATUS current 4157 DESCRIPTION 4158 "An integer that identifies an ipSecRuleTimePeriod, specified by 4159 ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is 4160 included in this set." 4161 ::= { ipSecRuleTimePeriodSetEntry 3 } 4163 -- 4164 -- 4165 -- The ipSecIfCapsTable 4166 -- 4168 ipSecIfCapsTable OBJECT-TYPE 4169 SYNTAX SEQUENCE OF IpSecIfCapsEntry 4170 PIB-ACCESS notify 4171 STATUS current 4172 DESCRIPTION 4173 "Specifies capabilities that may be associated with an interface 4174 of a specific type. 
The instances of this class are referenced by 4175 the frwkCapabilitySetCapability attribute of the 4176 frwkCapabilitySetTable [RFC3318]." 4177 ::= { ipSecIfCapability 1 } 4179 ipSecIfCapsEntry OBJECT-TYPE 4180 SYNTAX IpSecIfCapsEntry 4181 STATUS current 4182 DESCRIPTION 4183 "Specifies an instance of this class" 4184 PIB-INDEX { ipSecIfCapsPrid } 4185 UNIQUENESS { 4186 ipSecIfCapsDirection, 4187 ipSecIfCapsMaxIpSecActions, 4188 ipSecIfCapsMaxIkeActions 4189 } 4190 ::= { ipSecIfCapsTable 1 } 4192 IpSecIfCapsEntry ::= SEQUENCE { 4193 ipSecIfCapsPrid InstanceId, 4194 ipSecIfCapsDirection INTEGER, 4195 ipSecIfCapsMaxIpSecActions Unsigned16TC, 4196 ipSecIfCapsMaxIkeActions Unsigned16TC 4197 } 4199 Li, et al Expires October 2004 78 4200 ipSecIfCapsPrid OBJECT-TYPE 4201 SYNTAX InstanceId 4202 STATUS current 4203 DESCRIPTION 4204 "An integer index that uniquely identifies an instance of this 4205 class." 4206 ::= { ipSecIfCapsEntry 1 } 4208 ipSecIfCapsDirection OBJECT-TYPE 4209 SYNTAX INTEGER { 4210 in(1), 4211 out(2), 4212 bi-directional(3) 4213 } 4214 STATUS current 4215 DESCRIPTION 4216 "Specifies the direction for which this capability applies." 4217 ::= { ipSecIfCapsEntry 2 } 4219 ipSecIfCapsMaxIpSecActions OBJECT-TYPE 4220 SYNTAX Unsigned16TC 4221 STATUS current 4222 DESCRIPTION 4223 "Specifies the maximum number of actions an IPsec action set may 4224 contain. IPsec action sets are specified by the 4225 ipSecActionSetTable. 4227 A value of zero indicates that there is no maximum limit." 4228 ::= { ipSecIfCapsEntry 3 } 4230 ipSecIfCapsMaxIkeActions OBJECT-TYPE 4231 SYNTAX Unsigned16TC 4232 STATUS current 4233 DESCRIPTION 4234 "Specifies the maximum number of actions an IKE action set may 4235 contain. IKE action sets are specified by the 4236 ipSecIkeActionSetTable. 4238 A value of zero indicates that there is no maximum limit." 
4239 ::= { ipSecIfCapsEntry 4 } 4241 -- 4242 -- 4243 -- Conformance Section 4244 -- 4246 ipSecPolicyPibCompliances 4247 OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 } 4249 ipSecPolicyPibConformanceGroups 4250 OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 } 4252 Li, et al Expires October 2004 79 4253 ipSecPolicyPibCompliance MODULE-COMPLIANCE 4254 STATUS current 4255 DESCRIPTION 4256 " Compliance statement" 4257 MODULE --this module 4258 MANDATORY-GROUPS { 4259 ipSecSaGroup, 4260 ipSecIkeGroup, 4261 ipSecSelectorGroup, 4262 ipSecIfCapsGroup 4263 } 4265 GROUP ipSecIkeRuleGroup 4266 DESCRIPTION 4267 "This group is mandatory if any of the following is supported: 1) 4268 multiple IKE phase one actions (e.g., with different exchange 4269 modes) are associated with an IPsec rule. These actions are to be 4270 tried in sequence till one success; 2) IKE phase one actions that 4271 start automatically." 4273 GROUP ipSecIkeActionSetGroup 4274 DESCRIPTION 4275 "This group is mandatory if any of the following is supported: 1) 4276 multiple IKE phase one actions (e.g., with different exchange 4277 modes) are associated with an IPsec rule. These actions are to be 4278 tried in sequence till one success; 2) IKE phase one actions that 4279 start automatically." 4281 GROUP ipSecIpsoFilterSetGroup 4282 DESCRIPTION 4283 "This group is mandatory if IPSO filter is supported." 4285 GROUP ipSecIpsoFilterGroup 4286 DESCRIPTION 4287 "This group is mandatory if IPSO filter is supported." 4289 GROUP ipSecRuleTimePeriodGroup 4290 DESCRIPTION 4291 "This group is mandatory if policy scheduling is supported." 4293 GROUP ipSecRuleTimePeriodSetGroup 4294 DESCRIPTION 4295 "This group is mandatory if policy scheduling is supported." 
4297 OBJECT ipSecRuleIpSecIpsoFilterSetId 4298 PIB-MIN-ACCESS not-accessible 4299 DESCRIPTION 4300 " Support of this attribute is optional" 4302 OBJECT ipSecRuleLimitNegotiation 4303 PIB-MIN-ACCESS not-accessible 4304 DESCRIPTION 4306 Li, et al Expires October 2004 80 4307 " Support of this attribute is optional" 4309 OBJECT ipSecRuleAutoStart 4310 PIB-MIN-ACCESS not-accessible 4311 DESCRIPTION 4312 " Support of this attribute is optional" 4314 OBJECT ipSecRuleIpSecRuleTimePeriodGroupId 4315 PIB-MIN-ACCESS not-accessible 4316 DESCRIPTION 4317 " Support of this attribute is optional" 4319 OBJECT ipSecActionSetDoActionLogging 4320 PIB-MIN-ACCESS not-accessible 4321 DESCRIPTION 4322 " Support of this attribute is optional" 4324 OBJECT ipSecActionSetDoPacketLogging 4325 PIB-MIN-ACCESS not-accessible 4326 DESCRIPTION 4327 " Support of this attribute is optional" 4329 OBJECT ipSecAssociationMinLifetimeSeconds 4330 PIB-MIN-ACCESS not-accessible 4331 DESCRIPTION 4332 " Support of this attribute is optional" 4334 OBJECT ipSecAssociationMinLifetimeKilobytes 4335 PIB-MIN-ACCESS not-accessible 4336 DESCRIPTION 4337 " Support of this attribute is optional" 4339 OBJECT ipSecAssociationIdleDurationSeconds 4340 PIB-MIN-ACCESS not-accessible 4341 DESCRIPTION 4342 " Support of this attribute is optional" 4344 OBJECT ipSecAssociationUseKeyExchangeGroup 4345 PIB-MIN-ACCESS not-accessible 4346 DESCRIPTION 4347 " Support of this attribute is optional" 4349 OBJECT ipSecAssociationGranularity 4350 PIB-MIN-ACCESS not-accessible 4351 DESCRIPTION 4352 " Support of this attribute is optional" 4354 OBJECT ipSecAhTransformUseReplayPrevention 4355 PIB-MIN-ACCESS not-accessible 4356 DESCRIPTION 4357 " Support of this attribute is optional" 4359 OBJECT ipSecAhTransformReplayPreventionWindowSize 4361 Li, et al Expires October 2004 81 4362 PIB-MIN-ACCESS not-accessible 4363 DESCRIPTION 4364 " Support of this attribute is optional" 4366 OBJECT ipSecEspTransformCipherKeyRounds 4367 PIB-MIN-ACCESS 
not-accessible 4368 DESCRIPTION 4369 " Support of this attribute is optional" 4371 OBJECT ipSecEspTransformCipherKeyLength 4372 PIB-MIN-ACCESS not-accessible 4373 DESCRIPTION 4374 " Support of this attribute is optional" 4376 OBJECT ipSecEspTransformUseReplayPrevention 4377 PIB-MIN-ACCESS not-accessible 4378 DESCRIPTION 4379 " Support of this attribute is optional" 4381 OBJECT ipSecEspTransformReplayPreventionWindowSize 4382 PIB-MIN-ACCESS not-accessible 4383 DESCRIPTION 4384 " Support of this attribute is optional" 4386 OBJECT ipSecCompTransformDictionarySize 4387 PIB-MIN-ACCESS not-accessible 4388 DESCRIPTION 4389 " Support of this attribute is optional" 4391 OBJECT ipSecIkeAssociationMinLiftetimeSeconds 4392 PIB-MIN-ACCESS not-accessible 4393 DESCRIPTION 4394 " Support of this attribute is optional" 4396 OBJECT ipSecIkeAssociationMinLifetimeKilobytes 4397 PIB-MIN-ACCESS not-accessible 4398 DESCRIPTION 4399 " Support of this attribute is optional" 4401 OBJECT ipSecIkeAssociationIdleDurationSeconds 4402 PIB-MIN-ACCESS not-accessible 4403 DESCRIPTION 4404 " Support of this attribute is optional" 4406 OBJECT ipSecIkeAssociationPresharedKey 4407 PIB-MIN-ACCESS not-accessible 4408 DESCRIPTION 4409 " Support of this attribute is optional" 4411 OBJECT ipSecIkeAssociationVendorId 4412 PIB-MIN-ACCESS not-accessible 4413 DESCRIPTION 4414 " Support of this attribute is optional" 4416 Li, et al Expires October 2004 82 4417 OBJECT ipSecIkeAssociationAggressiveModeGroupId 4418 PIB-MIN-ACCESS not-accessible 4419 DESCRIPTION 4420 " Support of this attribute is optional" 4422 OBJECT ipSecIkeAssociationLocalCredentialId 4423 PIB-MIN-ACCESS not-accessible 4424 DESCRIPTION 4425 " Support of this attribute is optional" 4427 OBJECT ipSecIkeAssociationDoActionLogging 4428 PIB-MIN-ACCESS not-accessible 4429 DESCRIPTION 4430 " Support of this attribute is optional" 4432 OBJECT ipSecIkeProposalPrfAlgorithm 4433 PIB-MIN-ACCESS not-accessible 4434 DESCRIPTION 4435 " Support of this 
attribute is optional" 4437 OBJECT ipSecIkePeerEndpointAddress 4438 PIB-MIN-ACCESS not-accessible 4439 DESCRIPTION 4440 " Support of this attribute is optional" 4442 OBJECT ipSecIfCapsMaxIkeActions 4443 PIB-MIN-ACCESS not-accessible 4444 DESCRIPTION 4445 " Support of this attribute is optional" 4447 OBJECT ipSecRuleActionExecutionStrategy 4448 SYNTAX INTEGER { 4449 doAll(1) 4450 } 4451 DESCRIPTION 4452 " Support of doUntilSuccess(2) is not required" 4454 OBJECT ipSecStaticActionAction 4455 SYNTAX INTEGER { 4456 byPass(1), 4457 discard(2), 4458 preConfiguredTransport(4), 4459 preConfiguredTunnel(5) 4460 } 4461 DESCRIPTION 4462 " Support of ikeRejection(3) is not required" 4464 ::= { ipSecPolicyPibCompliances 1 } 4466 ipSecSaGroup OBJECT-GROUP 4467 OBJECTS { 4468 ipSecRulePrid, 4470 Li, et al Expires October 2004 83 4471 ipSecRuleIfCapSetName, 4472 ipSecRuleRoles, 4473 ipSecRuleDirection, 4474 ipSecRuleIpSecSelectorSetId, 4475 ipSecRuleIpSecIpsoFilterSetId, 4476 ipSecRuleIpSecActionSetId, 4477 ipSecRuleActionExecutionStrategy, 4478 ipSecRuleOrder, 4479 ipSecRuleLimitNegotiation, 4480 ipSecRuleAutoStart, 4481 ipSecRuleIpSecRuleTimePeriodGroupId, 4483 ipSecActionSetPrid, 4484 ipSecActionSetActionSetId, 4485 ipSecActionSetActionId, 4486 ipSecActionSetDoActionLogging, 4487 ipSecActionSetDoPacketLogging, 4488 ipSecActionSetOrder, 4490 ipSecStaticActionPrid, 4491 ipSecStaticActionAction, 4492 ipSecStaticActionTunnelEndpointId, 4493 ipSecStaticActionDfHandling, 4494 ipSecStaticActionSpi, 4495 ipSecStaticActionLifetimeSeconds, 4496 ipSecStaticActionLifetimeKilobytes, 4497 ipSecStaticActionSaTransformId, 4499 ipSecNegotiationActionPrid, 4500 ipSecNegotiationActionAction, 4501 ipSecNegotiationActionTunnelEndpointId, 4502 ipSecNegotiationActionDfHandling, 4503 ipSecNegotiationActionIpSecAssociationId, 4504 ipSecNegotiationActionKeyExchangeId, 4506 ipSecAssociationPrid, 4507 ipSecAssociationMinLifetimeSeconds, 4508 ipSecAssociationMinLifetimeKilobytes, 4509 
ipSecAssociationIdleDurationSeconds, 4510 ipSecAssociationUsePfs, 4511 ipSecAssociationUseKeyExchangeGroup, 4512 ipSecAssociationDhGroup, 4513 ipSecAssociationGranularity, 4514 ipSecAssociationProposalSetId, 4516 ipSecProposalSetPrid, 4517 ipSecProposalSetProposalSetId, 4518 ipSecProposalSetProposalId, 4519 ipSecProposalSetOrder, 4521 ipSecProposalPrid, 4522 ipSecProposalEspTransformSetId, 4523 ipSecProposalAhTransformSetId, 4525 Li, et al Expires October 2004 84 4526 ipSecProposalCompTransformSetId, 4528 ipSecAhTransformSetPrid, 4529 ipSecAhTransformSetTransformSetId, 4530 ipSecAhTransformSetTransformId, 4531 ipSecAhTransformSetOrder, 4533 ipSecAhTransformPrid, 4534 ipSecAhTransformTransformId, 4535 ipSecAhTransformIntegrityKey, 4536 ipSecAhTransformUseReplayPrevention, 4537 ipSecAhTransformReplayPreventionWindowSize, 4538 ipSecAhTransformMaxLifetimeSeconds, 4539 ipSecAhTransformMaxLifetimeKilobytes, 4541 ipSecEspTransformSetPrid, 4542 ipSecEspTransformSetTransformSetId, 4543 ipSecEspTransformSetTransformId, 4544 ipSecEspTransformSetOrder, 4546 ipSecEspTransformPrid, 4547 ipSecEspTransformIntegrityTransformId, 4548 ipSecEspTransformCipherTransformId, 4549 ipSecEspTransformIntegrityKey, 4550 ipSecEspTransformCipherKey, 4551 ipSecEspTransformCipherKeyRounds, 4552 ipSecEspTransformCipherKeyLength, 4553 ipSecEspTransformUseReplayPrevention, 4554 ipSecEspTransformReplayPreventionWindowSize, 4555 ipSecEspTransformMaxLifetimeSeconds, 4556 ipSecEspTransformMaxLifetimeKilobytes, 4558 ipSecCompTransformSetPrid, 4559 ipSecCompTransformSetTransformSetId, 4560 ipSecCompTransformSetTransformId, 4561 ipSecCompTransformSetOrder, 4563 ipSecCompTransformPrid, 4564 ipSecCompTransformAlgorithm, 4565 ipSecCompTransformDictionarySize, 4566 ipSecCompTransformMaxLifetimeSeconds, 4567 ipSecCompTransformMaxLifetimeKilobytes 4568 } 4569 STATUS current 4570 DESCRIPTION 4571 "This group specifies IPsec phase two rules" 4572 ::= { ipSecPolicyPibConformanceGroups 1 } 4574 ipSecIkeGroup 
OBJECT-GROUP 4575 OBJECTS { 4576 ipSecIkeAssociationPrid, 4577 ipSecIkeAssociationMinLiftetimeSeconds, 4578 ipSecIkeAssociationMinLifetimeKilobytes, 4580 Li, et al Expires October 2004 85 4581 ipSecIkeAssociationIdleDurationSeconds, 4582 ipSecIkeAssociationExchangeMode, 4583 ipSecIkeAssociationUseIkeIdentityType, 4584 ipSecIkeAssociationUseIkeIdentityValue, 4585 ipSecIkeAssociationIkePeerEndpoint, 4586 ipSecIkeAssociationPresharedKey, 4587 ipSecIkeAssociationVendorId, 4588 ipSecIkeAssociationAggressiveModeGroupId, 4589 ipSecIkeAssociationLocalCredentialId, 4590 ipSecIkeAssociationDoActionLogging, 4591 ipSecIkeAssociationIkeProposalSetId, 4593 ipSecIkeProposalSetPrid, 4594 ipSecIkeProposalSetProposalSetId, 4595 ipSecIkeProposalSetProposalId, 4596 ipSecIkeProposalSetOrder, 4598 ipSecIkeProposalPrid, 4599 ipSecIkeProposalMaxLifetimeSeconds, 4600 ipSecIkeProposalMaxLifetimeKilobytes, 4601 ipSecIkeProposalCipherAlgorithm, 4602 ipSecIkeProposalHashAlgorithm, 4603 ipSecIkeProposalAuthenticationMethod, 4604 ipSecIkeProposalPrfAlgorithm, 4605 ipSecIkeProposalIkeDhGroup, 4607 ipSecIkePeerEndpointPrid, 4608 ipSecIkePeerEndpointIdentityType, 4609 ipSecIkePeerEndpointIdentityValue, 4610 ipSecIkePeerEndpointIsNegated, 4611 ipSecIkePeerEndpointAddress, 4612 ipSecIkePeerEndpointCredentialSetId, 4614 ipSecCredentialSetPrid, 4615 ipSecCredentialSetSetId, 4616 ipSecCredentialSetCredentialId, 4618 ipSecCredentialPrid, 4619 ipSecCredentialCredentialType, 4620 ipSecCredentialFieldsId, 4621 ipSecCredentialCrlDistributionPoint, 4623 ipSecCredentialFieldsPrid, 4624 ipSecCredentialFieldsName, 4625 ipSecCredentialFieldsValue, 4626 ipSecCredentialFieldsIsNegated, 4627 ipSecCredentialFieldsSetId 4628 } 4629 STATUS current 4630 DESCRIPTION 4631 "This group specifies IPsec phase one rules (IKEv1)" 4632 ::= { ipSecPolicyPibConformanceGroups 2 } 4634 Li, et al Expires October 2004 86 4635 ipSecSelectorGroup OBJECT-GROUP 4636 OBJECTS { 4637 ipSecSelectorSetPrid, 4638 ipSecSelectorSetSelectorSetId, 
        ipSecSelectorSetSelectorId,
        ipSecSelectorSetOrder,
        ipSecSelectorSetIsNegated,

        ipSecSelectorPrid,
        ipSecSelectorSrcAddressGroupId,
        ipSecSelectorSrcPortGroupId,
        ipSecSelectorDstAddressGroupId,
        ipSecSelectorDstPortGroupId,
        ipSecSelectorProtocol,
        ipSecSelectorDscp,
        ipSecSelectorFlowLabel,

        ipSecAddressPrid,
        ipSecAddressAddressType,
        ipSecAddressAddrPrefixLength,
        ipSecAddressAddrMin,
        ipSecAddressAddrMax,
        ipSecAddressGroupId,

        ipSecL4PortPrid,
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    STATUS current
    DESCRIPTION
        "This group specifies IPsec selectors"
    ::= { ipSecPolicyPibConformanceGroups 3 }

ipSecIfCapsGroup OBJECT-GROUP
    OBJECTS {
        ipSecIfCapsPrid,
        ipSecIfCapsDirection,
        ipSecIfCapsMaxIpSecActions,
        ipSecIfCapsMaxIkeActions
    }
    STATUS current
    DESCRIPTION
        "This group specifies IPsec interface capabilities"
    ::= { ipSecPolicyPibConformanceGroups 4 }

ipSecIkeRuleGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeRulePrid,
        ipSecIkeRuleIfCapSetName,
        ipSecIkeRuleRoles,
        ipSecIkeRuleIkeActionSetId,
        ipSecIkeRuleActionExecutionStrategy,
        ipSecIkeRuleLimitNegotiation,
        ipSecIkeRuleAutoStart,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkeRuleTable."
    ::= { ipSecPolicyPibConformanceGroups 5 }

ipSecIkeActionSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeActionSetPrid,
        ipSecIkeActionSetActionSetId,
        ipSecIkeActionSetActionId,
        ipSecIkeActionSetOrder
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkeActionSetTable."
    ::= { ipSecPolicyPibConformanceGroups 6 }

ipSecIpsoFilterSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterSetPrid,
        ipSecIpsoFilterSetFilterSetId,
        ipSecIpsoFilterSetFilterId,
        ipSecIpsoFilterSetOrder,
        ipSecIpsoFilterSetIsNegated
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIpsoFilterSetTable."
    ::= { ipSecPolicyPibConformanceGroups 7 }

ipSecIpsoFilterGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterPrid,
        ipSecIpsoFilterMatchConditionType,
        ipSecIpsoFilterClassificationLevel,
        ipSecIpsoFilterProtectionAuthority
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIpsoFilterTable."
    ::= { ipSecPolicyPibConformanceGroups 8 }

ipSecRuleTimePeriodGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodPrid,
        ipSecRuleTimePeriodTimePeriod,
        ipSecRuleTimePeriodMonthOfYearMask,
        ipSecRuleTimePeriodDayOfMonthMask,
        ipSecRuleTimePeriodDayOfWeekMask,
        ipSecRuleTimePeriodTimeOfDayMask,
        ipSecRuleTimePeriodLocalOrUtcTime
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecRuleTimePeriodTable."
    ::= { ipSecPolicyPibConformanceGroups 9 }

ipSecRuleTimePeriodSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodSetPrid,
        ipSecRuleTimePeriodSetRuleTimePeriodSetId,
        ipSecRuleTimePeriodSetRuleTimePeriodId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecRuleTimePeriodSetTable."
    ::= { ipSecPolicyPibConformanceGroups 10 }

END

6. Security Considerations

This document defines an IPsec PIB for configuring IPsec policies on
IPsec enabled devices. As IPsec provides security services, it is
critical that IPsec configuration data be protected at least as
strongly as the desired IPsec policy.
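The conformance groups above are ordinary SMIv2/SPPI OBJECT-GROUP clauses, so an implementer can check them mechanically. The following Python is an added example, not part of this draft or of any PIB compiler: it parses OBJECT-GROUP clauses from module text, lists which groups carry objects that hold key material (the draft's Security Considerations single out the pre-shared key and the ESP/AH transform keys as data that MUST NOT be observed by third parties), and flags two groups that claim the same OID arc. SAMPLE_PIB is a constructed, shortened excerpt modelled on the groups above, and the "Key" name heuristic in KEY_MARKERS is an assumption of this example rather than a rule of the PIB.

```python
import re
from dataclasses import dataclass

# Constructed, shortened excerpt modelled on the OBJECT-GROUP clauses of
# this PIB (a few objects per group). Sample input only, not the module.
SAMPLE_PIB = """
ipSecIkeAssociationGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeAssociationPrid,
        ipSecIkeAssociationPresharedKey,
        ipSecIkeAssociationIkePeerEndpoint
    }
    STATUS current
    DESCRIPTION
        "This group specifies IPsec phase one rules (IKEv1)"
    ::= { ipSecPolicyPibConformanceGroups 2 }

ipSecIfCapsGroup OBJECT-GROUP
    OBJECTS {
        ipSecIfCapsPrid,
        ipSecIfCapsDirection,
        ipSecIfCapsMaxIpSecActions,
        ipSecIfCapsMaxIkeActions
    }
    STATUS current
    DESCRIPTION
        "This group specifies IPsec interface capabilities"
    ::= { ipSecPolicyPibConformanceGroups 4 }
"""


@dataclass
class ObjectGroup:
    """One OBJECT-GROUP clause: members, status, description and OID arc."""
    name: str
    objects: list
    status: str
    description: str
    parent: str
    arc: int


# Fixed shape of an SMIv2/SPPI OBJECT-GROUP macro invocation. Descriptions
# are assumed to contain no double quotes, which holds for this PIB.
GROUP_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT-GROUP\s+"
    r"OBJECTS\s*\{(?P<objs>[^}]*)\}\s+"
    r"STATUS\s+(?P<status>\w+)\s+"
    r'DESCRIPTION\s+"(?P<desc>[^"]*)"\s*'
    r"::=\s*\{\s*(?P<parent>[A-Za-z][\w-]*)\s+(?P<arc>\d+)\s*\}"
)


def parse_object_groups(text):
    """Return every OBJECT-GROUP found in `text`, in document order."""
    groups = []
    for m in GROUP_RE.finditer(text):
        members = [o.strip() for o in m.group("objs").split(",") if o.strip()]
        groups.append(ObjectGroup(
            name=m.group("name"), objects=members, status=m.group("status"),
            description=" ".join(m.group("desc").split()),
            parent=m.group("parent"), arc=int(m.group("arc")),
        ))
    return groups


# Hypothetical naming heuristic for this example (not a rule of the PIB):
# an object whose name carries one of these markers is treated as key
# material that a PEP must not expose to third parties.
KEY_MARKERS = ("Key",)


def key_bearing_objects(groups):
    """Map group name -> member objects that look like they hold keys."""
    found = {}
    for g in groups:
        hits = [o for o in g.objects if any(k in o for k in KEY_MARKERS)]
        if hits:
            found[g.name] = hits
    return found


def duplicate_arcs(groups):
    """(parent, arc) pairs used by more than one group: an OID collision."""
    seen, dupes = set(), []
    for g in groups:
        key = (g.parent, g.arc)
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    parsed = parse_object_groups(SAMPLE_PIB)
    for g in parsed:
        print(f"{g.name}: {len(g.objects)} objects under {g.parent} {g.arc}")
    print("key-bearing objects:", key_bearing_objects(parsed))
    print("duplicate arcs:", duplicate_arcs(parsed))
```

Run against the full module text, the key-bearing list is the set of PRCs whose PIB-ACCESS and transport protection deserve a second look, and an empty duplicate-arc list is a cheap precondition before feeding the module to a PIB compiler.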
The ipSecEspTransformTable and ipSecAhTransformTable contain
authentication and encryption keys for static IPsec security
associations. These two attributes are ignored for IPsec security
associations that are dynamically established. The
ipSecIkeAssociationTable contains an optional pre-shared key for IKE
authentication. Malicious access to the above PRCs can compromise
the keys. As a result, they MUST NOT be observed by third parties.

In addition, the PRCs in this PIB may contain information that is
sensitive from a business perspective, in that they may represent
a customer's service contract or the filters that the service
provider chooses to apply to a customer's traffic. All the tables
except the ipSecIfCapsTable have a PIB-ACCESS clause of install.
Malicious altering of these PRCs may affect the IPsec behavior
of the device being provisioned. Malicious access to the above PRCs
also exposes policy information concerning how the device is
provisioned.

The ipSecIfCapsTable has a PIB-ACCESS clause of notify. Malicious
access to this PRC exposes information concerning the device
being provisioned.

The authentication and integrity of configuration information is of
utmost importance to the security of a network. Administrators
SHOULD carefully consider the potential threat environment involving
PDP and PEP data exchange. At a minimum, PDPs and PEPs SHOULD
authenticate one another and SHOULD use a transport protocol that
supports data integrity and authentication. Administrators SHOULD
also carefully consider the importance of confidentiality of their
configuration information, because it may reveal private or
confidential information about customer access, business
relationships, keys, etc.
If these are concerns to the
organization, then confidentiality SHOULD be used to transport the
information. Administrators SHOULD use IPsec or TLS between PDP and
PEP as described in [5] and [15] to provide the necessary protections.

7. RFC Editor Considerations

Normative references [23] and [24] are Internet Drafts. Please use
their corresponding RFC numbers prior to publishing this document as
an RFC.

8. IANA Considerations

This document describes the ipSecPolicyPib Policy Information Base
(PIB) module for registration under the "pib" branch registered with
IANA. IANA has assigned a PIB number for it under the "pib"
branch.

IANA Considerations for SUBJECT-CATEGORIES follow the same
requirements as specified in [RFC2748] IANA Considerations for COPS
Client Types. The IPsec PIB defines a new COPS Client Type. The IANA
has assigned a COPS client type XXXXX (tbd) as described in
[RFC2748] IANA Considerations. IANA has updated the registry
(http://www.iana.org/assignments/cops-parameters) for COPS Client
Types as a result.

The authors suggest the use of "ipSec" as the name of the
ClientType.

9. Normative References

1.  S. Bradner, "The Internet Standards Process -- Revision 3", BCP 9,
    RFC 2026, October 1996.

2.  S. Bradner, "Key words for use in RFCs to Indicate Requirement
    Levels", BCP 14, RFC 2119, March 1997.

3.  S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
    November 1998.

4.  F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling
    Core Object Specification (iCalendar)", RFC 2445, November 1998.

5.  J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry,
    "The COPS (Common Open Policy Service) Protocol", RFC 2748,
    January 2000.

6.  K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
    Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
    Policy Provisioning", RFC 3084, March 2001.

7.  D. Piper, "The Internet IP Security Domain of Interpretation for
    ISAKMP", RFC 2407, November 1998.

8.  S. Kent, R. Atkinson, "IP Encapsulating Security Payload (ESP)",
    RFC 2406, November 1998.

9.  M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A. Smith,
    F. Reichmeyer, "Framework Policy Information Base", RFC 3318,
    March 2003.

10. D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)",
    RFC 2409, November 1998.

11. A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
    Compression Protocol (IPComp)", RFC 2393, August 1998.

12. J. Jason, L. Rafalow, E. Vyncke, "IPsec Configuration Policy
    Model", RFC 3585, August 2003.

13. A. Westerinen, et al., "Terminology for Policy-Based Management",
    RFC 3198, November 2001.

14. K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A. Smith,
    F. Reichmeyer, "Structure of Policy Provisioning Information",
    RFC 3159, August 2001.

15. K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose,
    S. Waldbusser, "Structure of Management Information Version 2
    (SMIv2)", STD 58, RFC 2578, April 1999.

16. K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose,
    S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579,
    April 1999.

17. F. Baker, K. Chan, A. Smith, "Management Information Base for the
    Differentiated Services Architecture", RFC 3289, May 2002.

18. M. Daniele, B. Haberman, S. Routhier, J. Schoenwaelder, "Textual
    Conventions for Internet Network Addresses", RFC 3291, May 2002.

19. D. Harrington, R. Presuhn, B. Wijnen, "An Architecture for
    Describing Simple Network Management Protocol (SNMP) Management
    Frameworks", RFC 3411, December 2002.

20. B. Wijnen, "Textual Conventions for IPv6 Flow Label", RFC 3595,
    September 2003.
21. S. Kent, "U.S. Department of Defense Security Options for the
    Internet Protocol", RFC 1108, November 1991.

22. B. Moore, E. Ellesson, J. Strassner, A. Westerinen, "Policy Core
    Information Model -- Version 1 Specification", RFC 3060,
    February 2001.

23. M. Baer, R. Charlet, W. Hardaker, R. Story, C. Wang, "IPsec
    Security Policy IPsec Action MIB",
    draft-ietf-ipsp-ipsecaction-mib-00.txt, January 2004.

24. M. Baer, R. Charlet, W. Hardaker, R. Story, C. Wang, "IPsec
    Security Policy IKE Action MIB",
    draft-ietf-ipsp-ikeaction-mib-00.txt, January 2004.

10. Informative References

25. J. Walker, A. Kulkarni, "COPS Over TLS",
    draft-ietf-rap-cops-tls-04.txt, June 2002.

11. Authors' Addresses

Man Li
Nokia
5 Wayside Road,
Burlington, MA 01803
Phone: +1 781 993 3923
Email: man.m.li@nokia.com

David Arneson
Email: dla@mediaone.net

Avri Doria
ETRI
161 Gajeong-dong, Yuseong-gu
Daejeon 305-350 Korea
Email: avri@acm.org

Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
Phone: +1 503 264 9531
Email: jamie.jason@intel.com

Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
Email: CWang@smartpipes.com

Markus Stenberg
SSH Communications Security Corp.
Fredrikinkatu 42
FIN-00100 Helsinki, Finland
Phone: +358 20 500 7466
Email: fingon@iki.fi

12. IPR Disclosure Acknowledgement

By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 2668.

13. Full Copyright Statement

Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any
way, such as by removing the copyright notice or references to the
Internet Society or other Internet organizations, except as needed
for the purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards
process must be followed, or as required to translate it into
languages other than English.

The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.