[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

Cisco Systems                                                   F. Baker
Internet-Draft                                             Cisco Systems
Expires: September 30, 2003                                   April 2003


                   Cisco Lawful Intercept Control MIB
                        draft-baker-slem-mib-00

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 except that the right to
   produce derivative works is not granted.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 30, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Ths document describes an SNMP V3 MIB for controlling the Lawful
   Intercept architecture described in the associated document.
   Any comments on this document should be sent to:
    li-comment@external.cisco.com











Baker                  Expires September 30, 2003               [Page 1]


Internet-Draft                   LI-MIB                       April 2003


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Theory of Operations . . . . . . . . . . . . . . . . . . . . .  4
   2.1 Mediation Device Sessions  . . . . . . . . . . . . . . . . . .  4
   2.2 Intercepted Data Streams . . . . . . . . . . . . . . . . . . .  5
   3.  The Management Information Base  . . . . . . . . . . . . . . .  7
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 33
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 34
       Normative References . . . . . . . . . . . . . . . . . . . . . 35
       Informative References . . . . . . . . . . . . . . . . . . . . 36
       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 36
       Intellectual Property and Copyright Statements . . . . . . . . 37






































Baker                  Expires September 30, 2003               [Page 2]


Internet-Draft                   LI-MIB                       April 2003


1. Introduction

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [5].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [1], STD 58, RFC 2579 [2],  and STD 58, RFC 2580 [3].






































Baker                  Expires September 30, 2003               [Page 3]


Internet-Draft                   LI-MIB                       April 2003


2. Theory of Operations

   The essential information described in the Lawful Intercept MIB is
   the relationship between the Mediation Device and the Intercept
   Access Point, and the data which is diverted into that connection.

2.1 Mediation Device Sessions

   The Mediation Device, or MD, is, simply, the device which serves as a
   formal interface between the parties imposing the intercept and the
   network in which the intercept occurs. It is operated by a trusted
   administration, by definition, and has the responsibilities of

   o  Configuring Intercept Access Points (IAP, usually routers and
      switches) to intercept data to it,

   o  Accepting that data,

   o  Selecting a subset of the data to report to the appropriate
      authority, and

   o  Delivering the data to the authority.

   Each such session represents a separate and identifiable data stream,
   such as the traffic to and from a particular subscriber. If there are
   multiple intercepts in place for multiple agencies but requesting the
   same data, it  is preferable that the Mediation Device program the
   Intercept Access Point to intercept the data once, and have the
   Mediation Device deliver separate copied to the various agencies.
   However, it is imaginable that the data streams would be sufficiently
   different that it is simpler to understand them as separate intercept
   orders.

   A note on transports is in order. There are a number of ways to
   convey information from an intercepting device to the Mediation
   Device. One could simply dump Ethernet traffic onto a dedicated
   Ethernet port, encapsulate in UDP, encapsulate in UDP per the
   PacketCable specification, encapsulate in TCP or some other "normal"
   transport, or something else. One that Cisco has looked at closely is
   the use of the Nack-Oriented Retransmission feature of RTP, being
   discussed in the IETF. When standardized, this has the relatively
   nice attributes of being able to reliably deliver an intercepted data
   stream to a Mediation Device without many of the overheads or
   start-up issues of a TCP session.

   The key attributes of a session between a Mediation Device and an
   Intercept Access Point are:




Baker                  Expires September 30, 2003               [Page 4]


Internet-Draft                   LI-MIB                       April 2003


   Content ID: An identifier for the MD<->IAP Session.

   Destination Address Type: The type of address for the MD (IPv4 or
      IPv6).

   Destination Address: The address of the MD.

   Destination Port: The UDP port number to which data is sent.

   Source Interface: The interface (hardware and address)  the IAP will
      use to transmit the data.

   RTCP Port: If RTP NOR is used (future), the port number used for RTCP
      messages

   DSCP: The DSCP that intercept data will carry.

   Data Stream Type: If RTP NOR is used (future), the data type for
      data.

   Retransmission Stream Type: If RTP NOR is used (future), the data
      type for retransmissions.

   Time-out: The interval after which a session is dropped if
      communication to the MD is lost.

   Transport: The transport protocol used for intercepted data.

   Notification Enable: Whether notifications are in use for this
      session.

   Status: Controls to activate and de-activate sessions with the
      Mediation Device.


2.2 Intercepted Data Streams

   The data stream intercepted to the MD on a particular IAP must be
   specified. Depending on the relevant law and warrant, it may be
   necessary to intercept all data on a specified interface, all IP or
   Ethernet data to or from a specified address, or something as
   specific as a single voice out of a teleconference. The tables which
   describe this data are referred to as "stream tables".  In this MIB,
   we show a stream table for IP traffic and a stream table for Ethernet
   traffic; other stream tables are possible as well. The key elements
   of every stream table are:





Baker                  Expires September 30, 2003               [Page 5]


Internet-Draft                   LI-MIB                       April 2003


   Content ID: The Content ID of the Session with the MD that this data
      stream is associated with.

   Index: An enumeration of the data stream itself (there might be
      several).

   N-Tuple: Parameters that permit selection of the data stream
      according to the relevant architecture.

   Intercept Enable: It may be appropriate to enable and disable
      interception of a given data stream.

   Intercepted packet counter: Counts packets intercepted in this data
      stream.

   Intercepted Packet Drops: Counts packets that matched the criterion
      but could not be intercepted.

   Status: Controls to activate and de-activate streams.
































Baker                  Expires September 30, 2003               [Page 6]


Internet-Draft                   LI-MIB                       April 2003


3. The Management Information Base


   -- *****************************************************************
   -- CISCO-TAP-MIB.my:  Cisco intercept ("tap") MIB
   --
   -- December 2001, Fred Baker
   -- July 2002, Edward Pham
   --
   -- Copyright (c) 2001-2002 by Cisco Systems, Inc.
   -- All rights reserved.
   --
   -- *****************************************************************
   -- $Log:
   --
   -- *****************************************************************
   -- $Endlog$
   --

   CISCO-TAP-MIB DEFINITIONS ::= BEGIN

   IMPORTS
           MODULE-IDENTITY,
           OBJECT-TYPE,
           NOTIFICATION-TYPE,
           Integer32,
           Unsigned32
                   FROM SNMPv2-SMI
           MODULE-COMPLIANCE,
           OBJECT-GROUP,
           NOTIFICATION-GROUP
                   FROM SNMPv2-CONF
           InetAddressType,
           InetAddress,
           InetAddressPrefixLength,
           InetPortNumber
                   FROM INET-ADDRESS-MIB
           RowStatus,
           TruthValue,
           DateAndTime,
           MacAddress
                   FROM SNMPv2-TC
           SnmpAdminString
                   FROM SNMP-FRAMEWORK-MIB
           InterfaceIndexOrZero
                   FROM IF-MIB
           Dscp
                   FROM CISCO-QOS-PIB-MIB



Baker                  Expires September 30, 2003               [Page 7]


Internet-Draft                   LI-MIB                       April 2003


           ciscoMgmt
                   FROM CISCO-SMI;

   cTapMIB MODULE-IDENTITY
           LAST-UPDATED  "200207250000Z"
           ORGANIZATION  "Cisco Systems, Inc."
           CONTACT-INFO
                   "      Cisco Systems
                          Customer Service

                   Postal:170 W. Tasman Drive
                          San Jose, CA  95134
                          USA

                      Tel:+1 800 553-NETS

                   E-mail:li-comment@cisco.com"
           DESCRIPTION
                   "This module manages Cisco's intercept feature."
           REVISION        "200207250000Z"
           DESCRIPTION
                   "Initial version of this MIB module."
           ::= { ciscoMgmt 252 }

   cTapMIBNotifications OBJECT IDENTIFIER ::= { cTapMIB 0 }
   cTapMIBObjects       OBJECT IDENTIFIER ::= { cTapMIB 1 }
   cTapMIBConformance   OBJECT IDENTIFIER ::= { cTapMIB 2 }

   cTapMediationGroup   OBJECT IDENTIFIER ::= { cTapMIBObjects 1 }
   cTapStreamGroup      OBJECT IDENTIFIER ::= { cTapMIBObjects 2 }
   cTapDebugGroup       OBJECT IDENTIFIER ::= { cTapMIBObjects 3 }

   -- cTapMediationNewIndex is defined to allow a network manager
   -- to create a new Mediation Table entry and its corresponding
   -- Stream Table entries without necessarily knowing what other
   -- entries might exist.

   cTapMediationNewIndex OBJECT-TYPE
        SYNTAX     Integer32 (1..2147483647)
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
           "This object contains a value which may be used as an index
           value for a new cTapMediationEntry. Whenever read, the agent
           will change the value to a new non-conflicting value.  This is
           to reduce the probability of errors during creation of new
           cTapMediationTable entries."
        ::= { cTapMediationGroup 1 }



Baker                  Expires September 30, 2003               [Page 8]


Internet-Draft                   LI-MIB                       April 2003


   -- The Tap Mediation Table lists the applications, by address and
   -- port number, to which traffic may be intercepted. These may be
   -- on the same or different Mediation Devices.

   cTapMediationTable OBJECT-TYPE
        SYNTAX     SEQUENCE OF CTapMediationEntry
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
           "This table lists the Mediation Devices with which the
           intercepting device communicates. These may be on the same or
           different Mediation Devices.

           This table is written by the Mediation Device, and is always
           volatile. This is because intercepts may disappear during a
           restart of the intercepting equipment."
        ::= { cTapMediationGroup 2 }

   cTapMediationEntry OBJECT-TYPE
        SYNTAX     CTapMediationEntry
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
           "The entry describes a single session maintained with an
           application on a Mediation Device."
        INDEX      { cTapMediationContentId }
        ::= { cTapMediationTable 1 }

   CTapMediationEntry ::= SEQUENCE {
           cTapMediationContentId          Integer32,
           cTapMediationDestAddressType    InetAddressType,
           cTapMediationDestAddress        InetAddress,
           cTapMediationDestPort           InetPortNumber,
           cTapMediationSrcInterface       InterfaceIndexOrZero,
           cTapMediationRtcpPort           InetPortNumber,
           cTapMediationDscp               Dscp,
           cTapMediationDataType           Integer32,
           cTapMediationRetransmitType     Integer32,
           cTapMediationTimeout            DateAndTime,
           cTapMediationTransport          INTEGER,
           cTapMediationNotificationEnable TruthValue,
           cTapMediationStatus             RowStatus
   }

   cTapMediationContentId OBJECT-TYPE
        SYNTAX     Integer32 (1..2147483647)
        MAX-ACCESS not-accessible
        STATUS     current



Baker                  Expires September 30, 2003               [Page 9]


Internet-Draft                   LI-MIB                       April 2003


        DESCRIPTION
           "cTapMediationContentId is a session identifier, from the
           intercept application's perspective, and a content identifier
           from the Mediation Device's perspective. The Mediation Device
           is responsible for making sure these are unique, although the
           SNMP RowStatus row creation process will help by not allowing
           it to create conflicting entries. Before creating a new entry,
           a value for this variable may be obtained by reading
           cTapMediationNewIndex to reduce the probability of a value
           collision."
        ::= { cTapMediationEntry 1 }

   cTapMediationDestAddressType OBJECT-TYPE
        SYNTAX     InetAddressType
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The type of cTapMediationDestAddress."
        ::= { cTapMediationEntry 2 }

   cTapMediationDestAddress OBJECT-TYPE
        SYNTAX     InetAddress
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The IP Address of the Mediation Device's network interface
           to which to direct intercepted traffic."
        ::= { cTapMediationEntry 3 }

   cTapMediationDestPort OBJECT-TYPE
        SYNTAX     InetPortNumber
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The port number on the Mediation Device's network interface
           to which to direct intercepted traffic."
        ::= { cTapMediationEntry 4 }

   cTapMediationSrcInterface OBJECT-TYPE
        SYNTAX     InterfaceIndexOrZero
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The interface on the intercepting device from which to
           transmit intercepted data. If zero, any interface may be used
           according to normal IP practice."
        ::= { cTapMediationEntry 5 }




Baker                  Expires September 30, 2003              [Page 10]


Internet-Draft                   LI-MIB                       April 2003


   cTapMediationRtcpPort OBJECT-TYPE
        SYNTAX     InetPortNumber
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
           "The port number on the intercepting device to which the
           Mediation Devices directs RTCP Receiver Reports and Nacks.
           This object is only relevant when the value of
           cTapMediationTransport is 'rtpNack'.

           This port is assigned by the intercepting device, rather than
           by the Mediation Device or manager application.  The value of
           this MIB object has no effect before activating the
           cTapMediationEntry."
       ::= { cTapMediationEntry 6 }

   cTapMediationDscp OBJECT-TYPE
        SYNTAX     Dscp
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The Differentiated Services Code Point the intercepting
           device applies to the IP packets encapsulating the
           intercepted traffic."
        DEFVAL { 34 }        -- by default, AF41, code 100010
        ::= { cTapMediationEntry 7 }

   cTapMediationDataType OBJECT-TYPE
        SYNTAX     Integer32 (0..127)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "If RTP with Ack/Nack resilience is selected as a transport,
           the mediation process requires an RTP payload type for data
           transmissions, and a second RTP payload type for
           retransmissions.  This is the RTP payload type for
           transmissions.

           This object is only effective when the value of
           cTapMediationTransport is 'rtpNack'."
        DEFVAL { 0 }
        ::= { cTapMediationEntry 8 }

   cTapMediationRetransmitType OBJECT-TYPE
        SYNTAX     Integer32 (0..127)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION



Baker                  Expires September 30, 2003              [Page 11]


Internet-Draft                   LI-MIB                       April 2003


           "If RTP with Ack/Nack resilience is selected as a transport,
           the mediation process requires an RTP payload type for data
           transmissions, and a second RTP payload type for
           retransmissions.  This is the RTP payload type for
           retransmissions.

           This object is only effective when the value of
           cTapMediationTransport is 'rtpNack'."
        DEFVAL { 0 }
        ::= { cTapMediationEntry 9 }

   cTapMediationTimeout OBJECT-TYPE
        SYNTAX     DateAndTime
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The time at which this row and all related Stream Table rows
           should be automatically removed, and the intercept function
           cease. Since the initiating network manager may be the only
           device able to manage a specific intercept or know of its
           existence, this acts as a fail-safe for the failure or removal
           of the network manager. The object is only effective when the
           value of cTapMediationStatus is 'active'."
        ::= { cTapMediationEntry 10 }

   cTapMediationTransport OBJECT-TYPE
        SYNTAX     INTEGER {
                              udp(1),
                              rtpNack(2),
                              tcp(3),
                              sctp(4)
                   }
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The protocol used in transferring intercepted data to the
           Mediation Device. The following protocols may be supported:
                      udp:     PacketCable udp format
                      rtpNack: RTP with Nack resilience
                      tcp:     TCP with head of line blocking
                      sctp:    SCTP with head of line blocking "
        ::= { cTapMediationEntry 11 }

   cTapMediationNotificationEnable OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION



Baker                  Expires September 30, 2003              [Page 12]


Internet-Draft                   LI-MIB                       April 2003


           "This variable controls the generation of any notifications or
           informs by the MIB agent for this table entry."
        DEFVAL { true }
        ::= { cTapMediationEntry 12 }

   cTapMediationStatus OBJECT-TYPE
        SYNTAX     RowStatus
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
          "The status of this conceptual row. This object is used to
           manage creation, modification and deletion of rows in this
           table.

           cTapMediationTimeout may be modified at any time (even while the
           row is active). But when the row is active, the other writable
           objects may not be modified without setting its value to
           'notInService'.

           The entry may not be deleted or deactivated by setting its
           value to 'destroy' or 'notInService' if there is any associated
           entry in cTapStreamIpTable, or other such tables when such are
           defined."
        ::= { cTapMediationEntry 13 }

   --
   -- cTapMediationCapabilities
   --

   cTapMediationCapabilities  OBJECT-TYPE
        SYNTAX     BITS {
                            ipV4SrcInterface(0),
                            ipV6SrcInterface(1),
                            udp(2),
                            rtpNack(3),
                            tcp(4),
                            sctp(5)
                        }
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "This object displays the device capabilities with respect to
            certain fields in Mediation Device table. This may be dependent
            on hardware capabilities, software capabilities.
            The following values may be supported:
                ipV4SrcInterface:  SNMP ifIndex Value may be used to select
                                   the interface (denoted by
                                   cTapMediationSrcInterface) on the



Baker                  Expires September 30, 2003              [Page 13]


Internet-Draft                   LI-MIB                       April 2003


                                   intercepting device from which to
                                   transmit intercepted data to an IPv4
                                   address Mediation Device.

                ipV6SrcInterface:  SNMP ifIndex Value may be used to select
                                   the interface (denoted by
                                   cTapMediationSrcInterface) on the
                                   intercepting device from which to
                                   transmit intercepted data to an IPv6
                                   address Mediation Device.

                udp:               UDP may be used as transport protocol
                                   (denoted by cTapMediationTransport) in
                                   transferring intercepted data to the
                                   Mediation Device.

                rtcpNack:          RTP with Nack resilience may be used
                                   as transport protocol (denoted by
                                   cTapMediationTransport) in transferring
                                   intercepted data to the Mediation
                                   Device.

                tcp:               TCP may be used as transport protocol
                                   (denoted by cTapMediationTransport) in
                                   transferring intercepted data to the
                                   Mediation Device.

                sctp:              SCTP may be used as transport protocol
                                   (denoted by cTapMediationTransport) in
                                   transferring intercepted data to the
                                   Mediation Device."
        ::= { cTapMediationGroup 3 }
   --
   -- the stream tables
   --
   -- In the initial version of the MIB, only IPv4 and IPv6 intercept is
   -- defined. It is expected that in the future other types of intercepts
   -- may be required; these will be defined in tables like the
   -- cTapStreamIpTable with appropriate attributes. Such tables, when
   -- defined, will be used by the Mediation Entry in exactly the same way
   -- that the cTapStreamIpTable is used.
   --
   -- Such Tables all belong in cTapStreamGroup.
   --

   cTapStreamCapabilities  OBJECT-TYPE
        SYNTAX     BITS {
                            tapEnable(0),



Baker                  Expires September 30, 2003              [Page 14]


Internet-Draft                   LI-MIB                       April 2003


                            interface(1),
                            ipV4(2),
                            ipV6(3),
                            l4Port(4),
                            dscp(5),
                            dstMacAddr(6),
                            srcMacAddr(7),
                            ethernetPid(8),
                            dstLlcSap(9),
                            srcLlcSap(10)
                        }
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "This object displays what types of intercept streams can be
            configured on this type of device. This may be dependent on
            hardware capabilities, software capabilities. The following
            fields may be supported:
                interface:   SNMP ifIndex Value may be used to select
                             interception of all data crossing an
                             interface or set of interfaces.
                tapEnable:   set if table entries with
                             cTapStreamIpInterceptEnable set to 'false'
                             are used to pre-screen packets for intercept;
                             otherwise these entries are ignored.
                ipV4:        IPv4 Address or prefix may be used to select
                             traffic to be intercepted.
                ipV6:        IPv6 Address or prefix may be used to select
                             traffic to be intercepted.
                l4Port:      TCP/UDP Ports may be used to select traffic
                             to be intercepted.
                dscp:        DSCP may be used to select traffic to be
                             intercepted.
                dstMacAddr:  Destination MAC Address may be used to select
                             traffic to be intercepted.
                srcMacAddr:  Source MAC Address may be used to select
                             traffic to be intercepted.
                ethernetPid: Ethernet Protocol Identifier may be used to
                             select traffic to be intercepted.
                dstLlcSap:   IEEE 802.2 Destination SAP may be used to
                             select traffic to be intercepted.
                srcLlcSap:   IEEE 802.2 Source SAP may be used to select
                             traffic to be intercepted."
        ::= { cTapStreamGroup 1 }
   --
   -- The 'access list' for intercepting data at the IP network
   -- layer
   --



Baker                  Expires September 30, 2003              [Page 15]


Internet-Draft                   LI-MIB                       April 2003


   cTapStreamIpTable OBJECT-TYPE
        SYNTAX       SEQUENCE OF CTapStreamIpEntry
        MAX-ACCESS not-accessible
        STATUS       current
        DESCRIPTION
           "The Intercept Stream IP Table lists the IPv4 and IPv6 streams
           to be intercepted.  The same data stream may be required by
           multiple taps, and one might assume that often the intercepted
           stream is a small subset of the traffic that could be
           intercepted.

           This essentially provides options for packet selection, only
           some of which might be used. For example, if all traffic to or
           from a given interface is to be intercepted, one would
           configure an entry which lists the interface, and wild-card
           everything else.  If all traffic to or from a given IP Address
           is to be intercepted, one would configure two such entries
           listing the IP Address as source and destination respectively,
           and wild-card everything else.  If a particular voice on a
           teleconference is to be intercepted, on the other hand, one
           would extract the multicast (destination) IP address, the
           source IP Address, the protocol (UDP), and the source and
           destination ports from the call control exchange and list all
           necessary information.

           The first index indicates which Mediation Device the
           intercepted traffic will be diverted to. The second index
           permits multiple classifiers to be used together, such as
           having an IP address as source or destination. "
        ::= { cTapStreamGroup 2 }

   cTapStreamIpEntry OBJECT-TYPE
        SYNTAX     CTapStreamIpEntry
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
           "A stream entry indicates a single data stream to be
           intercepted to a Mediation Device. Many selected data
           streams may go to the same application interface, and many
           application interfaces are supported."
        INDEX { cTapMediationContentId, cTapStreamIpIndex }
        ::= { cTapStreamIpTable 1 }

   CTapStreamIpEntry ::= SEQUENCE {
           cTapStreamIpIndex                 Integer32,
           cTapStreamIpInterface             Integer32,
           cTapStreamIpAddrType              InetAddressType,
           cTapStreamIpDestinationAddress    InetAddress,



Baker                  Expires September 30, 2003              [Page 16]


Internet-Draft                   LI-MIB                       April 2003


           cTapStreamIpDestinationLength     InetAddressPrefixLength,
           cTapStreamIpSourceAddress         InetAddress,
           cTapStreamIpSourceLength          InetAddressPrefixLength,
           cTapStreamIpTosByte               Integer32,
           cTapStreamIpTosByteMask           Integer32,
           cTapStreamIpFlowId                Integer32,
           cTapStreamIpProtocol              Integer32,
           cTapStreamIpDestL4PortMin         InetPortNumber,
           cTapStreamIpDestL4PortMax         InetPortNumber,
           cTapStreamIpSourceL4PortMin       InetPortNumber,
           cTapStreamIpSourceL4PortMax       InetPortNumber,
           cTapStreamIpInterceptEnable       TruthValue,
           cTapStreamIpInterceptedPackets    Counter32,
           cTapStreamIpInterceptDrops        Counter32,
           cTapStreamIpStatus                RowStatus
   }

   cTapStreamIpIndex OBJECT-TYPE
        SYNTAX     Integer32 (1..2147483647)
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
           "The index of the stream itself."
        ::= { cTapStreamIpEntry 1 }

   cTapStreamIpInterface OBJECT-TYPE
        SYNTAX     Integer32 (-1 | 0 | 1..2147483647)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The ifIndex value of the interface over which traffic to be
           intercepted is received or transmitted. The interface may be
           physical or virtual. If this is the only parameter specified,
           and it is other than -1 or 0, all traffic on the selected
           interface will be chosen.

           If the value is zero, matching traffic may be received or
           transmitted on any interface.  Additional selection parameters
           must be selected to limit the scope of traffic intercepted.
           This is most useful on non-routing platforms or on intercepts
           placed elsewhere than a subscriber interface.

           If the value is -1, one or both of
           cTapStreamIpDestinationAddress and cTapStreamIpSourceAddress
           must be specified with prefix length greater than zero.
           Matching traffic on the interface pointed to by ipRouteIfIndex
           or ipCidrRouteIfIndex values associated with those values is
           intercepted, whichever is specified to be more focused than a



Baker                  Expires September 30, 2003              [Page 17]


Internet-Draft                   LI-MIB                       April 2003


           default route.  If routing changes, either by operator action
           or by routing protocol events, the interface will change with
           it. This is primarily intended for use on subscriber interfaces
           and other places where routing is guaranteed to be
           symmetrical.

           In both of these cases, it is possible to have the same packet
           selected for intersection on both its ingress and egress
           interface.  Nonetheless, only one instance of the packet is
           sent to the Mediation Device.

           This value must be set when creating a stream entry, either to
           select an interface, to select all interfaces, or to select the
           interface that routing chooses. Some platforms may not
           implement the entire range of options."
        REFERENCE  "RFC 1213, RFC 2096"
        ::= { cTapStreamIpEntry 2 }

   cTapStreamIpAddrType OBJECT-TYPE
        SYNTAX     InetAddressType
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The type of address, used in packet selection."
        DEFVAL     { ipv4 }
        ::= { cTapStreamIpEntry 3 }

   cTapStreamIpDestinationAddress OBJECT-TYPE
        SYNTAX     InetAddress
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The Destination address or prefix used in packet selection.
           This address will be of the type specified in
           cTapStreamIpAddrType."
        DEFVAL       { '00000000'H } -- 0.0.0.0
        ::= { cTapStreamIpEntry 4 }

   cTapStreamIpDestinationLength OBJECT-TYPE
        SYNTAX     InetAddressPrefixLength
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The length of the Destination Prefix. A value of zero causes
           all addresses to match.  This prefix length will be consistent
           with the type specified in cTapStreamIpAddrType."
        DEFVAL { 0 } -- by default, any destination address
        ::= { cTapStreamIpEntry 5 }



Baker                  Expires September 30, 2003              [Page 18]


Internet-Draft                   LI-MIB                       April 2003


   cTapStreamIpSourceAddress OBJECT-TYPE
        SYNTAX     InetAddress
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The Source Address used in packet selection. This address will
           be of the type specified in cTapStreamIpAddrType."
        DEFVAL       { '00000000'H } -- 0.0.0.0
        ::= { cTapStreamIpEntry 6 }

   cTapStreamIpSourceLength OBJECT-TYPE
        SYNTAX     InetAddressPrefixLength
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The length of the Source Prefix. A value of zero causes all
           addresses to match. This prefix length will be consistent with
           the type specified in cTapStreamIpAddrType."
        DEFVAL { 0 } -- by default, any source address
        ::= { cTapStreamIpEntry 7 }

   cTapStreamIpTosByte OBJECT-TYPE
        SYNTAX     Integer32 (0..255)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The value of the TOS byte, when masked with
           cTapStreamIpTosByteMask, of traffic to be intercepted.
           If cTapStreamIpTosByte & (~cTapStreamIpTosByteMask) != 0,
           configuration is rejected."
        DEFVAL { 0 }
        ::= { cTapStreamIpEntry 8 }

   cTapStreamIpTosByteMask OBJECT-TYPE
        SYNTAX     Integer32 (0..255)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The value of the TOS byte in an IPv4 or IPv6 header is ANDed
           with cTapStreamIpTosByteMask and compared with
           cTapStreamIpTosByte.

           If the values are equal, the comparison is equal. If the mask
           is zero and the TosByte value is zero, the result is to always
           accept."
        DEFVAL { 0 } -- by default, any DSCP or other TOS byte value
        ::= { cTapStreamIpEntry 9 }




Baker                  Expires September 30, 2003              [Page 19]


Internet-Draft                   LI-MIB                       April 2003


   cTapStreamIpFlowId OBJECT-TYPE
        SYNTAX     Integer32 (-1 | 0..1048575)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The flow identifier in an IPv6 header. -1 indicates that the
           Flow Id is unused."
        DEFVAL { -1 } -- by default, any flow identifier value
        ::= { cTapStreamIpEntry 10 }

   cTapStreamIpProtocol OBJECT-TYPE
        SYNTAX     Integer32 (-1 | 0..255)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The IP protocol to match against the IPv4 protocol number or
           the IPv6 Next- Header number in the packet. -1 means 'any IP
           protocol'."
        DEFVAL { -1 } -- by default, any IP protocol
        ::= { cTapStreamIpEntry 11 }

   cTapStreamIpDestL4PortMin OBJECT-TYPE
        SYNTAX     InetPortNumber
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The minimum value that the layer-4 destination port number in
           the packet must have in order to match.  This value must be
           equal to or less than the value specified for this entry in
           cTapStreamIpDestL4PortMax.

           If both cTapStreamIpDestL4PortMin and cTapStreamIpDestL4PortMax
           are at their default values, the port number is effectively
           unused."
        DEFVAL { 0 } -- by default, any transport layer port number
        ::= { cTapStreamIpEntry 12 }

   cTapStreamIpDestL4PortMax OBJECT-TYPE
        SYNTAX     InetPortNumber
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The maximum value that the layer-4 destination port number in
           the packet must have in order to match this classifier entry.
           This value must be equal to or greater than the value specified
           for this entry in cTapStreamIpDestL4PortMin.

           If both cTapStreamIpDestL4PortMin and cTapStreamIpDestL4PortMax



Baker                  Expires September 30, 2003              [Page 20]


Internet-Draft                   LI-MIB                       April 2003


           are at their default values, the port number is effectively
           unused."
        DEFVAL { 65535 } -- by default, any transport layer port number
        ::= { cTapStreamIpEntry 13 }

   cTapStreamIpSourceL4PortMin OBJECT-TYPE
        SYNTAX     InetPortNumber
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The minimum value that the layer-4 destination port number in
           the packet must have in order to match.  This value must be
           equal to or less than the value specified for this entry in
           cTapStreamIpSourceL4PortMax.

           If both cTapStreamIpSourceL4PortMin and
           cTapStreamIpSourceL4PortMax are at their default values, the
           port number is effectively unused."
        DEFVAL { 0 } -- by default, any transport layer port number
        ::= { cTapStreamIpEntry 14 }

   cTapStreamIpSourceL4PortMax OBJECT-TYPE
        SYNTAX     InetPortNumber
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The maximum value that the layer-4 destination port number in
           the packet must have in order to match this classifier entry.
           This value must be equal to or greater than the value specified
           for this entry in cTapStreamIpSourceL4PortMin.

           If both cTapStreamIpSourceL4PortMin and
           cTapStreamIpSourceL4PortMax are at their default values, the
           port number is effectively unused."
        DEFVAL { 65535 } -- by default, any transport layer port number
        ::= { cTapStreamIpEntry 15 }

   cTapStreamIpInterceptEnable OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
            "If 'true', the tap should intercept matching traffic.
            If 'false', this entry is used to pre-screen packets for
            intercept."
        DEFVAL { true }
        ::= { cTapStreamIpEntry 16 }




Baker                  Expires September 30, 2003              [Page 21]


Internet-Draft                   LI-MIB                       April 2003


   cTapStreamIpInterceptedPackets OBJECT-TYPE
        SYNTAX     Counter32
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
           "The number of packets matching this data stream specification
           that have been intercepted."
        ::= { cTapStreamIpEntry 17 }

   cTapStreamIpInterceptDrops OBJECT-TYPE
        SYNTAX     Counter32
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
           "The number of packets matching this data stream specification
           that, having been intercepted, were dropped in the lawful
           intercept process."
        ::= { cTapStreamIpEntry 18 }

   cTapStreamIpStatus OBJECT-TYPE
        SYNTAX     RowStatus
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The status of this conceptual row. This object manages
           creation, modification, and deletion of rows in this table.
           cTapStreamIpInterceptEnable may be modified any time even the
           value of this entry rowStatus object is 'active'.  When other
           rows must be changed, cTapStreamIpStatus must be first set to
           'notInService'."
        ::= { cTapStreamIpEntry 19 }

   --
   -- The "access list" for intercepting data at the IEEE 802
   -- link layer
   --

   cTapStream802Table OBJECT-TYPE
        SYNTAX       SEQUENCE OF CTapStream802Entry
        MAX-ACCESS not-accessible
        STATUS       current
        DESCRIPTION
           "The Intercept Stream 802 Table lists the IEEE 802 data streams
           to be intercepted.  The same data stream may be required by
           multiple taps, and one might assume that often the intercepted
           stream is a small subset of the traffic that could be
           intercepted.




Baker                  Expires September 30, 2003              [Page 22]


Internet-Draft                   LI-MIB                       April 2003


           This essentially provides options for packet selection, only
           some of which might be used. For example, if all traffic to or
           from a given interface is to be intercepted, one would
           configure an entry which lists the interface, and wild-card
           everything else.  If all traffic to or from a given MAC Address
           is to be intercepted, one would configure two such entries
           listing the MAC Address as source and destination respectively,
           and wild-card everything else.

           The first index indicates which Mediation Device the
           intercepted traffic will be diverted to. The second index
           permits multiple classifiers to be used together, such as
           having a MAC address as source or destination. "
        ::= { cTapStreamGroup 3 }

   cTapStream802Entry OBJECT-TYPE
        SYNTAX     CTapStream802Entry
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
           "A stream entry indicates a single data stream to be
           intercepted to a Mediation Device. Many selected data
           streams may go to the same application interface, and many
           application interfaces are supported."
        INDEX { cTapMediationContentId, cTapStream802Index }
        ::= { cTapStream802Table 1 }

   CTapStream802Entry ::= SEQUENCE {
           cTapStream802Index                 Integer32,
           cTapStream802Fields                BITS,
           cTapStream802Interface             Integer32,
           cTapStream802DestinationAddress    MacAddress,
           cTapStream802SourceAddress         MacAddress,
           cTapStream802EthernetPid           Integer32,
           cTapStream802SourceLlcSap          Integer32,
           cTapStream802DestinationLlcSap     Integer32,
           cTapStream802InterceptEnable       TruthValue,
           cTapStream802InterceptedPackets    Counter32,
           cTapStream802InterceptDrops        Counter32,
           cTapStream802Status                RowStatus
   }

   cTapStream802Index OBJECT-TYPE
        SYNTAX     Integer32 (1..2147483647)
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
           "The index of the stream itself."



Baker                  Expires September 30, 2003              [Page 23]


Internet-Draft                   LI-MIB                       April 2003


        ::= { cTapStream802Entry 1 }

   cTapStream802Fields  OBJECT-TYPE
        SYNTAX     BITS {
                            interface(0),
                            dstMacAddress(1),
                            srcMacAddress(2),
                            ethernetPid(3),
                            dstLlcSap(4),
                            srcLlcSap(5)
                        }
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
            "This object displays what attributes must be tested to
            identify traffic which requires interception. The packet
            matches if all flagged fields match.

                 interface:     indicates that traffic on the stated
                                interface is to be intercepted
                 dstMacAddress: indicates that traffic destined to a
                                given address should be intercepted
                 srcMacAddress: indicates that traffic sourced from a
                                given address should be intercepted
                 ethernetPid:   indicates that traffic with a stated
                                Ethernet Protocol Identifier should be
                                intercepted
                 dstLlcSap:     indicates that traffic with an certain
                                802.2 LLC Destination SAP should be
                                intercepted
                 srcLlcSap:     indicates that traffic with an certain
                                802.2 LLC Source SAP should be
                                intercepted

            At least one of the bits has to be set in order to activate an
            entry.  If the bit is not on, the corresponding MIB object
            value has no effect, and need not be specified when creating
            the entry."
        ::= { cTapStream802Entry 2 }

   cTapStream802Interface OBJECT-TYPE
        SYNTAX     Integer32 (-1 | 0 | 1..2147483647)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The ifIndex value of the interface over which traffic to be
           intercepted is received or transmitted. The interface may be
           physical or virtual. If this is the only parameter specified,



Baker                  Expires September 30, 2003              [Page 24]


Internet-Draft                   LI-MIB                       April 2003


           and it is other than -1 or 0, all traffic on the selected
           interface will be chosen.

           If the value is zero, matching traffic may be received or
           transmitted on any interface.  Additional selection parameters
           must be selected to limit the scope of traffic intercepted.
           This is most useful on non-routing platforms or on intercepts
           placed elsewhere than a subscriber interface.

           If the value is -1, one or both of
           cTapStream802DestinationAddress and cTapStream802SourceAddress
           must be specified.  Matching traffic on the interface pointed
           to by the dot1dTpFdbPort values associated with those values is
           intercepted, whichever is specified.  If dot1dTpFdbPort
           changes, either by operator action or by protocol events, the
           interface will change with it. This is primarily intended for
           use on subscriber interfaces and other places where routing is
           guaranteed to be symmetrical.

           In both of these cases, it is possible to have the same packet
           selected for intersection on both its ingress and egress
           interface.  Nonetheless, only one instance of the packet is
           sent to the Mediation Device.

           This value must be set when creating a stream entry, either to
           select an interface, to select all interfaces, or to select the
           interface that bridging learns. Some platforms may not
           implement the entire range of options."
        REFERENCE "RFC 1493"
        ::= { cTapStream802Entry 3 }

   cTapStream802DestinationAddress OBJECT-TYPE
        SYNTAX     MacAddress
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The Destination address used in packet selection."
        ::= { cTapStream802Entry 4 }

   cTapStream802SourceAddress OBJECT-TYPE
        SYNTAX     MacAddress
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The Source Address used in packet selection."
        ::= { cTapStream802Entry 5 }

   cTapStream802EthernetPid OBJECT-TYPE



Baker                  Expires September 30, 2003              [Page 25]


Internet-Draft                   LI-MIB                       April 2003


        SYNTAX     Integer32 (0..65535)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The value of the Ethernet Protocol Identifier, which may be
           found on Ethernet traffic or IEEE 802.2 SNAP traffic."
        ::= { cTapStream802Entry 6 }

   cTapStream802DestinationLlcSap OBJECT-TYPE
        SYNTAX     Integer32 (0..65535)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The value of the IEEE 802.2 Destination SAP."
        ::= { cTapStream802Entry 7 }

   cTapStream802SourceLlcSap OBJECT-TYPE
        SYNTAX     Integer32 (0..65535)
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The value of the IEEE 802.2 Source SAP."
        ::= { cTapStream802Entry 8 }

   cTapStream802InterceptEnable OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
            "If 'true', the tap enables interception of matching traffic.
            If cTapStreamCapabilities flag tapEnable is zero, this may not
            be set to 'false'."
        DEFVAL { true }
        ::= { cTapStream802Entry 9 }

   cTapStream802InterceptedPackets OBJECT-TYPE
        SYNTAX     Counter32
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
           "The number of packets matching this data stream specification
           that have been intercepted."
        ::= { cTapStream802Entry 10 }

   cTapStream802InterceptDrops OBJECT-TYPE
        SYNTAX     Counter32
        MAX-ACCESS read-only
        STATUS     current



Baker                  Expires September 30, 2003              [Page 26]


Internet-Draft                   LI-MIB                       April 2003


        DESCRIPTION
           "The number of packets matching this data stream specification
           that, having been intercepted, were dropped in the lawful
           intercept process."
        ::= { cTapStream802Entry 11 }

   cTapStream802Status OBJECT-TYPE
        SYNTAX     RowStatus
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
           "The status of this conceptual row. This object manages
           creation, modification, and deletion of rows in this table.
           cTapStream802InterceptEnable can be modified any time even the
           value of this entry rowStatus object is active.  When other
           rows must be changed, cTapStream802Status must be first set to
           'notInService'."
        ::= { cTapStream802Entry 12 }


   --
   -- The debug table
   --

   cTapDebugTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CTapDebugEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table that contains Lawful Intercept debug information
           available on this device. This table is used to map an error
           code to a text message for further information."
       ::= { cTapDebugGroup 1 }

   cTapDebugEntry OBJECT-TYPE
       SYNTAX      CTapDebugEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A list of the debug messages."
       INDEX { cTapDebugIndex }
       ::= { cTapDebugTable 1 }


   CTapDebugEntry ::= SEQUENCE {
           cTapDebugIndex      Unsigned32,
           cTapDebugMessage    SnmpAdminString
   }



Baker                  Expires September 30, 2003              [Page 27]


Internet-Draft                   LI-MIB                       April 2003


   cTapDebugIndex OBJECT-TYPE
        SYNTAX        Unsigned32
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
           "Indicates an error code."
        ::= { cTapDebugEntry 1 }

   cTapDebugMessage OBJECT-TYPE
        SYNTAX       SnmpAdminString
        MAX-ACCESS   read-only
        STATUS       current
        DESCRIPTION
           "A text string contains the description of an error code."
        ::= { cTapDebugEntry 2 }




   -- notifications

   cTapMIBActive   NOTIFICATION-TYPE
        STATUS     current
        DESCRIPTION
           "This Notification is sent when an intercepting router or
           switch is first capable of intercepting a packet corresponding
           to a configured data stream. If the configured data stream is
           an IP one, the value of the corresponding cTapStreamIpStatus
           is included in this notification. If the configured data stream
           is an IEEE 802 one, the value of the corresponding
           cTapStream802Status is included in this notification.

           This notification may be generated in conjunction with the
           intercept application, which is designed to expect the
           notification to be sent as reliably as possible, e.g., through
           the use of a finite number of retransmissions until
           acknowledged, as and when such mechanisms are available; for
           example, with SNMPv3, this would be an InformRequest.  Filter
           installation can take a long period of time, during which call
           progress may be delayed."
        ::= { cTapMIBNotifications 1 }

   cTapMediationTimedOut NOTIFICATION-TYPE
        OBJECTS    { cTapMediationStatus }
        STATUS     current
        DESCRIPTION
           "When an intercept is autonomously removed by an intercepting
           device, such as due to the time specified in



Baker                  Expires September 30, 2003              [Page 28]


Internet-Draft                   LI-MIB                       April 2003


           cTapMediationTimeout arriving, the device notifies the manager
           of the action."
        ::= { cTapMIBNotifications 2 }

   cTapMediationDebug NOTIFICATION-TYPE
        OBJECTS    { cTapMediationContentId, cTapDebugIndex }
        STATUS     current
        DESCRIPTION
           "When there is intervention needed due to some events related
           to entries configured in cTapMediationTable, the device
           notifies the manager of the event.

           This notification may be generated in conjunction with the
           intercept application, which is designed to expect the
           notification to be sent as reliably as possible, e.g., through
           the use of a finite number of retransmissions until
           acknowledged, as and when such mechanisms are available; for
           example, with SNMPv3, this would be an InformRequest."
        ::= { cTapMIBNotifications 3 }

   cTapStreamIpDebug NOTIFICATION-TYPE
        OBJECTS    { cTapMediationContentId, cTapStreamIpIndex,
                     cTapDebugIndex }
        STATUS     current
        DESCRIPTION
           "When there is intervention needed due to some events related
           to entries configured in cTapStreamIpTable, the device
           notifies the manager of the event.

           This notification may be generated in conjunction with the
           intercept application, which is designed to expect the
           notification to be sent as reliably as possible, e.g., through
           the use of a finite number of retransmissions until
           acknowledged, as and when such mechanisms are available; for
           example, with SNMPv3, this would be an InformRequest."
        ::= { cTapMIBNotifications 4 }

   -- conformance information

   cTapMIBCompliances OBJECT IDENTIFIER ::= { cTapMIBConformance 1 }
   cTapMIBGroups      OBJECT IDENTIFIER ::= { cTapMIBConformance 2 }

   -- compliance statement

   cTapMIBCompliance MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
           "The compliance statement for entities which implement the



Baker                  Expires September 30, 2003              [Page 29]


Internet-Draft                   LI-MIB                       April 2003


           Cisco Intercept MIB"
        MODULE        -- this module
           MANDATORY-GROUPS {
                   cTapMediationComplianceGroup,
                   cTapStreamComplianceGroup,
                   cTapMediationCpbComplianceGroup,
                   cTapNotificationGroup
           }
        ::= { cTapMIBCompliances 1 }

   -- units of conformance

   cTapMediationComplianceGroup OBJECT-GROUP
        OBJECTS {
           cTapMediationNewIndex,
           cTapMediationDestAddressType,
           cTapMediationDestAddress,
           cTapMediationDestPort,
           cTapMediationSrcInterface,
           cTapMediationRtcpPort,
           cTapMediationDscp,
           cTapMediationDataType,
           cTapMediationRetransmitType,
           cTapMediationTimeout,
           cTapMediationTransport,
           cTapMediationNotificationEnable,
           cTapMediationStatus
        }
        STATUS     current
        DESCRIPTION
           "These objects are necessary for description of the data
           streams directed to a Mediation Device."
        ::= { cTapMIBGroups 1 }

   cTapStreamComplianceGroup OBJECT-GROUP
        OBJECTS {
           cTapStreamCapabilities
        }
        STATUS     current
        DESCRIPTION
           "These objects are necessary for a description of the packets
           to select for interception."
        ::= { cTapMIBGroups 2 }

   cTapStreamIpComplianceGroup OBJECT-GROUP
        OBJECTS {
           cTapStreamIpInterface,
           cTapStreamIpAddrType,



Baker                  Expires September 30, 2003              [Page 30]


Internet-Draft                   LI-MIB                       April 2003


           cTapStreamIpDestinationAddress,
           cTapStreamIpDestinationLength,
           cTapStreamIpSourceAddress,
           cTapStreamIpSourceLength,
           cTapStreamIpTosByte,
           cTapStreamIpTosByteMask,
           cTapStreamIpFlowId,
           cTapStreamIpProtocol,
           cTapStreamIpDestL4PortMin,
           cTapStreamIpDestL4PortMax,
           cTapStreamIpSourceL4PortMin,
           cTapStreamIpSourceL4PortMax,
           cTapStreamIpInterceptEnable,
           cTapStreamIpInterceptedPackets,
           cTapStreamIpInterceptDrops,
           cTapStreamIpStatus
        }
        STATUS     current
        DESCRIPTION
           "These objects are necessary for a description of IPv4 and IPv6
           packets to select for interception."
        ::= { cTapMIBGroups 3 }

   cTapStream802ComplianceGroup OBJECT-GROUP
        OBJECTS {
           cTapStream802Fields,
           cTapStream802Interface,
           cTapStream802DestinationAddress,
           cTapStream802SourceAddress,
           cTapStream802EthernetPid,
           cTapStream802SourceLlcSap,
           cTapStream802DestinationLlcSap,
           cTapStream802InterceptEnable,
           cTapStream802InterceptedPackets,
           cTapStream802InterceptDrops,
           cTapStream802Status
        }
        STATUS     current
        DESCRIPTION
           "These objects are necessary for a description of IEEE 802
           packets to select for interception."
        ::= { cTapMIBGroups 4 }

   cTapNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            cTapMIBActive,
            cTapMediationTimedOut,
            cTapMediationDebug,



Baker                  Expires September 30, 2003              [Page 31]


Internet-Draft                   LI-MIB                       April 2003


            cTapStreamIpDebug
        }
        STATUS     current
        DESCRIPTION
           "These notifications are used to present status from the
           intercepting device to the Mediation Device."
        ::= { cTapMIBGroups 5 }

   cTapMediationCpbComplianceGroup OBJECT-GROUP
        OBJECTS {
           cTapMediationCapabilities
        }
        STATUS     current
        DESCRIPTION
           "These objects are necessary for a description of the
           mediation device to select for Lawful Intercept."
        ::= { cTapMIBGroups 6 }

   cTapDebugComplianceGroup OBJECT-GROUP
        OBJECTS {
           cTapDebugMessage
        }
        STATUS     current
        DESCRIPTION
           "These objects are necessary for debug information."
        ::= { cTapMIBGroups 7 }

   END























Baker                  Expires September 30, 2003              [Page 32]


Internet-Draft                   LI-MIB                       April 2003


4. Security Considerations

   Lawful Intercept can be viewed as the direct violation of the
   privacy, and therefore of the security, of the party under
   surveillance. This is a legal matter, not a technical one; the laws
   of a country and a warrant issued by a duly appointed authority in
   that country cause the feature to be deployed and to be used.

   The presence of the capability in a certain router or switch creates
   the possibility that it can be misused, either accidentally or on
   purpose. It may be misconfigured, causing unintended data to be
   intercepted, for example, or the target may come under a denial of
   service attack, resulting in an indirect denial of service attack on
   the Mediation Device. Intercepted data, if left in the clear, may
   betray information to an unintended party. As such, it is Cisco's
   position that appropriate security measures should be used by the
   agency deploying this feature. It should use appropriate
   configuration protocols, such as SNMPv3, and appropriate privacy
   management facilities, such as IPSEC ESP, on this data. It is also
   necessary to maintain close control of the visibility of the
   configuration, as this can have harmful effects both on the
   surveillance subject if leaked, and on the investigation if leaked to
   the subject.

   The considerations of RFC 2804 [4] are very important; it is for this
   reason that Cisco did not attempt to modify existing protocols, but
   created a separate feature for the interception of relevant
   information.























Baker                  Expires September 30, 2003              [Page 33]


Internet-Draft                   LI-MIB                       April 2003


5. Acknowledgements

   The authors worked among a large team of contributors at Cisco, too
   many to name here. And they might not want us to...















































Baker                  Expires September 30, 2003              [Page 34]


Internet-Draft                   LI-MIB                       April 2003


Normative References

   [1]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
        McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
        Management Information Version 2 (SMIv2)", STD 58, RFC 2578,
        April 1999.

   [2]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
        McCloghrie, K., Rose, M. and S. Waldbusser, "Textual Conventions
        for SMIv2", STD 58, RFC 2579, April 1999.

   [3]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance
        Statements for SMIv2", STD 58, RFC 2580, April 1999.






































Baker                  Expires September 30, 2003              [Page 35]


Internet-Draft                   LI-MIB                       April 2003


Informative References

   [4]  IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, May 2000.

   [5]  Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction
        and Applicability Statements for Internet-Standard Management
        Framework", RFC 3410, December 2002.


Author's Address

   Fred Baker
   Cisco Systems
   1121 Via Del Rey
   Santa Barbara, CA  93117
   US

   Phone: +1-408-526-4257
   Fax:   +1-413-473-2403
   EMail: fred@cisco.com































Baker                  Expires September 30, 2003              [Page 36]


Internet-Draft                   LI-MIB                       April 2003


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION



Baker                  Expires September 30, 2003              [Page 37]


Internet-Draft                   LI-MIB                       April 2003


   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.











































Baker                  Expires September 30, 2003              [Page 38]


Html markup produced by rfcmarkup 1.128b, available from https://tools.ietf.org/tools/rfcmarkup/