IPSP
Internet-Draft
Intended status: Informational
Expires: April 22, 2007

M. Baer, Sparta, Inc.
R. Charlet, Self
W. Hardaker, Sparta, Inc.
R. Story, Revelstone Software
C. Wang, ARO/North Carolina State University

October 19, 2006
IPsec Security Policy IPsec Action MIB
draft-ietf-ipsp-ipsecaction-mib-02.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 22, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Baer, et al. Expires April 22, 2007 [Page 1]
Internet-Draft IPsec IPsec Action MIB October 2006
Abstract
This document defines an SMIv2 Management Information Base (MIB)
module for configuring IPsec actions for the security policy database
(SPD) of a device that uses the IPsec Security Policy Database
Configuration MIB for configuring the IPSec protocol actions on that
device. The IPsec Action MIB integrates directly with the IPsec
Security Policy Database Configuration MIB and it is meant to work
within the framework of an action referenced by that MIB.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The Internet-Standard Management Framework . . . . . . . . . . 3
4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
6. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 4
7. Security Considerations . . . . . . . . . . . . . . . . . . . 40
7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 40
7.2. Protecting against unauthenticated access . . . . . . . . 41
7.3. Protecting against involuntary disclosure . . . . . . . . 42
7.4. Bootstrapping your configuration . . . . . . . . . . . . . 42
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 42
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43
10.1. Normative References . . . . . . . . . . . . . . . . . . . 43
10.2. Informative References . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 44
Intellectual Property and Copyright Statements . . . . . . . . . . 46
1. Introduction
This document defines a MIB module for configuration of an IPsec
action within the IPsec security policy database (SPD). This module
works within the framework of the IPsec Security Policy Database
Configuration MIB (IPSEC-SPD-MIB) [RFCZZZZ]. It can be referenced as
an action by the IPSEC-SPD-MIB and is used to configure the IPsec SAs
[RFC2401] that are created for network traffic between devices.
The companion document [RFCZZZZ] documents the IPsec Security Policy
Database Configuration MIB (IPSEC-SPD-MIB). For information on the
configuration of IKE and its parameters, see the companion document
[RFCYYYY], which documents the IPsec Security Policy IKE Action MIB.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
4. Relationship to the DMTF Policy Model
The Distributed Management Task Force has created an object oriented
model of IPsec policy information known as the IPsec Policy Model
White Paper [IPPMWP]. The "IPsec Configuration Policy Model" (IPCP)
[RFC3585] is based in large part on the DMTF's IPsec policy model.
The IPCP document describes a model for configuring IPsec. This MIB
module is a task-specific derivation (i.e., an SMIv2 instantiation) of
the IPCP's IPsec configuration model for use over SNMPv3. This MIB
includes the necessary transform, negotiation, and IPsec action
information required to create an IPsec SA within the IPsec Policy
framework.
5. MIB Module Overview
The MIB module describes the necessary information to implement IPsec
actions and their associated Security Associations as referred to by
the IPsec Security Policy Database Configuration MIB. A basic
understanding of IPsec processing, of the IPsec Configuration Policy
Model and of how actions fit into the framework of the IPSEC-SPD-MIB
is required to use this MIB properly. When an action in this MIB is
referenced from the IPSEC-SPD-MIB, the filters within the IPSEC-SPD-
MIB that are associated with the action are limited to those that are
supported by IPsec [RFC2401] and this MIB.
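To show how the tables of the module below fit together, here is an added example (not part of the draft or of any SNMP agent) that models one ipsaSaPreconfiguredActionTable row together with the AH and ESP transform rows it names, and applies the rules the object DESCRIPTION clauses state: the SA lifetime is the lesser of the action value and the transform's MaxLifetime, a referenced transform must exist and must stay active, a replay window is assumed to be a power of two, and the peer gateway name is not used for transport SAs. The row contents, the dataclass field names, the "inbound"/"outbound" direction labels and the treatment of a transform kilobyte limit of 0 as "no limit" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# DEFVAL of ipsaSaPreActActionLifetimeSec (8 hours); also the lifetime the
# transform tables fall back to when ipsa*TranMaxLifetimeSec is 0.
DEFAULT_LIFETIME_SEC = 28800
TUNNEL, TRANSPORT = 1, 2  # IpsecDoiEncapsulationMode values


@dataclass
class Transform:
    """Subset of one ipsaAhTransformTable or ipsaEspTransformTable row."""
    name: str
    max_lifetime_sec: int = 0     # 0: use the 8 hour default
    max_lifetime_kb: int = 0      # 0: taken as no limit (assumption, draft is silent)
    replay_protection: bool = True
    replay_window_size: int = 64  # bits; "assumed to be a power of two"
    active: bool = True           # RowStatus is active(1)


@dataclass
class PreconfiguredAction:
    """Subset of one ipsaSaPreconfiguredActionTable row."""
    name: str
    direction: str                            # IfDirection index, here as a label
    lifetime_sec: int = DEFAULT_LIFETIME_SEC  # 0: no time limit
    lifetime_kb: int = 0                      # 0: no kilobyte limit
    action_type: int = TUNNEL
    ah_transform_name: str = ""               # zero length: no AH transform
    esp_transform_name: str = ""              # zero length: no ESP transform
    peer_gateway_id_name: str = ""            # only meaningful for tunnel SAs
    active: bool = True


def effective_lifetime_sec(action: PreconfiguredAction, tran: Transform) -> int:
    """The SA lives for the lesser of the action lifetime and the transform's
    MaxLifetimeSec.  Action value 0 means no time limit, so only the transform
    bound applies; transform value 0 means the 8 hour default."""
    tran_max = tran.max_lifetime_sec or DEFAULT_LIFETIME_SEC
    if action.lifetime_sec == 0:
        return tran_max
    return min(action.lifetime_sec, tran_max)


def effective_lifetime_kb(action: PreconfiguredAction, tran: Transform) -> Optional[int]:
    """Lesser of the two kilobyte limits; None when neither side sets one."""
    limits = [v for v in (action.lifetime_kb, tran.max_lifetime_kb) if v > 0]
    return min(limits) if limits else None


def validate_action(action: PreconfiguredAction, ah_table: Dict[str, Transform],
                    esp_table: Dict[str, Transform]) -> List[str]:
    """Check one action row against the constraints its DESCRIPTION clauses
    state; returns the list of problems found (empty when consistent)."""
    problems: List[str] = []
    if not 1 <= len(action.name) <= 32:
        problems.append("ipsaSaPreActActionName must be 1..32 characters")
    for proto, name, table in (("AH", action.ah_transform_name, ah_table),
                               ("ESP", action.esp_transform_name, esp_table)):
        if not name:
            continue  # zero length value: no transform of this type is used
        tran = table.get(name)
        if tran is None:
            problems.append(f"{proto} transform {name!r} is not in the transform table")
            continue
        w = tran.replay_window_size
        if tran.replay_protection and (w <= 0 or w & (w - 1)):
            problems.append(f"{proto} transform {name!r}: replay window {w} is not a power of two")
    if action.action_type == TRANSPORT and action.peer_gateway_id_name:
        problems.append("ipsaSaPreActPeerGatewayIdName is not used for transport SAs")
    return problems


def can_leave_active(tran_name: str, actions: List[PreconfiguredAction]) -> bool:
    """RowStatus rule from the transform tables: a transform row MUST stay
    active while an active action row references it, so a SET moving it away
    from active would have to be answered with inconsistentValue."""
    return not any(a.active and tran_name in (a.ah_transform_name, a.esp_transform_name)
                   for a in actions)


# Constructed sample rows, not taken from the draft.
AH_TABLE = {"ah-sha1": Transform("ah-sha1", max_lifetime_sec=7200)}
ESP_TABLE = {"esp-aes": Transform("esp-aes", max_lifetime_kb=50000, replay_window_size=1000)}
ACTIONS = [PreconfiguredAction("site-a", "outbound", lifetime_sec=3600,
                               ah_transform_name="ah-sha1", esp_transform_name="esp-aes")]

if __name__ == "__main__":
    for a in ACTIONS:
        print(a.name, effective_lifetime_sec(a, AH_TABLE[a.ah_transform_name]),
              validate_action(a, AH_TABLE, ESP_TABLE))
```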
6. MIB definition
The following MIB Module imports from: [RFC2578], [RFC2579],
[RFC2580], [RFC3289], [RFC3411], [RFC4001].
IPSEC-IPSECACTION-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Integer32,
Unsigned32
FROM SNMPv2-SMI
-- [rfc2578]
TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp,
StorageType
FROM SNMPv2-TC
-- [rfc2579]
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
-- [rfc2580]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB
-- [rfc3411]
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
-- [rfc4001]
spdActions, SpdIPPacketLogging, SpdAdminStatus
FROM IPSEC-SPD-MIB
-- [rfcZZZZ]
IfDirection
FROM DIFFSERV-MIB
-- [rfc3289]
;
--
-- module identity
--
ipsaMIB MODULE-IDENTITY
LAST-UPDATED "200610170000Z" -- 17 October 2006
ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer
P.O. Box 72682
Davis, CA 95617
Phone: +1 530 902 3131
Email: baerm@tislabs.com
Ricky Charlet
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
Phone: +1 770 617 3722
Email: rstory@sparta.com
Cliff Wang
ARO/North Carolina State University
4300 S. Miami Blvd.
RTP, NC 27709
E-Mail: cliffwangmail@yahoo.com"
DESCRIPTION
"The MIB module defines IPsec actions for managing IPsec
Security Policy.
Copyright (C) The Internet Society (2006). This version of
this MIB module is part of RFC XXXX, see the RFC itself for
full legal notices."
-- Revision History
REVISION "200610170000Z" -- 17 October 2006
DESCRIPTION "Initial version, published as RFC XXXX."
-- RFC-editor assigns XXXX
::= { spdActions 1 }
--
-- groups of related objects
--
ipsaConfigObjects OBJECT IDENTIFIER
::= { ipsaMIB 1 }
ipsaNotificationObjects OBJECT IDENTIFIER
::= { ipsaMIB 2 }
ipsaConformanceObjects OBJECT IDENTIFIER
::= { ipsaMIB 3 }
--
-- Textual Conventions
--
IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The Encapsulation Mode used as an IPsec DOI
SA Attributes definition in the Transform Payload
of a Phase II IKE negotiation. This set of
values defines encapsulation modes used for AH,
ESP, and IPCOMP when the associated Proposal Payload
has a Protocol-ID of 3 (ESP).
Unused values <= 61439 are reserved to IANA.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
tunnel(1),
transport(2)
Values 61440-65535 are for private use."
SYNTAX Unsigned32 (0..65535)
IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPsec DOI IPCOMP Transform Identifier is an
8-bit value which identifies a particular algorithm
to be used to provide IP-level compression before
ESP. It is used in the Transform-ID field of an ISAKMP
Transform Payload for the IPsec DOI, when the
Protocol-Id of the associated Proposal Payload is 4
(IPCOMP).
The values 1-47 are reserved for algorithms for which
an RFC has been approved for publication.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
ipcompOui(1), -- proprietary compression
-- transform
ipcompDeflate(2), -- 'zlib' deflate algorithm
ipcompLzs(3), -- Stac Electronics LZS
ipcompLzjh(4) -- ITU-T V.44 packet method
The values 48-63 are reserved for private use amongst
cooperating systems.
The values 64-255 are reserved for future expansion."
REFERENCE "RFC 2407 sections 4.4.5 and 6.6,
RFC 3051"
SYNTAX Unsigned32 (0..255)
IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The ESP Authentication Algorithm used in the IPsec
DOI as a SA Attributes definition in the Transform
Payload of Phase II of an IKE negotiation. This
set of values defines the AH authentication
algorithm, when the associated Proposal Payload has
a Protocol-ID of 2 (AH). This set of values
defines the ESP authentication algorithm, when the
associated Proposal Payload has a Protocol-ID
of 3 (ESP).
Unused values <= 61439 are reserved to IANA.
Currently assigned values at the time of this
writing:
none(0), -- reserved in DOI, used
-- in MIBs to reflect no
-- encryption used
hmacMd5(1), -- hashed MAC using MD5
hmacSha(2), -- hashed MAC using SHA-1
desMac(3), -- DES MAC
kpdk(4), -- RFC 1826
-- Key/Pad/Data/Key
hmacSha256(5), -- hashed MAC using SHA-256
hmacSha384(6), -- hashed MAC using SHA-384
hmacSha512(7), -- hashed MAC using SHA-512
hmacRipemd(8) -- hashed MAC using
-- RIPEMD-160-96
Values 61440-65535 are for private use.
In a MIB, a value of 0 indicates that ESP
has been negotiated without authentication."
REFERENCE "RFC 2407 section 4.5, RFC 2407 section 4.4.3.1,
RFC 1826, IANA, RFC 2857"
SYNTAX Unsigned32 (0..65535)
IpsecDoiEspTransform ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The values of the IPsec DOI ESP Transform Identifier
which identify a particular algorithm to be used to
provide secrecy protection for ESP. It is used in
the Transform-ID field of an ISAKMP Transform Payload
for the IPsec DOI, when the Protocol-Id of the
associated Proposal Payload is 2 (AH), 3 (ESP),
and 4 (IPCOMP).
Currently assigned values at the time of this
writing:
none(0), -- reserved in DOI, used
-- in MIBs to reflect no
-- encryption used
espDesIv64(1), -- DES-CBC transform defined
-- in RFC 1827 and RFC 1829
-- using a 64-bit IV
espDes(2), -- generic DES transform
-- using DES-CBC
esp3Des(3), -- generic triple-DES
-- transform
espRc5(4), -- RC5 transform
espIdea(5), -- IDEA transform
espCast(6), -- CAST transform
espBlowfish(7), -- BLOWFISH transform
esp3Idea(8), -- reserved for triple-IDEA
espDesIv32(9), -- DES-CBC transform defined
-- in RFC 1827 and RFC 1829
-- using a 32-bit IV
espRc4(10), -- reserved for RC4
espNull(11), -- no confidentiality
-- provided by ESP
espAes(12) -- NIST AES transform
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.4 and 6.5,
IANA"
SYNTAX Unsigned32 (0..255)
IpsecDoiIdentType ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPsec DOI Identification Type is an 8-bit value
which is used in the ID Type field as a discriminant
for interpretation of the variable-length
Identification Payload.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
idIpv4Addr(1), -- a single four (4) octet
-- IPv4 address
idFqdn(2), -- fully-qualified domain
-- name string
idUserFqdn(3), -- fully-qualified username
-- string
idIpv4AddrSubnet(4),
-- a range of IPv4 addresses,
-- represented by two
-- four (4) octet values,
-- where the first is an
-- address and the second
-- is a mask
idIpv6Addr(5), -- a single sixteen (16)
-- octet IPv6 address
idIpv6AddrSubnet(6),
-- a range of IPv6 addresses,
-- represented by two
-- sixteen (16) octet values,
-- where the first is an
-- address and the second
-- is a mask
idIpv4AddrRange(7), -- a range of IPv4 addresses,
-- represented by two
-- four (4) octet values,
-- where the first is the
-- beginning IPv4 address
-- and the second is the
-- ending IPv4 address
idIpv6AddrRange(8), -- a range of IPv6 addresses,
-- represented by two
-- sixteen (16) octet values,
-- where the first is the
-- beginning IPv6 address
-- and the second is the
-- ending IPv6 address
idDerAsn1Dn(9), -- the binary DER encoding of
-- ASN1 X.500
-- DistinguishedName
idDerAsn1Gn(10), -- the binary DER encoding of
-- ASN1 X.500 GeneralName
idKeyId(11) -- opaque byte stream which
-- may be used to pass
-- vendor-specific
-- information
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9"
SYNTAX Unsigned32 (0..255)
IpsaCredentialType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"IpsaCredentialType identifies the type of credential
contained in a corresponding IpsaIdentityFilter object."
SYNTAX INTEGER { reserved(0),
unknown(1),
sharedSecret(2),
x509(3),
kerberos(4) }
IpsaIdentityFilter ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"IpsaIdentityFilter contains a string encoded Identity Type
value to be used in comparisons against an IKE Identity
payload. Wherever this TC is used, there SHOULD be an
accompanying column which uses the IpsecDoiIdentType TC to
specify the type of data in this object.
See the IpsecDoiIdentType TC for the supported identity
types available. Note that the IpsecDoiIdentType TC
specifies how to encode binary values, while this object
will contain human readable string versions."
SYNTAX OCTET STRING (SIZE(1..256))
--
-- Preconfigured Action Table
--
ipsaSaPreconfiguredActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaSaPreconfiguredActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is a list of non-negotiated IPsec actions (SAs)
that can be performed and contains or indicates the data
necessary to create such an SA."
::= { ipsaConfigObjects 1 }
ipsaSaPreconfiguredActionEntry OBJECT-TYPE
SYNTAX IpsaSaPreconfiguredActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"One entry in the ipsaSaPreconfiguredActionTable."
INDEX { ipsaSaPreActActionName, ipsaSaPreActSADirection }
::= { ipsaSaPreconfiguredActionTable 1 }
IpsaSaPreconfiguredActionEntry ::= SEQUENCE {
ipsaSaPreActActionName SnmpAdminString,
ipsaSaPreActSADirection IfDirection,
ipsaSaPreActActionDescription SnmpAdminString,
ipsaSaPreActActionLifetimeSec Unsigned32,
ipsaSaPreActActionLifetimeKB Unsigned32,
ipsaSaPreActDoActionLogging TruthValue,
ipsaSaPreActDoPacketLogging SpdIPPacketLogging,
ipsaSaPreActDFHandling INTEGER,
ipsaSaPreActActionType IpsecDoiEncapsulationMode,
ipsaSaPreActAHSPI Integer32,
ipsaSaPreActAHTransformName SnmpAdminString,
ipsaSaPreActAHSharedSecretName SnmpAdminString,
ipsaSaPreActESPSPI Integer32,
ipsaSaPreActESPTransformName SnmpAdminString,
ipsaSaPreActESPEncSecretName SnmpAdminString,
ipsaSaPreActESPAuthSecretName SnmpAdminString,
ipsaSaPreActIPCompSPI Integer32,
ipsaSaPreActIPCompTransformName SnmpAdminString,
ipsaSaPreActPeerGatewayIdName SnmpAdminString,
ipsaSaPreActLastChanged TimeStamp,
ipsaSaPreActStorageType StorageType,
ipsaSaPreActRowStatus RowStatus
}
ipsaSaPreActActionName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this
SaPreconfiguredActionEntry."
::= { ipsaSaPreconfiguredActionEntry 1 }
ipsaSaPreActSADirection OBJECT-TYPE
SYNTAX IfDirection
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object indicates whether a row applies to egress
or ingress SAs."
::= { ipsaSaPreconfiguredActionEntry 2 }
ipsaSaPreActActionDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An administratively assigned string which can be used
to describe what the action does."
DEFVAL { "" }
::= { ipsaSaPreconfiguredActionEntry 3 }
ipsaSaPreActActionLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActActionLifetimeSec specifies how long in seconds
the security association derived from this action is used.
The default lifetime is 8 hours.
Note: the actual lifetime of the preconfigured SA will be
the lesser of the value of this object and of the value of
the MaxLifetimeSecs property of the associated transform.
A value of 0 indicates no time limit on the lifetime
of the SA."
DEFVAL { 28800 }
::= { ipsaSaPreconfiguredActionEntry 4 }
ipsaSaPreActActionLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActActionLifetimeKB specifies how long the
security association derived from this action is used.
After this value in KiloBytes has passed through the
security association, this SA SHOULD be destroyed.
Note: the actual lifetime of the preconfigured SA will be
the lesser of the value of this object and of the value of
the MaxLifetimeKB property of the associated transform.
The default value, '0', indicates no kilobyte limit."
DEFVAL { 0 }
::= { ipsaSaPreconfiguredActionEntry 5 }
ipsaSaPreActDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActDoActionLogging specifies whether or not an
audit message SHOULD be logged when a preconfigured SA is
created."
DEFVAL { false }
::= { ipsaSaPreconfiguredActionEntry 6 }
ipsaSaPreActDoPacketLogging OBJECT-TYPE
SYNTAX SpdIPPacketLogging
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActDoPacketLogging specifies whether or not an
audit message SHOULD be logged and if there is logging, how
many bytes of the packet to place in the notification."
DEFVAL { -1 }
::= { ipsaSaPreconfiguredActionEntry 7 }
ipsaSaPreActDFHandling OBJECT-TYPE
SYNTAX INTEGER {
copy(1), -- indicates copy the DF bit from the
-- internal to external IP header.
set(2), -- set the DF bit in the external IP
-- header to 1.
clear(3) -- clear the DF bit in the external IP
-- header to 0.
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies how to process the DF bit in packets
sent through the preconfigured SA. This object is not used
for transport SAs."
DEFVAL { copy }
::= { ipsaSaPreconfiguredActionEntry 8 }
ipsaSaPreActActionType OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the encapsulation mode to use for the
preconfigured SA: tunnel or transport mode."
DEFVAL { 1 }
::= { ipsaSaPreconfiguredActionEntry 9 }
ipsaSaPreActAHSPI OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the SPI value for the AH SA."
::= { ipsaSaPreconfiguredActionEntry 10 }
ipsaSaPreActAHTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is the name of the AH transform to use as an
index into the AHTransformTable. A zero length value
indicates no transform of this type is used."
::= { ipsaSaPreconfiguredActionEntry 11 }
ipsaSaPreActAHSharedSecretName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a name value to be used as an index
into the ipsaCredentialTable which holds the pertinent
keying information for the AH SA."
::= { ipsaSaPreconfiguredActionEntry 12 }
ipsaSaPreActESPSPI OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the SPI value for the ESP SA."
::= { ipsaSaPreconfiguredActionEntry 13 }
ipsaSaPreActESPTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is the name of the ESP transform to use as an
index into the ESPTransformTable. A zero length value
indicates no transform of this type is used."
::= { ipsaSaPreconfiguredActionEntry 14 }
ipsaSaPreActESPEncSecretName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a name value to be used as an index
into the ipsaCredentialTable which holds the pertinent
keying information for the encryption algorithm of the ESP
SA."
::= { ipsaSaPreconfiguredActionEntry 15 }
ipsaSaPreActESPAuthSecretName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a name value to be used as an index
into the ipsaCredentialTable which holds the pertinent
keying information for the authentication algorithm of the
ESP SA."
::= { ipsaSaPreconfiguredActionEntry 16 }
ipsaSaPreActIPCompSPI OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the SPI value for the IPComp SA."
::= { ipsaSaPreconfiguredActionEntry 17 }
ipsaSaPreActIPCompTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is the name of the IPComp transform to use as
an index into the IPCompTransformTable. A zero length
value indicates no transform of this type is used."
::= { ipsaSaPreconfiguredActionEntry 18 }
ipsaSaPreActPeerGatewayIdName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the peer id name of the peer
gateway. This object can be used to look up the peer
gateway address in the ipsaPeerIdentityTable.
This object is only used when initiating a tunnel SA, and
is not used for transport SAs. If ipsaSaPreActActionType
specifies tunnel mode and this object is empty, the peer
gateway is determined from the source or destination of the
packet."
DEFVAL { "" }
::= { ipsaSaPreconfiguredActionEntry 19 }
ipsaSaPreActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaSaPreconfiguredActionEntry 20 }
ipsaSaPreActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaSaPreconfiguredActionEntry 21 }
ipsaSaPreActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipsaSaPreconfiguredActionEntry 22 }
--
-- AH transform definition table
--
ipsaAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaAhTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the AH transforms which can be used to
build IPsec proposals."
::= { ipsaConfigObjects 2 }
ipsaAhTransformEntry OBJECT-TYPE
SYNTAX IpsaAhTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry contains the attributes of one AH transform."
INDEX { ipsaAhTranName }
::= { ipsaAhTransformTable 1 }
IpsaAhTransformEntry ::= SEQUENCE {
ipsaAhTranName SnmpAdminString,
ipsaAhTranMaxLifetimeSec Unsigned32,
ipsaAhTranMaxLifetimeKB Unsigned32,
ipsaAhTranAlgorithm IpsecDoiAuthAlgorithm,
ipsaAhTranReplayProtection TruthValue,
ipsaAhTranReplayWindowSize Unsigned32,
ipsaAhTranLastChanged TimeStamp,
ipsaAhTranStorageType StorageType,
ipsaAhTranRowStatus RowStatus
}
ipsaAhTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this AH transform. This
row will be referred to by an ipsaIpsecTransformsEntry."
::= { ipsaAhTransformEntry 1 }
ipsaAhTranMaxLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranMaxLifetimeSec specifies how long in seconds the
security association derived from this transform SHOULD be
used.
A value of 0 indicates that the default lifetime of
8 hours SHOULD be used."
::= { ipsaAhTransformEntry 2 }
ipsaAhTranMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranMaxLifetimeKB specifies how long in kilobytes the
security association derived from this transform SHOULD be
used."
::= { ipsaAhTransformEntry 3 }
ipsaAhTranAlgorithm OBJECT-TYPE
SYNTAX IpsecDoiAuthAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the AH algorithm for this transform."
::= { ipsaAhTransformEntry 4 }
ipsaAhTranReplayProtection OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranReplayProtection indicates whether or not anti
replay service is to be provided by this SA."
::= { ipsaAhTransformEntry 5 }
ipsaAhTranReplayWindowSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranReplayWindowSize indicates the size, in bits, of
the replay window to use if replay protection is true for
this transform. The window size is assumed to be a power
of two. If Replay Protection is false, this value can be
ignored."
::= { ipsaAhTransformEntry 6 }
ipsaAhTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaAhTransformEntry 7 }
ipsaAhTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaAhTransformEntry 8 }
ipsaAhTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipsaAhTransformEntry 9 }
--
-- ESP transform definition table
--
ipsaEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaEspTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the ESP transforms which can be used
to build IPsec proposals."
::= { ipsaConfigObjects 3 }
ipsaEspTransformEntry OBJECT-TYPE
SYNTAX IpsaEspTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry contains the attributes of one ESP transform."
INDEX { ipsaEspTranName }
::= { ipsaEspTransformTable 1 }
IpsaEspTransformEntry ::= SEQUENCE {
ipsaEspTranName SnmpAdminString,
ipsaEspTranMaxLifetimeSec Unsigned32,
ipsaEspTranMaxLifetimeKB Unsigned32,
ipsaEspTranCipherTransformId IpsecDoiEspTransform,
ipsaEspTranCipherKeyLength Unsigned32,
ipsaEspTranCipherKeyRounds Unsigned32,
ipsaEspTranIntegrityAlgorithmId IpsecDoiAuthAlgorithm,
ipsaEspTranReplayPrevention TruthValue,
ipsaEspTranReplayWindowSize Unsigned32,
ipsaEspTranLastChanged TimeStamp,
ipsaEspTranStorageType StorageType,
ipsaEspTranRowStatus RowStatus
}
ipsaEspTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this ESP transform. This
row will be referred to by an ipsaIpsecTransformsEntry."
::= { ipsaEspTransformEntry 1 }
ipsaEspTranMaxLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranMaxLifetimeSec specifies how long in seconds the
security association derived from this transform SHOULD be
used.
A value of 0 indicates that the default lifetime of
8 hours SHOULD be used."
::= { ipsaEspTransformEntry 2 }
ipsaEspTranMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranMaxLifetimeKB specifies how long in kilobytes
the security association derived from this transform is
used."
::= { ipsaEspTransformEntry 3 }
ipsaEspTranCipherTransformId OBJECT-TYPE
SYNTAX IpsecDoiEspTransform
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the transform ID of the ESP cipher
algorithm."
::= { ipsaEspTransformEntry 4 }
ipsaEspTranCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies, in bits, the key length for
the ESP cipher algorithm."
::= { ipsaEspTransformEntry 5 }
ipsaEspTranCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the number of key rounds for
the ESP cipher algorithm."
::= { ipsaEspTransformEntry 6 }
ipsaEspTranIntegrityAlgorithmId OBJECT-TYPE
SYNTAX IpsecDoiAuthAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the ESP integrity algorithm ID."
::= { ipsaEspTransformEntry 7 }
ipsaEspTranReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranReplayPrevention indicates whether or not
anti-replay service is to be provided by this SA."
::= { ipsaEspTransformEntry 8 }
ipsaEspTranReplayWindowSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranReplayWindowSize indicates the size, in bits, of
the replay window to use if replay protection is true for
this transform. The window size is assumed to be a power
of two. If Replay Protection is false, this value can be
ignored."
::= { ipsaEspTransformEntry 9 }
ipsaEspTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaEspTransformEntry 10 }
ipsaEspTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaEspTransformEntry 11 }
ipsaEspTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by a row in another table. An attempt to set it
to anything other than active while it is referenced by an
active row in another table MUST result in an
inconsistentValue error."
::= { ipsaEspTransformEntry 12 }
--
-- IP compression transform definition table
--
ipsaIpcompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaIpcompTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the IP compression transforms which
can be used to build IPsec proposals during negotiation of
a phase 2 SA."
::= { ipsaConfigObjects 4 }
ipsaIpcompTransformEntry OBJECT-TYPE
SYNTAX IpsaIpcompTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry contains the attributes of one IP compression
transform."
INDEX { ipsaIpcompTranName }
::= { ipsaIpcompTransformTable 1 }
IpsaIpcompTransformEntry ::= SEQUENCE {
ipsaIpcompTranName SnmpAdminString,
ipsaIpcompTranMaxLifetimeSec Unsigned32,
ipsaIpcompTranMaxLifetimeKB Unsigned32,
ipsaIpcompTranAlgorithm IpsecDoiIpcompTransform,
ipsaIpcompTranDictionarySize Unsigned32,
ipsaIpcompTranPrivateAlgorithm Unsigned32,
ipsaIpcompTranLastChanged TimeStamp,
ipsaIpcompTranStorageType StorageType,
ipsaIpcompTranRowStatus RowStatus
}
ipsaIpcompTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of this ipsaIpcompTransformEntry."
::= { ipsaIpcompTransformEntry 1 }
ipsaIpcompTranMaxLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaIpcompTranMaxLifetimeSec specifies how long in seconds
the security association derived from this transform SHOULD
be used.
A value of 0 indicates that the default lifetime of
8 hours SHOULD be used."
::= { ipsaIpcompTransformEntry 2 }
ipsaIpcompTranMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaIpcompTranMaxLifetimeKB specifies how long in kilobytes
the security association derived from this transform SHOULD
be used."
::= { ipsaIpcompTransformEntry 3 }
ipsaIpcompTranAlgorithm OBJECT-TYPE
SYNTAX IpsecDoiIpcompTransform
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaIpcompTranAlgorithm specifies the transform ID of the
IP compression algorithm."
::= { ipsaIpcompTransformEntry 4 }
ipsaIpcompTranDictionarySize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If the algorithm in ipsaIpcompTranAlgorithm requires a
dictionary size configuration parameter, then this is the
place to put it. This object specifies the log2 maximum
size of the dictionary for the compression algorithm."
::= { ipsaIpcompTransformEntry 5 }
ipsaIpcompTranPrivateAlgorithm OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If ipsaIpcompTranPrivateAlgorithm has a value other than zero,
then it is up to the vendor's implementation to determine
the meaning of this field and substitute a data compression
algorithm in place of ipsaIpcompTranAlgorithm."
::= { ipsaIpcompTransformEntry 6 }
ipsaIpcompTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaIpcompTransformEntry 7 }
ipsaIpcompTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaIpcompTransformEntry 8 }
ipsaIpcompTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipsaIpcompTransformEntry 9 }
--
-- Credential Table
--
ipsaCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaCredentialEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of credential values. Examples of credentials are
shared secrets, certificates or Kerberos tickets."
::= { ipsaConfigObjects 5 }
ipsaCredentialEntry OBJECT-TYPE
SYNTAX IpsaCredentialEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipsaCredentialTable."
INDEX { ipsaCredName }
::= { ipsaCredentialTable 1 }
IpsaCredentialEntry ::= SEQUENCE {
ipsaCredName SnmpAdminString,
ipsaCredType IpsaCredentialType,
ipsaCredCredential OCTET STRING,
ipsaCredSize Integer32,
ipsaCredMngName SnmpAdminString,
ipsaCredRemoteID OCTET STRING,
ipsaCredAdminStatus SpdAdminStatus,
ipsaCredLastChanged TimeStamp,
ipsaCredStorageType StorageType,
ipsaCredRowStatus RowStatus
}
ipsaCredName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the name for an entry in this table."
::= { ipsaCredentialEntry 1 }
ipsaCredType OBJECT-TYPE
SYNTAX IpsaCredentialType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the type of the credential for this
row."
::= { ipsaCredentialEntry 2 }
ipsaCredCredential OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the credential value.
If the size of the credential is greater than 1024, the
credential MUST be configured via the ipsaCredSegmentTable.
For credential types where the disclosure of the credential
would compromise the credential (e.g. shared secrets), when
this object is accessed for reading, it MUST return a null
length (0 length) string and MUST NOT return the configured
credential."
::= { ipsaCredentialEntry 3 }
ipsaCredSize OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value represents the size of the credential.
If this value is greater than 1024, the ipsaCredCredential
column will return an empty (0 length) string. In this
case, the value of the credential is retrieved from the
ipsaCredSegmentTable.
For credential types where the disclosure of the credential
would compromise the credential (e.g. shared secrets), when
this object is accessed for reading, it MUST return a value
of 0 and MUST NOT return the size of the credential."
::= { ipsaCredentialEntry 4 }
ipsaCredMngName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the
ipsaIpsecCredMngServiceTable. For IDs that have no
credential management service, this value is left blank."
::= { ipsaCredentialEntry 5 }
ipsaCredRemoteID OBJECT-TYPE
SYNTAX OCTET STRING(SIZE(0..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the Identification (e.g. user name)
of the user of the key information on the remote site. If
there is no ID associated with this credential, the value
of this object SHOULD be the null string."
::= { ipsaCredentialEntry 6 }
ipsaCredAdminStatus OBJECT-TYPE
SYNTAX SpdAdminStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates whether this credential is considered
active. Rows with a disabled status MUST NOT be used for
any purpose, including IKE or IPSEC processing.
For credentials whose size does not exceed the maximum
size for the ipsaCredCredential, it MAY be set to enabled
during row creation. For larger credentials, it SHOULD be
left as disabled until all rows have been uploaded to the
ipsaCredSegmentTable."
DEFVAL { disabled }
::= { ipsaCredentialEntry 7 }
ipsaCredLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaCredentialEntry 8 }
ipsaCredStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaCredentialEntry 9 }
ipsaCredRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipsaCredentialEntry 10 }
--
-- Credential Segment Value Table
--
ipsaCredentialSegmentTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaCredentialSegmentEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of credential segments. This table is used for
credentials which are larger than the maximum size allowed
for ipsaCredCredential."
::= { ipsaConfigObjects 6 }
ipsaCredentialSegmentEntry OBJECT-TYPE
SYNTAX IpsaCredentialSegmentEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipsaCredentialSegmentTable."
INDEX { ipsaCredName, ipsaCredSegIndex }
::= { ipsaCredentialSegmentTable 1 }
IpsaCredentialSegmentEntry ::= SEQUENCE {
ipsaCredSegIndex Integer32,
ipsaCredSegValue OCTET STRING,
ipsaCredSegLastChanged TimeStamp,
ipsaCredSegStorageType StorageType,
ipsaCredSegRowStatus RowStatus
}
ipsaCredSegIndex OBJECT-TYPE
SYNTAX Integer32 (1..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the segment number for this segment.
By default, each segment will be 1024 octets. However, when
this table is accessed using a context of 'ipsa4096',
'ipsa8192' or 'ipsa16384' a segment size of 4096, 8192 or
16384 (respectively) will be used instead.
The number of rows which need to be retrieved or set can be
calculated by obtaining the value of the ipsaCredSize
column from the corresponding ipsaCredentialTable row and
dividing it by the segment size."
::= { ipsaCredentialSegmentEntry 1 }
ipsaCredSegValue OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents one segment of the credential.
By default, each complete segment will be 1024 octets. (The
last row for a given credential might be smaller, if the
credential size is not a multiple of the segment size).
An implementation MAY optionally support segment sizes of
256, 4096, 8192 or the full object size when this table is
accessed using a context of 'ipsaCred256',
'ipsaCred4096', 'ipsaCred8192' or 'ipsaCredFull'
(respectively).
The number of rows which need to be retrieved or set can be
calculated by obtaining the value of the ipsaCredSize
column from the corresponding ipsaCredentialTable row and
dividing it by the segment size."
::= { ipsaCredentialSegmentEntry 2 }
ipsaCredSegLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this credential was last
modified or created either through SNMP SETs or by some
other external means. Note that the last changed time will
be the same for all segments of the credential.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaCredentialSegmentEntry 3 }
ipsaCredSegStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The storage type for this row. This object is
read-only. Rows in this table have the same value as the
ipsaCredStorageType for the corresponding row in the
ipsaCredentialTable.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaCredentialSegmentEntry 4 }
ipsaCredSegRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipsaCredentialSegmentEntry 5 }
--
-- Peer Identity Table
--
ipsaPeerIdentityTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaPeerIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"PeerIdentity is used to represent the identities that are
used for peers to identify themselves in IKE phase I/II
negotiations. PeerIdentityTable aggregates the table
entries that provide mappings between identities and their
addresses."
::= { ipsaConfigObjects 7 }
ipsaPeerIdentityEntry OBJECT-TYPE
SYNTAX IpsaPeerIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"peerIdentity matches a peer's identity to its address."
INDEX { ipsaPeerIdName, ipsaPeerIdPriority }
::= { ipsaPeerIdentityTable 1 }
IpsaPeerIdentityEntry ::= SEQUENCE {
ipsaPeerIdName SnmpAdminString,
ipsaPeerIdPriority Integer32,
ipsaPeerIdType IpsecDoiIdentType,
ipsaPeerIdValue IpsaIdentityFilter,
ipsaPeerIdAddressType InetAddressType,
ipsaPeerIdAddress InetAddress,
ipsaPeerIdCredentialName SnmpAdminString,
ipsaPeerIdLastChanged TimeStamp,
ipsaPeerIdStorageType StorageType,
ipsaPeerIdRowStatus RowStatus
}
ipsaPeerIdName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned value that, together
with ipsaPeerIdPriority, uniquely identifies an entry in
this table."
::= { ipsaPeerIdentityEntry 1 }
ipsaPeerIdPriority OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object, along with ipsaPeerIdName, uniquely identifies
an entry in this table. The priority also indicates the
ordering of peer gateways from which to initiate or accept
SAs. The priority value is ordered from low to high. For
example, a row with a priority of 0 is used before a row
with a priority of 1, a 1 before a 2, and so on."
::= { ipsaPeerIdentityEntry 2 }
ipsaPeerIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaPeerIdType is an enumeration identifying the type of the
Identity value."
::= { ipsaPeerIdentityEntry 3 }
ipsaPeerIdValue OBJECT-TYPE
SYNTAX IpsaIdentityFilter
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaPeerIdValue contains an Identity filter to be used to
match against the identity payload in an IKE request, or
blank otherwise. If this value matches the value in the
identity payload, the credential for the peer can be found
using the ipsaPeerIdCredentialName as an index into the
credential table."
::= { ipsaPeerIdentityEntry 4 }
ipsaPeerIdAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipsaPeerIdAddressType specifies the format of
the ipsaPeerIdAddress property value."
::= { ipsaPeerIdentityEntry 5 }
ipsaPeerIdAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaPeerIdAddress specifies the IP address of the
peer. The format is specified by
ipsaPeerIdAddressType."
::= { ipsaPeerIdentityEntry 6 }
ipsaPeerIdCredentialName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the ipsaCredentialTable
to look up the actual credential value and other credential
information. For peer IDs that have no associated
credential information, this value is left blank."
::= { ipsaPeerIdentityEntry 7 }
ipsaPeerIdLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { ipsaPeerIdentityEntry 8 }
ipsaPeerIdStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipsaPeerIdentityEntry 9 }
ipsaPeerIdRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipsaPeerIdentityEntry 10 }
--
--
-- Notification objects information
--
--
ipsaNotificationVariables OBJECT IDENTIFIER ::=
{ ipsaNotificationObjects 1 }
ipsaNotifications OBJECT IDENTIFIER ::=
{ ipsaNotificationObjects 0 }
--
--
-- Conformance information
--
--
ipsaCompliances OBJECT IDENTIFIER
::= { ipsaConformanceObjects 1 }
ipsaGroups OBJECT IDENTIFIER
::= { ipsaConformanceObjects 2 }
--
-- Compliance statements
--
--
ipsaIPsecCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IPsec MIB implementation and support IPsec actions.
There are a number of INDEX objects that cannot be
represented in the form of OBJECT clauses in SMIv2, but for
which we have the following compliance requirements,
expressed in OBJECT clause form in this description clause:
-- OBJECT ipsaPeerIdAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT ipsaPeerIdAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
MODULE -- This Module
MANDATORY-GROUPS { ipsaPreconfiguredGroup, ipsaSharedGroup }
OBJECT ipsaSaPreActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaAhTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaEspTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaIpcompTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaPeerIdLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaCredLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaCredSegLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
::= { ipsaCompliances 1 }
--
--
-- Compliance Groups Definitions
--
ipsaPreconfiguredGroup OBJECT-GROUP
OBJECTS {
ipsaSaPreActActionDescription,
ipsaSaPreActActionLifetimeSec, ipsaSaPreActActionLifetimeKB,
ipsaSaPreActDoActionLogging, ipsaSaPreActDoPacketLogging,
ipsaSaPreActDFHandling, ipsaSaPreActActionType,
ipsaSaPreActAHSPI, ipsaSaPreActAHTransformName,
ipsaSaPreActAHSharedSecretName, ipsaSaPreActESPSPI,
ipsaSaPreActESPTransformName, ipsaSaPreActESPEncSecretName,
ipsaSaPreActESPAuthSecretName, ipsaSaPreActIPCompSPI,
ipsaSaPreActIPCompTransformName,
ipsaSaPreActPeerGatewayIdName, ipsaSaPreActLastChanged,
ipsaSaPreActStorageType, ipsaSaPreActRowStatus
}
STATUS current
DESCRIPTION
"This group is the set of objects that support preconfigured
IPsec actions. These objects are from The Preconfigured
Action Table. This group also includes objects from the
shared tables: Peer Identity Table, Credential Table,
Credential Management Service Table and the AH, ESP, and
IPComp Transform Tables."
::= { ipsaGroups 1 }
ipsaSharedGroup OBJECT-GROUP
OBJECTS {
ipsaAhTranMaxLifetimeSec, ipsaAhTranMaxLifetimeKB,
ipsaAhTranAlgorithm, ipsaAhTranReplayProtection,
ipsaAhTranReplayWindowSize, ipsaAhTranLastChanged,
ipsaAhTranStorageType, ipsaAhTranRowStatus,
ipsaEspTranMaxLifetimeSec, ipsaEspTranMaxLifetimeKB,
ipsaEspTranCipherTransformId, ipsaEspTranCipherKeyLength,
ipsaEspTranCipherKeyRounds, ipsaEspTranIntegrityAlgorithmId,
ipsaEspTranReplayPrevention, ipsaEspTranReplayWindowSize,
ipsaEspTranLastChanged, ipsaEspTranStorageType,
ipsaEspTranRowStatus,
ipsaIpcompTranDictionarySize, ipsaIpcompTranAlgorithm,
ipsaIpcompTranMaxLifetimeSec, ipsaIpcompTranMaxLifetimeKB,
ipsaIpcompTranPrivateAlgorithm, ipsaIpcompTranLastChanged,
ipsaIpcompTranStorageType, ipsaIpcompTranRowStatus,
ipsaCredType, ipsaCredCredential, ipsaCredMngName,
ipsaCredSize, ipsaCredRemoteID, ipsaCredAdminStatus,
ipsaCredLastChanged, ipsaCredStorageType, ipsaCredRowStatus,
ipsaCredSegValue, ipsaCredSegLastChanged,
ipsaCredSegStorageType, ipsaCredSegRowStatus,
ipsaPeerIdValue, ipsaPeerIdType, ipsaPeerIdAddress,
ipsaPeerIdAddressType, ipsaPeerIdCredentialName,
ipsaPeerIdLastChanged, ipsaPeerIdStorageType,
ipsaPeerIdRowStatus
}
STATUS current
DESCRIPTION
"This group includes objects from tables expected
to be shared by other modules: Peer Identity Table,
Credential Table, Credential Management Service Table and
the AH, ESP, and IPComp Transform Tables."
::= { ipsaGroups 2 }
END
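The credential upload and readback rules spread across ipsaCredentialTable and ipsaCredentialSegmentTable above (1024-octet inline limit, context-selected segment size, row count derived from ipsaCredSize, disabled-until-complete admin status, and the empty-string/zero readback for secret credential types) can be modelled in a few functions. This is an added example, not code from the draft or from any implementation; the context names and sizes come from the ipsaCredSegValue DESCRIPTION, while the class and helper names and the credential-type labels are assumptions.

```python
"""Model of the IPsec Action MIB credential tables (added example).

Not code from the draft. Segment sizes and context names follow the
ipsaCredSegValue DESCRIPTION; class/helper names and the credential-type
labels below are constructed for illustration.
"""
import math

MAX_INLINE = 1024  # SIZE(0..1024) of ipsaCredCredential

# Segment size chosen by the SNMP context used to access the segment table.
# "" is the default context (1024-octet segments); None means one row holds
# the whole credential ('ipsaCredFull').
CONTEXT_SEGMENT_SIZE = {
    "": 1024,
    "ipsaCred256": 256,
    "ipsaCred4096": 4096,
    "ipsaCred8192": 8192,
    "ipsaCredFull": None,
}

# Constructed labels for credential types whose disclosure would compromise
# them (the draft's example is shared secrets); not IpsaCredentialType values.
SECRET_TYPES = {"sharedSecret", "privateKey"}


def segment_size(context, cred_size):
    """Octets per ipsaCredSegValue row for the given access context."""
    if context not in CONTEXT_SEGMENT_SIZE:
        raise ValueError(f"unsupported context {context!r}")
    size = CONTEXT_SEGMENT_SIZE[context]
    return cred_size if size is None else size


def rows_needed(cred_size, context=""):
    """Number of segment rows to set or retrieve; 0 if it fits inline.

    The draft says to divide ipsaCredSize by the segment size; the last
    row may be a partial segment, so the quotient is rounded up."""
    if cred_size <= MAX_INLINE:
        return 0
    return math.ceil(cred_size / segment_size(context, cred_size))


def split_into_segments(credential, context=""):
    """Return {ipsaCredSegIndex: ipsaCredSegValue}; indexes start at 1."""
    n = rows_needed(len(credential), context)
    if n == 0:
        return {}
    seg = segment_size(context, len(credential))
    return {i + 1: credential[i * seg:(i + 1) * seg] for i in range(n)}


def reassemble(segments):
    """Join segment rows in index order, refusing gaps or duplicates."""
    expected = list(range(1, len(segments) + 1))
    if sorted(segments) != expected:
        raise ValueError("missing or duplicate ipsaCredSegIndex")
    return b"".join(segments[i] for i in expected)


class CredentialRow:
    """One ipsaCredentialTable row plus its segment rows (if any)."""

    def __init__(self, name, cred_type, credential, context=""):
        if not 1 <= len(name) <= 32:
            raise ValueError("ipsaCredName is SIZE(1..32)")
        self.name = name
        self.cred_type = cred_type
        self._credential = credential
        self.segments = split_into_segments(credential, context)
        # ipsaCredAdminStatus: small credentials MAY be enabled at creation;
        # segmented ones SHOULD stay disabled until every row is uploaded.
        self.admin_status = "disabled" if self.segments else "enabled"

    def finish_upload(self):
        """Enable the row once the uploaded segments rebuild the credential."""
        if self.segments and reassemble(self.segments) == self._credential:
            self.admin_status = "enabled"
        return self.admin_status

    # What an SNMP GET on the row is allowed to return.
    def get_credential(self):
        """ipsaCredCredential: empty for secret types and for oversize values."""
        if self.cred_type in SECRET_TYPES or len(self._credential) > MAX_INLINE:
            return b""
        return self._credential

    def get_size(self):
        """ipsaCredSize: 0 for secret types, else the real size."""
        return 0 if self.cred_type in SECRET_TYPES else len(self._credential)
```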
7. Security Considerations
7.1. Introduction
This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides network security services, all of its
configuration data (e.g. this entire MIB) SHOULD be as secure or more
secure than any of the security services IPsec provides. There are
two main threats you need to protect against when configuring IPsec
devices.
1. Malicious Configuration: This MIB configures network security
services. If an attacker has SET access to any part of this MIB,
the network security services configured by this MIB SHOULD be
considered broken. The network data sent through the associated
gateway should no longer be considered as protected by IPsec
(i.e., it is no longer confidential or authenticated).
Therefore, only the official administrators SHOULD be allowed to
configure a device. In other words, administrators' identities
SHOULD be authenticated and their access rights checked before
they are allowed to do device configuration. The support for SET
operations to the IPSEC-IPSECACTION MIB in a non-secure
environment, without proper protection, will invalidate the
security of the network traffic affected by the IPSEC-
IPSECACTION-MIB.
2. Disclosure of Configuration: In general, malicious parties SHOULD
NOT be able to read security configuration data while the data is
in network transit. An attacker reading the configuration data
may be able to find misconfigurations in the MIB that enable
attacks on the network or on the configured node. Since this
entire MIB is used for security configuration, it is highly
RECOMMENDED that only authorized administrators are allowed to
view data in this MIB. In particular, malicious users SHOULD be
prevented from reading SNMP packets containing this MIB's data.
SNMP GET data SHOULD be encrypted when sent across the network.
Also, only authorized administrators SHOULD be allowed SNMP GET
access to any of the MIB objects.
SNMP versions prior to SNMPv3 do not include adequate security. Even
if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure
network is allowed to access (i.e. read/change/create/delete) the
objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to GET or SET (change/create/delete) them.
Therefore, when configuring data in the IPSEC-IPSECACTION-MIB, you
SHOULD use SNMP version 3. The rest of this discussion assumes the
use of SNMPv3. This is a real strength, because it allows
administrators to load new IPsec configuration on a device and keep
the conversation private and authenticated under the protection of
SNMPv3 before any IPsec protections are available. Once initial
establishment of IPsec configuration on a device has been achieved,
it would be possible to set up IPsec SAs to then also provide
security and integrity services to the configuration conversation.
This may seem redundant at first, but will be shown to have a use
for added privacy protection below.
7.2. Protecting against unauthenticated access
The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys in SNMPv3 is not yet provided by standards track
documents, although RFC2786 defines an experimental method of doing
so.
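The password-derived HMAC keys this section describes are specified in RFC 3414 (Appendix A.2): the password is hashed after being stretched to 1 MiB, and the result is then localized with the agent's snmpEngineID so that a key recovered from one device does not authenticate to another. The following is an added example of that derivation, not code from this draft or from any SNMP implementation; the 'maplesyrup' password and the engine ID ending in 02 are the RFC 3414 Appendix A.3 test vector, and the message bytes are constructed.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, App. A.2).

Added example, not code from the draft. Shows why Section 7.2's remark
that 'keys are derived from passwords' matters for a defender: the
per-engine key that authenticates every SNMP message is only as strong
as the password behind it.
"""
import hashlib
import hmac

ONE_MIB = 1048576  # RFC 3414: hash exactly 1,048,576 octets of password


def password_to_key(password: bytes, algorithm: str = "sha1") -> bytes:
    """Ku: digest of the password repeated (and truncated) to 1 MiB."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MIB, len(password))
    h = hashlib.new(algorithm)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores.

    Localization means a Kul captured from one engine (e.g. by reading a
    device's USM table) cannot be replayed against a different engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def derive_for_engine(password: bytes, engine_id: bytes,
                      algorithm: str = "sha1") -> bytes:
    """Convenience: password -> localized key for one engine."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def auth_parameters(kul: bytes, whole_msg: bytes,
                    algorithm: str = "sha1") -> bytes:
    """HMAC-96 msgAuthenticationParameters: first 12 octets of the HMAC.

    whole_msg is the serialized message with the 12-octet authentication
    field zeroed, as RFC 3414 requires."""
    return hmac.new(kul, whole_msg, algorithm).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, tag: bytes,
           algorithm: str = "sha1") -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, algorithm), tag)


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 engine ID
    print("localized SHA-1 key:", derive_for_engine(b"maplesyrup", engine).hex())
```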
7.3. Protecting against involuntary disclosure
While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed
by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties.
This includes IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic
algorithms is in the works and may be done as you read this (e.g.
AES [RFC3826]). When configuring IPsec policy using this MIB, policy
administrators SHOULD use a privacy security service that is at least
as strong as the desired IPsec policy. For example, if an
administrator were to use this MIB to configure an IPsec connection
that uses the 3DES algorithm, the SNMP communication configuring the
connection SHOULD be protected by an algorithm as strong as or
stronger than 3DES.
7.4. Bootstrapping your configuration
Most vendors will not ship new products with a default SNMPv3 user/
password pair, but it is possible. If a device does ship with a
default user/password pair, policy administrators SHOULD either
change the password or configure a new user, deleting the default
user (or at a minimum, restrict the access of the default user).
Most SNMPv3 distributions should, hopefully, require an out-of-band
initialization over a trusted medium, such as a local console
connection.
8. IANA Considerations
Only one IANA consideration exists for this document: the node
number allocation of the IPSEC-IPSECACTION-MIB under the
IPSEC-SPD-MIB's spdActions node.
9. Acknowledgments
Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order for the following
people:
Lindy Foster (Sparta, Inc.)
John Gillis (ADC)
Jamie Jason (Intel Corporation)
Roger Hartmuller (Sparta, Inc.)
David Partain (Ericsson)
Lee Rafalow (IBM)
Jon Saperia (JDS Consulting)
John Shriver (Internap Network Services Corporation)
Eric Vyncke (Cisco Systems)
10. References
10.1. Normative References
[RFCZZZZ] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy Database Configuration MIB",
January 2004.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IKE Action MIB",
January 2004.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information
Base for the Differentiated Services Architecture",
RFC 3289, May 2002.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585,
August 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
10.2. Informative References
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", More Info http://www.dmtf.org/specs/cim.html,
November 2000.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004.
Authors' Addresses
Michael Baer
Sparta, Inc.
P.O. Box 72682
Davis, CA 95617
US
Email: baerm@tislabs.com
Ricky Charlet
Self
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
US
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
US
Email: rstory@sparta.com
Cliff Wang
ARO/North Carolina State University
4300 S. Miami Blvd
RTP, NC 27709
US
Email: cliffwangmail@yahoo.com
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).