[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 RFC 4807

IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: August 21, 2005                                      R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                ARO/North Carolina State
                                                              University
                                                       February 20, 2005


            IPsec Security Policy Database Configuration MIB
                     draft-ietf-ipsp-spd-mib-02.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 21, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract



Baer, et al.            Expires August 21, 2005                 [Page 1]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   This document defines a SMIv2 Management Information Base (MIB)
   module for configuring the security policy database of a device
   implementing the IPsec protocol.  The policy-based packet filtering
   and the corresponding execution of actions described in this document
   is of a more general nature than for IPsec configuration alone, such
   as for configuration of a firewall.  This MIB module is designed to
   be extensible with other enterprise or standards based defined packet
   filters and actions.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Internet-Standard Management Framework . . . . . . . . . .  3
   3.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   4.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
     4.1   Usage Tutorial . . . . . . . . . . . . . . . . . . . . . .  5
       4.1.1   Notational conventions . . . . . . . . . . . . . . . .  5
       4.1.2   Implementing an example SPD policy . . . . . . . . . .  6
   5.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 61
     6.1   Introduction . . . . . . . . . . . . . . . . . . . . . . . 61
     6.2   Protecting against in-authentic access . . . . . . . . . . 63
     6.3   Protecting against involuntary disclosure  . . . . . . . . 63
     6.4   Bootstrapping your configuration . . . . . . . . . . . . . 63
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 64
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 64
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
   9.1   Normative References . . . . . . . . . . . . . . . . . . . . 64
   9.2   Informative References . . . . . . . . . . . . . . . . . . . 65
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 66
       Intellectual Property and Copyright Statements . . . . . . . . 67




















Baer, et al.            Expires August 21, 2005                 [Page 2]


Internet-Draft        IPsec SPD configuration MIB          February 2005


1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The policy-based packet filtering
   and the corresponding execution of actions is of a more general
   nature than for IPsec configuration only, such as for configuration
   of a firewall.  It is possible to extend this MIB module and add
   other packet transforming actions that are performed conditionally on
   network traffic.

   Companion documents [RFCXXXX], [RFCYYYY] document actions which are
   specific to IPsec and IKE.  No IPsec or IKE specific actions are
   defined within this document.

   Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
   these values are determined.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410]

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The "IPsec Configuration Policy Model"
   (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
   model.  The IPCP document describes a model for configuring IPsec.
   This MIB module is a task specific derivation (i.e.  an SMIv2
   instantiation) of the IPCP's IPsec configuration model for use with
   SNMPv3.

   The high-level areas where this MIB module diverges from the IPCP
   model are:

   o  Policies, Groups, Conditions, and some levels of Actions are
      generically named.  In other words, IPsec specific prefixes like



Baer, et al.            Expires August 21, 2005                 [Page 3]


Internet-Draft        IPsec SPD configuration MIB          February 2005


      "SA" (Security Association), or "IPsec" are not used.  This naming
      convention is used because packet classification and the matching
      of conditions to actions is more general than IPsec.  These tables
      could possibly be reused by other packet transforming actions
      which need to conditionally act on packets matching filters.

   o  Filters are implemented in a more generic and scalable manner,
      rather than enforcing the condition/filtering pairing of the IPCP
      and its restrictions upon the user.  This MIB module offers a
      compound filter object to provide for greater flexibility than the
      IPCP when creating complex filters.


4.  MIB Module Overview

   The MIB module is modularized into several different parts: rules,
   filters, and actions.

   The rules section connects endpoints and groups of rules together.
   This is made up of the spdEndpointToGroupTable,
   spdGroupContentsTable, and the spdRuleDefinitionTable.  Each row of
   the spdRuleDefinitionTable connects a filter to an action.  It should
   also be noted that by referencing the spdCompoundFilterTable, the
   spdRuleDefinitionTable's filter column can indicate a set of filters
   to be processed.  Likewise, by referencing the
   spdCompoundActionTable, the spdRuleDefinitionTable's action column
   can indicate multiple actions to be executed.

   This MIB is structured to allow for reuse through the future creation
   of extension tables that provide additional filters and/or actions.
   In fact, the companion documents to this one do just that to define
   IPsec and IKE specific actions to be used within this SPD
   configuration MIB.

   The filter section of the MIB module is composed of the different
   types of filters in the Policy Model.  It is made up of the
   spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable
   spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
   spdCompoundFilterTable, spdIpsoHeaderFilterTable.

   The action section of this MIB module contains only the simple static
   actions required for the firewall processing that an IPsec SPD
   implementation requires (e.g.  accept, drop, log, ...).  The
   companion documents to this document define the complex actions
   necessary for IPsec and IKE negotiations.

   As may have been noticed above, the MIB uses recursion similarly in
   several different places.  In particular the spdGroupContentsTable,



Baer, et al.            Expires August 21, 2005                 [Page 4]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   the spdCompoundFilterTable / spdSubfiltersTable combination, and the
   spdCompoundActionTable / spdSubactionsTable combination can reference
   themselves.

   In the case of the spdGroupContentsTable, a row can indicate a rule
   (i.e.  a row in the spdRuleDefinitionTable) or a group (i.e.  another
   set of one or more rows in the spdGroupContentsTable).  In this way a
   group can contain a set of rules and sub-groups.  Sub-groups are just
   other groups defined in the spdGroupContentsTable.  There is no
   inherit MIB limit to the nesting of groups within groups.

   The spdCompoundFilterTable / spdSubfiltersTable combination and
   spdCompoundActionTable / spdSubactionsTable combination are designed
   almost identically with one being for filters and the other for
   actions respectively.  The following descriptions for the compound
   filter tables can be directly applied to the compound action tables.

   The combination of the tables spdCompoundFilterTable and
   spdSubfiltersTable allow a user to create a set of filters that can
   be treated by any table that references it as a single filter.  A row
   in the spdCompoundFilterTable has the basic configuration information
   for the compound filter.  It's name (spdCompFiltname) reference a set
   of rows in the spdSubfiltersTable.  Each row in spdSubfiltersTable
   points at a row in another filter table.  In this way, a set of
   ordered filters making up the compound filter is created.  Note that
   it is possible for one of these rows in the spdSubfiltersTable to
   point at a row in the spdCompoundFilterTable.  This recursion allows
   the creation of a filter set that include other filter sets within
   it.  There is no inherit MIB limit to the nesting of compound filters
   within compound filters.

4.1  Usage Tutorial

   In order to make use of the tables contained in this document, a
   general understanding of firewall processing is necessary.  The
   processing of the security policy database involves applying a set of
   firewall rules to an interface on a device.  The given set of rules
   to apply to any given interface is defined within the
   ipspEndpointToGroupTable table.  This table maps a given interface to
   a group of rules.  In this table, the interface itself is specified
   using its assigned address.  There is also one group of rules per
   direction (ingress and egress).

4.1.1  Notational conventions

   Notes about the following example operations:

   1.  All of the example operations in the following section make use



Baer, et al.            Expires August 21, 2005                 [Page 5]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       of default values for all columns not listed.  The operations and
       column values below are the minimal SNMP Varbinds that must be
       sent.

   2.  The example operations are formatted such that a row (i.e.  the
       table's Entry object) is operated on by using the indexes to that
       row and the column values for the that row.

   3.  The following is a generic example of the notation used in the
       following section's examples of this MIB's usage:

       rowEntry(index1     = value1,
                index2     = value2)
             = (column1        = column_value1,
                column2        = column_value2)

   4.  The following is a specific example of the notation used in the
       following section's examples of this MIB's usage.  In order to
       set the address status column to deprecated for a row in the
       IP-MIB::ipAddressTable with the index values of ipAddressAddrType
       = ipv4 and ipAddressAddr = 192.0.2.1.  The example notation would
       look like the following:

       ipAddressEntry(ipAddressAddrType = 1,           -- ipv4
                      ipAddressAddr     = 0x0a000001 ) -- 192.0.2.1
                   = (ipAddressStatus   = 2)           -- deprecated


4.1.2  Implementing an example SPD policy

   For our example, let us define and apply the following policy for all
   ingress traffic on a network interface:

   o  Drop all packets from the host 10.6.6.6.

   o  Accept all other packets.

   To do this, let us call the set of rules (as a group) "ingress" and
   apply them to the ingress traffic for the interface associated with
   the IPv4 address 10.0.0.1.  For these rules, let us apply a policy
   that accepts all traffic except for packets that arrive from a host
   with an IPv4 address of "10.6.6.6".  To achieve this policy, we would
   follow these steps:

   First, we need to create the rules to institute this policy.  To
   accomplish this, first we have to create the filter for the host.  We
   could do this using the following row insertion into the
   spdIpHeaderFilterTable table:



Baer, et al.            Expires August 21, 2005                 [Page 6]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   SpdIpHeaderFilterEntry(spdIpHeadFiltName = "10.6.6.6")
         = (spdIpHeadFiltType            = 0x80,        -- sourceAddress
            spdIpHeadFiltIPVersion       = 1,           -- IPv4
            spdIpHeadFiltSrcAddressBegin = 0x0a060606,
            spdIpHeadFiltSrcAddressEnd   = 0x0a060606,
            spdIpHeadFiltRowStatus       = 4)           -- createAndGo

   Next, we need to bind this filter to an action of "drop" in a new
   rule.  We can do this as follows:

   spdRuleDefinitionEntry(spdRuleDefName = "drop from 10.6.6.6")
         = (spdRuleDefFilter             =
                   spdIpHeadFiltType.8.49.48.46.54.46.54.46.54,
            spdRuleDefAction             = spdDropAction.0,
            spdRuleDefRowStatus          = 4)           -- createAndGo

   We also need a rule to accept all other packets:

   spdRuleDefinitionEntry(spdRuleDefName = "accept all")
         = (spdRuleDefFilter             = spdTrueFilter.0,
            spdRuleDefAction             = spdAcceptAction.0,
            spdRuleDefRowStatus          = 4)           -- createAndGo

   Now, we need to put these two rules into a group.  We will put the
   "accept all" rule at the very end (i.e.  assign it the highest
   priority number), so it is matched last.  Then, at an earlier
   priority (1000), we will insert the "drop from 10.6.6.6" rule.  We
   will do this by putting the rules into the group "ingress".

   SpdGroupContentsEntry(spdGroupContName     = "ingress",
                         spdGroupContPriority = 65535)
        = (spdGroupContComponentName          = "accept all",
           spdGroupContRowStatus              = 4)      -- createAndGo

   SpdGroupContentsEntry(spdGroupContName     = "ingress",
                         spdGroupContPriority = 1000)
        = (spdGroupContComponentName          = "drop from 10.6.6.6",
           spdGroupContRowStatus              = 4)      -- createAndGo

   Finally, we apply this group of rules to our interface:

   SpdEndpointToGroupEntry(spdEndGroupDirection = 1,    -- ingress
                           spdEndGroupIdentType = 4,    -- IPv4
                           spdEndGroupAddress   = 0x0a000001)

        = (spdEndGroupName = "ingress",
           spdEndGroupRowStatus = 4)                    -- createAndGo




Baer, et al.            Expires August 21, 2005                 [Page 7]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   This completes the necessary steps to implement the policy.  Once all
   of these rules have been applied, our policy should take effect.

5.  MIB definition


   IPSEC-SPD-MIB DEFINITIONS ::= BEGIN


   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
       mib-2                        FROM SNMPv2-SMI
                                           --rfc2578

       TEXTUAL-CONVENTION, RowStatus, TruthValue,
       TimeStamp, StorageType, VariablePointer, DateAndTime
                                           FROM SNMPv2-TC
                                           --rfc2579

       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                                           FROM SNMPv2-CONF
                                           --rfc2580

       SnmpAdminString                     FROM SNMP-FRAMEWORK-MIB
                                           --rfc3411

       InetAddressType, InetAddress
                                           FROM INET-ADDRESS-MIB
                                           --rfc3291

       diffServMIBMultiFieldClfrGroup, IfDirection,
       diffServMultiFieldClfrNextFree
                                           FROM DIFFSERV-MIB
                                           --rfc3289

       ;

   --
   -- module identity
   --

   spdMIB MODULE-IDENTITY
       LAST-UPDATED "200502170000Z"            -- 17 January 2005
       ORGANIZATION "IETF IP Security Policy Working Group"
       CONTACT-INFO "Michael Baer
                     Sparta, Inc.
                     Phone: +1 530 902 3131
                     Email: baerm@tislabs.com



Baer, et al.            Expires August 21, 2005                 [Page 8]


Internet-Draft        IPsec SPD configuration MIB          February 2005


                     Ricky Charlet
                     Email: rcharlet@alumni.calpoly.edu

                     Wes Hardaker
                     Sparta, Inc.
                     P.O. Box 382
                     Davis, CA  95617
                     Phone: +1 530 792 1913
                     Email: hardaker@tislabs.com

                     Robert Story
                     Revelstone Software
                     PO Box 1812
                     Tucker, GA 30085
                     Phone: +1 770 617 3722
                     Email: ipsp-mib@revelstone.com

                     Cliff Wang
                     SmartPipes Inc.
                     Suite 300, 565 Metro Place South
                     Dublin, OH 43017
                     Phone: +1 614 923 6241
                     E-Mail: cliffwang2000@yahoo.com"
       DESCRIPTION
        "This MIB module defines configuration objects for managing
         IPsec Security Policies.

         Copyright (C) The Internet Society (2005). This version of
         this MIB module is part of RFC ZZZZ, see the RFC itself for
         full legal notices."

   -- Revision History

       REVISION     "200502170000Z"            -- 17 January 2005
       DESCRIPTION  "Initial version, published as RFC ZZZZ."
       -- RFC-editor assigns ZZZZ

   -- xxx: To be assigned by IANA
       ::= { mib-2 xxx }

   --
   -- groups of related objects
   --

   spdConfigObjects         OBJECT IDENTIFIER
        ::= { spdMIB 1 }
   spdNotificationObjects   OBJECT IDENTIFIER
        ::= { spdMIB 2 }



Baer, et al.            Expires August 21, 2005                 [Page 9]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   spdConformanceObjects    OBJECT IDENTIFIER
        ::= { spdMIB 3 }
   spdActions                OBJECT IDENTIFIER
        ::= { spdMIB 4 }

   --
   -- Textual Conventions
   --

   SpdBooleanOperator ::= TEXTUAL-CONVENTION
       STATUS   current
       DESCRIPTION
           "The SpdBooleanOperator operator is used to specify
            whether sub-components in a decision making process are
            ANDed or ORed together to decide if the resulting
            expression is true or false."
       SYNTAX      INTEGER { or(1), and(2) }

   SpdAdminStatus ::= TEXTUAL-CONVENTION
       STATUS   current
       DESCRIPTION
           "The SpdAdminStatus is used to specify the administrative
            status of an object. Objects which are disabled must not
            be used by the packet processing engine."
       SYNTAX      INTEGER { enabled(1), disabled(2) }

   SpdIPPacketLogging ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS   current
       DESCRIPTION
           "SpdIPPacketLogging specifies whether or not an audit
            message should be logged when a packet is passed through a
            Security Association (SA) and if some of that packet should
            be included in the log event.  A value of '-1' indicates no
            logging.  A value of '0' or greater indicates that logging
            should be done and how many bytes of the beginning of the
            packet to place in the log. Values greater than the size of
            the packet being processed indicate that the entire packet
            should be sent.

            Examples:
            '-1' no logging
            '0'  log but do not include any of the packet in the log
            '20' log and include the first 20 bytes of the packet
                 in the log."

       SYNTAX      Integer32 (-1..65535)




Baer, et al.            Expires August 21, 2005                [Page 10]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   --
   -- Policy group definitions
   --

   spdLocalConfigObjects OBJECT IDENTIFIER
        ::= { spdConfigObjects 1 }

   spdIngressPolicyGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the policy group containing the
            global system policy that is to be applied on ingress
            packets (I.E., arriving at a interface) when a given
            endpoint does not contain a policy definition in the
            spdEndpointToGroupTable.  Its value can be used as an index
            into the spdGroupContentsTable to retrieve a list of
            policies.  A zero length string indicates no system wide
            policy exits and the default policy of 'drop' should be
            executed for ingress packets until one is imposed by either
            this object or by the endpoint processing a given packet."
       ::= { spdLocalConfigObjects 1 }

   spdEgressPolicyGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the policy group containing the
            global system policy that is to be applied on egress
            packets (I.E., leaving an interface) when a given endpoint
            does not contain a policy definition in the
            spdEndpointToGroupTable.  Its value can be used as an index
            into the spdGroupContentsTable to retrieve a list of
            policies.  A zero length string indicates no system wide
            policy exits and the default policy of 'drop' should be
            executed for egress packets until one is imposed by either
            this object or by the endpoint processing a given packet."
       ::= { spdLocalConfigObjects 2 }


   spdEndpointToGroupTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdEndpointToGroupEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to map policy (groupings) onto an



Baer, et al.            Expires August 21, 2005                [Page 11]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            endpoint where traffic is to pass by.  Any policy group
            assigned to an endpoint is then used to control access
            to the traffic passing by it.

            If an endpoint has been configured with a policy group
            and no contained rule matches the ingress packet, the
            default action in this case shall be to drop the packet.

            If no policy group has been assigned to an endpoint,
            then the policy group specified by
            spdSystemPolicyGroupName should be used for the
            endpoint."
       ::= { spdConfigObjects 2 }

   spdEndpointToGroupEntry OBJECT-TYPE
       SYNTAX      SpdEndpointToGroupEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A mapping assigning a policy group to an endpoint."
       INDEX { spdEndGroupDirection, spdEndGroupIdentType,
              spdEndGroupAddress }
       ::= { spdEndpointToGroupTable 1 }

   SpdEndpointToGroupEntry ::= SEQUENCE {
       spdEndGroupDirection                      IfDirection,
       spdEndGroupIdentType                      InetAddressType,
       spdEndGroupAddress                        InetAddress,
       spdEndGroupName                           SnmpAdminString,
       spdEndGroupLastChanged                    TimeStamp,
       spdEndGroupStorageType                    StorageType,
       spdEndGroupRowStatus                      RowStatus
   }

   spdEndGroupDirection OBJECT-TYPE
       SYNTAX      IfDirection
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object indicates which direction of packets crossing
            the interface should be associated with which
            spdEndGroupName object.  Ingress packets, or packets into
            the device match when this value is inbound(1).  Egress
            packets or packets out of the device match when this value
            is outbound(2)."
       ::= { spdEndpointToGroupEntry 1 }

   spdEndGroupIdentType OBJECT-TYPE



Baer, et al.            Expires August 21, 2005                [Page 12]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Internet Protocol version of the address associated
            with a given endpoint.  All addresses are represented as an
            array of octets in network byte order.  When combined with
            the spdEndGroupAddress these objects can be used to
            uniquely identify an endpoint that a set of policy groups
            should be applied to.  Devices supporting IPv4 MUST support
            the ipv4 value, and devices supporting IPv6 MUST support
            the ipv6 value.

            Values of unknown, ipv4z, ipv6z and dns are not legal
            values for this object."
       ::= { spdEndpointToGroupEntry 2 }

   spdEndGroupAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of a given endpoint, the format of which is
            specified by the spdEndGroupIdentType object.

            Note: Since spdEndGroupIdentType currently only allows IPv4
            and IPv6 address this value should be either 4 or 16 octets
            long.  But Implementors should be aware that if the size of
            spdEndGroupAddress ever exceeds 115 octets, column instance
            OIDs in this table will have more than 128 sub-identifiers
            and will be unaccessible using SNMPv1, SNMPv2c, or SNMPv3."
       ::= { spdEndpointToGroupEntry 3 }


   spdEndGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The policy group name to apply to this endpoint.  The
            value of the spdEndGroupName object should then be used
            as an index into the spdGroupContentsTable to come up
            with a list of rules that MUST be applied to this
            endpoint."
       ::= { spdEndpointToGroupEntry 4 }

   spdEndGroupLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp



Baer, et al.            Expires August 21, 2005                [Page 13]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdEndpointToGroupEntry 5 }

   spdEndGroupStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdEndpointToGroupEntry 6 }

   spdEndGroupRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object is considered 'notReady' and may not be set to
            active until one or more active rows exist within the
            spdGroupContentsTable for the group referenced by the
            spdEndGroupName object."
       ::= { spdEndpointToGroupEntry 7 }

   --
   -- policy group definition table
   --

   spdGroupContentsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdGroupContentsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of rules and/or subgroups



Baer, et al.            Expires August 21, 2005                [Page 14]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            contained within a given policy group.  The entries are
            sorted by the spdGroupContPriority object and MUST be
            executed in order according to this value, starting with
            the lowest value.  Once a group item has been processed,
            the processor MUST stop processing this packet if an action
            was executed as a result of the processing of a given
            group.  Iterating into the next policy group item by
            finding the next largest spdGroupContPriority object shall
            only be done if no actions were run when processing the
            last item for a given packet."
       ::= { spdConfigObjects 3 }

   spdGroupContentsEntry OBJECT-TYPE
       SYNTAX      SpdGroupContentsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines a given sub-component within a policy group.  A
            sub-component is either a rule or another group as
            indicated by spdGroupContCompontentType and referenced by
            spdGroupContCompontentName."
       INDEX   { spdGroupContName, spdGroupContPriority }
       ::= { spdGroupContentsTable 1 }

   SpdGroupContentsEntry ::= SEQUENCE {
       spdGroupContName                        SnmpAdminString,
       spdGroupContPriority                    Integer32,
       spdGroupContFilter                      VariablePointer,
       spdGroupContComponentType               INTEGER,
       spdGroupContComponentName               SnmpAdminString,
       spdGroupContLastChanged                 TimeStamp,
       spdGroupContStorageType                 StorageType,
       spdGroupContRowStatus                   RowStatus
   }

   spdGroupContName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name of this group."
       ::= { spdGroupContentsEntry 1 }

   spdGroupContPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION



Baer, et al.            Expires August 21, 2005                [Page 15]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           "The priority (sequence number) of the sub-component in
            this group."
       ::= { spdGroupContentsEntry 2 }

   spdGroupContFilter OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdGroupContFilter points to a filter which is evaluated
            to determine whether the spdGroupContComponentName within
            this row should be exercised.  Managers can use this object
            to classify groups of rules or subgroups together in order
            to achieve a greater degree of control and optimization
            over the execution order of the items within the group.  If
            the filter evaluates to false, the rule or subgroup will be
            skipped and the next rule or subgroup will be evaluated
            instead.

            An example usage of this object would be to limit a
            group of rules to executing only when the IP packet
            being process is designated to be processed by IKE.
            This effectively creates a group of IKE specific rules.

            This MIB defines the following tables and scalars which
            may be pointed to by this column.  Implementations may
            choose to provide support for other filter tables or
            scalars as well:

                   diffServMultiFieldClfrTable
                   spdIpOffsetFilterTable
                   spdTimeFilterTable
                   spdCompoundFilterTable
                   spdTrueFilter

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table, the inconsistentName exception should be
            returned.  If the table or scalar pointed to by the
            VariablePointer is not supported at all, then an
            inconsistentValue exception should be returned."
       DEFVAL { spdTrueFilterInstance }
       ::= { spdGroupContentsEntry 3 }

   spdGroupContComponentType OBJECT-TYPE
       SYNTAX      INTEGER { group(1), rule(2) }
       MAX-ACCESS  read-create
       STATUS      current



Baer, et al.            Expires August 21, 2005                [Page 16]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       DESCRIPTION
           "Indicates whether the spdGroupContComponentName object
            is the name of another group defined within the
            spdGroupContentsTable or is the name of a rule defined
            within the spdRuleDefinitionTable."
       DEFVAL { rule }
       ::= { spdGroupContentsEntry 4 }

   spdGroupContComponentName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name of the policy rule or subgroup contained within
            this group, as indicated by the spdGroupContComponentType
            object."
       ::= { spdGroupContentsEntry 5 }

   spdGroupContLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdGroupContentsEntry 6 }

   spdGroupContStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdGroupContentsEntry 7 }

   spdGroupContRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.



Baer, et al.            Expires August 21, 2005                [Page 17]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object may not be set to active until the row to
            which the spdGroupContComponentName points to exists."
       ::= { spdGroupContentsEntry 8 }


   --
   -- policy definition table
   --

   spdRuleDefinitionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdRuleDefinitionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table defines a policy rule by associating a filter
            or a set of filters to an action to be executed."
       ::= { spdConfigObjects 4 }

   spdRuleDefinitionEntry OBJECT-TYPE
       SYNTAX      SpdRuleDefinitionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row defining a particular policy definition.  A rule
            definition binds a filter pointer to an action pointer."
       INDEX   { spdRuleDefName }
       ::= { spdRuleDefinitionTable 1 }

   SpdRuleDefinitionEntry ::= SEQUENCE {
       spdRuleDefName                          SnmpAdminString,
       spdRuleDefDescription                   SnmpAdminString,
       spdRuleDefFilter                        VariablePointer,
       spdRuleDefFilterNegated                 TruthValue,
       spdRuleDefAction                        VariablePointer,
       spdRuleDefAdminStatus                   SpdAdminStatus,
       spdRuleDefLastChanged                   TimeStamp,
       spdRuleDefStorageType                   StorageType,
       spdRuleDefRowStatus                     RowStatus
   }

   spdRuleDefName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION



Baer, et al.            Expires August 21, 2005                [Page 18]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           "spdRuleDefName is the administratively assigned name of
            the rule referred to by the spdGroupContComponentName
            object."
       ::= { spdRuleDefinitionEntry 1 }

   spdRuleDefDescription OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user defined string.  This field may be used for
            administrative tracking purposes."
       DEFVAL { "" }
       ::= { spdRuleDefinitionEntry 2 }

   spdRuleDefFilter OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdRuleDefFilter points to a filter which is used to
            evaluate whether the action associated with this row should
            be fired or not.  The action will only fire if the filter
            referenced by this object evaluates to TRUE after first
            applying any negation required by the
            spdRuleDefFilterNegated object.

            This MIB defines the following tables and scalars which
            may be pointed to by this column.  Implementations may
            choose to provide support for other filter tables or
            scalars as well:

                   diffServMultiFieldClfrTable
                   spdIpOffsetFilterTable
                   spdTimeFilterTable
                   spdCompoundFilterTable
                   spdTrueFilter

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table, the inconsistentName exception should be returned.
            If the table or scalar pointed to by the VariablePointer is
            not supported at all, then an inconsistentValue exception
            should be returned."
       ::= { spdRuleDefinitionEntry 3 }

   spdRuleDefFilterNegated OBJECT-TYPE
       SYNTAX      TruthValue



Baer, et al.            Expires August 21, 2005                [Page 19]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdRuleDefFilterNegated specifies whether the filter
            referenced by the spdRuleDefFilter object should be
            negated or not."
       DEFVAL { false }
       ::= { spdRuleDefinitionEntry 4 }

   spdRuleDefAction OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This column points to the action to be taken.  It may,
            but is not limited to, point to a row in one of the
            following tables:

               spdCompoundActionTable
               ipsaSaPreconfiguredActionTable
               ipiaIkeActionTable
               ipiaIpsecActionTable

            It may also point to one of the scalar objects beneath
            spdStaticActions.

            If this object is set to a pointer to a row in an
            unsupported (or unknown) table, an inconsistentValue
            error should be returned.

            If this object is set to point to a non-existent row in
            an otherwise supported table, an inconsistentName error
            should be returned."
       ::= { spdRuleDefinitionEntry 5 }

   spdRuleDefAdminStatus OBJECT-TYPE
       SYNTAX      SpdAdminStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the current rule definition should be
            considered active.  If enabled, it should be evaluated
            when processing packets.  If disabled, packets should
            continue to be processed by the rest of the rules
            defined in the spdGroupContentsTable as if this rule's
            filters had effectively failed."
       DEFVAL { enabled }
       ::= { spdRuleDefinitionEntry 6 }



Baer, et al.            Expires August 21, 2005                [Page 20]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   spdRuleDefLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdRuleDefinitionEntry 7 }

   spdRuleDefStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdRuleDefinitionEntry 8 }

   spdRuleDefRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object may not be set to active until the
            containing contitions, filters and actions have been
            defined.  Once active, it must remain active until no
            policyGroupContents entries are referencing it."
       ::= { spdRuleDefinitionEntry 9 }

   --
   -- Policy compound filter definition table
   --

   spdCompoundFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdCompoundFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current



Baer, et al.            Expires August 21, 2005                [Page 21]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       DESCRIPTION
           "A table defining a compound set of filters and their
            associated parameters.  A row in this table can either
            be pointed to by a spdRuleDefFilter object or by a
            ficSubFilter object."
       ::= { spdConfigObjects 5 }

   spdCompoundFilterEntry OBJECT-TYPE
       SYNTAX      SpdCompoundFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in the spdCompoundFilterTable.  A filter
            defined by this table is considered to have a TRUE
            return value if and only if:

              spdCompFiltLogicType is AND and all of the sub-filters
              associated with it, as defined in the spdSubfiltersTable,
              are all true themselves (after applying any required
              negation as defined by the ficFilterIsNegated object).

              spdCompFiltLogicType is OR and at least one of the
              sub-filters associated with it, as defined in the
              spdSubfiltersTable, is true itself (after applying any
              required negation as defined by the ficFilterIsNegated
              object."
       INDEX       { spdCompFiltName }
       ::= { spdCompoundFilterTable 1 }

   SpdCompoundFilterEntry ::= SEQUENCE {
       spdCompFiltName                          SnmpAdminString,
       spdCompFiltDescription                   SnmpAdminString,
       spdCompFiltLogicType                     SpdBooleanOperator,
       spdCompFiltLastChanged                   TimeStamp,
       spdCompFiltStorageType                   StorageType,
       spdCompFiltRowStatus                     RowStatus
   }

   spdCompFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A user definable string.  You may use this field for
            your administrative tracking purposes."
       ::= { spdCompoundFilterEntry 1 }

   spdCompFiltDescription OBJECT-TYPE



Baer, et al.            Expires August 21, 2005                [Page 22]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user definable string.  You may use this field for
            your administrative tracking purposes."
       DEFVAL { "" }
       ::= { spdCompoundFilterEntry 2 }


   spdCompFiltLogicType OBJECT-TYPE
       SYNTAX      SpdBooleanOperator
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the filters contained within this
            filter are functionally ANDed or ORed together."
       DEFVAL { and }
       ::= { spdCompoundFilterEntry 3 }

   spdCompFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdCompoundFilterEntry 4 }

   spdCompFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdCompoundFilterEntry 5 }

   spdCompFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current



Baer, et al.            Expires August 21, 2005                [Page 23]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            Once active, it may not have its value changed if any
            active rows in the spdRuleDefinitionTable are currently
            pointing at this row."
       ::= { spdCompoundFilterEntry 6 }

   --
   -- Policy filters in a cf table
   --

   spdSubfiltersTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdSubfiltersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table defines a list of filters contained within a
            given compound filter set defined in the
            spdCompoundFilterTable."
       ::= { spdConfigObjects 6 }

   spdSubfiltersEntry OBJECT-TYPE
       SYNTAX      SpdSubfiltersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry into the list of filters for a given compound
            filter."
       INDEX       {  spdCompFiltName, spdSubFiltPriority }
       ::= { spdSubfiltersTable 1 }

   SpdSubfiltersEntry ::= SEQUENCE {
       spdSubFiltPriority                      Integer32,
       spdSubFiltSubfilter                     VariablePointer,
       spdSubFiltSubfilterIsNegated            TruthValue,
       spdSubFiltLastChanged                   TimeStamp,
       spdSubFiltStorageType                   StorageType,
       spdSubFiltRowStatus                     RowStatus
   }

   spdSubFiltPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current



Baer, et al.            Expires August 21, 2005                [Page 24]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       DESCRIPTION
           "The priority of a given filter within a condition.
            Implementations MAY choose to follow the ordering
            indicated by the manager that created the rows in order
            to allow the manager to intelligently construct filter
            lists such that faster filters are evaluated first."
       ::= { spdSubfiltersEntry 1 }

   spdSubFiltSubfilter OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The location of the contained filter.  The value of this
            column should be a VariablePointer which references the
            properties for the filter to be included in this compound
            filter.

            This MIB defines the following tables and scalars which
            may be pointed to by this column.  Implementations may
            choose to provide support for other filter tables or
            scalars as well:

                   diffServMultiFieldClfrTable
                   spdIpsoHeaderFilterTable
                   spdIpOffsetFilterTable
                   spdTimeFilterTable
                   spdCompoundFilterTable
                   spdTrueFilter

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table, the inconsistentName exception should be
            returned.  If the table or scalar pointed to by the
            VariablePointer is not supported at all, then an
            inconsistentValue exception should be returned."
       ::= { spdSubfiltersEntry 2 }

   spdSubFiltSubfilterIsNegated OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the result of applying this subfilter
            should be negated or not."
       DEFVAL { false }
       ::= { spdSubfiltersEntry 3 }




Baer, et al.            Expires August 21, 2005                [Page 25]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   spdSubFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdSubfiltersEntry 4 }

   spdSubFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdSubfiltersEntry 5 }

   spdSubFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object can not be made active until the filter
            referenced by the ficSubFilter object is both defined
            and is active.  An attempt to do so will result in an
            inconsistentValue error.

            If active, this object must remain active unless one of the
            following two conditions are met.  An attempt to set it to
            anything other than active while the following conditions
            are not met will result in an inconsistentValue error.  The
            two conditions are:

            I.  No active row in the SpdCompoundFilterTable exists
                which has a matching spdCompFiltName.
            II. Or at least one other active row in this table has a



Baer, et al.            Expires August 21, 2005                [Page 26]


Internet-Draft        IPsec SPD configuration MIB          February 2005


                matching spdCompFiltName."
       ::= { spdSubfiltersEntry 6 }

   --
   -- Static Filters
   --

   spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }

   spdTrueFilter OBJECT-TYPE
           SYNTAX      Integer32
           MAX-ACCESS  read-only
           STATUS      current
           DESCRIPTION
               "This scalar indicates a (automatic) true result for
                a filter.  I.e. this is a filter that is always
                true, useful for adding as a default filter for a
                default action or a set of actions."
           ::= { spdStaticFilters 1 }


   spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }


   --
   -- Policy IP Offset filter definition table
   --

   spdIpOffsetFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdIpOffsetFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of filter definitions to be
            used within the spdRuleDefinitionTable or the
            spdSubfiltersTable."
       ::= { spdConfigObjects 8 }

   spdIpOffsetFilterEntry OBJECT-TYPE
       SYNTAX      SpdIpOffsetFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A definition of a particular filter."
       INDEX       {  spdIpOffFiltName }
       ::= { spdIpOffsetFilterTable 1 }

   SpdIpOffsetFilterEntry ::= SEQUENCE {



Baer, et al.            Expires August 21, 2005                [Page 27]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       spdIpOffFiltName                         SnmpAdminString,
       spdIpOffFiltOffset                       Integer32,
       spdIpOffFiltType                         INTEGER,
       spdIpOffFiltValue                        OCTET STRING,
       spdIpOffFiltLastChanged                  TimeStamp,
       spdIpOffFiltStorageType                  StorageType,
       spdIpOffFiltRowStatus                    RowStatus
   }

   spdIpOffFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name for this filter."
       ::= { spdIpOffsetFilterEntry 1 }

   spdIpOffFiltOffset OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This is the byte offset from the front of the IP packet
            where the value or arithmetic comparison is done.  A
            value of '0' indicates the first byte in the packet."
       ::= { spdIpOffsetFilterEntry 2 }

   spdIpOffFiltType OBJECT-TYPE
       SYNTAX INTEGER { equal(1),
                        notEqual(2),
                        arithmeticLess(3),
                        arithmeticGreaterOrEqual(4),
                        arithmeticGreater(5),
                        arithmeticLessOrEqual(6) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This defines the various tests that are used when
            evaluating a given filter.

            Once a row is 'active', this object's value may not be
            changed unless the column, spdIpOffFiltValue, has been
            appropriately configured.

            The various tests definable in this table are as follows:

            equal:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches



Baer, et al.            Expires August 21, 2005                [Page 28]


Internet-Draft        IPsec SPD configuration MIB          February 2005


                a value in the packet starting at the given offset in
                the packet and comparing the entire OCTET STRING of
                'spdIpOffFiltValue'.  Any numeric values compared this
                way are assumed to be unsigned integer values in
                network byte order of the same length as
                'spdIpOffFiltValue'.

            notEqual:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
                not match a value in the packet starting at the given
                offset in the packet and comparing to the entire OCTET
                STRING of 'spdIpOffFiltValue'.  Any numeric values
                compared this way are assumed to be unsigned integer
                values in network byte order of the same length as
                'spdIpOffFiltValue'.

            arithmeticLess:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically less than ('<') the value starting at
                the given offset within the packet.  The value in the
                packet is assumed to be an unsigned integer in network
                byte order of the same length as 'spdIpOffFiltValue'.

            arithmeticGreaterOrEqual:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically greater than or equal to ('>=') the
                value starting at the given offset within the packet.
                The value in the packet is assumed to be an unsigned
                integer in network byte order of the same length as
                'spdIpOffFiltValue'.

            arithmeticGreater:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically greater than ('>') the value starting at
                the given offset within the packet.  The value in the
                packet is assumed to be an unsigned integer in network
                byte order of the same length as 'spdIpOffFiltValue'.

            arithmeticLessOrEqual:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically less than or equal to ('<=') the value
                starting at the given offset within the packet.  The
                value in the packet is assumed to be an unsigned
                integer in network byte order of the same length as
                'spdIpOffFiltValue'."

       ::= { spdIpOffsetFilterEntry 3 }




Baer, et al.            Expires August 21, 2005                [Page 29]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   spdIpOffFiltValue OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..1024))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdIpOffFiltValue is used for match comparisons of a
            packet at spdIpOffFiltOffset.  This object is only used
            if one of the match types is chosen in
            spdIpOffFiltType."
       ::= { spdIpOffsetFilterEntry 4 }

   spdIpOffFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdIpOffsetFilterEntry 5 }


   spdIpOffFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdIpOffsetFilterEntry 6 }

   spdIpOffFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            This object may not be set to active if the requirements
            of the spdIpOffFiltType object are not met.  In other
            words, if the associated value columns needed by a
            particular test have not been set, then attempting to
            change this row to an active state will result in an



Baer, et al.            Expires August 21, 2005                [Page 30]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            inconsistentValue error.  See the spdIpOffFiltType
            object description for further details.

            If active, this object must remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table will result in
            an inconsistentValue error."
       ::= { spdIpOffsetFilterEntry 7 }


   --
   -- Time/scheduling filter table
   --

   spdTimeFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdTimeFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines a table of filters which can be used to
            effectively enable or disable policies based on a valid
            time range."
       ::= { spdConfigObjects 9 }

   spdTimeFilterEntry OBJECT-TYPE
       SYNTAX      SpdTimeFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row describing a given time frame for which a policy
            may be filtered on to place the rule active or
            inactive."
       INDEX   { spdTimeFiltName }
       ::= { spdTimeFilterTable 1 }

   SpdTimeFilterEntry ::= SEQUENCE {
       spdTimeFiltName                 SnmpAdminString,
       spdTimeFiltPeriodStart          DateAndTime,
       spdTimeFiltPeriodEnd            DateAndTime,
       spdTimeFiltMonthOfYearMask      BITS,
       spdTimeFiltDayOfMonthMask       OCTET STRING,
       spdTimeFiltDayOfWeekMask        BITS,
       spdTimeFiltStartTimeOfDayMask   DateAndTime,
       spdTimeFiltStopTimeOfDayMask    DateAndTime,
       spdTimeFiltLastChanged          TimeStamp,
       spdTimeFiltStorageType          StorageType,
       spdTimeFiltRowStatus            RowStatus



Baer, et al.            Expires August 21, 2005                [Page 31]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   }

   spdTimeFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An administratively assigned name for this filter."
       ::= { spdTimeFilterEntry 1 }


   spdTimeFiltPeriodStart OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The starting time period for this filter.  In addition
            to a normal DateAndTime string, this object may be set
            to the OCTET STRING value THISANDPRIOR which indicates
            that the filter is valid from any time before now up
            until (at least) now."
       DEFVAL { '00000101000000002b0000'H }
       ::= { spdTimeFilterEntry 2 }

   spdTimeFiltPeriodEnd OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The ending time period for this filter.  In addition to
            a normal DateAndTime string, this object may be set to
            the OCTET STRING value THISANDFUTURE which indicates
            that the filter is valid without an ending date and/or
            time."
       DEFVAL { '99991231235959092b0000'H }
       ::= { spdTimeFilterEntry 3 }


   spdTimeFiltMonthOfYearMask OBJECT-TYPE
       SYNTAX      BITS { january(0), february(1), march(2),
                          april(3), may(4), june(5), july(6),
                          august(7), september(8), october(9),
                          november(10), december(11) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A bit mask which overlays the spdTimeFiltPeriodStart to
            spdTimeFiltPeriodEnd date range to further restrict the



Baer, et al.            Expires August 21, 2005                [Page 32]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            time period to a restricted set of months of the year."
       DEFVAL { { january, february, march, april, may, june, july,
                  august, september, october, november, december } }
       ::= { spdTimeFilterEntry 4 }

   spdTimeFiltDayOfMonthMask OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(4))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Defines which days of the month this time period is
            valid for.  It is a sequence of 32 BITS, where each BIT
            represents a corresponding day of the month starting
            from the left most bit being equal to the first day of
            the month.  The last bit in the string MUST be zero."
       DEFVAL { 'fffffffe'H }
       ::= { spdTimeFilterEntry 5 }

   spdTimeFiltDayOfWeekMask OBJECT-TYPE
       SYNTAX      BITS { monday(0), tuesday(1), wednesday(2),
                          thursday(3), friday(4), saturday(5),
                          sunday(6) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A bit mask which overlays the spdTimeFiltPeriodStart to
            spdTimeFiltPeriodEnd date range to further restrict the
            time period to a restricted set of days within a given
            week."
       DEFVAL { { monday, tuesday, wednesday, thursday, friday,
                  saturday, sunday } }
       ::= { spdTimeFilterEntry 6 }

   spdTimeFiltStartTimeOfDayMask OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates the starting time of day for which this filter
            evaluates to true.  The date portions of the DateAndTime
            TC are ignored for purposes of evaluating this mask and
            only the time specific portions are used."
       DEFVAL { '00000000000000002b0000'H }
       ::= { spdTimeFilterEntry 7 }

   spdTimeFiltStopTimeOfDayMask OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create



Baer, et al.            Expires August 21, 2005                [Page 33]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       STATUS      current
       DESCRIPTION
           "Indicates the ending time of day for which this filter
            evaluates to true.  The date portions of the DateAndTime TC
            are ignored for purposes of evaluating this mask and only
            the time specific portions are used.  If this starting and
            ending time values indicated by the
            spdTimeFiltStartTimeOfDayMask and
            spdTimeFiltStopTimeOfDayMask objects are equal, the filter
            is expected to be evaluated over the entire 24 hour
            period."
       DEFVAL { '00000000000000002b0000'H }
       ::= { spdTimeFilterEntry 8 }

   spdTimeFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdTimeFilterEntry 9 }

   spdTimeFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdTimeFilterEntry 10 }

   spdTimeFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this
            row.

            If active, this object must remain active if it is
            referenced by an active row in another table.  An attempt



Baer, et al.            Expires August 21, 2005                [Page 34]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            to set it to anything other than active while it is
            referenced by an active row in another table will result in
            an inconsistentValue error."
       ::= { spdTimeFilterEntry 11 }

   --
   -- IPSO protection authority filtering
   --

   spdIpsoHeaderFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdIpsoHeaderFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of IPSO header filter
            definitions to be used within the spdRuleDefinitionTable or
            the spdSubfiltersTable.  IPSO headers and their values are
            described in RFC1108."
       ::= { spdConfigObjects 10 }

   spdIpsoHeaderFilterEntry OBJECT-TYPE
       SYNTAX      SpdIpsoHeaderFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A definition of a particular filter."
       INDEX       {  spdIpsoHeadFiltName }
       ::= { spdIpsoHeaderFilterTable 1 }

   SpdIpsoHeaderFilterEntry ::= SEQUENCE {
       spdIpsoHeadFiltName                     SnmpAdminString,
       spdIpsoHeadFiltType                     BITS,
       spdIpsoHeadFiltClassification           INTEGER,
       spdIpsoHeadFiltProtectionAuth           INTEGER,
       spdIpsoHeadFiltLastChanged              TimeStamp,
       spdIpsoHeadFiltStorageType              StorageType,
       spdIpsoHeadFiltRowStatus                RowStatus
   }

   spdIpsoHeadFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name for this filter."
       ::= { spdIpsoHeaderFilterEntry 1 }

   spdIpsoHeadFiltType OBJECT-TYPE



Baer, et al.            Expires August 21, 2005                [Page 35]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       SYNTAX      BITS { classificationLevel(0),
                          protectionAuthority(1) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IPSO header fields to match the value against."
       ::= { spdIpsoHeaderFilterEntry 2 }

   spdIpsoHeadFiltClassification OBJECT-TYPE
       SYNTAX      INTEGER { topSecret(61), secret(90),
                             confidential(150), unclassified(171) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IPSO classification header field value must match
            the value in this column if the classificationLevel bit
            is set in the spdIpsoHeadFiltType field.

            The values of these enumerations are defined by
            RFC1108."
       ::= { spdIpsoHeaderFilterEntry 3 }

   spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
       SYNTAX      INTEGER { genser(0), siopesi(1), sci(2),
                             nsa(3), doe(4) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IPSO protection authority header field value must
            match the value in this column if the protection authority
            bit is set in the spdIpsoHeadFiltType field.

            The values of these enumerations are defined by RFC1108.
            Hence the reason the SMIv2 convention of not using 0 in
            enum lists is violated here."
       ::= { spdIpsoHeaderFilterEntry 4 }

   spdIpsoHeadFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdIpsoHeaderFilterEntry 5 }

   spdIpsoHeadFiltStorageType OBJECT-TYPE



Baer, et al.            Expires August 21, 2005                [Page 36]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdIpsoHeaderFilterEntry 6 }

   spdIpsoHeadFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            This object may not be set to active if the requirements of
            the spdIpsoHeadFiltType object are not met.  In other
            words, if the associated value columns needed by a
            particular test have not been set, then attempting to
            change this row to an active state will result in an
            inconsistentValue error.  See the spdIpsoHeadFiltType
            object description for further details.

            If active, this object must remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table will result in
            an inconsistentValue error."
       ::= { spdIpsoHeaderFilterEntry 7 }

   --
   -- compound actions table
   --

   spdCompoundActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdCompoundActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Table used to allow multiple actions to be associated
            with a rule.  It uses the spdSubactionsTable to do
            this."
       ::= { spdConfigObjects 11 }



Baer, et al.            Expires August 21, 2005                [Page 37]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   spdCompoundActionEntry OBJECT-TYPE
       SYNTAX      SpdCompoundActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the spdCompoundActionTable."
       INDEX   { spdCompActName }
       ::= { spdCompoundActionTable 1 }

   SpdCompoundActionEntry ::= SEQUENCE {
       spdCompActName                      SnmpAdminString,
       spdCompActExecutionStrategy         INTEGER,
       spdCompActLastChanged               TimeStamp,
       spdCompActStorageType               StorageType,
       spdCompActRowStatus                 RowStatus
   }

   spdCompActName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is an administratively assigned name of this
            compound action."
       ::= { spdCompoundActionEntry 1 }

   spdCompActExecutionStrategy OBJECT-TYPE
       SYNTAX      INTEGER { doAll(1),
                             doUntilSuccess(2),
                             doUntilFailure(3) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates how the sub-actions are executed
            based on the success of the actions as they finish
            executing.

            doAll           - run each sub-action regardless of the
                              exit status of the previous action.
                              This parent action is always
                              considered to have acted successfully.

            doUntilSuccess  - run each sub-action until one succeeds,
                              at which point stop processing the
                              sub-actions within this parent
                              compound action.  If one of the
                              sub-actions did execute successfully,
                              this parent action is also considered



Baer, et al.            Expires August 21, 2005                [Page 38]


Internet-Draft        IPsec SPD configuration MIB          February 2005


                              to have executed sucessfully.

            doUntilFailure  - run each sub-action until one fails,
                              at which point stop processing the
                              sub-actions within this compound
                              action.  If any sub-action fails, the
                              result of this parent action is
                              considered to have failed."
       DEFVAL { doUntilSuccess }
       ::= { spdCompoundActionEntry 2 }

   spdCompActLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdCompoundActionEntry 3 }

   spdCompActStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdCompoundActionEntry 4 }

   spdCompActRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            Once a row in the spdCompoundActionTable has been made
            active, this object may not be set to destroy without
            first destroying all the contained rows listed in the



Baer, et al.            Expires August 21, 2005                [Page 39]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            spdSubactionsTable."
       ::= { spdCompoundActionEntry 5 }


   --
   -- actions contained within a compound action
   --

   spdSubactionsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdSubactionsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of the sub-actions within a
            given compound action.  Compound actions executing these
            actions MUST execute them in series based on the
            spdSubActPriority value, with the lowest value executing
            first."
       ::= { spdConfigObjects 12 }

   spdSubactionsEntry OBJECT-TYPE
       SYNTAX      SpdSubactionsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row containing a reference to a given compound-action
            sub-action."
       INDEX   { spdCompActName, spdSubActPriority }
       ::= { spdSubactionsTable 1 }

   SpdSubactionsEntry ::= SEQUENCE {
       spdSubActPriority                          Integer32,
       spdSubActSubActionName                     VariablePointer,
       spdSubActLastChanged                       TimeStamp,
       spdSubActStorageType                       StorageType,
       spdSubActRowStatus                         RowStatus
   }

   spdSubActPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority of a given sub-action within a compound
            action.  The order in which sub-actions should be
            executed are based on the value from this column, with
            the lowest numeric value executing first."
       ::= { spdSubactionsEntry 1 }



Baer, et al.            Expires August 21, 2005                [Page 40]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   spdSubActSubActionName OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This column points to the action to be taken.  It may,
            but is not limited to, point to a row in one of the
            following tables:

               spdCompoundActionTable          - Allowing recursion
               ipsaSaPreconfiguredActionTable
               ipiaIkeActionTable
               ipiaIpsecActionTable

            It may also point to one of the scalar objects beneath
            spdStaticActions.

            If this object is set to a pointer to a row in an
            unsupported (or unknown) table, an inconsistentValue
            error should be returned.

            If this object is set to point to a non-existent row in
            an otherwise supported table, an inconsistentName error
            should be returned."
       ::= { spdSubactionsEntry 2 }

   spdSubActLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdSubactionsEntry 3 }

   spdSubActStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }



Baer, et al.            Expires August 21, 2005                [Page 41]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       ::= { spdSubactionsEntry 4 }

   spdSubActRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active unless one of the
            following two conditions are met.  An attempt to set it to
            anything other than active while the following conditions
            are not met will result in an inconsistentValue error.  The
            two conditions are:

            I.  No active row in the spdCompoundActionTable exists
                which has a matching spdCompActName.

            II. Or at least one other active row in this table has a
                matching spdCompActName."
       ::= { spdSubactionsEntry 5 }

   --
   -- Static Actions
   --

   -- these are static actions which can be pointed to by the
   -- spdRuleDefAction or the spdSubActSubActionName objects to
   -- drop, accept or reject packets.

   spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }

   spdDropAction    OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be dropped
            WITHOUT action/packet logging.  This object returns a
            value of 1 for IPsec policy implementations that support
            the drop static action."
       ::= { spdStaticActions 1 }

   spdDropActionLog OBJECT-TYPE
       SYNTAX      Integer32



Baer, et al.            Expires August 21, 2005                [Page 42]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be dropped
            WITH action/packet logging.  This object returns a value
            of 1 for IPsec policy implementations that support the
            drop static action with logging."
       ::= { spdStaticActions 2 }

   spdAcceptAction OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This Scalar indicates that a packet should be accepted
            (pass-through) WITHOUT action/packet logging.  This
            object returns a value of 1 for IPsec policy
            implementations that support the accept static action."
       ::= { spdStaticActions 3 }

   spdAcceptActionLog OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be accepted
            (pass-through) WITH action/packet logging.  This object
            returns a value of 1 for IPsec policy implementations
            that support the accept static action with logging."
       ::= { spdStaticActions 4 }

   --
   --
   -- Notification objects information
   --
   --

   spdNotificationVariables OBJECT IDENTIFIER ::=
      { spdNotificationObjects 1 }

   spdNotifications OBJECT IDENTIFIER ::=
      { spdNotificationObjects 0 }

   spdActionExecuted OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION



Baer, et al.            Expires August 21, 2005                [Page 43]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           "Points to the action instance that was executed that
            resulted in the notification being sent."
       ::= { spdNotificationVariables 1 }

   spdIPEndpointAddType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the interface type for the interface that the
            packet which triggered the notification is passing
            through."
       ::= { spdNotificationVariables 2 }

   spdIPEndpointAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the interface address for the interface that
            the packet which triggered the notification is passing
            through."
       ::= { spdNotificationVariables 3 }

   spdIPSourceType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the source address type of the packet which
            triggered the notification."
       ::= { spdNotificationVariables 4 }

   spdIPSourceAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the source address of the packet which
            triggered the notification."
       ::= { spdNotificationVariables 5 }

   spdIPDestinationType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the destination address type of the packet



Baer, et al.            Expires August 21, 2005                [Page 44]


Internet-Draft        IPsec SPD configuration MIB          February 2005


            which triggered the notification."
       ::= { spdNotificationVariables 6 }

   spdIPDestinationAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the destination address of the packet which
            triggered the notification."
       ::= { spdNotificationVariables 7 }

   spdPacketDirection OBJECT-TYPE
       SYNTAX      IfDirection
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Indicates if the packet which triggered the action in
            questions was ingress (inbound) our egress (outbound)."
       ::= { spdNotificationVariables 8 }

   spdPacketPart OBJECT-TYPE
       SYNTAX      OCTET STRING
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Is the front part of the packet that triggered this
            notification.  The initial size limit is determined by the
            smaller of the size indicated by 'SpdIPPacketLogging' and
            the size of the triggering packet.

            The final limit is determined by the SNMP packet size when
            sending the notification.  The maximum size that can be
            included will be the smaller of the initial size given
            above and the length that will fit in a single SNMP
            notification packet after the rest of the notification's
            objects and any other necessary packet data (headers
            encoding, etc...) has been included in the packet."
       ::= { spdNotificationVariables 9 }

   spdActionNotification NOTIFICATION-TYPE
       OBJECTS { spdActionExecuted, spdIPEndpointAddType,
                 spdIPEndpointAddress,
                 spdIPSourceType, spdIPSourceAddress,
                 spdIPDestinationType,
                 spdIPDestinationAddress,
                 spdPacketDirection }
       STATUS  current



Baer, et al.            Expires August 21, 2005                [Page 45]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       DESCRIPTION
           "Notification that an action was executed by a rule.
            Only actions with logging enabled will result in this
            notification getting sent.  The objects sent must include
            the spdActionExecuted object which will indicate which
            action was executed within the scope of the rule.
            Additionally the spdIPSourceType, spdIPSourceAddress,
            spdIPDestinationType, and spdIPDestinationAddress objects
            must be included to indicate the packet source and
            destination of the packet that triggered the action.
            Finally the spdIPEndpointAddType, spdIPEndpointAddress,
            and spdPacketDirection objects are included to indicate
            which interface the action was executed in association with
            and if the packet was ingress or egress through the
            endpoint.

            Note that compound actions with multiple executed
            subactions may result in multiple notifications being sent
            from a single rule execution."
       ::= { spdNotifications 1 }

   spdPacketNotification NOTIFICATION-TYPE
       OBJECTS { spdActionExecuted, spdIPEndpointAddType,
                 spdIPEndpointAddress,
                 spdIPSourceType, spdIPSourceAddress,
                 spdIPDestinationType,
                 spdIPDestinationAddress,
                 spdPacketDirection,
                 spdPacketPart }
       STATUS  current
       DESCRIPTION
           "Notification that a packet passed through an SA.  Only
            SA's created by actions with packet logging enabled will
            result in this notification getting sent.  The objects
            sent must include the spdActionExecuted which will
            indicate which action was executed within the scope of
            the rule.  Additionally, the spdIPSourceType,
            spdIPSourceAddress, spdIPDestinationType, and
            spdIPDestinationAddress, objects must be included to
            indicate the packet source and destination of the packet
            that triggered the action.  The spdIPEndpointAddType,
            spdIPEndpointAddress, and spdPacketDirection objects
            are included to indicate which endpoint the packet was
            associated with.  Finally, spdPacketPart is including
            for sending a variable sized part of the front of the
            packet depending on the value of SpdIPPacketLogging."

       ::= { spdNotifications 2 }



Baer, et al.            Expires August 21, 2005                [Page 46]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   --
   --
   -- Conformance information
   --
   --

   spdCompliances OBJECT IDENTIFIER
       ::= { spdConformanceObjects 1 }
   spdGroups OBJECT IDENTIFIER
       ::= { spdConformanceObjects 2 }

   --
   -- Compliance statements
   --
   --
   spdRuleFilterCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include
            an IPsec MIB implementation with Endpoint, Rules, and
            filters support."
       MODULE -- This Module
           MANDATORY-GROUPS { spdEndpointGroup,
                              spdGroupContentsGroup,
                              spdRuleDefinitionGroup,
                              spdStaticFilterGroup,
                              spdStaticActionGroup ,
                              diffServMIBMultiFieldClfrGroup }

           GROUP spdIpsecSystemPolicyNameGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support a system policy group
                name."

           GROUP spdCompoundFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound filters."

           GROUP spdIPOffsetFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IP Offset filters.  In
                general, this SHOULD be supported by a compliant
                IPsec Policy implementation."

           GROUP spdTimeFilterGroup



Baer, et al.            Expires August 21, 2005                [Page 47]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support time filters."

           GROUP spdIpsoHeaderFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IPSO Header filters."

           GROUP  spdCompoundActionGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound actions."

           OBJECT      spdEndGroupLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdGroupContComponentType
           SYNTAX      INTEGER {
                   rule(2)
           }
           DESCRIPTION
               "Support of the value group(1) is only required for
                implementations which support Policy Groups within
                Policy Groups."

           OBJECT      spdGroupContLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdRuleDefLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdCompFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdSubFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."




Baer, et al.            Expires August 21, 2005                [Page 48]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           OBJECT      spdIpOffFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdTimeFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdIpsoHeadFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdCompActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdSubActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      diffServMultiFieldClfrNextFree
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is not required for compliance."

       ::= { spdCompliances 1 }


   spdLoggingCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that support
            sending notifications when actions are invoked."
       MODULE -- This Module
           MANDATORY-GROUPS { spdActionLoggingObjectGroup,
                              spdActionNotificationGroup }

       ::= { spdCompliances 2 }

   --
   -- ReadOnly Compliances
   --
   spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE



Baer, et al.            Expires August 21, 2005                [Page 49]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include
            an IPsec MIB implementation with Endpoint, Rules, and
            filters support.

            If this MIB is implemented without support for read-create
            (i.e. in read-only), it is not in full compliance but it
            can claim read-only compliance. Such a device can then be
            monitored but can not be configured with this MIB."
       MODULE -- This Module
           MANDATORY-GROUPS { spdEndpointGroup,
                              spdGroupContentsGroup,
                              spdRuleDefinitionGroup,
                              spdStaticFilterGroup,
                              spdStaticActionGroup ,
                              diffServMIBMultiFieldClfrGroup }

           GROUP spdIpsecSystemPolicyNameGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support a system policy group
                name."

           GROUP spdCompoundFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound filters."

           GROUP spdIPOffsetFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IP Offset filters.  In
                general, this SHOULD be supported by a compliant
                IPsec Policy implementation."

           GROUP spdTimeFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support time filters."

           GROUP spdIpsoHeaderFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IPSO Header filters."

           GROUP  spdCompoundActionGroup
           DESCRIPTION



Baer, et al.            Expires August 21, 2005                [Page 50]


Internet-Draft        IPsec SPD configuration MIB          February 2005


               "This group is mandatory for IPsec Policy
                implementations which support compound actions."

           OBJECT       spdAcceptAction
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdAcceptActionLog
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompActExecutionStrategy
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompActLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdCompActRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompActStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltDescription
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdCompFiltLogicType
           MIN-ACCESS   read-only
           DESCRIPTION



Baer, et al.            Expires August 21, 2005                [Page 51]


Internet-Draft        IPsec SPD configuration MIB          February 2005


              "Write access is not required."

           OBJECT       spdCompFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdDropAction
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdDropActionLog
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEgressPolicyGroupName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEndGroupLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdEndGroupName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEndGroupRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEndGroupStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."




Baer, et al.            Expires August 21, 2005                [Page 52]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           OBJECT       spdGroupContComponentName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContComponentType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContFilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdGroupContRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIngressPolicyGroupName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdIpOffFiltOffset
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltRowStatus



Baer, et al.            Expires August 21, 2005                [Page 53]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltValue
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltClassification
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdIpsoHeadFiltProtectionAuth
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltType
           MIN-ACCESS   read-only
           DESCRIPTION



Baer, et al.            Expires August 21, 2005                [Page 54]


Internet-Draft        IPsec SPD configuration MIB          February 2005


              "Write access is not required."

           OBJECT       spdRuleDefAction
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefAdminStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefDescription
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefFilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefFilterNegated
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdRuleDefRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubActLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."



Baer, et al.            Expires August 21, 2005                [Page 55]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           OBJECT       spdSubActRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubActStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubActSubActionName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdSubFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltSubfilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltSubfilterIsNegated
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltDayOfMonthMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltDayOfWeekMask
           MIN-ACCESS   read-only



Baer, et al.            Expires August 21, 2005                [Page 56]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltLastChanged
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required.  This object is not
               required for compliance."

           OBJECT       spdTimeFiltMonthOfYearMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltPeriodEnd
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltPeriodStart
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltStartTimeOfDayMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltStopTimeOfDayMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTrueFilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."



Baer, et al.            Expires August 21, 2005                [Page 57]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       ::= { spdCompliances 3 }


   --
   --
   -- Compliance Groups Definitions
   --

   --
   -- Endpoint, Rule, Filter Compliance Groups
   --

   spdEndpointGroup OBJECT-GROUP
       OBJECTS {
           spdEndGroupName, spdEndGroupLastChanged,
           spdEndGroupStorageType, spdEndGroupRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Endpoint Table."
       ::= { spdGroups 1 }

   spdGroupContentsGroup OBJECT-GROUP
       OBJECTS {
           spdGroupContComponentType, spdGroupContFilter,
           spdGroupContComponentName, spdGroupContLastChanged,
           spdGroupContStorageType, spdGroupContRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Group Contents Table."
       ::= { spdGroups 2 }

   spdIpsecSystemPolicyNameGroup OBJECT-GROUP
       OBJECTS {
           spdIngressPolicyGroupName,
           spdEgressPolicyGroupName
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects represent the System
           Policy Group Names."
       ::= { spdGroups 3}

   spdRuleDefinitionGroup OBJECT-GROUP
       OBJECTS {



Baer, et al.            Expires August 21, 2005                [Page 58]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           spdRuleDefDescription, spdRuleDefFilter,
           spdRuleDefFilterNegated, spdRuleDefAction,
           spdRuleDefAdminStatus, spdRuleDefLastChanged,
           spdRuleDefStorageType, spdRuleDefRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy Rule
           Definition Table."
       ::= { spdGroups 4 }

   spdCompoundFilterGroup OBJECT-GROUP
       OBJECTS {
           spdCompFiltDescription, spdCompFiltLogicType,
           spdCompFiltLastChanged, spdCompFiltStorageType,
           spdCompFiltRowStatus, spdSubFiltSubfilter,
           spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
           spdSubFiltStorageType, spdSubFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Compound Filter Table and Sub-Filter Table Group."
       ::= { spdGroups 5 }

   spdStaticFilterGroup OBJECT-GROUP
           OBJECTS { spdTrueFilter }
        STATUS current
        DESCRIPTION
            "The static filter group.  Currently this is just a true
             filter."
       ::= { spdGroups 6 }

   spdIPOffsetFilterGroup OBJECT-GROUP
       OBJECTS {
           spdIpOffFiltOffset, spdIpOffFiltType,
           spdIpOffFiltValue, spdIpOffFiltLastChanged,
           spdIpOffFiltStorageType, spdIpOffFiltRowStatus
       }

       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy IP
           Offset Filter Table."
       ::= { spdGroups 7 }

   spdTimeFilterGroup OBJECT-GROUP
       OBJECTS {



Baer, et al.            Expires August 21, 2005                [Page 59]


Internet-Draft        IPsec SPD configuration MIB          February 2005


           spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd,
           spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
           spdTimeFiltDayOfWeekMask, spdTimeFiltStartTimeOfDayMask,
           spdTimeFiltStopTimeOfDayMask, spdTimeFiltLastChanged,
           spdTimeFiltStorageType, spdTimeFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy Time
           Filter Table."
       ::= { spdGroups 8 }

   spdIpsoHeaderFilterGroup OBJECT-GROUP
       OBJECTS {
           spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
           spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
           spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy IPSO
           Header Filter Table."
       ::= { spdGroups 9 }

   --
   -- action compliance groups
   --

   spdStaticActionGroup OBJECT-GROUP
       OBJECTS {
           spdDropAction, spdAcceptAction,
           spdDropActionLog, spdAcceptActionLog
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Static Actions."
       ::= { spdGroups 10 }

   spdCompoundActionGroup OBJECT-GROUP
       OBJECTS {
           spdCompActExecutionStrategy, spdCompActLastChanged,
           spdCompActStorageType,

           spdCompActRowStatus, spdSubActSubActionName,
           spdSubActLastChanged, spdSubActStorageType,
           spdSubActRowStatus
       }



Baer, et al.            Expires August 21, 2005                [Page 60]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       STATUS current
       DESCRIPTION
           "The IPsec Policy Compound Action Table and Actions In
            Compound Action Table Group."
       ::= { spdGroups 11 }

   spdActionLoggingObjectGroup OBJECT-GROUP
       OBJECTS {
           spdActionExecuted,
           spdIPEndpointAddType,   spdIPEndpointAddress,
           spdIPSourceType,        spdIPSourceAddress,
           spdIPDestinationType,   spdIPDestinationAddress,
           spdPacketDirection,     spdPacketPart
       }
       STATUS current
       DESCRIPTION
           "This group is made up of all the Notification objects for
           this MIB."
       ::= { spdGroups 12 }

   spdActionNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           spdActionNotification,
           spdPacketNotification
       }
       STATUS current
       DESCRIPTION
               "This group is made up of all the Notifications for this
               MIB."
       ::= { spdGroups 13 }


   END




6.  Security Considerations

6.1  Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IPsec provides security services it is important
   that the IPsec configuration data be at least as protected as the
   IPsec provided security service.  There are two main threats you need
   to thwart when configuring IPsec devices.

   1.  Malicious Configuration: only the official administrators should



Baer, et al.            Expires August 21, 2005                [Page 61]


Internet-Draft        IPsec SPD configuration MIB          February 2005


       be allowed to configure a device.  In other words,
       administrators' identities should be authenticated and their
       access rights checked before they are allowed to do device
       configuration.  The support for SET operations to the IPSP MIB in
       a non-secure environment, without proper protection, can have a
       negative effect on the security of the network traffic affected
       by the IPSP MIB.

   2.  Disclosure of Configuration:  Malicious parties should not be
       able to read configuration data while the data is in network
       transit.  Any knowledge about a device's IPsec policy
       configuration could help an unfriendly party compromise that
       device and/or the network(s) it protects.  It is thus important
       to control even GET access to these objects and possibly to even
       encrypt the values of these objects when sending them over the
       network via SNMP.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (e.g.  by using IPsec), earlier
   versions of SNMP have virtually no control as to who on the secure
   network is allowed to access and GET/SET (read/change/create/delete)
   the objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
   SNMP version 3.  The rest of this discussion assumes the use of
   SNMPv3.  This is a real strength, because it allows administrators
   the ability to load new IPsec configuration on a device and keep the
   conversation private and authenticated under the protection of SNMPv3
   before any IPsec protections are available.  Once initial
   establishment of IPsec configuration on a device has been achieved,
   it would be possible to set up IPsec SAs to then also provide
   security and integrity services to the configuration conversation.
   This may seem redundant at first, but will be shown to have a use for
   added privacy protection below.




Baer, et al.            Expires August 21, 2005                [Page 62]


Internet-Draft        IPsec SPD configuration MIB          February 2005


6.2  Protecting against in-authentic access

   The current SNMPv3 User Security Model provides for key based user
   authentication.  Typically, keys are derived from passwords (but are
   not required to be), and the keys are then used in HMAC algorithms
   (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
   data.  Each SNMP device keeps a (configured) list of users and keys.
   Under SNMPv3 user keys may be updated as often as an administrator
   cares to have users enter new passwords.  But Perfect Forward Secrecy
   for user keys is not yet provided by standards track documents,
   although RFC2786 defines an experimental method of doing so.

6.3  Protecting against involuntary disclosure

   While sending IPsec configuration data to a Policy Enforcement Point
   (PEP), there are a few critical parameters which MUST NOT be observed
   by third parties.  Specifically, except for public keys, keying
   information MUST NOT be allowed to be observed by third parties.
   This include IKE Pre-Shared Keys and possibly the private key of a
   public/private key pair for use in a PKI.  Were either of those
   parameters to be known to a third party, they could then impersonate
   the device to other IKE peers.  Aside from those critical parameters,
   policy administrators have an interest in not divulging any of their
   policy configuration.  Any knowledge about a device's configuration
   could help an unfriendly party compromise that device.  SNMPv3 offers
   privacy security services, but at the time this document was written,
   the only standardized encryption algorithm supported by SNMPv3 is the
   DES encryption algorithm.  Support for other (stronger) cryptographic
   algorithms is in the works and may be done as you read this (e.g.
   AES [RFC3826]).  Policy administrators SHOULD use a privacy security
   service to configure their IPsec policy which is at least as strong
   as the desired IPsec policy.  E.G., it is unwise to configure IPsec
   parameters implementing 3DES algorithms while only protecting that
   conversation with single DES.

6.4  Bootstrapping your configuration

   Most vendors will not ship new products with a default SNMPv3
   user/password pair, but it is possible.  If a device does ship with a
   default user/password pair, policy administrators SHOULD either
   change the password or configure a new user, deleting the default
   user (or at a minimum, restrict the access of the default user).
   Most SNMPv3 distributions should, hopefully, require an out-of-band
   initialization over a trusted medium, such as a local console
   connection.  If a product does install with default user/password
   information, these values should be changed before connecting to a
   network.




Baer, et al.            Expires August 21, 2005                [Page 63]


Internet-Draft        IPsec SPD configuration MIB          February 2005


7.  IANA Considerations

   Only two IANA considerations exist for this document.  The first is
   just the node number allocation of the IPSEC-SPD-MIB itself.

   The IPSEC-SPD-MIB also allows for extension action MIB's and
   allocates a node, spdActions, for them.  IANA would be responsible
   for allocating the values under this node.

8.  Acknowledgments

   Many other people contributed thoughts and ideas that influenced this
   MIB module.  Some special thanks are in order for the following
   people:

         Lindy Foster     (Sparta, Inc.)
         John Gillis      (ADC)
         Jamie Jason      (Intel Corporation)
         Roger Hartmuller (Sparta, Inc.)
         David Partain    (Ericsson)
         Lee Rafalow      (IBM)
         Jon Saperia      (JDS Consulting)
         Eric Vyncke      (Cisco Systems)


9.  References

9.1  Normative References

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

   [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R. and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412, December
              2002.

   [RFC3413]  Levi, D., Meyer, P. and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62, RFC
              3413, December 2002.




Baer, et al.            Expires August 21, 2005                [Page 64]


Internet-Draft        IPsec SPD configuration MIB          February 2005


   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415, December
              2002.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
              Management Information Version 2 (SMIv2)", STD 58, RFC
              2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
              Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D. and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3585]  Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
              Policy Information Model", RFC 3585, August 2003.

9.2  Informative References

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy IPsec Action MIB", December
              2002.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy IKE Action MIB", December
              2002.

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
              Paper", November 2000.

   [RFC3826]  Blumenthal, U., Maino, F. and K. McCloghrie, "The Advanced
              Encryption Standard (AES) Cipher Algorithm in the SNMP
              User-based Security Model", RFC 3826, June 2004.










Baer, et al.            Expires August 21, 2005                [Page 65]


Internet-Draft        IPsec SPD configuration MIB          February 2005


Authors' Addresses

   Michael Baer
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD  21046
   US

   EMail: baerm@tislabs.com


   Ricky Charlet
   Self

   EMail: rcharlet@alumni.calpoly.edu


   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA  95617
   US

   Phone: +1 530 792 1913
   EMail: hardaker@tislabs.com


   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA  30085
   US

   EMail: ipsp-mib@revelstone.com


   Cliff Wang
   ARO/North Carolina State University
   4300 S. Miami Blvd
   RTP, NC  27709
   US

   EMail: cliffwangmail@yahoo.com








Baer, et al.            Expires August 21, 2005                [Page 66]


Internet-Draft        IPsec SPD configuration MIB          February 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Baer, et al.            Expires August 21, 2005                [Page 67]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/