draft-ietf-ipsp-ipsecpib-00.txt compared with draft-ietf-ipsp-ipsecpib-01.txt
(old text is labelled "draft-00 text", new text "draft-01 text")

=== draft-00 header ===

INTERNET DRAFT                                            Man Li
IPSP working group                                        David Arneson
Expires January 2001                                      Nokia
Standards Track
                                                          Avri Doria
                                                          Nortel Networks
                                                          Jamie Jason
                                                          Intel

                  IPSec Policy Information Base            November 2000
                  <draft-ietf-ipsp-ipsecpib-00.txt>

=== draft-01 header ===

ipsp working group                                        Man Li
Internet Draft                                            Nokia
Expires May 2001                                          David Arneson
                                                          No Affiliation
                                                          Avri Doria
                                                          Nortel Networks
                                                          Jamie Jason
                                                          Intel
                                                          Cliff Wang
                                                          SmartPipe

                  IPSec Policy Information Base
                  draft-ietf-ipsp-ipsecpib-01.txt
Status of this Memo (identical in both drafts apart from the [1]
citation added in draft-01)

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
=== draft-00 text ===

Abstract

This document specifies a set of policy rule classes (PRC) for
configuring IPSec services. Instances of these classes reside in a
virtual information store called IPSec Policy Information Base (PIB).

The COPS protocol [COPS] with the extensions for provisioning [COPS-
PR] may be used to transmit this IPSec policy information to IPSec-
enabled devices (e.g., gateways) in order to configure VPN services.

The PRCs defined in this IPSec PIB are intended for use by the COPS-
PR IPSec client type. They complement the PRCs defined in the
Framework PIB [FR-PIB].

=== draft-01 text ===

1. Abstract

This document specifies a set of policy rule classes (PRC) for
configuring IPSec policy at IPsec-enabled devices. Instances of
these classes reside in a virtual information store called IPSec
Policy Information Base (PIB). The COPS protocol [COPS] with the
extensions for provisioning [COPS-PR] may be used to transmit this
IPSec policy information to IPSec-enabled devices (e.g., gateways).

The PRCs defined in this IPSec PIB are intended for use by the COPS-
PR IPSec client type. They complement the PRCs defined in the
Framework PIB [FR-PIB].
=== draft-00 text ===

1. Introduction

The policy rule classes (PRC) defined in this document contain
parameters for IKE phase one and phase two negotiations. The IPSec
PIB, when downloaded to IPSec-enabled devices, will enable them to
construct a Security Policy Database (SPD). The PRCs described in
this document are based on [IPSEC-IM] [IKE] [ESP] [AH] [DOI] [IPCOMP]
[SPPI]. Please refer to [ARCH] for a description of the IPSec
architecture and to [PCIM] [FR-PIB] for information about applying
the concept of role and role combination to policy management.

Following the policy framework convention, the management entity that
downloads policy to IPSec-enabled devices will be called a Policy
Decision Point (PDP) and the IPSec-enabled devices will be called
Policy Execution Points (PEP). On boot up, a PEP reports to a PDP,
among other things, its role or role combinations. The PDP then
determines the IPSec PIB that should be downloaded to the PEP
according to the role description. Later on, if the role of the PEP
changes, the PEP would notify the PDP of its new role and the PDP
would send a new PIB to the PEP. In addition, if the policy associated
with a particular role changes, the PDP would download a new PIB to
all the PEPs that have registered with that role.

There is an ongoing effort in defining an IPSec configuration policy
model [IPSEC-IM]. The PIB defined in this document is not completely
aligned with the information model. As work goes on, they should be
aligned in the near future.

=== draft-01 text ===

2. Conventions used in this document

Li, et al                 Expires January, 2000                     1

IPsec Policy Information Base                           October, 2000

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119 [2].

3. Introduction

The policy rule classes (PRC) defined in this document contain
parameters for IKE phase one and phase two negotiations. They are
based on [IPSEC-IM] [IKE] [ESP] [AH] [DOI] [IPCOMP] [SPPI]. The rule
and role approach proposed in [PCIM], which scales to large
networks, is adopted for distributing IPsec policy over the COPS
protocol.

There is an ongoing effort in defining an IPSec configuration policy
model [IPSEC-IM]. The PIB defined in this document is not completely
aligned with the information model. As work goes on, they should be
aligned in the near future.

The PIB contained in this draft is written using SPPI as specified
in draft-ietf-rap-sppi-01.txt [SPPI]. It will be updated as SPPI
updates.
=== draft-00 text ===

2. Descriptions of the IPSec PIB

2.1 ipSecSelectorTable

This table specifies IPSec selectors. The selectors form an ordered
list and the ipSecSelectorOrder attribute defines the position of a
selector within the list. Each selector is associated with an IPSec
action. An IP packet is compared with the ordered selector list and
the first match is selected. The action associated with that selector
is then applied to the packet.

Multiple selectors may be associated with the same action and, if
IPSec protection is required, the same IKE phase 1 and 2 negotiation
parameters. These selectors are grouped together and are given the
same selector group number as indicated by the ipSecSelectorGroup
attribute.

In some situations, either the source or the destination address of a
selector needs to be a wild card. Remote access is an example. A
remote terminal is dynamically assigned an IP address by its ISP.
That address cannot be known beforehand and hence needs to be
specified as a wild-carded address in the IPSec policy. A wild-carded
IP address is specified with the combination of an all zero IP
address (e.g., IPv4 0.0.0.0) and an all zero address mask (e.g., IPv4
0.0.0.0).

Another type of wild-carded address is a so-called semi-wild-carded
address. It indicates "all the addresses protected by the PEP
gateway". For a VPN that has a well defined topology (e.g., fully
meshed), a selector stating "tcp traffic from all the addresses
protected by the PEP to network Z" can be downloaded to all the VPN
gateways without spelling out the different protected IP addresses
for each gateway. This simplifies PIB construction and network
management. A semi-wild-carded IP address is specified with the
combination of an all zero IP address and an all ones address mask
(e.g., IPv4 255.255.255.255).

2.2 ipSecActionTable

This table specifies the service to be provided to an IP packet.
Actions include Bypass, Discard, Transport and Tunnel. When Tunnel is
specified, the IP address of the remote gateway to which the tunnel
is to be established should also be specified.

If Transport or Tunnel is specified, references to the
ipSecSecurityAssociationTable and the ipSecIkeActionTable should also
be specified. These two tables provide details of IKE and IPSec
associations.

2.3 ipSecRuleTable

This table ties the role combinations, selector groups and IPSec
actions together. It specifies an individual rule within a security
policy database. For each rule, it has references to a selector group
and to an IPSec action. Effectively, it says that if a packet matches
a selector in the referenced selector group, it should be provided
with the service specified by the action.

This table also references the ipSecPolicyTimePeriodGroupTable to
specify the time periods during which a policy is valid.

2.4 ipSecIkeActionTable

This table specifies attributes associated with IKE Associations. It
also references a row in the ipSecIkeProposalGroupTable to specify
the proposals the PEP should propose when establishing an IKE
association.

=== draft-01 text ===

4. Operation Overview

Following the policy framework convention [PCIM], the management
entity that downloads policy to IPSec-enabled devices will be called
a Policy Decision Point (PDP) and the target IPSec-enabled devices
will be called Policy Execution Points (PEP).

On boot up, a PEP reports to a PDP, among other things, its role or
role combinations. The PDP then determines the IPSec PIB that should
be downloaded to the PEP according to the role description. Later
on, if the role of the PEP changes, the PEP would notify the PDP of
its new role and the PDP would send a new PIB to the PEP. In
addition, if the policy associated with a particular role changes,
the PDP would download a new PIB to all the PEPs that have registered
with that role.

The IPsec policy that is pushed down to an individual PEP consists of
two parts: IKE rules for IKE phase one negotiation and IPsec rules
for IKE phase two negotiation. These sets of rules may be pushed down
either together or independently. Hence a role is associated with
each set of rules. Figure 1 shows the relations between the tables
with an example.

   +----------------------+        +------------------------+
   | ipSecSelectorEntries |        | ipSecRuleTableEntries  |
   | Group = 10           |<-------| SelectorGroupId = 10   |
   +----------------------+        | ActionGroupId = 20     |
                                   | Role = Finance_X       |
                                   +------------------------+
                                               |
                                               |
                                               v
   +---------------------------+    +------------------------+
   | ipSecIkeRuleEntries       |    | ipSecActionEntries     |
   | Prid = 30                 |    | GroupId = 20           |
   | IkeEndpointGroupId = 40   |    | Action = Tunnel        |
   |                           |<---| IkeRuleId = 30         |
   |                           |    | Role = Finance_X       |
   +---------------------------+    +------------------------+
           |            \                       |
           |             \                      |
           v              \                     v
   +---------------------------+   \      ipSecAssociation
   | ipSecIkeEndpointEntries   |    \     and subsequent
   |                           |     \    tables
   | GroupId = 40              |      \
   +---------------------------+       \
                                        v
                                 ipSecIkeAssociations
                                 and subsequent tables

                               Figure 1

When a PEP reports to a PDP its roles,

- if the corresponding policy consists of IPsec rules only (i.e.,
  key management is not through IKE), the roles must match only those
  in the ipSecRuleTable. In the ipSecActionTable referenced by the
  ipSecRuleTable, the values of the ipSecActionIkeRuleId attribute
  must be zero, indicating that no IKE associations are used. As a
  result, the ipSecRuleTable and all subsequently referenced tables
  are pushed down to the PEP.

- if the corresponding policy consists of IKE rules only, the roles
  must match only those in the ipSecIkeRuleTable. The
  ipSecIkeEndpointTable indicates the peer endpoints with which to
  establish IKE associations. Hence, the ipSecIkeRuleTable and all
  subsequently referenced tables are pushed down to the PEP.

- if the corresponding policy consists of both IPsec rules and IKE
  rules (i.e., an IKE association is established first and it is then
  used for IPsec association negotiation), the roles must match those
  in the ipSecRuleTable. Furthermore, in the ipSecActionTable
  referenced by the ipSecRuleTable, the ipSecActionIkeRuleId
  attributes must point to ipSecIkeRuleTable entries with the same
  roles. In addition, if IPsec tunnel mode is required in an action,
  the tunnel peer endpoint address must match an ipSecIkeEndpointId in
  the ipSecIkeEndpointTable. If, on the other hand, IPsec transport
  mode is required, the peer endpoint address of the IPsec association
  must match an ipSecIkeEndpointId in the ipSecIkeEndpointTable. The
  ipSecRuleTable and the ipSecIkeRuleTable as well as all subsequently
  referenced tables are pushed down to the PEP.
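The following is an added example, not code from either draft: a PDP-side check of the cross-references that the three cases of section 4 require before tables are pushed to a PEP, using the ids from Figure 1. Table and attribute names are the draft's; the dict layout, the Role attribute on the IKE rule, the TunnelPeer and EndpointAddr fields and the sample rows are assumptions of this example.

```python
# Constructed PIB content, modelled on Figure 1 of the draft (the ids are the
# figure's). "Prid" is the instance id. The Role attribute on the IKE rule and
# the TunnelPeer / EndpointAddr fields are assumed by this example.
PIB = {
    "ipSecRuleTable": [
        {"Prid": 1, "SelectorGroupId": 10, "ActionGroupId": 20, "Role": "Finance_X"},
    ],
    "ipSecActionTable": [
        {"Prid": 2, "GroupId": 20, "Action": "Tunnel", "IkeRuleId": 30,
         "Role": "Finance_X", "TunnelPeer": "192.0.2.1"},
    ],
    "ipSecIkeRuleTable": [
        {"Prid": 30, "IkeEndpointGroupId": 40, "Role": "Finance_X"},
    ],
    "ipSecIkeEndpointTable": [
        {"Prid": 41, "GroupId": 40, "EndpointAddr": "192.0.2.1"},
    ],
}


def rows(pib, table, **match):
    """Rows of `table` whose attributes equal every keyword given."""
    return [r for r in pib[table] if all(r.get(k) == v for k, v in match.items())]


def tables_to_push(pib, role):
    """Return the set of table names the PDP pushes for `role`, or raise
    ValueError on the first cross-reference that breaks the section 4 rules:
    an IPsec-only policy needs ipSecActionIkeRuleId == 0; an IPsec+IKE policy
    needs the action's IkeRuleId to name an IKE rule of the same role, and a
    tunnel action's peer to be an endpoint of that rule's endpoint group."""
    ipsec_rules = rows(pib, "ipSecRuleTable", Role=role)
    ike_rules = rows(pib, "ipSecIkeRuleTable", Role=role)
    if not ipsec_rules and not ike_rules:
        raise ValueError(f"no policy for role {role!r}")
    pushed = set()
    for rule in ipsec_rules:
        actions = rows(pib, "ipSecActionTable", GroupId=rule["ActionGroupId"])
        if not actions:
            raise ValueError(f"rule {rule['Prid']}: action group "
                             f"{rule['ActionGroupId']} is empty")
        pushed.update({"ipSecRuleTable", "ipSecActionTable"})
        for act in actions:
            if not ike_rules:
                # Case 1: IPsec rules only, keys are not managed through IKE.
                if act["IkeRuleId"] != 0:
                    raise ValueError(f"action {act['Prid']}: IkeRuleId must be 0 "
                                     f"when role {role!r} has no IKE rules")
                continue
            # Case 3: IPsec and IKE rules; the referenced IKE rule must carry
            # the same role as the IPsec rule.
            ike = rows(pib, "ipSecIkeRuleTable", Prid=act["IkeRuleId"], Role=role)
            if not ike:
                raise ValueError(f"action {act['Prid']}: IkeRuleId {act['IkeRuleId']} "
                                 f"is not an IKE rule with role {role!r}")
            if act["Action"] == "Tunnel":
                peers = rows(pib, "ipSecIkeEndpointTable",
                             GroupId=ike[0]["IkeEndpointGroupId"])
                if not any(p["EndpointAddr"] == act["TunnelPeer"] for p in peers):
                    raise ValueError(f"action {act['Prid']}: tunnel peer "
                                     f"{act['TunnelPeer']} is not in IKE endpoint "
                                     f"group {ike[0]['IkeEndpointGroupId']}")
            # The transport-mode peer check of section 4 is not modelled here.
    if ike_rules:
        # Case 2, and the IKE half of case 3: IKE rules and their endpoints go too.
        pushed.update({"ipSecIkeRuleTable", "ipSecIkeEndpointTable"})
    return pushed


if __name__ == "__main__":
    print(sorted(tables_to_push(PIB, "Finance_X")))
```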
=== draft-00 text ===

2.5 ipSecIkeProposalGroupTable

This table specifies multiple IKE proposal groups. Within a group,
proposals are ORed with preference.

2.6 ipSecIkeProposalTable

This table specifies attributes associated with IKE proposals.

2.7 ipSecSecurityAssociationTable

This table specifies attributes associated with IPSec Associations.
It also references a row in the ipSecProposalGroupTable to specify
the proposals the PEP should propose when establishing an IPSec
association.

2.8 ipSecProposalGroupTable

This table specifies multiple proposal groups. Within a group,
proposals are ORed with preference.

2.9 ipSecProposalTable

This table specifies IPSec proposals. It references the
ipSecEspTransformGroupTable, ipSecAhTransformGroupTable and
ipSecCompTransformGroupTable to specify transforms within each
proposal. Within a proposal, different transforms are ANDed.

2.10 ipSecEspTransformGroupTable

This table specifies multiple ESP transform groups. Within a
transform group, the choices are ORed with preference order.

2.11 ipSecEspTransformTable

This table specifies attributes associated with ESP transforms.

2.12 ipSecAhTransformGroupTable

This table specifies multiple AH transform groups. Within a transform
group, the choices are ORed with preference order.

=== draft-01 text ===

4.1 Selector construction

The ipSecAddressTable specifies individual IP addresses or ranges of
IP addresses and the ipSecL4PortTable specifies individual layer 4
ports or ranges of ports. The ipSecSelectorTable has references to
these two tables. Each row in the selector table represents multiple
selectors. These selectors are constructed as follows:

1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.

2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.

3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
   ranges of ports whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.

4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
   ranges of ports whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.

5. Construct all the possible combinations of the above four fields
   together with the ipSecSelectorProtocol attribute to form a list of
   five-tuple selectors.

Selectors constructed from the same row inherit all the other
attributes of the row (e.g., ipSecSelectorGranularity).

The following is an example for building the selectors (only
relevant fields are shown). Suppose that the ipSecAddressTable is
populated with the following rows:

   AddrMin     AddrGroupId
   1.2.3.4     1
   1.2.3.18    1
   5.6.7.1     2
   5.6.7.8     2

For every row in this example, the AddrMax is a zero length octet
string, indicating that each row specifies a single IP address.

The Layer4PortTable is populated with the following rows:

   PortMin   PortMax   PortGroupId
   112       150       1
   99        0         2

The PortMax is zero in the second row, indicating that a single port
is specified.

The ipSecSelectorTable is populated with:

   SrcAddrGpId  DstAddrGpId  SrcPortGpId  DstPortGpId  Protocol  Order
   1            2            1            1            udp       1
   1            2            2            2            tcp       2

The following selectors are constructed:

   srcAddr    dstAddr    protocol   srcPort    dstPort
   1.2.3.4    5.6.7.1    UDP        112-150    112-150
   1.2.3.4    5.6.7.8    UDP        112-150    112-150
   1.2.3.18   5.6.7.1    UDP        112-150    112-150
   1.2.3.18   5.6.7.8    UDP        112-150    112-150
   1.2.3.4    5.6.7.1    TCP        99         99
   1.2.3.4    5.6.7.8    TCP        99         99
   1.2.3.18   5.6.7.1    TCP        99         99
   1.2.3.18   5.6.7.8    TCP        99         99

The first four selectors are constructed from the first row of the
selector table, whose order equals 1. They may be ordered in any
way. However, all of them must be evaluated before the selectors
constructed from the second row because the order of the second row
equals 2.

The use of references in the ipSecSelectorTable instead of spelling
out all the IP addresses and port numbers reduces the number of
bytes being pushed down to the PEP. Grouping of IP addresses and
layer four ports serves the same purpose.
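The five substitution steps of section 4.1, carried out on the draft's own sample rows, as an added example (not code from the draft). Table and column names follow the draft; the Python row layout is this example's own, and a group id that no row carries is treated as an inconsistent PIB rather than silently expanding to nothing.

```python
from itertools import product

# Constructed rows, copied from the draft's own 4.1 example.
# ipSecAddressTable: an empty AddrMax means a single address, not a range.
ADDRESS_TABLE = [
    {"AddrMin": "1.2.3.4",  "AddrMax": "", "GroupId": 1},
    {"AddrMin": "1.2.3.18", "AddrMax": "", "GroupId": 1},
    {"AddrMin": "5.6.7.1",  "AddrMax": "", "GroupId": 2},
    {"AddrMin": "5.6.7.8",  "AddrMax": "", "GroupId": 2},
]
# ipSecL4PortTable: PortMax == 0 means a single port.
PORT_TABLE = [
    {"PortMin": 112, "PortMax": 150, "GroupId": 1},
    {"PortMin": 99,  "PortMax": 0,   "GroupId": 2},
]
# ipSecSelectorTable: group references, protocol and ipSecSelectorOrder.
SELECTOR_TABLE = [
    {"SrcAddrGpId": 1, "DstAddrGpId": 2, "SrcPortGpId": 1,
     "DstPortGpId": 1, "Protocol": "udp", "Order": 1},
    {"SrcAddrGpId": 1, "DstAddrGpId": 2, "SrcPortGpId": 2,
     "DstPortGpId": 2, "Protocol": "tcp", "Order": 2},
]


def addresses_in_group(group_id, table=ADDRESS_TABLE):
    """Steps 1 and 2: every address or range whose ipSecAddressGroupId matches."""
    return [r["AddrMin"] if r["AddrMax"] == "" else f'{r["AddrMin"]}-{r["AddrMax"]}'
            for r in table if r["GroupId"] == group_id]


def ports_in_group(group_id, table=PORT_TABLE):
    """Steps 3 and 4: every port or port range whose ipSecL4PortGroupId matches."""
    return [str(r["PortMin"]) if r["PortMax"] == 0 else f'{r["PortMin"]}-{r["PortMax"]}'
            for r in table if r["GroupId"] == group_id]


def expand_selectors(selector_table=SELECTOR_TABLE,
                     address_table=ADDRESS_TABLE, port_table=PORT_TABLE):
    """Step 5: the cross product of the four substituted fields and the protocol.

    Rows are taken in ipSecSelectorOrder and every selector keeps its row's
    order, so all selectors of an earlier row are evaluated before any
    selector of a later row, as 4.1 requires. A group id that no row carries
    is an inconsistent PIB and is reported instead of yielding nothing.
    """
    selectors = []
    for row in sorted(selector_table, key=lambda r: r["Order"]):
        fields = (addresses_in_group(row["SrcAddrGpId"], address_table),
                  addresses_in_group(row["DstAddrGpId"], address_table),
                  ports_in_group(row["SrcPortGpId"], port_table),
                  ports_in_group(row["DstPortGpId"], port_table))
        if not all(fields):
            raise ValueError(f"dangling group reference in selector row {row}")
        for src, dst, sport, dport in product(*fields):
            selectors.append({"order": row["Order"], "srcAddr": src, "dstAddr": dst,
                              "protocol": row["Protocol"].upper(),
                              "srcPort": sport, "dstPort": dport})
    return selectors


if __name__ == "__main__":
    for s in expand_selectors():
        print(s)
```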
=== draft-00 text ===

2.13 ipSecAhTransformTable

This table specifies attributes associated with AH transforms.

2.14 ipSecCompTransformGroupTable

This table specifies multiple IPComp transform groups. Within a
transform group, the choices are ORed with preference order.

2.15 ipSecCompTransformTable

This table specifies attributes associated with IPComp transforms.

2.16 ipSecPolicyTimePeriodTable

A policy may be valid only for some given time periods. [FR-PIB]
describes a method for pre-provisioning of policy and later a PDP may
activate the policy by a single decision message.

In large networks, it may be desirable to include policy valid
periods in the policy itself. It is then the responsibility of the
PEPs to activate and de-activate the policy according to the time
period specified. This table together with the
ipSecPolicyTimePeriodGroupTable provides a way to specify policy
valid periods.

The attributes and their formats are the same as those of the
PolicyTimePeriodCondition class in [PCIM]. This consistency should
help in constructing the PIB from the information model or schema.

2.17 ipSecPolicyTimePeriodGroupTable

The ipSecPolicyTimePeriodTable is able to specify a single time
period over multiple days (e.g., 8:00-10:00 am every Friday). This
table allows one to specify multiple time periods over multiple days
(e.g., 8:00-10:00 am and 2:00-5:00 pm every Friday) by putting
multiple rows of the ipSecPolicyTimePeriodTable into one group.

=== draft-01 text ===

4.2 Start up condition

The establishment of IKE or IPsec associations may be triggered in
several ways as indicated by ipSecSelectorStartupCondition and
ipSecIkeEndpointStartupCondition in the ipSecSelectorTable and
ipSecIkeEndpointTable respectively. The triggers may be:

OnBoot: The IPsec or IKE association is established after system
boot. To avoid both endpoints trying to set up the same association,
only the endpoint whose ipSecSelectorIsOriginator
(ipSecIkeEndpointIsOriginator) is true can initiate the IPsec (IKE)
association establishment.

OnTraffic: The IPsec association is established only when packets
need to be sent and there are no appropriate security associations
to protect the packets. If there is no IKE association to protect
the IPsec association negotiation, an IKE association should be set
up first.

OnPolicy: The IPsec or IKE association is established according to
the ipSecRuleTimePeriodSetTable referenced by the corresponding rule.
At the time the policy becomes active, only the endpoint whose
ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true can
initiate the IPsec (IKE) association establishment.

These triggers are not mutually exclusive.

4.3 Multiple security associations, proposals and transforms

Multiple IPsec security associations may be established to protect
the same traffic between two end points. For example, to protect TCP
traffic between hosts A and B, an IPsec security association in
transport mode may be established between hosts A and B. In
addition, an IPsec security association in tunnel mode may be set up
between host A and gateway C, which protects the LAN on which host B
resides.

The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to
handle multiple security association establishments or actions. It
contains references to the actions specified in the
ipSecActionTable. All the actions in the ipSecActionTable whose
ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId must be
applied. The ipSecActionOrder indicates the order in which these
actions should be taken in setting up the security associations.

During a security association negotiation, the initiating point may
present multiple proposals in preference order. For an IPsec security
association, every proposal may contain different protocols, e.g.,
AH, ESP (a single proposal here is equivalent to multiple proposal
payloads with the same proposal number as specified in [ISAKMP]).
Different protocols are ANDed. Each protocol, in turn, may contain
multiple transforms in preference order. The responder must select a
single proposal and a single transform for each protocol.

Multiple proposals are handled by the ipSecProposalSetTable and
ipSecIkeProposalSetTable. The ipSecProposalSetOrder and
ipSecIkeProposalSetOrder in these tables indicate preference.

Multiple transforms within a protocol are handled by the
ipSecAhTransformSetTable, ipSecEspTransformSetTable and
ipSecCompTransformSetTable. The ipSecAhTransformSetOrder,
ipSecEspTransformSetOrder and ipSecCompTransformSetOrder in these
tables indicate preferences.
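The responder-side choice described in section 4.3, as an added example that is not code from the draft: proposals are tried in ipSecProposalSetOrder, the protocols inside a proposal are ANDed, and within each protocol the transforms are tried in their *TransformSetOrder. The transform labels, the responder's acceptable set and the rule that the initiator's most preferred acceptable transform wins are constructed for this example.

```python
# Initiator proposals in preference order (lower ipSecProposalSetOrder first).
# Each proposal: protocol -> transforms in preference order (the per-protocol
# *TransformSetOrder). Labels are constructed sample values.
INITIATOR_PROPOSALS = [
    {"order": 1, "protocols": {"AH": ["ah-md5"], "ESP": ["esp-des", "esp-3des"]}},
    {"order": 2, "protocols": {"ESP": ["esp-3des", "esp-aes"]}},
]

# Responder policy: the transforms it accepts per protocol (constructed; in a
# deployment this is derived from the responder's own PIB).
RESPONDER_ACCEPTS = {"ESP": {"esp-aes", "esp-3des"}, "IPCOMP": {"deflate"}}


def select_proposal(proposals, accepts):
    """Return (proposal order, {protocol: transform}) for the first proposal,
    in initiator preference, whose protocols the responder can all satisfy.
    Within a protocol the initiator's most preferred acceptable transform is
    taken, so exactly one transform per protocol is chosen. Returns None when
    no proposal is acceptable (the negotiation fails)."""
    for prop in sorted(proposals, key=lambda p: p["order"]):
        chosen = {}
        for proto, transforms in prop["protocols"].items():
            acceptable = [t for t in transforms if t in accepts.get(proto, ())]
            if not acceptable:
                # Protocols are ANDed: one protocol with no acceptable
                # transform rejects the whole proposal.
                chosen = None
                break
            chosen[proto] = acceptable[0]
        if chosen is not None:
            return prop["order"], chosen
    return None


if __name__ == "__main__":
    print(select_proposal(INITIATOR_PROPOSALS, RESPONDER_ACCEPTS))
```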
=== draft-00 text ===

3. The IPSec PIB

IPSEC-BASE-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32, MODULE-IDENTITY, OBJECT-TYPE
        FROM COPS-PR-SPPI
    OBJECT-IDENTITY
        FROM SNMPv2-SMI
    TruthValue, TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    PolicyInstanceId, PolicyReferenceId
        FROM COPS-PR-SPPI
    RoleCombination
        FROM POLICY-FRAMEWORK-PIB;

ipSecPolicyPib MODULE-IDENTITY
    CLIENT-TYPE { tbd -- IPSec Client Type }
    LAST-UPDATED "200007101800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
        Man Li
        Nokia
        5 Wayside Road,
        Burlington, MA 01803
        Phone: +1 781 993 3923
        Email: man.m.li@nokia.com

        Avri Doria
        Nortel Networks
        600 Technology Park Drive
        Billerica, MA 01821
        Phone: +1 401 663 5024
        Email: avri@nortelnetworks.com

        Jamie Jason
        Intel Corporation
        MS JF3-206
        2111 NE 25th Ave.
        Hillsboro, OR 97124
        Phone: +1 503 264 9531
        Fax: +1 503 264 9428
        E-Mail: jamie.jason@intel.com"
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPSec policies."
    ::= { tbd }

ipSecBase OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the basics of IPSec policy. "
    ::= { ipSecPolicyPib 1 }

ipSecSecurityAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSec Security
        Associations"
    ::= { ipSecPolicyPib 2 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IKE Security
        Associations"
    ::= { ipSecPolicyPib 3 }

ipSecEspTransform OBJECT-I
DENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to ESP Transform"
    ::= { ipSecPolicyPib 4 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to AH Transform"
    ::= { ipSecPolicyPib 5 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSecComp Transform"
    ::= { ipSecPolicyPib 6 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the time periods during which a policy rule
        is valid. "
    ::= { ipSecPolicyPib 7 }

--
-- The ipSecSelectorTable
--

ipSecSelectorTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSelectorEntry
    POLICY-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPSec address selector table"
    INDEX { ipSecSelectorPrid }
    UNIQUENESS {
        SrcAddressType,
        DstAddressType,
        DstAddrMask,
        SrcAddrMask,
        DestAddrMin,
        DestAddrMax,
        SrcAddrMin,
        SrcAddrMax,
        Protocol,
        SrcPortMin,
        SrcPortMax,
        DstPortMin,
        DstPortMax
    }
    ::= { ipSecBase 1 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX IpSecSelectorEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
    ipSecSelectorPrid            PolicyInstanceId,
    ipSecSelectorSrcAddressType  INTEGER,
    ipSecSelectorDstAddressType  INTEGER,
    ipSecSelectorDstAddrMask     OCTET STRING,
    ipSecSelectorSrcAddrMask     OCTET STRING,
    ipSecSelectorDestAddrMin     OCTET STRING,
    ipSecSelectorDestAddrMax     OCTET STRING,
    ipSecSelectorSrcAddrMin      OCTET STRING,
    ipSecSelectorSrcAddrMax      OCTET STRING,
    ipSecSelectorProtocol        INTEGER,
    ipSecSelectorSrcPortMin      INTEGER,
    ipSecSelectorSrcPortMax      INTEGER,
    ipSecSelectorDstPortMin      INTEGER,
    ipSecSelectorDstPortMax      INTEGER,
    ipSecSelectorOrder           Unsigned32,
    ipSecSelectorGroupId         Unsigned32
}

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX PolicyInstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4(1),
        ipV6(2),
        fqdn(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the source address type. This also controls the length
        of the OCTET STRING for the source address objects.
        A value of IPv4 specifies an IPv4 address and an octet string of
        length 4.
        A value of IPv6 specifies an IPv6 address and an octet string of
        length 16.
        A value of FQDN specifies a fully qualified domain name and an
        octet string of variable length."
    ::= { ipSecSelectorEntry 2 }

ipSecSelectorDstAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4(1),
        ipV6(2),
        fqdn(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the destination address type. This also controls the
        length of the OCTET STRING for the destination address objects.
        A value of IPv4 specifies an IPv4 address and an octet string of
        length 4.
        A value of IPv6 specifies an IPv6 address and an octet string of
        length 16.
        A value of FQDN specifies a fully qualified domain name and an
        octet string of variable length."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the destination IP address. A zero
        bit in the mask means that the corresponding bit in the address
        always matches. The type of this address is based on the
        ipSecSelectorDstAddressType."
    ::= { ipSecSelectorEntry 4 }

ipSecSelectorSrcAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the source IP address. A zero bit in
        the mask means that the corresponding bit in the address always
        matches. The type of this address is based on the
        ipSecSelectorSrcAddressType."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorDestAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the destination end point address or fully qualified
        domain name.
        The length of the string is based upon the address type.
        A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
        ipSecSelectorDstAddrMask of all zero means a wild-carded address,
        i.e., all addresses match.
        A value of all zero accompanied by the ipSecSelectorDstAddrMask
        of all one (e.g., IPv4 255.255.255.255) means all addresses
        protected by the gateway. "
    ::= { ipSecSelectorEntry 6 }

ipSecSelectorDestAddrMax OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "If a range of addresses is being used then this specifies the
        ending destination address. The type of this address must be the
        same as the ipSecSelectorDestAddrMin.
        If no range is specified or a fully qualified domain name is used
        then this object must be a 0 length octet string."
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorSrcAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the source address or fully qualified domain name.
        The length of the string is based upon the address type.
        A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
        ipSecSelectorSrcAddrMask of all zero means a wild-carded address,
        i.e., all addresses match.
        A value of all zero accompanied by the ipSecSelectorSrcAddrMask

(the draft-00 text on this page ends here)

=== draft-01 text ===

5. Summary of the IPSec PIB

The IPSec PIB consists of several groups that are summarized in the
following:

ipSecSelector Group
   This group specifies the selectors for IPSec associations.

ipSecAssociation Group
   This group specifies attributes related to IPSec Security
   Associations.

IpSecIkeAssociation Group
   This group specifies attributes related to IKE Security
   Associations.

IpSecEspTransform Group
   This group specifies attributes related to ESP Transform.

IpSecAhTransform Group
   This group specifies attributes related to AH Transform.

IpSecCompTransform Group
   This group specifies attributes related to IPSecComp Transform.

IpSecPolicyTimePeriod Group
   This group specifies the time periods during which a policy rule is
   valid.

6. The IPSec PIB

IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE
        FROM COPS-PR-SPPI
    OBJECT-IDENTITY
        FROM SNMPv2-SMI
    TruthValue
        FROM SNMPv2-TC
    PolicyInstanceId, PolicyReferenceId, PolicyTagId, PolicyTagReference
        FROM COPS-PR-SPPI
    RoleCombination
        FROM POLICY-FRAMEWORK-PIB
    OBJECT-GROUP
        FROM SNMPv2-CONF;

ipSecPolicyPib MODULE-IDENTITY
    SUBJECT-CATEGORY { tbd -- IPSec Client Type }
    LAST-UPDATED "200010101800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
        Man Li
        Nokia
        5 Wayside Road,
        Burlington, MA 01803
        Phone: +1 781 993 3923
        Email: man.m.li@nokia.com

        Avri Doria
        Nortel Networks
        600 Technology Park Drive
        Billerica, MA 01821
        Phone: +1 401 663 5024
        Email: avri@nortelnetworks.com

        Jamie Jason
        Intel Corporation
        MS JF3-206
        2111 NE 25th Ave.
        Hillsboro, OR 97124
        Phone: +1 503 264 9531
        Fax: +1 503 264 9428
        E-Mail: jamie.jason@intel.com

        Cliff Wang
        SmartPipes Inc.
        Suite 300, 565 Metro Place South
        Dublin, OH 43017
        Phone: +1 614 923 6241
        E-Mail: CWang@smartpipes.com"
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPSec policies."
    ::= { tbd }

ipSecSelector OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies selectors for IPSec associations. "
    ::= { ipSecPolicyPib 1 }

ipSecAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSec Security
        Associations"
    ::= { ipSecPolicyPib 2 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IKE Security
        Associations"
    ::= { ipSecPolicyPib 3 }

ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to ESP Transform"
    ::= { ipSecPolicyPib 4 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to AH Transform"
    ::= { ipSecPolicyPib 5 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSecComp Transform"
    ::= { ipSecPolicyPib 6 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the time periods during which a policy rule
        is valid. "
    ::= { ipSecPolicyPib 7 }

ipSecPolicyPibConformance OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies requirements for conformance to the IPsec
        Policy PIB"
    ::= { ipSecPolicyPib 8 }

--
-- The ipSecAddressTable
--

ipSecAddressTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAddressEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IP addresses"
    INDEX { ipSecAddressPrid }
    UNIQUENESS {
        ipSecAddressAddressType,
        ipSecAddressAddrMask,
        ipSecAddressAddrMin,
        ipSecAddressAddrMax,
        ipSecAddressGroupId
    }
    ::= { ipSecSelector 1 }

ipSecAddressEntry OBJECT-TYPE
    SYNTAX IpSecAddressEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAddressTable 1 }

IpSecAddressEntry ::= SEQUENCE {
    ipSecAddressPrid          PolicyInstanceId,
    ipSecAddressAddressType   INTEGER,
    ipSecAddressAddrMask      OCTET STRING,
    ipSecAddressAddrMin       OCTET STRING,
    ipSecAddressAddrMax       OCTET STRING,
    ipSecAddressGroupId       PolicyTagId
}

ipSecAddressPrid OBJECT-TYPE
    SYNTAX PolicyInstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecAddressEntry 1 }

ipSecAddressAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the address type. This also controls the length of the
        OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and
        ipSecAddressAddrMax objects.
        IPv4 addresses (1)(4)(7) are octet strings of length 4.
        IPv6 addresses (5)(6)(8) are octet strings of length 16.
        Other types of addresses are octet strings of variable length."
    ::= { ipSecAddressEntry 2 }

ipSecAddressAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the IP address. A zero bit in the mask
        means that the corresponding bit in the address always matches. The
        type of this address is based on the ipSecAddressAddressType. If
        ipSecAddressAddressType is not IPv4 addresses (1)(4)(7) or IPv6
        addresses (5)(6)(8), this attribute must be a zero length octet
        string."
    ::= { ipSecAddressEntry 3 }

ipSecAddressAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies an end point address. The length of the string is based
        upon the address type. For IPv4 address types, this attribute is a
        4-byte octet string. For IPv6 address types, this attribute is a
        16-byte octet string. For other types of addresses, this attribute
        is a variable length octet string.
        A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
        ipSecAddressAddrMask of all zero means a wild-carded address, i.e.,
        all addresses match."
    ::= { ipSecAddressEntry 4 }

(the draft-01 text on this page ends here)
of all one (e.g., IPv4 255.255.255.255) means all addresses
protected by the gateway. "
::= { ipSecSelectorEntry 8 }
ipSecSelectorSrcAddrMax OBJECT-TYPE ipSecAddressAddrMax OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If a range of addresses are being used then this specifies the "If a range of addresses are being used then this specifies the
ending source address. The type of this address must be the same ending address. The type of this address must be the same as the
as the ipSecSelectorSrcAddrMin. ipSecAddressAddrMin. The Length of the string is based upon the
If no range is specified or a fully qualified domain name is used address type. For IPv4 address types, this attribute is a 4-bytes
then this object must be a 0 length octet string." octet string. For IPv6 address types, this attribute is a 64-bytes
::= { ipSecSelectorEntry 9 } octet string. For other types of addresses, this attribute must be a
zero length octet string.
ipSecSelectorProtocol OBJECT-TYPE If no range is specified then this attribute must be a zero length
SYNTAX INTEGER (0..255) octet string."
::= { ipSecAddressEntry 5 }
ipSecAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IP protocol to match against the packet's protocol. A value "Specifies the group this IP address,address range or subnet address
of zero means match all." belongs to."
::= { ipSecSelectorEntry 10 } ::= { ipSecAddressEntry 6 }
ipSecSelectorSrcPortMin OBJECT-TYPE --
SYNTAX INTEGER (0..65535) --
-- The ipSecL4PortTable
--
ipSecL4PortTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecL4PortEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the first layer 4 source port number of a range of "Specifies layer four port numbers"
ports." INDEX { ipSecL4PortPrid }
::= { ipSecSelectorEntry 11 } UNIQUENESS {
ipSecSelectorSrcPortMax OBJECT-TYPE
SYNTAX INTEGER (0..65535) Li, et al Expires January, 2000 11
IPsec Policy Information Base October, 2000
ipSecL4PortPortMin,
ipSecL4PortPortMax,
ipSecL4PortGroupId
}
::= { ipSecSelector 2 }
ipSecL4PortEntry OBJECT-TYPE
SYNTAX IpSecL4PortEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the last layer 4 source port in the range. If a range "Specifies an instance of this class"
of ports is not being used then this object must have a value of ::= { ipSecL4PortTable 1 }
0. Otherwise, this value should be greater than that specified by
ipSecSelectorSrcPortMin."
::= { ipSecSelectorEntry 12 }
ipSecSelectorDstPortMin OBJECT-TYPE IpSecL4PortEntry ::= SEQUENCE {
SYNTAX INTEGER (0..65535) ipSecL4PortPrid PolicyInstanceId,
ipSecL4PortPortMin INTEGER,
ipSecL4PortPortMax INTEGER,
ipSecL4PortGroupId PolicyTagId
}
ipSecL4PortPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the first layer 4 destination port number of a range "An integer index to uniquely identify an instance of this class"
of ports" ::= { ipSecL4PortEntry 1 }
::= { ipSecSelectorEntry 13 }
ipSecSelectorDstPortMax OBJECT-TYPE ipSecL4PortPortMin OBJECT-TYPE
SYNTAX INTEGER (0..65535) SYNTAX INTEGER (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the last layer 4 destination port in the range. If a "Specifies a layer 4 port or the first layer 4 port number of a
range of ports is not being used then this object must have a range of ports."
value of 0. Otherwise, this value should be greater than that ::= { ipSecL4PortEntry 2 }
specified by ipSecSelectorDstPortMin."
::= { ipSecSelectorEntry 14 }
ipSecSelectorOrder OBJECT-TYPE ipSecL4PortPortMax OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX INTEGER (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of this selector, "Specifies the last layer 4 source port in the range. If a range of
within the ipSecSelectorTable. A given precedence order is ports is not being used then this object must have a value of 0.
positioned before one with a higher-valued precedence order. " Otherwise, this value should be greater than that specified by
::= { ipSecSelectorEntry 15 } ipSecSelectorSrcPortMin."
ipSecSelectorGroupId OBJECT-TYPE ::= { ipSecL4PortEntry 3 }
SYNTAX Unsigned32
ipSecL4PortGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPSec selector group this selector belongs to. "Specifies the group this port or range of ports belongs to."
Selectors in the same group are provided with the same service." ::= { ipSecL4PortEntry 4 }
::= { ipSecSelectorEntry 16 }
Li, et al Expires January, 2000 12
IPsec Policy Information Base October, 2000
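The length, mask and wildcard rules stated for ipSecAddressAddressType, ipSecAddressAddrMask, ipSecAddressAddrMin and ipSecAddressAddrMax are easy to get subtly wrong in a PEP (an IPv4 row silently matching an IPv6 packet, a non-IP identity row carrying a mask, a range row without an AddrMax). The following Python is an added example, not code from the draft; it implements those rules for the draft-01 ipSecAddressTable. Enumeration names for type values 1 to 5 are not shown in this excerpt, so rows carry only the numeric code; how a mask combines with a range type is not defined by the draft, and the mask-first-then-range behaviour below is an assumption.

```python
"""Matching a packet address against one ipSecAddressTable row (draft-01 rules).

Added example, not code from the draft. Type names for values 1..5 are not in
this excerpt, so only numeric type codes are used.
"""
import ipaddress
from dataclasses import dataclass

IPV4_TYPES = {1, 4, 7}    # "IPv4 addresses (1)(4)(7)": 4-byte octet strings
IPV6_TYPES = {5, 6, 8}    # "IPv6 addresses (5)(6)(8)": 16-byte octet strings
RANGE_TYPES = {7, 8}      # ipV4-Address-Range(7), ipV6-Address-Range(8)
IP_TYPES = IPV4_TYPES | IPV6_TYPES


@dataclass(frozen=True)
class AddressRow:
    addr_type: int          # ipSecAddressAddressType
    addr_mask: bytes        # ipSecAddressAddrMask
    addr_min: bytes         # ipSecAddressAddrMin
    addr_max: bytes = b""   # ipSecAddressAddrMax, empty when no range is used
    group_id: int = 0       # ipSecAddressGroupId


def packed(text: str) -> bytes:
    """Dotted or colon notation to the octet string the PIB stores."""
    return ipaddress.ip_address(text).packed


def validate_row(row: AddressRow) -> None:
    """Raise ValueError if the row violates the length rules of the descriptions."""
    if row.addr_type not in IP_TYPES:
        # DER DN/GN, key-Id and similar: variable-length min, mask and max empty.
        if row.addr_mask or row.addr_max:
            raise ValueError("mask and max must be zero length for non-IP types")
        if not row.addr_min:
            raise ValueError("addr_min must not be empty")
        return
    n = 4 if row.addr_type in IPV4_TYPES else 16
    if len(row.addr_min) != n or len(row.addr_mask) != n:
        raise ValueError(f"type {row.addr_type} needs {n}-byte addr_min and addr_mask")
    if row.addr_type in RANGE_TYPES:
        if len(row.addr_max) != n:
            raise ValueError("range types need addr_max of the same length as addr_min")
        if row.addr_max < row.addr_min:
            raise ValueError("addr_max is below addr_min")
    elif row.addr_max:
        raise ValueError("addr_max must be zero length when no range is used")


def is_valid(row: AddressRow) -> bool:
    try:
        validate_row(row)
        return True
    except ValueError:
        return False


def matches(row: AddressRow, packet_addr: bytes) -> bool:
    """True if packet_addr is selected by the row.

    A zero mask bit means the corresponding address bit always matches, so an
    all-zero addr_min with an all-zero mask is the wildcard. For range types
    the draft does not say how the mask combines with the range; this example
    (an assumption) applies the mask first and then the inclusive range.
    """
    validate_row(row)
    if row.addr_type not in IP_TYPES:
        return packet_addr == row.addr_min      # identity types compare raw octets
    if len(packet_addr) != len(row.addr_min):
        return False                             # an IPv4 row never matches an IPv6 packet
    masked = bytes(p & m for p, m in zip(packet_addr, row.addr_mask))
    if row.addr_type in RANGE_TYPES:
        return row.addr_min <= masked <= row.addr_max
    wanted = bytes(a & m for a, m in zip(row.addr_min, row.addr_mask))
    return masked == wanted
```

The length check runs before every match so that a mis-sized row (the kind of error the "64-bytes" wording in the original descriptions would invite) is rejected rather than matching nothing or everything silently.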
-- draft-ietf-ipsp-ipsecpib-00.txt
--
--
-- The ipSecActionTable
--
ipSecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionEntry
POLICY-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPSec action. It ties IPSec action with IPSec security
association and IKE association."
INDEX { ipSecActionPrid }
UNIQUENESS {
Action,
RemoteGatewayAddressType,
RemoteGatewayAddress,
IpSecSecurityAssociationId,
IPSecIkeActionId
}
::= { ipSecBase 2 }

ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecActionTable 1 }

IpSecActionEntry ::= SEQUENCE {
ipSecActionPrid PolicyInstanceId,
ipSecActionAction INTEGER,
ipSecActionRemoteGatewayAddressType INTEGER,
ipSecActionRemoteGatewayAddress OCTET STRING,
ipSecActionIpSecSecurityAssociationId PolicyReferenceId,
ipSecActionIPSecIkeActionId PolicyReferenceId
}

ipSecActionPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecActionEntry 1 }

ipSecActionAction OBJECT-TYPE
SYNTAX INTEGER {
byPass(1),
discard(2),
transport(3),
tunnel(4)
}
STATUS current
DESCRIPTION
"Specifies the IPSec action to be applied to the traffic.
ByPass(1) means that the packet should pass in clear. Discard (2)
means that the packet should be denied. Transport (3) means that
the packet should be protected with a security association in
transport mode. Tunnel (4) means that the packet should be
protected with a security association in tunnel mode. If Tunnel
(4) is specified, ipSecActionRemoteGatewayAddressType and
ipSecActionRemoteGatewayAddress must also be specified."
::= { ipSecActionEntry 2 }

ipSecActionRemoteGatewayAddressType OBJECT-TYPE
SYNTAX INTEGER {
ipV4(1),
ipV6(2),
fqdn(3)
}
STATUS current
DESCRIPTION
"When ipSecActionAction specifies Tunnel (4), this attribute
specifies the remote gateway address type. This also controls the
length of the OCTET STRING for the
ipSecActionRemoteGatewayAddress attribute.
A value of IPv4 specifies an IPv4 address and an octet string of
length 4.
A value of IPv6 specifies an IPv6 address and an octet string of
length 16.
A value of FQDN specifies a fully qualified domain name and an
octet string of variable length.
If ipSecActionAction does NOT specify Tunnel (4), this object
must be a 0 length integer."
::= { ipSecActionEntry 3 }

ipSecActionRemoteGatewayAddress OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"When ipSecActionAction specifies Tunnel (4), this attribute
specifies the address of the point where the tunnel terminates on
the remote gateway. The length of the string is based upon the
address type specified in ipSecActionRemoteGatewayAddressType.
If ipSecActionAction does NOT specify Tunnel (4), this attribute
must be a 0 length octet string."
::= { ipSecActionEntry 4 }

ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
SYNTAX PolicyReferenceId
STATUS current
DESCRIPTION
"An integer that identifies an IPSec association, specified in
ipSecSecurityAssociationTable, that is associated with this
action.
When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute must have a value of zero. Otherwise, its
value must be greater than zero."
::= { ipSecActionEntry 5 }

ipSecActionIPSecIkeActionId OBJECT-TYPE
SYNTAX PolicyReferenceId
STATUS current
DESCRIPTION
"An integer that identifies an IKE action, specified in
ipSecIkeActionTable, that is associated with this action.
When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute must have a value of zero. Otherwise, its
value must be greater than zero."
::= { ipSecActionEntry 6 }

-- draft-ietf-ipsp-ipsecpib-01.txt
--
--
-- The ipSecSelectorTable
--
ipSecSelectorTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSelectorEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec address selector table. Each row in the selector
table represents multiple selectors. These selectors are obtained as
follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
ranges of ports whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
ranges of ports whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four fields
together with the ipSecSelectorProtocol attribute to form all the
five-tuple selectors.
Selectors constructed from a row inherit all the other attributes of
the row (e.g., ipSecSelectorGranularity)."
INDEX { ipSecSelectorPrid }
UNIQUENESS {
ipSecSelectorSrcAddressGroupId,
ipSecSelectorSrcPortGroupId,
ipSecSelectorDstAddressGroupId,
ipSecSelectorDstPortGroupId,
ipSecSelectorProtocol,
ipSecSelectorGranularity,
ipSecSelectorOrder,
ipSecSelectorStartupCondition,
ipSecSelectorIsOriginator,
ipSecSelectorGroupId
}
::= { ipSecSelector 3 }

ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
ipSecSelectorPrid PolicyInstanceId,
ipSecSelectorSrcAddressGroupId PolicyTagReference,
ipSecSelectorSrcPortGroupId PolicyTagReference,
ipSecSelectorDstAddressGroupId PolicyTagReference,
ipSecSelectorDstPortGroupId PolicyTagReference,
ipSecSelectorProtocol INTEGER,
ipSecSelectorGranularity INTEGER,
ipSecSelectorOrder Unsigned32,
ipSecSelectorStartupCondition BITS,
ipSecSelectorIsOriginator TruthValue,
ipSecSelectorGroupId PolicyTagId
}

ipSecSelectorPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecAddressGroupId
STATUS current
DESCRIPTION
"Specifies source addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId match this value are included as source
addresses."
::= { ipSecSelectorEntry 2 }

ipSecSelectorSrcPortGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecL4PortGroupId
STATUS current
DESCRIPTION
"Specifies source layer 4 port numbers. All ports in ipSecL4PortTable
whose ipSecL4PortGroupId match this value are included."
::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecAddressGroupId
STATUS current
DESCRIPTION
"Specifies destination addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId match this value are included as
destination addresses."
::= { ipSecSelectorEntry 4 }

ipSecSelectorDstPortGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecL4PortGroupId
STATUS current
DESCRIPTION
"Specifies destination layer 4 port numbers. All ports in
ipSecL4PortTable whose ipSecL4PortGroupId match this value are included."
::= { ipSecSelectorEntry 5 }

ipSecSelectorProtocol OBJECT-TYPE
SYNTAX INTEGER (0..255)
STATUS current
DESCRIPTION
"Specifies the IP protocol to match against the packet's protocol. A
value of zero means match all."
::= { ipSecSelectorEntry 6 }

ipSecSelectorGranularity OBJECT-TYPE
SYNTAX INTEGER {
wide(1),
narrow(2)
}
STATUS current
DESCRIPTION
"Specifies how the security associations established may be used.
A value of 1 (Wide) indicates that this security association may be
used by all packets that match the same selector that is matched by
the packet triggering the establishment of this association.
A value of 2 (Narrow) indicates that this security association can be
used only by packets that have exactly the same selector attribute
values as that of the packet triggering the establishment of this
association."
::= { ipSecSelectorEntry 7 }

ipSecSelectorOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the selectors
within the ipSecSelectorGroup. A given precedence order is
positioned before one with a higher-valued precedence order. All
selectors constructed from the same row have the same order. The
position of selectors with the same order is unspecified."
::= { ipSecSelectorEntry 8 }

ipSecSelectorStartupCondition OBJECT-TYPE
SYNTAX BITS {
onBoot(1),
onTraffic(2),
onPolicy(3)
}
STATUS current
DESCRIPTION
"Specifies the triggering event that causes the rule that references
this selector to be applied. OnBoot (1) means that the rule is
triggered after system boot. This selector is used as the selector for
the IPsec action. OnTraffic (2) means that the rule is triggered when
packets without associated security associations are sent or received.
This selector is used as the selector for the IPsec action. OnPolicy
(3) means that the rule is triggered when it becomes valid as specified
by ipSecRuleTimePeriodGroupTable. This selector is used as the
selector for the IPsec action."
::= { ipSecSelectorEntry 9 }

ipSecSelectorIsOriginator OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If ipSecSelectorStartupCondition is either onBoot (1) or onPolicy
(3) and when IPsec associations need to be set up, this PEP should
initiate the establishment if this attribute is True. Otherwise, it
should wait for the other end to initiate the setup."
::= { ipSecSelectorEntry 10 }

ipSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group the selectors constructed from this row belong
to. Selectors in the same group are provided with the same IPsec
services."
::= { ipSecSelectorEntry 11 }
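The five-step expansion in the ipSecSelectorTable description, together with the ordering rule of ipSecSelectorOrder, determines how many concrete selectors one PIB row installs on the PEP and in what precedence. The following Python is an added example, not code from the draft: it performs steps 1 to 5 for the rows of one ipSecSelectorGroupId and sorts them by order. Address rows are referenced by ipSecAddressPrid only (the address matching itself is not repeated here), the port semantics follow ipSecL4PortPortMin/PortMax, and every table below is constructed sample data.

```python
"""Expanding ipSecSelectorTable rows into five-tuple selectors (draft-01 steps 1-5).

Added example, not code from the draft. All tables are constructed sample data.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List


@dataclass(frozen=True)
class PortRow:                 # one ipSecL4PortTable row
    prid: int                  # ipSecL4PortPrid
    port_min: int              # ipSecL4PortPortMin
    port_max: int              # ipSecL4PortPortMax, 0 when no range is used
    group_id: int              # ipSecL4PortGroupId


@dataclass(frozen=True)
class SelectorRow:             # the ipSecSelectorTable attributes used here
    prid: int
    src_addr_group: int        # ipSecSelectorSrcAddressGroupId
    src_port_group: int        # ipSecSelectorSrcPortGroupId
    dst_addr_group: int        # ipSecSelectorDstAddressGroupId
    dst_port_group: int        # ipSecSelectorDstPortGroupId
    protocol: int              # ipSecSelectorProtocol, 0 = match all
    order: int                 # ipSecSelectorOrder
    group_id: int              # ipSecSelectorGroupId


@dataclass(frozen=True)
class FiveTuple:               # one selector constructed from a row
    src_addr_prid: int
    src_port: PortRow
    dst_addr_prid: int
    dst_port: PortRow
    protocol: int
    order: int                 # inherited from the row, like the other attributes
    row_prid: int


def validate_port_row(p: PortRow) -> None:
    if p.port_max != 0 and p.port_max <= p.port_min:
        raise ValueError(f"port row {p.prid}: max must exceed min when a range is used")


def port_matches(p: PortRow, port: int) -> bool:
    """Single port when port_max is 0, otherwise the inclusive range."""
    validate_port_row(p)
    return port == p.port_min if p.port_max == 0 else p.port_min <= port <= p.port_max


def protocol_matches(selector_protocol: int, packet_protocol: int) -> bool:
    return selector_protocol == 0 or selector_protocol == packet_protocol


def expand_selector(row: SelectorRow, addr_groups: Dict[int, List[int]],
                    port_rows: List[PortRow]) -> List[FiveTuple]:
    src_addrs = addr_groups.get(row.src_addr_group, [])                     # step 1
    dst_addrs = addr_groups.get(row.dst_addr_group, [])                     # step 2
    src_ports = [p for p in port_rows if p.group_id == row.src_port_group]  # step 3
    dst_ports = [p for p in port_rows if p.group_id == row.dst_port_group]  # step 4
    return [FiveTuple(sa, sp, da, dp, row.protocol, row.order, row.prid)    # step 5
            for sa, sp, da, dp in product(src_addrs, src_ports, dst_addrs, dst_ports)]


def selectors_for_group(group_id: int, selector_rows: List[SelectorRow],
                        addr_groups: Dict[int, List[int]], port_rows: List[PortRow]) -> List[FiveTuple]:
    """Every selector of one ipSecSelectorGroupId, lowest ipSecSelectorOrder first.

    Rows with equal order keep table order here; the draft leaves that position
    unspecified, so a PEP must not rely on it.
    """
    rows = sorted((r for r in selector_rows if r.group_id == group_id), key=lambda r: r.order)
    out: List[FiveTuple] = []
    for r in rows:
        out.extend(expand_selector(r, addr_groups, port_rows))
    return out


# Constructed sample tables: ipSecAddressGroupId -> ipSecAddressPrid list, port rows, selector rows.
ADDR_GROUPS: Dict[int, List[int]] = {10: [1, 2], 20: [3]}
PORT_ROWS = [PortRow(1, 0, 65535, 100), PortRow(2, 443, 0, 200), PortRow(3, 8000, 8080, 200)]
SELECTOR_ROWS = [
    SelectorRow(1, 10, 100, 20, 200, 6, 20, 5),   # TCP from group 10 to group 20, order 20
    SelectorRow(2, 20, 100, 10, 200, 0, 10, 5),   # any protocol, order 10: positioned first
    SelectorRow(3, 10, 100, 10, 100, 0, 1, 9),    # belongs to a different selector group
]
```

Note that an address or port group nobody has populated makes the cross product empty, so the row installs no selector at all rather than a wildcard; that is worth checking when a PEP reports that traffic is unexpectedly bypassing a rule.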
-- draft-ietf-ipsp-ipsecpib-00.txt
--
--
-- The ipSecRuleTable
--
ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry
POLICY-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPSec rules. This is the table that ties selectors and
IPSec actions together."
INDEX { ipSecRulePrid }
UNIQUENESS {
Roles,
Direction,
IpSecSelectorGroupId,
IpSecActionId,
IPSecRuleTimePeriodGroupId
}
::= { ipSecBase 3 }

ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTable 1 }

IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid PolicyInstanceId,
ipSecRuleRoles RoleCombination,
ipSecRuleDirection INTEGER,
ipSecRuleIpSecSelectorGroupId PolicyReferenceId,
ipSecRuleIpSecActionId PolicyReferenceId,
ipSecRuleIPSecRuleTimePeriodGroupId PolicyReferenceId
}

ipSecRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleEntry 1 }

ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"Specifies the role combinations of the interface to which this
IPSec rule should apply."
::= { ipSecRuleEntry 2 }

ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER {
skipping to change at page 19, line 25
out(2),
bi-directional(3)
}
STATUS current
DESCRIPTION
"Specifies the direction of traffic to which this rule should
apply."
::= { ipSecRuleEntry 3 }

ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyReferenceId
STATUS current
DESCRIPTION
"This attribute identifies the IPSec selector group, defined in
ipSecSelectorTable, that is associated with this rule. This value
must match an ipSecSelectorGroupId attribute in the
ipSecSelectorTable."
::= { ipSecRuleEntry 4 }

ipSecRuleIpSecActionId OBJECT-TYPE
SYNTAX PolicyReferenceId
STATUS current
DESCRIPTION
"This attribute identifies the IPSec action, defined in
ipSecActionTable, that is associated with this rule."
::= { ipSecRuleEntry 5 }

ipSecRuleIPSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyReferenceId
STATUS current
DESCRIPTION
"This attribute identifies an IPSec rule time period group,
specified in ipSecRuleTimePeriodGroupTable, that is associated
with this rule.
A value of zero indicates that this IPSec rule is always valid
until being deleted."
::= { ipSecRuleEntry 6 }

-- draft-ietf-ipsp-ipsecpib-01.txt
--
--
-- The ipSecRuleTable
--
ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec rules."
INDEX { ipSecRulePrid }
UNIQUENESS {
ipSecRuleRoles,
ipSecRuleDirection,
ipSecRuleIpSecSelectorGroupId,
ipSecRuleIpSecActionGroupId,
ipSecRuleIpSecRuleTimePeriodGroupId
}
::= { ipSecAssociation 4 }

ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTable 1 }

IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid PolicyInstanceId,
ipSecRuleRoles RoleCombination,
ipSecRuleDirection INTEGER,
ipSecRuleIpSecSelectorGroupId PolicyTagReference,
ipSecRuleIpSecActionGroupId PolicyTagReference,
ipSecRuleIpSecRuleTimePeriodGroupId PolicyTagReference
}

ipSecRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleEntry 1 }

ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"Specifies the role combinations of the interface to which this
IPSec rule should apply."
::= { ipSecRuleEntry 2 }

ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER {
skipping to change at line 926
out(2),
bi-directional(3)
}
STATUS current
DESCRIPTION
"Specifies the direction of traffic to which this rule should
apply."
::= { ipSecRuleEntry 3 }

ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecSelectorGroupId
STATUS current
DESCRIPTION
"Identifies the selectors to be associated with this IPSec rule. The
selectors in the ipSecSelectorTable whose ipSecSelectorGroupId
matches this attribute are provided with the IPSec services
specified by this rule."
::= { ipSecRuleEntry 4 }

ipSecRuleIpSecActionGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecActionActionGroupId
STATUS current
DESCRIPTION
"This attribute identifies the IPsec action group that is
associated with this rule. All actions specified in ipSecActionTable
whose ipSecActionActionGroupId match the value of this attribute
must be applied."
::= { ipSecRuleEntry 5 }

ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current
DESCRIPTION
"This attribute identifies an IPsec rule time period group,
specified in ipSecRuleTimePeriodGroupTable, that is associated with
this rule.
A value of zero indicates that this IPsec rule is always valid until
being deleted."
::= { ipSecRuleEntry 6 }
-- draft-ietf-ipsp-ipsecpib-00.txt
--
--
-- The ipSecSecurityAssociationTable
--
ipSecSecurityAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSecurityAssociationEntry
POLICY-ACCESS install
STATUS current
DESCRIPTION
"Specifies attributes associated with IPSec associations"
INDEX { ipSecSecurityAssociationPrid }
UNIQUENESS {
RefreshThresholdSeconds,
RefreshThresholdKilobytes,
MinLifetimeSeconds,
MinLifetimeKilobytes,
TrafficIdleTime,
UsePfs,
UseIkeGroup,
DhGroup,
Granularity,
ProposalGroupId
}
::= { ipSecSecurityAssociation 1 }

ipSecSecurityAssociationEntry OBJECT-TYPE
SYNTAX IpSecSecurityAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecSecurityAssociationTable 1 }

IpSecSecurityAssociationEntry ::= SEQUENCE {
ipSecSecurityAssociationPrid PolicyInstanceId,
ipSecSecurityAssociationRefreshThresholdSeconds INTEGER,
ipSecSecurityAssociationRefreshThresholdKilobytes INTEGER,
ipSecSecurityAssociationMinLifetimeSeconds Unsigned32,
ipSecSecurityAssociationMinLifetimeKilobytes Unsigned32,
ipSecSecurityAssociationTrafficIdleTime Unsigned32,
ipSecSecurityAssociationUsePfs TruthValue,
ipSecSecurityAssociationUseIkeGroup TruthValue,
ipSecSecurityAssociationDhGroup Unsigned32,
ipSecSecurityAssociationGranularity INTEGER,
ipSecSecurityAssociationProposalGroupId PolicyReferenceId
}

ipSecSecurityAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecSecurityAssociationEntry 1 }

ipSecSecurityAssociationRefreshThresholdSeconds OBJECT-TYPE

-- draft-ietf-ipsp-ipsecpib-01.txt
--
--
-- The ipSecActionTable
--
ipSecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec action."
INDEX { ipSecActionPrid }
UNIQUENESS {
ipSecActionAction,
ipSecActionTunnelEndpointId,
ipSecActionDfHandling,
ipSecActionDoLogging,
ipSecActionIpSecSecurityAssociationId,
ipSecActionActionGroupId,
ipSecActionOrder,
ipSecActionIkeRuleId
}
::= { ipSecAssociation 5 }

ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecActionTable 1 }

IpSecActionEntry ::= SEQUENCE {
ipSecActionPrid PolicyInstanceId,
ipSecActionAction INTEGER,
ipSecActionTunnelEndpointId PolicyReferenceId,
ipSecActionDfHandling INTEGER,
ipSecActionDoLogging TruthValue,
ipSecActionIpSecSecurityAssociationId PolicyReferenceId,
ipSecActionActionGroupId PolicyTagId,
ipSecActionOrder Unsigned32,
ipSecActionIkeRuleId PolicyReferenceId
}

ipSecActionPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecActionEntry 1 }

ipSecActionAction OBJECT-TYPE
SYNTAX INTEGER {
byPass(1),
discard(2),
transport(3),
tunnel(4)
}
STATUS current
DESCRIPTION
"Specifies the IPsec action to be applied to the traffic. ByPass(1)
means that the packet should pass in clear. Discard(2) means that
the packet should be denied. Transport(3) means that the packet
should be protected with a security association in transport mode.
Tunnel(4) means that the packet should be protected with a security
association in tunnel mode. If Tunnel (4) is specified,
ipSecActionTunnelEndpointId must also be specified."
::= { ipSecActionEntry 2 }

ipSecActionTunnelEndpointId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAddressTable
STATUS current
DESCRIPTION
"When ipSecActionAction is Tunnel, this attribute specifies the IP
address of the other end of the tunnel. The address specified in
ipSecAddressTable whose ipSecAddressPrid matches this value is the
other end of the tunnel. When ipSecActionAction is not tunnel, this
attribute should be ignored."
::= { ipSecActionEntry 3 }

ipSecActionDfHandling OBJECT-TYPE
SYNTAX INTEGER {
copy(1),
set(2),
clear(3)
}
STATUS current
DESCRIPTION
"When ipSecActionAction is tunnel, this attribute specifies how the
DF bit is managed by the tunnel.
Copy (1) indicates that the DF bit is copied. Set (2) indicates that
the DF bit is set. Clear (3) indicates that the DF bit is cleared.
When ipSecActionAction is not tunnel, this attribute should be
ignored."
::= { ipSecActionEntry 4 }

ipSecActionDoLogging OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies if an audit message should be logged when discard action
is taken."
::= { ipSecActionEntry 5 }

ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAssociationTable
STATUS current
DESCRIPTION
"An integer that identifies an IPsec association, specified in
ipSecAssociationTable, that is associated with this action.
When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute must have a value of zero. Otherwise, its value
must be greater than zero."
::= { ipSecActionEntry 6 }

ipSecActionActionGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this action belongs to. When ipSecActionAction
is bypass or discard, this attribute must be zero. Otherwise, this
attribute must be greater than zero."
::= { ipSecActionEntry 7 }

ipSecActionOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the order in which the actions in this group are applied.
An action with a lower order number is applied before one with a
higher order number."
::= { ipSecActionEntry 8 }

ipSecActionIkeRuleId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecIkeRuleTable
STATUS current
DESCRIPTION
"An integer that identifies an IKE rule, specified in
ipSecIkeRuleTable, that is associated with this IPsec action.
A value of zero means that there is no IKE rule associated."
::= { ipSecActionEntry 9 }
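The ipSecActionTable descriptions impose cross-attribute constraints that a PDP should check before installing a row and a PEP before acting on one: a tunnel action needs an endpoint that really exists in ipSecAddressTable, bypass and discard must carry no security association and no action group, and every other action must reference an existing ipSecAssociationTable row. The Python below is an added example, not code from the draft; it encodes those constraints from the draft-01 descriptions and orders the actions of one ipSecActionActionGroupId by ipSecActionOrder, the way a rule's ipSecRuleIpSecActionGroupId selects them. The sample rows and the sets of existing ipSecAddressPrid and ipSecAssociationPrid values are constructed.

```python
"""Checking ipSecActionTable rows and ordering an action group (draft-01 rules).

Added example, not code from the draft. Sample rows below are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Set


class Action(IntEnum):        # ipSecActionAction
    BYPASS = 1
    DISCARD = 2
    TRANSPORT = 3
    TUNNEL = 4


class DfHandling(IntEnum):    # ipSecActionDfHandling
    COPY = 1
    SET = 2
    CLEAR = 3


@dataclass(frozen=True)
class ActionRow:
    prid: int                 # ipSecActionPrid
    action: int               # ipSecActionAction
    tunnel_endpoint_id: int   # ipSecActionTunnelEndpointId -> ipSecAddressPrid
    df_handling: int          # ipSecActionDfHandling
    do_logging: bool          # ipSecActionDoLogging
    sa_id: int                # ipSecActionIpSecSecurityAssociationId -> ipSecAssociationPrid
    group_id: int             # ipSecActionActionGroupId
    order: int                # ipSecActionOrder
    ike_rule_id: int          # ipSecActionIkeRuleId, 0 = no IKE rule


def validate_action(row: ActionRow, address_prids: Set[int],
                    association_prids: Set[int]) -> List[str]:
    """Return the constraint violations of one row (empty when the row is acceptable)."""
    errors: List[str] = []
    if row.action not in [a.value for a in Action]:
        return [f"row {row.prid}: unknown ipSecActionAction {row.action}"]
    if row.action in (Action.BYPASS, Action.DISCARD):
        # Packets passed in clear or denied carry no SA and belong to no action group.
        if row.sa_id != 0:
            errors.append("security association id must be zero for bypass/discard")
        if row.group_id != 0:
            errors.append("action group id must be zero for bypass/discard")
    else:
        if row.sa_id <= 0:
            errors.append("security association id must be greater than zero")
        elif row.sa_id not in association_prids:
            errors.append(f"security association id {row.sa_id} has no ipSecAssociationTable row")
        if row.group_id <= 0:
            errors.append("action group id must be greater than zero")
    if row.action == Action.TUNNEL:
        # PIB-REFERENCE ipSecAddressTable: the endpoint must be an existing ipSecAddressPrid.
        if row.tunnel_endpoint_id not in address_prids:
            errors.append(f"tunnel endpoint {row.tunnel_endpoint_id} has no ipSecAddressTable row")
        if row.df_handling not in [d.value for d in DfHandling]:
            errors.append(f"unknown ipSecActionDfHandling {row.df_handling}")
    # For non-tunnel actions the endpoint and DF handling are ignored, so they are not checked.
    return errors


def actions_for_group(group_id: int, rows: List[ActionRow]) -> List[ActionRow]:
    """Actions a rule selects through ipSecRuleIpSecActionGroupId, lowest ipSecActionOrder first."""
    return sorted((r for r in rows if r.group_id == group_id), key=lambda r: r.order)


# Constructed sample data: two address rows, one association row, four actions.
ADDRESS_PRIDS = {1, 2}
ASSOCIATION_PRIDS = {7}
ACTION_ROWS = [
    ActionRow(1, Action.TUNNEL, 2, DfHandling.COPY, False, 7, 3, 20, 0),   # acceptable
    ActionRow(2, Action.TRANSPORT, 0, 9, False, 7, 3, 10, 0),               # acceptable; DF value ignored
    ActionRow(3, Action.TUNNEL, 9, DfHandling.SET, False, 7, 3, 30, 0),     # endpoint 9 does not exist
    ActionRow(4, Action.DISCARD, 0, DfHandling.COPY, True, 7, 0, 0, 0),     # discard must not carry an SA
]
```

One consequence of the descriptions is worth noting: because bypass and discard rows must have ipSecActionActionGroupId zero, a rule can only reach them through an action group of zero, so a PDP that wants a deny rule must keep that value usable as a group reference.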
--
--
-- The ipSecAssociationTable
--
ipSecAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAssociationEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies attributes associated with IPsec associations"
INDEX { ipSecAssociationPrid }
UNIQUENESS {
ipSecAssociationRefreshThresholdSeconds,
ipSecAssociationRefreshThresholdKilobytes,
ipSecAssociationMinLifetimeSeconds,
ipSecAssociationMinLifetimeKilobytes,
ipSecAssociationTrafficIdleTime,
ipSecAssociationUsePfs,
ipSecAssociationUseIkeGroup,
ipSecAssociationDhGroup,
ipSecAssociationProposalSetId
}
::= { ipSecAssociation 6 }
ipSecAssociationEntry OBJECT-TYPE
SYNTAX IpSecAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAssociationTable 1 }
IpSecAssociationEntry ::= SEQUENCE {
ipSecAssociationPrid PolicyInstanceId,
ipSecAssociationRefreshThresholdSeconds INTEGER,
ipSecAssociationRefreshThresholdKilobytes INTEGER,
ipSecAssociationMinLifetimeSeconds Unsigned32,
ipSecAssociationMinLifetimeKilobytes Unsigned32,
ipSecAssociationTrafficIdleTime Unsigned32,
ipSecAssociationUsePfs TruthValue,
ipSecAssociationUseIkeGroup TruthValue,
ipSecAssociationDhGroup Unsigned32,
ipSecAssociationProposalSetId PolicyTagReference
}
ipSecAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecAssociationEntry 1 }
-- draft-ietf-ipsp-ipsecpib-00.txt (ipSecSecurityAssociationRefreshThresholdSeconds, continued)
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration (in other words, the
refresh threshold) of an established SA's seconds lifetime at
which to begin re-negotiation of the SA.
A value of 100 means that re-negotiation does not occur until the
seconds lifetime value has expired."
::= { ipSecSecurityAssociationEntry 2 }

ipSecSecurityAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin re-negotiation of the SA.
A value of 100 means that re-negotiation does not occur until the
kilobyte lifetime value has expired."
::= { ipSecSecurityAssociationEntry 3 }

ipSecSecurityAssociationMinLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be accepted
from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecSecurityAssociationEntry 4 }

ipSecSecurityAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this
action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecSecurityAssociationEntry 5 }

ipSecSecurityAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle
(in other words, no traffic protected by the SA) before it is
deleted.
A value of zero indicates that there is no idle time detection.
The expiration of the SA is determined by the expiration of one
of the lifetime values."
::= { ipSecSecurityAssociationEntry 6 }

ipSecSecurityAssociationUsePfs OBJECT-TYPE

-- draft-ietf-ipsp-ipsecpib-01.txt
ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration (in other words, the refresh
threshold) of an established SA's seconds lifetime at which to begin
renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired."
::= { ipSecAssociationEntry 2 }

ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100)
STATUS current
DESCRIPTION
"Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
kilobyte lifetime value has expired."
::= { ipSecAssociationEntry 3 }

ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be
accepted from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecAssociationEntry 4 }

ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted from
a negotiating peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecAssociationEntry 5 }

ipSecAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle (in
other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. The
expiration of the SA is determined by the expiration of one of the
lifetime values."
::= { ipSecAssociationEntry 6 }
ipSecAssociationUsePfs OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If true, PFS should be used when negotiating the phase two IPSec "If true, PFS should be used when negotiating the phase two IPsec
SA. SA.
" "
::= { ipSecSecurityAssociationEntry 7 } ::= { ipSecAssociationEntry 7 }
ipSecSecurityAssociationUseIkeGroup OBJECT-TYPE ipSecAssociationUseIkeGroup OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If true, the phase two DH group number should be the same as "If true, the phase two DH group number should be the same as that
that of phase 1. Otherwise, the group number specified by the of phase 1. Otherwise, the group number specified by the
ipSecSecurityAssociationDhGroup attribute should be used. ipSecSecurityAssociationDhGroup attribute should be used.
This attribute is ignored if ipSecSecurityAssociationUsePfs is This attribute is ignored if ipSecSecurityAssociationUsePfs is
false." false."
::= { ipSecSecurityAssociationEntry 8 } ::= { ipSecAssociationEntry 8 }
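Review bot: the ipSecAssociationUseIkeGroup description still names ipSecSecurityAssociationDhGroup and ipSecSecurityAssociationUsePfs, but this revision renames those attributes to ipSecAssociationDhGroup and ipSecAssociationUsePfs (the ipSecAssociationEntry 7 and ipSecAssociationEntry 9 definitions); carry the rename into the description text, and use "phase one"/"phase two" consistently instead of mixing in "phase 1".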
ipSecSecurityAssociationDhGroup OBJECT-TYPE ipSecAssociationDhGroup OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If PFS should be used during IKE phase two and "If PFS should be used during IKE phase two and
ipSecSecurityAssociationUseIkeGroup is false, this attribute ipSecSecurityAssociationUseIkeGroup is false, this attribute
specifies the Diffie-Hellman group to use. specifies the Diffie-Hellman group to use.
This attribute is ignored if ipSecSecurityAssociationUsePfs is This attribute is ignored if ipSecSecurityAssociationUsePfs is
false." false."
::= { ipSecSecurityAssociationEntry 9 } ::= { ipSecAssociationEntry 9 }
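Review bot: ipSecAssociationDhGroup has the same stale references (ipSecSecurityAssociationUseIkeGroup, ipSecSecurityAssociationUsePfs) that the rename did not reach. The description also never says which numbering the Unsigned32 group value uses; stating that it is the IKE Diffie-Hellman group identifier, not a module-local index, removes a guess for the PEP.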
ipSecSecurityAssociationGranularity OBJECT-TYPE
SYNTAX INTEGER { ipSecAssociationProposalSetId OBJECT-TYPE
wide(1), SYNTAX PolicyTagReference
narrow(2) PIB-TAG ipSecProposalSetProposalSetId
}
STATUS current
DESCRIPTION
"Specifies how this security association may be used.
A value of 1 (Wide) indicates that this security association may
be used by all packets that match the same selector that is
matched by the packet triggering the establishment of this
association.
A value of 2 (Narrow) indicates that this security association
can be used only by packets that have exactly the same selector
attribute values as that of the packet triggering the
establishment of this association.
" ::= { ipSecSecurityAssociationEntry 10 }
ipSecSecurityAssociationProposalGroupId OBJECT-TYPE
SYNTAX PolicyReferenceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IPSec proposal group, specified "An integer that identifies the IPsec proposal set, specified in
in ipSecProposalGroupTable, that is associated with this action." ipSecProposalGroupTable, that is associated with this IPsec
::= { ipSecSecurityAssociationEntry 11 } association."
::= { ipSecAssociationEntry 10 }
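Review bot: the ipSecAssociationProposalSetId description says the set is "specified in ipSecProposalGroupTable", but that table is renamed ipSecProposalSetTable in this revision and the PIB-TAG already points at ipSecProposalSetProposalSetId; align the description. Separately, the old ipSecSecurityAssociationGranularity attribute (wide/narrow selector matching) is dropped from the entry with nothing visible taking its place; if the selector-granularity choice now lives elsewhere, say so, otherwise the removal should be deliberate and recorded in the change list.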
-- --
-- --
-- The ipSecProposalGroupTable -- The ipSecProposalSetTable
-- --
ipSecProposalGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalGroupEntry Li, et al Expires January, 2000 23
POLICY-ACCESS install IPsec Policy Information Base October, 2000
ipSecProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalSetEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPSec proposal groups. Proposals within a group are "Specifies IPsec proposal sets. Proposals within a set are ORed with
ORed with preference order." preference order."
INDEX { ipSecProposalGroupPrid } INDEX { ipSecProposalSetPrid }
UNIQUENESS { UNIQUENESS {
ProposalGroupId, ipSecProposalSetProposalSetId,
ProposalId ipSecProposalSetProposalId,
ipSecProposalSetOrder
} }
::= { ipSecSecurityAssociation 2 } ::= { ipSecAssociation 7 }
ipSecProposalGroupEntry OBJECT-TYPE ipSecProposalSetEntry OBJECT-TYPE
SYNTAX IpSecProposalGroupEntry SYNTAX IpSecProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecProposalGroupTable 1 } ::= { ipSecProposalSetTable 1 }
IpSecProposalGroupEntry ::= SEQUENCE { IpSecProposalSetEntry ::= SEQUENCE {
ipSecProposalGroupPrid ipSecProposalSetPrid PolicyInstanceId,
PolicyInstanceId, ipSecProposalSetProposalSetId PolicyTagId,
ipSecProposalGroupProposalGroupId ipSecProposalSetProposalId PolicyReferenceId,
Unsigned32, ipSecProposalSetOrder Unsigned32
ipSecProposalGroupProposalId
PolicyReferenceId,
ipSecProposalGroupOrder
Unsigned32
} }
ipSecProposalGroupPrid OBJECT-TYPE ipSecProposalSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecProposalGroupEntry 1 } ::= { ipSecProposalSetEntry 1 }
ipSecProposalGroupProposalGroupId OBJECT-TYPE ipSecProposalSetProposalSetId OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies an IPSec proposal group" "An integer that identifies an IPsec proposal set"
::= { ipSecProposalGroupEntry 2 } ::= { ipSecProposalSetEntry 2 }
ipSecProposalGroupProposalId OBJECT-TYPE
ipSecProposalSetProposalId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecProposalTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPSec Proposal, specified by "An integer that identifies an IPsec Proposal, specified by
ipSecProposalTable, that is included in this group." ipSecProposalTable, that is included in this set."
::= { ipSecProposalGroupEntry 3 } ::= { ipSecProposalSetEntry 3 }
ipSecProposalGroupOrder OBJECT-TYPE Li, et al Expires January, 2000 24
IPsec Policy Information Base October, 2000
ipSecProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order, within the "An integer that specifies the precedence order of the proposal
ProposalGroup, of the proposal identified by identified by ipSecProposalSetProposalId in a proposal set. The
ipSecProposalGroupProposalId. Proposals within a group are ORed proposal set is identified by ipSecProposalSetProposalSetId.
with preference order. A given precedence order is positioned Proposals within a set are ORed with preference order. A given
before one with a higher-valued precedence order." precedence order is positioned before one with a higher-valued
::= { ipSecProposalGroupEntry 4 } precedence order."
::= { ipSecProposalSetEntry 4 }
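Review bot: UNIQUENESS on ipSecProposalSetTable is the triple (ipSecProposalSetProposalSetId, ipSecProposalSetProposalId, ipSecProposalSetOrder), so two proposals in one set may carry the same ipSecProposalSetOrder value, and the description ("A given precedence order is positioned before one with a higher-valued precedence order") does not say how a tie is ordered. Either require the order to be unique within a set or state the tie-break rule, since this order is what the peer is offered.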
-- --
-- --
-- The ipSecProposalTable -- The ipSecProposalTable
-- --
ipSecProposalTable OBJECT-TYPE ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry SYNTAX SEQUENCE OF IpSecProposalEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IPSec proposal. It has references to ESP, AH and "Specifies an IPsec proposal. It has references to ESP, AH and
IPComp Transform groups. Within a proposal, different types of IPComp Transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transforms, the choices transforms are ANDed. Within one type of transforms, the choices are
are ORed with preference order." ORed with preference order."
INDEX { ipSecProposalPrid } INDEX { ipSecProposalPrid }
UNIQUENESS { UNIQUENESS {
LifetimeKilobytes, ipSecProposalLifetimeKilobytes,
LifetimeSeconds, ipSecProposalLifetimeSeconds,
EspTransformGroupId, ipSecProposalEspTransformSetId,
AhTransformGroupId, ipSecProposalAhTransformSetId,
CompTransformGroupId ipSecProposalCompTransformSetId
} }
::= { ipSecSecurityAssociation 3 } ::= { ipSecAssociation 8 }
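Review bot: "Within one type of transforms, the choices are ORed with preference order" in the ipSecProposalTable description should read "Within one transform type, the choices are ORed with preference order". This sentence is also the only place that says the ESP, AH and IPComp sets are ANDed; a short example in the description (ESP set AND IPComp set, each set offering alternatives in order) would make the AND/OR nesting unambiguous.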
ipSecProposalEntry OBJECT-TYPE ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry SYNTAX IpSecProposalEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecProposalTable 1 } ::= { ipSecProposalTable 1 }
IpSecProposalEntry ::= SEQUENCE { IpSecProposalEntry ::= SEQUENCE {
ipSecProposalPrid ipSecProposalPrid PolicyInstanceId,
PolicyInstanceId, ipSecProposalLifetimeKilobytes Unsigned32,
ipSecProposalLifetimeKilobytes ipSecProposalLifetimeSeconds Unsigned32,
Unsigned32, ipSecProposalEspTransformSetId PolicyTagReference,
ipSecProposalLifetimeSeconds ipSecProposalAhTransformSetId PolicyTagReference,
Unsigned32, ipSecProposalCompTransformSetId PolicyTagReference
ipSecProposalEspTransformGroupId
PolicyReferenceId,
ipSecProposalAhTransformGroupId
PolicyReferenceId,
ipSecProposalCompTransformGroupId
PolicyReferenceId
} }
ipSecProposalPrid OBJECT-TYPE ipSecProposalPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecProposalEntry 1 } ::= { ipSecProposalEntry 1 }
ipSecProposalLifetimeKilobytes OBJECT-TYPE ipSecProposalLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal. "Specifies the kilobyte lifetime for this particular proposal.
A value of zero indicates that there is no kilobyte lifetime.
" A value of zero indicates that there is no kilobyte lifetime."
::= { ipSecProposalEntry 2 } ::= { ipSecProposalEntry 2 }
ipSecProposalLifetimeSeconds OBJECT-TYPE ipSecProposalLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the seconds lifetime for this particular proposal. "Specifies the seconds lifetime for this particular proposal.
A value of zero indicates that the lifetime value defaults to 8 A value of zero indicates that the lifetime value defaults to 8
hours. hours.
" "
::= { ipSecProposalEntry 3 } ::= { ipSecProposalEntry 3 }
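Review bot: ipSecProposalLifetimeSeconds and ipSecProposalLifetimeKilobytes give zero opposite meanings: zero kilobytes means "no kilobyte lifetime", zero seconds means "defaults to 8 hours". Always having a time-based expiry is a sound choice, but it is not stated as one; add a sentence saying that a seconds lifetime is always in effect and that 8 hours is the fallback, so a reader does not assume zero disables it.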
ipSecProposalEspTransformGroupId OBJECT-TYPE
SYNTAX PolicyReferenceId ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecEspTransformSetTransformSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the ESP transform group, specified in "An integer that identifies the ESP transform set, specified in
ipSecEspTransformGroupTable, that is associated with this ipSecEspTransformSetTable, that is associated with this proposal."
proposal."
::= { ipSecProposalEntry 4 } ::= { ipSecProposalEntry 4 }
ipSecProposalAhTransformGroupId OBJECT-TYPE ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyTagReference
PIB-TAG ipSecAhTransformSetTransformSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the AH transform group, specified in "An integer that identifies the AH transform set, specified in
ipSecAhTransformGroupTable, that is associated with this ipSecAhTransformSetTable, that is associated with this proposal."
proposal."
::= { ipSecProposalEntry 5 } ::= { ipSecProposalEntry 5 }
ipSecProposalCompTransformGroupId OBJECT-TYPE ipSecProposalCompTransformSetId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyTagReference
PIB-TAG ipSecCompTransformSetTransformId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IPComp transform group, specified "An integer that identifies the IPComp transform set, specified in
in ipSecCompTransformGroupTable, that is associated with this ipSecCompTransformSetTable, that is associated with this proposal."
proposal."
::= { ipSecProposalEntry 6 } ::= { ipSecProposalEntry 6 }
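Review bot: the PIB-TAG on ipSecProposalCompTransformSetId is ipSecCompTransformSetTransformId, while its ESP and AH siblings use ipSecEspTransformSetTransformSetId and ipSecAhTransformSetTransformSetId; the IPComp tag appears to have lost "Set" and should be checked against the ipSecCompTransformSetTable definition. None of the three descriptions say what value means "no transform of this type in this proposal", which an ESP-only or AH-only proposal needs.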
-- --
-- --
-- The ipSecIkeActionTable -- The ipSecIkeAssociationTable
-- --
ipSecIkeActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeActionEntry ipSecIkeAssociationTable OBJECT-TYPE
POLICY-ACCESS install SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes related to IKE action" "Specifies attributes related to IKE associations."
INDEX { ipSecIkeActionPrid } INDEX { ipSecIkeAssociationPrid }
UNIQUENESS { UNIQUENESS {
RefreshThresholdSeconds, ipSecIkeAssociationRefreshThresholdSeconds,
RefreshThresholdKilobytes, ipSecIkeAssociationRefreshThresholdKilobytes,
MinLiftetimeSeconds, ipSecIkeAssociationMinLiftetimeSeconds,
MinLifetimeKilobytes, ipSecIkeAssociationMinLifetimeKilobytes,
TrafficIdleTime, ipSecIkeAssociationTrafficIdleTime,
ExchangeMode, ipSecIkeAssociationExchangeMode,
RefreshThresholdDerivedKeys, ipSecIkeAssociationRefreshThresholdDerivedKeys,
UseIkeIdentityType, ipSecIkeAssociationIKEProposalSetId
IKEProposalGroupId
} }
::= { ipSecIkeAssociation 1 } ::= { ipSecIkeAssociation 9 }
ipSecIkeActionEntry OBJECT-TYPE ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeActionEntry SYNTAX IpSecIkeAssociationEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecIkeActionTable 1 } ::= { ipSecIkeAssociationTable 1 }
IpSecIkeActionEntry ::= SEQUENCE { IpSecIkeAssociationEntry ::= SEQUENCE {
ipSecIkeActionPrid ipSecIkeAssociationPrid PolicyInstanceId,
PolicyInstanceId, ipSecIkeAssociationRefreshThresholdSeconds INTEGER,
ipSecIkeActionRefreshThresholdSeconds ipSecIkeAssociationRefreshThresholdKilobytes INTEGER,
INTEGER, ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeActionRefreshThresholdKilobytes ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
INTEGER, ipSecIkeAssociationTrafficIdleTime Unsigned32,
ipSecIkeActionMinLiftetimeSeconds ipSecIkeAssociationExchangeMode INTEGER,
Unsigned32, ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER,
ipSecIkeActionMinLifetimeKilobytes ipSecIkeAssociationIKEProposalSetId PolicyTagReference
Unsigned32,
ipSecIkeActionTrafficIdleTime
Unsigned32,
ipSecIkeActionExchangeMode
INTEGER,
ipSecIkeActionRefreshThresholdDerivedKeys
INTEGER,
ipSecIkeActionUseIkeIdentityType
INTEGER,
ipSecIkeActionIKEProposalGroupId
PolicyReferenceId
} }
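Review bot: IpSecIkeAssociationEntry drops ipSecIkeActionUseIkeIdentityType, and the UNIQUENESS clause above drops UseIkeIdentityType, without any attribute in this table taking its place; that enumeration (ipV4-Address through key-Id) was how an IKE action chose the identity to present. If identity selection moved to the new ipSecIkeRuleTable or elsewhere, say so in the description; if it was removed, the change list should record it.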
ipSecIkeActionPrid OBJECT-TYPE
ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeActionEntry 1 } ::= { ipSecIkeAssociationEntry 1 }
ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE
ipSecIkeActionRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration (in other words, the "Specifies the percentage of expiration (in other words, the refresh
refresh threshold) of an established SA's seconds lifetime at threshold) of an established SA's seconds lifetime at which to begin
which to begin re-negotiation of the SA. renegotiation of the SA.
A value of 100 means that re-negotiation does not occur until the
seconds lifetime value has expired.
"
::= { ipSecIkeActionEntry 2 }
ipSecIkeActionRefreshThresholdKilobytes OBJECT-TYPE A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired."
::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established SA's "Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin re-negotiation of the SA. kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that re-negotiation does not occur until the
A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired." seconds lifetime value has expired."
::= { ipSecIkeActionEntry 3 } ::= { ipSecIkeAssociationEntry 3 }
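Review bot: ipSecIkeAssociationRefreshThresholdKilobytes has the same copied sentence as its IPsec counterpart: "renegotiation does not occur until the seconds lifetime value has expired" should say "kilobyte lifetime value".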
ipSecIkeActionMinLiftetimeSeconds OBJECT-TYPE ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be "Specifies the minimum SA seconds lifetime that will be
accepted from a peer while negotiating an SA based upon this accepted from a peer while negotiating an SA based upon this action.
action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeActionEntry 4 } ::= { ipSecIkeAssociationEntry 4 }
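Review bot: ipSecIkeAssociationMinLiftetimeSeconds carries the "Liftetime" misspelling of the old ipSecIkeActionMinLiftetimeSeconds into the renamed object, its SEQUENCE member and the UNIQUENESS clause; object names become part of the PIB's stable interface, so rename it to ipSecIkeAssociationMinLifetimeSeconds now, matching ipSecIkeAssociationMinLifetimeKilobytes.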
ipSecIkeActionMinLifetimeKilobytes OBJECT-TYPE
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the minimum kilobyte lifetime that will be accepted from
from a negotiating peer while negotiating an SA based upon this a negotiating peer while negotiating an SA based upon this action.
action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeActionEntry 5 } ::= { ipSecIkeAssociationEntry 5 }
ipSecIkeActionTrafficIdleTime OBJECT-TYPE ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle "Specifies the amount of time in seconds an SA may remain idle (in
(in other words, no traffic protected by the SA) before it is other words, no traffic protected by the SA) before it is deleted.
deleted. A value of zero indicates that there is no idle time detection. The
A value of zero indicates that there is no idle time detection. expiration of the SA is determined by the expiration of one of the
The expiration of the SA is determined by the expiration of one lifetime values.
of the lifetime values.
" "
::= { ipSecIkeActionEntry 6 } ::= { ipSecIkeAssociationEntry 6 }
ipSecIkeActionExchangeMode OBJECT-TYPE
ipSecIkeAssociationExchangeMode OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
baseMode(1), baseMode(1),
mainMode(2), mainMode(2),
aggressiveMode(4) aggressiveMode(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the negotiation mode that the IKE server will use for "Specifies the negotiation mode that the IKE server will use for
phase one. phase one. "
" ::= { ipSecIkeAssociationEntry 7 }
::= { ipSecIkeActionEntry 7 }
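Review bot: ipSecIkeAssociationExchangeMode enumerates baseMode(1), mainMode(2), aggressiveMode(4) and skips 3. If the values are meant as flags so a PEP may offer several modes, INTEGER with named numbers cannot express a combination (BITS can); if a single mode is meant, as "the negotiation mode that the IKE server will use" suggests, renumber consecutively or say why 3 is unused.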
ipSecIkeActionRefreshThresholdDerivedKeys OBJECT-TYPE ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established IKE "Specifies the percentage of expiration of an established IKE SA's
SA's derived keys lifetime at which to begin re-negotiation of derived keys lifetime at which to begin renegotiation of the SA.
the SA.
A value of 100 means that re-negotiation does not occur until the
derived key lifetime value has expired.
"
::= { ipSecIkeActionEntry 8 }
ipSecIkeActionUseIkeIdentityType OBJECT-TYPE A value of 100 means that renegotiation does not occur until the
SYNTAX INTEGER { derived key lifetime value has expired. "
ipV4-Address(1), ::= { ipSecIkeAssociationEntry 8 }
fqdn(2),
user-Fqdn(3), ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
ipV4-Subnet(4), SYNTAX PolicyTagReference
ipV6-Address(5), PIB-TAG ipSecIkeProposalSetProposalSetId
ipV6-Subnet(6), STATUS current
ipV4-Address-Range(7), DESCRIPTION
ipV6-Address-Range(8), "An integer that identifies the IKE proposal set, specified in
der-Asn1-DN(9), ipSecIkeProposalGroupTable, that is associated with this IKE
der-Asn1-GN(10), association."
key-Id(11) ::= { ipSecIkeAssociationEntry 9 }
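Review bot: ipSecIkeAssociationIKEProposalSetId says the set is "specified in ipSecIkeProposalGroupTable", but that table is renamed ipSecIkeProposalSetTable in this revision, which the PIB-TAG ipSecIkeProposalSetProposalSetId already reflects; update the description. The attribute name also capitalises "IKE" unlike every surrounding ipSecIke... name.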
--
--
-- The ipSecIkeRuleTable
--
ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE rule."
INDEX { ipSecIkeRulePrid }
UNIQUENESS {
ipSecIkeRuleRoles,
ipSecIkeRuleIkeAssiciationId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId,
ipSecIkeRuleIkeEndpointGroupId
} }
::= { ipSecIkeAssociation 10 }
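Review bot: ipSecIkeRuleTable has no precedence attribute, and its UNIQUENESS clause (roles, association, time period group, endpoint group) permits several rules for the same role combination, time period and endpoint group that differ only in the IKE association they select; nothing says which one applies. Add an order attribute or state that the (roles, time period, endpoint group) combination must be unique. The description "Specifies IKE rule." should also say what a rule binds together: a role combination, a validity period and an endpoint group to one IKE association.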
ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IKE identity to use during negotiation." "Specifies an instance of this class"
::= { ipSecIkeActionEntry 9 } ::= { ipSecIkeRuleTable 1 }
ipSecIkeActionIKEProposalGroupId OBJECT-TYPE
IpSecIkeRuleEntry ::= SEQUENCE {
ipSecIkeRulePrid PolicyInstanceId,
ipSecIkeRuleRoles RoleCombination,
ipSecIkeRuleIkeAssiciationId PolicyReferenceId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId PolicyTagReference,
ipSecIkeRuleIkeEndpointGroupId PolicyTagReference
}
ipSecIkeRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeRuleEntry 1 }
ipSecIkeRuleRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"Specifies the role combinations of the interface to which this IKE
rule should apply."
::= { ipSecIkeRuleEntry 2 }
ipSecIkeRuleIkeAssiciationId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecIkeAssociationTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IKE proposal group, specified in "This attribute identifies the IKE action, specified in
ipSecIkeProposalGroupTable, that is associated with this action." ipSecIkeAssociationTable, that is associated with this rule"
::= { ipSecIkeActionEntry 10 } ::= { ipSecIkeRuleEntry 3 }
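Review bot: ipSecIkeRuleIkeAssiciationId is misspelled ("Assiciation") in the object name, the SEQUENCE member and the UNIQUENESS clause, and its description still calls the referenced row "the IKE action" although the table it points to is ipSecIkeAssociationTable; rename to ipSecIkeRuleIkeAssociationId and say "the IKE association". The description is also missing its closing period.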
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current
DESCRIPTION
"This attribute identifies an IPsec rule time period group,
sepcified in ipSecRuleTimePeriodGroupTable, that is associated with
this IKE rule
A value of zero indicates that this IKE rule is always valid until
being deleted."
::= { ipSecIkeRuleEntry 4 }
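Review bot: ipSecIkeRuleIpSecRuleTimePeriodGroupId names ipSecRuleTimePeriodGroupTable in its description while its PIB-TAG is ipSecRuleTimePeriodSetRuleTimePeriodSetId (Set, not Group); settle on one table name. "sepcified" is a typo, and "that is associated with this IKE rule" has no terminator before "A value of zero indicates". The zero-means-always-valid rule is useful and should be stated the same way for every PolicyTagReference that may be left unset.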
ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE
SYNTAX PolicyTagReference
PIB-TAG ipSecIkeEndpointGroupId
STATUS current
DESCRIPTION
"An integer that identifies a group of endpoints with which this PEP
may set up IKE associations. The endpoints specified in
ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this
attribute are the endpoints involved. "
::= { ipSecIkeRuleEntry 5 }
-- --
-- --
-- The ipSecIkeProposalGroupTable -- The ipSecIkeProposalSetTable
-- --
ipSecIkeProposalGroupTable OBJECT-TYPE ipSecIkeProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalGroupEntry SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE proposal groups. Proposals within a group are ORed "Specifies IKE proposal sets. Proposals within a set are ORed with
with preference order. " preference order. "
INDEX { ipSecIkeProposalGroupPrid } INDEX { ipSecIkeProposalSetPrid }
UNIQUENESS { UNIQUENESS {
ProposalGroupId, ipSecIkeProposalSetProposalSetId,
ProposalId ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder
} }
::= { ipSecIkeAssociation 2 } ::= { ipSecIkeAssociation 11 }
ipSecIkeProposalGroupEntry OBJECT-TYPE ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalGroupEntry SYNTAX IpSecIkeProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecIkeProposalGroupTable 1 } ::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalGroupEntry ::= SEQUENCE { IpSecIkeProposalSetEntry ::= SEQUENCE {
ipSecIkeProposalGroupPrid ipSecIkeProposalSetPrid PolicyInstanceId,
PolicyInstanceId, ipSecIkeProposalSetProposalSetId PolicyTagId,
ipSecIkeProposalGroupProposalGroupId ipSecIkeProposalSetProposalId PolicyReferenceId,
Unsigned32, ipSecIkeProposalSetOrder Unsigned32
ipSecIkeProposalGroupProposalId
PolicyReferenceId,
ipSecIkeProposalGroupOrder
Unsigned32
} }
ipSecIkeProposalGroupPrid OBJECT-TYPE
ipSecIkeProposalSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalGroupEntry 1 } ::= { ipSecIkeProposalSetEntry 1 }
ipSecIkeProposalGroupProposalGroupId OBJECT-TYPE ipSecIkeProposalSetProposalSetId OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an IKE proposal group. " "An integer that uniquely identifies an IKE proposal set. "
::= { ipSecIkeProposalGroupEntry 2 } ::= { ipSecIkeProposalSetEntry 2 }
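Review bot: ipSecIkeProposalSetProposalSetId is described as "An integer that uniquely identifies an IKE proposal set", but every row of a set carries the same value and UNIQUENESS is the (set id, proposal id, order) triple, so the value identifies the set rather than the row; drop "uniquely" or say "shared by all entries of the set", as the IPsec counterpart ipSecProposalSetProposalSetId already does.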
ipSecIkeProposalGroupProposalId OBJECT-TYPE ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecIkeProposalTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IKE proposal, specified by the "An integer that identifies an IKE proposal, specified by the
ipSecIkeProposalTable, that is included in this group." ipSecIkeProposalTable, that is included in this set."
::= { ipSecIkeProposalGroupEntry 3 } ::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalGroupOrder OBJECT-TYPE ipSecIkeProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order, within the "An integer that specifies the precedence order of the proposal
ProposalGroup, of the proposal identified by identified by ipSecIkeProposalSetProposalId in a proposal set. The
ipSecIkeProposalGroupProposalId. Proposals within a group are proposal set is identified by ipSecIkeProposalSetProposalSetId.
ORed with preference order. A given precedence order is Proposals within a set are ORed with preference order. A given
positioned before one with a higher-valued precedence order." precedence order is positioned before one with a higher-valued
::= { ipSecIkeProposalGroupEntry 4 } precedence order."
::= { ipSecIkeProposalSetEntry 4 }
-- --
-- --
-- The ipSecIkeProposalTable -- The ipSecIkeProposalTable
-- --
ipSecIkeProposalTable OBJECT-TYPE ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry SYNTAX SEQUENCE OF IpSecIkeProposalEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes associated with an IKE proposal." "Specifies attributes associated with IKE proposals."
INDEX { ipSecIkeProposalPrid } INDEX { ipSecIkeProposalPrid }
UNIQUENESS { UNIQUENESS {
LifetimeSeconds, ipSecIkeProposalMaxLifetimeSeconds,
LifetimeKilobytes, ipSecIkeProposalMaxLifetimeKilobytes,
CipherAlgorithm, ipSecIkeProposalCipherAlgorithm,
HashAlgorithm, ipSecIkeProposalHashAlgorithm,
AuthenticationMethod, ipSecIkeProposalAuthenticationMethod,
LifetimeDerivedKeys, ipSecIkeProposalLifetimeDerivedKeys,
PrfAlgorithm, ipSecIkeProposalPrfAlgorithm,
IkeDhGroup
ipSecIkeProposalIkeDhGroup
} }
::= { ipSecIkeAssociation 3 } ::= { ipSecIkeAssociation 12 }
ipSecIkeProposalEntry OBJECT-TYPE ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry SYNTAX IpSecIkeProposalEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecIkeProposalTable 1 } ::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE { IpSecIkeProposalEntry ::= SEQUENCE {
ipSecIkeProposalPrid ipSecIkeProposalPrid PolicyInstanceId,
PolicyInstanceId, ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
ipSecIkeProposalLifetimeSeconds ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
Unsigned32, ipSecIkeProposalCipherAlgorithm INTEGER,
ipSecIkeProposalLifetimeKilobytes ipSecIkeProposalHashAlgorithm INTEGER,
Unsigned32, ipSecIkeProposalAuthenticationMethod INTEGER,
ipSecIkeProposalCipherAlgorithm ipSecIkeProposalLifetimeDerivedKeys Unsigned32,
INTEGER, ipSecIkeProposalPrfAlgorithm Unsigned32,
ipSecIkeProposalHashAlgorithm ipSecIkeProposalIkeDhGroup Unsigned32
INTEGER,
ipSecIkeProposalAuthenticationMethod
INTEGER,
ipSecIkeProposalLifetimeDerivedKeys
Unsigned32,
ipSecIkeProposalPrfAlgorithm
Unsigned32,
ipSecIkeProposalIkeDhGroup
Unsigned32
} }
ipSecIkeProposalPrid OBJECT-TYPE ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalEntry 1 } ::= { ipSecIkeProposalEntry 1 }
ipSecIkeProposalLifetimeSeconds OBJECT-TYPE ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the seconds lifetime for this particular proposal. "Specifies the seconds lifetime for this particular proposal.
A value of zero indicates that the lifetime value defaults to 8 A value of zero indicates that the lifetime value defaults to 8
hours. hours. "
"
::= { ipSecIkeProposalEntry 2 } ::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalLifetimeKilobytes OBJECT-TYPE ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal. "Specifies the kilobyte lifetime for this particular proposal.
A value of zero indicates that there is no kilobyte lifetime.
" A value of zero indicates that there is no kilobyte lifetime. "
::= { ipSecIkeProposalEntry 3 } ::= { ipSecIkeProposalEntry 3 }
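Review bot: ipSecIkeProposalMaxLifetimeSeconds and ipSecIkeProposalMaxLifetimeKilobytes gain "Max" in this revision but their descriptions are unchanged ("Specifies the seconds lifetime for this particular proposal"), and the IPsec counterparts ipSecProposalLifetimeSeconds/Kilobytes keep the old names; either rename both pairs or explain why an IKE proposal lifetime is a maximum and an IPsec one is not. Within the pair the zero semantics also diverge (zero seconds defaults to 8 hours, zero kilobytes means no lifetime) and should be spelled out.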
ipSecIkeProposalCipherAlgorithm OBJECT-TYPE ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
des-CBC(1), des-CBC(1),
idea-CBC(2), idea-CBC(2),
blowfish-CBC(3), blowfish-CBC(3),
rc5-R16-B64-CBC(4), rc5-R16-B64-CBC(4),
tripleDes-CBC(5), tripleDes-CBC(5),
cast-CBC(6) cast-CBC(6)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE "Specifies the encryption algorithm to propose for the IKE
association. association. "
"
::= { ipSecIkeProposalEntry 4 } ::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE ipSecIkeProposalHashAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(1), md5(1),
sha-1(2), sha-1(2),
tiger(3) tiger(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association. "Specifies the hash algorithm to propose for the IKE association."
"
::= { ipSecIkeProposalEntry 5 } ::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
presharedKey(1), presharedKey(1),
dssSignatures(2), dssSignatures(2),
rsaSignatures(3), rsaSignatures(3),
rsaEncryption(4), rsaEncryption(4),
revisedRsaEncryption(5), revisedRsaEncryption(5),
kerberos(6) kerberos(6)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the authentication method to propose for the IKE "Specifies the authentication method to propose for the IKE
association. association. "
"
::= { ipSecIkeProposalEntry 6 } ::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the number of times the IKE phase one key may be used "Specifies the number of times the IKE phase one key may be used to
to derive an IKE phase two key. A value of zero indicates that derive an IKE phase two key. A value of zero indicates that the
the number of times an IKE phase one key may be used to derive an number of times an IKE phase one key may be used to derive an IKE
IKE phase two key is limited by the seconds and/or kilobyte phase two key is limited by the seconds and/or kilobyte lifetimes. "
lifetimes.
"
::= { ipSecIkeProposalEntry 7 } ::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Pseudo-Random Function (PRF) to propose for the "Specifies the Psuedo-Random Function (PRF) to propose for the IKE
IKE association. association. "
"
::= { ipSecIkeProposalEntry 8 } ::= { ipSecIkeProposalEntry 8 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Diffie-Hellman group to propose for the IKE "Specifies the Diffie-Hellman group to propose for the IKE
association. " association. "
::= { ipSecIkeProposalEntry 9 } ::= { ipSecIkeProposalEntry 9 }
-- --
-- --
-- The ipSecEspTransformGroupTable -- The ipSecIkeEndpointTable
-- --
ipSecEspTransformGroupTable OBJECT-TYPE ipSecIkeEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformGroupEntry SYNTAX SEQUENCE OF IpSecIkeEndpointEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies the peer endpoints with which this PEP should establish
IKE associations according to ipSecIkeEndpointStartupCondition."
INDEX { ipSecIkeEndpointPrid }
UNIQUENESS {
ipSecIkeEndpointUseIkeIdentityType,
ipSecIkeEndpointIkeIdentityId,
ipSecIkeEndpointEndpointId,
ipSecIkeEndpointStartupCondition,
ipSecIkeEndpointIsOriginator,
ipSecIkeEndpointGroupId
}
::= { ipSecIkeAssociation 13 }
ipSecIkeEndpointEntry OBJECT-TYPE
SYNTAX IpSecIkeEndpointEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeEndpointTable 1 }
IpSecIkeEndpointEntry ::= SEQUENCE {
ipSecIkeEndpointPrid PolicyInstanceId,
ipSecIkeEndpointUseIkeIdentityType INTEGER,
ipSecIkeEndpointIkeIdentityId PolicyReferenceId,
ipSecIkeEndpointEndpointId PolicyReferenceId,
ipSecIkeEndpointStartupCondition BITS,
ipSecIkeEndpointIsOriginator TruthValue,
ipSecIkeEndpointGroupId PolicyTagId
}
ipSecIkeEndpointPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecIkeEndpointEntry 1 }
ipSecIkeEndpointUseIkeIdentityType OBJECT-TYPE
SYNTAX INTEGER {
ipV4-Address(1),
fqdn(2),
user-Fqdn(3),
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
}
STATUS current
DESCRIPTION
"Specifies the IKE identity to use during negotiation."
::= { ipSecIkeEndpointEntry 2 }
ipSecIkeEndpointIkeIdentityId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAddressTable
STATUS current
DESCRIPTION
"An integer that identifies the IKE identity of the peer point. This
information is used during IKE negotiation. The type of this address
is specified by ipSecIkeEndpointIkeIdentityType. The address
specified in the ipSecAddressTable whose ipSecAddressPrid matches
this integer is the IKE identity. "
::= { ipSecIkeEndpointEntry 3 }
ipSecIkeEndpointEndpointId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAddressTable
STATUS current
DESCRIPTION
"Specifies an endpoint address with which this PEP may establish IKE
association. The address in the ipSecAddressTable whose
ipSecAddressPrid matches this value is the endpoint address. This
address must identify a single endpoint. Address ranges or subnet
addresses are not allowed "
::= { ipSecIkeEndpointEntry 4 }
ipSecIkeEndpointStartupCondition OBJECT-TYPE
SYNTAX BITS {
onBoot(1),
onTraffic(2),
onPolicy(3)
}
STATUS current
DESCRIPTION
"Specifies the triggering event that causes the IKE rule referenced
be applied.OnBoot (1) means that the rule is triggered after system
boot. OnTraffic (2) means that the rule is triggered when packets
without associated security associations are sent or received.
OnPolicy (3) means that the rule is triggered when it becomes valid
as specified by ipSecRuleTimePeriodGroupTable. "
::= { ipSecIkeEndpointEntry 5 }
ipSecIkeEndpointIsOriginator OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If this attribute is true, when IKE associations need to be set
up, this PEP should initiate the establishment. Otherwise, it should
wait for the other end to initiate the setup."
::= { ipSecIkeEndpointEntry 6 }
ipSecIkeEndpointGroupId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"Specifies the group this IKE endpoint belongs to."
::= { ipSecIkeEndpointEntry 7 }
--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an ESP transform group. Within a transform group, the "Specifies an ESP transform group. Within a transform group, the
choices are ORed with preference order." choices are ORed with preference order."
INDEX { ipSecEspTransformGroupPrid } INDEX { ipSecEspTransformSetPrid }
UNIQUENESS { UNIQUENESS {
TransformGroupId, ipSecEspTransformSetTransformSetId,
TransformId ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
} }
::= { ipSecEspTransform 1 } ::= { ipSecEspTransform 14 }
ipSecEspTransformGroupEntry OBJECT-TYPE ipSecEspTransformSetEntry OBJECT-TYPE
SYNTAX IpSecEspTransformGroupEntry SYNTAX IpSecEspTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecEspTransformGroupTable 1 }
IpSecEspTransformGroupEntry ::= SEQUENCE {
ipSecEspTransformGroupPrid
PolicyInstanceId,
ipSecEspTransformGroupTransformGroupId ::= { ipSecEspTransformSetTable 1 }
Unsigned32,
ipSecEspTransformGroupTransformId IpSecEspTransformSetEntry ::= SEQUENCE {
PolicyReferenceId, ipSecEspTransformSetPrid PolicyInstanceId,
ipSecEspTransformGroupOrder ipSecEspTransformSetTransformSetId PolicyTagId,
Unsigned32 ipSecEspTransformSetTransformId PolicyReferenceId,
ipSecEspTransformSetOrder Unsigned32
} }
ipSecEspTransformGroupPrid OBJECT-TYPE ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformGroupEntry 1 } ::= { ipSecEspTransformSetEntry 1 }
ipSecEspTransformGroupTransformGroupId OBJECT-TYPE ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of ESP transforms" "An integer that identifies a set of ESP transforms"
::= { ipSecEspTransformGroupEntry 2 } ::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformGroupTransformId OBJECT-TYPE ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecEspTransformTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an ESP transform, specified by "An integer that identifies an ESP transform, specified by
ipSecEspTransformTable, that is included in this group." ipSecEspTransformTable, that is included in this set."
::= { ipSecEspTransformGroupEntry 3 } ::= { ipSecEspTransformSetEntry 3 }
ipSecEspTransformGroupOrder OBJECT-TYPE ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order, within the "An integer that specifies the precedence order of the transform
ipSecEspTransformGroup, of the transform identified by identified by ipSecEspTransformSetTransformId within a transform
ipSecEspTransformGroupEspProposalId. Transforms within a group set. The transform set is identified by
are ORed with preference order. A given precedence order is ipSecEspTransformSetTransformSetId. Transforms within a set are ORed
positioned before one with a higher-valued precedence order." with preference order. A given precedence order is positioned before
::= { ipSecEspTransformGroupEntry 4 } one with a higher-valued precedence order."
::= { ipSecEspTransformSetEntry 4 }
-- --
-- --
-- The ipSecEspTransformTable -- The ipSecEspTransformTable
-- --
ipSecEspTransformTable OBJECT-TYPE ipSecEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformEntry SYNTAX SEQUENCE OF IpSecEspTransformEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an ESP transform." "Specifies an ESP transform."
INDEX { ipSecEspTransformPrid } INDEX { ipSecEspTransformPrid }
UNIQUENESS { UNIQUENESS {
IntegrityTransformId, ipSecEspTransformIntegrityTransformId,
CipherTransformId, ipSecEspTransformCipherTransformId,
CipherKeyRounds, ipSecEspTransformCipherKeyRounds,
CipherKeyLength ipSecEspTransformCipherKeyLength
} }
::= { ipSecEspTransform 2 } ::= { ipSecEspTransform 15 }
ipSecEspTransformEntry OBJECT-TYPE ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry SYNTAX IpSecEspTransformEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecEspTransformTable 1 } ::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE { IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid ipSecEspTransformPrid PolicyInstanceId,
PolicyInstanceId, ipSecEspTransformIntegrityTransformId INTEGER,
ipSecEspTransformIntegrityTransformId ipSecEspTransformCipherTransformId INTEGER,
INTEGER, ipSecEspTransformCipherKeyRounds Unsigned32,
ipSecEspTransformCipherTransformId ipSecEspTransformCipherKeyLength Unsigned32
INTEGER,
ipSecEspTransformCipherKeyRounds
Unsigned32,
ipSecEspTransformCipherKeyLength
Unsigned32
} }
ipSecEspTransformPrid OBJECT-TYPE ipSecEspTransformPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformEntry 1 } ::= { ipSecEspTransformEntry 1 }
ipSecEspTransformIntegrityTransformId OBJECT-TYPE ipSecEspTransformIntegrityTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
none(0), none(0),
hmacMd5(1), hmacMd5(1),
hmacSha(2), hmacSha(2),
desMac(3), desMac(3),
kpdk(4) kpdk(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
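Review bot: The new ipSecIkeEndpointIkeIdentityId DESCRIPTION says the identity type is "specified by ipSecIkeEndpointIkeIdentityType", but the attribute defined in this table is ipSecIkeEndpointUseIkeIdentityType (see the IpSecIkeEndpointEntry SEQUENCE and the OBJECT-TYPE following ipSecIkeEndpointPrid); the reference should use the defined name so that tooling can resolve it, and "peer point" in the same DESCRIPTION reads as "peer endpoint". Two smaller items in this hunk: the ipSecIkeEndpointStartupCondition DESCRIPTION refers to ipSecRuleTimePeriodGroupTable, while the table defined later in this module is ipSecRuleTimePeriodTable, so one of the two names needs correcting; and the right-hand ipSecIkeProposalPrfAlgorithm DESCRIPTION introduces the typo "Psuedo-Random" where the left-hand text had "Pseudo-Random".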
skipping to change at page 41, line 23 skipping to change at line 2173
DESCRIPTION DESCRIPTION
"Specifies the ESP integrity algorithm to propose." "Specifies the ESP integrity algorithm to propose."
::= { ipSecEspTransformEntry 2 } ::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
desIV64(1), desIV64(1),
des(2), des(2),
tripleDES(3), tripleDES(3),
rc5(4), rc5(4),
idea(5), idea(5),
cast(6), cast(6),
blowfish(7), blowfish(7),
tripleIDEA(8), tripleIDEA(8),
desIV32(9), desIV32(9),
rc4(10), rc4(10),
null(11) null(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the ESP cipher/encryption algorithm to propose. "Specifies the ESP cipher/encryption algorithm to propose.
" "
::= { ipSecEspTransformEntry 3 } ::= { ipSecEspTransformEntry 3 }
ipSecEspTransformCipherKeyRounds OBJECT-TYPE ipSecEspTransformCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the number of key rounds for the ESP cipher "Specifies the number of key rounds for the ESP cipher
algorithm specified by the attribute algorithm specified by the attribute
ipSecEspTransformCipherTransformId. ipSecEspTransformCipherTransformId. "
"
::= { ipSecEspTransformEntry 4 } ::= { ipSecEspTransformEntry 4 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the length of the ESP cipher key in bits. "Specifies the length of the ESP cipher key in bits. "
"
::= { ipSecEspTransformEntry 5 } ::= { ipSecEspTransformEntry 5 }
-- --
-- --
-- The ipSecAhTransformGroupTable -- The ipSecAhTransformSetTable
-- --
ipSecAhTransformGroupTable OBJECT-TYPE ipSecAhTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformGroupEntry SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an AH transform group. Within a transform group, the "Specifies an AH transform set. Within a transform set, the choices
choices are ORed with preference order." are ORed with preference order."
INDEX { ipSecAhTransformGroupPrid } INDEX { ipSecAhTransformSetPrid }
UNIQUENESS { UNIQUENESS {
TransformGroupId, ipSecAhTransformSetTransformSetId,
TransformId ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
} }
::= { ipSecAhTransform 1 } ::= { ipSecAhTransform 16 }
ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX IpSecAhTransformSetEntry
ipSecAhTransformGroupEntry OBJECT-TYPE
SYNTAX IpSecAhTransformGroupEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecAhTransformGroupTable 1 } ::= { ipSecAhTransformSetTable 1 }
IpSecAhTransformGroupEntry ::= SEQUENCE { IpSecAhTransformSetEntry ::= SEQUENCE {
ipSecAhTransformGroupPrid ipSecAhTransformSetPrid PolicyInstanceId,
PolicyInstanceId, ipSecAhTransformSetTransformSetId PolicyTagId,
ipSecAhTransformGroupTransformGroupId ipSecAhTransformSetTransformId PolicyReferenceId,
Unsigned32, ipSecAhTransformSetOrder Unsigned32
ipSecAhTransformGroupTransformId
PolicyReferenceId,
ipSecAhTransformGroupOrder
Unsigned32
} }
ipSecAhTransformGroupPrid OBJECT-TYPE
ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecAhTransformGroupEntry 1 } ::= { ipSecAhTransformSetEntry 1 }
ipSecAhTransformGroupTransformGroupId OBJECT-TYPE ipSecAhTransformSetTransformSetId OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an AH transform group." "An integer that identifies an AH transform set."
::= { ipSecAhTransformGroupEntry 2 } ::= { ipSecAhTransformSetEntry 2 }
ipSecAhTransformGroupTransformId OBJECT-TYPE ipSecAhTransformSetTransformId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecAhTransformTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an AH transform, as specified in "An integer that identifies an AH transform, as specified in
ipSecAhTransformTable, that is included in this group." ipSecAhTransformTable, that is included in this set."
::= { ipSecAhTransformGroupEntry 3 } ::= { ipSecAhTransformSetEntry 3 }
ipSecAhTransformGroupOrder OBJECT-TYPE ipSecAhTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order, within the "An integer that specifies the precedence order of the transform
ipSecAhTransformGroup, of the transform identified by identified by ipSecAhTransformSetTransformId within a transform set.
ipSecAhTransformGroupTransformId. Transforms within a group are The transform set is identified by
ORed with preference order. A given precedence order is ipSecAhTransformSetTransformSetId. Transforms within a set are ORed
positioned before one with a higher-valued precedence order." with preference order. A given precedence order is positioned before
::= { ipSecAhTransformGroupEntry 4 } one with a higher-valued precedence order."
::= { ipSecAhTransformSetEntry 4 }
-- --
-- --
-- The ipSecAhTransformTable -- The ipSecAhTransformTable
-- --
ipSecAhTransformTable OBJECT-TYPE ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformEntry SYNTAX SEQUENCE OF IpSecAhTransformEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an AH transform" "Specifies an AH transform"
INDEX { ipSecAhTransformPrid } INDEX { ipSecAhTransformPrid }
UNIQUENESS { UNIQUENESS {
TransformId ipSecAhTransformTransformId
} }
::= { ipSecAhTransform 2 } ::= { ipSecAhTransform 17 }
ipSecAhTransformEntry OBJECT-TYPE ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry SYNTAX IpSecAhTransformEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecAhTransformTable 1 } ::= { ipSecAhTransformTable 1 }
IpSecAhTransformEntry ::= SEQUENCE { IpSecAhTransformEntry ::= SEQUENCE {
ipSecAhTransformPrid ipSecAhTransformPrid PolicyInstanceId,
PolicyInstanceId, ipSecAhTransformTransformId INTEGER
ipSecAhTransformTransformId
INTEGER
} }
ipSecAhTransformPrid OBJECT-TYPE ipSecAhTransformPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class "An integer index to uniquely identify an instance of this class "
"
::= { ipSecAhTransformEntry 1 } ::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(2), md5(2),
sha-1(3), sha-1(3),
des(4) des(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
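Review bot: ipSecEspTransformEntry allows ipSecEspTransformIntegrityTransformId = none(0) together with ipSecEspTransformCipherTransformId = null(11), which would install an ESP transform that provides neither confidentiality nor integrity; the table DESCRIPTION (or a note on the two attributes) should state that at least one of them must be non-null, matching the ESP requirement that NULL encryption and NULL authentication are not combined, so that a PEP rejects such a row at install time instead of proposing it. Smaller points: ipSecEspTransformCipherKeyLength and ipSecEspTransformCipherKeyRounds give no meaning for a value of zero, unlike the lifetime attributes earlier in the module, which define zero explicitly; and ipSecAhTransformTransformId enumerates md5(2), sha-1(3), des(4) starting at 2 without saying that the values follow the IPsec DOI AH transform identifiers, which a reader of the PIB alone cannot infer.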
skipping to change at page 45, line 4 skipping to change at line 2329
ipSecAhTransformTransformId OBJECT-TYPE ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(2), md5(2),
sha-1(3), sha-1(3),
des(4) des(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the AH hash algorithm to propose" "Specifies the AH hash algorithm to propose"
::= { ipSecAhTransformEntry 2 } ::= { ipSecAhTransformEntry 2 }
-- --
-- --
-- The ipSecCompTransformGroupTable -- The ipSecCompTransformSetTable
-- --
ipSecCompTransformGroupTable OBJECT-TYPE ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformGroupEntry SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IPComp transform group. Within a transform group,
the choices are ORed with preference order."
INDEX { ipSecCompTransformGroupPrid }
"Specifies an IPComp transform set. Within a transform set, the
choices are ORed with preference order."
INDEX { ipSecCompTransformSetPrid }
UNIQUENESS { UNIQUENESS {
TransformGroupId, ipSecCompTransformSetTransformSetId,
TransformId ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
} }
::= { ipSecCompTransform 1 } ::= { ipSecCompTransform 18 }
ipSecCompTransformGroupEntry OBJECT-TYPE ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformGroupEntry SYNTAX IpSecCompTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecCompTransformGroupTable 1 } ::= { ipSecCompTransformSetTable 1 }
IpSecCompTransformGroupEntry ::= SEQUENCE { IpSecCompTransformSetEntry ::= SEQUENCE {
ipSecCompTransformGroupPrid ipSecCompTransformSetPrid PolicyInstanceId,
PolicyInstanceId, ipSecCompTransformSetTransformSetId PolicyTagId,
ipSecCompTransformGroupTransformGroupId ipSecCompTransformSetTransformId PolicyReferenceId,
Unsigned32, ipSecCompTransformSetOrder Unsigned32
ipSecCompTransformGroupTransformId
PolicyReferenceId,
ipSecCompTransformGroupOrder
Unsigned32
} }
ipSecCompTransformGroupPrid OBJECT-TYPE ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecCompTransformGroupEntry 1 } ::= { ipSecCompTransformSetEntry 1 }
ipSecCompTransformGroupTransformGroupId OBJECT-TYPE
SYNTAX Unsigned32 ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPComp transform group" "An integer that identifies an IPComp transform set"
::= { ipSecCompTransformGroupEntry 2 } ::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformGroupTransformId OBJECT-TYPE ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecCompTransformTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPComp Transform, specified by "An integer that identifies an IPComp Transform, specified by
ipSecCompTransformTable, that is included in this group." ipSecCompTransformTable, that is included in this set."
::= { ipSecCompTransformGroupEntry 3 } ::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformGroupOrder OBJECT-TYPE ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order, within the "An integer that specifies the precedence order of the transform
ipSecCompTransformGroup, of the transform identified by identified by ipSecCompTransformSetTransformId within a transform
ipSecCompTransformGroupTransformId. Transforms within a group are
ORed with preference order. A given precedence order is
positioned before one with a higher-valued precedence order."
::= { ipSecCompTransformGroupEntry 4 }
set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order."
::= { ipSecCompTransformSetEntry 4 }
-- --
-- --
-- The ipSecCompTransformTable -- The ipSecCompTransformTable
-- --
ipSecCompTransformTable OBJECT-TYPE ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry SYNTAX SEQUENCE OF IpSecCompTransformEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IPComp transform." "Specifies an IPComp transform."
INDEX { ipSecCompTransformPrid } INDEX { ipSecCompTransformPrid }
UNIQUENESS { UNIQUENESS {
Algorithm, ipSecCompTransformAlgorithm,
DictionarySize, ipSecCompTransformDictionarySize,
PrivateAlgorithm ipSecCompTransformPrivateAlgorithm
} }
::= { ipSecCompTransform 2 } ::= { ipSecCompTransform 19 }
ipSecCompTransformEntry OBJECT-TYPE ipSecCompTransformEntry OBJECT-TYPE
SYNTAX IpSecCompTransformEntry SYNTAX IpSecCompTransformEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecCompTransformTable 1 } ::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE { IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid ipSecCompTransformPrid PolicyInstanceId,
PolicyInstanceId, ipSecCompTransformAlgorithm INTEGER,
ipSecCompTransformAlgorithm ipSecCompTransformDictionarySize Unsigned32,
INTEGER, ipSecCompTransformPrivateAlgorithm Unsigned32
ipSecCompTransformDictionarySize
Unsigned32,
ipSecCompTransformPrivateAlgorithm
Unsigned32
} }
ipSecCompTransformPrid OBJECT-TYPE ipSecCompTransformPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecCompTransformEntry 1 } ::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
oui(1), oui(1),
deflate(2), deflate(2),
lzs(3) lzs(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPComp compression algorithm to propose." "Specifies the IPComp compression algorithm to propose."
::= { ipSecCompTransformEntry 2 } ::= { ipSecCompTransformEntry 2 }
ipSecCompTransformDictionarySize OBJECT-TYPE ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the log2 maximum size of the dictionary." "Specifies the log2 maximum size of the dictionary."
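Review bot: In ipSecCompTransformTable the UNIQUENESS clause includes ipSecCompTransformPrivateAlgorithm, but the attribute's DESCRIPTION ("Specifies a specific vendor algorithm that will be used.") does not say that it is only meaningful when ipSecCompTransformAlgorithm is oui(1), nor what value it carries otherwise; as written, two rows with deflate(2) and different PrivateAlgorithm values count as distinct transforms. Suggest wording along the lines of "Only meaningful when ipSecCompTransformAlgorithm is oui(1); set to 0 otherwise." Minor: "IPComp Transform" in the ipSecCompTransformSetTransformId DESCRIPTION is capitalised differently from "IPComp transform" elsewhere in the module.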
skipping to change at page 49, line 4 skipping to change at line 2480
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies a specific vendor algorithm that will be used. " "Specifies a specific vendor algorithm that will be used. "
::= { ipSecCompTransformEntry 4 } ::= { ipSecCompTransformEntry 4 }
-- --
-- --
-- The ipSecRuleTimePeriodTable -- The ipSecRuleTimePeriodTable
-- --
ipSecRuleTimePeriodTable OBJECT-TYPE ipSecRuleTimePeriodTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
POLICY-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the time periods during which a policy rule is valid. "Specifies the time periods during which a policy rule is valid. The
The values of second through sixth attributes in a row are ANDed values of the first five attributes in a row are ANDed together to
together to determine the validity period(s). If any of the five determine the validity period(s). If any of the five attributes is
attributes is not present, it is treated as having value always not present, it is treated as having value always enabled. "
enabled. "
INDEX { ipSecRuleTimePeriodPrid } INDEX { ipSecRuleTimePeriodPrid }
UNIQUENESS { UNIQUENESS {
TimePeriod, ipSecRuleTimePeriodTimePeriod,
MonthOfYearMask, ipSecRuleTimePeriodMonthOfYearMask,
DayOfMonthMask, ipSecRuleTimePeriodDayOfMonthMask,
DayOfWeekMask, ipSecRuleTimePeriodDayOfWeekMask,
TimeOfDayMask, ipSecRuleTimePeriodTimeOfDayMask,
LocalOrUtcTime ipSecRuleTimePeriodLocalOrUtcTime
} }
::= { ipSecPolicyTimePeriod 1 } ::= { ipSecPolicyTimePeriod 20 }
ipSecRuleTimePeriodEntry OBJECT-TYPE ipSecRuleTimePeriodEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodEntry SYNTAX IpSecRuleTimePeriodEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecRuleTimePeriodTable 1 } ::= { ipSecRuleTimePeriodTable 1 }
IpSecRuleTimePeriodEntry ::= SEQUENCE { IpSecRuleTimePeriodEntry ::= SEQUENCE {
ipSecRuleTimePeriodPrid
PolicyInstanceId,
ipSecRuleTimePeriodPrid PolicyInstanceId,
ipSecRuleTimePeriodTimePeriod OCTET STRING, ipSecRuleTimePeriodTimePeriod OCTET STRING,
ipSecRuleTimePeriodMonthOfYearMask OCTET STRING, ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
ipSecRuleTimePeriodDayOfMonthMask OCTET STRING, ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
ipSecRuleTimePeriodDayOfWeekMask OCTET STRING, ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
ipSecRuleTimePeriodTimeOfDayMask OCTET STRING, ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
ipSecRuleTimePeriodLocalOrUtcTime ipSecRuleTimePeriodLocalOrUtcTime INTEGER
INTEGER
} }
ipSecRuleTimePeriodPrid OBJECT-TYPE ipSecRuleTimePeriodPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodEntry 1 }

ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that identifies an overall range of calendar dates
and times over which a policy rule is valid. It reuses the format
for an explicit time period defined in RFC 2445 [ICALENDAR]: a string
representing a starting date and time, in which the character 'T'
indicates the beginning of the time portion, followed by the solidus
character '/', followed by a similar string representing an end date
and time. The first date indicates the beginning of the range,
while the second date indicates the end. Thus, the second date and
time must be later than the first. Date/times are expressed as
substrings of the form yyyymmddThhmmss.

There are also two special cases:

- If the first date/time is replaced with the string THISANDPRIOR,
then the property indicates that a policy rule is valid [from now]
until the date/time that appears after the '/'.

- If the second date/time is replaced with the string THISANDFUTURE,
then the property indicates that a policy rule becomes valid on the
date/time that appears before the '/', and remains valid from that
point on."
::= { ipSecRuleTimePeriodEntry 2 }
ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which months the policy is valid
for. The octet string is structured as follows:

- a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x00000006 for this property;

- a 2-octet field consisting of 12 bits identifying the 12 months of
the year, beginning with January and ending with December, followed
by 4 bits that are always set to '0'. For each month, the value '1'
indicates that the policy is valid for that month, and the value '0'
indicates that it is not valid.

If this property is omitted, then the policy rule is treated as
valid for all twelve months."
::= { ipSecRuleTimePeriodEntry 3 }
ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which days of the month the policy
is valid for. The octet string is structured as follows:

- a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x0000000C for this property;

- an 8-octet field consisting of 31 bits identifying the days of the
month counting from the beginning, followed by 31 more bits
identifying the days of the month counting from the end, followed by
2 bits that are always set to '0'. For each day, the value '1'
indicates that the policy is valid for that day, and the value '0'
indicates that it is not valid.

For months with fewer than 31 days, the digits corresponding to days
that the months do not have (counting in both directions) are
ignored."
::= { ipSecRuleTimePeriodEntry 4 }
ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which days of the week the policy is
valid for. The octet string is structured as follows:

- a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x00000005 for this property;

- a 1-octet field consisting of 7 bits identifying the 7 days of the
week, beginning with Sunday and ending with Saturday, followed by 1
bit that is always set to '0'. For each day of the week, the value
'1' indicates that the policy is valid for that day, and the value
'0' indicates that it is not valid."
::= { ipSecRuleTimePeriodEntry 5 }
ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies a range of times in a day the policy
is valid for. It is formatted as follows:

A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The first
time indicates the beginning of the range, while the second time
indicates the end. Times are expressed as substrings of the form
Thhmmss.

The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from
0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day."
::= { ipSecRuleTimePeriodEntry 6 }
ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
SYNTAX INTEGER {
localTime(1),
utcTime(2)
}
STATUS current
DESCRIPTION
"This property indicates whether the times represented in this table
represent local times or UTC times. There is no provision for
mixing of local times and UTC times: the value of this property
applies to all of the other time-related properties."
::= { ipSecRuleTimePeriodEntry 7 }
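The following is an added example, not code from the draft: it implements the scheduling check that the seven ipSecRuleTimePeriod properties above define. It encodes and decodes the mask octet strings as the DESCRIPTION clauses lay them out (4-octet length field, payload bits MSB first, zero padding), handles the THISANDPRIOR/THISANDFUTURE and midnight-spanning cases, and decides whether a rule is active at a given timestamp. The names TimePeriodEntry and rule_active, the reading that any omitted property is unconstrained (the draft states this only for the month mask), and the rule that a day counts when either half of the DayOfMonthMask marks it are assumptions of the example.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

MONTH_LEN, DAY_OF_MONTH_LEN, DAY_OF_WEEK_LEN = 0x06, 0x0C, 0x05  # fixed length-field values
STAMP = "%Y%m%dT%H%M%S"  # yyyymmddThhmmss

def at(stamp: str) -> datetime:  # parse a yyyymmddThhmmss string
    return datetime.strptime(stamp, STAMP)

def decode_mask(mask: bytes, expected_len: int, nbits: int) -> List[int]:
    """Check the length field and zero padding; return the nbits payload bits, MSB first."""
    if len(mask) != expected_len or int.from_bytes(mask[:4], "big") != expected_len:
        raise ValueError("length field does not match the fixed value for this property")
    payload = int.from_bytes(mask[4:], "big")
    total = 8 * (expected_len - 4)
    if payload & ((1 << (total - nbits)) - 1):
        raise ValueError("padding bits must be zero")
    return [(payload >> (total - 1 - i)) & 1 for i in range(nbits)]

def encode_mask(bits, expected_len: int) -> bytes:
    """Inverse of decode_mask: pack bits (MSB first) behind the 4-octet length field."""
    total = 8 * (expected_len - 4)
    payload = sum(1 << (total - 1 - i) for i, b in enumerate(bits) if b)
    return expected_len.to_bytes(4, "big") + payload.to_bytes(expected_len - 4, "big")

def in_time_period(period: str, t: datetime) -> bool:
    """yyyymmddThhmmss/yyyymmddThhmmss with the THISANDPRIOR and THISANDFUTURE special cases."""
    start, end = period.split("/")
    if start != "THISANDPRIOR" and t < at(start):
        return False
    if end != "THISANDFUTURE" and t > at(end):
        return False
    return True

def in_time_of_day(mask: str, t: datetime) -> bool:
    """Thhmmss/Thhmmss; a second time smaller than the first means the range spans midnight."""
    start, end = (datetime.strptime(s, "T%H%M%S").time() for s in mask.split("/"))
    now = t.time()
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # e.g. T210000/T080000: 21:00 until 08:00 next day

def day_of_month_matches(mask: bytes, t: datetime) -> bool:
    """Bits 0..30 count from the start of the month, bits 31..61 from its end (31 = last day)."""
    bits = decode_mask(mask, DAY_OF_MONTH_LEN, 62)
    last = calendar.monthrange(t.year, t.month)[1]
    # Assumption: either direction may mark a day; bits for days the month lacks are never indexed.
    return bool(bits[t.day - 1] or bits[31 + (last - t.day)])

@dataclass
class TimePeriodEntry:
    time_period: Optional[str] = None      # ipSecRuleTimePeriodTimePeriod
    month_of_year: Optional[bytes] = None  # ipSecRuleTimePeriodMonthOfYearMask
    day_of_month: Optional[bytes] = None   # ipSecRuleTimePeriodDayOfMonthMask
    day_of_week: Optional[bytes] = None    # ipSecRuleTimePeriodDayOfWeekMask
    time_of_day: Optional[str] = None      # ipSecRuleTimePeriodTimeOfDayMask
    local_or_utc: int = 1                  # localTime(1) or utcTime(2)

def rule_active(entry: TimePeriodEntry, t: datetime) -> bool:
    """True when every property present in the entry admits t (None = omitted = unconstrained)."""
    if t.tzinfo is not None:  # express an aware timestamp in the frame LocalOrUtcTime selects
        t = (t.astimezone(timezone.utc) if entry.local_or_utc == 2 else t.astimezone()).replace(tzinfo=None)
    if entry.time_period and not in_time_period(entry.time_period, t):
        return False
    if entry.month_of_year and not decode_mask(entry.month_of_year, MONTH_LEN, 12)[t.month - 1]:
        return False
    if entry.day_of_month and not day_of_month_matches(entry.day_of_month, t):
        return False
    if entry.day_of_week:  # bit 0 is Sunday; Python's weekday() has Monday == 0
        if not decode_mask(entry.day_of_week, DAY_OF_WEEK_LEN, 7)[(t.weekday() + 1) % 7]:
            return False
    if entry.time_of_day and not in_time_of_day(entry.time_of_day, t):
        return False
    return True

# Constructed sample entry: weekday mornings, January to June, from 2001-01-01 on.
WEEKDAY_MORNINGS = TimePeriodEntry(
    time_period="20010101T000000/THISANDFUTURE",
    month_of_year=encode_mask([1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0], MONTH_LEN),
    day_of_week=encode_mask([0, 1, 1, 1, 1, 1, 0], DAY_OF_WEEK_LEN),
    time_of_day="T080000/T100000",
)
```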
--
-- The ipSecRuleTimePeriodSetTable
--
ipSecRuleTimePeriodSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies multiple time period sets. The ipSecRuleTimePeriodTable
can specify only a single time period within a day. This table
enables the specification of multiple time periods within a day by
grouping them into one set."
INDEX { ipSecRuleTimePeriodSetPrid }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecPolicyTimePeriod 21 }

ipSecRuleTimePeriodSetEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTimePeriodSetTable 1 }

IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
ipSecRuleTimePeriodSetPrid PolicyInstanceId,
ipSecRuleTimePeriodSetRuleTimePeriodSetId PolicyTagId,
ipSecRuleTimePeriodSetRuleTimePeriodId PolicyReferenceId
}

ipSecRuleTimePeriodSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 }

ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An integer that uniquely identifies an ipSecRuleTimePeriod set."
::= { ipSecRuleTimePeriodSetEntry 2 }

ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCE ipSecRuleTimePeriod
STATUS current
DESCRIPTION
"An integer that identifies an ipSecRuleTimePeriod, specified by the
ipSecRuleTimePeriodTable, that is included in this set."
::= { ipSecRuleTimePeriodSetEntry 3 }
--
-- Conformance Section
--
ipSecPolicyPibConformanceCompliances
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }

IPSecPibCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance statement"
MODULE MANDATORY-GROUPS {
ipSecAddressGroup,
ipSecL4PortGroup,
ipSecSelectorGroup,
ipSecRuleGroup,
ipSecActionGroup,
ipSecAssociationGroup,
ipSecProposalSetGroup,
ipSecProposalGroup,
ipSecIkeAssociationGroup,
ipSecIkeRuleGroup,
ipSecIkeProposalSetGroup,
ipSecIkeProposalGroup,
ipSecIkeEndpointGroup,
ipSecEspTransformSetGroup,
ipSecEspTransformGroup,
ipSecAhTransformSetGroup,
ipSecAhTransformGroup,
ipSecCompTransformSetGroup,
ipSecCompTransformGroup
}
GROUP ipSecRuleTimePeriodGroup
DESCRIPTION
"The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is
supported."
GROUP ipSecRuleTimePeriodSetGroup
DESCRIPTION
"The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling
is supported."
::= { ipSecPolicyPibConformanceCompliances 1 }

ipSecAddressGroup OBJECT-GROUP
OBJECTS {
AddressType,
AddrMask,
AddrMin,
AddrMax,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecAddressTable."
::= { ipSecPolicyPibConformanceGroups 1 }
ipSecL4PortGroup OBJECT-GROUP
OBJECTS {
PortMin,
PortMax,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecL4PortTable."
::= { ipSecPolicyPibConformanceGroups 2 }
ipSecSelectorGroup OBJECT-GROUP
OBJECTS {
SrcAddressGroupId,
SrcPortGroupId,
DstAddressGroupId,
DstPortGroupId,
Protocol,
Granularity,
Order,
StartupCondition,
IsOriginator,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecSelectorTable."
::= { ipSecPolicyPibConformanceGroups 3 }
ipSecRuleGroup OBJECT-GROUP
OBJECTS {
Roles,
Direction,
ipSecSelectorGroupId,
IpSecActionGroupId,
IpSecRuleTimePeriodGroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecRuleTable."
::= { ipSecPolicyPibConformanceGroups 4 }
ipSecActionGroup OBJECT-GROUP
OBJECTS {
Action,
TunnelEndpointId,
DfHandling,
DoLogging,
IpSecSecurityAssociationId,
ActionGroupId,
Order,
IkeRuleId
}
STATUS current
DESCRIPTION
" Objects from the ipSecActionTable."
::= { ipSecPolicyPibConformanceGroups 5 }
ipSecAssociationGroup OBJECT-GROUP
OBJECTS {
RefreshThresholdSeconds,
RefreshThresholdKilobytes,
MinLifetimeSeconds,
MinLifetimeKilobytes,
TrafficIdleTime,
UsePfs,
UseIkeGroup,
DhGroup,
ProposalSetId
}
STATUS current
DESCRIPTION
" Objects from the ipSecSecurityAssociationTable."
::= { ipSecPolicyPibConformanceGroups 6 }
ipSecProposalSetGroup OBJECT-GROUP
OBJECTS {
ProposalSetId,
ProposalId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 7 }
ipSecProposalGroup OBJECT-GROUP
OBJECTS {
LifetimeKilobytes,
LifetimeSeconds,
EspTransformSetId,
AhTransformSetId,
CompTransformSetId
}
STATUS current
DESCRIPTION
" Objects from the ipSecProposalTable."
::= { ipSecPolicyPibConformanceGroups 8 }
ipSecIkeAssociationGroup OBJECT-GROUP
OBJECTS {
RefreshThresholdSeconds,
RefreshThresholdKilobytes,
MinLifetimeSeconds,
MinLifetimeKilobytes,
TrafficIdleTime,
ExchangeMode,
RefreshThresholdDerivedKeys,
IKEProposalSetId
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeAssociationTable."
::= { ipSecPolicyPibConformanceGroups 9 }
ipSecIkeRuleGroup OBJECT-GROUP
OBJECTS {
Roles,
IkeAssociationId,
IpSecRuleTimePeriodGroupId,
IkeEndpointGroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeRuleTable."
::= { ipSecPolicyPibConformanceGroups 10 }
ipSecIkeProposalSetGroup OBJECT-GROUP
OBJECTS {
ProposalSetId,
ProposalId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 11 }
ipSecIkeProposalGroup OBJECT-GROUP
OBJECTS {
MaxLifetimeSeconds,
MaxLifetimeKilobytes,
CipherAlgorithm,
HashAlgorithm,
AuthenticationMethod,
LifetimeDerivedKeys,
PrfAlgorithm,
IkeDhGroup
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeProposalTable."
::= { ipSecPolicyPibConformanceGroups 12 }
ipSecIkeEndpointGroup OBJECT-GROUP
OBJECTS {
UseIkeIdentityType,
IkeIdentityId,
EndpointId,
StartupCondition,
IsOriginator,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecIkeEndpointTable."
::= { ipSecPolicyPibConformanceGroups 13 }
ipSecEspTransformSetGroup OBJECT-GROUP
OBJECTS {
TransformSetId,
TransformId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecEspTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 14 }
ipSecEspTransformGroup OBJECT-GROUP
OBJECTS {
IntegrityTransformId,
CipherTransformId,
CipherKeyRounds,
CipherKeyLength
}
STATUS current
DESCRIPTION
" Objects from the ipSecEspTransformTable."
::= { ipSecPolicyPibConformanceGroups 15 }
ipSecAhTransformSetGroup OBJECT-GROUP
OBJECTS {
TransformSetId,
TransformId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecAhTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 16 }
ipSecAhTransformGroup OBJECT-GROUP
OBJECTS {
TransformId
}
STATUS current
DESCRIPTION
" Objects from the ipSecAhTransformTable."
::= { ipSecPolicyPibConformanceGroups 17 }
ipSecCompTransformSetGroup OBJECT-GROUP
OBJECTS {
TransformSetId,
TransformId,
Order
}
STATUS current
DESCRIPTION
" Objects from the ipSecCompTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 18 }
ipSecCompTransformGroup OBJECT-GROUP
OBJECTS {
Algorithm,
DictionarySize,
PrivateAlgorithm
}
STATUS current
DESCRIPTION
" Objects from the ipSecCompTransformTable."
::= { ipSecPolicyPibConformanceGroups 19 }
ipSecRuleTimePeriodGroup OBJECT-GROUP
OBJECTS {
TimePeriod,
MonthOfYearMask,
DayOfMonthMask,
DayOfWeekMask,
TimeOfDayMask,
LocalOrUtcTime
}
STATUS current
DESCRIPTION
" The ipSecRuleTimePeriodGroup is mandatory if policy scheduling
is supported."
::= { ipSecPolicyPibConformanceGroups 20 }
ipSecRuleTimePeriodSetGroup OBJECT-GROUP
OBJECTS {
RuleTimePeriodSetId,
RuleTimePeriodId
}
STATUS current
DESCRIPTION
" The ipSecRuleTimePeriodSetGroup is mandatory if policy
scheduling is supported."
::= { ipSecPolicyPibConformanceGroups 21 }
END
8. Security Considerations
Since COPS is used to carry the PIB defined in this document, the
security and protection of the information can be provided by either
COPS or a combination of COPS and other security protocols,
e.g., IPsec or TLS.
9. References

[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996.

[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998.

[ARCH] S. Kent, R. Atkinson, "Security Architecture for the Internet
Protocol", RFC 2401, November 1998.

[ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
Scheduling Core Object Specification (iCalendar)", RFC 2445,
November 1998.

[COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000.

[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning", draft-ietf-rap-cops-pr-02.txt, March 2000.

[DOI] D. Piper, "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.

[ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.

[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC
2409, November 1998.

[IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
Compression Protocol (IPComp)", RFC 2393, August 1998.

[IPSEC-IM] J. Jason, "IPSec Configuration Policy Model",
draft-ietf-ipsp-config-policy-model-00.txt, March 2000.

[ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner, "Internet
Security Association and Key Management Protocol (ISAKMP)", RFC
2408, November 1998.

[PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
Model -- Version 1 Specification",
draft-ietf-policy-core-info-model-06.txt, May 2000.

[SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
Smith, F. Reichmeyer, "Structure of Policy Provisioning
Information", draft-ietf-rap-sppi-01.txt, July 2000.
7. Author's Addresses

Man Li
Nokia
5 Wayside Road,
Burlington, MA 01803
Phone: +1 781 993 3923
Email: man.m.li@nokia.com

David Arneson
Email: dla@mediaone.net

Avri Doria
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821
Phone: +1 401 663 5024
Email: avri@nortelnetworks.com

Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
Phone: +1 503 264 9531
Fax: +1 503 264 9428
E-Mail: jamie.jason@intel.com

Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com
Full Copyright Statement

"Copyright (C) The Internet Society (date). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into.