draft-ietf-ipsp-ipsecpib-01.txt   draft-ietf-ipsp-ipsecpib-02.txt 
ipsp working group                                              Man Li
Internet Draft                                                   Nokia
Expires September 2001                                   David Arneson
                                                        No Affiliation
                                                            Avri Doria
                                                       Nortel Networks
                                                           Jamie Jason
                                                                 Intel
                                                            Cliff Wang
                                                             SmartPipe
                                                            March 2001

                     IPSec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-02.txt
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of

http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
1. Abstract

This document specifies a set of policy rule classes (PRC) for
configuring IPSec policy at IPsec-enabled devices. Instances of
these classes reside in a virtual information store called IPSec
Policy Information Base (PIB). COPS protocol [COPS] with the
extensions for provisioning [COPS-PR] is used to transmit this
IPSec policy information to IPSec-enabled devices (e.g., gateways).
The PRCs defined in this IPSec PIB are intended for use by the
COPS-PR IPSec client type. They complement the PRCs defined in the
Framework PIB [FR-PIB].
2. Conventions used in this document

Li, et al                Expires September, 2001                     1
IPsec Policy Information Base                               March, 2001

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119 [2].
3. Introduction

The policy rule classes (PRC) defined in this document contain
parameters for IKE phase one and phase two negotiations. They are
based on [IPSEC-IM] [IKE] [ESP] [AH] [DOI] [IPCOMP] [SPPI]. The
rule and role approach proposed in [PCIM], which scales to large
networks, is adopted for distributing IPsec policy over the COPS
protocol.

There is an ongoing effort in defining an IPSec configuration
policy model [IPSEC-IM]. The PIB defined in this document is not
completely aligned with that information model; as work goes on,
they should be aligned in the near future.

The PIB contained in this draft is written using SPPI as specified
in draft-ietf-rap-sppi-01.txt [SPPI]. It will be updated as SPPI
is updated.
4. Operation Overview

Following the policy framework convention [PCIM], the management
entity that downloads policy to IPSec-enabled devices will be
called a Policy Decision Point (PDP) and the target IPSec-enabled
devices will be called Policy Enforcement Points (PEP).

On boot up, a PEP reports to a PDP, among other things, its role
or role combination. The PDP then determines the IPSec PIB that
needs to be downloaded to the PEP according to the role
description. Later on, if the role of the PEP changes, the PEP
must notify the PDP of its new role and the PDP will send a new
PIB to the PEP. In addition, if the policy associated with a
particular role changes, the PDP must download a new PIB to all
the PEPs that have registered with that role.

IPsec policy that is pushed down to an individual PEP consists of
two parts: IKE rules for IKE phase one negotiation and IPsec rules
for IKE phase two negotiation. These sets of rules may be pushed
down either together or independently. Hence a role is associated
with each set of rules.

When a PEP reports to a PDP its roles,

- if the corresponding policy consists of IPsec rules only (i.e.,
key management is not through IKE), the role combination MUST
match that in the ipSecRuleTable. In the ipSecActionTable
referenced by the ipSecRuleTable, the values of the
ipSecActionIkeRuleId attribute MUST be zero, indicating that no
IKE associations are used. As a result, the ipSecRuleTable and all
subsequently referenced tables are pushed down to the PEP.

- if the corresponding policy consists of IKE rules only, the role
combination MUST match that in the ipSecIkeRuleTable. The
ipSecIkeEndpointTable indicates the peer endpoints with which to
establish IKE associations. Hence, the ipSecIkeRuleTable and all
subsequently referenced tables are pushed down to the PEP.

- if the corresponding policy consists of both IPsec rules and IKE
rules (i.e., an IKE association is established first and is then
used for the IPsec association negotiation), the role combination
MUST match that in the ipSecRuleTable. The ipSecRuleTable, the
ipSecIkeRuleTable it references, and all subsequently referenced
tables are pushed down to the PEP.

The following figure shows the relations between the tables with
an example.
+----------------------+          +------------------------+
| ipSecSelectorEntries |          | ipSecRuleTableEntries  |
| Group = 10           |<----------- SelectorGroupId = 10  |
+----------------------+          | ActionGroupId = 20     |
                                  | Role = Finance_X       |
                                  +------------------------+
                                               |
                                               |
                                               v
+---------------------------+     +------------------------+
| ipSecIkeRuleEntries       |     | ipSecActionEntries     |
| Prid = 30                 |     | GroupId = 20           |
| IkeEndpointGroupId = 40   |     | Action = Tunnel        |
|                           |<------ IkeRuleId = 30        |
|                           |     |                        |
+---------------------------+     +------------------------+
              |               \                |
              |                \               |
              v                 \              v
+---------------------------+    \       ipSecAssociation
| ipSecIkeEndpointEntries   |     \      and subsequent
|                           |      \     tables
| GroupId = 40              |       \
+---------------------------+        \
                                      v
                            ipSecIkeAssociations
                            and subsequent tables
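The three cases above can be checked mechanically before anything is
pushed. The following Python code is an added example, not part of this
draft: it resolves a PEP's role combination against constructed rows of
the ipSecRuleTable, ipSecActionTable, ipSecIkeRuleTable and
ipSecIkeEndpointTable shown in the figure, reports which of the three
cases applies, and refuses to push a policy whose references dangle (a
non-zero ipSecActionIkeRuleId with no matching IKE rule, or an IKE rule
whose endpoint group is empty). The attribute names are shortened forms
of the draft's PRC attributes, the role names and endpoint addresses are
invented, and the "subsequently referenced" selector, association and
proposal tables are not modelled.

```python
# Added example, not from the draft: PDP-side resolution of which IPsec
# PIB tables to push for a PEP's role combination (section 4 cases).
# All rows below are constructed for illustration; attribute names are
# shortened forms of the draft's PRC attributes.

IPSEC_RULE_TABLE = [
    {"Prid": 1, "Roles": frozenset({"Finance_X"}), "SelectorGroupId": 10,
     "ActionGroupId": 20},
    {"Prid": 2, "Roles": frozenset({"Manual_Keying"}), "SelectorGroupId": 11,
     "ActionGroupId": 21},
    {"Prid": 3, "Roles": frozenset({"Broken"}), "SelectorGroupId": 12,
     "ActionGroupId": 22},
]
IPSEC_ACTION_TABLE = [
    {"Prid": 1, "GroupId": 20, "Action": "Tunnel", "IkeRuleId": 30, "Order": 1},
    {"Prid": 2, "GroupId": 21, "Action": "Transport", "IkeRuleId": 0, "Order": 1},
    {"Prid": 3, "GroupId": 22, "Action": "Tunnel", "IkeRuleId": 99, "Order": 1},
]
IPSEC_IKE_RULE_TABLE = [
    {"Prid": 30, "Roles": frozenset({"Finance_X"}), "IkeEndpointGroupId": 40},
    {"Prid": 31, "Roles": frozenset({"Ike_Only"}), "IkeEndpointGroupId": 41},
]
IPSEC_IKE_ENDPOINT_TABLE = [
    {"Prid": 1, "GroupId": 40, "Address": "192.0.2.1"},
    {"Prid": 2, "GroupId": 41, "Address": "192.0.2.2"},
]


def _rows(table, key, value):
    return [row for row in table if row[key] == value]


def _endpoints(ike_rules):
    """Follow ipSecIkeRuleTable -> ipSecIkeEndpointTable; refuse empty groups."""
    endpoints = []
    for rule in ike_rules:
        rows = _rows(IPSEC_IKE_ENDPOINT_TABLE, "GroupId", rule["IkeEndpointGroupId"])
        if not rows:
            raise ValueError(f"IKE rule {rule['Prid']} references missing "
                             f"endpoint group {rule['IkeEndpointGroupId']}")
        endpoints += rows
    return endpoints


def policy_for_roles(roles):
    """Return {"mode": ..., "tables": {table name: rows}} for a role combination.

    mode is "ipsec-only", "ike-only" or "ipsec+ike" (the three cases of
    section 4).  ValueError means the policy is internally inconsistent
    and must be fixed at the PDP rather than pushed; LookupError means
    nothing is provisioned for these roles.
    """
    roles = frozenset(roles)
    ipsec_rules = [r for r in IPSEC_RULE_TABLE if r["Roles"] == roles]
    ike_rules = [r for r in IPSEC_IKE_RULE_TABLE if r["Roles"] == roles]
    tables = {}

    if ipsec_rules:
        tables["ipSecRuleTable"] = ipsec_rules
        actions = []
        for rule in ipsec_rules:
            actions += _rows(IPSEC_ACTION_TABLE, "GroupId", rule["ActionGroupId"])
        tables["ipSecActionTable"] = sorted(actions, key=lambda a: a["Order"])

        referenced = []
        for action in actions:
            if action["IkeRuleId"] == 0:
                continue          # zero: this action uses no IKE association
            target = _rows(IPSEC_IKE_RULE_TABLE, "Prid", action["IkeRuleId"])
            if not target:
                raise ValueError(f"action {action['Prid']} references missing "
                                 f"IKE rule {action['IkeRuleId']}")
            if target[0] not in referenced:
                referenced.append(target[0])
        if referenced:
            tables["ipSecIkeRuleTable"] = referenced
            tables["ipSecIkeEndpointTable"] = _endpoints(referenced)
            mode = "ipsec+ike"
        else:
            mode = "ipsec-only"
    elif ike_rules:
        tables["ipSecIkeRuleTable"] = ike_rules
        tables["ipSecIkeEndpointTable"] = _endpoints(ike_rules)
        mode = "ike-only"
    else:
        raise LookupError(f"no policy registered for roles {sorted(roles)}")
    return {"mode": mode, "tables": tables}


if __name__ == "__main__":
    for roles in ({"Finance_X"}, {"Manual_Keying"}, {"Ike_Only"}):
        result = policy_for_roles(roles)
        print(sorted(roles), result["mode"], sorted(result["tables"]))
```

The role "Broken" is deliberately provisioned with an action pointing at
IKE rule 99, which does not exist; the function raises instead of pushing
a rule set the PEP could never act on, which is the failure a PDP should
surface at provisioning time rather than at the first IKE attempt.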
4.1 Selector construction

The ipSecAddressTable specifies individual IP addresses or ranges of
IP addresses and the ipSecL4PortTable specifies individual layer 4
ports or ranges of ports. The ipSecSelectorTable has references to
these two tables. Each row in the selector table represents multiple
selectors. These selectors are constructed as follows:

1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId.

2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId.

3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
port ranges from the ipSecL4PortTable whose ipSecL4PortGroupId
matches the ipSecSelectorSrcPortGroupId.

4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
port ranges from the ipSecL4PortTable whose ipSecL4PortGroupId
matches the ipSecSelectorDstPortGroupId.

5. Construct all the possible combinations of the above four fields
together with the ipSecSelectorProtocol attribute to form a list of
five-tuple selectors.

Selectors constructed from the same row inherit all the other
attributes of the row (e.g., ipSecSelectorGranularity).

The following is an example for building the selectors (only
relevant fields are shown). Suppose that the ipSecAddressTable is
populated with the following rows:

   AddrMin     AddrGroupId
   1.2.3.4     1
   1.2.3.18    1
   5.6.7.1     2
   5.6.7.8     2

For every row in this example, the AddrMax is a zero length octet
string, indicating that each row specifies a single IP address.

The ipSecL4PortTable is populated with the following rows:

   PortMin   PortMax   PortGroupId
   112       150       1
   99        99        2

The PortMax is equal to PortMin in the second row, indicating that
only a single port is specified.

The ipSecSelectorTable is populated with:

   SrcAddrGpId  DstAddrGpId  SrcPortGpId  DstPortGpId  Protocol  Order
   1            2            1            1            udp       1
   1            2            2            2            tcp       2

The following five-tuple selectors are constructed:

   SrcAddr    DstAddr   Protocol  SrcPort   DstPort
   1.2.3.4    5.6.7.1   UDP       112-150   112-150
   1.2.3.4    5.6.7.8   UDP       112-150   112-150
   1.2.3.18   5.6.7.1   UDP       112-150   112-150
   1.2.3.18   5.6.7.8   UDP       112-150   112-150
   1.2.3.4    5.6.7.1   TCP       99        99
   1.2.3.4    5.6.7.8   TCP       99        99
   1.2.3.18   5.6.7.1   TCP       99        99
   1.2.3.18   5.6.7.8   TCP       99        99

The first four selectors are constructed from the first row of the
selector table, whose order equals 1. They can be ordered in any
way. However, all of them must be evaluated before the selectors
constructed from the second row because the order of the second
row equals 2.

The use of references in the ipSecSelectorTable instead of
spelling out all the IP addresses and port numbers reduces the
number of bytes being pushed down to the PEP. Grouping of IP
addresses and layer four ports serves the same purpose.
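The five-step construction above, run over the draft's own sample rows,
as an added example that is not part of this draft. The table rows are
constructed inline with shortened attribute names; the Granularity
values are placeholders standing in for ipSecSelectorGranularity, whose
enumeration is not shown on this page. Beyond the draft's example it
also handles address and port ranges (AddrMax set, PortMax different
from PortMin) and treats a selector that references an empty group as
an error rather than silently expanding to nothing.

```python
# Added example, not from the draft: the five-step selector construction
# of section 4.1 run over the draft's own sample rows.  Rows are
# constructed inline with shortened attribute names; the Granularity
# values are placeholders standing in for ipSecSelectorGranularity.
from itertools import product

# AddrMax None stands for the zero-length octet string meaning
# "single address"; a non-None AddrMax denotes the range AddrMin-AddrMax.
IPSEC_ADDRESS_TABLE = [
    {"AddrMin": "1.2.3.4",  "AddrMax": None, "AddrGroupId": 1},
    {"AddrMin": "1.2.3.18", "AddrMax": None, "AddrGroupId": 1},
    {"AddrMin": "5.6.7.1",  "AddrMax": None, "AddrGroupId": 2},
    {"AddrMin": "5.6.7.8",  "AddrMax": None, "AddrGroupId": 2},
]
IPSEC_L4PORT_TABLE = [
    {"PortMin": 112, "PortMax": 150, "PortGroupId": 1},
    {"PortMin": 99,  "PortMax": 99,  "PortGroupId": 2},
]
IPSEC_SELECTOR_TABLE = [
    {"SrcAddrGpId": 1, "DstAddrGpId": 2, "SrcPortGpId": 1, "DstPortGpId": 1,
     "Protocol": "udp", "Order": 1, "Granularity": "per-port"},
    {"SrcAddrGpId": 1, "DstAddrGpId": 2, "SrcPortGpId": 2, "DstPortGpId": 2,
     "Protocol": "tcp", "Order": 2, "Granularity": "per-host"},
]


def _addresses(group_id):
    """Steps 1 and 2: every address or range whose AddrGroupId matches."""
    rows = [r for r in IPSEC_ADDRESS_TABLE if r["AddrGroupId"] == group_id]
    if not rows:
        raise ValueError(f"selector references empty address group {group_id}")
    return [r["AddrMin"] if r["AddrMax"] is None
            else f"{r['AddrMin']}-{r['AddrMax']}" for r in rows]


def _ports(group_id):
    """Steps 3 and 4: every port or range whose PortGroupId matches."""
    rows = [r for r in IPSEC_L4PORT_TABLE if r["PortGroupId"] == group_id]
    if not rows:
        raise ValueError(f"selector references empty port group {group_id}")
    return [str(r["PortMin"]) if r["PortMin"] == r["PortMax"]
            else f"{r['PortMin']}-{r['PortMax']}" for r in rows]


def expand_selectors(selector_table=IPSEC_SELECTOR_TABLE):
    """Step 5: the cross product of the four groups with the protocol.

    Rows are taken in ascending Order.  Selectors from one row may be
    evaluated in any order among themselves but all come before those
    of the next row, and each inherits the row's remaining attributes.
    An empty group is an error rather than a silent match-nothing row:
    a rule whose selector expands to nothing would never protect traffic.
    """
    selectors = []
    for row in sorted(selector_table, key=lambda r: r["Order"]):
        for src, dst, sport, dport in product(
                _addresses(row["SrcAddrGpId"]), _addresses(row["DstAddrGpId"]),
                _ports(row["SrcPortGpId"]), _ports(row["DstPortGpId"])):
            selectors.append({
                "srcAddr": src, "dstAddr": dst,
                "protocol": row["Protocol"].upper(),
                "srcPort": sport, "dstPort": dport,
                "order": row["Order"], "granularity": row["Granularity"],
            })
    return selectors


if __name__ == "__main__":
    for selector in expand_selectors():
        print(selector)
```

Running it reproduces the eight selectors of the table above in the
same order: four UDP selectors with order 1 followed by four TCP
selectors with order 2.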
4.2 Start up condition

The establishment of IKE or IPsec associations may be triggered in
several ways as indicated by ipSecSelectorStartupCondition and
ipSecIkeEndpointStartupCondition in the ipSecSelectorTable and
ipSecIkeEndpointTable respectively. The triggers may be:

OnBoot: The IPsec or IKE association is established after system
boot. To avoid both endpoints trying to set up the same
association, only the endpoint whose ipSecSelectorIsOriginator
(ipSecIkeEndpointIsOriginator) is true can initiate the IPsec
(IKE) association establishment.

OnTraffic: The IPsec association is established only when packets
need to be sent and there are no appropriate security associations
to protect the packets. If there is no IKE association to protect
the IPsec association negotiation, an IKE association should be
set up first.

OnPolicy: The IPsec or IKE association is established according to
the ipSecRuleTimePeriodSetTable referenced by the corresponding
rule. At the time the policy becomes active, only the endpoint
whose ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is
true can initiate the IPsec (IKE) association establishment.

These triggers are not mutually exclusive.
4.3 Multiple security associations, proposals and transforms

Multiple IPsec security associations may be established to protect
the same traffic between two end points. For example, to protect
TCP traffic between hosts A and B, an IPsec security association
in transport mode may be established between hosts A and B. In
addition, an IPsec security association in tunnel mode may be set
up between host A and gateway C that protects the LAN on which
host B resides. From A's point of view, it needs to take two
actions to protect the TCP traffic: protect with the transport
security association first and then with the tunnel security
association. In other words, the policy downloaded to A needs to
contain a group of two actions to be applied to packets in order.

The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to
handle multiple security association establishments or actions. It
contains references to the actions specified in the
ipSecActionTable. All the actions in the ipSecActionTable whose
ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId MUST be
applied. The ipSecActionOrder indicates the order in which these
actions should be taken in setting up the security associations.

During a security association negotiation, the initiating point
can present multiple proposals in preference order. For an IPsec
security association, every proposal can contain different
protocols, e.g., AH, ESP (a single proposal here is equivalent to
multiple proposal payloads with the same proposal number as
specified in [ISAKMP]). Different protocols are ANDed. Each
protocol, in turn, may contain multiple transforms in preference
order. The responder must select a single proposal and a single
transform for each protocol.

Multiple proposals are handled by the ipSecProposalSetTable and
ipSecIkeProposalSetTable. The ipSecProposalSetOrder and
ipSecIkeProposalSetOrder in these tables indicate preference.
Multiple transforms within a protocol are handled by the
ipSecAhTransformSetTable, ipSecEspTransformSetTable and
ipSecCompTransformSetTable. The ipSecAhTransformSetOrder,
ipSecEspTransformSetOrder and ipSecCompTransformSetOrder in these
tables indicate preferences.
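The responder-side selection described above (one proposal, one
transform per protocol, protocols ANDed, proposals and transforms ORed
in preference order), as an added example that is not part of this
draft. Both sides' proposal sets are constructed inline in the shape of
the ipSecProposalSetTable and the per-protocol transform set tables;
the transform names are illustrative strings, not PIB enumerations.

```python
# Added example, not from the draft: responder-side selection over the
# ordered proposal and transform sets of section 4.3.  A proposal set is
# a list of proposals carrying ipSecProposalSetOrder; within a proposal
# the protocols (AH, ESP, IPCOMP) are ANDed and each protocol's transform
# set is ORed in preference order.  Transform names are illustrative
# strings, not PIB enumerations.

INITIATOR_PROPOSAL_SET = [
    {"Order": 1, "Protocols": {"AH": ["ah-hmac-md5"],
                               "ESP": ["esp-des-null"]}},
    {"Order": 2, "Protocols": {"ESP": ["esp-des-hmac-sha1",
                                       "esp-3des-hmac-sha1"]}},
    {"Order": 3, "Protocols": {"ESP": ["esp-3des-hmac-sha1"],
                               "IPCOMP": ["deflate"]}},
]

RESPONDER_PROPOSAL_SET = [
    {"Order": 1, "Protocols": {"ESP": ["esp-3des-hmac-sha1"],
                               "IPCOMP": ["deflate"]}},
    {"Order": 2, "Protocols": {"ESP": ["esp-3des-hmac-sha1",
                                       "esp-3des-hmac-md5"]}},
]


def _by_order(proposal_set):
    return sorted(proposal_set, key=lambda p: p["Order"])


def _match_proposal(offered, local):
    """One transform per protocol, or None if the AND over protocols fails.

    The protocol sets must be identical: an offer of ESP alone does not
    satisfy a local proposal requiring ESP AND IPCOMP, and vice versa.
    The first offered transform the local set also lists is chosen, so
    the initiator's preference order decides among mutually acceptable
    transforms.
    """
    if set(offered) != set(local):
        return None
    chosen = {}
    for protocol, transforms in offered.items():
        common = next((t for t in transforms if t in local[protocol]), None)
        if common is None:
            return None
        chosen[protocol] = common
    return chosen


def select_proposal(initiator_set, responder_set=RESPONDER_PROPOSAL_SET):
    """Return (initiator Order, {protocol: transform}) or None on no match.

    Initiator proposals are tried in their preference order; for each,
    the responder's own proposals are tried in the responder's order.
    """
    for offered in _by_order(initiator_set):
        for local in _by_order(responder_set):
            chosen = _match_proposal(offered["Protocols"], local["Protocols"])
            if chosen is not None:
                return offered["Order"], chosen
    return None


if __name__ == "__main__":
    print(select_proposal(INITIATOR_PROPOSAL_SET))
```

With these sets the initiator's first proposal (AH AND a null-cipher
ESP) is rejected outright because no responder proposal has that
protocol set, and its second proposal is accepted with esp-3des-hmac-sha1
because esp-des-hmac-sha1 is not in the responder's list. Because the
initiator's preference order is honoured first, the responder's own
transform sets are the effective floor: a weak transform that appears
anywhere in the responder's ipSecEspTransformSetTable will be selected
whenever an initiator prefers it.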
4.4 Credentials for IKE phase one negotiation

Credentials such as certificates may be exchanged during IKE phase
one negotiation for authentication purposes. An endpoint can
possess multiple credentials. How each endpoint obtains its
credentials (e.g., through a PKI) is out of the scope of IPsec
policy distribution. IPsec policy does specify, however, the
acceptable peer credentials and the credential sub-fields and
their values that MUST match.

The ipSecPeerCredentialTable specifies a group of credentials that
are considered acceptable for a given peer endpoint. Any one of the
credentials in a group is acceptable as the IKE peer endpoint
credential. The ipSecCredentialFieldsTable further specifies, for
each credential, the sub-fields and values that MUST be matched.
5. Summary of the IPSec PIB

The IPSec PIB consists of seven groups. Each group and the tables
it contains are summarized in the following:

5.1 ipSecSelector Group

This group specifies the selectors for IPSec associations.

5.1.1 ipSecAddressTable

Specifies IP addresses of endpoints.

5.1.2 ipSecL4PortTable

Specifies layer four port numbers.

5.1.3 ipSecSelectorTable

Specifies IPsec selectors. It has references to ipSecAddressTable
and ipSecL4PortTable for selector construction.

5.2 ipSecAssociation Group

This group specifies attributes related to IPSec Security
Associations.

5.2.1 ipSecRuleTable

Specifies IPsec rules. It has references to ipSecSelectorTable and
ipSecActionTable to indicate that IP packets that match the
selector SHALL have the IPsec action(s) applied to them.

This table also references ipSecRuleTimePeriodSetTable to
specify the time periods during which a rule is valid.

5.2.2 ipSecActionTable

Specifies groups of IPsec actions. All actions that have the same
ipSecActionGroupId belong to the same group. Actions in the
same group MUST be applied in the order specified by
ipSecActionOrder.

This table also references ipSecIkeRuleTable to specify rules
associated with IKE phase one negotiation.

5.2.3 ipSecAssociationTable

Specifies attributes associated with IPsec associations. It
references ipSecProposalSetTable to specify associated proposals.

5.2.4 ipSecProposalSetTable

Specifies IPsec proposal sets. Proposals within a set are ORed
in preference order.

5.2.5 ipSecProposalTable

Specifies an IPsec proposal. It has references to ESP, AH and
IPComp transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transform, the choices
are ORed in preference order.

5.3 ipSecIkeAssociation Group

This group specifies attributes related to IKE Security
Associations.

5.3.1 ipSecIkeRuleTable

Specifies IKE rules. It contains a reference to
ipSecIkeAssociationTable to specify IKE associated actions. In
addition, it has a reference to ipSecIkeEndpointTable to specify
the endpoints with which this PEP can set up IKE associations.

This table also references ipSecRuleTimePeriodSetTable to
specify the time periods during which a rule is valid.

5.3.2 ipSecIkeAssociationTable

Specifies attributes related to IKE associations. It references
ipSecIkeProposalSetTable to specify associated proposals.

5.3.3 ipSecIkeProposalSetTable

Specifies IKE proposal sets. Proposals within a set are ORed in
preference order.

5.3.4 ipSecIkeProposalTable

Specifies attributes associated with IKE proposals.

5.3.5 ipSecIkeEndpointTable

Specifies the peer endpoints with which this PEP establishes IKE
associations according to ipSecIkeEndpointStartupCondition.

This table also contains a reference to ipSecPeerCredentialTable
to specify acceptable peer credentials.

5.3.6 ipSecPeerCredentialTable

Specifies groups of IKE peer credentials. Credentials in a group
are ORed. In other words, any one of the credentials in a group is
acceptable as the IKE peer endpoint credential.

This table also contains a reference to ipSecCredentialFieldsTable
to further specify sub-field values in a credential that MUST be
matched.

5.3.7 ipSecCredentialFieldsTable

Specifies the sub-fields and their values to be matched against
peer credentials obtained during IKE phase one negotiation. All
criteria within a group are ANDed.

5.4 ipSecEspTransform Group

This group specifies attributes related to ESP Transform.

5.4.1 ipSecEspTransformSetTable

Specifies ESP transform sets. Within a transform set, the choices
are ORed in preference order.

5.4.2 ipSecEspTransformTable

Specifies ESP transforms.

5.5 ipSecAhTransform Group

This group specifies attributes related to AH Transform.

5.5.1 ipSecAhTransformSetTable

Specifies AH transform sets. Within a transform set, the choices
are ORed in preference order.

5.5.2 ipSecAhTransformTable

Specifies AH transforms.

5.6 ipSecCompTransform Group

This group specifies attributes related to IPComp Transform.

5.6.1 ipSecCompTransformSetTable

Specifies IPComp transform sets. Within a transform set, the
choices are ORed in preference order.

5.6.2 ipSecCompTransformTable

Specifies IPComp transforms.

5.7 ipSecPolicyTimePeriod Group

This group specifies the time periods during which a policy rule
is valid.

5.7.1 ipSecRuleTimePeriodSetTable

Specifies multiple time period sets. The ipSecRuleTimePeriodTable
can specify only a single time period within a day. This table
enables the specification of multiple time periods within a day by
grouping them into one set.

5.7.2 ipSecRuleTimePeriodTable

Specifies the time periods during which a policy rule is valid.
The values of the first five attributes in a row are ANDed
together to determine the validity period(s). If any of the five
attributes is not present, it is treated as having the value
"always enabled".
6. The IPSec PIB 6. The IPSec PIB
IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE Unsigned 32, MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION,
MODULE-COMPLIANCE
FROM COPS-PR-SPPI FROM COPS-PR-SPPI
Li, et al Expires September, 2001 9
IPsec Policy Information Base March, 2001
OBJECT-IDENTITY OBJECT-IDENTITY
FROM SNMPv2-SMI FROM SNMPv2-SMI
TruthValue TruthValue
FROM SNMPv2-TC FROM SNMPv2-TC
PolicyInstanceId, PolicyReferenceId, PolicyTagId, PolicyTagReference InstanceId, ReferenceId, TagId, TagReferenceId
FROM COPS-PR-SPPI; FROM COPS-PR-SPPI;
RoleCombination RoleCombination
FROM POLICY-FRAMEWORK-PIB; FROM POLICY-FRAMEWORK-PIB;
OBJECT-GROUP OBJECT-GROUP
From SNMPv2-CONF; From SNMPv2-CONF;
ipSecPolicyPib MODULE-IDENTITY ipSecPolicyPib MODULE-IDENTITY
SUBJECT-CATEGORY { tbd -- IPSec Client Type } SUBJECT-CATEGORY { tbd -- IPSec Client Type }
LAST-UPDATED "200010101800Z" LAST-UPDATED "200102251800Z"
ORGANIZATION "IETF ipsp WG" ORGANIZATION "IETF ipsp WG"
CONTACT-INFO " CONTACT-INFO "
Man Li Man Li
Nokia Nokia
5 Wayside Road, 5 Wayside Road,
Burlington, MA 01803 Burlington, MA 01803
Phone: +1 781 993 3923 Phone: +1 781 993 3923
Email: man.m.li@nokia.com Email: man.m.li@nokia.com
Avri Doria Avri Doria
Nortel Networks Nortel Networks
600 Technology Park Drive 600 Technology Park Drive
Li, et al Expires January, 2000 7
IPsec Policy Information Base October, 2000
Billerica, MA 01821 Billerica, MA 01821
Phone: +1 401 663 5024 Phone: +1 401 663 5024
Email: avri@nortelnetworks.com Email: avri@nortelnetworks.com
Jamie Jason Jamie Jason
Intel Corporation Intel Corporation
MS JF3-206 MS JF3-206
2111 NE 25th Ave. 2111 NE 25th Ave.
Hillsboro, OR 97124 Hillsboro, OR 97124
Phone: +1 503 264 9531 Phone: +1 503 264 9531
skipping to change at line 403 skipping to change at line 539
E-Mail: jamie.jason@intel.com E-Mail: jamie.jason@intel.com
Cliff Wang Cliff Wang
SmartPipes Inc. SmartPipes Inc.
Suite 300, 565 Metro Place South Suite 300, 565 Metro Place South
Dublin, OH 43017 Dublin, OH 43017
Phone: +1 614 923 6241 Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com E-Mail: CWang@smartpipes.com
DESCRIPTION DESCRIPTION
"This PIB module contains a set of policy rule classes that describe "This PIB module contains a set of policy rule classes that
IPSec policies." describe IPSec policies."
::= { tbd } ::= { tbd }
ipSecSelector OBJECT-IDENTITY ipSecSelector OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies selectors for IPSec associations. " "This group specifies selectors for IPSec associations"
::= { ipSecPolicyPib 1 } ::= { ipSecPolicyPib 1 }
ipSecAssociation OBJECT-IDENTITY ipSecAssociation OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies attributes related to IPSec Security "This group specifies attributes related to IPSec Security
Associations" Associations"
::= { ipSecPolicyPib 2 } ::= { ipSecPolicyPib 2 }
ipSecIkeAssociation OBJECT-IDENTITY ipSecIkeAssociation OBJECT-IDENTITY
skipping to change at line 434 skipping to change at line 574
Associations" Associations"
::= { ipSecPolicyPib 3 } ::= { ipSecPolicyPib 3 }
ipSecEspTransform OBJECT-IDENTITY ipSecEspTransform OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies attributes related to ESP Transform" "This group specifies attributes related to ESP Transform"
::= { ipSecPolicyPib 4 } ::= { ipSecPolicyPib 4 }
ipSecAhTransform OBJECT-IDENTITY ipSecAhTransform OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies attributes related to AH Transform" "This group specifies attributes related to AH Transform"
::= { ipSecPolicyPib 5 } ::= { ipSecPolicyPib 5 }
ipSecCompTransform OBJECT-IDENTITY ipSecCompTransform OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies attributes related to IPSecComp Transform" "This group specifies attributes related to IPSecComp Transform"
::= { ipSecPolicyPib 6 } ::= { ipSecPolicyPib 6 }
ipSecPolicyTimePeriod OBJECT-IDENTITY ipSecPolicyTimePeriod OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies the time periods during which a policy rule is "This group specifies the time periods during which a policy rule
valid. " is valid "
::= { ipSecPolicyPib 7 } ::= { ipSecPolicyPib 7 }
ipSecPolicyPibConformance OBJECT-IDENTITY ipSecPolicyPibConformance OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies requirements for conformance to the IPsec "This group specifies requirements for conformance to the IPsec
Policy PIB" Policy PIB"
::= { ipSecPolicyPib 8 } ::= { ipSecPolicyPib 8 }
-- --
-- --
-- The ipSecAddressTable -- The ipSecAddressTable
-- --
ipSecAddressTable OBJECT-TYPE ipSecAddressTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAddressEntry SYNTAX SEQUENCE OF IpSecAddressEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IP addresses" "Specifies IP addresses."
INDEX { ipSecAddressPrid } ::= { ipSecSelector 1 }
ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecAddressPrid }
UNIQUENESS { UNIQUENESS {
ipSecAddressAddressType, ipSecAddressAddressType,
ipSecAddressAddrMask, ipSecAddressAddrMask,
ipSecAddressAddrMin, ipSecAddressAddrMin,
ipSecAddressAddrMax, ipSecAddressAddrMax,
ipSecAddressGroupId ipSecAddressGroupId
} }
::= { ipSecSelector 1 }
ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAddressTable 1 } ::= { ipSecAddressTable 1 }
IpSecAddressEntry ::= SEQUENCE { IpSecAddressEntry ::= SEQUENCE {
ipSecAddressPrid PolicyInstanceId, ipSecAddressPrid InstanceId,
ipSecAddressAddressType INTEGER, ipSecAddressAddressType INTEGER,
ipSecAddressAddrMask OCTET STRING, ipSecAddressAddrMask OCTET STRING,
ipSecAddressAddrMin OCTET STRING, ipSecAddressAddrMin OCTET STRING,
ipSecAddressAddrMax OCTET STRING, ipSecAddressAddrMax OCTET STRING,
ipSecAddressGroupId PolicyTagId ipSecAddressGroupId TagId
} }
ipSecAddressPrid OBJECT-TYPE ipSecAddressPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class."
::= { ipSecAddressEntry 1 } ::= { ipSecAddressEntry 1 }
ipSecAddressAddressType OBJECT-TYPE ipSecAddressAddressType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
ipV6-Address(5), ipV6-Address(5),
ipV6-Subnet(6), ipV6-Subnet(6),
ipV4-Address-Range(7), ipV4-Address-Range(7),
ipV6-Address-Range(8), ipV6-Address-Range(8),
der-Asn1-DN(9), der-Asn1-DN(9),
der-Asn1-GN(10), der-Asn1-GN(10),
key-Id(11) key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the address type. This also controls the length of the "Specifies the address type. This also controls the length of the
OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and
ipSecAddressAddrMax objects. ipSecAddressAddrMax objects. IPv4 addresses are octet strings of
IPv4 addresses (1)(4)(7) are octet strings of length 4. length 4. IPv6 addresses are octet strings of length 16. All other
IPv6 addresses (5)(6)(8) are octet strings of length 16. types are octet strings of variable length."
Other type of addresses are octet strings of variable length."
::= { ipSecAddressEntry 2 } ::= { ipSecAddressEntry 2 }
ipSecAddressAddrMask OBJECT-TYPE ipSecAddressAddrMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A mask for the matching of the IP address. A zero bit in the mask "A mask for the matching of the IP address. A zero bit in the mask
means that the corresponding bit in the address always matches. The means that the corresponding bit in the address always matches.
type of this address is based on the ipSecAddressAddressType. If This attribute MUST be ignored when ipSecAddressAddressType is not
ipSecAddressAddressType is not IPv4 addresses (1)(4)(7) or IPv6 of IPv4 or IPv6 type."
addresses (5)(6)(8), this attribute must be a zero length octet
string."
::= { ipSecAddressEntry 3 } ::= { ipSecAddressEntry 3 }
ipSecAddressAddrMin OBJECT-TYPE ipSecAddressAddrMin OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an end point address. The Length of the string is based "Specifies an end point address. The Length of the string is based
upon the address type. For IPv4 address types, this attribute is a upon the address type. For IPv4 address types, this attribute is
4-bytes octet string. For IPv6 address types, this attribute is a a 4-bytes octet string. For IPv6 address types, this attribute is
64-bytes octet string. For other types of addresses, this attribute a 16-bytes octet string. For other types of addresses, this
is a variable length octet string. attribute is a variable length octet string.
A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
ipSecAddressAddrMask of all zero means a wild-carded address, i.e., all ipSecAddressAddrMask of all zero means a wild-carded address,
addresses match." i.e., all addresses match."
::= { ipSecAddressEntry 4 } ::= { ipSecAddressEntry 4 }
ipSecAddressAddrMax OBJECT-TYPE ipSecAddressAddrMax OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If a range of addresses are being used then this specifies the "If a range of addresses are being used then this specifies the
ending address. The type of this address must be the same as the ending address. The type of this address must be the same as the
ipSecAddressAddrMin. The Length of the string is based upon the ipSecAddressAddrMin. The Length of the string is based upon the
address type. For IPv4 address types, this attribute is a 4-bytes address type. For IPv4 address types, this attribute is a 4-bytes
octet string. For IPv6 address types, this attribute is a 64-bytes octet string. For IPv6 address types, this attribute is a 16-bytes
octet string. For other types of addresses, this attribute must be a octet string.
zero length octet string.
If no range is specified then this attribute must be a zero length If no range is specified then this attribute MUST be a zero length
octet string." OCTET STRING."
::= { ipSecAddressEntry 5 } ::= { ipSecAddressEntry 5 }
ipSecAddressGroupId OBJECT-TYPE ipSecAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagId
SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this IP address,address range or subnet address "Specifies the group this IP address, address range or subnet
belongs to." address belongs to."
::= { ipSecAddressEntry 6 } ::= { ipSecAddressEntry 6 }
-- --
-- --
-- The ipSecL4PortTable -- The ipSecL4PortTable
-- --
ipSecL4PortTable OBJECT-TYPE ipSecL4PortTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecL4PortEntry SYNTAX SEQUENCE OF IpSecL4PortEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies layer four port numbers" "Specifies layer four port numbers."
INDEX { ipSecL4PortPrid }
UNIQUENESS {
ipSecL4PortPortMin,
ipSecL4PortPortMax,
ipSecL4PortGroupId
}
::= { ipSecSelector 2 } ::= { ipSecSelector 2 }
ipSecL4PortEntry OBJECT-TYPE ipSecL4PortEntry OBJECT-TYPE
SYNTAX IpSecL4PortEntry SYNTAX IpSecL4PortEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class."
PIB-INDEX { ipSecL4PortPrid }
UNIQUENESS {
ipSecL4PortPortMin,
ipSecL4PortPortMax,
ipSecL4PortGroupId
}
::= { ipSecL4PortTable 1 } ::= { ipSecL4PortTable 1 }
IpSecL4PortEntry ::= SEQUENCE { IpSecL4PortEntry ::= SEQUENCE {
ipSecL4PortPrid PolicyInstanceId, ipSecL4PortPrid InstanceId,
ipSecL4PortPortMin INTEGER, ipSecL4PortPortMin INTEGER,
ipSecL4PortPortMax INTEGER, ipSecL4PortPortMax INTEGER,
ipSecL4PortGroupId PolicyTagId ipSecL4PortGroupId TagId
} }
ipSecL4PortPrid OBJECT-TYPE ipSecL4PortPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecL4PortEntry 1 } ::= { ipSecL4PortEntry 1 }
ipSecL4PortPortMin OBJECT-TYPE ipSecL4PortPortMin OBJECT-TYPE
SYNTAX INTEGER (0..65535) SYNTAX INTEGER (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies a layer 4 port or the first layer 4 port number of a "Specifies a layer 4 port or the first layer 4 port number of a
range of ports." range of ports."
::= { ipSecL4PortEntry 2 } ::= { ipSecL4PortEntry 2 }
ipSecL4PortPortMax OBJECT-TYPE ipSecL4PortPortMax OBJECT-TYPE
SYNTAX INTEGER (0..65535) SYNTAX INTEGER (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the last layer 4 source port in the range. If a range of "Specifies the last layer 4 port in the range. If only a single
ports is not being used then this object must have a value of 0. port is specified, the value of this attribute must be equal to
Otherwise, this value should be greater than that specified by that of ipSecL4PortPortMin. Otherwise, the value of this attribute
ipSecSelectorSrcPortMin." MUST be greater than that specified by ipSecL4PortPortMin."
::= { ipSecL4PortEntry 3 } ::= { ipSecL4PortEntry 3 }
ipSecL4PortGroupId OBJECT-TYPE ipSecL4PortGroupId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this port or range of ports belongs to." "Specifies the group this port or port range belongs to."
::= { ipSecL4PortEntry 4 } ::= { ipSecL4PortEntry 4 }
-- --
-- --
-- The ipSecSelectorTable -- The ipSecSelectorTable
-- --
ipSecSelectorTable OBJECT-TYPE ipSecSelectorTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSelectorEntry SYNTAX SEQUENCE OF IpSecSelectorEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec address selector table. Each row in the selector "Specifies IPsec selectors. Each row in the selector table
table represents multiple selectors. These selectors are obtained as represents multiple selectors. These selectors are obtained as
follows: follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId. matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId. matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId. ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports or 4. Substitute the ipSecSelectorDstPortGroupId with all the ports
ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId. ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four fields 5. Construct all the possible combinations of the above four
together with the ipSecSelectorProtocol attribute to form all the fields together with the ipSecSelectorProtocol attribute to form
five-tuple selectors all the five-tuple selectors
Selectors constructed from a row inherit all the other attributes of
the row (e.g., ipSecSelectorGranularity)."
INDEX { ipSecSelectorPrid }
Selectors constructed from a row inherit all the other attributes
of the row (e.g., ipSecSelectorGranularity)."
::= { ipSecSelector 3 }
ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecSelectorPrid }
UNIQUENESS { UNIQUENESS {
ipSecSelectorSrcAddressGroupId, ipSecSelectorSrcAddressGroupId,
ipSecSelectorSrcPortGroupId, ipSecSelectorSrcPortGroupId,
ipSecSelectorDstAddressGroupId, ipSecSelectorDstAddressGroupId,
ipSecSelectorDstPortGroupId, ipSecSelectorDstPortGroupId,
ipSecSelectorProtocol, ipSecSelectorProtocol,
ipSecSelectorGranularity, ipSecSelectorGranularity,
ipSecSelectorOrder, ipSecSelectorOrder,
ipSecSelectorStartupCondition, ipSecSelectorStartupCondition,
ipSecSelectorIsOriginator, ipSecSelectorIsOriginator,
ipSecSelectorGroupId ipSecSelectorGroupId
} }
::= { ipSecSelector 3 }
ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecSelectorTable 1 } ::= { ipSecSelectorTable 1 }
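The five substitution steps in the ipSecSelectorTable DESCRIPTION, together with the ipSecAddressAddrMask wildcard rule and the ipSecL4PortPortMax range rule defined above, as an added Python example that is not part of this draft; the dataclass names, helper names and sample table rows are this example's own, not PIB identifiers.

```python
"""Added example (not from the draft): expand one ipSecSelectorTable row into
concrete five-tuple selectors by substituting each *GroupId reference with the
matching rows of ipSecAddressTable and ipSecL4PortTable, then taking the
cross product (steps 1-5 of the ipSecSelectorTable DESCRIPTION).
Class and function names below are this example's own."""
from dataclasses import dataclass
from itertools import product

# ipSecAddressAddressType values whose octet strings have a fixed length
IPV4_TYPES = {1, 4, 7}    # ipV4-Address, ipV4-Subnet, ipV4-Address-Range
IPV6_TYPES = {5, 6, 8}    # ipV6-Address, ipV6-Subnet, ipV6-Address-Range
RANGE_TYPES = {7, 8}      # AddrMin..AddrMax is an inclusive range


@dataclass(frozen=True)
class AddressEntry:       # one row of ipSecAddressTable
    prid: int
    addr_type: int
    mask: bytes           # ipSecAddressAddrMask
    addr_min: bytes       # ipSecAddressAddrMin
    addr_max: bytes       # ipSecAddressAddrMax, zero length when no range
    group_id: int         # ipSecAddressGroupId


@dataclass(frozen=True)
class L4PortEntry:        # one row of ipSecL4PortTable
    prid: int
    port_min: int
    port_max: int
    group_id: int         # ipSecL4PortGroupId


@dataclass(frozen=True)
class SelectorRow:        # the group references of one ipSecSelectorTable row
    prid: int
    src_addr_gid: int
    src_port_gid: int
    dst_addr_gid: int
    dst_port_gid: int
    protocol: int         # ipSecSelectorProtocol, 0 means match all


def check_address(e: AddressEntry) -> None:
    """Length rules from the AddrMask/AddrMin/AddrMax DESCRIPTIONs."""
    want = 4 if e.addr_type in IPV4_TYPES else 16 if e.addr_type in IPV6_TYPES else None
    if want is not None and (len(e.addr_min) != want or len(e.mask) != want):
        raise ValueError(f"row {e.prid}: address and mask must be {want} octets")
    if e.addr_type in RANGE_TYPES:
        if len(e.addr_max) != len(e.addr_min) or e.addr_max < e.addr_min:
            raise ValueError(f"row {e.prid}: AddrMax must be >= AddrMin and same length")
    elif e.addr_max:
        raise ValueError(f"row {e.prid}: AddrMax must be zero length when no range")


def check_port(p: L4PortEntry) -> None:
    """Single port: PortMax == PortMin; range: PortMax > PortMin."""
    if not (0 <= p.port_min <= p.port_max <= 65535):
        raise ValueError(f"row {p.prid}: port range {p.port_min}-{p.port_max} invalid")


def address_matches(e: AddressEntry, packet_addr: bytes) -> bool:
    """A zero mask bit always matches, so all-zero address+mask is a wildcard;
    range types compare the big-endian address bytes against AddrMin..AddrMax."""
    if len(packet_addr) != len(e.addr_min):
        return False
    if e.addr_type in RANGE_TYPES:
        return e.addr_min <= packet_addr <= e.addr_max
    return all((a & m) == (p & m) for a, m, p in zip(e.addr_min, e.mask, packet_addr))


def expand_selectors(row: SelectorRow, addr_table, port_table):
    """Steps 1-4 substitute each group id by its member rows; step 5 forms every
    combination with the protocol. An empty group yields no selectors at all."""
    addrs = lambda gid: [a for a in addr_table if a.group_id == gid]
    ports = lambda gid: [p for p in port_table if p.group_id == gid]
    combos = product(addrs(row.src_addr_gid), ports(row.src_port_gid),
                     addrs(row.dst_addr_gid), ports(row.dst_port_gid))
    return [(sa, sp, da, dp, row.protocol) for sa, sp, da, dp in combos]


def sample_expansion():
    """Constructed sample tables (not from the draft): two source addresses,
    a wildcard destination, any source port, and two destination ports."""
    addr_table = [
        AddressEntry(1, 4, bytes([255, 255, 255, 0]), bytes([10, 1, 2, 0]), b"", 10),
        AddressEntry(2, 1, bytes([255] * 4), bytes([192, 0, 2, 7]), b"", 10),
        AddressEntry(3, 1, bytes(4), bytes(4), b"", 20),      # 0.0.0.0 mask 0: any
    ]
    port_table = [
        L4PortEntry(1, 0, 65535, 30),                         # any source port
        L4PortEntry(2, 22, 22, 40),
        L4PortEntry(3, 443, 443, 40),
    ]
    for e in addr_table:
        check_address(e)
    for p in port_table:
        check_port(p)
    row = SelectorRow(1, 10, 30, 20, 40, 6)                   # protocol 6 = TCP
    return expand_selectors(row, addr_table, port_table)      # 2 * 1 * 1 * 2 = 4
```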
IpSecSelectorEntry ::= SEQUENCE { IpSecSelectorEntry ::= SEQUENCE {
ipSecSelectorPrid PolicyInstanceId, ipSecSelectorPrid InstanceId,
ipSecSelectorSrcAddressGroupId PolicyTagReference, ipSecSelectorSrcAddressGroupId TagReferenceId,
ipSecSelectorSrcPortGroupId PolicyTagReference, ipSecSelectorSrcPortGroupId TagReferenceId,
ipSecSelectorDstAddressGroupId PolicyTagReference, ipSecSelectorDstAddressGroupId TagReferenceId,
ipSecSelectorDstPortGroupId PolicyTagReference, ipSecSelectorDstPortGroupId TagReferenceId,
ipSecSelectorProtocol INTEGER, ipSecSelectorProtocol INTEGER,
ipSecSelectorGranularity INTEGER, ipSecSelectorGranularity INTEGER,
ipSecSelectorOrder Unsigned32, ipSecSelectorOrder Unsigned32,
ipSecSelectorStartupCondition BITS, ipSecSelectorStartupCondition BITS,
ipSecSelectorIsOriginator TruthValue, ipSecSelectorIsOriginator TruthValue,
ipSecSelectorGroupId PolicyTagId ipSecSelectorGroupId TagId
} }
ipSecSelectorPrid OBJECT-TYPE ipSecSelectorPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecSelectorEntry 1 } ::= { ipSecSelectorEntry 1 }
ipSecSelectorSrcAddressGroupId OBJECT-TYPE ipSecSelectorSrcAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecAddressGroupId PIB-TAG ipSecAddressGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies source addresses. All addresses in ipSecAddressTable "Specifies source addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId match this value are included as source whose ipSecAddressGroupId match this value are included as source
addresses." addresses."
::= { ipSecSelectorEntry 2 } ::= { ipSecSelectorEntry 2 }
ipSecSelectorSrcPortGroupId OBJECT-TYPE ipSecSelectorSrcPortGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecL4PortGroupId PIB-TAG ipSecL4PortGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies source layer 4 port numbers. All ports in ipSecL4Port "Specifies source layer 4 port numbers. All ports in ipSecL4Port
whose ipSecL4PortGroupId match this value are included." whose ipSecL4PortGroupId match this value are included."
::= { ipSecSelectorEntry 3 } ::= { ipSecSelectorEntry 3 }
ipSecSelectorDstAddressGroupId OBJECT-TYPE ipSecSelectorDstAddressGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecAddressGroupId PIB-TAG ipSecAddressGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies destination addresses. All addresses in ipSecAddressTable "Specifies destination addresses. All addresses in
whose ipSecAddressGroupId match this value are included as ipSecAddressTable whose ipSecAddressGroupId match this value are
destination addresses." included as destination addresses."
::= { ipSecSelectorEntry 4 } ::= { ipSecSelectorEntry 4 }
ipSecSelectorDstPortGroupId OBJECT-TYPE ipSecSelectorDstPortGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecL4PortGroupId PIB-TAG ipSecL4PortGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies destination layer 4 port numbers. All ports in "Specifies destination layer 4 port numbers. All ports in
ipSecL4Port whose ipSecL4PortGroupId match this value are included." ipSecL4Port whose ipSecL4PortGroupId match this value are
included."
::= { ipSecSelectorEntry 5 } ::= { ipSecSelectorEntry 5 }
ipSecSelectorProtocol OBJECT-TYPE ipSecSelectorProtocol OBJECT-TYPE
SYNTAX INTEGER (0..255) SYNTAX INTEGER (0..255)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IP protocol to match against the packet's protocol. A "Specifies IP protocol to match against the packet's protocol. A
value of zero means match all" value of zero means match all."
::= { ipSecSelectorEntry 6 } ::= { ipSecSelectorEntry 6 }
ipSecSelectorGranularity OBJECT-TYPE ipSecSelectorGranularity OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
wide(1), wide(1),
narrow(2) narrow(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies how the security associations established may be used. "Specifies how the security associations established may be used.
A value of 1 (Wide) indicates that this security association may be A value of 1 (Wide) indicates that this security association may
used by all packets that match the same selector that is matched by be used by all packets that match the same selector that is
the packet triggering the establishment of this association. matched by the packet triggering the establishment of this
A value of 2 (Narrow) indicates that this security association can be association.
used only by packets that have exactly the same selector attribute A value of 2 (Narrow) indicates that this security association
values as that of the packet triggering the establishment of this can be used only by packets that have exactly the same selector
association."
attribute values as that of the packet triggering the
establishment of this association. "
::= { ipSecSelectorEntry 7 } ::= { ipSecSelectorEntry 7 }
ipSecSelectorOrder OBJECT-TYPE ipSecSelectorOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the selectors "An integer that specifies the precedence order of the selectors
within the ipSecSelectorGroup. A given precedence order is within the ipSecSelectorGroup. A given precedence order is
positioned before one with a higher-valued precedence order. All positioned before one with a higher-valued precedence order. All
selectors constructed from the same row have the same order. The selectors constructed from the same row have the same order. The
skipping to change at line 824 skipping to change at line 965
::= { ipSecSelectorEntry 8 } ::= { ipSecSelectorEntry 8 }
ipSecSelectorStartupCondition OBJECT-TYPE ipSecSelectorStartupCondition OBJECT-TYPE
SYNTAX BITS { SYNTAX BITS {
onBoot(1), onBoot(1),
onTraffic(2), onTraffic(2),
onPolicy(3) onPolicy(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the triggering event that causes the rule that references "Specifies the triggering event that causes the rule that
this selector to be applied. OnBoot (1) means that the rule is references this selector be applied. OnBoot (1) means that the
rule is triggered after system boot. This selector is used as the
selector for the IPsec action. OnTraffic (2) means that the rule
is triggered when packets without associated security associations
are sent or received. This selector is used as the selector for
triggered after system boot. This selector is used as the selector for the IPsec action. OnPolicy (3) means that the rule is triggered
the IPsec action. OnTraffic (2) means that the rule is triggered when when it becomes valid as specified by
packets without associated security associations are sent or received. ipSecRuleTimePeriodGroupTable. This selector is used as the
This selector is used as the selector for the IPsec action. OnPolicy
(3) means that the rule is triggered when it becomes valid as specified
by ipSecRuleTimePeriodGroupTable. This selector is used as the
selector for the IPsec action." selector for the IPsec action."
::= { ipSecSelectorEntry 9 } ::= { ipSecSelectorEntry 9 }
ipSecSelectorIsOriginator OBJECT-TYPE ipSecSelectorIsOriginator OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If ipSecSelectorStartupCondition is either onBoot (1) or onPolicy "If ipSecSelectorStartupCondition is either onBoot (1) or onPolicy
(3) and when IPsec associations need to be set up, this PEP should (3) and when IPsec associations need to be set up, this PEP
initiate the establishment if this attribute is True. Otherwise, it should initiate the establishment if this attribute is True.
should wait for the other end to initiate the setup." Otherwise, it should wait for the other end to initiate the
setup."
::= { ipSecSelectorEntry 10 } ::= { ipSecSelectorEntry 10 }
ipSecSelectorGroupId OBJECT-TYPE ipSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specify the group this selector(s) belongs to. Selectors in the "Specify the group this selector(s) belongs to. Selectors in the
same group are provided with the same IPsec services." same group are provided with the same IPsec services."
::= { ipSecSelectorEntry 11 } ::= { ipSecSelectorEntry 11 }
-- --
-- --
-- The ipSecRuleTable -- The ipSecRuleTable
-- --
ipSecRuleTable OBJECT-TYPE ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry SYNTAX SEQUENCE OF IpSecRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec rules. " "Specifies IPsec rules. "
INDEX { ipSecRulePrid } ::= { ipSecAssociation 1 }
ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecRulePrid }
UNIQUENESS { UNIQUENESS {
ipSecRuleRoles, ipSecRuleRoles,
ipSecRuleDirection, ipSecRuleDirection,
ipSecRuleipSecSelectorGroupId, ipSecRuleIpSecSelectorGroupId,
ipSecRuleIpSecActionGroupId, ipSecRuleIpSecActionGroupId,
ipSecRuleIpSecRuleTimePeriodGroupId ipSecRuleIpSecRuleTimePeriodGroupId
} }
::= { ipSecAssociation 4 }
ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTable 1 } ::= { ipSecRuleTable 1 }
IpSecRuleEntry ::= SEQUENCE { IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid PolicyInstanceId, ipSecRulePrid InstanceId,
ipSecRuleRoles RoleCombination, ipSecRuleRoles RoleCombination,
ipSecRuleDirection INTEGER, ipSecRuleDirection INTEGER,
ipSecRuleIpSecSelectorGroupId PolicyTagReference, ipSecRuleIpSecSelectorGroupId TagReferenceId,
ipSecRuleIpSecActionGroupId PolicyTagReference, ipSecRuleIpSecActionGroupId TagReferenceId,
ipSecRuleIpSecRuleTimePeriodGroupId PolicyTagReference ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
} }
ipSecRulePrid OBJECT-TYPE ipSecRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class."
::= { ipSecRuleEntry 1 } ::= { ipSecRuleEntry 1 }
ipSecRuleRoles OBJECT-TYPE ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combinations of the interface to which this "Specifies the role combination of the interface to which this
IPSec rule should apply." IPSec rule should apply."
::= { ipSecRuleEntry 2 } ::= { ipSecRuleEntry 2 }
ipSecRuleDirection OBJECT-TYPE ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
in(1), in(1),
out(2), out(2),
bi-directional(3) bi-directional(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the direction of traffic to which this rule should "Specifies the direction of traffic to which this rule should
apply." apply."
::= { ipSecRuleEntry 3 } ::= { ipSecRuleEntry 3 }
ipSecRuleIpSecSelectorGroupId OBJECT-TYPE ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecSelectorGroupId PIB-TAG ipSecSelectorGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies the selectors to be associated with this IPSec rule. The "Identifies the selectors to be associated with this IPSec rule.
selectors in the ipSecSelectorTable whose ipSecSelectorGroupId The selectors in the ipSecSelectorTable whose ipSecSelectorGroupId
matches this attribute are provided with the IPSec services matches this attribute are provided with the IPSec services
specified by this rule." specified by this rule."
::= { ipSecRuleEntry 4 } ::= { ipSecRuleEntry 4 }
ipSecRuleIpSecActionGroupId OBJECT-TYPE ipSecRuleIpSecActionGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecActionActionGroupId PIB-TAG ipSecActionActionGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies the IPsec action groups that is "This attribute identifies the IPsec action group that is
associated with this rule. All actions specified in ipSecActionTable associated with this rule. Actions specified in ipSecActionTable
whose ipSecActionActionGroupId match the value of this attribute whose ipSecActionActionGroupId match the value of this attribute
must be applied. " MUST all be applied. The ipSecActionOrder in the ipSecActionTable
indicates the order these actions should be taken in setting up
the security associations."
::= { ipSecRuleEntry 5 } ::= { ipSecRuleEntry 5 }
ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies an IPsec rule time period group, "This attribute identifies an IPsec rule time period group,
specified in ipSecRuleTimePeriodGroupTable, that is associated with specified in ipSecRuleTimePeriodGroupTable, that is associated
this rule with this rule
A value of zero indicates that this IPsec rule is always valid until A value of zero indicates that this IPsec rule is always valid."
being deleted."
::= { ipSecRuleEntry 6 } ::= { ipSecRuleEntry 6 }
-- --
-- --
-- The ipSecActionTable -- The ipSecActionTable
-- --
ipSecActionTable OBJECT-TYPE ipSecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionEntry SYNTAX SEQUENCE OF IpSecActionEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec action." "Specifies group of IPsec actions. All actions that have the same
INDEX { ipSecActionPrid } ipSecActionActionGroupId belong to the same group. Actions in the
same group MUST be applied in the order specified by
ipSecActionOrder. "
::= { ipSecAssociation 2 }
ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecActionPrid }
UNIQUENESS { UNIQUENESS {
ipSecActionAction, ipSecActionAction,
ipSecActionTunnelEndpointId, ipSecActionTunnelEndpointId,
ipSecActionDfHandling, ipSecActionDfHandling,
ipSecActionDoLogging, ipSecActionDoLogging,
ipSecActionIpSecSecurityAssociationId, ipSecActionIpSecSecurityAssociationId,
ipSecActionActionGroupId, ipSecActionActionGroupId,
ipSecActionOrder, ipSecActionOrder,
ipSecActionIkeRuleId ipSecActionIkeRuleId
} }
::= { ipSecAssociation 5 }
ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecActionTable 1 } ::= { ipSecActionTable 1 }
IpSecActionEntry ::= SEQUENCE { IpSecActionEntry ::= SEQUENCE {
ipSecActionPrid PolicyInstanceId, ipSecActionPrid InstanceId,
ipSecActionAction INTEGER, ipSecActionAction INTEGER,
ipSecActionTunnelEndpointId PolicyReferenceId, ipSecActionTunnelEndpointId ReferenceId,
ipSecActionDfHandling INTEGER, ipSecActionDfHandling INTEGER,
ipSecActionDoLogging TruthValue, ipSecActionDoLogging TruthValue,
ipSecActionIpSecSecurityAssociationId PolicyReferenceId, ipSecActionIpSecSecurityAssociationId ReferenceId,
ipSecActionActionGroupId PolicyTagId, ipSecActionActionGroupId TagId,
ipSecActionOrder Unsigned32, ipSecActionOrder Unsigned32,
ipSecActionIkeRuleId PolicyReferenceId ipSecActionIkeRuleId ReferenceId
} }
ipSecActionPrid OBJECT-TYPE ipSecActionPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecActionEntry 1 } ::= { ipSecActionEntry 1 }
ipSecActionAction OBJECT-TYPE ipSecActionAction OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
byPass(1), byPass(1),
discard(2), discard(2),
transport(3), transport(3),
tunnel(4) tunnel(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPsec action to be applied to the traffic. ByPass(1) "Specifies the IPsec action to be applied to the traffic.
means that the packet should pass in clear. Discard(2) means that ByPass(1) means that the packet should pass in clear. Discard(2)
the packet should be denied. Transport(3) means that the packet means that the packet should be denied. Transport(3) means that
should be protected with a security association in transport mode. the packet should be protected with a security association in
Tunnel(4) means that the packet should be protected with a security transport mode. Tunnel(4) means that the packet should be
association in tunnel mode. If Tunnel (4) is specified, protected with a security association in tunnel mode. If Tunnel
ipSecActionTunnelEndpointId must also be specified" (4) is specified, ipSecActionTunnelEndpointId MUST also be
specified."
::= { ipSecActionEntry 2 } ::= { ipSecActionEntry 2 }
ipSecActionTunnelEndpointId OBJECT-TYPE ipSecActionTunnelEndpointId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecAddressTable PIB-REFERENCES ipSecAddressTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecActionAction is Tunnel, this attribute specifies the IP "When ipSecActionAction is tunnel, this attribute specifies the IP
address of the other end of the tunnel. The address specified in address of the other end of the tunnel. The address specified in
ipSecAddressTable whose ipSecAddressPrid matches this value is the ipSecAddressTable whose ipSecAddressPrid matches this value is the
other end of the tunnel. When ipSecActionAction is not tunnel, this other end of the tunnel. The address MUST be a single endpoint
attribute should be ignored. " address.
When ipSecActionAction is not tunnel, this attribute SHALL be
zero. "
::= { ipSecActionEntry 3 } ::= { ipSecActionEntry 3 }
ipSecActionDfHandling OBJECT-TYPE ipSecActionDfHandling OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
copy(1), copy(1),
set(2), set(2),
clear(3) clear(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecActionAction is tunnel, this attribute specifies how the "When ipSecActionAction is tunnel, this attribute specifies how
DF bit is managed by the tunnel when ipSecActionAction is tunnel. the DF bit is managed by the tunnel when ipSecActionAction is
Copy (1) indicates that the DF bit is copied. Set (2) indicates that tunnel. Copy (1) indicates that the DF bit is copied. Set (2)
the DF bit is set. Clear (3) indicates that the DF bit is cleared. indicates that the DF bit is set. Clear (3) indicates that the DF
When ipSecActionAction is not tunnel, this attribute should be bit is cleared. When ipSecActionAction is not tunnel, this
ignored. " attribute SHALL be ignored. "
::= { ipSecActionEntry 4 } ::= { ipSecActionEntry 4 }
ipSecActionDoLogging OBJECT-TYPE ipSecActionDoLogging OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies if an audit message should be logged when discard action "Specifies if an audit message should be logged when discard
is taken." action is taken."
::= { ipSecActionEntry 5 } ::= { ipSecActionEntry 5 }
ipSecActionIpSecSecurityAssociationId OBJECT-TYPE ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecAssociationTable PIB-REFERENCES ipSecAssociationTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPSec association, specified in "An integer that identifies an IPSec association, specified by
ipSecSecurityAssociationTable, that is associated with this action. ipSecSecurityAssociationPrid in ipSecSecurityAssociationTable,
that is associated with this action.
When ipSecActionAction attribute specifies Bypass (1) or Discard When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute must have a value of zero. Otherwise, its value (2), this attribute MUST have a value of zero. Otherwise, its
must be greater than zero." value MUST be greater than zero."
::= { ipSecActionEntry 6 } ::= { ipSecActionEntry 6 }
ipSecActionActionGroupId OBJECT-TYPE ipSecActionActionGroupId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this action belongs to. When ipSecActionAction "Specifies the group this action belongs to."
is bypass or discard, this attribute must be zero. Otherwise, this
attribute must be greater than zero."
::= { ipSecActionEntry 7 } ::= { ipSecActionEntry 7 }
ipSecActionOrder OBJECT-TYPE ipSecActionOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the order the actions in this group be applied. An action "Specifies the order the actions in this group be applied. An
with a lower order number is applied before one with a higher order action with a lower order number is applied before one with a
number. " higher order number.
When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute MUST be ignored. "
::= { ipSecActionEntry 8 } ::= { ipSecActionEntry 8 }
ipSecActionIkeRuleId OBJECT-TYPE ipSecActionIkeRuleId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecIkeRuleTable PIB-REFERENCES ipSecIkeRuleTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IKE rule, specified in "An integer that identifies an IKE rule, specified by
ipSecIkeRuleTable, that is associated with this IPsec rule. ipSecIkeRulePrid in ipSecIkeRuleTable, that is associated with
A value of zero means that there is no IKE rule associated." this IPsec rule.
A value of zero means that there is no IKE rule associated. When
ipSecActionAction attribute specifies Bypass (1) or Discard (2),
this attribute must have a value of zero."
::= { ipSecActionEntry 9 } ::= { ipSecActionEntry 9 }
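The ipSecActionTable rules above (tunnel needs an endpoint, bypass/discard carry no SA or IKE reference, group members apply in ipSecActionOrder) are easy to misconfigure, so here is an added validator and group resolver, written for this page and not part of the draft. Class, field and function names are this example's own abbreviations of the PIB column names; the sample table is constructed.

```python
from dataclasses import dataclass

# ipSecActionAction enumeration values from the PIB
BYPASS, DISCARD, TRANSPORT, TUNNEL = 1, 2, 3, 4
# ipSecActionDfHandling enumeration values from the PIB
DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3


@dataclass(frozen=True)
class IpSecActionEntry:
    """One row of ipSecActionTable; field names abbreviate the PIB columns."""
    prid: int                    # ipSecActionPrid
    action: int                  # ipSecActionAction
    tunnel_endpoint_id: int = 0  # ipSecActionTunnelEndpointId (0 = none)
    df_handling: int = DF_COPY   # ipSecActionDfHandling
    do_logging: bool = False     # ipSecActionDoLogging
    sa_id: int = 0               # ipSecActionIpSecSecurityAssociationId (0 = none)
    group_id: int = 0            # ipSecActionActionGroupId
    order: int = 0               # ipSecActionOrder
    ike_rule_id: int = 0         # ipSecActionIkeRuleId (0 = no IKE rule)


def validate_action(e: IpSecActionEntry) -> list:
    """Return the PIB constraint violations for one row (empty list = valid)."""
    who = f"ipSecActionPrid {e.prid}"
    problems = []
    if e.action not in (BYPASS, DISCARD, TRANSPORT, TUNNEL):
        return [f"{who}: unknown ipSecActionAction {e.action}"]
    if e.action == TUNNEL:
        # tunnel(4): ipSecActionTunnelEndpointId MUST also be specified,
        # and ipSecActionDfHandling is only meaningful for tunnel
        if e.tunnel_endpoint_id <= 0:
            problems.append(f"{who}: tunnel action needs ipSecActionTunnelEndpointId")
        if e.df_handling not in (DF_COPY, DF_SET, DF_CLEAR):
            problems.append(f"{who}: unknown ipSecActionDfHandling {e.df_handling}")
    elif e.tunnel_endpoint_id != 0:
        # not tunnel: ipSecActionTunnelEndpointId SHALL be zero
        problems.append(f"{who}: ipSecActionTunnelEndpointId must be zero")
    if e.action in (BYPASS, DISCARD):
        # bypass/discard: SA reference and IKE rule reference MUST be zero
        if e.sa_id != 0:
            problems.append(f"{who}: ipSecActionIpSecSecurityAssociationId must be zero")
        if e.ike_rule_id != 0:
            problems.append(f"{who}: ipSecActionIkeRuleId must be zero")
    elif e.sa_id <= 0:
        # transport/tunnel: SA reference MUST be greater than zero
        problems.append(f"{who}: ipSecActionIpSecSecurityAssociationId must be > 0")
    return problems


def resolve_action_group(table, group_id: int) -> list:
    """Return the rows a rule whose ipSecRuleIpSecActionGroupId equals group_id
    must apply, sorted by ipSecActionOrder (lower first). Raises ValueError if a
    member violates a constraint or the application order is ambiguous."""
    members = [e for e in table if e.group_id == group_id]
    problems = [p for e in members for p in validate_action(e)]
    # Conservative checks this example adds (the PIB does not spell them out):
    # ipSecActionOrder is ignored for bypass/discard, so a group mixing such an
    # action with transport/tunnel actions, or reusing an order value, has no
    # defined application sequence and is rejected here.
    protected = [e for e in members if e.action in (TRANSPORT, TUNNEL)]
    if protected and len(protected) != len(members):
        problems.append(f"group {group_id}: mixes bypass/discard with protected actions")
    orders = [e.order for e in protected]
    if len(orders) != len(set(orders)):
        problems.append(f"group {group_id}: duplicate ipSecActionOrder values")
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(members, key=lambda e: e.order)


# Constructed sample table (not from the draft)
SAMPLE_TABLE = [
    IpSecActionEntry(prid=1, action=TRANSPORT, sa_id=4, group_id=7, order=1),
    IpSecActionEntry(prid=2, action=TUNNEL, tunnel_endpoint_id=12, df_handling=DF_CLEAR,
                     sa_id=3, group_id=7, order=2, ike_rule_id=5),
    IpSecActionEntry(prid=3, action=DISCARD, do_logging=True, group_id=9),
    IpSecActionEntry(prid=4, action=TUNNEL, sa_id=6, group_id=11, order=1),  # missing endpoint
]

if __name__ == "__main__":
    print([e.prid for e in resolve_action_group(SAMPLE_TABLE, 7)])  # [1, 2]
```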
-- --
-- --
-- The ipSecAssociationTable -- The ipSecAssociationTable
-- --
ipSecAssociationTable OBJECT-TYPE ipSecAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAssociationEntry SYNTAX SEQUENCE OF IpSecAssociationEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes associated with IPsec associations" "Specifies attributes associated with IPsec associations"
INDEX { ipSecAssociationPrid } ::= { ipSecAssociation 3 }
ipSecAssociationEntry OBJECT-TYPE
SYNTAX IpSecAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecAssociationRefreshThresholdSeconds, ipSecAssociationRefreshThresholdSeconds,
ipSecAssociationRefreshThresholdKilobytes, ipSecAssociationRefreshThresholdKilobytes,
ipSecAssociationMinLifetimeSeconds, ipSecAssociationMinLifetimeSeconds,
ipSecAssociationMinLifetimeKilobytes, ipSecAssociationMinLifetimeKilobytes,
ipSecAssociationTrafficIdleTime, ipSecAssociationTrafficIdleTime,
ipSecAssociationUsePfs, ipSecAssociationUsePfs,
ipSecAssociationVendorId,
ipSecAssociationUseIkeGroup, ipSecAssociationUseIkeGroup,
ipSecAssociationDhGroup, ipSecAssociationDhGroup,
ipSecAssociationProposalSetId ipSecAssociationProposalSetId
} }
::= { ipSecAssociation 6 }
ipSecAssociationEntry OBJECT-TYPE
SYNTAX IpSecAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAssociationTable 1 } ::= { ipSecAssociationTable 1 }
IpSecAssociationEntry ::= SEQUENCE { IpSecAssociationEntry ::= SEQUENCE {
ipSecAssociationPrid PolicyInstanceId, ipSecAssociationPrid InstanceId,
ipSecAssociationRefreshThresholdSeconds INTEGER, ipSecAssociationRefreshThresholdSeconds INTEGER,
ipSecAssociationRefreshThresholdKilobytes INTEGER, ipSecAssociationRefreshThresholdKilobytes INTEGER,
ipSecAssociationMinLifetimeSeconds Unsigned32, ipSecAssociationMinLifetimeSeconds Unsigned32,
ipSecAssociationMinLifetimeKilobytes Unsigned32, ipSecAssociationMinLifetimeKilobytes Unsigned32,
ipSecAssociationTrafficIdleTime Unsigned32, ipSecAssociationTrafficIdleTime Unsigned32,
ipSecAssociationUsePfs TruthValue, ipSecAssociationUsePfs TruthValue,
ipSecAssociationVendorId OCTET STRING,
ipSecAssociationUseIkeGroup TruthValue, ipSecAssociationUseIkeGroup TruthValue,
ipSecAssociationDhGroup Unsigned32, ipSecAssociationDhGroup Unsigned32,
ipSecAssociationProposalSetId PolicyTagReference ipSecAssociationProposalSetId TagReferenceId
} }
ipSecAssociationPrid OBJECT-TYPE ipSecAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecAssociationEntry 1 } ::= { ipSecAssociationEntry 1 }
ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration (in other words, the refresh "Specifies the percentage of expiration (in other words, the
threshold) of an established SA's seconds lifetime at which to begin refresh threshold) of an established SA's seconds lifetime at
renegotiation of the SA. which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired." seconds lifetime value has expired."
::= { ipSecAssociationEntry 2 } ::= { ipSecAssociationEntry 2 }
ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established SA's "Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin renegotiation of the SA. kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired." seconds lifetime value has expired."
::= { ipSecAssociationEntry 3 } ::= { ipSecAssociationEntry 3 }
ipSecAssociationMinLifetimeSeconds OBJECT-TYPE ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be "Specifies the minimum SA seconds lifetime that will be accepted
accepted from a peer while negotiating an SA based upon this action. from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecAssociationEntry 4 } ::= { ipSecAssociationEntry 4 }
ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted from "Specifies the minimum kilobyte lifetime that will be accepted
a negotiating peer while negotiating an SA based upon this action. from a negotiating peer while negotiating an SA based upon this
A value of zero indicates that there is no minimum lifetime action. A value of zero indicates that there is no minimum
enforced." lifetime enforced."
::= { ipSecAssociationEntry 5 } ::= { ipSecAssociationEntry 5 }
ipSecAssociationTrafficIdleTime OBJECT-TYPE ipSecAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the amount of time in seconds an SA can remain idle (in "Specifies the amount of time in seconds an SA may remain idle (in
other words, no traffic protected by the SA) before it is deleted. other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. The A value of zero indicates that there is no idle time detection.
expiration of the SA is determined by the expiration of one of the The expiration of the SA is determined by the expiration of one of
lifetime values." the lifetime values."
::= { ipSecAssociationEntry 6 } ::= { ipSecAssociationEntry 6 }
ipSecAssociationUsePfs OBJECT-TYPE ipSecAssociationUsePfs OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If true, PFS should be used when negotiating the phase two IPsec "If true, PFS SHALL be used when negotiating the phase two IPsec
SA. SA."
"
::= { ipSecAssociationEntry 7 } ::= { ipSecAssociationEntry 7 }
ipSecAssociationVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Identifies vendor-defined key exchange GroupIDs."
::= { ipSecAssociationEntry 8 }
ipSecAssociationUseIkeGroup OBJECT-TYPE ipSecAssociationUseIkeGroup OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If true, the phase two DH group number should be the same as that "If true, the phase two DH group number MUST be the same as that
of phase 1. Otherwise, the group number specified by the of phase 1. Otherwise, the group number specified by the
ipSecSecurityAssociationDhGroup attribute should be used. ipSecSecurityAssociationDhGroup attribute SHALL be used. This
This attribute is ignored if ipSecSecurityAssociationUsePfs is attribute is ignored if ipSecSecurityAssociationUsePfs is false."
false." ::= { ipSecAssociationEntry 9 }
::= { ipSecAssociationEntry 8 }
ipSecAssociationDhGroup OBJECT-TYPE ipSecAssociationDhGroup OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If PFS should be used during IKE phase two and "If PFS is used during IKE phase two and
ipSecSecurityAssociationUseIkeGroup is false, this attribute ipSecSecurityAssociationUseIkeGroup is false, this attribute
specifies the Diffie-Hellman group to use. specifies the Diffie-Hellman group to use.
This attribute is ignored if ipSecSecurityAssociationUsePfs is
false." If the GroupID number is from the vendor-specific range (32768-
::= { ipSecAssociationEntry 9 } 65535), the VendorID qualifies the group number.
This attribute MUST be ignored if ipSecSecurityAssociationUsePfs
is false."
::= { ipSecAssociationEntry 10 }
ipSecAssociationProposalSetId OBJECT-TYPE ipSecAssociationProposalSetId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecProposalSetProposalSetId PIB-TAG ipSecProposalSetProposalSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IPsec proposal set, specified in "An integer that identifies the IPsec proposal set, specified in
ipSecProposalGroupTable, that is associated with this IPsec ipSecProposalGroupTable, that is associated with this IPsec
association." association."
::= { ipSecAssociationEntry 10 } ::= { ipSecAssociationEntry 11 }
-- --
-- --
-- The ipSecProposalSetTable -- The ipSecProposalSetTable
-- --
ipSecProposalSetTable OBJECT-TYPE ipSecProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalSetEntry SYNTAX SEQUENCE OF IpSecProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec proposal sets. Proposals within a set are ORed with "Specifies IPsec proposal sets. Proposals within a set are ORed
preference order." with preference order."
INDEX { ipSecProposalSetPrid } ::= { ipSecAssociation 4 }
UNIQUENESS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
::= { ipSecAssociation 7 }
ipSecProposalSetEntry OBJECT-TYPE ipSecProposalSetEntry OBJECT-TYPE
SYNTAX IpSecProposalSetEntry SYNTAX IpSecProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class."
PIB-INDEX { ipSecProposalSetPrid }
UNIQUENESS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
::= { ipSecProposalSetTable 1 } ::= { ipSecProposalSetTable 1 }
IpSecProposalSetEntry ::= SEQUENCE { IpSecProposalSetEntry ::= SEQUENCE {
ipSecProposalSetPrid PolicyInstanceId, ipSecProposalSetPrid InstanceId,
ipSecProposalSetProposalSetId PolicyTagId, ipSecProposalSetProposalSetId TagId,
ipSecProposalSetProposalId PolicyReferenceId, ipSecProposalSetProposalId ReferenceId,
ipSecProposalSetOrder Unsigned32 ipSecProposalSetOrder Unsigned32
} }
ipSecProposalSetPrid OBJECT-TYPE ipSecProposalSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecProposalSetEntry 1 } ::= { ipSecProposalSetEntry 1 }
ipSecProposalSetProposalSetId OBJECT-TYPE ipSecProposalSetProposalSetId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPsec proposal set" "An integer that identifies an IPsec proposal set."
::= { ipSecProposalSetEntry 2 } ::= { ipSecProposalSetEntry 2 }
ipSecProposalSetProposalId OBJECT-TYPE ipSecProposalSetProposalId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecProposalTable PIB-REFERENCES ipSecProposalTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPsec Proposal, specified by "An integer that identifies an IPsec Proposal, specified by
ipSecProposalTable, that is included in this set." ipSecProposalPrid in ipSecProposalTable, that is included in this
set."
::= { ipSecProposalSetEntry 3 } ::= { ipSecProposalSetEntry 3 }
ipSecProposalSetOrder OBJECT-TYPE ipSecProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecProposalSetProposalId in a proposal set. The identified by ipSecProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecProposalSetProposalSetId. proposal set is identified by ipSecProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given Proposals within a set are ORed with preference order. A given
precedence order is positioned before one with a higher-valued precedence order is positioned before one with a higher-valued
precedence order." precedence order."
::= { ipSecProposalSetEntry 4 } ::= { ipSecProposalSetEntry 4 }
-- The ipSecProposalTable -- The ipSecProposalTable
-- --
ipSecProposalTable OBJECT-TYPE ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry SYNTAX SEQUENCE OF IpSecProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IPsec proposal. It has references to ESP, AH and "Specifies an IPsec proposal. It has references to ESP, AH and
IPComp Transform sets. Within a proposal, different types of IPComp Transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transforms, the choices are transforms are ANDed. Within one type of transforms, the choices
ORed with preference order." are ORed with preference order."
INDEX { ipSecProposalPrid } ::= { ipSecAssociation 5 }
ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecProposalPrid }
UNIQUENESS { UNIQUENESS {
ipSecProposalLifetimeKilobytes, ipSecProposalLifetimeKilobytes,
ipSecProposalLifetimeSeconds, ipSecProposalLifetimeSeconds,
ipSecProposalVendorId,
ipSecProposalEspTransformSetId, ipSecProposalEspTransformSetId,
ipSecProposalAhTransformSetId, ipSecProposalAhTransformSetId,
ipSecProposalCompTransformSetId ipSecProposalCompTransformSetId
} }
::= { ipSecAssociation 8 }
ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecProposalTable 1 } ::= { ipSecProposalTable 1 }
IpSecProposalEntry ::= SEQUENCE { IpSecProposalEntry ::= SEQUENCE {
ipSecProposalPrid PolicyInstanceId, ipSecProposalPrid InstanceId,
ipSecProposalLifetimeKilobytes Unsigned32, ipSecProposalLifetimeKilobytes Unsigned32,
ipSecProposalLifetimeSeconds Unsigned32, ipSecProposalLifetimeSeconds Unsigned32,
ipSecProposalEspTransformSetId PolicyTagReference, ipSecProposalVendorId OCTET STRING,
ipSecProposalAhTransformSetId PolicyTagReference, ipSecProposalEspTransformSetId TagReferenceId,
ipSecProposalCompTransformSetId PolicyTagReference ipSecProposalAhTransformSetId TagReferenceId,
ipSecProposalCompTransformSetId TagReferenceId
} }
ipSecProposalPrid OBJECT-TYPE ipSecProposalPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecProposalEntry 1 } ::= { ipSecProposalEntry 1 }
ipSecProposalLifetimeKilobytes OBJECT-TYPE ipSecProposalLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal. "Specifies the kilobyte lifetime for this particular proposal.
A value of zero indicates that there is no kilobyte lifetime." A value of zero indicates that there is no kilobyte lifetime."
::= { ipSecProposalEntry 2 } ::= { ipSecProposalEntry 2 }
ipSecProposalLifetimeSeconds OBJECT-TYPE ipSecProposalLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the seconds lifetime for this particular proposal. "Specifies the seconds lifetime for this particular proposal.
A value of zero indicates that the lifetime value defaults to 8 A value of zero indicates that the lifetime value defaults to 8
hours. hours. "
"
::= { ipSecProposalEntry 3 } ::= { ipSecProposalEntry 3 }
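The lifetime semantics spread over ipSecAssociationTable (refresh thresholds as a percentage, minimum lifetimes accepted from a peer, idle deletion) and ipSecProposalTable (zero seconds means 8 hours, zero kilobytes means no kilobyte lifetime) combine into one SA state machine; the following is an added example of that combination, not code from the draft. Names abbreviate the PIB columns, the sample rows are constructed, and treating a peer that offers no kilobyte lifetime as satisfying any kilobyte minimum is this example's own reading.

```python
from dataclasses import dataclass

DEFAULT_LIFETIME_SECONDS = 8 * 3600  # ipSecProposalLifetimeSeconds of zero means 8 hours


@dataclass(frozen=True)
class IpSecAssociationEntry:
    """Lifetime-related columns of ipSecAssociationTable (names abbreviated)."""
    refresh_threshold_seconds: int    # ipSecAssociationRefreshThresholdSeconds, percent 1..100
    refresh_threshold_kilobytes: int  # ipSecAssociationRefreshThresholdKilobytes, percent 1..100
    min_lifetime_seconds: int = 0     # ipSecAssociationMinLifetimeSeconds, 0 = no minimum
    min_lifetime_kilobytes: int = 0   # ipSecAssociationMinLifetimeKilobytes, 0 = no minimum
    traffic_idle_time: int = 0        # ipSecAssociationTrafficIdleTime, 0 = no idle detection


@dataclass(frozen=True)
class IpSecProposalEntry:
    """Lifetime columns of ipSecProposalTable (names abbreviated)."""
    lifetime_seconds: int = 0    # ipSecProposalLifetimeSeconds, 0 = default 8 hours
    lifetime_kilobytes: int = 0  # ipSecProposalLifetimeKilobytes, 0 = no kilobyte lifetime


def validate_association(a: IpSecAssociationEntry) -> list:
    """Check the INTEGER (1..100) ranges of the two refresh thresholds."""
    problems = []
    for name, value in (("ipSecAssociationRefreshThresholdSeconds", a.refresh_threshold_seconds),
                        ("ipSecAssociationRefreshThresholdKilobytes", a.refresh_threshold_kilobytes)):
        if not 1 <= value <= 100:
            problems.append(f"{name} {value} outside 1..100")
    return problems


def effective_lifetime(p: IpSecProposalEntry):
    """Apply the PIB's zero conventions; returns (seconds, kilobytes-or-None)."""
    seconds = p.lifetime_seconds or DEFAULT_LIFETIME_SECONDS
    kilobytes = p.lifetime_kilobytes or None
    return seconds, kilobytes


def accept_peer_lifetime(a: IpSecAssociationEntry, peer_seconds: int, peer_kilobytes) -> bool:
    """Apply the minimum-lifetime floors to the lifetimes a peer proposes.
    A peer offering no kilobyte lifetime (None) is treated as unlimited here,
    which satisfies any minimum (this example's reading, not the draft's words)."""
    if a.min_lifetime_seconds and peer_seconds < a.min_lifetime_seconds:
        return False
    if (a.min_lifetime_kilobytes and peer_kilobytes is not None
            and peer_kilobytes < a.min_lifetime_kilobytes):
        return False
    return True


def rekey_trigger(a: IpSecAssociationEntry, lifetime_seconds: int, lifetime_kilobytes):
    """Point (seconds, kilobytes-or-None) at which renegotiation begins.
    A threshold of 100 puts the trigger exactly at expiry, as the PIB states."""
    seconds = lifetime_seconds * a.refresh_threshold_seconds // 100
    kilobytes = (None if lifetime_kilobytes is None
                 else lifetime_kilobytes * a.refresh_threshold_kilobytes // 100)
    return seconds, kilobytes


def sa_state(a: IpSecAssociationEntry, lifetime_seconds: int, lifetime_kilobytes,
             age_seconds: int, used_kilobytes: int, idle_seconds: int) -> str:
    """Classify an established SA as 'active', 'rekey' or 'expired'.
    Expiry wins over rekey; idle deletion applies only when idle detection is on."""
    if age_seconds >= lifetime_seconds:
        return "expired"
    if lifetime_kilobytes is not None and used_kilobytes >= lifetime_kilobytes:
        return "expired"
    if a.traffic_idle_time and idle_seconds >= a.traffic_idle_time:
        return "expired"
    trig_s, trig_kb = rekey_trigger(a, lifetime_seconds, lifetime_kilobytes)
    if age_seconds >= trig_s or (trig_kb is not None and used_kilobytes >= trig_kb):
        return "rekey"
    return "active"


# Constructed sample rows (not from the draft)
SAMPLE_ASSOC = IpSecAssociationEntry(refresh_threshold_seconds=75, refresh_threshold_kilobytes=90,
                                     min_lifetime_seconds=600, min_lifetime_kilobytes=1024,
                                     traffic_idle_time=300)
SAMPLE_PROPOSAL = IpSecProposalEntry()  # both lifetimes zero: 8 hours, no kilobyte limit

if __name__ == "__main__":
    secs, kbs = effective_lifetime(SAMPLE_PROPOSAL)
    print(rekey_trigger(SAMPLE_ASSOC, secs, kbs))  # (21600, None)
```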
ipSecProposalVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Identifies vendor-defined transforms."
::= { ipSecProposalEntry 4 }
ipSecProposalEspTransformSetId OBJECT-TYPE ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecEspTransformSetTransformSetId PIB-TAG ipSecEspTransformSetTransformSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the ESP transform set, specified in "An integer that identifies the ESP transform set, specified in
ipSecEspTransformSetTable, that is associated with this proposal." ipSecEspTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 4 } ::= { ipSecProposalEntry 5 }
ipSecProposalAhTransformSetId OBJECT-TYPE ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecAhTransformSetTransformSetId PIB-TAG ipSecAhTransformSetTransformSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the AH transform set, specified in "An integer that identifies the AH transform set, specified in
ipSecAhTransformSetTable, that is associated with this proposal." ipSecAhTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 5 } ::= { ipSecProposalEntry 6 }
ipSecProposalCompTransformSetId OBJECT-TYPE ipSecProposalCompTransformSetId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecCompTransformSetTransformId PIB-TAG ipSecCompTransformSetTransformId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IPComp transform set, specified in "An integer that identifies the IPComp transform set, specified in
ipSecCompTransformSetTable, that is associated with this proposal." ipSecCompTransformSetTable, that is associated with this
::= { ipSecProposalEntry 6 } proposal."
::= { ipSecProposalEntry 7 }
-- --
-- --
-- The ipSecIkeAssociationTable -- The ipSecIkeAssociationTable
-- --
ipSecIkeAssociationTable OBJECT-TYPE ipSecIkeAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes related to IKE associations." "Specifies attributes related to IKE associations."
INDEX { ipSecIkeAssociationPrid } ::= { ipSecIkeAssociation 1 }
ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeAssociationRefreshThresholdSeconds, ipSecIkeAssociationRefreshThresholdSeconds,
ipSecIkeAssociationRefreshThresholdKilobytes, ipSecIkeAssociationRefreshThresholdKilobytes,
ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLiftetimeSeconds,
ipSecIkeAssociationMinLifetimeKilobytes, ipSecIkeAssociationMinLifetimeKilobytes,
ipSecIkeAssociationTrafficIdleTime, ipSecIkeAssociationTrafficIdleTime,
ipSecIkeAssociationExchangeMode, ipSecIkeAssociationExchangeMode,
ipSecIkeAssociationUseIkeIdentityType,
ipSecIkeAssociationRefreshThresholdDerivedKeys, ipSecIkeAssociationRefreshThresholdDerivedKeys,
ipSecIkeAssociationIKEProposalSetId ipSecIkeAssociationIKEProposalSetId
} }
::= { ipSecIkeAssociation 9 }
ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeAssociationTable 1 } ::= { ipSecIkeAssociationTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE { IpSecIkeAssociationEntry ::= SEQUENCE {
ipSecIkeAssociationPrid PolicyInstanceId, ipSecIkeAssociationPrid InstanceId,
ipSecIkeAssociationRefreshThresholdSeconds INTEGER, ipSecIkeAssociationRefreshThresholdSeconds INTEGER,
ipSecIkeAssociationRefreshThresholdKilobytes INTEGER, ipSecIkeAssociationRefreshThresholdKilobytes INTEGER,
ipSecIkeAssociationMinLiftetimeSeconds Unsigned32, ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeAssociationMinLifetimeKilobytes Unsigned32, ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
ipSecIkeAssociationTrafficIdleTime Unsigned32, ipSecIkeAssociationTrafficIdleTime Unsigned32,
ipSecIkeAssociationExchangeMode INTEGER, ipSecIkeAssociationExchangeMode INTEGER,
ipSecIkeAssociationUseIkeIdentityType INTEGER,
ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER, ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER,
ipSecIkeAssociationIKEProposalSetId PolicyTagReference ipSecIkeAssociationIKEProposalSetId TagReferenceId
} }
ipSecIkeAssociationPrid OBJECT-TYPE ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeAssociationEntry 1 } ::= { ipSecIkeAssociationEntry 1 }
ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration (in other words, the refresh "Specifies the percentage of expiration (in other words, the
threshold) of an established SA's seconds lifetime at which to begin refresh threshold) of an established SA's seconds lifetime at
renegotiation of the SA. which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired." seconds lifetime value has expired."
::= { ipSecIkeAssociationEntry 2 } ::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established SA's "Specifies the percentage of expiration of an established SA's
kilobyte lifetime at which to begin renegotiation of the SA. kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired." seconds lifetime value has expired."
::= { ipSecIkeAssociationEntry 3 } ::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be "Specifies the minimum SA seconds lifetime that will be accepted
accepted from a peer while negotiating an SA based upon this action. from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeAssociationEntry 4 } ::= { ipSecIkeAssociationEntry 4 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted from "Specifies the minimum kilobyte lifetime that will be accepted
a negotiating peer while negotiating an SA based upon this action. from a negotiating peer while negotiating an SA based upon this
action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeAssociationEntry 5 } ::= { ipSecIkeAssociationEntry 5 }
ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle (in "Specifies the amount of time in seconds an SA may remain idle (in
other words, no traffic protected by the SA) before it is deleted. other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. The A value of zero indicates that there is no idle time detection.
expiration of the SA is determined by the expiration of one of the The expiration of the SA is determined by the expiration of one of
lifetime values. the lifetime values."
"
::= { ipSecIkeAssociationEntry 6 } ::= { ipSecIkeAssociationEntry 6 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE ipSecIkeAssociationExchangeMode OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
baseMode(1), baseMode(1),
mainMode(2), mainMode(2),
aggressiveMode(4) aggressiveMode(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the negotiation mode that the IKE server will use for "Specifies the negotiation mode that the IKE server will use for
phase one. " phase one. "
::= { ipSecIkeAssociationEntry 7 } ::= { ipSecIkeAssociationEntry 7 }
ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
SYNTAX INTEGER {
ipV4-Address(1),
fqdn(2),
user-Fqdn(3),
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
}
STATUS current
DESCRIPTION
"Specifies the type of IKE identity to use during IKE phase one
negotiation."
::= { ipSecIkeAssociationEntry 8 }
ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established IKE SA's "Specifies the percentage of expiration of an established IKE SA's
derived keys lifetime at which to begin renegotiation of the SA. derived keys lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
derived key lifetime value has expired. " derived key lifetime value has expired. "
::= { ipSecIkeAssociationEntry 8 } ::= { ipSecIkeAssociationEntry 9 }
ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecIkeProposalSetProposalSetId PIB-TAG ipSecIkeProposalSetProposalSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IKE proposal set, specified in "An integer that identifies the IKE proposal set, specified in
ipSecIkeProposalGroupTable, that is associated with this IKE ipSecIkeProposalGroupTable, that is associated with this IKE
association." association."
::= { ipSecIkeAssociationEntry 9 } ::= { ipSecIkeAssociationEntry 10 }
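The following is an added example, not part of the draft and not code from any IPsec implementation: a small Python model of how a PEP would act on the ipSecIkeAssociation attributes defined above (the refresh thresholds, the minimum lifetimes accepted from a peer, the traffic idle time and the derived-key threshold). The PIB attribute names appear in comments; the class, function and field names and the sample values are this example's own. The draft's text for ipSecIkeAssociationRefreshThresholdKilobytes speaks of the "seconds lifetime"; the example applies that threshold to the kilobyte lifetime, as the attribute name indicates, and labels this as an assumption.

```python
"""Applying ipSecIkeAssociationTable lifetime attributes (added example,
not the draft's own code; names other than the quoted PIB attributes are
assumptions of this example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


def _percent(value: int, name: str) -> int:
    # Every refresh threshold is INTEGER (1..100) in the PIB.
    if not 1 <= value <= 100:
        raise ValueError(f"{name} must be in 1..100, got {value}")
    return value


@dataclass(frozen=True)
class IkeAssociationAction:
    refresh_threshold_seconds: int       # ipSecIkeAssociationRefreshThresholdSeconds
    refresh_threshold_kilobytes: int     # ipSecIkeAssociationRefreshThresholdKilobytes
    min_lifetime_seconds: int            # ipSecIkeAssociationMinLiftetimeSeconds, 0 = none
    min_lifetime_kilobytes: int          # ipSecIkeAssociationMinLifetimeKilobytes, 0 = none
    traffic_idle_time: int               # ipSecIkeAssociationTrafficIdleTime, 0 = no detection
    refresh_threshold_derived_keys: int  # ipSecIkeAssociationRefreshThresholdDerivedKeys

    def __post_init__(self) -> None:
        _percent(self.refresh_threshold_seconds, "RefreshThresholdSeconds")
        _percent(self.refresh_threshold_kilobytes, "RefreshThresholdKilobytes")
        _percent(self.refresh_threshold_derived_keys, "RefreshThresholdDerivedKeys")


def accept_peer_lifetimes(action: IkeAssociationAction,
                          offered_seconds: int, offered_kilobytes: int) -> bool:
    """Minimum lifetimes accepted from a peer; a configured zero disables the check."""
    if action.min_lifetime_seconds and offered_seconds < action.min_lifetime_seconds:
        return False
    if action.min_lifetime_kilobytes and offered_kilobytes < action.min_lifetime_kilobytes:
        return False
    return True


def rekey_points(action: IkeAssociationAction, lifetime_seconds: int,
                 lifetime_kilobytes: int) -> Tuple[int, Optional[int]]:
    """Elapsed seconds and kilobytes carried at which renegotiation begins.

    A threshold of 100 puts the point at the lifetime itself (no early
    renegotiation). A kilobyte lifetime of 0 means there is no kilobyte
    lifetime, so no kilobyte-based point exists (None). Assumption: the
    kilobyte threshold applies to the kilobyte lifetime.
    """
    seconds_point = lifetime_seconds * action.refresh_threshold_seconds // 100
    kilobytes_point = None
    if lifetime_kilobytes:
        kilobytes_point = lifetime_kilobytes * action.refresh_threshold_kilobytes // 100
    return seconds_point, kilobytes_point


def should_renegotiate(action: IkeAssociationAction, lifetime_seconds: int,
                       lifetime_kilobytes: int, elapsed_seconds: int,
                       kilobytes_carried: int) -> bool:
    """True once either rekey point has been reached."""
    seconds_point, kilobytes_point = rekey_points(action, lifetime_seconds, lifetime_kilobytes)
    if elapsed_seconds >= seconds_point:
        return True
    return kilobytes_point is not None and kilobytes_carried >= kilobytes_point


def idle_expired(action: IkeAssociationAction, idle_seconds: int) -> bool:
    """ipSecIkeAssociationTrafficIdleTime: zero leaves expiry to the lifetimes."""
    return action.traffic_idle_time != 0 and idle_seconds >= action.traffic_idle_time


def derived_keys_rekey_point(action: IkeAssociationAction,
                             lifetime_derived_keys: int) -> Optional[int]:
    """Phase-two derivations after which the phase-one SA is refreshed.

    ipSecIkeProposalLifetimeDerivedKeys of 0 means the count is bounded only
    by the seconds/kilobyte lifetimes, so there is no derivation-based point.
    """
    if lifetime_derived_keys == 0:
        return None
    return lifetime_derived_keys * action.refresh_threshold_derived_keys // 100


if __name__ == "__main__":
    # Constructed sample: rekey at 80% of the time lifetime and 90% of the
    # byte lifetime, refuse peers offering under one hour, drop after 10 idle minutes.
    action = IkeAssociationAction(80, 90, 3600, 0, 600, 75)
    print(rekey_points(action, 28800, 102400))        # (23040, 92160)
    print(accept_peer_lifetimes(action, 1800, 0))     # False
```

The checks are deliberately fail-closed where the draft leaves a value range open: a threshold outside 1..100 is rejected at construction rather than silently clamped, and a peer lifetime below the configured minimum is refused before the SA is installed.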
-- --
-- --
-- The ipSecIkeRuleTable -- The ipSecIkeRuleTable
-- --
ipSecIkeRuleTable OBJECT-TYPE ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE rule." "Specifies IKE rules."
INDEX { ipSecIkeRulePrid } ::= { ipSecIkeAssociation 2 }
ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeRulePrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeRuleRoles, ipSecIkeRuleRoles,
ipSecIkeRuleIkeAssiciationId, ipSecIkeRuleIkeAssiciationId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId, ipSecIkeRuleIpSecRuleTimePeriodGroupId,
ipSecIkeRuleIkeEndpointGroupId ipSecIkeRuleIkeEndpointGroupId
} }
::= { ipSecIkeAssociation 10 }
ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeRuleTable 1 } ::= { ipSecIkeRuleTable 1 }
IpSecIkeRuleEntry ::= SEQUENCE { IpSecIkeRuleEntry ::= SEQUENCE {
ipSecIkeRulePrid PolicyInstanceId, ipSecIkeRulePrid InstanceId,
ipSecIkeRuleRoles RoleCombination, ipSecIkeRuleRoles RoleCombination,
ipSecIkeRuleIkeAssiciationId PolicyReferenceId, ipSecIkeRuleIkeAssiciationId ReferenceId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId PolicyTagReference, ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId,
ipSecIkeRuleIkeEndpointGroupId PolicyTagReference ipSecIkeRuleIkeEndpointGroupId TagReferenceId
} }
ipSecIkeRulePrid OBJECT-TYPE ipSecIkeRulePrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeRuleEntry 1 } ::= { ipSecIkeRuleEntry 1 }
ipSecIkeRuleRoles OBJECT-TYPE ipSecIkeRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combinations of the interface to which this IKE "Specifies the role combination of the interface to which this IKE
rule should apply." rule should apply."
::= { ipSecIkeRuleEntry 2 } ::= { ipSecIkeRuleEntry 2 }
ipSecIkeRuleIkeAssiciationId OBJECT-TYPE ipSecIkeRuleIkeAssiciationId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecIkeAssociationTable PIB-REFERENCES ipSecIkeAssociationTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies the IKE action, specified in "This attribute identifies the IKE action, specified by
ipSecIkeAssociationTable, that is associated with this rule" ipSecIkeAssociationPrid in ipSecIkeAssociationTable, that is
associated with this rule"
::= { ipSecIkeRuleEntry 3 } ::= { ipSecIkeRuleEntry 3 }
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies an IPsec rule time period group, "This attribute identifies an IPsec rule time period group,
specified in ipSecRuleTimePeriodGroupTable, that is associated with specified in ipSecRuleTimePeriodGroupTable, that is associated
this IKE rule with this IKE rule.
A value of zero indicates that this IKE rule is always valid until A value of zero indicates that this IKE rule is always valid."
being deleted."
::= { ipSecIkeRuleEntry 4 } ::= { ipSecIkeRuleEntry 4 }
ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE
SYNTAX PolicyTagReference SYNTAX TagReferenceId
PIB-TAG ipSecIkeEndpointGroupId PIB-TAG ipSecIkeEndpointGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of endpoints with which this PEP "An integer that identifies a group of endpoints with which this
may set up IKE associations. The endpoints specified in PEP can set up IKE associations. The endpoints specified in
ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this
attribute are the endpoints involved. " attribute are the endpoints involved. "
::= { ipSecIkeRuleEntry 5 } ::= { ipSecIkeRuleEntry 5 }
-- --
-- --
-- The ipSecIkeProposalSetTable -- The ipSecIkeProposalSetTable
-- --
ipSecIkeProposalSetTable OBJECT-TYPE ipSecIkeProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE proposal sets. Proposals within a set are ORed with "Specifies IKE proposal sets. Proposals within a set are ORed with
preference order. " preference order. "
INDEX { ipSecIkeProposalSetPrid } ::= { ipSecIkeAssociation 3 }
UNIQUENESS {
ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder
}
::= { ipSecIkeAssociation 11 }
ipSecIkeProposalSetEntry OBJECT-TYPE ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalSetEntry SYNTAX IpSecIkeProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class."
PIB-INDEX { ipSecIkeProposalSetPrid }
UNIQUENESS {
ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder
}
::= { ipSecIkeProposalSetTable 1 } ::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE { IpSecIkeProposalSetEntry ::= SEQUENCE {
ipSecIkeProposalSetPrid PolicyInstanceId, ipSecIkeProposalSetPrid InstanceId,
ipSecIkeProposalSetProposalSetId PolicyTagId, ipSecIkeProposalSetProposalSetId TagId,
ipSecIkeProposalSetProposalId PolicyReferenceId, ipSecIkeProposalSetProposalId ReferenceId,
ipSecIkeProposalSetOrder Unsigned32 ipSecIkeProposalSetOrder Unsigned32
} }
ipSecIkeProposalSetPrid OBJECT-TYPE ipSecIkeProposalSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalSetEntry 1 } ::= { ipSecIkeProposalSetEntry 1 }
ipSecIkeProposalSetProposalSetId OBJECT-TYPE ipSecIkeProposalSetProposalSetId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an IKE proposal set. " "An integer that uniquely identifies an IKE proposal set. "
::= { ipSecIkeProposalSetEntry 2 } ::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecIkeProposalTable PIB-REFERENCES ipSecIkeProposalTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IKE proposal, specified by the "An integer that identifies an IKE proposal, specified by
ipSecIkeProposalTable, that is included in this set." ipSecIkeProposalPrid in the ipSecIkeProposalTable, that is
included in this set."
::= { ipSecIkeProposalSetEntry 3 } ::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalSetOrder OBJECT-TYPE ipSecIkeProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecIkeProposalSetProposalId in a proposal set. The identified by ipSecIkeProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecIkeProposalSetProposalSetId. proposal set is identified by ipSecIkeProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given Proposals within a set are ORed with preference order. A given
precedence order is positioned before one with a higher-valued precedence order is positioned before one with a higher-valued
precedence order." precedence order."
::= { ipSecIkeProposalSetEntry 4 } ::= { ipSecIkeProposalSetEntry 4 }
-- --
-- The ipSecIkeProposalTable -- The ipSecIkeProposalTable
-- --
ipSecIkeProposalTable OBJECT-TYPE ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry SYNTAX SEQUENCE OF IpSecIkeProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes associated with IKE proposals." "Specifies attributes associated with IKE proposals."
INDEX { ipSecIkeProposalPrid } ::= { ipSecIkeAssociation 4 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeProposalPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeProposalMaxLifetimeSeconds, ipSecIkeProposalMaxLifetimeSeconds,
ipSecIkeProposalMaxLifetimeKilobytes, ipSecIkeProposalMaxLifetimeKilobytes,
ipSecIkeProposalCipherAlgorithm, ipSecIkeProposalCipherAlgorithm,
ipSecIkeProposalHashAlgorithm, ipSecIkeProposalHashAlgorithm,
ipSecIkeProposalAuthenticationMethod, ipSecIkeProposalAuthenticationMethod,
ipSecIkeProposalLifetimeDerivedKeys, ipSecIkeProposalLifetimeDerivedKeys,
ipSecIkeProposalPrfAlgorithm, ipSecIkeProposalPrfAlgorithm,
ipSecIkeProposalVendorId,
ipSecIkeProposalIkeDhGroup ipSecIkeProposalIkeDhGroup
} }
::= { ipSecIkeAssociation 12 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeProposalTable 1 } ::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE { IpSecIkeProposalEntry ::= SEQUENCE {
ipSecIkeProposalPrid PolicyInstanceId, ipSecIkeProposalPrid InstanceId,
ipSecIkeProposalMaxLifetimeSeconds Unsigned32, ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
ipSecIkeProposalMaxLifetimeKilobytes Unsigned32, ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
ipSecIkeProposalCipherAlgorithm INTEGER, ipSecIkeProposalCipherAlgorithm INTEGER,
ipSecIkeProposalHashAlgorithm INTEGER, ipSecIkeProposalHashAlgorithm INTEGER,
ipSecIkeProposalAuthenticationMethod INTEGER, ipSecIkeProposalAuthenticationMethod INTEGER,
ipSecIkeProposalLifetimeDerivedKeys Unsigned32, ipSecIkeProposalLifetimeDerivedKeys Unsigned32,
ipSecIkeProposalPrfAlgorithm Unsigned32, ipSecIkeProposalPrfAlgorithm Unsigned32,
ipSecIkeProposalVendorId OCTET STRING,
ipSecIkeProposalIkeDhGroup Unsigned32 ipSecIkeProposalIkeDhGroup Unsigned32
} }
ipSecIkeProposalPrid OBJECT-TYPE ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalEntry 1 } ::= { ipSecIkeProposalEntry 1 }
ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the seconds lifetime for this particular proposal. "Specifies the seconds lifetime for this particular proposal.
A value of zero indicates that the lifetime value defaults to 8 A value of zero indicates that the lifetime value defaults to 8
hours. " hours. "
::= { ipSecIkeProposalEntry 2 } ::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal. "Specifies the kilobyte lifetime for this particular proposal.
A value of zero indicates that there is no kilobyte lifetime. " A value of zero indicates that there is no kilobyte lifetime.
"
::= { ipSecIkeProposalEntry 3 } ::= { ipSecIkeProposalEntry 3 }
ipSecIkeProposalCipherAlgorithm OBJECT-TYPE ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
des-CBC(1), des-CBC(1),
idea-CBC(2), idea-CBC(2),
blowfish-CBC(3), blowfish-CBC(3),
rc5-R16-B64-CBC(4), rc5-R16-B64-CBC(4),
tripleDes-CBC(5), tripleDes-CBC(5),
cast-CBC(6) cast-CBC(6)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE "Specifies the encryption algorithm to propose for the IKE
association. " association. "
::= { ipSecIkeProposalEntry 4 } ::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE ipSecIkeProposalHashAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(1), md5(1),
sha-1(2), sha-1(2),
tiger(3) tiger(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association." "Specifies the hash algorithm to propose for the IKE association."
::= { ipSecIkeProposalEntry 5 } ::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
presharedKey(1), presharedKey(1),
dssSignatures(2), dssSignatures(2),
rsaSignatures(3), rsaSignatures(3),
rsaEncryption(4), rsaEncryption(4),
revisedRsaEncryption(5), revisedRsaEncryption(5),
skipping to change at line 1879 skipping to change at line 2090
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the authentication method to propose for the IKE "Specifies the authentication method to propose for the IKE
association. " association. "
::= { ipSecIkeProposalEntry 6 } ::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the number of times the IKE phase one key may be used to "Specifies the number of times the IKE phase one key can be used
derive an IKE phase two key. A value of zero indicates that the to derive an IKE phase two key. A value of zero indicates that the
number of times an IKE phase one key may be used to derive an IKE number of times an IKE phase one key may be used to derive an IKE
phase two key is limited by the seconds and/or kilobyte lifetimes. " phase two key is limited by the seconds and/or kilobyte
lifetimes."
::= { ipSecIkeProposalEntry 7 } ::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Pseudo-Random Function (PRF) to propose for the IKE "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
association. " association. "
::= { ipSecIkeProposalEntry 8 } ::= { ipSecIkeProposalEntry 8 }
ipSecIkeProposalVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Identifies vendor-defined key exchange GroupIDs."
::= { ipSecIkeProposalEntry 9 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Diffie-Hellman group to propose for the IKE "Specifies the Diffie-Hellman group to propose for the IKE
association. " association. If the GroupID number is from the vendor-specific
::= { ipSecIkeProposalEntry 9 } range (32768-65535), the VendorID qualifies the group number. "
::= { ipSecIkeProposalEntry 10 }
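An added example (not the draft's code, and not any IKE implementation's) covering the two tables above: it resolves the ipSecIkeProposalSetProposalId references into ipSecIkeProposalTable rows, orders the members of a set by ipSecIkeProposalSetOrder with the lowest value first, enforces the UNIQUENESS clause, applies the lifetime defaults stated in the DESCRIPTION clauses (zero seconds means 8 hours, zero kilobytes means no kilobyte lifetime) and checks the vendor-specific Diffie-Hellman group rule against ipSecIkeProposalVendorId. The enumeration numbers are the draft's; the Python class and function names, select_proposal(), and the sample rows are this example's own.

```python
"""Ordering and validating IKE proposals from ipSecIkeProposalSetTable and
ipSecIkeProposalTable (added example; names other than the quoted PIB
attributes and enumeration labels are assumptions of this example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Enumerations from ipSecIkeProposalTable (value: label).
CIPHER_ALGORITHM = {1: "des-CBC", 2: "idea-CBC", 3: "blowfish-CBC",
                    4: "rc5-R16-B64-CBC", 5: "tripleDes-CBC", 6: "cast-CBC"}
HASH_ALGORITHM = {1: "md5", 2: "sha-1", 3: "tiger"}
AUTHENTICATION_METHOD = {1: "presharedKey", 2: "dssSignatures", 3: "rsaSignatures",
                         4: "rsaEncryption", 5: "revisedRsaEncryption"}
VENDOR_DH_GROUPS = range(32768, 65536)  # vendor-specific GroupID range per the draft
DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60  # "A value of zero ... defaults to 8 hours"


@dataclass(frozen=True)
class IkeProposal:
    prid: int                    # ipSecIkeProposalPrid
    max_lifetime_seconds: int    # 0 -> 8 hours
    max_lifetime_kilobytes: int  # 0 -> no kilobyte lifetime
    cipher_algorithm: int
    hash_algorithm: int
    authentication_method: int
    lifetime_derived_keys: int   # 0 -> bounded by the other lifetimes
    prf_algorithm: int           # Unsigned32, no enumeration in the draft
    vendor_id: bytes             # ipSecIkeProposalVendorId (OCTET STRING)
    ike_dh_group: int

    def effective_lifetime_seconds(self) -> int:
        return self.max_lifetime_seconds or DEFAULT_LIFETIME_SECONDS

    def effective_lifetime_kilobytes(self) -> Optional[int]:
        return self.max_lifetime_kilobytes or None


def validate_proposal(p: IkeProposal) -> List[str]:
    """Problems with one proposal row according to the DESCRIPTIONs (empty = valid)."""
    problems = []
    if p.cipher_algorithm not in CIPHER_ALGORITHM:
        problems.append(f"unknown ipSecIkeProposalCipherAlgorithm {p.cipher_algorithm}")
    if p.hash_algorithm not in HASH_ALGORITHM:
        problems.append(f"unknown ipSecIkeProposalHashAlgorithm {p.hash_algorithm}")
    if p.authentication_method not in AUTHENTICATION_METHOD:
        problems.append(f"unknown ipSecIkeProposalAuthenticationMethod {p.authentication_method}")
    if p.ike_dh_group in VENDOR_DH_GROUPS and not p.vendor_id:
        problems.append("vendor-specific ipSecIkeProposalIkeDhGroup needs a VendorID")
    return problems


@dataclass(frozen=True)
class ProposalSetRow:
    prid: int             # ipSecIkeProposalSetPrid
    proposal_set_id: int  # ipSecIkeProposalSetProposalSetId (TagId)
    proposal_id: int      # ipSecIkeProposalSetProposalId -> IkeProposal.prid
    order: int            # ipSecIkeProposalSetOrder


def ordered_proposals(rows: Iterable[ProposalSetRow], set_id: int,
                      proposals: Dict[int, IkeProposal]) -> List[IkeProposal]:
    """Members of one set, most preferred (lowest order value) first."""
    members = [r for r in rows if r.proposal_set_id == set_id]
    seen: Set[Tuple[int, int, int]] = set()
    for r in members:
        key = (r.proposal_set_id, r.proposal_id, r.order)
        if key in seen:  # UNIQUENESS clause of ipSecIkeProposalSetEntry
            raise ValueError(f"duplicate proposal-set row {key}")
        seen.add(key)
    members.sort(key=lambda r: r.order)
    result = []
    for r in members:
        if r.proposal_id not in proposals:  # dangling PIB-REFERENCES
            raise KeyError(f"proposal {r.proposal_id} not in ipSecIkeProposalTable")
        result.append(proposals[r.proposal_id])
    return result


def select_proposal(candidates: List[IkeProposal],
                    peer_accepts: Set[Tuple[int, int, int, int]]) -> Optional[IkeProposal]:
    """First proposal in preference order whose (cipher, hash, auth, DH group)
    the peer accepts; None when the ORed list is exhausted."""
    for p in candidates:
        if (p.cipher_algorithm, p.hash_algorithm, p.authentication_method,
                p.ike_dh_group) in peer_accepts:
            return p
    return None


# Constructed sample rows (not from the draft).
PROPOSALS = {
    1: IkeProposal(1, 0, 0, 5, 2, 3, 0, 1, b"", 2),          # 3DES / SHA-1 / RSA sig / DH 2
    2: IkeProposal(2, 3600, 102400, 1, 1, 1, 0, 1, b"", 1),  # DES / MD5 / PSK / DH 1
    3: IkeProposal(3, 0, 0, 5, 2, 3, 0, 1, b"", 40000),      # vendor DH group, VendorID missing
}
SET_ROWS = [ProposalSetRow(1, 10, 2, 20), ProposalSetRow(2, 10, 1, 10),
            ProposalSetRow(3, 10, 3, 30)]
```

Running validate_proposal over every row before installing a set is the useful defensive step here: a vendor DH group without its VendorID, or a set row pointing at a proposal that does not exist, is caught at policy-load time instead of surfacing as a failed negotiation.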
-- --
-- --
-- The ipSecIkeEndpointTable -- The ipSecIkeEndpointTable
-- --
ipSecIkeEndpointTable OBJECT-TYPE ipSecIkeEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeEndpointEntry SYNTAX SEQUENCE OF IpSecIkeEndpointEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the peer endpoints with which this PEP should establish "Specifies the peer endpoints with which this PEP establishes IKE
IKE associations according to ipSecIkeEndpointStartupCondition." associations according to ipSecIkeEndpointStartupCondition."
INDEX { ipSecIkeEndpointPrid } ::= { ipSecIkeAssociation 5 }
UNIQUENESS {
ipSecIkeEndpointUseIkeIdentityType,
ipSecIkeEndpointIkeIdentityId,
ipSecIkeEndpointEndpointId,
ipSecIkeEndpointStartupCondition,
ipSecIkeEndpointIsOriginator,
ipSecIkeEndpointGroupId
}
::= { ipSecIkeAssociation 13 }
ipSecIkeEndpointEntry OBJECT-TYPE ipSecIkeEndpointEntry OBJECT-TYPE
SYNTAX IpSecIkeEndpointEntry SYNTAX IpSecIkeEndpointEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class."
PIB-INDEX { ipSecIkeEndpointPrid }
UNIQUENESS {
ipSecIkeEndpointIdentityType,
ipSecIkeEndpointIdentity,
ipSecIkeEndpointAddressType,
ipSecIkeEndpointAddress,
ipSecIkeEndpointPeerCredentialId,
ipSecIkeEndpointStartupCondition,
ipSecIkeEndpointIsOriginator,
ipSecIkeEndpointGroupId
}
::= { ipSecIkeEndpointTable 1 } ::= { ipSecIkeEndpointTable 1 }
IpSecIkeEndpointEntry ::= SEQUENCE { IpSecIkeEndpointEntry ::= SEQUENCE {
ipSecIkeEndpointPrid PolicyInstanceId, ipSecIkeEndpointPrid InstanceId,
ipSecIkeEndpointUseIkeIdentityType INTEGER, ipSecIkeEndpointIdentityType INTEGER,
ipSecIkeEndpointIkeIdentityId PolicyReferenceId, ipSecIkeEndpointIdentity OCTET STRING,
ipSecIkeEndpointEndpointId PolicyReferenceId, ipSecIkeEndpointAddressType INTEGER,
ipSecIkeEndpointAddress OCTET STRING,
ipSecIkeEndpointPeerCredentialId TagReferenceId,
ipSecIkeEndpointStartupCondition BITS, ipSecIkeEndpointStartupCondition BITS,
ipSecIkeEndpointIsOriginator TruthValue, ipSecIkeEndpointIsOriginator TruthValue,
ipSecIkeEndpointGroupId PolicyTagId ipSecIkeEndpointGroupId TagId
} }
ipSecIkeEndpointPrid OBJECT-TYPE ipSecIkeEndpointPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeEndpointEntry 1 } ::= { ipSecIkeEndpointEntry 1 }
ipSecIkeEndpointUseIkeIdentityType OBJECT-TYPE ipSecIkeEndpointIdentityType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
ipV6-Address(5), ipV6-Address(5),
ipV6-Subnet(6), ipV6-Subnet(6),
ipV4-Address-Range(7), ipV4-Address-Range(7),
ipV6-Address-Range(8), ipV6-Address-Range(8),
der-Asn1-DN(9), der-Asn1-DN(9),
der-Asn1-GN(10), der-Asn1-GN(10),
key-Id(11) key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IKE identity to use during negotiation." "Specifies the type of identity that MUST be provided by the peer
in the ID payload during IKE phase one negotiation."
::= { ipSecIkeEndpointEntry 2 } ::= { ipSecIkeEndpointEntry 2 }
ipSecIkeEndpointIkeIdentityId OBJECT-TYPE ipSecIkeEndpointIdentity OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX OCTET STRING
PIB-REFERENCE ipSecAddressTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IKE identity of the peer point. This "Specifies the value to be matched with the ID payload provided by
information is used during IKE negotiation. The type of this address the peer during IKE phase one negotiation."
is specified by ipSecIkeEndpointIkeIdentityType. The address
specified in the ipSecAddressTable whose ipSecAddressPrid matches
this integer is the IKE identity. "
::= { ipSecIkeEndpointEntry 3 } ::= { ipSecIkeEndpointEntry 3 }
ipSecIkeEndpointEndpointId OBJECT-TYPE ipSecIkeEndpointAddressType OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX INTEGER {
PIB-REFERENCE ipSecAddressTable ipV4(1),
ipV6(2)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an endpoint address with which this PEP may establish IKE "Specifies IKE peer endpoint address type. This controls the
association. The address in the ipSecAddressTable whose length of the OCTET STRING for the ipSecIkeEndpointAddress. IPv4
ipSecAddressPrid matches this value is the endpoint address. This addresses (1) are octet strings of length 4. IPv6 addresses (2)
address must identify a single endpoint. Address ranges or subnet are octet strings of length 16."
addresses are not allowed "
::= { ipSecIkeEndpointEntry 4 } ::= { ipSecIkeEndpointEntry 4 }
ipSecIkeEndpointAddress OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies an endpoint address with which this PEP establishes IKE
association."
::= { ipSecIkeEndpointEntry 5 }
ipSecIkeEndpointPeerCredentialId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG ipSecPeerCredentialGroupId
STATUS current
DESCRIPTION
"An integer that identifies a group of credentials. The credential
specified in ipSecPeerCredentialTable whose
ipSecPeerCredentialGroupId matches this attribute is included in
this group. Any one of the credentials in the group is acceptable
as the IKE peer credential.
If no credentials are used, this attribute MUST be zero."
::= { ipSecIkeEndpointEntry 6 }
ipSecIkeEndpointStartupCondition OBJECT-TYPE ipSecIkeEndpointStartupCondition OBJECT-TYPE
SYNTAX BITS { SYNTAX BITS {
onBoot(1), onBoot(1),
onTraffic(2), onTraffic(2),
onPolicy(3) onPolicy(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the triggering event that causes the IKE rule referenced "Specifies the triggering event that causes the IKE rule
to be applied. OnBoot (1) means that the rule is triggered after referenced to be applied. OnBoot (1) means that the rule is
system boot. OnTraffic (2) means that the rule is triggered when triggered after system boot. OnTraffic (2) means that the rule is
packets without associated security associations are sent or triggered when packets without associated security associations
received. OnPolicy (3) means that the rule is triggered when it are sent or received. OnPolicy (3) means that the rule is
becomes valid as specified by ipSecRuleTimePeriodGroupTable. " triggered when it becomes valid as specified by
::= { ipSecIkeEndpointEntry 5 } ipSecRuleTimePeriodGroupTable. "
::= { ipSecIkeEndpointEntry 7 }
ipSecIkeEndpointIsOriginator OBJECT-TYPE ipSecIkeEndpointIsOriginator OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If this attribute is true, when IKE associations need to be set "If this attribute is true, when IKE associations need to be set
up, this PEP should initiate the establishment. Otherwise, it should up, this PEP SHALL initiate the establishment. Otherwise, it SHALL
wait for the other end to initiate the setup." wait for the other end to initiate the setup."
::= { ipSecIkeEndpointEntry 6 } ::= { ipSecIkeEndpointEntry 8 }
ipSecIkeEndpointGroupId OBJECT-TYPE ipSecIkeEndpointGroupId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this IKE endpoint belongs to." "Specifies the group this IKE endpoint belongs to."
::= { ipSecIkeEndpointEntry 7 } ::= { ipSecIkeEndpointEntry 9 }
--
--
-- The ipSecPeerCredentialTable
--
ipSecPeerCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecPeerCredentialEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies groups of IKE peer credentials. Credentials in a group
are ORed. Any one of the credentials in a group is acceptable as
the IKE peer endpoint credential."
::= { ipSecIkeAssociation 6 }
ipSecPeerCredentialEntry OBJECT-TYPE
SYNTAX IpSecPeerCredentialEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecPeerCredentialPrid }
UNIQUENESS {
ipSecPeerCredentialCredentialType,
ipSecPeerCredentialFieldsGroupId,
ipSecPeerCredentialGroupId
}
::= { ipSecPeerCredentialTable 1 }
IpSecPeerCredentialEntry ::= SEQUENCE {
ipSecPeerCredentialPrid InstanceId,
ipSecPeerCredentialCredentialType INTEGER,
ipSecPeerCredentialFieldsGroupId TagReferenceId,
ipSecPeerCredentialGroupId TagId
}
ipSecPeerCredentialPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecPeerCredentialEntry 1 }
ipSecPeerCredentialCredentialType OBJECT-TYPE
SYNTAX INTEGER {
certificateX.509(1),
kerberos-ticket(2)
}
STATUS current
DESCRIPTION
"Specifies the type of credential to be matched."
::= { ipSecPeerCredentialEntry 2 }
ipSecPeerCredentialFieldsGroupId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG ipSecCredentialFieldsGroupId
STATUS current
DESCRIPTION
"An integer that identifies a group of matching criteria to be
used for this peer credential. The criteria specified in
ipSecCredentialFieldsTable whose ipSecCredentialFieldsGroupId
match this attribute are the criteria to be used. The identified
criteria are ANDed. "
::= { ipSecPeerCredentialEntry 3 }
ipSecPeerCredentialGroupId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"Specifies the group this credential belongs to. Credentials in a
group are ORed. Any one of the credentials in a group is
acceptable as the IKE peer endpoint credential."
::= { ipSecPeerCredentialEntry 4 }
--
--
-- The ipSecCredentialFieldsTable
--
ipSecCredentialFieldsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies the sub-fields and their values to be matched against
peer credentials obtained during IKE phase one negotiation. All
criteria within a group are ANDed."
::= { ipSecIkeAssociation 7 }
ipSecCredentialFieldsEntry OBJECT-TYPE
SYNTAX IpSecCredentialFieldsEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecCredentialFieldsPrid }
UNIQUENESS {
ipSecCredentialFieldsName,
ipSecCredentialFieldsValue,
ipSecCredentialFieldsGroupId
}
::= { ipSecCredentialFieldsTable 1 }
IpSecCredentialFieldsEntry ::= SEQUENCE {
ipSecCredentialFieldsPrid InstanceId,
ipSecCredentialFieldsName OCTET STRING,
ipSecCredentialFieldsValue OCTET STRING,
ipSecCredentialFieldsGroupId TagId
}
ipSecCredentialFieldsPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecCredentialFieldsEntry 1 }
ipSecCredentialFieldsName OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the sub-field of the credential to match with."
::= { ipSecCredentialFieldsEntry 2 }
ipSecCredentialFieldsValue OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the value to match with the ipSecCredentialFieldsName
in a credential."
::= { ipSecCredentialFieldsEntry 3 }
ipSecCredentialFieldsGroupId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"Specifies the group this criterion belongs to. All criteria within
a group are ANDed."
::= { ipSecCredentialFieldsEntry 4 }
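The matching rule the two tables above define, in working form. This is an added example and not draft text: it models ipSecPeerCredentialTable and ipSecCredentialFieldsTable rows as Python records, ANDs the criteria of a fields group, ORs the rows of a credential group, and returns the ipSecPeerCredentialPrid of the accepting row. The sample rows, the sub-field names (O, OU, realm), the octet-for-octet comparison and the fail-closed treatment of a fields group that has no rows are the example's assumptions; the draft does not say what an empty group means.

```python
"""Acceptance test for an IKE peer credential under the ipSecPeerCredentialTable /
ipSecCredentialFieldsTable semantics: criteria inside a fields group are ANDed,
rows inside a credential group are ORed."""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

CERTIFICATE_X509 = 1    # ipSecPeerCredentialCredentialType certificateX.509(1)
KERBEROS_TICKET = 2     # ipSecPeerCredentialCredentialType kerberos-ticket(2)

@dataclass(frozen=True)
class PeerCredentialRow:        # one ipSecPeerCredentialEntry
    prid: int                   # ipSecPeerCredentialPrid
    credential_type: int        # ipSecPeerCredentialCredentialType
    fields_group_id: int        # ipSecPeerCredentialFieldsGroupId (TagReferenceId)
    group_id: int               # ipSecPeerCredentialGroupId (TagId)

@dataclass(frozen=True)
class CredentialFieldsRow:      # one ipSecCredentialFieldsEntry
    prid: int                   # ipSecCredentialFieldsPrid
    name: bytes                 # ipSecCredentialFieldsName
    value: bytes                # ipSecCredentialFieldsValue
    group_id: int               # ipSecCredentialFieldsGroupId (TagId)

@dataclass(frozen=True)
class PresentedCredential:
    """The credential obtained during IKE phase one. The sub-field names used
    below (b"O", b"OU", b"realm") are this example's assumption; the draft
    leaves the name space of ipSecCredentialFieldsName open."""
    credential_type: int
    fields: Mapping[bytes, bytes]

def fields_group_matches(criteria: List[CredentialFieldsRow],
                         cred: PresentedCredential) -> bool:
    """All criteria in a fields group are ANDed, compared octet for octet.
    A referenced group with no rows fails closed: the vacuous-truth reading
    would accept every credential of the right type."""
    if not criteria:
        return False
    return all(cred.fields.get(c.name) == c.value for c in criteria)

def accepted_by(group_id: int, peer_rows: List[PeerCredentialRow],
                fields_rows: List[CredentialFieldsRow],
                cred: PresentedCredential) -> Optional[int]:
    """Return the ipSecPeerCredentialPrid of the first row in credential group
    group_id that the presented credential satisfies (rows are ORed), or None."""
    by_group: Dict[int, List[CredentialFieldsRow]] = {}
    for r in fields_rows:
        by_group.setdefault(r.group_id, []).append(r)
    for row in peer_rows:
        if row.group_id != group_id or row.credential_type != cred.credential_type:
            continue
        if fields_group_matches(by_group.get(row.fields_group_id, []), cred):
            return row.prid
    return None

# Constructed sample tables (not from the draft). Credential group 10 accepts
# an X.509 certificate with O=Example Corp and OU=VPN Gateways, or a Kerberos
# ticket from realm EXAMPLE.COM. Group 11 references a fields group with no rows.
PEER_CREDENTIALS = [
    PeerCredentialRow(prid=1, credential_type=CERTIFICATE_X509, fields_group_id=100, group_id=10),
    PeerCredentialRow(prid=2, credential_type=KERBEROS_TICKET, fields_group_id=200, group_id=10),
    PeerCredentialRow(prid=3, credential_type=CERTIFICATE_X509, fields_group_id=999, group_id=11),
]
CREDENTIAL_FIELDS = [
    CredentialFieldsRow(prid=1, name=b"O", value=b"Example Corp", group_id=100),
    CredentialFieldsRow(prid=2, name=b"OU", value=b"VPN Gateways", group_id=100),
    CredentialFieldsRow(prid=3, name=b"realm", value=b"EXAMPLE.COM", group_id=200),
]

def check(group_id: int, credential_type: int, **fields: bytes) -> Optional[int]:
    """Evaluate one presented credential against the sample tables."""
    cred = PresentedCredential(credential_type, {k.encode(): v for k, v in fields.items()})
    return accepted_by(group_id, PEER_CREDENTIALS, CREDENTIAL_FIELDS, cred)
```

Note that a row whose ipSecPeerCredentialCredentialType differs from the presented credential is skipped before its fields group is consulted, so a Kerberos realm criterion can never be satisfied by a certificate that happens to carry a "realm" sub-field.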
--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies ESP transform sets. Within a transform set, the choices
are ORed with preference order."
::= { ipSecEspTransform 1 }
ipSecEspTransformSetEntry OBJECT-TYPE
SYNTAX IpSecEspTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecEspTransformSetPrid }
UNIQUENESS {
ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
}
::= { ipSecEspTransformSetTable 1 }
IpSecEspTransformSetEntry ::= SEQUENCE {
ipSecEspTransformSetPrid InstanceId,
ipSecEspTransformSetTransformSetId TagId,
ipSecEspTransformSetTransformId ReferenceId,
ipSecEspTransformSetOrder Unsigned32
}
ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformSetEntry 1 }
ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An integer that identifies a set of ESP transforms"
::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES ipSecEspTransformTable
STATUS current
DESCRIPTION
"An integer that identifies an ESP transform, specified by
ipSecEspTransformPrid in ipSecEspTransformTable, that is included
in this set."
::= { ipSecEspTransformSetEntry 3 }
ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecEspTransformSetTransformId within a transform
set. The transform set is identified by
ipSecEspTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order."
::= { ipSecEspTransformSetEntry 4 }
--
--
-- The ipSecEspTransformTable
--
ipSecEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies ESP transforms."
::= { ipSecEspTransform 2 }
ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecEspTransformPrid }
UNIQUENESS {
ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId,
ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength
}
::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid InstanceId,
ipSecEspTransformIntegrityTransformId INTEGER,
ipSecEspTransformCipherTransformId INTEGER,
ipSecEspTransformCipherKeyRounds Unsigned32,
ipSecEspTransformCipherKeyLength Unsigned32
}
ipSecEspTransformPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformEntry 1 }
ipSecEspTransformIntegrityTransformId OBJECT-TYPE
SYNTAX INTEGER {
none(0),
hmacMd5(1),
hmacSha(2),
skipping to change at line 2566
DESCRIPTION
"Specifies the ESP integrity algorithm to propose."
::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER {
desIV64(1),
des(2),
tripleDES(3),
rc5(4),
idea(5),
cast(6),
blowfish(7),
tripleIDEA(8),
desIV32(9),
rc4(10),
null(11)
}
STATUS current
DESCRIPTION
"Specifies the ESP cipher/encryption algorithm to propose."
::= { ipSecEspTransformEntry 3 }
ipSecEspTransformCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the number of key rounds for the ESP cipher algorithm
specified by the attribute ipSecEspTransformCipherTransformId."
::= { ipSecEspTransformEntry 4 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the length of the ESP cipher key in bits."
::= { ipSecEspTransformEntry 5 }
--
--
-- The ipSecAhTransformSetTable
--
ipSecAhTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies AH transform sets. Within a transform set, the choices
are ORed with preference order."
::= { ipSecAhTransform 1 }
ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX IpSecAhTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecAhTransformSetPrid }
UNIQUENESS {
ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
}
::= { ipSecAhTransformSetTable 1 }
IpSecAhTransformSetEntry ::= SEQUENCE {
ipSecAhTransformSetPrid InstanceId,
ipSecAhTransformSetTransformSetId TagId,
ipSecAhTransformSetTransformId ReferenceId,
ipSecAhTransformSetOrder Unsigned32
}
ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecAhTransformSetEntry 1 }
ipSecAhTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An integer that identifies an AH transform set."
::= { ipSecAhTransformSetEntry 2 }
ipSecAhTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES ipSecAhTransformTable
STATUS current
DESCRIPTION
"An integer that identifies an AH transform, as specified by
ipSecAhTransformPrid in ipSecAhTransformTable, that is included in
this set."
::= { ipSecAhTransformSetEntry 3 }
ipSecAhTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecAhTransformSetTransformId within a transform
set. The transform set is identified by
ipSecAhTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order."
::= { ipSecAhTransformSetEntry 4 }
--
--
-- The ipSecAhTransformTable
--
ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies AH transforms."
::= { ipSecAhTransform 2 }
ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecAhTransformPrid }
UNIQUENESS {
ipSecAhTransformTransformId
}
::= { ipSecAhTransformTable 1 }
IpSecAhTransformEntry ::= SEQUENCE {
ipSecAhTransformPrid InstanceId,
ipSecAhTransformTransformId INTEGER
}
ipSecAhTransformPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER {
md5(2),
sha-1(3),
des(4)
}
STATUS current
DESCRIPTION
"Specifies the AH hash algorithm to propose."
::= { ipSecAhTransformEntry 2 }
--
--
-- The ipSecCompTransformSetTable
--
ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPComp transform sets. Within a transform set, the
choices are ORed with preference order."
::= { ipSecCompTransform 1 }
ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecCompTransformSetPrid }
UNIQUENESS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
::= { ipSecCompTransformSetTable 1 }
IpSecCompTransformSetEntry ::= SEQUENCE {
ipSecCompTransformSetPrid InstanceId,
ipSecCompTransformSetTransformSetId TagId,
ipSecCompTransformSetTransformId ReferenceId,
ipSecCompTransformSetOrder Unsigned32
}
ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecCompTransformSetEntry 1 }
ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An integer that identifies an IPComp transform set"
::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES ipSecCompTransformTable
STATUS current
DESCRIPTION
"An integer that identifies an IPComp Transform, specified by
ipSecCompTransformPrid in ipSecCompTransformTable, that is
included in this set."
::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order."
::= { ipSecCompTransformSetEntry 4 }
--
--
-- The ipSecCompTransformTable
--
ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPComp transforms."
::= { ipSecCompTransform 2 }
ipSecCompTransformEntry OBJECT-TYPE
SYNTAX IpSecCompTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecCompTransformPrid }
UNIQUENESS {
ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm
}
::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid InstanceId,
ipSecCompTransformAlgorithm INTEGER,
ipSecCompTransformDictionarySize Unsigned32,
ipSecCompTransformPrivateAlgorithm Unsigned32
}
ipSecCompTransformPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
oui(1),
deflate(2),
lzs(3)
}
STATUS current
DESCRIPTION
"Specifies the IPComp compression algorithm to propose."
::= { ipSecCompTransformEntry 2 }
ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the log2 maximum size of the dictionary."
::= { ipSecCompTransformEntry 3 }
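Resolving a transform set into the ordered proposal list, as an added example that is not draft text. It serves the ESP, AH and IPComp transform-set tables above alike, because all three join ...TransformSetTransformId (a ReferenceId) to the ...Prid of the corresponding transform table and order members by ...TransformSetOrder, lower value first. The sample rows are constructed; the dangling-reference check, the refusal of two members with the same order value (the UNIQUENESS clause only constrains the whole triple, so the PIB itself permits that) and the rejection of an ESP transform with null(11) cipher and none(0) integrity are the example's own additions.

```python
"""Resolve an ipSec{Esp,Ah,Comp}TransformSet into the ordered list of
transforms to propose: members are ORed, lowest ...Order first."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, TypeVar

T = TypeVar("T")

@dataclass(frozen=True)
class TransformSetRow:          # one ipSec{Esp,Ah,Comp}TransformSetEntry
    prid: int                   # ...TransformSetPrid
    transform_set_id: int       # ...TransformSetTransformSetId (TagId)
    transform_id: int           # ...TransformSetTransformId (ReferenceId)
    order: int                  # ...TransformSetOrder (Unsigned32)

@dataclass(frozen=True)
class EspTransformRow:          # one ipSecEspTransformEntry
    prid: int                   # ipSecEspTransformPrid
    integrity: int              # ipSecEspTransformIntegrityTransformId
    cipher: int                 # ipSecEspTransformCipherTransformId
    key_rounds: int             # ipSecEspTransformCipherKeyRounds
    key_length: int             # ipSecEspTransformCipherKeyLength, bits

ESP_INTEGRITY_NONE = 0          # none(0)
ESP_CIPHER_NULL = 11            # null(11)

def ordered_transforms(set_id: int, set_rows: Sequence[TransformSetRow],
                       transforms: Dict[int, T]) -> List[T]:
    """Members of set_id, resolved through their ReferenceId and sorted so
    that a lower ...Order value comes first. Works for ESP, AH and IPComp
    because the join is identical; only the transform row type differs."""
    members = [r for r in set_rows if r.transform_set_id == set_id]
    if not members:
        raise ValueError(f"transform set {set_id} has no members")
    seen_order: Dict[int, int] = {}
    for r in members:
        if r.transform_id not in transforms:
            raise ValueError(f"set row {r.prid} references missing transform Prid {r.transform_id}")
        # UNIQUENESS covers the (set, transform, order) triple only, so two
        # members may share an order value; precedence would then be
        # undefined. Refuse rather than guess.
        if r.order in seen_order:
            raise ValueError(f"set {set_id}: order {r.order} used by rows {seen_order[r.order]} and {r.prid}")
        seen_order[r.order] = r.prid
    members.sort(key=lambda r: r.order)
    return [transforms[r.transform_id] for r in members]

def esp_transform_protects(t: EspTransformRow) -> bool:
    """ESP with a null cipher and no integrity algorithm provides nothing;
    RFC 2406 requires at least one of the two services. This check is the
    example's addition, not something the PIB enforces."""
    return not (t.integrity == ESP_INTEGRITY_NONE and t.cipher == ESP_CIPHER_NULL)

# Constructed sample rows (not from the draft).
ESP_TRANSFORMS = {
    1: EspTransformRow(1, integrity=2, cipher=3, key_rounds=0, key_length=192),  # hmacSha + tripleDES
    2: EspTransformRow(2, integrity=1, cipher=2, key_rounds=0, key_length=64),   # hmacMd5 + des
    3: EspTransformRow(3, integrity=0, cipher=11, key_rounds=0, key_length=0),   # none + null
}
ESP_SET_ROWS = [
    TransformSetRow(prid=1, transform_set_id=7, transform_id=2, order=20),
    TransformSetRow(prid=2, transform_set_id=7, transform_id=1, order=10),
    TransformSetRow(prid=3, transform_set_id=8, transform_id=1, order=10),
    TransformSetRow(prid=4, transform_set_id=8, transform_id=3, order=20),
    TransformSetRow(prid=5, transform_set_id=9, transform_id=42, order=10),   # dangling reference
    TransformSetRow(prid=6, transform_set_id=12, transform_id=1, order=10),
    TransformSetRow(prid=7, transform_set_id=12, transform_id=2, order=10),   # duplicate order
]

def esp_proposal_prids(set_id: int) -> List[int]:
    """ipSecEspTransformPrid values in proposal order; raises on a broken set."""
    return [t.prid for t in ordered_transforms(set_id, ESP_SET_ROWS, ESP_TRANSFORMS)]

def esp_set_is_sound(set_id: int) -> bool:
    """False when the set is malformed or offers an unprotecting transform."""
    try:
        return all(esp_transform_protects(t)
                   for t in ordered_transforms(set_id, ESP_SET_ROWS, ESP_TRANSFORMS))
    except ValueError:
        return False
```

Set 7 resolves to transforms 1 then 2 even though the set rows were installed in the opposite order, which is the point of ...TransformSetOrder: the row Prid says nothing about preference.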
skipping to change at line 2878
--
--
-- The ipSecRuleTimePeriodTable
--
ipSecRuleTimePeriodTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies the time periods during which a policy rule is valid.
The values of the five time attributes in a row, from
ipSecRuleTimePeriodTimePeriod through
ipSecRuleTimePeriodTimeOfDayMask, are ANDed together to determine
the validity period(s). If any of the five attributes is not
present, it is treated as always enabled."
::= { ipSecPolicyTimePeriod 1 }
ipSecRuleTimePeriodEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecRuleTimePeriodPrid }
UNIQUENESS {
ipSecRuleTimePeriodTimePeriod,
ipSecRuleTimePeriodMonthOfYearMask,
ipSecRuleTimePeriodDayOfMonthMask,
ipSecRuleTimePeriodDayOfWeekMask,
ipSecRuleTimePeriodTimeOfDayMask,
ipSecRuleTimePeriodLocalOrUtcTime
}
::= { ipSecRuleTimePeriodTable 1 }
IpSecRuleTimePeriodEntry ::= SEQUENCE {
ipSecRuleTimePeriodPrid InstanceId,
ipSecRuleTimePeriodTimePeriod OCTET STRING,
ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
ipSecRuleTimePeriodLocalOrUtcTime INTEGER
}
ipSecRuleTimePeriodPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodEntry 1 }
ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that identifies an overall range of calendar
dates and times over which a policy rule is valid. It reuses the
format for an explicit time period defined in RFC 2445: a string
representing a starting date and time, in which the character 'T'
indicates the beginning of the time portion, followed by the
solidus character '/', followed by a similar string representing
an end date and time. The first date indicates the beginning of
the range, while the second date indicates the end. Thus, the
second date and time must be later than the first. Date/times are
expressed as substrings of the form yyyymmddThhmmss.
There are also two special cases:
- If the first date/time is replaced with the string
THISANDPRIOR, then the property indicates that a policy rule is
valid [from now] until the date/time that appears after the '/'.
- If the second date/time is replaced with the string
THISANDFUTURE, then the property indicates that a policy rule
becomes valid on the date/time that appears before the '/', and
remains valid from that point on."
::= { ipSecRuleTimePeriodEntry 2 }
ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which months the policy is valid
for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000006 for this
property;
- a 2-octet field consisting of 12 bits identifying the 12 months
of the year, beginning with January and ending with December,
followed by 4 bits that are always set to '0'. For each month,
the value '1' indicates that the policy is valid for that month,
and the value '0' indicates that it is not valid.
If this property is omitted, then the policy rule is treated as
valid for all twelve months."
::= { ipSecRuleTimePeriodEntry 3 }
ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which days of the month the policy
is valid for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x0000000C for this property;
- an 8-octet field consisting of 31 bits identifying the days of
the month counting from the beginning, followed by 31 more bits
identifying the days of the month counting from the end, followed
by 2 bits that are always set to '0'. For each day, the value '1'
indicates that the policy is valid for that day, and the value '0'
indicates that it is not valid.
For months with fewer than 31 days, the bits corresponding to
days that the months do not have (counting in both directions) are
ignored."
::= { ipSecRuleTimePeriodEntry 4 }
ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"An octet string that specifies which days of the week the policy
is valid for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000005 for this
property;
- a 1-octet field consisting of 7 bits identifying the 7 days of
the week, beginning with Sunday and ending with Saturday, followed
by 1 bit that is always set to '0'. For each day of the week, the
value '1' indicates that the policy is valid for that day, and the
value '0' indicates that it is not valid."
::= { ipSecRuleTimePeriodEntry 5 }
ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies a range of times in a day the policy "An octet string that specifies a range of times in a day the
is valid for. It is formatted as follows: policy is valid for. It is formatted as follows:
A time string beginning with the character 'T', followed by the A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The first solidus character '/', followed by a second time string. The
time indicates the beginning of the range, while the second time first time indicates the beginning of the range, while the second
indicates the end. Times are expressed as substrings of the form time indicates the end. Times are expressed as substrings of the
Thhmmss. form Thhmmss.
The second substring always identifies a later time than the first The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from first substring. Thus, T080000/T210000 identifies the range from
0800 until 2100, while T210000/T080000 identifies the range from 0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day. 2100 until 0800 of the following day."
"
::= { ipSecRuleTimePeriodEntry 6 } ::= { ipSecRuleTimePeriodEntry 6 }
ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
localTime(1), localTime(1),
utcTime(2) utcTime(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This property indicates whether the times represented in this table "This property indicates whether the times represented in this
represent local times or UTC times. There is no provision for table represent local times or UTC times. There is no provision
mixing of local times and UTC times: the value of this property for mixing of local times and UTC times: the value of this
applies to all of the other time-related properties. " property applies to all of the other time-related properties."
::= { ipSecRuleTimePeriodEntry 7 } ::= { ipSecRuleTimePeriodEntry 7 }
-- --
-- --
-- The ipSecRuleTimePeriodSetTable -- The ipSecRuleTimePeriodSetTable
-- --
ipSecRuleTimePeriodSetTable OBJECT-TYPE ipSecRuleTimePeriodSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies mutiple time period sets. The ipSecRuleTimePeriodTable "Specifies multiple time period sets. The ipSecRuleTimePeriodTable
can specifie only a single time period within a day. This table can specify only a single time period within a day. This table
enables the specificaiton of multiple time periods within a day by enables the specification of multiple time periods within a day by
grouping them into one set. " grouping them into one set. "
INDEX { ipSecRuleTimePeriodSetPrid } ::= { ipSecPolicyTimePeriod 2 }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecPolicyTimePeriod 21 }
ipSecRuleTimePeriodSetEntry OBJECT-TYPE ipSecRuleTimePeriodSetEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodSetEntry SYNTAX IpSecRuleTimePeriodSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class."
PIB-INDEX { ipSecRuleTimePeriodSetPrid }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecRuleTimePeriodSetTable 1 } ::= { ipSecRuleTimePeriodSetTable 1 }
IpSecRuleTimePeriodSetEntry ::= SEQUENCE { IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
ipSecRuleTimePeriodSetPrid PolicyInstanceId, ipSecRuleTimePeriodSetPrid InstanceId,
ipSecRuleTimePeriodSetRuleTimePeriodSetId PolicyTagId, ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
ipSecRuleTimePeriodSetRuleTimePeriodId PolicyReferenceId ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
} }
ipSecRuleTimePeriodSetPrid OBJECT-TYPE ipSecRuleTimePeriodSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 } ::= { ipSecRuleTimePeriodSetEntry 1 }
ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX PolicyTagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an ipSecRuleTimePeriod set. " "An integer that uniquely identifies an ipSecRuleTimePeriod set. "
::= { ipSecRuleTimePeriodSetEntry 2 } ::= { ipSecRuleTimePeriodSetEntry 2 }
ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX PolicyReferenceId SYNTAX ReferenceId
PIB-REFERENCE ipSecRuleTimePeriod PIB-REFERENCES ipSecRuleTimePeriod
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an ipSecRuleTimePeriod, specified by the "An integer that identifies an ipSecRuleTimePeriod, specified by
ipSecRuleTimePeriodTable, that is included in this set." ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
included in this set."
::= { ipSecRuleTimePeriodSetEntry 3 } ::= { ipSecRuleTimePeriodSetEntry 3 }
-- --
-- --
-- Conformance Section -- Conformance Section
-- --
ipSecPolicyPibConformanceCompliances ipSecPolicyPibConformanceCompliances
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
IPSecPibCompilance MODULE-COMPLIANCE IPSecPibCompilance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Compliance statement" " Compliance statement"
MODULE MANDATORY-GROUPS { MODULE MANDATORY-GROUPS {
ipSecAddressGroup, ipSecAddressGroup,
ipSecL4PortGroup, ipSecL4PortGroup,
ipSecSelectorGroup, ipSecSelectorGroup,
ipSecRuleGroup, ipSecRuleGroup,
ipSecActionGroup, ipSecActionGroup,
ipSecAssociationGroup, ipSecAssociationGroup,
ipSecProposalSetGroup, ipSecProposalSetGroup,
ipSecProposalGroup, ipSecProposalGroup,
ipSecIkeAssociationGroup, ipSecIkeAssociationGroup,
ipSecIkeRuleGroup, ipSecIkeRuleGroup,
ipSecIkeProposalSetGroup, ipSecIkeProposalSetGroup,
ipSecIkeProposalGroup, ipSecIkeProposalGroup,
ipSecIkeEndpointGroup, ipSecIkeEndpointGroup,
ipSecPeerCredentialGroup,
ipSecCredentialFieldsGroup,
ipSecEspTransformSetGroup, ipSecEspTransformSetGroup,
ipSecEspTransformGroup, ipSecEspTransformGroup,
ipSecAhTransformSetGroup, ipSecAhTransformSetGroup,
ipSecAhTransformGroup, ipSecAhTransformGroup,
ipSecCompTransformSetGroup, ipSecCompTransformSetGroup,
ipSecCompTransformGroup, ipSecCompTransformGroup,
} }
GROUP ipSecRuleTimePeriodGroup GROUP ipSecRuleTimePeriodGroup
DESCRIPTION DESCRIPTION
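Review bot: the MODULE MANDATORY-GROUPS list still ends with a trailing comma after ipSecCompTransformGroup in both columns; a comma immediately before the closing brace is a syntax error in an SMI/SPPI module, so the last entry must be `ipSecCompTransformGroup` followed directly by `}`. The compliance descriptor IPSecPibCompilance is misspelled (Compliance) and -02 leaves it unchanged. Moving the index from the table to the entry as PIB-INDEX plus UNIQUENESS and renaming PIB-REFERENCE to PIB-REFERENCES match the SPPI clause names, but changing `::= { ipSecPolicyTimePeriod 21 }` to `{ ipSecPolicyTimePeriod 2 }` alters the table's OID, which breaks any PDP or PEP built against -01 unless the module is versioned. Separately, the ipSecRuleTimePeriodTimeOfDayMask DESCRIPTION does not say whether the end time of T080000/T210000 is inclusive, nor what a range with equal start and end (T080000/T080000) means; an enforcement point evaluating a rule at exactly 21:00:00 needs that spelled out.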
skipping to change at line 2782 skipping to change at line 3182
AddrMask, AddrMask,
AddrMin, AddrMin,
AddrMax, AddrMax,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecAddressTable." " Objects from the ipSecAddressTable."
::= { ipSecPolicyPibConformanceGroups 1 } ::= { ipSecPolicyPibConformanceGroups 1 }
ipSecL4PortGroup OBJECT-GROUP ipSecL4PortGroup OBJECT-GROUP
OBJECTS { OBJECTS {
PortMin, PortMin,
PortMax, PortMax,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecL4PortTable." " Objects from the ipSecL4PortTable."
::= { ipSecPolicyPibConformanceGroups 2 } ::= { ipSecPolicyPibConformanceGroups 2 }
ipSecSelectorGroup OBJECT-GROUP ipSecSelectorGroup OBJECT-GROUP
OBJECTS { OBJECTS {
SrcAddressGroupId, SrcAddressGroupId,
SrcPortGroupId, SrcPortGroupId,
DstAddressGroupId, DstAddressGroupId,
DstPortGroupId, DstPortGroupId,
Protocol, Protocol,
Granularity, Granularity,
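Review bot: the OBJECTS clauses in these OBJECT-GROUP definitions list attribute suffixes (AddrMask, PortMin, GroupId) rather than object descriptors; an OBJECTS clause must name the objects exactly as the module defines them, and this page defines the attributes with full prefixes (for example ipSecRuleTimePeriodSetRuleTimePeriodSetId, which ipSecRuleTimePeriodSetGroup later lists as just RuleTimePeriodSetId). GroupId also appears in several groups and is not unique on its own, so a PIB compiler would not accept the conformance section as written.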
skipping to change at line 2816 skipping to change at line 3216
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecSelectorTable." " Objects from the ipSecSelectorTable."
::= { ipSecPolicyPibConformanceGroups 3 } ::= { ipSecPolicyPibConformanceGroups 3 }
ipSecRuleGroup OBJECT-GROUP ipSecRuleGroup OBJECT-GROUP
OBJECTS { OBJECTS {
Roles, Roles,
Direction, Direction,
ipSecSelectorGroupId, IpSecSelectorGroupId,
IpSecActionGroupId, IpSecActionGroupId,
IpSecRuleTimePeriodGroupId IpSecRuleTimePeriodGroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecRuleTable." " Objects from the ipSecRuleTable."
::= { ipSecPolicyPibConformanceGroups 4 } ::= { ipSecPolicyPibConformanceGroups 4 }
ipSecActionGroup OBJECT-GROUP ipSecActionGroup OBJECT-GROUP
OBJECTS { OBJECTS {
Action, Action,
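Review bot: changing ipSecSelectorGroupId to IpSecSelectorGroupId makes it consistent with the neighbouring IpSecActionGroupId and IpSecRuleTimePeriodGroupId, but descriptors in an OBJECTS clause must begin with a lowercase letter, so the fix goes the wrong way; all three entries should use the lower-camel descriptors of the ipSecRuleTable objects.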
skipping to change at line 2839 skipping to change at line 3239
DoLogging, DoLogging,
IpSecSecurityAssociationId, IpSecSecurityAssociationId,
ActionGroupId, ActionGroupId,
Order, Order,
IkeRuleId IkeRuleId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecActionTable." " Objects from the ipSecActionTable."
::= { ipSecPolicyPibConformanceGroups 5 } ::= { ipSecPolicyPibConformanceGroups 5 }
ipSecAssociationGroup OBJECT-GROUP ipSecAssociationGroup OBJECT-GROUP
OBJECTS { OBJECTS {
RefreshThresholdSeconds, RefreshThresholdSeconds,
RefreshThresholdKilobytes, RefreshThresholdKilobytes,
MinLifetimeSeconds, MinLifetimeSeconds,
MinLifetimeKilobytes, MinLifetimeKilobytes,
TrafficIdleTime, TrafficIdleTime,
UsePfs, UsePfs,
VendorId,
UseIkeGroup, UseIkeGroup,
DhGroup, DhGroup,
ProposalSetId ProposalSetId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecSecurityAssociationTable." " Objects from the ipSecSecurityAssociationTable."
::= { ipSecPolicyPibConformanceGroups 6 } ::= { ipSecPolicyPibConformanceGroups 6 }
ipSecProposalSetGroup OBJECT-GROUP ipSecProposalSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
skipping to change at line 2873 skipping to change at line 3274
Order Order
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecProposalSetTable." " Objects from the ipSecProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 7 } ::= { ipSecPolicyPibConformanceGroups 7 }
ipSecProposalGroup OBJECT-GROUP ipSecProposalGroup OBJECT-GROUP
OBJECTS { OBJECTS {
LifetimeKilobytes, LifetimeKilobytes,
LifetimeSeconds, LifetimeSeconds,
VendorId,
EspTransformSetId, EspTransformSetId,
AhTransformSetId, AhTransformSetId,
CompTransformSetId CompTransformSetId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecProposalTable." " Objects from the ipSecProposalTable."
::= { ipSecPolicyPibConformanceGroups 8 } ::= { ipSecPolicyPibConformanceGroups 8 }
ipSecIkeAssociationGroup OBJECT-GROUP ipSecIkeAssociationGroup OBJECT-GROUP
OBJECTS { OBJECTS {
RefreshThresholdSeconds, RefreshThresholdSeconds,
RefreshThresholdKilobytes, RefreshThresholdKilobytes,
MinLiftetimeSeconds, MinLiftetimeSeconds,
MinLifetimeKilobytes, MinLifetimeKilobytes,
TrafficIdleTime, TrafficIdleTime,
ExchangeMode, ExchangeMode,
UseIkeIdentityType,
RefreshThresholdDerivedKeys, RefreshThresholdDerivedKeys,
IKEProposalSetId IKEProposalSetId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeAssociationTable." " Objects from the ipSecIkeAssociationTable."
::= { ipSecPolicyPibConformanceGroups 9 } ::= { ipSecPolicyPibConformanceGroups 9 }
ipSecIkeRuleGroup OBJECT-GROUP ipSecIkeRuleGroup OBJECT-GROUP
OBJECTS { OBJECTS {
Roles, Roles,
IkeAssiciationId, IkeAssiciationId,
IpSecRuleTimePeriodGroupId, IpSecRuleTimePeriodGroupId,
IkeEndpointGroupId IkeEndpointGroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeRuleTable." " Objects from the ipSecIkeRuleTable."
::= { ipSecPolicyPibConformanceGroups 10 } ::= { ipSecPolicyPibConformanceGroups 10 }
ipSecIkeProposalSetGroup OBJECT-GROUP ipSecIkeProposalSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ProposalSetId, ProposalSetId,
ProposalId, ProposalId,
Order Order
} }
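Review bot: MinLiftetimeSeconds in ipSecIkeAssociationGroup and IkeAssiciationId in ipSecIkeRuleGroup are misspelled in both columns and will not resolve to any defined object; correct them to MinLifetimeSeconds and IkeAssociationId. UseIkeIdentityType appears in only one column of ipSecIkeAssociationGroup, so whether it is being added or removed here should be reconciled with the ipSecIkeEndpointGroup change below, where -01's UseIkeIdentityType becomes IdentityType.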
skipping to change at line 2930 skipping to change at line 3333
::= { ipSecPolicyPibConformanceGroups 11 } ::= { ipSecPolicyPibConformanceGroups 11 }
ipSecIkeProposalGroup OBJECT-GROUP ipSecIkeProposalGroup OBJECT-GROUP
OBJECTS { OBJECTS {
MaxLifetimeSeconds, MaxLifetimeSeconds,
MaxLifetimeKilobytes, MaxLifetimeKilobytes,
CipherAlgorithm, CipherAlgorithm,
HashAlgorithm, HashAlgorithm,
AuthenticationMethod, AuthenticationMethod,
LifetimeDerivedKeys, LifetimeDerivedKeys,
PrfAlgorithm, PrfAlgorithm,
VendorId,
IkeDhGroup IkeDhGroup
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeProposalTable." " Objects from the ipSecIkeProposalTable."
::= { ipSecPolicyPibConformanceGroups 12 } ::= { ipSecPolicyPibConformanceGroups 12 }
ipSecIkeEndpointGroup OBJECT-GROUP ipSecIkeEndpointGroup OBJECT-GROUP
OBJECTS { OBJECTS {
UseIkeIdentityType, IdentityType,
IkeIdentityId, Identity,
EndpointId, AddressType,
Address,
PeerCredentialId,
StartupCondition, StartupCondition,
IsOriginator, IsOriginator,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeEndpointTable." " Objects from the ipSecIkeEndpointTable."
::= { ipSecPolicyPibConformanceGroups 13 } ::= { ipSecPolicyPibConformanceGroups 13 }
ipSecPeerCredentialGroup OBJECT-GROUP
OBJECTS {
CredentialType,
FieldsGroupId,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecPeerCredentialTable."
::= { ipSecPolicyPibConformanceGroups 14 }
ipSecCredentialFieldsGroup OBJECT-GROUP
OBJECTS {
Name,
Value,
GroupId
}
STATUS current
DESCRIPTION
" Objects from the ipSecCredentialFieldsTable."
::= { ipSecPolicyPibConformanceGroups 15 }
ipSecEspTransformSetGroup OBJECT-GROUP ipSecEspTransformSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformSetId, TransformSetId,
TransformId, TransformId,
Order Order
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecEspTransformSetTable." " Objects from the ipSecEspTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 14 } ::= { ipSecPolicyPibConformanceGroups 16 }
ipSecEspTransformGroup OBJECT-GROUP ipSecEspTransformGroup OBJECT-GROUP
OBJECTS { OBJECTS {
IntegrityTransformId, IntegrityTransformId,
CipherTransformId, CipherTransformId,
CipherKeyRounds, CipherKeyRounds,
CipherKeyLength CipherKeyLength
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecEspTransformTable." " Objects from the ipSecEspTransformTable."
::= { ipSecPolicyPibConformanceGroups 15 } ::= { ipSecPolicyPibConformanceGroups 17 }
ipSecAhTransformSetGroup OBJECT-GROUP ipSecAhTransformSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformSetId, TransformSetId,
TransformId, TransformId,
Order Order
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecAhTransformSetTable." " Objects from the ipSecAhTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 16 } ::= { ipSecPolicyPibConformanceGroups 18 }
ipSecAhTransformGroup OBJECT-GROUP ipSecAhTransformGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformId TransformId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecAhTransformTable." " Objects from the ipSecAhTransformTable."
::= { ipSecPolicyPibConformanceGroups 17 } ::= { ipSecPolicyPibConformanceGroups 19 }
ipSecCompTransformSetGroup OBJECT-GROUP ipSecCompTransformSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformSetId, TransformSetId,
TransformId, TransformId,
Order Order
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecCompTransformSetTable." " Objects from the ipSecCompTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 18 } ::= { ipSecPolicyPibConformanceGroups 20 }
ipSecCompTransformGroup OBJECT-GROUP ipSecCompTransformGroup OBJECT-GROUP
OBJECTS { OBJECTS {
Algorithm, Algorithm,
DictionarySize, DictionarySize,
PrivateAlgorithm PrivateAlgorithm
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecCompTransformTable." " Objects from the ipSecCompTransformTable."
::= { ipSecPolicyPibConformanceGroups 19 } ::= { ipSecPolicyPibConformanceGroups 21 }
ipSecRuleTimePeriodGroup OBJECT-GROUP ipSecRuleTimePeriodGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TimePeriod, TimePeriod,
MonthOfYearMask, MonthOfYearMask,
DayOfMonthMask, DayOfMonthMask,
DayOfWeekMask, DayOfWeekMask,
TimeOfDayMask, TimeOfDayMask,
LocalOrUtcTime LocalOrUtcTime
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" The ipSecRuleTimePeriodGroup is mandatory if policy scheduling " The ipSecRuleTimePeriodGroup is mandatory if policy
is supported." scheduling is supported."
::= { ipSecPolicyPibConformanceGroups 20 } ::= { ipSecPolicyPibConformanceGroups 22 }
ipSecRuleTimePeriodSetGroup OBJECT-GROUP ipSecRuleTimePeriodSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
RuleTimePeriodSetId, RuleTimePeriodSetId,
RuleTimePeriodId RuleTimePeriodId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" The ipSecRuleTimePeriodSetGroup is mandatory if policy " The ipSecRuleTimePeriodSetGroup is mandatory if policy
scheduling is supported." scheduling is supported."
::= { ipSecPolicyPibConformanceGroups 21 } ::= { ipSecPolicyPibConformanceGroups 23 }
END END
8. Security Considerations
7. Security Considerations
Since COPS is used to carry the PIB defined in this document, the Since COPS is used to carry the PIB defined in this document, the
security and protection of the information can be provided by either security and protection of the information can be provided by
COPS or a combination of COPS and other security protocols, either COPS or a combination of COPS and other security protocols,
e.g.,IPsec or TLS. e.g.,IPsec or TLS.
9. References 8. References
1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996. 9, RFC 2026, October 1996.
2 Bradner, S., "Key words for use in RFCs to Indicate Requirement 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997 Levels", BCP 14, RFC 2119, March 1997
[AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402, [AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998. November 1998.
[ARCH] S. Kent, R. Atkinson, "Security Architecture for the Internet [ARCH] S. Kent, R. Atkinson, ˘Security Architecture for the
Protocol", RFC 2401, November 1998. Internet Protocol÷, RFC 2401, November 1998.
[ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and [ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
Scheduling Core Object Specification (iCalendar)", RFC 2445, Scheduling Core Object Specification (iCalendar)", RFC 2445,
November 1998. November 1998.
[COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. [COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol" RFC 2748, Sastry, "The COPS (Common Open Policy Service) Protocol" RFC 2748,
January 2000. January 2000.
[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. [COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning," draft-ietf-rap-cops-pr-02.txt, March 2000. Policy Provisioning," draft-ietf-rap-cops-pr-02.txt, March 2000.
[DOI] D. Piper, "The Internet IP Security Domain of Interpretation [DOI] D. Piper, "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998. for ISAKMP", RFC 2407, November 1998.
[ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload [ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998. (ESP)", RFC 2406, November 1998.
[FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A. [FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
Smith, F. Reichmeyer "Framework Policy Information Base", Internet Smith, F. Reichmeyer "Framework Policy Information Base", Internet
Draft , March 2000. Draft , March 2000.
[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC [IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)",
2409, November 1998. RFC 2409, November 1998.
[IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload [IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP
Compression Protocol (IPComp)", RFC 2393, August 1998. Payload Compression Protocol (IPComp)", RFC 2393, August 1998.
[IPSEC-IM] J. Jason,"IPSec Configuration Policy Model,"draft-ietf-
ipsp-config-policy-model-00.txt, march 2000.
[ISAKMP] D.Maughan, M. Schertler, M.schneider, J. Turner, "Internet [IPSEC-IM] J. Jason,˘IPSec Configuration Policy Model,÷ draft-
Security Association and Key Management Protocol (ISAKMP)", RFC ietf-ipsp-config-policy-model-00.txt, march 2000.
2408, November 1998.
[PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information [ISAKMP] D.Maughan, M. Schertler, M.schneider, J. Turner,
Model -- Version 1 Specification", draft-ietf-policy-core-info- ˘Internet Security Association and Key Management Protocol
model-06.txt, May, 2000. (ISAKMP)÷, RFC 2408, November 1998.
[PCIM] B. Moore, E. Ellesson, J. Strassner, ˘Policy Core
Information Model -- Version 1 Specification÷, draft-ietf-policy-
core-info-model-06.txt, May, 2000.
[SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A. [SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
Smith, F. Reichmeyer, "Structure of Policy Provisioning Smith, F. Reichmeyer, "Structure of Policy Provisioning
Information," draft-ietf-rap-sppi-01.txt, July 2000. Information," draft-ietf-rap-sppi-01.txt, July 2000.
7. Author's Addresses 9. Author's Addresses
Man Li Man Li
Nokia Nokia
5 Wayside Road, 5 Wayside Road,
Burlington, MA 01803 Burlington, MA 01803
Phone: +1 781 993 3923 Phone: +1 781 993 3923
Email: man.m.li@nokia.com Email: man.m.li@nokia.com
David Arneson David Arneson
Email: dla@mediaone.net Email: dla@mediaone.net
Avri Doria Avri Doria
Nortel Networks Nortel Networks
600 Technology Park Drive 600 Technology Park Drive
Billerica, MA 01821 Billerica, MA 01821
Phone: +1 401 663 5024 Phone: +1 401 663 5024
Email: avri@nortelnetworks.com Email: avri@nortelnetworks.com
Jamie Jason Jamie Jason
Intel Corporation Intel Corporation
MS JF3-206 MS JF3-206
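Review bot: the -02 column replaces ASCII double quotes with the mis-encoded characters ˘ and ÷ in the [ARCH], [IPSEC-IM], [ISAKMP] and [PCIM] references; Internet-Draft text must remain plain ASCII, so the quote characters need to be restored before submission. Adding ipSecPeerCredentialGroup (14) and ipSecCredentialFieldsGroup (15) and renumbering the following groups to 16 through 23 is consistent with the two groups added to MANDATORY-GROUPS, but the Security Considerations section (now 7) still only defers to COPS; since the PIB now provisions peer credentials as Name/Value fields, it should state what confidentiality and integrity protection that data needs between PDP and PEP instead of leaving it to "COPS or a combination of COPS and other security protocols". The [COPS-PR], [FR-PIB], [SPPI] and [PCIM] citations also still point at 2000 draft revisions and should be refreshed.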
skipping to change at line 3146 skipping to change at line 3572
Phone: +1 503 264 9531 Phone: +1 503 264 9531
E-Mail: jamie.jason@intel.com E-Mail: jamie.jason@intel.com
Cliff Wang Cliff Wang
SmartPipes Inc. SmartPipes Inc.
Suite 300, 565 Metro Place South Suite 300, 565 Metro Place South
Dublin, OH 43017 Dublin, OH 43017
Phone: +1 614 923 6241 Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com E-Mail: CWang@smartpipes.com
Full Copyright Statement Full Copyright Statement
"Copyright (C) The Internet Society (date). All Rights Reserved. "Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished
others, and derivative works that comment on or otherwise explain it to others, and derivative works that comment on or otherwise
or assist in its implmentation may be prepared, copied, published explain it or assist in its implmentation may be prepared, copied,
and distributed, in whole or in part, without restriction of any published and distributed, in whole or in part, without
kind, provided that the above copyright notice and this paragraph restriction of any kind, provided that the above copyright notice
are included on all such copies and derivative works. However, this and this paragraph are included on all such copies and derivative
document itself may not be modified in any way, such as by removing works. However, this document itself may not be modified in any
the copyright notice or references to the Internet Society or other way, such as by removing the copyright notice or references to the
Internet organizations, except as needed for the purpose of Internet Society or other Internet organizations, except as needed
developing Internet standards in which case the procedures for for the purpose of developing Internet standards in which case the
copyrights defined in the Internet Standards process must be procedures for copyrights defined in the Internet Standards
followed, or as required to translate it into. process must be followed, or as required to translate it into.
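Review bot: the Full Copyright Statement is truncated mid-sentence at "or as required to translate it into." in both columns, and "implmentation" is misspelled; the paragraph should be completed from the standard Internet-Draft copyright boilerplate rather than left cut off.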
End of changes.
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/