ipsp working group                                             Man Li
Internet Draft                                                  Nokia
Expires September 2001                                  David Arneson
                                                        No Affiliation
                                                            Avri Doria
                                                       Nortel Networks
                                                           Jamie Jason
                                                                 Intel
                                                            Cliff Wang
                                                             SmartPipe

                                                            March 2001

                    IPSec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-02.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of
   six months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet- Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1. Abstract

   This document specifies a set of policy rule classes (PRC) for
   configuring IPSec policy at IPsec-enabled devices. Instances of
   these classes reside in a virtual information store called the IPSec
   Policy Information Base (PIB). The COPS protocol [COPS] with the
   extensions for provisioning [COPS-PR] is used to transmit this
   IPSec policy information to IPSec-enabled devices (e.g.,
   gateways). The PRCs defined in this IPSec PIB are intended for use
   by the COPS-PR IPSec client type. They complement the PRCs defined
   in the Framework PIB [FR-PIB].

2. Conventions used in this document

   Li, et al          Expires September, 2001                      1
                    IPsec Policy Information Base         March, 2001

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC-2119 [2].

3. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for IKE phase one and phase two negotiations. They are
   based on [IPSEC-IM] [IKE] [ESP] [AH] [DOI] [IPCOMP] [SPPI]. The
   rule and role approach proposed in [PCIM], which scales to large
   networks, is adopted for distributing IPsec policy over COPS
   protocol.

   There is an ongoing effort to define an IPSec configuration policy
   model [IPSEC-IM]. The PIB defined in this document is not yet
   completely aligned with that information model. As that work goes
   on, the two should be aligned in the near future.

   The PIB contained in this draft is written using SPPI as specified
   in draft-ietf-rap-sppi-01.txt [SPPI]. It will be updated as SPPI
   updates.

4. Operation Overview

   Following the policy framework convention [PCIM], the management
   entity that downloads policy to IPSec-enabled devices will be
   called a Policy Decision Point (PDP) and the target IPSec-enabled
   devices will be called Policy Execution Points (PEP).

   On boot up, a PEP reports to a PDP, among other things, its role
   combination. The PDP then determines the IPSec PIB that needs to be
   downloaded to the PEP according to the role description. Later on,
   if the role of the PEP changes, the PEP MUST notify the PDP of its
   new role and the PDP will send a new PIB to the PEP. In addition, if
   the policy associated with a particular role changes, the PDP MUST
   download a new PIB to all the PEPs that have registered with that
   role.

   The IPsec policy that is pushed down to an individual PEP consists
   of two parts: IKE rules for IKE phase one negotiation and IPsec
   rules for IKE phase two negotiation. These two sets of rules may be
   pushed down either together or independently. Hence a role is
   associated with each set of rules. Figure 1 shows the relations
   between the tables with an example.

       +----------------------+          +------------------------+
       | ipSecSelectorEntries |          | ipSecRuleTableEntries  |
       |     Group = 10       |< ------------SelectorGroupId = 10 |
       +----------------------+          |   ActionGroupId = 20   |
                                         |   Role = Finance_X     |
                                         +------------------------+
                                                     |
                                                     |
                                                     v
       +---------------------------+     +------------------------+
       | ipSecIkeRuleEntries       |     |   ipSecActionEntries   |
       |   Prid = 30               |     |       GroupId = 20     |
       |   IkeEndpointGroupId = 40 |     |       Action = Tunnel  |
       |                           | < --------- IkeRuleId = 30   |
       |                           |     |                        |
       +---------------------------+     +------------------------+
                     |              \                          |
                     |               \                         |
                     v                \                        v
       +---------------------------+   \             ipSecAssociation
       | ipSecIkeEndpointEntries   |    \             and subsequent
       |                           |     \                 tables
       |     GroupId = 40          |      \
       +---------------------------+       \
                                           v
                                  ipSecIkeAssociations
                                  and subsequent tables

   When a PEP reports its roles to a PDP,

   - if the corresponding policy consists of IPsec rules only (i.e.,
   key management is not through IKE), the role combination MUST
   match only those in the ipSecRuleTable. In the ipSecActionTable
   referenced by the ipSecRuleTable, the value of the
   ipSecActionIkeRuleId attribute MUST be zero, indicating that no
   IKE associations are used. As a result, the ipSecRuleTable and all
   subsequently referenced tables are pushed down to the PEP.

   - if the corresponding policy consists of IKE rules only, the role
   combination MUST match only those in the ipSecIkeRuleTable. The
   ipSecIkeEndpointTable indicates the peer endpoints with which to
   establish IKE associations. Hence, the ipSecIkeRuleTable and all
   subsequently referenced tables are pushed down to the PEP.

   - if the corresponding policy consists of both IPsec rules and IKE
   rules (i.e., an IKE association is established first and is then
   used for the IPsec association negotiation), the role combination
   MUST match those in the ipSecRuleTable. Furthermore, in the
   ipSecActionTable referenced by the ipSecRuleTable, the
   ipSecActionIkeRuleId attributes MUST point to ipSecIkeRuleTable
   entries with the same roles. In addition, if IPsec tunnel mode is
   required in an action, the tunnel peer endpoint address MUST match
   an ipSecIkeEndpointId in the ipSecIkeEndpointTable. If, on the other
   hand, IPsec transport mode is required, the peer endpoint address of
   the IPsec association MUST match an ipSecIkeEndpointId in the
   ipSecIkeEndpointTable. The ipSecRuleTable and the ipSecIkeRuleTable
   it references, as well as all subsequently referenced tables, are
   pushed down to the PEP.

4.1 Selector construction


   The ipSecAddressTable specifies individual IP addresses or ranges
   of IP addresses, and the ipSecL4PortTable specifies individual
   layer 4 ports or ranges of ports. The ipSecSelectorTable has
   references to these two tables. Each row in the selector table
   represents multiple selectors. These selectors are constructed as
   follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.
   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.
   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.
   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.
   5. Construct all the possible combinations of the above four
   fields together with the ipSecSelectorProtocol attribute to form a
   list of five-tuple selectors.

   Selectors constructed from the same row inherit all the other
   attributes of the row (e.g., ipSecSelectorGranularity).

   The following is an example for building the selectors (only
   relevant fields are shown). Suppose that the ipSecAddressTable is
   populated with the following rows:

   AddrMin       AddrGroupId
   1.2.3.4           1
   1.2.3.18          1
   5.6.7.1           2
   5.6.7.8           2

   For every row in this example, the AddrMax is a zero length octet
   indicating that each row specifies a single IP address.

   The ipSecL4PortTable is populated with the following rows:

   PortMin    PortMax    PortGroupId
    112       150            1
     99        99            2

   The PortMax equals the PortMin in the second row, indicating that
   only a single port is specified.

   The ipSecSelectorTable is populated with:

   SrcAddrGpId  dstAddrGpId  srcPortGpId  dstPortGpId  protocol order
     1            2            1            1           udp      1
     1            2            2            2           tcp      2

   The following selectors are constructed:

   SrcAddr    dstAddr    protocol    srcPort    dstPort
   1.2.3.4    5.6.7.1      UDP      112-150    112-150
   1.2.3.4    5.6.7.8      UDP      112-150    112-150
   1.2.3.18   5.6.7.1      UDP      112-150    112-150
   1.2.3.18   5.6.7.8      UDP      112-150    112-150
   1.2.3.4    5.6.7.1      TCP      99         99
   1.2.3.4    5.6.7.8      TCP      99         99
   1.2.3.18   5.6.7.1      TCP      99         99
   1.2.3.18   5.6.7.8      TCP      99         99

   The first four selectors are constructed from the first row of the
   selector table, whose order equals 1. They can be ordered in any
   way among themselves. However, all of them must be evaluated before
   the selectors constructed from the second row, because the order of
   the second row equals 2.

   The use of references in the ipSecSelectorTable instead of
   spelling out all the IP addresses and port numbers reduces the
   number of bytes being pushed down to PEP. Grouping of IP addresses
   and layer four ports serves the same purpose.
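   The five-step construction above, carried out on the example tables
   of this section, as an added illustration (this is not code from the
   draft). The table rows are the draft's own example; the tuple layout,
   the function names and the decision to reject a selector row that
   references an empty group are assumptions of the example:

```python
"""Selector construction from the ipSecAddressTable, ipSecL4PortTable and
ipSecSelectorTable as described in section 4.1 (added example, not the
draft's code; row layout and names are assumptions)."""
from itertools import product

# Constructed rows of the ipSecAddressTable: (AddrMin, AddrMax, AddrGroupId).
# An empty AddrMax is the zero-length OCTET STRING meaning "single address".
ADDRESS_TABLE = [
    ("1.2.3.4", "", 1),
    ("1.2.3.18", "", 1),
    ("5.6.7.1", "", 2),
    ("5.6.7.8", "", 2),
]

# Constructed rows of the ipSecL4PortTable: (PortMin, PortMax, PortGroupId).
PORT_TABLE = [
    (112, 150, 1),
    (99, 99, 2),
]

# Constructed rows of the ipSecSelectorTable:
# (SrcAddrGpId, DstAddrGpId, SrcPortGpId, DstPortGpId, Protocol, Order)
SELECTOR_TABLE = [
    (1, 2, 1, 1, "udp", 1),
    (1, 2, 2, 2, "tcp", 2),
]


def addresses_in_group(group_id):
    """Steps 1 and 2: every address (or range) whose AddrGroupId matches,
    returned as an inclusive (low, high) pair."""
    return [(lo, hi or lo) for lo, hi, gid in ADDRESS_TABLE if gid == group_id]


def ports_in_group(group_id):
    """Steps 3 and 4: every port (or port range) whose PortGroupId matches."""
    return [(lo, hi) for lo, hi, gid in PORT_TABLE if gid == group_id]


def build_selectors(selector_table=SELECTOR_TABLE):
    """Step 5: cartesian product of the four substituted fields plus the
    protocol.  Rows are processed in ascending Order; the selectors of one
    row keep no particular order among themselves (the draft allows any),
    but all of them precede the selectors of the next row."""
    out = []
    for row in sorted(selector_table, key=lambda r: r[5]):
        src_gp, dst_gp, sport_gp, dport_gp, proto, order = row
        src = addresses_in_group(src_gp)
        dst = addresses_in_group(dst_gp)
        sports = ports_in_group(sport_gp)
        dports = ports_in_group(dport_gp)
        if not (src and dst and sports and dports):
            # A dangling group reference produces no selector at all; treating
            # it as an error is safer than silently matching nothing or all.
            raise ValueError("selector row with order %d references an empty group" % order)
        for s, d, sp, dp in product(src, dst, sports, dports):
            out.append({"src": s, "dst": d, "proto": proto.upper(),
                        "sport": sp, "dport": dp, "order": order})
    return out


if __name__ == "__main__":
    for sel in build_selectors():
        print(sel)
```

   Running the block prints the eight selectors of the table above in the
   same order: the four UDP selectors of the row with order 1 first, then
   the four TCP selectors of the row with order 2.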

4.2 Start up condition

   The establishment of IKE or IPsec associations may be triggered in
   several ways as indicated by ipSecSelectorStartupCondition and
   ipSecIkeEndpointStartupCondition in the ipSecSelectorTable and
   ipSecIkeEndpointTable respectively. The triggers may be:

   OnBoot: IPsec or IKE association is established after system boot.
   To avoid both endpoints trying to set up the same association,
   only the endpoint whose ipSecSelectorIsOriginator
   (ipSecIkeEndpointIsOriginator) is true can initiate the IPsec
   (IKE) association establishment.

   OnTraffic: IPsec association is established only when packets need
   to be sent and there are no appropriate security associations to
   protect the packets. If there is no IKE association to protect the
   IPsec association negotiation, an IKE association should be set up
   first.

   OnPolicy: IPsec or IKE association is established according to
   the ipSecRuleTimePeriodSetTable referenced by the corresponding
   rule. At the time the policy becomes active, only the endpoint whose
   ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true
   can initiate the IPsec (IKE) association establishment.

   These triggers are not mutually exclusive.

4.3 Multiple security associations, proposals and transforms


   Multiple IPsec security associations may be established to protect
   the same traffic between two end points. For example, to protect
   TCP traffic between hosts A and B, an IPsec security association
   in transport mode may be established between hosts A and B. In
   addition, an IPsec security association in tunnel mode may be set
   up between host A and gateway C that protects the LAN on which host
   B resides. From A's point of view, it needs to take two actions to
   protect the TCP traffic: protect with the transport security
   association first and then with the tunnel security association. In
   other words, the policy downloaded to A needs to contain a group
   of two actions to be applied to packets in order.

   The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to
   handle multiple security association establishments or actions. It
   contains references to the actions specified in the
   ipSecActionTable. All the actions in the ipSecActionTable whose
   ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId MUST be
   applied. The ipSecActionOrder indicates the order in which these
   actions are taken in setting up the security associations.

   During a security association negotiation, the initiator can
   present multiple proposals in preference order. For an IPsec
   security association, every proposal can contain different
   protocols, e.g., AH and ESP (a single proposal here is equivalent
   to multiple proposal payloads with the same proposal number as
   specified in [ISAKMP]). Different protocols are ANDed. Each
   protocol, in turn, may contain multiple transforms in preference
   order. The responder MUST select a single proposal and a single
   transform for each protocol.

   Multiple proposals are handled by the ipSecProposalSetTable and
   ipSecIkeProposalSetTable. The ipSecProposalSetOrder and
   ipSecIkeProposalSetOrder in these tables indicate preference.

   Multiple transforms within a protocol are handled by
   ipSecAhTransformSetTable, ipSecEspTransformSetTable and
   ipSecCompTransformSetTable. The IpSecAhTransformSetOrder,
   ipSecEspTransformSetOrder and ipSecCompTransformSetOrder in these
   tables indicate preferences.
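   The selection rule of this section (proposals ORed in preference
   order, protocols within a proposal ANDed, transforms within a
   protocol ORed in preference order) carried out by a responder, as an
   added example that is not code from the draft. The dictionary layout
   of a proposal set, the transform names, the responder's own policy
   and the rule that the responder walks the initiator's preference
   order filtered by its own policy are all assumptions of the example:

```python
"""Responder-side proposal and transform selection as sketched in
section 4.3 (added example, not the draft's code; layout, names and the
selection rule are assumptions)."""

# A proposal set is a list of proposals in preference order (the role of
# ipSecProposalSetOrder).  Each proposal maps a protocol to its transform
# list in preference order (the role of ipSec{Esp,Ah,Comp}TransformSetOrder).
INITIATOR_PROPOSALS = [
    {"ESP": ["aes-cbc/hmac-sha1", "3des/hmac-sha1"], "AH": ["hmac-sha1"]},
    {"ESP": ["3des/hmac-md5"], "IPCOMP": ["deflate"]},
    {"ESP": ["des/hmac-md5"]},          # weakest, offered last
]

# The responder's own policy in the same layout (constructed for the example).
RESPONDER_POLICY = [
    {"ESP": ["aes-cbc/hmac-sha1"], "AH": ["hmac-sha1"]},
    {"ESP": ["3des/hmac-sha1", "3des/hmac-md5"], "IPCOMP": ["deflate"]},
]


def select(initiator_proposals, policy):
    """Return (index of the accepted initiator proposal, {protocol: transform})
    or None when nothing offered is acceptable.

    Proposals are tried in the initiator's order.  Because the protocols of a
    proposal are ANDed, a proposal is only matched against a local proposal
    that carries exactly the same protocol set; a proposal the responder
    could honour only partially (e.g. ESP without the offered AH) is
    rejected rather than trimmed, which is what prevents a downgrade to the
    weaker subset.  Within a protocol the first offered transform that the
    matching local proposal allows is taken."""
    for idx, proposal in enumerate(initiator_proposals):
        for local in policy:
            if set(local) != set(proposal):
                continue
            chosen = {}
            for protocol, transforms in proposal.items():
                pick = next((t for t in transforms if t in local[protocol]), None)
                if pick is None:
                    break                    # this local proposal cannot serve
                chosen[protocol] = pick
            else:
                return idx, chosen           # every protocol satisfied
    return None


if __name__ == "__main__":
    print(select(INITIATOR_PROPOSALS, RESPONDER_POLICY))
```

   With the constructed tables the first initiator proposal is accepted
   with AES-CBC/HMAC-SHA1 for ESP and HMAC-SHA1 for AH; the DES-only
   proposal is never chosen because no local proposal lists it, and an
   offer of ESP+AH where only the ESP transform is locally acceptable is
   refused as a whole instead of being answered with ESP alone.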

4.4 Credentials for IKE phase one negotiation

   Credentials such as certificates may be exchanged during IKE phase
   one negotiation for authentication purposes. An endpoint can
   possess multiple credentials. How each endpoint obtains its
   credentials (e.g., through a PKI) is out of the scope of IPsec
   policy distribution. IPsec policy does specify, however, the
   acceptable peer credentials and the credential sub-fields and
   their values that MUST match.

   The ipSecPeerCredentialTable specifies a group of credentials that
   are considered acceptable for a given peer endpoint. Any one of the
   credentials in a group is acceptable as the IKE peer endpoint
   credential. The ipSecCredentialFieldsTable further specifies, for
   each credential, the sub-fields and values that MUST be matched.
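   The acceptance test described above (any one credential of the
   group is acceptable, and every sub-field criterion of that credential
   must match), as an added example that is not code from the draft.
   The column layout of the two tables, the attribute names, the
   certificate-subject field names and all rows are constructed
   assumptions; this only decides whether a presented credential is
   allowed by policy, it does not replace certificate path validation:

```python
"""Peer credential acceptance as described in section 4.4 (added example,
not the draft's code; table layout, names and rows are assumptions)."""

# Constructed rows standing in for ipSecPeerCredentialTable:
# (CredentialGroupId, CredentialType, FieldsGroupId)
PEER_CREDENTIALS = [
    (10, "x509-cert", 100),
    (10, "x509-cert", 101),
]

# Constructed rows standing in for ipSecCredentialFieldsTable:
# (FieldsGroupId, FieldName, RequiredValue)
CREDENTIAL_FIELDS = [
    (100, "issuer", "CN=Finance CA,O=Example"),
    (100, "subject.OU", "Finance"),
    (101, "issuer", "CN=Finance CA,O=Example"),
    (101, "subject.CN", "vpn-gw-2.example.net"),
]


def fields_match(fields_group_id, presented):
    """AND: every criterion in the group must be present in the presented
    credential and equal the required value.  A field that the peer's
    credential lacks is a mismatch, never a wildcard, and an empty
    criteria group is refused so that a dangling reference cannot
    accept any credential."""
    criteria = [(n, v) for gid, n, v in CREDENTIAL_FIELDS if gid == fields_group_id]
    if not criteria:
        return False
    return all(presented.get(name) == value for name, value in criteria)


def credential_acceptable(credential_group_id, presented):
    """OR: the presented credential is accepted if it satisfies at least
    one credential of the group (same type and all of its fields)."""
    for gid, ctype, fields_gid in PEER_CREDENTIALS:
        if gid != credential_group_id or ctype != presented.get("type"):
            continue
        if fields_match(fields_gid, presented):
            return True
    return False


if __name__ == "__main__":
    # Constructed peer credential as the IKE daemon might present it.
    peer = {"type": "x509-cert", "issuer": "CN=Finance CA,O=Example",
            "subject.OU": "Finance", "subject.CN": "vpn-gw-9.example.net"}
    print(credential_acceptable(10, peer))
```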

5. Summary of the IPSec PIB

   The IPSec PIB consists of seven groups. Each group and the tables
   it contains are summarized in the following:

   5.1 ipSecSelector Group
   This group specifies the selectors for IPSec associations.

   5.1.1 ipSecAddressTable
   Specifies IP addresses of endpoints.

   5.1.2 ipSecL4PortTable
   Specifies layer four port numbers.

   5.1.3 ipSecSelectorTable
   Specifies IPsec selectors. It has references to ipSecAddressTable
   and ipSecL4PortTable for selector constructions.

   5.2 ipSecAssociation Group
   This group specifies attributes related to IPSec Security
   Associations.

   5.2.1 ipSecRuleTable
   Specifies IPsec rules. It has references to ipSecSelectorTable and
   ipSecActionTable to indicate that IP packets that match the
   selector SHALL be applied with the IPsec action(s).

   This table also references to ipSecRuleTimePeriodSetTable to
   specify the time periods during which a rule is valid.

   5.2.2 ipSecActionTable
   Specifies group of IPsec actions. All actions that have the same
   ipSecActionActionGroupId belong to the same group. Actions in the
   same group MUST be applied in the order specified by
   ipSecActionOrder.

   This table also references ipSecIkeRuleTable to specify rules
   associated with IKE phase one negotiation.

   5.2.3 ipSecAssociationTable
   Specifies attributes associated with IPsec associations. It
   references ipSecProposalSetTable to specify associated proposals.

   5.2.4 ipSecProposalSetTable
   Specifies IPsec proposal sets. Proposals within a set are ORed
   with preference order.

   5.2.5 ipSecProposalTable


   Specifies an IPsec proposal. It has references to ESP, AH and
   IPComp Transform sets. Within a proposal, different types of
   transforms are ANDed. Within one type of transforms, the choices
   are ORed with preference order.

   5.3 ipSecIkeAssociation Group
   This group specifies attributes related to IKE Security
   Associations

   5.3.1 ipSecIkeRuleTable
   Specifies IKE rules. It contains a reference to
   ipSecIkeAssociationTable to specify IKE associated actions. In
   addition, it has a reference to ipSecIkeEndpointTable to specify
   the endpoints this PEP can set up IKE associations.

   This table also references to ipSecRuleTimePeriodSetTable to
   specify the time periods during which a rule is valid.

   5.3.2 ipSecIkeAssociationTable
   Specifies attributes related to IKE associations. It references
   ipSecIkeProposalSetTable to specify associated proposals.

   5.3.3 ipSecIkeProposalSetTable
   Specifies IKE proposal sets. Proposals within a set are ORed with
   preference order.

   5.3.4 ipSecIkeProposalTable
   Specifies attributes associated with IKE proposals.

   5.3.5 ipSecIkeEndpointTable
   Specifies the peer endpoints with which this PEP establishes IKE
   associations according to ipSecIkeEndpointStartupCondition.

   This table also contains a reference to ipSecPeerCredentialTable
   to specify acceptable peer credentials.

   5.3.6 ipSecPeerCredentialTable
   Specifies groups of IKE peer credentials. Credentials in a group
   are ORed. In other words, any one of the credentials in a group is
   acceptable as the IKE peer endpoint credential.

   This table also contains a reference to ipSecCredentialFieldsTable
   to further specify sub-field values in a credential that MUST be
   matched.

   5.3.7 ipSecCredentialFieldsTable
   Specifies the sub-fields and their values to be matched against
   peer credentials obtained during IKE phase one negotiation. All
   criteria within a group are ANDed.

   5.4 ipSecEspTransform Group
   This group specifies attributes related to ESP Transform.

   5.4.1 ipSecEspTransformSetTable
   Specifies ESP transform sets. Within a transform set, the choices
   are ORed with preference order.

   5.4.2 ipSecEspTransformTable
   Specifies ESP transforms.

   5.5 ipSecAhTransform Group
   This group specifies attributes related to AH Transform.

   5.5.1 ipSecAhTransformSetTable
   Specifies AH transform sets. Within a transform set, the choices
   are ORed with preference order.

   5.5.2 ipSecAhTransformTable
   Specifies AH transforms.

   5.6 ipSecCompTransform Group
   This group specifies attributes related to IPComp Transform.

   5.6.1 ipSecCompTransformSetTable
   Specifies IPComp transform sets. Within a transform set, the
   choices are ORed with preference order.

   5.6.2 ipSecCompTransformTable
   Specifies IPComp transforms.

   5.7 ipSecPolicyTimePeriod Group
   This group specifies the time periods during which a policy rule
   is valid.

   5.7.1 ipSecRuleTimePeriodSetTable
   Specifies multiple time period sets. The ipSecRuleTimePeriodTable
   can specify only a single time period within a day. This table
   enables the specification of multiple time periods within a day by
   grouping them into one set.

   5.7.2 ipSecRuleTimePeriodTable
   Specifies the time periods during which a policy rule is valid.
   The values of the first five attributes in a row are ANDed
   together to determine the validity period(s). If any of the five
   attributes is not present, it is treated as having value always
   enabled.

6. The IPSec PIB

   IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

   IMPORTS
   Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION,
   MODULE-COMPLIANCE, InstanceId, ReferenceId, TagId, TagReferenceId
        FROM COPS-PR-SPPI
   OBJECT-IDENTITY
        FROM SNMPv2-SMI
   TruthValue
        FROM SNMPv2-TC
   RoleCombination
        FROM POLICY-FRAMEWORK-PIB
   OBJECT-GROUP
        FROM SNMPv2-CONF;

   ipSecPolicyPib MODULE-IDENTITY
   SUBJECT-CATEGORY { tbd -- IPSec Client Type }
   LAST-UPDATED "200102251800Z"
   ORGANIZATION "IETF ipsp WG"
   CONTACT-INFO "
                Man Li
                Nokia
                5 Wayside Road,
                Burlington, MA 01803
                Phone: +1 781 993 3923
                Email: man.m.li@nokia.com

                Avri Doria
                Nortel Networks
                600 Technology Park Drive
                Billerica, MA 01821
                Phone: +1 401 663 5024
                Email: avri@nortelnetworks.com

                Jamie Jason
                Intel Corporation
                MS JF3-206
                2111 NE 25th Ave.
                Hillsboro, OR 97124
                Phone: +1 503 264 9531
                Fax: +1 503 264 9428
                E-Mail: jamie.jason@intel.com

                Cliff Wang
                SmartPipes Inc.
                Suite 300, 565 Metro Place South
                Dublin, OH 43017
                Phone: +1 614 923 6241
                E-Mail: CWang@smartpipes.com

   DESCRIPTION
   "This PIB module contains a set of policy rule classes that
   describe IPSec policies."
   ::= { tbd }

   ipSecSelector OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies selectors for IPSec associations"
     ::= { ipSecPolicyPib 1 }

   ipSecAssociation OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies attributes related to IPSec Security
   Associations"
     ::= { ipSecPolicyPib 2 }

   ipSecIkeAssociation OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies attributes related to IKE Security
   Associations"
     ::= { ipSecPolicyPib 3 }

   ipSecEspTransform OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies attributes related to ESP Transform"
     ::= { ipSecPolicyPib 4 }

   ipSecAhTransform OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies attributes related to AH Transform"
     ::= { ipSecPolicyPib 5 }

   ipSecCompTransform OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies attributes related to IPSecComp Transform"
     ::= { ipSecPolicyPib 6 }

   ipSecPolicyTimePeriod OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies the time periods during which a policy rule
   is valid"
     ::= { ipSecPolicyPib 7 }

   ipSecPolicyPibConformance OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies requirements for conformance to the IPsec
   Policy PIB"
     ::= { ipSecPolicyPib 8 }

   --
   --
   -- The ipSecAddressTable
   --

   ipSecAddressTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAddressEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IP addresses."
     ::= { ipSecSelector  1 }

   ipSecAddressEntry OBJECT-TYPE
     SYNTAX IpSecAddressEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecAddressPrid }
     UNIQUENESS {
       ipSecAddressAddressType,
       ipSecAddressAddrMask,
       ipSecAddressAddrMin,
       ipSecAddressAddrMax,
       ipSecAddressGroupId
       }
     ::= { ipSecAddressTable 1 }

     IpSecAddressEntry ::= SEQUENCE {
        ipSecAddressPrid InstanceId,
        ipSecAddressAddressType INTEGER,
        ipSecAddressAddrMask OCTET STRING,
        ipSecAddressAddrMin OCTET STRING,
        ipSecAddressAddrMax OCTET STRING,
        ipSecAddressGroupId TagId
   }

   ipSecAddressPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecAddressEntry  1 }

   ipSecAddressAddressType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the address type. This also controls the length of the
   OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and
   ipSecAddressAddrMax objects. IPv4 addresses (1)(4)(7) are octet
   strings of length 4. IPv6 addresses (5)(6)(8) are octet strings of
   length 16. All other types are octet strings of variable length."
     ::= { ipSecAddressEntry  2 }

   ipSecAddressAddrMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "A mask for the matching of the IP address. A zero bit in the mask
   means that the corresponding bit in the address always matches. The
   type of this address is based on the ipSecAddressAddressType. If
   This attribute MUST be ignored when ipSecAddressAddressType is not
   of IPv4 addresses (1)(4)(7) or IPv6
   addresses (5)(6)(8), this attribute must be a zero length octet
   string." type."
     ::= { ipSecAddressEntry  3 }


   ipSecAddressAddrMin OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies an end point address. The length of the string is based
   upon the address type. For IPv4 address types, this attribute is
   a 4-bytes octet string. For IPv6 address types, this attribute is
   a 16-bytes octet string. For other types of addresses, this
   attribute is a variable length octet string.

   A value of all zero (e.g., IPv4 0.0.0.0) accompanied by an
   ipSecAddressAddrMask of all zero means a wild-carded address,
   i.e., all addresses match."
     ::= { ipSecAddressEntry  4 }

   ipSecAddressAddrMax OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "If a range of addresses is being used then this specifies the
   ending address. The type of this address must be the same as the
   ipSecAddressAddrMin. The length of the string is based upon the
   address type. For IPv4 address types, this attribute is a 4-bytes
   octet string. For IPv6 address types, this attribute is a 16-bytes
   octet string.

   If no range is specified then this attribute MUST be a zero length
   OCTET STRING."
     ::= { ipSecAddressEntry  5 }

   ipSecAddressGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this IP address, address range or subnet
   address belongs to."
     ::= { ipSecAddressEntry  6 }
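
   The following is an added example, not text or code from the draft:
   it models rows of ipSecAddressTable and applies the rules stated in
   the ipSecAddressAddressType, ipSecAddressAddrMask, ipSecAddressAddrMin
   and ipSecAddressAddrMax descriptions (octet-string length fixed by the
   type, zero mask bits always match, all-zero address plus all-zero
   mask is the wildcard, AddrMax only for range types). The row class,
   helper names and sample rows are this example's own assumptions; the
   draft does not say how the mask combines with a range row, so the
   example applies range bounds unmasked.

```python
# Added example, not part of the draft: rows of ipSecAddressTable and the
# matching rules given in the ipSecAddressAddrMask/AddrMin/AddrMax
# DESCRIPTION clauses. Attribute names follow the PIB; the row class,
# the helper names and the sample rows below are this example's own.
import ipaddress
from dataclasses import dataclass

# ipSecAddressAddressType values from the draft
IPV4_ADDRESS, IPV4_SUBNET, IPV4_RANGE = 1, 4, 7
IPV6_ADDRESS, IPV6_SUBNET, IPV6_RANGE = 5, 6, 8
IPV4_TYPES = {IPV4_ADDRESS, IPV4_SUBNET, IPV4_RANGE}
IPV6_TYPES = {IPV6_ADDRESS, IPV6_SUBNET, IPV6_RANGE}
RANGE_TYPES = {IPV4_RANGE, IPV6_RANGE}


@dataclass(frozen=True)
class IpSecAddressEntry:
    prid: int            # ipSecAddressPrid
    address_type: int    # ipSecAddressAddressType
    addr_mask: bytes     # ipSecAddressAddrMask
    addr_min: bytes      # ipSecAddressAddrMin
    addr_max: bytes      # ipSecAddressAddrMax, empty when no range
    group_id: int        # ipSecAddressGroupId


def packed(addr: str) -> bytes:
    """Network-order octets of a textual IPv4/IPv6 address."""
    return ipaddress.ip_address(addr).packed


def validate(entry: IpSecAddressEntry) -> None:
    """Raise ValueError when the octet-string lengths do not fit the type."""
    if entry.address_type in IPV4_TYPES:
        expected = 4
    elif entry.address_type in IPV6_TYPES:
        expected = 16
    else:
        return  # FQDN, DN, key-id: variable length, mask ignored
    if len(entry.addr_min) != expected or len(entry.addr_mask) != expected:
        raise ValueError(f"row {entry.prid}: AddrMin/AddrMask must be {expected} octets")
    if entry.address_type in RANGE_TYPES:
        if len(entry.addr_max) != expected:
            raise ValueError(f"row {entry.prid}: AddrMax must be {expected} octets")
        if entry.addr_max < entry.addr_min:
            raise ValueError(f"row {entry.prid}: AddrMax below AddrMin")
    elif entry.addr_max:
        raise ValueError(f"row {entry.prid}: AddrMax MUST be zero length without a range")


def is_valid(entry: IpSecAddressEntry) -> bool:
    try:
        validate(entry)
        return True
    except ValueError:
        return False


def matches(entry: IpSecAddressEntry, packet_addr: str) -> bool:
    """True when the packet address is covered by this row."""
    validate(entry)
    addr = packed(packet_addr)
    if entry.address_type not in IPV4_TYPES | IPV6_TYPES:
        return False  # identity types are not matched against IP headers
    if len(addr) != len(entry.addr_min):
        return False  # an IPv4 row cannot match an IPv6 packet, and vice versa
    if entry.address_type in RANGE_TYPES:
        # Fixed-length network-order octets compare correctly as bytes.
        # Assumption: the draft does not say how the mask combines with
        # a range, so the bounds are applied unmasked here.
        return entry.addr_min <= addr <= entry.addr_max
    # A zero mask bit always matches, so an all-zero address with an
    # all-zero mask is the wildcard row.
    return all((a & m) == (b & m)
               for a, m, b in zip(addr, entry.addr_mask, entry.addr_min))


# Constructed sample rows (not from the draft)
HOST = IpSecAddressEntry(1, IPV4_ADDRESS, packed("255.255.255.255"), packed("10.0.0.5"), b"", 10)
SUBNET = IpSecAddressEntry(2, IPV4_SUBNET, packed("255.255.0.0"), packed("10.1.0.0"), b"", 10)
WILDCARD = IpSecAddressEntry(3, IPV4_ADDRESS, bytes(4), bytes(4), b"", 20)
RANGE = IpSecAddressEntry(4, IPV4_RANGE, packed("255.255.255.255"),
                          packed("192.168.1.10"), packed("192.168.1.20"), 30)
V6NET = IpSecAddressEntry(5, IPV6_SUBNET, packed("ffff:ffff:ffff:ffff::"),
                          packed("2001:db8:1:2::"), b"", 40)
# Non-range row carrying an AddrMax: rejected by validate()
BAD = IpSecAddressEntry(6, IPV4_ADDRESS, bytes(4), packed("10.0.0.5"), packed("10.0.0.9"), 10)
```

   A PDP that installs rows through COPS-PR should run the same length
   and range checks before sending them; a PEP that accepts a 16-octet
   AddrMin on an IPv4-typed row has no defined behaviour under this PIB.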

   --
   --
   -- The ipSecL4PortTable
   --

   ipSecL4PortTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecL4PortEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies layer four port numbers."
     ::= { ipSecSelector  2 }

   ipSecL4PortEntry OBJECT-TYPE
     SYNTAX IpSecL4PortEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecL4PortPrid }
     UNIQUENESS {
       ipSecL4PortPortMin,
       ipSecL4PortPortMax,
       ipSecL4PortGroupId
       }
     ::= { ipSecL4PortTable 1 }

     IpSecL4PortEntry ::= SEQUENCE {
        ipSecL4PortPrid InstanceId,
        ipSecL4PortPortMin INTEGER,
        ipSecL4PortPortMax INTEGER,
        ipSecL4PortGroupId TagId
   }

   ipSecL4PortPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecL4PortEntry  1 }

   ipSecL4PortPortMin OBJECT-TYPE
     SYNTAX INTEGER (0..65535)
     STATUS current
     DESCRIPTION
   "Specifies a layer 4 port or the first layer 4 port number of a
   range of ports."
     ::= { ipSecL4PortEntry  2 }

   ipSecL4PortPortMax OBJECT-TYPE
     SYNTAX INTEGER (0..65535)
     STATUS current
     DESCRIPTION
   "Specifies the last layer 4 port in the range. If only a single
   port is specified, the value of this attribute must be equal to
   that of ipSecL4PortPortMin. Otherwise, the value of this attribute
   MUST be greater than that specified by ipSecL4PortPortMin."
     ::= { ipSecL4PortEntry  3 }

   ipSecL4PortGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this port or range of ports belongs to."
     ::= { ipSecL4PortEntry  4 }


   --
   --
   -- The ipSecSelectorTable
   --

   ipSecSelectorTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecSelectorEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec selectors. Each row in the selector table
   represents multiple selectors. These selectors are obtained as
   follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.
   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.
   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.
   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.
   5. Construct all the possible combinations of the above four
   fields together with the ipSecSelectorProtocol attribute to form
   all the five-tuple selectors.

   Selectors constructed from a row inherit all the other attributes
   of the row (e.g., ipSecSelectorGranularity)."
     ::= { ipSecSelector  3 }

   ipSecSelectorEntry OBJECT-TYPE
     SYNTAX IpSecSelectorEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecSelectorPrid }
     UNIQUENESS {
       ipSecSelectorSrcAddressGroupId,
       ipSecSelectorSrcPortGroupId,
       ipSecSelectorDstAddressGroupId,
       ipSecSelectorDstPortGroupId,
       ipSecSelectorProtocol,
       ipSecSelectorGranularity,
       ipSecSelectorOrder,
       ipSecSelectorStartupCondition,
       ipSecSelectorIsOriginator,
       ipSecSelectorGroupId
       }
     ::= { ipSecSelectorTable 1 }


     IpSecSelectorEntry ::= SEQUENCE {
        ipSecSelectorPrid InstanceId,
        ipSecSelectorSrcAddressGroupId TagReferenceId,
        ipSecSelectorSrcPortGroupId TagReferenceId,
        ipSecSelectorDstAddressGroupId TagReferenceId,
        ipSecSelectorDstPortGroupId TagReferenceId,
        ipSecSelectorProtocol INTEGER,
        ipSecSelectorGranularity INTEGER,
        ipSecSelectorOrder Unsigned32,
        ipSecSelectorStartupCondition BITS,
        ipSecSelectorIsOriginator TruthValue,
        ipSecSelectorGroupId TagId
   }

   ipSecSelectorPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecSelectorEntry  1 }

   ipSecSelectorSrcAddressGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecAddressGroupId
     STATUS current
     DESCRIPTION
   "Specifies source addresses. All addresses in ipSecAddressTable
   whose ipSecAddressGroupId match this value are included as source
   addresses."
     ::= { ipSecSelectorEntry  2 }

   ipSecSelectorSrcPortGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecL4PortGroupId
     STATUS current
     DESCRIPTION
   "Specifies source layer 4 port numbers. All ports in
   ipSecL4PortTable whose ipSecL4PortGroupId match this value are
   included."
     ::= { ipSecSelectorEntry  3 }

   ipSecSelectorDstAddressGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecAddressGroupId
     STATUS current
     DESCRIPTION
   "Specifies destination addresses. All addresses in
   ipSecAddressTable whose ipSecAddressGroupId match this value are
   included as destination addresses."
     ::= { ipSecSelectorEntry  4 }

   ipSecSelectorDstPortGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecL4PortGroupId
     STATUS current
     DESCRIPTION
   "Specifies destination layer 4 port numbers. All ports in
   ipSecL4PortTable whose ipSecL4PortGroupId match this value are
   included."
     ::= { ipSecSelectorEntry  5 }

   ipSecSelectorProtocol OBJECT-TYPE
     SYNTAX INTEGER (0..255)
     STATUS current
     DESCRIPTION
   "Specifies IP protocol to match against the packet's protocol. A
   value of zero means match all."
     ::= { ipSecSelectorEntry  6 }

   ipSecSelectorGranularity OBJECT-TYPE
     SYNTAX INTEGER {
       wide(1),
       narrow(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies how the security associations established may be used.
   A value of 1 (wide) indicates that this security association may
   be used by all packets that match the same selector that is
   matched by the packet triggering the establishment of this
   association. A value of 2 (narrow) indicates that this security
   association can be used only by packets that have exactly the same
   selector attribute values as that of the packet triggering the
   establishment of this association."
     ::= { ipSecSelectorEntry  7 }

   ipSecSelectorOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the selectors
   within the group identified by ipSecSelectorGroupId. A given
   precedence order is positioned before one with a higher-valued
   precedence order. All selectors constructed from the same row have
   the same order. The position of selectors with the same order is
   unspecified."
     ::= { ipSecSelectorEntry  8 }

   ipSecSelectorStartupCondition OBJECT-TYPE
     SYNTAX BITS {
       onBoot(1),
       onTraffic(2),
       onPolicy(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the triggering event that causes the rule that
   references this selector to be applied. onBoot (1) means that the
   rule is triggered after system boot. onTraffic (2) means that the
   rule is triggered when packets without associated security
   associations are sent or received. onPolicy (3) means that the
   rule is triggered when it becomes valid as specified by
   ipSecRuleTimePeriodGroupTable. In each case this selector is used
   as the selector for the IPsec action."
     ::= { ipSecSelectorEntry  9 }

   ipSecSelectorIsOriginator OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "When ipSecSelectorStartupCondition is either onBoot (1) or
   onPolicy (3) and IPsec security associations need to be set up,
   this PEP should initiate the establishment if this attribute is
   true. Otherwise, it should wait for the other end to initiate the
   setup."
     ::= { ipSecSelectorEntry  10 }

   ipSecSelectorGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group the selectors constructed from this row belong
   to. Selectors in the same group are provided with the same IPsec
   services."
     ::= { ipSecSelectorEntry  11 }
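
   The following is an added example, not text or code from the draft:
   it carries out steps 1-5 of the ipSecSelectorTable description,
   expanding each row's four group-id references into concrete
   five-tuple selectors, checks the ipSecL4PortPortMax constraint on the
   way, orders the result by ipSecSelectorOrder within a selector group,
   and applies the "zero means match all" rule of ipSecSelectorProtocol.
   The dictionary layout, helper names and sample rows are this example's
   own assumptions; the three tables are constructed inline.

```python
# Added example, not part of the draft: expands ipSecSelectorTable rows
# into the five-tuple selectors of steps 1-5 in the table DESCRIPTION
# and orders them by ipSecSelectorOrder. Object names follow the PIB;
# the dict layout, helper names and sample rows are this example's own.
from itertools import product

# Constructed ipSecAddressTable rows: (ipSecAddressPrid, ipSecAddressGroupId, address)
ADDRESS_TABLE = [
    (1, 10, "10.0.1.0/24"),
    (2, 10, "10.0.2.0/24"),
    (3, 20, "192.0.2.7"),
]
# Constructed ipSecL4PortTable rows: (Prid, PortMin, PortMax, GroupId)
L4PORT_TABLE = [
    (1, 80, 80, 30),
    (2, 443, 443, 30),
    (3, 0, 65535, 40),    # any port
    (4, 8080, 8000, 50),  # inconsistent row, rejected by ports_in_group()
]
# Constructed ipSecSelectorTable rows keyed by the PIB attribute suffixes
SELECTOR_TABLE = [
    {"Prid": 1, "SrcAddressGroupId": 10, "SrcPortGroupId": 40,
     "DstAddressGroupId": 20, "DstPortGroupId": 30, "Protocol": 6,
     "Granularity": 2, "Order": 20, "StartupCondition": {"onTraffic"},
     "IsOriginator": True, "GroupId": 100},
    {"Prid": 2, "SrcAddressGroupId": 20, "SrcPortGroupId": 40,
     "DstAddressGroupId": 10, "DstPortGroupId": 40, "Protocol": 0,
     "Granularity": 1, "Order": 10, "StartupCondition": {"onBoot"},
     "IsOriginator": True, "GroupId": 100},
]
# Row attributes every constructed selector inherits
INHERITED = ("Granularity", "Order", "StartupCondition", "IsOriginator", "GroupId")


def addresses_in_group(group_id):
    """Step 1/2: all ipSecAddressTable rows with a matching ipSecAddressGroupId."""
    return [addr for (_, g, addr) in ADDRESS_TABLE if g == group_id]


def ports_in_group(group_id):
    """Step 3/4: all ipSecL4PortTable rows with a matching ipSecL4PortGroupId."""
    out = []
    for prid, pmin, pmax, g in L4PORT_TABLE:
        if g != group_id:
            continue
        # ipSecL4PortPortMax: equal to PortMin for one port, else greater
        if pmax < pmin:
            raise ValueError(f"ipSecL4PortTable row {prid}: PortMax < PortMin")
        out.append((pmin, pmax))
    return out


def port_group_is_consistent(group_id):
    try:
        ports_in_group(group_id)
        return True
    except ValueError:
        return False


def expand_selector(row):
    """Steps 1-4 substitute the four group ids; step 5 is the product."""
    combos = product(addresses_in_group(row["SrcAddressGroupId"]),
                     ports_in_group(row["SrcPortGroupId"]),
                     addresses_in_group(row["DstAddressGroupId"]),
                     ports_in_group(row["DstPortGroupId"]))
    selectors = []
    for sa, sp, da, dp in combos:
        sel = {"src": sa, "src_port": sp, "dst": da, "dst_port": dp,
               "proto": row["Protocol"]}
        sel.update({k: row[k] for k in INHERITED})  # inherit the row's attributes
        selectors.append(sel)
    return selectors


def selectors_for_group(group_id, table=SELECTOR_TABLE):
    """All selectors of one ipSecSelectorGroupId, lower Order first.
    Rows with equal Order keep table order; the draft leaves that open."""
    rows = sorted((r for r in table if r["GroupId"] == group_id),
                  key=lambda r: r["Order"])
    return [s for r in rows for s in expand_selector(r)]


def protocol_matches(selector, packet_protocol):
    """ipSecSelectorProtocol zero means match all."""
    return selector["proto"] == 0 or selector["proto"] == packet_protocol
```

   The cross product in step 5 grows multiplicatively with the size of
   the four groups, so a PDP should count the expansion before
   installing a row; a group of a few hundred addresses on each side
   already yields tens of thousands of SPD entries on the PEP.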


   --
   --
   -- The ipSecRuleTable
   --

   ipSecRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec rules."
     ::= { ipSecAssociation  1 }

   ipSecRuleEntry OBJECT-TYPE
     SYNTAX IpSecRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecRulePrid }
     UNIQUENESS {
       ipSecRuleRoles,
       ipSecRuleDirection,
       ipSecRuleIpSecSelectorGroupId,
       ipSecRuleIpSecActionGroupId,
       ipSecRuleIpSecRuleTimePeriodGroupId
       }
     ::= { ipSecRuleTable 1 }

     IpSecRuleEntry ::= SEQUENCE {
        ipSecRulePrid InstanceId,
        ipSecRuleRoles RoleCombination,
        ipSecRuleDirection INTEGER,
        ipSecRuleIpSecSelectorGroupId TagReferenceId,
        ipSecRuleIpSecActionGroupId TagReferenceId,
        ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
   }

   ipSecRulePrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecRuleEntry  1 }

   ipSecRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combination of the interface to which this
   IPSec rule should apply."
     ::= { ipSecRuleEntry  2 }


   ipSecRuleDirection OBJECT-TYPE
     SYNTAX INTEGER {
       in(1),
       out(2),
       bi-directional(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the direction of traffic to which this rule should
   apply."
     ::= { ipSecRuleEntry  3 }

   ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecSelectorGroupId
     STATUS current
     DESCRIPTION
   "Identifies the selectors to be associated with this IPSec rule.
   The selectors in the ipSecSelectorTable whose ipSecSelectorGroupId
   matches this attribute are provided with the IPSec services
   specified by this rule."
     ::= { ipSecRuleEntry  4 }

   ipSecRuleIpSecActionGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecActionActionGroupId
     STATUS current
     DESCRIPTION
   "This attribute identifies the IPsec action group that is
   associated with this rule. Actions specified in ipSecActionTable
   whose ipSecActionActionGroupId match the value of this attribute
   MUST all be applied. The ipSecActionOrder in the ipSecActionTable
   indicates the order these actions should be taken in setting up
   the security associations."
     ::= { ipSecRuleEntry  5 }

   ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecRuleTimePeriodSetRuleTimePeriodSetId
     STATUS current
     DESCRIPTION
   "This attribute identifies an IPsec rule time period group,
   specified in ipSecRuleTimePeriodGroupTable, that is associated
   with this rule.

   A value of zero indicates that this IPsec rule is always valid."
     ::= { ipSecRuleEntry  6 }

   --
   --
   -- The ipSecActionTable
   --

   ipSecActionTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecActionEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies groups of IPsec actions. All actions that have the same
   ipSecActionActionGroupId belong to the same group. Actions in the
   same group MUST be applied in the order specified by
   ipSecActionOrder."
     ::= { ipSecAssociation  2 }

   ipSecActionEntry OBJECT-TYPE
     SYNTAX IpSecActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecActionPrid }
     UNIQUENESS {
       ipSecActionAction,
       ipSecActionTunnelEndpointId,
       ipSecActionDfHandling,
       ipSecActionDoLogging,
       ipSecActionIpSecSecurityAssociationId,
       ipSecActionActionGroupId,
       ipSecActionOrder,
       ipSecActionIkeRuleId
       }
     ::= { ipSecActionTable 1 }


     IpSecActionEntry ::= SEQUENCE {
        ipSecActionPrid InstanceId,
        ipSecActionAction INTEGER,
        ipSecActionTunnelEndpointId ReferenceId,
        ipSecActionDfHandling INTEGER,
        ipSecActionDoLogging TruthValue,
        ipSecActionIpSecSecurityAssociationId ReferenceId,
        ipSecActionActionGroupId TagId,
        ipSecActionOrder Unsigned32,
        ipSecActionIkeRuleId ReferenceId
   }

   ipSecActionPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecActionEntry  1 }

   ipSecActionAction OBJECT-TYPE
     SYNTAX INTEGER {
       byPass(1),
       discard(2),
       transport(3),
       tunnel(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPsec action to be applied to the traffic.
   byPass(1) means that the packet should pass in clear. discard(2)
   means that the packet should be denied. transport(3) means that
   the packet should be protected with a security association in
   transport mode. tunnel(4) means that the packet should be
   protected with a security association in tunnel mode. If
   tunnel(4) is specified, ipSecActionTunnelEndpointId MUST also be
   specified."
     ::= { ipSecActionEntry  2 }

   ipSecActionTunnelEndpointId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecAddressTable
     STATUS current
     DESCRIPTION
   "When ipSecActionAction is tunnel, this attribute specifies the IP
   address of the other end of the tunnel. The address specified in
   ipSecAddressTable whose ipSecAddressPrid matches this value is the
   other end of the tunnel. The address MUST be a single endpoint
   address.

   When ipSecActionAction is not tunnel, this attribute SHALL be
   ignored."
     ::= { ipSecActionEntry  3 }

   ipSecActionDfHandling OBJECT-TYPE
     SYNTAX INTEGER {
       copy(1),
       set(2),
       clear(3)
       }
     STATUS current
     DESCRIPTION
   "When ipSecActionAction is tunnel, this attribute specifies how
   the tunnel handles the DF bit. copy(1) indicates that the DF bit
   is copied from the inner IP header to the tunnel header. set(2)
   indicates that the DF bit is set. clear(3) indicates that the DF
   bit is cleared. When ipSecActionAction is not tunnel, this
   attribute SHALL be ignored."
     ::= { ipSecActionEntry  4 }

   ipSecActionDoLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies if an audit message should be logged when the discard
   action is taken."
     ::= { ipSecActionEntry  5 }

   ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecAssociationTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPsec association, specified by
   ipSecAssociationPrid in ipSecAssociationTable, that is associated
   with this action.

   When the ipSecActionAction attribute specifies byPass(1) or
   discard(2), this attribute MUST have a value of zero. Otherwise,
   its value MUST be greater than zero."
     ::= { ipSecActionEntry  6 }

   ipSecActionActionGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this action belongs to."
     ::= { ipSecActionEntry  7 }

   ipSecActionOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the order in which the actions in this group are
   applied. An action with a lower order number is applied before one
   with a higher order number.

   When the ipSecActionAction attribute specifies byPass(1) or
   discard(2), this attribute MUST be ignored."
     ::= { ipSecActionEntry  8 }

   ipSecActionIkeRuleId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecIkeRuleTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an IKE rule, specified by
   ipSecIkeRulePrid in ipSecIkeRuleTable, that is associated with
   this IPsec action. A value of zero means that there is no IKE rule
   associated. When the ipSecActionAction attribute specifies
   byPass(1) or discard(2), this attribute must have a value of zero."
     ::= { ipSecActionEntry  9 }
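
   The following is an added example, not text or code from the draft:
   it checks the MUST clauses spread over the ipSecActionTable
   attribute descriptions (a tunnel action needs an
   ipSecActionTunnelEndpointId that names an ipSecAddressTable row;
   byPass/discard actions carry a zero association and IKE rule
   reference; transport/tunnel actions carry a positive association
   reference; DF handling only applies to tunnels) and resolves the
   group that a rule's ipSecRuleIpSecActionGroupId names into the list
   of actions in ipSecActionOrder. The row class, helper names and
   sample rows are this example's own assumptions.

```python
# Added example, not part of the draft: checks the MUST clauses of
# ipSecActionTable rows and resolves the action group a rule references
# into the ordered list of actions to apply. Attribute names follow the
# PIB; the row class, helper names and sample rows are this example's own.
from dataclasses import dataclass

# ipSecActionAction and ipSecActionDfHandling values from the draft
BYPASS, DISCARD, TRANSPORT, TUNNEL = 1, 2, 3, 4
DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3


@dataclass(frozen=True)
class IpSecActionEntry:
    prid: int
    action: int              # ipSecActionAction
    tunnel_endpoint_id: int  # ipSecActionTunnelEndpointId (an ipSecAddressPrid), 0 = unset
    df_handling: int         # ipSecActionDfHandling
    do_logging: bool         # ipSecActionDoLogging
    sa_id: int               # ipSecActionIpSecSecurityAssociationId
    group_id: int            # ipSecActionActionGroupId
    order: int               # ipSecActionOrder
    ike_rule_id: int         # ipSecActionIkeRuleId, 0 = none


def check_action(a: IpSecActionEntry, address_prids: set) -> list:
    """Return the violated constraints; an empty list means the row is consistent."""
    errors = []
    if a.action == TUNNEL:
        if a.tunnel_endpoint_id == 0:
            errors.append("tunnel(4) MUST specify ipSecActionTunnelEndpointId")
        elif a.tunnel_endpoint_id not in address_prids:
            errors.append("ipSecActionTunnelEndpointId names no ipSecAddressTable row")
    if a.action in (BYPASS, DISCARD):
        if a.sa_id != 0:
            errors.append("byPass/discard: ipSecActionIpSecSecurityAssociationId MUST be zero")
        if a.ike_rule_id != 0:
            errors.append("byPass/discard: ipSecActionIkeRuleId must be zero")
    elif a.sa_id <= 0:
        errors.append("transport/tunnel: ipSecActionIpSecSecurityAssociationId MUST be > 0")
    return errors


def outer_df(a: IpSecActionEntry, inner_df: bool):
    """DF bit of the tunnel header; None when the action is not tunnel,
    since ipSecActionDfHandling SHALL be ignored then."""
    if a.action != TUNNEL:
        return None
    return {DF_COPY: inner_df, DF_SET: True, DF_CLEAR: False}[a.df_handling]


def actions_for_rule(action_group_id: int, action_table, address_prids: set) -> list:
    """Actions whose ipSecActionActionGroupId matches the rule's
    ipSecRuleIpSecActionGroupId, ordered by ipSecActionOrder."""
    chosen = [a for a in action_table if a.group_id == action_group_id]
    for a in chosen:
        problems = check_action(a, address_prids)
        if problems:
            raise ValueError(f"action {a.prid}: " + "; ".join(problems))
    # Order is ignored for byPass/discard rows; sorting them is harmless.
    return sorted(chosen, key=lambda a: a.order)


def group_is_consistent(action_group_id: int, action_table, address_prids: set) -> bool:
    try:
        actions_for_rule(action_group_id, action_table, address_prids)
        return True
    except ValueError:
        return False


def should_log_discard(a: IpSecActionEntry) -> bool:
    """ipSecActionDoLogging only has effect when the action is discard."""
    return a.action == DISCARD and a.do_logging


# Constructed sample rows (not from the draft); ipSecAddressPrid 3 exists.
ADDRESS_PRIDS = {1, 2, 3}
ACTION_TABLE = [
    IpSecActionEntry(1, TUNNEL, 3, DF_COPY, False, 1, 50, 2, 7),
    IpSecActionEntry(2, TRANSPORT, 0, DF_COPY, False, 2, 50, 1, 7),
    IpSecActionEntry(3, DISCARD, 0, DF_COPY, True, 0, 60, 0, 0),
    IpSecActionEntry(4, TUNNEL, 0, DF_SET, False, 3, 70, 1, 7),  # endpoint missing
]
```

   Rejecting an inconsistent row before it reaches the PEP matters
   because a tunnel action with no endpoint, or a transport action with
   no association reference, leaves the PEP with nothing to negotiate
   and the traffic's fate implementation-defined.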

   --
   --
   -- The ipSecAssociationTable
   --


   ipSecAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAssociationEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes associated with IPsec associations."
     ::= { ipSecAssociation  3 }

   ipSecAssociationEntry OBJECT-TYPE
     SYNTAX IpSecAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecAssociationPrid }
     UNIQUENESS {
       ipSecAssociationRefreshThresholdSeconds,
       ipSecAssociationRefreshThresholdKilobytes,
       ipSecAssociationMinLifetimeSeconds,
       ipSecAssociationMinLifetimeKilobytes,
       ipSecAssociationTrafficIdleTime,
       ipSecAssociationUsePfs,
       ipSecAssociationVendorId,
       ipSecAssociationUseIkeGroup,
       ipSecAssociationDhGroup,
       ipSecAssociationProposalSetId
       }
     ::= { ipSecAssociationTable 1 }

     IpSecAssociationEntry ::= SEQUENCE {
        ipSecAssociationPrid InstanceId,
        ipSecAssociationRefreshThresholdSeconds INTEGER,
        ipSecAssociationRefreshThresholdKilobytes INTEGER,
        ipSecAssociationMinLifetimeSeconds Unsigned32,
        ipSecAssociationMinLifetimeKilobytes Unsigned32,
        ipSecAssociationTrafficIdleTime Unsigned32,
        ipSecAssociationUsePfs TruthValue,
        ipSecAssociationVendorId OCTET STRING,
        ipSecAssociationUseIkeGroup TruthValue,
        ipSecAssociationDhGroup Unsigned32,
        ipSecAssociationProposalSetId TagReferenceId
   }


   ipSecAssociationPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecAssociationEntry  1 }

   ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration (in other words, the
   refresh threshold) of an established SA's seconds lifetime at
   which to begin renegotiation of the SA.
   A value of 100 means that renegotiation does not occur until the
   seconds lifetime value has expired."
     ::= { ipSecAssociationEntry  2 }

   ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration of an established SA's
   kilobyte lifetime at which to begin renegotiation of the SA.
   A value of 100 means that renegotiation does not occur until the
   kilobyte lifetime value has expired."
     ::= { ipSecAssociationEntry  3 }

   ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.
   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecAssociationEntry  4 }

   ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a peer while negotiating an SA based upon this action. A
   value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecAssociationEntry  5 }

   ipSecAssociationTrafficIdleTime OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the amount of time in seconds an SA can remain idle (in
   other words, no traffic protected by the SA) before it is deleted.

   A value of zero indicates that there is no idle time detection.
   The expiration of the SA is determined by the expiration of one of
   the lifetime values."
     ::= { ipSecAssociationEntry  6 }

   ipSecAssociationUsePfs OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If true, PFS SHALL be used when negotiating the phase two IPsec
   SA."
     ::= { ipSecAssociationEntry  7 }

   ipSecAssociationVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Identifies vendor-defined key exchange GroupIDs."
     ::= { ipSecAssociationEntry  8 }

   ipSecAssociationUseIkeGroup OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If true, the phase two DH group number MUST be the same as that
   of phase 1. Otherwise, the group number specified by the
   ipSecAssociationDhGroup attribute SHALL be used. This attribute is
   ignored if ipSecAssociationUsePfs is false."
     ::= { ipSecAssociationEntry  9 }

   ipSecAssociationDhGroup OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "If PFS is used during IKE phase two and
   ipSecAssociationUseIkeGroup is false, this attribute specifies the
   Diffie-Hellman group to use.

   If the group number is from the vendor-specific range (32768-
   65535), the ipSecAssociationVendorId qualifies the group number.

   This attribute MUST be ignored if ipSecAssociationUsePfs is
   false."
     ::= { ipSecAssociationEntry  10 }

   ipSecAssociationProposalSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecProposalSetProposalSetId
     STATUS current
     DESCRIPTION
   "An integer that identifies the IPsec proposal set, specified in
   ipSecProposalSetTable, that is associated with this IPsec
   association."
     ::= { ipSecAssociationEntry  11 }

   --
   --
   -- The ipSecProposalSetTable
   --

   ipSecProposalSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec proposal sets. Proposals within a set are ORed
   with preference order."
     ::= { ipSecAssociation  4 }

   ipSecProposalSetEntry OBJECT-TYPE
     SYNTAX IpSecProposalSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecProposalSetPrid }
     UNIQUENESS {
       ipSecProposalSetProposalSetId,
       ipSecProposalSetProposalId,
       ipSecProposalSetOrder
       }
     ::= { ipSecProposalSetTable 1 }

     IpSecProposalSetEntry ::= SEQUENCE {
        ipSecProposalSetPrid InstanceId,
        ipSecProposalSetProposalSetId TagId,
        ipSecProposalSetProposalId ReferenceId,
        ipSecProposalSetOrder Unsigned32
   }

   ipSecProposalSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecProposalSetEntry  1 }

   ipSecProposalSetProposalSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPsec proposal set."
     ::= { ipSecProposalSetEntry  2 }

   ipSecProposalSetProposalId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecProposalTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPsec Proposal, specified by
   ipSecProposalPrid in ipSecProposalTable, that is included in this
   set."
     ::= { ipSecProposalSetEntry  3 }

   ipSecProposalSetOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the proposal
   identified by ipSecProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A given
   precedence order is positioned before one with a higher-valued
   precedence order."
     ::= { ipSecProposalSetEntry  4 }

   --
   --
   -- The ipSecProposalTable
   --

   ipSecProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an IPsec proposal. It has references to ESP, AH and
   IPComp Transform sets. Within a proposal, different types of
   transforms are ANDed. Within one type of transforms, the choices
   are ORed with preference order."
     ::= { ipSecAssociation  5 }

   ipSecProposalEntry OBJECT-TYPE
     SYNTAX IpSecProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecProposalPrid }
     UNIQUENESS {
       ipSecProposalLifetimeKilobytes,
       ipSecProposalLifetimeSeconds,
       ipSecProposalVendorId,
       ipSecProposalEspTransformSetId,
       ipSecProposalAhTransformSetId,
       ipSecProposalCompTransformSetId
       }
     ::= { ipSecProposalTable 1 }

     IpSecProposalEntry ::= SEQUENCE {
        ipSecProposalPrid InstanceId,
        ipSecProposalLifetimeKilobytes Unsigned32,
        ipSecProposalLifetimeSeconds Unsigned32,
        ipSecProposalVendorId OCTET STRING,
        ipSecProposalEspTransformSetId TagReferenceId,
        ipSecProposalAhTransformSetId TagReferenceId,
        ipSecProposalCompTransformSetId TagReferenceId
   }

   ipSecProposalPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecProposalEntry  1 }

   ipSecProposalLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the kilobyte lifetime for this particular proposal.

   A value of zero indicates that there is no kilobyte lifetime."
     ::= { ipSecProposalEntry  2 }

   ipSecProposalLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the seconds lifetime for this particular proposal.

   A value of zero indicates that the lifetime value defaults to 8
   hours. "
     ::= { ipSecProposalEntry  3 }

   ipSecProposalVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Identifies vendor-defined transforms."
     ::= { ipSecProposalEntry  4 }

   ipSecProposalEspTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecEspTransformSetTransformSetId
     STATUS current
     DESCRIPTION
   "An integer that identifies the ESP transform set, specified in
   ipSecEspTransformSetTable, that is associated with this proposal."
     ::= { ipSecProposalEntry  5 }

   ipSecProposalAhTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecAhTransformSetTransformSetId
     STATUS current
     DESCRIPTION
   "An integer that identifies the AH transform set, specified in
   ipSecAhTransformSetTable, that is associated with this proposal."
     ::= { ipSecProposalEntry  6 }

   ipSecProposalCompTransformSetId OBJECT-TYPE

     SYNTAX TagReferenceId
     PIB-TAG    ipSecCompTransformSetTransformId
     STATUS current
     DESCRIPTION
   "An integer that identifies the IPComp transform set, specified in
   ipSecCompTransformSetTable, that is associated with this
   proposal."
     ::= { ipSecProposalEntry  7 }
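   The following Python is an added worked example and is not part of
   this draft. It loads constructed rows shaped like
   ipSecProposalSetTable and ipSecProposalTable, orders the proposals of
   one set by ipSecProposalSetOrder (lowest first), applies the
   zero-value rules of the lifetime attributes (zero seconds defaults to
   8 hours, zero kilobytes means no kilobyte lifetime), and expands each
   proposal's transform set references into the structure the
   ipSecProposalTable description states: transform types ANDed,
   choices within one type ORed in preference order. The ESP, AH and
   IPComp transform set tables are defined elsewhere in the draft, so
   the rows in TRANSFORM_SET_ROWS and their column layout (transform set
   id, transform name, order) are an assumption made for this example.

```python
"""Added example: resolve IPsec proposal sets from PIB-shaped rows.

Not part of draft-ietf-ipsp-ipsecpib. All rows below are constructed.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

# Draft: a zero ipSecProposalLifetimeSeconds defaults to 8 hours.
DEFAULT_LIFETIME_SECONDS = 8 * 3600

# Constructed ipSecProposalSetTable rows:
# (ipSecProposalSetPrid, ProposalSetId, ProposalId, Order)
PROPOSAL_SET_ROWS = [
    (1, 10, 200, 2),
    (2, 10, 100, 1),
    (3, 10, 300, 3),
    (4, 11, 300, 1),
]

# Constructed ipSecProposalTable rows keyed by ipSecProposalPrid:
# (LifetimeKilobytes, LifetimeSeconds, VendorId,
#  EspTransformSetId, AhTransformSetId, CompTransformSetId)
PROPOSAL_ROWS = {
    100: (0, 0, b"", 1, 0, 0),
    200: (102400, 3600, b"", 1, 7, 0),
    300: (0, 1800, b"", 2, 0, 5),
}

# Assumed layout of the ESP/AH/IPComp transform set tables, which the
# draft defines elsewhere: (TransformSetId tag, transform name, order).
# A PIB-TAG reference selects every row whose tag equals the reference.
TRANSFORM_SET_ROWS = {
    "esp": [(1, "3des-cbc-hmac-sha1", 1), (1, "des-cbc-hmac-md5", 2),
            (2, "esp-null-hmac-sha1", 1)],
    "ah": [(7, "ah-hmac-sha1", 1)],
    "comp": [(5, "ipcomp-deflate", 1)],
}


@dataclass
class Proposal:
    prid: int
    lifetime_seconds: int
    lifetime_kilobytes: Optional[int]       # None: no kilobyte lifetime
    # One list per transform type, each in preference order (ORed);
    # the types themselves are ANDed.
    transforms: Dict[str, List[str]] = field(default_factory=dict)


def expand_transform_set(kind: str, tag: int) -> List[str]:
    """Names of the rows of one transform set table whose tag matches,
    in precedence order."""
    rows = [r for r in TRANSFORM_SET_ROWS[kind] if r[0] == tag]
    return [name for _, name, _ in sorted(rows, key=lambda r: r[2])]


def load_proposal(prid: int) -> Proposal:
    kb, secs, _vendor, esp, ah, comp = PROPOSAL_ROWS[prid]
    transforms = {}
    for kind, tag in (("esp", esp), ("ah", ah), ("comp", comp)):
        names = expand_transform_set(kind, tag)
        if names:                       # a tag matching no row adds nothing
            transforms[kind] = names
    return Proposal(prid,
                    secs if secs else DEFAULT_LIFETIME_SECONDS,
                    kb if kb else None,
                    transforms)


def check_uniqueness(rows) -> None:
    """UNIQUENESS { ProposalSetId, ProposalId, Order }: no repeated triple."""
    keys = [r[1:] for r in rows]
    if len(set(keys)) != len(keys):
        raise ValueError("ipSecProposalSetTable violates its UNIQUENESS clause")


def resolve_proposal_set(set_id: int) -> List[Proposal]:
    """Proposals of one set, most preferred first (lowest Order first)."""
    check_uniqueness(PROPOSAL_SET_ROWS)
    rows = [r for r in PROPOSAL_SET_ROWS if r[1] == set_id]
    return [load_proposal(r[2]) for r in sorted(rows, key=lambda r: r[3])]


def concrete_bundles(p: Proposal) -> List[Tuple[str, ...]]:
    """Every acceptable transform combination: one choice per type (AND),
    enumerated in preference order (OR within each type)."""
    kinds = sorted(p.transforms)        # deterministic column order
    return list(product(*(p.transforms[k] for k in kinds)))


if __name__ == "__main__":
    for prop in resolve_proposal_set(10):
        print(prop.prid, prop.lifetime_seconds, prop.lifetime_kilobytes,
              concrete_bundles(prop))
```

   The UNIQUENESS check mirrors the clause on ipSecProposalSetEntry
   literally: only the full (set id, proposal id, order) triple must be
   unique, so two proposals of one set with the same order value are not
   rejected here, and an implementation that needs a strict ordering has
   to add that rule itself.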

   --
   --
   -- The ipSecIkeAssociationTable
   --

   ipSecIkeAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes related to IKE associations."
     ::= { ipSecIkeAssociation  1 }

   ipSecIkeAssociationEntry OBJECT-TYPE
     SYNTAX IpSecIkeAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecIkeAssociationPrid }
     UNIQUENESS {
       ipSecIkeAssociationRefreshThresholdSeconds,
       ipSecIkeAssociationRefreshThresholdKilobytes,
       ipSecIkeAssociationMinLiftetimeSeconds,
       ipSecIkeAssociationMinLifetimeKilobytes,
       ipSecIkeAssociationTrafficIdleTime,
       ipSecIkeAssociationExchangeMode,
       ipSecIkeAssociationUseIkeIdentityType,
       ipSecIkeAssociationRefreshThresholdDerivedKeys,
       ipSecIkeAssociationIKEProposalSetId
       }
     ::= { ipSecIkeAssociationTable 1 }

     IpSecIkeAssociationEntry ::= SEQUENCE {
        ipSecIkeAssociationPrid InstanceId,
        ipSecIkeAssociationRefreshThresholdSeconds INTEGER,
        ipSecIkeAssociationRefreshThresholdKilobytes INTEGER,
        ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
        ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
        ipSecIkeAssociationTrafficIdleTime Unsigned32,
        ipSecIkeAssociationExchangeMode INTEGER,
        ipSecIkeAssociationUseIkeIdentityType INTEGER,
        ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER,
        ipSecIkeAssociationIKEProposalSetId TagReferenceId
   }

   ipSecIkeAssociationPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeAssociationEntry  1 }

   ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration (in other words, the
   refresh threshold) of an established SA's seconds lifetime at
   which to begin renegotiation of the SA.

   A value of 100 means that renegotiation does not occur until the
   seconds lifetime value has expired."
     ::= { ipSecIkeAssociationEntry  2 }

   ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration of an established SA's
   kilobyte lifetime at which to begin renegotiation of the SA.

   A value of 100 means that renegotiation does not occur until the
   seconds lifetime value has expired."
     ::= { ipSecIkeAssociationEntry  3 }

   ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.

   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecIkeAssociationEntry  4 }

   ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a negotiating peer while negotiating an SA based upon this
   action.

   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecIkeAssociationEntry  5 }

   ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the amount of time in seconds an SA may remain idle (in
   other words, no traffic protected by the SA) before it is deleted.

   A value of zero indicates that there is no idle time detection.
   The expiration of the SA is determined by the expiration of one of
   the lifetime values."
     ::= { ipSecIkeAssociationEntry  6 }

   ipSecIkeAssociationExchangeMode OBJECT-TYPE
     SYNTAX INTEGER {
       baseMode(1),
       mainMode(2),
       aggressiveMode(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the negotiation mode that the IKE server will use for
   phase one."
     ::= { ipSecIkeAssociationEntry  7 }

   ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the type of IKE identity to use during IKE phase one
   negotiation."
     ::= { ipSecIkeAssociationEntry  8 }

   ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration of an established IKE SA's
   derived keys lifetime at which to begin renegotiation of the SA.

   A value of 100 means that renegotiation does not occur until the
   derived key lifetime value has expired."
     ::= { ipSecIkeAssociationEntry  9 }

   ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecIkeProposalSetProposalSetId
     STATUS current
     DESCRIPTION
   "An integer that identifies the IKE proposal set, specified in
   ipSecIkeProposalGroupTable, that is associated with this IKE
   association."
     ::= { ipSecIkeAssociationEntry  10 }
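   The following Python is an added worked example, not part of this
   draft, showing how a PEP would apply the lifetime-related attributes
   of an ipSecIkeAssociationEntry to an established SA: the three
   INTEGER (1..100) refresh thresholds are range-checked, a peer's
   offered lifetimes are tested against the MinLifetime attributes
   (zero meaning no minimum), and an SA is kept, renegotiated or
   deleted according to its age, kilobytes protected, the
   TrafficIdleTime rule (zero meaning no idle detection) and the
   threshold percentages. The policy row and the SA figures used are
   constructed; the field names of the IkeAssociation class are the
   example's own shorthand for the draft's attribute names.

```python
"""Added example: apply the lifetime attributes of an
ipSecIkeAssociationEntry to an established SA.

Not part of draft-ietf-ipsp-ipsecpib; the policy row and the SA
figures used below are constructed.
"""
from dataclasses import dataclass
from typing import List

PERCENT_ATTRIBUTES = (
    "refresh_threshold_seconds",        # ipSecIkeAssociationRefreshThresholdSeconds
    "refresh_threshold_kilobytes",      # ipSecIkeAssociationRefreshThresholdKilobytes
    "refresh_threshold_derived_keys",   # ipSecIkeAssociationRefreshThresholdDerivedKeys
)


@dataclass(frozen=True)
class IkeAssociation:
    """Lifetime-related attributes of one ipSecIkeAssociationEntry."""
    refresh_threshold_seconds: int       # INTEGER (1..100), percent of lifetime
    refresh_threshold_kilobytes: int     # INTEGER (1..100), percent of lifetime
    min_lifetime_seconds: int            # Unsigned32, 0 = no minimum enforced
    min_lifetime_kilobytes: int          # Unsigned32, 0 = no minimum enforced
    traffic_idle_time: int               # Unsigned32 seconds, 0 = no idle detection
    refresh_threshold_derived_keys: int  # INTEGER (1..100), percent of lifetime


def validation_errors(assoc: IkeAssociation) -> List[str]:
    """The three thresholds are INTEGER (1..100); anything else is invalid."""
    return [f"{name}={getattr(assoc, name)} outside INTEGER (1..100)"
            for name in PERCENT_ATTRIBUTES
            if not 1 <= getattr(assoc, name) <= 100]


def peer_lifetimes_acceptable(assoc: IkeAssociation,
                              offered_seconds: int,
                              offered_kilobytes: int) -> bool:
    """MinLifetime*: an offer below the configured minimum is refused.
    A minimum of zero enforces nothing for that dimension."""
    if assoc.min_lifetime_seconds and offered_seconds < assoc.min_lifetime_seconds:
        return False
    if assoc.min_lifetime_kilobytes and offered_kilobytes < assoc.min_lifetime_kilobytes:
        return False
    return True


def refresh_point(lifetime: int, threshold_percent: int) -> int:
    """Where renegotiation starts: threshold percent of the lifetime.
    At 100 this equals the lifetime itself, so the SA simply expires."""
    return lifetime * threshold_percent // 100


def sa_action(assoc: IkeAssociation,
              lifetime_seconds: int, lifetime_kilobytes: int,
              age_seconds: int, kilobytes_used: int, idle_seconds: int) -> str:
    """Decide the fate of an established SA with the given negotiated
    lifetimes (kilobytes 0 = no kilobyte lifetime) and current usage.

    Returns "delete" (idle too long, or a lifetime expired),
    "renegotiate" (a refresh threshold reached) or "keep"."""
    if assoc.traffic_idle_time and idle_seconds >= assoc.traffic_idle_time:
        return "delete"
    if age_seconds >= lifetime_seconds:
        return "delete"
    if lifetime_kilobytes and kilobytes_used >= lifetime_kilobytes:
        return "delete"
    if age_seconds >= refresh_point(lifetime_seconds, assoc.refresh_threshold_seconds):
        return "renegotiate"
    if lifetime_kilobytes and kilobytes_used >= refresh_point(
            lifetime_kilobytes, assoc.refresh_threshold_kilobytes):
        return "renegotiate"
    return "keep"


# Constructed policy row: renegotiate at 80% of the seconds lifetime and
# 90% of the kilobyte lifetime, accept no SA shorter than 600 s / 1024 KB,
# delete after 300 s without protected traffic.
POLICY = IkeAssociation(80, 90, 600, 1024, 300, 100)

if __name__ == "__main__":
    print(validation_errors(POLICY))
    print(peer_lifetimes_acceptable(POLICY, 3600, 20480))
    print(sa_action(POLICY, 3600, 20480, 2900, 4096, 10))
```

   The expiry checks run before the threshold checks on purpose: with a
   threshold of 100 the refresh point coincides with the lifetime, so the
   SA is deleted at expiry and never renegotiated early, which is the
   behaviour the descriptions of the threshold attributes require.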

   --
   --
   -- The ipSecIkeRuleTable
   --

   ipSecIkeRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeRuleEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes related to IKE rules."
     ::= { ipSecIkeAssociation  2 }

   ipSecIkeRuleEntry OBJECT-TYPE
     SYNTAX IpSecIkeRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecIkeRulePrid }
     UNIQUENESS {
       ipSecIkeRuleRoles,
       ipSecIkeRuleIkeAssiciationId,
       ipSecIkeRuleIpSecRuleTimePeriodGroupId,
       ipSecIkeRuleIkeEndpointGroupId
       }
     ::= { ipSecIkeRuleTable 1 }

     IpSecIkeRuleEntry ::= SEQUENCE {
        ipSecIkeRulePrid InstanceId,
        ipSecIkeRuleRoles RoleCombination,
        ipSecIkeRuleIkeAssiciationId ReferenceId,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId,
        ipSecIkeRuleIkeEndpointGroupId TagReferenceId
   }

   ipSecIkeRulePrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeRuleEntry  1 }

   ipSecIkeRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combination of the interface to which this IKE
   rule should apply."
     ::= { ipSecIkeRuleEntry  2 }

   ipSecIkeRuleIkeAssiciationId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecIkeAssociationTable
     STATUS current
     DESCRIPTION
   "This attribute identifies the IKE action, specified by
   ipSecIkeAssociationPrid in ipSecIkeAssociationTable, that is
   associated with this rule"
     ::= { ipSecIkeRuleEntry  3 }

   ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecRuleTimePeriodSetRuleTimePeriodSetId
     STATUS current
     DESCRIPTION
   "This attribute identifies an IPsec rule time period group,
   specified in ipSecRuleTimePeriodGroupTable, that is associated
   with this IKE rule.

   A value of zero indicates that this IKE rule is always valid."
     ::= { ipSecIkeRuleEntry  4 }

   ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecIkeEndpointGroupId
     STATUS current
     DESCRIPTION
   "An integer that identifies a group of endpoints with which this
   PEP can set up IKE associations. The endpoints specified in
   ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this
   attribute are the endpoints involved. "
     ::= { ipSecIkeRuleEntry  5 }

   --
   --
   -- The ipSecIkeProposalSetTable
   --

   ipSecIkeProposalSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE proposal sets. Proposals within a set are ORed with
   preference order. "
     ::= { ipSecIkeAssociation  3 }

   ipSecIkeProposalSetEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecIkeProposalSetPrid }
     UNIQUENESS {
       ipSecIkeProposalSetProposalSetId,
       ipSecIkeProposalSetProposalId,
       ipSecIkeProposalSetOrder
       }
     ::= { ipSecIkeProposalSetTable 1 }

     IpSecIkeProposalSetEntry ::= SEQUENCE {
        ipSecIkeProposalSetPrid InstanceId,
        ipSecIkeProposalSetProposalSetId TagId,
        ipSecIkeProposalSetProposalId ReferenceId,
        ipSecIkeProposalSetOrder Unsigned32
   }

   ipSecIkeProposalSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeProposalSetEntry  1 }

   ipSecIkeProposalSetProposalSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that uniquely identifies an IKE proposal set. "
     ::= { ipSecIkeProposalSetEntry  2 }

   ipSecIkeProposalSetProposalId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecIkeProposalTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an IKE proposal, specified by
   ipSecIkeProposalPrid in ipSecIkeProposalTable, that is
   included in this set."
     ::= { ipSecIkeProposalSetEntry  3 }

   ipSecIkeProposalSetOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the proposal
   identified by ipSecIkeProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecIkeProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A given
   precedence order is positioned before one with a higher-valued
   precedence order."
     ::= { ipSecIkeProposalSetEntry  4 }

   --
   --
   -- The ipSecIkeProposalTable
   --

   ipSecIkeProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes associated with IKE proposals."
     ::= { ipSecIkeAssociation  4 }

   ipSecIkeProposalEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecIkeProposalPrid }
     UNIQUENESS {
       ipSecIkeProposalMaxLifetimeSeconds,
       ipSecIkeProposalMaxLifetimeKilobytes,
       ipSecIkeProposalCipherAlgorithm,
       ipSecIkeProposalHashAlgorithm,
       ipSecIkeProposalAuthenticationMethod,
       ipSecIkeProposalLifetimeDerivedKeys,
       ipSecIkeProposalPrfAlgorithm,
       ipSecIkeProposalVendorId,
       ipSecIkeProposalIkeDhGroup
       }
     ::= { ipSecIkeProposalTable 1 }

     IpSecIkeProposalEntry ::= SEQUENCE {
        ipSecIkeProposalPrid InstanceId,
        ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
        ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
        ipSecIkeProposalCipherAlgorithm INTEGER,
        ipSecIkeProposalHashAlgorithm INTEGER,
        ipSecIkeProposalAuthenticationMethod INTEGER,
        ipSecIkeProposalLifetimeDerivedKeys Unsigned32,
        ipSecIkeProposalPrfAlgorithm Unsigned32,
        ipSecIkeProposalVendorId OCTET STRING,
        ipSecIkeProposalIkeDhGroup Unsigned32
   }

   ipSecIkeProposalPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeProposalEntry  1 }

   ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the seconds lifetime for this particular proposal.

   A value of zero indicates that the lifetime value defaults to 8
   hours. "
     ::= { ipSecIkeProposalEntry  2 }

   ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the kilobyte lifetime for this particular proposal.

   A value of zero indicates that there is no kilobyte lifetime.
       "
     ::= { ipSecIkeProposalEntry  3 }

   ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       des-CBC(1),
       idea-CBC(2),
       blowfish-CBC(3),
       rc5-R16-B64-CBC(4),
       tripleDes-CBC(5),
       cast-CBC(6)
       }
     STATUS current
     DESCRIPTION
   "Specifies the encryption algorithm to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  4 }

   ipSecIkeProposalHashAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       md5(1),
       sha-1(2),
       tiger(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the hash algorithm to propose for the IKE association."
     ::= { ipSecIkeProposalEntry  5 }

   ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
     SYNTAX INTEGER {
       presharedKey(1),
       dssSignatures(2),
       rsaSignatures(3),
       rsaEncryption(4),
       revisedRsaEncryption(5),
       kerberos(6)
       }
     STATUS current
     DESCRIPTION
   "Specifies the authentication method to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  6 }

   ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the number of times the IKE phase one key can be used
   to derive an IKE phase two key. A value of zero indicates that the
   number of times an IKE phase one key may be used to derive an IKE
   phase two key is limited by the seconds and/or kilobyte
   lifetimes."
     ::= { ipSecIkeProposalEntry  7 }

   ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  8 }

   ipSecIkeProposalVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Identifies vendor-defined key exchange GroupIDs."
     ::= { ipSecIkeProposalEntry  9 }

   ipSecIkeProposalIkeDhGroup OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the Diffie-Hellman group to propose for the IKE
   association.  If the GroupID number is from the vendor-specific
   range (32768-65535), the VendorID qualifies the group number.  "
     ::= { ipSecIkeProposalEntry  10 }
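   The following Python is an added worked example, not part of this
   draft. It checks a row shaped like ipSecIkeProposalEntry against the
   SYNTAX clauses above (the cipher, hash and authentication method
   enumerations, the Unsigned32 range of the remaining attributes), the
   rule that a Diffie-Hellman GroupID from the vendor-specific range
   32768-65535 must be qualified by ipSecIkeProposalVendorId, and the
   zero-value rules of the lifetime attributes (zero seconds defaults
   to 8 hours, zero kilobytes means no kilobyte lifetime, zero
   derived-key uses means the count is bounded only by the lifetimes).
   The sample rows are constructed; the field names of the IkeProposal
   class are the example's own shorthand for the draft's attributes, and
   the draft enumerates no PRF values, so ipSecIkeProposalPrfAlgorithm
   is only range-checked.

```python
"""Added example: validate an ipSecIkeProposalEntry row against the
SYNTAX clauses and the zero-value rules of the draft.

Not part of draft-ietf-ipsp-ipsecpib; the rows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Enumerations exactly as the SYNTAX clauses list them.
CIPHER_ALGORITHMS = {1: "des-CBC", 2: "idea-CBC", 3: "blowfish-CBC",
                     4: "rc5-R16-B64-CBC", 5: "tripleDes-CBC", 6: "cast-CBC"}
HASH_ALGORITHMS = {1: "md5", 2: "sha-1", 3: "tiger"}
AUTH_METHODS = {1: "presharedKey", 2: "dssSignatures", 3: "rsaSignatures",
                4: "rsaEncryption", 5: "revisedRsaEncryption", 6: "kerberos"}
VENDOR_DH_GROUPS = range(32768, 65536)   # vendor-specific GroupID range
DEFAULT_LIFETIME_SECONDS = 8 * 3600      # zero MaxLifetimeSeconds means 8 hours
UNSIGNED32_MAX = 2 ** 32 - 1


@dataclass(frozen=True)
class IkeProposal:
    """One row of ipSecIkeProposalTable, attribute order as in the SEQUENCE."""
    prid: int
    max_lifetime_seconds: int
    max_lifetime_kilobytes: int
    cipher_algorithm: int
    hash_algorithm: int
    authentication_method: int
    lifetime_derived_keys: int
    prf_algorithm: int          # Unsigned32; the draft enumerates no PRF values
    vendor_id: bytes
    dh_group: int


def validation_errors(p: IkeProposal) -> List[str]:
    errors = []
    enums = (("ipSecIkeProposalCipherAlgorithm", p.cipher_algorithm, CIPHER_ALGORITHMS),
             ("ipSecIkeProposalHashAlgorithm", p.hash_algorithm, HASH_ALGORITHMS),
             ("ipSecIkeProposalAuthenticationMethod", p.authentication_method, AUTH_METHODS))
    for name, value, table in enums:
        if value not in table:
            errors.append(f"{name}: {value} is not an enumerated value")
    unsigned = (("ipSecIkeProposalMaxLifetimeSeconds", p.max_lifetime_seconds),
                ("ipSecIkeProposalMaxLifetimeKilobytes", p.max_lifetime_kilobytes),
                ("ipSecIkeProposalLifetimeDerivedKeys", p.lifetime_derived_keys),
                ("ipSecIkeProposalPrfAlgorithm", p.prf_algorithm),
                ("ipSecIkeProposalIkeDhGroup", p.dh_group))
    for name, value in unsigned:
        if not 0 <= value <= UNSIGNED32_MAX:
            errors.append(f"{name}: {value} outside Unsigned32")
    # A vendor-range group number is only meaningful together with the
    # VendorID that qualifies it.
    if p.dh_group in VENDOR_DH_GROUPS and not p.vendor_id:
        errors.append("ipSecIkeProposalIkeDhGroup: vendor-specific group "
                      "requires a non-empty ipSecIkeProposalVendorId")
    return errors


def effective_lifetimes(p: IkeProposal) -> Dict[str, Optional[int]]:
    """Zero-value rules: seconds default to 8 hours; zero kilobytes means
    no kilobyte lifetime; zero derived-key uses means the count is bounded
    only by the seconds/kilobyte lifetimes (None in both cases)."""
    return {"seconds": p.max_lifetime_seconds or DEFAULT_LIFETIME_SECONDS,
            "kilobytes": p.max_lifetime_kilobytes or None,
            "derived_keys": p.lifetime_derived_keys or None}


def describe(p: IkeProposal) -> str:
    """Human-readable summary of a row that passed validation."""
    group = f"dh{p.dh_group}"
    if p.dh_group in VENDOR_DH_GROUPS:
        group += f"(vendor {p.vendor_id.hex()})"
    return "/".join((CIPHER_ALGORITHMS[p.cipher_algorithm],
                     HASH_ALGORITHMS[p.hash_algorithm],
                     AUTH_METHODS[p.authentication_method], group))


# Constructed rows.
GOOD = IkeProposal(1, 0, 0, 5, 2, 3, 0, 1, b"", 2)
VENDOR_GROUP_NO_ID = IkeProposal(2, 28800, 0, 5, 2, 1, 100, 1, b"", 40000)
VENDOR_GROUP_OK = IkeProposal(3, 28800, 0, 5, 2, 1, 100, 1, b"\x00\x0c", 40000)
BAD_ENUM = IkeProposal(4, 0, 0, 9, 2, 1, 0, 1, b"", 2)

if __name__ == "__main__":
    for row in (GOOD, VENDOR_GROUP_NO_ID, VENDOR_GROUP_OK, BAD_ENUM):
        print(row.prid, validation_errors(row) or describe(row))
```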

   --
   --
   -- The ipSecIkeEndpointTable
   --

   ipSecIkeEndpointTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeEndpointEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the peer endpoints with which this PEP establishes IKE
   associations according to ipSecIkeEndpointStartupCondition."
     ::= { ipSecIkeAssociation  5 }

   ipSecIkeEndpointEntry OBJECT-TYPE
     SYNTAX IpSecIkeEndpointEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecIkeEndpointPrid }
     UNIQUENESS {
       ipSecIkeEndpointIdentityType,
       ipSecIkeEndpointIdentity,
       ipSecIkeEndpointAddressType,
       ipSecIkeEndpointAddress,
       ipSecIkeEndpointPeerCredentialId,
       ipSecIkeEndpointStartupCondition,
       ipSecIkeEndpointIsOriginator,
       ipSecIkeEndpointGroupId
       }
     ::= { ipSecIkeEndpointTable 1 }

     IpSecIkeEndpointEntry ::= SEQUENCE {
        ipSecIkeEndpointPrid InstanceId,
        ipSecIkeEndpointIdentityType INTEGER,
        ipSecIkeEndpointIdentity OCTET STRING,
        ipSecIkeEndpointAddressType INTEGER,
        ipSecIkeEndpointAddress OCTET STRING,
        ipSecIkeEndpointPeerCredentialId TagReferenceId,
        ipSecIkeEndpointStartupCondition BITS,
        ipSecIkeEndpointIsOriginator TruthValue,
        ipSecIkeEndpointGroupId TagId
   }

   ipSecIkeEndpointPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecIkeEndpointEntry  1 }

   ipSecIkeEndpointIdentityType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the type of identity that MUST be provided by the peer
   in the ID payload during IKE phase one negotiation."
     ::= { ipSecIkeEndpointEntry  2 }

   ipSecIkeEndpointIdentity OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the identity to be matched with the ID payload provided
   by the peer during IKE phase one negotiation."
     ::= { ipSecIkeEndpointEntry  3 }

   ipSecIkeEndpointAddressType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4(1),
       ipV6(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IKE peer endpoint address type. This controls the
   length of the OCTET STRING ipSecIkeEndpointAddress. IPv4
   addresses (1) are octet strings of length 4. IPv6 addresses (2)
   are octet strings of length 16."
     ::= { ipSecIkeEndpointEntry  4 }

   ipSecIkeEndpointAddress OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies an endpoint address with which this PEP establishes IKE
   associations."
     ::= { ipSecIkeEndpointEntry  5 }

   ipSecIkeEndpointPeerCredentialId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecPeerCredentialGroupId
     STATUS current
     DESCRIPTION
   "An integer that identifies a group of credentials. The credentials
   specified in ipSecPeerCredentialTable whose
   ipSecPeerCredentialGroupId matches this attribute are included in
   this group. Any one of the credentials in the group is acceptable
   as the IKE peer credential.

   If no credentials are used, this attribute MUST be zero."
     ::= { ipSecIkeEndpointEntry  6 }

   ipSecIkeEndpointStartupCondition OBJECT-TYPE
     SYNTAX BITS {
       onBoot(1),
       onTraffic(2),
       onPolicy(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the triggering event that causes the referenced IKE
   rule to be applied. OnBoot (1) means that the rule is triggered
   after system boot. OnTraffic (2) means that the rule is triggered
   when packets without associated security associations are sent or
   received. OnPolicy (3) means that the rule is triggered when it
   becomes valid as specified by ipSecRuleTimePeriodGroupTable."
     ::= { ipSecIkeEndpointEntry  7 }

   ipSecIkeEndpointIsOriginator OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If this attribute is true, when IKE associations need to be set
   up, this PEP SHALL initiate the establishment. Otherwise, it SHALL
   wait for the other end to initiate the setup."
     ::= { ipSecIkeEndpointEntry  8 }

   ipSecIkeEndpointGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this IKE endpoint belongs to."
     ::= { ipSecIkeEndpointEntry  9 }

   --
   --
   -- The ipSecPeerCredentialTable
   --

   ipSecPeerCredentialTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecPeerCredentialEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the groups of credentials. Credentials in a group
   are ORed.  Any one of the credentials in a group is acceptable as
   the IKE peer endpoint credential."
     ::= { ipSecIkeAssociation  6 }

   ipSecPeerCredentialEntry OBJECT-TYPE
     SYNTAX IpSecPeerCredentialEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecPeerCredentialPrid }
     UNIQUENESS {
       ipSecPeerCredentialCredentialType,
       ipSecPeerCredentialFieldsGroupId,
       ipSecPeerCredentialGroupId
       }
     ::= { ipSecPeerCredentialTable 1 }

     IpSecPeerCredentialEntry ::= SEQUENCE {
        ipSecPeerCredentialPrid InstanceId,
        ipSecPeerCredentialCredentialType INTEGER,
        ipSecPeerCredentialFieldsGroupId TagReferenceId,
        ipSecPeerCredentialGroupId TagId
   }

   ipSecPeerCredentialPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecPeerCredentialEntry  1 }

   ipSecPeerCredentialCredentialType OBJECT-TYPE
     SYNTAX INTEGER {
       certificateX.509(1),
       kerberos-ticket(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the type of credential to be matched."
     ::= { ipSecPeerCredentialEntry  2 }

   ipSecPeerCredentialFieldsGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    ipSecCredentialFieldsGroupId
     STATUS current
     DESCRIPTION
   "An integer that identifies a group of matching criteria to be
   used for this peer credential. The criteria specified in the
   ipSecCredentialFieldsTable whose ipSecCredentialFieldsGroupId
   matches this attribute are the criteria to be used. The identified
   criteria are ANDed."
     ::= { ipSecPeerCredentialEntry  3 }

   ipSecPeerCredentialGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this credential belongs to. Credentials in a
   group are ORed.  Any one of the credentials in a group is
   acceptable as the IKE peer credential."
     ::= { ipSecPeerCredentialEntry  4 }

   --
   --
   -- The ipSecCredentialFieldsTable
   --

   ipSecCredentialFieldsTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the sub-fields and their values to be matched against
   peer credentials obtained during IKE phase one negotiation. All
   criteria within a group are ANDed."
     ::= { ipSecIkeAssociation  7 }

   ipSecCredentialFieldsEntry OBJECT-TYPE
     SYNTAX IpSecCredentialFieldsEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecCredentialFieldsPrid }
     UNIQUENESS {
       ipSecCredentialFieldsName,
       ipSecCredentialFieldsValue,
       ipSecCredentialFieldsGroupId
       }
     ::= { ipSecCredentialFieldsTable 1 }

     IpSecCredentialFieldsEntry ::= SEQUENCE {
        ipSecCredentialFieldsPrid InstanceId,
        ipSecCredentialFieldsName OCTET STRING,
        ipSecCredentialFieldsValue OCTET STRING,
        ipSecCredentialFieldsGroupId TagId
   }

   ipSecCredentialFieldsPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecCredentialFieldsEntry  1 }

   ipSecCredentialFieldsName OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the sub-field of the credential to match with."
     ::= { ipSecCredentialFieldsEntry  2 }

   ipSecCredentialFieldsValue OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the value to match with the ipSecCredentialFieldsName
   in a credential."
     ::= { ipSecCredentialFieldsEntry  3 }

   ipSecCredentialFieldsGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this criterion belongs to. All criteria within
   a group are ANDed."
     ::= { ipSecCredentialFieldsEntry  4 }
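
   The three classes above (ipSecIkeEndpointTable, ipSecPeerCredentialTable
   and ipSecCredentialFieldsTable) chain together by tag: an endpoint's
   ipSecIkeEndpointPeerCredentialId names a group of credentials that are
   ORed, and each credential's ipSecPeerCredentialFieldsGroupId names a
   group of sub-field criteria that are ANDed. The following Python is an
   added illustration of that evaluation, not code from the draft; the row
   classes, the sample rows, the 192.0.2.1 peer address and the presented
   credential are all constructed for the example, and the sub-field names
   (CN, O, principal) are assumed, since the draft does not enumerate them.
   It also applies the ipSecIkeEndpointAddressType rule that fixes the
   octet-string length of ipSecIkeEndpointAddress.

```python
"""Peer-credential matching for the ipSecIkeEndpointTable,
ipSecPeerCredentialTable and ipSecCredentialFieldsTable classes.

Added illustration, not code from the draft.  Rows are dataclasses named
after the draft's attributes; sample rows and the presented credential are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Enumerations taken from the draft's SYNTAX clauses.
IPV4, IPV6 = 1, 2                          # ipSecIkeEndpointAddressType
CERTIFICATE_X509, KERBEROS_TICKET = 1, 2   # ipSecPeerCredentialCredentialType


@dataclass(frozen=True)
class Endpoint:                 # one ipSecIkeEndpointEntry row
    prid: int
    address_type: int
    address: bytes
    peer_credential_id: int     # TagReferenceId -> ipSecPeerCredentialGroupId; 0 = none


@dataclass(frozen=True)
class PeerCredential:           # one ipSecPeerCredentialEntry row
    prid: int
    credential_type: int
    fields_group_id: int        # TagReferenceId -> ipSecCredentialFieldsGroupId
    group_id: int               # TagId


@dataclass(frozen=True)
class CredentialField:          # one ipSecCredentialFieldsEntry row
    prid: int
    name: bytes
    value: bytes
    group_id: int               # TagId


@dataclass(frozen=True)
class PresentedCredential:      # what the peer offered in phase one (constructed)
    credential_type: int
    fields: Dict[bytes, bytes]


def endpoint_address_is_valid(ep: Endpoint) -> bool:
    """ipSecIkeEndpointAddressType fixes the length of ipSecIkeEndpointAddress:
    4 octets for ipV4(1), 16 octets for ipV6(2)."""
    expected = {IPV4: 4, IPV6: 16}.get(ep.address_type)
    return expected is not None and len(ep.address) == expected


def field_group_matches(fields: List[CredentialField], group_id: int,
                        presented: PresentedCredential) -> bool:
    """All ipSecCredentialFieldsEntry rows sharing a GroupId are ANDed:
    every (name, value) criterion must be present in the presented credential."""
    criteria = [f for f in fields if f.group_id == group_id]
    return all(presented.fields.get(f.name) == f.value for f in criteria)


def peer_credential_acceptable(ep: Endpoint, creds: List[PeerCredential],
                               fields: List[CredentialField],
                               presented: Optional[PresentedCredential]) -> bool:
    """Credentials in the group named by ipSecIkeEndpointPeerCredentialId are
    ORed: any one whose type matches and whose field group is satisfied is
    acceptable as the IKE peer credential."""
    if ep.peer_credential_id == 0:
        # "If no credentials are used, this attribute MUST be zero":
        # no credential requirement applies to this endpoint.
        return True
    if presented is None:
        return False
    group = [c for c in creds if c.group_id == ep.peer_credential_id]
    return any(c.credential_type == presented.credential_type
               and field_group_matches(fields, c.fields_group_id, presented)
               for c in group)


def sample_pib() -> Tuple[Endpoint, List[PeerCredential], List[CredentialField]]:
    """Constructed rows: the peer may present either an X.509 certificate with
    a given CN and O, or a Kerberos ticket for a given principal."""
    endpoint = Endpoint(prid=1, address_type=IPV4,
                        address=bytes([192, 0, 2, 1]),   # 192.0.2.1 (documentation range)
                        peer_credential_id=100)
    creds = [
        PeerCredential(prid=1, credential_type=CERTIFICATE_X509, fields_group_id=10, group_id=100),
        PeerCredential(prid=2, credential_type=KERBEROS_TICKET, fields_group_id=11, group_id=100),
    ]
    fields = [
        CredentialField(prid=1, name=b"CN", value=b"vpn-gw.example.net", group_id=10),
        CredentialField(prid=2, name=b"O", value=b"Example Corp", group_id=10),
        CredentialField(prid=3, name=b"principal", value=b"gw@EXAMPLE.NET", group_id=11),
    ]
    return endpoint, creds, fields


if __name__ == "__main__":
    ep, creds, fields = sample_pib()
    cert = PresentedCredential(CERTIFICATE_X509,
                               {b"CN": b"vpn-gw.example.net", b"O": b"Example Corp"})
    print(endpoint_address_is_valid(ep), peer_credential_acceptable(ep, creds, fields, cert))
```

   A certificate carrying only the CN fails, because both criteria in
   field group 10 are ANDed, while a Kerberos ticket for the named
   principal succeeds through the second member of credential group 100.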

   --
   --
   -- The ipSecEspTransformSetTable
   --

   ipSecEspTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies ESP transform sets. Within a transform set, the choices
   are ORed with preference order."
     ::= { ipSecEspTransform  1 }

   ipSecEspTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecEspTransformSetPrid }
     UNIQUENESS {
       ipSecEspTransformSetTransformSetId,
       ipSecEspTransformSetTransformId,
       ipSecEspTransformSetOrder
       }
     ::= { ipSecEspTransformSetTable 1 }

     IpSecEspTransformSetEntry ::= SEQUENCE {
        ipSecEspTransformSetPrid InstanceId,
        ipSecEspTransformSetTransformSetId TagId,
        ipSecEspTransformSetTransformId ReferenceId,
        ipSecEspTransformSetOrder Unsigned32
   }

   ipSecEspTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecEspTransformSetEntry  1 }

   ipSecEspTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that identifies a set of ESP transforms"
     ::= { ipSecEspTransformSetEntry  2 }

   ipSecEspTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecEspTransformTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an ESP transform, specified by
   ipSecEspTransformPrid in ipSecEspTransformTable, that is included
   in this set."
     ::= { ipSecEspTransformSetEntry  3 }

   ipSecEspTransformSetOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecEspTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecEspTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A given precedence order is positioned
   before one with a higher-valued precedence order."
     ::= { ipSecEspTransformSetEntry  4 }

   --
   --
   -- The ipSecEspTransformTable
   --

   ipSecEspTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies ESP transforms."
     ::= { ipSecEspTransform  2 }

   ipSecEspTransformEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecEspTransformPrid }
     UNIQUENESS {
       ipSecEspTransformIntegrityTransformId,
       ipSecEspTransformCipherTransformId,
       ipSecEspTransformCipherKeyRounds,
       ipSecEspTransformCipherKeyLength
       }
     ::= { ipSecEspTransformTable 1 }

     IpSecEspTransformEntry ::= SEQUENCE {
        ipSecEspTransformPrid InstanceId,
        ipSecEspTransformIntegrityTransformId INTEGER,
        ipSecEspTransformCipherTransformId INTEGER,
        ipSecEspTransformCipherKeyRounds Unsigned32,
        ipSecEspTransformCipherKeyLength Unsigned32
   }

   ipSecEspTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecEspTransformEntry  1 }

   ipSecEspTransformIntegrityTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       none(0),
       hmacMd5(1),
       hmacSha(2),
       desMac(3),
       kpdk(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the ESP integrity algorithm to propose."
     ::= { ipSecEspTransformEntry  2 }

   ipSecEspTransformCipherTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       desIV64(1),
       des(2),
       tripleDES(3),
       rc5(4),
       idea(5),
       cast(6),
       blowfish(7),
       tripleIDEA(8),
       desIV32(9),
       rc4(10),
       null(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the ESP cipher/encryption algorithm to propose."
     ::= { ipSecEspTransformEntry  3 }

   ipSecEspTransformCipherKeyRounds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the number of key rounds for the ESP cipher algorithm
   specified by the attribute ipSecEspTransformCipherTransformId."
     ::= { ipSecEspTransformEntry  4 }

   ipSecEspTransformCipherKeyLength OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the length of the ESP cipher key in bits."
     ::= { ipSecEspTransformEntry  5 }

   --
   --
   -- The ipSecAhTransformSetTable
   --

   ipSecAhTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies AH transform sets. Within a transform set, the choices
   are ORed with preference order."
     ::= { ipSecAhTransform  1 }

   ipSecAhTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecAhTransformSetPrid }
     UNIQUENESS {
       ipSecAhTransformSetTransformSetId,
       ipSecAhTransformSetTransformId,
       ipSecAhTransformSetOrder
       }
     ::= { ipSecAhTransformSetTable 1 }

     IpSecAhTransformSetEntry ::= SEQUENCE {
        ipSecAhTransformSetPrid InstanceId,
        ipSecAhTransformSetTransformSetId TagId,
        ipSecAhTransformSetTransformId ReferenceId,
        ipSecAhTransformSetOrder Unsigned32
   }

   ipSecAhTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecAhTransformSetEntry  1 }

   ipSecAhTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that identifies an AH transform set."
     ::= { ipSecAhTransformSetEntry  2 }

   ipSecAhTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecAhTransformTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an AH transform, as specified by
   ipSecAhTransform in ipSecAhTransformTable, that is included in
   this set."
     ::= { ipSecAhTransformSetEntry  3 }

   ipSecAhTransformSetOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecAhTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecAhTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A given precedence order is positioned
   before one with a higher-valued precedence order."
     ::= { ipSecAhTransformSetEntry  4 }

   --
   --
   -- The ipSecAhTransformTable
   --

   ipSecAhTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies AH transforms."
     ::= { ipSecAhTransform  2 }

   ipSecAhTransformEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecAhTransformPrid }
     UNIQUENESS {
       ipSecAhTransformTransformId
       }
     ::= { ipSecAhTransformTable 1 }

     IpSecAhTransformEntry ::= SEQUENCE {
        ipSecAhTransformPrid InstanceId,
        ipSecAhTransformTransformId INTEGER
   }

   ipSecAhTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class."
     ::= { ipSecAhTransformEntry  1 }

   ipSecAhTransformTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       md5(2),
       sha-1(3),
       des(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the AH hash algorithm to propose."
     ::= { ipSecAhTransformEntry  2 }

   --
   --
   -- The ipSecCompTransformSetTable
   --

   ipSecCompTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPComp transform sets. Within a transform set, the
   choices are ORed with preference order."
     ::= { ipSecCompTransform  1 }

   ipSecCompTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecCompTransformSetPrid }
     UNIQUENESS {
       ipSecCompTransformSetTransformSetId,
       ipSecCompTransformSetTransformId,
       ipSecCompTransformSetOrder
       }
     ::= { ipSecCompTransformSetTable 1 }

     IpSecCompTransformSetEntry ::= SEQUENCE {
        ipSecCompTransformSetPrid InstanceId,
        ipSecCompTransformSetTransformSetId TagId,
        ipSecCompTransformSetTransformId ReferenceId,
        ipSecCompTransformSetOrder Unsigned32
   }

   ipSecCompTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecCompTransformSetEntry  1 }

   ipSecCompTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPComp transform set"
     ::= { ipSecCompTransformSetEntry  2 }

   ipSecCompTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    ipSecCompTransformTable
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPComp Transform, specified by
   ipSecCompTransformPrid in ipSecCompTransformTable, that is
   included in this set."
     ::= { ipSecCompTransformSetEntry  3 }

   ipSecCompTransformSetOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecCompTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecCompTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A given precedence order is positioned
   before one with a higher-valued precedence order."
     ::= { ipSecCompTransformSetEntry  4 }
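
   The ESP, AH and IPComp transform-set classes above all follow one
   pattern: a *SetEntry row ties a TransformSetId to a ReferenceId into the
   corresponding transform table plus an Order value, members of a set are
   ORed, and a lower Order is positioned before a higher one. The following
   Python is an added illustration of resolving such a set into the ordered
   list of alternatives it proposes; it is not code from the draft. Rows are
   dicts keyed by the draft's attribute names, the ESP sample rows (including
   one deliberately dangling reference) are constructed, and the generic
   helper is parameterised by key name so the same logic serves the AH and
   IPComp sets.

```python
"""Resolving a transform set (ESP, AH or IPComp) into the ordered list of
transforms it proposes, following the *TransformSetTable pattern.

Added illustration, not code from the draft.  Rows are dicts keyed by the
draft's attribute names; the sample rows are constructed.
"""
from typing import Dict, List, Sequence, Tuple

Row = Dict[str, int]

# ipSecEspTransformIntegrityTransformId / ipSecEspTransformCipherTransformId values
HMAC_MD5, HMAC_SHA = 1, 2
DES, TRIPLE_DES, NULL_CIPHER = 2, 3, 11


class PibReferenceError(ValueError):
    """A ReferenceId names a Prid that is not installed in the referenced table."""


def ordered_members(set_rows: Sequence[Row], target_rows: Sequence[Row], set_id: int,
                    *, set_key: str, ref_key: str, order_key: str, prid_key: str) -> List[Row]:
    """Members of one set, most preferred first.

    set_rows    - the *SetEntry rows; those whose set_key equals set_id form the set
    target_rows - the referenced *Entry rows, identified by prid_key
    Members are ORed with preference order: a lower order_key value is
    positioned before a higher one (ties broken by the referenced Prid so the
    result is deterministic).  A reference that does not resolve is an error.
    """
    by_prid = {t[prid_key]: t for t in target_rows}
    members = [r for r in set_rows if r[set_key] == set_id]
    for r in members:
        if r[ref_key] not in by_prid:
            raise PibReferenceError(f"{ref_key}={r[ref_key]} in set {set_id} "
                                    f"matches no {prid_key}")
    members.sort(key=lambda r: (r[order_key], r[ref_key]))
    return [by_prid[r[ref_key]] for r in members]


def dangling_references(set_rows: Sequence[Row], target_rows: Sequence[Row],
                        *, set_key: str, ref_key: str, prid_key: str) -> List[Tuple[int, int]]:
    """(set id, ReferenceId) for every set row whose reference does not resolve;
    a PDP should refuse to install such rows rather than send an empty proposal."""
    installed = {t[prid_key] for t in target_rows}
    return sorted((r[set_key], r[ref_key]) for r in set_rows if r[ref_key] not in installed)


def ordered_esp_transforms(set_rows: Sequence[Row], transform_rows: Sequence[Row],
                           set_id: int) -> List[Row]:
    """The ESP instance of the pattern; AH and IPComp differ only in key names."""
    return ordered_members(set_rows, transform_rows, set_id,
                           set_key="ipSecEspTransformSetTransformSetId",
                           ref_key="ipSecEspTransformSetTransformId",
                           order_key="ipSecEspTransformSetOrder",
                           prid_key="ipSecEspTransformPrid")


def sample_esp_tables() -> Tuple[List[Row], List[Row]]:
    """Constructed rows: three ESP transforms and one set (5) that prefers
    3DES/HMAC-SHA, then DES/HMAC-MD5, then NULL/HMAC-SHA.  Set 6 references a
    transform Prid (9) that is not installed, to show the referential check."""
    transforms = [
        {"ipSecEspTransformPrid": 1, "ipSecEspTransformIntegrityTransformId": HMAC_SHA,
         "ipSecEspTransformCipherTransformId": TRIPLE_DES,
         "ipSecEspTransformCipherKeyRounds": 0, "ipSecEspTransformCipherKeyLength": 192},
        {"ipSecEspTransformPrid": 2, "ipSecEspTransformIntegrityTransformId": HMAC_MD5,
         "ipSecEspTransformCipherTransformId": DES,
         "ipSecEspTransformCipherKeyRounds": 0, "ipSecEspTransformCipherKeyLength": 64},
        {"ipSecEspTransformPrid": 3, "ipSecEspTransformIntegrityTransformId": HMAC_SHA,
         "ipSecEspTransformCipherTransformId": NULL_CIPHER,
         "ipSecEspTransformCipherKeyRounds": 0, "ipSecEspTransformCipherKeyLength": 0},
    ]
    sets = [
        {"ipSecEspTransformSetPrid": 1, "ipSecEspTransformSetTransformSetId": 5,
         "ipSecEspTransformSetTransformId": 2, "ipSecEspTransformSetOrder": 20},
        {"ipSecEspTransformSetPrid": 2, "ipSecEspTransformSetTransformSetId": 5,
         "ipSecEspTransformSetTransformId": 1, "ipSecEspTransformSetOrder": 10},
        {"ipSecEspTransformSetPrid": 3, "ipSecEspTransformSetTransformSetId": 5,
         "ipSecEspTransformSetTransformId": 3, "ipSecEspTransformSetOrder": 30},
        {"ipSecEspTransformSetPrid": 4, "ipSecEspTransformSetTransformSetId": 6,
         "ipSecEspTransformSetTransformId": 9, "ipSecEspTransformSetOrder": 10},
    ]
    return sets, transforms


if __name__ == "__main__":
    sets, transforms = sample_esp_tables()
    for t in ordered_esp_transforms(sets, transforms, 5):
        print(t["ipSecEspTransformPrid"], t["ipSecEspTransformCipherTransformId"])
```

   Note that the UNIQUENESS clause only forbids duplicate (SetId,
   TransformId, Order) triples, so two members of a set may legitimately
   carry the same Order; the tie-break on the referenced Prid keeps the
   proposal order stable in that case.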

   --
   --
   -- The ipSecCompTransformTable
   --

   ipSecCompTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPComp transforms."
     ::= { ipSecCompTransform  2 }

   ipSecCompTransformEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecCompTransformPrid }
     UNIQUENESS {
       ipSecCompTransformAlgorithm,
       ipSecCompTransformDictionarySize,
       ipSecCompTransformPrivateAlgorithm
       }
     ::= { ipSecCompTransformTable 1 }

     IpSecCompTransformEntry ::= SEQUENCE {
        ipSecCompTransformPrid InstanceId,
        ipSecCompTransformAlgorithm INTEGER,
        ipSecCompTransformDictionarySize Unsigned32,
        ipSecCompTransformPrivateAlgorithm Unsigned32
   }

   ipSecCompTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecCompTransformEntry  1 }

   ipSecCompTransformAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       oui(1),
       deflate(2),
       lzs(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPComp compression algorithm to propose."
     ::= { ipSecCompTransformEntry  2 }

   ipSecCompTransformDictionarySize OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the log2 maximum size of the dictionary."
     ::= { ipSecCompTransformEntry  3 }

   ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies a specific vendor algorithm that will be used."
     ::= { ipSecCompTransformEntry  4 }

   --
   --
   -- The ipSecRuleTimePeriodTable
   --

   ipSecRuleTimePeriodTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the time periods during which a policy rule is valid.
   The values of the first five attributes in a row are ANDed
   together to determine the validity period(s). If any of the five
   attributes is not present, it is treated as having value always
   enabled."
     ::= { ipSecPolicyTimePeriod  1 }

   ipSecRuleTimePeriodEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecRuleTimePeriodPrid }
     UNIQUENESS {
       ipSecRuleTimePeriodTimePeriod,
       ipSecRuleTimePeriodMonthOfYearMask,
       ipSecRuleTimePeriodDayOfMonthMask,
       ipSecRuleTimePeriodDayOfWeekMask,
       ipSecRuleTimePeriodTimeOfDayMask,
       ipSecRuleTimePeriodLocalOrUtcTime
       }
     ::= { ipSecRuleTimePeriodTable 1 }

     IpSecRuleTimePeriodEntry ::= SEQUENCE {
        ipSecRuleTimePeriodPrid InstanceId,
        ipSecRuleTimePeriodTimePeriod OCTET STRING,
        ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
        ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
        ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
        ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
        ipSecRuleTimePeriodLocalOrUtcTime INTEGER
   }

   ipSecRuleTimePeriodPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodEntry  1 }

   ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that identifies an overall range of calendar
   dates and times over which a policy rule is valid.  It reuses the
   format for an explicit time period defined in RFC 2445 : a string
   representing a starting date and time, in which the character 'T'
   indicates the beginning of the time portion, followed by the
   solidus character '/', followed by a similar string representing
   an end date and time.  The first date indicates the beginning of
   the range, while the second date indicates the end.  Thus, the
   second date and time must be later than the first.  Date/times are
   expressed as substrings of the form yyyymmddThhmmss.

   There are also two special cases:

   -  If the first date/time is replaced with the string
   THISANDPRIOR,  then the property indicates that a policy rule is
   valid [from now] until the date/time that appears after the '/'.

   - If the second date/time is replaced with the string
   THISANDFUTURE, then the property indicates that a policy rule
   becomes valid on the date/time that appears before the '/', and
   remains valid from that point on.
   "
     ::= { ipSecRuleTimePeriodEntry  2 }

   ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which months the policy is valid
   for.  The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000006 for this
   property;

   - a 2-octet field consisting of 12 bits identifying the 12 months
   of the year, beginning with January and ending with December,
   followed by 4 bits that are always set to '0'.  For each month,
   the value '1' indicates that the policy is valid for that month,
   and the value '0' indicates that it is not valid.

   If this property is omitted, then the policy rule is treated as
   valid for all twelve months."
     ::= { ipSecRuleTimePeriodEntry  3 }

   ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which days of the month the policy
   is valid for. The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire octet
   string; this field is always set to 0x0000000C for this property;

   - an 8-octet field consisting of 31 bits identifying the days of
   the month counting from the beginning, followed by 31 more bits
   identifying the days of the month counting from the end, followed
   by 2 bits that are always set to '0'.  For each day, the value '1'
   indicates that the policy is valid for that day, and the value '0'
   indicates that it is not valid.

   For months with fewer than 31 days, the digits corresponding to
   days that the months do not have (counting in both directions) are
   ignored.
   "
     ::= { ipSecRuleTimePeriodEntry  4 }

   ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which days of the week the policy
   is valid for. The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000005 for this
   property;

   - a 1-octet field consisting of 7 bits identifying the 7 days of
   the week, beginning with Sunday and ending with Saturday, followed
   by 1 bit that is always set to '0'.  For each day of the week, the
   value '1' indicates that the policy is valid for that day, and the
   value '0' indicates that it is not valid."
     ::= { ipSecRuleTimePeriodEntry  5 }

   ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies a range of times in a day the
   policy is valid for. It is formatted as follows:

   A  time  string beginning with the character 'T', followed by the
   solidus character '/', followed by a second time string.  The
   first time indicates the beginning of the range, while the second
   time indicates the end.  Times are expressed as substrings of the
   form Thhmmss.

   The second substring always identifies a later time than the first
   substring.  To allow for ranges that span midnight, however, the
   value of the second string may be smaller than the value of the
   first substring.  Thus, T080000/T210000 identifies the range from
   0800 until 2100, while T210000/T080000 identifies the range from
   2100 until 0800 of the following day."
     ::= { ipSecRuleTimePeriodEntry  6 }

   ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
     SYNTAX INTEGER {
       localTime(1),
       utcTime(2)
       }
     STATUS current
     DESCRIPTION
   "This property indicates whether the times represented in this
   table represent local times or UTC times.  There is no provision
   for mixing of local times and UTC times:  the value of this
   property applies to all of the other time-related properties."
     ::= { ipSecRuleTimePeriodEntry  7 }

   --
   --
   -- The ipSecRuleTimePeriodSetTable
   --

   ipSecRuleTimePeriodSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies multiple time period sets. The ipSecRuleTimePeriodTable
   can specify only a single time period within a day. This table
   enables the specification of multiple time periods within a day by
   grouping them into one set."
     ::= { ipSecPolicyTimePeriod  2 }

   ipSecRuleTimePeriodSetEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class."
     PIB-INDEX { ipSecRuleTimePeriodSetPrid }
     UNIQUENESS {
       ipSecRuleTimePeriodSetRuleTimePeriodSetId,
       ipSecRuleTimePeriodSetRuleTimePeriodId
       }
     ::= { ipSecRuleTimePeriodSetTable 1 }

     IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
        ipSecRuleTimePeriodSetPrid InstanceId,
        ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
        ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
   }

   ipSecRuleTimePeriodSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodSetEntry  1 }

   ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that uniquely identifies an ipSecRuleTimePeriod set."
     ::= { ipSecRuleTimePeriodSetEntry  2 }

   ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES ipSecRuleTimePeriod
     STATUS current
     DESCRIPTION
   "An integer that identifies an ipSecRuleTimePeriod, specified by
   ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
   included in this set."
     ::= { ipSecRuleTimePeriodSetEntry  3 }

   --
   --
   -- Conformance Section
   --

   ipSecPolicyPibConformanceCompliances
       OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }

   ipSecPolicyPibConformanceGroups
       OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }

   ipSecPibCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
   "Compliance statement"
       MODULE -- this module
       MANDATORY-GROUPS {
           ipSecAddressGroup,
           ipSecL4PortGroup,
           ipSecSelectorGroup,
           ipSecRuleGroup,
           ipSecActionGroup,
           ipSecAssociationGroup,
           ipSecProposalSetGroup,
           ipSecProposalGroup,
           ipSecIkeAssociationGroup,
           ipSecIkeRuleGroup,
           ipSecIkeProposalSetGroup,
           ipSecIkeProposalGroup,
           ipSecIkeEndpointGroup,
           ipSecPeerCredentialGroup,
           ipSecCredentialFieldsGroup,
           ipSecEspTransformSetGroup,
           ipSecEspTransformGroup,
           ipSecAhTransformSetGroup,
           ipSecAhTransformGroup,
           ipSecCompTransformSetGroup,
           ipSecCompTransformGroup
           }

       GROUP ipSecRuleTimePeriodGroup
           DESCRIPTION
   "The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is
   supported."
       GROUP ipSecRuleTimePeriodSetGroup
           DESCRIPTION
   "The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling
   is supported."
       ::= { ipSecPolicyPibConformanceCompliances 1 }

   ipSecAddressGroup OBJECT-GROUP
       OBJECTS {
           AddressType,
           AddrMask,
           AddrMin,
           AddrMax,
           GroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecAddressTable."
       ::= { ipSecPolicyPibConformanceGroups  1 }
   ipSecL4PortGroup OBJECT-GROUP
       OBJECTS {
           PortMin,
           PortMax,
           GroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecL4PortTable."
       ::= { ipSecPolicyPibConformanceGroups  2 }
   ipSecSelectorGroup OBJECT-GROUP
       OBJECTS {
           SrcAddressGroupId,
           SrcPortGroupId,
           DstAddressGroupId,
           DstPortGroupId,
           Protocol,
           Granularity,
           Order,
           StartupCondition,
           IsOriginator,
           GroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecSelectorTable."
       ::= { ipSecPolicyPibConformanceGroups  3 }
   ipSecRuleGroup OBJECT-GROUP
       OBJECTS {
           Roles,
           Direction,
           IpSecSelectorGroupId,
           IpSecActionGroupId,
           IpSecRuleTimePeriodGroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecRuleTable."
       ::= { ipSecPolicyPibConformanceGroups  4 }
   ipSecActionGroup OBJECT-GROUP
       OBJECTS {
           Action,
           TunnelEndpointId,
           DfHandling,
           DoLogging,
           IpSecSecurityAssociationId,
           ActionGroupId,
           Order,
           IkeRuleId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecActionTable."
       ::= { ipSecPolicyPibConformanceGroups  5 }

   ipSecAssociationGroup OBJECT-GROUP
       OBJECTS {
           RefreshThresholdSeconds,
           RefreshThresholdKilobytes,
           MinLifetimeSeconds,
           MinLifetimeKilobytes,
           TrafficIdleTime,
           UsePfs,
           VendorId,
           UseIkeGroup,
           DhGroup,
           ProposalSetId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecSecurityAssociationTable."
       ::= { ipSecPolicyPibConformanceGroups  6 }
   ipSecProposalSetGroup OBJECT-GROUP
       OBJECTS {
           ProposalSetId,
           ProposalId,
           Order
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecProposalSetTable."
       ::= { ipSecPolicyPibConformanceGroups  7 }
   ipSecProposalGroup OBJECT-GROUP
       OBJECTS {
           LifetimeKilobytes,
           LifetimeSeconds,
           VendorId,
           EspTransformSetId,
           AhTransformSetId,
           CompTransformSetId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecProposalTable."
       ::= { ipSecPolicyPibConformanceGroups  8 }
   ipSecIkeAssociationGroup OBJECT-GROUP
       OBJECTS {
           RefreshThresholdSeconds,
           RefreshThresholdKilobytes,
           MinLifetimeSeconds,
           MinLifetimeKilobytes,
           TrafficIdleTime,
           ExchangeMode,
           UseIkeIdentityType,
           RefreshThresholdDerivedKeys,
           IKEProposalSetId
          }
       STATUS current

       DESCRIPTION
   "    Objects from the ipSecIkeAssociationTable."
       ::= { ipSecPolicyPibConformanceGroups  9 }
   ipSecIkeRuleGroup OBJECT-GROUP
       OBJECTS {
           Roles,
           IkeAssociationId,
           IpSecRuleTimePeriodGroupId,
           IkeEndpointGroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecIkeRuleTable."
       ::= { ipSecPolicyPibConformanceGroups  10 }
   ipSecIkeProposalSetGroup OBJECT-GROUP
       OBJECTS {
           ProposalSetId,
           ProposalId,
           Order
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecIkeProposalSetTable."
       ::= { ipSecPolicyPibConformanceGroups  11 }
   ipSecIkeProposalGroup OBJECT-GROUP
       OBJECTS {
           MaxLifetimeSeconds,
           MaxLifetimeKilobytes,
           CipherAlgorithm,
           HashAlgorithm,
           AuthenticationMethod,
           LifetimeDerivedKeys,
           PrfAlgorithm,
           VendorId,
           IkeDhGroup
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecIkeProposalTable."
       ::= { ipSecPolicyPibConformanceGroups  12 }
   ipSecIkeEndpointGroup OBJECT-GROUP
       OBJECTS {
           UseIkeIdentityType,
           IkeIdentityId,
           EndpointId,
           IdentityType,
           Identity,
           AddressType,
           Address,
           PeerCredentialId,
           StartupCondition,
           IsOriginator,
           GroupId
          }
       STATUS current
       DESCRIPTION

   "    Objects from the ipSecIkeEndpointTable."
       ::= { ipSecPolicyPibConformanceGroups  13 }
   ipSecPeerCredentialGroup OBJECT-GROUP
       OBJECTS {
           CredentialType,
           FieldsGroupId,
           GroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecPeerCredentialTable."
       ::= { ipSecPolicyPibConformanceGroups  14 }
   ipSecCredentialFieldsGroup OBJECT-GROUP
       OBJECTS {
           Name,
           Value,
           GroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecCredentialFieldsTable."
       ::= { ipSecPolicyPibConformanceGroups  15 }
   ipSecEspTransformSetGroup OBJECT-GROUP
       OBJECTS {
           TransformSetId,
           TransformId,
           Order
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecEspTransformSetTable."
       ::= { ipSecPolicyPibConformanceGroups  16 }
   ipSecEspTransformGroup OBJECT-GROUP
       OBJECTS {
           IntegrityTransformId,
           CipherTransformId,
           CipherKeyRounds,
           CipherKeyLength
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecEspTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  17 }
   ipSecAhTransformSetGroup OBJECT-GROUP
       OBJECTS {
           TransformSetId,
           TransformId,
           Order
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecAhTransformSetTable."
       ::= { ipSecPolicyPibConformanceGroups  18 }

   ipSecAhTransformGroup OBJECT-GROUP
       OBJECTS {
           TransformId
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecAhTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  19 }
   ipSecCompTransformSetGroup OBJECT-GROUP
       OBJECTS {
           TransformSetId,
           TransformId,
           Order
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecCompTransformSetTable."
       ::= { ipSecPolicyPibConformanceGroups  20 }
   ipSecCompTransformGroup OBJECT-GROUP
       OBJECTS {
           Algorithm,
           DictionarySize,
           PrivateAlgorithm
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecCompTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  21 }
   ipSecRuleTimePeriodGroup OBJECT-GROUP
       OBJECTS {
           TimePeriod,
           MonthOfYearMask,
           DayOfMonthMask,
           DayOfWeekMask,
           TimeOfDayMask,
           LocalOrUtcTime
          }
       STATUS current
       DESCRIPTION
   "    The ipSecRuleTimePeriodGroup is mandatory if policy
   scheduling is supported."
       ::= { ipSecPolicyPibConformanceGroups  22 }
   ipSecRuleTimePeriodSetGroup OBJECT-GROUP
       OBJECTS {
           RuleTimePeriodSetId,
           RuleTimePeriodId
          }
       STATUS current
       DESCRIPTION
   "    The ipSecRuleTimePeriodSetGroup is mandatory if policy
   scheduling is supported."
       ::= { ipSecPolicyPibConformanceGroups  23 }
   END
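   The following Python is an added illustration of how a PEP would
   evaluate rows of the ipSecRuleTimePeriodTable and
   ipSecRuleTimePeriodSetTable defined above; it is not code from this
   draft. Rows are modelled as dictionaries keyed by the attribute name
   suffix (TimePeriod, MonthOfYearMask, DayOfMonthMask, DayOfWeekMask,
   TimeOfDayMask, LocalOrUtcTime), with a missing key standing for the
   "attribute not present, treated as always enabled" case. The three
   octet-string masks are decoded with their 4-octet length field and
   zero padding bits checked, the TimePeriod and TimeOfDayMask strings
   are parsed including the THISANDPRIOR/THISANDFUTURE and
   midnight-spanning cases, the five attributes of a row are ANDed, and
   LocalOrUtcTime selects the zone in which all of them are read. Two
   readings the text leaves implicit are assumptions of the example: a
   day of the month counts as valid when either its from-the-start bit
   or its from-the-end bit is set, and the periods grouped under one
   RuleTimePeriodSetId are ORed. The sample rows, the set id 7, the
   `at` helper and the UTC-5 LOCAL_TZ are constructed for the example.

```python
import calendar
from datetime import datetime, timedelta, timezone


def _stamp(s):
    """yyyymmddThhmmss substring -> naive datetime."""
    return datetime.strptime(s, "%Y%m%dT%H%M%S")


def in_time_period(period, now):
    """ipSecRuleTimePeriodTimePeriod, with the THISANDPRIOR / THISANDFUTURE cases."""
    if period is None:
        return True
    start_s, end_s = period.split("/")
    start = None if start_s == "THISANDPRIOR" else _stamp(start_s)
    end = None if end_s == "THISANDFUTURE" else _stamp(end_s)
    if start is not None and end is not None and end <= start:
        raise ValueError("second date/time must be later than the first")
    return (start is None or start <= now) and (end is None or now <= end)


def _unpack_mask(octets, expected_len, nbits):
    """Framing shared by the three mask properties: a 4-octet length field,
    then a bit field read most-significant bit first; padding bits must be 0."""
    if len(octets) != expected_len or int.from_bytes(octets[:4], "big") != expected_len:
        raise ValueError("mask length does not match this property")
    width = (expected_len - 4) * 8
    bits = int.from_bytes(octets[4:], "big")
    if bits & ((1 << (width - nbits)) - 1):
        raise ValueError("padding bits must be zero")
    return [(bits >> (width - 1 - i)) & 1 for i in range(nbits)]


def in_month_mask(mask, now):
    """MonthOfYearMask: 6 octets, 12 bits starting with January."""
    return mask is None or _unpack_mask(mask, 6, 12)[now.month - 1] == 1


def in_day_of_month_mask(mask, now):
    """DayOfMonthMask: 12 octets, 31 bits counted from the start of the month
    then 31 counted from the end.  Assumption: a day is valid when either of
    its bits is set; bits for days the month lacks are never consulted."""
    if mask is None:
        return True
    bits = _unpack_mask(mask, 12, 62)
    days = calendar.monthrange(now.year, now.month)[1]
    return bits[now.day - 1] == 1 or bits[31 + (days - now.day)] == 1


def in_day_of_week_mask(mask, now):
    """DayOfWeekMask: 5 octets, 7 bits starting with Sunday (Python's
    weekday() starts with Monday, hence the shift)."""
    return mask is None or _unpack_mask(mask, 5, 7)[(now.weekday() + 1) % 7] == 1


def in_time_of_day_mask(mask, now):
    """TimeOfDayMask 'Thhmmss/Thhmmss'; a smaller second time spans midnight."""
    if mask is None:
        return True
    start_s, end_s = mask.split("/")
    start = datetime.strptime(start_s, "T%H%M%S").time()
    end = datetime.strptime(end_s, "T%H%M%S").time()
    t = now.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


def rule_valid(row, now, local_tz):
    """AND of the five attributes of one row.  `now` is an aware datetime and
    LocalOrUtcTime (localTime(1) / utcTime(2)) picks the zone for all of them."""
    tz = timezone.utc if row.get("LocalOrUtcTime", 1) == 2 else local_tz
    n = now.astimezone(tz).replace(tzinfo=None)
    return (in_time_period(row.get("TimePeriod"), n)
            and in_month_mask(row.get("MonthOfYearMask"), n)
            and in_day_of_month_mask(row.get("DayOfMonthMask"), n)
            and in_day_of_week_mask(row.get("DayOfWeekMask"), n)
            and in_time_of_day_mask(row.get("TimeOfDayMask"), n))


def set_valid(set_rows, periods, set_id, now, local_tz):
    """ipSecRuleTimePeriodSetTable.  Assumption: the periods sharing one
    RuleTimePeriodSetId are ORed, which is how several windows a day arise."""
    members = [r["RuleTimePeriodId"] for r in set_rows if r["RuleTimePeriodSetId"] == set_id]
    return any(rule_valid(periods[p], now, local_tz) for p in members)


# Constructed sample rows, keyed by ipSecRuleTimePeriodPrid (not from the draft).
PERIODS = {
    # office hours: Monday..Friday, 09:00-17:00 local time, during 2001 only
    1: {"TimePeriod": "20010101T000000/20011231T235959",
        "DayOfWeekMask": bytes.fromhex("00000005" "7c"),      # 0111 1100 -> Mon..Fri
        "TimeOfDayMask": "T090000/T170000", "LocalOrUtcTime": 1},
    # last night of each month in January..March, 22:00 to 06:00 (spans midnight)
    2: {"TimePeriod": "THISANDPRIOR/20011231T235959",
        "MonthOfYearMask": bytes.fromhex("00000006" "e000"),  # Jan, Feb, Mar
        "DayOfMonthMask": bytes.fromhex("0000000c" "0000000100000000"),  # 1st from end
        "TimeOfDayMask": "T220000/T060000", "LocalOrUtcTime": 1},
}
PERIOD_SET = [{"RuleTimePeriodSetId": 7, "RuleTimePeriodId": 1},   # constructed set
              {"RuleTimePeriodSetId": 7, "RuleTimePeriodId": 2}]
LOCAL_TZ = timezone(timedelta(hours=-5))  # constructed local zone of the PEP


def at(year, month, day, hour, minute):
    """Aware instant in LOCAL_TZ, for exercising the rows above."""
    return datetime(year, month, day, hour, minute, tzinfo=LOCAL_TZ)
```

   One consequence of the per-attribute AND worth noticing: the
   22:00-06:00 window of row 2 on 31 March does not continue past
   midnight, because 1 April fails both the month mask and the
   day-of-month mask; a window that must run into the next day needs a
   second row grouped with the first through the set table. Rejecting
   masks whose length field or padding bits are wrong, rather than
   silently masking them off, keeps a malformed provisioning message
   from widening or narrowing a rule's validity unnoticed.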

7. Security Considerations

   Since COPS is used to carry the PIB defined in this document, the
   security and protection of the information can be provided by
   either COPS or a combination of COPS and other security protocols,
   e.g., IPsec or TLS.

8. References

   [1] S. Bradner, "The Internet Standards Process -- Revision 3", BCP
   9, RFC 2026, October 1996.

   [2] S. Bradner, "Key words for use in RFCs to Indicate Requirement
   Levels", BCP 14, RFC 2119, March 1997.

   [AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
   November 1998.

   [ARCH] S. Kent, R. Atkinson, "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

   [ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
   Scheduling Core Object Specification (iCalendar)", RFC 2445,
   November 1998.

   [COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol" RFC 2748,
   January 2000.

   [COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
   Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning," draft-ietf-rap-cops-pr-02.txt, March 2000.

   [DOI] D. Piper, "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
   Smith, F. Reichmeyer "Framework Policy Information Base", Internet
   Draft , March 2000.

   [IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [IPSEC-IM] J. Jason, "IPSec Configuration Policy Model,"
   draft-ietf-ipsp-config-policy-model-00.txt, March 2000.

   [ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner,
   "Internet Security Association and Key Management Protocol
   (ISAKMP)", RFC 2408, November 1998.

   [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version 1 Specification",
   draft-ietf-policy-core-info-model-06.txt, May 2000.

   [SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
   Smith, F. Reichmeyer, "Structure of Policy Provisioning
   Information," draft-ietf-rap-sppi-01.txt, July 2000.

9. Authors' Addresses

   Man Li
   Nokia
   5 Wayside Road,
   Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   David Arneson
   Email: dla@mediaone.net

   Avri Doria
   Nortel Networks
   600 Technology Park Drive
   Billerica, MA 01821
   Phone: +1 401 663 5024
   Email: avri@nortelnetworks.com

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   Phone: +1 503 264 9531
   E-Mail: jamie.jason@intel.com

   Cliff Wang
   SmartPipes Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   Phone: +1 614 923 6241
   E-Mail: CWang@smartpipes.com

   Full Copyright Statement

   "Copyright (C) The Internet Society (date). All Rights Reserved.
   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared, copied,
   published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright notice
   and this paragraph are included on all such copies and derivative
   works. However, this document itself may not be modified in any
   way, such as by removing the copyright notice or references to the
   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into.
