draft-ietf-ipsp-ipsecpib-02.txt -> draft-ietf-ipsp-ipsecpib-03.txt

ipsp working group                                              Man Li
Internet Draft                                                   Nokia
Expires January 2002                                     David Arneson
                                                        No Affiliation
                                                            Avri Doria
                                                       Nortel Networks
                                                           Jamie Jason
                                                                 Intel
                                                            Cliff Wang
                                                             SmartPipe
                                                             July 2001

                    IPSec Policy Information Base
                   draft-ietf-ipsp-ipsecpib-03.txt
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of

[...]

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

1. Abstract
This document specifies a set of policy rule classes (PRC) for
configuring IPSec policy at IPsec-enabled devices. Instances of
these classes reside in a virtual information store called the
IPSec Policy Information Base (PIB). The COPS protocol [COPS] with
extensions for provisioning [COPS-PR] is used to transmit this
IPSec policy information to IPSec-enabled devices (e.g., security
gateways). The PRCs defined in this IPSec PIB are intended for use
by the COPS-PR IPSec client type. They complement the PRCs defined
in the Framework PIB [FR-PIB].
2. Conventions used in this document

Li, et al                 Expires January, 2002                      1

IPsec Policy Information Base                                July, 2001

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC-2119 [2].

3. Introduction
The policy rule classes (PRC) defined in this document contain
parameters for IKE phase one and phase two negotiations. Details
of these parameters can be found in [IPSEC-IM], [IKE], [ESP], [AH],
[DOI], [IPCOMP] and [SPPI]. The PIB defined in this document is
based on the IPSec configuration policy model [IPSEC-IM]. The rule
and role approach proposed in [PCIM], which scales to large
networks, is adopted for distributing IPsec policy over the COPS
protocol.
4. Operation Overview

Following the policy framework convention [PCIM], the management
entity that downloads policy to IPSec-enabled devices will be
called a Policy Decision Point (PDP) and the target IPSec-enabled
devices will be called Policy Execution Points (PEP).
After connecting to a PDP using COPS-PR, a PEP reports to the PDP
the PIB Provisioning Classes (PRCs) it supports as well as any
limitations related to the implementations of these classes and
parameters. The PEP provides the above information using the
frwkPrcSupportTable and the frwkCompLimitsTable defined in the
framework PIB [FR-PIB]. In addition, the PEP also reports the
interface type capabilities and role combinations it supports
using the frwkIfCapSetTable and the frwkIfCapSetRoleComboTable.
Each row of the frwkIfCapSetTable contains a capability set name
and a reference to an instance of a PRC that describes the
capabilities of the interface type. The capability instances may
reside in the ipSecIfCapsTable or in a table defined in another
PIB. Each row of the frwkIfCapSetRoleComboTable contains an
interface capability set name and a role combination.

Based on the interface capabilities and role combinations, the PDP
provides the PEP with an IPSec PIB that contains the IPSec policy.
Later on, if the interface capabilities or role combinations of
the PEP change, the PEP MUST notify the PDP. The PDP will then
send a new PIB to the PEP. In addition, if the policy associated
with given interface capabilities and role combination changes,
the PDP MUST download a new IPSec PIB to all the PEPs that have
registered with those interface capabilities and role combination.
IPsec policy that is pushed down to an individual PEP consists of
two parts: IKE rules for IKE phase one negotiation and IPsec rules
for IKE phase two negotiation. These sets of rules may be pushed
down either together or independently.

After a PEP reports its interface capabilities and role
combinations to a PDP,

- if the corresponding policy consists of IPsec rules only (i.e.,
key management is not performed through IKE), the interface
capability set name and the role combination MUST match that in
the ipSecRuleTable. For the ipSecActionTable referenced by the
ipSecRuleTable, the values of the ipSecActionIkeRuleId attribute
MUST be zero, indicating that no IKE associations are used. As a
result, the ipSecRuleTable and all subsequent referenced tables
are pushed down to the PEP.

- if the corresponding policy consists of IKE rules only, the
interface capability set name and the role combination MUST match
that in the ipSecIkeRuleTable. The ipSecIkeEndpointTable indicates
the peer endpoints with which to establish IKE associations.
Hence, the ipSecIkeRuleTable and all subsequent referenced tables
are pushed down to the PEP.

- if the corresponding policy consists of both IPsec rules and IKE
rules (i.e., an IKE association is established first and is then
used for IPsec association negotiation), the interface capability
set name and the role combination MUST match that in the
ipSecRuleTable. The ipSecRuleTable and the ipSecIkeRuleTable that
is referenced by the ipSecRuleTable, as well as all subsequent
referenced tables, are pushed down to the PEP.

The following figure shows the relations between the tables with
an example. The IPSec policy in this example contains both IKE and
IPSec rules.
+----------------------+        +------------------------+
| ipSecSelectorEntries |        | ipSecRuleTableEntries  |
| Group = 10           |<-------- SelectorGroupId = 10   |
+----------------------+        | ActionGroupId = 20     |
                                | IfName = Ether_limit   |
                                | Role = Finance_X       |
                                +------------------------+
                                            |
                                            |
                                            v
+---------------------------+   +------------------------+
| ipSecIkeRuleEntries       |   | ipSecActionEntries     |
| Prid = 30                 |   | GroupId = 20           |
| IkeEndpointGroupId = 40   |   | Action = Tunnel        |
|                           |<---- IkeRuleId = 30       |
|                           |   |                        |
+---------------------------+   +------------------------+
          |              \                  |
          |               \                 |
          v                \                v
+---------------------------+ \        ipSecAssociation
| ipSecIkeEndpointEntries   |  \       and subsequent
|                           |   \      tables
| GroupId = 40              |    \
+---------------------------+     \
                                   v
                         ipSecIkeAssociations
                         and subsequent tables
4.1 Selector construction

The ipSecAddressTable specifies individual IP addresses or ranges
of IP addresses, and the ipSecL4PortTable specifies individual
layer 4 ports or ranges of layer 4 ports. The ipSecSelectorTable
has references to these two tables. Each row in the selector table
represents multiple selectors. These selectors are constructed as
follows:

1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId.

2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
[...]
    1.2.3.4     1
    1.2.3.18    1
    5.6.7.1     2
    5.6.7.8     2

For every row in this example, the AddrMax is a zero length octet
indicating that each row specifies a single IP address.

The Layer4PortTable is populated with the following rows:

    PortMin    PortMax    PortGroupId
    112        150        1
    99         99         2

The PortMax is equal to PortMin in the second row indicating that
only a single port is specified.

The ipSecSelectorTable is populated with:

    SrcAddrGpId  dstAddrGpId  srcPortGpId  dstPortGpId  protocol  order
    1            2            1            1            udp       1
    1            2            2            2            tcp       2

The following selectors are constructed:

    SrcAddr     dstAddr     protocol    port
    1.2.3.4     5.6.7.1     UDP         112-150
    1.2.3.4     5.6.7.8     UDP         112-150
    1.2.3.18    5.6.7.1     UDP         112-150
    1.2.3.18    5.6.7.8     UDP         112-150
    1.2.3.4     5.6.7.1     TCP         99
    1.2.3.4     5.6.7.8     TCP         99
    1.2.3.18    5.6.7.1     TCP         99
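As an added illustration (not part of the draft or of any PIB implementation), the following Python carries out the substitution steps of this section on the three example tables and yields all eight selectors of the example; the table rows are the draft's values, the Python names are assumptions, and source and destination ports are kept as separate columns.

```python
"""Selector construction from the IPsec PIB tables (section 4.1).

Added example, not from the draft: expands each ipSecSelectorTable row
into concrete selectors by substituting its address and port group ids
with every matching row of ipSecAddressTable and ipSecL4PortTable, as
the draft's steps describe. The sample rows are the draft's example
values; the Python names are assumptions, not PIB attribute names.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class AddressRow:
    """One ipSecAddressTable row. An empty addr_max (the draft's
    zero-length octet) means the row names a single address."""
    addr_min: str
    addr_max: str
    group_id: int

    def as_str(self) -> str:
        if self.addr_max in ("", self.addr_min):
            return self.addr_min
        return f"{self.addr_min}-{self.addr_max}"


@dataclass(frozen=True)
class PortRow:
    """One ipSecL4PortTable row; port_min == port_max is a single port."""
    port_min: int
    port_max: int
    group_id: int

    def as_str(self) -> str:
        if self.port_min == self.port_max:
            return str(self.port_min)
        return f"{self.port_min}-{self.port_max}"


@dataclass(frozen=True)
class SelectorRow:
    """One ipSecSelectorTable row: four group ids, protocol and order."""
    src_addr_gid: int
    dst_addr_gid: int
    src_port_gid: int
    dst_port_gid: int
    protocol: str
    order: int


# Constructed sample tables, copied from the draft's worked example.
ADDRESS_TABLE = [
    AddressRow("1.2.3.4", "", 1),
    AddressRow("1.2.3.18", "", 1),
    AddressRow("5.6.7.1", "", 2),
    AddressRow("5.6.7.8", "", 2),
]
PORT_TABLE = [PortRow(112, 150, 1), PortRow(99, 99, 2)]
SELECTOR_TABLE = [
    SelectorRow(1, 2, 1, 1, "udp", 1),
    SelectorRow(1, 2, 2, 2, "tcp", 2),
]

Selector = Tuple[str, str, str, str, str]  # src, dst, proto, sport, dport


def _members(rows, group_id):
    """All rows of a table whose group id matches group_id."""
    return [r for r in rows if r.group_id == group_id]


def construct_selectors(selector_table: List[SelectorRow],
                        address_table: List[AddressRow],
                        port_table: List[PortRow]) -> List[Selector]:
    """Expand selector rows into (src, dst, proto, sport, dport) tuples.

    Each group id is replaced by every member of its group; the cross
    product of the four substitutions is the selector list for the row.
    Rows are processed by ascending order value. A row that references
    a group with no members would otherwise vanish silently, so it is
    reported as a configuration error instead.
    """
    selectors: List[Selector] = []
    for row in sorted(selector_table, key=lambda r: r.order):
        parts = (
            _members(address_table, row.src_addr_gid),
            _members(address_table, row.dst_addr_gid),
            _members(port_table, row.src_port_gid),
            _members(port_table, row.dst_port_gid),
        )
        if not all(parts):
            raise ValueError(f"selector row {row.order} references an empty group")
        for src, dst, sport, dport in product(*parts):
            selectors.append((src.as_str(), dst.as_str(),
                              row.protocol.upper(), sport.as_str(), dport.as_str()))
    return selectors


if __name__ == "__main__":
    for sel in construct_selectors(SELECTOR_TABLE, ADDRESS_TABLE, PORT_TABLE):
        print("  ".join(sel))
```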
[...]
OnBoot: IPsec or IKE association is established after system boot.
To avoid both endpoints trying to set up the same association,
only the endpoint whose ipSecSelectorIsOriginator
(ipSecIkeEndpointIsOriginator) is true can initiate the IPsec
(IKE) association establishment.

OnTraffic: IPsec association is established only when packets need
to be sent and there are no appropriate security associations to
protect the packets. If there is no IKE association to protect the
IPsec association negotiation, an IKE association should be set up
first.

OnPolicy: IPsec or IKE association is established according to
ipSecRuleTimePeriodSetTable referenced by the corresponding rule.
At the time the policy becomes active, only the endpoint whose
ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true
can initiate the IPsec (IKE) association establishment.

These triggers are not mutually exclusive.
4.3 Multiple security associations, proposals and transforms

Multiple IPsec security associations may be established to protect
the same traffic between two end points. The following figure
shows an example.

                                SA1
         ===================================================
         |            SA2                                  |
         |=============================                    |
         ||                           |                    |
         ||                        ---|--------------------|---
         ||                        |  |                    |  |
         H1 ----- (Internet) ------| SG2 ---- (Local ----- H2 |
                                   |           Intranet)      |
                                   ----------------------------
                                    admin. boundary (optional)

H1 and H2 are hosts and SG2 is a security gateway on the local
Intranet where H2 resides. Suppose that, to protect TCP traffic
between H1 and H2, an IPsec security association (SA1) in
transport mode may be established between H1 and H2. In addition,
an IPsec security association (SA2) in tunnel mode may be set up
between H1 and SG2.

For host H1, two actions are needed to protect TCP packets that
travel from H1 to H2: first protect the packets with SA1 and then
encapsulate the resulting packets into SA2. This requires that the
IPSec policy downloaded to H1 contain two actions to be applied to
packets in order.

The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to
handle multiple security association establishments or actions. It
contains references to the actions specified in the
ipSecActionTable. All the actions in the ipSecActionTable whose
ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId MUST be
applied. The ipSecActionOrder indicates the order these actions
should be taken in setting up the security associations.
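The following Python is an added example, not part of the draft or of any implementation: it resolves a rule's action group in ipSecActionOrder as described above, selects rules by interface capability set name and role combination as in section 4, and checks the section 4 requirement that ipSecActionIkeRuleId MUST be zero when a policy contains IPsec rules only. The sample rows extend the section 4 figure with a constructed second action (SA1 before SA2, as in the H1 example); the Python names are assumptions.

```python
"""Resolving a rule's ordered action group (sections 4 and 4.3).

Added example, not from the draft: for the rules that match a PEP's
interface capability set name and role combination, collect the
ipSecActionTable entries whose group id equals the rule's
ipSecRuleIpSecActionGroupId, order them by ipSecActionOrder, and collect
the IKE rules they reference. For a policy of IPsec rules only, every
ipSecActionIkeRuleId MUST be zero. Python names are assumptions; the
rows are constructed after the draft's figure and the H1/SG2 example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class IpSecRule:
    """One ipSecRuleTable row (only the attributes used here)."""
    prid: int
    selector_group_id: int
    action_group_id: int
    if_cap_set_name: str
    role_combination: str


@dataclass(frozen=True)
class IpSecAction:
    """One ipSecActionTable row; ike_rule_id 0 means no IKE association."""
    group_id: int
    order: int
    action: str
    ike_rule_id: int


# Constructed sample rows. Rule 1 is the figure's rule (IfName Ether_limit,
# role Finance_X, action group 20); group 20 is given two ordered actions
# like SA1/SA2 of the H1 example. Rule 2 uses a manually keyed group.
RULE_TABLE = [
    IpSecRule(1, 10, 20, "Ether_limit", "Finance_X"),
    IpSecRule(2, 11, 21, "Ether_limit", "Manual_Y"),
]
ACTION_TABLE = [
    IpSecAction(20, 2, "Tunnel", 30),      # SA2: H1 <-> SG2, applied second
    IpSecAction(20, 1, "Transport", 30),   # SA1: H1 <-> H2, applied first
    IpSecAction(21, 1, "Transport", 0),    # no IKE rule referenced
]


def ordered_actions(rule: IpSecRule, actions: List[IpSecAction]) -> List[IpSecAction]:
    """All actions of the rule's group, in ipSecActionOrder.

    Every member MUST be applied, so an empty group is an error, and
    duplicate order values would leave the application order undefined.
    """
    group = sorted((a for a in actions if a.group_id == rule.action_group_id),
                   key=lambda a: a.order)
    if not group:
        raise ValueError(f"rule {rule.prid}: action group {rule.action_group_id} is empty")
    orders = [a.order for a in group]
    if len(set(orders)) != len(orders):
        raise ValueError(f"rule {rule.prid}: duplicate ipSecActionOrder in group "
                         f"{rule.action_group_id}")
    return group


Plan = Dict[int, Tuple[List[str], Set[int]]]


def plan_for_pep(rules: List[IpSecRule], actions: List[IpSecAction],
                 if_cap_set_name: str, role_combination: str,
                 ike_available: bool = True) -> Plan:
    """Map each matching rule's prid to (action names in order, IKE rule ids).

    ike_available=False models the draft's 'IPsec rules only' case: the
    selected actions MUST then all carry ipSecActionIkeRuleId == 0.
    """
    plan: Plan = {}
    for rule in rules:
        if (rule.if_cap_set_name, rule.role_combination) != (if_cap_set_name, role_combination):
            continue
        acts = ordered_actions(rule, actions)
        ike_ids = {a.ike_rule_id for a in acts if a.ike_rule_id != 0}
        if not ike_available and ike_ids:
            raise ValueError(f"rule {rule.prid}: IPsec-only policy but actions reference "
                             f"IKE rule(s) {sorted(ike_ids)}")
        plan[rule.prid] = ([a.action for a in acts], ike_ids)
    return plan


if __name__ == "__main__":
    print(plan_for_pep(RULE_TABLE, ACTION_TABLE, "Ether_limit", "Finance_X"))
```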
During a security association negotiation, the initiating point
can present multiple proposals in preference order. For an IPsec
security association, every proposal can contain different
protocols, e.g., AH and ESP (a single proposal here is equivalent
to multiple proposal payloads with the same proposal number as
specified in [ISAKMP]). Different protocols are ANDed. Each
protocol, in turn, may contain multiple transforms in preference
order. The responder must select a single proposal and a single
transform for each protocol.
[...]
one negotiation for authentication purposes. An endpoint can
possess multiple credentials. How each endpoint obtains its
credentials (e.g., through PKI) is out of the scope of IPsec
policy distribution. IPsec policy does specify, however, the
acceptable peer credentials and the credential sub-fields and
their values that MUST match.

The ipSecPeerCredentialTable specifies a group of credentials that
are considered acceptable for a given peer endpoint. Any one of
the credentials in a group is acceptable as the IKE peer endpoint
credential. The ipSecCredentialFieldsTable further specifies, for
each credential, the sub-fields and values that MUST be matched.
5. Summary of the IPSec PIB

The IPSec PIB consists of seven groups. Each group and the tables
it contains are summarized in the following:

5.1 ipSecSelector Group

This group specifies the selectors for IPSec associations.

5.1.1 ipSecAddressTable

Specifies IP addresses of endpoints.

5.1.2 ipSecL4PortTable

Specifies layer four port numbers.

5.1.3 ipSecSelectorTable

Specifies IPsec selectors. It has references to ipSecAddressTable
and ipSecL4PortTable for selector construction.

5.2 ipSecAssociation Group

This group specifies attributes related to IPSec Security
Associations.

5.2.1 ipSecRuleTable

Specifies IPsec rules. It references the ipSecSelectorTable and
ipSecActionTable to indicate that IP packets that match the
selector SHALL be applied with the IPsec action(s).

This table also references the ipSecRuleTimePeriodSetTable to
specify the time periods during which a rule is valid.

5.2.2 ipSecActionTable

Specifies groups of IPsec actions. All actions that have the same
ipSecActionActionGroupId belong to the same group. Actions in the
same group MUST be applied in the order specified by
ipSecActionOrder.

This table also references ipSecIkeRuleTable to specify rules
associated with IKE phase one negotiation.

5.2.3 ipSecAssociationTable

Specifies attributes associated with IPsec associations. It
references ipSecProposalSetTable to specify associated proposals.

5.2.4 ipSecProposalSetTable

Specifies IPsec proposal sets. Proposals within a set are ORed
with preference order.

5.2.5 ipSecProposalTable

Specifies an IPsec proposal. It has references to ESP, AH and
IPComp Transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transforms, the choices
are ORed with preference order.

5.3 ipSecIkeAssociation Group

This group specifies attributes related to IKE Security
Associations.

5.3.1 ipSecIkeRuleTable

Specifies IKE rules. It contains a reference to
ipSecIkeAssociationTable to specify IKE associated actions. In
addition, it has a reference to ipSecIkeEndpointTable to specify
the endpoints to which this PEP can set up IKE associations.

This table also references the ipSecRuleTimePeriodSetTable to
specify the time periods during which a rule is valid.

5.3.2 ipSecIkeAssociationTable

Specifies attributes related to IKE associations. It references
ipSecIkeProposalSetTable to specify associated proposals.

5.3.3 ipSecIkeProposalSetTable

Specifies IKE proposal sets. Proposals within a set are ORed with
preference order.

5.3.4 ipSecIkeProposalTable

Specifies attributes associated with IKE proposals.
[...]
matched.

5.3.7 ipSecCredentialFieldsTable

Specifies the sub-fields and their values to be matched against
peer credentials obtained during IKE phase one negotiation. All
criteria within a group are ANDed.

5.4 ipSecEspTransform Group

This group specifies attributes related to ESP Transform.

5.4.1 ipSecEspTransformSetTable

Specifies ESP transform sets. Within a transform set, the choices
are ORed with preference order.

5.4.2 ipSecEspTransformTable

Specifies ESP transforms.

5.5 ipSecAhTransform Group

This group specifies attributes related to AH Transform.

5.5.1 ipSecAhTransformSetTable

Specifies AH transform sets. Within a transform set, the choices
are ORed with preference order.

5.5.2 ipSecAhTransformTable

Specifies AH transforms.

5.6 ipSecCompTransform Group

This group specifies attributes related to IPComp Transform.

5.6.1 ipSecCompTransformSetTable

Specifies IPComp transform sets. Within a transform set, the
choices are ORed with preference order.

5.6.2 ipSecCompTransformTable

Specifies IPComp transforms.

5.7 ipSecPolicyTimePeriod Group

This group specifies the time periods during which a policy rule
is valid.
[...]
enables the specification of multiple time periods within a day by
grouping them into one set.

5.7.2 ipSecRuleTimePeriodTable

Specifies the time periods during which a policy rule is valid.
The values of the first five attributes in a row are ANDed
together to determine the validity period(s). If any of the five
attributes is not present, it is treated as always enabled.

5.8 ipSecIfCaps Group

This group specifies capabilities associated with interface types.

5.8.1 ipSecIfCapsTable

Specifies capabilities that may be associated with an interface of
a specific type. The instances of this table are referenced by the
frwkIfCapSetCapability attribute of the frwkIfCapSetTable
[FR-PIB].
6. The IPSec PIB 6. The IPSec PIB
IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
Unsigned 32, MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION, Unsigned 32, MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION,
MODULE-COMPLIANCE MODULE-COMPLIANCE
FROM COPS-PR-SPPI FROM COPS-PR-SPPI
Li, et al Expires September, 2001 9
IPsec Policy Information Base March, 2001
OBJECT-IDENTITY OBJECT-IDENTITY
FROM SNMPv2-SMI FROM SNMPv2-SMI
TruthValue TruthValue
FROM SNMPv2-TC FROM SNMPv2-TC
InstanceId, ReferenceId, TagId, TagReferenceId InstanceId, ReferenceId, TagId, TagReferenceId
FROM COPS-PR-SPPI; FROM COPS-PR-SPPI;
RoleCombination RoleCombination
FROM POLICY-FRAMEWORK-PIB; FROM POLICY-FRAMEWORK-PIB;
OBJECT-GROUP OBJECT-GROUP
Li, et al Expires January, 2002 10
IPsec Policy Information Base July, 2001
From SNMPv2-CONF; From SNMPv2-CONF;
ipSecPolicyPib MODULE-IDENTITY ipSecPolicyPib MODULE-IDENTITY
SUBJECT-CATEGORY { tbd -- IPSec Client Type } SUBJECT-CATEGORY { tbd -- IPSec Client Type }
LAST-UPDATED "200102251800Z" LAST-UPDATED "200107011800Z"
ORGANIZATION "IETF ipsp WG" ORGANIZATION "IETF ipsp WG"
CONTACT-INFO " CONTACT-INFO "
Man Li Man Li
Nokia Nokia
5 Wayside Road, 5 Wayside Road,
Burlington, MA 01803 Burlington, MA 01803
Phone: +1 781 993 3923 Phone: +1 781 993 3923
Email: man.m.li@nokia.com Email: man.m.li@nokia.com
Avri Doria Avri Doria
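Review bot: the IMPORTS clause in both columns will not parse as written: `Unsigned 32` (with a space) should be `Unsigned32`, the spelling later used for the SYNTAX of ipSecSelectorOrder; the `;` after the first `FROM COPS-PR-SPPI` terminates the IMPORTS clause, leaving `RoleCombination FROM POLICY-FRAMEWORK-PIB;` and `OBJECT-GROUP From SNMPv2-CONF;` stranded outside it; and `From` should be `FROM`. Suggest merging the two COPS-PR-SPPI lines into one `FROM COPS-PR-SPPI` and closing the clause with a single `;` after `FROM SNMPv2-CONF`. The -03 column additionally uses `SnmpAdminString` (the SYNTAX of the new ipSecRuleIfName attribute further down) without importing it here.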
skipping to change at line 536 skipping to change at line 585
Hillsboro, OR 97124 Hillsboro, OR 97124
Phone: +1 503 264 9531 Phone: +1 503 264 9531
Fax: +1 503 264 9428 Fax: +1 503 264 9428
E-Mail: jamie.jason@intel.com E-Mail: jamie.jason@intel.com
Cliff Wang Cliff Wang
SmartPipes Inc. SmartPipes Inc.
Suite 300, 565 Metro Place South Suite 300, 565 Metro Place South
Dublin, OH 43017 Dublin, OH 43017
Phone: +1 614 923 6241 Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com E-Mail: CWang@smartpipes.com"
DESCRIPTION DESCRIPTION
"This PIB module contains a set of policy rule classes that "This PIB module contains a set of policy rule classes that
describe IPSec policies." describe IPSec policies."
::= { tbd } ::= { tbd }
ipSecSelector OBJECT-IDENTITY ipSecSelector OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies selectors for IPSec associations" "This group specifies selectors for IPSec associations"
::= { ipSecPolicyPib 1 } ::= { ipSecPolicyPib 1 }
ipSecAssociation OBJECT-IDENTITY ipSecAssociation OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies attributes related to IPSec Security "This group specifies attributes related to IPSec Security
Associations" Associations"
::= { ipSecPolicyPib 2 } ::= { ipSecPolicyPib 2 }
ipSecIkeAssociation OBJECT-IDENTITY ipSecIkeAssociation OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies attributes related to IKE Security "This group specifies attributes related to IKE Security
Associations" Associations"
::= { ipSecPolicyPib 3 } ::= { ipSecPolicyPib 3 }
ipSecEspTransform OBJECT-IDENTITY ipSecEspTransform OBJECT-IDENTITY
skipping to change at line 592 skipping to change at line 641
"This group specifies attributes related to IPSecComp Transform" "This group specifies attributes related to IPSecComp Transform"
::= { ipSecPolicyPib 6 } ::= { ipSecPolicyPib 6 }
ipSecPolicyTimePeriod OBJECT-IDENTITY ipSecPolicyTimePeriod OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies the time periods during which a policy rule "This group specifies the time periods during which a policy rule
is valid " is valid "
::= { ipSecPolicyPib 7 } ::= { ipSecPolicyPib 7 }
ipSecIfCaps OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies capabilities associated with interface
types."
::= { ipSecPolicyPib 8 }
ipSecPolicyPibConformance OBJECT-IDENTITY ipSecPolicyPibConformance OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group specifies requirements for conformance to the IPsec "This group specifies requirements for conformance to the IPsec
Policy PIB" Policy PIB"
::= { ipSecPolicyPib 8 } ::= { ipSecPolicyPib 9 }
-- --
-- --
-- The ipSecAddressTable -- The ipSecAddressTable
-- --
ipSecAddressTable OBJECT-TYPE ipSecAddressTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAddressEntry SYNTAX SEQUENCE OF IpSecAddressEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IP addresses." "Specifies IP addresses."
::= { ipSecSelector 1 } INDEX { ipSecAddressPrid }
ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecAddressPrid }
UNIQUENESS { UNIQUENESS {
ipSecAddressAddressType, ipSecAddressAddressType,
ipSecAddressAddrMask, ipSecAddressAddrMask,
ipSecAddressAddrMin, ipSecAddressAddrMin,
ipSecAddressAddrMax, ipSecAddressAddrMax,
ipSecAddressGroupId ipSecAddressGroupId
} }
::= { ipSecSelector 1 }
ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAddressTable 1 } ::= { ipSecAddressTable 1 }
IpSecAddressEntry ::= SEQUENCE { IpSecAddressEntry ::= SEQUENCE {
ipSecAddressPrid InstanceId, ipSecAddressPrid InstanceId,
ipSecAddressAddressType INTEGER, ipSecAddressAddressType INTEGER,
ipSecAddressAddrMask OCTET STRING, ipSecAddressAddrMask OCTET STRING,
ipSecAddressAddrMin OCTET STRING, ipSecAddressAddrMin OCTET STRING,
ipSecAddressAddrMax OCTET STRING, ipSecAddressAddrMax OCTET STRING,
ipSecAddressGroupId TagId ipSecAddressGroupId TagId
} }
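Review bot: on the -03 side the index and `UNIQUENESS { ... }` clauses have moved from ipSecAddressEntry onto the ipSecAddressTable OBJECT-TYPE, and the -02 `PIB-INDEX { ipSecAddressPrid }` keyword has become a bare `INDEX { ipSecAddressPrid }`. Confirm that this clause placement and keyword are what the COPS-PR-SPPI macros imported at the top of the module define, because the same change is applied to ipSecL4PortTable, ipSecSelectorTable, ipSecRuleTable and ipSecActionTable in the later hunks and a macro mismatch would break every class in the module at once.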
skipping to change at line 658 skipping to change at line 713
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
ipV6-Address(5), ipV6-Address(5),
ipV6-Subnet(6), ipV6-Subnet(6),
ipV4-Address-Range(7), ipV4-Address-Range(7),
ipV6-Address-Range(8), ipV6-Address-Range(8),
der-Asn1-DN(9), der-Asn1-DN(9),
der-Asn1-GN(10), der-Asn1-GN(10),
key-Id(11) key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the address type. This also controls the length of the "Specifies the address type. This also controls the length of the
OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and
ipSecAddressAddrMax objects. IPv4 addresses are octet strings of ipSecAddressAddrMax objects. IPv4 addresses are octet strings of
length 4. IPv6 addresses are octet strings of length 16. All other length 4. IPv6 addresses are octet strings of length 16. All other
types are octet strings of variable length." types are octet strings of variable length."
::= { ipSecAddressEntry 2 } ::= { ipSecAddressEntry 2 }
skipping to change at line 715 skipping to change at line 770
ipSecAddressAddrMin. The Length of the string is based upon the ipSecAddressAddrMin. The Length of the string is based upon the
address type. For IPv4 address types, this attribute is a 4-bytes address type. For IPv4 address types, this attribute is a 4-bytes
octet string. For IPv6 address types, this attribute is a 16-bytes octet string. For IPv6 address types, this attribute is a 16-bytes
octet string. octet string.
If no range is specified then this attribute MUST be a zero length If no range is specified then this attribute MUST be a zero length
OCTET STRING." OCTET STRING."
::= { ipSecAddressEntry 5 } ::= { ipSecAddressEntry 5 }
ipSecAddressGroupId OBJECT-TYPE ipSecAddressGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this IP address, address range or subnet "Specifies the group this IP address, address range or subnet
address belongs to." address belongs to."
::= { ipSecAddressEntry 6 } ::= { ipSecAddressEntry 6 }
-- --
-- --
-- The ipSecL4PortTable -- The ipSecL4PortTable
-- --
ipSecL4PortTable OBJECT-TYPE ipSecL4PortTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecL4PortEntry SYNTAX SEQUENCE OF IpSecL4PortEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies layer four port numbers." "Specifies layer four port numbers."
INDEX { ipSecL4PortPrid }
UNIQUENESS {
ipSecL4PortPortMin,
ipSecL4PortPortMax,
ipSecL4PortGroupId
}
::= { ipSecSelector 2 } ::= { ipSecSelector 2 }
ipSecL4PortEntry OBJECT-TYPE ipSecL4PortEntry OBJECT-TYPE
SYNTAX IpSecL4PortEntry SYNTAX IpSecL4PortEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecL4PortPrid }
UNIQUENESS {
ipSecL4PortPortMin,
ipSecL4PortPortMax,
ipSecL4PortGroupId
}
::= { ipSecL4PortTable 1 } ::= { ipSecL4PortTable 1 }
IpSecL4PortEntry ::= SEQUENCE { IpSecL4PortEntry ::= SEQUENCE {
ipSecL4PortPrid InstanceId, ipSecL4PortPrid InstanceId,
ipSecL4PortPortMin INTEGER, ipSecL4PortPortMin INTEGER,
ipSecL4PortPortMax INTEGER, ipSecL4PortPortMax INTEGER,
ipSecL4PortGroupId TagId ipSecL4PortGroupId TagId
} }
ipSecL4PortPrid OBJECT-TYPE ipSecL4PortPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecL4PortEntry 1 } ::= { ipSecL4PortEntry 1 }
ipSecL4PortPortMin OBJECT-TYPE ipSecL4PortPortMin OBJECT-TYPE
SYNTAX INTEGER (0..65535) SYNTAX INTEGER (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies a layer 4 port or the first layer 4 port number of a "Specifies a layer 4 port or the first layer 4 port number of a
range of ports." range of ports."
::= { ipSecL4PortEntry 2 } ::= { ipSecL4PortEntry 2 }
ipSecL4PortPortMax OBJECT-TYPE ipSecL4PortPortMax OBJECT-TYPE
SYNTAX INTEGER (0..65535) SYNTAX INTEGER (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the last layer 4 port in the range. If only a single "Specifies the last layer 4 port in the range. If only a single
port is specified, the value of this attribute must be equal to port is specified, the value of this attribute must be equal to
that of ipSecL4PortPortMin. Otherwise, the value of this attribute that of ipSecL4PortPortMin. Otherwise, the value of this attribute
MUST be greater than that specified by ipSecL4PortPortMin." MUST be greater than that specified by ipSecL4PortPortMin."
::= { ipSecL4PortEntry 3 } ::= { ipSecL4PortEntry 3 }
ipSecL4PortGroupId OBJECT-TYPE ipSecL4PortGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this port or port range belongs to." "Specifies the group this port or port range belongs to."
::= { ipSecL4PortEntry 4 } ::= { ipSecL4PortEntry 4 }
-- --
skipping to change at line 825 skipping to change at line 880
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId. ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports 4. Substitute the ipSecSelectorDstPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId. ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four 5. Construct all the possible combinations of the above four
fields together with the ipSecSelectorProtocol attribute to form fields together with the ipSecSelectorProtocol attribute to form
all the five-tuple selectors all the five-tuple selectors
Selectors constructed from a row inherit all the other attributes Selectors constructed from a row inherit all the other attributes
of the row (e.g., ipSecSelectorGranularity)." of the row (e.g., ipSecSelectorGranularity)."
::= { ipSecSelector 3 } INDEX { ipSecSelectorPrid }
ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecSelectorPrid }
UNIQUENESS { UNIQUENESS {
ipSecSelectorSrcAddressGroupId, ipSecSelectorSrcAddressGroupId,
ipSecSelectorSrcPortGroupId, ipSecSelectorSrcPortGroupId,
ipSecSelectorDstAddressGroupId, ipSecSelectorDstAddressGroupId,
ipSecSelectorDstPortGroupId, ipSecSelectorDstPortGroupId,
ipSecSelectorProtocol, ipSecSelectorProtocol,
ipSecSelectorGranularity, ipSecSelectorGranularity,
ipSecSelectorOrder, ipSecSelectorOrder,
ipSecSelectorStartupCondition, ipSecSelectorStartupCondition,
ipSecSelectorIsOriginator, ipSecSelectorIsOriginator,
ipSecSelectorGroupId ipSecSelectorGroupId
} }
::= { ipSecSelector 3 }
ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecSelectorTable 1 } ::= { ipSecSelectorTable 1 }
IpSecSelectorEntry ::= SEQUENCE { IpSecSelectorEntry ::= SEQUENCE {
ipSecSelectorPrid InstanceId, ipSecSelectorPrid InstanceId,
ipSecSelectorSrcAddressGroupId TagReferenceId, ipSecSelectorSrcAddressGroupId TagReferenceId,
ipSecSelectorSrcPortGroupId TagReferenceId, ipSecSelectorSrcPortGroupId TagReferenceId,
ipSecSelectorDstAddressGroupId TagReferenceId, ipSecSelectorDstAddressGroupId TagReferenceId,
ipSecSelectorDstPortGroupId TagReferenceId, ipSecSelectorDstPortGroupId TagReferenceId,
ipSecSelectorProtocol INTEGER, ipSecSelectorProtocol INTEGER,
ipSecSelectorGranularity INTEGER, ipSecSelectorGranularity INTEGER,
skipping to change at line 875 skipping to change at line 931
ipSecSelectorPrid OBJECT-TYPE ipSecSelectorPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecSelectorEntry 1 } ::= { ipSecSelectorEntry 1 }
ipSecSelectorSrcAddressGroupId OBJECT-TYPE ipSecSelectorSrcAddressGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecAddressGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies source addresses. All addresses in ipSecAddressTable "Specifies source addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId match this value are included as source whose ipSecAddressGroupId match this value are included as source
addresses." addresses."
::= { ipSecSelectorEntry 2 } ::= { ipSecSelectorEntry 2 }
ipSecSelectorSrcPortGroupId OBJECT-TYPE ipSecSelectorSrcPortGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecL4PortGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies source layer 4 port numbers. All ports in ipSecL4Port "Specifies source layer 4 port numbers. All ports in ipSecL4Port
whose ipSecL4PortGroupId match this value are included." whose ipSecL4PortGroupId match this value are included."
::= { ipSecSelectorEntry 3 } ::= { ipSecSelectorEntry 3 }
ipSecSelectorDstAddressGroupId OBJECT-TYPE ipSecSelectorDstAddressGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecAddressGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies destination addresses. All addresses in "Specifies destination addresses. All addresses in
ipSecAddressTable whose ipSecAddressGroupId match this value are ipSecAddressTable whose ipSecAddressGroupId match this value are
included as destination addresses." included as destination addresses."
::= { ipSecSelectorEntry 4 } ::= { ipSecSelectorEntry 4 }
ipSecSelectorDstPortGroupId OBJECT-TYPE ipSecSelectorDstPortGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecL4PortGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies destination layer 4 port numbers. All ports in "Specifies destination layer 4 port numbers. All ports in
ipSecL4Port whose ipSecL4PortGroupId match this value are ipSecL4Port whose ipSecL4PortGroupId match this value are
included." included."
::= { ipSecSelectorEntry 5 } ::= { ipSecSelectorEntry 5 }
ipSecSelectorProtocol OBJECT-TYPE ipSecSelectorProtocol OBJECT-TYPE
SYNTAX INTEGER (0..255) SYNTAX INTEGER (0..255)
STATUS current STATUS current
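Review bot: the DESCRIPTION text of ipSecSelectorSrcPortGroupId and ipSecSelectorDstPortGroupId refers to "ipSecL4Port", whereas the class defined earlier is ipSecL4PortTable; suggest "All ports in ipSecL4PortTable whose ipSecL4PortGroupId match this value are included." for both. The PIB-TAG clauses added on the -03 side (ipSecAddressGroupId and ipSecL4PortGroupId) do match the TagId attributes of the two referenced classes.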
skipping to change at line 938 skipping to change at line 990
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies how the security associations established may be used. "Specifies how the security associations established may be used.
A value of 1 (Wide) indicates that this security association may A value of 1 (Wide) indicates that this security association may
be used by all packets that match the same selector that is be used by all packets that match the same selector that is
matched by the packet triggering the establishment of this matched by the packet triggering the establishment of this
association. association.
A value of 2 (Narrow) indicates that this security association A value of 2 (Narrow) indicates that this security association
can be used only by packets that have exactly the same selector can be used only by packets that have exactly the same selector
attribute values as that of the packet triggering the attribute values as that of the packet triggering the
establishment of this association. " establishment of this association. "
::= { ipSecSelectorEntry 7 } ::= { ipSecSelectorEntry 7 }
ipSecSelectorOrder OBJECT-TYPE ipSecSelectorOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the selectors "An integer that specifies the precedence order of the selectors
within the ipSecSelectorGroup. A given precedence order is within the ipSecSelectorGroup. A given precedence order is
positioned before one with a higher-valued precedence order. All positioned before one with a higher-valued precedence order. All
selectors constructed from the same row have the same order. The selectors constructed from the same row have the same order. The
position of selectors with the same order is unspecified." position of selectors with the same order is unspecified."
::= { ipSecSelectorEntry 8 } ::= { ipSecSelectorEntry 8 }
ipSecSelectorStartupCondition OBJECT-TYPE ipSecSelectorStartupCondition OBJECT-TYPE
SYNTAX BITS { SYNTAX BITS {
skipping to change at line 996 skipping to change at line 1048
::= { ipSecSelectorEntry 10 } ::= { ipSecSelectorEntry 10 }
ipSecSelectorGroupId OBJECT-TYPE ipSecSelectorGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specify the group this selector(s) belongs to. Selectors in the "Specify the group this selector(s) belongs to. Selectors in the
same group are provided with the same IPsec services." same group are provided with the same IPsec services."
::= { ipSecSelectorEntry 11 } ::= { ipSecSelectorEntry 11 }
-- --
-- --
-- The ipSecRuleTable -- The ipSecRuleTable
-- --
ipSecRuleTable OBJECT-TYPE ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry SYNTAX SEQUENCE OF IpSecRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec rules. " "Specifies IPsec rules. "
INDEX { ipSecRulePrid }
UNIQUENESS {
ipSecRuleIfName,
ipSecRuleRoles,
ipSecRuleDirection
}
::= { ipSecAssociation 1 } ::= { ipSecAssociation 1 }
ipSecRuleEntry OBJECT-TYPE ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry SYNTAX IpSecRuleEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecRulePrid }
UNIQUENESS {
ipSecRuleRoles,
ipSecRuleDirection,
ipSecRuleIpSecSelectorGroupId,
ipSecRuleIpSecActionGroupId,
ipSecRuleIpSecRuleTimePeriodGroupId
}
::= { ipSecRuleTable 1 } ::= { ipSecRuleTable 1 }
IpSecRuleEntry ::= SEQUENCE { IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid InstanceId, ipSecRulePrid InstanceId,
ipSecRuleIfName SnmpAdminString,
ipSecRuleRoles RoleCombination, ipSecRuleRoles RoleCombination,
ipSecRuleDirection INTEGER, ipSecRuleDirection INTEGER,
ipSecRuleIpSecSelectorGroupId TagReferenceId, ipSecRuleIpSecSelectorGroupId TagReferenceId,
ipSecRuleIpSecActionGroupId TagReferenceId, ipSecRuleIpSecActionGroupId TagReferenceId,
ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
} }
ipSecRulePrid OBJECT-TYPE ipSecRulePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class." "An integer index to uniquely identify an instance of this class."
::= { ipSecRuleEntry 1 } ::= { ipSecRuleEntry 1 }
ipSecRuleIfName OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"The interface capability set to which this IPSec rule applies.
The interface capability name specified by this attribute must
exist in the frwkIfCapSetTable [FR-PIB] prior to association with
an instance of this class."
::= { ipSecRuleEntry 2 }
ipSecRuleRoles OBJECT-TYPE ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combination of the interface to which this
IPSec rule should apply."
::= { ipSecRuleEntry 2 }
"Specifies the role combination of the interface to which this
IPSec rule should apply. There must exist an instance in the
frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
combination, together with the interface capability set specified
by ipSecRuleIfName, prior to association with an instance of this
class."
::= { ipSecRuleEntry 3 }
ipSecRuleDirection OBJECT-TYPE ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
in(1), in(1),
out(2), out(2),
bi-directional(3) bi-directional(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the direction of traffic to which this rule should "Specifies the direction of traffic to which this rule should
apply." apply."
::= { ipSecRuleEntry 3 } ::= { ipSecRuleEntry 4 }
ipSecRuleIpSecSelectorGroupId OBJECT-TYPE ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecSelectorGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies the selectors to be associated with this IPSec rule. "Identifies the selectors to be associated with this IPSec rule.
The selectors in the ipSecSelectorTable whose ipSecSelectorGroupId The selectors in the ipSecSelectorTable whose ipSecSelectorGroupId
matches this attribute are provided with the IPSec services matches this attribute are provided with the IPSec services
specified by this rule." specified by this rule."
::= { ipSecRuleEntry 4 } ::= { ipSecRuleEntry 5 }
ipSecRuleIpSecActionGroupId OBJECT-TYPE ipSecRuleIpSecActionGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecActionActionGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies the IPsec action group that is "This attribute identifies the IPsec action group that is
associated with this rule. Actions specified in ipSecActionTable associated with this rule. Actions specified in ipSecActionTable
whose ipSecActionActionGroupId match the value of this attribute whose ipSecActionActionGroupId match the value of this attribute
MUST all be applied. The ipSecActionOrder in the ipSecActionTable MUST all be applied. The ipSecActionOrder in the ipSecActionTable
indicates the order these actions should be taken in setting up indicates the order these actions should be taken in setting up
the security associations." the security associations."
::= { ipSecRuleEntry 5 } ::= { ipSecRuleEntry 6 }
ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies an IPsec rule time period group, "This attribute identifies an IPsec rule time period group,
sepcified in ipSecRuleTimePeriodGroupTable, that is associated specified in ipSecRuleTimePeriodGroupTable, that is associated
with this rule with this rule
A value of zero indicates that this IPsec rule is always valid." A value of zero indicates that this IPsec rule is always valid."
::= { ipSecRuleEntry 6 } ::= { ipSecRuleEntry 7 }
-- --
-- --
-- The ipSecActionTable -- The ipSecActionTable
-- --
ipSecActionTable OBJECT-TYPE ipSecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionEntry SYNTAX SEQUENCE OF IpSecActionEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies group of IPsec actions. All actions that have the same "Specifies group of IPsec actions. All actions that have the same
ipSecActionActionGroupId belong to the same group. Actions in the ipSecActionActionGroupId belong to the same group. Actions in the
same group MUST be applied in the order specified by same group MUST be applied in the order specified by
ipSecActionOrder. " ipSecActionOrder. "
::= { ipSecAssociation 2 } INDEX { ipSecActionPrid }
ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecActionPrid }
UNIQUENESS { UNIQUENESS {
ipSecActionAction, ipSecActionAction,
ipSecActionTunnelEndpointId, ipSecActionTunnelEndpointId,
ipSecActionDfHandling, ipSecActionDfHandling,
ipSecActionDoLogging, ipSecActionDoLogging,
ipSecActionIpSecSecurityAssociationId, ipSecActionIpSecSecurityAssociationId,
ipSecActionActionGroupId, ipSecActionActionGroupId,
ipSecActionOrder, ipSecActionOrder,
ipSecActionIkeRuleId ipSecActionIkeRuleId
} }
::= { ipSecAssociation 2 }
ipSecActionEntry OBJECT-TYPE
SYNTAX IpSecActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecActionTable 1 } ::= { ipSecActionTable 1 }
IpSecActionEntry ::= SEQUENCE { IpSecActionEntry ::= SEQUENCE {
ipSecActionPrid InstanceId, ipSecActionPrid InstanceId,
ipSecActionAction INTEGER, ipSecActionAction INTEGER,
ipSecActionTunnelEndpointId ReferenceId, ipSecActionTunnelEndpointId ReferenceId,
ipSecActionDfHandling INTEGER, ipSecActionDfHandling INTEGER,
ipSecActionDoLogging TruthValue, ipSecActionDoLogging TruthValue,
ipSecActionIpSecSecurityAssociationId ReferenceId, ipSecActionIpSecSecurityAssociationId ReferenceId,
ipSecActionActionGroupId TagId, ipSecActionActionGroupId TagId,
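Review bot: the -03 UNIQUENESS for ipSecRuleTable is { ipSecRuleIfName, ipSecRuleRoles, ipSecRuleDirection }, dropping the selector, action and time-period group ids that the -02 entry listed; that restricts the PIB to a single rule per interface capability set, role combination and direction, so confirm the restriction is intended and state it in the table DESCRIPTION. Two name problems in the same hunk: ipSecRuleIpSecRuleTimePeriodGroupId carries `PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId` while its DESCRIPTION points at ipSecRuleTimePeriodGroupTable and section 5.7.2 names the class ipSecRuleTimePeriodTable, so one of the three should be chosen and used throughout; and ipSecRuleIfName has SYNTAX SnmpAdminString, which the IMPORTS clause does not bring in.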
skipping to change at line 1159 skipping to change at line 1221
ipSecActionIkeRuleId ReferenceId ipSecActionIkeRuleId ReferenceId
} }
ipSecActionPrid OBJECT-TYPE ipSecActionPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecActionEntry 1 } ::= { ipSecActionEntry 1 }
ipSecActionAction OBJECT-TYPE ipSecActionAction OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
byPass(1), byPass(1),
discard(2), discard(2),
transport(3), transport(3),
tunnel(4) tunnel(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPsec action to be applied to the traffic. "Specifies the IPsec action to be applied to the traffic.
ByPass(1) means that the packet should pass in clear. Discard(2) ByPass(1) means that the packet should pass in clear. Discard(2)
means that the packet should be denied. Transport(3) means that means that the packet should be denied. Transport(3) means that
the packet should be protected with a security association in the packet should be protected with a security association in
transport mode. Tunnel(4) means that the packet should be transport mode. Tunnel(4) means that the packet should be
protected with a security association in tunnel mode. If Tunnel protected with a security association in tunnel mode. If Tunnel
(4) is specified, ipSecActionTunnelEndpointId MUST also be (4) is specified, ipSecActionTunnelEndpointId MUST also be
specified." specified."
::= { ipSecActionEntry 2 } ::= { ipSecActionEntry 2 }
ipSecActionTunnelEndpointId OBJECT-TYPE ipSecActionTunnelEndpointId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecAddressTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecActionAction is tunnel, this attribute specifies the IP "When ipSecActionAction is tunnel, this attribute specifies the IP
address of the other end of the tunnel. The address specified in address of the other end of the tunnel. The address specified in
ipSecAddressTable whose ipSecAddressPrid matches this value is the ipSecAddressTable whose ipSecAddressPrid matches this value is the
other end of the tunnel. The address MUST be a single endpoint other end of the tunnel. The address MUST be a single endpoint
address. address.
When ipSecActionAction is not tunnel, this attribute SHALL be When ipSecActionAction is not tunnel, this attribute SHALL be
zero. " zero. "
skipping to change at line 1216 skipping to change at line 1276
the DF bit is managed by the tunnel when ipSecActionAction is the DF bit is managed by the tunnel when ipSecActionAction is
tunnel. Copy (1) indicates that the DF bit is copied. Set (2) tunnel. Copy (1) indicates that the DF bit is copied. Set (2)
indicates that the DF bit is set. Clear (3) indicates that the DF indicates that the DF bit is set. Clear (3) indicates that the DF
bit is cleared. When ipSecActionAction is not tunnel, this bit is cleared. When ipSecActionAction is not tunnel, this
attribute SHALL be ignored. " attribute SHALL be ignored. "
::= { ipSecActionEntry 4 } ::= { ipSecActionEntry 4 }
ipSecActionDoLogging OBJECT-TYPE ipSecActionDoLogging OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies if an audit message should be logged when discard "Specifies if an audit message should be logged when discard
action is taken." action is taken."
::= { ipSecActionEntry 5 } ::= { ipSecActionEntry 5 }
ipSecActionIpSecSecurityAssociationId OBJECT-TYPE ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecAssociationTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPSec association, specified by "An integer that identifies an IPSec association, specified by
ipSecSecurityAssociationPrid in ipSecSecurityAssociationTable, ipSecSecurityAssociationPrid in ipSecSecurityAssociationTable,
that is associated with this action. that is associated with this action.
When ipSecActionAction attribute specifies Bypass (1) or Discard When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute MUST have a value of zero. Otherwise, its (2), this attribute MUST have a value of zero. Otherwise, its
value MUST be greater than zero." value MUST be greater than zero."
::= { ipSecActionEntry 6 } ::= { ipSecActionEntry 6 }
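Review bot: the PIB-REFERENCES clause added to ipSecActionIpSecSecurityAssociationId names ipSecAssociationTable, but the DESCRIPTION still says the value is "specified by ipSecSecurityAssociationPrid in ipSecSecurityAssociationTable"; neither identifier is defined in this PIB (the table that follows is ipSecAssociationTable, indexed by ipSecAssociationPrid), so the text should be brought in line with the clause. The MUST-be-zero-for-Bypass/Discard rule here, and the matching rule on ipSecActionIkeRuleId, are constraints a PDP can only enforce at install time; stating that an instance violating them SHALL be rejected would make the expected behaviour explicit.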
skipping to change at line 1259 skipping to change at line 1318
"Specifies the order the actions in this group be applied. An "Specifies the order the actions in this group be applied. An
action with a lower order number is applied before one with a action with a lower order number is applied before one with a
higher order number. higher order number.
When ipSecActionAction attribute specifies Bypass (1) or Discard When ipSecActionAction attribute specifies Bypass (1) or Discard
(2), this attribute MUST be ignored. " (2), this attribute MUST be ignored. "
::= { ipSecActionEntry 8 } ::= { ipSecActionEntry 8 }
ipSecActionIkeRuleId OBJECT-TYPE ipSecActionIkeRuleId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecIkeRuleTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IKE rule, specified by "An integer that identifies an IKE rule, specified by
ipSecIkeRulePrid in ipSecIkeRuleTable, that is associated with ipSecIkeRulePrid in ipSecIkeRuleTable, that is associated with
this IPsec rule. this IPsec rule.
A value of zero means that there is no IKE rule associated. When A value of zero means that there is no IKE rule associated. When
ipSecActionAction attribute specifies Bypass (1) or Discard (2), ipSecActionAction attribute specifies Bypass (1) or Discard (2),
this attribute must have a value of zero." this attribute must have a value of zero."
::= { ipSecActionEntry 9 } ::= { ipSecActionEntry 9 }
-- --
-- --
-- The ipSecAssociationTable -- The ipSecAssociationTable
-- --
ipSecAssociationTable OBJECT-TYPE ipSecAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAssociationEntry SYNTAX SEQUENCE OF IpSecAssociationEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes associated with IPsec associations" "Specifies attributes associated with IPsec associations"
::= { ipSecAssociation 3 } INDEX { ipSecAssociationPrid }
ipSecAssociationEntry OBJECT-TYPE
SYNTAX IpSecAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecAssociationRefreshThresholdSeconds, ipSecAssociationRefreshThresholdSeconds,
ipSecAssociationRefreshThresholdKilobytes, ipSecAssociationRefreshThresholdKilobytes,
ipSecAssociationMinLifetimeSeconds, ipSecAssociationMinLifetimeSeconds,
ipSecAssociationMinLifetimeKilobytes, ipSecAssociationMinLifetimeKilobytes,
ipSecAssociationTrafficIdleTime, ipSecAssociationTrafficIdleTime,
ipSecAssociationUsePfs, ipSecAssociationUsePfs,
ipSecAssociationVendorId, ipSecAssociationVendorId,
ipSecAssociationUseIkeGroup, ipSecAssociationUseIkeGroup,
ipSecAssociationDhGroup, ipSecAssociationDhGroup,
ipSecAssociationProposalSetId ipSecAssociationProposalSetId
} }
::= { ipSecAssociation 3 }
ipSecAssociationEntry OBJECT-TYPE
SYNTAX IpSecAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecAssociationTable 1 } ::= { ipSecAssociationTable 1 }
IpSecAssociationEntry ::= SEQUENCE { IpSecAssociationEntry ::= SEQUENCE {
ipSecAssociationPrid InstanceId, ipSecAssociationPrid InstanceId,
ipSecAssociationRefreshThresholdSeconds INTEGER, ipSecAssociationRefreshThresholdSeconds INTEGER,
ipSecAssociationRefreshThresholdKilobytes INTEGER, ipSecAssociationRefreshThresholdKilobytes INTEGER,
ipSecAssociationMinLifetimeSeconds Unsigned32, ipSecAssociationMinLifetimeSeconds Unsigned32,
ipSecAssociationMinLifetimeKilobytes Unsigned32, ipSecAssociationMinLifetimeKilobytes Unsigned32,
ipSecAssociationTrafficIdleTime Unsigned32, ipSecAssociationTrafficIdleTime Unsigned32,
ipSecAssociationUsePfs TruthValue, ipSecAssociationUsePfs TruthValue,
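Review bot: in the -03 column the INDEX and UNIQUENESS clauses are attached to ipSecAssociationTable (the SEQUENCE OF object) and the PIB-INDEX clause is removed from ipSecAssociationEntry. In SMIv2, and in SPPI which follows it, index clauses belong to the conceptual-row OBJECT-TYPE and the table object carries none, so a PIB compiler will reject this layout; the -02 placement, PIB-INDEX { ipSecAssociationPrid } followed by UNIQUENESS on the Entry, was the correct one and should be restored. Note also that the clause was renamed from PIB-INDEX to INDEX; SPPI rows are indexed with PIB-INDEX.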
skipping to change at line 1330 skipping to change at line 1388
ipSecAssociationPrid OBJECT-TYPE ipSecAssociationPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecAssociationEntry 1 } ::= { ipSecAssociationEntry 1 }
ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION
DESCRIPTION
"Specifies the percentage of expiration (in other words, the "Specifies the percentage of expiration (in other words, the
refresh threshold) of an established SA's seconds lifetime at refresh threshold) of an established SA's seconds lifetime at
which to begin renegotiation of the SA. which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired." seconds lifetime value has expired."
::= { ipSecAssociationEntry 2 } ::= { ipSecAssociationEntry 2 }
ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
skipping to change at line 1387 skipping to change at line 1445
other words, no traffic protected by the SA) before it is deleted. other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. A value of zero indicates that there is no idle time detection.
The expiration of the SA is determined by the expiration of one of The expiration of the SA is determined by the expiration of one of
the lifetime values." the lifetime values."
::= { ipSecAssociationEntry 6 } ::= { ipSecAssociationEntry 6 }
ipSecAssociationUsePfs OBJECT-TYPE ipSecAssociationUsePfs OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION
DESCRIPTION
"If true, PFS SHALL be used when negotiating the phase two IPsec "If true, PFS SHALL be used when negotiating the phase two IPsec
SA." SA."
::= { ipSecAssociationEntry 7 } ::= { ipSecAssociationEntry 7 }
ipSecAssociationVendorId OBJECT-TYPE ipSecAssociationVendorId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies vendor-defined key exchange GroupIDs." "Identifies vendor-defined key exchange GroupIDs."
::= { ipSecAssociationEntry 8 } ::= { ipSecAssociationEntry 8 }
skipping to change at line 1430 skipping to change at line 1488
If the GroupID number is from the vendor-specific range (32768- If the GroupID number is from the vendor-specific range (32768-
65535), the VendorID qualifies the group number. 65535), the VendorID qualifies the group number.
This attribute MUST be ignored if ipSecSecurityAssociationUsePfs This attribute MUST be ignored if ipSecSecurityAssociationUsePfs
is false." is false."
::= { ipSecAssociationEntry 10 } ::= { ipSecAssociationEntry 10 }
ipSecAssociationProposalSetId OBJECT-TYPE ipSecAssociationProposalSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecProposalSetProposalSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IPsec proposal set, specified in "An integer that identifies the IPsec proposal set, specified in
ipSecProposalGroupTable, that is associated with this IPsec ipSecProposalGroupTable, that is associated with this IPsec
association." association."
::= { ipSecAssociationEntry 11 } ::= { ipSecAssociationEntry 11 }
-- --
-- --
-- The ipSecProposalSetTable -- The ipSecProposalSetTable
-- --
ipSecProposalSetTable OBJECT-TYPE ipSecProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalSetEntry SYNTAX SEQUENCE OF IpSecProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec proposal sets. Proposals within a set are ORed "Specifies IPsec proposal sets. Proposals within a set are ORed
with preference order." with preference order."
INDEX { ipSecProposalSetPrid }
UNIQUENESS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
::= { ipSecAssociation 4 } ::= { ipSecAssociation 4 }
ipSecProposalSetEntry OBJECT-TYPE ipSecProposalSetEntry OBJECT-TYPE
SYNTAX IpSecProposalSetEntry SYNTAX IpSecProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecProposalSetPrid }
UNIQUENESS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
::= { ipSecProposalSetTable 1 } ::= { ipSecProposalSetTable 1 }
IpSecProposalSetEntry ::= SEQUENCE { IpSecProposalSetEntry ::= SEQUENCE {
ipSecProposalSetPrid InstanceId, ipSecProposalSetPrid InstanceId,
ipSecProposalSetProposalSetId TagId, ipSecProposalSetProposalSetId TagId,
ipSecProposalSetProposalId ReferenceId, ipSecProposalSetProposalId ReferenceId,
ipSecProposalSetOrder Unsigned32 ipSecProposalSetOrder Unsigned32
} }
ipSecProposalSetPrid OBJECT-TYPE ipSecProposalSetPrid OBJECT-TYPE
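Review bot: ipSecAssociationDhGroup's DESCRIPTION says the attribute MUST be ignored if "ipSecSecurityAssociationUsePfs" is false, but the attribute defined above is ipSecAssociationUsePfs; similarly ipSecAssociationProposalSetId gains a PIB-TAG of ipSecProposalSetProposalSetId while its DESCRIPTION says the set is "specified in ipSecProposalGroupTable", a table that does not exist (the next table is ipSecProposalSetTable). Both cross-references should use the defined names. The ipSecProposalSetTable definition in this hunk also moves INDEX and UNIQUENESS onto the table object and drops PIB-INDEX from ipSecProposalSetEntry; the index clauses belong on the Entry (row) object, as in -02.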
skipping to change at line 1492 skipping to change at line 1549
ipSecProposalSetProposalSetId OBJECT-TYPE ipSecProposalSetProposalSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPsec proposal set." "An integer that identifies an IPsec proposal set."
::= { ipSecProposalSetEntry 2 } ::= { ipSecProposalSetEntry 2 }
ipSecProposalSetProposalId OBJECT-TYPE ipSecProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecProposalTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPsec Proposal, specified by "An integer that identifies an IPsec Proposal, specified by
ipSecProposalPrid in ipSecProposalTable, that is included in this ipSecProposalPrid in ipSecProposalTable, that is included in this
set." set."
::= { ipSecProposalSetEntry 3 } ::= { ipSecProposalSetEntry 3 }
ipSecProposalSetOrder OBJECT-TYPE ipSecProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32
SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecProposalSetProposalId in a proposal set. The identified by ipSecProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecProposalSetProposalSetId. proposal set is identified by ipSecProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given Proposals within a set are ORed with preference order. A given
precedence order is positioned before one with a higher-valued precedence order is positioned before one with a higher-valued
precedence order." precedence order."
::= { ipSecProposalSetEntry 4 } ::= { ipSecProposalSetEntry 4 }
skipping to change at line 1530 skipping to change at line 1586
ipSecProposalTable OBJECT-TYPE ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry SYNTAX SEQUENCE OF IpSecProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IPsec proposal. It has references to ESP, AH and "Specifies an IPsec proposal. It has references to ESP, AH and
IPComp Transform sets. Within a proposal, different types of IPComp Transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transforms, the choices transforms are ANDed. Within one type of transforms, the choices
are ORed with preference order." are ORed with preference order."
::= { ipSecAssociation 5 } INDEX { ipSecProposalPrid }
ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecProposalPrid }
UNIQUENESS { UNIQUENESS {
ipSecProposalLifetimeKilobytes, ipSecProposalLifetimeKilobytes,
ipSecProposalLifetimeSeconds, ipSecProposalLifetimeSeconds,
ipSecProposalVendorId, ipSecProposalVendorId,
ipSecProposalEspTransformSetId, ipSecProposalEspTransformSetId,
ipSecProposalAhTransformSetId, ipSecProposalAhTransformSetId,
ipSecProposalCompTransformSetId ipSecProposalCompTransformSetId
} }
::= { ipSecAssociation 5 }
ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecProposalTable 1 } ::= { ipSecProposalTable 1 }
IpSecProposalEntry ::= SEQUENCE { IpSecProposalEntry ::= SEQUENCE {
ipSecProposalPrid InstanceId, ipSecProposalPrid InstanceId,
ipSecProposalLifetimeKilobytes Unsigned32, ipSecProposalLifetimeKilobytes Unsigned32,
ipSecProposalLifetimeSeconds Unsigned32, ipSecProposalLifetimeSeconds Unsigned32,
ipSecProposalVendorId OCTET STRING, ipSecProposalVendorId OCTET STRING,
ipSecProposalEspTransformSetId TagReferenceId, ipSecProposalEspTransformSetId TagReferenceId,
ipSecProposalAhTransformSetId TagReferenceId, ipSecProposalAhTransformSetId TagReferenceId,
ipSecProposalCompTransformSetId TagReferenceId ipSecProposalCompTransformSetId TagReferenceId
} }
ipSecProposalPrid OBJECT-TYPE ipSecProposalPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecProposalEntry 1 } ::= { ipSecProposalEntry 1 }
ipSecProposalLifetimeKilobytes OBJECT-TYPE ipSecProposalLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
skipping to change at line 1596 skipping to change at line 1652
ipSecProposalVendorId OBJECT-TYPE ipSecProposalVendorId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies vendor-defined transforms." "Identifies vendor-defined transforms."
::= { ipSecProposalEntry 4 } ::= { ipSecProposalEntry 4 }
ipSecProposalEspTransformSetId OBJECT-TYPE ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecEspTransformSetTransformSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the ESP transform set, specified in "An integer that identifies the ESP transform set, specified in
ipSecEspTransformSetTable, that is associated with this proposal." ipSecEspTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 5 } ::= { ipSecProposalEntry 5 }
ipSecProposalAhTransformSetId OBJECT-TYPE ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecAhTransformSetTransformSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the AH transform set, specified in "An integer that identifies the AH transform set, specified in
ipSecAhTransformSetTable, that is associated with this proposal." ipSecAhTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 6 } ::= { ipSecProposalEntry 6 }
ipSecProposalCompTransformSetId OBJECT-TYPE ipSecProposalCompTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecCompTransformSetTransformId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IPComp transform set, specified in "An integer that identifies the IPComp transform set, specified in
ipSecCompTransformSetTable, that is associated with this ipSecCompTransformSetTable, that is associated with this
proposal." proposal."
::= { ipSecProposalEntry 7 } ::= { ipSecProposalEntry 7 }
-- --
-- --
-- The ipSecIkeAssociationTable -- The ipSecIkeAssociationTable
-- --
ipSecIkeAssociationTable OBJECT-TYPE ipSecIkeAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes related to IKE associations." "Specifies attributes related to IKE associations."
::= { ipSecIkeAssociation 1 } INDEX { ipSecIkeAssociationPrid }
ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeAssociationRefreshThresholdSeconds, ipSecIkeAssociationRefreshThresholdSeconds,
ipSecIkeAssociationRefreshThresholdKilobytes, ipSecIkeAssociationRefreshThresholdKilobytes,
ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLiftetimeSeconds,
ipSecIkeAssociationMinLifetimeKilobytes, ipSecIkeAssociationMinLifetimeKilobytes,
ipSecIkeAssociationTrafficIdleTime, ipSecIkeAssociationTrafficIdleTime,
ipSecIkeAssociationExchangeMode, ipSecIkeAssociationExchangeMode,
ipSecIkeAssociationUseIkeIdentityType, ipSecIkeAssociationUseIkeIdentityType,
ipSecIkeAssociationRefreshThresholdDerivedKeys, ipSecIkeAssociationRefreshThresholdDerivedKeys,
ipSecIkeAssociationIKEProposalSetId ipSecIkeAssociationIKEProposalSetId
} }
::= { ipSecIkeAssociation 6 }
ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeAssociationTable 1 } ::= { ipSecIkeAssociationTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE { IpSecIkeAssociationEntry ::= SEQUENCE {
ipSecIkeAssociationPrid InstanceId, ipSecIkeAssociationPrid InstanceId,
ipSecIkeAssociationRefreshThresholdSeconds INTEGER, ipSecIkeAssociationRefreshThresholdSeconds INTEGER,
ipSecIkeAssociationRefreshThresholdKilobytes INTEGER, ipSecIkeAssociationRefreshThresholdKilobytes INTEGER,
ipSecIkeAssociationMinLiftetimeSeconds Unsigned32, ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeAssociationMinLifetimeKilobytes Unsigned32, ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
ipSecIkeAssociationTrafficIdleTime Unsigned32, ipSecIkeAssociationTrafficIdleTime Unsigned32,
ipSecIkeAssociationExchangeMode INTEGER, ipSecIkeAssociationExchangeMode INTEGER,
ipSecIkeAssociationUseIkeIdentityType INTEGER, ipSecIkeAssociationUseIkeIdentityType INTEGER,
ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER, ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER,
ipSecIkeAssociationIKEProposalSetId TagReferenceId ipSecIkeAssociationIKEProposalSetId TagReferenceId
} }
ipSecIkeAssociationPrid OBJECT-TYPE ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeAssociationEntry 1 } ::= { ipSecIkeAssociationEntry 1 }
ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration (in other words, the "Specifies the percentage of expiration (in other words, the
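Review bot: ipSecIkeAssociationTable moves from { ipSecIkeAssociation 1 } to { ipSecIkeAssociation 6 } in -03, while the IKE rule, proposal-set and proposal tables below shift from sub-ids 2, 3, 4 to 1, 2, 3; renumbering object identifiers between revisions invalidates any -02 implementation, so the change needs a change-log entry and the numbering should be frozen from here on. Two naming points in the same region: the PIB-TAG on ipSecProposalCompTransformSetId is ipSecCompTransformSetTransformId, whereas the ESP and AH attributes use ...TransformSetTransformSetId, so check that the IPComp table really defines an attribute by that name; and the identifier ipSecIkeAssociationMinLiftetimeSeconds (sic) is misspelled in both the UNIQUENESS clause and the SEQUENCE. It is carried over from -02, but a misspelled attribute name is cheapest to fix before implementations depend on it.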
skipping to change at line 1726 skipping to change at line 1779
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this from a negotiating peer while negotiating an SA based upon this
action. action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeAssociationEntry 5 } ::= { ipSecIkeAssociationEntry 5 }
ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle (in "Specifies the amount of time in seconds an SA may remain idle (in
other words, no traffic protected by the SA) before it is deleted. other words, no traffic protected by the SA) before it is deleted.
A value of zero indicates that there is no idle time detection. A value of zero indicates that there is no idle time detection.
The expiration of the SA is determined by the expiration of one of The expiration of the SA is determined by the expiration of one of
the lifetime values." the lifetime values."
::= { ipSecIkeAssociationEntry 6 } ::= { ipSecIkeAssociationEntry 6 }
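Review bot: the DESCRIPTION of ipSecIkeAssociationMinLifetimeKilobytes says the minimum applies "while negotiating an SA based upon this action", but the object is an attribute of an IKE association class, not of an action; "based upon this IKE association" would match the class the text sits in.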
skipping to change at line 1783 skipping to change at line 1836
negotiation." negotiation."
::= { ipSecIkeAssociationEntry 8 } ::= { ipSecIkeAssociationEntry 8 }
ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX INTEGER (1..100)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established IKE SA's "Specifies the percentage of expiration of an established IKE SA's
derived keys lifetime at which to begin renegotiation of the SA. derived keys lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the A value of 100 means that renegotiation does not occur until the
derived key lifetime value has expired." derived key lifetime value has expired."
::= { ipSecIkeAssociationEntry 9 } ::= { ipSecIkeAssociationEntry 9 }
ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecIkeProposalSetProposalSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IKE proposal set, specified in "An integer that identifies the IKE proposal set, specified in
ipSecIkeProposalGroupTable, that is associated with this IKE ipSecIkeProposalGroupTable, that is associated with this IKE
association." association."
::= { ipSecIkeAssociationEntry 10 } ::= { ipSecIkeAssociationEntry 10 }
-- --
-- --
-- The ipSecIkeRuleTable -- The ipSecIkeRuleTable
-- --
ipSecIkeRuleTable OBJECT-TYPE ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE rules." "Specifies IKE rules."
::= { ipSecIkeAssociation 2 } INDEX { ipSecIkeRulePrid }
UNIQUENESS {
ipSecIkeRuleIfName,
ipSecIkeRuleRoles
}
::= { ipSecIkeAssociation 1 }
ipSecIkeRuleEntry OBJECT-TYPE ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry SYNTAX IpSecIkeRuleEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecIkeRulePrid }
UNIQUENESS {
ipSecIkeRuleRoles,
ipSecIkeRuleIkeAssiciationId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId,
ipSecIkeRuleIkeEndpointGroupId
}
::= { ipSecIkeRuleTable 1 } ::= { ipSecIkeRuleTable 1 }
IpSecIkeRuleEntry ::= SEQUENCE { IpSecIkeRuleEntry ::= SEQUENCE {
ipSecIkeRulePrid InstanceId, ipSecIkeRulePrid InstanceId,
ipSecIkeRuleIfName SnmpAdminString,
ipSecIkeRuleRoles RoleCombination, ipSecIkeRuleRoles RoleCombination,
ipSecIkeRuleIkeAssiciationId ReferenceId, ipSecIkeRuleIkeAssiciationId ReferenceId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId, ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId,
ipSecIkeRuleIkeEndpointGroupId TagReferenceId ipSecIkeRuleIkeEndpointGroupId TagReferenceId
} }
ipSecIkeRulePrid OBJECT-TYPE ipSecIkeRulePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeRuleEntry 1 } ::= { ipSecIkeRuleEntry 1 }
ipSecIkeRuleIfName OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"The interface capability set to which this IKE rule applies. The
interface capability name specified by this attribute must exist
in the frwkIfCapSetTable [FR-PIB] prior to association with an
instance of this class."
::= { ipSecIkeRuleEntry 2 }
ipSecIkeRuleRoles OBJECT-TYPE ipSecIkeRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combination of the interface to which this IKE "Specifies the role combination of the interface to which this IKE
rule should apply." rule should apply. There must exist an instance in the
::= { ipSecIkeRuleEntry 2 } frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
combination, together with the interface capability set specified
by ipSecRuleIfName, prior to association with an instance of this
class."
::= { ipSecIkeRuleEntry 3 }
ipSecIkeRuleIkeAssiciationId OBJECT-TYPE ipSecIkeRuleIkeAssiciationId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecIkeAssociationTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies the IKE action, specified by "This attribute identifies the IKE action, specified by
ipSecIkeAssociationPrid in ipSecIkeAssociationTable, that is ipSecIkeAssociationPrid in ipSecIkeAssociationTable, that is
associated with this rule" associated with this rule"
::= { ipSecIkeRuleEntry 3 } ::= { ipSecIkeRuleEntry 4 }
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecRuleTimePeriodSetRuleTimePeriodSetId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies an IPsec rule time period group, "This attribute identifies an IPsec rule time period group,
sepcified in ipSecRuleTimePeriodGroupTable, that is associated sepcified in ipSecRuleTimePeriodGroupTable, that is associated
with this IKE rule. with this IKE rule.
A value of zero indicates that this IKE rule is always valid." A value of zero indicates that this IKE rule is always valid."
::= { ipSecIkeRuleEntry 4 } ::= { ipSecIkeRuleEntry 5 }
ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecIkeEndpointGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of endpoints with which this "An integer that identifies a group of endpoints with which this
PEP can set up IKE associations. The endpoints specified in PEP can set up IKE associations. The endpoints specified in
ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this
attribute are the endpoints involved. " attribute are the endpoints involved. "
::= { ipSecIkeRuleEntry 5 } ::= { ipSecIkeRuleEntry 6 }
-- --
-- --
-- The ipSecIkeProposalSetTable -- The ipSecIkeProposalSetTable
-- --
ipSecIkeProposalSetTable OBJECT-TYPE ipSecIkeProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE proposal sets. Proposals within a set are ORed with "Specifies IKE proposal sets. Proposals within a set are ORed with
preference order. " preference order. "
::= { ipSecIkeAssociation 3 } INDEX { ipSecIkeProposalSetPrid }
ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeProposalSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId, ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder ipSecIkeProposalSetOrder
} }
::= { ipSecIkeAssociation 2 }
ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeProposalSetTable 1 } ::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE { IpSecIkeProposalSetEntry ::= SEQUENCE {
ipSecIkeProposalSetPrid InstanceId, ipSecIkeProposalSetPrid InstanceId,
ipSecIkeProposalSetProposalSetId TagId, ipSecIkeProposalSetProposalSetId TagId,
ipSecIkeProposalSetProposalId ReferenceId, ipSecIkeProposalSetProposalId ReferenceId,
ipSecIkeProposalSetOrder Unsigned32 ipSecIkeProposalSetOrder Unsigned32
} }
ipSecIkeProposalSetPrid OBJECT-TYPE ipSecIkeProposalSetPrid OBJECT-TYPE
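Review bot: the new DESCRIPTION of ipSecIkeRuleRoles says the role combination is checked "together with the interface capability set specified by ipSecRuleIfName", but the attribute added to this class in the same hunk is ipSecIkeRuleIfName; as written the precondition points at an attribute of a different class. The UNIQUENESS clause for IKE rules also changes from { Roles, IkeAssiciationId, IpSecRuleTimePeriodGroupId, IkeEndpointGroupId } in -02 to { IfName, Roles } in -03, which allows at most one IKE rule per interface capability set and role combination and so rules out different endpoint groups or time periods on the same interface; if that restriction is intended, the table DESCRIPTION should say so. Inserting ipSecIkeRuleIfName as sub-id 2 renumbers the existing attributes from 2..5 to 3..6; appending it as sub-id 6 would have kept the -02 attribute OIDs stable. Smaller items: ipSecIkeRuleIkeAssiciationId's DESCRIPTION calls the referenced object "the IKE action" although PIB-REFERENCES names ipSecIkeAssociationTable; the identifier itself and "sepcified" in the time-period DESCRIPTION are misspelled; and the DESCRIPTIONs of ipSecIkeAssociationIKEProposalSetId and ipSecIkeRuleIpSecRuleTimePeriodGroupId name "ipSecIkeProposalGroupTable" and "ipSecRuleTimePeriodGroupTable", while their PIB-TAG clauses point at ipSecIkeProposalSet... and ipSecRuleTimePeriodSet... attributes, so the table names in the text look stale.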
skipping to change at line 1941 skipping to change at line 2003
ipSecIkeProposalSetProposalSetId OBJECT-TYPE ipSecIkeProposalSetProposalSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an IKE proposal set. " "An integer that uniquely identifies an IKE proposal set. "
::= { ipSecIkeProposalSetEntry 2 } ::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecIkeProposalTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IKE proposal, specified by "An integer that identifies an IKE proposal, specified by
ipSecIkeProposalPrid in the ipSecIkeProposalTable, that is ipSecIkeProposalPrid in the ipSecIkeProposalTable, that is
included in this set." included in this set."
::= { ipSecIkeProposalSetEntry 3 } ::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalSetOrder OBJECT-TYPE ipSecIkeProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecIkeProposalSetProposalId in a proposal set. The identified by ipSecIkeProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecIkeProposalSetProposalSetId. proposal set is identified by ipSecIkeProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given Proposals within a set are ORed with preference order. A given
precedence order is positioned before one with a higher-valued precedence order is positioned before one with a higher-valued
precedence order." precedence order."
::= { ipSecIkeProposalSetEntry 4 } ::= { ipSecIkeProposalSetEntry 4 }
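Review bot: the new PIB-REFERENCES ipSecIkeProposalTable clause on ipSecIkeProposalSetProposalId is the right fix, since the DESCRIPTION already says the value is an ipSecIkeProposalPrid from that table, but the DESCRIPTION of ipSecIkeProposalSetOrder still does not say what happens when two rows with the same ipSecIkeProposalSetProposalSetId carry the same ipSecIkeProposalSetOrder value; either forbid equal order values within a set or state the tie-break, and say what the PEP does when the referenced proposal instance does not exist.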
skipping to change at line 1976 skipping to change at line 2037
-- --
-- The ipSecIkeProposalTable -- The ipSecIkeProposalTable
-- --
ipSecIkeProposalTable OBJECT-TYPE ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry SYNTAX SEQUENCE OF IpSecIkeProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes associated with IKE proposals." "Specifies attributes associated with IKE proposals."
::= { ipSecIkeAssociation 4 } INDEX { ipSecIkeProposalPrid }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeProposalPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeProposalMaxLifetimeSeconds, ipSecIkeProposalMaxLifetimeSeconds,
ipSecIkeProposalMaxLifetimeKilobytes, ipSecIkeProposalMaxLifetimeKilobytes,
ipSecIkeProposalCipherAlgorithm, ipSecIkeProposalCipherAlgorithm,
ipSecIkeProposalHashAlgorithm, ipSecIkeProposalHashAlgorithm,
ipSecIkeProposalAuthenticationMethod, ipSecIkeProposalAuthenticationMethod,
ipSecIkeProposalLifetimeDerivedKeys, ipSecIkeProposalLifetimeDerivedKeys,
ipSecIkeProposalPrfAlgorithm, ipSecIkeProposalPrfAlgorithm,
ipSecIkeProposalVendorId, ipSecIkeProposalVendorId,
ipSecIkeProposalIkeDhGroup ipSecIkeProposalIkeDhGroup
} }
::= { ipSecIkeAssociation 3 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeProposalTable 1 } ::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE { IpSecIkeProposalEntry ::= SEQUENCE {
ipSecIkeProposalPrid InstanceId, ipSecIkeProposalPrid InstanceId,
ipSecIkeProposalMaxLifetimeSeconds Unsigned32, ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
ipSecIkeProposalMaxLifetimeKilobytes Unsigned32, ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
ipSecIkeProposalCipherAlgorithm INTEGER, ipSecIkeProposalCipherAlgorithm INTEGER,
ipSecIkeProposalHashAlgorithm INTEGER, ipSecIkeProposalHashAlgorithm INTEGER,
ipSecIkeProposalAuthenticationMethod INTEGER, ipSecIkeProposalAuthenticationMethod INTEGER,
ipSecIkeProposalLifetimeDerivedKeys Unsigned32, ipSecIkeProposalLifetimeDerivedKeys Unsigned32,
ipSecIkeProposalPrfAlgorithm Unsigned32, ipSecIkeProposalPrfAlgorithm Unsigned32,
ipSecIkeProposalVendorId OCTET STRING, ipSecIkeProposalVendorId OCTET STRING,
ipSecIkeProposalIkeDhGroup Unsigned32 ipSecIkeProposalIkeDhGroup Unsigned32
} }
ipSecIkeProposalPrid OBJECT-TYPE ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeProposalEntry 1 } ::= { ipSecIkeProposalEntry 1 }
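Review bot: two issues in the ipSecIkeProposalTable hunk. The table's subidentifier changes from { ipSecIkeAssociation 4 } to { ipSecIkeAssociation 3 }; an OID renumbering between drafts is an incompatible change and should appear in a change list, with a check that no other class under ipSecIkeAssociation still uses 3. Second, the -03 column drops the PIB-INDEX clause from ipSecIkeProposalEntry and places INDEX { ipSecIkeProposalPrid } together with UNIQUENESS on the SEQUENCE OF table object; in SPPI the PIB-INDEX and UNIQUENESS clauses belong to the row (Entry) definition, not to the table, so this move, which is repeated for every table in this diff, should be verified against the SPPI before it is adopted.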
skipping to change at line 2060 skipping to change at line 2121
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE "Specifies the encryption algorithm to propose for the IKE
association." association."
::= { ipSecIkeProposalEntry 4 } ::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE ipSecIkeProposalHashAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(1), md5(1),
sha-1(2), sha-1(2),
tiger(3) tiger(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association." "Specifies the hash algorithm to propose for the IKE association."
::= { ipSecIkeProposalEntry 5 } ::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
presharedKey(1), presharedKey(1),
dssSignatures(2), dssSignatures(2),
rsaSignatures(3), rsaSignatures(3),
rsaEncryption(4), rsaEncryption(4),
revisedRsaEncryption(5), revisedRsaEncryption(5),
skipping to change at line 2116 skipping to change at line 2177
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies vendor-defined key exchange GroupIDs." "Identifies vendor-defined key exchange GroupIDs."
::= { ipSecIkeProposalEntry 9 } ::= { ipSecIkeProposalEntry 9 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Diffie-Hellman group to propose for the IKE "Specifies the Diffie-Hellman group to propose for the IKE
association. If the GroupID number is from the vendor-specific association. If the GroupID number is from the vendor-specific
range (32768-65535), the VendorID qualifies the group number. " range (32768-65535), the VendorID qualifies the group number. "
::= { ipSecIkeProposalEntry 10 } ::= { ipSecIkeProposalEntry 4 }
-- --
-- --
-- The ipSecIkeEndpointTable -- The ipSecIkeEndpointTable
-- --
ipSecIkeEndpointTable OBJECT-TYPE ipSecIkeEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeEndpointEntry SYNTAX SEQUENCE OF IpSecIkeEndpointEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the peer endpoints with which this PEP establishes IKE "Specifies the peer endpoints with which this PEP establishes IKE
associations according to ipSecIkeEndpointStartupCondition." associations according to ipSecIkeEndpointStartupCondition."
::= { ipSecIkeAssociation 5 } INDEX { ipSecIkeEndpointPrid }
ipSecIkeEndpointEntry OBJECT-TYPE
SYNTAX IpSecIkeEndpointEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecIkeEndpointPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeEndpointIdentityType, ipSecIkeEndpointIdentityType,
ipSecIkeEndpointIdentity, ipSecIkeEndpointIdentity,
ipSecIkeEndpointAddressType, ipSecIkeEndpointAddressType,
ipSecIkeEndpointAddress, ipSecIkeEndpointAddress,
ipSecIkeEndpointPeerCredentialId, ipSecIkeEndpointPeerCredentialId,
ipSecIkeEndpointStartupCondition, ipSecIkeEndpointStartupCondition,
ipSecIkeEndpointIsOriginator, ipSecIkeEndpointIsOriginator,
ipSecIkeEndpointGroupId ipSecIkeEndpointGroupId
} }
::= { ipSecIkeAssociation 13 }
ipSecIkeEndpointEntry OBJECT-TYPE
SYNTAX IpSecIkeEndpointEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeEndpointTable 1 } ::= { ipSecIkeEndpointTable 1 }
IpSecIkeEndpointEntry ::= SEQUENCE { IpSecIkeEndpointEntry ::= SEQUENCE {
ipSecIkeEndpointPrid InstanceId, ipSecIkeEndpointPrid InstanceId,
ipSecIkeEndpointIdentityType INTEGER, ipSecIkeEndpointIdentityType INTEGER,
ipSecIkeEndpointIdentity OCTET STRING, ipSecIkeEndpointIdentity OCTET STRING,
ipSecIkeEndpointAddressType INTEGER, ipSecIkeEndpointAddressType INTEGER,
ipSecIkeEndpointAddress OCTET STRING, ipSecIkeEndpointAddress OCTET STRING,
ipSecIkeEndpointPeerCredentialId TagReferenceId, ipSecIkeEndpointPeerCredentialId TagReferenceId,
ipSecIkeEndpointStartupCondition BITS, ipSecIkeEndpointStartupCondition BITS,
ipSecIkeEndpointIsOriginator TruthValue, ipSecIkeEndpointIsOriginator TruthValue,
ipSecIkeEndpointGroupId TagId ipSecIkeEndpointGroupId TagId
} }
ipSecIkeEndpointPrid OBJECT-TYPE ipSecIkeEndpointPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecIkeEndpointEntry 1 } ::= { ipSecIkeEndpointEntry 1 }
ipSecIkeEndpointIdentityType OBJECT-TYPE ipSecIkeEndpointIdentityType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
ipV6-Address(5), ipV6-Address(5),
ipV6-Subnet(6), ipV6-Subnet(6),
ipV4-Address-Range(7), ipV4-Address-Range(7),
ipV6-Address-Range(8), ipV6-Address-Range(8),
der-Asn1-DN(9), der-Asn1-DN(9),
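Review bot: the -03 column assigns ipSecIkeProposalIkeDhGroup ::= { ipSecIkeProposalEntry 4 }, but ipSecIkeProposalCipherAlgorithm is already { ipSecIkeProposalEntry 4 } in both columns, so two attributes of IpSecIkeProposalEntry now share a subidentifier; the -02 value { ipSecIkeProposalEntry 10 } was correct (ipSecIkeProposalVendorId is 9 directly above it) and should be restored. In the same hunk ipSecIkeEndpointTable moves from { ipSecIkeAssociation 5 } to { ipSecIkeAssociation 13 }, a jump that leaves a gap in the numbering and needs the same change-list entry as the other renumberings.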
skipping to change at line 2228 skipping to change at line 2290
::= { ipSecIkeEndpointEntry 4 } ::= { ipSecIkeEndpointEntry 4 }
ipSecIkeEndpointAddress OBJECT-TYPE ipSecIkeEndpointAddress OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an endpoint address with which this PEP establishes IKE "Specifies an endpoint address with which this PEP establishes IKE
association." association."
::= { ipSecIkeEndpointEntry 5 } ::= { ipSecIkeEndpointEntry 5 }
ipSecIkeEndpointPeerCredentialId OBJECT-TYPE ipSecIkeEndpointPeerCredentialId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecPeerCredentialGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of credentials. The credential "An integer that identifies a group of credentials. The credential
specified in ipSecPeerCredentialTable whose specified in ipSecPeerCredentialTable whose
ipSecPeerCredentialGroupId match this attribute is included in ipSecPeerCredentialGroupId match this attribute is included in
this group. Any one of the credentials in the group is acceptable this group. Any one of the credentials in the group is acceptable
as the IKE peer credential. as the IKE peer credential.
If no credentials are used, this attribute MUST be zero." If no credentials are used, this attribute MUST be zero."
::= { ipSecIkeEndpointEntry 6 } ::= { ipSecIkeEndpointEntry 6 }
ipSecIkeEndpointStartupCondition OBJECT-TYPE ipSecIkeEndpointStartupCondition OBJECT-TYPE
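Review bot: with PIB-TAG ipSecPeerCredentialGroupId now on ipSecIkeEndpointPeerCredentialId, the sentence "If no credentials are used, this attribute MUST be zero" relies on 0 never being a valid ipSecPeerCredentialGroupId; say so explicitly in the ipSecPeerCredentialGroupId DESCRIPTION, otherwise a tag lookup for 0 is ambiguous. Also "whose ipSecPeerCredentialGroupId match this attribute" should read "matches".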
skipping to change at line 2285 skipping to change at line 2345
DESCRIPTION DESCRIPTION
"Specifies the group this IKE endpoint belongs to." "Specifies the group this IKE endpoint belongs to."
::= { ipSecIkeEndpointEntry 9 } ::= { ipSecIkeEndpointEntry 9 }
-- --
-- --
-- The ipSecPeerCredentialTable -- The ipSecPeerCredentialTable
-- --
ipSecPeerCredentialTable OBJECT-TYPE ipSecPeerCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecPeerCredentialEntry SYNTAX SEQUENCE OF IpSecPeerCredentialEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies groups of IKE peer credentials. Credentials in a group "Specifies groups of IKE peer credentials. Credentials in a group
are ORed. Any one of the credentials in a group is acceptable as are ORed. Any one of the credentials in a group is acceptable as
the IKE peer endpoint credential." the IKE peer endpoint credential."
::= { ipSecIkeAssociation 6 } INDEX { ipSecPeerCredentialPrid }
ipSecPeerCredentialEntry OBJECT-TYPE
SYNTAX IpSecPeerCredentialEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecPeerCredentialPrid }
UNIQUENESS { UNIQUENESS {
ipSecPeerCredentialCredentialType, ipSecPeerCredentialCredentialType,
ipSecPeerCredentialFieldsGroupId, ipSecPeerCredentialFieldsGroupId,
ipSecPeerCredentialGroupId ipSecPeerCredentialGroupId
} }
::= { ipSecIkeAssociation 5 }
ipSecPeerCredentialEntry OBJECT-TYPE
SYNTAX IpSecPeerCredentialEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecPeerCredentialTable 1 } ::= { ipSecPeerCredentialTable 1 }
IpSecPeerCredentialEntry ::= SEQUENCE { IpSecPeerCredentialEntry ::= SEQUENCE {
ipSecPeerCredentialPrid InstanceId, ipSecPeerCredentialPrid InstanceId,
ipSecPeerCredentialCredentialType INTEGER, ipSecPeerCredentialCredentialType INTEGER,
ipSecPeerCredentialFieldsGroupId TagReferenceId, ipSecPeerCredentialFieldsGroupId TagReferenceId,
ipSecPeerCredentialGroupId TagId ipSecPeerCredentialGroupId TagId
} }
ipSecPeerCredentialPrid OBJECT-TYPE ipSecPeerCredentialPrid OBJECT-TYPE
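Review bot: ipSecPeerCredentialTable moves from { ipSecIkeAssociation 6 } to { ipSecIkeAssociation 5 }, the slot vacated by ipSecIkeEndpointTable in the previous hunk; a reused subidentifier is the most confusing kind of renumbering for a PEP that still has -02 instances installed, so this needs a change-list entry.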
skipping to change at line 2337 skipping to change at line 2397
certificateX.509(1), certificateX.509(1),
kerberos-ticket(2) kerberos-ticket(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of credential to be matched." "Specifies the type of credential to be matched."
::= { ipSecPeerCredentialEntry 2 } ::= { ipSecPeerCredentialEntry 2 }
ipSecPeerCredentialFieldsGroupId OBJECT-TYPE ipSecPeerCredentialFieldsGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG ipSecCredentialFieldsGroupId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of matching criteria to be "An integer that identifies a group of matching criteria to be
used for this peer credential. The criteria specified in used for this peer credential. The criteria specified in
ipSecCredentialFieldsTable whose ipSecCredentialFieldsGroupId ipSecCredentialFieldsTable whose ipSecCredentialFieldsGroupId
match this attribute are the criteria to be used. The identified match this attribute are the criteria to be used. The identified
criteria are ANDed. " criteria are ANDed. "
::= { ipSecPeerCredentialEntry 3 } ::= { ipSecPeerCredentialEntry 3 }
ipSecPeerCredentialGroupId OBJECT-TYPE ipSecPeerCredentialGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this credential belongs to. Credentials in a "Specifies the group this credential belongs to. Credentials in a
group are ORed. Any one of the credentials in a group is group are ORed. Any one of the credentials in a group is
acceptable as the IKE peer endpoint credential." acceptable as the IKE peer endpoint credential."
::= { ipSecPeerCredentialEntry 4 } ::= { ipSecPeerCredentialEntry 4 }
-- --
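Review bot: PIB-TAG ipSecCredentialFieldsGroupId on ipSecPeerCredentialFieldsGroupId matches the PIB-TAG added for ipSecIkeEndpointPeerCredentialId, but unlike that attribute its DESCRIPTION gives no value for "no matching criteria"; since the identified criteria are ANDed, an empty group would match every credential of the given type, so either require a non-empty group or define the zero value as ipSecIkeEndpointPeerCredentialId does.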
skipping to change at line 2372 skipping to change at line 2432
-- --
ipSecCredentialFieldsTable OBJECT-TYPE ipSecCredentialFieldsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the sub-fields and their values to be matched against "Specifies the sub-fields and their values to be matched against
peer credentials obtained during IKE phase one negotiation. All peer credentials obtained during IKE phase one negotiation. All
criteria within a group are ANDed." criteria within a group are ANDed."
::= { ipSecIkeAssociation 7 } INDEX { ipSecCredentialFieldsPrid }
ipSecCredentialFieldsEntry OBJECT-TYPE
SYNTAX IpSecCredentialFieldsEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecCredentialFieldsPrid }
UNIQUENESS { UNIQUENESS {
ipSecCredentialFieldsName, ipSecCredentialFieldsName,
ipSecCredentialFieldsValue, ipSecCredentialFieldsValue,
ipSecCredentialFieldsGroupId ipSecCredentialFieldsGroupId
} }
::= { ipSecIkeAssociation 6 }
ipSecCredentialFieldsEntry OBJECT-TYPE
SYNTAX IpSecCredentialFieldsEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecCredentialFieldsTable 1 } ::= { ipSecCredentialFieldsTable 1 }
IpSecCredentialFieldsEntry ::= SEQUENCE { IpSecCredentialFieldsEntry ::= SEQUENCE {
ipSecCredentialFieldsPrid InstanceId, ipSecCredentialFieldsPrid InstanceId,
ipSecCredentialFieldsName OCTET STRING, ipSecCredentialFieldsName OCTET STRING,
ipSecCredentialFieldsValue OCTET STRING, ipSecCredentialFieldsValue OCTET STRING,
ipSecCredentialFieldsGroupId TagId ipSecCredentialFieldsGroupId TagId
} }
ipSecCredentialFieldsPrid OBJECT-TYPE ipSecCredentialFieldsPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecCredentialFieldsEntry 1 } ::= { ipSecCredentialFieldsEntry 1 }
ipSecCredentialFieldsName OBJECT-TYPE ipSecCredentialFieldsName OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the sub-field of the credential to match with." "Specifies the sub-field of the credential to match with."
::= { ipSecCredentialFieldsEntry 2 } ::= { ipSecCredentialFieldsEntry 2 }
ipSecCredentialFieldsValue OBJECT-TYPE ipSecCredentialFieldsValue OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
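Review bot: ipSecCredentialFieldsTable moves from { ipSecIkeAssociation 7 } to { ipSecIkeAssociation 6 }, again taking a subidentifier that another table used in -02; same change-list requirement as the other renumberings under ipSecIkeAssociation.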
skipping to change at line 2439 skipping to change at line 2500
-- The ipSecEspTransformSetTable -- The ipSecEspTransformSetTable
-- --
ipSecEspTransformSetTable OBJECT-TYPE ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies ESP transform sets. Within a transform set, the choices "Specifies ESP transform sets. Within a transform set, the choices
are ORed with preference order." are ORed with preference order."
INDEX { ipSecEspTransformSetPrid }
UNIQUENESS {
ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
}
::= { ipSecEspTransform 1 } ::= { ipSecEspTransform 1 }
ipSecEspTransformSetEntry OBJECT-TYPE ipSecEspTransformSetEntry OBJECT-TYPE
SYNTAX IpSecEspTransformSetEntry SYNTAX IpSecEspTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecEspTransformSetPrid }
UNIQUENESS {
ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
}
::= { ipSecEspTransformSetTable 1 } ::= { ipSecEspTransformSetTable 1 }
IpSecEspTransformSetEntry ::= SEQUENCE { IpSecEspTransformSetEntry ::= SEQUENCE {
ipSecEspTransformSetPrid InstanceId, ipSecEspTransformSetPrid InstanceId,
ipSecEspTransformSetTransformSetId TagId, ipSecEspTransformSetTransformSetId TagId,
ipSecEspTransformSetTransformId ReferenceId, ipSecEspTransformSetTransformId ReferenceId,
ipSecEspTransformSetOrder Unsigned32 ipSecEspTransformSetOrder Unsigned32
} }
ipSecEspTransformSetPrid OBJECT-TYPE ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
skipping to change at line 2481 skipping to change at line 2541
ipSecEspTransformSetTransformSetId OBJECT-TYPE ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a set of ESP transforms" "An integer that identifies a set of ESP transforms"
::= { ipSecEspTransformSetEntry 2 } ::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformSetTransformId OBJECT-TYPE ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecEspTransformTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an ESP transform, specified by "An integer that identifies an ESP transform, specified by
ipSecEspTransformPrid in ipSecEspTransformTable, that is included ipSecEspTransformPrid in ipSecEspTransformTable, that is included
in this set." in this set."
::= { ipSecEspTransformSetEntry 3 } ::= { ipSecEspTransformSetEntry 3 }
ipSecEspTransformSetOrder OBJECT-TYPE ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
skipping to change at line 2510 skipping to change at line 2569
-- --
-- --
-- The ipSecEspTransformTable -- The ipSecEspTransformTable
-- --
ipSecEspTransformTable OBJECT-TYPE ipSecEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformEntry SYNTAX SEQUENCE OF IpSecEspTransformEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION
"Specifies ESP transforms."
::= { ipSecEspTransform 2 }
ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry
STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies ESP transforms."
PIB-INDEX { ipSecEspTransformPrid } INDEX { ipSecEspTransformPrid }
UNIQUENESS { UNIQUENESS {
ipSecEspTransformIntegrityTransformId, ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId, ipSecEspTransformCipherTransformId,
ipSecEspTransformCipherKeyRounds, ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength ipSecEspTransformCipherKeyLength,
ipSecEspTransformUseReplayPrevention,
ipSecEspTransformReplayPreventionWindowSize
} }
::= { ipSecEspTransform 2 }
ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecEspTransformTable 1 } ::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE { IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid InstanceId, ipSecEspTransformPrid InstanceId,
ipSecEspTransformIntegrityTransformId INTEGER, ipSecEspTransformIntegrityTransformId INTEGER,
ipSecEspTransformCipherTransformId INTEGER, ipSecEspTransformCipherTransformId INTEGER,
ipSecEspTransformCipherKeyRounds Unsigned32, ipSecEspTransformCipherKeyRounds Unsigned32,
ipSecEspTransformCipherKeyLength Unsigned32 ipSecEspTransformCipherKeyLength Unsigned32,
ipSecEspTransformUseReplayPrevention TruthValue,
ipSecEspTransformReplayPreventionWindowSize Unsigned32
} }
ipSecEspTransformPrid OBJECT-TYPE ipSecEspTransformPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecEspTransformEntry 1 } ::= { ipSecEspTransformEntry 1 }
ipSecEspTransformIntegrityTransformId OBJECT-TYPE ipSecEspTransformIntegrityTransformId OBJECT-TYPE
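Review bot: ipSecEspTransformReplayPreventionWindowSize is added to the UNIQUENESS clause alongside ipSecEspTransformUseReplayPrevention, so two rows that differ only in window size while ipSecEspTransformUseReplayPrevention is false are both accepted although they configure the same transform; state that the window size is ignored (or MUST be 0) when replay prevention is disabled, or leave it out of UNIQUENESS. The INDEX / PIB-INDEX move in this hunk has the same problem noted for ipSecIkeProposalTable.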
skipping to change at line 2563 skipping to change at line 2626
kpdk(4) kpdk(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the ESP integrity algorithm to propose." "Specifies the ESP integrity algorithm to propose."
::= { ipSecEspTransformEntry 2 } ::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
desIV64(1), desIV64(1),
des(2), des(2),
tripleDES(3), tripleDES(3),
rc5(4), rc5(4),
idea(5), idea(5),
cast(6), cast(6),
blowfish(7), blowfish(7),
tripleIDEA(8), tripleIDEA(8),
desIV32(9), desIV32(9),
rc4(10), rc4(10),
null(11) null(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the ESP cipher/encryption algorithm to propose." "Specifies the ESP cipher/encryption algorithm to propose."
::= { ipSecEspTransformEntry 3 } ::= { ipSecEspTransformEntry 3 }
skipping to change at line 2598 skipping to change at line 2661
specified by the attribute ipSecEspTransformCipherTransformId." specified by the attribute ipSecEspTransformCipherTransformId."
::= { ipSecEspTransformEntry 4 } ::= { ipSecEspTransformEntry 4 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the length of the ESP cipher key in bits." "Specifies the length of the ESP cipher key in bits."
::= { ipSecEspTransformEntry 5 } ::= { ipSecEspTransformEntry 5 }
ipSecEspTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether to enable replay prevention detection."
::= { ipSecEspTransformEntry 6 }
ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the length of the window used by replay prevention
detection mechanism."
::= { ipSecEspTransformEntry 7 }
-- --
-- --
-- The ipSecAhTransformSetTable -- The ipSecAhTransformSetTable
-- --
ipSecAhTransformSetTable OBJECT-TYPE ipSecAhTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformSetEntry SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies AH transform sets. Within a transform set, the choices "Specifies AH transform sets. Within a transform set, the choices
are ORed with preference order." are ORed with preference order."
INDEX { ipSecAhTransformSetPrid }
UNIQUENESS {
ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
}
::= { ipSecAhTransform 1 } ::= { ipSecAhTransform 1 }
ipSecAhTransformSetEntry OBJECT-TYPE ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX IpSecAhTransformSetEntry SYNTAX IpSecAhTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformSetPrid }
UNIQUENESS {
ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
}
::= { ipSecAhTransformSetTable 1 } ::= { ipSecAhTransformSetTable 1 }
IpSecAhTransformSetEntry ::= SEQUENCE { IpSecAhTransformSetEntry ::= SEQUENCE {
ipSecAhTransformSetPrid InstanceId, ipSecAhTransformSetPrid InstanceId,
ipSecAhTransformSetTransformSetId TagId, ipSecAhTransformSetTransformSetId TagId,
ipSecAhTransformSetTransformId ReferenceId, ipSecAhTransformSetTransformId ReferenceId,
ipSecAhTransformSetOrder Unsigned32 ipSecAhTransformSetOrder Unsigned32
} }
ipSecAhTransformSetPrid OBJECT-TYPE ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
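Review bot: ipSecEspTransformReplayPreventionWindowSize has no unit and no range; the anti-replay window is counted in packets (sequence numbers) and RFC 2406 requires receivers to support a window of at least 32, so give SYNTAX Unsigned32 a range and say "in packets" in the DESCRIPTION. The phrase "replay prevention detection" in both new objects should be "anti-replay" or "replay prevention", and the two new attributes are not mentioned in the ipSecEspTransformTable DESCRIPTION.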
skipping to change at line 2651 skipping to change at line 2730
ipSecAhTransformSetTransformSetId OBJECT-TYPE ipSecAhTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an AH transform set." "An integer that identifies an AH transform set."
::= { ipSecAhTransformSetEntry 2 } ::= { ipSecAhTransformSetEntry 2 }
ipSecAhTransformSetTransformId OBJECT-TYPE ipSecAhTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecAhTransformTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an AH transform, as specified by "An integer that identifies an AH transform, as specified by
ipSecAhTransform in ipSecAhTransformTable, that is included in ipSecAhTransform in ipSecAhTransformTable, that is included in
this set." this set."
::= { ipSecAhTransformSetEntry 3 } ::= { ipSecAhTransformSetEntry 3 }
ipSecAhTransformSetOrder OBJECT-TYPE ipSecAhTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the transform "An integer that specifies the precedence order of the transform
identified by ipSecAhTransformSetTransformId within a transform identified by ipSecAhTransformSetTransformId within a transform
set. The transform set is identified by set. The transform set is identified by
ipSecAhTransformSetTransformSetId. Transforms within a set are ipSecAhTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order." before one with a higher-valued precedence order."
::= { ipSecAhTransformSetEntry 4 } ::= { ipSecAhTransformSetEntry 4 }
-- --
-- --
-- The ipSecAhTransformTable -- The ipSecAhTransformTable
-- --
ipSecAhTransformTable OBJECT-TYPE ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformEntry SYNTAX SEQUENCE OF IpSecAhTransformEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies AH transforms." "Specifies AH transforms."
INDEX { ipSecAhTransformPrid }
UNIQUENESS {
ipSecAhTransformTransformId,
ipSecAhTransformUseReplayPrevention,
ipSecAhTransformReplayPreventionWindowSize
}
::= { ipSecAhTransform 2 } ::= { ipSecAhTransform 2 }
ipSecAhTransformEntry OBJECT-TYPE ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry SYNTAX IpSecAhTransformEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformPrid }
UNIQUENESS {
ipSecAhTransformTransformId
}
::= { ipSecAhTransformTable 1 } ::= { ipSecAhTransformTable 1 }
IpSecAhTransformEntry ::= SEQUENCE { IpSecAhTransformEntry ::= SEQUENCE {
ipSecAhTransformPrid InstanceId, ipSecAhTransformPrid InstanceId,
ipSecAhTransformTransformId INTEGER ipSecAhTransformTransformId INTEGER,
ipSecAhTransformUseReplayPrevention TruthValue,
ipSecAhTransformReplayPreventionWindowSize Unsigned32
} }
ipSecAhTransformPrid OBJECT-TYPE ipSecAhTransformPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class " "An integer index to uniquely identify an instance of this class "
::= { ipSecAhTransformEntry 1 } ::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(2), md5(2),
sha-1(3), sha-1(3),
des(4) des(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the AH hash algorithm to propose." "Specifies the AH hash algorithm to propose."
::= { ipSecAhTransformEntry 2 } ::= { ipSecAhTransformEntry 2 }
ipSecAhTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether to enable replay prevention detection."
::= { ipSecAhTransformEntry 3 }
ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the length of the window used by replay prevention
detection mechanism."
::= { ipSecAhTransformEntry 4 }
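Review bot: ipSecAhTransformSetTransformId's DESCRIPTION says the referenced value is "specified by ipSecAhTransform in ipSecAhTransformTable", but the index attribute of that table is ipSecAhTransformPrid (see IpSecAhTransformEntry); fix the name. The -03 UNIQUENESS clause of ipSecAhTransformTable adds the two replay attributes, with the same "window size when replay prevention is false" ambiguity as the ESP hunk, and ipSecAhTransformReplayPreventionWindowSize needs the same unit and range as its ESP counterpart.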
-- --
-- --
-- The ipSecCompTransformSetTable -- The ipSecCompTransformSetTable
-- --
ipSecCompTransformSetTable OBJECT-TYPE ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformSetEntry SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPComp transform sets. Within a transform set, the "Specifies IPComp transform sets. Within a transform set, the
choices are ORed with preference order." choices are ORed with preference order."
INDEX { ipSecCompTransformSetPrid }
UNIQUENESS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
::= { ipSecCompTransform 1 } ::= { ipSecCompTransform 1 }
Li, et al Expires September, 2001 49
IPsec Policy Information Base March, 2001
ipSecCompTransformSetEntry OBJECT-TYPE ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformSetEntry SYNTAX IpSecCompTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformSetPrid }
UNIQUENESS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
::= { ipSecCompTransformSetTable 1 } ::= { ipSecCompTransformSetTable 1 }
IpSecCompTransformSetEntry ::= SEQUENCE { IpSecCompTransformSetEntry ::= SEQUENCE {
ipSecCompTransformSetPrid InstanceId, ipSecCompTransformSetPrid InstanceId,
ipSecCompTransformSetTransformSetId TagId, ipSecCompTransformSetTransformSetId TagId,
ipSecCompTransformSetTransformId ReferenceId, ipSecCompTransformSetTransformId ReferenceId,
ipSecCompTransformSetOrder Unsigned32 ipSecCompTransformSetOrder Unsigned32
} }
ipSecCompTransformSetPrid OBJECT-TYPE ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
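Review bot: ipSecAhTransformReplayPreventionWindowSize (the new object ending at ::= { ipSecAhTransformEntry 4 }) gives no unit, no DEFVAL and no lower bound, and nothing says what the object means when ipSecAhTransformUseReplayPrevention is false. Suggest the DESCRIPTION state that the window is counted in packets (sequence numbers), that it is ignored when replay prevention is disabled, and what the smallest usable value is: a window of 0 or 1 makes the check drop every reordered but legitimate packet, and an unstated default will be chosen differently by every PEP. The same wording is needed for the matching ESP objects that ipSecEspTransformGroup now lists. Minor: the ipSecAhTransformTransformId DESCRIPTION calls the enumeration a "hash algorithm", but des(4) is a cipher-based authenticator, so "authentication algorithm" would be accurate.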
skipping to change at line 2775 skipping to change at line 2877
ipSecCompTransformSetTransformSetId OBJECT-TYPE ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPComp transform set" "An integer that identifies an IPComp transform set"
::= { ipSecCompTransformSetEntry 2 } ::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformSetTransformId OBJECT-TYPE ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecCompTransformTable
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IPComp Transform, specified by "An integer that identifies an IPComp Transform, specified by
ipSecCompTransformPrid in ipSecCompTransformTable, that is ipSecCompTransformPrid in ipSecCompTransformTable, that is
included in this set." included in this set."
::= { ipSecCompTransformSetEntry 3 } ::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformSetOrder OBJECT-TYPE ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the transform "An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A given precedence order is positioned ORed with preference order. A given precedence order is positioned
before one with a higher-valued precedence order." before one with a higher-valued precedence order."
::= { ipSecCompTransformSetEntry 4 } ::= { ipSecCompTransformSetEntry 4 }
-- --
-- --
-- The ipSecCompTransformTable -- The ipSecCompTransformTable
-- --
ipSecCompTransformTable OBJECT-TYPE ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry SYNTAX SEQUENCE OF IpSecCompTransformEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPComp transforms." "Specifies IPComp transforms."
::= { ipSecCompTransform 2 }
ipSecCompTransformEntry OBJECT-TYPE Li, et al Expires January, 2002 52
SYNTAX IpSecCompTransformEntry IPsec Policy Information Base July, 2001
STATUS current
DESCRIPTION INDEX { ipSecCompTransformPrid }
"Specifies an instance of this class."
PIB-INDEX { ipSecCompTransformPrid }
UNIQUENESS { UNIQUENESS {
ipSecCompTransformAlgorithm, ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize, ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm ipSecCompTransformPrivateAlgorithm
} }
::= { ipSecCompTransform 2 }
ipSecCompTransformEntry OBJECT-TYPE
SYNTAX IpSecCompTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecCompTransformTable 1 } ::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE { IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid InstanceId, ipSecCompTransformPrid InstanceId,
ipSecCompTransformAlgorithm INTEGER, ipSecCompTransformAlgorithm INTEGER,
ipSecCompTransformDictionarySize Unsigned32, ipSecCompTransformDictionarySize Unsigned32,
ipSecCompTransformPrivateAlgorithm Unsigned32 ipSecCompTransformPrivateAlgorithm Unsigned32
} }
ipSecCompTransformPrid OBJECT-TYPE ipSecCompTransformPrid OBJECT-TYPE
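Review bot: the -03 column moves the INDEX and UNIQUENESS clauses out of ipSecCompTransformEntry and into the ipSecCompTransformTable definition (the lines between "Specifies IPComp transforms." and ::= { ipSecCompTransform 2 }) and drops the PIB-INDEX from the entry, so the row is left with no index clause at all. In SPPI the PIB-INDEX and UNIQUENESS clauses belong to the conceptual row's OBJECT-TYPE, exactly as the -02 column has them (PIB-INDEX { ipSecCompTransformPrid } under ipSecCompTransformEntry); the SEQUENCE OF table object takes neither clause, and a PIB compiler will reject the -03 form. The same move appears at ipSecCompTransformSetTable just above and at every table later in the diff, so this is a systematic change that should be reverted rather than a one-off slip.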
skipping to change at line 2847 skipping to change at line 2948
::= { ipSecCompTransformEntry 1 } ::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
oui(1), oui(1),
deflate(2), deflate(2),
lzs(3) lzs(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPComp compression algorithm to propose." "Specifies the IPComp compression algorithm to propose."
::= { ipSecCompTransformEntry 2 } ::= { ipSecCompTransformEntry 2 }
ipSecCompTransformDictionarySize OBJECT-TYPE ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the log2 maximum size of the dictionary." "Specifies the log2 maximum size of the dictionary."
::= { ipSecCompTransformEntry 3 } ::= { ipSecCompTransformEntry 3 }
ipSecCompTransformPrivateAlgorithm OBJECT-TYPE ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies a specific vendor algorithm that will be used. " "Specifies a specific vendor algorithm that will be used. "
::= { ipSecCompTransformEntry 4 } ::= { ipSecCompTransformEntry 4 }
-- --
-- --
-- The ipSecRuleTimePeriodTable -- The ipSecRuleTimePeriodTable
-- --
ipSecRuleTimePeriodTable OBJECT-TYPE ipSecRuleTimePeriodTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the time periods during which a policy rule is valid. "Specifies the time periods during which a policy rule is valid.
The values of the first five attributes in a row are ANDed The values of the first five attributes in a row are ANDed
together to determine the validity period(s). If any of the five together to determine the validity period(s). If any of the five
attributes is not present, it is treated as having value always attributes is not present, it is treated as having value always
enabled. " enabled. "
::= { ipSecPolicyTimePeriod 1 } INDEX { ipSecRuleTimePeriodPrid }
ipSecRuleTimePeriodEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class."
PIB-INDEX { ipSecRuleTimePeriodPrid }
UNIQUENESS { UNIQUENESS {
ipSecRuleTimePeriodTimePeriod, ipSecRuleTimePeriodTimePeriod,
ipSecRuleTimePeriodMonthOfYearMask, ipSecRuleTimePeriodMonthOfYearMask,
ipSecRuleTimePeriodDayOfMonthMask, ipSecRuleTimePeriodDayOfMonthMask,
ipSecRuleTimePeriodDayOfWeekMask, ipSecRuleTimePeriodDayOfWeekMask,
ipSecRuleTimePeriodTimeOfDayMask, ipSecRuleTimePeriodTimeOfDayMask,
ipSecRuleTimePeriodLocalOrUtcTime ipSecRuleTimePeriodLocalOrUtcTime
} }
::= { ipSecPolicyTimePeriod 1 }
ipSecRuleTimePeriodEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecRuleTimePeriodTable 1 } ::= { ipSecRuleTimePeriodTable 1 }
IpSecRuleTimePeriodEntry ::= SEQUENCE { IpSecRuleTimePeriodEntry ::= SEQUENCE {
ipSecRuleTimePeriodPrid InstanceId, ipSecRuleTimePeriodPrid InstanceId,
ipSecRuleTimePeriodTimePeriod OCTET STRING, ipSecRuleTimePeriodTimePeriod OCTET STRING,
ipSecRuleTimePeriodMonthOfYearMask OCTET STRING, ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
ipSecRuleTimePeriodDayOfMonthMask OCTET STRING, ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
ipSecRuleTimePeriodDayOfWeekMask OCTET STRING, ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
ipSecRuleTimePeriodTimeOfDayMask OCTET STRING, ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
ipSecRuleTimePeriodLocalOrUtcTime INTEGER ipSecRuleTimePeriodLocalOrUtcTime INTEGER
} }
ipSecRuleTimePeriodPrid OBJECT-TYPE ipSecRuleTimePeriodPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodEntry 1 } ::= { ipSecRuleTimePeriodEntry 1 }
ipSecRuleTimePeriodTimePeriod OBJECT-TYPE ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that identifies an overall range of calendar "An octet string that identifies an overall range of calendar
dates and times over which a policy rule is valid. It reuses the dates and times over which a policy rule is valid. It reuses the
format for an explicit time period defined in RFC 2445 : a string format for an explicit time period defined in RFC 2445 : a string
representing a starting date and time, in which the character 'T' representing a starting date and time, in which the character 'T'
indicates the beginning of the time portion, followed by the indicates the beginning of the time portion, followed by the
solidus character '/', followed by a similar string representing solidus character '/', followed by a similar string representing
an end date and time. The first date indicates the beginning of an end date and time. The first date indicates the beginning of
the range, while the second date indicates the end. Thus, the the range, while the second date indicates the end. Thus, the
second date and time must be later than the first. Date/times are second date and time must be later than the first. Date/times are
expressed as substrings expressed as substrings of the form yyyymmddThhmmss.
of the form yyyymmddThhmmss.
There are also two special cases: There are also two special cases:
- If the first date/time is replaced with the string - If the first date/time is replaced with the string
THISANDPRIOR, then the property indicates that a policy rule is THISANDPRIOR, then the property indicates that a policy rule is
valid [from now] until the date/time that appears after the '/'. valid [from now] until the date/time that appears after the '/'.
- If the second date/time is replaced with the string - If the second date/time is replaced with the string
THISANDFUTURE, then the property indicates that a policy rule THISANDFUTURE, then the property indicates that a policy rule
becomes valid on the date/time that appears before the '/', and becomes valid on the date/time that appears before the '/', and
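Review bot: the ipSecRuleTimePeriodTable DESCRIPTION says an attribute that "is not present" is treated as always enabled, but IpSecRuleTimePeriodEntry lists the five attributes as ordinary members and no encoding for absence is defined anywhere in the row. State the sentinel (for example a zero-length OCTET STRING for the masks and the time period) so that a PEP has a definite rule; otherwise an empty or malformed mask is likely to be read as "always valid", which is the permissive failure mode for an attribute that gates when an IPsec rule applies. Separately, ipSecCompTransformPrivateAlgorithm should say that it is only meaningful when ipSecCompTransformAlgorithm is oui(1); as written there is no rule for a non-zero private value combined with deflate(2) or lzs(3).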
skipping to change at line 2958 skipping to change at line 3057
" "
::= { ipSecRuleTimePeriodEntry 2 } ::= { ipSecRuleTimePeriodEntry 2 }
ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which months the policy is valid "An octet string that specifies which months the policy is valid
for. The octet string is structured as follows: for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire - a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000006 for this octet string; this field is always set to 0x00000006 for this
property; property;
- a 2-octet field consisting of 12 bits identifying the 12 months - a 2-octet field consisting of 12 bits identifying the 12 months
of the year, beginning with January and ending with December, of the year, beginning with January and ending with December,
followed by 4 bits that are always set to '0'. For each month, followed by 4 bits that are always set to '0'. For each month,
the value '1' indicates that the policy is valid for that month, the value '1' indicates that the policy is valid for that month,
and the value '0' indicates that it is not valid. and the value '0' indicates that it is not valid.
If this property is omitted, then the policy rule is treated as If this property is omitted, then the policy rule is treated as
valid for all twelve months." valid for all twelve months."
::= { ipSecRuleTimePeriodEntry 3 } ::= { ipSecRuleTimePeriodEntry 3 }
ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which days of the month the policy "An octet string that specifies which days of the month the policy
is valid for. The octet string is structured as follows: is valid for. The octet string is structured as follows:
-a 4-octet length field, indicating the length of the entire octet -a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x0000000C for this property; string; this field is always set to 0x0000000C for this property;
-an 8-octet field consisting of 31 bits identifying the days of -an 8-octet field consisting of 31 bits identifying the days of
the month counting from the beginning, followed by 31 more bits the month counting from the beginning, followed by 31 more bits
identifying the days of the month counting from the end, followed identifying the days of the month counting from the end, followed
by 2 bits that are always set to '0'. For each day, the value '1' by 2 bits that are always set to '0'. For each day, the value '1'
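Review bot: both masks carry a 4-octet length field that duplicates the length of the OCTET STRING itself (0x00000006 for the month mask, 0x0000000C for the day-of-month mask). The DESCRIPTIONs should require a PEP to reject an instance whose embedded length differs from the actual string length; otherwise one of the two lengths is trusted and the other ignored, and implementations will disagree on which. The bit layouts also never say which bit of the first octet is January (or day 1); "followed by 4 bits that are always set to '0'" implies most-significant-bit-first, and saying so explicitly avoids a bit-order bug that would silently shift the months during which a rule is valid.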
skipping to change at line 3014 skipping to change at line 3114
- a 4-octet length field, indicating the length of the entire - a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000005 for this octet string; this field is always set to 0x00000005 for this
property; property;
- a 1-octet field consisting of 7 bits identifying the 7 days of - a 1-octet field consisting of 7 bits identifying the 7 days of
the week, beginning with Sunday and ending with Saturday, followed the week, beginning with Sunday and ending with Saturday, followed
by 1 bit that is always set to '0'. For each day of the week, the by 1 bit that is always set to '0'. For each day of the week, the
value '1' indicates that the policy is valid for that day, and the value '1' indicates that the policy is valid for that day, and the
value '0' indicates that it is not valid. value '0' indicates that it is not valid.
" "
::= { ipSecRuleTimePeriodEntry 5 } ::= { ipSecRuleTimePeriodEntry 5 }
ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies a range of times in a day the "An octet string that specifies a range of times in a day the
policy is valid for. It is formatted as follows: policy is valid for. It is formatted as follows:
A time string beginning with the character 'T', followed by the A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The solidus character '/', followed by a second time string. The
first time indicates the beginning of the range, while the second first time indicates the beginning of the range, while the second
time indicates the end. Times are expressed as substrings of the time indicates the end. Times are expressed as substrings of the
form Thhmmss. form Thhmmss.
The second substring always identifies a later time than the first The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from first substring. Thus, T080000/T210000 identifies the range from
0800 until 2100, while T210000/T080000 identifies the range from 0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day." 2100 until 0800 of the following day."
::= { ipSecRuleTimePeriodEntry 6 } ::= { ipSecRuleTimePeriodEntry 6 }
ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
localTime(1), localTime(1),
utcTime(2) utcTime(2)
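Review bot: the ipSecRuleTimePeriodTimeOfDayMask DESCRIPTION contradicts itself: "The second substring always identifies a later time than the first substring" is immediately followed by "the value of the second string may be smaller than the value of the first substring". Suggest replacing the first sentence with a statement that the second substring is the end of the range and that a smaller second value means the range wraps past midnight, as the T210000/T080000 example already shows, and say whether equal substrings denote an empty range or a full day. Likewise the day-of-week mask should state which bit of its single octet is Sunday.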
skipping to change at line 3069 skipping to change at line 3169
ipSecRuleTimePeriodSetTable OBJECT-TYPE ipSecRuleTimePeriodSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies multiple time period sets. The ipSecRuleTimePeriodTable "Specifies multiple time period sets. The ipSecRuleTimePeriodTable
can specify only a single time period within a day. This table can specify only a single time period within a day. This table
enables the specification of multiple time periods within a day by enables the specification of multiple time periods within a day by
grouping them into one set. " grouping them into one set. "
INDEX { ipSecRuleTimePeriodSetPrid }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecPolicyTimePeriod 2 } ::= { ipSecPolicyTimePeriod 2 }
ipSecRuleTimePeriodSetEntry OBJECT-TYPE ipSecRuleTimePeriodSetEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodSetEntry SYNTAX IpSecRuleTimePeriodSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class." "Specifies an instance of this class"
PIB-INDEX { ipSecRuleTimePeriodSetPrid }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecRuleTimePeriodSetTable 1 } ::= { ipSecRuleTimePeriodSetTable 1 }
IpSecRuleTimePeriodSetEntry ::= SEQUENCE { IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
ipSecRuleTimePeriodSetPrid InstanceId, ipSecRuleTimePeriodSetPrid InstanceId,
ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId, ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
} }
ipSecRuleTimePeriodSetPrid OBJECT-TYPE ipSecRuleTimePeriodSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 } ::= { ipSecRuleTimePeriodSetEntry 1 }
ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an ipSecRuleTimePeriod set. " "An integer that uniquely identifies an ipSecRuleTimePeriod set. "
::= { ipSecRuleTimePeriodSetEntry 2 } ::= { ipSecRuleTimePeriodSetEntry 2 }
ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES ipSecRuleTimePeriod
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an ipSecRuleTimePeriod, specified by "An integer that identifies an ipSecRuleTimePeriod, specified by
ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
included in this set." included in this set."
::= { ipSecRuleTimePeriodSetEntry 3 } ::= { ipSecRuleTimePeriodSetEntry 3 }
-- --
-- --
-- The ipSecIfCapsTable
--
ipSecIfCapsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIfCapsEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies capabilities that may be associated with an interface
of a specific type. The instances of this table are referenced by
the frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-
PIB]."
INDEX { ipSecIfCapsPrid }
UNIQUENESS {
ipSecIfCapsDirection,
ipSecIfCapsMaxActions
}
::= { ipSecIfCaps 1 }
ipSecIfCapsEntry OBJECT-TYPE
SYNTAX IpSecIfCapsEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIfCapsTable 1 }
IpSecIfCapsEntry ::= SEQUENCE {
ipSecIfCapsPrid InstanceId,
ipSecIfCapsDirection INTEGER,
ipSecIfCapsMaxActions Unsigned32
}
ipSecIfCapsPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class."
::= { ipSecIfCapsEntry 1 }
ipSecIfCapsDirection OBJECT-TYPE
SYNTAX INTEGER {
in(1),
out(2),
bi-directional(3)
}
STATUS current
DESCRIPTION
"Specifies the direction for which the capability applies."
::= { ipSecIfCapsEntry 2 }
ipSecIfCapsMaxActions OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the maxmum number of actions an action group may
contain. Actions that are specified in the ipSecActionTable and
have the same ipSecActionActionGroupId value belong to the same
action group.
A value of zero indicates that there is no maximum limit."
::= { ipSecIfCapsEntry 3 }
--
--
-- Conformance Section -- Conformance Section
-- --
ipSecPolicyPibConformanceCompliances ipSecPolicyPibConformanceCompliances
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
IPSecPibCompilance MODULE-COMPLIANCE IPSecPibCompilance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Compliance statement" " Compliance statement"
MODULE MANDATORY-GROUPS { MODULE MANDATORY-GROUPS {
ipSecAddressGroup, ipSecAddressGroup,
ipSecL4PortGroup, ipSecL4PortGroup,
ipSecSelectorGroup, ipSecSelectorGroup,
ipSecRuleGroup, ipSecRuleGroup,
ipSecActionGroup, ipSecActionGroup,
ipSecAssociationGroup, ipSecAssociationGroup,
ipSecProposalSetGroup, ipSecProposalSetGroup,
ipSecProposalGroup, ipSecProposalGroup,
ipSecIkeAssociationGroup, ipSecIkeAssociationGroup,
ipSecIkeRuleGroup, ipSecIkeRuleGroup,
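Review bot: PIB-REFERENCES ipSecRuleTimePeriod under ipSecRuleTimePeriodSetRuleTimePeriodId names the OID subtree rather than the table. The equivalent clause under ipSecCompTransformSetTransformId reads PIB-REFERENCES ipSecCompTransformTable, and the DESCRIPTION here itself points at ipSecRuleTimePeriodTable, so the clause should name ipSecRuleTimePeriodTable. Two spelling points in the same region: "maxmum" in the ipSecIfCapsMaxActions DESCRIPTION, and the compliance statement is named IPSecPibCompilance where IPSecPibCompliance is clearly intended; since descriptors are referenced by name, a later reference to the corrected spelling would not resolve against this module.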
skipping to change at line 3157 skipping to change at line 3323
ipSecIkeProposalGroup, ipSecIkeProposalGroup,
ipSecIkeEndpointGroup, ipSecIkeEndpointGroup,
ipSecPeerCredentialGroup, ipSecPeerCredentialGroup,
ipSecCredentialFieldsGroup, ipSecCredentialFieldsGroup,
ipSecEspTransformSetGroup, ipSecEspTransformSetGroup,
ipSecEspTransformGroup, ipSecEspTransformGroup,
ipSecAhTransformSetGroup, ipSecAhTransformSetGroup,
ipSecAhTransformGroup, ipSecAhTransformGroup,
ipSecCompTransformSetGroup, ipSecCompTransformSetGroup,
ipSecCompTransformGroup, ipSecCompTransformGroup,
ipSecIfCapsGroup,
} }
GROUP ipSecRuleTimePeriodGroup GROUP ipSecRuleTimePeriodGroup
DESCRIPTION DESCRIPTION
"The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is "The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is
supported." supported."
GROUP ipSecRuleTimePeriodSetGroup GROUP ipSecRuleTimePeriodSetGroup
DESCRIPTION DESCRIPTION
"The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling "The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling
is supported." is supported."
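Review bot: the MANDATORY-GROUPS list ends with a trailing comma in both columns ("ipSecCompTransformGroup," before the closing brace in -02, "ipSecIfCapsGroup," in -03); that is a syntax error and a PIB compiler will reject the module. Drop the comma after the last group name.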
skipping to change at line 3182 skipping to change at line 3349
AddrMask, AddrMask,
AddrMin, AddrMin,
AddrMax, AddrMax,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecAddressTable." " Objects from the ipSecAddressTable."
::= { ipSecPolicyPibConformanceGroups 1 } ::= { ipSecPolicyPibConformanceGroups 1 }
ipSecL4PortGroup OBJECT-GROUP ipSecL4PortGroup OBJECT-GROUP
OBJECTS { OBJECTS {
PortMin, PortMin,
PortMax, PortMax,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecL4PortTable." " Objects from the ipSecL4PortTable."
::= { ipSecPolicyPibConformanceGroups 2 } ::= { ipSecPolicyPibConformanceGroups 2 }
ipSecSelectorGroup OBJECT-GROUP ipSecSelectorGroup OBJECT-GROUP
OBJECTS { OBJECTS {
SrcAddressGroupId, SrcAddressGroupId,
SrcPortGroupId, SrcPortGroupId,
DstAddressGroupId, DstAddressGroupId,
DstPortGroupId, DstPortGroupId,
Protocol, Protocol,
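Review bot: the OBJECTS clauses of ipSecAddressGroup and ipSecL4PortGroup list AddrMask, AddrMin, AddrMax, PortMin, PortMax and GroupId, which are name suffixes rather than the descriptors the module defines (every object elsewhere in the module is fully prefixed, e.g. ipSecCompTransformSetOrder). OBJECTS must name the actual object descriptors, and GroupId on its own cannot resolve to one object when several tables carry a GroupId attribute, so this conformance section cannot be compiled as written; the same applies to every OBJECT-GROUP that follows.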
skipping to change at line 3214 skipping to change at line 3381
StartupCondition, StartupCondition,
IsOriginator, IsOriginator,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecSelectorTable." " Objects from the ipSecSelectorTable."
::= { ipSecPolicyPibConformanceGroups 3 } ::= { ipSecPolicyPibConformanceGroups 3 }
ipSecRuleGroup OBJECT-GROUP ipSecRuleGroup OBJECT-GROUP
OBJECTS { OBJECTS {
IfName,
Roles, Roles,
Direction, Direction,
IpSecSelectorGroupId, IpSecSelectorGroupId,
IpSecActionGroupId, IpSecActionGroupId,
IpSecRuleTimePeriodGroupId IpSecRuleTimePeriodGroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecRuleTable." " Objects from the ipSecRuleTable."
::= { ipSecPolicyPibConformanceGroups 4 } ::= { ipSecPolicyPibConformanceGroups 4 }
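Review bot: IfName is added to ipSecRuleGroup in the -03 column, but the matching attribute of ipSecRuleTable is not in view in this diff; confirm that the table's SEQUENCE and an OBJECT-TYPE for it were added as well, and that the ipSecRuleTable DESCRIPTION says how IfName combines with Roles when a PEP selects the rules for an interface, since the new ipSecIfCapsTable also keys capabilities by interface and direction.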
skipping to change at line 3239 skipping to change at line 3407
DoLogging, DoLogging,
IpSecSecurityAssociationId, IpSecSecurityAssociationId,
ActionGroupId, ActionGroupId,
Order, Order,
IkeRuleId IkeRuleId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecActionTable." " Objects from the ipSecActionTable."
::= { ipSecPolicyPibConformanceGroups 5 } ::= { ipSecPolicyPibConformanceGroups 5 }
ipSecAssociationGroup OBJECT-GROUP ipSecAssociationGroup OBJECT-GROUP
OBJECTS { OBJECTS {
RefreshThresholdSeconds, RefreshThresholdSeconds,
RefreshThresholdKilobytes, RefreshThresholdKilobytes,
MinLifetimeSeconds, MinLifetimeSeconds,
MinLifetimeKilobytes, MinLifetimeKilobytes,
TrafficIdleTime, TrafficIdleTime,
UsePfs, UsePfs,
VendorId, VendorId,
UseIkeGroup, UseIkeGroup,
DhGroup, DhGroup,
ProposalSetId ProposalSetId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 3296 skipping to change at line 3464
RefreshThresholdKilobytes, RefreshThresholdKilobytes,
MinLiftetimeSeconds, MinLiftetimeSeconds,
MinLifetimeKilobytes, MinLifetimeKilobytes,
TrafficIdleTime, TrafficIdleTime,
ExchangeMode, ExchangeMode,
UseIkeIdentityType, UseIkeIdentityType,
RefreshThresholdDerivedKeys, RefreshThresholdDerivedKeys,
IKEProposalSetId IKEProposalSetId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeAssociationTable." " Objects from the ipSecIkeAssociationTable."
::= { ipSecPolicyPibConformanceGroups 9 } ::= { ipSecPolicyPibConformanceGroups 9 }
ipSecIkeRuleGroup OBJECT-GROUP ipSecIkeRuleGroup OBJECT-GROUP
OBJECTS { OBJECTS {
IfName,
Roles, Roles,
IkeAssiciationId, IkeAssiciationId,
IpSecRuleTimePeriodGroupId, IpSecRuleTimePeriodGroupId,
IkeEndpointGroupId IkeEndpointGroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeRuleTable." " Objects from the ipSecIkeRuleTable."
::= { ipSecPolicyPibConformanceGroups 10 } ::= { ipSecPolicyPibConformanceGroups 10 }
ipSecIkeProposalSetGroup OBJECT-GROUP ipSecIkeProposalSetGroup OBJECT-GROUP
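Review bot: two descriptors in this region are misspelled and will not resolve: MinLiftetimeSeconds in ipSecIkeAssociationGroup (ipSecAssociationGroup spells the same attribute MinLifetimeSeconds) and IkeAssiciationId in ipSecIkeRuleGroup, which should read IkeAssociationId to match the IKE association it refers to.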
skipping to change at line 3353 skipping to change at line 3522
Identity, Identity,
AddressType, AddressType,
Address, Address,
PeerCredentialId, PeerCredentialId,
StartupCondition, StartupCondition,
IsOriginator, IsOriginator,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecIkeEndpointTable." " Objects from the ipSecIkeEndpointTable."
::= { ipSecPolicyPibConformanceGroups 13 } ::= { ipSecPolicyPibConformanceGroups 13 }
ipSecPeerCredentialGroup OBJECT-GROUP ipSecPeerCredentialGroup OBJECT-GROUP
OBJECTS { OBJECTS {
CredentialType, CredentialType,
FieldsGroupId, FieldsGroupId,
GroupId GroupId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecPeerCredentialTable." " Objects from the ipSecPeerCredentialTable."
::= { ipSecPolicyPibConformanceGroups 14 } ::= { ipSecPolicyPibConformanceGroups 14 }
ipSecCredentialFieldsGroup OBJECT-GROUP ipSecCredentialFieldsGroup OBJECT-GROUP
OBJECTS { OBJECTS {
skipping to change at line 3394 skipping to change at line 3563
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecEspTransformSetTable." " Objects from the ipSecEspTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 16 } ::= { ipSecPolicyPibConformanceGroups 16 }
ipSecEspTransformGroup OBJECT-GROUP ipSecEspTransformGroup OBJECT-GROUP
OBJECTS { OBJECTS {
IntegrityTransformId, IntegrityTransformId,
CipherTransformId, CipherTransformId,
CipherKeyRounds, CipherKeyRounds,
CipherKeyLength CipherKeyLength,
UseReplayPrevention,
ReplayPreventionWindowSize
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecEspTransformTable." " Objects from the ipSecEspTransformTable."
::= { ipSecPolicyPibConformanceGroups 17 } ::= { ipSecPolicyPibConformanceGroups 17 }
ipSecAhTransformSetGroup OBJECT-GROUP ipSecAhTransformSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformSetId, TransformSetId,
TransformId, TransformId,
Order Order
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecAhTransformSetTable." " Objects from the ipSecAhTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 18 } ::= { ipSecPolicyPibConformanceGroups 18 }
ipSecAhTransformGroup OBJECT-GROUP ipSecAhTransformGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformId
TransformId,
UseReplayPrevention,
ReplayPreventionWindowSize
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Objects from the ipSecAhTransformTable." " Objects from the ipSecAhTransformTable."
::= { ipSecPolicyPibConformanceGroups 19 } ::= { ipSecPolicyPibConformanceGroups 19 }
ipSecCompTransformSetGroup OBJECT-GROUP ipSecCompTransformSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
TransformSetId, TransformSetId,
TransformId, TransformId,
Order Order
skipping to change at line 3466 skipping to change at line 3639
ipSecRuleTimePeriodSetGroup OBJECT-GROUP ipSecRuleTimePeriodSetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
RuleTimePeriodSetId, RuleTimePeriodSetId,
RuleTimePeriodId RuleTimePeriodId
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" The ipSecRuleTimePeriodSetGroup is mandatory if policy " The ipSecRuleTimePeriodSetGroup is mandatory if policy
scheduling is supported." scheduling is supported."
::= { ipSecPolicyPibConformanceGroups 23 } ::= { ipSecPolicyPibConformanceGroups 23 }
END ipSecIfCapsGroup OBJECT-GROUP
OBJECTS {
Direction,
MaxActions
}
STATUS current
DESCRIPTION
" Objects from the ipSecIfCapsTable."
::= { ipSecPolicyPibConformanceGroups 24 }
END
7. Security Considerations 7. Security Considerations
Since COPS is used to carry the PIB defined in this document, the Since COPS is used to carry the PIB defined in this document, the
security and protection of the information can be provided by security and protection of the information can be provided by
either COPS or a combination of COPS and other security protocols, either COPS or a combination of COPS and other security protocols,
e.g., IPsec or TLS. e.g., IPsec or TLS.
8. References 8. References
1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996.
2 Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402, [AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998. November 1998.
[ARCH] S. Kent, R. Atkinson, "Security Architecture for the [ARCH] S. Kent, R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998. Internet Protocol", RFC 2401, November 1998.
[ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and [ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
Scheduling Core Object Specification (iCalendar)", RFC 2445, Scheduling Core Object Specification (iCalendar)", RFC 2445,
November 1998. November 1998.
[COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. [COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000. January 2000.
[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. [COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning," draft-ietf-rap-cops-pr-02.txt, March 2000. Policy Provisioning," RFC 3084, March 2001.
[DOI] D. Piper, "The Internet IP Security Domain of Interpretation [DOI] D. Piper, "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998. for ISAKMP", RFC 2407, November 1998.
[ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload [ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998. (ESP)", RFC 2406, November 1998.
[FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A. [FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
Smith, F. Reichmeyer, "Framework Policy Information Base", Internet Smith, F. Reichmeyer, "Framework Policy Information Base", draft-
Draft, March 2000. ietf-rap-frameworkpib-04.txt, March 2001.
[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", [IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998. RFC 2409, November 1998.
[IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP [IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP
Payload Compression Protocol (IPComp)", RFC 2393, August 1998. Payload Compression Protocol (IPComp)", RFC 2393, August 1998.
[IPSEC-IM] J. Jason, "IPSec Configuration Policy Model," draft- [IPSEC-IM] J. Jason, "IPSec Configuration Policy Model," draft-
ietf-ipsp-config-policy-model-00.txt, March 2000. ietf-ipsp-config-policy-model-02.txt, March 2001.
[ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner, [ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner,
"Internet Security Association and Key Management Protocol "Internet Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998. (ISAKMP)", RFC 2408, November 1998.
[PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core
Information Model -- Version 1 Specification", draft-ietf-policy- Information Model -- Version 1 Specification", RFC 3060, February
core-info-model-06.txt, May 2000. 2000.
[SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A. [SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
Smith, F. Reichmeyer, "Structure of Policy Provisioning Smith, F. Reichmeyer, "Structure of Policy Provisioning
Information," draft-ietf-rap-sppi-01.txt, July 2000. Information," draft-ietf-rap-sppi-07.txt, May 2001.
9. Authors' Addresses 9. Authors' Addresses
Man Li Man Li
Nokia Nokia
5 Wayside Road, 5 Wayside Road,
Burlington, MA 01803 Burlington, MA 01803
Phone: +1 781 993 3923 Phone: +1 781 993 3923
Email: man.m.li@nokia.com Email: man.m.li@nokia.com
skipping to change at line 3565 skipping to change at line 3742
Email: avri@nortelnetworks.com Email: avri@nortelnetworks.com
Jamie Jason Jamie Jason
Intel Corporation Intel Corporation
MS JF3-206 MS JF3-206
2111 NE 25th Ave. 2111 NE 25th Ave.
Hillsboro, OR 97124 Hillsboro, OR 97124
Phone: +1 503 264 9531 Phone: +1 503 264 9531
E-Mail: jamie.jason@intel.com E-Mail: jamie.jason@intel.com
Cliff Wang Cliff Wang
SmartPipes Inc. SmartPipes Inc.
Suite 300, 565 Metro Place South Suite 300, 565 Metro Place South
Dublin, OH 43017 Dublin, OH 43017
Phone: +1 614 923 6241 Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com E-Mail: CWang@smartpipes.com
Full Copyright Statement Full Copyright Statement
"Copyright (C) The Internet Society (date). All Rights Reserved. "Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared, copied, explain it or assist in its implementation may be prepared, copied,
published and distributed, in whole or in part, without published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any works. However, this document itself may not be modified in any
way, such as by removing the copyright notice or references to the way, such as by removing the copyright notice or references to the
Internet Society or other Internet organizations, except as needed Internet Society or other Internet organizations, except as needed
for the purpose of developing Internet standards in which case the for the purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards procedures for copyrights defined in the Internet Standards
process must be followed, or as required to translate it into. process must be followed, or as required to translate it into.