draft-ietf-ipsp-ipsecpib-03.txt   draft-ietf-ipsp-ipsecpib-04.txt 
=== Left column: draft-ietf-ipsp-ipsecpib-03.txt ===

ipsp working group                                               Man Li
Internet Draft                                                    Nokia
Expires January 2002                                      David Arneson
                                                         No Affiliation
                                                             Avri Doria
                                                        Nortel Networks
                                                            Jamie Jason
                                                                  Intel
                                                             Cliff Wang
                                                              SmartPipe
                                                              July 2001

                     IPSec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-03.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

1. Abstract

This document specifies a set of policy rule classes (PRC) for configuring IPSec policy at IPsec-enabled devices. Instances of these classes reside in a virtual information store called the IPSec Policy Information Base (PIB). The COPS protocol [COPS] with extensions for provisioning [COPS-PR] is used to transmit this IPSec policy information to IPSec-enabled devices (e.g., security gateways). The PRCs defined in this IPSec PIB are intended for use by the COPS-PR IPSec client type. They complement the PRCs defined in the Framework PIB [FR-PIB].

2. Conventions used in this document

Li, et al                 Expires January, 2002                       1
IPsec Policy Information Base                                July, 2001

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [2].

3. Introduction

The policy rule classes (PRC) defined in this document contain parameters for IKE phase one and phase two negotiations. Details of these parameters can be found in [IPSEC-IM], [IKE], [ESP], [AH], [DOI], [IPCOMP] and [SPPI]. The PIB defined in this document is based on the IPSec configuration policy model [IPSEC-IM]. The rule and role approach proposed in [PCIM], which scales to large networks, is adopted for distributing IPsec policy over the COPS protocol.

4. Operation Overview

Following the policy framework convention [PCIM], the management entity that downloads policy to IPSec-enabled devices will be called a Policy Decision Point (PDP) and the target IPSec-enabled devices will be called Policy Execution Points (PEP).

After connecting to a PDP using COPS-PR, a PEP reports to the PDP the PIB Provisioning Classes (PRCs) it supports as well as any limitations related to the implementations of these classes and parameters. The PEP provides the above information using the frwkPrcSupportTable and the frwkCompLimitsTable defined in the framework PIB [FR-PIB]. In addition, the PEP also reports the interface type capabilities and role combinations it supports using the frwkIfCapSetTable and the frwkIfCapSetRoleComboTable. Each row of the frwkIfCapSetTable contains a capability set name and a reference to an instance of a PRC that describes the capabilities of the interface type. The capability instances may reside in the ipSecIfCapsTable or in a table defined in another PIB. Each row of the frwkIfCapSetRoleComboTable contains an interface capability set name and a role combination.

Based on the interface capabilities and role combinations, the PDP provides the PEP with an IPSec PIB that contains IPSec policy. Later on, if the interface capabilities or role combinations of the PEP change, the PEP MUST notify the PDP. The PDP will then send a new PIB to the PEP. In addition, if the policy associated with given interface capabilities and role combination changes, the PDP MUST download a new IPSec PIB to all the PEPs that have registered with the interface capabilities and role combination.

IPsec policy that is pushed down to an individual PEP consists of two parts: IKE rules for IKE phase one negotiation and IPsec rules for IKE phase two negotiation. These sets of rules may be pushed down either together or independently.

After a PEP reports its interface capabilities and role combinations to a PDP,

- if the corresponding policy consists of IPsec rules only (i.e., key management is not performed through IKE), the interface capability set name and the role combination MUST match that in the ipSecRuleTable. For the ipSecActionTable referenced by the ipSecRuleTable, the values of the ipSecActionIkeRuleId attribute MUST be zero, indicating that no IKE associations are used. As a result, the ipSecRuleTable and all subsequent referenced tables are pushed down to the PEP.

- if the corresponding policy consists of IKE rules only, the interface capability set name and the role combination MUST match that in the ipSecIkeRuleTable. The ipSecIkeEndpointTable indicates the peer endpoints with which to establish IKE associations. Hence, the ipSecIkeRuleTable and all subsequent referenced tables are pushed down to the PEP.

- if the corresponding policy consists of both IPsec rules and IKE rules (i.e., an IKE association is established first and it is then used for IPsec association negotiation), the interface capability set name and the role combination MUST match that in the ipSecRuleTable. The ipSecRuleTable and the ipSecIkeRuleTable that is referenced by the ipSecRuleTable, as well as all subsequent referenced tables, are pushed down to the PEP.

The following figure shows the relations between the tables with an example. The IPSec policy in this example contains both IKE and IPSec rules.

   +----------------------+           +------------------------+
   | ipSecSelectorEntries |           | ipSecRuleTableEntries  |
   | Group = 10           |<----------| SelectorGroupId = 10   |
   +----------------------+           | ActionGroupId = 20     |
                                      | IfName = Ether_limit   |
                                      | Role = Finance_X       |
                                      +------------------------+
                                                  |
                                                  v
   +---------------------------+       +------------------------+
   | ipSecIkeRuleEntries       |       | ipSecActionEntries     |
   | Prid = 30                 |       | GroupId = 20           |
   | IkeEndpointGroupId = 40   |       | Action = Tunnel        |
   |                           |<------| IkeRuleId = 30         |
   +---------------------------+       +------------------------+
          |            \                           |
          v             \                          v
   +---------------------------+  \         ipSecAssociation
   | ipSecIkeEndpointEntries   |   \        and subsequent
   | GroupId = 40              |    \       tables
   +---------------------------+     \
                                      v
                                ipSecIkeAssociations
                                and subsequent tables

4.1 Selector construction

The ipSecAddressTable specifies individual IP addresses or ranges of IP addresses, and the ipSecL4PortTable specifies individual layer 4 ports or ranges of layer 4 ports. The ipSecSelectorTable has references to these two tables. Each row in the selector table represents multiple selectors. These selectors are constructed as follows:

1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP addresses from the ipSecAddressTable whose ipSecAddressGroupId matches the ipSecSelectorSrcAddressGroupId.

2. Substitute the ipSecSelectorDstAddressGroupId with all the IP addresses from the ipSecAddressTable whose ipSecAddressGroupId matches the ipSecSelectorDstAddressGroupId.

3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or ranges of ports whose ipSecL4PortGroupId matches the ipSecSelectorSrcPortGroupId.

4. Substitute the ipSecSelectorDstPortGroupId with all the ports or ranges of ports whose ipSecL4PortGroupId matches the ipSecSelectorDstPortGroupId.

5. Construct all the possible combinations of the above four fields together with the ipSecSelectorProtocol attribute to form a list of five-tuple selectors.

Selectors constructed from the same row inherit all the other attributes of the row (e.g., ipSecSelectorGranularity).

The following is an example of building the selectors (only relevant fields are shown). Suppose that the ipSecAddressTable is populated with the following rows:

   AddrMin    AddrGroupId
   1.2.3.4    1
   1.2.3.18   1
   5.6.7.1    2
   5.6.7.8    2

For every row in this example, the AddrMax is a zero length octet, indicating that each row specifies a single IP address.

The Layer4PortTable is populated with the following rows:

   PortMin   PortMax   PortGroupId
   112       150       1
   99        99        2

The PortMax is equal to the PortMin in the second row, indicating that only a single port is specified.

The ipSecSelectorTable is populated with:

   SrcAddrGpId  dstAddrGpId  srcPortGpId  dstPortGpId  protocol  order
   1            2            1            1            udp       1
   1            2            2            2            tcp       2

The following selectors are constructed:

   SrcAddr    dstAddr    protocol  port
   1.2.3.4    5.6.7.1    UDP       112-150
   1.2.3.4    5.6.7.8    UDP       112-150
   1.2.3.18   5.6.7.1    UDP       112-150
   1.2.3.18   5.6.7.8    UDP       112-150
   1.2.3.4    5.6.7.1    TCP       99
   1.2.3.4    5.6.7.8    TCP       99
   1.2.3.18   5.6.7.1    TCP       99
   1.2.3.18   5.6.7.8    TCP       99

The first four selectors are constructed from the first row of the selector table, whose order equals 1. They can be ordered in any way. However, all of them must be evaluated before the selectors constructed from the second row, because the order of the second row equals 2.

The use of references in the ipSecSelectorTable instead of spelling out all the IP addresses and port numbers reduces the number of bytes being pushed down to the PEP. Grouping of IP addresses and layer four ports serves the same purpose.

4.2 Start up condition

The establishment of IKE or IPsec associations may be triggered in several ways, as indicated by ipSecSelectorStartupCondition and ipSecIkeEndpointStartupCondition in the ipSecSelectorTable and ipSecIkeEndpointTable respectively. The triggers may be:

OnBoot: The IPsec or IKE association is established after system boot. To avoid both endpoints trying to set up the same association, only the endpoint whose ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true can initiate the IPsec (IKE) association establishment.

OnTraffic: The IPsec association is established only when packets need to be sent and there are no appropriate security associations to protect the packets. If there is no IKE association to protect the IPsec association negotiation, an IKE association should be set up first.

OnPolicy: The IPsec or IKE association is established according to the ipSecRuleTimePeriodSetTable referenced by the corresponding rule. At the time the policy becomes active, only the endpoint whose ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true can initiate the IPsec (IKE) association establishment.

These triggers are not mutually exclusive.

4.3 Multiple security associations, proposals and transforms

Multiple IPsec security associations may be established to protect the same traffic between two end points. The following figure shows an example.

                              SA1
    ======================================================
    |                   SA2                              |
    |==============================                      |
    ||                            |                      |
    ||                         ---|----------------------|---
    ||                         |  |                      |  |
    H1 ----- (Internet) ------| SG2 ---- (Local ----- H2 |  |
                              |          Intranet)        |  |
                              ------------------------------
                                 admin. boundary (optional)

H1 and H2 are hosts and SG2 is a security gateway on the local Intranet where H2 resides. Suppose that to protect TCP traffic between H1 and H2, an IPsec security association (SA1) in transport mode may be established between H1 and H2. In addition, an IPsec security association (SA2) in tunnel mode may be set up between H1 and SG2.

For host H1, two actions are needed to protect TCP packets that travel from H1 to H2: first protect the packets with SA1 and then encapsulate the resulting packets into SA2. This requires that the IPSec policy downloaded to H1 contain two actions to be applied to packets in order.

The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to handle multiple security association establishments or actions. It contains references to the actions specified in the ipSecActionTable. All the actions in the ipSecActionTable whose ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId MUST be applied. The ipSecActionOrder indicates the order in which these actions should be taken in setting up the security associations.

During a security association negotiation, the initiating point can present multiple proposals in preference order. For an IPsec security association, every proposal can contain different protocols, e.g., AH, ESP (a single proposal here is equivalent to multiple proposal payloads with the same proposal number as specified in [ISAKMP]). Different protocols are ANDed. Each protocol, in turn, may contain multiple transforms in preference order. The responder must select a single proposal and a single transform for each protocol.

Multiple proposals are handled by the ipSecProposalSetTable and ipSecIkeProposalSetTable. The ipSecProposalSetOrder and ipSecIkeProposalSetOrder in these tables indicate preference.

Multiple transforms within a protocol are handled by the ipSecAhTransformSetTable, ipSecEspTransformSetTable and ipSecCompTransformSetTable. The ipSecAhTransformSetOrder, ipSecEspTransformSetOrder and ipSecCompTransformSetOrder in these tables indicate preferences.

4.4 Credentials for IKE phase one negotiation

Credentials such as certificates may be exchanged during IKE phase one negotiation for authentication purposes. An endpoint can possess multiple credentials. How each endpoint obtains its credentials (e.g., through PKI) is out of the scope of IPsec policy distribution. IPsec policy does specify, however, the acceptable peer credentials and the credential sub-fields and their values that MUST match.

The IpSecPeerCredentialTable specifies a group of credentials that are considered acceptable for a given peer endpoint. Any one of the credentials in a group is acceptable as the IKE peer endpoint credential. The IpSecCredentialFieldsTable further specifies, for each credential, the sub-fields and values that MUST be matched.

5. Summary of the IPSec PIB

The IPSec PIB consists of seven groups. Each group and the tables it contains are summarized in the following:

5.1 ipSecSelector Group

This group specifies the selectors for IPSec associations.

5.1.1 ipSecAddressTable

Specifies IP addresses of endpoints.

5.1.2 ipSecL4PortTable

Specifies layer four port numbers.

5.1.3 ipSecSelectorTable

Specifies IPsec selectors. It has references to the ipSecAddressTable and ipSecL4PortTable for selector construction.

5.2 ipSecAssociation Group

This group specifies attributes related to IPSec Security Associations.

5.2.1 ipSecRuleTable

Specifies IPsec rules. It references the ipSecSelectorTable and ipSecActionTable to indicate that IP packets that match the selector SHALL have the IPsec action(s) applied to them.

This table also references the ipSecRuleTimePeriodSetTable to specify the time periods during which a rule is valid.

5.2.2 ipSecActionTable

Specifies groups of IPsec actions. All actions that have the same ipSecActionActionGroupId belong to the same group. Actions in the same group MUST be applied in the order specified by ipSecActionOrder.

This table also references the ipSecIkeRuleTable to specify rules associated with IKE phase one negotiation.

5.2.3 ipSecAssociationTable

Specifies attributes associated with IPsec associations. It references the ipSecProposalSetTable to specify associated proposals.

5.2.4 ipSecProposalSetTable

Specifies IPsec proposal sets. Proposals within a set are ORed with preference order.

5.2.5 ipSecProposalTable

Specifies an IPsec proposal. It has references to ESP, AH and IPComp Transform sets. Within a proposal, different types of transforms are ANDed. Within one type of transform, the choices are ORed with preference order.

5.3 ipSecIkeAssociation Group

This group specifies attributes related to IKE Security Associations.

5.3.1 ipSecIkeRuleTable

Specifies IKE rules. It contains a reference to the ipSecIkeAssociationTable to specify IKE associated actions. In addition, it has a reference to the ipSecIkeEndpointTable to specify the endpoints with which this PEP can set up IKE associations.

This table also references the ipSecRuleTimePeriodSetTable to specify the time periods during which a rule is valid.

5.3.2 ipSecIkeAssociationTable

Specifies attributes related to IKE associations. It references the ipSecIkeProposalSetTable to specify associated proposals.

5.3.3 ipSecIkeProposalSetTable

Specifies IKE proposal sets. Proposals within a set are ORed with preference order.

5.3.4 ipSecIkeProposalTable

Specifies attributes associated with IKE proposals.

5.3.5 ipSecIkeEndpointTable

=== Right column: draft-ietf-ipsp-ipsecpib-04.txt ===

ipsp working group                                               Man Li
Internet Draft                                                    Nokia
Expires August 2002                                       David Arneson
                                                                    N/A
                                                             Avri Doria
                                                                    LTU
                                                            Jamie Jason
                                                                  Intel
                                                             Cliff Wang
                                                              SmartPipe
                                                        Markus Stenberg
                                                                    SSH
                                                          February 2002

                     IPsec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-04.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Abstract

This document specifies a set of policy rule classes (PRC) for configuring IPsec policy at IPsec-enabled devices (e.g., security gateways). Instances of these classes reside in a virtual information store called the IPsec Policy Information Base (PIB). The COPS protocol [5] with extensions for provisioning [6] is used to transmit this IPsec policy information to IPsec-enabled devices. The PRCs defined in this IPsec PIB are intended for use by the COPS-PR IPsec client type. These PRCs are in addition to any other PIBs that may be defined for the IPsec client type, as well as the PRCs defined in the Framework PIB [9].

Li, et al                  Expires August, 2002                       1
IPsec Policy Information Base                            February, 2002

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [2].

1. Introduction

The policy rule classes (PRC) defined in this document contain parameters for IKE phase one and phase two negotiations. Details of these parameters can be found in [12], [10], [8], [3], [7], [11] and [14]. The PIB defined in this document is based on the IPsec configuration policy model [12]. The rule and role approach proposed in [13], which scales to large networks, is adopted for distributing IPsec policy over the COPS-PR protocol [6].

2. Operation Overview

Following the policy framework convention [13], the management entity that downloads policy to IPsec-enabled devices will be called a Policy Decision Point (PDP) and the target IPsec-enabled devices will be called Policy Enforcement Points (PEP).

After connecting to a PDP using COPS-PR, a PEP reports to the PDP the PIB Provisioning Classes (PRCs) it supports as well as any limitations related to the implementations of these classes and parameters. The PEP provides the above information using the frwkPrcSupportTable and the frwkCompLimitsTable defined in the framework PIB [9]. In addition, the PEP also reports the interface type capabilities and role combinations it supports using the frwkIfCapSetTable and the frwkIfCapSetRoleComboTable. Each row of the frwkIfCapSetTable contains a capability set name and a reference to an instance of a PRC that describes the capabilities of the interface type. The capability instances may reside in the ipSecIfCapsTable or in a table defined in another PIB. Each row of the frwkIfCapSetRoleComboTable contains an interface capability set name and a role combination.

Based on the interface capabilities and role combinations, the PDP provides the PEP with IPsec policy information. Later on, if any of the interface capabilities or role combinations of the PEP change, the PEP notifies the PDP. The PDP will then send a new set of IPsec policy information to the PEP. In addition, if the policy associated with a given interface capability and role combination changes, the PDP will deliver the new IPsec policy to all the PEPs that have registered with that interface capability and role combination.

3. Structure of IPsec PIB

An IPsec policy consists of an ordered list of IPsec rules. Each rule is composed of a set of conditions and a set of actions. If a packet matches any of the conditions, the actions will be applied accordingly.

The IPsec PIB module consists of nine groups. The selector group describes conditions to be associated with IPsec rules. The IPsec association group, AH transform group, ESP transform group, COMP transform group, IKE association group and the credential group together describe actions to be associated with IPsec rules. The policy time period group specifies time periods during which a rule is valid. The interface capability group is used by a PEP to report the capabilities associated with its interface types.

3.1 IPsec association group

This group specifies IPsec Security Associations.

The ipSecRuleTable is the starting point for specifying an IPsec policy. It contains an ordered list of IPsec rules. Each rule is associated with IfName, Roles and Direction attributes to indicate the interface type and role combinations as well as the direction of the interface to which this rule is to be applied. Each rule points to a set of selectors and, optionally, a set of IPSO filters to indicate the conditions associated with this rule. In addition, each rule has a pointer to a set of actions to indicate the actions associated with this rule. Hence, if a packet matches a selector in the selector set and, if the reference to the IPSO filter set is not zero, it matches a filter in the IPSO filter set, the action(s) associated with this rule will be applied to the packet.

When a rule involves multiple actions, the ExecutionStrategy attribute indicates how these actions are executed. A value of 'DoAll' means that all the actions MUST be applied to the packet according to a predefined order. A value of 'DoUntilSuccess' means that the actions MUST be tried in sequence until a successful execution of a single action.

For example, in a nested Security Associations case the actions of an initiator's rule might be structured as:

   ExecutionStrategy='Do All'
     |
     +---1--- IPsecTunnelAction     // set up SA from host to gateway
     |
     +---2--- IPsecTransportAction  // set up SA from host through
                                    // tunnel to remote host

Another example, showing a rule with fallback actions, might be structured as:

   ExecutionStrategy='Do Until Success'
     |
     +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
     |
     +---2--- IPsecTunnelAction // set up SA from host to gateway [B]

As an optional feature, IPsec associations may be established without being prompted by IP packets. The AutoStart attribute indicates if the IPsec association(s) of this rule should be set up automatically. Support of this attribute is optional.

IPsec actions may be of two types: Static Action and Negotiation Action. Static Actions do not require any negotiations. They include by-pass, discard, IKE rejection, pre-configured transport and pre-configured tunnel actions. Negotiation Actions require negotiations in order to establish Security Associations. They include transport and tunnel actions.

The ipSecActionSetTable specifies sets of actions. Actions within a set form an ordered list. If an action within a set is a Static Action, the ActionId MUST point to a valid instance in the ipSecStaticActionTable. If the action is a Negotiation Action, the ActionId MUST point to a valid instance in the ipSecNegotiationActionTable. For other actions, the ActionId MAY point to an instance of a PRC defined in some other PIB module.

The ipSecStaticActionTable specifies IPsec Static Actions. For a pre-configured transport or pre-configured tunnel action, it further points to a valid instance in another table that describes a transform to be used, for example, the ipSecEspTransformTable. In addition, the SPI used for the transform is also defined in the table.

The ipSecNegotiationActionTable specifies IPsec Negotiation Actions. It points to a valid instance in the ipSecAssociationTable that further defines the IPsec association to be established. For key exchange policy, the KeyExchangeId points to a valid instance in another table that describes key exchange procedures. If a single IKE phase one negotiation is used for the key exchange, this attribute MUST point to an instance in the ipSecIkeAssociationTable. If multiple IKE phase one negotiations (e.g., with different modes) are to be tried until success, this attribute SHOULD point to the ipSecIkeRuleTable. For other key exchange methods, this attribute MAY point to an instance of a PRC defined in some other PIB module.

The ipSecAssociationTable specifies attributes associated with IPsec associations. For each association, it points to a set of proposals in the ipSecProposalSetTable that is associated with this association.

The ipSecProposalSetTable specifies sets of proposals. Proposals within a set are ordered with a preference value.

The ipSecProposalTable specifies proposals. It points to sets of ESP transforms, AH transforms and COMP transforms. Within a proposal, sets of transforms of different types are logically ANDed. Transforms of the same type within a transform set are logically ORed. For example, if the proposal were

   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
   AH  = { MD5, SHA-1 }

then the one sending the proposal would want the other side to pick one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one from the AH transform list (preferably MD5).

3.2 AH, ESP and COMP transform groups

The AH, ESP and COMP transform groups describe sets of AH, ESP and COMP transforms respectively.

3.3 IKE association group

This group specifies rules associated with IKE phase one negotiation.

The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional tables. Support of these tables is required only when a policy contains:

- Multiple IKE phase one actions (e.g., with different exchange modes) that are associated with one IPsec association. These actions are to be tried in sequence until one succeeds.

- IKE phase one actions that start automatically.

For the latter case, IKE rules may be distributed independently, and the IfName and Roles attributes in the ipSecIkeRuleTable indicate the interface type and role combinations to which this rule is to be applied.

The ipSecIkeActionSetTable specifies sets of actions. Actions within a set form an ordered list.

The ipSecIkeAssociationTable contains parameters associated with IKE associations, including the IKE identities to be used during IKE phase one negotiation. It points to a set of credentials specified in the ipSecCredentialTable. Any of the credentials in this set may be used during IKE phase one negotiation. In addition, each IKE association points to a set of IKE proposals to be associated with this association. If the Authentication Method for one or more of the IKE proposals is specified as PresharedKey in the ipSecIkeProposalTable, the ipSecIkeAssociationPresharedKey attribute contains the actual pre-shared key to be used for the proposal(s). This attribute is optional. If this attribute is not supported or contains a zero length octet, the pre-shared key MUST be obtained through other methods.

The ipSecIkeProposalSetTable specifies sets of proposals. Proposals within a set are ordered with a preference value. The ipSecIkeProposalTable contains parameters associated with IKE proposals.

The ipSecIkePeerEndpointTable specifies IKE peer endpoint information that includes acceptable peer identity and credentials for IKE phase one negotiation. It points to a set of credentials specified in the ipSecIkePeerEndpointCredentialSetTable. Any of the credentials in the set is acceptable as a peer credential. The AddressType and the Address attributes are used only when IKE phase one negotiation starts automatically, i.e., the value of the AutoStart attribute in the ipSecIkeRuleTable is true. In that case, these two attributes together indicate the peer endpoint address.

3.4 Credential group

This group specifies credentials to be used for IKE phase one negotiations.

The ipSecCredentialSetTable specifies sets of credentials. The ipSecCredentialTable and ipSecCredentialFieldsTable together specify credentials. Each credential may contain multiple sub-fields. For example, a certificate may contain a unique serial number sub-field and an issuer name sub-field, etc. The ipSecCredentialFieldsTable defines the sub-fields and their values that MUST be matched against. The ipSecCredentialTable points to a set of criteria defined in the ipSecCredentialFieldsTable. The criteria MUST all be satisfied in order for a credential to be considered acceptable. Certificates may also be revoked. The CrlDistributionPoint attribute in the ipSecCredentialTable indicates the Certificate Revocation List (CRL) distribution point where CRLs may be fetched.

3.5 Selector group

This group specifies the selectors for IPsec rules.

The ipSecSelectorSetTable specifies sets of selectors. Selectors within a set form an ordered list. The SelectorId attribute points to a valid instance in another table that describes a selector. To achieve scalability in policy distribution for large networks, it SHOULD point to the ipSecSelectorTable.

The ipSecAddressTable specifies individual IP addresses or ranges of IP addresses, and the ipSecL4PortTable specifies individual layer 4 ports or ranges of layer 4 ports. The ipSecSelectorTable has references to these two tables. Each row in the selector table can represent multiple selectors. These selectors are constructed as follows:

1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP addresses from the ipSecAddressTable whose ipSecAddressGroupId matches the ipSecSelectorSrcAddressGroupId.

2. Substitute the ipSecSelectorDstAddressGroupId with all the IP addresses from the ipSecAddressTable whose ipSecAddressGroupId matches the ipSecSelectorDstAddressGroupId.

3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or ranges of ports whose ipSecL4PortGroupId matches the ipSecSelectorSrcPortGroupId.

4. Substitute the ipSecSelectorDstPortGroupId with all the ports or ranges of ports whose ipSecL4PortGroupId matches the ipSecSelectorDstPortGroupId.

5. Construct all the possible combinations of the above four fields. Then add to the combinations the ipSecSelectorProtocol, ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form the list of selectors.

Selectors constructed from a single row have the same order within a selector set. The order is indicated by the Order attribute of the ipSecSelectorSetTable. The relative order among selectors constructed from a single row is unspecified. This is not an issue as long as these selectors are not overlapping.

The use of references in the ipSecSelectorTable instead of real IP addresses and port numbers reduces the number of bytes being pushed down to the PEP. Grouping of IP addresses and layer 4 ports serves the same purpose.

The ipSecIpsoFilterSetTable specifies sets of IPSO filters. Filters within a set form an ordered list. The ipSecIpsoFilterTable contains IPSO filters.

3.6 Policy time period group

This group specifies time periods during which a policy rule is valid. The ipSecRuleTimePeriodTable specifies a single time period within a day. The ipSecRuleTimePeriodSetTable specifies multiple time periods.

Implementation of this group is optional.

3.7 Interface capability group

PEPs may have different capabilities. For example, some PEPs support nested Security Associations whereas others do not. This group allows a PEP to specify the capabilities associated with its different interface types.

For ease of reference, a concise summary of the groups and tables is included in the next section.

4. Summary of the IPsec PIB

4.1 ipSecAssociation group

This group specifies IPsec Security Associations.

4.1.1 ipSecRuleTable

This table is the starting point for specifying an IPsec policy. It contains an ordered list of IPsec rules.

4.1.2 ipSecActionSetTable

Specifies IPsec action sets.

4.1.3 ipSecStaticActionTable

Specifies IPsec static actions.

4.1.4 ipSecNegotiationActionTable

Specifies IPsec negotiation actions.

4.1.5 ipSecAssociationTable

Specifies IPsec associations.

4.1.6 ipSecProposalSetTable

Specifies IPsec proposal sets.

4.1.7 ipSecProposalTable

Specifies IPsec proposals.

4.2 ipSecAhTransform group

This group specifies AH Transforms.

4.2.1 ipSecAhTransformSetTable

Specifies AH transform sets.

4.2.2 ipSecAhTransformTable

Specifies AH transforms.

4.3 ipSecEspTransform group

This group specifies ESP Transforms.

4.3.1 ipSecEspTransformSetTable
Specifies the peer endpoints with which this PEP establishes IKE Specifies ESP transform sets.
associations according to ipSecIkeEndpointStartupCondition.
This table also contains a reference to ipSecPeerCredentialTable 4.3.2 ipSecEspTransformTable
to specify acceptable peer credentials. Specifies ESP transforms.
5.3.6 ipSecPeerCredentialTable Li, et al Expires August, 2002 8
Specifies groups of IKE peer credentials. Credentials in a group IPsec Policy Information Base February, 2002
are ORed. In other words, any one of the credentials in a group is
acceptable as the IKE peer endpoint credential.
This table also contains a reference to ipSecCredentialFieldsTable 4.4 ipSecCompTransform group
to further specify sub-field values in a credential that MUST be This group specifies Compression Transforms.
matched.
5.3.7 ipSecCredentialFieldsTable 4.4.1 ipSecCompTransformSetTable
Specifies the sub-fields and their values to be matched against Specifies IPComp transform sets.
peer credentials obtained during IKE phase one negotiation. All
criteria within a group are ANDed.
5.4 ipSecEspTransform Group 4.4.2 ipSecCompTransformTable
This group specifies attributes related to ESP Transform. Specifies IP compression (IPCOMP) algorithms.
5.4.1 ipSecEspTransformSetTable 4.5 ipSecIkeAssociation group
Specifies ESP transform sets. Within a transform set, the choices This group specifies IKE Security Associations.
are ORed with preference order.
5.4.2 ipSecEspTransformTable 4.5.1 ipSecIkeRuleTable
Specifies ESP transforms. Specifies IKE rules.
5.5 ipSecAhTransform Group 4.5.2 ipSecIkeActionSetTable
This group specifies attributes related to AH Transform. Specifies IKE action sets.
5.5.1 ipSecAhTransformSetTable 4.5.3 ipSecIkeAssociationTable
Specifies AH transform sets. Within a transform set, the choices Specifies IKE associations.
are ORed with preference order.
5.5.2 ipSecAhTransformTable 4.5.4 ipSecIkeProposalSetTable
Specifies AH transforms. Specifies IKE proposal sets.
5.6 ipSecCompTransform Group 4.5.5 ipSecIkeProposalTable
This group specifies attributes related to IPSecComp Transform Specifies IKE proposals.
Li, et al Expires January, 2002 9 4.5.6 ipSecIkePeerEndpointTable
IPsec Policy Information Base July, 2001 Specifies IKE peer endpoints.
5.6.1 ipSecCompTransformSetTable 4.6 ipSecCredential group
Specifies IPComp transform sets. Within a transform set, the This group specifies credentials for IKE phase one negotiations.
choices are ORed with preference order.
5.6.2 ipSecCompTransformTable 4.6.1 ipSecCredentialSetTable
Specifies IPComp transforms. Specifies credential sets.
5.7 ipSecPolicyTimePeriod Group 4.6.2 ipSecCredentialTable
Specifies credentials.
4.6.3 ipSecCredentialFieldsTable
Specifies sets of credential sub-fields and their values to be
matched against.
4.7 ipSecSelector group
This group specifies selectors for IPsec associations.
4.7.1 ipSecSelectorSetTable
Specifies IPsec selector sets.
4.7.2 ipSecSelectorTable
Specifies IPsec selectors.
Li, et al Expires August, 2002 9
IPsec Policy Information Base February, 2002
4.7.3 ipSecAddressTable
Specifies IP addresses.
4.7.4 ipSecL4PortTable
Specifies layer four port numbers.
4.7.5 ipSecIpsoFilterSetTable
Specifies IPSO filter sets.
4.7.6 ipSecIpsoFilterTable
Specifies IPSO filters.
4.8 ipSecPolicyTimePeriod group
This group specifies the time periods during which a policy rule This group specifies the time periods during which a policy rule
is valid. is valid.
5.7.1 ipSecRuleTimePeriodSetTable 4.8.1 ipSecRuleTimePeriodTable
Specifies multiple time period sets. The ipSecRuleTimePeriodTable
can specify only a single time period within a day. This table
enables the specification of multiple time periods within a day by
grouping them into one set.
5.7.2 ipSecRuleTimePeriodTable
Specifies the time periods during which a policy rule is valid. Specifies the time periods during which a policy rule is valid.
The values of the first five attributes in a row are ANDed
together to determine the validity period(s). If any of the five
attributes is not present, it is treated as having value always
enabled.
5.8 ipSecIfCaps Group 4.8.2 ipSecRuleTimePeriodSetTable
Specifies time period sets.
4.9 ipSecIfCapability group
This group specifies capabilities associated with interface types. This group specifies capabilities associated with interface types.
5.8.1 ipSecIfCapsTable 4.9.1 ipSecIfCapsTable
Specifies capabilities that may be associated with an interface of Specifies capabilities that may be associated with an interface of
a specific type. The instances of this table are referenced by the a specific type.
frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-
PIB].
draft-ietf-ipsp-ipsecpib-03.txt:

6. The IPSec PIB

IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned 32, MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION,
    MODULE-COMPLIANCE
        FROM COPS-PR-SPPI
    OBJECT-IDENTITY
        FROM SNMPv2-SMI
    TruthValue
        FROM SNMPv2-TC
    InstanceId, ReferenceId, TagId, TagReferenceId
        FROM COPS-PR-SPPI;
    RoleCombination
        FROM POLICY-FRAMEWORK-PIB;
    OBJECT-GROUP
        From SNMPv2-CONF;

ipSecPolicyPib MODULE-IDENTITY
    SUBJECT-CATEGORY { tbd -- IPSec Client Type }
    LAST-UPDATED "200107011800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
        Man Li
        Nokia
        5 Wayside Road,
        Burlington, MA 01803
        Phone: +1 781 993 3923
        Email: man.m.li@nokia.com

        Avri Doria
        Nortel Networks
        600 Technology Park Drive
        Billerica, MA 01821
        Phone: +1 401 663 5024
        Email: avri@nortelnetworks.com

        Jamie Jason
        Intel Corporation
        MS JF3-206
        2111 NE 25th Ave.
        Hillsboro, OR 97124
        Phone: +1 503 264 9531
        Fax: +1 503 264 9428
        E-Mail: jamie.jason@intel.com

        Cliff Wang
        SmartPipes Inc.
        Suite 300, 565 Metro Place South
        Dublin, OH 43017
        Phone: +1 614 923 6241
        E-Mail: CWang@smartpipes.com"
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPSec policies."
    ::= { tbd }

draft-ietf-ipsp-ipsecpib-04.txt:

4.10 ipSecPolicyPibConformance group

This group specifies requirements for conformance to the IPsec
Policy PIB.

5. The IPsec PIB Module

IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
    TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP
        FROM COPS-PR-SPPI
    TruthValue
        FROM SNMPv2-TC
    InstanceId, ReferenceId, TagId, TagReferenceId
        FROM COPS-PR-SPPI
    RoleCombination
        FROM FRAMEWORK-TC-PIB;

ipSecPolicyPib MODULE-IDENTITY
    SUBJECT-CATEGORY { tbd } -- IPsec Client Type --
    LAST-UPDATED "200202241800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
        Man Li
        Nokia
        5 Wayside Road,
        Burlington, MA 01803
        Phone: +1 781 993 3923
        Email: man.m.li@nokia.com

        Avri Doria
        Div. of Computer Communications
        Lulea University of Technology
        SE-971 87
        Lulea, Sweden
        Phone: +46 920 49 3030
        Email: avri@sm.luth.se

        Jamie Jason
        Intel Corporation
        MS JF3-206
        2111 NE 25th Ave.
        Hillsboro, OR 97124
        Phone: +1 503 264 9531
        Fax: +1 503 264 9428
        Email: jamie.jason@intel.com

        Cliff Wang
        SmartPipes Inc.
        Suite 300, 565 Metro Place South
        Dublin, OH 43017
        Phone: +1 614 923 6241
        Email: CWang@smartpipes.com

        Markus Stenberg
        SSH Communications Security Corp.
        Fredrikinkatu 42
        FIN-00100 Helsinki, Finland
        Phone: +358 20 500 7466
        Email: markus.stenberg@ssh.com"
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPsec policies."
    ::= { pib yyy } -- yyy to be assigned by IANA --
draft-ietf-ipsp-ipsecpib-03.txt:

ipSecSelector OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies selectors for IPSec associations"
    ::= { ipSecPolicyPib 1 }

ipSecAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSec Security
        Associations"
    ::= { ipSecPolicyPib 2 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IKE Security
        Associations"
    ::= { ipSecPolicyPib 3 }

ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to ESP Transform"
    ::= { ipSecPolicyPib 4 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to AH Transform"
    ::= { ipSecPolicyPib 5 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSecComp Transform"
    ::= { ipSecPolicyPib 6 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the time periods during which a policy rule
        is valid"
    ::= { ipSecPolicyPib 7 }

ipSecIfCaps OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies capabilities associated with interface
        types."
    ::= { ipSecPolicyPib 8 }

ipSecPolicyPibConformance OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies requirements for conformance to the IPsec
        Policy PIB"
    ::= { ipSecPolicyPib 9 }

draft-ietf-ipsp-ipsecpib-04.txt:

Unsigned16 ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "An unsigned 16 bit integer."
    SYNTAX Unsigned32 (0..65535)

ipSecAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies IPsec Security Associations."
    ::= { ipSecPolicyPib 1 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies AH Transforms."
    ::= { ipSecPolicyPib 2 }

ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies ESP Transforms."
    ::= { ipSecPolicyPib 3 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies Comp Transforms."
    ::= { ipSecPolicyPib 4 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies IKE Security Associations."
    ::= { ipSecPolicyPib 5 }

ipSecCredential OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies credentials for IKE phase one negotiations."
    ::= { ipSecPolicyPib 6 }

ipSecSelector OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies selectors for IPsec associations."
    ::= { ipSecPolicyPib 7 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the time periods during which a policy rule
        is valid."
    ::= { ipSecPolicyPib 8 }

ipSecIfCapability OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies capabilities associated with interface
        types."
    ::= { ipSecPolicyPib 9 }

ipSecPolicyPibConformance OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies requirements for conformance to the IPsec
        Policy PIB"
    ::= { ipSecPolicyPib 10 }
draft-ietf-ipsp-ipsecpib-03.txt:

--
--
-- The ipSecAddressTable
--

ipSecAddressTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAddressEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IP addresses."
    INDEX { ipSecAddressPrid }
    UNIQUENESS {
        ipSecAddressAddressType,
        ipSecAddressAddrMask,
        ipSecAddressAddrMin,
        ipSecAddressAddrMax,
        ipSecAddressGroupId
    }
    ::= { ipSecSelector 1 }

ipSecAddressEntry OBJECT-TYPE
    SYNTAX IpSecAddressEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAddressTable 1 }

IpSecAddressEntry ::= SEQUENCE {
    ipSecAddressPrid InstanceId,
    ipSecAddressAddressType INTEGER,
    ipSecAddressAddrMask OCTET STRING,
    ipSecAddressAddrMin OCTET STRING,
    ipSecAddressAddrMax OCTET STRING,
    ipSecAddressGroupId TagId
}

ipSecAddressPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class."
    ::= { ipSecAddressEntry 1 }

ipSecAddressAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the address type. This also controls the length of the
        OCTET STRING for the ipSecAddressAddrMask, ipSecAddressAddrMin and
        ipSecAddressAddrMax objects. IPv4 addresses are octet strings of
        length 4. IPv6 addresses are octet strings of length 16. All other
        types are octet strings of variable length."
    ::= { ipSecAddressEntry 2 }

ipSecAddressAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the IP address. A zero bit in the mask
        means that the corresponding bit in the address always matches.
        This attribute MUST be ignored when ipSecAddressAddressType is not
        of IPv4 or IPv6 type."
    ::= { ipSecAddressEntry 3 }

ipSecAddressAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies an end point address. The Length of the string is based
        upon the address type. For IPv4 address types, this attribute is
        a 4-bytes octet string. For IPv6 address types, this attribute is
        a 16-bytes octet string. For other types of addresses, this
        attribute is a variable length octet string.

        A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
        ipSecAddressAddrMask of all zero means a wild-carded address,
        i.e., all addresses match."
    ::= { ipSecAddressEntry 4 }

ipSecAddressAddrMax OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "If a range of addresses are being used then this specifies the
        ending address. The type of this address must be the same as the
        ipSecAddressAddrMin. The Length of the string is based upon the
        address type. For IPv4 address types, this attribute is a 4-bytes
        octet string. For IPv6 address types, this attribute is a 16-bytes
        octet string.

        If no range is specified then this attribute MUST be a zero length
        OCTET STRING."
    ::= { ipSecAddressEntry 5 }

ipSecAddressGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this IP address, address range or subnet
        address belongs to."
    ::= { ipSecAddressEntry 6 }

--
--
-- The ipSecL4PortTable
--

ipSecL4PortTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecL4PortEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies layer four port numbers."
    INDEX { ipSecL4PortPrid }
    UNIQUENESS {
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    ::= { ipSecSelector 2 }

ipSecL4PortEntry OBJECT-TYPE
    SYNTAX IpSecL4PortEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecL4PortTable 1 }

IpSecL4PortEntry ::= SEQUENCE {
    ipSecL4PortPrid InstanceId,
    ipSecL4PortPortMin INTEGER,
    ipSecL4PortPortMax INTEGER,
    ipSecL4PortGroupId TagId
}

ipSecL4PortPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecL4PortEntry 1 }

ipSecL4PortPortMin OBJECT-TYPE
    SYNTAX INTEGER (0..65535)
    STATUS current
    DESCRIPTION
        "Specifies a layer 4 port or the first layer 4 port number of a
        range of ports."
    ::= { ipSecL4PortEntry 2 }

ipSecL4PortPortMax OBJECT-TYPE
    SYNTAX INTEGER (0..65535)
    STATUS current
    DESCRIPTION
        "Specifies the last layer 4 port in the range. If only a single
        port is specified, the value of this attribute must be equal to
        that of ipSecL4PortPortMin. Otherwise, the value of this attribute
        MUST be greater than that specified by ipSecL4PortPortMin."
    ::= { ipSecL4PortEntry 3 }

ipSecL4PortGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this port or port range belongs to."
    ::= { ipSecL4PortEntry 4 }

draft-ietf-ipsp-ipsecpib-04.txt:

--
--
-- The ipSecRuleTable
--

ipSecRuleTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecRuleEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "This table is the starting point for specifying an IPsec policy.
        It contains an ordered list of IPsec rules. "
    ::= { ipSecAssociation 1 }

ipSecRuleEntry OBJECT-TYPE
    SYNTAX IpSecRuleEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecRulePrid }
    UNIQUENESS {
        ipSecRuleIfName,
        ipSecRuleRoles,
        ipSecRuleOrder
    }
    ::= { ipSecRuleTable 1 }

IpSecRuleEntry ::= SEQUENCE {
    ipSecRulePrid InstanceId,
    ipSecRuleIfName SnmpAdminString,
    ipSecRuleRoles RoleCombination,
    ipSecRuleDirection INTEGER,
    ipSecRuleIpSecSelectorSetId TagReferenceId,
    ipSecRuleipSecIpsoFilterSetId TagReferenceId,
    ipSecRuleIpSecActionSetId TagReferenceId,
    ipSecRuleActionExecutionStrategy INTEGER,
    ipSecRuleOrder Unsigned16,
    ipSecRuleLimitNegotiation INTEGER,
    ipSecRuleAutoStart TruthValue,
    ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
}

ipSecRulePrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecRuleEntry 1 }

ipSecRuleIfName OBJECT-TYPE
    SYNTAX SnmpAdminString
    STATUS current
    DESCRIPTION
        "The interface capability set to which this IPsec rule applies.
        The interface capability name specified by this attribute MUST
        exist in the frwkIfCapSetTable [FR-PIB] prior to association with
        an instance of this class."
    ::= { ipSecRuleEntry 2 }

ipSecRuleRoles OBJECT-TYPE
    SYNTAX RoleCombination
    STATUS current
    DESCRIPTION
        "Specifies the role combination of the interface to which this
        IPsec rule should apply. There must exist an instance in the
        frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
        combination, together with the interface capability set specified
        by ipSecRuleIfName, prior to association with an instance of this
        class."
    ::= { ipSecRuleEntry 3 }

ipSecRuleDirection OBJECT-TYPE
    SYNTAX INTEGER {
        in(1),
        out(2),
        bi-directional(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the direction of traffic to which this rule should
        apply."
    ::= { ipSecRuleEntry 4 }

ipSecRuleIpSecSelectorSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecSelectorSetSelectorSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of selectors to be associated with this IPsec
        rule. "
    ::= { ipSecRuleEntry 5 }

ipSecRuleipSecIpsoFilterSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecIpsoFilterSetFilterSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IPSO filters to be associated with this IPsec
        rule. A value of zero indicates that there are no IPSO filters
        associated with this rule.

        When the value of this attribute is not zero, the set of IPSO
        filters is ANDed with the set of Selectors specified by
        ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
        selector in the selector sets and a filter in the IPSO filter sets
        before the actions associated with this rule can be applied."
    ::= { ipSecRuleEntry 6 }

ipSecRuleIpSecActionSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecActionSetActionSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IPsec actions to be associated with this
        rule."
    ::= { ipSecRuleEntry 7 }

ipSecRuleActionExecutionStrategy OBJECT-TYPE
    SYNTAX INTEGER {
        doAll(1),
        doUntilSuccess(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the strategy to be used in executing the sequenced
        actions in the action set identified by ipSecRuleIpSecActionSetId.

        DoAll (1) causes the execution of all the actions in the action
        set according to their defined precedence order. The precedence
        order is specified by the ipSecActionSetOrder in the
        ipSecActionSetTable.

        DoUntilSuccess (2) causes the execution of actions according to
        their defined precedence order until a successful execution of a
        single action. The precedence order is specified by the
        ipSecActionSetOrder in the ipSecActionSetTable."
    ::= { ipSecRuleEntry 8 }

ipSecRuleOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the precedence order of the rule within all the rules
        associated with {IfName, Roles}. A smaller value indicates a
        higher precedence order. "
    ::= { ipSecRuleEntry 9 }

ipSecRuleLimitNegotiation OBJECT-TYPE
    SYNTAX INTEGER {
        initiator(1),
        responder(2),
        both(3)
    }
    STATUS current
    DESCRIPTION
        "Limits the negotiation method. Before proceeding with a phase 2
        negotiation, the LimitNegotiation property of the IPsecRule is
        first checked to determine if the negotiation part indicated for
        the rule matches that of the current negotiation (Initiator,
        Responder, or Either).

        This attribute is ignored when an attempt is made to refresh an
        expiring SA (either side can initiate a refresh operation). The
        system can determine that the negotiation is a refresh operation
        by checking to see if the selector information matches that of an
        existing SA. If LimitNegotiation does not match and the selector
        corresponds to a new SA, the negotiation is stopped. "
    ::= { ipSecRuleEntry 10 }

ipSecRuleAutoStart OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Indicates if this rule should be automatically executed."
    ::= { ipSecRuleEntry 11 }

ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
    STATUS current
    DESCRIPTION
        "Identifies an IPsec rule time period set, specified in
        ipSecRuleTimePeriodSetTable, that is associated with this rule.
        A value of zero indicates that this IPsec rule is always valid."
    ::= { ipSecRuleEntry 12 }
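The attribute descriptions above fix several matching rules that a PEP has to get exactly right: a zero mask bit in ipSecAddressAddrMask always matches (so an all-zero AddrMin plus an all-zero mask is the wildcard), a non-empty ipSecAddressAddrMax turns the row into an inclusive range, ipSecL4PortPortMax must be at least ipSecL4PortPortMin, rules are ordered by ipSecRuleOrder within one {IfName, Roles} pair, and ipSecRuleLimitNegotiation is skipped only when the selector matches an existing SA. The following Python is an added illustration of those semantics, not code from either draft; the class names, the sample rows, the rule labels and the interface and role strings are constructed for the example.

```python
"""Matching semantics of ipSecAddressTable / ipSecL4PortTable rows and rule
precedence plus LimitNegotiation from ipSecRuleTable (added example; the
classes and sample rows below are constructed, not taken from the draft)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# ipSecAddressAddressType values that denote packet addresses.
IPV4_ADDRESS, IPV4_SUBNET, IPV6_ADDRESS, IPV6_SUBNET = 1, 4, 5, 6
IPV4_RANGE, IPV6_RANGE = 7, 8
IP_TYPES = {IPV4_ADDRESS, IPV4_SUBNET, IPV6_ADDRESS, IPV6_SUBNET, IPV4_RANGE, IPV6_RANGE}

IN, OUT, BIDIRECTIONAL = 1, 2, 3      # ipSecRuleDirection
INITIATOR, RESPONDER, BOTH = 1, 2, 3  # ipSecRuleLimitNegotiation


@dataclass(frozen=True)
class AddressRow:
    """One ipSecAddressEntry; OCTET STRING attributes are bytes."""
    addr_type: int
    mask: bytes
    addr_min: bytes
    addr_max: bytes = b""      # zero length when no range is specified
    group_id: int = 0          # ipSecAddressGroupId

    def matches(self, addr: str) -> bool:
        if self.addr_type not in IP_TYPES:
            return False       # fqdn / DN / key-id rows are not packet selectors
        packed = ip_address(addr).packed
        if len(packed) != len(self.addr_min):
            return False       # a 4-octet row cannot match a 16-octet address
        if self.addr_max:      # range form: inclusive, mask not consulted
            return self.addr_min <= packed <= self.addr_max
        # Mask form: a zero mask bit always matches, so all-zero AddrMin with
        # an all-zero mask is the wildcard described in the draft.
        return all((a & m) == (b & m) for a, b, m in zip(packed, self.addr_min, self.mask))


@dataclass(frozen=True)
class PortRow:
    """One ipSecL4PortEntry; PortMax == PortMin denotes a single port."""
    port_min: int
    port_max: int
    group_id: int = 0

    def __post_init__(self) -> None:
        if not 0 <= self.port_min <= self.port_max <= 65535:
            raise ValueError("ipSecL4PortPortMax MUST be >= ipSecL4PortPortMin")

    def matches(self, port: int) -> bool:
        return self.port_min <= port <= self.port_max


def port_row_valid(port_min: int, port_max: int) -> bool:
    """True when (PortMin, PortMax) satisfies the draft's constraint."""
    try:
        PortRow(port_min, port_max)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Rule:
    """The ipSecRuleEntry attributes needed for rule selection."""
    name: str                      # constructed label, not a PIB attribute
    if_name: str                   # ipSecRuleIfName
    roles: str                     # ipSecRuleRoles
    direction: int                 # ipSecRuleDirection
    order: int                     # ipSecRuleOrder: smaller = higher precedence
    limit_negotiation: int = BOTH  # ipSecRuleLimitNegotiation
    time_period_set_id: int = 0    # 0 = rule is always valid


def check_uniqueness(rules: List[Rule]) -> None:
    """UNIQUENESS { ipSecRuleIfName, ipSecRuleRoles, ipSecRuleOrder }."""
    seen = set()
    for r in rules:
        key = (r.if_name, r.roles, r.order)
        if key in seen:
            raise ValueError(f"duplicate {{IfName, Roles, Order}} {key}")
        seen.add(key)


def ordered_rules(rules: List[Rule], if_name: str, roles: str) -> List[Rule]:
    """Rules bound to one {IfName, Roles} pair, in precedence order."""
    return sorted((r for r in rules if (r.if_name, r.roles) == (if_name, roles)),
                  key=lambda r: r.order)


def first_applicable_rule(rules: List[Rule], if_name: str, roles: str,
                          direction: int) -> Optional[Rule]:
    """First rule, by ipSecRuleOrder, whose direction covers the traffic."""
    for r in ordered_rules(rules, if_name, roles):
        if r.direction in (BIDIRECTIONAL, direction):
            return r
    return None


def negotiation_allowed(rule: Rule, our_part: int, refresh_of_existing_sa: bool) -> bool:
    """LimitNegotiation check before phase 2; ignored for an SA refresh."""
    if refresh_of_existing_sa:
        return True
    return rule.limit_negotiation in (BOTH, our_part)


# Constructed sample rows.
CORP_NET = AddressRow(IPV4_SUBNET, bytes([255, 255, 255, 0]), bytes([10, 1, 2, 0]), group_id=1)
DMZ_RANGE = AddressRow(IPV4_RANGE, b"", bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]), group_id=1)
ANY_V4 = AddressRow(IPV4_ADDRESS, bytes(4), bytes(4), group_id=2)
V6_HOST = AddressRow(IPV6_ADDRESS, bytes([0xFF] * 16), ip_address("2001:db8::1").packed, group_id=2)
HTTPS = PortRow(443, 443, group_id=10)
EPHEMERAL = PortRow(1024, 65535, group_id=20)
RULES = [
    Rule("vpn-any", "eth0", "edge", BIDIRECTIONAL, order=20),
    Rule("dmz-out", "eth0", "edge", OUT, order=10, limit_negotiation=INITIATOR),
    Rule("core-in", "eth1", "core", IN, order=5),
]
```

With these rows, "dmz-out" (order 10) precedes "vpn-any" (order 20) for outbound traffic on eth0/edge even though it appears later in the list, and a responder-side phase 2 request hitting "dmz-out" is refused unless it refreshes an SA that already exists.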
draft-ietf-ipsp-ipsecpib-03.txt:

--
--
-- The ipSecSelectorTable
--

ipSecSelectorTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSelectorEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec selectors. Each row in the selector table
        represents multiple selectors. These selectors are obtained as
        follows:

        1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
        addresses from the ipSecAddressTable whose ipSecAddressGroupId
        matches the ipSecSelectorSrcAddressGroupId.

        2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
        addresses from the ipSecAddressTable whose ipSecAddressGroupId
        matches the ipSecSelectorDstAddressGroupId.

        3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
        or ranges of port whose ipSecL4PortGroupId matches the
        ipSecSelectorSrcPortGroupId.

        4. Substitute the ipSecSelectorDstPortGroupId with all the ports
        or ranges of port whose ipSecL4PortGroupId matches the
        ipSecSelectorDstPortGroupId.

        5. Construct all the possible combinations of the above four
        fields together with the ipSecSelectorProtocol attribute to form
        all the five-tuple selectors

        Selectors constructed from a row inherit all the other attributes
        of the row (e.g., ipSecSelectorGranularity)."
    INDEX { ipSecSelectorPrid }
    UNIQUENESS {
        ipSecSelectorSrcAddressGroupId,
        ipSecSelectorSrcPortGroupId,
        ipSecSelectorDstAddressGroupId,
        ipSecSelectorDstPortGroupId,
        ipSecSelectorProtocol,
        ipSecSelectorGranularity,
        ipSecSelectorOrder,
        ipSecSelectorStartupCondition,
        ipSecSelectorIsOriginator,
        ipSecSelectorGroupId
    }
    ::= { ipSecSelector 3 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX IpSecSelectorEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
    ipSecSelectorPrid InstanceId,
    ipSecSelectorSrcAddressGroupId TagReferenceId,
    ipSecSelectorSrcPortGroupId TagReferenceId,
    ipSecSelectorDstAddressGroupId TagReferenceId,
    ipSecSelectorDstPortGroupId TagReferenceId,
    ipSecSelectorProtocol INTEGER,
    ipSecSelectorGranularity INTEGER,
    ipSecSelectorOrder Unsigned32,
    ipSecSelectorStartupCondition BITS,
    ipSecSelectorIsOriginator TruthValue,
    ipSecSelectorGroupId TagId
}

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies source addresses. All addresses in ipSecAddressTable
        whose ipSecAddressGroupId match this value are included as source
        addresses."
    ::= { ipSecSelectorEntry 2 }

ipSecSelectorSrcPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies source layer 4 port numbers. All ports in ipSecL4Port
        whose ipSecL4PortGroupId match this value are included."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies destination addresses. All addresses in
        ipSecAddressTable whose ipSecAddressGroupId match this value are
        included as destination addresses."
    ::= { ipSecSelectorEntry 4 }

ipSecSelectorDstPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies destination layer 4 port numbers. All ports in
        ipSecL4Port whose ipSecL4PortGroupId match this value are
        included."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorProtocol OBJECT-TYPE
    SYNTAX INTEGER (0..255)
    STATUS current
    DESCRIPTION
        "Specifies IP protocol to match against the packet's protocol. A
        value of zero means match all."
    ::= { ipSecSelectorEntry 6 }

ipSecSelectorGranularity OBJECT-TYPE
    SYNTAX INTEGER {
        wide(1),
        narrow(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies how the security associations established may be used.
        A value of 1 (Wide) indicates that this security association may
        be used by all packets that match the same selector that is
        matched by the packet triggering the establishment of this
        association.

        A value of 2 (Narrow) indicates that this security association
        can be used only by packets that have exactly the same selector
        attribute values as that of the packet triggering the
        establishment of this association. "
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the selectors
        within the ipSecSelectorGroup. A given precedence order is
        positioned before one with a higher-valued precedence order. All
        selectors constructed from the same row have the same order. The
        position of selectors with the same order is unspecified."
    ::= { ipSecSelectorEntry 8 }

ipSecSelectorStartupCondition OBJECT-TYPE
    SYNTAX BITS {
        onBoot(1),
        onTraffic(2),
        onPolicy(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the triggering event that causes the rule that
        references this selector be applied. OnBoot (1) means that the
        rule is triggered after system boot. This selector is used as the
        selector for the IPsec action. OnTraffic (2) means that the rule
        is triggered when packets without associated security associations
        are sent or received. This selector is used as the selector for
        the IPsec action. OnPolicy (3) means that the rule is triggered
        when it becomes valid as specified by
        ipSecRuleTimePeriodGroupTable. This selector is used as the
        selector for the IPsec action."
    ::= { ipSecSelectorEntry 9 }

ipSecSelectorIsOriginator OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "If ipSecSelectorStartupCondition is either onBoot (1) or onPolicy
        (3) and when IPsec associations need to be set up, this PEP
        should initiate the establishment if this attribute is True.
        Otherwise, it should wait for the other end to initiate the
        setup."
    ::= { ipSecSelectorEntry 10 }

ipSecSelectorGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specify the group this selector(s) belongs to. Selectors in the
        same group are provided with the same IPsec services."
    ::= { ipSecSelectorEntry 11 }

draft-ietf-ipsp-ipsecpib-04.txt:

--
--
-- The ipSecActionSetTable
--

ipSecActionSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecActionSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec action sets."
    ::= { ipSecAssociation 2 }

ipSecActionSetEntry OBJECT-TYPE
    SYNTAX IpSecActionSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecActionSetPrid }
    UNIQUENESS {
        ipSecActionSetActionSetId,
        ipSecActionSetActionId,
        ipSecActionSetDoActionLogging,
        ipSecActionSetDoPacketLogging,
        ipSecActionSetOrder
    }
    ::= { ipSecActionSetTable 1 }

IpSecActionSetEntry ::= SEQUENCE {
    ipSecActionSetPrid InstanceId,
    ipSecActionSetActionSetId TagId,
    ipSecActionSetActionId Prid,
    ipSecActionSetDoActionLogging TruthValue,
    ipSecActionSetDoPacketLogging TruthValue,
    ipSecActionSetOrder Unsigned16
}

ipSecActionSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecActionSetEntry 1 }

ipSecActionSetActionSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPsec action set is composed of one or more IPsec actions.
        Each action belonging to the same set has the same ActionSetId."
    ::= { ipSecActionSetEntry 2 }

ipSecActionSetActionId OBJECT-TYPE
    SYNTAX Prid
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in another table that describes an
        action to be taken.

        For IPsec static actions, it MUST point to an instance in the
        ipSecStaticActionTable.

        For IPsec negotiation actions, it MUST point to an instance in the
        ipSecNegotiationActionTable. For other actions, it may point to an
        instance in a table specified by other PIB modules."
    ::= { ipSecActionSetEntry 3 }

ipSecActionSetDoActionLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether a log message is to be generated when the
        action is performed. This applies for ipSecNegotiationActions
        with the meaning of logging a message when the negotiation is
        attempted (with the success or failure result). This also applies
        for ipSecStaticAction only for PreconfiguredTransport action or
        PreconfiguredTunnel action with the meaning of logging a message
        when the preconfigured SA is actually installed in the SADB."
    ::= { ipSecActionSetEntry 4 }

ipSecActionSetDoPacketLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether to log when the resulting security association
        is used to process a packet. For ipSecStaticActions, a log message
        is to be generated when the IPsecBypass, IpsecDiscard or IKEReject
        actions are executed."
    ::= { ipSecActionSetEntry 5 }

ipSecActionSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the precedence order of the action within the action
        set. An action with a smaller precedence order is to be applied
        before one with a larger precedence order. "
    ::= { ipSecActionSetEntry 6 }
-- --
-- --
-- The ipSecRuleTable -- The ipSecStaticActionTable
-- --
Li, et al Expires January, 2002 19 ipSecStaticActionTable OBJECT-TYPE
IPsec Policy Information Base July, 2001 SYNTAX SEQUENCE OF IpSecStaticActionEntry
ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec rules. " "Specifies IPsec static actions."
INDEX { ipSecRulePrid } ::= { ipSecAssociation 3 }
UNIQUENESS {
ipSecRuleIfName,
ipSecRuleRoles,
ipSecRuleDirection
}
::= { ipSecAssociation 1 }
ipSecRuleEntry OBJECT-TYPE ipSecStaticActionEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry SYNTAX IpSecStaticActionEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecRuleTable 1 }
IpSecRuleEntry ::= SEQUENCE { Li, et al Expires August, 2002 18
ipSecRulePrid InstanceId, IPsec Policy Information Base February, 2002
ipSecRuleIfName SnmpAdminString,
ipSecRuleRoles RoleCombination, PIB-INDEX { ipSecStaticActionPrid }
ipSecRuleDirection INTEGER, UNIQUENESS {
ipSecRuleIpSecSelectorGroupId TagReferenceId, ipSecStaticActionAction,
ipSecRuleIpSecActionGroupId TagReferenceId, ipSecStaticActionTunnelEndpointId,
ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId ipSecStaticActionDfHandling,
ipSecStaticActionSpi,
ipSecStaticActionLifetimeSeconds,
ipSecStaticActionLifetimeKilobytes,
ipSecStaticActionSaTransformId
} }
::= { ipSecStaticActionTable 1 }
ipSecRulePrid OBJECT-TYPE IpSecStaticActionEntry ::= SEQUENCE {
ipSecStaticActionPrid InstanceId,
ipSecStaticActionAction INTEGER,
ipSecStaticActionTunnelEndpointId ReferenceId,
ipSecStaticActionDfHandling INTEGER,
ipSecStaticActionSpi Unsigned32,
ipSecStaticActionLifetimeSeconds Unsigned32,
ipSecStaticActionLifetimeKilobytes Unsigned32,
ipSecStaticActionSaTransformId Prid
}
ipSecStaticActionPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class." "An integer index that uniquely identifies an instance of this
::= { ipSecRuleEntry 1 } class."
::= { ipSecStaticActionEntry 1 }
ipSecRuleIfName OBJECT-TYPE ipSecStaticActionAction OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX INTEGER {
byPass(1),
discard(2),
ikeRejection(3),
preConfiguredTransport(4),
preConfiguredTunnel(5)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The interface capability set to which this IPSec rule applies. "Specifies the IPsec action to be applied to the traffic. byPass
The interface capability name specified by this attribute must (1) means that packets are to be allowed to pass in the clear.
exist in the frwkIfCapSetTable [FR-PIB] prior to association with discard (2) means that packets are to be discarded. ikeRejection
an instance of this class." (3) means that that an IKE negotiation should not even be
::= { ipSecRuleEntry 2 } attempted or continued. preConfiguredTransport (4) means that an
IPsec transport SA is pre-configured. preConfiguredTunnel (5)
means that an IPsec tunnel SA is pre-configured. "
::= { ipSecStaticActionEntry 2 }
ipSecStaticActionTunnelEndpointId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecAddressEntry }
Li, et al Expires August, 2002 19
IPsec Policy Information Base February, 2002
ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecStaticActionAction is preConfiguredTunnel (5), this
attribute indicates the peer gateway IP address. This address MUST
be a single endpoint address.
Li, et al Expires January, 2002 20 When ipSecStaticActionAction is not preConfiguredTunnel, this
IPsec Policy Information Base July, 2001 attribute MUST be zero."
::= { ipSecStaticActionEntry 3 }
"Specifies the role combination of the interface to which this
IPSec rule should apply. There must exist an instance in the
frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
combination, together with the interface capability set specified
by ipSecRuleIfName, prior to association with an instance of this
class."
::= { ipSecRuleEntry 3 }
ipSecRuleDirection OBJECT-TYPE ipSecStaticActionDfHandling OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
in(1), copy(1),
out(2), set(2),
bi-directional(3) clear(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the direction of traffic to which this rule should "When ipSecStaticActionAction is preConfiguredTunnel, this
apply." attribute specifies how the DF bit is managed.
::= { ipSecRuleEntry 4 }
ipSecRuleIpSecSelectorGroupId OBJECT-TYPE Copy (1) indicates to copy the DF bit from the internal IP header
SYNTAX TagReferenceId to the external IP header. Set (2) indicates to set the DF bit of
the external IP header to 1. Clear (3) indicates to clear the DF
bit of the external IP header to 0.
When ipSecStaticActionAction is not preConfiguredTunnel, this
attribute MUST be ignored. "
::= { ipSecStaticActionEntry 4 }
ipSecStaticActionSpi OBJECT-TYPE
SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies the selectors to be associated with this IPSec rule. "Specifies the SPI to be used with the SA Transform identified by
The selectors in the ipSecSelectorTable whose ipSecSelectorGroupId ipSecStaticActionSaTransformId.
matches this attribute are provided with the IPSec services
specified by this rule."
::= { ipSecRuleEntry 5 }
ipSecRuleIpSecActionGroupId OBJECT-TYPE When ipSecStaticActionAction is neither
SYNTAX TagReferenceId preConfiguredTransportAction nor preConfiguredTunnelAction, this
attribute MUST be ignored."
::= { ipSecStaticActionEntry 5 }
ipSecStaticActionLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies the IPsec action group that is "Specifies the amount of time (in seconds) that a security
associated with this rule. Actions specified in ipSecActionTable association derived from this action should be used. When
whose ipSecActionActionGroupId match the value of this attribute ipSecStaticActionAction is neither preConfiguredTransportAction
MUST all be applied. The ipSecActionOrder in the ipSecActionTable nor preConfiguredTunnelAction, this attribute MUST be ignored.
indicates the order these actions should be taken in setting up
the security associations."
::= { ipSecRuleEntry 6 }
ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE A value of zero indicates that there is not a lifetime associated
SYNTAX TagReferenceId with this action (i.e., infinite lifetime).
Li, et al Expires August, 2002 20
IPsec Policy Information Base February, 2002
The actual lifetime of the preconfigured SA will be the smallest
of the value of this LifetimeSeconds property and of the value of
the MaxLifetimeSeconds property of the associated SA Transform.
Except if the value of this LifetimeSeconds property is zero, then
there will be no lifetime associated to this SA."
::= { ipSecStaticActionEntry 6 }
ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies an IPsec rule time period group, "Specifies the SA lifetime in kilobytes. When
specified in ipSecRuleTimePeriodGroupTable, that is associated ipSecStaticActionAction is neither preConfiguredTransportAction
with this rule nor preConfiguredTunnelAction, this attribute MUST be ignored.
A value of zero indicates that this IPsec rule is always valid." A value of zero indicates that there is not a lifetime associated
::= { ipSecRuleEntry 7 } with this action (i.e., infinite lifetime).
Li, et al Expires January, 2002 21 The actual lifetime of the preconfigured SA will be the smallest
IPsec Policy Information Base July, 2001 of the value of this LifetimeKilobytes property and of the value
of the MaxLifetimeKilobytes property of the associated SA
transform. Except if the value of this LifetimeKilobytes property
is zero, then there will be no lifetime associated with this
action.
"
::= { ipSecStaticActionEntry 7 }
ipSecStaticActionSaTransformId OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"A pointer to a valid instance in another table that describes an
SA transform, e.g, ipSecEspTransformTable, ipSecAhTransformTable."
::= { ipSecStaticActionEntry 8 }
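The MUST-level rules spread over the -04 ipSecStaticActionEntry attributes (TunnelEndpointId only for preConfiguredTunnel, the three DF-bit treatments, and the lifetime rule "smallest of the action's value and the transform's Max value, except that zero means no lifetime") are the kind of thing a PEP gets subtly wrong. The following is an added example, not code or text from the draft, that encodes them in Python. The SaTransform class is an assumed shape (the transform tables and their MaxLifetime attributes are defined outside this section), field names are this example's own, a transform Max value of zero is read here as "no cap", and the SPI-zero check cites RFC 4301, not the draft.

```python
"""Consistency checks for an ipSecStaticActionEntry (draft-ietf-ipsp-ipsecpib-04).

Added example, not text from the draft. SaTransform below is an assumed view of
the ESP/AH transform row that ipSecStaticActionSaTransformId points at."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ipSecStaticActionAction enumeration
BYPASS, DISCARD, IKE_REJECTION, PRECONF_TRANSPORT, PRECONF_TUNNEL = 1, 2, 3, 4, 5
PRECONFIGURED = {PRECONF_TRANSPORT, PRECONF_TUNNEL}
# ipSecStaticActionDfHandling enumeration
DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3


@dataclass
class SaTransform:
    """Assumed view of the transform row; Max* attributes are outside this section."""
    prid: int
    max_lifetime_seconds: int = 0      # 0 read here as "no cap" (assumption)
    max_lifetime_kilobytes: int = 0


@dataclass
class StaticAction:
    action: int
    tunnel_endpoint_id: int = 0        # ReferenceId into ipSecAddressTable; 0 = none
    df_handling: int = DF_COPY
    spi: int = 0
    lifetime_seconds: int = 0
    lifetime_kilobytes: int = 0
    sa_transform: Optional[SaTransform] = None


def effective_lifetime(action_value: int, transform_max: int) -> Optional[int]:
    """Lifetime the installed SA gets, reading the -04 text literally: the smaller
    of the action's value and the transform's Max value, except that an action
    value of zero means no lifetime at all (None), whatever the transform says."""
    if action_value == 0:
        return None
    if transform_max == 0:             # assumption: a transform without a cap
        return action_value
    return min(action_value, transform_max)


def effective_lifetimes(a: StaticAction) -> Tuple[Optional[int], Optional[int]]:
    """(seconds, kilobytes) for a preconfigured SA; (None, None) for the other
    actions, whose lifetime attributes MUST be ignored."""
    if a.action not in PRECONFIGURED or a.sa_transform is None:
        return (None, None)
    return (effective_lifetime(a.lifetime_seconds, a.sa_transform.max_lifetime_seconds),
            effective_lifetime(a.lifetime_kilobytes, a.sa_transform.max_lifetime_kilobytes))


def outer_df_bit(inner_df: bool, handling: int) -> bool:
    """DF bit written into the outer IP header of a preConfiguredTunnel SA."""
    if handling == DF_COPY:
        return inner_df
    if handling == DF_SET:
        return True
    if handling == DF_CLEAR:
        return False
    raise ValueError(f"unknown ipSecStaticActionDfHandling value {handling}")


def validate_static_action(a: StaticAction) -> List[str]:
    """MUST-level rules from the attribute DESCRIPTIONs, plus one SPI sanity check."""
    problems = []
    if a.action not in (BYPASS, DISCARD, IKE_REJECTION, PRECONF_TRANSPORT, PRECONF_TUNNEL):
        problems.append(f"unknown ipSecStaticActionAction {a.action}")
    if a.action == PRECONF_TUNNEL and a.tunnel_endpoint_id == 0:
        problems.append("preConfiguredTunnel needs a TunnelEndpointId (peer gateway)")
    if a.action != PRECONF_TUNNEL and a.tunnel_endpoint_id != 0:
        problems.append("TunnelEndpointId MUST be zero unless action is preConfiguredTunnel")
    if a.action in PRECONFIGURED:
        if a.sa_transform is None:
            problems.append("preconfigured SA needs an SaTransformId")
        if a.spi == 0:
            # Not a rule of the draft: SPI 0 is reserved for local use by RFC 4301.
            problems.append("preconfigured SA should carry a non-zero SPI")
    return problems
```

Note what the literal wording implies: an action LifetimeSeconds of zero yields an SA with no lifetime even when the referenced transform carries a MaxLifetimeSeconds, so zero here is not "defer to the transform's cap". A PEP that wants the transform's cap to apply must leave the action's lifetime non-zero.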
draft-ietf-ipsp-ipsecpib-03.txt:

--
--
-- The ipSecActionTable
--

ipSecActionTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecActionEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies groups of IPsec actions. All actions that have the same
        ipSecActionActionGroupId belong to the same group. Actions in the
        same group MUST be applied in the order specified by
        ipSecActionOrder."
    INDEX { ipSecActionPrid }
    UNIQUENESS {
        ipSecActionAction,
        ipSecActionTunnelEndpointId,
        ipSecActionDfHandling,
        ipSecActionDoLogging,
        ipSecActionIpSecSecurityAssociationId,
        ipSecActionActionGroupId,
        ipSecActionOrder,
        ipSecActionIkeRuleId
    }
    ::= { ipSecAssociation 2 }

ipSecActionEntry OBJECT-TYPE
    SYNTAX IpSecActionEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecActionTable 1 }

IpSecActionEntry ::= SEQUENCE {
    ipSecActionPrid InstanceId,
    ipSecActionAction INTEGER,
    ipSecActionTunnelEndpointId ReferenceId,
    ipSecActionDfHandling INTEGER,
    ipSecActionDoLogging TruthValue,
    ipSecActionIpSecSecurityAssociationId ReferenceId,
    ipSecActionActionGroupId TagId,
    ipSecActionOrder Unsigned32,
    ipSecActionIkeRuleId ReferenceId
}

ipSecActionPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecActionEntry 1 }

ipSecActionAction OBJECT-TYPE
    SYNTAX INTEGER {
        byPass(1),
        discard(2),
        transport(3),
        tunnel(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the IPsec action to be applied to the traffic.
        ByPass(1) means that the packet should pass in clear. Discard(2)
        means that the packet should be denied. Transport(3) means that
        the packet should be protected with a security association in
        transport mode. Tunnel(4) means that the packet should be
        protected with a security association in tunnel mode. If Tunnel
        (4) is specified, ipSecActionTunnelEndpointId MUST also be
        specified."
    ::= { ipSecActionEntry 2 }

ipSecActionTunnelEndpointId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "When ipSecActionAction is tunnel, this attribute specifies the IP
        address of the other end of the tunnel. The address specified in
        ipSecAddressTable whose ipSecAddressPrid matches this value is the
        other end of the tunnel. The address MUST be a single endpoint
        address.
        When ipSecActionAction is not tunnel, this attribute SHALL be
        zero. "
    ::= { ipSecActionEntry 3 }

ipSecActionDfHandling OBJECT-TYPE
    SYNTAX INTEGER {
        copy(1),
        set(2),
        clear(3)
    }
    STATUS current
    DESCRIPTION
        "When ipSecActionAction is tunnel, this attribute specifies how
        the DF bit is managed by the tunnel. Copy (1) indicates that the
        DF bit is copied. Set (2) indicates that the DF bit is set.
        Clear (3) indicates that the DF bit is cleared. When
        ipSecActionAction is not tunnel, this attribute SHALL be ignored. "
    ::= { ipSecActionEntry 4 }

ipSecActionDoLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies if an audit message should be logged when the discard
        action is taken."
    ::= { ipSecActionEntry 5 }

ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPSec association, specified by
        ipSecSecurityAssociationPrid in ipSecSecurityAssociationTable,
        that is associated with this action.
        When ipSecActionAction attribute specifies Bypass (1) or Discard
        (2), this attribute MUST have a value of zero. Otherwise, its
        value MUST be greater than zero."
    ::= { ipSecActionEntry 6 }

ipSecActionActionGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this action belongs to."
    ::= { ipSecActionEntry 7 }

ipSecActionOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the order in which the actions in this group are
        applied. An action with a lower order number is applied before
        one with a higher order number.
        When ipSecActionAction attribute specifies Bypass (1) or Discard
        (2), this attribute MUST be ignored. "
    ::= { ipSecActionEntry 8 }

ipSecActionIkeRuleId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IKE rule, specified by
        ipSecIkeRulePrid in ipSecIkeRuleTable, that is associated with
        this IPsec rule.
        A value of zero means that there is no IKE rule associated. When
        ipSecActionAction attribute specifies Bypass (1) or Discard (2),
        this attribute must have a value of zero."
    ::= { ipSecActionEntry 9 }

draft-ietf-ipsp-ipsecpib-04.txt:

--
--
-- The ipSecNegotiationActionTable
--

ipSecNegotiationActionTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecNegotiationActionEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec negotiation actions."
    ::= { ipSecAssociation 4 }

ipSecNegotiationActionEntry OBJECT-TYPE
    SYNTAX IpSecNegotiationActionEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecNegotiationActionPrid }
    UNIQUENESS {
        ipSecNegotiationActionAction,
        ipSecNegotiationActionTunnelEndpointId,
        ipSecNegotiationActionDfHandling,
        ipSecNegotiationActionIpSecSecurityAssociationId,
        ipSecNegotiationActionKeyExchangeId
    }
    ::= { ipSecNegotiationActionTable 1 }

IpSecNegotiationActionEntry ::= SEQUENCE {
    ipSecNegotiationActionPrid InstanceId,
    ipSecNegotiationActionAction INTEGER,
    ipSecNegotiationActionTunnelEndpointId ReferenceId,
    ipSecNegotiationActionDfHandling INTEGER,
    ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId,
    ipSecNegotiationActionKeyExchangeId Prid
}

ipSecNegotiationActionPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecNegotiationActionEntry 1 }

ipSecNegotiationActionAction OBJECT-TYPE
    SYNTAX INTEGER {
        transport(1),
        tunnel(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the IPsec action to be applied to the traffic.
        transport(1) means that the packet should be protected with a
        security association in transport mode. tunnel(2) means that the
        packet should be protected with a security association in tunnel
        mode. If tunnel (2) is specified, ipSecActionTunnelEndpointId
        MUST also be specified."
    ::= { ipSecNegotiationActionEntry 2 }

ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES {ipSecAddressEntry }
    STATUS current
    DESCRIPTION
        "When ipSecActionAction is tunnel (2), this attribute indicates
        the peer gateway IP address. This address MUST be a single
        endpoint address.
        When ipSecActionAction is not tunnel, this attribute MUST be
        zero. "
    ::= { ipSecNegotiationActionEntry 3 }

ipSecNegotiationActionDfHandling OBJECT-TYPE
    SYNTAX INTEGER {
        copy(1),
        set(2),
        clear(3)
    }
    STATUS current
    DESCRIPTION
        "When ipSecActionAction is tunnel, this attribute specifies how
        the DF bit is managed.
        Copy (1) indicates to copy the DF bit from the internal IP header
        to the external IP header. Set (2) indicates to set the DF bit of
        the external IP header to 1. Clear (3) indicates to clear the DF
        bit of the external IP header to 0.
        When ipSecActionAction is not tunnel, this attribute MUST be
        ignored. "
    ::= { ipSecNegotiationActionEntry 4 }

ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES {ipSecAssociationEntry }
    STATUS current
    DESCRIPTION
        "Pointer to a valid instance in the
        ipSecSecurityAssociationTable."
    ::= { ipSecNegotiationActionEntry 5 }

ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
    SYNTAX Prid
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in another table that describes key
        exchange associations. If a single IKE phase one negotiation is
        used for the key exchange, this attribute MUST point to an
        instance in the ipSecIkeAssociationTable. If multiple IKE phase
        one negotiations (e.g., with different modes) are to be tried
        until success, this attribute SHOULD point to ipSecIkeRuleTable.
        For other key exchange methods, this attribute may point to an
        instance of a PRC defined in some other PIB.
        A value of zero means that there is no key exchange procedure
        associated."
    ::= { ipSecNegotiationActionEntry 6 }
draft-ietf-ipsp-ipsecpib-03.txt:

--
--
-- The ipSecAssociationTable
--

ipSecAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies attributes associated with IPsec associations"
    INDEX { ipSecAssociationPrid }
    UNIQUENESS {
        ipSecAssociationRefreshThresholdSeconds,
        ipSecAssociationRefreshThresholdKilobytes,
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationTrafficIdleTime,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseIkeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationProposalSetId
    }
    ::= { ipSecAssociation 3 }

ipSecAssociationEntry OBJECT-TYPE
    SYNTAX IpSecAssociationEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAssociationTable 1 }

IpSecAssociationEntry ::= SEQUENCE {
    ipSecAssociationPrid InstanceId,
    ipSecAssociationRefreshThresholdSeconds INTEGER,
    ipSecAssociationRefreshThresholdKilobytes INTEGER,
    ipSecAssociationMinLifetimeSeconds Unsigned32,
    ipSecAssociationMinLifetimeKilobytes Unsigned32,
    ipSecAssociationTrafficIdleTime Unsigned32,
    ipSecAssociationUsePfs TruthValue,
    ipSecAssociationVendorId OCTET STRING,
    ipSecAssociationUseIkeGroup TruthValue,
    ipSecAssociationDhGroup Unsigned32,
    ipSecAssociationProposalSetId TagReferenceId
}

ipSecAssociationPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecAssociationEntry 1 }

ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration (in other words, the
        refresh threshold) of an established SA's seconds lifetime at
        which to begin renegotiation of the SA.
        A value of 100 means that renegotiation does not occur until the
        seconds lifetime value has expired."
    ::= { ipSecAssociationEntry 2 }

ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration of an established SA's
        kilobyte lifetime at which to begin renegotiation of the SA.
        A value of 100 means that renegotiation does not occur until the
        kilobyte lifetime value has expired."
    ::= { ipSecAssociationEntry 3 }

ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be accepted
        from a peer while negotiating an SA based upon this action.
        A value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecAssociationEntry 4 }

ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be accepted
        from a negotiating peer while negotiating an SA based upon this
        action. A value of zero indicates that there is no minimum
        lifetime enforced."
    ::= { ipSecAssociationEntry 5 }

ipSecAssociationTrafficIdleTime OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the amount of time in seconds an SA can remain idle (in
        other words, no traffic protected by the SA) before it is deleted.
        A value of zero indicates that there is no idle time detection.
        The expiration of the SA is determined by the expiration of one of
        the lifetime values."
    ::= { ipSecAssociationEntry 6 }

ipSecAssociationUsePfs OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "If true, PFS SHALL be used when negotiating the phase two IPsec
        SA."
    ::= { ipSecAssociationEntry 7 }

ipSecAssociationVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Identifies vendor-defined key exchange GroupIDs."
    ::= { ipSecAssociationEntry 8 }

ipSecAssociationUseIkeGroup OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "If true, the phase two DH group number MUST be the same as that
        of phase 1. Otherwise, the group number specified by the
        ipSecSecurityAssociationDhGroup attribute SHALL be used. This
        attribute is ignored if ipSecSecurityAssociationUsePfs is false."
    ::= { ipSecAssociationEntry 9 }

ipSecAssociationDhGroup OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "If PFS is used during IKE phase two and
        ipSecSecurityAssociationUseIkeGroup is false, this attribute
        specifies the Diffie-Hellman group to use.
        If the GroupID number is from the vendor-specific range (32768-
        65535), the VendorID qualifies the group number.
        This attribute MUST be ignored if ipSecSecurityAssociationUsePfs
        is false."
    ::= { ipSecAssociationEntry 10 }

ipSecAssociationProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies the IPsec proposal set, specified in
        ipSecProposalGroupT
able, that is associated with this IPsec
        association."
    ::= { ipSecAssociationEntry 11 }

draft-ietf-ipsp-ipsecpib-04.txt:

--
--
-- The ipSecAssociationTable
--

ipSecAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec associations."
    ::= { ipSecAssociation 5 }

ipSecAssociationEntry OBJECT-TYPE
    SYNTAX IpSecAssociationEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAssociationPrid }
    UNIQUENESS {
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationIdleDurationSeconds,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseKeyExchangeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationGranularity,
        ipSecAssociationProposalSetId
    }
    ::= { ipSecAssociationTable 1 }

IpSecAssociationEntry ::= SEQUENCE {
    ipSecAssociationPrid InstanceId,
    ipSecAssociationMinLifetimeSeconds Unsigned32,
    ipSecAssociationMinLifetimeKilobytes Unsigned32,
    ipSecAssociationIdleDurationSeconds Unsigned32,
    ipSecAssociationUsePfs TruthValue,
    ipSecAssociationVendorId OCTET STRING,
    ipSecAssociationUseKeyExchangeGroup TruthValue,
    ipSecAssociationDhGroup Unsigned16,
    ipSecAssociationGranularity INTEGER,
    ipSecAssociationProposalSetId TagReferenceId
}

ipSecAssociationPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAssociationEntry 1 }

ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be accepted
        from a peer while negotiating an SA based upon this action.
        A value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecAssociationEntry 2 }

ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be accepted
        from a negotiating peer while negotiating an SA based upon this
        action. A value of zero indicates that there is no minimum
        lifetime enforced."
    ::= { ipSecAssociationEntry 3 }

ipSecAssociationIdleDurationSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies how long, in seconds, a security association may remain
        unused before it is deleted.
        A value of zero indicates that idle detection should not be used
        for the security association (only the seconds and kilobyte
        lifetimes will be used)."
    ::= { ipSecAssociationEntry 4 }

ipSecAssociationUsePfs OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether or not to use PFS when refreshing keys."
    ::= { ipSecAssociationEntry 5 }

ipSecAssociationVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the IKE Vendor ID. This attribute is used together with
        the property ipSecAssociationDhGroup (when it is in the vendor-
        specific range) to identify the key exchange group. This
        attribute is ignored unless ipSecAssociationUsePFS is true and
        ipSecAssociationUseKeyExchangeGroup is false and
        ipSecAssociationDhGroup is in the vendor-specific range (32768-
        65535)."
    ::= { ipSecAssociationEntry 6 }

ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether or not to use the same GroupId for phase 2 as
        was used in phase 1. If UsePFS is false, then this attribute is
        ignored.
        A value of true indicates that the phase 2 GroupId should be the
        same as phase 1. A value of false indicates that the group number
        specified by the ipSecSecurityAssociationDhGroup attribute SHALL
        be used for phase 2. "
    ::= { ipSecAssociationEntry 7 }

ipSecAssociationDhGroup OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the key exchange group to use for phase 2 when the
        property ipSecSecurityAssociationUsePfs is true and the property
        ipSecSecurityAssociationUseKeyExchangeGroup is false."
    ::= { ipSecAssociationEntry 8 }

ipSecAssociationGranularity OBJECT-TYPE
    SYNTAX INTEGER {
        subnet(1),
        address(2),
        protocol(3),
        port(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies how the proposed selector for the security association
        will be created.
        A value of 1 (subnet) indicates that the source and destination
        subnet masks of the filter entry are used.
        A value of 2 (address) indicates that only the source and
        destination IP addresses of the triggering packet are used.
        A value of 3 (protocol) indicates that the source and destination
        IP addresses and the IP protocol of the triggering packet are
        used.
        A value of 4 (port) indicates that the source and destination IP
        addresses and the IP protocol and the source and destination layer
        4 ports of the triggering packet are used. "
    ::= { ipSecAssociationEntry 9 }

ipSecAssociationProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecProposalSetProposalSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IPsec proposals that is associated with this
        IPsec association."
    ::= { ipSecAssociationEntry 10 }
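Two pieces of ipSecAssociationEntry logic in -04 interact across several attributes and are worth seeing in one place: the phase 2 group choice (ipSecAssociationUsePfs gates everything; ipSecAssociationUseKeyExchangeGroup reuses the phase 1 group; otherwise ipSecAssociationDhGroup applies, qualified by ipSecAssociationVendorId when the number falls in the vendor-specific range 32768-65535), and the selector proposed for the SA under each ipSecAssociationGranularity value. The following Python is an added example, not code from the draft; the FilterEntry and Packet shapes, the field names and the use of /32 prefixes for single addresses are this example's own assumptions, since the filter PRCs are defined outside this section.

```python
"""Phase 2 group selection and SA selector construction from an
ipSecAssociationEntry (draft-ietf-ipsp-ipsecpib-04).

Added example, not text from the draft. FilterEntry / Packet are assumed shapes."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

VENDOR_GROUP_MIN, VENDOR_GROUP_MAX = 32768, 65535      # vendor-specific range (draft)
GRAN_SUBNET, GRAN_ADDRESS, GRAN_PROTOCOL, GRAN_PORT = 1, 2, 3, 4


def phase2_group(use_pfs: bool, use_key_exchange_group: bool,
                 phase1_group: int, dh_group: int,
                 vendor_id: bytes = b"") -> Optional[Tuple[int, bytes]]:
    """Return (group number, qualifying Vendor ID) for the phase 2 exchange, or
    None when PFS is off: without PFS there is no phase 2 Diffie-Hellman
    exchange and the group-related attributes are ignored."""
    if not use_pfs:
        return None
    if use_key_exchange_group:
        return (phase1_group, b"")            # reuse the phase 1 GroupId
    if VENDOR_GROUP_MIN <= dh_group <= VENDOR_GROUP_MAX:
        if not vendor_id:
            raise ValueError("vendor-specific DhGroup needs ipSecAssociationVendorId")
        return (dh_group, vendor_id)          # VendorId qualifies the group number
    return (dh_group, b"")                    # IANA-assigned group, no qualifier


@dataclass(frozen=True)
class FilterEntry:
    """Source/destination subnets of the matching policy filter (assumed shape)."""
    src_net: str
    dst_net: str


@dataclass(frozen=True)
class Packet:
    """Fields of the triggering packet that a selector can use (assumed shape)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR text; a single host is written as /32
    dst: str
    proto: Optional[int] = None   # None = any
    sport: Optional[int] = None
    dport: Optional[int] = None


def _host(addr: str) -> str:
    """A bare address becomes a one-host network ('10.1.4.7' -> '10.1.4.7/32')."""
    return str(ip_network(addr))


def proposed_selector(granularity: int, flt: FilterEntry, pkt: Packet) -> Selector:
    """Selector proposed for the phase 2 SA under ipSecAssociationGranularity.
    Coarser values (subnet) yield one SA shared by many flows; finer values
    (port) yield one SA per flow, which costs more negotiations."""
    if granularity == GRAN_SUBNET:
        return Selector(str(ip_network(flt.src_net)), str(ip_network(flt.dst_net)))
    if granularity == GRAN_ADDRESS:
        return Selector(_host(pkt.src), _host(pkt.dst))
    if granularity == GRAN_PROTOCOL:
        return Selector(_host(pkt.src), _host(pkt.dst), pkt.proto)
    if granularity == GRAN_PORT:
        return Selector(_host(pkt.src), _host(pkt.dst), pkt.proto, pkt.sport, pkt.dport)
    raise ValueError(f"unknown ipSecAssociationGranularity value {granularity}")
```

Note the asymmetry the attribute text creates: only subnet (1) uses the filter entry; address (2) through port (4) take their values from the triggering packet, so a bi-directional policy matched by a reply packet proposes a selector with source and destination as seen in that packet.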
draft-ietf-ipsp-ipsecpib-03.txt:

--
--
-- The ipSecProposalSetTable
--

ipSecProposalSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecProposalSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec proposal sets. Proposals within a set are ORed
        with preference order."
    INDEX { ipSecProposalSetPrid }
    UNIQUENESS {
        ipSecProposalSetProposalSetId,
        ipSecProposalSetProposalId,
        ipSecProposalSetOrder
    }
    ::= { ipSecAssociation 4 }

ipSecProposalSetEntry OBJECT-TYPE
    SYNTAX IpSecProposalSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecProposalSetTable 1 }

IpSecProposalSetEntry ::= SEQUENCE {
    ipSecProposalSetPrid InstanceId,
    ipSecProposalSetProposalSetId TagId,
    ipSecProposalSetProposalId ReferenceId,
    ipSecProposalSetOrder Unsigned32
}

ipSecProposalSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecProposalSetEntry 1 }

ipSecProposalSetProposalSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPsec proposal set."
    ::= { ipSecProposalSetEntry 2 }

ipSecProposalSetProposalId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPsec Proposal, specified by
        ipSecProposalPrid in ipSecProposalTable, that is included in this
        set."
    ::= { ipSecProposalSetEntry 3 }

ipSecProposalSetOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the proposal
        identified by ipSecProposalSetProposalId in a proposal set. The
        proposal set is identified by ipSecProposalSetProposalSetId.
        Proposals within a set are ORed with preference order. A proposal
        with a lower-valued precedence order is positioned before one
        with a higher-valued precedence order."
    ::= { ipSecProposalSetEntry 4 }

draft-ietf-ipsp-ipsecpib-04.txt:

--
--
-- The ipSecProposalSetTable
--

ipSecProposalSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecProposalSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec proposal sets. Proposals within a set are ORed
        with preference order."
    ::= { ipSecAssociation 6 }

ipSecProposalSetEntry OBJECT-TYPE
    SYNTAX IpSecProposalSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecProposalSetPrid }
    UNIQUENESS {
        ipSecProposalSetProposalSetId,
        ipSecProposalSetProposalId,
        ipSecProposalSetOrder
    }
    ::= { ipSecProposalSetTable 1 }

IpSecProposalSetEntry ::= SEQUENCE {
    ipSecProposalSetPrid InstanceId,
    ipSecProposalSetProposalSetId TagId,
    ipSecProposalSetProposalId ReferenceId,
    ipSecProposalSetOrder Unsigned16
}

ipSecProposalSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecProposalSetEntry 1 }

ipSecProposalSetProposalSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPsec proposal set is composed of one or more IPsec proposals.
        Each proposal belonging to the same set has the same
        ProposalSetId."
    ::= { ipSecProposalSetEntry 2 }

ipSecProposalSetProposalId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES {ipSecProposalEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecProposalTable."
    ::= { ipSecProposalSetEntry 3 }

ipSecProposalSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the proposal
        identified by ipSecProposalSetProposalId in a proposal set. The
        proposal set is identified by ipSecProposalSetProposalSetId.
        Proposals within a set are ORed with preference order. A smaller
        integer value indicates a higher preference."
    ::= { ipSecProposalSetEntry 4 }
-- --
-- --
-- The ipSecProposalTable -- The ipSecProposalTable
-- --
ipSecProposalTable OBJECT-TYPE ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry SYNTAX SEQUENCE OF IpSecProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IPsec proposal. It has references to ESP, AH and "Specifies IPsec proposals. It has references to ESP, AH and
IPComp Transform sets. Within a proposal, different types of IPCOMP Transform sets. Within a proposal, different types of
transforms are ANDed. Within one type of transforms, the choices transforms are ANDed. Multiple transforms of the same type are
are ORed with preference order." ORed with preference order."
INDEX { ipSecProposalPrid } ::= { ipSecAssociation 7 }
UNIQUENESS {
ipSecProposalLifetimeKilobytes,
ipSecProposalLifetimeSeconds,
ipSecProposalVendorId,
ipSecProposalEspTransformSetId,
ipSecProposalAhTransformSetId,
ipSecProposalCompTransformSetId
}
::= { ipSecAssociation 5 }
ipSecProposalEntry OBJECT-TYPE ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry SYNTAX IpSecProposalEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecProposalPrid }
UNIQUENESS {
ipSecProposalEspTransformSetId,
ipSecProposalAhTransformSetId,
ipSecProposalCompTransformSetId
}
::= { ipSecProposalTable 1 } ::= { ipSecProposalTable 1 }
Li, et al Expires August, 2002 28
IPsec Policy Information Base February, 2002
IpSecProposalEntry ::= SEQUENCE { IpSecProposalEntry ::= SEQUENCE {
ipSecProposalPrid InstanceId, ipSecProposalPrid InstanceId,
ipSecProposalLifetimeKilobytes Unsigned32,
ipSecProposalLifetimeSeconds Unsigned32,
ipSecProposalVendorId OCTET STRING,
ipSecProposalEspTransformSetId TagReferenceId, ipSecProposalEspTransformSetId TagReferenceId,
ipSecProposalAhTransformSetId TagReferenceId, ipSecProposalAhTransformSetId TagReferenceId,
ipSecProposalCompTransformSetId TagReferenceId ipSecProposalCompTransformSetId TagReferenceId
} }
ipSecProposalPrid OBJECT-TYPE ipSecProposalPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index that uniquely identifies an instance of this
class."
::= { ipSecProposalEntry 1 } ::= { ipSecProposalEntry 1 }
ipSecProposalLifetimeKilobytes OBJECT-TYPE ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX TagReferenceId
PIB-TAG { ipSecEspTransformSetTransformSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal. "An integer that identifies a set of ESP transforms, specified in
ipSecEspTransformSetTable, that is associated with this proposal."
A value of zero indicates that there is no kilobyte lifetime."
::= { ipSecProposalEntry 2 } ::= { ipSecProposalEntry 2 }
ipSecProposalLifetimeSeconds OBJECT-TYPE ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX TagReferenceId
PIB-TAG { ipSecAhTransformSetTransformSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the seconds lifetime for this particular proposal. "An integer that identifies an AH transform set, specified in
ipSecAhTransformSetTable, that is associated with this proposal."
A value of zero indicates that the lifetime value defaults to 8
hours. "
::= { ipSecProposalEntry 3 } ::= { ipSecProposalEntry 3 }
ipSecProposalVendorId OBJECT-TYPE ipSecProposalCompTransformSetId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX TagReferenceId
PIB-TAG { ipSecCompTransformSetTransformSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies vendor-defined transforms." "An integer that identifies a set of IPComp transforms, specified
in ipSecCompTransformSetTable, that is associated with this
proposal."
::= { ipSecProposalEntry 4 } ::= { ipSecProposalEntry 4 }
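Review bot: the three TagReferenceId attributes of ipSecProposalEntry (ipSecProposalEspTransformSetId, ipSecProposalAhTransformSetId, ipSecProposalCompTransformSetId) never say how a proposal expresses that a transform type is absent, even though the table DESCRIPTION states that "different types of transforms are ANDed". Elsewhere in this draft a value of zero carries that meaning (ipSecIkeRuleIpSecRuleTimePeriodGroupId: "A value of zero indicates that this rule is always valid"), so each of the three DESCRIPTIONs should state explicitly whether zero means "no transform of this type in the proposal" and whether a PEP MUST reject a proposal in which all three are zero.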
ipSecProposalEspTransformSetId OBJECT-TYPE --
SYNTAX TagReferenceId --
-- The ipSecAhTransformSetTable
--
ipSecAhTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the ESP transform set, specified in "Specifies AH transform sets. Within a transform set, the
ipSecEspTransformSetTable, that is associated with this proposal." transforms are ORed with preference order. "
::= { ipSecProposalEntry 5 } ::= { ipSecAhTransform 1 }
ipSecProposalAhTransformSetId OBJECT-TYPE ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX IpSecAhTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the AH transform set, specified in "Specifies an instance of this class"
ipSecAhTransformSetTable, that is associated with this proposal." PIB-INDEX { ipSecAhTransformSetPrid }
::= { ipSecProposalEntry 6 } UNIQUENESS {
ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
}
::= { ipSecAhTransformSetTable 1 }
ipSecProposalCompTransformSetId OBJECT-TYPE IpSecAhTransformSetEntry ::= SEQUENCE {
SYNTAX TagReferenceId ipSecAhTransformSetPrid InstanceId,
ipSecAhTransformSetTransformSetId TagId,
ipSecAhTransformSetTransformId ReferenceId,
ipSecAhTransformSetOrder Unsigned16
}
ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this
class. "
::= { ipSecAhTransformSetEntry 1 }
ipSecAhTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An AH transform set is composed of one or more AH transforms.
Each transform belonging to the same set has the same
TransformSetId."
::= { ipSecAhTransformSetEntry 2 }
"An integer that identifies the IPComp transform set, specified in ipSecAhTransformSetTransformId OBJECT-TYPE
ipSecCompTransformSetTable, that is associated with this SYNTAX ReferenceId
proposal." PIB-REFERENCES {ipSecAhTransformEntry }
::= { ipSecProposalEntry 7 } STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecAhTransformTable."
::= { ipSecAhTransformSetEntry 3 }
ipSecAhTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecAhTransformSetTransformId within a transform
set. The transform set is identified by
ipSecAhTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a
higher preference."
::= { ipSecAhTransformSetEntry 4 }
-- --
-- --
-- The ipSecIkeAssociationTable -- The ipSecAhTransformTable
-- --
ipSecIkeAssociationTable OBJECT-TYPE ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry SYNTAX SEQUENCE OF IpSecAhTransformEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes related to IKE associations." "Specifies AH transforms."
INDEX { ipSecIkeAssociationPrid } ::= { ipSecAhTransform 2 }
ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeAssociationRefreshThresholdSeconds, ipSecAhTransformTransformId,
ipSecIkeAssociationRefreshThresholdKilobytes, ipSecAhTransformIntegrityKey,
ipSecIkeAssociationMinLiftetimeSeconds, ipSecAhTransformUseReplayPrevention,
ipSecIkeAssociationMinLifetimeKilobytes, ipSecAhTransformReplayPreventionWindowSize,
ipSecIkeAssociationTrafficIdleTime, ipSecAhTransformVendorId,
ipSecIkeAssociationExchangeMode, ipSecAhTransformMaxLifetimeSeconds,
ipSecIkeAssociationUseIkeIdentityType, ipSecAhTransformMaxLifetimeKilobytes
ipSecIkeAssociationRefreshThresholdDerivedKeys,
ipSecIkeAssociationIKEProposalSetId
} }
::= { ipSecIkeAssociation 6 } ::= { ipSecAhTransformTable 1 }
ipSecIkeAssociationEntry OBJECT-TYPE IpSecAhTransformEntry ::= SEQUENCE {
SYNTAX IpSecIkeAssociationEntry ipSecAhTransformPrid InstanceId,
ipSecAhTransformTransformId INTEGER,
ipSecAhTransformIntegrityKey OCTET STRING,
ipSecAhTransformUseReplayPrevention TruthValue,
ipSecAhTransformReplayPreventionWindowSize Unsigned32,
ipSecAhTransformVendorId OCTET STRING,
ipSecAhTransformMaxLifetimeSeconds Unsigned32,
ipSecAhTransformMaxLifetimeKilobytes Unsigned32
}
ipSecAhTransformPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class. "
::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER {
md5(2),
sha-1(3),
des(4)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the AH algorithm to propose."
::= { ipSecAhTransformEntry 2 }
ipSecAhTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"When this AH transform instance is used for a Static Action, this
attribute specifies the integrity key to be used. This attribute
MUST be ignored when this AH transform instance is used for a
Negotiation Action."
::= { ipSecAhTransformEntry 3 }
ipSecAhTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether to enable replay prevention detection."
::= { ipSecAhTransformEntry 4 }
ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies, in bits, the length of the sliding window used by the
replay prevention detection mechanism. The value of this property
is ignored if UseReplayPrevention is false. It is assumed that the
window size will be power of 2."
::= { ipSecAhTransformEntry 5 }
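Review bot: ipSecAhTransformReplayPreventionWindowSize only "assumes" a power-of-2 window, but its SYNTAX is an unconstrained Unsigned32, so the PEP's behaviour on a value such as 100, or on zero while ipSecAhTransformUseReplayPrevention is true, is undefined. The DESCRIPTION should state the install-time rule (reject, or round up to the next power of 2) and a minimum, since a very small window weakens the anti-replay check the attribute is meant to configure; the same text recurs verbatim for ipSecEspTransformReplayPreventionWindowSize and needs the same fix.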
ipSecAhTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecAhTransformEntry 6 }
ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the maximum amount of time to propose for a security
association to remain valid.
A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime."
::= { ipSecAhTransformEntry 7 }
ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecAhTransformEntry 8 }
--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies ESP transform sets. Within a transform set, the choices
are ORed with preference order. "
::= { ipSecEspTransform 1 }
ipSecEspTransformSetEntry OBJECT-TYPE
SYNTAX IpSecEspTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecIkeAssociationTable 1 } PIB-INDEX { ipSecEspTransformSetPrid }
UNIQUENESS {
ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
}
::= { ipSecEspTransformSetTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE { IpSecEspTransformSetEntry ::= SEQUENCE {
ipSecIkeAssociationPrid InstanceId, ipSecEspTransformSetPrid InstanceId,
ipSecIkeAssociationRefreshThresholdSeconds INTEGER, ipSecEspTransformSetTransformSetId TagId,
ipSecIkeAssociationRefreshThresholdKilobytes INTEGER,
ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
ipSecIkeAssociationTrafficIdleTime Unsigned32,
ipSecIkeAssociationExchangeMode INTEGER, ipSecEspTransformSetTransformId ReferenceId,
ipSecIkeAssociationUseIkeIdentityType INTEGER, ipSecEspTransformSetOrder Unsigned16
ipSecIkeAssociationRefreshThresholdDerivedKeys INTEGER,
ipSecIkeAssociationIKEProposalSetId TagReferenceId
} }
ipSecIkeAssociationPrid OBJECT-TYPE ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecEspTransformSetEntry 1 }
ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An ESP transform set is composed of one or more ESP transforms.
Each transform belonging to the same set has the same
TransformSetId."
::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecEspTransformEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "A pointer to a valid instance in the ipSecEspTransformTable."
::= { ipSecIkeAssociationEntry 1 } ::= { ipSecEspTransformSetEntry 3 }
ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration (in other words, the "An integer that specifies the precedence order of the transform
refresh threshold) of an established SA's seconds lifetime at identified by ipSecEspTransformSetTransformId within a transform
which to begin renegotiation of the SA. set. The transform set is identified by
ipSecEspTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a
higher preference."
::= { ipSecEspTransformSetEntry 4 }
A value of 100 means that renegotiation does not occur until the --
seconds lifetime value has expired." --
::= { ipSecIkeAssociationEntry 2 } -- The ipSecEspTransformTable
--
ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE ipSecEspTransformTable OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX SEQUENCE OF IpSecEspTransformEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established SA's "Specifies ESP transforms."
kilobyte lifetime at which to begin renegotiation of the SA.
A value of 100 means that renegotiation does not occur until the
seconds lifetime value has expired."
::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE ::= { ipSecEspTransform 2 }
ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecEspTransformPrid }
UNIQUENESS {
ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId,
ipSecEspTransformIntegrityKey,
ipSecEspTransformCipherKey,
ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength,
ipSecEspTransformUseReplayPrevention,
ipSecEspTransformReplayPreventionWindowSize,
ipSecEspTransformVendorId,
ipSecEspTransformMaxLifetimeSeconds,
ipSecEspTransformMaxLifetimeKilobytes
}
::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid InstanceId,
ipSecEspTransformIntegrityTransformId INTEGER,
ipSecEspTransformCipherTransformId INTEGER,
ipSecEspTransformIntegrityKey OCTET STRING,
ipSecEspTransformCipherKey OCTET STRING,
ipSecEspTransformCipherKeyRounds Unsigned16,
ipSecEspTransformCipherKeyLength Unsigned16,
ipSecEspTransformUseReplayPrevention TruthValue,
ipSecEspTransformReplayPreventionWindowSize Unsigned32,
ipSecEspTransformVendorId OCTET STRING,
ipSecEspTransformMaxLifetimeSeconds Unsigned32,
ipSecEspTransformMaxLifetimeKilobytes Unsigned32
}
ipSecEspTransformPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecEspTransformEntry 1 }
ipSecEspTransformIntegrityTransformId OBJECT-TYPE
SYNTAX INTEGER {
none(0),
hmacMd5(1),
hmacSha(2),
desMac(3),
kpdk(4)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the ESP integrity algorithm to
propose."
::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER {
desIV64(1),
des(2),
tripleDES(3),
rc5(4),
idea(5),
cast(6),
blowfish(7),
tripleIDEA(8),
desIV32(9),
rc4(10),
null(11)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the ESP encryption algorithm to
propose."
::= { ipSecEspTransformEntry 3 }
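Review bot: the two ESP enumerations allow an instance with ipSecEspTransformIntegrityTransformId = none(0) and ipSecEspTransformCipherTransformId = null(11), that is, an ESP transform that protects nothing, and the DESCRIPTIONs do not say whether a PEP MUST reject such an install. Add a sentence to ipSecEspTransformCipherTransformId (or to ipSecEspTransformEntry) stating that at least one of the integrity and cipher transforms MUST be non-null, in line with the ESP requirement that null encryption and no authentication are not combined.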
ipSecEspTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"When this ESP transform instance is used for a Static Action,
this attribute specifies the integrity key to be used. This
attribute MUST be ignored when this ESP transform instance is used
for a Negotiation Action."
::= { ipSecEspTransformEntry 4 }
ipSecEspTransformCipherKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"When this ESP transform instance is used for a Static Action,
this attribute specifies the cipher key to be used. This attribute
MUST be ignored when this ESP transform instance is used for a
Negotiation Action."
::= { ipSecEspTransformEntry 5 }
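Review bot: ipSecEspTransformIntegrityKey and ipSecEspTransformCipherKey (and ipSecAhTransformIntegrityKey above) carry raw SA key material as an unconstrained OCTET STRING, with no SIZE bound and no statement of what the PEP does when the key length does not match the selected transform (for example a cipher key shorter than ipSecEspTransformCipherKeyLength). The DESCRIPTION should require the PEP to reject the install in that case and should point to how these attributes are protected in transit and in the PEP's store, since they are the only objects in this PIB whose disclosure directly compromises an SA.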
ipSecEspTransformCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the number of key rounds for the ESP encryption
algorithm. For encryption algorithms that use fixed number of key
rounds, this value is ignored."
::= { ipSecEspTransformEntry 6 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies, in bits, the key length for the ESP encryption
algorithm. For encryption algorithms that use fixed-length keys,
this value is ignored."
::= { ipSecEspTransformEntry 7 }
ipSecEspTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether to enable replay prevention detection."
::= { ipSecEspTransformEntry 8 }
ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be accepted "Specifies, in bits, the length of the sliding window used by the
from a peer while negotiating an SA based upon this action. replay prevention detection mechanism. The value of this property
is ignored if UseReplayPrevention is false. It is assumed that the
window size will be power of 2."
::= { ipSecEspTransformEntry 9 }
A value of zero indicates that there is no minimum lifetime ipSecEspTransformVendorId OBJECT-TYPE
enforced." SYNTAX OCTET STRING
::= { ipSecIkeAssociationEntry 4 } STATUS current
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecEspTransformEntry 10 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the maximum amount of time to propose for a security
from a negotiating peer while negotiating an SA based upon this association to remain valid.
action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that the default of 8 hours be used. A
enforced." non-zero value indicates the maximum seconds lifetime."
::= { ipSecIkeAssociationEntry 5 } ::= { ipSecEspTransformEntry 11 }
ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecEspTransformEntry 12 }
--
--
-- The ipSecCompTransformSetTable
--
ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the amount of time in seconds an SA may remain idle (in "Specifies IPComp transform sets. Within a transform set, the
other words, no traffic protected by the SA) before it is deleted. choices are ORed with preference order."
::= { ipSecCompTransform 1 }
A value of zero indicates that there is no idle time detection. ipSecCompTransformSetEntry OBJECT-TYPE
The expiration of the SA is determined by the expiration of one of SYNTAX IpSecCompTransformSetEntry
the lifetime values." STATUS current
::= { ipSecIkeAssociationEntry 6 } DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformSetPrid }
UNIQUENESS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
::= { ipSecCompTransformSetTable 1 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE IpSecCompTransformSetEntry ::= SEQUENCE {
SYNTAX INTEGER { ipSecCompTransformSetPrid InstanceId,
baseMode(1), ipSecCompTransformSetTransformSetId TagId,
mainMode(2), ipSecCompTransformSetTransformId ReferenceId,
aggressiveMode(4) ipSecCompTransformSetOrder Unsigned16
} }
ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the negotiation mode that the IKE server will use for "An integer index that uniquely identifies an instance of this
phase one." class."
::= { ipSecIkeAssociationEntry 7 } ::= { ipSecCompTransformSetEntry 1 }
ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An IPCOMP transform set is composed of one or more IPCOMP
transforms. Each transform belonging to the same set has the same
TransformSetId."
::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecCompTransformEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecCompTransformTable."
::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a
higher preference."
::= { ipSecCompTransformSetEntry 4 }
--
--
-- The ipSecCompTransformTable
--
ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IP compression (IPCOMP) algorithms."
::= { ipSecCompTransform 2 }
ipSecCompTransformEntry OBJECT-TYPE
SYNTAX IpSecCompTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformPrid }
UNIQUENESS {
ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm,
ipSecCompTransformVendorId,
ipSecCompTransformMaxLifetimeSeconds,
ipSecCompTransformMaxLifetimeKilobytes
}
::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid InstanceId,
ipSecCompTransformAlgorithm INTEGER,
ipSecCompTransformDictionarySize Unsigned16,
ipSecCompTransformPrivateAlgorithm Unsigned32,
ipSecCompTransformVendorId OCTET STRING,
ipSecCompTransformMaxLifetimeSeconds Unsigned32,
ipSecCompTransformMaxLifetimeKilobytes Unsigned32
}
ipSecCompTransformPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), oui(1),
fqdn(2), deflate(2),
user-Fqdn(3), lzs(3)
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of IKE identity to use during IKE phase one "Specifies the transform ID of the IPCOMP compression algorithm to
negotiation." propose."
::= { ipSecIkeAssociationEntry 8 } ::= { ipSecCompTransformEntry 2 }
ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX INTEGER (1..100) SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the percentage of expiration of an established IKE SA's "Specifies the log2 maximum size of the dictionary for the
derived keys lifetime at which to begin renegotiation of the SA. compression algorithm. For compression algorithms that have pre-
defined dictionary sizes, this value is ignored."
::= { ipSecCompTransformEntry 3 }
A value of 100 means that renegotiation does not occur until the ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
derived key lifetime value has expired." SYNTAX Unsigned32
::= { ipSecIkeAssociationEntry 9 } STATUS current
DESCRIPTION
"Specifies a private vendor-specific compression algorithm."
::= { ipSecCompTransformEntry 4 }
ipSecCompTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
SYNTAX TagReferenceId
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecCompTransformEntry 5 }
ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies the IKE proposal set, specified in "Specifies the maximum amount of time to propose for a security
ipSecIkeProposalGroupTable, that is associated with this IKE association to remain valid.
association."
::= { ipSecIkeAssociationEntry 10 } A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime."
::= { ipSecCompTransformEntry 6 }
ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecCompTransformEntry 7 }
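Review bot: MaxLifetimeSeconds and MaxLifetimeKilobytes are now attached to each of the AH, ESP and IPComp transforms, yet the proposal that ANDs them (ipSecProposalTable) does not say which value governs when the three transforms in one proposal disagree, nor how a zero ("default of 8 hours") on one transform combines with a non-zero value on another. State in ipSecProposalTable, or in each MaxLifetime DESCRIPTION, that the smallest non-zero lifetime across the ANDed transforms is the one proposed, or alternatively that the values MUST be equal.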
-- --
-- --
-- The ipSecIkeRuleTable -- The ipSecIkeRuleTable
-- --
ipSecIkeRuleTable OBJECT-TYPE ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE rules." "Specifies IKE rules. This table is required only when specifying:
INDEX { ipSecIkeRulePrid }
UNIQUENESS { - Multiple IKE phase one actions (e.g., with different exchange
ipSecIkeRuleIfName, modes) that are associated with one IPsec association. These
ipSecIkeRuleRoles actions are to be tried in sequence till one success.
}
- IKE phase one actions that start automatically.
Support of this table is optional."
::= { ipSecIkeAssociation 1 } ::= { ipSecIkeAssociation 1 }
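Review bot: the new ipSecIkeRuleTable DESCRIPTION reads "These actions are to be tried in sequence till one success", which should be "until one succeeds", and the two bullet items would read better as complete sentences ("Multiple IKE phase one actions ... associated with one IPsec association; these are tried in sequence until one succeeds." / "IKE phase one actions that start automatically.").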
ipSecIkeRuleEntry OBJECT-TYPE ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry SYNTAX IpSecIkeRuleEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeRulePrid }
UNIQUENESS {
ipSecIkeRuleIfName,
ipSecIkeRuleRoles,
ipSecIkeRuleIkeActionSetId,
ipSecIkeRuleActionExecutionStrategy,
ipSecIkeRuleLimitNegotiation,
ipSecIkeRuleAutoStart
}
::= { ipSecIkeRuleTable 1 } ::= { ipSecIkeRuleTable 1 }
IpSecIkeRuleEntry ::= SEQUENCE { IpSecIkeRuleEntry ::= SEQUENCE {
ipSecIkeRulePrid InstanceId, ipSecIkeRulePrid InstanceId,
ipSecIkeRuleIfName SnmpAdminString, ipSecIkeRuleIfName SnmpAdminString,
ipSecIkeRuleRoles RoleCombination, ipSecIkeRuleRoles RoleCombination,
ipSecIkeRuleIkeAssiciationId ReferenceId, ipSecIkeRuleIkeActionSetId TagReferenceId,
ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId, ipSecIkeRuleActionExecutionStrategy INTEGER,
ipSecIkeRuleIkeEndpointGroupId TagReferenceId ipSecIkeRuleLimitNegotiation INTEGER,
ipSecIkeRuleAutoStart TruthValue,
ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
} }
ipSecIkeRulePrid OBJECT-TYPE ipSecIkeRulePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeRuleEntry 1 } ::= { ipSecIkeRuleEntry 1 }
ipSecIkeRuleIfName OBJECT-TYPE ipSecIkeRuleIfName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The interface capability set to which this IKE rule applies. The "The interface capability set to which this IKE rule applies. The
interface capability name specified by this attribute must exist interface capability name specified by this attribute must exist
in the frwkIfCapSetTable [FR-PIB] prior to association with an in the frwkIfCapSetTable [FR-PIB] prior to association with an
instance of this class." instance of this class.
This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkeRuleEntry 2 } ::= { ipSecIkeRuleEntry 2 }
ipSecIkeRuleRoles OBJECT-TYPE ipSecIkeRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combination of the interface to which this IKE "Specifies the role combination of the interface to which this IKE
rule should apply. There must exist an instance in the rule should apply. There must exist an instance in the
frwkIfCapSetRoleComboTable [FR-PIB] specifying this role frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
combination, together with the interface capability set specified combination, together with the interface capability set specified
by ipSecRuleIfName, prior to association with an instance of this by ipSecIkeRuleIfName, prior to association with an instance of
class." this class.
This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkeRuleEntry 3 } ::= { ipSecIkeRuleEntry 3 }
ipSecIkeRuleIkeAssiciationId OBJECT-TYPE ipSecIkeRuleIkeActionSetId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecIkeActionSetActionSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies the IKE action, specified by "Identifies a set of IKE actions to be associated with this rule."
ipSecIkeAssociationPrid in ipSecIkeAssociationTable, that is
associated with this rule"
::= { ipSecIkeRuleEntry 4 } ::= { ipSecIkeRuleEntry 4 }
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX INTEGER {
doAll(1),
doUntilSuccess(2)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute identifies an IPsec rule time period group, "Specifies the strategy to be used in executing the sequenced
sepcified in ipSecRuleTimePeriodGroupTable, that is associated actions in the action set identified by ipSecRuleIpSecActionSetId.
with this IKE rule.
A value of zero indicates that this IKE rule is always valid." DoAll (1) causes the execution of all the actions in the action
set according to their defined precedence order. The precedence
order is specified by the ipSecActionSetOrder in
ipSecIkeActionSetTable.
DoUntilSuccess (2) causes the execution of actions according to
their defined precedence order until a successful execution of a
single action. The precedence order is specified by the
ipSecActionSetOrder in ipSecIkeActionSetTable."
::= { ipSecIkeRuleEntry 5 } ::= { ipSecIkeRuleEntry 5 }
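Review bot: the ipSecIkeRuleActionExecutionStrategy DESCRIPTION refers to "ipSecRuleIpSecActionSetId" and "ipSecActionSetOrder", but the attributes actually defined are ipSecIkeRuleIkeActionSetId (in IpSecIkeRuleEntry) and ipSecIkeActionSetOrder (in IpSecIkeActionSetEntry); the names look copied from the IPsec rule table and should be corrected in both the DoAll and DoUntilSuccess paragraphs.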
ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE ipSecIkeRuleLimitNegotiation OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX INTEGER {
initiator(1),
responder(2),
both(3)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of endpoints with which this "Limits the negotiation method. Before proceeding with a phase 1
PEP can set up IKE associations. The endpoints specified in negotiation, this property is checked to determine if the
ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches this negotiation role of the rule matches that defined for the
attribute are the endpoints involved. " negotiation being undertaken (e.g., Initiator, Responder, or
Both). If this check fails (e.g. the current role is IKE responder
while the rule specifies IKE initiator), then the IKE negotiation
is stopped. Note that this only applies to new IKE phase 1
negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists."
::= { ipSecIkeRuleEntry 6 } ::= { ipSecIkeRuleEntry 6 }
ipSecIkeRuleAutoStart OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Indicates if this rule should be automatically executed."
::= { ipSecIkeRuleEntry 7 }
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
STATUS current
DESCRIPTION
"Identifies a rule time period set, specified in
ipSecRuleTimePeriodSetTable, that is associated with this rule.
A value of zero indicates that this rule is always valid."
::= { ipSecIkeRuleEntry 8 }
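Review bot: the DESCRIPTION of ipSecIkeRuleActionExecutionStrategy names attributes that do not belong to this table: it says the action set is "identified by ipSecRuleIpSecActionSetId" and ordered by "ipSecActionSetOrder in ipSecIkeActionSetTable", whereas in this table the set is selected by ipSecIkeRuleIkeActionSetId (PIB-TAG ipSecIkeActionSetActionSetId) and the order attribute defined in ipSecIkeActionSetTable is ipSecIkeActionSetOrder; the text reads as copied from the IPsec rule table and should be corrected. In the same hunk, ipSecIkeRuleIpSecRuleTimePeriodGroupId now tags ipSecRuleTimePeriodSetRuleTimePeriodSetId and describes "a rule time period set", so the attribute name should follow the group-to-set rename too. Finally, ipSecIkeRuleLimitNegotiation says a failed role check stops a new phase 1 negotiation; it would help to state how that interacts with ipSecIkeRuleAutoStart being true (is the automatic initiation simply not attempted for a responder-only rule?).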
-- --
-- --
-- The ipSecIkeActionSetTable
--
ipSecIkeActionSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE action sets."
::= { ipSecIkeAssociation 2 }
ipSecIkeActionSetEntry OBJECT-TYPE
SYNTAX IpSecIkeActionSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeActionSetPrid }
UNIQUENESS {
ipSecIkeActionSetActionSetId,
ipSecIkeActionSetActionId,
ipSecIkeActionSetOrder
}
::= { ipSecIkeActionSetTable 1 }
IpSecIkeActionSetEntry ::= SEQUENCE {
ipSecIkeActionSetPrid InstanceId,
ipSecIkeActionSetActionSetId TagId,
ipSecIkeActionSetActionId Prid,
ipSecIkeActionSetOrder Unsigned16
}
ipSecIkeActionSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeActionSetEntry 1 }
ipSecIkeActionSetActionSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An IKE action set is composed of one or more IKE actions. Each
action belonging to the same set has the same ActionSetId."
::= { ipSecIkeActionSetEntry 2 }
ipSecIkeActionSetActionId OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecIkeAssociationTable."
::= { ipSecIkeActionSetEntry 3 }
ipSecIkeActionSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the precedence order of the action within the action
set. An action with a smaller precedence order is to be tried
before one with a larger precedence order. "
::= { ipSecIkeActionSetEntry 4 }
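Review bot: ipSecIkeActionSetActionId is declared `SYNTAX Prid` while its DESCRIPTION calls it "A pointer to a valid instance in the ipSecIkeAssociationTable"; every other row pointer in this module (ipSecIkeAssociationIkePeerEndpoint, ipSecIkeProposalSetProposalId, ipSecCredentialSetCredentialId) uses `SYNTAX ReferenceId` together with a `PIB-REFERENCES { ... }` clause, so this one should read `SYNTAX ReferenceId` / `PIB-REFERENCES { ipSecIkeAssociationEntry }` to make the reference checkable by the PEP. Also, the UNIQUENESS clause (ActionSetId, ActionId, Order) still allows the same action to be listed twice in one set under different Order values and two actions in a set to share an Order value; since ipSecIkeRuleActionExecutionStrategy executes "according to their defined precedence order", the DESCRIPTION should either forbid duplicate Order values within a set or define the tie-break.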
--
--
-- The ipSecIkeAssociationTable
--
ipSecIkeAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE associations."
::= { ipSecIkeAssociation 3 }
ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeAssociationPrid }
UNIQUENESS {
ipSecIkeAssociationMinLiftetimeSeconds,
ipSecIkeAssociationMinLifetimeKilobytes,
ipSecIkeAssociationIdleDurationSeconds,
ipSecIkeAssociationExchangeMode,
ipSecIkeAssociationUseIkeIdentityType,
ipSecIkeAssociationUseIkeIdentityValue,
ipSecIkeAssociationIkePeerEndpoint,
ipSecIkeAssociationPresharedKey,
ipSecIkeAssociationVendorId,
ipSecIkeAssociationAggressiveModeGroupId,
ipSecIkeAssociationLocalCredentialId,
ipSecIkeAssociationDoActionLogging,
ipSecIkeAssociationIkeProposalSetId
}
::= { ipSecIkeAssociationTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE {
ipSecIkeAssociationPrid InstanceId,
ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
ipSecIkeAssociationIdleDurationSeconds Unsigned32,
ipSecIkeAssociationExchangeMode INTEGER,
ipSecIkeAssociationUseIkeIdentityType INTEGER,
ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
ipSecIkeAssociationIkePeerEndpoint ReferenceId,
ipSecIkeAssociationPresharedKey OCTET STRING,
ipSecIkeAssociationVendorId OCTET STRING,
ipSecIkeAssociationAggressiveModeGroupId Unsigned16,
ipSecIkeAssociationLocalCredentialId TagReferenceId,
ipSecIkeAssociationDoActionLogging TruthValue,
ipSecIkeAssociationIkeProposalSetId TagReferenceId
}
ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeAssociationEntry 1 }
ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be accepted
from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this
action.
A value of zero indicates that there is no minimum lifetime
enforced."
::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies how long, in seconds, a security association may remain
unused before it is deleted.
A value of zero indicates that idle detection should not be used
for the security association (only the seconds and kilobyte
lifetimes will be used)."
::= { ipSecIkeAssociationEntry 4 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE
SYNTAX INTEGER {
baseMode(1),
mainMode(2),
aggressiveMode(4)
}
STATUS current
DESCRIPTION
"Specifies the negotiation mode that the IKE server will use for
phase one."
::= { ipSecIkeAssociationEntry 5 }
ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
SYNTAX INTEGER {
ipV4-Address(1),
fqdn(2),
user-Fqdn(3),
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
}
STATUS current
DESCRIPTION
"Specifies the type of IKE identity to use during IKE phase one
negotiation."
::= { ipSecIkeAssociationEntry 6 }
ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the ID payload value to be provided to the peer during
IKE phase one negotiation."
::= { ipSecIkeAssociationEntry 7 }
ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecIkePeerEndpointEntry }
STATUS current
DESCRIPTION
"Pointer to a valid instance in the ipSecIkePeerEndpointTable to
indicate an IKE peer endpoint."
::= { ipSecIkeAssociationEntry 8 }
ipSecIkeAssociationPresharedKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute specifies the preshared key or secret to use for
IKE authentication. This is the key for all the IKE proposals of
this association that set ipSecIkeProposalAuthenticationMethod to
presharedKey(1)."
::= { ipSecIkeAssociationEntry 9 }
ipSecIkeAssociationVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the value to be used in the Vendor ID payload.
A value of NULL means that Vendor ID payload will be neither
generated nor accepted. A non-NULL value means that a Vendor ID
payload will be generated (when acting as an initiator) or is
expected (when acting as a responder). "
::= { ipSecIkeAssociationEntry 10 }
ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the group ID to be used for aggressive mode. This
attribute is ignored unless the attribute
ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
the value of this attribute is from the vendor-specific range
(32768-65535), this attribute qualifies the group number."
::= { ipSecIkeAssociationEntry 11 }
ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialSetSetId }
STATUS current
DESCRIPTION
"Indicates a group of credentials. One of the credentials in the
group MUST be used when establishing an IKE association with the
peer endpoint."
::= { ipSecIkeAssociationEntry 12 }
ipSecIkeAssociationDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether a log message is to be generated when the
negotiation is attempted (with the success or failure result)."
::= { ipSecIkeAssociationEntry 13 }
ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecIkeProposalSetProposalSetId }
STATUS current
DESCRIPTION
"Identifies a set of IKE proposals that is associated with this
IKE association."
::= { ipSecIkeAssociationEntry 14 }
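Review bot: ipSecIkeAssociationPresharedKey provisions IKE authentication secret material as a plain OCTET STRING attribute and is also listed in the UNIQUENESS clause, so the secret is compared across instances like any other field; the DESCRIPTION should mark it as sensitive (not to be reported back to the PDP, to be carried only over a protected provisioning channel) and the Security Considerations section should call it out. Smaller points in this hunk: the identifier ipSecIkeAssociationMinLiftetimeSeconds (UNIQUENESS, SEQUENCE and OBJECT-TYPE) misspells "Lifetime"; ipSecIkeAssociationVendorId speaks of "A value of NULL" for an OCTET STRING, where "a zero-length value" is what is meant; and ipSecIkeAssociationExchangeMode enumerates baseMode(1), mainMode(2), aggressiveMode(4) with no value 3, which ipSecIkeAssociationAggressiveModeGroupId then references as "set to 4 (aggressive mode)", so if the gap is deliberate a comment would prevent it being "fixed" later.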
--
--
-- The ipSecIkeProposalSetTable -- The ipSecIkeProposalSetTable
-- --
ipSecIkeProposalSetTable OBJECT-TYPE ipSecIkeProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE proposal sets. Proposals within a set are ORed with "Specifies IKE proposal sets. Proposals within a set are ORed with
preference order. " preference order. "
INDEX { ipSecIkeProposalSetPrid } ::= { ipSecIkeAssociation 4 }
UNIQUENESS {
ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder
}
::= { ipSecIkeAssociation 2 }
ipSecIkeProposalSetEntry OBJECT-TYPE ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalSetEntry SYNTAX IpSecIkeProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeProposalSetPrid }
UNIQUENESS {
ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder
}
::= { ipSecIkeProposalSetTable 1 } ::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE { IpSecIkeProposalSetEntry ::= SEQUENCE {
ipSecIkeProposalSetPrid InstanceId, ipSecIkeProposalSetPrid InstanceId,
ipSecIkeProposalSetProposalSetId TagId, ipSecIkeProposalSetProposalSetId TagId,
ipSecIkeProposalSetProposalId ReferenceId, ipSecIkeProposalSetProposalId ReferenceId,
ipSecIkeProposalSetOrder Unsigned32 ipSecIkeProposalSetOrder Unsigned16
} }
ipSecIkeProposalSetPrid OBJECT-TYPE ipSecIkeProposalSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeProposalSetEntry 1 } ::= { ipSecIkeProposalSetEntry 1 }
ipSecIkeProposalSetProposalSetId OBJECT-TYPE ipSecIkeProposalSetProposalSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an IKE proposal set. " "An IKE proposal set is composed of one or more IKE proposals.
Each proposal belonging to the same set has the same
ProposalSetId. "
::= { ipSecIkeProposalSetEntry 2 } ::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecIkeProposalEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an IKE proposal, specified by "A pointer to a valid instance in the ipSecIkeProposalTable."
ipSecIkeProposalPrid in the ipSecIkeProposalTable, that is
included in this set."
::= { ipSecIkeProposalSetEntry 3 } ::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalSetOrder OBJECT-TYPE ipSecIkeProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecIkeProposalSetProposalId in a proposal set. The identified by ipSecIkeProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecIkeProposalSetProposalSetId. proposal set is identified by ipSecIkeProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A given Proposals within a set are ORed with preference order. A smaller
precedence order is positioned before one with a higher-valued integer value indicates a higher preference."
precedence order."
::= { ipSecIkeProposalSetEntry 4 } ::= { ipSecIkeProposalSetEntry 4 }
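Review bot: moving INDEX into the entry as PIB-INDEX and narrowing ipSecIkeProposalSetOrder from Unsigned32 to Unsigned16 brings this table in line with ipSecIkeActionSetTable, but the UNIQUENESS clause (ProposalSetId, ProposalId, Order) still permits two rows of one set to carry the same Order value with no stated tie-break, and the same proposal to appear twice under different Order values; because "Proposals within a set are ORed with preference order", the DESCRIPTION of ipSecIkeProposalSetOrder should either require Order to be unique within a set or say how equal values are resolved, since the order determines which proposal the peer is offered first. The added `PIB-REFERENCES {ipSecIkeProposalEntry }` on ipSecIkeProposalSetProposalId is the right fix for the previous free-text pointer.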
-- --
-- --
-- The ipSecIkeProposalTable -- The ipSecIkeProposalTable
-- --
ipSecIkeProposalTable OBJECT-TYPE ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry SYNTAX SEQUENCE OF IpSecIkeProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies attributes associated with IKE proposals."
INDEX { ipSecIkeProposalPrid }
"Specifies IKE proposals."
::= { ipSecIkeAssociation 5 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeProposalPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeProposalMaxLifetimeSeconds, ipSecIkeProposalMaxLifetimeSeconds,
ipSecIkeProposalMaxLifetimeKilobytes, ipSecIkeProposalMaxLifetimeKilobytes,
ipSecIkeProposalCipherAlgorithm, ipSecIkeProposalCipherAlgorithm,
ipSecIkeProposalHashAlgorithm, ipSecIkeProposalHashAlgorithm,
ipSecIkeProposalAuthenticationMethod, ipSecIkeProposalAuthenticationMethod,
ipSecIkeProposalLifetimeDerivedKeys,
ipSecIkeProposalPrfAlgorithm, ipSecIkeProposalPrfAlgorithm,
ipSecIkeProposalVendorId, ipSecIkeProposalIkeDhGroup,
ipSecIkeProposalIkeDhGroup ipSecIkeProposalVendorId
} }
::= { ipSecIkeAssociation 3 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
::= { ipSecIkeProposalTable 1 } ::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE { IpSecIkeProposalEntry ::= SEQUENCE {
ipSecIkeProposalPrid InstanceId, ipSecIkeProposalPrid InstanceId,
ipSecIkeProposalMaxLifetimeSeconds Unsigned32, ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
ipSecIkeProposalMaxLifetimeKilobytes Unsigned32, ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
ipSecIkeProposalCipherAlgorithm INTEGER, ipSecIkeProposalCipherAlgorithm INTEGER,
ipSecIkeProposalHashAlgorithm INTEGER, ipSecIkeProposalHashAlgorithm INTEGER,
ipSecIkeProposalAuthenticationMethod INTEGER, ipSecIkeProposalAuthenticationMethod INTEGER,
ipSecIkeProposalLifetimeDerivedKeys Unsigned32, ipSecIkeProposalPrfAlgorithm Unsigned16,
ipSecIkeProposalPrfAlgorithm Unsigned32, ipSecIkeProposalIkeDhGroup Unsigned16,
ipSecIkeProposalVendorId OCTET STRING, ipSecIkeProposalVendorId OCTET STRING
ipSecIkeProposalIkeDhGroup Unsigned32
} }
ipSecIkeProposalPrid OBJECT-TYPE ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeProposalEntry 1 } ::= { ipSecIkeProposalEntry 1 }
ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the seconds lifetime for this particular proposal. "Specifies the maximum amount of time to propose for a security
association to remain valid.
A value of zero indicates that the lifetime value defaults to 8 A value of zero indicates that the default of 8 hours be used. A
hours. " non-zero value indicates the maximum seconds lifetime."
::= { ipSecIkeProposalEntry 2 } ::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the kilobyte lifetime for this particular proposal. "Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there is no kilobyte lifetime. A value of zero indicates that there should be no maximum kilobyte
" lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecIkeProposalEntry 3 } ::= { ipSecIkeProposalEntry 3 }
ipSecIkeProposalCipherAlgorithm OBJECT-TYPE ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
des-CBC(1), des-CBC(1),
idea-CBC(2), idea-CBC(2),
blowfish-CBC(3), blowfish-CBC(3),
rc5-R16-B64-CBC(4), rc5-R16-B64-CBC(4),
tripleDes-CBC(5), tripleDes-CBC(5),
cast-CBC(6) cast-CBC(6)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE "Specifies the encryption algorithm to propose for the IKE
association." association."
::= { ipSecIkeProposalEntry 4 } ::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE ipSecIkeProposalHashAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(1), md5(1),
sha-1(2), sha-1(2),
tiger(3) tiger(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association." "Specifies the hash algorithm to propose for the IKE association."
::= { ipSecIkeProposalEntry 5 } ::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
presharedKey(1), presharedKey(1),
rsaEncryption(4), rsaEncryption(4),
revisedRsaEncryption(5), revisedRsaEncryption(5),
kerberos(6) kerberos(6)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the authentication method to propose for the IKE "Specifies the authentication method to propose for the IKE
association." association."
::= { ipSecIkeProposalEntry 6 } ::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
SYNTAX Unsigned32
SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the number of times the IKE phase one key can be used "Specifies the Psuedo-Random Function (PRF) to propose for the IKE
to derive an IKE phase two key. A value of zero indicates that the association."
number of times an IKE phase one key may be used to derive an IKE
phase two key is limited by the seconds and/or kilobyte
lifetimes."
::= { ipSecIkeProposalEntry 7 } ::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Psuedo-Random Function (PRF) to propose for the IKE "Specifies the Diffie-Hellman group to propose for the IKE
association." association. The value of this property is to be ignored when
doing aggressive mode."
::= { ipSecIkeProposalEntry 8 } ::= { ipSecIkeProposalEntry 8 }
ipSecIkeProposalVendorId OBJECT-TYPE ipSecIkeProposalVendorId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies vendor-defined key exchange GroupIDs." "Further qualifies the key exchange group. The property is
ignored unless the exchange is not in aggressive mode and the
property GroupID is in the vendor-specific range."
::= { ipSecIkeProposalEntry 9 } ::= { ipSecIkeProposalEntry 9 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the Diffie-Hellman group to propose for the IKE
association. If the GroupID number is from the vendor-specific
range (32768-65535), the VendorID qualifies the group number. "
::= { ipSecIkeProposalEntry 4 }
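Review bot: the new DESCRIPTION of ipSecIkeProposalVendorId refers to "the property GroupID", which is not an attribute of this table; it should name ipSecIkeProposalIkeDhGroup and should keep the explicit vendor-specific range (32768-65535) that both the previous text and ipSecIkeAssociationAggressiveModeGroupId state, otherwise an implementer cannot tell when VendorId applies. Likewise ipSecIkeProposalIkeDhGroup now says its value "is to be ignored when doing aggressive mode" but does not say that the group is then taken from ipSecIkeAssociationAggressiveModeGroupId; a cross-reference would close that gap. Minor: "Psuedo-Random" in ipSecIkeProposalPrfAlgorithm should be "Pseudo-Random", and the duplicate OID in the old column (ipSecIkeProposalIkeDhGroup at `::= { ipSecIkeProposalEntry 4 }`, clashing with ipSecIkeProposalCipherAlgorithm) is correctly resolved to 8 here.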
-- --
-- --
-- The ipSecIkeEndpointTable -- The ipSecIkePeerEndpointTable
-- --
ipSecIkeEndpointTable OBJECT-TYPE ipSecIkePeerEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeEndpointEntry SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the peer endpoints with which this PEP establishes IKE "Specifies IKE peer endpoints."
associations according to ipSecIkeEndpointStartupCondition." ::= { ipSecIkeAssociation 6 }
INDEX { ipSecIkeEndpointPrid }
UNIQUENESS {
ipSecIkeEndpointIdentityType,
ipSecIkeEndpointIdentity,
ipSecIkeEndpointAddressType,
ipSecIkeEndpointAddress,
ipSecIkeEndpointPeerCredentialId,
ipSecIkeEndpointStartupCondition,
ipSecIkeEndpointIsOriginator,
ipSecIkeEndpointGroupId
}
::= { ipSecIkeAssociation 13 }
ipSecIkeEndpointEntry OBJECT-TYPE ipSecIkePeerEndpointEntry OBJECT-TYPE
SYNTAX IpSecIkeEndpointEntry SYNTAX IpSecIkePeerEndpointEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecIkeEndpointTable 1 } PIB-INDEX { ipSecIkePeerEndpointPrid }
UNIQUENESS {
ipSecIkePeerEndpointIdentityType,
ipSecIkePeerEndpointIdentityValue,
ipSecIkePeerEndpointAddressType,
ipSecIkePeerEndpointAddress,
ipSecIkePeerEndpointCredentialSetId
}
::= { ipSecIkePeerEndpointTable 1 }
IpSecIkeEndpointEntry ::= SEQUENCE {
ipSecIkeEndpointPrid InstanceId,
ipSecIkeEndpointIdentityType INTEGER,
ipSecIkeEndpointIdentity OCTET STRING, IpSecIkePeerEndpointEntry ::= SEQUENCE {
ipSecIkeEndpointAddressType INTEGER, ipSecIkePeerEndpointPrid InstanceId,
ipSecIkeEndpointAddress OCTET STRING, ipSecIkePeerEndpointIdentityType INTEGER,
ipSecIkeEndpointPeerCredentialId TagReferenceId, ipSecIkePeerEndpointIdentityValue OCTET STRING,
ipSecIkeEndpointStartupCondition BITS, ipSecIkePeerEndpointAddressType INTEGER,
ipSecIkeEndpointIsOriginator TruthValue, ipSecIkePeerEndpointAddress OCTET STRING,
ipSecIkeEndpointGroupId TagId ipSecIkePeerEndpointCredentialSetId TagReferenceId
} }
ipSecIkeEndpointPrid OBJECT-TYPE ipSecIkePeerEndpointPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index that uniquely identifies an instance of this
::= { ipSecIkeEndpointEntry 1 } class."
::= { ipSecIkePeerEndpointEntry 1 }
ipSecIkeEndpointIdentityType OBJECT-TYPE ipSecIkePeerEndpointIdentityType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
ipV6-Address(5), ipV6-Address(5),
ipV6-Subnet(6), ipV6-Subnet(6),
ipV4-Address-Range(7), ipV4-Address-Range(7),
ipV6-Address-Range(8), ipV6-Address-Range(8),
der-Asn1-DN(9), der-Asn1-DN(9),
der-Asn1-GN(10), der-Asn1-GN(10),
key-Id(11) key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of identity that MUST be provided by the peer "Specifies the type of identity that MUST be provided by the peer
in the ID payload during IKE phase one negotiation." in the ID payload during IKE phase one negotiation."
::= { ipSecIkeEndpointEntry 2 } ::= { ipSecIkePeerEndpointEntry 2 }
ipSecIkeEndpointIdentity OBJECT-TYPE ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value to be matched with the ID payload provided by "Specifies the value to be matched with the ID payload provided by
the peer during IKE phase one negotiation." the peer during IKE phase one negotiation.
::= { ipSecIkeEndpointEntry 3 }
ipSecIkeEndpointAddressType OBJECT-TYPE Different Wildcards wildcard mechanisms can be used as well as the
prefix notation for IPv4 addresses depending on the ID payload:
- an IdentityValue of "*@company.com" will match an user FQDN ID
payload of "JDOE@COMPANY.COM"
- an IdentityValue of "*.company.com" will match a FQDN ID payload
of "WWW.COMPANY.COM"
- an IdentityValue of "cn=*,ou=engineering,o=company,c=us" will
match a DER DN ID payload of "cn=John Doe, ou=engineering,
o=company, c=us"
- an IdentityValue of "193.190.125.0/24" will match an IPv4
address ID payload of 193.190.125.10.
- an IdentityValue of "193.190.125.*" will also match an IPv4
address ID payload of 193.190.125.10.
The above wildcard mechanisms MUST be supported for all ID
payloads supported by the local IKE entity. The character "*"
replaces 0 or multiple instances of any character."
::= { ipSecIkePeerEndpointEntry 3 }
ipSecIkePeerEndpointAddressType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4(1), ipV4(1),
ipV6(2) ipV6(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE peer endpoint address type. This controls the "Specifies IKE peer endpoint address type. This attribute MUST be
length of the OCTET STRING for the ipSecIkeEndpointAddress. IPv4 ignored if ipSecIkeRuleAutoStart is false."
addresses (1) are octet strings of length 4. IPv6 addresses (2) ::= { ipSecIkePeerEndpointEntry 4 }
are octet strings of length 16."
::= { ipSecIkeEndpointEntry 4 }
ipSecIkeEndpointAddress OBJECT-TYPE ipSecIkePeerEndpointAddress OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an endpoint address with which this PEP establishes IKE "Specifies an endpoint address with which this PEP establishes IKE
association." association. This attribute is used only when the IKE association
::= { ipSecIkeEndpointEntry 5 } is to be started automatically. Hence, this attribute MUST be
ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkePeerEndpointEntry 5 }
ipSecIkeEndpointPeerCredentialId OBJECT-TYPE ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialSetSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of credentials. The credential "Identifies a set of credentials. Any one of the credentials in
specified in ipSecPeerCredentialTable whose the set is acceptable as the IKE peer credential."
ipSecPeerCredentialGroupId match this attribute is included in ::= { ipSecIkePeerEndpointEntry 6 }
this group. Any one of the credentials in the group is acceptable
as the IKE peer credential.
If no credentials are used, this attribute MUST be zero." --
::= { ipSecIkeEndpointEntry 6 } --
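Review bot: the rewritten DESCRIPTION of ipSecIkePeerEndpointAddressType dropped the rule, present in the previous text, that the address type fixes the length of ipSecIkePeerEndpointAddress (4 octets for ipV4(1), 16 octets for ipV6(2)); without it the OCTET STRING is unconstrained, so that sentence should be restored next to the new "MUST be ignored if ipSecIkeRuleAutoStart is false" text. For ipSecIkePeerEndpointIdentityValue, the wildcard examples rely on comparison rules that are never written down: "*.company.com" matching "WWW.COMPANY.COM" implies case-insensitive comparison, "cn=*,ou=engineering,o=company,c=us" matching "cn=John Doe, ou=engineering, o=company, c=us" implies whitespace normalisation of DN components, and "*" replacing "0 or multiple instances of any character" leaves open whether "*.company.com" also matches "a.b.company.com" and whether the prefix form applies to IPv6 identities. A match that is looser than the administrator intended accepts unintended peers as endpoints, so the text should state the rules per ID type rather than leave them to the examples. Also, "Different Wildcards wildcard mechanisms" should read "Different wildcard mechanisms".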
-- The ipSecCredentialSetTable
--
ipSecIkeEndpointStartupCondition OBJECT-TYPE ipSecCredentialSetTable OBJECT-TYPE
SYNTAX BITS {
onBoot(1),
onTraffic(2),
onPolicy(3)
} SYNTAX SEQUENCE OF IpSecCredentialSetEntry
PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the triggering event that causes the IKE rule "Specifies credential sets.
referenced be applied. OnBoot (1) means that the rule is
triggered after system boot. OnTraffic (2) means that the rule is
triggered when packets without associated security associations
are sent or received. OnPolicy (3) means that the rule is
triggered when it becomes valid as specified by
ipSecRuleTimePeriodGroupTable. "
::= { ipSecIkeEndpointEntry 7 }
ipSecIkeEndpointIsOriginator OBJECT-TYPE For IKE peer credentials, any one of the credentials in the set is
SYNTAX TruthValue acceptable as peer credential during IEK phase 1 negotiation. For
IKE local credentials, any one of the credentials in the set can
be used in IKE phase 1 negotiation."
::= { ipSecCredential 1 }
ipSecCredentialSetEntry OBJECT-TYPE
SYNTAX IpSecCredentialSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If this attribute is true, when IKE associations need to be set "Specifies an instance of this class"
up, this PEP SHALL initiate the establishment. Otherwise, it SHALL PIB-INDEX { ipSecCredentialSetPrid }
wait for the other end to initiate the setup." UNIQUENESS {
::= { ipSecIkeEndpointEntry 8 } ipSecCredentialSetPrid,
ipSecCredentialSetSetId,
ipSecCredentialSetCredentialId
}
::= { ipSecCredentialSetTable 1 }
ipSecIkeEndpointGroupId OBJECT-TYPE IpSecCredentialSetEntry ::= SEQUENCE {
ipSecCredentialSetPrid InstanceId,
ipSecCredentialSetSetId TagId,
ipSecCredentialSetCredentialId ReferenceId
}
ipSecCredentialSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecCredentialSetEntry 1 }
ipSecCredentialSetSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this IKE endpoint belongs to." "A credential set is composed of one or more credentials. Each
::= { ipSecIkeEndpointEntry 9 } credential belonging to the same set has the same
CredentialSetId."
::= { ipSecCredentialSetEntry 2 }
ipSecCredentialSetCredentialId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecCredentialEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecCredentialTable."
::= { ipSecCredentialSetEntry 3 }
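Review bot: ipSecCredentialSetEntry lists ipSecCredentialSetPrid in its UNIQUENESS clause, but the Prid is already the PIB-INDEX, so including it makes the constraint vacuous (every row is trivially unique) and a credential could be placed in the same set twice; the other set tables (ipSecIkeActionSetEntry, ipSecIkeProposalSetEntry) list only the non-index attributes, and this one should be `UNIQUENESS { ipSecCredentialSetSetId, ipSecCredentialSetCredentialId }`. Typo in the table DESCRIPTION: "IEK phase 1" should be "IKE phase 1".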
-- --
-- --
-- The ipSecPeerCredentialTable -- The ipSecCredentialTable
-- --
ipSecPeerCredentialTable OBJECT-TYPE ipSecCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialEntry
SYNTAX SEQUENCE OF IpSecPeerCredentialEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies groups of IKE peer credentials. Credentials in a group "Specifies credentials."
are ORed. Any one of the credentials in a group is acceptable as ::= { ipSecCredential 2 }
the IKE peer endpoint credential."
INDEX { ipSecPeerCredentialPrid }
UNIQUENESS {
ipSecPeerCredentialCredentialType,
ipSecPeerCredentialFieldsGroupId,
ipSecPeerCredentialGroupId
}
::= { ipSecIkeAssociation 5 }
ipSecPeerCredentialEntry OBJECT-TYPE ipSecCredentialEntry OBJECT-TYPE
SYNTAX IpSecPeerCredentialEntry SYNTAX IpSecCredentialEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
::= { ipSecPeerCredentialTable 1 } PIB-INDEX { ipSecCredentialPrid }
UNIQUENESS {
ipSecCredentialCredentialType,
ipSecCredentialFieldsId,
ipSecCredentialCrlDistributionPoint
}
::= { ipSecCredentialTable 1 }
IpSecPeerCredentialEntry ::= SEQUENCE { IpSecCredentialEntry ::= SEQUENCE {
ipSecPeerCredentialPrid InstanceId, ipSecCredentialPrid InstanceId,
ipSecPeerCredentialCredentialType INTEGER, ipSecCredentialCredentialType INTEGER,
ipSecPeerCredentialFieldsGroupId TagReferenceId, ipSecCredentialFieldsId TagReferenceId,
ipSecPeerCredentialGroupId TagId ipSecCredentialCrlDistributionPoint OCTET STRING
} }
ipSecPeerCredentialPrid OBJECT-TYPE ipSecCredentialPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index that uniquely identifies an instance of this
::= { ipSecPeerCredentialEntry 1 } class."
::= { ipSecCredentialEntry 1 }
ipSecPeerCredentialCredentialType OBJECT-TYPE ipSecCredentialCredentialType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
certificateX.509(1), certificateX509(1),
kerberos-ticket(2) kerberos-ticket(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of credential to be matched." "Specifies the type of credential to be matched."
::= { ipSecPeerCredentialEntry 2 }
ipSecPeerCredentialFieldsGroupId OBJECT-TYPE Li, et al Expires August, 2002 57
IPsec Policy Information Base February, 2002
::= { ipSecCredentialEntry 2 }
ipSecCredentialFieldsId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialFieldsSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a group of matching criteria to be "Identifies a group of matching criteria to be used for the peer
used for this peer credential. The criteria specified in credential. The identified criteria MUST all be satisfied."
ipSecCredentialFieldsTable whose ipSecCredentialFieldsGroupId ::= { ipSecCredentialEntry 3 }
Li, et al Expires January, 2002 43
IPsec Policy Information Base July, 2001
match this attribute are the criteria to be used. The identified
criteria are ANDed. "
::= { ipSecPeerCredentialEntry 3 }
ipSecPeerCredentialGroupId OBJECT-TYPE ipSecCredentialCrlDistributionPoint OBJECT-TYPE
SYNTAX TagId SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this credential belongs to. Credentials in a "When credential type is certificate X509, this attribute
group are ORed. Any one of the credentials in a group is identifies the Certificate Revocation List (CRL) distribution
acceptable as the IKE peer endpoint credential." point for this credential."
::= { ipSecPeerCredentialEntry 4 } ::= { ipSecCredentialEntry 4 }
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecCredentialFieldsTable
--
ipSecCredentialFieldsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies the sub-fields and their values to be matched against
        peer credentials obtained during IKE phase one negotiation. All
        criteria within a group are ANDed."
    INDEX { ipSecCredentialFieldsPrid }
    UNIQUENESS {
        ipSecCredentialFieldsName,
        ipSecCredentialFieldsValue,
        ipSecCredentialFieldsGroupId
    }
    ::= { ipSecIkeAssociation 6 }

ipSecCredentialFieldsEntry OBJECT-TYPE
    SYNTAX IpSecCredentialFieldsEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecCredentialFieldsTable 1 }

IpSecCredentialFieldsEntry ::= SEQUENCE {
    ipSecCredentialFieldsPrid InstanceId,
    ipSecCredentialFieldsName OCTET STRING,
    ipSecCredentialFieldsValue OCTET STRING,
    ipSecCredentialFieldsGroupId TagId
}

ipSecCredentialFieldsPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecCredentialFieldsEntry 1 }

ipSecCredentialFieldsName OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the sub-field of the credential to match with."
    ::= { ipSecCredentialFieldsEntry 2 }

ipSecCredentialFieldsValue OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the value to match with the ipSecCredentialFieldsName
        in a credential."
    ::= { ipSecCredentialFieldsEntry 3 }

ipSecCredentialFieldsGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this criterion belongs to. All criteria
        within a group are ANDed."
    ::= { ipSecCredentialFieldsEntry 4 }

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecCredentialFieldsTable
--
ipSecCredentialFieldsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies sets of credential sub-fields and their values to be
        matched against."
    ::= { ipSecCredential 3 }

ipSecCredentialFieldsEntry OBJECT-TYPE
    SYNTAX IpSecCredentialFieldsEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecCredentialFieldsPrid }
    UNIQUENESS {
        ipSecCredentialFieldsName,
        ipSecCredentialFieldsValue,
        ipSecCredentialFieldsSetId
    }
    ::= { ipSecCredentialFieldsTable 1 }

IpSecCredentialFieldsEntry ::= SEQUENCE {
    ipSecCredentialFieldsPrid InstanceId,
    ipSecCredentialFieldsName OCTET STRING,
    ipSecCredentialFieldsValue OCTET STRING,
    ipSecCredentialFieldsSetId TagId
}

ipSecCredentialFieldsPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecCredentialFieldsEntry 1 }

ipSecCredentialFieldsName OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the sub-field of the credential to match with. This is
        the string representation of an X.509 certificate attribute,
        e.g. 'serialNumber', 'issuerName', 'subjectName', etc."
    ::= { ipSecCredentialFieldsEntry 2 }

ipSecCredentialFieldsValue OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the value to match with for the sub-field identified by
        ipSecCredentialFieldsName. A wildcard mechanism can be used in the
        Value string. E.g., if the Name is 'subjectName' then a Value of
        'cn=*,ou=engineering,o=foo,c=be' will match successfully a
        certificate whose subject attribute is 'cn=Jane Doe,
        ou=engineering, o=foo, c=be'. The wildcard character '*' can be
        used to represent 0 or several characters."
    ::= { ipSecCredentialFieldsEntry 3 }

ipSecCredentialFieldsSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the set this criterion belongs to. All criteria within
        a set MUST all be satisfied."
    ::= { ipSecCredentialFieldsEntry 4 }
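The credential-matching tables above can be exercised with the following added Python example. It is not code from the draft or from any IPsec implementation; the table rows, the peer credentials and the DN whitespace normalization are constructed assumptions made for the illustration. It combines three -04 tables: a fields set (rows of ipSecCredentialFieldsTable sharing a SetId, all of which MUST be satisfied), the ipSecCredentialTable rows that reference a fields set through ipSecCredentialFieldsId, and an ipSecCredentialSetTable whose members are, following the -03 wording, acceptable individually.

```python
"""Credential matching with ipSecCredentialSetTable, ipSecCredentialTable
and ipSecCredentialFieldsTable.

Added illustration, not code from the draft.  Rows are constructed sample
data keyed by the -04 attribute names without the ipSec<Table> prefix.
Assumptions: a peer credential is a dict of attribute name -> string, and
DN-valued fields are compared after stripping whitespace around each RDN,
which the draft's own 'cn=Jane Doe, ou=engineering, ...' example implies
but does not state.
"""
import re

# Constructed ipSecCredentialFieldsTable: rows sharing a SetId are ANDed.
FIELDS_TABLE = [
    {"Name": "subjectName", "Value": "cn=*,ou=engineering,o=foo,c=be", "SetId": 10},
    {"Name": "issuerName", "Value": "cn=Foo Corp CA,o=foo,c=be", "SetId": 10},
    {"Name": "subjectName", "Value": "cn=*,ou=operations,o=foo,c=be", "SetId": 11},
    {"Name": "issuerName", "Value": "cn=Foo Corp CA,o=foo,c=be", "SetId": 11},
]

# Constructed ipSecCredentialTable, keyed by ipSecCredentialPrid.  FieldsId is
# the tag selecting a fields set above (PIB-TAG ipSecCredentialFieldsSetId).
CREDENTIAL_TABLE = {
    1: {"CredentialType": "certificateX509", "FieldsId": 10},
    2: {"CredentialType": "certificateX509", "FieldsId": 11},
}

# Constructed ipSecCredentialSetTable: set 5 references credentials 1 and 2;
# per the -03 wording, any one credential of a set is acceptable (ORed).
CREDENTIAL_SET_TABLE = [
    {"CredentialSetId": 5, "CredentialId": 1},
    {"CredentialSetId": 5, "CredentialId": 2},
]


def normalize_dn(value):
    """'cn=Jane Doe, ou=engineering, o=foo, c=be' -> 'cn=Jane Doe,ou=engineering,o=foo,c=be'."""
    return ",".join(part.strip() for part in value.split(","))


def wildcard_match(pattern, value):
    """'*' stands for zero or more characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def field_matches(row, credential):
    """One ipSecCredentialFieldsTable row against one credential sub-field."""
    actual = credential.get(row["Name"])
    if actual is None:
        return False
    pattern = row["Value"]
    if row["Name"] in ("subjectName", "issuerName"):
        pattern, actual = normalize_dn(pattern), normalize_dn(actual)
    return wildcard_match(pattern, actual)


def fields_set_matches(set_id, credential):
    """All rows with this SetId MUST be satisfied (ANDed)."""
    rows = [r for r in FIELDS_TABLE if r["SetId"] == set_id]
    return bool(rows) and all(field_matches(r, credential) for r in rows)


def credential_row_matches(prid, credential):
    """One ipSecCredentialTable row: type must match and its fields set hold."""
    row = CREDENTIAL_TABLE[prid]
    return (row["CredentialType"] == credential["type"]
            and fields_set_matches(row["FieldsId"], credential))


def credential_set_accepts(set_id, credential):
    """Any credential of the set is enough (ORed across the set's members)."""
    members = [r["CredentialId"] for r in CREDENTIAL_SET_TABLE
               if r["CredentialSetId"] == set_id]
    return any(credential_row_matches(prid, credential) for prid in members)


# Constructed peer credentials as they would be seen after IKE phase one.
JANE_CERT = {"type": "certificateX509",
             "subjectName": "cn=Jane Doe, ou=engineering, o=foo, c=be",
             "issuerName": "cn=Foo Corp CA, o=foo, c=be"}
BOB_CERT = {"type": "certificateX509",
            "subjectName": "cn=Bob Ops, ou=operations, o=foo, c=be",
            "issuerName": "cn=Foo Corp CA, o=foo, c=be"}
ROGUE_CA_CERT = dict(JANE_CERT, issuerName="cn=Some Other CA, o=bar, c=be")
SALES_CERT = dict(JANE_CERT, subjectName="cn=Sam Sales, ou=sales, o=foo, c=be")
KERBEROS_TICKET = {"type": "kerberos-ticket", "principal": "jane@FOO.EXAMPLE"}

if __name__ == "__main__":
    for name, cred in [("jane", JANE_CERT), ("bob", BOB_CERT),
                       ("rogue CA", ROGUE_CA_CERT), ("sales", SALES_CERT),
                       ("kerberos", KERBEROS_TICKET)]:
        print(f"{name:10s} accepted by set 5: {credential_set_accepts(5, cred)}")
```

Run it directly to see which constructed credential set 5 accepts. The issuerName row is what makes the AND matter: a certificate with an acceptable subject but issued by another CA is rejected. The wildcard is translated to a regular expression by escaping everything except '*', so a literal '*' inside a certificate attribute cannot be matched exactly; the draft defines no escape for that case.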
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies ESP transform sets. Within a transform set, the choices
        are ORed with preference order."
    INDEX { ipSecEspTransformSetPrid }
    UNIQUENESS {
        ipSecEspTransformSetTransformSetId,
        ipSecEspTransformSetTransformId,
        ipSecEspTransformSetOrder
    }
    ::= { ipSecEspTransform 1 }

ipSecEspTransformSetEntry OBJECT-TYPE
    SYNTAX IpSecEspTransformSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecEspTransformSetTable 1 }

IpSecEspTransformSetEntry ::= SEQUENCE {
    ipSecEspTransformSetPrid InstanceId,
    ipSecEspTransformSetTransformSetId TagId,
    ipSecEspTransformSetTransformId ReferenceId,
    ipSecEspTransformSetOrder Unsigned32
}

ipSecEspTransformSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecEspTransformSetEntry 1 }

ipSecEspTransformSetTransformSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An integer that identifies a set of ESP transforms"
    ::= { ipSecEspTransformSetEntry 2 }

ipSecEspTransformSetTransformId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an ESP transform, specified by
        ipSecEspTransformPrid in ipSecEspTransformTable, that is included
        in this set."
    ::= { ipSecEspTransformSetEntry 3 }

ipSecEspTransformSetOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the transform
        identified by ipSecEspTransformSetTransformId within a transform
        set. The transform set is identified by
        ipSecEspTransformSetTransformSetId. Transforms within a set are
        ORed with preference order. A given precedence order is positioned
        before one with a higher-valued precedence order."
    ::= { ipSecEspTransformSetEntry 4 }

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecSelectorSetTable
--
ipSecSelectorSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSelectorSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec selector sets."
    ::= { ipSecSelector 1 }

ipSecSelectorSetEntry OBJECT-TYPE
    SYNTAX IpSecSelectorSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecSelectorSetPrid }
    UNIQUENESS {
        ipSecSelectorSetSelectorSetId,
        ipSecSelectorSetSelectorId,
        ipSecSelectorSetOrder
    }
    ::= { ipSecSelectorSetTable 1 }

IpSecSelectorSetEntry ::= SEQUENCE {
    ipSecSelectorSetPrid InstanceId,
    ipSecSelectorSetSelectorSetId TagId,
    ipSecSelectorSetSelectorId Prid,
    ipSecSelectorSetOrder Unsigned16
}

ipSecSelectorSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecSelectorSetEntry 1 }

ipSecSelectorSetSelectorSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPsec selector set is composed of one or more IPsec selectors.
        Each selector belonging to the same set has the same
        SelectorSetId."
    ::= { ipSecSelectorSetEntry 2 }

ipSecSelectorSetSelectorId OBJECT-TYPE
    SYNTAX Prid
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in another table that describes
        selectors. To use selectors defined in this IPsec PIB module, this
        attribute MUST point to an instance in ipSecSelectorTable. This
        attribute may also point to an instance in a selector or filter
        table defined in other PIB modules."
    ::= { ipSecSelectorSetEntry 3 }

ipSecSelectorSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the selectors
        identified by ipSecSelectorId within a selector set. The selector
        set is identified by ipSecSelectorSetId. A smaller integer value
        indicates a higher preference. All selectors constructed from the
        instance pointed by ipSecSelectorId have the same order."
    ::= { ipSecSelectorSetEntry 4 }
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecEspTransformTable
--
ipSecEspTransformTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecEspTransformEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies ESP transforms."
    INDEX { ipSecEspTransformPrid }
    UNIQUENESS {
        ipSecEspTransformIntegrityTransformId,
        ipSecEspTransformCipherTransformId,
        ipSecEspTransformCipherKeyRounds,
        ipSecEspTransformCipherKeyLength,
        ipSecEspTransformUseReplayPrevention,
        ipSecEspTransformReplayPreventionWindowSize
    }
    ::= { ipSecEspTransform 2 }

ipSecEspTransformEntry OBJECT-TYPE
    SYNTAX IpSecEspTransformEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecEspTransformTable 1 }

IpSecEspTransformEntry ::= SEQUENCE {
    ipSecEspTransformPrid InstanceId,
    ipSecEspTransformIntegrityTransformId INTEGER,
    ipSecEspTransformCipherTransformId INTEGER,
    ipSecEspTransformCipherKeyRounds Unsigned32,
    ipSecEspTransformCipherKeyLength Unsigned32,
    ipSecEspTransformUseReplayPrevention TruthValue,
    ipSecEspTransformReplayPreventionWindowSize Unsigned32
}

ipSecEspTransformPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecEspTransformEntry 1 }

ipSecEspTransformIntegrityTransformId OBJECT-TYPE
    SYNTAX INTEGER {
        none(0),
        hmacMd5(1),
        hmacSha(2),
        desMac(3),
        kpdk(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the ESP integrity algorithm to propose."
    ::= { ipSecEspTransformEntry 2 }

ipSecEspTransformCipherTransformId OBJECT-TYPE
    SYNTAX INTEGER {
        desIV64(1),
        des(2),
        tripleDES(3),
        rc5(4),
        idea(5),
        cast(6),
        blowfish(7),
        tripleIDEA(8),
        desIV32(9),
        rc4(10),
        null(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the ESP cipher/encryption algorithm to propose."
    ::= { ipSecEspTransformEntry 3 }

ipSecEspTransformCipherKeyRounds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the number of key rounds for the ESP cipher algorithm
        specified by the attribute ipSecEspTransformCipherTransformId."
    ::= { ipSecEspTransformEntry 4 }

ipSecEspTransformCipherKeyLength OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the length of the ESP cipher key in bits."
    ::= { ipSecEspTransformEntry 5 }

ipSecEspTransformUseReplayPrevention OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether to enable replay prevention detection."
    ::= { ipSecEspTransformEntry 6 }

ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the length of the window used by the replay prevention
        detection mechanism."
    ::= { ipSecEspTransformEntry 7 }

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecSelectorTable
--
ipSecSelectorTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSelectorEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec selectors. Each row in the selector table
        represents multiple selectors. These selectors are obtained as
        follows:
        1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
           addresses from the ipSecAddressTable whose ipSecAddressGroupId
           matches the ipSecSelectorSrcAddressGroupId.
        2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
           addresses from the ipSecAddressTable whose ipSecAddressGroupId
           matches the ipSecSelectorDstAddressGroupId.
        3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
           or ranges of ports whose ipSecL4PortGroupId matches the
           ipSecSelectorSrcPortGroupId.
        4. Substitute the ipSecSelectorDstPortGroupId with all the ports
           or ranges of ports whose ipSecL4PortGroupId matches the
           ipSecSelectorDstPortGroupId.
        5. Construct all the possible combinations of the above four
           fields. Then add to the combinations the ipSecSelectorProtocol,
           ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
           all the selectors.
        The relative order of the selectors constructed from a single row
        is unspecified."
    ::= { ipSecSelector 2 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX IpSecSelectorEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecSelectorPrid }
    UNIQUENESS {
        ipSecSelectorSrcAddressGroupId,
        ipSecSelectorSrcPortGroupId,
        ipSecSelectorDstAddressGroupId,
        ipSecSelectorDstPortGroupId,
        ipSecSelectorProtocol,
        ipSecSelectorDscp,
        ipSecSelectorFlowLabel
    }
    ::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
    ipSecSelectorPrid InstanceId,
    ipSecSelectorSrcAddressGroupId TagReferenceId,
    ipSecSelectorSrcPortGroupId TagReferenceId,
    ipSecSelectorDstAddressGroupId TagReferenceId,
    ipSecSelectorDstPortGroupId TagReferenceId,
    ipSecSelectorProtocol INTEGER,
    ipSecSelectorDscp INTEGER,
    ipSecSelectorFlowLabel OCTET STRING
}

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecAddressGroupId }
    STATUS current
    DESCRIPTION
        "Indicates source addresses. All addresses in ipSecAddressTable
        whose ipSecAddressGroupId matches this value are included as
        source addresses.
        A value of zero indicates wildcard address, i.e., any address
        matches."
    ::= { ipSecSelectorEntry 2 }

ipSecSelectorSrcPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecL4PortGroupId }
    STATUS current
    DESCRIPTION
        "Indicates source layer 4 port numbers. All ports in ipSecL4Port
        whose ipSecL4PortGroupId matches this value are included.
        A value of zero indicates wildcard port, i.e., any port number
        matches."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecAddressGroupId }
    STATUS current
    DESCRIPTION
        "Indicates destination addresses. All addresses in
        ipSecAddressTable whose ipSecAddressGroupId matches this value are
        included as destination addresses.
        A value of zero indicates wildcard address, i.e., any address
        matches."
    ::= { ipSecSelectorEntry 4 }

ipSecSelectorDstPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecL4PortGroupId }
    STATUS current
    DESCRIPTION
        "Indicates destination layer 4 port numbers. All ports in
        ipSecL4Port whose ipSecL4PortGroupId matches this value are
        included.
        A value of zero indicates wildcard port, i.e., any port number
        matches."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorProtocol OBJECT-TYPE
    SYNTAX INTEGER (0..255)
    STATUS current
    DESCRIPTION
        "Specifies the IP protocol to match against a packet's protocol. A
        value of zero indicates wildcard protocol, i.e., any protocol
        matches."
    ::= { ipSecSelectorEntry 6 }

ipSecSelectorDscp OBJECT-TYPE
    SYNTAX INTEGER (-1..63)
    STATUS current
    DESCRIPTION
        "Specifies the DSCP value to match against the DSCP in a packet
        header. A value of -1 indicates match all."
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorFlowLabel OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the Flow Label to match against the Flow Label field in
        the IPv6 header of a packet. This attribute MUST be a zero length
        OCTET STRING when specifying selectors for IPv4 packets."
    ::= { ipSecSelectorEntry 8 }
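The five-step selector construction described for ipSecSelectorTable, as an added worked example in Python; it is not the draft's code nor any implementation's. The ipSecAddressTable, ipSecL4PortTable and ipSecSelectorTable rows are constructed sample data, the attribute names drop the ipSec<Table> prefix, and only IPv4 rows are used. It also applies the matching rules given in the ipSecAddressTable and ipSecL4PortTable definitions that follow (single address, AddrMin..AddrMax range, address plus mask; PortMin zero means any port), so a practitioner can see both how many concrete selectors one row yields and which of them cover a given packet.

```python
"""Selector expansion and matching per the ipSecSelectorTable description.

Added illustration; this is not code from the draft or from any IPsec
implementation.  The table rows are constructed sample data; the field
names mirror the -04 attribute names with the ipSec<Table> prefix dropped.
IPv4 only; an IPv6 flow label is compared only when the selector has one.
"""
import ipaddress
from itertools import product

# Constructed ipSecAddressTable rows.  AddrMax is "" (zero length) when the
# row is not a range; AddrMask is "" when the row is not a subnet.
IPSEC_ADDRESS_TABLE = [
    {"AddrMin": "10.0.0.5", "AddrMax": "", "AddrMask": "", "GroupId": 1},
    {"AddrMin": "10.0.1.0", "AddrMax": "", "AddrMask": "255.255.255.0", "GroupId": 1},
    {"AddrMin": "192.0.2.10", "AddrMax": "192.0.2.20", "AddrMask": "", "GroupId": 2},
]

# Constructed ipSecL4PortTable rows (PortMin == PortMax for a single port).
IPSEC_L4PORT_TABLE = [
    {"PortMin": 443, "PortMax": 443, "GroupId": 7},
    {"PortMin": 8000, "PortMax": 8080, "GroupId": 7},
]


def addresses_in_group(group_id):
    """Steps 1 and 2: every ipSecAddressTable row whose GroupId matches.
    Group id 0 is the wildcard, represented here as a single None entry."""
    if group_id == 0:
        return [None]
    return [row for row in IPSEC_ADDRESS_TABLE if row["GroupId"] == group_id]


def ports_in_group(group_id):
    """Steps 3 and 4: every ipSecL4PortTable row whose GroupId matches."""
    if group_id == 0:
        return [None]
    return [row for row in IPSEC_L4PORT_TABLE if row["GroupId"] == group_id]


def expand_selector(row):
    """Step 5: all combinations of the four substituted fields, each carrying
    the row's Protocol, Dscp and FlowLabel.  The draft leaves the order
    of the resulting selectors unspecified."""
    combos = product(addresses_in_group(row["SrcAddressGroupId"]),
                     ports_in_group(row["SrcPortGroupId"]),
                     addresses_in_group(row["DstAddressGroupId"]),
                     ports_in_group(row["DstPortGroupId"]))
    return [{"src": sa, "sport": sp, "dst": da, "dport": dp,
             "protocol": row["Protocol"], "dscp": row["Dscp"],
             "flowlabel": row["FlowLabel"]}
            for sa, sp, da, dp in combos]


def address_matches(entry, addr):
    """ipSecAddressTable semantics: range when AddrMax is set, subnet when
    AddrMask is set (zero mask bits always match), else a single address."""
    if entry is None:                      # wildcard group
        return True
    a = ipaddress.ip_address(addr)
    lo = ipaddress.ip_address(entry["AddrMin"])
    if entry["AddrMax"]:
        return lo <= a <= ipaddress.ip_address(entry["AddrMax"])
    if entry["AddrMask"]:
        mask = int(ipaddress.ip_address(entry["AddrMask"]))
        return (int(a) & mask) == (int(lo) & mask)
    return a == lo


def port_matches(entry, port):
    """ipSecL4PortTable semantics: PortMin 0 means any port, PortMax ignored."""
    if entry is None or entry["PortMin"] == 0:
        return True
    return entry["PortMin"] <= port <= entry["PortMax"]


def selector_matches(sel, pkt):
    """Protocol 0 and DSCP -1 are the draft's wildcards; an empty FlowLabel
    (mandatory for IPv4 selectors) is not compared."""
    return (address_matches(sel["src"], pkt["src"])
            and port_matches(sel["sport"], pkt["sport"])
            and address_matches(sel["dst"], pkt["dst"])
            and port_matches(sel["dport"], pkt["dport"])
            and (sel["protocol"] == 0 or sel["protocol"] == pkt["protocol"])
            and (sel["dscp"] == -1 or sel["dscp"] == pkt["dscp"])
            and (not sel["flowlabel"]
                 or sel["flowlabel"] == pkt.get("flowlabel", b"")))


def matching_selectors(row, pkt):
    """The expanded selectors of one ipSecSelectorTable row that cover pkt."""
    return [s for s in expand_selector(row) if selector_matches(s, pkt)]


# Constructed ipSecSelectorTable row: TCP from address group 1 (any source
# port) to address group 2 on the ports of group 7, any DSCP, IPv4 (no
# flow label).
SAMPLE_ROW = {"SrcAddressGroupId": 1, "SrcPortGroupId": 0,
              "DstAddressGroupId": 2, "DstPortGroupId": 7,
              "Protocol": 6, "Dscp": -1, "FlowLabel": b""}

if __name__ == "__main__":
    pkt = {"src": "10.0.1.77", "sport": 51000, "dst": "192.0.2.15",
           "dport": 8080, "protocol": 6, "dscp": 0}
    print(len(expand_selector(SAMPLE_ROW)), "selectors from one row")
    print(len(matching_selectors(SAMPLE_ROW, pkt)), "of them cover the packet")
```

With the constructed rows, SAMPLE_ROW expands to 2 x 1 x 1 x 2 = 4 concrete selectors, which is the point of the expansion: the size of a policy's selector list is the product of the group sizes, not the number of ipSecSelectorTable rows. The wildcard group id 0 is modelled as a single None entry so that it contributes a factor of one rather than zero to the product.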
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecAhTransformSetTable
--
ipSecAhTransformSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies AH transform sets. Within a transform set, the choices
        are ORed with preference order."
    INDEX { ipSecAhTransformSetPrid }
    UNIQUENESS {
        ipSecAhTransformSetTransformSetId,
        ipSecAhTransformSetTransformId,
        ipSecAhTransformSetOrder
    }
    ::= { ipSecAhTransform 1 }

ipSecAhTransformSetEntry OBJECT-TYPE
    SYNTAX IpSecAhTransformSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAhTransformSetTable 1 }

IpSecAhTransformSetEntry ::= SEQUENCE {
    ipSecAhTransformSetPrid InstanceId,
    ipSecAhTransformSetTransformSetId TagId,
    ipSecAhTransformSetTransformId ReferenceId,
    ipSecAhTransformSetOrder Unsigned32
}

ipSecAhTransformSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecAhTransformSetEntry 1 }

ipSecAhTransformSetTransformSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An integer that identifies an AH transform set."
    ::= { ipSecAhTransformSetEntry 2 }

ipSecAhTransformSetTransformId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an AH transform, as specified by
        ipSecAhTransform in ipSecAhTransformTable, that is included in
        this set."
    ::= { ipSecAhTransformSetEntry 3 }

ipSecAhTransformSetOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the transform
        identified by ipSecAhTransformSetTransformId within a transform
        set. The transform set is identified by
        ipSecAhTransformSetTransformSetId. Transforms within a set are
        ORed with preference order. A given precedence order is positioned
        before one with a higher-valued precedence order."
    ::= { ipSecAhTransformSetEntry 4 }

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecAddressTable
--
ipSecAddressTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAddressEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IP addresses. To specify a single IP address,
        ipSecAddressAddrMin MUST be specified. To specify a range of
        addresses, both ipSecAddressAddrMin and ipSecAddressAddrMax MUST
        be specified. To specify a subnet, both ipSecAddressAddrMin and
        ipSecAddressAddrMask MUST be specified."
    ::= { ipSecSelector 3 }

ipSecAddressEntry OBJECT-TYPE
    SYNTAX IpSecAddressEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAddressPrid }
    UNIQUENESS {
        ipSecAddressAddressType,
        ipSecAddressAddrMask,
        ipSecAddressAddrMin,
        ipSecAddressAddrMax,
        ipSecAddressGroupId
    }
    ::= { ipSecAddressTable 1 }

IpSecAddressEntry ::= SEQUENCE {
    ipSecAddressPrid InstanceId,
    ipSecAddressAddressType INTEGER,
    ipSecAddressAddrMask OCTET STRING,
    ipSecAddressAddrMin OCTET STRING,
    ipSecAddressAddrMax OCTET STRING,
    ipSecAddressGroupId TagId
}

ipSecAddressPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAddressEntry 1 }

ipSecAddressAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the address type."
    ::= { ipSecAddressEntry 2 }

ipSecAddressAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the IP address. A zero bit in the mask
        means that the corresponding bit in the address always matches.
        This attribute MUST be ignored when ipSecAddressAddressType is not
        of IPv4 or IPv6 type."
    ::= { ipSecAddressEntry 3 }

ipSecAddressAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies an IP address."
    ::= { ipSecAddressEntry 4 }

ipSecAddressAddrMax OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "If a range of addresses is used then this specifies the ending
        address. The type of this address must be the same as the
        ipSecAddressAddrMin.
        If no range is specified then this attribute MUST be a zero length
        OCTET STRING."
    ::= { ipSecAddressEntry 5 }

ipSecAddressGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this IP address, address range or subnet
        address belongs to."
    ::= { ipSecAddressEntry 6 }
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecAhTransformTable
--
ipSecAhTransformTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAhTransformEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies AH transforms."
    INDEX { ipSecAhTransformPrid }
    UNIQUENESS {
        ipSecAhTransformTransformId,
        ipSecAhTransformUseReplayPrevention,
        ipSecAhTransformReplayPreventionWindowSize
    }
    ::= { ipSecAhTransform 2 }

ipSecAhTransformEntry OBJECT-TYPE
    SYNTAX IpSecAhTransformEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAhTransformTable 1 }

IpSecAhTransformEntry ::= SEQUENCE {
    ipSecAhTransformPrid InstanceId,
    ipSecAhTransformTransformId INTEGER,
    ipSecAhTransformUseReplayPrevention TruthValue,
    ipSecAhTransformReplayPreventionWindowSize Unsigned32
}

ipSecAhTransformPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecAhTransformEntry 1 }

ipSecAhTransformTransformId OBJECT-TYPE
    SYNTAX INTEGER {
        md5(2),
        sha-1(3),
        des(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the AH hash algorithm to propose."
    ::= { ipSecAhTransformEntry 2 }

ipSecAhTransformUseReplayPrevention OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether to enable replay prevention detection."
    ::= { ipSecAhTransformEntry 3 }

ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the length of the window used by the replay prevention
        detection mechanism."
    ::= { ipSecAhTransformEntry 4 }

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecL4PortTable
--
ipSecL4PortTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecL4PortEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies layer four port numbers."
    ::= { ipSecSelector 4 }

ipSecL4PortEntry OBJECT-TYPE
    SYNTAX IpSecL4PortEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecL4PortPrid }
    UNIQUENESS {
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    ::= { ipSecL4PortTable 1 }

IpSecL4PortEntry ::= SEQUENCE {
    ipSecL4PortPrid InstanceId,
    ipSecL4PortPortMin Unsigned16,
    ipSecL4PortPortMax Unsigned16,
    ipSecL4PortGroupId TagId
}

ipSecL4PortPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecL4PortEntry 1 }

ipSecL4PortPortMin OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies a layer 4 port or the first layer 4 port number of a
        range of ports. The value of this attribute must be equal to or
        less than that of ipSecL4PortPortMax.
        A value of zero indicates any port matches."
    ::= { ipSecL4PortEntry 2 }

ipSecL4PortPortMax OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the last layer 4 port in the range. If only a single
        port is specified, the value of this attribute must be equal to
        that of ipSecL4PortPortMin. Otherwise, the value of this attribute
        MUST be greater than that specified by ipSecL4PortPortMin.
        If ipSecL4PortPortMin is zero, this attribute MUST be ignored."
    ::= { ipSecL4PortEntry 3 }

ipSecL4PortGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this port or port range belongs to."
    ::= { ipSecL4PortEntry 4 }
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecCompTransformSetTable
--
ipSecCompTransformSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPComp transform sets. Within a transform set, the
        choices are ORed with preference order."
    INDEX { ipSecCompTransformSetPrid }
    UNIQUENESS {
        ipSecCompTransformSetTransformSetId,
        ipSecCompTransformSetTransformId,
        ipSecCompTransformSetOrder
    }
    ::= { ipSecCompTransform 1 }

ipSecCompTransformSetEntry OBJECT-TYPE
    SYNTAX IpSecCompTransformSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecCompTransformSetTable 1 }

IpSecCompTransformSetEntry ::= SEQUENCE {
    ipSecCompTransformSetPrid InstanceId,
    ipSecCompTransformSetTransformSetId TagId,
    ipSecCompTransformSetTransformId ReferenceId,
    ipSecCompTransformSetOrder Unsigned32
}

ipSecCompTransformSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this class"
    ::= { ipSecCompTransformSetEntry 1 }

ipSecCompTransformSetTransformSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPComp transform set"
    ::= { ipSecCompTransformSetEntry 2 }

ipSecCompTransformSetTransformId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPComp Transform, specified by
        ipSecCompTransformPrid in ipSecCompTransformTable, that is
        included in this set."
    ::= { ipSecCompTransformSetEntry 3 }

ipSecCompTransformSetOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the transform
        identified by ipSecCompTransformSetTransformId within a transform
        set. The transform set is identified by
        ipSecCompTransformSetTransformSetId. Transforms within a set are
        ORed with preference order. A given precedence order is positioned
        before one with a higher-valued precedence order."
    ::= { ipSecCompTransformSetEntry 4 }

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecIpsoFilterSetTable
--
ipSecIpsoFilterSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPSO filter sets."
    ::= { ipSecSelector 5 }

ipSecIpsoFilterSetEntry OBJECT-TYPE
    SYNTAX IpSecIpsoFilterSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIpsoFilterSetPrid }
    UNIQUENESS {
        ipSecIpsoFilterSetFilterSetId,
        ipSecIpsoFilterSetFilterId,
        ipSecIpsoFilterSetOrder
    }
    ::= { ipSecIpsoFilterSetTable 1 }

IpSecIpsoFilterSetEntry ::= SEQUENCE {
    ipSecIpsoFilterSetPrid InstanceId,
    ipSecIpsoFilterSetFilterSetId TagId,
    ipSecIpsoFilterSetFilterId ReferenceId,
    ipSecIpsoFilterSetOrder Unsigned16
}

ipSecIpsoFilterSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIpsoFilterSetEntry 1 }

ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPSO filter set is composed of one or more IPSO filters. Each
        filter belonging to the same set has the same FilterSetId."
    ::= { ipSecIpsoFilterSetEntry 2 }

ipSecIpsoFilterSetFilterId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIpsoFilterEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecIpsoFilterTable."
    ::= { ipSecIpsoFilterSetEntry 3 }

ipSecIpsoFilterSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the filter
        identified by ipSecIpsoFilterSetFilterId within a filter set. The
        filter set is identified by ipSecIpsoFilterSetFilterSetId. A
        smaller integer value indicates a higher preference."
    ::= { ipSecIpsoFilterSetEntry 4 }
-- draft-ietf-ipsp-ipsecpib-03.txt:
--
--
-- The ipSecCompTransformTable
--
ipSecCompTransformTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCompTransformEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPComp transforms."
    INDEX { ipSecCompTransformPrid }
    UNIQUENESS {
        ipSecCompTransformAlgorithm,
        ipSecCompTransformDictionarySize,
        ipSecCompTransformPrivateAlgorithm
    }
    ::= { ipSecCompTransform 2 }

ipSecCompTransformEntry OBJECT-TYPE
    SYNTAX IpSecCompTransformEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecCompTransformTable 1 }

IpSecCompTransformEntry ::= SEQUENCE {
    ipSecCompTransformPrid InstanceId,
    ipSecCompTransformAlgorithm INTEGER,
    ipSecCompTransformDictionarySize Unsigned32,
    ipSecCompTransformPrivateAlgorithm Unsigned32
}

ipSecCompTransformPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION

-- draft-ietf-ipsp-ipsecpib-04.txt:
--
--
-- The ipSecIpsoFilterTable
--
ipSecIpsoFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPSO filters."
    ::= { ipSecSelector 6 }

ipSecIpsoFilterEntry OBJECT-TYPE
    SYNTAX IpSecIpsoFilterEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIpsoFilterPrid }
    UNIQUENESS {
        ipSecIpsoFilterMatchConditionType,
        ipSecIpsoFilterClassificationLevel,
        ipSecIpsoFilterProtectionAuthority
    }
    ::= { ipSecIpsoFilterTable 1 }

IpSecIpsoFilterEntry ::= SEQUENCE {
    ipSecIpsoFilterPrid InstanceId,
    ipSecIpsoFilterMatchConditionType INTEGER,
    ipSecIpsoFilterClassificationLevel INTEGER,
    ipSecIpsoFilterProtectionAuthority INTEGER
}

ipSecIpsoFilterPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION