ipsp working group                                             Man Li
Internet Draft                                                  Nokia
Expires August 2002                                     David Arneson
                                                                   N/A
                                                            Avri Doria
                                                                   LTU
                                                           Jamie Jason
                                                                 Intel
                                                            Cliff Wang
                                                             SmartPipe
                                                       Markus Stenberg
                                                                   SSH

                                                        February 2002

                       IPsec Policy Information Base
                      draft-ietf-ipsp-ipsecpib-04.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of
   six months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet- Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document specifies a set of policy rule classes (PRC) for
   configuring IPsec policy at IPsec-enabled devices (e.g., security
   gateways). Instances of these classes reside in a virtual
   information store called the IPsec Policy Information Base (PIB).
   The COPS protocol [5] with extensions for provisioning [6] is used
   to transmit this IPsec policy information to IPsec-enabled
   devices. The PRCs defined in this IPsec PIB are intended for use
   by the COPS-PR IPsec client type. These PRCs are in addition to
   any other PIBs that may be defined for the IPsec client type, as
   well as the PRCs defined in the Framework PIB [9].

Li, et al                Expires August, 2002                        1
                    IPsec Policy Information Base      February, 2002

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC-2119 [2].

1. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for IKE phase one and phase two negotiations. Details
   of these parameters can be found in [12], [10], [8], [3], [7],
   [11] and [14]. The PIB defined in this document is based on the
   IPsec configuration policy model [12]. The rule and role approach
   proposed in [13], which scales to large networks, is adopted for
   distributing IPsec policy over the COPS-PR protocol [6].

2. Operation Overview

   Following the policy framework convention [13], the management
   entity that downloads policy to IPsec-enabled devices will be
   called a Policy Decision Point (PDP) and the target IPsec-enabled
   devices will be called Policy Enforcement Points (PEP).

   After connecting to a PDP using COPS-PR, a PEP reports to the PDP
   the PIB Provisioning Classes (PRCs) it supports as well as any
   limitations related to the implementations of these classes and
   parameters. The PEP provides the above information using the
   frwkPrcSupportTable and the frwkCompLimitsTable defined in the
   framework PIB [9]. In addition, the PEP also reports the interface
   type capabilities and role combinations it supports using the
   frwkIfCapSetTable and the frwkIfCapSetRoleComboTable. Each row of
   the frwkIfCapSetTable contains a capability set name and a
   reference to an instance of a PRC that describes the capabilities
   of the interface type. The capability instances may reside in the
   ipSecIfCapsTable or in a table defined in another PIB. Each row of
   the frwkIfCapSetRoleComboTable contains an interface capability
   set name and a role combination.

   Based on the interface capabilities and role combinations, the PDP
   provides the PEP with IPsec policy information. Later on, if any
   of the interface capabilities or role combinations of the PEP
   change, the PEP notifies the PDP. The PDP will then send a new set
   of IPsec policy information to the PEP. In addition, if the policy
   associated with a given interface capability and role combination
   changes, the PDP will deliver the new IPsec policy to all the PEPs
   that have registered with that interface capability and role
   combination.

3. Structure of rules

   An IPsec policy consists of an ordered list of IPsec rules. Each
   rule is composed of a set of conditions and a set of actions. If a
   packet matches the conditions of a rule, the actions of that rule
   are applied to the packet.

   The IPsec PIB module consists of nine groups. The selector group
   describes conditions to be associated with IPsec rules. The IPsec
   association group, AH transform group, ESP transform group, COMP
   transform group, IKE association group and credential group
   together describe actions to be associated with IPsec rules and
   IKE rules. The policy time period group specifies time periods
   during which a rule is valid. The interface capability group is
   used by a PEP to report the capabilities associated with its
   interface types.

3.1 IPsec association group

   This group specifies IPsec Security Associations.

   The ipSecRuleTable is the starting point for specifying an IPsec
   policy. It contains an ordered list of IPsec rules. Each rule is
   associated with IfName, Roles and Direction attributes to indicate
   the interface type and role combinations as well as the direction
   of the interface to which this rule is to be applied. Each rule
   points to a set of selectors and, optionally, a set of IPSO
   filters to indicate the conditions associated with this rule. In
   addition, each rule has a pointer to a set of actions to indicate
   the actions associated with this rule. Hence, if a packet matches
   a selector in the selector set and, if the reference to the IPSO
   filter set is not zero, it also matches a filter in the IPSO
   filter set, the action(s) associated with this rule will be
   applied to the packet.

   When a rule involves multiple actions, the ExecutionStrategy
   attribute indicates how these actions are executed. A value of
   "DoAll" means that all the actions MUST be applied to the packet
   according to a predefined order. A value of "DoUntilSuccess" means
   that the actions MUST be tried in sequence until a single action
   executes successfully.

   For example, in a nested Security Associations case the actions of
   an initiator's rule might be structured as:

     ExecutionStrategy='Do All'
     |
     +---1--- IPsecTunnelAction    // set up SA from host to gateway
     |
     +---2--- IPsecTransportAction // set up SA from host through
                                   // tunnel to remote host

   The following figure shows such a nested case. H1 and H2 are
   hosts and SG2 is a security gateway on the local Intranet where
   H2 resides. To protect TCP traffic between H1 and H2, an IPsec
   security association (SA1) in transport mode is established
   between H1 and H2. In addition, an IPsec security association
   (SA2) in tunnel mode is set up between H1 and SG2. H1 then takes
   two actions on TCP packets that travel from H1 to H2: it first
   protects the packets with SA1 and then encapsulates the resulting
   packets into SA2.

                             SA1
         ======================================================
         |                   SA2                              |
         |==============================                      |
         ||                            |                      |
         ||                         ---|----------------------|---
         ||                         |  |                      |  |
         H1  ----- (Internet) ------| SG2  ---- (Local ----- H2  |
                                    |           Intranet)        |
                                    ------------------------------
                                    admin. boundary (optional)

   Another example, showing a rule with fallback actions, might be
   structured as:

     ExecutionStrategy='Do Until Success'
     |
     +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
     |
     +---2--- IPsecTunnelAction // set up SA from host to gateway [B]

   As an optional feature, IPsec associations may be established
   without being prompted by IP packets. The AutoStart attribute
   indicates if the IPsec association(s) of this rule should be set
   up automatically. Support of this attribute is optional.

   IPsec actions may be of two types: Static Actions and Negotiation
   Actions. Static Actions do not require any negotiation. They
   include by-pass, discard, IKE rejection, pre-configured transport
   and pre-configured tunnel actions. Negotiation Actions require
   negotiation in order to establish Security Associations. They
   include transport and tunnel actions.

   The ipSecActionSetTable specifies sets of actions. Actions within
   a set form an ordered list. If an action within a set is a Static
   Action, the ActionId MUST point to a valid instance in the
   ipSecStaticActionTable. If the action is a Negotiation Action, the
   ActionId MUST point to a valid instance in the
   ipSecNegotiationActionTable. For other actions, the ActionId MAY
   point to an instance of a PRC defined in some other PIB module.
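   The following Python model, added here as an illustration and not
   code from the draft, walks an ordered action set under the two
   ExecutionStrategy values. The "DoAll" set is the nested case shown
   above (tunnel to the gateway, then transport through it) and the
   "DoUntilSuccess" set is the fallback case (gateway [A], then [B]).
   The Python classes, the simulated IKE outcome per peer
   (REACHABLE), the peer names and the discard action set are
   assumptions made for the example; the draft defines only the
   attribute and table names.

```python
"""Execution of an ordered IPsec action set under the draft's two
ExecutionStrategy values.  Added illustration, not code from the draft."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class StaticAction:
    # Static Actions (ipSecStaticActionTable) need no negotiation:
    # by-pass, discard, IKE rejection, pre-configured transport/tunnel.
    name: str
    kind: str


@dataclass
class NegotiationAction:
    # Negotiation Actions (ipSecNegotiationActionTable) need an SA first;
    # `negotiate` stands in for the IKE exchange and may fail.
    name: str
    mode: str          # "tunnel" or "transport"
    peer: str
    negotiate: Callable[[str], bool]


@dataclass
class ActionSet:
    # One ipSecActionSetTable set plus the rule's ExecutionStrategy.
    strategy: str      # "DoAll" or "DoUntilSuccess"
    actions: List[object] = field(default_factory=list)


def execute(action_set: ActionSet) -> List[str]:
    """Return the names of the actions applied, in order.

    DoAll: every action MUST be applied in order; a failed negotiation
    aborts the set, since a nested SA cannot be layered on a missing one.
    DoUntilSuccess: try actions in sequence, stop at the first success;
    if none succeeds the packet gets no protection and we fail loudly."""
    applied: List[str] = []
    for act in action_set.actions:
        ok = True
        if isinstance(act, NegotiationAction):
            ok = act.negotiate(act.peer)
        if action_set.strategy == "DoAll":
            if not ok:
                raise RuntimeError(f"{act.name} failed; DoAll set aborted")
            applied.append(act.name)
        elif action_set.strategy == "DoUntilSuccess":
            if ok:
                applied.append(act.name)
                break
        else:
            raise ValueError(f"unknown ExecutionStrategy {action_set.strategy}")
    if action_set.strategy == "DoUntilSuccess" and not applied:
        raise RuntimeError("no action in DoUntilSuccess set succeeded")
    return applied


# Constructed sample: which peers answer the simulated IKE exchange.
REACHABLE = {"gw-a.example.net": False, "gw-b.example.net": True,
             "host2.example.net": True}


def ike(peer: str) -> bool:
    return REACHABLE.get(peer, False)


def nested_sa_set() -> ActionSet:
    # "Do All": tunnel to the gateway, then transport through it to the host.
    return ActionSet("DoAll", [
        NegotiationAction("IPsecTunnelAction", "tunnel", "gw-b.example.net", ike),
        NegotiationAction("IPsecTransportAction", "transport", "host2.example.net", ike),
    ])


def fallback_set() -> ActionSet:
    # "Do Until Success": gateway [A] first, gateway [B] only if [A] fails.
    return ActionSet("DoUntilSuccess", [
        NegotiationAction("IPsecTunnelAction[A]", "tunnel", "gw-a.example.net", ike),
        NegotiationAction("IPsecTunnelAction[B]", "tunnel", "gw-b.example.net", ike),
    ])


def discard_set() -> ActionSet:
    # A Static Action: applied without any negotiation.
    return ActionSet("DoAll", [StaticAction("discard", "discard")])


if __name__ == "__main__":
    print(execute(nested_sa_set()))
    print(execute(fallback_set()))
    print(execute(discard_set()))
```

   Note that a "DoAll" set with a failed negotiation is treated as an
   error rather than silently sending the packet with partial
   protection; a PEP that fell back to clear text here would defeat
   the rule.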

   The ipSecStaticActionTable specifies IPsec Static Actions. For a
   pre-configured transport or pre-configured tunnel action, it
   further points to a valid instance in another table that describes
   the transform to be used, for example, the ipSecEspTransformTable.
   In addition, the SPI used for the transform is also defined in
   this table.

   The ipSecNegotiationActionTable specifies IPsec Negotiation
   Actions. It points to a valid instance in the
   ipSecAssociationTable that further defines the association to be
   established. For key exchange policy, the KeyExchangeId points to
   a valid instance in another table that describes key exchange
   procedures. If a single IKE phase one negotiation is used for the
   key exchange, this attribute MUST point to an instance in the
   ipSecIkeAssociationTable. If multiple IKE phase one negotiations
   (e.g., with different modes) are to be tried until success, this
   attribute SHOULD point to an instance in the ipSecIkeRuleTable.
   For other key exchange methods, this attribute MAY point to an
   instance of a PRC defined in some other PIB module.

   The ipSecAssociationTable specifies attributes associated with
   IPsec associations. For each association, it points to a set of
   proposals in the ipSecProposalSetTable that is associated with
   this association.

   The ipSecProposalSetTable specifies sets of proposals. Proposals
   within a set are ordered with a preference value.

   The ipSecProposalTable specifies proposals. It points to sets of
   ESP transforms, AH transforms and COMP transforms. Within a
   proposal, sets of transforms of different types are logically
   ANDed. Transforms of the same type within a transform set are
   logically ORed. For example, if the proposal were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to
   pick one transform from the ESP transform list (preferably
   (HMAC-MD5, 3DES)) AND one from the AH transform list (preferably
   MD5).
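   The responder-side choice implied by the paragraph above, as an
   added example that is not code from the draft: proposals are tried
   in preference order, the transform types inside a proposal are
   ANDed, and within one type the first transform the responder
   accepts wins. Proposal 0 is the draft's own example; the fallback
   proposal and the three responder capability sets are constructed
   for the example. MD5 and DES appear only because the draft's
   example uses them, not as a recommendation.

```python
"""Responder selection over an IPsec proposal set.  Added example, not code
from the draft: proposal 0 reproduces the draft's example, the rest is
constructed."""
from typing import Dict, List, Optional, Tuple

Transform = Tuple[str, ...]            # e.g. ("HMAC-MD5", "3DES") or ("SHA-1",)
Proposal = Dict[str, List[Transform]]  # "ESP"/"AH"/"COMP" -> ordered transforms


def select(proposal_set: List[Proposal],
           responder: Dict[str, List[Transform]]
           ) -> Optional[Tuple[int, Dict[str, Transform]]]:
    """Return (proposal index, {type: chosen transform}) or None.

    A proposal is acceptable only if every transform type it lists has at
    least one transform the responder accepts (AND across types).  Within
    a type the first acceptable transform in the initiator's order wins
    (OR with preference).  The first acceptable proposal in set order is
    taken, so the initiator's preference is honoured end to end."""
    for index, proposal in enumerate(proposal_set):
        choice: Dict[str, Transform] = {}
        for ttype, transforms in proposal.items():
            accepted = responder.get(ttype, [])
            match = next((t for t in transforms if t in accepted), None)
            if match is None:
                break           # this type cannot be satisfied: reject proposal
            choice[ttype] = match
        else:
            return index, choice
    return None


# Constructed proposal set: proposal 0 is the draft's example.
PROPOSAL_SET: List[Proposal] = [
    {"ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
     "AH":  [("MD5",), ("SHA-1",)]},
    {"ESP": [("HMAC-SHA1", "3DES")]},     # fallback: ESP only, no AH
]

# Responder with no HMAC-MD5 ESP transform at all.
RESPONDER_NO_MD5 = {"ESP": [("HMAC-SHA1", "3DES")], "AH": [("SHA-1",)]}
# Responder accepting HMAC-MD5/DES for ESP but only SHA-1 for AH.
RESPONDER_MD5_DES = {"ESP": [("HMAC-MD5", "DES")], "AH": [("SHA-1",)]}
# Responder without AH: proposal 0 fails on the AND, proposal 1 succeeds.
RESPONDER_NO_AH = {"ESP": [("HMAC-MD5", "3DES"), ("HMAC-SHA1", "3DES")]}

if __name__ == "__main__":
    print(select(PROPOSAL_SET, RESPONDER_NO_MD5))
    print(select(PROPOSAL_SET, RESPONDER_MD5_DES))
    print(select(PROPOSAL_SET, RESPONDER_NO_AH))
    print(select(PROPOSAL_SET, {"AH": [("MD5",)]}))
```

   The `accepted` lists stand for the responder's own policy, not
   merely what it implements: a responder that wants to refuse a
   transform simply leaves it out, and the initiator's next preference
   is used.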

3.2 AH, ESP and COMP transform groups

   The AH, ESP and COMP transform groups describe sets of AH, ESP and
   COMP transforms respectively.

3.3 IKE association group

   This group specifies rules associated with IKE phase one
   negotiation.

   The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
   tables. Support of these tables is required only when a policy
   contains:

   - Multiple IKE phase one actions (e.g., with different exchange
   modes) that are associated with one IPsec association. These
   actions are to be tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.

   For the latter case, IKE rules may be distributed independently,
   and the IfName and Roles attributes in the ipSecIkeRuleTable
   indicate the interface type and role combinations to which this
   rule is to be applied.

   The ipSecIkeActionSetTable specifies sets of actions. Actions
   within a set form an ordered list.

   The ipSecIkeAssociationTable contains parameters associated with
   IKE associations, including the IKE identities to be used during
   IKE phase one negotiation. It points to a set of credentials
   specified in the ipSecCredentialTable. Any of the credentials in
   this set may be used during IKE phase one negotiation. In
   addition, each IKE association points to a set of IKE proposals to
   be associated with this association. If the Authentication Method
   for one or more of the IKE proposals is specified as PresharedKey
   in the ipSecIkeProposalTable, the ipSecIkeAssociationPresharedKey
   attribute contains the actual pre-shared key to be used for the
   proposal(s). This attribute is optional. If this attribute is not
   supported or contains a zero length octet string, the pre-shared
   key MUST be obtained through other methods. Because this attribute
   carries key material, the COPS-PR connection over which it is
   provisioned needs to be integrity and confidentiality protected.

   The ipSecIkeProposalSetTable specifies sets of proposals.
   Proposals within a set are ordered with a preference value. The
   ipSecIkeProposalTable contains parameters associated with IKE
   proposals.

   The ipSecIkePeerEndpointTable specifies IKE peer endpoint
   information that includes the acceptable peer identity and
   credentials for IKE phase one negotiation. It points to a set of
   credentials specified in the
   ipSecIkePeerEndpointCredentialSetTable. Any of the credentials in
   the set is acceptable as a peer credential. The AddressType and
   Address attributes are used only when IKE phase one negotiation
   starts automatically, i.e., when the value of the AutoStart
   attribute in the ipSecIkeRuleTable is true. In that case, these
   two attributes together indicate the IKE peer endpoint address.

3.4 Credential group

   This group specifies credentials to be used for IKE phase one
   negotiations.

   The ipSecCredentialSetTable specifies sets of credentials. The
   ipSecCredentialTable and the ipSecCredentialFieldsTable together
   specify credentials. Each credential may contain multiple sub-
   fields. For example, a certificate may contain a unique serial
   number sub-field and an issuer name sub-field, etc. The
   ipSecCredentialFieldsTable defines the sub-fields and the values
   they MUST be matched against. The ipSecCredentialTable points to a
   set of criteria defined in the ipSecCredentialFieldsTable. The
   criteria MUST all be satisfied in order for a credential to be
   considered acceptable. Certificates may also be revoked. The
   CrlDistributionPoint attribute in the ipSecCredentialTable
   indicates the Certificate Revocation List (CRL) distribution point
   where CRLs may be fetched.
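   The acceptance test described in this section, as an added example
   that is not code from the draft: every criterion of one
   ipSecCredentialTable entry must hold (AND over its
   ipSecCredentialFieldsTable rows), any acceptable credential in the
   set suffices (OR over the set), and a credential whose serial
   number appears on the CRL named by its CrlDistributionPoint is
   rejected. The sub-field names, the table rows, the CRL URL and its
   contents, and the presented certificates are all constructed for
   the example.

```python
"""Matching a presented certificate against an ipSecCredentialSet.
Added example, not code from the draft; all rows and names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CredentialField:
    # One ipSecCredentialFieldsTable row: a sub-field and the value it must equal.
    name: str
    value: str


@dataclass
class Credential:
    # One ipSecCredentialTable row: its criteria plus the CRL distribution point.
    cred_id: int
    fields: List[CredentialField]
    crl_distribution_point: Optional[str] = None


def credential_matches(cred: Credential, presented: Dict[str, str]) -> bool:
    # AND over all criteria; a sub-field missing from the certificate fails.
    return all(presented.get(f.name) == f.value for f in cred.fields)


def acceptable(credential_set: List[Credential], presented: Dict[str, str],
               revoked: Dict[str, List[str]]) -> Optional[int]:
    """Return the id of the first matching, non-revoked credential, or None.

    `revoked` maps a CRL distribution point to the serial numbers on that
    CRL; fetching the CRL itself is outside this example."""
    for cred in credential_set:
        if not credential_matches(cred, presented):
            continue
        serials = revoked.get(cred.crl_distribution_point or "", [])
        if presented.get("serialNumber") in serials:
            continue            # fields match but the certificate is revoked
        return cred.cred_id
    return None


# Constructed credential set: two issuers are trusted for this IKE peer.
CRL_URL = "http://crl.example.net/corp.crl"          # assumed distribution point
CREDENTIAL_SET = [
    Credential(1, [CredentialField("issuerName", "CN=Corp CA"),
                   CredentialField("subjectName", "CN=gw-a.example.net")], CRL_URL),
    Credential(2, [CredentialField("issuerName", "CN=Partner CA"),
                   CredentialField("serialNumber", "1A2B")]),
]
REVOKED = {CRL_URL: ["00FF"]}                        # constructed CRL contents

GOOD_CERT = {"issuerName": "CN=Corp CA", "subjectName": "CN=gw-a.example.net",
             "serialNumber": "0042"}
REVOKED_CERT = dict(GOOD_CERT, serialNumber="00FF")
WRONG_ISSUER = dict(GOOD_CERT, issuerName="CN=Other CA")
PARTNER_CERT = {"issuerName": "CN=Partner CA", "serialNumber": "1A2B",
                "subjectName": "CN=anything"}

if __name__ == "__main__":
    for cert in (GOOD_CERT, REVOKED_CERT, WRONG_ISSUER, PARTNER_CERT):
        print(acceptable(CREDENTIAL_SET, cert, REVOKED))
```

   The field comparison assumes the IKE implementation has already
   validated the certificate (signature, chain and validity period);
   the PIB criteria only decide which validated identities are
   acceptable for this peer, they are not a substitute for that
   validation.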

3.5 Selector group

   This group specifies the selectors for IPsec rules.

   The ipSecSelectorSetTable specifies sets of selectors. Selectors
   within a set form an ordered list. The SelectorId attribute points
   to a valid instance in another table that describes a selector. To
   achieve scalability in policy distribution for large networks, it
   SHOULD point to the ipSecSelectorTable.

   The ipSecAddressTable specifies individual IP addresses or ranges
   of IP addresses, and the ipSecL4PortTable specifies individual
   layer 4 ports or ranges of layer 4 ports. The ipSecSelectorTable
   has references to these two tables. Each row in the
   ipSecSelectorTable can represent multiple selectors. These
   selectors are constructed as follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
   fields. Then add to each combination the ipSecSelectorProtocol,
   ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
   the list of selectors.

   The following is an example of building the selectors (only the
   relevant fields are shown). Suppose that the ipSecAddressTable is
   populated with the following rows:

   AddrMin       AddrGroupId
   1.2.3.4           1
   1.2.3.18          1
   5.6.7.1           2
   5.6.7.8           2

   For every row in this example, the AddrMax is a zero length octet
   string, indicating that each row specifies a single IP address.

   The ipSecL4PortTable is populated with the following rows:

   PortMin    PortMax    PortGroupId
    112       150            1
     99        99            2

   The PortMax is equal to PortMin in the second row, indicating that
   only a single port is specified.

   The ipSecSelectorTable is populated with:

   SrcAddrGpId  DstAddrGpId  SrcPortGpId  DstPortGpId  Protocol
     1            2            1            1           UDP
     1            2            2            2           TCP

   The following selectors are constructed (the source and
   destination port groups are the same in each row, so a single port
   column is shown):

   SrcAddr    DstAddr    Protocol    Port
   1.2.3.4    5.6.7.1      UDP      112-150
   1.2.3.4    5.6.7.8      UDP      112-150
   1.2.3.18   5.6.7.1      UDP      112-150
   1.2.3.18   5.6.7.8      UDP      112-150
   1.2.3.4    5.6.7.1      TCP      99
   1.2.3.4    5.6.7.8      TCP      99
   1.2.3.18   5.6.7.1      TCP      99
   1.2.3.18   5.6.7.8      TCP      99

   Selectors constructed from a single row have the same order within
   a selector set. The order is indicated by the Order attribute of
   the ipSecSelectorSetTable. The relative order among selectors
   constructed from a single row is unspecified. This is not an issue
   as long as these selectors do not overlap.

   The use of references in the ipSecSelectorTable instead of the
   actual IP addresses and port numbers reduces the number of bytes
   being pushed down to the PEP. Grouping of IP addresses and layer 4
   ports serves the same purpose.
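   Steps 1 to 5 and the ordering rule, carried out in Python as an
   added example that is not code from the draft. The address, port
   and selector rows reproduce the draft's example above; the
   ipSecSelectorSetTable rows, the extra selector row 12 (a copy of
   row 10 with a DSCP value), the packets and the overlap check are
   constructed for the example. The overlap check goes one step beyond
   the text: it counts selector pairs that share an Order value and
   could match the same packet, which is exactly the case the draft
   leaves unspecified.

```python
"""Selector construction (steps 1-5), Order-based lookup and an overlap
check.  Added example, not code from the draft; sample rows reproduce the
draft's example, the rest is constructed."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    src_port: Tuple[int, int]
    dst_port: Tuple[int, int]
    protocol: str
    dscp: Optional[int] = None      # None = wildcard (an assumption here)
    flow_label: Optional[int] = None


# ipSecAddressTable rows: (AddrMin, AddrMax, AddrGroupId); "" AddrMax = single address
ADDRESSES = [("1.2.3.4", "", 1), ("1.2.3.18", "", 1),
             ("5.6.7.1", "", 2), ("5.6.7.8", "", 2)]
# ipSecL4PortTable rows: (PortMin, PortMax, PortGroupId)
PORTS = [(112, 150, 1), (99, 99, 2)]
# ipSecSelectorTable rows: (SrcAddrGpId, DstAddrGpId, SrcPortGpId, DstPortGpId, Protocol, Dscp)
SELECTOR_ROWS = {10: (1, 2, 1, 1, "UDP", None),
                 11: (1, 2, 2, 2, "TCP", None),
                 12: (1, 2, 1, 1, "UDP", 46)}    # constructed: overlaps row 10
# ipSecSelectorSetTable: set id -> [(SelectorId, Order)]
SELECTOR_SETS = {100: [(11, 2), (10, 1)],        # well-formed: distinct Order values
                 101: [(10, 1), (12, 1)]}        # rows 10 and 12 share an Order


def addresses(group: int) -> List[str]:
    # Only single-address rows (empty AddrMax) are expanded in this example.
    return [amin for amin, amax, gid in ADDRESSES if gid == group and amax == ""]


def ports(group: int) -> List[Tuple[int, int]]:
    return [(pmin, pmax) for pmin, pmax, gid in PORTS if gid == group]


def expand(row_id: int) -> List[Selector]:
    """Steps 1-4 substitute the four group ids; step 5 takes the cross
    product and attaches the protocol and DSCP (flow label left unset)."""
    s, d, sp, dp, proto, dscp = SELECTOR_ROWS[row_id]
    return [Selector(a, b, p, q, proto, dscp)
            for a, b, p, q in product(addresses(s), addresses(d), ports(sp), ports(dp))]


def ordered_selectors(set_id: int) -> List[Tuple[int, Selector]]:
    """All selectors of a set, lowest Order first; every selector built
    from one row carries that row's Order."""
    out: List[Tuple[int, Selector]] = []
    for row_id, order in sorted(SELECTOR_SETS[set_id], key=lambda e: e[1]):
        out += [(order, sel) for sel in expand(row_id)]
    return out


def matches(sel: Selector, pkt: dict) -> bool:
    return (sel.src == pkt["src"] and sel.dst == pkt["dst"]
            and sel.protocol == pkt["proto"]
            and sel.src_port[0] <= pkt["sport"] <= sel.src_port[1]
            and sel.dst_port[0] <= pkt["dport"] <= sel.dst_port[1]
            and (sel.dscp is None or sel.dscp == pkt.get("dscp")))


def lookup(set_id: int, pkt: dict) -> Optional[Tuple[int, Selector]]:
    """First match in Order: (Order, selector) or None."""
    return next(((o, s) for o, s in ordered_selectors(set_id) if matches(s, pkt)), None)


def overlaps(a: Selector, b: Selector) -> bool:
    return (a.src == b.src and a.dst == b.dst and a.protocol == b.protocol
            and a.src_port[0] <= b.src_port[1] and b.src_port[0] <= a.src_port[1]
            and a.dst_port[0] <= b.dst_port[1] and b.dst_port[0] <= a.dst_port[1]
            and (a.dscp is None or b.dscp is None or a.dscp == b.dscp))


def same_order_overlaps(set_id: int) -> int:
    """Count overlapping selector pairs that share an Order value; for those
    the match order is unspecified, so a PDP should not push such a set."""
    sels = ordered_selectors(set_id)
    return sum(1 for i, (oa, a) in enumerate(sels) for ob, b in sels[i + 1:]
               if oa == ob and overlaps(a, b))


if __name__ == "__main__":
    print(len(expand(10)) + len(expand(11)))      # the eight selectors above
    print(lookup(100, {"src": "1.2.3.18", "dst": "5.6.7.8", "proto": "TCP",
                       "sport": 99, "dport": 99}))
    print(same_order_overlaps(100), same_order_overlaps(101))
```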

   The ipSecIpsoFilterSetTable specifies sets of IPSO filters.
   Filters within a set form an ordered list. The
   ipSecIpsoFilterTable contains IPSO filters.

3.6 Policy time period group

   This group specifies time periods during which a policy rule is
   valid.

   The ipSecRuleTimePeriodTable specifies a single time period within
   a day. The ipSecRuleTimePeriodSetTable specifies multiple time
   periods.

   Implementation of this group is optional.

3.7 Interface capability group

   PEPs may have different capabilities. For example, some PEPs
   support nested Security Associations whereas others do not. This
   group allows a PEP to specify the capabilities associated with its
   different interface types.

   For ease of reference, a concise summary of the groups and tables
   is included in the next section.

4. Summary of the IPsec PIB

4.1 ipSecAssociation group
   This group specifies IPsec Security Associations.

4.1.1 ipSecRuleTable
   This table is the starting point for specifying an IPsec policy.
   It contains an ordered list of IPsec rules.

4.1.2 ipSecActionSetTable
   Specifies IPsec action sets.

4.1.3 ipSecStaticActionTable
   Specifies IPsec static actions.

4.1.4 ipSecNegotiationActionTable
   Specifies IPsec negotiation actions.

4.1.5 ipSecAssociationTable
   Specifies attributes associated with IPsec associations. It
   references ipSecProposalSetTable to specify associated proposals.


4.1.6 ipSecProposalSetTable
   Specifies IPsec proposal sets. Proposals within a set are ORed
   with preference order.


4.1.7 ipSecProposalTable
   Specifies IPsec proposals. A proposal references ESP, AH and IPComp
   transform sets. Within a proposal, different types of transforms
   are ANDed; within one type of transform, the choices are ORed with
   preference order.

4.2 ipSecAhTransform group
   This group specifies AH Transforms.

4.2.1 ipSecAhTransformSetTable
   Specifies AH transform sets. Within a transform set, the choices
   are ORed with preference order.

4.2.2 ipSecAhTransformTable
   Specifies AH transforms.

4.3 ipSecEspTransform group
   This group specifies ESP Transforms.

4.3.1 ipSecEspTransformSetTable
   Specifies ESP transform sets. Within a transform set, the choices
   are ORed with preference order.

4.3.2 ipSecEspTransformTable
   Specifies ESP transforms.


4.4 ipSecCompTransform group
   This group specifies Compression Transforms.

4.4.1 ipSecCompTransformSetTable
   Specifies IPComp transform sets. Within a transform set, the
   choices are ORed with preference order.

4.4.2 ipSecCompTransformTable
   Specifies IP compression (IPCOMP) algorithms.

4.5 ipSecIkeAssociation group
   This group specifies attributes related to IKE Security
   Associations.

4.5.1 ipSecIkeRuleTable
   Specifies IKE rules.

4.5.2 ipSecIkeActionSetTable
   Specifies IKE action sets.

4.5.3 ipSecIkeAssociationTable
   Specifies attributes related to IKE associations. It references
   ipSecIkeProposalSetTable to specify associated proposals.

4.5.4 ipSecIkeProposalSetTable
   Specifies IKE proposal sets. Proposals within a set are ORed with
   preference order.


4.5.5 ipSecIkeProposalTable
   Specifies attributes associated with IKE proposals.

4.5.6 ipSecIkePeerEndpointTable
   Specifies IKE peer endpoints.

4.6 ipSecCredential group
   This group specifies credentials for IKE phase one negotiations.

4.6.1 ipSecCredentialSetTable
   Specifies credential sets.

4.6.2 ipSecCredentialTable
   Specifies credentials.

4.6.3 ipSecCredentialFieldsTable
   Specifies the sets of credential sub-fields and their values to be
   matched against peer credentials obtained during IKE phase one
   negotiation. All criteria within a set are ANDed.

4.7 ipSecSelector group
   This group specifies selectors for IPsec associations.

4.7.1 ipSecSelectorSetTable
   Specifies IPsec selector sets.

4.7.2 ipSecSelectorTable
   Specifies IPsec selectors.


4.7.3 ipSecAddressTable
   Specifies IP addresses.

4.7.4 ipSecL4PortTable
   Specifies layer four port numbers.

4.7.5 ipSecIpsoFilterSetTable
   Specifies IPSO filter sets.

4.7.6 ipSecIpsoFilterTable
   Specifies IPSO filters.

4.8 ipSecPolicyTimePeriod group
   This group specifies the time periods during which a policy rule
   is valid.

4.8.1 ipSecRuleTimePeriodTable
   Specifies the time periods during which a policy rule is valid.
   The values of the first five attributes in a row are ANDed
   together to determine the validity period(s). If any of the five
   attributes is not present, it is treated as always enabled.

4.8.2 ipSecRuleTimePeriodSetTable
   Specifies time period sets. The ipSecRuleTimePeriodTable can
   specify only a single time period within a day; this table enables
   the specification of multiple time periods within a day by
   grouping them into one set.

4.9 ipSecIfCapability group
   This group specifies capabilities associated with interface types.

4.9.1 ipSecIfCapsTable
   Specifies capabilities that may be associated with an interface of
   a specific type. The instances of this table are referenced by the
   frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-
   PIB].

4.10 ipSecPolicyPibConformance group
   This group specifies requirements for conformance to the IPsec
   Policy PIB.

5. The IPsec PIB Module

   IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

   IMPORTS
   Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
   TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP, pib
        FROM COPS-PR-SPPI
   InstanceId, ReferenceId, TagId, TagReferenceId, Prid
        FROM COPS-PR-SPPI-TC
   TruthValue
        FROM SNMPv2-TC
   SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
   RoleCombination
        FROM FRAMEWORK-TC-PIB;

   ipSecPolicyPib MODULE-IDENTITY
   SUBJECT-CATEGORIES { tbd } -- IPsec Client Type --
   LAST-UPDATED "200202241800Z"
   ORGANIZATION "IETF ipsp WG"
   CONTACT-INFO "
                Man Li
                Nokia
                5 Wayside Road,
                Burlington, MA 01803
                Phone: +1 781 993 3923
                Email: man.m.li@nokia.com

                Avri Doria
                Div. of Computer Communications
                Lulea University of Technology
                SE-971 87
                Lulea, Sweden
                Phone: +46 920 49 3030
                Email: avri@sm.luth.se

                Jamie Jason
                Intel Corporation
                MS JF3-206
                2111 NE 25th Ave.
                Hillsboro, OR 97124
                Phone: +1 503 264 9531
                Fax: +1 503 264 9428
                Email: jamie.jason@intel.com

                Cliff Wang
                SmartPipes Inc.
                Suite 300, 565 Metro Place South
                Dublin, OH 43017
                Phone: +1 614 923 6241
                Email: CWang@smartpipes.com

                Markus Stenberg
                SSH Communications Security Corp.
                Fredrikinkatu 42
                FIN-00100 Helsinki, Finland
                Phone: +358 20 500 7466
                Email: markus.stenberg@ssh.com"
   DESCRIPTION
   "This PIB module contains a set of policy rule classes that
   describe IPsec policies."
   ::= { pib yyy }

   -- yyy to be assigned by IANA --

   Unsigned16 ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "An unsigned 16 bit integer."
     SYNTAX    Unsigned32 (0..65535)

   ipSecAssociation OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies IPsec Security Associations."
     ::= { ipSecPolicyPib 1 }

   ipSecAhTransform OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies AH Transforms."
     ::= { ipSecPolicyPib 2 }

   ipSecEspTransform OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies ESP Transforms."
     ::= { ipSecPolicyPib 3 }

   ipSecCompTransform OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies IPComp Transforms."
     ::= { ipSecPolicyPib 4 }

   ipSecIkeAssociation OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies attributes related to IKE Security
   Associations."
     ::= { ipSecPolicyPib 5 }

   ipSecCredential OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies credentials for IKE phase one negotiations."
     ::= { ipSecPolicyPib 6 }

   ipSecSelector OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies selectors for IPsec associations."
     ::= { ipSecPolicyPib 7 }

   ipSecPolicyTimePeriod OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies the time periods during which a policy rule
   is valid."
     ::= { ipSecPolicyPib 8 }

   ipSecIfCapability OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies capabilities associated with interface
   types."
     ::= { ipSecPolicyPib 9 }

   ipSecPolicyPibConformance OBJECT-IDENTITY
     STATUS current
     DESCRIPTION
   "This group specifies requirements for conformance to the IPsec
   Policy PIB."
     ::= { ipSecPolicyPib 10 }

   --
   --
   -- The ipSecRuleTable
   --

   ipSecRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "This table is the starting point for specifying an IPsec policy.
   It contains an ordered list of IPsec rules."
     ::= { ipSecAssociation  1 }

   ipSecRuleEntry OBJECT-TYPE
     SYNTAX IpSecRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecRulePrid }
     UNIQUENESS {
       ipSecRuleIfName,
       ipSecRuleRoles,
       ipSecRuleOrder
       }
     ::= { ipSecRuleTable 1 }

     IpSecRuleEntry ::= SEQUENCE {
        ipSecRulePrid InstanceId,
        ipSecRuleIfName SnmpAdminString,
        ipSecRuleRoles RoleCombination,
        ipSecRuleDirection INTEGER,
        ipSecRuleIpSecSelectorSetId TagReferenceId,
        ipSecRuleipSecIpsoFilterSetId TagReferenceId,
        ipSecRuleIpSecActionSetId TagReferenceId,
        ipSecRuleActionExecutionStrategy INTEGER,
        ipSecRuleOrder Unsigned16,
        ipSecRuleLimitNegotiation INTEGER,
        ipSecRuleAutoStart TruthValue,
        ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
   }

   ipSecRulePrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecRuleEntry  1 }

   ipSecRuleIfName OBJECT-TYPE
     SYNTAX SnmpAdminString
     STATUS current
     DESCRIPTION
   "The interface capability set to which this IPsec rule applies.
   The interface capability name specified by this attribute MUST
   exist in the frwkIfCapSetTable [FR-PIB] prior to association with
   an instance of this class."
     ::= { ipSecRuleEntry  2 }

   ipSecRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combination of the interface to which this
   IPsec rule should apply. There must exist an instance in the
   frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
   combination, together with the interface capability set specified
   by ipSecRuleIfName, prior to association with an instance of this
   class."
     ::= { ipSecRuleEntry  3 }

   ipSecRuleDirection OBJECT-TYPE
     SYNTAX INTEGER {
       in(1),
       out(2),
       bi-directional(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the direction of traffic to which this rule should
   apply."
     ::= { ipSecRuleEntry  4 }

   ipSecRuleIpSecSelectorSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecSelectorSetSelectorSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of selectors to be associated with this IPsec
   rule."
     ::= { ipSecRuleEntry  5 }

   ipSecRuleipSecIpsoFilterSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecIpsoFilterSetFilterSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IPSO filters to be associated with this IPsec
   rule. A value of zero indicates that there are no IPSO filters
   associated with this rule.

   When the value of this attribute is not zero, the set of IPSO
   filters is ANDed with the set of selectors specified by
   ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
   selector in the selector set and a filter in the IPSO filter set
   before the actions associated with this rule can be applied."
     ::= { ipSecRuleEntry  6 }

   ipSecRuleIpSecActionSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecActionSetActionSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IPsec actions to be associated with this
   rule."
     ::= { ipSecRuleEntry  7 }

   ipSecRuleActionExecutionStrategy OBJECT-TYPE
     SYNTAX INTEGER {
       doAll(1),
       doUntilSuccess(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the strategy to be used in executing the sequenced
   actions in the action set identified by ipSecRuleIpSecActionSetId.

   DoAll (1) causes the execution of all the actions in the action
   set according to their defined precedence order. The precedence
   order is specified by the ipSecActionSetOrder in the
   ipSecActionSetTable.

   DoUntilSuccess (2) causes the execution of actions according to
   their defined precedence order until a successful execution of a
   single action. The precedence order is specified by the
   ipSecActionSetOrder in the ipSecActionSetTable."
     ::= { ipSecRuleEntry  8 }

   ipSecRuleOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the precedence order of the rule within all the rules
   associated with {IfName, Roles}. A smaller value indicates a
   higher precedence order."
     ::= { ipSecRuleEntry  9 }

   ipSecRuleLimitNegotiation OBJECT-TYPE
     SYNTAX INTEGER {
       initiator(1),
       responder(2),
       both(3)
       }
     STATUS current
     DESCRIPTION
   "Limits the negotiation method. Before proceeding with a phase 2
   negotiation, the LimitNegotiation property of the IPsec rule is
   first checked to determine if the negotiation part indicated for
   the rule matches that of the current negotiation (Initiator,
   Responder, or Both).

   This attribute is ignored when an attempt is made to refresh an
   expiring SA (either side can initiate a refresh operation).  The
   system can determine that the negotiation is a refresh operation
   by checking to see if the selector information matches that of an
   existing SA. If LimitNegotiation does not match and the selector
   corresponds to a new SA, the negotiation is stopped."
     ::= { ipSecRuleEntry  10 }

   ipSecRuleAutoStart OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Indicates if this rule should be automatically executed."
     ::= { ipSecRuleEntry  11 }

   ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
     STATUS current
     DESCRIPTION
   "Identifies an IPsec rule time period set, specified in
   ipSecRuleTimePeriodSetTable, that is associated with this rule.

   A value of zero indicates that this IPsec rule is always valid."
     ::= { ipSecRuleEntry  12 }

   --
   --
   -- The ipSecActionSetTable
   --

   ipSecActionSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecActionSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec action sets."
     ::= { ipSecAssociation  2 }

   ipSecActionSetEntry OBJECT-TYPE
     SYNTAX IpSecActionSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecActionSetPrid }
     UNIQUENESS {
       ipSecActionSetActionSetId,
       ipSecActionSetActionId,
       ipSecActionSetDoActionLogging,
       ipSecActionSetDoPacketLogging,
       ipSecActionSetOrder
       }
     ::= { ipSecActionSetTable 1 }

     IpSecActionSetEntry ::= SEQUENCE {
        ipSecActionSetPrid InstanceId,
        ipSecActionSetActionSetId TagId,
        ipSecActionSetActionId Prid,
        ipSecActionSetDoActionLogging TruthValue,
        ipSecActionSetDoPacketLogging TruthValue,
        ipSecActionSetOrder Unsigned16
   }

   ipSecActionSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecActionSetEntry  1 }

   ipSecActionSetActionSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPsec action set is composed of one or more IPsec actions.
   Each action belonging to the same set has the same ActionSetId."
     ::= { ipSecActionSetEntry  2 }

   ipSecActionSetActionId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table that describes an
   action to be taken.

   For IPsec static actions, it MUST point to an instance in the
   ipSecStaticActionTable.

   For IPsec negotiation actions, it MUST point to an instance in the
   ipSecNegotiationActionTable. For other actions, it may point to an
   instance in a table specified by other PIB modules."
     ::= { ipSecActionSetEntry  3 }

   ipSecActionSetDoActionLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether a log message is to be generated when the
   action is performed.  This applies for ipSecNegotiationActions
   with the meaning of logging a message when the negotiation is
   attempted (with the success or failure result). This also applies
   for ipSecStaticAction only for PreconfiguredTransport action or
   PreconfiguredTunnel action with the meaning of logging a message
   when the preconfigured SA is actually installed in the SADB."
     ::= { ipSecActionSetEntry  4 }

   ipSecActionSetDoPacketLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether to log when the resulting security association
   is used to process a packet. For ipSecStaticActions, a log message
   is to be generated when the IPsecBypass, IpsecDiscard or IKEReject
   actions are executed."
     ::= { ipSecActionSetEntry  5 }

   ipSecActionSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the precedence order of the action within a given action
   set. An action with a smaller precedence order is to be applied
   before one with a larger precedence order."
     ::= { ipSecActionSetEntry  6 }

   ipSecSelectorStartupCondition

   --
   --
   -- The ipSecStaticActionTable
   --

   ipSecStaticActionTable OBJECT-TYPE
     SYNTAX BITS SEQUENCE OF IpSecStaticActionEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec static actions."
     ::= {
       onBoot(1),
       onTraffic(2),
       onPolicy(3) ipSecAssociation  3 }

   ipSecStaticActionEntry OBJECT-TYPE
     SYNTAX IpSecStaticActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecStaticActionPrid }
     UNIQUENESS {
       ipSecStaticActionAction,
       ipSecStaticActionTunnelEndpointId,
       ipSecStaticActionDfHandling,
       ipSecStaticActionSpi,
       ipSecStaticActionLifetimeSeconds,
       ipSecStaticActionLifetimeKilobytes,
       ipSecStaticActionSaTransformId
       }
     ::= { ipSecStaticActionTable 1 }

     IpSecStaticActionEntry ::= SEQUENCE {
        ipSecStaticActionPrid InstanceId,
        ipSecStaticActionAction INTEGER,
        ipSecStaticActionTunnelEndpointId ReferenceId,
        ipSecStaticActionDfHandling INTEGER,
        ipSecStaticActionSpi Unsigned32,
        ipSecStaticActionLifetimeSeconds Unsigned32,
        ipSecStaticActionLifetimeKilobytes Unsigned32,
        ipSecStaticActionSaTransformId Prid
   }

   ipSecStaticActionPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecStaticActionEntry  1 }

   ipSecStaticActionAction OBJECT-TYPE
     SYNTAX INTEGER {
       byPass(1),
       discard(2),
       ikeRejection(3),
       preConfiguredTransport(4),
       preConfiguredTunnel(5)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPsec action to be applied to the traffic. byPass
   (1) means that packets are to be allowed to pass in the clear.
   discard (2) means that packets are to be discarded. ikeRejection
   (3) means that an IKE negotiation should not even be attempted or
   continued. preConfiguredTransport (4) means that an IPsec
   transport SA is pre-configured. preConfiguredTunnel (5) means
   that an IPsec tunnel SA is pre-configured."
     ::= { ipSecStaticActionEntry  2 }

   ipSecStaticActionTunnelEndpointId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAddressEntry }
     STATUS current
     DESCRIPTION
   "When ipSecStaticActionAction is preConfiguredTunnel (5), this
   attribute indicates the peer gateway IP address. This address MUST
   be a single endpoint address.

   When ipSecStaticActionAction is not preConfiguredTunnel, this
   attribute MUST be zero."
     ::= { ipSecStaticActionEntry  3 }

   ipSecStaticActionDfHandling OBJECT-TYPE
     SYNTAX INTEGER {
       copy(1),
       set(2),
       clear(3)
       }
     STATUS current
     DESCRIPTION
   "When ipSecStaticActionAction is preConfiguredTunnel, this
   attribute specifies how the DF bit is managed.

   Copy (1) indicates to copy the DF bit from the internal IP header
   to the external IP header. Set (2) indicates to set the DF bit of
   the external IP header to 1. Clear (3) indicates to clear the DF
   bit of the external IP header to 0.

   When ipSecStaticActionAction is not preConfiguredTunnel, this
   attribute MUST be ignored."
     ::= { ipSecStaticActionEntry  4 }
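   The three DfHandling values above decide one bit of the outer IPv4
   header that a tunnel-mode PEP builds around the protected packet. The
   following is an added example, not code from the draft: it reads the DF
   flag of a raw inner IPv4 header (RFC 791 layout) and derives the
   flags/fragment-offset word of a fresh outer header for copy(1), set(2)
   and clear(3). The header builder, the zeroed checksum and the sample
   inner headers are this example's own constructions.

```python
# Added example, not part of the draft: applying ipSecStaticActionDfHandling
# (copy(1), set(2), clear(3)) when building the outer IPv4 header of a
# tunnel-mode packet. Header layout follows RFC 791; the sample inner headers
# below are constructed for the example.
import struct

DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3
IPV4_DF = 0x4000          # Don't Fragment flag in the flags/fragment-offset word
FLAGS_OFFSET = 6          # byte offset of that 16-bit word in an IPv4 header


def inner_df_set(inner_header: bytes) -> bool:
    """Read the DF flag from a raw IPv4 header (the inner, to-be-encapsulated one)."""
    if len(inner_header) < 20 or inner_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", inner_header, FLAGS_OFFSET)
    return bool(flags_frag & IPV4_DF)


def outer_flags_word(inner_header: bytes, df_handling: int) -> int:
    """Flags/fragment-offset word for the new outer header.

    The outer header starts out unfragmented (MF clear, offset 0); only the
    DF bit is decided by the policy attribute.
    """
    if df_handling == DF_COPY:
        return IPV4_DF if inner_df_set(inner_header) else 0
    if df_handling == DF_SET:
        return IPV4_DF
    if df_handling == DF_CLEAR:
        return 0
    raise ValueError(f"unknown DfHandling value {df_handling}")


def make_ipv4_header(src: bytes, dst: bytes, proto: int,
                     payload_len: int, flags_word: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, identification 0, checksum left zero
    for the example; a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                       flags_word, 64, proto, 0, src, dst)


def encapsulate_header(inner_header: bytes, gw_src: bytes, gw_dst: bytes,
                       df_handling: int) -> bytes:
    """Outer header for ESP (IP protocol 50) tunnelling of a packet whose
    inner header is given; the whole inner packet becomes the payload."""
    (inner_total_len,) = struct.unpack_from("!H", inner_header, 2)
    return make_ipv4_header(gw_src, gw_dst, 50, inner_total_len,
                            outer_flags_word(inner_header, df_handling))


# Constructed sample inner headers: 10.0.0.1 -> 10.0.0.2, TCP, 100 bytes total.
INNER_WITH_DF = make_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 6, 80, IPV4_DF)
INNER_NO_DF = make_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 6, 80, 0)
```

   With copy(1) the outer header inherits the inner DF setting, so a host
   that set DF keeps path-MTU discovery working end to end; set(2) and
   clear(3) override it regardless of what the inner header carried.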

   ipSecStaticActionSpi OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the SPI to be used with the SA Transform identified by
   ipSecStaticActionSaTransformId.

   When ipSecStaticActionAction is neither preConfiguredTransport (4)
   nor preConfiguredTunnel (5), this attribute MUST be ignored."
     ::= { ipSecStaticActionEntry  5 }

   ipSecStaticActionLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the amount of time (in seconds) that a security
   association derived from this action should be used. When
   ipSecStaticActionAction is neither preConfiguredTransport (4)
   nor preConfiguredTunnel (5), this attribute MUST be ignored.

   A value of zero indicates that there is no lifetime associated
   with this action (i.e., infinite lifetime).

   The actual lifetime of the preconfigured SA will be the smaller
   of the value of this LifetimeSeconds property and the value of
   the MaxLifetimeSeconds property of the associated SA Transform,
   except that if the value of this LifetimeSeconds property is
   zero, no lifetime is associated with this SA."
     ::= { ipSecStaticActionEntry  6 }

   ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the SA lifetime in kilobytes. When
   ipSecStaticActionAction is neither preConfiguredTransport (4)
   nor preConfiguredTunnel (5), this attribute MUST be ignored.

   A value of zero indicates that there is no lifetime associated
   with this action (i.e., infinite lifetime).

   The actual lifetime of the preconfigured SA will be the smaller
   of the value of this LifetimeKilobytes property and the value of
   the MaxLifetimeKilobytes property of the associated SA transform,
   except that if the value of this LifetimeKilobytes property is
   zero, no lifetime is associated with this action."
     ::= { ipSecStaticActionEntry  7 }
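   The two lifetime attributes above share one rule: the limit actually
   installed is the smaller of the action's value and the transform's
   maximum, a zero on the action means no limit at all, and for actions
   other than the two pre-configured ones the attribute is ignored. The
   following is an added example, not code from the draft, that applies
   that rule to both the seconds and the kilobyte limits. The transform
   maxima are passed in as plain integers, and treating a transform
   maximum of zero as "no maximum" is this example's assumption, since
   the draft does not address that case.

```python
# Added example, not part of the draft: computing the lifetime actually
# enforced on a pre-configured SA from ipSecStaticActionLifetimeSeconds /
# ipSecStaticActionLifetimeKilobytes and the associated SA transform's
# MaxLifetimeSeconds / MaxLifetimeKilobytes. The transform limits are passed
# in as plain integers here; their table is outside this example.
from dataclasses import dataclass
from typing import Optional, Tuple

# ipSecStaticActionAction enumeration from the PIB
BYPASS, DISCARD, IKE_REJECTION = 1, 2, 3
PRECONFIGURED_TRANSPORT, PRECONFIGURED_TUNNEL = 4, 5
PRECONFIGURED_ACTIONS = {PRECONFIGURED_TRANSPORT, PRECONFIGURED_TUNNEL}


@dataclass(frozen=True)
class StaticAction:
    action: int
    lifetime_seconds: int      # 0 = no lifetime (infinite)
    lifetime_kilobytes: int    # 0 = no lifetime (infinite)


@dataclass(frozen=True)
class SaTransform:
    max_lifetime_seconds: int    # 0 read here as 'no maximum' (assumption)
    max_lifetime_kilobytes: int  # 0 read here as 'no maximum' (assumption)


def effective_lifetime(action: int, action_limit: int, transform_max: int) -> Optional[int]:
    """Lifetime to enforce, or None when no lifetime applies.

    Rules taken from the attribute descriptions:
      * for actions other than the two pre-configured ones the lifetime
        attribute MUST be ignored, so no limit is derived from it;
      * a zero action value means no lifetime, and that wins over the
        transform maximum;
      * otherwise the smaller of the action value and the transform
        maximum is used.  A transform maximum of zero is read as
        'no maximum' (the draft does not spell this case out).
    """
    if action not in PRECONFIGURED_ACTIONS:
        return None
    if action_limit == 0:
        return None
    if transform_max == 0:
        return action_limit
    return min(action_limit, transform_max)


def sa_lifetimes(act: StaticAction, xf: SaTransform) -> Tuple[Optional[int], Optional[int]]:
    """(seconds, kilobytes) limits the PEP should install for the SA."""
    return (
        effective_lifetime(act.action, act.lifetime_seconds, xf.max_lifetime_seconds),
        effective_lifetime(act.action, act.lifetime_kilobytes, xf.max_lifetime_kilobytes),
    )
```

   Note the asymmetry the rule creates: a transform can shorten an
   action's lifetime but cannot impose one on an action that set zero, so
   a PDP that wants every pre-configured SA to expire has to put a
   non-zero value on the action itself.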

   ipSecStaticActionSaTransformId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table that describes an
   SA transform, e.g., ipSecEspTransformTable, ipSecAhTransformTable."
     ::= { ipSecStaticActionEntry  8 }

   --
   --
   -- The ipSecNegotiationActionTable
   --

   ipSecNegotiationActionTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecNegotiationActionEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec negotiation actions."
     ::= { ipSecAssociation  4 }

   ipSecNegotiationActionEntry OBJECT-TYPE
     SYNTAX IpSecNegotiationActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecNegotiationActionPrid }
     UNIQUENESS {
       ipSecNegotiationActionAction,
       ipSecNegotiationActionTunnelEndpointId,
       ipSecNegotiationActionDfHandling,
       ipSecNegotiationActionIpSecSecurityAssociationId,
       ipSecNegotiationActionKeyExchangeId
       }
     ::= { ipSecNegotiationActionTable 1 }

     IpSecNegotiationActionEntry ::= SEQUENCE {
        ipSecNegotiationActionPrid InstanceId,
        ipSecNegotiationActionAction INTEGER,
        ipSecNegotiationActionTunnelEndpointId ReferenceId,
        ipSecNegotiationActionDfHandling INTEGER,
        ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId,
        ipSecNegotiationActionKeyExchangeId Prid
   }

   ipSecNegotiationActionPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecNegotiationActionEntry  1 }

   ipSecNegotiationActionAction OBJECT-TYPE
     SYNTAX INTEGER {
       transport(1),
       tunnel(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPsec action to be applied to the traffic.
   transport(1) means that the packet should be protected with a
   security association in transport mode. tunnel(2) means that the
   packet should be protected with a security association in tunnel
   mode. If tunnel (2) is specified,
   ipSecNegotiationActionTunnelEndpointId MUST also be specified."
     ::= { ipSecNegotiationActionEntry  2 }

   ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAddressEntry }
     STATUS current
     DESCRIPTION
   "When ipSecNegotiationActionAction is tunnel (2), this attribute
   indicates the peer gateway IP address. This address MUST be a
   single endpoint address.

   When ipSecNegotiationActionAction is not tunnel, this attribute
   MUST be zero."
     ::= { ipSecNegotiationActionEntry  3 }

   ipSecNegotiationActionDfHandling OBJECT-TYPE
     SYNTAX INTEGER {
       copy(1),
       set(2),
       clear(3)
       }
     STATUS current
     DESCRIPTION
   "When ipSecNegotiationActionAction is tunnel, this attribute
   specifies how the DF bit is managed.

   Copy (1) indicates to copy the DF bit from the internal IP header
   to the external IP header. Set (2) indicates to set the DF bit of
   the external IP header to 1. Clear (3) indicates to clear the DF
   bit of the external IP header to 0.

   When ipSecNegotiationActionAction is not tunnel, this attribute
   MUST be ignored."
     ::= { ipSecNegotiationActionEntry  4 }

   ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAssociationEntry }
     STATUS current
     DESCRIPTION
   "Pointer to a valid instance in the ipSecAssociationTable."
     ::= { ipSecNegotiationActionEntry  5 }

   ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table that describes key
   exchange associations. If a single IKE phase one negotiation is
   used for the key exchange, this attribute MUST point to an
   instance in the ipSecIkeAssociationTable. If multiple IKE phase
   one negotiations (e.g., with different modes) are to be tried
   until success, this attribute SHOULD point to ipSecIkeRuleTable.

   For other key exchange methods, this attribute may point to an
   instance of a PRC defined in some other PIB.

   A value of zero means that there is no key exchange procedure
   associated."
     ::= { ipSecNegotiationActionEntry  6 }

   --
   --
   -- The ipSecAssociationTable
   --

   ipSecAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAssociationEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes associated with IPsec associations."
     ::= { ipSecAssociation  5 }

   ipSecAssociationEntry OBJECT-TYPE
     SYNTAX IpSecAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAssociationPrid }
     UNIQUENESS {
       ipSecAssociationMinLifetimeSeconds,
       ipSecAssociationMinLifetimeKilobytes,
       ipSecAssociationIdleDurationSeconds,
       ipSecAssociationUsePfs,
       ipSecAssociationVendorId,
       ipSecAssociationUseKeyExchangeGroup,
       ipSecAssociationDhGroup,
       ipSecAssociationGranularity,
       ipSecAssociationProposalSetId
       }
     ::= { ipSecAssociationTable 1 }

     IpSecAssociationEntry ::= SEQUENCE {
        ipSecAssociationPrid InstanceId,
        ipSecAssociationMinLifetimeSeconds Unsigned32,
        ipSecAssociationMinLifetimeKilobytes Unsigned32,
        ipSecAssociationIdleDurationSeconds Unsigned32,
        ipSecAssociationUsePfs TruthValue,
        ipSecAssociationVendorId OCTET STRING,
        ipSecAssociationUseKeyExchangeGroup TruthValue,
        ipSecAssociationDhGroup Unsigned16,
        ipSecAssociationGranularity INTEGER,
        ipSecAssociationProposalSetId TagReferenceId
   }

   ipSecAssociationPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecAssociationEntry  1 }

   ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.
   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecAssociationEntry  2 }

   ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.
   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecAssociationEntry  3 }

   ipSecAssociationIdleDurationSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies how long, in seconds, a security association may remain
   unused before it is deleted.

   A value of zero indicates that idle detection should not be used
   for the security association (only the seconds and kilobyte
   lifetimes will be used)."
     ::= { ipSecAssociationEntry  4 }

   ipSecAssociationUsePfs OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether or not to use PFS when refreshing keys."
     ::= { ipSecAssociationEntry  5 }

   ipSecAssociationVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the IKE Vendor ID. This attribute is used together with
   the property ipSecAssociationDhGroup (when it is in the vendor-
   specific range) to identify the key exchange group. This
   attribute is ignored unless ipSecAssociationUsePfs is true,
   ipSecAssociationUseKeyExchangeGroup is false and
   ipSecAssociationDhGroup is in the vendor-specific range (32768-
   65535)."
     ::= { ipSecAssociationEntry  6 }

   ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether or not to use the same DH group number for
   phase 2 as was used in phase 1. If ipSecAssociationUsePfs is
   false, then this attribute is ignored.

   A value of true indicates that the phase 2 GroupId should be the
   same as that of phase 1. A value of false indicates that the group
   number specified by the ipSecAssociationDhGroup attribute is used
   for phase 2."
     ::= { ipSecAssociationEntry  7 }

   ipSecAssociationDhGroup OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the Diffie-Hellman key exchange group to use for phase
   2 when the property ipSecAssociationUsePfs is true and the
   property ipSecAssociationUseKeyExchangeGroup is false."
     ::= { ipSecAssociationEntry  8 }
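   The four attributes ipSecAssociationUsePfs,
   ipSecAssociationUseKeyExchangeGroup, ipSecAssociationDhGroup and
   ipSecAssociationVendorId form one decision: which Diffie-Hellman group,
   if any, the phase 2 exchange uses. The following is an added example,
   not code from the draft, that encodes that decision exactly as the
   descriptions above state it. The record type, the caller-supplied
   phase 1 group number and the refusal of a vendor-range group that
   comes without a Vendor ID are this example's own.

```python
# Added example, not part of the draft: resolving the Diffie-Hellman group for
# the phase 2 (IPsec SA) exchange from ipSecAssociationUsePfs,
# ipSecAssociationUseKeyExchangeGroup, ipSecAssociationDhGroup and
# ipSecAssociationVendorId. The phase 1 group number is supplied by the caller.
from dataclasses import dataclass
from typing import Optional, Tuple

VENDOR_GROUP_MIN, VENDOR_GROUP_MAX = 32768, 65535   # vendor-specific range


@dataclass(frozen=True)
class AssociationPolicy:
    use_pfs: bool                 # ipSecAssociationUsePfs
    use_key_exchange_group: bool  # ipSecAssociationUseKeyExchangeGroup
    dh_group: int                 # ipSecAssociationDhGroup (Unsigned16)
    vendor_id: bytes = b""        # ipSecAssociationVendorId (OCTET STRING)


def phase2_dh_group(policy: AssociationPolicy, phase1_group: int) -> Optional[Tuple[int, bytes]]:
    """Return (group number, vendor id) for the phase 2 DH exchange.

    None means PFS is off: no fresh exchange happens and the remaining
    attributes are ignored, as their descriptions state. The vendor id is
    empty unless the group comes from the vendor-specific range.
    """
    if not policy.use_pfs:
        return None
    if policy.use_key_exchange_group:
        # same group as phase 1; DhGroup and VendorId are not consulted
        return phase1_group, b""
    if not 0 <= policy.dh_group <= 0xFFFF:
        raise ValueError("ipSecAssociationDhGroup must fit Unsigned16")
    if VENDOR_GROUP_MIN <= policy.dh_group <= VENDOR_GROUP_MAX:
        # a vendor-range number only identifies a group together with a
        # Vendor ID; refusing the incomplete policy is this example's check
        if not policy.vendor_id:
            raise ValueError("vendor-specific DH group without ipSecAssociationVendorId")
        return policy.dh_group, policy.vendor_id
    return policy.dh_group, b""
```

   A PDP validating a policy before install can call this with the
   intended phase 1 group and reject associations whose phase 2 group
   would be undefined, rather than leaving the PEP to discover it during
   negotiation.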

   ipSecAssociationGranularity OBJECT-TYPE
     SYNTAX INTEGER {
       subnet(1),
       address(2),
       protocol(3),
       port(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies how the proposed selector for the security association
   will be created.

   A value of 1 (subnet) indicates that the source and destination
   subnet masks of the filter entry are used.

   A value of 2 (address) indicates that only the source and
   destination IP addresses of the triggering packet are used.

   A value of 3 (protocol) indicates that the source and destination
   IP addresses and the IP protocol of the triggering packet are
   used.

   A value of 4 (port) indicates that the source and destination IP
   addresses and the IP protocol and the source and destination layer
   4 ports of the triggering packet are used."
     ::= { ipSecAssociationEntry  9 }
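   The granularity value decides how wide the negotiated SA's selector is,
   and therefore how much later traffic one SA carries. The following is
   an added example, not code from the draft, that builds the proposed
   selector from a triggering packet and its filter entry for each of the
   four values, then checks which other packets that selector would cover.
   The packet, filter and selector records are constructed for the
   example (IPv4 only), and their field names are this example's, not the
   PIB's.

```python
# Added example, not part of the draft: deriving the proposed SA selector from
# the triggering packet and the matching filter entry according to
# ipSecAssociationGranularity (subnet(1), address(2), protocol(3), port(4)).
# Packet and filter records are constructed here and IPv4-only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SUBNET, ADDRESS, PROTOCOL, PORT = 1, 2, 3, 4   # ipSecAssociationGranularity values


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class FilterEntry:
    src_subnet: str   # CIDR, e.g. "10.1.0.0/16"
    dst_subnet: str


@dataclass(frozen=True)
class Selector:
    src: str                     # CIDR network
    dst: str
    proto: Optional[int] = None  # None = any
    sport: Optional[int] = None
    dport: Optional[int] = None


def proposed_selector(granularity: int, pkt: Packet, filt: FilterEntry) -> Selector:
    """Build the selector the PEP proposes for the new SA."""
    src_net, dst_net = ip_network(filt.src_subnet), ip_network(filt.dst_subnet)
    # sanity check: the packet that triggered negotiation must match the filter
    if ip_address(pkt.src) not in src_net or ip_address(pkt.dst) not in dst_net:
        raise ValueError("triggering packet does not match the filter entry")
    if granularity == SUBNET:
        return Selector(str(src_net), str(dst_net))
    host_src, host_dst = f"{pkt.src}/32", f"{pkt.dst}/32"
    if granularity == ADDRESS:
        return Selector(host_src, host_dst)
    if granularity == PROTOCOL:
        return Selector(host_src, host_dst, pkt.proto)
    if granularity == PORT:
        return Selector(host_src, host_dst, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError(f"unknown granularity {granularity}")


def selector_covers(sel: Selector, pkt: Packet) -> bool:
    """Would traffic of this packet be carried by an SA with this selector?"""
    return (ip_address(pkt.src) in ip_network(sel.src)
            and ip_address(pkt.dst) in ip_network(sel.dst)
            and sel.proto in (None, pkt.proto)
            and sel.sport in (None, pkt.sport)
            and sel.dport in (None, pkt.dport))
```

   The trade-off the example makes visible: subnet granularity lets one
   SA serve every host pair behind the filter, while port granularity
   yields a fresh SA (and a fresh negotiation) for each flow, which is
   tighter isolation at the cost of more key exchanges.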

   ipSecAssociationProposalSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecProposalSetProposalSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IPsec proposals that is associated with this
   IPsec association."
     ::= { ipSecAssociationEntry  10 }

   --
   --
   -- The ipSecProposalSetTable
   --

   ipSecProposalSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec proposal sets. Proposals within a set are ORed
   with preference order."
     ::= { ipSecAssociation  6 }

   ipSecProposalSetEntry OBJECT-TYPE
     SYNTAX IpSecProposalSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecProposalSetPrid }
     UNIQUENESS {
       ipSecProposalSetProposalSetId,
       ipSecProposalSetProposalId,
       ipSecProposalSetOrder
       }
     ::= { ipSecProposalSetTable 1 }

     IpSecProposalSetEntry ::= SEQUENCE {
        ipSecProposalSetPrid InstanceId,
        ipSecProposalSetProposalSetId TagId,
        ipSecProposalSetProposalId ReferenceId,
        ipSecProposalSetOrder Unsigned16
   }

   ipSecProposalSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecProposalSetEntry  1 }

   ipSecProposalSetProposalSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPsec proposal set. A proposal set
   is composed of one or more IPsec proposals. Each proposal
   belonging to the same set has the same ProposalSetId."
     ::= { ipSecProposalSetEntry  2 }

   ipSecProposalSetProposalId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecProposalEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecProposalTable."
     ::= { ipSecProposalSetEntry  3 }

   ipSecProposalSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the proposal
   identified by ipSecProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A smaller
   integer value indicates a higher preference."
     ::= { ipSecProposalSetEntry  4 }

   --
   --
   -- The ipSecProposalTable
   --

   ipSecProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec proposals. It has references to ESP, AH and
   IPCOMP Transform sets. Within a proposal, different types of
   transforms are ANDed. Multiple transforms of the same type are
   ORed with preference order."
     ::= { ipSecAssociation  7 }
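   Taken together, ipSecProposalSetTable, ipSecProposalSetOrder and the
   ipSecProposalTable description above define a small matching
   procedure: proposals are tried in order of ipSecProposalSetOrder
   (smaller first), inside a proposal every transform type that is present
   must be satisfied, and within a type the first acceptable transform in
   preference order wins. The following is an added example, not code from
   the draft, that implements that procedure against a peer's offered
   transforms. The transform names, the sample proposal set and the shape
   of the peer offer are constructed for the example; the PIB itself
   identifies transforms by table rows, not by name.

```python
# Added example, not part of the draft: evaluating an IPsec proposal set the way
# ipSecProposalSetOrder (OR across proposals, smaller order first) and
# ipSecProposalTable (AND across transform types, OR within a type) prescribe.
# Transform names and the peer's offer are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proposal:
    """One ipSecProposalEntry; each tuple is a transform set in preference order,
    an empty tuple meaning that transform type is not part of the proposal."""
    name: str
    esp: Tuple[str, ...] = ()
    ah: Tuple[str, ...] = ()
    comp: Tuple[str, ...] = ()


@dataclass(frozen=True)
class ProposalSetMember:
    """One ipSecProposalSetEntry row: an order plus the proposal it points to."""
    order: int
    proposal: Proposal


def match_proposal(p: Proposal, peer_offer: Dict[str, Set[str]]) -> Optional[Dict[str, str]]:
    """Transforms chosen per type, or None when some required type cannot be met."""
    chosen: Dict[str, str] = {}
    for kind, ours in (("esp", p.esp), ("ah", p.ah), ("comp", p.comp)):
        if not ours:
            continue                       # type not part of this proposal
        acceptable = peer_offer.get(kind, set())
        for transform in ours:             # ORed, in our preference order
            if transform in acceptable:
                chosen[kind] = transform
                break
        else:
            return None                    # ANDed: a required type failed
    return chosen


def select_proposal(members: List[ProposalSetMember],
                    peer_offer: Dict[str, Set[str]]) -> Optional[Tuple[str, Dict[str, str]]]:
    """First proposal in precedence order that the peer can satisfy, with the
    transforms chosen for it; None when the whole set fails."""
    for member in sorted(members, key=lambda m: m.order):
        chosen = match_proposal(member.proposal, peer_offer)
        if chosen is not None:
            return member.proposal.name, chosen
    return None


# Constructed sample policy: prefer ESP with compression, fall back to ESP
# alone, then to AH alone.  Rows are deliberately listed out of order to show
# that ipSecProposalSetOrder, not row position, decides precedence.
SAMPLE_SET = [
    ProposalSetMember(3, Proposal("ah-only", ah=("AH-HMAC-SHA1",))),
    ProposalSetMember(1, Proposal("esp-with-comp",
                                  esp=("ESP-AES128-HMAC-SHA1", "ESP-3DES-HMAC-SHA1"),
                                  comp=("IPCOMP-DEFLATE",))),
    ProposalSetMember(2, Proposal("esp-only",
                                  esp=("ESP-AES128-HMAC-SHA1", "ESP-3DES-HMAC-SHA1"))),
]
```

   Because order is evaluated before strength, the PDP's ordering of the
   proposal set is what keeps a weaker fallback from being chosen while a
   stronger proposal is still acceptable to the peer.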

   ipSecProposalEntry OBJECT-TYPE
     SYNTAX IpSecProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecProposalPrid }
     UNIQUENESS {
       ipSecProposalEspTransformSetId,
       ipSecProposalAhTransformSetId,
       ipSecProposalCompTransformSetId
       }
     ::= { ipSecProposalTable 1 }

     IpSecProposalEntry ::= SEQUENCE {
        ipSecProposalPrid InstanceId,
        ipSecProposalEspTransformSetId TagReferenceId,
        ipSecProposalAhTransformSetId TagReferenceId,
        ipSecProposalCompTransformSetId TagReferenceId
   }

   ipSecProposalPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecProposalEntry  1 }

   ipSecProposalEspTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecEspTransformSetTransformSetId }
     STATUS current
     DESCRIPTION
   "An integer that identifies a set of ESP transforms, specified in
   ipSecEspTransformSetTable, that is associated with this proposal."
     ::= { ipSecProposalEntry  2 }

   ipSecProposalAhTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecAhTransformSetTransformSetId }
     STATUS current
     DESCRIPTION
   "An integer that identifies the an AH transform set, specified in
   ipSecAhTransformSetTable, that is associated with this proposal."
     ::= { ipSecProposalEntry  6  3 }

   ipSecProposalCompTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCompTransformSetTransformSetId }
     STATUS current
     DESCRIPTION

   Li, et al           Expires January, 2002                      30
                    IPsec Policy Information Base          July, 2001
   "An integer that identifies the a set of IPComp transform set, transforms, specified
   in ipSecCompTransformSetTable, that is associated with this
   proposal."
     ::= { ipSecProposalEntry  7  4 }

   --
   --
   -- The ipSecAhTransformSetTable
   --

   ipSecAhTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies AH transform sets. Within a transform set, the
   transforms are ORed with preference order. "
     ::= { ipSecAhTransform  1 }

   ipSecAhTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAhTransformSetPrid }
     UNIQUENESS {
       ipSecAhTransformSetTransformSetId,
       ipSecAhTransformSetTransformId,
       ipSecAhTransformSetOrder
       }
     ::= { ipSecAhTransformSetTable 1 }

     IpSecAhTransformSetEntry ::= SEQUENCE {
        ipSecAhTransformSetPrid InstanceId,
        ipSecAhTransformSetTransformSetId TagId,
        ipSecAhTransformSetTransformId ReferenceId,
        ipSecAhTransformSetOrder Unsigned16
   }

   ipSecAhTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class. "
     ::= { ipSecAhTransformSetEntry  1 }

   ipSecAhTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An AH transform set is composed of one or more AH transforms.
   Each transform belonging to the same set has the same
   TransformSetId."
     ::= { ipSecAhTransformSetEntry  2 }

   ipSecAhTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAhTransformEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecAhTransformTable."
     ::= { ipSecAhTransformSetEntry  3 }

   ipSecAhTransformSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecAhTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecAhTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A smaller integer value indicates a
   higher preference."
     ::= { ipSecAhTransformSetEntry  4 }

   --
   --
   -- The ipSecAhTransformTable
   --

   ipSecAhTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies AH transforms."
     ::= { ipSecAhTransform  2 }

   ipSecAhTransformEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAhTransformPrid }
     UNIQUENESS {
       ipSecAhTransformTransformId,
       ipSecAhTransformIntegrityKey,
       ipSecAhTransformUseReplayPrevention,
       ipSecAhTransformReplayPreventionWindowSize,
       ipSecAhTransformVendorId,
       ipSecAhTransformMaxLifetimeSeconds,
       ipSecAhTransformMaxLifetimeKilobytes
       }
     ::= { ipSecAhTransformTable 1 }

     IpSecAhTransformEntry ::= SEQUENCE {
        ipSecAhTransformPrid InstanceId,
        ipSecAhTransformTransformId INTEGER,
        ipSecAhTransformIntegrityKey OCTET STRING,
        ipSecAhTransformUseReplayPrevention TruthValue,
        ipSecAhTransformReplayPreventionWindowSize Unsigned32,
        ipSecAhTransformVendorId OCTET STRING,
        ipSecAhTransformMaxLifetimeSeconds Unsigned32,
        ipSecAhTransformMaxLifetimeKilobytes Unsigned32
   }

   ipSecAhTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class. "
     ::= { ipSecAhTransformEntry  1 }

   ipSecAhTransformTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       md5(2),
       sha-1(3),
       des(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the AH algorithm to propose."
     ::= { ipSecAhTransformEntry  2 }

   ipSecAhTransformIntegrityKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When this AH transform instance is used for a Static Action, this
   attribute specifies the integrity key to be used. This attribute
   MUST be ignored when this AH transform instance is used for a
   Negotiation Action."
     ::= { ipSecAhTransformEntry  3 }

   ipSecAhTransformUseReplayPrevention OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether to enable replay prevention detection."
     ::= { ipSecAhTransformEntry  4 }

   ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies, in bits, the length of the sliding window used by the
   replay prevention detection mechanism. The value of this property
   is ignored if UseReplayPrevention is false. It is assumed that the
   window size will be power of 2."
     ::= { ipSecAhTransformEntry  5 }

   ipSecAhTransformVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the vendor ID for vendor-defined transforms."
     ::= { ipSecAhTransformEntry  6 }

   ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime."
     ::= { ipSecAhTransformEntry  7 }

   ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime."
     ::= { ipSecAhTransformEntry  8 }
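   The rules stated for the AH tables above (a proposal's AhTransformSetId
   selects the rows of ipSecAhTransformSetTable that share that
   TransformSetId; each such row's TransformId must point at a valid
   instance of ipSecAhTransformTable; the UNIQUENESS triple must not repeat;
   a smaller Order means higher preference; a zero MaxLifetimeSeconds means
   the 8-hour default; a zero MaxLifetimeKilobytes means no kilobyte
   maximum; the replay window is ignored unless replay prevention is on and
   is assumed to be a power of 2) can be checked by a PDP or PEP before the
   policy is installed. The following is an added example written for this
   page, not code from the draft or from any IPSP implementation. It models
   the tables as Python dicts keyed by Prid, drops the ipSecAhTransform...
   attribute prefixes, and uses constructed sample rows; the ESP and IPComp
   transform set tables follow the same TransformSetId/TransformId/Order
   pattern, so the same resolution applies to them.

```python
"""Resolve an IPsec PIB proposal into its ordered AH transforms.

Added example, not code from the draft.  Table rows are modelled as dicts
keyed by Prid (InstanceId); attribute names drop the ipSecAhTransform...
prefix.  All row values are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# ipSecAhTransformTransformId enumeration as given in the PIB
AH_TRANSFORM_NAMES = {2: "md5", 3: "sha-1", 4: "des"}
# "A value of zero indicates that the default of 8 hours be used."
DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60

# Constructed rows of ipSecAhTransformTable, keyed by ipSecAhTransformPrid.
AH_TRANSFORM_TABLE = {
    1: {"TransformId": 3, "UseReplayPrevention": True,
        "ReplayPreventionWindowSize": 64,
        "MaxLifetimeSeconds": 0, "MaxLifetimeKilobytes": 0},
    2: {"TransformId": 2, "UseReplayPrevention": False,
        "ReplayPreventionWindowSize": 100,
        "MaxLifetimeSeconds": 3600, "MaxLifetimeKilobytes": 100000},
}
# Constructed rows of ipSecAhTransformSetTable.  "TransformId" here is the
# ReferenceId (PIB-REFERENCES) pointing at a Prid of AH_TRANSFORM_TABLE;
# both rows carry TransformSetId 10 and so form one transform set.
AH_TRANSFORM_SET_TABLE = {
    1: {"TransformSetId": 10, "TransformId": 2, "Order": 2},
    2: {"TransformSetId": 10, "TransformId": 1, "Order": 1},
}
# Constructed row of ipSecProposalTable; AhTransformSetId is the
# TagReferenceId matched against ipSecAhTransformSetTransformSetId.
PROPOSAL_TABLE = {1: {"AhTransformSetId": 10}}


@dataclass(frozen=True)
class EffectiveAhTransform:
    algorithm: str
    lifetime_seconds: int
    lifetime_kilobytes: int | None   # None: "no maximum kilobyte lifetime"
    replay_window: int | None        # None: replay prevention disabled


def check_references(set_table, transform_table) -> list[str]:
    """PIB-REFERENCES: each TransformId must name a valid instance
    in ipSecAhTransformTable."""
    return [f"set row {prid}: TransformId {row['TransformId']} is not an "
            f"instance of ipSecAhTransformTable"
            for prid, row in set_table.items()
            if row["TransformId"] not in transform_table]


def check_uniqueness(set_table) -> list[str]:
    """UNIQUENESS { TransformSetId, TransformId, Order }: no two rows may
    share the same triple."""
    seen = {}
    errors = []
    for prid, row in set_table.items():
        key = (row["TransformSetId"], row["TransformId"], row["Order"])
        if key in seen:
            errors.append(f"rows {seen[key]} and {prid} repeat {key}")
        else:
            seen[key] = prid
    return errors


def resolve_transform_set(set_id, set_table, transform_table) -> list[dict]:
    """Return the transforms of one set, highest preference first
    (smaller Order value = higher preference)."""
    members = [r for r in set_table.values() if r["TransformSetId"] == set_id]
    members.sort(key=lambda r: r["Order"])
    return [transform_table[r["TransformId"]] for r in members]


def effective_settings(row) -> EffectiveAhTransform:
    """Apply the zero-value defaults and the replay-window rule stated
    in the attribute descriptions."""
    window = row["ReplayPreventionWindowSize"] if row["UseReplayPrevention"] else None
    return EffectiveAhTransform(
        algorithm=AH_TRANSFORM_NAMES[row["TransformId"]],
        lifetime_seconds=row["MaxLifetimeSeconds"] or DEFAULT_LIFETIME_SECONDS,
        lifetime_kilobytes=row["MaxLifetimeKilobytes"] or None,
        replay_window=window,
    )


def replay_window_warnings(transform_table) -> list[int]:
    """Prids whose enabled replay window is not a power of 2 (the PIB
    assumes it is); disabled windows are ignored, as the text says."""
    bad = []
    for prid, row in transform_table.items():
        size = row["ReplayPreventionWindowSize"]
        if row["UseReplayPrevention"] and (size <= 0 or size & (size - 1)):
            bad.append(prid)
    return bad


def proposal_ah_transforms(proposal_prid) -> list[EffectiveAhTransform]:
    """Follow ipSecProposalAhTransformSetId to the ordered AH transforms."""
    set_id = PROPOSAL_TABLE[proposal_prid]["AhTransformSetId"]
    rows = resolve_transform_set(set_id, AH_TRANSFORM_SET_TABLE, AH_TRANSFORM_TABLE)
    return [effective_settings(r) for r in rows]


if __name__ == "__main__":
    problems = (check_references(AH_TRANSFORM_SET_TABLE, AH_TRANSFORM_TABLE)
                + check_uniqueness(AH_TRANSFORM_SET_TABLE))
    for problem in problems:
        print("policy error:", problem)
    for transform in proposal_ah_transforms(1):
        print(transform)
```

   Run as a script it prints the two transforms of set 10 with sha-1 first,
   because its row has the smaller Order value; the reference and
   uniqueness checks are the ones a PDP would run before pushing the rows
   to a PEP, since a dangling ReferenceId or a duplicated triple is exactly
   what a PIB-REFERENCES or UNIQUENESS clause forbids.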

   --
   --
   -- The ipSecEspTransformSetTable
   --

   ipSecEspTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies ESP transform sets. Within a transform set, the choices
   are ORed with preference order. "
     ::= { ipSecEspTransform  1 }

   ipSecEspTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecEspTransformSetPrid }
     UNIQUENESS {
       ipSecEspTransformSetTransformSetId,
       ipSecEspTransformSetTransformId,
       ipSecEspTransformSetOrder
       }
     ::= { ipSecEspTransformSetTable 1 }

     IpSecEspTransformSetEntry ::= SEQUENCE {
        ipSecEspTransformSetPrid InstanceId,
        ipSecEspTransformSetTransformSetId TagId,
        ipSecEspTransformSetTransformId ReferenceId,
        ipSecEspTransformSetOrder Unsigned16
   }

   ipSecEspTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecEspTransformSetEntry  1 }

   ipSecEspTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An ESP transform set is composed of one or more ESP transforms.
   Each transform belonging to the same set has the same
   TransformSetId."
     ::= { ipSecEspTransformSetEntry  2 }

   ipSecEspTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecEspTransformEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecEspTransformTable."
     ::= { ipSecEspTransformSetEntry  3 }

   ipSecEspTransformSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecEspTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecEspTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A smaller integer value indicates a
   higher preference."
     ::= { ipSecEspTransformSetEntry  4 }

   --
   --
   -- The ipSecEspTransformTable
   --

   ipSecEspTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies ESP transforms."
     ::= { ipSecEspTransform  2 }

   ipSecEspTransformEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecEspTransformPrid }
     UNIQUENESS {
       ipSecEspTransformIntegrityTransformId,
       ipSecEspTransformCipherTransformId,
       ipSecEspTransformIntegrityKey,
       ipSecEspTransformCipherKey,
       ipSecEspTransformCipherKeyRounds,
       ipSecEspTransformCipherKeyLength,
       ipSecEspTransformUseReplayPrevention,
       ipSecEspTransformReplayPreventionWindowSize,
       ipSecEspTransformVendorId,
       ipSecEspTransformMaxLifetimeSeconds,
       ipSecEspTransformMaxLifetimeKilobytes
       }
     ::= { ipSecEspTransformTable 1 }

     IpSecEspTransformEntry ::= SEQUENCE {
        ipSecEspTransformPrid InstanceId,
        ipSecEspTransformIntegrityTransformId INTEGER,
        ipSecEspTransformCipherTransformId INTEGER,
        ipSecEspTransformIntegrityKey OCTET STRING,
        ipSecEspTransformCipherKey OCTET STRING,
        ipSecEspTransformCipherKeyRounds Unsigned16,
        ipSecEspTransformCipherKeyLength Unsigned16,
        ipSecEspTransformUseReplayPrevention TruthValue,
        ipSecEspTransformReplayPreventionWindowSize Unsigned32,
        ipSecEspTransformVendorId OCTET STRING,
        ipSecEspTransformMaxLifetimeSeconds Unsigned32,
        ipSecEspTransformMaxLifetimeKilobytes Unsigned32
   }

   ipSecEspTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecEspTransformEntry  1 }

   ipSecEspTransformIntegrityTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       none(0),
       hmacMd5(1),
       hmacSha(2),
       desMac(3),
       kpdk(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the ESP integrity algorithm to
   propose."
     ::= { ipSecEspTransformEntry  2 }

   ipSecEspTransformCipherTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       desIV64(1),
       des(2),
       tripleDES(3),
       rc5(4),
       idea(5),
       cast(6),
       blowfish(7),
       tripleIDEA(8),
       desIV32(9),
       rc4(10),
       null(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the ESP encryption algorithm to
   propose."
     ::= { ipSecEspTransformEntry  3 }

   ipSecEspTransformIntegrityKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When this ESP transform instance is used for a Static Action,
   this attribute specifies the integrity key to be used. This
   attribute MUST be ignored when this ESP transform instance is used
   for a Negotiation Action."
     ::= { ipSecEspTransformEntry  4 }

   ipSecEspTransformCipherKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When this ESP transform instance is used for a Static Action,
   this attribute specifies the cipher key to be used. This attribute
   MUST be ignored when this ESP transform instance is used for a
   Negotiation Action."
     ::= { ipSecEspTransformEntry  5 }

   ipSecEspTransformCipherKeyRounds OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the number of key rounds for the ESP encryption
   algorithm.  For encryption algorithms that use fixed number of key
   rounds, this value is ignored."
     ::= { ipSecEspTransformEntry  6 }

   ipSecEspTransformCipherKeyLength OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies, in bits, the key length for the ESP encryption
   algorithm. For encryption algorithms that use fixed-length keys,
   this value is ignored."
     ::= { ipSecEspTransformEntry  7 }

   ipSecEspTransformUseReplayPrevention OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether to enable replay prevention detection."
     ::= { ipSecEspTransformEntry  8 }

   ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies, in bits, the length of the sliding window used by the
   replay prevention detection mechanism. The value of this property
   is ignored if UseReplayPrevention is false. It is assumed that the
   window size will be power of 2."
     ::= { ipSecEspTransformEntry  9 }

   ipSecEspTransformVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the vendor ID for vendor-defined transforms."
     ::= { ipSecEspTransformEntry  10 }

   ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime."
     ::= { ipSecEspTransformEntry  11 }

   ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime."
     ::= { ipSecEspTransformEntry  12 }

   --
   --
   -- The ipSecCompTransformSetTable
   --

   ipSecCompTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPComp transform sets. Within a transform set, the
   choices are ORed with preference order."
     ::= { ipSecCompTransform  1 }

   ipSecCompTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCompTransformSetPrid }
     UNIQUENESS {
       ipSecCompTransformSetTransformSetId,
       ipSecCompTransformSetTransformId,
       ipSecCompTransformSetOrder
       }
     ::= { ipSecCompTransformSetTable 1 }

     IpSecCompTransformSetEntry ::= SEQUENCE {
        ipSecCompTransformSetPrid InstanceId,
        ipSecCompTransformSetTransformSetId TagId,
        ipSecCompTransformSetTransformId ReferenceId,
        ipSecCompTransformSetOrder Unsigned16
   }

   ipSecCompTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCompTransformSetEntry  1 }

   ipSecCompTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPCOMP transform set is composed of one or more IPCOMP
   transforms. Each transform belonging to the same set has the same
   TransformSetId."
     ::= { ipSecCompTransformSetEntry  2 }

   ipSecCompTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecCompTransformEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecCompTransformTable."
     ::= { ipSecCompTransformSetEntry  3 }

   ipSecCompTransformSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecCompTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecCompTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A smaller integer value indicates a
   higher preference."
     ::= { ipSecCompTransformSetEntry  4 }

   --
   --
   -- The ipSecCompTransformTable
   --

   ipSecCompTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IP compression (IPCOMP) algorithms."
     ::= { ipSecCompTransform  2 }

   ipSecCompTransformEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCompTransformPrid }
     UNIQUENESS {
       ipSecCompTransformAlgorithm,
       ipSecCompTransformDictionarySize,
       ipSecCompTransformPrivateAlgorithm,
       ipSecCompTransformVendorId,
       ipSecCompTransformMaxLifetimeSeconds,
       ipSecCompTransformMaxLifetimeKilobytes
       }
     ::= { ipSecCompTransformTable 1 }

     IpSecCompTransformEntry ::= SEQUENCE {
        ipSecCompTransformPrid InstanceId,
        ipSecCompTransformAlgorithm INTEGER,
        ipSecCompTransformDictionarySize Unsigned16,
        ipSecCompTransformPrivateAlgorithm Unsigned32,
        ipSecCompTransformVendorId OCTET STRING,
        ipSecCompTransformMaxLifetimeSeconds Unsigned32,
        ipSecCompTransformMaxLifetimeKilobytes Unsigned32
   }

   ipSecCompTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCompTransformEntry  1 }

   ipSecCompTransformAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       oui(1),
       deflate(2),
       lzs(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the IPCOMP compression algorithm to
   propose."
     ::= { ipSecCompTransformEntry  2 }

   ipSecCompTransformDictionarySize OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the log2 maximum size of the dictionary for the
   compression algorithm.  For compression algorithms that have pre-
   defined dictionary sizes, this value is ignored."
     ::= { ipSecCompTransformEntry  3 }

   ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies a private vendor-specific compression algorithm."
     ::= { ipSecCompTransformEntry  4 }

   ipSecCompTransformVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the vendor ID for vendor-defined transforms."
     ::= { ipSecCompTransformEntry  5 }

   ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime."
     ::= { ipSecCompTransformEntry  6 }

   ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime."
     ::= { ipSecCompTransformEntry  7 }

   --
   --
   -- The ipSecIkeRuleTable
   --

   ipSecIkeRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeRuleEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE rules. This table is required only when specifying:

   - Multiple IKE phase one actions (e.g., with different exchange
   modes) that are associated with one IPsec association. These
   actions are to be tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.

   Support of this table is optional."
     ::= { ipSecIkeAssociation  1 }

   ipSecIkeRuleEntry OBJECT-TYPE
     SYNTAX IpSecIkeRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeRulePrid }
     UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles,
       ipSecIkeRuleIkeActionSetId,
       ipSecIkeRuleActionExecutionStrategy,
       ipSecIkeRuleLimitNegotiation,
       ipSecIkeRuleAutoStart
       }
     ::= { ipSecIkeRuleTable 1 }

     IpSecIkeRuleEntry ::= SEQUENCE {
        ipSecIkeRulePrid InstanceId,
        ipSecIkeRuleIfName SnmpAdminString,
        ipSecIkeRuleRoles RoleCombination,
        ipSecIkeRuleIkeActionSetId TagReferenceId,
        ipSecIkeRuleActionExecutionStrategy INTEGER,
        ipSecIkeRuleLimitNegotiation INTEGER,
        ipSecIkeRuleAutoStart TruthValue,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
   }

   ipSecIkeRulePrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeRuleEntry  1 }

   ipSecIkeRuleIfName OBJECT-TYPE
     SYNTAX SnmpAdminString
     STATUS current
     DESCRIPTION
   "The interface capability set to which this IKE rule applies. The
   interface capability name specified by this attribute must exist
   in the frwkIfCapSetTable [FR-PIB] prior to association with an
   instance of this class.

   This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkeRuleEntry  2 }

   ipSecIkeRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combination of the interface to which this IKE
   rule should apply. There must exist an instance in the
   frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
   combination, together with the interface capability set specified
   by ipSecIkeRuleIfName, prior to association with an instance of
   this class.

   This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkeRuleEntry  3 }

   ipSecIkeRuleIkeActionSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecIkeActionSetActionSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IKE actions to be associated with this rule."
     ::= { ipSecIkeRuleEntry  4 }

   ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
     SYNTAX INTEGER {
       doAll(1),
       doUntilSuccess(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the strategy to be used in executing the sequenced
   actions in the action set identified by ipSecIkeRuleIkeActionSetId.

   DoAll (1) causes the execution of all the actions in the action
   set according to their defined precedence order. The precedence
   order is specified by ipSecIkeActionSetOrder in
   ipSecIkeActionSetTable.

   DoUntilSuccess (2) causes the execution of actions according to
   their defined precedence order until a successful execution of a
   single action. The precedence order is specified by
   ipSecIkeActionSetOrder in ipSecIkeActionSetTable."
     ::= { ipSecIkeRuleEntry  5 }

   ipSecIkeRuleLimitNegotiation OBJECT-TYPE
     SYNTAX INTEGER {
       initiator(1),
       responder(2),
       both(3)
       }
     STATUS current
     DESCRIPTION
   "Limits the negotiation method. Before proceeding with a phase 1
   negotiation, this property is checked to determine if the
   negotiation role of the rule matches that defined for the
   negotiation being undertaken (e.g., Initiator, Responder, or
   Both). If this check fails (e.g. the current role is IKE responder
   while the rule specifies IKE initiator), then the IKE negotiation
   is stopped. Note that this only applies to new IKE phase one
   negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists."
     ::= { ipSecIkeRuleEntry  6 }
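
   The following is an added worked example, not part of the draft or of
   any PIB implementation, showing how a PEP would evaluate one
   ipSecIkeRule row: the ipSecIkeRuleLimitNegotiation role check above,
   then the ipSecIkeRuleActionExecutionStrategy (doAll / doUntilSuccess)
   walk over the action set ordered by ipSecIkeActionSetOrder. Table rows
   are modelled as plain Python dicts keyed by the PIB attribute names;
   run_action is a hypothetical hook standing in for the IKE engine, and
   every sample row value is constructed.

```python
# Added example, not part of the draft: evaluating one ipSecIkeRule row
# against ipSecIkeActionSetTable as the descriptions of
# ipSecIkeRuleLimitNegotiation and ipSecIkeRuleActionExecutionStrategy
# require.  Rows are dicts keyed by PIB attribute name; sample values are
# constructed.

# Enumeration values as defined on the page.
DO_ALL, DO_UNTIL_SUCCESS = 1, 2          # ipSecIkeRuleActionExecutionStrategy
INITIATOR, RESPONDER, BOTH = 1, 2, 3     # ipSecIkeRuleLimitNegotiation


def ordered_actions(action_set_table, action_set_id):
    """Action Prids of one action set, most preferred first.

    Members share ipSecIkeActionSetActionSetId and are ranked by
    ipSecIkeActionSetOrder (smaller value = tried earlier).  Transform
    sets and proposal sets use the same "ORed with preference order" rule.
    """
    members = [r for r in action_set_table
               if r["ipSecIkeActionSetActionSetId"] == action_set_id]
    members.sort(key=lambda r: r["ipSecIkeActionSetOrder"])
    return [r["ipSecIkeActionSetActionId"] for r in members]


def role_permitted(rule, current_role, new_negotiation=True):
    """ipSecIkeRuleLimitNegotiation: the rule's role must match the role of
    a *new* phase one negotiation; rekeys of an existing SA are exempt."""
    if not new_negotiation:
        return True
    limit = rule["ipSecIkeRuleLimitNegotiation"]
    return limit == BOTH or limit == current_role


def execute_rule(rule, action_set_table, current_role, run_action,
                 new_negotiation=True):
    """Apply the rule's execution strategy to its action set.

    run_action(prid) -> bool is a hypothetical hook that attempts the IKE
    association an action points to and reports success.  Returns the
    (prid, result) pairs actually attempted; an empty list means the role
    limit stopped the negotiation before anything was tried.
    """
    if not role_permitted(rule, current_role, new_negotiation):
        return []
    strategy = rule["ipSecIkeRuleActionExecutionStrategy"]
    attempted = []
    for prid in ordered_actions(action_set_table,
                                rule["ipSecIkeRuleIkeActionSetId"]):
        ok = bool(run_action(prid))
        attempted.append((prid, ok))
        if strategy == DO_UNTIL_SUCCESS and ok:
            break          # doUntilSuccess: stop at the first success
    return attempted       # doAll: every action was run, in order


# Constructed sample rows.  Action set 7 has three members whose precedence
# deliberately differs from their row order; set 8 is a decoy.
SAMPLE_ACTION_SET_TABLE = [
    {"ipSecIkeActionSetPrid": 1, "ipSecIkeActionSetActionSetId": 7,
     "ipSecIkeActionSetActionId": 101, "ipSecIkeActionSetOrder": 20},
    {"ipSecIkeActionSetPrid": 2, "ipSecIkeActionSetActionSetId": 7,
     "ipSecIkeActionSetActionId": 102, "ipSecIkeActionSetOrder": 30},
    {"ipSecIkeActionSetPrid": 3, "ipSecIkeActionSetActionSetId": 7,
     "ipSecIkeActionSetActionId": 103, "ipSecIkeActionSetOrder": 10},
    {"ipSecIkeActionSetPrid": 4, "ipSecIkeActionSetActionSetId": 8,
     "ipSecIkeActionSetActionId": 104, "ipSecIkeActionSetOrder": 10},
]

SAMPLE_RULE = {
    "ipSecIkeRulePrid": 1,
    "ipSecIkeRuleIkeActionSetId": 7,
    "ipSecIkeRuleActionExecutionStrategy": DO_UNTIL_SUCCESS,
    "ipSecIkeRuleLimitNegotiation": INITIATOR,
    "ipSecIkeRuleAutoStart": True,
}


def scripted_outcomes(outcomes):
    """Test double for run_action: answer each attempt from a {prid: bool} map."""
    return lambda prid: outcomes[prid]


if __name__ == "__main__":
    hook = scripted_outcomes({103: False, 101: True, 102: True})
    print(execute_rule(SAMPLE_RULE, SAMPLE_ACTION_SET_TABLE, INITIATOR, hook))
```

   With the sample rows, action 103 is tried first despite being the third
   row, and under doUntilSuccess the walk stops at 101; switching the rule
   to doAll runs 102 as well. A responder-side new negotiation against
   this initiator-only rule attempts nothing, while a rekey of an existing
   SA is not subject to the limit at all.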

   ipSecIkeRuleAutoStart OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Indicates if this rule should be automatically executed."
     ::= { ipSecIkeRuleEntry  7 }

   ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
     STATUS current
     DESCRIPTION
   "Identifies a rule time period set, specified in
   ipSecRuleTimePeriodSetTable, that is associated with this rule.

   A value of zero indicates that this rule is always valid."
     ::= { ipSecIkeRuleEntry  8 }

   --
   --
   -- The ipSecIkeActionSetTable
   --

   ipSecIkeActionSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE action sets."
     ::= { ipSecIkeAssociation  2 }

   ipSecIkeActionSetEntry OBJECT-TYPE
     SYNTAX IpSecIkeActionSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeActionSetPrid }
     UNIQUENESS {
       ipSecIkeActionSetActionSetId,
       ipSecIkeActionSetActionId,
       ipSecIkeActionSetOrder
       }
     ::= { ipSecIkeActionSetTable 1 }

     IpSecIkeActionSetEntry ::= SEQUENCE {
        ipSecIkeActionSetPrid InstanceId,
        ipSecIkeActionSetActionSetId TagId,
        ipSecIkeActionSetActionId Prid,
        ipSecIkeActionSetOrder Unsigned16
   }

   ipSecIkeActionSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeActionSetEntry  1 }

   ipSecIkeActionSetActionSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IKE action set is composed of one or more IKE actions. Each
   action belonging to the same set has the same ActionSetId."
     ::= { ipSecIkeActionSetEntry  2 }

   ipSecIkeActionSetActionId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecIkeAssociationTable."
     ::= { ipSecIkeActionSetEntry  3 }

   ipSecIkeActionSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the precedence order of the action within the action
   set. An action with a smaller precedence order is to be tried
   before one with a larger precedence order."
     ::= { ipSecIkeActionSetEntry  4 }

   --
   --
   -- The ipSecIkeAssociationTable
   --

   ipSecIkeAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE associations."
     ::= { ipSecIkeAssociation  3 }

   ipSecIkeAssociationEntry OBJECT-TYPE
     SYNTAX IpSecIkeAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeAssociationPrid }
     UNIQUENESS {
       ipSecIkeAssociationMinLiftetimeSeconds,
       ipSecIkeAssociationMinLifetimeKilobytes,
       ipSecIkeAssociationIdleDurationSeconds,
       ipSecIkeAssociationExchangeMode,
       ipSecIkeAssociationUseIkeIdentityType,
       ipSecIkeAssociationUseIkeIdentityValue,
       ipSecIkeAssociationIkePeerEndpoint,
       ipSecIkeAssociationPresharedKey,
       ipSecIkeAssociationVendorId,
       ipSecIkeAssociationAggressiveModeGroupId,
       ipSecIkeAssociationLocalCredentialId,
       ipSecIkeAssociationDoActionLogging,
       ipSecIkeAssociationIkeProposalSetId
       }
     ::= { ipSecIkeAssociationTable 1 }

     IpSecIkeAssociationEntry ::= SEQUENCE {
        ipSecIkeAssociationPrid InstanceId,
        ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
        ipSecIkeAssociationMinLifetimeKilobytes Unsigned32,
        ipSecIkeAssociationIdleDurationSeconds Unsigned32,
        ipSecIkeAssociationExchangeMode INTEGER,
        ipSecIkeAssociationUseIkeIdentityType INTEGER,
        ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
        ipSecIkeAssociationIkePeerEndpoint ReferenceId,
        ipSecIkeAssociationPresharedKey OCTET STRING,
        ipSecIkeAssociationVendorId OCTET STRING,
        ipSecIkeAssociationAggressiveModeGroupId Unsigned16,
        ipSecIkeAssociationLocalCredentialId TagReferenceId,
        ipSecIkeAssociationDoActionLogging TruthValue,
        ipSecIkeAssociationIkeProposalSetId TagReferenceId
   }

   ipSecIkeAssociationPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeAssociationEntry  1 }

   ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.

   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecIkeAssociationEntry  2 }

   ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a negotiating peer while negotiating an SA based upon this
   action.

   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecIkeAssociationEntry  3 }

   ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies how long, in seconds, a security association may remain
   unused before it is deleted.

   A value of zero indicates that idle detection should not be used
   for the security association (only the seconds and kilobyte
   lifetimes will be used)."
     ::= { ipSecIkeAssociationEntry  4 }
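
   The following is an added worked example, not part of the draft, that
   puts the lifetime attributes of two tables side by side: the proposing
   side derives its offer from ipSecCompTransformMaxLifetimeSeconds and
   ipSecCompTransformMaxLifetimeKilobytes (zero meaning the 8 hour default
   and "no kilobyte limit" respectively), and the accepting side enforces
   ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLifetimeKilobytes
   and ipSecIkeAssociationIdleDurationSeconds (zero meaning "not enforced"
   / "idle detection off"). Rows are dicts keyed by attribute name and all
   values are constructed; treating an offer with no kilobyte lifetime as
   unbounded is this example's assumption, not a statement of the draft.

```python
# Added example, not part of the draft: the two sides of SA lifetime
# handling described by ipSecCompTransformMaxLifetimeSeconds/-Kilobytes
# (what an IPCOMP transform proposes) and by
# ipSecIkeAssociationMinLiftetimeSeconds, -MinLifetimeKilobytes and
# -IdleDurationSeconds (what an association accepts, and when an idle SA
# is dropped).  Rows are dicts keyed by attribute name; values are
# constructed.

DEFAULT_MAX_LIFETIME_SECONDS = 8 * 60 * 60   # "the default of 8 hours"


def proposed_lifetimes(comp_transform):
    """Lifetimes to offer for one ipSecCompTransform row.

    Zero seconds selects the 8 hour default; zero kilobytes means no
    kilobyte lifetime is proposed at all (returned as None).
    """
    secs = comp_transform["ipSecCompTransformMaxLifetimeSeconds"]
    kb = comp_transform["ipSecCompTransformMaxLifetimeKilobytes"]
    return {"seconds": secs if secs else DEFAULT_MAX_LIFETIME_SECONDS,
            "kilobytes": kb if kb else None}


def accept_peer_lifetimes(assoc, offered_seconds, offered_kilobytes=None):
    """Accepting side: enforce the association's minimum lifetimes.

    A minimum of zero means nothing is enforced for that unit.  Returns
    (accepted, reasons); reasons is empty when the offer is acceptable.
    Assumption (not stated on the page): an offer carrying no kilobyte
    lifetime (None) is unbounded and therefore never below a minimum.
    """
    reasons = []
    min_s = assoc["ipSecIkeAssociationMinLiftetimeSeconds"]
    if min_s and offered_seconds < min_s:
        reasons.append(f"seconds lifetime {offered_seconds} below minimum {min_s}")
    min_kb = assoc["ipSecIkeAssociationMinLifetimeKilobytes"]
    if min_kb and offered_kilobytes is not None and offered_kilobytes < min_kb:
        reasons.append(f"kilobyte lifetime {offered_kilobytes} below minimum {min_kb}")
    return (not reasons, reasons)


def idle_timeout(assoc):
    """Seconds of inactivity after which the SA is deleted, or None when
    ipSecIkeAssociationIdleDurationSeconds is zero (idle detection off:
    only the seconds and kilobyte lifetimes end the SA)."""
    idle = assoc["ipSecIkeAssociationIdleDurationSeconds"]
    return idle if idle else None


# Constructed sample rows.
SAMPLE_COMP_TRANSFORM = {           # relies on both zero defaults
    "ipSecCompTransformMaxLifetimeSeconds": 0,
    "ipSecCompTransformMaxLifetimeKilobytes": 0,
}
SAMPLE_ASSOC = {                    # refuses short-lived SAs; idles out after 5 min
    "ipSecIkeAssociationMinLiftetimeSeconds": 1800,
    "ipSecIkeAssociationMinLifetimeKilobytes": 1024,
    "ipSecIkeAssociationIdleDurationSeconds": 300,
}

if __name__ == "__main__":
    print(proposed_lifetimes(SAMPLE_COMP_TRANSFORM))
    print(accept_peer_lifetimes(SAMPLE_ASSOC, 600, 2048))
    print(idle_timeout(SAMPLE_ASSOC))
```

   A minimum lifetime is a defensive knob: it lets the policy refuse a
   peer's offer of a very short-lived SA rather than silently accepting
   the constant rekeying it would cause, while the zero values keep the
   attribute inert when no such floor is wanted.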

   ipSecIkeAssociationExchangeMode OBJECT-TYPE
     SYNTAX INTEGER {
       baseMode(1),
       mainMode(2),
       aggressiveMode(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the negotiation mode that the IKE server will use for
   phase one."
     ::= { ipSecIkeAssociationEntry  5 }

   ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the type of IKE identity to use during IKE phase one
   negotiation."
     ::= { ipSecIkeAssociationEntry  6 }

   ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the ID payload value to be provided to the peer during
   IKE phase one negotiation."
     ::= { ipSecIkeAssociationEntry  7 }

   ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIkePeerEndpointEntry }
     STATUS current
     DESCRIPTION
   "Pointer to a valid instance in the ipSecIkePeerEndpointTable to
   indicate an IKE peer endpoint."
     ::= { ipSecIkeAssociationEntry  8 }

   ipSecIkeAssociationPresharedKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "This attribute specifies the preshared key or secret to use for
   IKE authentication. This is for all the IKE proposals of this
   association that set ipSecIkeProposalAuthenticationMethod to
   presharedKey(1)."
     ::= { ipSecIkeAssociationEntry  9 }

   ipSecIkeAssociationVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the value to be used in the Vendor ID payload.

   A value of NULL means that Vendor ID payload will be neither
   generated nor accepted. A non-NULL value means that a Vendor ID
   payload will be generated (when acting as an initiator) or is
   expected (when acting as a responder). "
     ::= { ipSecIkeAssociationEntry  10 }

   ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the group ID to be used for aggressive mode. This
   attribute is ignored unless the attribute
   ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
   the value of this attribute is from the vendor-specific range
   (32768-65535), this attribute qualifies the group number."
     ::= { ipSecIkeAssociationEntry  11 }

   ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCredentialSetSetId }
     STATUS current
     DESCRIPTION
   "Indicates a group of credentials. One of the credentials in the
   group MUST be used when establishing an IKE association with the
   peer endpoint."
     ::= { ipSecIkeAssociationEntry  12 }

   ipSecIkeAssociationDoActionLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether a log message is to be generated when the
   negotiation is attempted (with the success or failure result)."
     ::= { ipSecIkeAssociationEntry  13 }

   ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecIkeProposalSetProposalSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IKE proposals that is associated with this
   IKE association."
     ::= { ipSecIkeAssociationEntry  14 }
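
   The following is an added worked example, not part of the draft, that
   turns the constraints stated in the descriptions of
   ipSecIkeAssociationExchangeMode, ipSecIkeAssociationVendorId,
   ipSecIkeAssociationAggressiveModeGroupId, ipSecIkeAssociationPresharedKey
   and ipSecIkeAssociationIkeProposalSetId into a consistency check a PDP
   could run before installing an association row: the exchange mode must
   be one of the three defined values, the aggressive-mode group id is
   only meaningful when the mode is 4 and may fall in the vendor-specific
   range, an empty Vendor ID disables the payload in both directions, and a
   preshared key must be present when any proposal in the referenced set
   authenticates with presharedKey(1). Rows are dicts keyed by attribute
   name; the proposal set and proposal rows are looked up by Prid; all
   sample values are constructed, and the non-PSK authentication method
   value used in the sample is a placeholder rather than a value from the
   page.

```python
# Added example, not part of the draft: static consistency checks over an
# ipSecIkeAssociation row, derived from the attribute descriptions for
# ipSecIkeAssociationExchangeMode, -AggressiveModeGroupId, -VendorId,
# -PresharedKey and -IkeProposalSetId.  Rows are dicts keyed by attribute
# name; all sample values are constructed.

BASE_MODE, MAIN_MODE, AGGRESSIVE_MODE = 1, 2, 4   # ExchangeMode values
PRESHARED_KEY = 1          # ipSecIkeProposalAuthenticationMethod presharedKey(1)
OTHER_METHOD = 99          # constructed placeholder for a non-PSK method
VENDOR_SPECIFIC_GROUPS = range(32768, 65536)      # "vendor-specific range"


def effective_aggressive_group(assoc):
    """(group id, vendor_specific) for aggressive mode, or (None, False)
    when the attribute is ignored because the exchange mode is not 4."""
    if assoc["ipSecIkeAssociationExchangeMode"] != AGGRESSIVE_MODE:
        return (None, False)
    gid = assoc["ipSecIkeAssociationAggressiveModeGroupId"]
    return (gid, gid in VENDOR_SPECIFIC_GROUPS)


def vendor_id_behaviour(assoc, as_initiator):
    """How the Vendor ID payload is treated: 'none' when the attribute is
    empty (neither generated nor accepted), otherwise 'generate' as
    initiator or 'expect' as responder."""
    if not assoc["ipSecIkeAssociationVendorId"]:
        return "none"
    return "generate" if as_initiator else "expect"


def proposals_of(assoc, proposal_set_table, proposal_table):
    """ipSecIkeProposalTable rows reachable through the association's
    proposal set (membership only; preference order is not needed here)."""
    set_id = assoc["ipSecIkeAssociationIkeProposalSetId"]
    by_prid = {p["ipSecIkeProposalPrid"]: p for p in proposal_table}
    return [by_prid[r["ipSecIkeProposalSetProposalId"]]
            for r in proposal_set_table
            if r["ipSecIkeProposalSetProposalSetId"] == set_id]


def check_association(assoc, proposal_set_table, proposal_table):
    """Return a list of problems; empty means the row is consistent with
    the constraints stated in the PIB descriptions."""
    problems = []
    if assoc["ipSecIkeAssociationExchangeMode"] not in (BASE_MODE, MAIN_MODE, AGGRESSIVE_MODE):
        problems.append("ipSecIkeAssociationExchangeMode must be 1, 2 or 4")
    props = proposals_of(assoc, proposal_set_table, proposal_table)
    if not props:
        problems.append("ipSecIkeAssociationIkeProposalSetId selects no proposals")
    # The preshared key serves every proposal of this association whose
    # authentication method is presharedKey(1), so it must be present then.
    needs_psk = any(p["ipSecIkeProposalAuthenticationMethod"] == PRESHARED_KEY
                    for p in props)
    if needs_psk and not assoc["ipSecIkeAssociationPresharedKey"]:
        problems.append("a proposal uses presharedKey(1) but "
                        "ipSecIkeAssociationPresharedKey is empty")
    return problems


# Constructed sample rows.
SAMPLE_PROPOSAL_TABLE = [
    {"ipSecIkeProposalPrid": 10, "ipSecIkeProposalAuthenticationMethod": PRESHARED_KEY},
    {"ipSecIkeProposalPrid": 11, "ipSecIkeProposalAuthenticationMethod": OTHER_METHOD},
]
SAMPLE_PROPOSAL_SET_TABLE = [
    {"ipSecIkeProposalSetPrid": 1, "ipSecIkeProposalSetProposalSetId": 5,
     "ipSecIkeProposalSetProposalId": 10, "ipSecIkeProposalSetOrder": 1},
    {"ipSecIkeProposalSetPrid": 2, "ipSecIkeProposalSetProposalSetId": 5,
     "ipSecIkeProposalSetProposalId": 11, "ipSecIkeProposalSetOrder": 2},
]
SAMPLE_IKE_ASSOC = {
    "ipSecIkeAssociationExchangeMode": AGGRESSIVE_MODE,
    "ipSecIkeAssociationAggressiveModeGroupId": 40000,   # vendor-specific range
    "ipSecIkeAssociationVendorId": b"",                  # no Vendor ID payload
    "ipSecIkeAssociationPresharedKey": b"",              # missing, yet proposal 10 needs it
    "ipSecIkeAssociationIkeProposalSetId": 5,
}

if __name__ == "__main__":
    print(effective_aggressive_group(SAMPLE_IKE_ASSOC))
    print(vendor_id_behaviour(SAMPLE_IKE_ASSOC, as_initiator=True))
    print(check_association(SAMPLE_IKE_ASSOC, SAMPLE_PROPOSAL_SET_TABLE,
                            SAMPLE_PROPOSAL_TABLE))
```

   The sample row is deliberately inconsistent: it selects a proposal set
   containing a presharedKey(1) proposal but carries no preshared key, so
   check_association reports exactly that; supplying the key makes the
   row clean, and changing the exchange mode to mainMode(2) makes the
   aggressive-mode group id inert.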

   --
   --
   -- The ipSecIkeProposalSetTable
   --

   ipSecIkeProposalSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE proposal sets. Proposals within a set are ORed with
   preference order. "
     ::= { ipSecIkeAssociation  4 }

   ipSecIkeProposalSetEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeProposalSetPrid }
     UNIQUENESS {
       ipSecIkeProposalSetProposalSetId,
       ipSecIkeProposalSetProposalId,
       ipSecIkeProposalSetOrder
       }
     ::= { ipSecIkeProposalSetTable 1 }

     IpSecIkeProposalSetEntry ::= SEQUENCE {
        ipSecIkeProposalSetPrid InstanceId,
        ipSecIkeProposalSetProposalSetId TagId,
        ipSecIkeProposalSetProposalId ReferenceId,
        ipSecIkeProposalSetOrder Unsigned16
   }

   ipSecIkeProposalSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeProposalSetEntry  1 }

   ipSecIkeProposalSetProposalSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IKE proposal set is composed of one or more IKE proposals.
   Each proposal belonging to the same set has the same
   ProposalSetId. "
     ::= { ipSecIkeProposalSetEntry  2 }

   ipSecIkeProposalSetProposalId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIkeProposalEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecIkeProposalTable."
     ::= { ipSecIkeProposalSetEntry  3 }

   ipSecIkeProposalSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the proposal
   identified by ipSecIkeProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecIkeProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A smaller
   integer value indicates a higher preference."
     ::= { ipSecIkeProposalSetEntry  4 }

   --
   --
   -- The ipSecIkeProposalTable
   --

   ipSecIkeProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE proposals."
     ::= { ipSecIkeAssociation  5 }

   ipSecIkeProposalEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeProposalPrid }
     UNIQUENESS {
       ipSecIkeProposalMaxLifetimeSeconds,
       ipSecIkeProposalMaxLifetimeKilobytes,
       ipSecIkeProposalCipherAlgorithm,
       ipSecIkeProposalHashAlgorithm,
       ipSecIkeProposalAuthenticationMethod,
       ipSecIkeProposalPrfAlgorithm,
       ipSecIkeProposalIkeDhGroup,
       ipSecIkeProposalVendorId
       }
     ::= { ipSecIkeProposalTable 1 }

     IpSecIkeProposalEntry ::= SEQUENCE {
        ipSecIkeProposalPrid InstanceId,
        ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
        ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
        ipSecIkeProposalCipherAlgorithm INTEGER,
        ipSecIkeProposalHashAlgorithm INTEGER,
        ipSecIkeProposalAuthenticationMethod INTEGER,
        ipSecIkeProposalPrfAlgorithm Unsigned16,
        ipSecIkeProposalIkeDhGroup Unsigned16,
        ipSecIkeProposalVendorId OCTET STRING
   }

   ipSecIkeProposalPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeProposalEntry  1 }

   ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime."
     ::= { ipSecIkeProposalEntry  2 }

   ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime."
     ::= { ipSecIkeProposalEntry  3 }

   ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       des-CBC(1),
       idea-CBC(2),
       blowfish-CBC(3),
       rc5-R16-B64-CBC(4),
       tripleDes-CBC(5),
       cast-CBC(6)
       }
     STATUS current
     DESCRIPTION
   "Specifies the encryption algorithm to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  4 }

   ipSecIkeProposalHashAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       md5(1),
       sha-1(2),
       tiger(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the hash algorithm to propose for the IKE association."
     ::= { ipSecIkeProposalEntry  5 }

   ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
     SYNTAX INTEGER {
       presharedKey(1),
       dssSignatures(2),
       rsaSignatures(3),
       rsaEncryption(4),
       revisedRsaEncryption(5),
       kerberos(6)
       }
     STATUS current
     DESCRIPTION
   "Specifies the authentication method to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  6 }

   ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  7 }

   ipSecIkeProposalIkeDhGroup OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the Diffie-Hellman group to propose for the IKE
   association. The value of this property is to be ignored when
   doing aggressive mode."
     ::= { ipSecIkeProposalEntry  8 }

   ipSecIkeProposalVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Further qualifies the key exchange group.  The property is
   ignored unless the exchange is not in aggressive mode and the
   property GroupID is in the vendor-specific range."
     ::= { ipSecIkeProposalEntry  9 }

   --
   --
   -- The ipSecIkePeerEndpointTable
   --

   ipSecIkePeerEndpointTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE peer endpoints."
     ::= { ipSecIkeAssociation  6 }

   ipSecIkePeerEndpointEntry OBJECT-TYPE
     SYNTAX IpSecIkePeerEndpointEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkePeerEndpointPrid }
     UNIQUENESS {
       ipSecIkePeerEndpointIdentityType,
       ipSecIkePeerEndpointIdentityValue,
       ipSecIkePeerEndpointAddressType,
       ipSecIkePeerEndpointAddress,
       ipSecIkePeerEndpointCredentialSetId
       }
     ::= { ipSecIkePeerEndpointTable 1 }

     IpSecIkePeerEndpointEntry ::= SEQUENCE {
        ipSecIkePeerEndpointPrid InstanceId,
        ipSecIkePeerEndpointIdentityType INTEGER,
        ipSecIkePeerEndpointIdentityValue OCTET STRING,
        ipSecIkePeerEndpointAddressType INTEGER,
        ipSecIkePeerEndpointAddress OCTET STRING,
        ipSecIkePeerEndpointCredentialSetId TagReferenceId
   }

   ipSecIkePeerEndpointPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkePeerEndpointEntry  1 }

   ipSecIkePeerEndpointIdentityType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the type of identity that MUST be provided by the peer
   in the ID payload during IKE phase one negotiation."
     ::= { ipSecIkePeerEndpointEntry  2 }

   ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the value to be matched with the ID payload provided by
   the peer during IKE phase one negotiation.

   Different wildcard mechanisms can be used as well as the
   prefix notation for IPv4 addresses depending on the ID payload:

   - an IdentityValue of "*@company.com" will match a user FQDN ID
   payload of "JDOE@COMPANY.COM"

   - an IdentityValue of "*.company.com" will match a FQDN ID payload
   of "WWW.COMPANY.COM"

   - an IdentityValue of "cn=*,ou=engineering,o=company,c=us" will
   match a DER DN ID payload of "cn=John Doe, ou=engineering,
   o=company, c=us"

   - an IdentityValue of "193.190.125.0/24" will match an IPv4
   address ID payload of 193.190.125.10.

   - an IdentityValue of "193.190.125.*" will also match an IPv4
   address ID payload of 193.190.125.10.

   The above wildcard mechanisms MUST be supported for all ID
   payloads supported by the local IKE entity.  The character "*"
   replaces 0 or multiple instances of any character."
     ::= { ipSecIkePeerEndpointEntry  3 }

   ipSecIkePeerEndpointAddressType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4(1),
       ipV6(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IKE peer endpoint address type. This attribute MUST
   be ignored if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkePeerEndpointEntry  4 }

   ipSecIkePeerEndpointAddress OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies an endpoint address with which this PEP establishes IKE
   association. This attribute is used only when the IKE association
   is to be started automatically. Hence, this attribute MUST be
   ignored if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkePeerEndpointEntry  5 }

   ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCredentialSetSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of credentials. Any one of the credentials in
   the set is acceptable as the IKE peer credential."
     ::= { ipSecIkePeerEndpointEntry  6 }

   --
   --
   -- The ipSecCredentialSetTable
   --

   ipSecCredentialSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies credential sets.

   For IKE peer credentials, any one of the credentials in the set is
   acceptable as peer credential during IKE phase 1 negotiation. For
   IKE local credentials, any one of the credentials in the set can
   be used in IKE phase 1 negotiation."
     ::= { ipSecCredential  1 }

   ipSecCredentialSetEntry OBJECT-TYPE
     SYNTAX IpSecCredentialSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCredentialSetPrid }
     UNIQUENESS {
       ipSecCredentialSetPrid,
       ipSecCredentialSetSetId,
       ipSecCredentialSetCredentialId
       }
     ::= { ipSecCredentialSetTable 1 }

     IpSecCredentialSetEntry ::= SEQUENCE {
        ipSecCredentialSetPrid InstanceId,
        ipSecCredentialSetSetId TagId,
        ipSecCredentialSetCredentialId ReferenceId
   }

   ipSecCredentialSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCredentialSetEntry  1 }

   ipSecCredentialSetSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "A credential set is composed of one or more credentials. Each
   credential belonging to the same set has the same
   CredentialSetId."
     ::= { ipSecCredentialSetEntry  2 }

   ipSecCredentialSetCredentialId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecCredentialEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecCredentialTable."
     ::= { ipSecCredentialSetEntry  3 }

   --
   --
   -- The ipSecCredentialTable
   --

   ipSecCredentialTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies credentials."
     ::= { ipSecCredential  2 }

   ipSecCredentialEntry OBJECT-TYPE
     SYNTAX IpSecCredentialEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCredentialPrid }
     UNIQUENESS {
       ipSecCredentialCredentialType,
       ipSecCredentialFieldsId,
       ipSecCredentialCrlDistributionPoint
       }
     ::= { ipSecCredentialTable 1 }

     IpSecCredentialEntry ::= SEQUENCE {
        ipSecCredentialPrid InstanceId,
        ipSecCredentialCredentialType INTEGER,
        ipSecCredentialFieldsId TagReferenceId,
        ipSecCredentialCrlDistributionPoint OCTET STRING
   }

   ipSecCredentialPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCredentialEntry  1 }

   ipSecCredentialCredentialType OBJECT-TYPE
     SYNTAX INTEGER {
       certificateX509(1),
       kerberos-ticket(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the type of credential to be matched."
     ::= { ipSecCredentialEntry  2 }

   ipSecCredentialFieldsId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCredentialFieldsSetId }
     STATUS current
     DESCRIPTION
   "Identifies a group of matching criteria to be used for the peer
   credential. The identified criteria MUST all be satisfied."
     ::= { ipSecCredentialEntry  3 }

   ipSecCredentialCrlDistributionPoint OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When credential type is certificate X509, this attribute
   identifies the Certificate Revocation List (CRL) distribution
   point for this credential."
     ::= { ipSecCredentialEntry  4 }

   --
   --
   -- The ipSecCredentialFieldsTable
   --

   ipSecCredentialFieldsTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies sets of credential sub-fields and their values to be
   matched against. "
     ::= { ipSecCredential  3 }

   ipSecCredentialFieldsEntry OBJECT-TYPE
     SYNTAX IpSecCredentialFieldsEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCredentialFieldsPrid }
     UNIQUENESS {
       ipSecCredentialFieldsName,
       ipSecCredentialFieldsValue,
       ipSecCredentialFieldsSetId
       }
     ::= { ipSecCredentialFieldsTable 1 }

     IpSecCredentialFieldsEntry ::= SEQUENCE {
        ipSecCredentialFieldsPrid InstanceId,
        ipSecCredentialFieldsName OCTET STRING,
        ipSecCredentialFieldsValue OCTET STRING,
        ipSecCredentialFieldsSetId TagId
   }

   ipSecCredentialFieldsPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCredentialFieldsEntry  1 }

   ipSecCredentialFieldsName OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the sub-field of the credential to match with. This is
   the string representation of an X.509 certificate attribute, e.g.
   "serialNumber", "issuerName", "subjectName", etc."
     ::= { ipSecCredentialFieldsEntry  2 }

   ipSecCredentialFieldsValue OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the value to match with for the sub-field identified by
   ipSecCredentialFieldsName. A wildcard mechanism can be used in the
   Value string. E.g., if the Name is "subjectName" then a Value of
   "cn=*,ou=engineering,o=foo,c=be" will match successfully a
   certificate whose subject attribute is "cn=Jane Doe,
   ou=engineering, o=foo, c=be".  The wildcard character '*' can be
   used to represent 0 or several characters."
     ::= { ipSecCredentialFieldsEntry  3 }
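   The "*" wildcard rules stated for ipSecIkePeerEndpointIdentityValue above and for ipSecCredentialFieldsValue here, carried out as one added example (not part of the PIB module). It assumes FQDN comparison is case-insensitive and DN comparison ignores whitespace after the separating commas, as the DESCRIPTION examples imply; the type constants are the ipSecIkePeerEndpointIdentityType enumeration values.

```python
"""Wildcard matching for ipSecIkePeerEndpointIdentityValue and
ipSecCredentialFieldsValue.  Added example, not part of the PIB module.
Assumptions (implied by the DESCRIPTION examples, not stated outright):
FQDN / user-FQDN comparison is case-insensitive, DN comparison ignores
whitespace after separating commas, and an IPv4 IdentityValue may use
prefix notation ("193.190.125.0/24") or a dotted form with "*"."""
import ipaddress
import re

# Values from the ipSecIkePeerEndpointIdentityType enumeration; only the
# types the wildcard examples in the PIB cover are handled here.
IPV4_ADDRESS, FQDN, USER_FQDN, DER_ASN1_DN = 1, 2, 3, 9


def _glob_to_regex(pattern):
    """Turn a string whose only wildcard is '*' (zero or more of any
    character) into an anchored regular expression."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def _normalize_dn(dn):
    """Strip whitespace around the commas between DN components, so that
    "cn=John Doe, ou=engineering" compares equal to "cn=John Doe,ou=engineering"."""
    return ",".join(part.strip() for part in dn.split(","))


def identity_matches(identity_type, identity_value, payload):
    """True if the ID payload sent by the peer satisfies the configured
    IdentityValue for the given ipSecIkePeerEndpointIdentityType."""
    if identity_type == IPV4_ADDRESS:
        if "/" in identity_value:
            # Prefix notation: "193.190.125.0/24" matches 193.190.125.10.
            net = ipaddress.IPv4Network(identity_value, strict=False)
            return ipaddress.IPv4Address(payload) in net
        # Dotted form with wildcards, e.g. "193.190.125.*": text match.
        return _glob_to_regex(identity_value).match(payload) is not None
    if identity_type in (FQDN, USER_FQDN):
        # "*@company.com" matches "JDOE@COMPANY.COM": compare case-folded.
        return _glob_to_regex(identity_value.lower()).match(payload.lower()) is not None
    if identity_type == DER_ASN1_DN:
        return _glob_to_regex(_normalize_dn(identity_value)).match(_normalize_dn(payload)) is not None
    raise ValueError("identity type %d not handled in this example" % identity_type)


def credential_fields_match(criteria, cert_fields):
    """ipSecCredentialFieldsTable semantics: every (Name, Value) criterion
    belonging to one set MUST be satisfied.  `criteria` is a list of
    (ipSecCredentialFieldsName, ipSecCredentialFieldsValue) pairs and
    `cert_fields` maps the certificate's attribute names to their string
    representation.  A missing attribute fails the match."""
    for name, value in criteria:
        actual = cert_fields.get(name)
        if actual is None:
            return False
        if name in ("subjectName", "issuerName"):
            ok = _glob_to_regex(_normalize_dn(value)).match(_normalize_dn(actual))
        else:
            ok = _glob_to_regex(value).match(actual)
        if not ok:
            return False
    return True
```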

   ipSecCredentialFieldsSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the set this criteria belongs to. All criteria within a
   set MUST all be satisfied."
     ::= { ipSecCredentialFieldsEntry  4 }

   --
   --
   -- The ipSecSelectorSetTable
   --

   ipSecSelectorSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecSelectorSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec selector sets."
     ::= { ipSecSelector  1 }

   ipSecSelectorSetEntry OBJECT-TYPE
     SYNTAX IpSecSelectorSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecSelectorSetPrid }
     UNIQUENESS {
       ipSecSelectorSetSelectorSetId,
       ipSecSelectorSetSelectorId,
       ipSecSelectorSetOrder
       }
     ::= { ipSecSelectorSetTable 1 }

     IpSecSelectorSetEntry ::= SEQUENCE {
        ipSecSelectorSetPrid InstanceId,
        ipSecSelectorSetSelectorSetId TagId,
        ipSecSelectorSetSelectorId Prid,
        ipSecSelectorSetOrder Unsigned16
   }

   ipSecSelectorSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecSelectorSetEntry  1 }

   ipSecSelectorSetSelectorSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPsec selector set is composed of one or more IPsec selectors.
   Each selector belonging to the same set has the same
   SelectorSetId."
     ::= { ipSecSelectorSetEntry  2 }

   ipSecSelectorSetSelectorId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table that describes
   selectors. To use selectors defined in this IPsec PIB module, this
   attribute MUST point to an instance in ipSecSelectorTable. This
   attribute may also point to an instance in a selector or filter
   table defined in other PIB modules."
     ::= { ipSecSelectorSetEntry  3 }

   ipSecSelectorSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the selectors
   identified by ipSecSelectorId within a selector set. The selector
   set is identified by ipSecSelectorSetId. A smaller integer value
   indicates a higher preference. All selectors constructed from the
   instance pointed by ipSecSelectorId have the same order."
     ::= { ipSecSelectorSetEntry  4 }

   --
   --
   -- The ipSecSelectorTable
   --

   ipSecSelectorTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecSelectorEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec selectors. Each row in the selector table
   represents multiple selectors. These selectors are obtained as
   follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
   fields. Then add to the combinations the ipSecSelectorProtocol,
   ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
   all the selectors.

   The relative order of the selectors constructed from a single row
   is unspecified. "
     ::= { ipSecSelector  2 }
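   The five-step expansion above, carried out as an added example that is not part of the PIB module: the row classes and the sample address, port and selector rows are constructed here, and the result is returned in product order because the PIB leaves the relative order of selectors from one row unspecified.

```python
"""Expansion of one ipSecSelectorTable row into the concrete selectors it
stands for, following the five steps in the table DESCRIPTION.  Added
example, not part of the PIB module; row classes and data are constructed."""
from dataclasses import dataclass
from itertools import product

ANY = "*"  # a wildcard field: group id 0, protocol 0, or DSCP -1


@dataclass(frozen=True)
class AddressRow:          # one ipSecAddressTable row
    addr_min: str
    addr_max: str          # "" (zero-length OCTET STRING) when no range
    addr_mask: str         # "" when no mask
    group_id: int          # ipSecAddressGroupId


@dataclass(frozen=True)
class L4PortRow:           # one ipSecL4PortTable row
    port_min: int
    port_max: int
    group_id: int          # ipSecL4PortGroupId


@dataclass(frozen=True)
class SelectorRow:         # one ipSecSelectorTable row
    src_address_group_id: int
    src_port_group_id: int
    dst_address_group_id: int
    dst_port_group_id: int
    protocol: int          # 0 = any protocol
    dscp: int              # -1 = match all
    flow_label: bytes      # b"" for IPv4 selectors


def _addresses(group_id, address_table):
    """Steps 1 and 2: every ipSecAddressTable row whose ipSecAddressGroupId
    matches; a group id of zero is the wildcard address."""
    if group_id == 0:
        return [ANY]
    return [r for r in address_table if r.group_id == group_id]


def _ports(group_id, port_table):
    """Steps 3 and 4: every ipSecL4PortTable row whose ipSecL4PortGroupId
    matches, as (min, max) ranges; a group id of zero is the wildcard port."""
    if group_id == 0:
        return [ANY]
    return [(r.port_min, r.port_max) for r in port_table if r.group_id == group_id]


def expand_selector(row, address_table, port_table):
    """Step 5: all combinations of the four substituted fields, each with
    the row's protocol, DSCP and flow label appended."""
    combos = product(
        _addresses(row.src_address_group_id, address_table),
        _ports(row.src_port_group_id, port_table),
        _addresses(row.dst_address_group_id, address_table),
        _ports(row.dst_port_group_id, port_table),
    )
    proto = ANY if row.protocol == 0 else row.protocol
    dscp = ANY if row.dscp == -1 else row.dscp
    return [(src, sp, dst, dp, proto, dscp, row.flow_label)
            for src, sp, dst, dp in combos]


# Constructed sample data: two source hosts in group 1, one destination
# subnet in group 2, two destination ports in group 7, any source port.
ADDRESS_TABLE = [
    AddressRow("10.1.1.5", "", "", 1),
    AddressRow("10.1.1.9", "", "", 1),
    AddressRow("192.0.2.0", "", "255.255.255.0", 2),
]
PORT_TABLE = [
    L4PortRow(80, 80, 7),
    L4PortRow(443, 443, 7),
    L4PortRow(22, 22, 8),
]
SAMPLE_ROW = SelectorRow(1, 0, 2, 7, 6, -1, b"")   # TCP, any DSCP, IPv4


def sample_selectors():
    """The four selectors the sample row expands to (2 sources x 2 ports)."""
    return expand_selector(SAMPLE_ROW, ADDRESS_TABLE, PORT_TABLE)


if __name__ == "__main__":
    for selector in sample_selectors():
        print(selector)
```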

   ipSecSelectorEntry OBJECT-TYPE
     SYNTAX IpSecSelectorEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecSelectorPrid }
     UNIQUENESS {
       ipSecSelectorSrcAddressGroupId,
       ipSecSelectorSrcPortGroupId,
       ipSecSelectorDstAddressGroupId,
       ipSecSelectorDstPortGroupId,
       ipSecSelectorProtocol,
       ipSecSelectorDscp,
       ipSecSelectorFlowLabel
       }
     ::= { ipSecSelectorTable 1 }

     IpSecSelectorEntry ::= SEQUENCE {
        ipSecSelectorPrid InstanceId,
        ipSecSelectorSrcAddressGroupId TagReferenceId,
        ipSecSelectorSrcPortGroupId TagReferenceId,
        ipSecSelectorDstAddressGroupId TagReferenceId,
        ipSecSelectorDstPortGroupId TagReferenceId,
        ipSecSelectorProtocol INTEGER,
        ipSecSelectorDscp INTEGER,
        ipSecSelectorFlowLabel OCTET STRING
   }

   ipSecSelectorPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecSelectorEntry  1 }

   ipSecSelectorSrcAddressGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecAddressGroupId }
     STATUS current
     DESCRIPTION
   "Indicates source addresses. All addresses in ipSecAddressTable
   whose ipSecAddressGroupId matches this value are included as
   source addresses.

   A value of zero indicates wildcard address, i.e., any address
   matches."
     ::= { ipSecSelectorEntry  2 }

   ipSecSelectorSrcPortGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecL4PortGroupId }
     STATUS current
     DESCRIPTION
   "Indicates source layer 4 port numbers. All ports in ipSecL4Port
   whose ipSecL4PortGroupId matches this value are included.

   A value of zero indicates wildcard port, i.e., any port number
   matches."
     ::= { ipSecSelectorEntry  3 }

   ipSecSelectorDstAddressGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecAddressGroupId }
     STATUS current
     DESCRIPTION
   "Indicates destination addresses. All addresses in
   ipSecAddressTable whose ipSecAddressGroupId matches this value are
   included as destination addresses.

   A value of zero indicates wildcard address, i.e., any address
   matches."
     ::= { ipSecSelectorEntry  4 }

   ipSecSelectorDstPortGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecL4PortGroupId }
     STATUS current
     DESCRIPTION
   "Indicates destination layer 4 port numbers. All ports in
   ipSecL4Port whose ipSecL4PortGroupId matches this value are
   included.

   A value of zero indicates wildcard port, i.e., any port number
   matches."
     ::= { ipSecSelectorEntry  5 }

   ipSecSelectorProtocol OBJECT-TYPE
     SYNTAX INTEGER (0..255)
     STATUS current
     DESCRIPTION
   "Specifies IP protocol to match against a packet's protocol. A
   value of zero indicates wildcard protocol, i.e., any protocol
   matches."
     ::= { ipSecSelectorEntry  6 }

   ipSecSelectorDscp OBJECT-TYPE
     SYNTAX INTEGER (-1..63)
     STATUS current
     DESCRIPTION
   "Specifies the DSCP value to match against the DSCP in a packet
   header. A value of -1 indicates match all."
     ::= { ipSecSelectorEntry  7 }

   ipSecSelectorFlowLabel OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the Flow Label to match against the Flow Label field in
   the IPv6 header of a packet. This attribute MUST be a zero length
   OCTET STRING when specifying selectors for IPv4 packets."
     ::= { ipSecSelectorEntry  8 }

   --
   --
   -- The ipSecAddressTable
   --

   ipSecAddressTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAddressEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IP addresses. To specify a single IP address,
   ipSecAddressAddrMin MUST be specified. To specify a range of
   addresses, both ipSecAddressAddrMin and ipSecAddressAddrMax MUST
   be specified. To specify a subnet, both ipSecAddressAddrMin and
   ipSecAddressAddrMask MUST be specified. "
     ::= { ipSecSelector  3 }

   ipSecAddressEntry OBJECT-TYPE
     SYNTAX IpSecAddressEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAddressPrid }
     UNIQUENESS {
       ipSecAddressAddressType,
       ipSecAddressAddrMask,
       ipSecAddressAddrMin,
       ipSecAddressAddrMax,
       ipSecAddressGroupId
       }
     ::= { ipSecAddressTable 1 }

     IpSecAddressEntry ::= SEQUENCE {
        ipSecAddressPrid InstanceId,
        ipSecAddressAddressType INTEGER,
        ipSecAddressAddrMask OCTET STRING,
        ipSecAddressAddrMin OCTET STRING,
        ipSecAddressAddrMax OCTET STRING,
        ipSecAddressGroupId TagId
   }

   ipSecAddressPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecAddressEntry  1 }

   ipSecAddressAddressType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the address type. "
     ::= { ipSecAddressEntry  2 }

   ipSecAddressAddrMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "A mask for the matching of the IP address. A zero bit in the mask
   means that the corresponding bit in the address always matches.

   This attribute MUST be ignored when ipSecAddressAddressType is not
   of IPv4 or IPv6 type."
     ::= { ipSecAddressEntry  3 }

   ipSecAddressAddrMin OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies an IP address. "
     ::= { ipSecAddressEntry  4 }

   ipSecAddressAddrMax OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "If a range of addresses is used then this specifies the ending
   address. The type of this address must be the same as the
   ipSecAddressAddrMin.

   If no range is specified then this attribute MUST be a zero length
   OCTET STRING."
     ::= { ipSecAddressEntry  5 }

   ipSecAddressGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this IP address, address range or subnet
   address belongs to."
     ::= { ipSecAddressEntry  6 }

   --
   --
   -- The ipSecL4PortTable
   --

   ipSecL4PortTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecL4PortEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies layer four port numbers."
     ::= { ipSecSelector  4 }

   ipSecL4PortEntry OBJECT-TYPE
     SYNTAX IpSecL4PortEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecL4PortPrid }
     UNIQUENESS {
       ipSecL4PortPortMin,
       ipSecL4PortPortMax,
       ipSecL4PortGroupId
       }
     ::= { ipSecL4PortTable 1 }

     IpSecL4PortEntry ::= SEQUENCE {
        ipSecL4PortPrid InstanceId,
        ipSecL4PortPortMin Unsigned16,
        ipSecL4PortPortMax Unsigned16,
        ipSecL4PortGroupId TagId
   }

   ipSecL4PortPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecL4PortEntry  1 }

   ipSecL4PortPortMin OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies a layer 4 port or the first layer 4 port number of a
   range of ports. The value of this attribute must be less than or
   equal to that of ipSecL4PortPortMax.

   A value of zero indicates any port matches."
     ::= { ipSecL4PortEntry  2 }

   ipSecL4PortPortMax OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the last layer 4 port in the range. If only a single
   port is specified, the value of this attribute must be equal to
   that of ipSecL4PortPortMin. Otherwise, the value of this attribute
   MUST be greater than that specified by ipSecL4PortPortMin.

   If ipSecL4PortPortMin is zero, this attribute MUST be ignored."
     ::= { ipSecL4PortEntry  3 }

   ipSecL4PortGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this port or port range belongs to."
     ::= { ipSecL4PortEntry  4 }
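
   The address and port selector rows defined above can be evaluated
   against a packet as follows. This is an added example and not code
   from the draft or from any IPSP implementation. It assumes that the
   OCTET STRING attributes carry raw network-order address bytes, treats
   an empty ipSecAddressAddrMask as an all-ones (exact match) mask, and
   leaves the FQDN, DN and key-id address types to an external resolver;
   the helper packed() and the sample rows are constructed for the example.

```python
import ipaddress

# ipSecAddressAddressType enumeration values from the draft
IPV4_ADDRESS, IPV4_SUBNET, IPV6_ADDRESS, IPV6_SUBNET = 1, 4, 5, 6
IPV4_ADDRESS_RANGE, IPV6_ADDRESS_RANGE = 7, 8
RANGE_TYPES = {IPV4_ADDRESS_RANGE, IPV6_ADDRESS_RANGE}
IP_TYPES = RANGE_TYPES | {IPV4_ADDRESS, IPV4_SUBNET, IPV6_ADDRESS, IPV6_SUBNET}


def packed(text):
    """Network-order bytes of an IPv4/IPv6 literal (helper, assumption)."""
    return ipaddress.ip_address(text).packed


def address_matches(addr_type, addr_mask, addr_min, addr_max, pkt_addr):
    """Evaluate one ipSecAddressTable row against a packet address.

    addr_mask, addr_min and addr_max are the row's OCTET STRING attributes
    as raw network-order bytes; pkt_addr is the packet address in the same
    form. Malformed rows raise ValueError rather than silently matching.
    """
    if addr_type not in IP_TYPES:
        # fqdn, user-Fqdn, DER DN/GN and key-Id selectors need a resolver
        raise NotImplementedError("non-IP address types are not matched here")
    if len(pkt_addr) != len(addr_min):
        return False                       # an IPv4 row never matches an IPv6 packet
    if addr_type in RANGE_TYPES:
        if len(addr_max) != len(addr_min):
            raise ValueError("AddrMax must have the same type as AddrMin")
        # equal-length network-order byte strings order like unsigned integers
        return addr_min <= pkt_addr <= addr_max
    if addr_max:
        raise ValueError("AddrMax MUST be zero length when no range is used")
    # Assumption: an empty mask is an exact match (all-ones mask).
    mask = addr_mask or b"\xff" * len(addr_min)
    if len(mask) != len(addr_min):
        raise ValueError("AddrMask length must equal the address length")
    # A zero bit in the mask means the corresponding address bit always matches.
    return all((p & m) == (a & m) for p, a, m in zip(pkt_addr, addr_min, mask))


def port_row_is_valid(port_min, port_max):
    """ipSecL4PortTable ordering rules: PortMin <= PortMax, PortMax equal to
    PortMin for a single port, PortMax ignored when PortMin is zero."""
    if not (0 <= port_min <= 0xFFFF and 0 <= port_max <= 0xFFFF):
        return False                       # not an Unsigned16
    return port_min == 0 or port_max >= port_min


def port_matches(port_min, port_max, pkt_port):
    """Evaluate one ipSecL4PortTable row against a packet's port."""
    if not port_row_is_valid(port_min, port_max):
        raise ValueError("PortMin/PortMax violate the ordering rule")
    if port_min == 0:
        return True                        # zero: any port matches
    return port_min <= pkt_port <= port_max


if __name__ == "__main__":
    # Constructed sample rows, not taken from the draft
    subnet_row = (IPV4_SUBNET, packed("255.255.0.0"), packed("10.1.0.0"), b"")
    print(address_matches(*subnet_row, packed("10.1.200.7")))   # True
    print(port_matches(0, 0, 443))                               # True
```

   Rejecting a row with a non-empty AddrMax for a non-range type, or a
   PortMax below PortMin, at evaluation time is deliberate: a selector that
   is silently widened or narrowed by a malformed row is harder to audit
   than one that fails closed.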

   --
   --
   -- The ipSecIpsoFilterSetTable
   --

   ipSecIpsoFilterSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPSO filter sets."
     ::= { ipSecSelector  5 }

   ipSecIpsoFilterSetEntry OBJECT-TYPE
     SYNTAX IpSecIpsoFilterSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIpsoFilterSetPrid }
     UNIQUENESS {
       ipSecIpsoFilterSetFilterSetId,
       ipSecIpsoFilterSetFilterId,
       ipSecIpsoFilterSetOrder
       }
     ::= { ipSecIpsoFilterSetTable 1 }

     IpSecIpsoFilterSetEntry ::= SEQUENCE {
        ipSecIpsoFilterSetPrid InstanceId,
        ipSecIpsoFilterSetFilterSetId TagId,
        ipSecIpsoFilterSetFilterId ReferenceId,
        ipSecIpsoFilterSetOrder Unsigned16
   }

   ipSecIpsoFilterSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIpsoFilterSetEntry  1 }

   ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPSO filter set is composed of one or more IPSO filters. Each
   filter belonging to the same set has the same FilterSetId."
     ::= { ipSecIpsoFilterSetEntry  2 }

   ipSecIpsoFilterSetFilterId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIpsoFilterEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecIpsoFilterTable."
     ::= { ipSecIpsoFilterSetEntry  3 }

   ipSecIpsoFilterSetOrder OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the filter
   identified by ipSecIpsoFilterSetFilterId within a filter set. The
   filter set is identified by ipSecIpsoFilterSetFilterSetId. A
   smaller integer value indicates a higher preference."
     ::= { ipSecIpsoFilterSetEntry  4 }

   --
   --
   -- The ipSecIpsoFilterTable
   --

   ipSecIpsoFilterTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPSO filters."
     ::= { ipSecSelector  6 }

   ipSecIpsoFilterEntry OBJECT-TYPE
     SYNTAX IpSecIpsoFilterEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIpsoFilterPrid }
     UNIQUENESS {
       ipSecIpsoFilterMatchConditionType,
       ipSecIpsoFilterClassificationLevel,
       ipSecIpsoFilterProtectionAuthority
       }
     ::= { ipSecIpsoFilterTable 1 }

     IpSecIpsoFilterEntry ::= SEQUENCE {
        ipSecIpsoFilterPrid InstanceId,
        ipSecIpsoFilterMatchConditionType INTEGER,
        ipSecIpsoFilterClassificationLevel INTEGER,
        ipSecIpsoFilterProtectionAuthority INTEGER
   }

   ipSecIpsoFilterPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIpsoFilterEntry  1 }

   ipSecIpsoFilterMatchConditionType OBJECT-TYPE
     SYNTAX INTEGER {
       classificationLevel(1),
       protectionAuthority(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPSO header field to be matched."
     ::= { ipSecIpsoFilterEntry  2 }

   ipSecIpsoFilterClassificationLevel OBJECT-TYPE
     SYNTAX INTEGER {
       topSecret(61),
       secret(90),
       confidential(150),
       unclassified(171)
       }
     STATUS current
     DESCRIPTION
   "Specifies the value for classification level to be matched
   against. This attribute MUST be ignored if
   ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)."
     ::= { ipSecIpsoFilterEntry  3 }

   ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
     SYNTAX INTEGER {
       genser(0),
       siop-esi(1),
       sci(2),
       nsa(3),
       doe(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the value for protection authority to be matched
   against. This attribute MUST be ignored if
   ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority).
   "
     ::= { ipSecIpsoFilterEntry  4 }

   --
   --
   -- The ipSecRuleTimePeriodTable
   --

   ipSecRuleTimePeriodTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the time periods during which a policy rule is valid.
   The values of the first five attributes in a row are ANDed
   together to determine the validity period(s). If any of the five
   attributes is not present, it is treated as having value always
   enabled.  "
     ::= { ipSecPolicyTimePeriod  1 }

   ipSecRuleTimePeriodEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecRuleTimePeriodPrid }
     UNIQUENESS {
       ipSecRuleTimePeriodTimePeriod,
       ipSecRuleTimePeriodMonthOfYearMask,
       ipSecRuleTimePeriodDayOfMonthMask,
       ipSecRuleTimePeriodDayOfWeekMask,
       ipSecRuleTimePeriodTimeOfDayMask,
       ipSecRuleTimePeriodLocalOrUtcTime
       }
     ::= { ipSecRuleTimePeriodTable 1 }

     IpSecRuleTimePeriodEntry ::= SEQUENCE {
        ipSecRuleTimePeriodPrid InstanceId,
        ipSecRuleTimePeriodTimePeriod OCTET STRING,
        ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
        ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
        ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
        ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
        ipSecRuleTimePeriodLocalOrUtcTime INTEGER
   }

   ipSecRuleTimePeriodPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodEntry  1 }

   ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that identifies an overall range of calendar
   dates and times over which a policy rule is valid.  It reuses the
   format for an explicit time period defined in RFC 2445 : a string
   representing a starting date and time, in which the character 'T'
   indicates the beginning of the time portion, followed by the
   solidus character '/', followed by a similar string representing
   an end date and time.  The first date indicates the beginning of
   the range, while the second date indicates the end.  Thus, the
   second date and time must be later than the first.  Date/times are
   expressed as substrings of the form yyyymmddThhmmss.

   There are also two special cases:

   -  If the first date/time is replaced with the string
   THISANDPRIOR, then the property indicates that a policy rule is
   valid [from now] until the date/time that appears after the '/'.

   - If the second date/time is replaced with the string
   THISANDFUTURE, then the property indicates that a policy rule
   becomes valid on the date/time that appears before the '/', and
   remains valid from that point on.
   "
     ::= { ipSecRuleTimePeriodEntry  2 }

   ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which months the policy is valid
   for.  The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000006 for this
   property;

   - a 2-octet field consisting of 12 bits identifying the 12 months
   of the year, beginning with January and ending with December,
   followed by 4 bits that are always set to '0'.  For each month,
   the value '1' indicates that the policy is valid for that month,
   and the value '0' indicates that it is not valid.

   If this property is omitted, then the policy rule is treated as
   valid for all twelve months."
     ::= { ipSecRuleTimePeriodEntry  3 }

   ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which days of the month the policy
   is valid for. The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire octet
   string; this field is always set to 0x0000000C for this property;

   - an 8-octet field consisting of 31 bits identifying the days of
   the month counting from the beginning, followed by 31 more bits
   identifying the days of the month counting from the end, followed
   by 2 bits that are always set to '0'.  For each day, the value '1'
   indicates that the policy is valid for that day, and the value '0'
   indicates that it is not valid.

   For months with fewer than 31 days, the digits corresponding to
   days that the months do not have (counting in both directions) are
   ignored.
   "
     ::= { ipSecRuleTimePeriodEntry  4 }

   ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which days of the week the policy
   is valid for. The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000005 for this
   property;

   - a 1-octet field consisting of 7 bits identifying the 7 days of
   the week, beginning with Sunday and ending with Saturday, followed
   by 1 bit that is always set to '0'.  For each day of the week, the
   value '1' indicates that the policy is valid for that day, and the
   value '0' indicates that it is not valid.
   "
     ::= { ipSecRuleTimePeriodEntry  5 }

   ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies a range of times in a day the
   policy is valid for. It is formatted as follows:

   A time string beginning with the character 'T', followed by the
   solidus character '/', followed by a second time string.  The
   first time indicates the beginning of the range, while the second
   time indicates the end.  Times are expressed as substrings of the
   form Thhmmss.

   The second substring always identifies a later time than the first
   substring.  To allow for ranges that span midnight, however, the
   value of the second string may be smaller than the value of the
   first substring.  Thus, T080000/T210000 identifies the range from
   0800 until 2100, while T210000/T080000 identifies the range from
   2100 until 0800 of the following day."
     ::= { ipSecRuleTimePeriodEntry  6 }

   ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
     SYNTAX INTEGER {
       localTime(1),
       utcTime(2)
       }
     STATUS current
     DESCRIPTION
   "This property indicates whether the times represented in this
   table represent local times or UTC times.  There is no provision
   for mixing of local times and UTC times:  the value of this
   property applies to all of the other time-related properties."
     ::= { ipSecRuleTimePeriodEntry  7 }

   --
   --
   -- The ipSecRuleTimePeriodSetTable
   --

   ipSecRuleTimePeriodSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies time period sets. The ipSecRuleTimePeriodTable can
   specify only a single time period within a day. This table enables
   the specification of multiple time periods within a day by
   grouping them into one set. "
     ::= { ipSecPolicyTimePeriod  2 }

   ipSecRuleTimePeriodSetEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecRuleTimePeriodSetPrid }
     UNIQUENESS {
       ipSecRuleTimePeriodSetRuleTimePeriodSetId,
       ipSecRuleTimePeriodSetRuleTimePeriodId
       }
     ::= { ipSecRuleTimePeriodSetTable 1 }

     IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
        ipSecRuleTimePeriodSetPrid InstanceId,
        ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
        ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
   }

   ipSecRuleTimePeriodSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodSetEntry  1 }

   ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that uniquely identifies an ipSecRuleTimePeriod set."
     ::= { ipSecRuleTimePeriodSetEntry  2 }

   ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecRuleTimePeriodEntry }
     STATUS current
     DESCRIPTION
   "An integer that identifies an ipSecRuleTimePeriod, specified by
   ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
   included in this set."
     ::= { ipSecRuleTimePeriodSetEntry  3 }
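
   The five time attributes of the ipSecRuleTimePeriodTable (ANDed
   together) and the grouping done by the ipSecRuleTimePeriodSetTable can
   be evaluated as shown below. This is an added example, not code from
   the draft or from any implementation. The encode_* helpers, the row
   dictionaries, inclusive range endpoints, ORing a day's from-start and
   from-end bits, and ORing the members of a set are assumptions made for
   the example; the timestamp is assumed to already be expressed in the
   base named by ipSecRuleTimePeriodLocalOrUtcTime, and the sample rows
   are constructed.

```python
import calendar
from datetime import datetime

# ipSecRuleTimePeriodLocalOrUtcTime enumeration values from the draft
LOCAL_TIME, UTC_TIME = 1, 2
FMT = "%Y%m%dT%H%M%S"                      # yyyymmddThhmmss


def _mask(total_len, payload_bits, set_bits):
    """Build a mask OCTET STRING: a 4-octet length field holding the length
    of the whole string, then a big-endian bit field in which index 0 is
    the most significant payload bit (January, day 1, Sunday)."""
    payload = 0
    for b in set_bits:
        payload |= 1 << (payload_bits - 1 - b)
    return total_len.to_bytes(4, "big") + payload.to_bytes(total_len - 4, "big")


def encode_month_of_year_mask(months):        # 1 = January .. 12 = December
    return _mask(6, 16, [m - 1 for m in months])   # 12 month bits + 4 zero bits


def encode_day_of_month_mask(from_start=(), from_end=()):
    # 31 bits counted from the start, 31 counted from the end (1 = last day), 2 zero bits
    return _mask(12, 64, [d - 1 for d in from_start] + [30 + d for d in from_end])


def encode_day_of_week_mask(days):            # 0 = Sunday .. 6 = Saturday
    return _mask(5, 8, list(days))                 # 7 day bits + 1 zero bit


def _mask_bit(data, total_len, index):
    """Read payload bit `index` after checking the mandatory length field."""
    if len(data) != total_len or int.from_bytes(data[:4], "big") != total_len:
        raise ValueError("mask length field disagrees with the draft")
    nbits = (total_len - 4) * 8
    return (int.from_bytes(data[4:], "big") >> (nbits - 1 - index)) & 1 == 1


def parse_time_period(text):
    """'yyyymmddThhmmss/yyyymmddThhmmss', with THISANDPRIOR / THISANDFUTURE
    standing in for an open start or end. Returns (start, end), None = open."""
    start_s, end_s = text.split("/")
    start = None if start_s == "THISANDPRIOR" else datetime.strptime(start_s, FMT)
    end = None if end_s == "THISANDFUTURE" else datetime.strptime(end_s, FMT)
    if start and end and end <= start:
        raise ValueError("second date/time must be later than the first")
    return start, end


def _seconds(t):                              # 'Thhmmss' -> seconds since midnight
    if len(t) != 7 or t[0] != "T":
        raise ValueError("time must have the form Thhmmss")
    return int(t[1:3]) * 3600 + int(t[3:5]) * 60 + int(t[5:7])


def rule_valid_at(row, when):
    """AND the five time attributes of one ipSecRuleTimePeriodTable row.
    `row` maps attribute names (ipSecRuleTimePeriod prefix dropped) to values;
    a missing attribute is 'always enabled'. `when` is a yyyymmddThhmmss
    string or a naive datetime already in the base LocalOrUtcTime names
    (assumption: the caller does the local/UTC conversion)."""
    if isinstance(when, str):
        when = datetime.strptime(when, FMT)
    if "TimePeriod" in row:
        start, end = parse_time_period(row["TimePeriod"])
        if (start and when < start) or (end and when > end):
            return False
    if "MonthOfYearMask" in row and not _mask_bit(row["MonthOfYearMask"], 6, when.month - 1):
        return False
    if "DayOfMonthMask" in row:
        last = calendar.monthrange(when.year, when.month)[1]
        # Assumption: a day is valid if its from-start bit or its from-end
        # bit is set; bits for days the month does not have are never read.
        if not (_mask_bit(row["DayOfMonthMask"], 12, when.day - 1)
                or _mask_bit(row["DayOfMonthMask"], 12, 31 + last - when.day)):
            return False
    if "DayOfWeekMask" in row:
        sunday0 = (when.weekday() + 1) % 7     # Python: Monday = 0; draft: Sunday first
        if not _mask_bit(row["DayOfWeekMask"], 5, sunday0):
            return False
    if "TimeOfDayMask" in row:
        lo, hi = (_seconds(t) for t in row["TimeOfDayMask"].split("/"))
        now = when.hour * 3600 + when.minute * 60 + when.second
        # A second value smaller than the first means the range spans midnight
        # (T210000/T080000); endpoints are taken as inclusive (assumption).
        if not (lo <= now <= hi if lo <= hi else now >= lo or now <= hi):
            return False
    return True


def set_valid_at(rows, when):
    """ipSecRuleTimePeriodSetTable groups several periods of one day.
    Assumption: the rule is valid whenever any member period is valid."""
    return any(rule_valid_at(r, when) for r in rows)


# Constructed sample rows (not from the draft): weekday office hours from
# 1 February 2002 onward, and a night window that spans midnight.
OFFICE = {"TimePeriod": "20020201T000000/THISANDFUTURE",
          "DayOfWeekMask": encode_day_of_week_mask([1, 2, 3, 4, 5]),
          "TimeOfDayMask": "T080000/T180000", "LocalOrUtcTime": LOCAL_TIME}
NIGHT = {"TimeOfDayMask": "T210000/T080000", "LocalOrUtcTime": LOCAL_TIME}

if __name__ == "__main__":
    print(rule_valid_at(OFFICE, "20020205T090000"))           # Tuesday 09:00: True
    print(set_valid_at([OFFICE, NIGHT], "20020205T233000"))   # 23:30: True via NIGHT
```

   Checking the 4-octet length field before reading any mask bit matters
   because a PDP and PEP that disagree on the field's presence would shift
   every month, day and weekday bit by 32 positions and schedule the rule
   at the wrong times without any error.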

   --
   --
   -- The ipSecIfCapsTable
   --

   ipSecIfCapsTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIfCapsEntry
     PIB-ACCESS notify
     STATUS current
     DESCRIPTION
   "Specifies capabilities that may be associated with an interface
   of a specific type. The instances of this table are referenced by
   the frwkIfCapSetCapability attribute of the frwkIfCapSetTable
   [FR-PIB]."
     ::= { ipSecIfCapability  1 }

   ipSecIfCapsEntry OBJECT-TYPE
     SYNTAX IpSecIfCapsEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIfCapsPrid }
     UNIQUENESS {
       ipSecIfCapsDirection,
       ipSecIfCapsMaxIpSecActions,
       ipSecIfCapsMaxIkeActions
       }
     ::= { ipSecIfCapsTable 1 }

     IpSecIfCapsEntry ::= SEQUENCE {
        ipSecIfCapsPrid InstanceId,
        ipSecIfCapsDirection INTEGER,
        ipSecIfCapsMaxIpSecActions Unsigned16,
        ipSecIfCapsMaxIkeActions Unsigned16
   }

   ipSecIfCapsPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIfCapsEntry  1 }

   ipSecIfCapsDirection OBJECT-TYPE
     SYNTAX INTEGER {
       in(1),
       out(2),
       bi-directional(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the direction for which this capability applies."
     ::= { ipSecIfCapsEntry  2 }

   ipSecIfCapsMaxIpSecActions OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the maximum number of actions an IPsec action set may
   contain. IPsec action sets are specified by the
   ipSecActionSetTable.

   A value of zero indicates that there is no maximum limit."
     ::= { ipSecIfCapsEntry  3 }

   ipSecIfCapsMaxIkeActions OBJECT-TYPE
     SYNTAX Unsigned16
     STATUS current
     DESCRIPTION
   "Specifies the maximum number of actions an IKE action set may
   contain. IKE action sets are specified by the
   ipSecIkeActionSetTable.

   A value of zero indicates that there is no maximum limit."
     ::= { ipSecIfCapsEntry  4 }

   --
   --
   -- Conformance Section
   --

   ipSecPolicyPibConformanceCompliances
       OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }

   ipSecPolicyPibConformanceGroups
       OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }

   IPsecPibCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
   "        Compliance statement"
        MODULE -- this module
           MANDATORY-GROUPS {
           ipSecRuleGroup,
           ipSecActionSetGroup,
           ipSecStaticActionGroup,
           ipSecNegotiationActionGroup,
           ipSecAssociationGroup,
           ipSecProposalSetGroup,
           ipSecProposalGroup,
           ipSecAhTransformSetGroup,
           ipSecAhTransformGroup,
           ipSecEspTransformSetGroup,
           ipSecEspTransformGroup,
           ipSecCompTransformSetGroup,
           ipSecCompTransformGroup,
           ipSecIkeAssociationGroup,
           ipSecIkeProposalSetGroup,
           ipSecIkeProposalGroup,
           ipSecIkePeerEndpointGroup,
           ipSecCredentialSetGroup,
           ipSecCredentialGroup,
           ipSecCredentialFieldsGroup,
           ipSecSelectorSetGroup,
           ipSecSelectorGroup,
           ipSecAddressGroup,
           ipSecL4PortGroup,
           ipSecIfCapsGroup
           }

       GROUP ipSecIkeRuleGroup
           DESCRIPTION
   "This group is mandatory if any of the following is supported: 1)
   multiple IKE phase one actions (e.g., with different exchange
   modes) are associated with an IPsec rule. These actions are to be
   tried in sequence until one succeeds; 2) IKE phase one actions that
   start automatically."

       GROUP ipSecIkeActionSetGroup
           DESCRIPTION
   "This group is mandatory if any of the following is supported: 1)
   multiple IKE phase one actions (e.g., with different exchange
   modes) are associated with an IPsec rule. These actions are to be
   tried in sequence until one succeeds; 2) IKE phase one actions that
   start automatically."

       GROUP ipSecIpsoFilterSetGroup
           DESCRIPTION
   "This group is mandatory if IPSO filter is supported."

       GROUP ipSecIpsoFilterGroup
           DESCRIPTION
   "This group is mandatory if IPSO filter is supported."

       GROUP ipSecRuleTimePeriodGroup
           DESCRIPTION
   "This group is mandatory if policy scheduling is supported."

       GROUP ipSecRuleTimePeriodSetGroup
           DESCRIPTION
   "This group is mandatory if policy scheduling is supported."

       OBJECT ipSecRuleipSecIpsoFilterSetId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleLimitNegotiation
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleAutoStart
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleIpSecRuleTimePeriodGroupId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecActionSetDoActionLogging
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecActionSetDoPacketLogging
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationMinLifetimeSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationMinLifetimeKilobytes
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationIdleDurationSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationUseKeyExchangeGroup
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationGranularity
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAhTransformUseReplayPrevention
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAhTransformReplayPreventionWindowSize
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAhTransformVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformCipherKeyRounds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformCipherKeyLength
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformUseReplayPrevention
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformReplayPreventionWindowSize
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecCompTransformDictionarySize
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecCompTransformPrivateAlgorithm
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecCompTransformVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationMinLiftetimeSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationMinLifetimeKilobytes
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationIdleDurationSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationPresharedKey
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "An integer that uniquely identifies an ipSecRuleTimePeriod set.
   "
     ::= { ipSecRuleTimePeriodSetEntry  2 }

   ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
     SYNTAX ReferenceId
     STATUS current              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "An integer that identifies an ipSecRuleTimePeriod, specified by
   ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that
   "              Support of this attribute is
   included in optional"

       OBJECT ipSecIkeAssociationAggressiveModeGroupId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this set."
     ::= { ipSecRuleTimePeriodSetEntry  3 }

   --
   --
   -- The ipSecIfCapsTable
   --

   ipSecIfCapsTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIfCapsEntry
     PIB-ACCESS install
     STATUS current attribute is optional"

       OBJECT ipSecIkeAssociationLocalCredentialId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "Specifies capabilities that may be associated with an interface
   "              Support of a specific type. The instances this attribute is optional"

       OBJECT ipSecIkeAssociationDoActionLogging
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this table are referenced by
   the frwkIfCapSetCapability attribute is optional"

       OBJECT ipSecIkeProposalPrfAlgorithm
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of the frwkIfCapSetTable [FR-
   PIB]."
     INDEX { ipSecIfCapsPrid }
     UNIQUENESS {
       ipSecIfCapsDirection,
       ipSecIfCapsMaxActions
       }
     ::= { ipSecIfCaps  1 }

   ipSecIfCapsEntry OBJECT-TYPE
     SYNTAX IpSecIfCapsEntry
     STATUS current this attribute is optional"

       OBJECT ipSecIkeProposalVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "Specifies an instance
   "              Support of this class"
     ::= { ipSecIfCapsTable 1 } attribute is optional"

       OBJECT ipSecIkePeerEndpointAddressType
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkePeerEndpointAddress
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIfCapsMaxIkeActions

   Li, et al            Expires January, August, 2002                      58                       80
                    IPsec Policy Information Base          July, 2001

     IpSecIfCapsEntry ::= SEQUENCE      February, 2002

       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleActionExecutionStrategy
       SYNTAX INTEGER {
        ipSecIfCapsPrid InstanceId,
        ipSecIfCapsDirection INTEGER,
        ipSecIfCapsMaxActions Unsigned32
         doAll(1)
         }

   ipSecIfCapsPrid OBJECT-TYPE
       DESCRIPTION
   "              Support of doUntilSuccess(2) is not required"

       OBJECT ipSecStaticActionAction
       SYNTAX InstanceId
     STATUS current INTEGER {
         byPass(1),
         discard(2),
         preConfiguredTransport(4),
         preConfiguredTunnel(5)
         }
       DESCRIPTION
   "An integer index to uniquely identify an instance
   "              Support of this class." ikeRejection(3) is not required"

       ::= { ipSecPolicyPibConformanceCompliances 1 }

   ipSecRuleGroup OBJECT-GROUP
       OBJECTS {
          ipSecRuleIfName,
          ipSecRuleRoles,
          ipSecRuleDirection,
          ipSecRuleIpSecSelectorSetId,
          ipSecRuleipSecIpsoFilterSetId,
          ipSecRuleIpSecActionSetId,
          ipSecRuleActionExecutionStrategy,
          ipSecRuleOrder,
          ipSecRuleLimitNegotiation,
          ipSecRuleAutoStart,
          ipSecRuleIpSecRuleTimePeriodGroupId
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecRuleTable."
       ::= { ipSecIfCapsEntry ipSecPolicyPibConformanceGroups  1 }

   ipSecIfCapsDirection OBJECT-TYPE
     SYNTAX INTEGER

   ipSecActionSetGroup OBJECT-GROUP
       OBJECTS {
       in(1),
       out(2),
       bi-directional(3)
          ipSecActionSetActionSetId,
          ipSecActionSetActionId,
          ipSecActionSetDoActionLogging,
          ipSecActionSetDoPacketLogging,
          ipSecActionSetOrder
          }
       STATUS current
       DESCRIPTION
   "Specifies the direction for which
   "Objects from the capability applies." ipSecActionSetTable."

   Li, et al            Expires August, 2002                       81
                    IPsec Policy Information Base      February, 2002

       ::= { ipSecIfCapsEntry ipSecPolicyPibConformanceGroups  2 }

   ipSecIfCapsMaxActions OBJECT-TYPE
     SYNTAX Unsigned32

   ipSecStaticActionGroup OBJECT-GROUP
       OBJECTS {
          ipSecStaticActionAction,
          ipSecStaticActionTunnelEndpointId,
          ipSecStaticActionDfHandling,
          ipSecStaticActionSpi,
          ipSecStaticActionLifetimeSeconds,
          ipSecStaticActionLifetimeKilobytes,
          ipSecStaticActionSaTransformId
          }
       STATUS current
       DESCRIPTION
   "Specifies the maxmum number of actions an action group may
   contain. Actions that are specified in the ipSecActionTable and
   have the same ipSecActionActionGroupId value belong to
   "Objects from the same
   action group.

   A value of zero indicates that there is no maximum limit." ipSecStaticActionTable."
       ::= { ipSecIfCapsEntry ipSecPolicyPibConformanceGroups  3 }

   --
   --
   -- Conformance Section
   --

   ipSecPolicyPibConformanceCompliances
       OBJECT IDENTIFIER ::=

   ipSecNegotiationActionGroup OBJECT-GROUP
       OBJECTS { ipSecPolicyPibConformance 1
          ipSecNegotiationActionAction,
          ipSecNegotiationActionTunnelEndpointId,
          ipSecNegotiationActionDfHandling,
          ipSecNegotiationActionIpSecSecurityAssociationId,
          ipSecNegotiationActionKeyExchangeId
          }

   ipSecPolicyPibConformanceGroups
       OBJECT IDENTIFIER
       STATUS current
       DESCRIPTION
   "Objects from the ipSecNegotiationActionTable."
       ::= { ipSecPolicyPibConformance 2 ipSecPolicyPibConformanceGroups  4 }

   ipSecAssociationGroup OBJECT-GROUP
       OBJECTS {
          ipSecAssociationMinLifetimeSeconds,
          ipSecAssociationMinLifetimeKilobytes,
          ipSecAssociationIdleDurationSeconds,
          ipSecAssociationUsePfs,
          ipSecAssociationVendorId,
          ipSecAssociationUseKeyExchangeGroup,
          ipSecAssociationDhGroup,
          ipSecAssociationGranularity,
          ipSecAssociationProposalSetId
          }

   IPSecPibCompilance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
   "        Compliance statement"
       MODULE MANDATORY-GROUPS
   "Objects from the ipSecAssociationTable."
       ::= { ipSecPolicyPibConformanceGroups  5 }

   ipSecProposalSetGroup OBJECT-GROUP
       OBJECTS {
          ipSecProposalSetProposalSetId,
          ipSecProposalSetProposalId,
          ipSecProposalSetOrder
          }

   Li, et al            Expires January, August, 2002                      59                       82
                    IPsec Policy Information Base          July, 2001

           ipSecAddressGroup,
           ipSecL4PortGroup,
           ipSecSelectorGroup,
           ipSecRuleGroup,
           ipSecActionGroup,
           ipSecAssociationGroup,
           ipSecProposalSetGroup,
           ipSecProposalGroup,
           ipSecIkeAssociationGroup,
           ipSecIkeRuleGroup,
           ipSecIkeProposalSetGroup,
           ipSecIkeProposalGroup,
           ipSecIkeEndpointGroup,
           ipSecPeerCredentialGroup,
           ipSecCredentialFieldsGroup,
           ipSecEspTransformSetGroup,
           ipSecEspTransformGroup,
           ipSecAhTransformSetGroup,
           ipSecAhTransformGroup,
           ipSecCompTransformSetGroup,
           ipSecCompTransformGroup,
           ipSecIfCapsGroup,      February, 2002

       STATUS current
       DESCRIPTION
   "Objects from the ipSecProposalSetTable."
       ::= { ipSecPolicyPibConformanceGroups  6 }

       GROUP ipSecRuleTimePeriodGroup

   ipSecProposalGroup OBJECT-GROUP
       OBJECTS {
          ipSecProposalEspTransformSetId,
          ipSecProposalAhTransformSetId,
          ipSecProposalCompTransformSetId
          }
       STATUS current
       DESCRIPTION
   "The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is
   supported."
       GROUP ipSecRuleTimePeriodSetGroup
   "Objects from the ipSecProposalTable."
       ::= { ipSecPolicyPibConformanceGroups  7 }

   ipSecAhTransformSetGroup OBJECT-GROUP
       OBJECTS {
          ipSecAhTransformSetTransformSetId,
          ipSecAhTransformSetTransformId,
          ipSecAhTransformSetOrder
          }
       STATUS current
       DESCRIPTION
   "The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling
   is supported."
   "Objects from the ipSecAhTransformSetTable."
       ::= { ipSecPolicyPibConformanceCompliances 1 ipSecPolicyPibConformanceGroups  8 }

   ipSecAddressGroup

   ipSecAhTransformGroup OBJECT-GROUP
       OBJECTS {
           AddressType,
           AddrMask,
           AddrMin,
           AddrMax,
           GroupId
          ipSecAhTransformTransformId,
          ipSecAhTransformIntegrityKey,
          ipSecAhTransformUseReplayPrevention,
          ipSecAhTransformReplayPreventionWindowSize,
          ipSecAhTransformVendorId,
          ipSecAhTransformMaxLifetimeSeconds,
          ipSecAhTransformMaxLifetimeKilobytes
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecAddressTable." ipSecAhTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  1  9 }
   ipSecL4PortGroup

   ipSecEspTransformSetGroup OBJECT-GROUP
       OBJECTS {
           PortMin,
           PortMax,
           GroupId
          ipSecEspTransformSetTransformSetId,
          ipSecEspTransformSetTransformId,
          ipSecEspTransformSetOrder
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecEspTransformSetTable."
       ::= { ipSecPolicyPibConformanceGroups  10 }

   Li, et al            Expires January, August, 2002                      60                       83
                    IPsec Policy Information Base          July, 2001

       DESCRIPTION
   "    Objects from the ipSecL4PortTable."
       ::= { ipSecPolicyPibConformanceGroups  2 }
   ipSecSelectorGroup      February, 2002

   ipSecEspTransformGroup OBJECT-GROUP
       OBJECTS {
           SrcAddressGroupId,
           SrcPortGroupId,
           DstAddressGroupId,
           DstPortGroupId,
           Protocol,
           Granularity,
           Order,
           StartupCondition,
           IsOriginator,
           GroupId
          ipSecEspTransformIntegrityTransformId,
          ipSecEspTransformCipherTransformId,
          ipSecEspTransformIntegrityKey,
          ipSecEspTransformCipherKey,
          ipSecEspTransformCipherKeyRounds,
          ipSecEspTransformCipherKeyLength,
          ipSecEspTransformUseReplayPrevention,
          ipSecEspTransformReplayPreventionWindowSize,
          ipSecEspTransformVendorId,
          ipSecEspTransformMaxLifetimeSeconds,
          ipSecEspTransformMaxLifetimeKilobytes
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecSelectorTable." ipSecEspTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  3  11 }
   ipSecRuleGroup

   ipSecCompTransformSetGroup OBJECT-GROUP
       OBJECTS {
           IfName,
           Roles,
           Direction,
           IpSecSelectorGroupId,
           IpSecActionGroupId,
           IpSecRuleTimePeriodGroupId
          ipSecCompTransformSetTransformSetId,
          ipSecCompTransformSetTransformId,
          ipSecCompTransformSetOrder
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecRuleTable." ipSecCompTransformSetTable."
       ::= { ipSecPolicyPibConformanceGroups  4  12 }
   ipSecActionGroup

   ipSecCompTransformGroup OBJECT-GROUP
       OBJECTS {
           Action,
           TunnelEndpointId,
           DfHandling,
           DoLogging,
           IpSecSecurityAssociationId,
           ActionGroupId,
           Order,
           IkeRuleId
          ipSecCompTransformAlgorithm,
          ipSecCompTransformDictionarySize,
          ipSecCompTransformPrivateAlgorithm,
          ipSecCompTransformVendorId,
          ipSecCompTransformMaxLifetimeSeconds,
          ipSecCompTransformMaxLifetimeKilobytes
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecActionTable." ipSecCompTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  5}
   ipSecAssociationGroup  13 }

   ipSecIkeRuleGroup OBJECT-GROUP
       OBJECTS {
           RefreshThresholdSeconds,
           RefreshThresholdKilobytes,
           MinLifetimeSeconds,
          ipSecIkeRuleIfName,
          ipSecIkeRuleRoles,
          ipSecIkeRuleIkeActionSetId,
          ipSecIkeRuleActionExecutionStrategy,
          ipSecIkeRuleLimitNegotiation,
          ipSecIkeRuleAutoStart,
          ipSecIkeRuleIpSecRuleTimePeriodGroupId

   Li, et al            Expires January, August, 2002                      61                       84
                    IPsec Policy Information Base          July, 2001

           MinLifetimeKilobytes,
           TrafficIdleTime,
           UsePfs,
           VendorId,
           UseIkeGroup,
           DhGroup,
           ProposalSetId      February, 2002

          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecSecurityAssociationTable." ipSecIkeRuleTable."
       ::= { ipSecPolicyPibConformanceGroups  6  14 }
   ipSecProposalSetGroup

   ipSecIkeActionSetGroup OBJECT-GROUP
       OBJECTS {
           ProposalSetId,
           ProposalId,
           Order
          ipSecIkeActionSetActionSetId,
          ipSecIkeActionSetActionId,
          ipSecIkeActionSetOrder
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecProposalSetTable." ipSecIkeActionSetTable."
       ::= { ipSecPolicyPibConformanceGroups  7  15 }
   ipSecProposalGroup

   ipSecIkeAssociationGroup OBJECT-GROUP
       OBJECTS {
           LifetimeKilobytes,
           LifetimeSeconds,
           VendorId,
           EspTransformSetId,
           AhTransformSetId,
           CompTransformSetId
          ipSecIkeAssociationMinLiftetimeSeconds,
          ipSecIkeAssociationMinLifetimeKilobytes,
          ipSecIkeAssociationIdleDurationSeconds,
          ipSecIkeAssociationExchangeMode,
          ipSecIkeAssociationUseIkeIdentityType,
          ipSecIkeAssociationUseIkeIdentityValue,
          ipSecIkeAssociationIkePeerEndpoint,
          ipSecIkeAssociationPresharedKey,
          ipSecIkeAssociationVendorId,
          ipSecIkeAssociationAggressiveModeGroupId,
          ipSecIkeAssociationLocalCredentialId,
          ipSecIkeAssociationDoActionLogging,
          ipSecIkeAssociationIkeProposalSetId
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecProposalTable." ipSecIkeAssociationTable."
       ::= { ipSecPolicyPibConformanceGroups  8  16 }
   ipSecIkeAssociationGroup

   ipSecIkeProposalSetGroup OBJECT-GROUP
       OBJECTS {
           RefreshThresholdSeconds,
           RefreshThresholdKilobytes,
           MinLiftetimeSeconds,
           MinLifetimeKilobytes,
           TrafficIdleTime,
           ExchangeMode,
           UseIkeIdentityType,
           RefreshThresholdDerivedKeys,
           IKEProposalSetId
          ipSecIkeProposalSetProposalSetId,
          ipSecIkeProposalSetProposalId,
          ipSecIkeProposalSetOrder
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecIkeAssociationTable." ipSecIkeProposalSetTable."
       ::= { ipSecPolicyPibConformanceGroups  9  17 }
   ipSecIkeRuleGroup

   ipSecIkeProposalGroup OBJECT-GROUP
       OBJECTS {
          ipSecIkeProposalMaxLifetimeSeconds,
          ipSecIkeProposalMaxLifetimeKilobytes,

   Li, et al            Expires January, August, 2002                      62                       85
                    IPsec Policy Information Base          July, 2001

           IfName,
           Roles,
           IkeAssiciationId,
           IpSecRuleTimePeriodGroupId,
           IkeEndpointGroupId      February, 2002

          ipSecIkeProposalCipherAlgorithm,
          ipSecIkeProposalHashAlgorithm,
          ipSecIkeProposalAuthenticationMethod,
          ipSecIkeProposalPrfAlgorithm,
          ipSecIkeProposalIkeDhGroup,
          ipSecIkeProposalVendorId
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecIkeRuleTable." ipSecIkeProposalTable."
       ::= { ipSecPolicyPibConformanceGroups  10  18 }
   ipSecIkeProposalSetGroup

   ipSecIkePeerEndpointGroup OBJECT-GROUP
       OBJECTS {
           ProposalSetId,
           ProposalId,
           Order
          ipSecIkePeerEndpointIdentityType,
          ipSecIkePeerEndpointIdentityValue,
          ipSecIkePeerEndpointAddressType,
          ipSecIkePeerEndpointAddress,
          ipSecIkePeerEndpointCredentialSetId
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecIkeProposalSetTable." ipSecIkePeerEndpointTable."
       ::= { ipSecPolicyPibConformanceGroups  11  19 }
   ipSecIkeProposalGroup

   ipSecCredentialSetGroup OBJECT-GROUP
       OBJECTS {
           MaxLifetimeSeconds,
           MaxLifetimeKilobytes,
           CipherAlgorithm,
           HashAlgorithm,
           AuthenticationMethod,
           LifetimeDerivedKeys,
           PrfAlgorithm,
           VendorId,
           IkeDhGroup
          ipSecCredentialSetSetId,
          ipSecCredentialSetCredentialId
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecIkeProposalTable." ipSecCredentialSetTable."
       ::= { ipSecPolicyPibConformanceGroups  12  20 }
   ipSecIkeEndpointGroup

   ipSecCredentialGroup OBJECT-GROUP
       OBJECTS {
           IdentityType,
           Identity,
           AddressType,
           Address,
           PeerCredentialId,
           StartupCondition,
           IsOriginator,
           GroupId
          ipSecCredentialCredentialType,
          ipSecCredentialFieldsId,
          ipSecCredentialCrlDistributionPoint
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecIkeEndpointTable." ipSecCredentialTable."
       ::= { ipSecPolicyPibConformanceGroups  13  21 }
   ipSecPeerCredentialGroup

   ipSecCredentialFieldsGroup OBJECT-GROUP
       OBJECTS {
          ipSecCredentialFieldsName,
          ipSecCredentialFieldsValue,
          ipSecCredentialFieldsSetId
          }
       STATUS current

   Li, et al            Expires January, August, 2002                      63                       86
                    IPsec Policy Information Base          July, 2001

           CredentialType,
           FieldsGroupId,
           GroupId
          }
       STATUS current      February, 2002

       DESCRIPTION
   "    Objects
   "Objects from the ipSecPeerCredentialTable." ipSecCredentialFieldsTable."
       ::= { ipSecPolicyPibConformanceGroups  14  22 }
   ipSecCredentialFieldsGroup

   ipSecSelectorSetGroup OBJECT-GROUP
       OBJECTS {
           Name,
           Value,
           GroupId
          ipSecSelectorSetSelectorSetId,
          ipSecSelectorSetSelectorId,
          ipSecSelectorSetOrder
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecCredentialFieldsTable." ipSecSelectorSetTable."
       ::= { ipSecPolicyPibConformanceGroups  15  23 }
   ipSecEspTransformSetGroup

   ipSecSelectorGroup OBJECT-GROUP
       OBJECTS {
           TransformSetId,
           TransformId,
           Order
          ipSecSelectorSrcAddressGroupId,
          ipSecSelectorSrcPortGroupId,
          ipSecSelectorDstAddressGroupId,
          ipSecSelectorDstPortGroupId,
          ipSecSelectorProtocol,
          ipSecSelectorDscp,
          ipSecSelectorFlowLabel
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecEspTransformSetTable." ipSecSelectorTable."
       ::= { ipSecPolicyPibConformanceGroups  16  24 }
   ipSecEspTransformGroup

   ipSecAddressGroup OBJECT-GROUP
       OBJECTS {
           IntegrityTransformId,
           CipherTransformId,
           CipherKeyRounds,
           CipherKeyLength,
           UseReplayPrevention,
           ReplayPreventionWindowSize
          ipSecAddressAddressType,
          ipSecAddressAddrMask,
          ipSecAddressAddrMin,
          ipSecAddressAddrMax,
          ipSecAddressGroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecEspTransformTable." ipSecAddressTable."
       ::= { ipSecPolicyPibConformanceGroups  17  25 }
   ipSecAhTransformSetGroup

   ipSecL4PortGroup OBJECT-GROUP
       OBJECTS {
           TransformSetId,
           TransformId,
           Order
          ipSecL4PortPortMin,
          ipSecL4PortPortMax,
          ipSecL4PortGroupId
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecAhTransformSetTable." ipSecL4PortTable."
       ::= { ipSecPolicyPibConformanceGroups  18  26 }
   ipSecAhTransformGroup OBJECT-GROUP
       OBJECTS {

   Li, et al            Expires January, August, 2002                      64                       87
                    IPsec Policy Information Base          July, 2001

           TransformId,
           UseReplayPrevention,
           ReplayPreventionWindowSize
          }
       STATUS current
       DESCRIPTION
   "    Objects from the ipSecAhTransformTable."
       ::= { ipSecPolicyPibConformanceGroups  19 }
   ipSecCompTransformSetGroup      February, 2002

   ipSecIpsoFilterSetGroup OBJECT-GROUP
       OBJECTS {
           TransformSetId,
           TransformId,
           Order
          ipSecIpsoFilterSetFilterSetId,
          ipSecIpsoFilterSetFilterId,
          ipSecIpsoFilterSetOrder
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecCompTransformSetTable." ipSecIpsoFilterSetTable."
       ::= { ipSecPolicyPibConformanceGroups  20  27 }
   ipSecCompTransformGroup

   ipSecIpsoFilterGroup OBJECT-GROUP
       OBJECTS {
           Algorithm,
           DictionarySize,
           PrivateAlgorithm
          ipSecIpsoFilterMatchConditionType,
          ipSecIpsoFilterClassificationLevel,
          ipSecIpsoFilterProtectionAuthority
          }
       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecCompTransformTable." ipSecIpsoFilterTable."
       ::= { ipSecPolicyPibConformanceGroups  21  28 }

   ipSecRuleTimePeriodGroup OBJECT-GROUP
       OBJECTS {
           TimePeriod,
           MonthOfYearMask,
           DayOfMonthMask,
           DayOfWeekMask,
           TimeOfDayMask,
           LocalOrUtcTime
          ipSecRuleTimePeriodTimePeriod,
          ipSecRuleTimePeriodMonthOfYearMask,
          ipSecRuleTimePeriodDayOfMonthMask,
          ipSecRuleTimePeriodDayOfWeekMask,
          ipSecRuleTimePeriodTimeOfDayMask,
          ipSecRuleTimePeriodLocalOrUtcTime
          }
       STATUS current
       DESCRIPTION
   "    The ipSecRuleTimePeriodGroup is mandatory if policy
   scheduling is supported."
   "Objects from the ipSecRuleTimePeriodTable."
       ::= { ipSecPolicyPibConformanceGroups  22  29 }

   ipSecRuleTimePeriodSetGroup OBJECT-GROUP
       OBJECTS {
           RuleTimePeriodSetId,
           RuleTimePeriodId
          ipSecRuleTimePeriodSetRuleTimePeriodSetId,
          ipSecRuleTimePeriodSetRuleTimePeriodId
          }
       STATUS current
       DESCRIPTION
   "    The ipSecRuleTimePeriodSetGroup is mandatory if policy
   scheduling is supported."
   "Objects from the ipSecRuleTimePeriodSetTable."
       ::= { ipSecPolicyPibConformanceGroups  23  30 }

   ipSecIfCapsGroup OBJECT-GROUP
       OBJECTS {
          ipSecIfCapsDirection,
          ipSecIfCapsMaxIpSecActions,
          ipSecIfCapsMaxIkeActions
          }

   Li, et al            Expires January, August, 2002                      65                       88
                    IPsec Policy Information Base          July, 2001

       OBJECTS {
           Direction,
           MaxActions
          }      February, 2002

       STATUS current
       DESCRIPTION
   "    Objects
   "Objects from the ipSecIfCapsTable.." ipSecIfCapsTable."
       ::= { ipSecPolicyPibConformanceGroups  24  31 }

END
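   The conformance section above fixes, per OBJECT-GROUP, which attributes
   a compliant PEP must implement, while the MODULE-COMPLIANCE OBJECT
   refinements (PIB-MIN-ACCESS not-accessible, or a narrowed SYNTAX) relax
   some of them. The following Python is an added example, not code from
   the draft: it parses groups and refinements from a constructed excerpt
   that reuses the draft's object names (ipSecRuleGroup is deliberately
   left out of the excerpt so the cross-check fires), lists what each
   group still requires, and flags refinements that name no grouped object
   or groups that reuse an OID.

```python
"""Audit the conformance section of an SPPI PIB module (added example, not
code from the IPsec PIB draft): parse OBJECT-GROUP clauses and the
MODULE-COMPLIANCE OBJECT refinements, then list what a compliant PEP must
still support per group.  PIB_EXCERPT is a constructed excerpt reusing the
draft's object names; ipSecRuleGroup is deliberately left out of it so the
cross-check has something to report.
"""
import re

PIB_EXCERPT = """
       OBJECT ipSecIkePeerEndpointAddress
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIfCapsMaxIkeActions
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleActionExecutionStrategy
       SYNTAX INTEGER {
         doAll(1)
         }
       DESCRIPTION
   "              Support of doUntilSuccess(2) is not required"

       ::= { ipSecPolicyPibConformanceCompliances 1 }

   ipSecIkePeerEndpointGroup OBJECT-GROUP
       OBJECTS {
          ipSecIkePeerEndpointIdentityType,
          ipSecIkePeerEndpointIdentityValue,
          ipSecIkePeerEndpointAddressType,
          ipSecIkePeerEndpointAddress,
          ipSecIkePeerEndpointCredentialSetId
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecIkePeerEndpointTable."
       ::= { ipSecPolicyPibConformanceGroups  19 }

   ipSecIfCapsGroup OBJECT-GROUP
       OBJECTS {
          ipSecIfCapsDirection,
          ipSecIfCapsMaxIpSecActions,
          ipSecIfCapsMaxIkeActions
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecIfCapsTable."
       ::= { ipSecPolicyPibConformanceGroups  31 }
"""

# An OBJECT-GROUP: name, member list, parent node and OID suffix.
GROUP_RE = re.compile(
    r"(\w+)\s+OBJECT-GROUP\s+OBJECTS\s*\{([^}]*)\}.*?"
    r"::=\s*\{\s*(\w+)\s+(\d+)\s*\}", re.S)
# An OBJECT refinement: name, then its body up to the next OBJECT clause.
REFINE_RE = re.compile(r"OBJECT\s+(\w+)\s+(.*?)(?=\n\s*OBJECT\s|\Z)", re.S)
COMPLIANCE_END = "::= { ipSecPolicyPibConformanceCompliances"

def parse_groups(text):
    """Return {group: (parent, oid_suffix, [objects])}."""
    groups = {}
    for name, objs, parent, suffix in GROUP_RE.findall(text):
        members = [o.strip() for o in objs.split(",") if o.strip()]
        groups[name] = (parent, int(suffix), members)
    return groups

def parse_refinements(text):
    """Return {object: 'optional' | 'restricted'} from the compliance statement."""
    head = text.split(COMPLIANCE_END, 1)[0]  # refinements precede the ::=
    result = {}
    for obj, body in REFINE_RE.findall(head):
        # not-accessible lets a PEP omit the attribute; a narrowed SYNTAX does not.
        optional = "PIB-MIN-ACCESS not-accessible" in body
        result[obj] = "optional" if optional else "restricted"
    return result

def mandatory_objects(groups, refinements):
    """Per group, the attributes a compliant PEP must fully support."""
    return {g: [o for o in members if refinements.get(o) != "optional"]
            for g, (_, _, members) in groups.items()}

def audit(text):
    """Return (groups, refinements, problems) for a module's conformance text."""
    groups = parse_groups(text)
    refinements = parse_refinements(text)
    known = {o for _, _, members in groups.values() for o in members}
    # A refinement must name an object that some OBJECT-GROUP declares.
    problems = [f"refinement for {obj} names no grouped object"
                for obj in refinements if obj not in known]
    # Two groups must not claim the same OID under the same parent.
    seen = {}
    for g, (parent, suffix, _) in groups.items():
        if (parent, suffix) in seen:
            problems.append(f"{g} reuses {parent} {suffix} of {seen[parent, suffix]}")
        seen[parent, suffix] = g
    return groups, refinements, problems
```

   Run against the full module text, the same functions show at a glance which
   policy attributes a PDP cannot rely on every PEP honouring.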

7. Security Considerations

   Since COPS is used to carry the PIB defined in this document, the
   security and protection of the information can be provided by
   either COPS or a combination of COPS and other security protocols,
   e.g., IPsec or TLS.

8. References

   [1] S. Bradner, "The Internet Standards Process -- Revision 3", BCP
   9, RFC 2026, October 1996.

   [2] S. Bradner, "Key words for use in RFCs to Indicate Requirement
   Levels", BCP 14, RFC 2119, March 1997.

   [AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
   November 1998.

   [ARCH] S. Kent, R. Atkinson, "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

   [ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
   Scheduling Core Object Specification (iCalendar)", RFC 2445,
   November 1998.

   [COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.

   [COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
   Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", RFC 3084, March 2001.

   [DOI] D. Piper, "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
   Smith, F. Reichmeyer, "Framework Policy Information Base", draft-
   ietf-rap-frameworkpib-06.txt, November 2001.

   [IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC
   2409, November 1998.

   [IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
   Compression Protocol (IPComp)", RFC 2393, August 1998.

   [IPSEC-IM] J. Jason, L. Rafalow, E. Vyncke, "IPsec Configuration
   Policy Model", draft-ietf-ipsp-config-policy-model-04.txt, November
   2001.

   [ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner,
   "Internet Security Association and Key Management Protocol
   (ISAKMP)", RFC 2408, November 1998.

   [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
   Model -- Version 1 Specification", RFC 3060, February 2000.

   [SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
   Smith, F. Reichmeyer, "Structure of Policy Provisioning
   Information", RFC 3159, August 2001.

9. Authors' Addresses

   Man Li
   Nokia
   5 Wayside Road,
   Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   David Arneson
   Email: dla@mediaone.net

   Avri Doria
   Div. of Computer Communications
   Lulea University of Technology
   SE-971 87
   Lulea, Sweden
   Phone: +46 920 49 3030
   Email: avri@sm.luth.se

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   Phone: +1 503 264 9531
   Email: jamie.jason@intel.com

   Cliff Wang
   SmartPipes Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   Phone: +1 614 923 6241
   Email: CWang@smartpipes.com

   Markus Stenberg
   SSH Communications Security Corp.
   Fredrikinkatu 42
   FIN-00100 Helsinki, Finland
   Phone: +358 20 500 7466
   Email: markus.stenberg@ssh.com

   Full Copyright Statement

   "Copyright (C) The Internet Society (date). All Rights Reserved.
   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared,
   copied, published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright notice
   and this paragraph are included on all such copies and derivative
   works. However, this document itself may not be modified in any
   way, such as by removing the copyright notice or references to the
   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into.

Table of Contents

1. Introduction                                                      2
2. Operation Overview                                                2
3. Structure of IPsec PIB                                            3
3.1 IPsec association group                                          3
3.2 AH, ESP and COMP transform groups                                5
3.3 IKE association group                                            5
3.4 Credential group                                                 6
3.5 Selector group                                                   6
3.6 Policy time period group                                         7
3.7 Interface capability group                                       7
4. Summary of the IPsec PIB                                          8
4.1 ipSecAssociation group                                           8
4.1.1 ipSecRuleTable                                                 8
4.1.2 ipSecActionSetTable                                            8
4.1.3 ipSecStaticActionTable                                         8
4.1.4 ipSecNegotiationActionTable                                    8
4.1.5 ipSecAssociationTable                                          8
4.1.6 ipSecProposalSetTable                                          8
4.1.7 ipSecProposalTable                                             8
4.2 ipSecAhTransform group                                           8
4.2.1 ipSecAhTransformSetTable                                       8
4.2.2 ipSecAhTransformTable                                          8
4.3 ipSecEspTransform group                                          8
4.3.1 ipSecEspTransformSetTable                                      8
4.3.2 ipSecEspTransformTable                                         8
4.4 ipSecCompTransform group                                         9
4.4.1 ipSecCompTransformSetTable                                     9
4.4.2 ipSecCompTransformTable                                        9
4.5 ipSecIkeAssociation group                                        9
4.5.1 ipSecIkeRuleTable                                              9
4.5.2 ipSecIkeActionSetTable                                         9
4.5.3 ipSecIkeAssociationTable                                       9
4.5.4 ipSecIkeProposalSetTable                                       9
4.5.5 ipSecIkeProposalTable                                          9

4.5.6 ipSecIkePeerEndpointTable                                      9
4.6 ipSecCredential group                                            9
4.6.1 ipSecCredentialSetTable                                        9
4.6.2 ipSecCredentialTable                                           9
4.6.3 ipSecCredentialFieldsTable                                     9
4.7 ipSecSelector group                                              9
4.7.1 ipSecSelectorSetTable                                          9
4.7.2 ipSecSelectorTable                                             9
4.7.3 ipSecAddressTable                                              10
4.7.4 ipSecL4PortTable                                               10
4.7.5 ipSecIpsoFilterSetTable                                        10
4.7.6 ipSecIpsoFilterTable                                           10
4.8 ipSecPolicyTimePeriod group                                      10
4.8.1 ipSecRuleTimePeriodTable                                       10
4.8.2 ipSecRuleTimePeriodSetTable                                    10
4.9 ipSecIfCapability group                                          10
4.9.1 ipSecIfCapsTable                                               10
4.10 ipSecPolicyPibConformance group                                 10
5. The IPsec PIB Module                                              10
6. Security Considerations                                           89
7. References                                                        89
8. Author's Addresses                                                90
