draft-ietf-ipsp-ipsecpib-04.txt   draft-ietf-ipsp-ipsecpib-05.txt 
ipsp working group                                            Man Li
Internet Draft                                                 Nokia
Expires February 2003                                  David Arneson
                                                                 N/A
                                                          Avri Doria
                                                                 LTU
                                                         Jamie Jason
                                                               Intel
                                                          Cliff Wang
                                                           SmartPipe
                                                     Markus Stenberg
                                                                 SSH
                                                         August 2002

                    IPsec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-05.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of

   skipping to change at line 52

   configuring IPsec policy at IPsec-enabled devices (e.g., security
   gateways). Instances of these classes reside in a virtual
   information store called the IPsec Policy Information Base (PIB).
   The COPS protocol [5] with extensions for provisioning [6] is used
   to transmit this IPsec policy information to IPsec-enabled
   devices. The PRCs defined in this IPsec PIB are intended for use
   by the COPS-PR IPsec client type. These PRCs are in addition to
   any other PIBs that may be defined for the IPsec client type, as
   well as the PRCs defined in the Framework PIB [9].

Li, et al                Expires February, 2003                      1

IPsec Policy Information Base                           August, 2002

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC-2119 [2].
1. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for IKE phase one and phase two negotiations. Details
   of these parameters can be found in [3], [7], [8], [10], [11],
   [12] and [14]. The PIB defined in this document is based on the
   IPsec configuration policy model [12]. The rule and role approach
   proposed in [13], which scales to large networks, is adopted for
   distributing IPsec policy over the COPS-PR protocol [6].

2. Operation Overview

   Following the policy framework convention [13], the management
   entity that downloads policy to IPsec-enabled devices will be
   called a Policy Decision Point (PDP) and the target IPsec-enabled
   devices will be called Policy Enforcement Points (PEP).

   skipping to change at line 105

   Based on the interface capabilities and role combinations, the PDP
   provides the PEP with IPsec policy information. Later on, if any
   of the interface capabilities or role combinations of the PEP
   change, the PEP notifies the PDP. The PDP will then send a new set
   of IPsec policy information to the PEP. In addition, if the policy
   associated with a given interface capability and role combination
   changes, the PDP will deliver the new IPsec policy to all the PEPs
   that have registered with that interface capability and role
   combination.
3. Structure of IPsec PIB

   An IPsec policy consists of an ordered list of IPsec rules. Each
   rule is composed of a set of conditions and a set of actions. If a
   packet matches any of the conditions, the actions will be applied
   accordingly.

   The IPsec PIB module consists of nine groups. The selector group
   describes conditions to be associated with IPsec rules. The IPsec
   association group, AH transform group, ESP transform group, COMP
   transform group, IKE association group and the credential group
   together describe actions to be associated with IPsec rules. The
   policy time period group specifies time periods during which a
   rule is valid. The interface capability group is used by a PEP to
   report the capabilities associated with its interface types.

   Each of the nine groups is discussed in the following sections.

3.1 IPsec association group

   This group specifies IPsec Security Associations.

3.1.1 IPsec rules

   The ipSecRuleTable is the starting point for specifying an IPsec
   policy. It contains an ordered list of IPsec rules. Each rule is
   associated with IfName, Roles and Direction attributes to indicate
   the interface type and role combinations as well as the direction
   of the interface to which this rule is to be applied. Each rule
   points to a set of selectors and, optionally, a set of IPSO
   filters to indicate the conditions associated with this rule. In
   addition, each rule has a pointer to a set of actions to indicate
   the actions associated with this rule. Hence if a packet matches a
   selector in the selector set and, if the reference to the IPSO

   skipping to change at line 162

   execution of a single action.

   For example, in a nested Security Associations case the actions of
   an initiator's rule might be structured as:

   ExecutionStrategy='Do All'
    |
    +---1--- IPsecTunnelAction    // set up SA from host to gateway
    |
    +---2--- IPsecTransportAction // set up SA from host through
                                  // tunnel to remote host

   Another example, showing a rule with fallback actions, might be
   structured as:

   ExecutionStrategy='Do Until Success'
    |
    +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
    |
    +---2--- IPsecTunnelAction // set up SA from host to gateway [B]

   As an optional feature, IPsec associations may be established
   without being prompted by IP packets. The AutoStart attribute
   indicates if the IPsec association(s) of this rule should be set
   up automatically. Support of this attribute is optional.
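   As an added illustration (not part of the draft), the following
   Python models the two ExecutionStrategy layouts shown above: 'Do
   All' for the nested-SA rule and 'Do Until Success' for the
   fallback rule. The Action, Rule and run_rule names and the
   simulated SA setup are this example's own; that a failed step
   under 'Do All' fails the whole rule is an assumption, since the
   page does not state the failure semantics.

```python
"""Execution strategies for an IPsec rule's ordered action set.

Added example (not draft code): models the ExecutionStrategy values
'Do All' and 'Do Until Success' over an ordered action list, as used
by the two rule layouts in the text.  SA establishment is simulated by
a callable per action.  Assumption: under 'Do All' the rule stops at
the first failed action and is reported as failed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

DO_ALL = "Do All"
DO_UNTIL_SUCCESS = "Do Until Success"


@dataclass
class Action:
    """One entry of an ordered action set (e.g. IPsecTunnelAction)."""
    order: int
    kind: str                   # "IPsecTunnelAction" / "IPsecTransportAction"
    peer: str                   # gateway or host the SA is set up with
    setup: Callable[[], bool]   # simulated SA establishment; True on success


@dataclass
class Rule:
    execution_strategy: str
    actions: List[Action] = field(default_factory=list)
    auto_start: bool = False    # optional AutoStart attribute of the rule


def run_rule(rule: Rule) -> Tuple[bool, List[str]]:
    """Apply the rule's action set; returns (rule_succeeded, attempted steps).

    'Do Until Success': try actions in order, stop at the first one that
    establishes its SA.  'Do All': every action must succeed (nested SAs).
    """
    attempted: List[str] = []
    for action in sorted(rule.actions, key=lambda a: a.order):
        attempted.append(f"{action.kind}->{action.peer}")
        ok = action.setup()
        if rule.execution_strategy == DO_UNTIL_SUCCESS and ok:
            return True, attempted
        if rule.execution_strategy == DO_ALL and not ok:
            return False, attempted   # assumption: a failed step fails the rule
    # Do All: every step succeeded; Do Until Success: no step succeeded.
    return rule.execution_strategy == DO_ALL, attempted


# Constructed scenario mirroring the two layouts in the text.
# Gateway "gw-A" is unreachable in this simulation; the others work.
REACHABLE = {"gw-A": False, "gw-B": True, "gw": True, "remote-host": True}


def _sa_to(peer: str) -> Callable[[], bool]:
    """Simulated SA setup: succeeds iff the constructed peer is reachable."""
    return lambda: REACHABLE[peer]


def nested_rule() -> Rule:
    """Do All: tunnel SA to the gateway, then transport SA through it."""
    return Rule(DO_ALL, [
        Action(1, "IPsecTunnelAction", "gw", _sa_to("gw")),
        Action(2, "IPsecTransportAction", "remote-host", _sa_to("remote-host")),
    ])


def fallback_rule() -> Rule:
    """Do Until Success: tunnel to gateway A, falling back to gateway B."""
    return Rule(DO_UNTIL_SUCCESS, [
        Action(1, "IPsecTunnelAction", "gw-A", _sa_to("gw-A")),
        Action(2, "IPsecTunnelAction", "gw-B", _sa_to("gw-B")),
    ])


if __name__ == "__main__":
    print(run_rule(nested_rule()))    # both SAs set up, rule succeeds
    print(run_rule(fallback_rule()))  # gw-A fails, gw-B succeeds
```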
3.1.2 IPsec actions

   IPsec actions may be of two types: Static Action and Negotiation
   Action.

   Static Actions do not require any negotiations. They include
   by-pass, discard, IKE rejection, pre-configured transport and
   pre-configured tunnel actions. The ipSecStaticActionTable
   specifies IPsec Static Actions. For a pre-configured transport or
   pre-configured tunnel action, it further points to a valid
   instance in another table that describes a transform to be used,
   for example, the ipSecEspTransformTable. In addition, the SPI used
   for the transform is also defined in the table.

   Negotiation Actions require negotiations in order to establish
   Security Associations. They include transport and tunnel actions.
   The ipSecNegotiationActionTable specifies IPsec Negotiation
   Actions. It points to a valid instance in the
   ipSecAssociationTable that further defines the IPsec association
   to be established. For key exchange policy, the KeyExchangeId
   points to a valid instance in another table that describes key
   exchange procedures. If a single IKE phase one negotiation is used
   for the key exchange, this attribute MUST point to an instance in
   the ipSecIkeAssociationTable. If multiple IKE phase one
   negotiations (e.g., with different modes) are to be tried until
   success, this attribute SHOULD point to ipSecIkeRuleTable. For
   other key exchange methods, this attribute MAY point to an
   instance of a PRC defined in some other PIB module.

   The ipSecActionSetTable specifies sets of actions. Actions within
   a set form an ordered list. If an action within a set is a Static
   Action, the ActionId MUST point to a valid instance in the
   ipSecStaticActionTable. If the action is a Negotiation Action, the
   ActionId MUST point to a valid instance in the
   ipSecNegotiationActionTable. For other actions, the ActionId MAY
   point to an instance of a PRC defined in some other PIB module.

3.1.3 IPsec associations

   The ipSecAssociationTable specifies attributes associated with
   IPsec associations. For each association, it points to a set of
   proposals in the ipSecProposalSetTable that is associated with
   this association.

   The MinLifetimeSeconds and MinLifetimeKilobytes in the
   ipSecAssociationTable indicate the lifetime to propose for the
   IPsec association to be negotiated. They are different from the
   time periods indicated by the IpSecRuleTimePeriodGroupId in the
   ipSecRuleTable. Those time periods specify when the given IPsec
   rule is valid.

3.1.4 IPsec proposals

   The ipSecProposalSetTable specifies sets of proposals. Proposals
   within a set are ordered with a preference value.

   The ipSecProposalTable specifies proposals. It points to sets of
   ESP transforms, AH transforms and COMP transforms. Within a
   proposal, sets of transforms of different types are logically
   ANDed. Transforms of the same type within a transform set are to
   be logically ORed. For example, if the proposal were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to
   pick one from the ESP transform list (preferably (HMAC-MD5, 3DES))
   AND one from the AH transform list (preferably MD5).
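   An added example (not the draft's own code) of how a responder
   would pick transforms from the proposal above: the proposal set is
   walked by ascending preference value (assumed here to mean most
   preferred first), transform types within a proposal are ANDed and
   transforms within one type are ORed, the earliest supported one
   winning. It goes slightly beyond the text by adding a second,
   ESP-only proposal as a fallback; the negotiate and
   choose_from_proposal functions and the responder capability tables
   are constructed for this example.

```python
"""Selecting transforms from an IPsec proposal set.

Added example (not draft code).  Semantics from the text: proposals in
a set are ordered by a preference value (assumed: lower value = more
preferred); within a proposal the ESP, AH and COMP transform sets are
ANDed (one transform of every listed type must be agreed) and the
transforms inside one set are ORed (the responder picks one, with the
sender's list order as preference).  Capability tables are constructed.
"""
from typing import Dict, List, Optional, Tuple

Transform = Tuple[str, ...]            # e.g. ("HMAC-MD5", "3DES") or ("MD5",)
Proposal = Dict[str, List[Transform]]  # transform type -> ordered transform set


def choose_from_proposal(proposal: Proposal,
                         supported: Dict[str, List[Transform]]
                         ) -> Optional[Dict[str, Transform]]:
    """Return one transform per listed type (ANDed), or None if any type fails.

    Within a type the sender's order is the preference order, so the first
    transform the responder supports is taken (the ORed alternatives).
    """
    chosen: Dict[str, Transform] = {}
    for ttype, alternatives in proposal.items():
        acceptable = [t for t in alternatives if t in supported.get(ttype, [])]
        if not acceptable:
            return None   # this type cannot be satisfied -> the whole proposal fails
        chosen[ttype] = acceptable[0]
    return chosen


def negotiate(proposal_set: List[Tuple[int, Proposal]],
              supported: Dict[str, List[Transform]]
              ) -> Optional[Tuple[int, Dict[str, Transform]]]:
    """Walk the proposal set by ascending preference; the first acceptable wins."""
    for pref, proposal in sorted(proposal_set, key=lambda p: p[0]):
        chosen = choose_from_proposal(proposal, supported)
        if chosen is not None:
            return pref, chosen
    return None


# Constructed proposal set: preference 1 is the example from the text
# (ESP AND AH); preference 2 offers ESP only as a fallback.
PROPOSAL_SET: List[Tuple[int, Proposal]] = [
    (1, {"ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
         "AH":  [("MD5",), ("SHA-1",)]}),
    (2, {"ESP": [("HMAC-MD5", "3DES")]}),
]

# Constructed responder capability tables.
RESPONDER_NO_3DES = {"ESP": [("HMAC-MD5", "DES")], "AH": [("SHA-1",), ("MD5",)]}
RESPONDER_NO_AH = {"ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")]}
RESPONDER_NONE: Dict[str, List[Transform]] = {"ESP": [("HMAC-SHA-1", "AES")]}

if __name__ == "__main__":
    print(negotiate(PROPOSAL_SET, RESPONDER_NO_3DES))  # proposal 1: DES + MD5
    print(negotiate(PROPOSAL_SET, RESPONDER_NO_AH))    # falls through to proposal 2
    print(negotiate(PROPOSAL_SET, RESPONDER_NONE))     # None: nothing acceptable
```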
3.2 AH transform group

   The AH transform group describes sets of AH transforms.

3.3 ESP transform group

   The ESP transform group describes sets of ESP transforms.

3.4 COMP transform group

   The COMP transform group describes sets of COMP transforms.

3.5 IKE association group

   This group specifies rules associated with IKE phase one
   negotiation.

   The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
   tables. Support of these tables is required only when a policy
   contains:

   - Multiple IKE phase one actions (e.g., with different exchange
     modes) that are associated with one IPsec association. These
     actions are to be tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.

   For the latter case, IKE rules may be distributed independently
   and the IfName and Roles attributes in the ipSecIkeRuleTable
   indicate the interface type and role combinations to which this
   rule is to be applied.

   skipping to change at line 303

   within a set form an ordered list.

   The ipSecIkeAssociationTable contains parameters associated with
   IKE associations including the IKE identities to be used during
   IKE phase one negotiation. It points to a set of credentials
   specified in the ipSecCredentialTable. Any of the credentials in
   this set may be used during IKE phase one negotiation. In
   addition, each IKE association points to a set of IKE proposals to
   be associated with this association. If the Authentication Method
   for one or more of the IKE proposals is specified as PresharedKey
   in the ipSecIkeProposalTable, the ipSecIkeAssociationPresharedKey
   attribute contains the actual pre-shared key to be used for the
   proposal(s). This attribute is optional. If this attribute is not
   supported or contains a zero length octet, the pre-shared key MUST
   be obtained through other methods.

   The ipSecIkeProposalSetTable specifies sets of proposals.
   Proposals within a set are ordered with a preference value. The
   ipSecIkeProposalTable contains parameters associated with IKE
   proposals.

   skipping to change at line 325

   information that includes acceptable peer identity and credentials
   for IKE phase one negotiation. It points to a set of credentials
   specified in the ipSecIkePeerEndpointCredentialSetTable. Any of
   the credentials in the set is acceptable as a peer credential. The
   AddressType and the Address attributes are used only when IKE
   phase one negotiation starts automatically, i.e., the value of the
   AutoStart attribute in the ipSecIkeRuleTable is true. In that
   case, these two attributes together indicate the peer endpoint
   address.
3.6 Credential group

   This group specifies credentials to be used for IKE phase one
   negotiations.

   The ipSecCredentialSetTable specifies sets of credentials. The
   ipSecCredentialTable and ipSecCredentialFieldsTable together
   specify credentials. Each credential may contain multiple
   sub-fields. For example, a certificate may contain a unique serial
   number sub-field and an issuer name sub-field, etc. The
   ipSecCredentialFieldsTable defines the sub-fields and their values
   that MUST be matched against. The ipSecCredentialTable points to a
   set of criteria defined in the ipSecCredentialFieldsTable. The
   criteria MUST all be satisfied in order for a credential to be
   considered as acceptable. Certificates may also be revoked. The
   CrlDistributionPoint attribute in the ipSecCredentialTable
   indicates the Certificate Revocation List (CRL) distribution point
   where CRLs may be fetched.

3.7 Selector group

   This group specifies the selectors for IPsec rules.

   The ipSecSelectorSetTable specifies sets of selectors. Selectors
   within a set form an ordered list. The SelectorId attribute points
   to a valid instance in another table that describes a selector. To
   achieve scalability in policy distribution for large networks, it
   SHOULD point to the ipSecSelectorTable.

   The ipSecAddressTable specifies individual or ranges of IP
   addresses and the ipSecL4PortTable specifies individual or ranges
   of layer 4 ports. The ipSecSelectorTable has references to these
   two tables. Each row in the selector table can represent multiple
   selectors. These selectors are constructed as follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorSrcAddressGroupId.

   skipping to change at line 389

      ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
      fields. Then add to the combinations the ipSecSelectorProtocol,
      ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
      the list of selectors.

   Selectors constructed from a single row have the same order within
   a selector set. The order is indicated by the Order attribute of
   the ipSecSelectorSetTable. The relative order among selectors
   constructed from a single row is unspecified. This is not an issue
   as long as these selectors are not overlapping.

   The use of references in the ipSecSelectorTable instead of real IP
   addresses and port numbers reduces the number of bytes being
   pushed down to the PEP. Grouping of IP addresses and layer 4 ports
   serves the same purpose.
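   An added example (not draft code) that carries out the selector
   construction above: one ipSecSelectorTable row is expanded against
   constructed address and port group tables into the cross product of
   concrete selectors, each selector can be matched against a packet,
   and an overlap check shows when the unspecified relative order
   among selectors from one row actually matters. Steps 2 to 4, elided
   on the page, are assumed to mirror step 1 for the destination
   address group and the two port groups; the expand_row, Selector and
   overlapping names and all table contents are this example's own.

```python
"""Expanding an ipSecSelectorTable row into concrete selectors.

Added example (not draft code): implements the five construction steps
from the text.  The group tables are constructed dicts keyed by GroupId;
an address entry is a single address or an inclusive range, a port entry
a single port or an inclusive range ("individual or ranges" in the text).
Assumption: steps 2-4 mirror step 1 for DstAddress, SrcPort and DstPort.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

AddrRange = Tuple[int, int]   # inclusive range of integer IP addresses
PortRange = Tuple[int, int]   # inclusive port range


def addr_entry(spec: str) -> AddrRange:
    """'10.0.0.1' or '10.0.0.1-10.0.0.9' -> inclusive integer address range."""
    lo, _, hi = spec.partition("-")
    start = int(ipaddress.ip_address(lo))
    return (start, int(ipaddress.ip_address(hi)) if hi else start)


def port_entry(spec: str) -> PortRange:
    """'80' or '1024-65535' -> inclusive port range."""
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi) if hi else int(lo))


@dataclass(frozen=True)
class Selector:
    src: AddrRange
    dst: AddrRange
    sport: PortRange
    dport: PortRange
    protocol: int
    dscp: int
    flow_label: int
    order: int        # Order attribute of the enclosing selector set entry

    def matches(self, src: str, dst: str, sport: int, dport: int,
                proto: int, dscp: int = 0, flow_label: int = 0) -> bool:
        """True if a packet with these header fields falls inside the selector."""
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        return (self.src[0] <= s <= self.src[1] and self.dst[0] <= d <= self.dst[1]
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1]
                and self.protocol == proto and self.dscp == dscp
                and self.flow_label == flow_label)


def expand_row(row: dict, addr_table: Dict[int, List[str]],
               port_table: Dict[int, List[str]], order: int) -> List[Selector]:
    """Steps 1-5: substitute each GroupId with its entries, then cross-product."""
    srcs = [addr_entry(a) for a in addr_table[row["SrcAddressGroupId"]]]   # step 1
    dsts = [addr_entry(a) for a in addr_table[row["DstAddressGroupId"]]]   # step 2
    sports = [port_entry(p) for p in port_table[row["SrcPortGroupId"]]]    # step 3
    dports = [port_entry(p) for p in port_table[row["DstPortGroupId"]]]    # step 4
    return [Selector(s, d, sp, dp, row["Protocol"], row["Dscp"],
                     row["FlowLabel"], order)
            for s, d, sp, dp in product(srcs, dsts, sports, dports)]       # step 5


def overlapping(a: Selector, b: Selector) -> bool:
    """True if some packet matches both selectors; from one row, their relative
    order is unspecified, so an overlap is the case the text warns about."""
    def inter(x: Tuple[int, int], y: Tuple[int, int]) -> bool:
        return x[0] <= y[1] and y[0] <= x[1]
    return (inter(a.src, b.src) and inter(a.dst, b.dst) and inter(a.sport, b.sport)
            and inter(a.dport, b.dport) and a.protocol == b.protocol
            and a.dscp == b.dscp and a.flow_label == b.flow_label)


# Constructed group tables and one constructed selector row (TCP, DSCP 0).
ADDR_TABLE = {1: ["10.1.0.0-10.1.0.255", "10.2.0.7"], 2: ["192.0.2.10"]}
PORT_TABLE = {1: ["1024-65535"], 2: ["80", "443"]}
ROW = {"SrcAddressGroupId": 1, "DstAddressGroupId": 2, "SrcPortGroupId": 1,
       "DstPortGroupId": 2, "Protocol": 6, "Dscp": 0, "FlowLabel": 0}

if __name__ == "__main__":
    for sel in expand_row(ROW, ADDR_TABLE, PORT_TABLE, order=5):
        print(sel)   # 2 sources x 1 destination x 1 source port x 2 dest ports
```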
   The ipSecIpsoFilterSetTable specifies sets of IPSO filters.
   Filters within a set form an ordered list. The
   ipSecIpsoFilterTable contains IPSO filters.

3.8 Policy time period group

   This group specifies time periods during which a policy rule is
   valid. The ipSecRuleTimePeriodTable specifies a single time period
   within a day. The ipSecRuleTimePeriodSetTable specifies multiple
   time periods.

   Implementation of this group is optional.

3.9 Interface capability group

   PEPs may have different capabilities. For example, some PEPs
   support nested Security Associations whereas others do not. This
   group allows a PEP to specify the capabilities associated with its
   different interface types.

   For ease of reference, a concise summary of the groups and tables
   is included in the next section.
4. Summary of the IPsec PIB 4. Summary of the IPsec PIB
skipping to change at line 414 skipping to change at line 447
4.1.3 ipSecStaticActionTable 4.1.3 ipSecStaticActionTable
Specifies IPsec static actions. Specifies IPsec static actions.
4.1.4 ipSecNegotiationActionTable 4.1.4 ipSecNegotiationActionTable
Specifies IPsec negotiation actions. Specifies IPsec negotiation actions.
4.1.5 ipSecAssociationTable 4.1.5 ipSecAssociationTable
Specifies IPsec associations. Specifies IPsec associations.
4.1.6 ipSecProposalSetTable 4.1.6 ipSecProposalSetTable
Li, et al Expires February, 2003 8
IPsec Policy Information Base August, 2002
Specifies IPsec proposal sets. Specifies IPsec proposal sets.
4.1.7 ipSecProposalTable 4.1.7 ipSecProposalTable
Specifies IPsec proposals. Specifies IPsec proposals.
4.2 ipSecAhTransform group 4.2 ipSecAhTransform group
This group specifies AH Transforms. This group specifies AH Transforms.
4.2.1 ipSecAhTransformSetTable 4.2.1 ipSecAhTransformSetTable
Specifies AH transform sets. Specifies AH transform sets.
skipping to change at line 437 skipping to change at line 475
4.3 ipSecEspTransform group 4.3 ipSecEspTransform group
This group specifies ESP Transforms. This group specifies ESP Transforms.
4.3.1 ipSecEspTransformSetTable 4.3.1 ipSecEspTransformSetTable
Specifies ESP transform sets. Specifies ESP transform sets.
4.3.2 ipSecEspTransformTable 4.3.2 ipSecEspTransformTable
Specifies ESP transforms. Specifies ESP transforms.
Li, et al Expires August, 2002 8
IPsec Policy Information Base February, 2002
4.4 ipSecCompTransform group 4.4 ipSecCompTransform group
This group specifies Compression Transforms. This group specifies Compression Transforms.
4.4.1 ipSecCompTransformSetTable 4.4.1 ipSecCompTransformSetTable
Specifies IPComp transform sets. Specifies IPComp transform sets.
4.4.2 ipSecCompTransformTable 4.4.2 ipSecCompTransformTable
Specifies IP compression (IPCOMP) algorithms. Specifies IP compression (IPCOMP) algorithms.
4.5 ipSecIkeAssociation group 4.5 ipSecIkeAssociation group
skipping to change at line 470 skipping to change at line 505
4.5.4 ipSecIkeProposalSetTable 4.5.4 ipSecIkeProposalSetTable
Specifies IKE proposal sets. Specifies IKE proposal sets.
4.5.5 ipSecIkeProposalTable 4.5.5 ipSecIkeProposalTable
Specifies IKE proposals. Specifies IKE proposals.
4.5.6 ipSecIkePeerEndpointTable 4.5.6 ipSecIkePeerEndpointTable
Specifies IKE peer endpoints. Specifies IKE peer endpoints.
Li, et al Expires February, 2003 9
IPsec Policy Information Base August, 2002
4.6 ipSecCredential group
This group specifies credentials for IKE phase one negotiations.
4.6.1 ipSecCredentialSetTable
Specifies credential sets.
4.6.2 ipSecCredentialTable
Specifies credentials.
4.6.3 ipSecCredentialFieldsTable
skipping to change at line 492 skipping to change at line 531
4.7 ipSecSelector group
This group specifies selectors for IPsec associations.
4.7.1 ipSecSelectorSetTable
Specifies IPsec selector sets.
4.7.2 ipSecSelectorTable
Specifies IPsec selectors.
4.7.3 ipSecAddressTable
Specifies IP addresses.
4.7.4 ipSecL4PortTable
Specifies layer four port numbers.
4.7.5 ipSecIpsoFilterSetTable
Specifies IPSO filter sets.
4.7.6 ipSecIpsoFilterTable
skipping to change at line 525 skipping to change at line 561
Specifies time period sets.
4.9 ipSecIfCapability group
This group specifies capabilities associated with interface types.
4.9.1 ipSecIfCapsTable
Specifies capabilities that may be associated with an interface of
a specific type.
4.10 ipSecPolicyPibConformance group
This group specifies requirements for conformance to the IPsec
Policy PIB.
5. The IPsec PIB Module
IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS
Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP,
InstanceId, ReferenceId, Prid, TagId, TagReferenceId
FROM COPS-PR-SPPI
TruthValue
FROM SNMPv2-TC
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
RoleCombination
FROM FRAMEWORK-TC-PIB;
ipSecPolicyPib MODULE-IDENTITY
SUBJECT-CATEGORY { tbd } -- IPsec Client Type -- SUBJECT-CATEGORIES { tbd } -- IPsec Client Type --
LAST-UPDATED "200202241800Z"
ORGANIZATION "IETF ipsp WG"
CONTACT-INFO "
Man Li
Nokia
5 Wayside Road,
Burlington, MA 01803
Phone: +1 781 993 3923
Email: man.m.li@nokia.com
Avri Doria
Div. of Computer Communications
skipping to change at line 581 skipping to change at line 618
Hillsboro, OR 97124
Phone: +1 503 264 9531
Fax: +1 503 264 9428
Email: jamie.jason@intel.com
Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
Email: CWang@smartpipes.com
Markus Stenberg
SSH Communications Security Corp.
Fredrikinkatu 42
FIN-00100 Helsinki, Finland
Phone: +358 20 500 7466
Email: markus.stenberg@ssh.com"
DESCRIPTION
skipping to change at line 602 skipping to change at line 644
describe IPsec policies."
::= { pib yyy } -- yyy to be assigned by IANA --
Unsigned16 ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An unsigned 16 bit integer."
SYNTAX Unsigned32 (0..65535)
ipSecAssociation OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies IPsec Security Associations."
::= { ipSecPolicyPib 1 }
ipSecAhTransform OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies AH Transforms."
::= { ipSecPolicyPib 2 }
skipping to change at line 636 skipping to change at line 674
"This group specifies Comp Transforms."
::= { ipSecPolicyPib 4 }
ipSecIkeAssociation OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies IKE Security Associations."
::= { ipSecPolicyPib 5 }
ipSecCredential OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies credentials for IKE phase one negotiations."
::= { ipSecPolicyPib 6 }
ipSecSelector OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies selectors for IPsec associations."
::= { ipSecPolicyPib 7 }
skipping to change at line 659 skipping to change at line 702
DESCRIPTION
"This group specifies the time periods during which a policy rule
is valid."
::= { ipSecPolicyPib 8 }
ipSecIfCapability OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies capabilities associated with interface
types."
::= { ipSecPolicyPib 9 }
ipSecPolicyPibConformance OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This group specifies requirements for conformance to the IPsec
Policy PIB"
::= { ipSecPolicyPib 10 }
--
skipping to change at line 692 skipping to change at line 731
"This table is the starting point for specifying an IPsec policy.
It contains an ordered list of IPsec rules. "
::= { ipSecAssociation 1 }
ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecRulePrid }
UNIQUENESS {
ipSecRuleIfName,
ipSecRuleRoles,
ipSecRuleOrder
}
::= { ipSecRuleTable 1 }
IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid InstanceId,
ipSecRuleIfName SnmpAdminString,
skipping to change at line 715 skipping to change at line 759
ipSecRuleipSecIpsoFilterSetId TagReferenceId,
ipSecRuleIpSecActionSetId TagReferenceId,
ipSecRuleActionExecutionStrategy INTEGER,
ipSecRuleOrder Unsigned16,
ipSecRuleLimitNegotiation INTEGER,
ipSecRuleAutoStart TruthValue,
ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
}
ipSecRulePrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecRuleEntry 1 }
ipSecRuleIfName OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
skipping to change at line 749 skipping to change at line 789
DESCRIPTION
"Specifies the role combination of the interface to which this
IPsec rule should apply. There must exist an instance in the
frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
combination, together with the interface capability set specified
by ipSecRuleIfName, prior to association with an instance of this
class."
::= { ipSecRuleEntry 3 }
ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER {
in(1),
out(2),
bi-directional(3)
}
STATUS current
DESCRIPTION
"Specifies the direction of traffic to which this rule should
apply."
::= { ipSecRuleEntry 4 }
skipping to change at line 772 skipping to change at line 817
PIB-TAG { ipSecSelectorSetSelectorSetId }
STATUS current
DESCRIPTION
"Identifies a set of selectors to be associated with this IPsec
rule. "
::= { ipSecRuleEntry 5 }
ipSecRuleipSecIpsoFilterSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecIpsoFilterSetFilterSetId }
STATUS current
DESCRIPTION
"Identifies a set of IPSO filters to be associated with this IPsec
rule. A value of zero indicates that there are no IPSO filters
associated with this rule.
When the value of this attribute is not zero, the set of IPSO
filters is ANDed with the set of Selectors specified by
ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
selector in the selector sets and a filter in the IPSO filter sets
skipping to change at line 805 skipping to change at line 846
rule."
::= { ipSecRuleEntry 7 }
ipSecRuleActionExecutionStrategy OBJECT-TYPE
SYNTAX INTEGER {
doAll(1),
doUntilSuccess(2)
}
STATUS current
DESCRIPTION
"Specifies the strategy to be used in executing the sequenced
actions in the action set identified by ipSecRuleIpSecActionSetId.
DoAll (1) causes the execution of all the actions in the action
set according to their defined precedence order. The precedence
order is specified by the ipSecActionSetOrder in the
ipSecActionSetTable.
DoUntilSuccess (2) causes the execution of actions according to
their defined precedence order until a successful execution of a
skipping to change at line 829 skipping to change at line 875
ipSecRuleOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the precedence order of the rule within all the rules
associated with {IfName, Roles}. A smaller value indicates a
higher precedence order. "
::= { ipSecRuleEntry 9 }
ipSecRuleLimitNegotiation OBJECT-TYPE
SYNTAX INTEGER {
initiator(1),
responder(2),
both(3)
}
STATUS current
DESCRIPTION
"Limits the negotiation method. Before proceeding with a phase 2
negotiation, the LimitNegotiation property of the IPsecRule is
first checked to determine if the negotiation part indicated for
skipping to change at line 862 skipping to change at line 904
::= { ipSecRuleEntry 10 }
ipSecRuleAutoStart OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Indicates if this rule should be automatically executed."
::= { ipSecRuleEntry 11 }
ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
STATUS current
DESCRIPTION
"Identifies an IPsec rule time period set, specified in
ipSecRuleTimePeriodSetTable, that is associated with this rule.
A value of zero indicates that this IPsec rule is always valid."
::= { ipSecRuleEntry 12 }
skipping to change at line 885 skipping to change at line 932
--
ipSecActionSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec action sets."
::= { ipSecAssociation 2 }
ipSecActionSetEntry OBJECT-TYPE
SYNTAX IpSecActionSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecActionSetPrid }
UNIQUENESS {
ipSecActionSetActionSetId,
ipSecActionSetActionId,
ipSecActionSetDoActionLogging,
skipping to change at line 916 skipping to change at line 960
ipSecActionSetActionId Prid,
ipSecActionSetDoActionLogging TruthValue,
ipSecActionSetDoPacketLogging TruthValue,
ipSecActionSetOrder Unsigned16
}
ipSecActionSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecActionSetEntry 1 }
ipSecActionSetActionSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An IPsec action set is composed of one or more IPsec actions.
Each action belonging to the same set has the same ActionSetId."
skipping to change at line 941 skipping to change at line 990
DESCRIPTION
"A pointer to a valid instance in another table that describes an
action to be taken.
For IPsec static actions, it MUST point to an instance in the
ipSecStaticActionTable.
For IPsec negotiation actions, it MUST point to an instance in the
ipSecNegotiationActionTable. For other actions, it may point to an
instance in a table specified by other PIB modules."
::= { ipSecActionSetEntry 3 }
ipSecActionSetDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether a log message is to be generated when the
action is performed. This applies for ipSecNegotiationActions
with the meaning of logging a message when the negotiation is
attempted (with the success or failure result). This also applies
skipping to change at line 973 skipping to change at line 1018
DESCRIPTION
"Specifies whether to log when the resulting security association
is used to process a packet. For ipSecStaticActions, a log message
is to be generated when the IPsecBypass, IpsecDiscard or IKEReject
actions are executed."
::= { ipSecActionSetEntry 5 }
ipSecActionSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the precedence order of the action within the action
set. An action with a smaller precedence order is to be applied
before one with a larger precedence order. "
::= { ipSecActionSetEntry 6 }
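The rule and action-set classes above define an evaluation order that a PEP has to honour: rows are grouped by {IfName, Roles} and tried by ascending ipSecRuleOrder, a packet matches a rule only if it matches a selector in the referenced selector set AND (when ipSecRuleipSecIpsoFilterSetId is non-zero) a filter in the IPSO filter set, and the rule's action set is then executed in ipSecActionSetOrder, either completely (doAll) or until the first success (doUntilSuccess). The following Python is an added example written for this page, not code from the draft or from any PIB implementation. It models only the attributes needed for that evaluation: the selector and IPSO-filter rows are simplified to prefix matches and a set of accepted classification labels, the action PRID is replaced by a callable, and all table rows are constructed in-process rather than received over COPS-PR (all of these are assumptions of the example).

```python
# Added example, not text from the draft: a minimal model of how a PEP
# evaluates installed ipSecRuleTable / ipSecActionSetTable rows.  Rows are
# constructed in-process; selector and IPSO-filter attributes are simplified
# and the COPS-PR transport is left out (assumptions).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

IN, OUT, BI_DIRECTIONAL = 1, 2, 3   # ipSecRuleDirection
DO_ALL, DO_UNTIL_SUCCESS = 1, 2     # ipSecRuleActionExecutionStrategy


@dataclass(frozen=True)
class Selector:                     # simplified ipSecSelectorTable row
    src: str                        # prefixes; None for proto/dport means any
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt.get("proto"))
                and self.dport in (None, pkt.get("dport")))


@dataclass(frozen=True)
class ActionRow:                    # one ipSecActionSetTable row
    action_set_id: int              # ipSecActionSetActionSetId
    order: int                      # ipSecActionSetOrder, smaller runs first
    name: str
    run: Callable[[dict], bool]     # stands in for the ipSecActionSetActionId PRID


@dataclass(frozen=True)
class Rule:                         # one ipSecRuleTable row (subset)
    prid: int
    if_name: str
    roles: str
    direction: int
    selector_set_id: int
    ipso_filter_set_id: int         # 0 = no IPSO filters associated
    action_set_id: int
    strategy: int
    order: int                      # ipSecRuleOrder, smaller = higher precedence


def duplicate_keys(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """UNIQUENESS { IfName, Roles, Order }: triples used by more than one row."""
    seen, dups = set(), []
    for r in rules:
        key = (r.if_name, r.roles, r.order)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def find_rule(rules, selector_sets, ipso_sets, pkt, if_name, roles, direction):
    """Highest-precedence rule for {IfName, Roles} that the packet matches.
    Selectors and IPSO filters are ANDed; ipso_sets maps a filter set id to
    the classification labels it accepts (simplification, assumption)."""
    candidates = [r for r in rules if (r.if_name, r.roles) == (if_name, roles)
                  and r.direction in (direction, BI_DIRECTIONAL)]
    for rule in sorted(candidates, key=lambda r: r.order):
        if not any(s.matches(pkt) for s in selector_sets[rule.selector_set_id]):
            continue
        if rule.ipso_filter_set_id and pkt.get("ipso_level") not in ipso_sets[rule.ipso_filter_set_id]:
            continue
        return rule
    return None


def execute(rule: Rule, action_rows: List[ActionRow], pkt: dict) -> Tuple[List[str], bool]:
    """Run the action set in ipSecActionSetOrder: doAll runs every action,
    doUntilSuccess stops after the first action that succeeds."""
    executed, succeeded = [], False
    for row in sorted((a for a in action_rows if a.action_set_id == rule.action_set_id),
                      key=lambda a: a.order):
        ok = row.run(pkt)
        executed.append(row.name)
        succeeded = succeeded or ok
        if rule.strategy == DO_UNTIL_SUCCESS and ok:
            break
    return executed, succeeded


def demo() -> dict:
    """Constructed policy for eth0 / role combination 'edge': order 10 protects
    labelled 10/8 -> 10/8 traffic (negotiate, else fall back to a pre-configured
    tunnel); order 20 bypasses everything else sourced from 10/8."""
    selector_sets = {1: [Selector("10.0.0.0/8", "10.0.0.0/8")],
                     2: [Selector("10.0.0.0/8", "0.0.0.0/0")]}
    ipso_sets = {1: {"secret", "top-secret"}}
    action_rows = [ActionRow(1, 2, "preConfiguredTunnel", lambda p: True),
                   ActionRow(1, 1, "negotiateTunnel", lambda p: False),  # IKE fails here
                   ActionRow(2, 1, "byPass", lambda p: True)]
    rules = [Rule(1, "eth0", "edge", OUT, 1, 1, 1, DO_UNTIL_SUCCESS, 10),
             Rule(2, "eth0", "edge", BI_DIRECTIONAL, 2, 0, 2, DO_ALL, 20)]
    labelled = {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": 6, "dport": 443,
                "ipso_level": "secret"}
    unlabelled = {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": 6, "dport": 443}
    r1 = find_rule(rules, selector_sets, ipso_sets, labelled, "eth0", "edge", OUT)
    r2 = find_rule(rules, selector_sets, ipso_sets, unlabelled, "eth0", "edge", OUT)
    return {"duplicates": duplicate_keys(rules),
            "labelled": (r1.prid, execute(r1, action_rows, labelled)),
            "unlabelled": (r2.prid, execute(r2, action_rows, unlabelled))}
```

Two things the model makes visible that the attribute descriptions only imply: a packet that matches the selectors of the higher-precedence rule but carries no acceptable IPSO label falls through to the next rule rather than being dropped, so a bypass rule placed later in the order silently catches it; and with doUntilSuccess a failed negotiation is followed by the pre-configured SA, so the order of rows within the action set decides which protection the packet actually gets. Both are consequences of the PDP's rule and action ordering, and the UNIQUENESS constraint on {IfName, Roles, Order} is what keeps that ordering unambiguous.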
--
--
-- The ipSecStaticActionTable
--
skipping to change at line 997 skipping to change at line 1047
STATUS current
DESCRIPTION
"Specifies IPsec static actions."
::= { ipSecAssociation 3 }
ipSecStaticActionEntry OBJECT-TYPE
SYNTAX IpSecStaticActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecStaticActionPrid }
UNIQUENESS {
ipSecStaticActionAction,
ipSecStaticActionTunnelEndpointId,
ipSecStaticActionDfHandling,
ipSecStaticActionSpi,
ipSecStaticActionLifetimeSeconds,
ipSecStaticActionLifetimeKilobytes,
ipSecStaticActionSaTransformId
}
skipping to change at line 1028 skipping to change at line 1074
ipSecStaticActionSpi Unsigned32,
ipSecStaticActionLifetimeSeconds Unsigned32,
ipSecStaticActionLifetimeKilobytes Unsigned32,
ipSecStaticActionSaTransformId Prid
}
ipSecStaticActionPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecStaticActionEntry 1 }
ipSecStaticActionAction OBJECT-TYPE
SYNTAX INTEGER {
byPass(1),
discard(2),
ikeRejection(3),
preConfiguredTransport(4),
skipping to change at line 1054 skipping to change at line 1105
discard (2) means that packets are to be discarded. ikeRejection
(3) means that an IKE negotiation should not even be
attempted or continued. preConfiguredTransport (4) means that an
IPsec transport SA is pre-configured. preConfiguredTunnel (5)
means that an IPsec tunnel SA is pre-configured. "
::= { ipSecStaticActionEntry 2 }
ipSecStaticActionTunnelEndpointId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecAddressEntry }
STATUS current
DESCRIPTION
"When ipSecStaticActionAction is preConfiguredTunnel (5), this
attribute indicates the peer gateway IP address. This address MUST
be a single endpoint address.
When ipSecStaticActionAction is not preConfiguredTunnel, this
attribute MUST be zero."
::= { ipSecStaticActionEntry 3 }
skipping to change at line 1084 skipping to change at line 1131
STATUS current
DESCRIPTION
"When ipSecStaticActionAction is preConfiguredTunnel, this
attribute specifies how the DF bit is managed.
Copy (1) indicates to copy the DF bit from the internal IP header
to the external IP header. Set (2) indicates to set the DF bit of
the external IP header to 1. Clear (3) indicates to clear the DF
bit of the external IP header to 0.
When ipSecStaticActionAction is not preConfiguredTunnel, this
attribute MUST be ignored. "
::= { ipSecStaticActionEntry 4 }
ipSecStaticActionSpi OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the SPI to be used with the SA Transform identified by
ipSecStaticActionSaTransformId.
skipping to change at line 1112 skipping to change at line 1163
STATUS current
DESCRIPTION
"Specifies the amount of time (in seconds) that a security
association derived from this action should be used. When
ipSecStaticActionAction is neither preConfiguredTransport (4)
nor preConfiguredTunnel (5), this attribute MUST be ignored.
A value of zero indicates that there is not a lifetime associated
with this action (i.e., infinite lifetime).
The actual lifetime of the preconfigured SA will be the smallest
of the value of this LifetimeSeconds property and of the value of
the MaxLifetimeSeconds property of the associated SA Transform.
Except if the value of this LifetimeSeconds property is zero, then
there will be no lifetime associated with this SA."
::= { ipSecStaticActionEntry 6 }
ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
skipping to change at line 1140 skipping to change at line 1188
A value of zero indicates that there is not a lifetime associated
with this action (i.e., infinite lifetime).
The actual lifetime of the preconfigured SA will be the smallest
of the value of this LifetimeKilobytes property and of the value
of the MaxLifetimeKilobytes property of the associated SA
transform. Except if the value of this LifetimeKilobytes property
is zero, then there will be no lifetime associated with this
action.
"
::= { ipSecStaticActionEntry 7 }
ipSecStaticActionSaTransformId OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"A pointer to a valid instance in another table that describes an
SA transform, e.g., ipSecEspTransformTable, ipSecAhTransformTable."
::= { ipSecStaticActionEntry 8 }
skipping to change at line 1166 skipping to change at line 1219
SYNTAX SEQUENCE OF IpSecNegotiationActionEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec negotiation actions."
::= { ipSecAssociation 4 }
ipSecNegotiationActionEntry OBJECT-TYPE
SYNTAX IpSecNegotiationActionEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecNegotiationActionPrid }
UNIQUENESS {
ipSecNegotiationActionAction,
ipSecNegotiationActionTunnelEndpointId,
ipSecNegotiationActionDfHandling,
ipSecNegotiationActionIpSecSecurityAssociationId,
ipSecNegotiationActionKeyExchangeId
}
skipping to change at line 1195 skipping to change at line 1244
ipSecNegotiationActionTunnelEndpointId ReferenceId,
ipSecNegotiationActionDfHandling INTEGER,
ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId,
ipSecNegotiationActionKeyExchangeId Prid
}
ipSecNegotiationActionPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
Li, et al Expires February, 2003 22
IPsec Policy Information Base August, 2002
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecNegotiationActionEntry 1 } ::= { ipSecNegotiationActionEntry 1 }
ipSecNegotiationActionAction OBJECT-TYPE ipSecNegotiationActionAction OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
transport(1), transport(1),
tunnel(2) tunnel(2)
} }
STATUS current STATUS current
skipping to change at line 1223 skipping to change at line 1277
ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecAddressEntry }
    STATUS current
    DESCRIPTION
        "When ipSecNegotiationActionAction is tunnel (2), this attribute
        indicates the peer gateway IP address. This address MUST be a
        single endpoint address.

        When ipSecNegotiationActionAction is not tunnel, this attribute
        MUST be zero."
    ::= { ipSecNegotiationActionEntry 3 }

ipSecNegotiationActionDfHandling OBJECT-TYPE
    SYNTAX INTEGER {
        copy(1),
        set(2),
        clear(3)
    }

skipping to change at line 1251 (draft-04) / line 1302 (draft-05)

        Copy (1) indicates to copy the DF bit from the internal IP header
        to the external IP header. Set (2) indicates to set the DF bit of
        the external IP header to 1. Clear (3) indicates to clear the DF
        bit of the external IP header to 0.

        When ipSecNegotiationActionAction is not tunnel, this attribute
        MUST be ignored."
    ::= { ipSecNegotiationActionEntry 4 }
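The DF handling above only matters once an outer header exists. The following is an added worked example for this page, not code from the draft or from any implementation it describes: it reads the DF bit of a constructed inner IPv4 header, applies copy(1)/set(2)/clear(3) to decide the outer header's DF bit, and builds a minimal outer IPv4 header (protocol 50, ESP) with a valid checksum. The constant names and the helper functions are this example's own; the inner header is a constructed sample, not a captured packet. ESP header and trailer construction is out of scope.

```python
import struct
from typing import Optional

# ipSecNegotiationActionAction values (from the PIB)
ACTION_TRANSPORT, ACTION_TUNNEL = 1, 2
# ipSecNegotiationActionDfHandling values (from the PIB)
DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3

DF_FLAG = 0x4000      # the DF bit within the IPv4 flags/fragment-offset halfword
IPPROTO_ESP = 50

def df_bit(ipv4_header: bytes) -> bool:
    """Read the DF bit of a raw IPv4 header (bytes 6-7 carry flags + fragment offset)."""
    if len(ipv4_header) < 20:
        raise ValueError("truncated IPv4 header")
    return bool(struct.unpack("!H", ipv4_header[6:8])[0] & DF_FLAG)

def outer_df(action: int, df_handling: int, inner_header: bytes) -> Optional[bool]:
    """DF bit for the outer (tunnel) header under one negotiation action.

    Returns None when the action is not tunnel: there is no outer header,
    and the PIB says DfHandling MUST be ignored in that case."""
    if action != ACTION_TUNNEL:
        return None
    if df_handling == DF_COPY:
        return df_bit(inner_header)
    if df_handling == DF_SET:
        return True
    if df_handling == DF_CLEAR:
        return False
    raise ValueError(f"unknown DfHandling value {df_handling}")

def _ones_complement_sum(data: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_outer_header(src: bytes, dst: bytes, payload_len: int, df: bool, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 outer header carrying ESP, with the decided DF bit and a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      DF_FLAG if df else 0, ttl, IPPROTO_ESP, 0, src, dst)
    csum = (~_ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def checksum_ok(ipv4_header: bytes) -> bool:
    """A header whose one's-complement sum folds to 0xFFFF carries a correct checksum."""
    return _ones_complement_sum(ipv4_header[:20]) == 0xFFFF

def make_inner(df: bool) -> bytes:
    """Constructed sample inner header (TCP, 10.0.0.1 -> 10.0.1.1); not a captured packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, DF_FLAG if df else 0,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))

def tunnel_prefix(action: int, df_handling: int, inner_packet: bytes,
                  gw_src: bytes, gw_dst: bytes) -> bytes:
    """The outer header to prepend in tunnel mode, or b'' in transport mode."""
    df = outer_df(action, df_handling, inner_packet)
    if df is None:
        return b""
    return build_outer_header(gw_src, gw_dst, len(inner_packet), df)

if __name__ == "__main__":
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # documentation prefixes
    for name, mode in (("copy", DF_COPY), ("set", DF_SET), ("clear", DF_CLEAR)):
        outer = tunnel_prefix(ACTION_TUNNEL, mode, make_inner(True), gw_a, gw_b)
        print(name, "outer DF =", df_bit(outer), "checksum ok =", checksum_ok(outer))
```

The transport-mode branch returns no outer header at all rather than silently applying the DF setting, which is the "MUST be ignored" rule made explicit; a policy loader that validates instances can likewise reject a non-zero TunnelEndpointId on a transport action.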
ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecAssociationEntry }
    STATUS current
    DESCRIPTION
        "Pointer to a valid instance in the ipSecAssociationTable."
    ::= { ipSecNegotiationActionEntry 5 }

ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
    SYNTAX Prid

skipping to change at line 1278 (draft-04) / line 1334 (draft-05)

        until success, this attribute SHOULD point to ipSecIkeRuleTable.
        For other key exchange methods, this attribute may point to an
        instance of a PRC defined in some other PIB.

        A value of zero means that there is no key exchange procedure
        associated."
    ::= { ipSecNegotiationActionEntry 6 }

--
--
-- The ipSecAssociationTable
--
ipSecAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec associations."

skipping to change at line 1307 (draft-04) / line 1359 (draft-05)

    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAssociationPrid }
    UNIQUENESS {
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationIdleDurationSeconds,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseKeyExchangeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationGranularity,
        ipSecAssociationProposalSetId
    }
    ::= { ipSecAssociationTable 1 }

IpSecAssociationEntry ::= SEQUENCE {
    ipSecAssociationPrid                 InstanceId,
    ipSecAssociationMinLifetimeSeconds   Unsigned32,
    ipSecAssociationMinLifetimeKilobytes Unsigned32,

skipping to change at line 1335 (draft-04) / line 1392 (draft-05)

ipSecAssociationPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAssociationEntry 1 }

ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be accepted
        from a peer while negotiating an SA based upon this action.

        A value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecAssociationEntry 2 }

ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE

skipping to change at line 1365 (draft-04) / line 1418 (draft-05)

        lifetime enforced."
    ::= { ipSecAssociationEntry 3 }

ipSecAssociationIdleDurationSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies how long, in seconds, a security association may remain
        unused before it is deleted.

        A value of zero indicates that idle detection should not be used
        for the security association (only the seconds and kilobyte
        lifetimes will be used)."
    ::= { ipSecAssociationEntry 4 }
ipSecAssociationUsePfs OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether or not to use PFS when refreshing keys."

skipping to change at line 1392 (draft-04) / line 1449 (draft-05)

        the property ipSecAssociationDhGroup (when it is in the
        vendor-specific range) to identify the key exchange group. This
        attribute is ignored unless ipSecAssociationUsePfs is true and
        ipSecAssociationUseKeyExchangeGroup is false and
        ipSecAssociationDhGroup is in the vendor-specific range
        (32768-65535)."
    ::= { ipSecAssociationEntry 6 }

ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether or not to use the same GroupId for phase 2 as
        was used in phase 1. If ipSecAssociationUsePfs is false, then
        this attribute is ignored.

        A value of true indicates that the phase 2 GroupId should be the
        same as phase 1. A value of false indicates that the group number
        specified by the ipSecAssociationDhGroup attribute SHALL be used
        for phase 2."

skipping to change at line 1421 (draft-04) / line 1474 (draft-05)

    DESCRIPTION
        "Specifies the key exchange group to use for phase 2 when the
        property ipSecAssociationUsePfs is true and the property
        ipSecAssociationUseKeyExchangeGroup is false."
    ::= { ipSecAssociationEntry 8 }
ipSecAssociationGranularity OBJECT-TYPE
    SYNTAX INTEGER {
        subnet(1),
        address(2),
        protocol(3),
        port(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies how the proposed selector for the security association
        will be created.

        A value of 1 (subnet) indicates that the source and destination
        subnet masks of the filter entry are used.

skipping to change at line 1449 (draft-04) / line 1507 (draft-05)

        A value of 4 (port) indicates that the source and destination IP
        addresses and the IP protocol and the source and destination layer
        4 ports of the triggering packet are used."
    ::= { ipSecAssociationEntry 9 }
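The granularity attribute decides how much of the triggering packet survives into the SA selector, which in turn decides how many flows one SA carries. The following is an added worked example for this page, not code from the draft: it derives the proposed selector for each of the four values from a constructed filter entry and triggering packet, and checks which flows each resulting selector admits. The FilterEntry, Packet and Selector shapes are this example's own assumptions about the surrounding data model; the draft says nothing about a protocol that has no ports under port(4), and the example's wildcard choice for that case is an assumption, marked in the code.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# ipSecAssociationGranularity values (from the PIB)
SUBNET, ADDRESS, PROTOCOL, PORT = 1, 2, 3, 4

@dataclass(frozen=True)
class FilterEntry:
    """Assumed shape of the matching filter entry: only its source/destination prefixes."""
    src: IPv4Network
    dst: IPv4Network

@dataclass(frozen=True)
class Packet:
    """The triggering packet's 5-tuple; ports are None for protocols that have none."""
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Selector:
    """Proposed SA selector; None means 'any' for that field."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def admits(self, pkt: Packet) -> bool:
        """True when the packet falls inside this selector."""
        return (pkt.src in self.src and pkt.dst in self.dst
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

def propose_selector(granularity: int, filt: FilterEntry, pkt: Packet) -> Selector:
    """Build the selector to propose for the SA, as ipSecAssociationGranularity directs."""
    if pkt.src not in filt.src or pkt.dst not in filt.dst:
        raise ValueError("triggering packet does not match the filter entry")
    if granularity == SUBNET:
        return Selector(filt.src, filt.dst)
    host_src = ip_network(f"{pkt.src}/32")
    host_dst = ip_network(f"{pkt.dst}/32")
    if granularity == ADDRESS:
        return Selector(host_src, host_dst)
    if granularity == PROTOCOL:
        return Selector(host_src, host_dst, pkt.proto)
    if granularity == PORT:
        # Assumption (the draft does not say): a protocol without ports, such as
        # ICMP, yields wildcard ports rather than an error.
        return Selector(host_src, host_dst, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError(f"unknown granularity {granularity}")

def render(sel: Selector) -> str:
    proto = "any" if sel.proto is None else str(sel.proto)
    sport = "any" if sel.sport is None else str(sel.sport)
    dport = "any" if sel.dport is None else str(sel.dport)
    return f"{sel.src} -> {sel.dst} proto={proto} ports={sport}->{dport}"

# Constructed sample: a policy covering two /16s, triggered by one HTTPS flow,
# plus a second flow from a different host that only the wider selectors admit.
FILTER = FilterEntry(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))
TRIGGER = Packet(ip_address("10.1.0.7"), ip_address("10.2.0.9"), 6, 40000, 443)
OTHER_FLOW = Packet(ip_address("10.1.0.8"), ip_address("10.2.0.9"), 6, 40001, 443)

if __name__ == "__main__":
    for g in (SUBNET, ADDRESS, PROTOCOL, PORT):
        sel = propose_selector(g, FILTER, TRIGGER)
        print(g, render(sel), "admits other flow:", sel.admits(OTHER_FLOW))
```

Running it shows the trade-off directly: subnet(1) yields one SA for every host pair inside the two prefixes, while port(4) yields an SA that admits only the triggering 5-tuple, so each new flow costs a fresh negotiation.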
ipSecAssociationProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecProposalSetProposalSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IPsec proposals that is associated with this
        IPsec association."
    ::= { ipSecAssociationEntry 10 }

--
--
-- The ipSecProposalSetTable
--

ipSecProposalSetTable OBJECT-TYPE

skipping to change at line 1477 (draft-04) / line 1531 (draft-05)

        "Specifies IPsec proposal sets. Proposals within a set are ORed
        with preference order."
    ::= { ipSecAssociation 6 }

ipSecProposalSetEntry OBJECT-TYPE
    SYNTAX IpSecProposalSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecProposalSetPrid }
    UNIQUENESS {
        ipSecProposalSetProposalSetId,
        ipSecProposalSetProposalId,
        ipSecProposalSetOrder
    }
    ::= { ipSecProposalSetTable 1 }

IpSecProposalSetEntry ::= SEQUENCE {
    ipSecProposalSetPrid          InstanceId,
    ipSecProposalSetProposalSetId TagId,

skipping to change at line 1503 (draft-04) / line 1562 (draft-05)

    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecProposalSetEntry 1 }

ipSecProposalSetProposalSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPsec proposal set is composed of one or more IPsec proposals.
        Each proposal belonging to the same set has the same
        ProposalSetId."
    ::= { ipSecProposalSetEntry 2 }

ipSecProposalSetProposalId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecProposalEntry }
    STATUS current
    DESCRIPTION

skipping to change at line 1533 (draft-04) / line 1588 (draft-05)

    DESCRIPTION
        "An integer that specifies the precedence order of the proposal
        identified by ipSecProposalSetProposalId in a proposal set. The
        proposal set is identified by ipSecProposalSetProposalSetId.
        Proposals within a set are ORed with preference order. A smaller
        integer value indicates a higher preference."
    ::= { ipSecProposalSetEntry 4 }

--
--
-- The ipSecProposalTable
--
ipSecProposalTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecProposalEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec proposals. It has references to ESP, AH and
        IPCOMP Transform sets. Within a proposal, different types of

skipping to change at line 1560 (draft-04) / line 1620 (draft-05)

    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecProposalPrid }
    UNIQUENESS {
        ipSecProposalEspTransformSetId,
        ipSecProposalAhTransformSetId,
        ipSecProposalCompTransformSetId
    }
    ::= { ipSecProposalTable 1 }

IpSecProposalEntry ::= SEQUENCE {
    ipSecProposalPrid               InstanceId,
    ipSecProposalEspTransformSetId  TagReferenceId,
    ipSecProposalAhTransformSetId   TagReferenceId,
    ipSecProposalCompTransformSetId TagReferenceId
}

ipSecProposalPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current

skipping to change at line 1589 (draft-04) / line 1646 (draft-05)

    SYNTAX TagReferenceId
    PIB-TAG { ipSecEspTransformSetTransformSetId }
    STATUS current
    DESCRIPTION
        "An integer that identifies a set of ESP transforms, specified in
        ipSecEspTransformSetTable, that is associated with this proposal."
    ::= { ipSecProposalEntry 2 }

ipSecProposalAhTransformSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecAhTransformSetTransformSetId }
    STATUS current
    DESCRIPTION
        "An integer that identifies an AH transform set, specified in
        ipSecAhTransformSetTable, that is associated with this proposal."
    ::= { ipSecProposalEntry 3 }

ipSecProposalCompTransformSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecCompTransformSetTransformSetId }

skipping to change at line 1614 (draft-04) / line 1676 (draft-05)

    ::= { ipSecProposalEntry 4 }
--
--
-- The ipSecAhTransformSetTable
--

ipSecAhTransformSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies AH transform sets. Within a transform set, the
        transforms are ORed with preference order."
    ::= { ipSecAhTransform 1 }

ipSecAhTransformSetEntry OBJECT-TYPE
    SYNTAX IpSecAhTransformSetEntry
    STATUS current
    DESCRIPTION

skipping to change at line 1645 (draft-04) / line 1703 (draft-05)

    ::= { ipSecAhTransformSetTable 1 }

IpSecAhTransformSetEntry ::= SEQUENCE {
    ipSecAhTransformSetPrid           InstanceId,
    ipSecAhTransformSetTransformSetId TagId,
    ipSecAhTransformSetTransformId    ReferenceId,
    ipSecAhTransformSetOrder          Unsigned16
}

ipSecAhTransformSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAhTransformSetEntry 1 }

ipSecAhTransformSetTransformSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current

skipping to change at line 1671 (draft-04) / line 1734 (draft-05)

ipSecAhTransformSetTransformId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecAhTransformEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecAhTransformTable."
    ::= { ipSecAhTransformSetEntry 3 }

ipSecAhTransformSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the transform
        identified by ipSecAhTransformSetTransformId within a transform
        set. The transform set is identified by
        ipSecAhTransformSetTransformSetId. Transforms within a set are
        ORed with preference order. A smaller integer value indicates a
        higher preference."
    ::= { ipSecAhTransformSetEntry 4 }
skipping to change at line 1701 (draft-04) / line 1760 (draft-05)

    SYNTAX SEQUENCE OF IpSecAhTransformEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies AH transforms."
    ::= { ipSecAhTransform 2 }

ipSecAhTransformEntry OBJECT-TYPE
    SYNTAX IpSecAhTransformEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAhTransformPrid }
    UNIQUENESS {
        ipSecAhTransformTransformId,
        ipSecAhTransformIntegrityKey,
        ipSecAhTransformUseReplayPrevention,
        ipSecAhTransformReplayPreventionWindowSize,
        ipSecAhTransformVendorId,
        ipSecAhTransformMaxLifetimeSeconds,

skipping to change at line 1727 (draft-04) / line 1791 (draft-05)

    ipSecAhTransformTransformId                INTEGER,
    ipSecAhTransformIntegrityKey               OCTET STRING,
    ipSecAhTransformUseReplayPrevention        TruthValue,
    ipSecAhTransformReplayPreventionWindowSize Unsigned32,
    ipSecAhTransformVendorId                   OCTET STRING,
    ipSecAhTransformMaxLifetimeSeconds         Unsigned32,
    ipSecAhTransformMaxLifetimeKilobytes       Unsigned32
}

ipSecAhTransformPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAhTransformEntry 1 }

ipSecAhTransformTransformId OBJECT-TYPE
    SYNTAX INTEGER {
        md5(2),

skipping to change at line 1759 (draft-04) / line 1819 (draft-05)

ipSecAhTransformIntegrityKey OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "When this AH transform instance is used for a Static Action, this
        attribute specifies the integrity key to be used. This attribute
        MUST be ignored when this AH transform instance is used for a
        Negotiation Action."
    ::= { ipSecAhTransformEntry 3 }

ipSecAhTransformUseReplayPrevention OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether to enable replay prevention detection."
    ::= { ipSecAhTransformEntry 4 }

ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current

skipping to change at line 1784 (draft-04) / line 1848 (draft-05)

    ::= { ipSecAhTransformEntry 5 }

ipSecAhTransformVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the vendor ID for vendor-defined transforms."
    ::= { ipSecAhTransformEntry 6 }

ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a security
        association to remain valid.

        A value of zero indicates that the default of 8 hours be used. A
        non-zero value indicates the maximum seconds lifetime."
    ::= { ipSecAhTransformEntry 7 }

skipping to change at line 1815 (draft-04) / line 1875 (draft-05)

        A value of zero indicates that there should be no maximum kilobyte
        lifetime. A non-zero value specifies the desired kilobyte
        lifetime."
    ::= { ipSecAhTransformEntry 8 }
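Zero means three different things across the lifetime attributes: "no minimum enforced" for ipSecAssociationMinLifetimeSeconds/Kilobytes, "no idle detection" for ipSecAssociationIdleDurationSeconds, "use the 8-hour default" for ipSec*TransformMaxLifetimeSeconds, and "no kilobyte lifetime at all" for ipSec*TransformMaxLifetimeKilobytes. The following is an added example for this page, not code from the draft: it encodes those four rules in one place, derives what the transform would propose, checks a peer's offer against the association's minimums, and flags a policy whose own proposal could never satisfy its own minimum. Treating an absent lifetime in a peer's offer as unlimited is this example's assumption; the draft does not address that case.

```python
from typing import NamedTuple, Optional, Tuple

DEFAULT_MAX_SECONDS = 8 * 3600   # the draft's default when *MaxLifetimeSeconds is zero

class TransformLifetimes(NamedTuple):
    """ipSec{Ah,Esp}TransformMaxLifetimeSeconds / ...Kilobytes, zero-encoded as in the PIB."""
    max_seconds: int
    max_kilobytes: int

class AssociationLimits(NamedTuple):
    """ipSecAssociationMinLifetimeSeconds / ...Kilobytes / IdleDurationSeconds."""
    min_seconds: int
    min_kilobytes: int
    idle_seconds: int

def lifetimes_to_propose(t: TransformLifetimes) -> Tuple[int, Optional[int]]:
    """Lifetimes to offer the peer: zero seconds means the 8-hour default,
    zero kilobytes means no kilobyte lifetime (None)."""
    return (t.max_seconds or DEFAULT_MAX_SECONDS, t.max_kilobytes or None)

def peer_lifetimes_acceptable(limits: AssociationLimits,
                              offered_seconds: Optional[int],
                              offered_kilobytes: Optional[int]) -> Tuple[bool, str]:
    """Apply the association's minimums to what the peer proposed.

    A zero minimum is 'not enforced'. An absent offer (None) is treated as
    unlimited and therefore satisfies any minimum (assumption, see lead-in)."""
    if limits.min_seconds and offered_seconds is not None and offered_seconds < limits.min_seconds:
        return False, f"seconds lifetime {offered_seconds} below minimum {limits.min_seconds}"
    if limits.min_kilobytes and offered_kilobytes is not None and offered_kilobytes < limits.min_kilobytes:
        return False, f"kilobyte lifetime {offered_kilobytes} below minimum {limits.min_kilobytes}"
    return True, "ok"

def policy_self_consistent(limits: AssociationLimits, t: TransformLifetimes) -> bool:
    """Our own proposal must pass our own minimums; otherwise a peer that simply
    accepts what we offer produces an SA we would then reject."""
    return peer_lifetimes_acceptable(limits, *lifetimes_to_propose(t))[0]

def idle_expired(limits: AssociationLimits, idle_for_seconds: int) -> bool:
    """Idle deletion applies only when IdleDurationSeconds is non-zero."""
    return bool(limits.idle_seconds) and idle_for_seconds >= limits.idle_seconds

if __name__ == "__main__":
    # Constructed sample policy: rekey at most every hour or 500 MB, refuse
    # peers that want to rekey faster than every 10 minutes, drop after 2 min idle.
    transform = TransformLifetimes(3600, 512000)
    limits = AssociationLimits(600, 0, 120)
    print("propose:", lifetimes_to_propose(transform))
    print("peer offers 300 s:", peer_lifetimes_acceptable(limits, 300, None))
    print("self-consistent:", policy_self_consistent(limits, transform))
    print("idle 121 s expired:", idle_expired(limits, 121))
```

The self-consistency check is the one worth wiring into a policy loader: an association with MinLifetimeSeconds of 36000 and a transform that leaves MaxLifetimeSeconds at zero (8 hours) is a configuration that can never yield an acceptable SA, and nothing in the UNIQUENESS clauses catches it.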
--
--
-- The ipSecEspTransformSetTable
--

ipSecEspTransformSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies ESP transform sets. Within a transform set, the choices
        are ORed with preference order."
    ::= { ipSecEspTransform 1 }

ipSecEspTransformSetEntry OBJECT-TYPE

skipping to change at line 1840 (draft-04) / line 1904 (draft-05)

    UNIQUENESS {
        ipSecEspTransformSetTransformSetId,
        ipSecEspTransformSetTransformId,
        ipSecEspTransformSetOrder
    }
    ::= { ipSecEspTransformSetTable 1 }

IpSecEspTransformSetEntry ::= SEQUENCE {
    ipSecEspTransformSetPrid           InstanceId,
    ipSecEspTransformSetTransformSetId TagId,
    ipSecEspTransformSetTransformId    ReferenceId,
    ipSecEspTransformSetOrder          Unsigned16
}

ipSecEspTransformSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."

skipping to change at line 1871 (draft-04) / line 1931 (draft-05)

        Each transform belonging to the same set has the same
        TransformSetId."
    ::= { ipSecEspTransformSetEntry 2 }

ipSecEspTransformSetTransformId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecEspTransformEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecEspTransformTable."
    ::= { ipSecEspTransformSetEntry 3 }

ipSecEspTransformSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the transform
        identified by ipSecEspTransformSetTransformId within a transform
        set. The transform set is identified by
        ipSecEspTransformSetTransformSetId. Transforms within a set are

skipping to change at line 1896 (draft-04) / line 1961 (draft-05)
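The ipSecProposalSetTable, ipSecAhTransformSetTable and ipSecEspTransformSetTable above share one pattern: a TagId groups rows into a set, a ReferenceId names a member, and Order ranks the members, with the members of a set ORed in preference order. The following is an added worked example for this page, not code from the draft: it expands an ipSecAssociationProposalSetId through those three tables into the ordered proposal list that would be offered to a peer, while enforcing each table's UNIQUENESS clause and its PIB-REFERENCES, and refusing two members of a set that share an Order value (permitted by UNIQUENESS, but it leaves the preference undefined). The Pib class and the row shapes are this example's own simplification of the tables; the rows are constructed samples; a tag value of 0 standing for "no transform set of this kind" is an assumption; and rendering AH and ESP of one proposal as applied together follows the standard IPsec protection-suite semantics rather than text visible on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

class SetRow(NamedTuple):
    """One row of an ipSec*SetTable: Prid, the set's TagId, a member ReferenceId, Order."""
    prid: int
    set_id: int
    member: int
    order: int          # smaller value = higher preference

class ProposalRow(NamedTuple):
    """One row of ipSecProposalTable. Assumption: tag 0 means 'no set of this kind'."""
    prid: int
    esp_set: int
    ah_set: int
    comp_set: int

@dataclass
class Pib:
    """The subset of the PIB tables needed to expand one proposal set (assumed layout)."""
    proposal_sets: List[SetRow]
    proposals: Dict[int, ProposalRow]            # keyed by ipSecProposalPrid
    esp_sets: List[SetRow]
    esp_transforms: Dict[int, str]               # ipSecEspTransformPrid -> label
    ah_sets: List[SetRow]
    ah_transforms: Dict[int, str]
    comp_sets: List[SetRow] = field(default_factory=list)
    comp_transforms: Dict[int, str] = field(default_factory=dict)

class Resolved(NamedTuple):
    proposal: int
    esp: Tuple[int, ...]     # transform Prids, preferred first
    ah: Tuple[int, ...]
    comp: Tuple[int, ...]

def check_uniqueness(rows: Sequence[SetRow]) -> None:
    """Enforce the UNIQUENESS clause: (SetId, MemberId, Order) identifies one instance."""
    seen = set()
    for r in rows:
        key = (r.set_id, r.member, r.order)
        if key in seen:
            raise ValueError(f"row {r.prid} duplicates {key}")
        seen.add(key)

def ordered_members(rows: Sequence[SetRow], set_id: int, targets: Dict[int, object]) -> Tuple[int, ...]:
    """Members of one set, highest preference (smallest Order) first."""
    members = [r for r in rows if r.set_id == set_id]
    if not members:
        raise ValueError(f"tag {set_id} names no rows")
    if len({r.order for r in members}) != len(members):
        raise ValueError(f"set {set_id}: repeated Order value, preference undefined")
    for r in members:
        if r.member not in targets:          # PIB-REFERENCES must resolve
            raise ValueError(f"row {r.prid}: dangling reference to {r.member}")
    return tuple(r.member for r in sorted(members, key=lambda r: r.order))

def resolve_proposal_set(pib: Pib, set_id: int) -> List[Resolved]:
    """Expand ipSecAssociationProposalSetId into the ordered list offered to the peer."""
    for rows in (pib.proposal_sets, pib.esp_sets, pib.ah_sets, pib.comp_sets):
        check_uniqueness(rows)
    out = []
    for pid in ordered_members(pib.proposal_sets, set_id, pib.proposals):
        p = pib.proposals[pid]
        esp = ordered_members(pib.esp_sets, p.esp_set, pib.esp_transforms) if p.esp_set else ()
        ah = ordered_members(pib.ah_sets, p.ah_set, pib.ah_transforms) if p.ah_set else ()
        comp = ordered_members(pib.comp_sets, p.comp_set, pib.comp_transforms) if p.comp_set else ()
        if not (esp or ah or comp):
            raise ValueError(f"proposal {pid} references no transform set")
        out.append(Resolved(pid, esp, ah, comp))
    return out

def resolution_error(pib: Pib, set_id: int) -> Optional[str]:
    """None when the set expands cleanly, otherwise the first problem found."""
    try:
        resolve_proposal_set(pib, set_id)
    except ValueError as e:
        return str(e)
    return None

def describe(pib: Pib, set_id: int) -> List[str]:
    """One line per proposal: '|' separates ORed alternatives, '+' joins AH and ESP."""
    lines = []
    for r in resolve_proposal_set(pib, set_id):
        parts = [" | ".join(pib.esp_transforms[t] for t in r.esp),
                 " | ".join(pib.ah_transforms[t] for t in r.ah)]
        lines.append(f"proposal {r.proposal}: " + " + ".join(p for p in parts if p))
    return lines

# Constructed sample rows (not taken from the draft).
SAMPLE = Pib(
    proposal_sets=[SetRow(1, 100, 11, 20), SetRow(2, 100, 12, 10), SetRow(3, 100, 13, 30)],
    proposals={11: ProposalRow(11, 200, 0, 0), 12: ProposalRow(12, 200, 300, 0),
               13: ProposalRow(13, 0, 300, 0)},
    esp_sets=[SetRow(1, 200, 21, 2), SetRow(2, 200, 22, 1)],
    esp_transforms={21: "ESP hmacSha/3des", 22: "ESP hmacMd5/des"},
    ah_sets=[SetRow(1, 300, 31, 1)],
    ah_transforms={31: "AH sha"},
)
# Same tables plus a row pointing at proposal 99, which does not exist.
DANGLING = Pib(SAMPLE.proposal_sets + [SetRow(4, 100, 99, 40)], SAMPLE.proposals,
               SAMPLE.esp_sets, SAMPLE.esp_transforms, SAMPLE.ah_sets, SAMPLE.ah_transforms)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE, 100)))
    print("dangling:", resolution_error(DANGLING, 100))
```

Note that the Prid of a row plays no part in ordering; only the Order attribute does, so a PDP that appends rows in the order it wants them offered, but leaves Order equal across them, has not expressed a preference at all.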
--
-- The ipSecEspTransformTable
--

ipSecEspTransformTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecEspTransformEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies ESP transforms."
    ::= { ipSecEspTransform 2 }

ipSecEspTransformEntry OBJECT-TYPE
    SYNTAX IpSecEspTransformEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecEspTransformPrid }
    UNIQUENESS {
        ipSecEspTransformIntegrityTransformId,

skipping to change at line 1927 (draft-04) / line 1988 (draft-05)

        ipSecEspTransformVendorId,
        ipSecEspTransformMaxLifetimeSeconds,
        ipSecEspTransformMaxLifetimeKilobytes
    }
    ::= { ipSecEspTransformTable 1 }

IpSecEspTransformEntry ::= SEQUENCE {
    ipSecEspTransformPrid                       InstanceId,
    ipSecEspTransformIntegrityTransformId       INTEGER,
    ipSecEspTransformCipherTransformId          INTEGER,
    ipSecEspTransformIntegrityKey               OCTET STRING,
    ipSecEspTransformCipherKey                  OCTET STRING,
    ipSecEspTransformCipherKeyRounds            Unsigned16,
    ipSecEspTransformCipherKeyLength            Unsigned16,
    ipSecEspTransformUseReplayPrevention        TruthValue,
    ipSecEspTransformReplayPreventionWindowSize Unsigned32,
    ipSecEspTransformVendorId                   OCTET STRING,
    ipSecEspTransformMaxLifetimeSeconds         Unsigned32,
    ipSecEspTransformMaxLifetimeKilobytes       Unsigned32
}

skipping to change at line 1953 (draft-04) / line 2019 (draft-05)

        class."
    ::= { ipSecEspTransformEntry 1 }

ipSecEspTransformIntegrityTransformId OBJECT-TYPE
    SYNTAX INTEGER {
        none(0),
        hmacMd5(1),
        hmacSha(2),
        desMac(3),
        kpdk(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the transform ID of the ESP integrity algorithm to
        propose."
    ::= { ipSecEspTransformEntry 2 }

ipSecEspTransformCipherTransformId OBJECT-TYPE
    SYNTAX INTEGER {
        desIV64(1),

skipping to change at line 1984 (draft-04) / line 2046 (draft-05)

        desIV32(9),
        rc4(10),
        null(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the transform ID of the ESP encryption algorithm to
        propose."
    ::= { ipSecEspTransformEntry 3 }
Li, et al Expires February, 2003 36
IPsec Policy Information Base August, 2002
ipSecEspTransformIntegrityKey OBJECT-TYPE ipSecEspTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When this ESP transform instance is used for a Static Action, "When this ESP transform instance is used for a Static Action,
this attribute specifies the integrity key to be used. This this attribute specifies the integrity key to be used. This
attribute MUST be ignored when this ESP transform instance is used attribute MUST be ignored when this ESP transform instance is used
for a Negotiation Action." for a Negotiation Action."
::= { ipSecEspTransformEntry 4 } ::= { ipSecEspTransformEntry 4 }
skipping to change at line 2008 skipping to change at line 2074
"When this ESP transform instance is used for a Static Action, "When this ESP transform instance is used for a Static Action,
this attribute specifies the cipher key to be used. This attribute this attribute specifies the cipher key to be used. This attribute
MUST be ignored when this ESP transform instance is used for a MUST be ignored when this ESP transform instance is used for a
Negotiation Action." Negotiation Action."
::= { ipSecEspTransformEntry 5 } ::= { ipSecEspTransformEntry 5 }
ipSecEspTransformCipherKeyRounds OBJECT-TYPE ipSecEspTransformCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires August, 2002 36
IPsec Policy Information Base February, 2002
"Specifies the number of key rounds for the ESP encryption "Specifies the number of key rounds for the ESP encryption
algorithm. For encryption algorithms that use fixed number of key algorithm. For encryption algorithms that use fixed number of key
rounds, this value is ignored." rounds, this value is ignored."
::= { ipSecEspTransformEntry 6 } ::= { ipSecEspTransformEntry 6 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies, in bits, the key length for the ESP encryption "Specifies, in bits, the key length for the ESP encryption
skipping to change at line 2041 skipping to change at line 2103
::= { ipSecEspTransformEntry 8 } ::= { ipSecEspTransformEntry 8 }
ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies, in bits, the length of the sliding window used by the "Specifies, in bits, the length of the sliding window used by the
replay prevention detection mechanism. The value of this property replay prevention detection mechanism. The value of this property
is ignored if UseReplayPrevention is false. It is assumed that the is ignored if UseReplayPrevention is false. It is assumed that the
window size will be power of 2." window size will be power of 2."
Li, et al Expires February, 2003 37
IPsec Policy Information Base August, 2002
::= { ipSecEspTransformEntry 9 } ::= { ipSecEspTransformEntry 9 }
ipSecEspTransformVendorId OBJECT-TYPE ipSecEspTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms." "Specifies the vendor ID for vendor-defined transforms."
::= { ipSecEspTransformEntry 10 } ::= { ipSecEspTransformEntry 10 }
ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
skipping to change at line 2065 skipping to change at line 2132
association to remain valid. association to remain valid.
A value of zero indicates that the default of 8 hours be used. A A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime." non-zero value indicates the maximum seconds lifetime."
::= { ipSecEspTransformEntry 11 } ::= { ipSecEspTransformEntry 11 }
ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires August, 2002 37
IPsec Policy Information Base February, 2002
"Specifies the maximum kilobyte lifetime to propose for a security "Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that there should be no maximum kilobyte A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte lifetime. A non-zero value specifies the desired kilobyte
lifetime." lifetime."
::= { ipSecEspTransformEntry 12 } ::= { ipSecEspTransformEntry 12 }
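As an added example (not part of the draft), the following Python models an IpSecEspTransformEntry and applies the rules the DESCRIPTION clauses above state: keys ignored for a Negotiation Action, the replay window ignored unless UseReplayPrevention is true and assumed to be a power of 2, a zero seconds lifetime meaning the 8 hour default, a zero kilobyte lifetime meaning no maximum, and UNIQUENESS enforced on install. The class and function names are this example's own, and treating UNIQUENESS as covering every non-Prid attribute is an assumption, since the excerpt elides the middle of that list.

```python
from dataclasses import dataclass, astuple
from typing import Dict, List, Optional, Tuple

# Values from the ipSecEspTransformIntegrityTransformId SYNTAX clause.
INTEGRITY_IDS = {0: "none", 1: "hmacMd5", 2: "hmacSha", 3: "desMac", 4: "kpdk"}
UNSIGNED16_MAX = 0xFFFF
UNSIGNED32_MAX = 0xFFFFFFFF
# ipSecEspTransformMaxLifetimeSeconds: zero selects the default of 8 hours.
DEFAULT_LIFETIME_SECONDS = 8 * 3600


@dataclass(frozen=True)
class EspTransformEntry:
    """One IpSecEspTransformEntry; field order follows the SEQUENCE."""
    prid: int
    integrity_transform_id: int
    cipher_transform_id: int
    integrity_key: bytes
    cipher_key: bytes
    cipher_key_rounds: int
    cipher_key_length: int
    use_replay_prevention: bool
    replay_prevention_window_size: int
    vendor_id: bytes
    max_lifetime_seconds: int
    max_lifetime_kilobytes: int

    def uniqueness_key(self) -> tuple:
        # Assumption: UNIQUENESS names every attribute except the Prid index
        # (the excerpt elides the middle of the list).
        return astuple(self)[1:]


def validate(e: EspTransformEntry) -> List[str]:
    """Return the problems an install should reject; empty means acceptable."""
    problems: List[str] = []
    if e.integrity_transform_id not in INTEGRITY_IDS:
        problems.append(f"unknown integrity transform id {e.integrity_transform_id}")
    for name in ("cipher_key_rounds", "cipher_key_length"):
        if not 0 <= getattr(e, name) <= UNSIGNED16_MAX:
            problems.append(f"{name} outside Unsigned16 range")
    for name in ("replay_prevention_window_size", "max_lifetime_seconds",
                 "max_lifetime_kilobytes"):
        if not 0 <= getattr(e, name) <= UNSIGNED32_MAX:
            problems.append(f"{name} outside Unsigned32 range")
    # The window size is ignored when replay prevention is off; when it is on,
    # the PIB assumes a power of 2.
    w = e.replay_prevention_window_size
    if e.use_replay_prevention and not (w > 0 and w & (w - 1) == 0):
        problems.append(f"replay window {w} is not a power of 2")
    return problems


def effective_replay_window(e: EspTransformEntry) -> Optional[int]:
    """Window size in bits, or None when UseReplayPrevention is false."""
    return e.replay_prevention_window_size if e.use_replay_prevention else None


def effective_lifetime_seconds(e: EspTransformEntry) -> int:
    return e.max_lifetime_seconds or DEFAULT_LIFETIME_SECONDS


def effective_lifetime_kilobytes(e: EspTransformEntry) -> Optional[int]:
    # Zero means there is no kilobyte maximum at all.
    return e.max_lifetime_kilobytes or None


def keys_for_action(e: EspTransformEntry, action: str) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Keys apply to a Static Action only; a Negotiation Action MUST ignore them."""
    if action == "static":
        return e.integrity_key, e.cipher_key
    if action == "negotiation":
        return None, None
    raise ValueError(f"unknown action kind {action!r}")


class EspTransformTable:
    """PIB-ACCESS install: the PDP installs instances; UNIQUENESS clashes are refused."""

    def __init__(self) -> None:
        self.entries: Dict[int, EspTransformEntry] = {}
        self._by_uniqueness: Dict[tuple, int] = {}

    def install(self, e: EspTransformEntry) -> Optional[str]:
        """Install e; return None on success or the reason it was refused."""
        problems = validate(e)
        if problems:
            return "; ".join(problems)
        if e.prid in self.entries:
            return f"prid {e.prid} already installed"
        clash = self._by_uniqueness.get(e.uniqueness_key())
        if clash is not None:
            return f"UNIQUENESS violation: same attributes as prid {clash}"
        self.entries[e.prid] = e
        self._by_uniqueness[e.uniqueness_key()] = e.prid
        return None
```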
--
--
skipping to change at line 2160
"Specifies IPComp transform sets. Within a transform set, the
choices are ORed with preference order."
::= { ipSecCompTransform 1 }

ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformSetPrid }
UNIQUENESS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
::= { ipSecCompTransformSetTable 1 }

IpSecCompTransformSetEntry ::= SEQUENCE {
ipSecCompTransformSetPrid InstanceId,
ipSecCompTransformSetTransformSetId TagId,
skipping to change at line 2189

ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecCompTransformSetEntry 1 }

ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An IPCOMP transform set is composed of one or more IPCOMP
transforms. Each transform belonging to the same set has the same
TransformSetId."
::= { ipSecCompTransformSetEntry 2 }

ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecCompTransformEntry }
skipping to change at line 2217
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a
higher preference."
::= { ipSecCompTransformSetEntry 4 }

--
--
-- The ipSecCompTransformTable
--

ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IP compression (IPCOMP) algorithms."
skipping to change at line 2246
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformPrid }
UNIQUENESS {
ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm,
ipSecCompTransformVendorId,
ipSecCompTransformMaxLifetimeSeconds,
ipSecCompTransformMaxLifetimeKilobytes
}
::= { ipSecCompTransformTable 1 }

IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid InstanceId,
ipSecCompTransformAlgorithm INTEGER,
ipSecCompTransformDictionarySize Unsigned16,
ipSecCompTransformPrivateAlgorithm Unsigned32,
ipSecCompTransformVendorId OCTET STRING,
skipping to change at line 2275
class."
::= { ipSecCompTransformEntry 1 }

ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
oui(1),
deflate(2),
lzs(3)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the IPCOMP compression algorithm to
propose."
::= { ipSecCompTransformEntry 2 }

ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the log2 maximum size of the dictionary for the
skipping to change at line 2304

ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies a private vendor-specific compression algorithm."
::= { ipSecCompTransformEntry 4 }

ipSecCompTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecCompTransformEntry 5 }

ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies the maximum amount of time to propose for a security
association to remain valid.
skipping to change at line 2332
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecCompTransformEntry 7 }

--
--
-- The ipSecIkeRuleTable
--

ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE rules. This table is required only when specifying:
skipping to change at line 2361
- IKE phase one actions that start automatically.
Support of this table is optional."
::= { ipSecIkeAssociation 1 }

ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeRulePrid }
UNIQUENESS {
ipSecIkeRuleIfName,
ipSecIkeRuleRoles,
ipSecIkeRuleIkeActionSetId,
ipSecIkeRuleActionExecutionStrategy,
ipSecIkeRuleLimitNegotiation,
ipSecIkeRuleAutoStart
}
skipping to change at line 2390
ipSecIkeRuleAutoStart TruthValue,
ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
}

ipSecIkeRulePrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeRuleEntry 1 }

ipSecIkeRuleIfName OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"The interface capability set to which this IKE rule applies. The
interface capability name specified by this attribute must exist
in the frwkIfCapSetTable [FR-PIB] prior to association with an
instance of this class.
skipping to change at line 2420
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"Specifies the role combination of the interface to which this IKE
rule should apply. There must exist an instance in the
frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
combination, together with the interface capability set specified
by ipSecIkeRuleIfName, prior to association with an instance of
this class.
This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkeRuleEntry 3 }

ipSecIkeRuleIkeActionSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecIkeActionSetActionSetId }
STATUS current
DESCRIPTION
"Identifies a set of IKE actions to be associated with this rule."
::= { ipSecIkeRuleEntry 4 }
skipping to change at line 2448
"Specifies the strategy to be used in executing the sequenced
actions in the action set identified by ipSecRuleIpSecActionSetId.
DoAll (1) causes the execution of all the actions in the action
set according to their defined precedence order. The precedence
order is specified by the ipSecActionSetOrder in
ipSecIkeActionSetTable.
DoUntilSuccess (2) causes the execution of actions according to
their defined precedence order until a successful execution of a
single action. The precedence order is specified by the
ipSecActionSetOrder in ipSecIkeActionSetTable."
::= { ipSecIkeRuleEntry 5 }

ipSecIkeRuleLimitNegotiation OBJECT-TYPE
SYNTAX INTEGER {
initiator(1),
responder(2),
both(3)
}
skipping to change at line 2477
negotiation role of the rule matches that defined for the
negotiation being undertaken (e.g., Initiator, Responder, or
Both). If this check fails (e.g. the current role is IKE responder
while the rule specifies IKE initiator), then the IKE negotiation
is stopped. Note that this only applies to new IKE phase 1
negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists."
::= { ipSecIkeRuleEntry 6 }

ipSecIkeRuleAutoStart OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Indicates if this rule should be automatically executed."
::= { ipSecIkeRuleEntry 7 }

ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
STATUS current
skipping to change at line 2505

--
-- The ipSecIkeActionSetTable
--

ipSecIkeActionSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IKE action sets."
::= { ipSecIkeAssociation 2 }

ipSecIkeActionSetEntry OBJECT-TYPE
SYNTAX IpSecIkeActionSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeActionSetPrid }
UNIQUENESS {
ipSecIkeActionSetActionSetId,
skipping to change at line 2534

IpSecIkeActionSetEntry ::= SEQUENCE {
ipSecIkeActionSetPrid InstanceId,
ipSecIkeActionSetActionSetId TagId,
ipSecIkeActionSetActionId Prid,
ipSecIkeActionSetOrder Unsigned16
}

ipSecIkeActionSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeActionSetEntry 1 }

ipSecIkeActionSetActionSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
skipping to change at line 2564

ipSecIkeActionSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the precedence order of the action within the action
set. An action with a smaller precedence order is to be tried
before one with a larger precedence order."
::= { ipSecIkeActionSetEntry 4 }
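As an added example, not the draft's own code, the Python below executes an IKE rule's action set the way ipSecIkeRuleActionExecutionStrategy, ipSecIkeActionSetOrder and ipSecIkeRuleLimitNegotiation above describe it: actions run in precedence order, DoUntilSuccess stops at the first success, and the role check applies only to new phase 1 negotiations. The class and function names are this example's, the action bodies are stand-ins supplied by the caller, and the IKE actions are identified by plain strings rather than Prids.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# ipSecIkeRuleActionExecutionStrategy values named in the DESCRIPTION.
DO_ALL, DO_UNTIL_SUCCESS = 1, 2
# ipSecIkeRuleLimitNegotiation: initiator(1), responder(2), both(3).
INITIATOR, RESPONDER, BOTH = 1, 2, 3


@dataclass(frozen=True)
class IkeActionSetEntry:
    """One row of ipSecIkeActionSetTable."""
    action_set_id: int   # ipSecIkeActionSetActionSetId, the TagId shared by the set's rows
    action_id: str       # ipSecIkeActionSetActionId; a name stands in for the Prid here
    order: int           # ipSecIkeActionSetOrder; smaller is tried first


@dataclass(frozen=True)
class IkeRuleEntry:
    """The ipSecIkeRuleEntry attributes the execution logic needs."""
    prid: int
    ike_action_set_id: int
    action_execution_strategy: int
    limit_negotiation: int
    auto_start: bool


@dataclass
class ExecutionResult:
    stopped_by_role: bool = False
    executed: List[Tuple[str, bool]] = field(default_factory=list)  # (action, succeeded)


def ordered_actions(action_set_table: List[IkeActionSetEntry], set_id: int) -> List[str]:
    """Actions of one set in precedence order (the PIB-TAG join on the set id)."""
    members = [row for row in action_set_table if row.action_set_id == set_id]
    return [row.action_id for row in sorted(members, key=lambda row: row.order)]


def role_permitted(rule: IkeRuleEntry, current_role: int) -> bool:
    """LimitNegotiation check: both(3) accepts either role."""
    return rule.limit_negotiation in (BOTH, current_role)


def execute_rule(rule: IkeRuleEntry,
                 action_set_table: List[IkeActionSetEntry],
                 current_role: int,
                 run_action: Callable[[str], bool],
                 new_phase1: bool = True) -> ExecutionResult:
    """Run the rule's action set; run_action reports whether an action succeeded."""
    if rule.action_execution_strategy not in (DO_ALL, DO_UNTIL_SUCCESS):
        raise ValueError(f"unknown execution strategy {rule.action_execution_strategy}")
    result = ExecutionResult()
    # The role check applies only to new phase 1 negotiations, not to
    # renegotiation or refresh of an SA that already exists.
    if new_phase1 and not role_permitted(rule, current_role):
        result.stopped_by_role = True
        return result
    for action in ordered_actions(action_set_table, rule.ike_action_set_id):
        ok = run_action(action)
        result.executed.append((action, ok))
        if rule.action_execution_strategy == DO_UNTIL_SUCCESS and ok:
            break  # the first successful action ends the set
        # DO_ALL continues through every action regardless of outcome
    return result


def autostart_rules(rule_table: List[IkeRuleEntry]) -> List[IkeRuleEntry]:
    """Rules to execute automatically (ipSecIkeRuleAutoStart true)."""
    return [rule for rule in rule_table if rule.auto_start]
```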
Li, et al Expires February, 2003 45
IPsec Policy Information Base August, 2002
-- --
-- --
-- The ipSecIkeAssociationTable -- The ipSecIkeAssociationTable
-- --
ipSecIkeAssociationTable OBJECT-TYPE ipSecIkeAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 2515 skipping to change at line 2590
ipSecIkeAssociationEntry OBJECT-TYPE ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry SYNTAX IpSecIkeAssociationEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeAssociationPrid } PIB-INDEX { ipSecIkeAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLiftetimeSeconds,
ipSecIkeAssociationMinLifetimeKilobytes, ipSecIkeAssociationMinLifetimeKilobytes,
Li, et al Expires August, 2002 45
IPsec Policy Information Base February, 2002
ipSecIkeAssociationIdleDurationSeconds, ipSecIkeAssociationIdleDurationSeconds,
ipSecIkeAssociationExchangeMode, ipSecIkeAssociationExchangeMode,
ipSecIkeAssociationUseIkeIdentityType, ipSecIkeAssociationUseIkeIdentityType,
ipSecIkeAssociationUseIkeIdentityValue, ipSecIkeAssociationUseIkeIdentityValue,
ipSecIkeAssociationIkePeerEndpoint, ipSecIkeAssociationIkePeerEndpoint,
ipSecIkeAssociationPresharedKey, ipSecIkeAssociationPresharedKey,
ipSecIkeAssociationVendorId, ipSecIkeAssociationVendorId,
ipSecIkeAssociationAggressiveModeGroupId, ipSecIkeAssociationAggressiveModeGroupId,
ipSecIkeAssociationLocalCredentialId, ipSecIkeAssociationLocalCredentialId,
ipSecIkeAssociationDoActionLogging, ipSecIkeAssociationDoActionLogging,
skipping to change at line 2548 skipping to change at line 2619
ipSecIkeAssociationExchangeMode INTEGER, ipSecIkeAssociationExchangeMode INTEGER,
ipSecIkeAssociationUseIkeIdentityType INTEGER, ipSecIkeAssociationUseIkeIdentityType INTEGER,
ipSecIkeAssociationUseIkeIdentityValue OCTET STRING, ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
ipSecIkeAssociationIkePeerEndpoint ReferenceId, ipSecIkeAssociationIkePeerEndpoint ReferenceId,
ipSecIkeAssociationPresharedKey OCTET STRING, ipSecIkeAssociationPresharedKey OCTET STRING,
ipSecIkeAssociationVendorId OCTET STRING, ipSecIkeAssociationVendorId OCTET STRING,
ipSecIkeAssociationAggressiveModeGroupId Unsigned16, ipSecIkeAssociationAggressiveModeGroupId Unsigned16,
ipSecIkeAssociationLocalCredentialId TagReferenceId, ipSecIkeAssociationLocalCredentialId TagReferenceId,
ipSecIkeAssociationDoActionLogging TruthValue, ipSecIkeAssociationDoActionLogging TruthValue,
ipSecIkeAssociationIkeProposalSetId TagReferenceId ipSecIkeAssociationIkeProposalSetId TagReferenceId
Li, et al Expires February, 2003 46
IPsec Policy Information Base August, 2002
} }
ipSecIkeAssociationPrid OBJECT-TYPE ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIkeAssociationEntry 1 } ::= { ipSecIkeAssociationEntry 1 }
skipping to change at line 2572 skipping to change at line 2648
"Specifies the minimum SA seconds lifetime that will be accepted "Specifies the minimum SA seconds lifetime that will be accepted
from a peer while negotiating an SA based upon this action. from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeAssociationEntry 2 } ::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
Li, et al Expires August, 2002 46
IPsec Policy Information Base February, 2002
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this from a negotiating peer while negotiating an SA based upon this
action. action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecIkeAssociationEntry 3 } ::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
skipping to change at line 2605 skipping to change at line 2677
::= { ipSecIkeAssociationEntry 4 } ::= { ipSecIkeAssociationEntry 4 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE ipSecIkeAssociationExchangeMode OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
baseMode(1), baseMode(1),
mainMode(2), mainMode(2),
aggressiveMode(4) aggressiveMode(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires February, 2003 47
IPsec Policy Information Base August, 2002
"Specifies the negotiation mode that the IKE server will use for "Specifies the negotiation mode that the IKE server will use for
phase one." phase one."
::= { ipSecIkeAssociationEntry 5 } ::= { ipSecIkeAssociationEntry 5 }
ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
skipping to change at line 2629 skipping to change at line 2706
der-Asn1-DN(9), der-Asn1-DN(9),
der-Asn1-GN(10), der-Asn1-GN(10),
key-Id(11) key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of IKE identity to use during IKE phase one "Specifies the type of IKE identity to use during IKE phase one
negotiation." negotiation."
::= { ipSecIkeAssociationEntry 6 } ::= { ipSecIkeAssociationEntry 6 }
Li, et al Expires August, 2002 47
IPsec Policy Information Base February, 2002
ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the ID payload value to be provided to the peer during "Specifies the ID payload value to be provided to the peer during
IKE phase one negotiation." IKE phase one negotiation."
::= { ipSecIkeAssociationEntry 7 } ::= { ipSecIkeAssociationEntry 7 }
ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
skipping to change at line 2661 skipping to change at line 2735
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute specifies the preshared key or secret to use for "This attribute specifies the preshared key or secret to use for
IKE authentication. This is the key for all the IKE proposals of IKE authentication. This is the key for all the IKE proposals of
this association that set ipSecIkeProposalAuthenticationMethod to this association that set ipSecIkeProposalAuthenticationMethod to
presharedKey(1)." presharedKey(1)."
::= { ipSecIkeAssociationEntry 9 } ::= { ipSecIkeAssociationEntry 9 }
ipSecIkeAssociationVendorId OBJECT-TYPE ipSecIkeAssociationVendorId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
Li, et al Expires February, 2003 48
IPsec Policy Information Base August, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value to be used in the Vendor ID payload. "Specifies the value to be used in the Vendor ID payload.
A value of NULL means that Vendor ID payload will be neither A value of NULL means that Vendor ID payload will be neither
generated nor accepted. A non-NULL value means that a Vendor ID generated nor accepted. A non-NULL value means that a Vendor ID
payload will be generated (when acting as an initiator) or is payload will be generated (when acting as an initiator) or is
expected (when acting as a responder). " expected (when acting as a responder). "
::= { ipSecIkeAssociationEntry 10 } ::= { ipSecIkeAssociationEntry 10 }
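Review bot: the preshared key attribute (ipSecIkeAssociationEntry 9) carries an authentication secret, but its DESCRIPTION says only what the key is used for; it should state that the value is sensitive, needs the same handling as the device's other key material, and must only be provisioned over a protected COPS connection. Separately, the Vendor ID DESCRIPTION says "A value of NULL" disables the payload; an OCTET STRING has no NULL, so say "a zero-length string".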
skipping to change at line 2685 skipping to change at line 2764
"Specifies the group ID to be used for aggressive mode. This "Specifies the group ID to be used for aggressive mode. This
attribute is ignored unless the attribute attribute is ignored unless the attribute
ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
the value of this attribute is from the vendor-specific range the value of this attribute is from the vendor-specific range
(32768-65535), this attribute qualifies the group number." (32768-65535), this attribute qualifies the group number."
::= { ipSecIkeAssociationEntry 11 } ::= { ipSecIkeAssociationEntry 11 }
ipSecIkeAssociationLocalCredentialId OBJECT-TYPE ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialSetSetId } PIB-TAG { ipSecCredentialSetSetId }
Li, et al Expires August, 2002 48
IPsec Policy Information Base February, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates a group of credentials. One of the credentials in the "Indicates a group of credentials. One of the credentials in the
group MUST be used when establishing an IKE association with the group MUST be used when establishing an IKE association with the
peer endpoint." peer endpoint."
::= { ipSecIkeAssociationEntry 12 } ::= { ipSecIkeAssociationEntry 12 }
ipSecIkeAssociationDoActionLogging OBJECT-TYPE ipSecIkeAssociationDoActionLogging OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
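Review bot: the aggressive-mode group ID DESCRIPTION (ipSecIkeAssociationEntry 11) says a vendor-range value "qualifies the group number" without naming the attribute that holds that number; cross-reference ipSecIkeProposalIkeDhGroup explicitly, and state what an implementation does in aggressive mode when the proposals in the referenced set carry different ipSecIkeProposalIkeDhGroup values.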
skipping to change at line 2718 skipping to change at line 2793
DESCRIPTION DESCRIPTION
"Identifies a set of IKE proposals that is associated with this "Identifies a set of IKE proposals that is associated with this
IKE association." IKE association."
::= { ipSecIkeAssociationEntry 14 } ::= { ipSecIkeAssociationEntry 14 }
-- --
-- --
-- The ipSecIkeProposalSetTable -- The ipSecIkeProposalSetTable
-- --
Li, et al Expires February, 2003 49
IPsec Policy Information Base August, 2002
ipSecIkeProposalSetTable OBJECT-TYPE ipSecIkeProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE proposal sets. Proposals within a set are ORed with "Specifies IKE proposal sets. Proposals within a set are ORed with
preference order. " preference order. "
::= { ipSecIkeAssociation 4 } ::= { ipSecIkeAssociation 4 }
ipSecIkeProposalSetEntry OBJECT-TYPE ipSecIkeProposalSetEntry OBJECT-TYPE
skipping to change at line 2741 skipping to change at line 2820
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeProposalSetPrid } PIB-INDEX { ipSecIkeProposalSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalSetId,
ipSecIkeProposalSetProposalId, ipSecIkeProposalSetProposalId,
ipSecIkeProposalSetOrder ipSecIkeProposalSetOrder
} }
::= { ipSecIkeProposalSetTable 1 } ::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE { IpSecIkeProposalSetEntry ::= SEQUENCE {
Li, et al Expires August, 2002 49
IPsec Policy Information Base February, 2002
ipSecIkeProposalSetPrid InstanceId, ipSecIkeProposalSetPrid InstanceId,
ipSecIkeProposalSetProposalSetId TagId, ipSecIkeProposalSetProposalSetId TagId,
ipSecIkeProposalSetProposalId ReferenceId, ipSecIkeProposalSetProposalId ReferenceId,
ipSecIkeProposalSetOrder Unsigned16 ipSecIkeProposalSetOrder Unsigned16
} }
ipSecIkeProposalSetPrid OBJECT-TYPE ipSecIkeProposalSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
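Review bot: the UNIQUENESS clause of ipSecIkeProposalSetEntry lists ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalId and ipSecIkeProposalSetOrder together, which still allows the same proposal to appear twice in one set under two different orders, and two different proposals to share one order; if neither is intended, make UNIQUENESS { ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalId } and say in the Order DESCRIPTION whether ties are permitted.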
skipping to change at line 2774 skipping to change at line 2849
Each proposal belonging to the same set has the same Each proposal belonging to the same set has the same
ProposalSetId. " ProposalSetId. "
::= { ipSecIkeProposalSetEntry 2 } ::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecIkeProposalEntry } PIB-REFERENCES {ipSecIkeProposalEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecIkeProposalTable." "A pointer to a valid instance in the ipSecIkeProposalTable."
Li, et al Expires February, 2003 50
IPsec Policy Information Base August, 2002
::= { ipSecIkeProposalSetEntry 3 } ::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalSetOrder OBJECT-TYPE ipSecIkeProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecIkeProposalSetProposalId in a proposal set. The identified by ipSecIkeProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecIkeProposalSetProposalSetId. proposal set is identified by ipSecIkeProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A smaller Proposals within a set are ORed with preference order. A smaller
skipping to change at line 2797 skipping to change at line 2877
-- --
-- --
-- The ipSecIkeProposalTable -- The ipSecIkeProposalTable
-- --
ipSecIkeProposalTable OBJECT-TYPE ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry SYNTAX SEQUENCE OF IpSecIkeProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires August, 2002 50
IPsec Policy Information Base February, 2002
"Specifies IKE proposals." "Specifies IKE proposals."
::= { ipSecIkeAssociation 5 } ::= { ipSecIkeAssociation 5 }
ipSecIkeProposalEntry OBJECT-TYPE ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry SYNTAX IpSecIkeProposalEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeProposalPrid } PIB-INDEX { ipSecIkeProposalPrid }
UNIQUENESS { UNIQUENESS {
skipping to change at line 2830 skipping to change at line 2906
::= { ipSecIkeProposalTable 1 } ::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE { IpSecIkeProposalEntry ::= SEQUENCE {
ipSecIkeProposalPrid InstanceId, ipSecIkeProposalPrid InstanceId,
ipSecIkeProposalMaxLifetimeSeconds Unsigned32, ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
ipSecIkeProposalMaxLifetimeKilobytes Unsigned32, ipSecIkeProposalMaxLifetimeKilobytes Unsigned32,
ipSecIkeProposalCipherAlgorithm INTEGER, ipSecIkeProposalCipherAlgorithm INTEGER,
ipSecIkeProposalHashAlgorithm INTEGER, ipSecIkeProposalHashAlgorithm INTEGER,
ipSecIkeProposalAuthenticationMethod INTEGER, ipSecIkeProposalAuthenticationMethod INTEGER,
ipSecIkeProposalPrfAlgorithm Unsigned16, ipSecIkeProposalPrfAlgorithm Unsigned16,
Li, et al Expires February, 2003 51
IPsec Policy Information Base August, 2002
ipSecIkeProposalIkeDhGroup Unsigned16, ipSecIkeProposalIkeDhGroup Unsigned16,
ipSecIkeProposalVendorId OCTET STRING ipSecIkeProposalVendorId OCTET STRING
} }
ipSecIkeProposalPrid OBJECT-TYPE ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
skipping to change at line 2854 skipping to change at line 2935
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum amount of time to propose for a security "Specifies the maximum amount of time to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that the default of 8 hours be used. A A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime." non-zero value indicates the maximum seconds lifetime."
::= { ipSecIkeProposalEntry 2 } ::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
Li, et al Expires August, 2002 51
IPsec Policy Information Base February, 2002
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security "Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that there should be no maximum kilobyte A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte lifetime. A non-zero value specifies the desired kilobyte
lifetime." lifetime."
::= { ipSecIkeProposalEntry 3 } ::= { ipSecIkeProposalEntry 3 }
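Review bot: zero means different things in two sibling attributes: in ipSecIkeProposalMaxLifetimeSeconds it selects a default of 8 hours, in ipSecIkeProposalMaxLifetimeKilobytes it means no limit at all. That asymmetry is easy to misread in a provisioning tool; either give zero the same meaning in both and document the 8-hour default separately, or call out the difference explicitly in both DESCRIPTIONs.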
skipping to change at line 2887 skipping to change at line 2964
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE "Specifies the encryption algorithm to propose for the IKE
association." association."
::= { ipSecIkeProposalEntry 4 } ::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE ipSecIkeProposalHashAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
md5(1), md5(1),
Li, et al Expires February, 2003 52
IPsec Policy Information Base August, 2002
sha-1(2), sha-1(2),
tiger(3) tiger(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association." "Specifies the hash algorithm to propose for the IKE association."
::= { ipSecIkeProposalEntry 5 } ::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
skipping to change at line 2911 skipping to change at line 2993
revisedRsaEncryption(5), revisedRsaEncryption(5),
kerberos(6) kerberos(6)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the authentication method to propose for the IKE "Specifies the authentication method to propose for the IKE
association." association."
::= { ipSecIkeProposalEntry 6 } ::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
Li, et al Expires August, 2002 52
IPsec Policy Information Base February, 2002
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the Psuedo-Random Function (PRF) to propose for the IKE "Specifies the Psuedo-Random Function (PRF) to propose for the IKE
association." association."
::= { ipSecIkeProposalEntry 7 } ::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE ipSecIkeProposalIkeDhGroup OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
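Review bot: ipSecIkeProposalPrfAlgorithm and ipSecIkeProposalIkeDhGroup are bare Unsigned16 values with no statement of which registry their numbers are taken from, while the cipher and hash attributes of the same entry are closed INTEGER enumerations; each DESCRIPTION should name the registry the number refers to and say what 0 means, if anything. Also "Psuedo-Random" should read "Pseudo-Random".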
skipping to change at line 2943 skipping to change at line 3021
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Further qualifies the key exchange group. The property is "Further qualifies the key exchange group. The property is
ignored unless the exchange is not in aggressive mode and the ignored unless the exchange is not in aggressive mode and the
property GroupID is in the vendor-specific range." property GroupID is in the vendor-specific range."
::= { ipSecIkeProposalEntry 9 } ::= { ipSecIkeProposalEntry 9 }
-- --
-- --
-- The ipSecIkePeerEndpointTable -- The ipSecIkePeerEndpointTable
Li, et al Expires February, 2003 53
IPsec Policy Information Base August, 2002
-- --
ipSecIkePeerEndpointTable OBJECT-TYPE ipSecIkePeerEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE peer endpoints." "Specifies IKE peer endpoints."
::= { ipSecIkeAssociation 6 } ::= { ipSecIkeAssociation 6 }
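Review bot: "ignored unless the exchange is not in aggressive mode" (ipSecIkeProposalEntry 9) is a double negative; read together with ipSecIkeAssociationEntry 11, the intent appears to be that this qualifier applies in main and base mode while the association-level group ID applies in aggressive mode, so write "applies only when the exchange is not in aggressive mode". "the property GroupID" is not an attribute name in this table; refer to ipSecIkeProposalIkeDhGroup.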
skipping to change at line 2968 skipping to change at line 3051
PIB-INDEX { ipSecIkePeerEndpointPrid } PIB-INDEX { ipSecIkePeerEndpointPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkePeerEndpointIdentityType, ipSecIkePeerEndpointIdentityType,
ipSecIkePeerEndpointIdentityValue, ipSecIkePeerEndpointIdentityValue,
ipSecIkePeerEndpointAddressType, ipSecIkePeerEndpointAddressType,
ipSecIkePeerEndpointAddress, ipSecIkePeerEndpointAddress,
ipSecIkePeerEndpointCredentialSetId ipSecIkePeerEndpointCredentialSetId
} }
::= { ipSecIkePeerEndpointTable 1 } ::= { ipSecIkePeerEndpointTable 1 }
Li, et al Expires August, 2002 53
IPsec Policy Information Base February, 2002
IpSecIkePeerEndpointEntry ::= SEQUENCE { IpSecIkePeerEndpointEntry ::= SEQUENCE {
ipSecIkePeerEndpointPrid InstanceId, ipSecIkePeerEndpointPrid InstanceId,
ipSecIkePeerEndpointIdentityType INTEGER, ipSecIkePeerEndpointIdentityType INTEGER,
ipSecIkePeerEndpointIdentityValue OCTET STRING, ipSecIkePeerEndpointIdentityValue OCTET STRING,
ipSecIkePeerEndpointAddressType INTEGER, ipSecIkePeerEndpointAddressType INTEGER,
ipSecIkePeerEndpointAddress OCTET STRING, ipSecIkePeerEndpointAddress OCTET STRING,
ipSecIkePeerEndpointCredentialSetId TagReferenceId ipSecIkePeerEndpointCredentialSetId TagReferenceId
} }
ipSecIkePeerEndpointPrid OBJECT-TYPE ipSecIkePeerEndpointPrid OBJECT-TYPE
skipping to change at line 2999 skipping to change at line 3079
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4-Address(1), ipV4-Address(1),
fqdn(2), fqdn(2),
user-Fqdn(3), user-Fqdn(3),
ipV4-Subnet(4), ipV4-Subnet(4),
ipV6-Address(5), ipV6-Address(5),
ipV6-Subnet(6), ipV6-Subnet(6),
ipV4-Address-Range(7), ipV4-Address-Range(7),
ipV6-Address-Range(8), ipV6-Address-Range(8),
der-Asn1-DN(9), der-Asn1-DN(9),
Li, et al Expires February, 2003 54
IPsec Policy Information Base August, 2002
der-Asn1-GN(10), der-Asn1-GN(10),
key-Id(11) key-Id(11)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of identity that MUST be provided by the peer "Specifies the type of identity that MUST be provided by the peer
in the ID payload during IKE phase one negotiation." in the ID payload during IKE phase one negotiation."
::= { ipSecIkePeerEndpointEntry 2 } ::= { ipSecIkePeerEndpointEntry 2 }
ipSecIkePeerEndpointIdentityValue OBJECT-TYPE ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value to be matched with the ID payload provided by "Specifies the value to be matched with the ID payload provided by
the peer during IKE phase one negotiation. the peer during IKE phase one negotiation.
Different Wildcards wildcard mechanisms can be used as well as the Different Wildcards wildcard mechanisms can be used as well as the
prefix notation for IPv4 addresses depending on the ID payload: prefix notation for IPv4 addresses depending on the ID payload:
- an IdentityValue of "*@company.com" will match an user FQDN ID - an IdentityValue of *@company.com will match an user FQDN ID
payload of "JDOE@COMPANY.COM" payload of JDOE@COMPANY.COM
- an IdentityValue of "*.company.com" will match a FQDN ID payload
of "WWW.COMPANY.COM"
Li, et al Expires August, 2002 54 - an IdentityValue of *.company.com will match a FQDN ID payload
IPsec Policy Information Base February, 2002 of WWW.COMPANY.COM
- an IdentityValue of "cn=*,ou=engineering,o=company,c=us" will - an IdentityValue of cn=*,ou=engineering,o=company,c=us will
match a DER DN ID payload of "cn=John Doe, ou=engineering, match a DER DN ID payload of cn=John Doe, ou=engineering,
o=company, c=us" o=company, c=us
- an IdentityValue of "193.190.125.0/24" will match an IPv4 - an IdentityValue of 193.190.125.0/24 will match an IPv4 address
address ID payload of 193.190.125.10. ID payload of 193.190.125.10.
- an IdentityValue of "193.190.125.*" will also match an IPv4 - an IdentityValue of 193.190.125.* will also match an IPv4
address ID payload of 193.190.125.10. address ID payload of 193.190.125.10.
The above wildcard mechanisms MUST be supported for all ID The above wildcard mechanisms MUST be supported for all ID
payloads supported by the local IKE entity. The character "*" payloads supported by the local IKE entity. The character *
replaces 0 or multiple instances of any character." replaces 0 or multiple instances of any character."
::= { ipSecIkePeerEndpointEntry 3 } ::= { ipSecIkePeerEndpointEntry 3 }
ipSecIkePeerEndpointAddressType OBJECT-TYPE ipSecIkePeerEndpointAddressType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
ipV4(1), ipV4(1),
ipV6(2) ipV6(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE peer endpoint address type. This attribute MUST be "Specifies IKE peer endpoint address type. This attribute MUST be
ignored if ipSecIkeRuleAutoStart is false." ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkePeerEndpointEntry 4 } ::= { ipSecIkePeerEndpointEntry 4 }
ipSecIkePeerEndpointAddress OBJECT-TYPE ipSecIkePeerEndpointAddress OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
Li, et al Expires February, 2003 55
IPsec Policy Information Base August, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an endpoint address with which this PEP establishes IKE "Specifies an endpoint address with which this PEP establishes IKE
association. This attribute is used only when the IKE association association. This attribute is used only when the IKE association
is to be started automatically. Hence, this attribute MUST be is to be started automatically. Hence, this attribute MUST be
ignored if ipSecIkeRuleAutoStart is false." ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkePeerEndpointEntry 5 } ::= { ipSecIkePeerEndpointEntry 5 }
ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
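Review bot: dropping the double quotes around the example values in the ipSecIkePeerEndpointIdentityValue DESCRIPTION is the right fix, since a double quote inside an SMI/SPPI DESCRIPTION string terminates the literal and the -04 text would not have compiled. Two things remain: "Different Wildcards wildcard mechanisms" has a leftover word, and the examples (*@company.com matching JDOE@COMPANY.COM) imply case-insensitive comparison for FQDN and user-FQDN IDs without saying so; state the case-folding rule per ID type, because an implementation that compares bytewise will reject a peer the policy author meant to accept.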
skipping to change at line 3078 skipping to change at line 3165
"Identifies a set of credentials. Any one of the credentials in "Identifies a set of credentials. Any one of the credentials in
the set is acceptable as the IKE peer credential." the set is acceptable as the IKE peer credential."
::= { ipSecIkePeerEndpointEntry 6 } ::= { ipSecIkePeerEndpointEntry 6 }
-- --
-- --
-- The ipSecCredentialSetTable -- The ipSecCredentialSetTable
-- --
ipSecCredentialSetTable OBJECT-TYPE ipSecCredentialSetTable OBJECT-TYPE
Li, et al Expires August, 2002 55
IPsec Policy Information Base February, 2002
SYNTAX SEQUENCE OF IpSecCredentialSetEntry SYNTAX SEQUENCE OF IpSecCredentialSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies credential sets. "Specifies credential sets.
For IKE peer credentials, any one of the credentials in the set is For IKE peer credentials, any one of the credentials in the set is
acceptable as peer credential during IEK phase 1 negotiation. For acceptable as peer credential during IEK phase 1 negotiation. For
IKE local credentials, any one of the credentials in the set can IKE local credentials, any one of the credentials in the set can
be used in IKE phase 1 negotiation." be used in IKE phase 1 negotiation."
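Review bot: "IEK phase 1 negotiation" in the ipSecCredentialSetTable DESCRIPTION should read "IKE phase 1 negotiation".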
skipping to change at line 3111 skipping to change at line 3194
ipSecCredentialSetPrid, ipSecCredentialSetPrid,
ipSecCredentialSetSetId, ipSecCredentialSetSetId,
ipSecCredentialSetCredentialId ipSecCredentialSetCredentialId
} }
::= { ipSecCredentialSetTable 1 } ::= { ipSecCredentialSetTable 1 }
IpSecCredentialSetEntry ::= SEQUENCE { IpSecCredentialSetEntry ::= SEQUENCE {
ipSecCredentialSetPrid InstanceId, ipSecCredentialSetPrid InstanceId,
ipSecCredentialSetSetId TagId, ipSecCredentialSetSetId TagId,
ipSecCredentialSetCredentialId ReferenceId ipSecCredentialSetCredentialId ReferenceId
Li, et al Expires February, 2003 56
IPsec Policy Information Base August, 2002
} }
ipSecCredentialSetPrid OBJECT-TYPE ipSecCredentialSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCredentialSetEntry 1 } ::= { ipSecCredentialSetEntry 1 }
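Review bot: the UNIQUENESS clause of ipSecCredentialSetEntry includes ipSecCredentialSetPrid, which is already the PIB-INDEX and unique on its own, so the clause constrains nothing; the other set tables in this module (for example ipSecIkeProposalSetEntry) list only the non-index attributes, so drop the Prid here and keep { ipSecCredentialSetSetId, ipSecCredentialSetCredentialId }.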
skipping to change at line 3135 skipping to change at line 3223
"A credential set is composed of one or more credentials. Each "A credential set is composed of one or more credentials. Each
credential belonging to the same set has the same credential belonging to the same set has the same
CredentialSetId." CredentialSetId."
::= { ipSecCredentialSetEntry 2 } ::= { ipSecCredentialSetEntry 2 }
ipSecCredentialSetCredentialId OBJECT-TYPE ipSecCredentialSetCredentialId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecCredentialEntry } PIB-REFERENCES {ipSecCredentialEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires August, 2002 56
IPsec Policy Information Base February, 2002
"A pointer to a valid instance in the ipSecCredentialTable." "A pointer to a valid instance in the ipSecCredentialTable."
::= { ipSecCredentialSetEntry 3 } ::= { ipSecCredentialSetEntry 3 }
-- --
-- --
-- The ipSecCredentialTable -- The ipSecCredentialTable
-- --
ipSecCredentialTable OBJECT-TYPE ipSecCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialEntry SYNTAX SEQUENCE OF IpSecCredentialEntry
skipping to change at line 3168 skipping to change at line 3252
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecCredentialPrid } PIB-INDEX { ipSecCredentialPrid }
UNIQUENESS { UNIQUENESS {
ipSecCredentialCredentialType, ipSecCredentialCredentialType,
ipSecCredentialFieldsId, ipSecCredentialFieldsId,
ipSecCredentialCrlDistributionPoint ipSecCredentialCrlDistributionPoint
} }
::= { ipSecCredentialTable 1 } ::= { ipSecCredentialTable 1 }
Li, et al Expires February, 2003 57
IPsec Policy Information Base August, 2002
IpSecCredentialEntry ::= SEQUENCE { IpSecCredentialEntry ::= SEQUENCE {
ipSecCredentialPrid InstanceId, ipSecCredentialPrid InstanceId,
ipSecCredentialCredentialType INTEGER, ipSecCredentialCredentialType INTEGER,
ipSecCredentialFieldsId TagReferenceId, ipSecCredentialFieldsId TagReferenceId,
ipSecCredentialCrlDistributionPoint OCTET STRING ipSecCredentialCrlDistributionPoint OCTET STRING
} }
ipSecCredentialPrid OBJECT-TYPE ipSecCredentialPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
skipping to change at line 3191 skipping to change at line 3279
::= { ipSecCredentialEntry 1 } ::= { ipSecCredentialEntry 1 }
ipSecCredentialCredentialType OBJECT-TYPE ipSecCredentialCredentialType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
certificateX509(1), certificateX509(1),
kerberos-ticket(2) kerberos-ticket(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of credential to be matched." "Specifies the type of credential to be matched."
Li, et al Expires August, 2002 57
IPsec Policy Information Base February, 2002
::= { ipSecCredentialEntry 2 } ::= { ipSecCredentialEntry 2 }
ipSecCredentialFieldsId OBJECT-TYPE ipSecCredentialFieldsId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialFieldsSetId } PIB-TAG { ipSecCredentialFieldsSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies a group of matching criteria to be used for the peer "Identifies a group of matching criteria to be used for the peer
credential. The identified criteria MUST all be satisfied." credential. The identified criteria MUST all be satisfied."
::= { ipSecCredentialEntry 3 } ::= { ipSecCredentialEntry 3 }
skipping to change at line 3223 skipping to change at line 3307
::= { ipSecCredentialEntry 4 } ::= { ipSecCredentialEntry 4 }
-- --
-- --
-- The ipSecCredentialFieldsTable -- The ipSecCredentialFieldsTable
-- --
ipSecCredentialFieldsTable OBJECT-TYPE ipSecCredentialFieldsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
PIB-ACCESS install PIB-ACCESS install
Li, et al Expires February, 2003 58
IPsec Policy Information Base August, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies sets of credential sub-fields and their values to be "Specifies sets of credential sub-fields and their values to be
matched against. " matched against. "
::= { ipSecCredential 3 } ::= { ipSecCredential 3 }
ipSecCredentialFieldsEntry OBJECT-TYPE ipSecCredentialFieldsEntry OBJECT-TYPE
SYNTAX IpSecCredentialFieldsEntry SYNTAX IpSecCredentialFieldsEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 3247 skipping to change at line 3336
ipSecCredentialFieldsValue, ipSecCredentialFieldsValue,
ipSecCredentialFieldsSetId ipSecCredentialFieldsSetId
} }
::= { ipSecCredentialFieldsTable 1 } ::= { ipSecCredentialFieldsTable 1 }
IpSecCredentialFieldsEntry ::= SEQUENCE { IpSecCredentialFieldsEntry ::= SEQUENCE {
ipSecCredentialFieldsPrid InstanceId, ipSecCredentialFieldsPrid InstanceId,
ipSecCredentialFieldsName OCTET STRING, ipSecCredentialFieldsName OCTET STRING,
ipSecCredentialFieldsValue OCTET STRING, ipSecCredentialFieldsValue OCTET STRING,
ipSecCredentialFieldsSetId TagId ipSecCredentialFieldsSetId TagId
Li, et al Expires August, 2002 58
IPsec Policy Information Base February, 2002
} }
ipSecCredentialFieldsPrid OBJECT-TYPE ipSecCredentialFieldsPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCredentialFieldsEntry 1 } ::= { ipSecCredentialFieldsEntry 1 }
ipSecCredentialFieldsName OBJECT-TYPE ipSecCredentialFieldsName OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the sub-field of the credential to match with. This is "Specifies the sub-field of the credential to match with. This is
the string representation of a X.509 certificate attribute, e.g.: the string representation of a X.509 certificate attribute, e.g.
"serialNumber", "issuerName", "subjectName", etc.. serialNumber, issuerName, subjectName, etc."
"
::= { ipSecCredentialFieldsEntry 2 } ::= { ipSecCredentialFieldsEntry 2 }
ipSecCredentialFieldsValue OBJECT-TYPE ipSecCredentialFieldsValue OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value to match with for the sub-field identified by "Specifies the value to match with for the sub-field identified by
ipSecCredentialFieldsName. A wildcard mechanism can be used in the ipSecCredentialFieldsName. A wildcard mechanism can be used in the
Value string. E.g., if the Name is "subjectName" then a Value of Value string. E.g., if the Name is subjectName then a Value of
"cn=*,ou=engineering,o=foo,c=be" will match successfully a cn=*,ou=engineering,o=foo,c=be will match successfully a
certificate whose subject attribute is "cn=Jane Doe, certificate whose subject attribute is cn=Jane Doe,
ou=engineering, o=foo, c=be". The wildcard character '*' can be
used to represent 0 or several characters." Li, et al Expires February, 2003 59
IPsec Policy Information Base August, 2002
ou=engineering, o=foo, c=be. The wildcard character * can be used
to represent 0 or several characters."
::= { ipSecCredentialFieldsEntry 3 } ::= { ipSecCredentialFieldsEntry 3 }
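The ipSecIkePeerEndpointIdentityValue DESCRIPTION earlier and the ipSecCredentialFieldsValue DESCRIPTION just above describe one matching mechanism: a "*" that stands for zero or more characters, plus prefix notation for IPv4 identities, with every criterion in a credential-fields set having to hold. The following Python is an added example written for this page, not code from the draft or from any implementation of it. The function names are hypothetical; treating DNs in their string form, comparing FQDN and user-FQDN identities case-insensitively (which the draft's own JDOE@COMPANY.COM example implies), and the sample certificate fields are all assumptions.

```python
"""Matcher for the '*' wildcard and IPv4 prefix rules of the IPsec PIB's
ipSecIkePeerEndpointIdentityValue and ipSecCredentialFieldsValue.
Added example; not code from the draft. Assumptions are marked in comments."""
import ipaddress
import re

# Identity type codes from the ipSecIkePeerEndpointIdentityType enumeration.
IPV4_ADDRESS = 1
FQDN = 2
USER_FQDN = 3
DER_ASN1_DN = 9


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' stands for zero or more of any character; everything else is literal.
    Literal parts are escaped so a '.' in a name or address cannot match any
    character, and the pattern is anchored so the whole value must be consumed."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return wildcard_to_regex(pattern).match(value) is not None


def normalize_dn(dn: str) -> str:
    """Canonical form of a string DN: no blanks around RDNs, lower case.
    Assumption: DNs are compared in string form; a DER-encoded ID payload or
    certificate name would first be decoded to that form."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def match_ipv4_identity(pattern: str, address: str) -> bool:
    """IPv4 IDs accept prefix notation (193.190.125.0/24) or a wildcard
    (193.190.125.*). A payload that is not a well-formed address never matches."""
    try:
        addr = ipaddress.IPv4Address(address)
    except ValueError:
        return False
    if "/" in pattern:
        try:
            return addr in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False  # malformed policy value: fail closed
    return wildcard_match(pattern, str(addr), ignore_case=False)


def match_ike_identity(id_type: int, pattern: str, payload: str) -> bool:
    """Does the peer's ID payload satisfy the configured IdentityValue?"""
    if id_type == IPV4_ADDRESS:
        return match_ipv4_identity(pattern, payload)
    if id_type in (FQDN, USER_FQDN):
        # Assumption: DNS-based names compare case-insensitively, as the
        # draft's example (*@company.com vs JDOE@COMPANY.COM) implies.
        return wildcard_match(pattern, payload, ignore_case=True)
    if id_type == DER_ASN1_DN:
        return wildcard_match(normalize_dn(pattern), normalize_dn(payload), ignore_case=False)
    # Remaining ID types: plain octet-string comparison with '*' support.
    return wildcard_match(pattern, payload, ignore_case=False)


def credential_fields_match(criteria: dict, certificate: dict) -> bool:
    """One ipSecCredentialFields set: every (Name, Value) criterion must hold.
    `criteria` maps ipSecCredentialFieldsName to ipSecCredentialFieldsValue;
    `certificate` maps the same names to the values in the peer's certificate."""
    dn_fields = {"subjectName", "issuerName"}
    for name, pattern in criteria.items():
        actual = certificate.get(name)
        if actual is None:
            return False  # a missing sub-field cannot satisfy a criterion
        if name in dn_fields:
            ok = wildcard_match(normalize_dn(pattern), normalize_dn(actual), ignore_case=False)
        else:
            ok = wildcard_match(pattern, actual, ignore_case=False)
        if not ok:
            return False
    return True


# Constructed sample certificate fields (not taken from the draft).
SAMPLE_CERT = {
    "subjectName": "cn=Jane Doe, ou=engineering, o=foo, c=be",
    "issuerName": "cn=Foo Root CA, o=foo, c=be",
    "serialNumber": "0123",
}


def run_examples() -> dict:
    """The draft's own examples plus negative cases; returns name -> bool."""
    return {
        "user_fqdn": match_ike_identity(USER_FQDN, "*@company.com", "JDOE@COMPANY.COM"),
        "fqdn": match_ike_identity(FQDN, "*.company.com", "WWW.COMPANY.COM"),
        "dn": match_ike_identity(DER_ASN1_DN, "cn=*,ou=engineering,o=company,c=us",
                                 "cn=John Doe, ou=engineering, o=company, c=us"),
        "prefix": match_ike_identity(IPV4_ADDRESS, "193.190.125.0/24", "193.190.125.10"),
        "ipv4_wild": match_ike_identity(IPV4_ADDRESS, "193.190.125.*", "193.190.125.10"),
        # The anchored pattern must not accept a name that merely contains the suffix.
        "fqdn_longer": match_ike_identity(FQDN, "*.company.com", "www.company.com.example.net"),
        "prefix_outside": match_ike_identity(IPV4_ADDRESS, "193.190.125.0/24", "193.190.126.10"),
        "cert_ok": credential_fields_match({"subjectName": "cn=*,ou=engineering,o=foo,c=be"}, SAMPLE_CERT),
        "cert_and": credential_fields_match(
            {"subjectName": "cn=*,ou=engineering,o=foo,c=be", "issuerName": "cn=Other CA,*"}, SAMPLE_CERT),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

The regex is anchored at both ends, so *.company.com accepts WWW.COMPANY.COM but not www.company.com.example.net; the draft's rule lets "*" replace zero or more characters anywhere, so a value such as *company.com would also accept othercompany.com, which is why the separator belongs after the wildcard in a policy. The IPv4 path parses the payload before matching so a value that is not a well-formed address fails closed, and a malformed prefix in the policy itself is treated as a non-match rather than raising.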
ipSecCredentialFieldsSetId OBJECT-TYPE ipSecCredentialFieldsSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the set this criteria belongs to. All criteria within a "Specifies the set this criteria belongs to. All criteria within a
set MUST all be satisfied." set MUST all be satisfied."
::= { ipSecCredentialFieldsEntry 4 } ::= { ipSecCredentialFieldsEntry 4 }
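Review bot: the -05 text correctly removes the nested double quotes from the ipSecCredentialFieldsName and ipSecCredentialFieldsValue DESCRIPTIONs (and the stray lone quote line after "etc.."), since in -04 the inner quotes ended the SMI string literal early. Still missing: ipSecCredentialFieldsName lists only X.509 attribute names (serialNumber, issuerName, subjectName) while ipSecCredentialCredentialType also allows kerberos-ticket(2); state which sub-field names are valid for a Kerberos credential, or say that field matching is defined only for certificateX509(1). The wildcard rule should also say whether the value comparison is case-sensitive.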
skipping to change at line 3303 skipping to change at line 3392
-- --
-- The ipSecSelectorSetTable -- The ipSecSelectorSetTable
-- --
ipSecSelectorSetTable OBJECT-TYPE ipSecSelectorSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSelectorSetEntry SYNTAX SEQUENCE OF IpSecSelectorSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec selector sets." "Specifies IPsec selector sets."
Li, et al Expires August, 2002 59
IPsec Policy Information Base February, 2002
::= { ipSecSelector 1 } ::= { ipSecSelector 1 }
ipSecSelectorSetEntry OBJECT-TYPE ipSecSelectorSetEntry OBJECT-TYPE
SYNTAX IpSecSelectorSetEntry SYNTAX IpSecSelectorSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecSelectorSetPrid } PIB-INDEX { ipSecSelectorSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecSelectorSetSelectorSetId, ipSecSelectorSetSelectorSetId,
skipping to change at line 3337 skipping to change at line 3422
} }
ipSecSelectorSetPrid OBJECT-TYPE ipSecSelectorSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecSelectorSetEntry 1 } ::= { ipSecSelectorSetEntry 1 }
Li, et al Expires February, 2003 60
IPsec Policy Information Base August, 2002
ipSecSelectorSetSelectorSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPsec selector set is composed of one or more IPsec selectors.
        Each selector belonging to the same set has the same
        SelectorSetId."
    ::= { ipSecSelectorSetEntry 2 }

ipSecSelectorSetSelectorId OBJECT-TYPE

        "A pointer to a valid instance in another table that describes
        selectors. To use selectors defined in this IPsec PIB module, this
        attribute MUST point to an instance in ipSecSelectorTable. This
        attribute may also point to an instance in a selector or filter
        table defined in other PIB modules."
    ::= { ipSecSelectorSetEntry 3 }

ipSecSelectorSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the selectors
        identified by ipSecSelectorId within a selector set. The selector
        set is identified by ipSecSelectorSetId. A smaller integer value
        indicates a higher preference. All selectors constructed from the
        instance pointed by ipSecSelectorId have the same order."
    ::= { ipSecSelectorSetEntry 4 }

--
--

    STATUS current
    DESCRIPTION
        "Specifies IPsec selectors. Each row in the selector table
        represents multiple selectors. These selectors are obtained as
        follows:
        1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
        addresses from the ipSecAddressTable whose ipSecAddressGroupId
        matches the ipSecSelectorSrcAddressGroupId.
        2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
        addresses from the ipSecAddressTable whose ipSecAddressGroupId
        matches the ipSecSelectorDstAddressGroupId.
        3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
        or ranges of port whose ipSecL4PortGroupId matches the
        ipSecSelectorSrcPortGroupId.
        4. Substitute the ipSecSelectorDstPortGroupId with all the ports
        or ranges of port whose ipSecL4PortGroupId matches the

        The relative order of the selectors constructed from a single row
        is unspecified. "
    ::= { ipSecSelector 2 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX IpSecSelectorEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecSelectorPrid }
    UNIQUENESS {
        ipSecSelectorSrcAddressGroupId,
        ipSecSelectorSrcPortGroupId,
        ipSecSelectorDstAddressGroupId,
        ipSecSelectorDstPortGroupId,
        ipSecSelectorProtocol,
        ipSecSelectorDscp,
        ipSecSelectorFlowLabel
    }

        ipSecSelectorDstPortGroupId TagReferenceId,
        ipSecSelectorProtocol INTEGER,
        ipSecSelectorDscp INTEGER,
        ipSecSelectorFlowLabel OCTET STRING
    }

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecAddressGroupId }
    STATUS current
    DESCRIPTION
        "Indicates source addresses. All addresses in ipSecAddressTable

    ::= { ipSecSelectorEntry 2 }

ipSecSelectorSrcPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecL4PortGroupId }
    STATUS current
    DESCRIPTION
        "Indicates source layer 4 port numbers. All ports in ipSecL4Port
        whose ipSecL4PortGroupId matches this value are included.
        A value of zero indicates wildcard port, i.e., any port number
        matches."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecAddressGroupId }
    STATUS current
    DESCRIPTION
        "Indicates destination addresses. All addresses in

    SYNTAX TagReferenceId
    PIB-TAG { ipSecL4PortGroupId }
    STATUS current
    DESCRIPTION
        "Indicates destination layer 4 port numbers. All ports in
        ipSecL4Port whose ipSecL4PortGroupId matches this value are
        included.
        A value of zero indicates wildcard port, i.e., any port number
        matches."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorProtocol OBJECT-TYPE
    SYNTAX INTEGER (0..255)
    STATUS current
    DESCRIPTION
        "Specifies IP protocol to match against a packet's protocol. A
        value of zero indicates wildcard protocol, i.e., any protocol
        matches."
    ::= { ipSecSelectorEntry 6 }

    STATUS current
    DESCRIPTION
        "Specifies the DSCP value to match against the DSCP in a packet
        header. A value of -1 indicates match all."
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorFlowLabel OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the Flow Label to match against the Flow Label field in
        the IPv6 header of a packet. This attribute MUST be a zero length
        OCTET STRING when specifying selectors for IPv4 packets."
    ::= { ipSecSelectorEntry 8 }
--
--
-- The ipSecAddressTable
--

        ipSecAddressAddrMask MUST be specified. "
    ::= { ipSecSelector 3 }

ipSecAddressEntry OBJECT-TYPE
    SYNTAX IpSecAddressEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAddressPrid }
    UNIQUENESS {
        ipSecAddressAddressType,
        ipSecAddressAddrMask,
        ipSecAddressAddrMin,
        ipSecAddressAddrMax,
        ipSecAddressGroupId
    }
    ::= { ipSecAddressTable 1 }

IpSecAddressEntry ::= SEQUENCE {
        ipSecAddressPrid InstanceId,

        ipSecAddressAddrMax OCTET STRING,
        ipSecAddressGroupId TagId
    }

ipSecAddressPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAddressEntry 1 }

ipSecAddressAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),

ipSecAddressAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the IP address. A zero bit in the mask
        means that the corresponding bit in the address always matches.
        This attribute MUST be ignored when ipSecAddressAddressType is not
        of IPv4 or IPv6 type."
    ::= { ipSecAddressEntry 3 }

ipSecAddressAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies an IP address. "
    ::= { ipSecAddressEntry 4 }

ipSecAddressAddrMax OBJECT-TYPE

        "If a range of addresses is used then this specifies the ending
        address. The type of this address must be the same as the
        ipSecAddressAddrMin.
        If no range is specified then this attribute MUST be a zero length
        OCTET STRING."
    ::= { ipSecAddressEntry 5 }

ipSecAddressGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this IP address, address range or subnet
        address belongs to."
    ::= { ipSecAddressEntry 6 }

--
--
-- The ipSecL4PortTable
--

ipSecL4PortEntry OBJECT-TYPE
    SYNTAX IpSecL4PortEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecL4PortPrid }
    UNIQUENESS {
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    ::= { ipSecL4PortTable 1 }

IpSecL4PortEntry ::= SEQUENCE {
        ipSecL4PortPrid InstanceId,
        ipSecL4PortPortMin Unsigned16,
        ipSecL4PortPortMax Unsigned16,
        ipSecL4PortGroupId TagId
    }

    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecL4PortEntry 1 }

ipSecL4PortPortMin OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies a layer 4 port or the first layer 4 port number of a
        range of ports. The value of this attribute must be equal or less
        than that of ipSecL4PortPortMax.
        A value of zero indicates any port matches."
    ::= { ipSecL4PortEntry 2 }

ipSecL4PortPortMax OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current

    STATUS current
    DESCRIPTION
        "Specifies the group this port or port range belongs to."
    ::= { ipSecL4PortEntry 4 }
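The expansion procedure given for ipSecSelectorTable (steps 1 to 4), the mask and range rules of ipSecAddressTable, and the zero-means-any-port rule of ipSecL4PortTable, as an added worked example in Python; it is not code from the draft or from any PIB implementation. Rows are plain dicts keyed by the draft's attribute names; the ADDRESS_TABLE, PORT_TABLE and SAMPLE_SELECTOR rows and the packets are constructed for the example. The excerpt does not say how ipSecAddressAddrMask combines with an address range, so the example applies the mask only when ipSecAddressAddrMax is empty and otherwise treats AddrMin..AddrMax as an inclusive range; the flow label is compared only when the selector carries one.

```python
from itertools import product

# Constructed ipSecAddressTable rows. Addresses and masks are raw octet
# strings as the PIB carries them; an empty AddrMax means "no range".
ADDRESS_TABLE = [
    {"ipSecAddressAddressType": 4,                       # ipV4-Subnet 10.1.2.0/24
     "ipSecAddressAddrMask": bytes([255, 255, 255, 0]),
     "ipSecAddressAddrMin": bytes([10, 1, 2, 0]),
     "ipSecAddressAddrMax": b"",
     "ipSecAddressGroupId": 1},
    {"ipSecAddressAddressType": 1,                       # ipV4-Address range 192.0.2.10-20
     "ipSecAddressAddrMask": bytes([255, 255, 255, 255]),
     "ipSecAddressAddrMin": bytes([192, 0, 2, 10]),
     "ipSecAddressAddrMax": bytes([192, 0, 2, 20]),
     "ipSecAddressGroupId": 2},
]

# Constructed ipSecL4PortTable rows: group 7 is {443} plus {8000..8100}.
PORT_TABLE = [
    {"ipSecL4PortPortMin": 443, "ipSecL4PortPortMax": 443, "ipSecL4PortGroupId": 7},
    {"ipSecL4PortPortMin": 8000, "ipSecL4PortPortMax": 8100, "ipSecL4PortGroupId": 7},
]

# Constructed ipSecSelectorTable row: TCP from 10.1.2.0/24 (any source port)
# to 192.0.2.10-20 on the group-7 ports, any DSCP, IPv4 so no flow label.
SAMPLE_SELECTOR = {
    "ipSecSelectorSrcAddressGroupId": 1,
    "ipSecSelectorSrcPortGroupId": 0,       # 0 = wildcard port
    "ipSecSelectorDstAddressGroupId": 2,
    "ipSecSelectorDstPortGroupId": 7,
    "ipSecSelectorProtocol": 6,             # 0 would be wildcard protocol
    "ipSecSelectorDscp": -1,                # -1 = match all
    "ipSecSelectorFlowLabel": b"",          # MUST be empty for IPv4 selectors
}


def address_entry_matches(entry: dict, addr: bytes) -> bool:
    """Non-empty AddrMax: inclusive range AddrMin..AddrMax. Otherwise compare
    under AddrMask, where a zero mask bit always matches. Equal-length
    big-endian octet strings compare lexicographically, i.e. numerically."""
    lo = entry["ipSecAddressAddrMin"]
    if len(addr) != len(lo):
        return False                        # different address family
    if entry["ipSecAddressAddrMax"]:
        return lo <= addr <= entry["ipSecAddressAddrMax"]
    mask = entry["ipSecAddressAddrMask"]
    return all((a & m) == (b & m) for a, b, m in zip(addr, lo, mask))


def port_entry_matches(entry: dict, port: int) -> bool:
    """ipSecL4PortPortMin of zero means any port matches."""
    if entry["ipSecL4PortPortMin"] == 0:
        return True
    return entry["ipSecL4PortPortMin"] <= port <= entry["ipSecL4PortPortMax"]


def rows_in_group(table: list, key: str, group_id: int) -> list:
    """Rows whose group tag equals group_id. A tag of 0 is the draft's
    wildcard, represented as a single None so the cross product is not empty."""
    if group_id == 0:
        return [None]
    return [row for row in table if row[key] == group_id]


def expand_selector(sel: dict) -> list:
    """Steps 1-4: substitute each group id with the rows carrying it and take
    the cross product. The draft leaves the order of the result unspecified."""
    return list(product(
        rows_in_group(ADDRESS_TABLE, "ipSecAddressGroupId", sel["ipSecSelectorSrcAddressGroupId"]),
        rows_in_group(PORT_TABLE, "ipSecL4PortGroupId", sel["ipSecSelectorSrcPortGroupId"]),
        rows_in_group(ADDRESS_TABLE, "ipSecAddressGroupId", sel["ipSecSelectorDstAddressGroupId"]),
        rows_in_group(PORT_TABLE, "ipSecL4PortGroupId", sel["ipSecSelectorDstPortGroupId"]),
    ))


def concrete_matches(concrete: tuple, sel: dict, pkt: dict) -> bool:
    """One expanded (src addr, src port, dst addr, dst port) tuple, plus the
    row's own protocol, DSCP and flow label, against one packet."""
    src_a, src_p, dst_a, dst_p = concrete
    return ((src_a is None or address_entry_matches(src_a, pkt["src"]))
            and (src_p is None or port_entry_matches(src_p, pkt["sport"]))
            and (dst_a is None or address_entry_matches(dst_a, pkt["dst"]))
            and (dst_p is None or port_entry_matches(dst_p, pkt["dport"]))
            and sel["ipSecSelectorProtocol"] in (0, pkt["proto"])
            and sel["ipSecSelectorDscp"] in (-1, pkt["dscp"])
            and sel["ipSecSelectorFlowLabel"] in (b"", pkt.get("flow_label", b"")))


def selector_matches(sel: dict, pkt: dict) -> bool:
    """A row matches a packet if any selector it expands to matches."""
    return any(concrete_matches(c, sel, pkt) for c in expand_selector(sel))


def packet(src: str, sport: int, dst: str, dport: int, proto: int = 6, dscp: int = 0) -> dict:
    """Constructed packet 5-tuple; addresses are given as dotted quads."""
    octets = lambda s: bytes(int(x) for x in s.split("."))
    return {"src": octets(src), "sport": sport, "dst": octets(dst),
            "dport": dport, "proto": proto, "dscp": dscp}


if __name__ == "__main__":
    print(len(expand_selector(SAMPLE_SELECTOR)), "concrete selectors")
    print(selector_matches(SAMPLE_SELECTOR, packet("10.1.2.55", 51234, "192.0.2.15", 443)))
```

A wildcard group contributes one element to the cross product rather than none, so a row with every group id set to 0 still expands to exactly one match-everything selector instead of silently matching nothing; an address entry is only compared against a packet address of the same length, so an IPv4 entry never matches an IPv6 packet by accident.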
--
--
-- The ipSecIpsoFilterSetTable
--

ipSecIpsoFilterSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPSO filter sets."
    ::= { ipSecSelector 5 }

ipSecIpsoFilterSetEntry OBJECT-TYPE
    SYNTAX IpSecIpsoFilterSetEntry

    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIpsoFilterSetPrid }
    UNIQUENESS {
        ipSecIpsoFilterSetFilterSetId,
        ipSecIpsoFilterSetFilterId,
        ipSecIpsoFilterSetOrder
    }
    ::= { ipSecIpsoFilterSetTable 1 }

IpSecIpsoFilterSetEntry ::= SEQUENCE {
        ipSecIpsoFilterSetPrid InstanceId,
        ipSecIpsoFilterSetFilterSetId TagId,
        ipSecIpsoFilterSetFilterId ReferenceId,
        ipSecIpsoFilterSetOrder Unsigned16
    }

ipSecIpsoFilterSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current

    ::= { ipSecIpsoFilterSetEntry 2 }

ipSecIpsoFilterSetFilterId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIpsoFilterEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecIpsoFilterTable."
    ::= { ipSecIpsoFilterSetEntry 3 }

ipSecIpsoFilterSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the filter
        identified by ipSecIpsoFilterSetFilterId within a filter set. The
        filter set is identified by ipSecIpsoFilterSetFilterSetId. A
        smaller integer value indicates a higher preference."
    ::= { ipSecIpsoFilterSetEntry 4 }

--
-- The ipSecIpsoFilterTable
--

ipSecIpsoFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPSO filters."
    ::= { ipSecSelector 6 }

ipSecIpsoFilterEntry OBJECT-TYPE
    SYNTAX IpSecIpsoFilterEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIpsoFilterPrid }
    UNIQUENESS {
        ipSecIpsoFilterMatchConditionType,

ipSecIpsoFilterPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIpsoFilterEntry 1 }

ipSecIpsoFilterMatchConditionType OBJECT-TYPE
    SYNTAX INTEGER {
        classificationLevel(1),
        protectionAuthority(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the IPSO header field to be matched."
    ::= { ipSecIpsoFilterEntry 2 }

ipSecIpsoFilterClassificationLevel OBJECT-TYPE

        confidential(150),
        unclassified(171)
    }
    STATUS current
    DESCRIPTION
        "Specifies the value for classification level to be matched
        against. This attribute MUST be ignored if
        ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)."
    ::= { ipSecIpsoFilterEntry 3 }

ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
    SYNTAX INTEGER {
        genser(0),
        siop-esi(1),
        sci(2),
        nsa(3),
        doe(4)
    }
    STATUS current
    DESCRIPTION

--

ipSecRuleTimePeriodTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies the time periods during which a policy rule is valid.
        The values of the first five attributes in a row are ANDed
        together to determine the validity period(s). If any of the five
        attributes is not present, it is treated as having value always
        enabled. "
    ::= { ipSecPolicyTimePeriod 1 }

ipSecRuleTimePeriodEntry OBJECT-TYPE
    SYNTAX IpSecRuleTimePeriodEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecRuleTimePeriodPrid }

        ipSecRuleTimePeriodMonthOfYearMask,
        ipSecRuleTimePeriodDayOfMonthMask,
        ipSecRuleTimePeriodDayOfWeekMask,
        ipSecRuleTimePeriodTimeOfDayMask,
        ipSecRuleTimePeriodLocalOrUtcTime
    }
    ::= { ipSecRuleTimePeriodTable 1 }

IpSecRuleTimePeriodEntry ::= SEQUENCE {
        ipSecRuleTimePeriodPrid InstanceId,
        ipSecRuleTimePeriodTimePeriod OCTET STRING,
        ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
        ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
        ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
        ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
        ipSecRuleTimePeriodLocalOrUtcTime INTEGER
    }

ipSecRuleTimePeriodPrid OBJECT-TYPE
    SYNTAX InstanceId

        representing a starting date and time, in which the character 'T'
        indicates the beginning of the time portion, followed by the
        solidus character '/', followed by a similar string representing
        an end date and time. The first date indicates the beginning of
        the range, while the second date indicates the end. Thus, the
        second date and time must be later than the first. Date/times are
        expressed as substrings of the form yyyymmddThhmmss.
        There are also two special cases:
        - If the first date/time is replaced with the string
        THISANDPRIOR, then the property indicates that a policy rule is
        valid [from now] until the date/time that appears after the '/'.
        - If the second date/time is replaced with the string
        THISANDFUTURE, then the property indicates that a policy rule
        becomes valid on the date/time that appears before the '/', and
        remains valid from that point on.
        "
    ::= { ipSecRuleTimePeriodEntry 2 }

    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "An octet string that specifies which months the policy is valid
        for. The octet string is structured as follows:
        - a 4-octet length field, indicating the length of the entire
        octet string; this field is always set to 0x00000006 for this
        property;
        - a 2-octet field consisting of 12 bits identifying the 12 months
        of the year, beginning with January and ending with December,
        followed by 4 bits that are always set to '0'. For each month,
        the value '1' indicates that the policy is valid for that month,
        and the value '0' indicates that it is not valid.
        If this property is omitted, then the policy rule is treated as
        valid for all twelve months."
    ::= { ipSecRuleTimePeriodEntry 3 }

        - an 8-octet field consisting of 31 bits identifying the days of
        the month counting from the beginning, followed by 31 more bits
        identifying the days of the month counting from the end, followed
        by 2 bits that are always set to '0'. For each day, the value '1'
        indicates that the policy is valid for that day, and the value '0'
        indicates that it is not valid.
        For months with fewer than 31 days, the digits corresponding to
        days that the months do not have (counting in both directions) are
        ignored.
        "
    ::= { ipSecRuleTimePeriodEntry 4 }

ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "An octet string that specifies which days of the week the policy
        is valid for. The octet string is structured as follows:

        property;
        - a 1-octet field consisting of 7 bits identifying the 7 days of
        the week, beginning with Sunday and ending with Saturday, followed
        by 1 bit that is always set to '0'. For each day of the week, the
        value '1' indicates that the policy is valid for that day, and the
        value '0' indicates that it is not valid.
        "
    ::= { ipSecRuleTimePeriodEntry 5 }

ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "An octet string that specifies a range of times in a day the
        policy is valid for. It is formatted as follows:
        A time string beginning with the character 'T', followed by the
        solidus character '/', followed by a second time string. The
        first time indicates the beginning of the range, while the second

ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
    SYNTAX INTEGER {
        localTime(1),
        utcTime(2)
    }
    STATUS current
    DESCRIPTION
        "This property indicates whether the times represented in this
        table represent local times or UTC times. There is no provision
        for mixing of local times and UTC times: the value of this
        property applies to all of the other time-related properties."
    ::= { ipSecRuleTimePeriodEntry 7 }
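The ipSecRuleTimePeriodTable encodings described above (the yyyymmddThhmmss start/end string with its THISANDPRIOR and THISANDFUTURE cases, the length-prefixed month, day-of-month and day-of-week bit masks, the 'T'-prefixed time-of-day range, and the ANDing of the five attributes with absent ones always enabled), as an added worked example in Python; it is not code from the draft. Several details are not visible in this excerpt and are assumptions of the example: the length fields of the day-of-week and day-of-month masks are taken as 4 + 1 = 5 and 4 + 8 = 12 octets by analogy with the month mask, the time-of-day strings are taken as Thhmmss, a day of the month is treated as valid if its bit is set counting from either end, and a time-of-day range whose end precedes its start is read as wrapping past midnight. The BUSINESS_HOURS row and the dates checked are constructed.

```python
import calendar
from datetime import datetime, timezone

DATE_TIME = "%Y%m%dT%H%M%S"    # yyyymmddThhmmss, as in ipSecRuleTimePeriodTimePeriod


def month_of_year_mask(months) -> bytes:
    """4-octet length 0x00000006, then 12 bits (January = most significant)
    followed by 4 zero bits."""
    bits = sum(1 << (15 - (m - 1)) for m in months)
    return (6).to_bytes(4, "big") + bits.to_bytes(2, "big")


def day_of_week_mask(days) -> bytes:
    """days: 0 = Sunday .. 6 = Saturday; 7 bits then 1 zero bit.
    Length field of 5 is this example's assumption (not in the excerpt)."""
    bits = sum(1 << (7 - d) for d in days)
    return (5).to_bytes(4, "big") + bytes([bits])


def day_of_month_mask(from_start=(), from_end=()) -> bytes:
    """31 bits counted from the start, 31 counted from the end, 2 zero bits.
    Length field of 12 is this example's assumption (not in the excerpt)."""
    bits = 0
    for d in from_start:
        bits |= 1 << (63 - (d - 1))
    for d in from_end:
        bits |= 1 << (63 - 31 - (d - 1))
    return (12).to_bytes(4, "big") + bits.to_bytes(8, "big")


def _payload(mask: bytes, expected: int) -> bytes:
    """Reject a mask whose length prefix disagrees with its actual length
    before any bit is read from it."""
    if len(mask) != expected or int.from_bytes(mask[:4], "big") != expected:
        raise ValueError("mask length field does not match its octet string")
    return mask[4:]


def _bit(payload: bytes, index: int) -> bool:
    """Bit `index`, counted from the most significant bit of the first octet."""
    return bool(payload[index // 8] & (0x80 >> (index % 8)))


def month_valid(mask: bytes, dt: datetime) -> bool:
    return _bit(_payload(mask, 6), dt.month - 1)


def day_of_week_valid(mask: bytes, dt: datetime) -> bool:
    return _bit(_payload(mask, 5), (dt.weekday() + 1) % 7)   # Python: Monday = 0


def day_of_month_valid(mask: bytes, dt: datetime) -> bool:
    """Valid if the day's bit is set counting from either end (assumption);
    bits for days the month does not have are never consulted."""
    p = _payload(mask, 12)
    days_in_month = calendar.monthrange(dt.year, dt.month)[1]
    return _bit(p, dt.day - 1) or _bit(p, 31 + (days_in_month - dt.day))


def time_period_valid(period: str, dt: datetime) -> bool:
    """'start/end', where start may be THISANDPRIOR and end THISANDFUTURE."""
    start, end = period.split("/")
    if start != "THISANDPRIOR" and dt < datetime.strptime(start, DATE_TIME):
        return False
    if end != "THISANDFUTURE" and dt > datetime.strptime(end, DATE_TIME):
        return False
    return True


def time_of_day_valid(spec: str, dt: datetime) -> bool:
    """'Thhmmss/Thhmmss'; an end before the start wraps past midnight (assumption)."""
    first, second = (datetime.strptime(s, "T%H%M%S").time() for s in spec.split("/"))
    t = dt.time()
    return first <= t <= second if first <= second else (t >= first or t <= second)


def rule_valid_at(entry: dict, when: datetime) -> bool:
    """AND of the five attributes; an absent attribute (None) is always
    enabled. utcTime(2) converts an aware datetime to UTC first."""
    if entry.get("ipSecRuleTimePeriodLocalOrUtcTime") == 2 and when.tzinfo is not None:
        when = when.astimezone(timezone.utc)
    when = when.replace(tzinfo=None)
    checks = (("ipSecRuleTimePeriodTimePeriod", time_period_valid),
              ("ipSecRuleTimePeriodMonthOfYearMask", month_valid),
              ("ipSecRuleTimePeriodDayOfMonthMask", day_of_month_valid),
              ("ipSecRuleTimePeriodDayOfWeekMask", day_of_week_valid),
              ("ipSecRuleTimePeriodTimeOfDayMask", time_of_day_valid))
    return all(entry.get(k) is None or f(entry[k], when) for k, f in checks)


# Constructed row: weekdays 08:00-18:00 UTC from 1 August 2002 onward.
BUSINESS_HOURS = {
    "ipSecRuleTimePeriodTimePeriod": "20020801T000000/THISANDFUTURE",
    "ipSecRuleTimePeriodMonthOfYearMask": month_of_year_mask(range(1, 13)),
    "ipSecRuleTimePeriodDayOfMonthMask": None,            # omitted = every day
    "ipSecRuleTimePeriodDayOfWeekMask": day_of_week_mask([1, 2, 3, 4, 5]),
    "ipSecRuleTimePeriodTimeOfDayMask": "T080000/T180000",
    "ipSecRuleTimePeriodLocalOrUtcTime": 2,               # utcTime
}


def business_hours_at(y: int, m: int, d: int, hh: int, mm: int) -> bool:
    """Evaluate BUSINESS_HOURS at a UTC wall-clock time."""
    return rule_valid_at(BUSINESS_HOURS, datetime(y, m, d, hh, mm, tzinfo=timezone.utc))


def day_of_month_valid_on(mask: bytes, y: int, m: int, d: int) -> bool:
    return day_of_month_valid(mask, datetime(y, m, d))
```

The length prefix is checked against the real octet-string length before any bit is indexed, so a truncated or padded mask installed through COPS-PR is rejected rather than being read as a silently different set of days.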
-- --
-- --
-- The ipSecRuleTimePeriodSetTable -- The ipSecRuleTimePeriodSetTable
-- --
ipSecRuleTimePeriodSetTable OBJECT-TYPE ipSecRuleTimePeriodSetTable OBJECT-TYPE
skipping to change at line 4085 skipping to change at line 4188
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies time period sets. The ipSecRuleTimePeriodTable can "Specifies time period sets. The ipSecRuleTimePeriodTable can
specify only a single time period within a day. This table enables specify only a single time period within a day. This table enables
the specification of multiple time periods within a day by the specification of multiple time periods within a day by
grouping them into one set. " grouping them into one set. "
::= { ipSecPolicyTimePeriod 2 } ::= { ipSecPolicyTimePeriod 2 }
ipSecRuleTimePeriodSetEntry OBJECT-TYPE ipSecRuleTimePeriodSetEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodSetEntry SYNTAX IpSecRuleTimePeriodSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecRuleTimePeriodSetPrid }
UNIQUENESS {
ipSecRuleTimePeriodSetRuleTimePeriodSetId,
ipSecRuleTimePeriodSetRuleTimePeriodId
}
::= { ipSecRuleTimePeriodSetTable 1 }
[...]
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 }
ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An integer that uniquely identifies an ipSecRuleTimePeriod set."
::= { ipSecRuleTimePeriodSetEntry 2 }
ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecRuleTimePeriodEntry }
STATUS current
DESCRIPTION
"An integer that identifies an ipSecRuleTimePeriod, specified by
ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
included in this set."
::= { ipSecRuleTimePeriodSetEntry 3 }
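A scheduling check built on the two tables above, added here as an illustration and not code from the draft: it models ipSecRuleTimePeriodTable and ipSecRuleTimePeriodSetTable rows, treats a set as the union of its member periods, reads each period's mask against the clock selected by ipSecRuleTimePeriodLocalOrUtcTime, and rejects a set entry whose ReferenceId points at no period. The draft's description of the time string is cut off in this view, so the 'Thhmmss/Thhmmss' format and its midnight wraparound are assumed from PCIM (RFC 3060); the sample rows and the device's local offset are constructed.

```python
"""Decide whether an IPsec rule bound to an ipSecRuleTimePeriodSet is in effect.

Added example modelled on the PIB tables; not code from the draft.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Iterable, Tuple

# ipSecRuleTimePeriodLocalOrUtcTime enumeration from the draft
LOCAL_TIME = 1
UTC_TIME = 2


@dataclass(frozen=True)
class TimePeriodRow:
    """One ipSecRuleTimePeriodTable entry (only the attributes used here)."""
    prid: int              # ipSecRuleTimePeriodPrid (InstanceId)
    time_of_day_mask: str  # ipSecRuleTimePeriodTimeOfDayMask, 'Thhmmss/Thhmmss'
    local_or_utc: int      # ipSecRuleTimePeriodLocalOrUtcTime


@dataclass(frozen=True)
class TimePeriodSetRow:
    """One ipSecRuleTimePeriodSetTable entry: set id -> member period."""
    set_id: int          # ipSecRuleTimePeriodSetRuleTimePeriodSetId (TagId)
    time_period_id: int  # ipSecRuleTimePeriodSetRuleTimePeriodId (ReferenceId)


# Assumption: the elided part of the draft's format follows PCIM (RFC 3060),
# where each time string is 'Thhmmss' and a second time smaller than the
# first means the range wraps past midnight (e.g. 'T210000/T080000').
_TOD_RE = re.compile(r"T(\d{2})(\d{2})(\d{2})/T(\d{2})(\d{2})(\d{2})")


def parse_time_of_day_mask(mask: str) -> Tuple[time, time]:
    """Parse 'Thhmmss/Thhmmss' into (start, end); reject malformed values."""
    m = _TOD_RE.fullmatch(mask)
    if m is None:
        raise ValueError(f"malformed TimeOfDayMask: {mask!r}")
    h1, m1, s1, h2, m2, s2 = (int(g) for g in m.groups())
    # time() itself raises ValueError for out-of-range fields such as hour 25
    return time(h1, m1, s1), time(h2, m2, s2)


def period_matches(row: TimePeriodRow, now: datetime, local_tz: timezone) -> bool:
    """True if the aware datetime 'now' falls inside this period's time of day.

    The row's LocalOrUtcTime flag decides which clock the mask is read against;
    an unknown enumeration value is an error rather than a silent default.
    """
    if row.local_or_utc == UTC_TIME:
        clock = now.astimezone(timezone.utc)
    elif row.local_or_utc == LOCAL_TIME:
        clock = now.astimezone(local_tz)
    else:
        raise ValueError(f"unknown LocalOrUtcTime value {row.local_or_utc}")
    start, end = parse_time_of_day_mask(row.time_of_day_mask)
    t = clock.time().replace(microsecond=0)
    # Half-open interval [start, end): the draft does not state inclusivity,
    # so this is the example's choice. A wrapped range is two half-open pieces.
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def rule_in_effect(set_id: int, set_rows: Iterable[TimePeriodSetRow],
                   period_rows: Iterable[TimePeriodRow], now: datetime,
                   local_tz: timezone) -> bool:
    """A rule whose time period group id names set_id is active when any member
    period matches. A member whose ReferenceId names no ipSecRuleTimePeriodTable
    entry is a provisioning error, not 'never active'."""
    by_prid = {r.prid: r for r in period_rows}
    members = [r for r in set_rows if r.set_id == set_id]
    if not members:
        raise LookupError(f"time period set {set_id} has no members")
    for member in members:
        period = by_prid.get(member.time_period_id)
        if period is None:
            raise LookupError(f"set {set_id} references missing period "
                              f"PRID {member.time_period_id}")
        if period_matches(period, now, local_tz):
            return True
    return False


# Constructed sample rows: local business hours plus a UTC maintenance window
# that wraps past midnight, both grouped into set 10.
LOCAL_TZ = timezone(timedelta(hours=2))  # device's local offset, constructed
PERIODS = [
    TimePeriodRow(prid=1, time_of_day_mask="T080000/T180000", local_or_utc=LOCAL_TIME),
    TimePeriodRow(prid=2, time_of_day_mask="T230000/T010000", local_or_utc=UTC_TIME),
]
SET_ROWS = [
    TimePeriodSetRow(set_id=10, time_period_id=1),
    TimePeriodSetRow(set_id=10, time_period_id=2),
]

if __name__ == "__main__":
    for hour in (7, 19, 23):
        when = datetime(2002, 8, 15, hour, 30, tzinfo=timezone.utc)
        print(when.isoformat(), rule_in_effect(10, SET_ROWS, PERIODS, when, LOCAL_TZ))
```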
[...]
-- The ipSecIfCapsTable
--
ipSecIfCapsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIfCapsEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
"Specifies capabilities that may be associated with an interface
of a specific type. The instances of this table are referenced by
the frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-PIB]."
::= { ipSecIfCapability 1 }
ipSecIfCapsEntry OBJECT-TYPE
SYNTAX IpSecIfCapsEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIfCapsPrid }
[...]
ipSecIfCapsMaxIpSecActions Unsigned16,
ipSecIfCapsMaxIkeActions Unsigned16
}
ipSecIfCapsPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIfCapsEntry 1 }
ipSecIfCapsDirection OBJECT-TYPE
SYNTAX INTEGER {
in(1),
out(2),
bi-directional(3)
}
STATUS current
DESCRIPTION
[...]
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the maximum number of actions an IPsec action set may
contain. IPsec action sets are specified by the
ipSecActionSetTable.
A value of zero indicates that there is no maximum limit."
::= { ipSecIfCapsEntry 3 }
ipSecIfCapsMaxIkeActions OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies the maximum number of actions an IKE action set may
contain. IKE action sets are specified by the
ipSecIkeActionSetTable.
A value of zero indicates that there is no maximum limit."
::= { ipSecIfCapsEntry 4 }
[...]
ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
IPsecPibCompilance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance statement"
MODULE -- this module
MANDATORY-GROUPS {
ipSecRuleGroup,
ipSecActionSetGroup,
ipSecStaticActionGroup,
ipSecNegotiationActionGroup,
ipSecAssociationGroup,
ipSecProposalSetGroup,
ipSecProposalGroup,
ipSecAhTransformSetGroup,
ipSecAhTransformGroup,
ipSecEspTransformSetGroup,
[...]
ipSecIkeAssociationGroup,
ipSecIkeProposalSetGroup,
ipSecIkeProposalGroup,
ipSecIkePeerEndpointGroup,
ipSecCredentialSetGroup,
ipSecCredentialGroup,
ipSecCredentialFieldsGroup,
ipSecSelectorSetGroup,
ipSecSelectorGroup,
ipSecAddressGroup,
ipSecL4PortGroup,
ipSecIfCapsGroup
}
GROUP ipSecIkeRuleGroup
DESCRIPTION
"This group is mandatory if any of the following is supported: 1)
multiple IKE phase one actions (e.g., with different exchange
modes) are associated with an IPsec rule. These actions are to be
tried in sequence until one succeeds; 2) IKE phase one actions that
[...]
GROUP ipSecIpsoFilterSetGroup
DESCRIPTION
"This group is mandatory if IPSO filter is supported."
GROUP ipSecIpsoFilterGroup
DESCRIPTION
"This group is mandatory if IPSO filter is supported."
GROUP ipSecRuleTimePeriodGroup
DESCRIPTION
"This group is mandatory if policy scheduling is supported."
GROUP ipSecRuleTimePeriodSetGroup
DESCRIPTION
"This group is mandatory if policy scheduling is supported."
OBJECT ipSecRuleipSecIpsoFilterSetId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
[...]
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecRuleAutoStart
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecRuleIpSecRuleTimePeriodGroupId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecActionSetDoActionLogging
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecActionSetDoPacketLogging
PIB-MIN-ACCESS not-accessible
[...]
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecAssociationIdleDurationSeconds
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecAssociationVendorId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecAssociationUseKeyExchangeGroup
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecAssociationGranularity
PIB-MIN-ACCESS not-accessible
[...]
OBJECT ipSecAhTransformUseReplayPrevention
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecAhTransformReplayPreventionWindowSize
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecAhTransformVendorId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecEspTransformCipherKeyRounds
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
[...]
OBJECT ipSecEspTransformReplayPreventionWindowSize
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecEspTransformVendorId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecCompTransformDictionarySize
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecCompTransformPrivateAlgorithm
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
[...]
"Support of this attribute is optional"
OBJECT ipSecIkeAssociationMinLifetimeSeconds
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkeAssociationMinLifetimeKilobytes
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkeAssociationIdleDurationSeconds
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkeAssociationPresharedKey
PIB-MIN-ACCESS not-accessible
DESCRIPTION
[...]
"Support of this attribute is optional"
OBJECT ipSecIkeAssociationLocalCredentialId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkeAssociationDoActionLogging
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkeProposalPrfAlgorithm
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkeProposalVendorId
PIB-MIN-ACCESS not-accessible
DESCRIPTION
[...]
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIkePeerEndpointAddress
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecIfCapsMaxIkeActions
PIB-MIN-ACCESS not-accessible
DESCRIPTION
"Support of this attribute is optional"
OBJECT ipSecRuleActionExecutionStrategy
SYNTAX INTEGER {
doAll(1)
}
DESCRIPTION
"Support of doUntilSuccess(2) is not required"
[...]
::= { ipSecPolicyPibConformanceCompliances 1 }
ipSecRuleGroup OBJECT-GROUP
OBJECTS {
ipSecRuleIfName,
ipSecRuleRoles,
ipSecRuleDirection,
ipSecRuleIpSecSelectorSetId,
ipSecRuleipSecIpsoFilterSetId,
ipSecRuleIpSecActionSetId,
ipSecRuleActionExecutionStrategy,
ipSecRuleOrder,
ipSecRuleLimitNegotiation,
ipSecRuleAutoStart,
ipSecRuleIpSecRuleTimePeriodGroupId
}
STATUS current
DESCRIPTION
"Objects from the ipSecRuleTable."
[...]
OBJECTS {
ipSecActionSetActionSetId,
ipSecActionSetActionId,
ipSecActionSetDoActionLogging,
ipSecActionSetDoPacketLogging,
ipSecActionSetOrder
}
STATUS current
DESCRIPTION
"Objects from the ipSecActionSetTable."
::= { ipSecPolicyPibConformanceGroups 2 }
ipSecStaticActionGroup OBJECT-GROUP
OBJECTS {
ipSecStaticActionAction,
ipSecStaticActionTunnelEndpointId,
ipSecStaticActionDfHandling,
ipSecStaticActionSpi,
ipSecStaticActionLifetimeSeconds,
ipSecStaticActionLifetimeKilobytes,
[...]
ipSecNegotiationActionTunnelEndpointId,
ipSecNegotiationActionDfHandling,
ipSecNegotiationActionIpSecSecurityAssociationId,
ipSecNegotiationActionKeyExchangeId
}
STATUS current
DESCRIPTION
"Objects from the ipSecNegotiationActionTable."
::= { ipSecPolicyPibConformanceGroups 4 }
ipSecAssociationGroup OBJECT-GROUP
OBJECTS {
ipSecAssociationMinLifetimeSeconds,
ipSecAssociationMinLifetimeKilobytes,
ipSecAssociationIdleDurationSeconds,
ipSecAssociationUsePfs,
ipSecAssociationVendorId,
ipSecAssociationUseKeyExchangeGroup,
ipSecAssociationDhGroup,
ipSecAssociationGranularity,
[...]
DESCRIPTION
"Objects from the ipSecAssociationTable."
::= { ipSecPolicyPibConformanceGroups 5 }
ipSecProposalSetGroup OBJECT-GROUP
OBJECTS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
STATUS current
DESCRIPTION
"Objects from the ipSecProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 6 }
ipSecProposalGroup OBJECT-GROUP
OBJECTS {
ipSecProposalEspTransformSetId,
ipSecProposalAhTransformSetId,
ipSecProposalCompTransformSetId
[...]
ipSecAhTransformSetOrder
}
STATUS current
DESCRIPTION
"Objects from the ipSecAhTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 8 }
ipSecAhTransformGroup OBJECT-GROUP
OBJECTS {
ipSecAhTransformTransformId,
ipSecAhTransformIntegrityKey,
ipSecAhTransformUseReplayPrevention,
ipSecAhTransformReplayPreventionWindowSize,
ipSecAhTransformVendorId,
ipSecAhTransformMaxLifetimeSeconds,
ipSecAhTransformMaxLifetimeKilobytes
}
STATUS current
DESCRIPTION
"Objects from the ipSecAhTransformTable."
[...]
OBJECTS {
ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder
}
STATUS current
DESCRIPTION
"Objects from the ipSecEspTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 10 }
ipSecEspTransformGroup OBJECT-GROUP
OBJECTS {
ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId,
ipSecEspTransformIntegrityKey,
ipSecEspTransformCipherKey,
ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength,
ipSecEspTransformUseReplayPrevention,
ipSecEspTransformReplayPreventionWindowSize,
[...]
OBJECTS {
ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder
}
STATUS current
DESCRIPTION
"Objects from the ipSecCompTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 12 }
ipSecCompTransformGroup OBJECT-GROUP
OBJECTS {
ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm,
ipSecCompTransformVendorId,
ipSecCompTransformMaxLifetimeSeconds,
ipSecCompTransformMaxLifetimeKilobytes
}
STATUS current
[...]
ipSecIkeRuleGroup OBJECT-GROUP
OBJECTS {
ipSecIkeRuleIfName,
ipSecIkeRuleRoles,
ipSecIkeRuleIkeActionSetId,
ipSecIkeRuleActionExecutionStrategy,
ipSecIkeRuleLimitNegotiation,
ipSecIkeRuleAutoStart,
ipSecIkeRuleIpSecRuleTimePeriodGroupId
}
STATUS current
DESCRIPTION
"Objects from the ipSecIkeRuleTable."
::= { ipSecPolicyPibConformanceGroups 14 }
ipSecIkeActionSetGroup OBJECT-GROUP
OBJECTS {
ipSecIkeActionSetActionSetId,
ipSecIkeActionSetActionId,
[...]
ipSecIkeAssociationMinLifetimeKilobytes,
ipSecIkeAssociationIdleDurationSeconds,
ipSecIkeAssociationExchangeMode,
ipSecIkeAssociationUseIkeIdentityType,
ipSecIkeAssociationUseIkeIdentityValue,
ipSecIkeAssociationIkePeerEndpoint,
ipSecIkeAssociationPresharedKey,
ipSecIkeAssociationVendorId,
ipSecIkeAssociationAggressiveModeGroupId,
ipSecIkeAssociationLocalCredentialId,
ipSecIkeAssociationDoActionLogging,
ipSecIkeAssociationIkeProposalSetId
}
STATUS current
DESCRIPTION
"Objects from the ipSecIkeAssociationTable."
::= { ipSecPolicyPibConformanceGroups 16 }
ipSecIkeProposalSetGroup OBJECT-GROUP
OBJECTS {
[...]
}
STATUS current
DESCRIPTION
"Objects from the ipSecIkeProposalSetTable."
::= { ipSecPolicyPibConformanceGroups 17 }
ipSecIkeProposalGroup OBJECT-GROUP
OBJECTS {
ipSecIkeProposalMaxLifetimeSeconds,
ipSecIkeProposalMaxLifetimeKilobytes,
ipSecIkeProposalCipherAlgorithm,
ipSecIkeProposalHashAlgorithm,
ipSecIkeProposalAuthenticationMethod,
ipSecIkeProposalPrfAlgorithm,
ipSecIkeProposalIkeDhGroup,
ipSecIkeProposalVendorId
}
STATUS current
DESCRIPTION
"Objects from the ipSecIkeProposalTable."
[...]
STATUS current
DESCRIPTION
"Objects from the ipSecIkePeerEndpointTable."
::= { ipSecPolicyPibConformanceGroups 19 }
ipSecCredentialSetGroup OBJECT-GROUP
OBJECTS {
ipSecCredentialSetSetId,
ipSecCredentialSetCredentialId
}
STATUS current
DESCRIPTION
"Objects from the ipSecCredentialSetTable."
::= { ipSecPolicyPibConformanceGroups 20 }
ipSecCredentialGroup OBJECT-GROUP
OBJECTS {
ipSecCredentialCredentialType,
ipSecCredentialFieldsId,
ipSecCredentialCrlDistributionPoint
[...]
"Objects from the ipSecCredentialTable."
::= { ipSecPolicyPibConformanceGroups 21 }
ipSecCredentialFieldsGroup OBJECT-GROUP
OBJECTS {
ipSecCredentialFieldsName,
ipSecCredentialFieldsValue,
ipSecCredentialFieldsSetId
}
STATUS current
DESCRIPTION
"Objects from the ipSecCredentialFieldsTable."
::= { ipSecPolicyPibConformanceGroups 22 }
ipSecSelectorSetGroup OBJECT-GROUP
OBJECTS {
ipSecSelectorSetSelectorSetId,
ipSecSelectorSetSelectorId,
ipSecSelectorSetOrder
}
[...]
ipSecSelectorDstPortGroupId,
ipSecSelectorProtocol,
ipSecSelectorDscp,
ipSecSelectorFlowLabel
}
STATUS current
DESCRIPTION
"Objects from the ipSecSelectorTable."
::= { ipSecPolicyPibConformanceGroups 24 }
ipSecAddressGroup OBJECT-GROUP
OBJECTS {
ipSecAddressAddressType,
ipSecAddressAddrMask,
ipSecAddressAddrMin,
ipSecAddressAddrMax,
ipSecAddressGroupId
}
STATUS current
DESCRIPTION
skipping to change at line 4879 skipping to change at line 4994
    OBJECTS {
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecL4PortTable."
    ::= { ipSecPolicyPibConformanceGroups 26 }
ipSecIpsoFilterSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterSetFilterSetId,
        ipSecIpsoFilterSetFilterId,
        ipSecIpsoFilterSetOrder
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIpsoFilterSetTable."
    ::= { ipSecPolicyPibConformanceGroups 27 }
skipping to change at line 4911 (-04) / line 5023 (-05)
        "Objects from the ipSecIpsoFilterTable."
    ::= { ipSecPolicyPibConformanceGroups 28 }

ipSecRuleTimePeriodGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodTimePeriod,
        ipSecRuleTimePeriodMonthOfYearMask,
        ipSecRuleTimePeriodDayOfMonthMask,
        ipSecRuleTimePeriodDayOfWeekMask,
        ipSecRuleTimePeriodTimeOfDayMask,
        ipSecRuleTimePeriodLocalOrUtcTime
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecRuleTimePeriodTable."
    ::= { ipSecPolicyPibConformanceGroups 29 }

ipSecRuleTimePeriodSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodSetRuleTimePeriodSetId,
skipping to change at line 4934 (-04) / line 5051 (-05)
    DESCRIPTION
        "Objects from the ipSecRuleTimePeriodSetTable."
    ::= { ipSecPolicyPibConformanceGroups 30 }

ipSecIfCapsGroup OBJECT-GROUP
    OBJECTS {
        ipSecIfCapsDirection,
        ipSecIfCapsMaxIpSecActions,
        ipSecIfCapsMaxIkeActions
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIfCapsTable."
    ::= { ipSecPolicyPibConformanceGroups 31 }

END
6. Security Considerations

   draft-ietf-ipsp-ipsecpib-04.txt:

   Since COPS is used to carry the PIB defined in this document, the
   security and protection of the information can be provided by
   either COPS or a combination of COPS and other security protocols,
   e.g., IPsec or TLS.

   draft-ietf-ipsp-ipsecpib-05.txt:

   The authentication and integrity of configuration information is of
   utmost importance to the security of a network. Administrators
   SHOULD carefully consider the potential threat environment involving
   PDP and PEP data exchange. At a minimum, PDPs and PEPs SHOULD
   authenticate one another and SHOULD use a transport protocol that
   supports data integrity and authentication. Administrators SHOULD
   also carefully consider the importance of confidentiality of their
   configuration information, because it may reveal private or
   confidential information about customer access, business
   relationships, etc. If these are concerns to the organization, then
   confidentiality SHOULD be used to transport the information.
7. References

   1. S. Bradner, "The Internet Standards Process -- Revision 3", BCP 9,
      RFC 2026, October 1996.

   2. S. Bradner, "Key words for use in RFCs to Indicate Requirement
      Levels", BCP 14, RFC 2119, March 1997.

   3. S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
      November 1998.

   4. F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling Core
      Object Specification (iCalendar)", RFC 2445, November 1998.

   5. J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry,
      "The COPS (Common Open Policy Service) Protocol", RFC 2748,
      January 2000.
skipping to change at line 4990 (-04) / line 5114 (-05)
   9. M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A. Smith,
      F. Reichmeyer, "Framework Policy Information Base",
      draft-ietf-rap-frameworkpib-06.txt, November 2001.

   10. D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC
       2409, November 1998.

   11. A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
       Compression Protocol (IPComp)", RFC 2393, August 1998.

   12. J. Jason, L. Rafalow, E. Vyncke, "IPsec Configuration Policy
       Model", draft-ietf-ipsp-config-policy-model-04.txt, November 2001.

   13. B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
       Model -- Version 1 Specification", RFC 3060, February 2000.

   14. K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A. Smith,
       F. Reichmeyer, "Structure of Policy Provisioning Information",
       RFC 3159, August 2001.
skipping to change at line 5015 (-04) / line 5136 (-05)
   Man Li
   Nokia
   5 Wayside Road,
   Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   David Arneson
   Email: dla@mediaone.net

   Avri Doria
   Div. of Computer Communications
   Lulea University of Technology
   SE-971 87
   Lulea, Sweden
   Phone: +46 920 49 3030
   Email: avri@sm.luth.se

   Jamie Jason
   Intel Corporation
skipping to change at line 5045 (-04) / line 5170 (-05)
   Phone: +1 614 923 6241
   Email: CWang@smartpipes.com

   Markus Stenberg
   SSH Communications Security Corp.
   Fredrikinkatu 42
   FIN-00100 Helsinki, Finland
   Phone: +358 20 500 7466
   Email: markus.stenberg@ssh.com

9. Full Copyright Statement
   "Copyright (C) The Internet Society (date). All Rights Reserved.

   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared,
   copied, published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright notice
   and this paragraph are included on all such copies and derivative
   works. However, this document itself may not be modified in any
   way, such as by removing the copyright notice or references to the
   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into.
Table of Contents

   draft-ietf-ipsp-ipsecpib-04.txt:

   1. Introduction 2
   2. Operation Overview 2
   3. Structure of IPsec PIB 3
   3.1 IPsec association group 3
   3.2 AH, ESP and COMP transform groups 5
   3.3 IKE association group 5
   3.4 Credential group 6
   3.5 Selector group 6
   3.6 Policy time period group 7
   3.7 Interface capability group 7
   4. Summary of the IPsec PIB 8
   4.1 ipSecAssociation group 8
   4.1.1 ipSecRuleTable 8
   4.1.2 ipSecActionSetTable 8
   4.1.3 ipSecStaticActionTable 8
   4.1.4 ipSecNegotiationActionTable 8
   4.1.5 ipSecAssociationTable 8
   4.1.6 ipSecProposalSetTable 8
   4.1.7 ipSecProposalTable 8
   4.2 ipSecAhTransform group 8
   4.2.1 ipSecAhTransformSetTable 8
   4.2.2 ipSecAhTransformTable 8
   4.3 ipSecEspTransform group 8
   4.3.1 ipSecEspTransformSetTable 8
   4.3.2 ipSecEspTransformTable 8
   4.4 ipSecCompTransform group 9
   4.4.1 ipSecCompTransformSetTable 9
   4.4.2 ipSecCompTransformTable 9
   4.5 ipSecIkeAssociation group 9
   4.5.1 ipSecIkeRuleTable 9
   4.5.2 ipSecIkeActionSetTable 9
   4.5.3 ipSecIkeAssociationTable 9
   4.5.4 ipSecIkeProposalSetTable 9
   4.5.5 ipSecIkeProposalTable 9
   4.5.6 ipSecIkePeerEndpointTable 9
   4.6 ipSecCredential group 9
   4.6.1 ipSecCredentialSetTable 9
   4.6.2 ipSecCredentialTable 9
   4.6.3 ipSecCredentialFieldsTable 9
   4.7 ipSecSelector group 9
   4.7.1 ipSecSelectorSetTable 9
   4.7.2 ipSecSelectorTable 9
   4.7.3 ipSecAddressTable 10
   4.7.4 ipSecL4PortTable 10
   4.7.5 ipSecIpsoFilterSetTable 10
   4.7.6 ipSecIpsoFilterTable 10
   4.8 ipSecPolicyTimePeriod group 10
   4.8.1 ipSecRuleTimePeriodTable 10
   4.8.2 ipSecRuleTimePeriodSetTable 10
   4.9 ipSecIfCapability group 10
   4.9.1 ipSecIfCapsTable 10
   4.10 ipSecPolicyPibConformance group 10
   5. The IPsec PIB Module 10
   6. Security Considerations 89
   7. References 89
   8. Author's Addresses 90

   draft-ietf-ipsp-ipsecpib-05.txt:

   1. Introduction.......................................................2
   2. Operation Overview.................................................2
   3. Structure of IPsec PIB.............................................3
   3.1 IPsec association group...........................................3
   3.1.1 IPsec rules.....................................................3
   3.1.2 IPsec actions...................................................4
   3.1.3 IPsec associations..............................................5
   3.1.4 IPsec proposals.................................................5
   3.2 AH transform group................................................5
   3.3 ESP transform group...............................................5
   3.4 COMP transform group..............................................5
   3.5 IKE association group.............................................5
   3.6 Credential group..................................................6
   3.7 Selector group....................................................7
   3.8 Policy time period group..........................................8
   3.9 Interface capability group........................................8
   4. Summary of the IPsec PIB...........................................8
   4.1 ipSecAssociation group............................................8
   4.1.1 ipSecRuleTable..................................................8
   4.1.2 ipSecActionSetTable.............................................8
   4.1.3 ipSecStaticActionTable..........................................8
   4.1.4 ipSecNegotiationActionTable.....................................8
   4.1.5 ipSecAssociationTable...........................................8
   4.1.6 ipSecProposalSetTable...........................................8
   4.1.7 ipSecProposalTable..............................................9
   4.2 ipSecAhTransform group............................................9
   4.2.1 ipSecAhTransformSetTable........................................9
   4.2.2 ipSecAhTransformTable...........................................9
   4.3 ipSecEspTransform group...........................................9
   4.3.1 ipSecEspTransformSetTable.......................................9
   4.3.2 ipSecEspTransformTable..........................................9
   4.4 ipSecCompTransform group..........................................9
   4.4.1 ipSecCompTransformSetTable......................................9
   4.4.2 ipSecCompTransformTable.........................................9
   4.5 ipSecIkeAssociation group.........................................9
   4.5.1 ipSecIkeRuleTable...............................................9
   4.5.2 ipSecIkeActionSetTable..........................................9
   4.5.3 ipSecIkeAssociationTable........................................9
   4.5.4 ipSecIkeProposalSetTable........................................9
   4.5.5 ipSecIkeProposalTable...........................................9
   4.5.6 ipSecIkePeerEndpointTable.......................................9
   4.6 ipSecCredential group............................................10
   4.6.1 ipSecCredentialSetTable........................................10
   4.6.2 ipSecCredentialTable...........................................10
   4.6.3 ipSecCredentialFieldsTable.....................................10
   4.7 ipSecSelector group..............................................10
   4.7.1 ipSecSelectorSetTable..........................................10
   4.7.2 ipSecSelectorTable.............................................10
   4.7.3 ipSecAddressTable..............................................10
   4.7.4 ipSecL4PortTable...............................................10
   4.7.5 ipSecIpsoFilterSetTable........................................10
   4.7.6 ipSecIpsoFilterTable...........................................10
   4.8 ipSecPolicyTimePeriod group......................................10
   4.8.1 ipSecRuleTimePeriodTable.......................................10
   4.8.2 ipSecRuleTimePeriodSetTable....................................10
   4.9 ipSecIfCapability group..........................................10
   4.9.1 ipSecIfCapsTable...............................................10
   4.10 ipSecPolicyPibConformance group.................................10
   5. The IPsec PIB Module..............................................11
   6. Security Considerations...........................................89
   7. References........................................................89
   8. Author's Addresses................................................90
   9. Full Copyright Statement..........................................91