draft-ietf-ipsp-ipsecpib-07.txt   draft-ietf-ipsp-ipsecpib-08.txt

ipsp working group                                            Man Li
Internet Draft                                                 Nokia
Expires Dec 2003                                       David Arneson
                                                                 N/A
                                                          Avri Doria
                                                                 LTU
                                                         Jamie Jason
                                                               Intel
                                                          Cliff Wang
                                                           SmartPipe
                                                     Markus Stenberg
                                                                 SSH
                                                            May 2003

                   IPsec Policy Information Base
                   draft-ietf-ipsp-ipsecpib-08.txt
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright (C) The Internet Society (2003). All Rights Reserved.

Distribution of this memo is unlimited.

Abstract

This document describes a portion of the Policy Information Base
(PIB) for a device implementing the IP Security Architecture. The
provisioning classes defined here provide control of IPsec policy.
These provisioning classes can be used with other non-IPsec
provisioning classes (defined in other PIB modules) to provide for a
comprehensive policy controlled mapping of service requirement to
device capability and usage.

Li, et al                Expires December 2003                     1

IPsec Policy Information Base                               May 2003
Table of Contents
1. Introduction.......................................................3
2. Operation Overview.................................................3
3. Structure of IPsec PIB.............................................4
3.1 IPsec association group...........................................4
3.1.1 IPsec rules.....................................................4
3.1.2 IPsec actions...................................................5
3.1.3 IPsec associations..............................................6
3.1.4 IPsec proposals.................................................6
3.2 AH transform group................................................6
3.3 ESP transform group...............................................6
3.4 COMP transform group..............................................7
3.5 IKE association group.............................................7
3.6 Credential group..................................................8
3.7 Selector group....................................................8
3.8 Policy time period group..........................................9
3.9 Interface capability group........................................9
4. Summary of the IPsec PIB...........................................9
4.1 ipSecAssociation group............................................9
4.1.1 ipSecRuleTable..................................................9
4.1.2 ipSecActionSetTable............................................10
4.1.3 ipSecStaticActionTable.........................................10
4.1.4 ipSecNegotiationActionTable....................................10
4.1.5 ipSecAssociationTable..........................................10
4.1.6 ipSecProposalSetTable..........................................10
4.1.7 ipSecProposalTable.............................................10
4.2 ipSecAhTransform group...........................................10
4.2.1 ipSecAhTransformSetTable.......................................10
4.2.2 ipSecAhTransformTable..........................................10
4.3 ipSecEspTransform group..........................................10
4.3.1 ipSecEspTransformSetTable......................................10
4.3.2 ipSecEspTransformTable.........................................10
4.4 ipSecCompTransform group.........................................10
4.4.1 ipSecCompTransformSetTable.....................................10
4.4.2 ipSecCompTransformTable........................................10
4.5 ipSecIkeAssociation group........................................10
4.5.1 ipSecIkeRuleTable..............................................10
4.5.2 ipSecIkeActionSetTable.........................................11
4.5.3 ipSecIkeAssociationTable.......................................11
4.5.4 ipSecIkeProposalSetTable.......................................11
4.5.5 ipSecIkeProposalTable..........................................11
4.5.6 ipSecIkePeerEndpointTable......................................11
4.6 ipSecCredential group............................................11
4.6.1 ipSecCredentialSetTable........................................11
4.6.2 ipSecCredentialTable...........................................11
4.6.3 ipSecCredentialFieldsTable.....................................11
4.7 ipSecSelector group..............................................11
4.7.1 ipSecSelectorSetTable..........................................11
4.7.2 ipSecSelectorTable.............................................11
4.7.3 ipSecAddressTable..............................................11
4.7.4 ipSecL4PortTable...............................................11
4.7.5 ipSecIpsoFilterSetTable........................................11
4.7.6 ipSecIpsoFilterTable...........................................11
4.8 ipSecPolicyTimePeriod group......................................11
4.8.1 ipSecRuleTimePeriodTable.......................................12
4.8.2 ipSecRuleTimePeriodSetTable....................................12
4.9 ipSecIfCapability group..........................................12
4.9.1 ipSecIfCapsTable...............................................12
4.10 ipSecPolicyPibConformance group.................................12
5. The IPsec PIB Module..............................................12
6. Security Considerations...........................................93
7. RFC Editor Considerations.........................................94
8. IANA Considerations...............................................94
9. Normative References..............................................94
10. Informative References...........................................95
11. Author's Addresses...............................................96
12. Full Copyright Statement.........................................96
Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [2].

1. Introduction

...

After connecting to a PDP using COPS-PR [6], which is an extension
of COPS [5], a PEP reports to the PDP the PIB Provisioning Classes
(PRCs) it supports as well as any limitations related to the
implementations of these classes and parameters. The PEP provides
the above information using the frwkPrcSupportTable and the
frwkCompLimitsTable defined in the framework PIB [9]. In addition,
the PEP also reports the interface type capabilities and role
combinations it supports using the frwkCapabilitySetTable and the
frwkRoleComboTable. Each row of the frwkCapabilitySetTable
contains a capability set name and a reference to an instance of a
PRC that describes the capabilities of the interface type. The
capability instances may reside in the ipSecIfCapsTable or in a
table defined in another PIB. Each row of the frwkRoleComboTable
contains an interface capability set name and a role combination.

Based on the interface capabilities and role combinations, the PDP
provides the PEP with IPsec policy information. Later on, if any
of the interface capabilities or role combinations of the PEP
change, the PEP notifies the PDP. The PDP will then send a new set
of IPsec policy information to the PEP. In addition, if the policy
associated with a given interface capability and role combination
changes, the PDP will deliver the new IPsec policy to all the PEPs
that have registered with that interface capability and role
combination.
3. Structure of IPsec PIB

An IPsec policy consists of an ordered list of IPsec rules. Each
rule is composed of a set of conditions and a set of actions. If a
packet matches any of the conditions, the actions will be applied
accordingly.

The IPsec PIB module consists of nine groups. The selector group
describes conditions to be associated with IPsec rules. The IPsec
association group, AH transform group, ESP transform group, COMP

...

of the interface to which this rule is to be applied. Each rule
points to a set of selectors and, optionally, a set of IPSO
filters to indicate the conditions associated with this rule. In
addition, each rule has a pointer to a set of actions to indicate
the actions associated with this rule. Hence if a packet matches a
selector in the selector set and, if the reference to the IPSO
filter set is not zero, it matches a filter in the IPSO filter
set, the action(s) associated with this rule will be applied to
the packet.

When a rule involves multiple actions, the ExecutionStrategy
attribute indicates how these actions are executed. A value of
"DoAll" means that all the actions MUST be applied to the packet
according to a predefined order. A value of "DoUntilSuccess" means
that the actions MUST be tried in sequence until a successful
execution of a single action.

For example, in a nested Security Associations case the actions of
an initiator's rule might be structured as:

   ExecutionStrategy='Do All'
     |
     +---1--- IPsecTunnelAction    // set up SA from host to gateway
     |
     +---2--- IPsecTransportAction // set up SA from host through
                                   // tunnel to remote host

Another example, showing a rule with fallback actions, might be
structured as:

   ExecutionStrategy='Do Until Success'
     |
     +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
     |
     +---2--- IPsecTunnelAction // set up SA from host to gateway [B]
...

the ipSecEspTransformTable. In addition, the SPI used for the
transform is also defined in the table.

Negotiation Actions require negotiations in order to establish
Security Associations. They include transport and tunnel actions.
The ipSecNegotiationActionTable specifies IPsec Negotiation
Actions. It points to a valid instance in the
ipSecAssociationTable that further defines the IPsec association
to be established. For key exchange policy, the KeyExchangeId
points to a valid instance in another table that describes key
exchange procedures. If a single IKE phase one negotiation is used
for the key exchange, this attribute MUST point to an instance in
the ipSecIkeAssociationTable. If multiple IKE phase one
negotiations (e.g., with different modes) are to be tried until
success, this attribute SHOULD point to ipSecIkeRuleTable. For
other key exchange methods, this attribute MAY point to an
instance of a PRC defined in some other PIB module.

The ipSecActionSetTable specifies sets of actions. Actions within
a set form an ordered list. If an action within a set is a Static
Action, the ActionId MUST point to a valid instance in the
ipSecStaticActionTable. If the action is a Negotiation Action, the
ActionId MUST point to a valid instance in the
ipSecNegotiationActionTable. For other actions, the ActionId MAY
point to an instance of a PRC defined in some other PIB module.
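The following is an added worked example, not text or code from the draft or from any PIB implementation. It models one ipSecActionSetTable entry being executed under the two ExecutionStrategy values defined in section 3.1.1 (the nested-SA "Do All" rule and the "Do Until Success" fallback rule drawn above), and it enforces the section 3.1.2 requirement that a Static Action's ActionId reference the ipSecStaticActionTable and a Negotiation Action's ActionId reference the ipSecNegotiationActionTable before anything is executed. Table and attribute names are the draft's; the Action and ActionSet classes, the "kind" labels, the boolean outcomes standing in for SA setup, and the decision to keep applying the remaining actions of a DoAll set after one fails (the draft does not say) are this example's own assumptions.

```python
# Added example (not from the draft): executing an ipSecActionSetTable entry
# under ExecutionStrategy "DoAll" / "DoUntilSuccess", after checking the
# ActionId-to-table MUSTs of section 3.1.2. Outcomes are constructed booleans.
from dataclasses import dataclass
from typing import Callable, List, Tuple

DO_ALL = "DoAll"
DO_UNTIL_SUCCESS = "DoUntilSuccess"

# Table an ActionId MUST reference for each kind of action (draft 3.1.2).
# "other" actions may point into a PRC of another PIB, so they are not checked.
REQUIRED_TABLE = {
    "static": "ipSecStaticActionTable",
    "negotiation": "ipSecNegotiationActionTable",
}


@dataclass
class Action:
    name: str
    kind: str                  # "static", "negotiation" or "other" (assumed labels)
    action_id_table: str       # table the ActionId points into
    run: Callable[[], bool]    # stands in for installing/negotiating the SA


@dataclass
class ActionSet:
    execution_strategy: str
    actions: List[Action]      # ordered list, as the rows of ipSecActionSetTable


def validate_action_set(aset: ActionSet) -> None:
    """Reject a set whose ActionId references violate section 3.1.2."""
    for a in aset.actions:
        required = REQUIRED_TABLE.get(a.kind)
        if required is not None and a.action_id_table != required:
            raise ValueError(f"{a.name}: a {a.kind} action's ActionId must "
                             f"reference {required}, not {a.action_id_table}")
    if aset.execution_strategy not in (DO_ALL, DO_UNTIL_SUCCESS):
        raise ValueError(f"unknown ExecutionStrategy {aset.execution_strategy!r}")


def execute_action_set(aset: ActionSet) -> Tuple[bool, List[str]]:
    """Return (rule succeeded, names of the actions attempted, in order).
    DoAll: every action is applied in order; the rule succeeds only if all did
    (continuing past a failure is this example's assumption, not the draft's).
    DoUntilSuccess: actions are tried in order and the first success ends it."""
    validate_action_set(aset)
    attempted: List[str] = []
    if aset.execution_strategy == DO_ALL:
        all_ok = True
        for a in aset.actions:
            attempted.append(a.name)
            all_ok = a.run() and all_ok
        return all_ok, attempted
    for a in aset.actions:
        attempted.append(a.name)
        if a.run():
            return True, attempted
    return False, attempted


def nested_sa_rule(tunnel_ok: bool = True) -> Tuple[bool, List[str]]:
    """The 'Do All' nested-SA rule of section 3.1.1 with constructed outcomes."""
    aset = ActionSet(DO_ALL, [
        Action("IPsecTunnelAction host->gateway", "negotiation",
               "ipSecNegotiationActionTable", lambda: tunnel_ok),
        Action("IPsecTransportAction host->remote host via tunnel", "negotiation",
               "ipSecNegotiationActionTable", lambda: tunnel_ok),
    ])
    return execute_action_set(aset)


def fallback_rule(gateway_a_reachable: bool) -> Tuple[bool, List[str]]:
    """The 'Do Until Success' fallback rule of section 3.1.1 (constructed)."""
    aset = ActionSet(DO_UNTIL_SUCCESS, [
        Action("IPsecTunnelAction host->gateway A", "negotiation",
               "ipSecNegotiationActionTable", lambda: gateway_a_reachable),
        Action("IPsecTunnelAction host->gateway B", "negotiation",
               "ipSecNegotiationActionTable", lambda: True),
    ])
    return execute_action_set(aset)


def misreferenced_static_action_is_rejected() -> bool:
    """A Static Action pointing at the negotiation table violates 3.1.2."""
    aset = ActionSet(DO_ALL, [
        Action("static ESP with manually keyed SA", "static",
               "ipSecNegotiationActionTable", lambda: True),
    ])
    try:
        validate_action_set(aset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(nested_sa_rule())
    print(fallback_rule(False))
    print(misreferenced_static_action_is_rejected())
```

The validation step is the part worth copying into a PEP: a policy that arrives over COPS-PR with an ActionId pointing at the wrong table should be refused at install time rather than discovered when the first packet hits the rule.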
3.1.3 IPsec associations

The ipSecAssociationTable specifies attributes associated with
IPsec associations. For each association, it points to a set of
proposals in the ipSecProposalSetTable that is associated with
this association.

The MinLifetimeSeconds and MinLifetimeKilobytes in the
ipSecAssociationTable indicate the lifetime to propose for the
IPsec association to be negotiated. They are different from the

...

then the one sending the proposal would want the other side to
pick one from the ESP transform (preferably (HMAC-MD5, 3DES)) list
AND one from the AH transform list (preferably MD5).
3.2 AH transform group

The AH transform group describes sets of AH transforms.

3.3 ESP transform group

The ESP transform group describes sets of ESP transforms.

3.4 COMP transform group

The COMP transform group describes sets of COMP transforms.

3.5 IKE association group

This group specifies rules associated with IKE phase one
negotiation.

The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
tables. Support of these tables is required only when a policy
contains:

- Multiple IKE phase one actions (e.g., with different exchange
  modes) that are associated with one IPsec association. These
  actions are to be tried in sequence until one succeeds.

- IKE phase one actions that start automatically.

For the latter case, IKE rules may be distributed independently
and the IfName and Roles attributes in the ipSecIkeRuleTable
indicate the interface type and role combinations to which this
rule is to be applied.
...

The ipSecIkeProposalSetTable specifies sets of proposals.
Proposals within a set are ordered with a preference value. The
ipSecIkeProposalTable contains parameters associated with IKE
proposals.

The ipSecIkePeerEndpointTable specifies IKE peer endpoint
information that includes acceptable peer identity and credentials
for IKE phase one negotiation. It points to a set of credentials
specified in the ipSecIkePeerEndpointCredentialSetTable. Any of
the credentials in the set is acceptable as a peer credential. The
AddressType and the Address attributes are used only when IKE
phase one negotiation starts automatically, i.e., when the value
of the AutoStart attribute in the ipSecIkeRuleTable is true. In
that case, these two attributes together indicate the peer endpoint
address.
3.6 Credential group

This group specifies credentials to be used for IKE phase one
negotiations.

The ipSecCredentialSetTable specifies sets of credentials. The
ipSecCredentialTable and ipSecCredentialFieldsTable together
specify credentials. Each credential may contain multiple sub-
fields. For example, a certificate may contain a unique serial
number sub-field and an issuer name sub-field, etc. The
ipSecCredentialFieldsTable defines the sub-fields and their values
that MUST be matched against. The ipSecCredentialTable points to a
set of criteria defined in the ipSecCredentialFieldsTable. The
criteria MUST all be satisfied in order for a credential to be
considered as acceptable. Certificates may also be revoked. The
CrlDistributionPoint attribute in the ipSecCredentialTable
indicates the Certificate Revocation List (CRL) distribution point
where CRLs may be fetched.
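The following is an added example, not code from the draft or any implementation of it, showing how the two matching rules of sections 3.5 and 3.6 compose: a peer endpoint's credential set is satisfied by any one credential in it (OR across the set), while a single credential is satisfied only when every sub-field criterion from its ipSecCredentialFieldsTable rows matches (AND within the credential), and a certificate that appears on the CRL named by CrlDistributionPoint is rejected even when its fields match. The certificate sub-field names, the sample values, and the in-memory set of (issuer, serial) pairs standing in for a fetched CRL are constructed for the example.

```python
# Added example (not from the draft): peer credential acceptance as an OR over
# the credential set (3.5) of an AND over each credential's field criteria (3.6),
# with a revocation check against a constructed stand-in for the CRL that
# would be fetched from CrlDistributionPoint.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Credential:
    name: str
    # rows of ipSecCredentialFieldsTable for this credential:
    # sub-field name -> value that MUST match
    fields: Dict[str, str]
    crl_distribution_point: str = ""    # CrlDistributionPoint; "" when none


# Constructed CRL contents as (issuerName, serialNumber) pairs, standing in for
# the list a PEP would fetch from the configured distribution point.
REVOKED: FrozenSet[Tuple[str, str]] = frozenset({
    ("CN=Example Corp CA", "0x2a"),
})


def credential_matches(cred: Credential, presented: Dict[str, str],
                       revoked: FrozenSet[Tuple[str, str]] = REVOKED) -> bool:
    """All criteria MUST be satisfied (3.6); a revoked certificate never matches.
    `presented` is the sub-field view of the certificate the peer offered."""
    if any(presented.get(name) != value for name, value in cred.fields.items()):
        return False
    key = (presented.get("issuerName", ""), presented.get("serialNumber", ""))
    return key not in revoked


def peer_accepts(credential_set: List[Credential], presented: Dict[str, str]) -> str:
    """Return the name of the first credential in the peer endpoint's set that
    accepts the presented certificate (any one suffices, 3.5), or "" if none."""
    for cred in credential_set:
        if credential_matches(cred, presented):
            return cred.name
    return ""


# Constructed credential set referenced by one IKE peer endpoint: either the
# certificate with a pinned serial number, or any certificate from the corporate
# CA whose subject is the VPN gateway name.
GATEWAY_PEER_CREDENTIALS = [
    Credential("pinned-serial",
               {"issuerName": "CN=Example Corp CA", "serialNumber": "0x1f"},
               "http://crl.example/corp-ca.crl"),
    Credential("any-vpn-subject",
               {"issuerName": "CN=Example Corp CA",
                "subjectName": "CN=vpn-gw.example"},
               "http://crl.example/corp-ca.crl"),
]


if __name__ == "__main__":
    offered = {"issuerName": "CN=Example Corp CA", "serialNumber": "0x2a",
               "subjectName": "CN=vpn-gw.example"}
    # Fields match the second credential, but the serial is on the CRL.
    print(peer_accepts(GATEWAY_PEER_CREDENTIALS, offered) or "rejected")
```

Keeping the revocation check inside credential_matches rather than after peer_accepts matters: with the check outside, a revoked certificate that happened to satisfy one credential would still short-circuit the search before a later, legitimately matching credential was tried.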
...

selectors. These selectors are constructed as follows:

1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.

2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.

3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or port ranges whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.

4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or port ranges whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.

5. Construct all the possible combinations of the above four
   fields. Then add to the combinations the ipSecSelectorProtocol,
   ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
   the list of selectors.

Selectors constructed from a single row have the same order within
a selector set. The order is indicated by the Order attribute of
the ipSecSelectorSetTable. The relative order among selectors
constructed from a single row is unspecified. This is not an issue
as long as these selectors are not overlapping.
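The following is an added example, not code from the draft or from any PIB implementation. It carries steps 1 to 5 above through for one ipSecSelectorTable row, and goes one step further than the text by checking the condition the last paragraph relies on: since the order among selectors expanded from a single row is unspecified, the example flags a row whose expansion contains overlapping selectors, because packet matching for such a row would be ambiguous. Table and attribute names are the draft's; the contents of the address and port groups, the Selector tuple layout, and the sample row are constructed.

```python
# Added example (not from the draft): expanding one ipSecSelectorTable row into
# concrete selectors by steps 1-5 of section 3.7, then checking the expansion
# for overlapping selectors (whose relative order the draft leaves unspecified).
from ipaddress import ip_network
from itertools import product
from typing import Dict, List, NamedTuple, Tuple

PortRange = Tuple[int, int]    # inclusive (low, high); a single port is (p, p)


class Selector(NamedTuple):
    src_addr: str
    dst_addr: str
    src_port: PortRange
    dst_port: PortRange
    protocol: int
    dscp: int
    flow_label: int


# Constructed ipSecAddressTable and ipSecL4PortTable contents, keyed by group id.
ADDRESS_TABLE: Dict[int, List[str]] = {
    1: ["10.0.1.0/24", "10.0.2.0/24"],   # two branch subnets
    2: ["192.0.2.10/32"],                # one server
    3: ["10.0.0.0/16", "10.0.1.0/24"],   # deliberately overlapping group
}
L4PORT_TABLE: Dict[int, List[PortRange]] = {
    10: [(0, 65535)],                    # any source port
    11: [(80, 80), (443, 443)],          # HTTP and HTTPS
}


def expand_selector_row(row: Dict[str, int],
                        address_table: Dict[int, List[str]] = ADDRESS_TABLE,
                        port_table: Dict[int, List[PortRange]] = L4PORT_TABLE
                        ) -> List[Selector]:
    """Steps 1-5 of section 3.7 applied to a single ipSecSelectorTable row."""
    src_addrs = address_table[row["ipSecSelectorSrcAddressGroupId"]]  # step 1
    dst_addrs = address_table[row["ipSecSelectorDstAddressGroupId"]]  # step 2
    src_ports = port_table[row["ipSecSelectorSrcPortGroupId"]]        # step 3
    dst_ports = port_table[row["ipSecSelectorDstPortGroupId"]]        # step 4
    # step 5: every combination of the four substituted fields, with the row's
    # own protocol, DSCP and flow label appended to each
    return [
        Selector(sa, da, sp, dp, row["ipSecSelectorProtocol"],
                 row["ipSecSelectorDscp"], row["ipSecSelectorFlowLabel"])
        for sa, da, sp, dp in product(src_addrs, dst_addrs, src_ports, dst_ports)
    ]


def _ports_overlap(a: PortRange, b: PortRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def selectors_overlap(x: Selector, y: Selector) -> bool:
    """True when some packet could match both selectors."""
    return (x.protocol == y.protocol and x.dscp == y.dscp
            and x.flow_label == y.flow_label
            and ip_network(x.src_addr).overlaps(ip_network(y.src_addr))
            and ip_network(x.dst_addr).overlaps(ip_network(y.dst_addr))
            and _ports_overlap(x.src_port, y.src_port)
            and _ports_overlap(x.dst_port, y.dst_port))


def row_has_overlapping_selectors(selectors: List[Selector]) -> bool:
    """Overlap within one row's expansion makes matching order-dependent, and
    the draft leaves that order unspecified, so a PDP should not emit such rows."""
    n = len(selectors)
    return any(selectors_overlap(selectors[i], selectors[j])
               for i in range(n) for j in range(i + 1, n))


# Constructed row: branch subnets -> server, any source port, TCP to 80 or 443.
SAMPLE_ROW = {
    "ipSecSelectorSrcAddressGroupId": 1,
    "ipSecSelectorDstAddressGroupId": 2,
    "ipSecSelectorSrcPortGroupId": 10,
    "ipSecSelectorDstPortGroupId": 11,
    "ipSecSelectorProtocol": 6,
    "ipSecSelectorDscp": 0,
    "ipSecSelectorFlowLabel": 0,
}

if __name__ == "__main__":
    expanded = expand_selector_row(SAMPLE_ROW)
    for s in expanded:
        print(s)
    print("overlapping:", row_has_overlapping_selectors(expanded))
```

With the sample row the two source subnets and two destination ports give four disjoint selectors; substituting address group 3, whose two prefixes nest, produces selectors that overlap and is exactly the case the note on unspecified ordering warns about.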
The use of references in the ipSecSelectorTable instead of real IP
addresses and port numbers reduces the number of bytes being
pushed down to the PEP. Grouping of IP addresses and layer 4 ports
serves the same purpose.

The ipSecIpsoFilterSetTable specifies sets of IPSO filters.
Filters within a set form an ordered list. The

...
For ease of reference, a concise summary of the groups and tables For ease of reference, a concise summary of the groups and tables
is included in the next section. is included in the next section.
4. Summary of the IPsec PIB 4. Summary of the IPsec PIB
4.1 ipSecAssociation group 4.1 ipSecAssociation group
This group specifies IPsec Security Associations. This group specifies IPsec Security Associations.
4.1.1 ipSecRuleTable 4.1.1 ipSecRuleTable
Li, et al Expires December 2003 9
IPsec Policy Information Base May 2003
This table is the starting point for specifying an IPsec policy. This table is the starting point for specifying an IPsec policy.
It contains an ordered list of IPsec rules. It contains an ordered list of IPsec rules.
4.1.2 ipSecActionSetTable 4.1.2 ipSecActionSetTable
Specifies IPsec action sets. Specifies IPsec action sets.
4.1.3 ipSecStaticActionTable 4.1.3 ipSecStaticActionTable
Specifies IPsec static actions. Specifies IPsec static actions.
4.1.4 ipSecNegotiationActionTable 4.1.4 ipSecNegotiationActionTable
Specifies IPsec negotiation actions. Specifies IPsec negotiation actions.
4.1.5 ipSecAssociationTable 4.1.5 ipSecAssociationTable
Specifies IPsec associations. Specifies IPsec associations.
4.1.6 ipSecProposalSetTable 4.1.6 ipSecProposalSetTable
Li, et al Expires August 2003 8
IPsec Policy Information Base January 2003
Specifies IPsec proposal sets. Specifies IPsec proposal sets.
4.1.7 ipSecProposalTable 4.1.7 ipSecProposalTable
Specifies IPsec proposals. Specifies IPsec proposals.
4.2 ipSecAhTransform group 4.2 ipSecAhTransform group
This group specifies AH Transforms. This group specifies AH Transforms.
4.2.1 ipSecAhTransformSetTable 4.2.1 ipSecAhTransformSetTable
Specifies AH transform sets. Specifies AH transform sets.
skipping to change at line 482 skipping to change at line 555
4.4.2 ipSecCompTransformTable 4.4.2 ipSecCompTransformTable
Specifies IP compression (IPCOMP) algorithms. Specifies IP compression (IPCOMP) algorithms.
4.5 ipSecIkeAssociation group 4.5 ipSecIkeAssociation group
This group specifies IKE Security Associations. This group specifies IKE Security Associations.
4.5.1 ipSecIkeRuleTable 4.5.1 ipSecIkeRuleTable
Specifies IKE rules. Specifies IKE rules.
Li, et al Expires December 2003 10
IPsec Policy Information Base May 2003
4.5.2 ipSecIkeActionSetTable 4.5.2 ipSecIkeActionSetTable
Specifies IKE action sets. Specifies IKE action sets.
4.5.3 ipSecIkeAssociationTable 4.5.3 ipSecIkeAssociationTable
Specifies IKE associations. Specifies IKE associations.
4.5.4 ipSecIkeProposalSetTable 4.5.4 ipSecIkeProposalSetTable
Specifies IKE proposal sets. Specifies IKE proposal sets.
4.5.5 ipSecIkeProposalTable 4.5.5 ipSecIkeProposalTable
Specifies IKE proposals. Specifies IKE proposals.
4.5.6 ipSecIkePeerEndpointTable 4.5.6 ipSecIkePeerEndpointTable
Specifies IKE peer endpoints. Specifies IKE peer endpoints.
Li, et al Expires August 2003 9
IPsec Policy Information Base January 2003
4.6 ipSecCredential group

This group specifies credentials for IKE phase one negotiations.

4.6.1 ipSecCredentialSetTable

Specifies credential sets.

4.6.2 ipSecCredentialTable

Specifies credentials.

4.6.3 ipSecCredentialFieldsTable
[skipping to change at line 538 of draft-07 / line 611 of draft-08]
4.7.5 ipSecIpsoFilterSetTable

Specifies IPSO filter sets.

4.7.6 ipSecIpsoFilterTable

Specifies IPSO filters.

4.8 ipSecPolicyTimePeriod group

This group specifies the time periods during which a policy rule
is valid.
4.8.1 ipSecRuleTimePeriodTable

Specifies the time periods during which a policy rule is valid.

4.8.2 ipSecRuleTimePeriodSetTable

Specifies time period sets.

4.9 ipSecIfCapability group

This group specifies capabilities associated with interface types.

4.9.1 ipSecIfCapsTable

Specifies capabilities that may be associated with an interface of
a specific type.

4.10 ipSecPolicyPibConformance group
This group specifies requirements for conformance to the IPsec
Policy PIB.

5. The IPsec PIB Module

IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
[draft-07]
    Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
    TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP, pib
[draft-08]
    Unsigned32, Unsigned64, Integer32, MODULE-IDENTITY,
    OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE,
    OBJECT-GROUP, pib
        FROM COPS-PR-SPPI
    TruthValue
        FROM SNMPv2-TC
    InstanceId, ReferenceId, TagId, TagReferenceId, Prid
        FROM COPS-PR-SPPI-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddress, InetAddressType,
    InetAddressPrefixLength, InetPortNumber
        FROM INET-ADDRESS-MIB
    DscpOrAny
        FROM DIFFSERV-DSCP-TC
    zeroDotZero
        FROM SNMPv2-SMI
    RoleCombination
        FROM FRAMEWORK-TC-PIB;
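Review bot: the IMPORTS change is consistent with the rest of the module. Unsigned64 and Integer32 were already needed (ipSecStaticActionLifetimeKilobytes and ipSecAssociationMinLifetimeKilobytes have SYNTAX Unsigned64, and the new IPv6FlowLabelOrAny is Integer32) but draft-07 never imported them, so a strict SPPI compiler would have rejected it; dropping OBJECT-IDENTITY matches the group nodes becoming plain OBJECT IDENTIFIER assignments further down.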
ipSecPolicyPib MODULE-IDENTITY
    SUBJECT-CATEGORIES { tbd } -- IPsec Client Type -
                               -- to be assigned by IANA -
[draft-07]
    LAST-UPDATED "200301021800Z"
[draft-08]
                               -- suggest to use "ipSec"
    LAST-UPDATED "200316051800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
        Man Li
        Nokia
        5 Wayside Road,
        Burlington, MA 01803
        Phone: +1 781 993 3923
        Email: man.m.li@nokia.com

        Avri Doria
        Div. of Computer Communications
        Lulea University of Technology
        SE-971 87
        Lulea, Sweden
        Phone: +46 920 49 3030
        Email: avri@sm.luth.se

        Jamie Jason
        Intel Corporation
        MS JF3-206
        2111 NE 25th Ave.
        Hillsboro, OR 97124
        Phone: +1 503 264 9531
        Fax: +1 503 264 9428
        Email: jamie.jason@intel.com

        Cliff Wang
        SmartPipes Inc.
        Suite 300, 565 Metro Place South
        Dublin, OH 43017
        Phone: +1 614 923 6241
[skipping to change at line 633 of draft-07 / line 707 of draft-08]
        Markus Stenberg
        SSH Communications Security Corp.
        Fredrikinkatu 42
        FIN-00100 Helsinki, Finland
        Phone: +358 20 500 7466
        Email: fingon@iki.fi"
[draft-07]
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPsec policies."
    REVISION "200301021800Z"
    DESCRIPTION
        "Initial version, published as RFC xxxx."
    -- yyy to be assigned by IANA --
[draft-08]
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPsec policies.
        Copyright (C) The Internet Society (2003). This version of this PIB
        module is part of RFC xxxx; see the RFC itself for full legal
        notices"
    REVISION "200316051800Z"
    DESCRIPTION
        "Initial version, published as RFC xxxx."
    -- xxxx to be assigned by IANA --
    ::= { pib yyy } -- yyy to be assigned by IANA --
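Review bot: the draft-08 LAST-UPDATED and REVISION value "200316051800Z" is not a well-formed SMI/SPPI UTC time. The format is YYYYMMDDHHMMZ, so "16" lands in the month field; the intended date is presumably 16 May 2003, i.e. "200305161800Z". Whichever date is meant, both clauses must carry the same valid string, as draft-07's "200301021800Z" did. The copyright sentence added to the module DESCRIPTION is the standard boilerplate and is fine.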
[draft-07]
Unsigned16 ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "An unsigned 16 bit integer."
    SYNTAX Unsigned32 (0..65535)

ipSecAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies IPsec Security Associations."
    ::= { ipSecPolicyPib 1 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies AH Transforms."
    ::= { ipSecPolicyPib 2 }

ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies ESP Transforms."
    ::= { ipSecPolicyPib 3 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies Comp Transforms."
    ::= { ipSecPolicyPib 4 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies IKE Security Associations."
    ::= { ipSecPolicyPib 5 }

ipSecCredential OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies credentials for IKE phase one negotiations."
    ::= { ipSecPolicyPib 6 }

ipSecSelector OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies selectors for IPsec associations."
    ::= { ipSecPolicyPib 7 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the time periods during which a policy rule
        is valid."
    ::= { ipSecPolicyPib 8 }

ipSecIfCapability OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies capabilities associated with interface
        types."
    ::= { ipSecPolicyPib 9 }

ipSecPolicyPibConformance OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies requirements for conformance to the IPsec
        Policy PIB"
    ::= { ipSecPolicyPib 10 }

[draft-08]
Unsigned16 ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "An unsigned 16 bit integer."
    SYNTAX Unsigned32 (0..65535)

IPv6FlowLabelOrAny ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS current
    DESCRIPTION
        "The flow identifier or Flow Label in an IPv6 packet header that may
        be used to discriminate traffic flows. The value of -1 is used to
        indicate a wildcard, i.e. any value."
    SYNTAX Integer32 (-1 | 0..1048575)

ipSecAssociation
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 1 }
ipSecAhTransform
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 2 }
ipSecEspTransform
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 3 }
ipSecCompTransform
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 4 }
ipSecIkeAssociation
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 5 }
ipSecCredential
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 6 }
ipSecSelector
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 7 }
ipSecPolicyTimePeriod
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 8 }
ipSecIfCapability
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 9 }
ipSecPolicyPibConformance
    OBJECT IDENTIFIER ::= { ipSecPolicyPib 10 }
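Review bot: IPv6FlowLabelOrAny is defined as Integer32 (-1 | 0..1048575), which is exactly the 20-bit flow label space plus the -1 wildcard; a PEP has to test for -1 explicitly, since unlike an address prefix the wildcard cannot be expressed as a mask. Note that the ten group nodes lost their DESCRIPTION text when they changed from OBJECT-IDENTITY to bare OBJECT IDENTIFIER assignments, so section 4 is now the only place each group is described.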
--
-- The ipSecRuleTable
--
ipSecRuleTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecRuleEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "This table is the starting point for specifying an IPsec policy.
        It contains an ordered list of IPsec rules."
    ::= { ipSecAssociation 1 }

ipSecRuleEntry OBJECT-TYPE
    SYNTAX IpSecRuleEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecRulePrid }
    UNIQUENESS {
        ipSecRuleIfName,
        ipSecRuleRoles,
        ipSecRuleOrder
    }
[skipping to change at line 774 of draft-07 / line 821 of draft-08]
    ::= { ipSecRuleEntry 1 }

ipSecRuleIfName OBJECT-TYPE
    SYNTAX SnmpAdminString
    STATUS current
    DESCRIPTION
        "The interface capability set to which this IPsec rule applies.
        The interface capability name specified by this attribute MUST
        exist in the frwkCapabilitySetTable [9] prior to association with
        an instance of this class."
    ::= { ipSecRuleEntry 2 }

ipSecRuleRoles OBJECT-TYPE
    SYNTAX RoleCombination
    STATUS current
    DESCRIPTION
        "Specifies the role combination of the interface to which this
        IPsec rule should apply. There must exist an instance in the
        frwkRoleComboTable [9] specifying this role combination, together
        with the interface capability set specified by ipSecRuleIfName,
        prior to association with an instance of this class."
    ::= { ipSecRuleEntry 3 }

ipSecRuleDirection OBJECT-TYPE
    SYNTAX INTEGER {
        in(1),
        out(2),
        bi-directional(3)
    }
[skipping to change at line 831 of draft-07 / line 878 of draft-08]
        When the value of this attribute is not zero, the set of IPSO
        filters is ANDed with the set of Selectors specified by
        ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
        selector in the selector sets and a filter in the IPSO filter sets
        before the actions associated with this rule can be applied."
    ::= { ipSecRuleEntry 6 }
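The matching semantics above, as an added worked example in Python: an ordered rule table is walked by ipSecRuleOrder, each rule is tested against ipSecRuleDirection, then against the selectors of its selector set, and only when the IPSO filter set reference is non-zero is an IPSO filter ANDed with the selector match. This code is not part of the draft or of any ipsp implementation. The selector fields (prefixes, protocol, port, flow label) and the IPSO filter (a classification level range) are assumptions, since the ipSecSelector and ipSecIpsoFilter tables are not on this page; the IPv6FlowLabelOrAny wildcard and the Unsigned16 range are taken from the textual conventions of this module, and the sample rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# IPv6FlowLabelOrAny: Integer32 (-1 | 0..1048575), -1 is the wildcard.
FLOW_LABEL_ANY = -1
FLOW_LABEL_MAX = (1 << 20) - 1


def valid_flow_label_or_any(v: int) -> bool:
    return v == FLOW_LABEL_ANY or 0 <= v <= FLOW_LABEL_MAX


def valid_unsigned16(v: int) -> bool:          # Unsigned16: Unsigned32 (0..65535)
    return 0 <= v <= 65535


IN, OUT, BIDIRECTIONAL = 1, 2, 3               # ipSecRuleDirection


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    direction: int                             # IN or OUT at the interface
    flow_label: int = 0
    ipso_level: Optional[int] = None           # assumed IPSO classification field


def _in_prefix(addr: str, prefix: Optional[str]) -> bool:
    """None means 'any' (assumption); an address of the other IP version never matches."""
    if prefix is None:
        return True
    a = ipaddress.ip_address(addr)
    n = ipaddress.ip_network(prefix, strict=False)
    return a.version == n.version and a in n


@dataclass
class Selector:
    """Assumed selector attributes; None means 'any' (assumption)."""
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None
    flow_label: int = FLOW_LABEL_ANY

    def matches(self, p: Packet) -> bool:
        if not valid_flow_label_or_any(self.flow_label):
            raise ValueError("flow label outside IPv6FlowLabelOrAny range")
        return (_in_prefix(p.src, self.src_prefix)
                and _in_prefix(p.dst, self.dst_prefix)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.flow_label in (FLOW_LABEL_ANY, p.flow_label))


@dataclass
class IpsoFilter:
    """Assumed IPSO filter: an inclusive range of classification levels."""
    min_level: int
    max_level: int

    def matches(self, p: Packet) -> bool:
        return p.ipso_level is not None and self.min_level <= p.ipso_level <= self.max_level


@dataclass
class Rule:
    order: int                                 # ipSecRuleOrder
    direction: int                             # ipSecRuleDirection
    selectors: List[Selector]                  # set named by ipSecRuleIpSecSelectorSetId
    ipso_filters: List[IpsoFilter] = field(default_factory=list)   # empty == reference 0
    action_set_id: int = 0                     # ipSecRuleIpSecActionSetId

    def applies(self, p: Packet) -> bool:
        if self.direction != BIDIRECTIONAL and self.direction != p.direction:
            return False
        if not any(s.matches(p) for s in self.selectors):
            return False
        # Non-zero IPSO filter set reference: the filter set is ANDed with the selectors.
        if self.ipso_filters and not any(f.matches(p) for f in self.ipso_filters):
            return False
        return True


def first_matching_rule(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """The table is an ordered list: lowest ipSecRuleOrder is tried first."""
    if not all(valid_unsigned16(r.order) for r in rules):
        raise ValueError("ipSecRuleOrder must fit Unsigned16")
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.applies(p):
            return rule
    return None


# Constructed sample table (not from the draft); the catch-all rule is listed first
# on purpose to show that ipSecRuleOrder, not list position, decides precedence.
SAMPLE_RULES = [
    Rule(order=30, direction=BIDIRECTIONAL, selectors=[Selector()], action_set_id=3),
    Rule(order=10, direction=OUT,
         selectors=[Selector(dst_prefix="2001:db8::/32", proto=6, dport=443)],
         action_set_id=1),
    Rule(order=20, direction=BIDIRECTIONAL,
         selectors=[Selector(flow_label=0x12345)],
         ipso_filters=[IpsoFilter(2, 4)], action_set_id=2),
]


def action_set_for(p: Packet) -> Optional[int]:
    rule = first_matching_rule(SAMPLE_RULES, p)
    return None if rule is None else rule.action_set_id
```

Two points the table illustrates: a catch-all rule with a low ipSecRuleOrder would shadow every more specific rule, so the sample gives it the highest order; and the IPSO filter set is consulted only when one is referenced, which is what the description requires. Treating an absent filter set as "match nothing" would silently make every such rule inert.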
ipSecRuleIpSecActionSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecActionSetActionSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IPsec actions to be associated with this
        rule."
    ::= { ipSecRuleEntry 7 }

ipSecRuleActionExecutionStrategy OBJECT-TYPE
    SYNTAX INTEGER {
        doAll(1),
        doUntilSuccess(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the strategy to be used in executing the sequenced
        actions in the action set identified by ipSecRuleIpSecActionSetId.
        DoAll (1) causes the execution of all the actions in the action
        set according to their defined precedence order. The precedence
        order is specified by the ipSecActionSetOrder in the
[skipping to change at line 888 of draft-07 / line 935 of draft-08]
    DESCRIPTION
        "Limits the negotiation method. Before proceeding with a phase 2
        negotiation, the LimitNegotiation property of the IPsecRule is
        first checked to determine if the negotiation part indicated for
        the rule matches that of the current negotiation (Initiator,
        Responder, or Either).

        This attribute is ignored when an attempt is made to refresh an
        expiring SA (either side can initiate a refresh operation). The
        system can determine that the negotiation is a refresh operation
        by checking to see if the selector information matches that of an
        existing SA. If LimitNegotiation does not match and the selector
        corresponds to a new SA, the negotiation is stopped."
    ::= { ipSecRuleEntry 10 }
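The LimitNegotiation check described above, as an added example in Python that is not draft text. The enumeration values initiator(1), responder(2), either(3) are assumed here, because the SYNTAX clause of this attribute is in the part of ipSecRuleEntry elided from this page; an SA is identified for the refresh test by its selector tuple, which is the criterion the description states. The sample SAD is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Assumed encoding of the LimitNegotiation enumeration (SYNTAX clause is off-page).
INITIATOR, RESPONDER, EITHER = 1, 2, 3
LIMIT_NAMES = {INITIATOR: "initiator", RESPONDER: "responder", EITHER: "either"}


@dataclass(frozen=True)
class SelectorKey:
    """Selector information that identifies an SA for the refresh test (assumed fields)."""
    src: str
    dst: str
    proto: int
    dport: int


@dataclass
class ExistingSa:
    key: SelectorKey
    spi: int


def is_refresh(key: SelectorKey, sad: Iterable[ExistingSa]) -> bool:
    """A negotiation is a refresh when its selectors match an SA already in the SAD."""
    return any(sa.key == key for sa in sad)


def phase2_may_proceed(limit: int, our_role: int, key: SelectorKey,
                       sad: Iterable[ExistingSa]) -> Tuple[bool, str]:
    """Gate a phase 2 negotiation on ipSecRuleLimitNegotiation.

    Returns (proceed, reason).  A refresh bypasses the check, because either
    side may initiate one; for a new SA the role we play must equal the
    limit, unless the limit is 'either'.
    """
    if limit not in LIMIT_NAMES:
        raise ValueError(f"unknown LimitNegotiation value {limit}")
    if our_role not in (INITIATOR, RESPONDER):
        raise ValueError("our_role must be initiator or responder")
    if is_refresh(key, sad):
        return True, "refresh of an existing SA; LimitNegotiation ignored"
    if limit == EITHER or limit == our_role:
        return True, (f"new SA; role {LIMIT_NAMES[our_role]} permitted by "
                      f"limit {LIMIT_NAMES[limit]}")
    return False, (f"new SA; role {LIMIT_NAMES[our_role]} blocked by "
                   f"limit {LIMIT_NAMES[limit]}; negotiation stopped")


# Constructed sample SAD (not from the draft): one SA for ssh to 10.0.1.1.
SAMPLE_SAD = [ExistingSa(SelectorKey("10.0.0.1", "10.0.1.1", 6, 22), spi=0x1000)]
```

The refresh exemption is the caveat to keep in mind: a rule limited to responder stops the local system from originating new SAs, but once any SA with matching selectors exists the local side may initiate its rekey, so LimitNegotiation is a policy on who opens a flow, not on who may ever send IKE traffic.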
ipSecRuleAutoStart OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Indicates if this rule should be automatically executed."
    ::= { ipSecRuleEntry 11 }

ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
    STATUS current
    DESCRIPTION
        "Identifies an IPsec rule time period set, specified in
        ipSecRuleTimePeriodSetTable, that is associated with this rule.
[skipping to change at line 944 of draft-07 / line 991 of draft-08]
    UNIQUENESS {
        ipSecActionSetActionSetId,
        ipSecActionSetActionId,
        ipSecActionSetDoActionLogging,
        ipSecActionSetDoPacketLogging,
        ipSecActionSetOrder
    }
    ::= { ipSecActionSetTable 1 }

IpSecActionSetEntry ::= SEQUENCE {
    ipSecActionSetPrid             InstanceId,
    ipSecActionSetActionSetId      TagId,
    ipSecActionSetActionId         Prid,
    ipSecActionSetDoActionLogging  TruthValue,
    ipSecActionSetDoPacketLogging  TruthValue,
    ipSecActionSetOrder            Unsigned16
}

ipSecActionSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecActionSetEntry 1 }

ipSecActionSetActionSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
[skipping to change at line 1001 of draft-07 / line 1048 of draft-08]
        "Specifies whether a log message is to be generated when the
        action is performed. For ipSecNegotiationActions this means
        logging a message when the negotiation is attempted (with the
        success or failure result). For ipSecStaticActions it applies
        only to the PreconfiguredTransport and PreconfiguredTunnel
        actions, and means logging a message when the preconfigured SA
        is actually installed in the SADB."
    ::= { ipSecActionSetEntry 4 }

ipSecActionSetDoPacketLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether to log when the resulting security association
        is used to process a packet. For ipSecStaticActions, a log message
        is to be generated when the IPsecBypass, IpsecDiscard or IKEReject
        actions are executed."
    ::= { ipSecActionSetEntry 5 }
ipSecActionSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the precedence order of the action within the action
        set. An action with a smaller precedence order is to be applied
        before one with a larger precedence order."
    ::= { ipSecActionSetEntry 6 }
--
[skipping to change at line 1057 of draft-07 / line 1103 of draft-08]
        ipSecStaticActionLifetimeSeconds,
        ipSecStaticActionLifetimeKilobytes,
        ipSecStaticActionSaTransformId
    }
    ::= { ipSecStaticActionTable 1 }

IpSecStaticActionEntry ::= SEQUENCE {
    ipSecStaticActionPrid               InstanceId,
    ipSecStaticActionAction             INTEGER,
    ipSecStaticActionTunnelEndpointId   ReferenceId,
    ipSecStaticActionDfHandling         INTEGER,
    ipSecStaticActionSpi                Unsigned32,
    ipSecStaticActionLifetimeSeconds    Unsigned32,
    ipSecStaticActionLifetimeKilobytes  Unsigned64,
    ipSecStaticActionSaTransformId      Prid
}

ipSecStaticActionPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecStaticActionEntry 1 }

ipSecStaticActionAction OBJECT-TYPE
    SYNTAX INTEGER {
        byPass(1),
        discard(2),
[skipping to change at line 1114 of draft-07 / line 1160 of draft-08]
        When ipSecStaticActionAction is not preConfiguredTunnel, this
        attribute MUST be zero."
    ::= { ipSecStaticActionEntry 3 }

ipSecStaticActionDfHandling OBJECT-TYPE
    SYNTAX INTEGER {
        copy(1),
        set(2),
        clear(3)
    }
    STATUS current
    DESCRIPTION
        "When ipSecStaticActionAction is preConfiguredTunnel, this
        attribute specifies how the DF bit is managed.

        Copy (1) indicates to copy the DF bit from the internal IP header
        to the external IP header. Set (2) indicates to set the DF bit of
        the external IP header to 1. Clear (3) indicates to clear the DF
        bit of the external IP header to 0.
        When ipSecStaticActionAction is not preConfiguredTunnel, this
        attribute MUST be ignored."
    ::= { ipSecStaticActionEntry 4 }

ipSecStaticActionSpi OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the SPI to be used with the SA Transform identified by
        ipSecStaticActionSaTransformId.
[skipping to change at line 1169 of draft-07 / line 1214 of draft-08]
        the MaxLifetimeSeconds property of the associated SA Transform.
        Except if the value of this LifetimeSeconds property is zero, then
        there will be no lifetime associated with this SA."
    ::= { ipSecStaticActionEntry 6 }

ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the SA lifetime in kilobytes. When
        ipSecStaticActionAction is neither preConfiguredTransport
        nor preConfiguredTunnel, this attribute MUST be ignored.

        A value of zero indicates that there is not a lifetime associated
        with this action (i.e., infinite lifetime).

        The actual lifetime of the preconfigured SA will be the smallest
        of the value of this LifetimeKilobytes property and of the value
        of the MaxLifetimeKilobytes property of the associated SA
        transform. Except if the value of this LifetimeKilobytes property
        is zero, then there will be no lifetime associated with this
        action."
    ::= { ipSecStaticActionEntry 7 }
ipSecStaticActionSaTransformId OBJECT-TYPE
    SYNTAX Prid
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in another table that describes an
[skipping to change at line 1225 of draft-07 / line 1270 of draft-08]
    PIB-INDEX { ipSecNegotiationActionPrid }
    UNIQUENESS {
        ipSecNegotiationActionAction,
        ipSecNegotiationActionTunnelEndpointId,
        ipSecNegotiationActionDfHandling,
        ipSecNegotiationActionIpSecSecurityAssociationId,
        ipSecNegotiationActionKeyExchangeId
    }
    ::= { ipSecNegotiationActionTable 1 }
IpSecNegotiationActionEntry ::= SEQUENCE {
    ipSecNegotiationActionPrid                        InstanceId,
    ipSecNegotiationActionAction                      INTEGER,
    ipSecNegotiationActionTunnelEndpointId            ReferenceId,
    ipSecNegotiationActionDfHandling                  INTEGER,
    ipSecNegotiationActionIpSecSecurityAssociationId  ReferenceId,
    ipSecNegotiationActionKeyExchangeId               Prid
}

ipSecNegotiationActionPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecNegotiationActionEntry 1 }

ipSecNegotiationActionAction OBJECT-TYPE
    SYNTAX INTEGER {
        transport(1),
        tunnel(2)
[skipping to change at line 1281 of draft-07 / line 1327 of draft-08]
    ::= { ipSecNegotiationActionEntry 3 }

ipSecNegotiationActionDfHandling OBJECT-TYPE
    SYNTAX INTEGER {
        copy(1),
        set(2),
        clear(3)
    }
    STATUS current
    DESCRIPTION
        "When ipSecNegotiationActionAction is tunnel, this attribute
        specifies how the DF bit is managed.

        Copy (1) indicates to copy the DF bit from the internal IP header
        to the external IP header. Set (2) indicates to set the DF bit of
        the external IP header to 1. Clear (3) indicates to clear the DF
        bit of the external IP header to 0.

        When ipSecNegotiationActionAction is not tunnel, this attribute
        MUST be ignored."
    ::= { ipSecNegotiationActionEntry 4 }
ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecAssociationEntry }
    STATUS current
    DESCRIPTION
[draft-07]
        "Pointer to a valid instance in the
        ipSecSecurityAssociationTable."
[draft-08]
        "Pointer to a valid instance in the ipSecAssociationTable."
    ::= { ipSecNegotiationActionEntry 5 }
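Review bot: good fix. The draft-07 text pointed at ipSecSecurityAssociationTable, which does not exist in this module, while the PIB-REFERENCES clause already named ipSecAssociationEntry; the description and the reference clause now agree.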
ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
    SYNTAX Prid
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in another table that describes key
        exchange associations. If a single IKE phase one negotiation is
        used for the key exchange, this attribute MUST point to an
        instance in the ipSecIkeAssociationTable. If multiple IKE phase
[skipping to change at line 1337 of draft-07 / line 1381 of draft-08]
--
ipSecAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec associations."
    ::= { ipSecAssociation 5 }
ipSecAssociationEntry OBJECT-TYPE
    SYNTAX IpSecAssociationEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAssociationPrid }
    UNIQUENESS {
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationIdleDurationSeconds,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseKeyExchangeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationGranularity,
        ipSecAssociationProposalSetId
    }
    ::= { ipSecAssociationTable 1 }

IpSecAssociationEntry ::= SEQUENCE {
    ipSecAssociationPrid                 InstanceId,
    ipSecAssociationMinLifetimeSeconds   Unsigned32,
skipping to change at line 1393 skipping to change at line 1438
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be accepted "Specifies the minimum SA seconds lifetime that will be accepted
from a peer while negotiating an SA based upon this action. from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime
enforced." enforced."
::= { ipSecAssociationEntry 2 } ::= { ipSecAssociationEntry 2 }
ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
Li, et al Expires August 2003 25
IPsec Policy Information Base January 2003
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this from a negotiating peer while negotiating an SA based upon this
action. A value of zero indicates that there is no minimum action. A value of zero indicates that there is no minimum
lifetime enforced." lifetime enforced."
::= { ipSecAssociationEntry 3 } ::= { ipSecAssociationEntry 3 }
ipSecAssociationIdleDurationSeconds OBJECT-TYPE ipSecAssociationIdleDurationSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
Li, et al Expires December 2003 26
IPsec Policy Information Base May 2003
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies how long, in seconds, a security association may remain "Specifies how long, in seconds, a security association may remain
unused before it is deleted. unused before it is deleted.
A value of zero indicates that idle detection should not be used A value of zero indicates that idle detection should not be used
for the security association (only the seconds and kilobyte for the security association (only the seconds and kilobyte
lifetimes will be used)." lifetimes will be used)."
::= { ipSecAssociationEntry 4 } ::= { ipSecAssociationEntry 4 }
skipping to change at line 1449 skipping to change at line 1494
ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether or not to use the same GroupId for phase 2 as "Specifies whether or not to use the same GroupId for phase 2 as
was used in phase 1. If UsePFS is false, then this attribute is was used in phase 1. If UsePFS is false, then this attribute is
ignored. ignored.
A value of true indicates that the phase 2 GroupId should be the A value of true indicates that the phase 2 GroupId should be the
same as phase 1. A value of false indicates that the group number same as phase 1. A value of false indicates that the group number
Li, et al Expires August 2003 26
IPsec Policy Information Base January 2003
specified by the ipSecSecurityAssociationDhGroup attribute SHALL specified by the ipSecSecurityAssociationDhGroup attribute SHALL
be used for phase 2. " be used for phase 2. "
::= { ipSecAssociationEntry 7 } ::= { ipSecAssociationEntry 7 }
ipSecAssociationDhGroup OBJECT-TYPE ipSecAssociationDhGroup OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the key exchange group to use for phase 2 when the "Specifies the key exchange group to use for phase 2 when the
property ipSecSecurityAssociationUsePfs is true and the property property ipSecSecurityAssociationUsePfs is true and the property
ipSecSecurityAssociationUseKeyExchangeGroup is false." ipSecSecurityAssociationUseKeyExchangeGroup is false."
::= { ipSecAssociationEntry 8 } ::= { ipSecAssociationEntry 8 }
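As an added example, not part of this draft, the following Python shows how a PEP would apply the ipSecAssociation attributes above when a phase 2 SA is negotiated: the minimum-lifetime acceptance test for a peer's offer (MinLifetimeSeconds and MinLifetimeKilobytes, zero meaning not enforced) and the resolution of the phase 2 DH group from UsePfs, UseKeyExchangeGroup and DhGroup. The class and function names are assumptions, and so is the reading of a peer offer of 0 as "no limit of that kind", which the draft does not define.

```python
# Added example (not part of the draft): how a PEP applies the
# ipSecAssociation attributes while negotiating a phase 2 SA.
# Class and function names are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpSecAssociation:
    """Subset of IpSecAssociationEntry used by the checks below. Zero in a
    minimum-lifetime field means 'not enforced', as the DESCRIPTIONs state."""
    min_lifetime_seconds: int
    min_lifetime_kilobytes: int
    use_pfs: bool
    use_key_exchange_group: bool
    dh_group: int


def peer_lifetime_acceptable(assoc: IpSecAssociation,
                             offered_seconds: int,
                             offered_kilobytes: int) -> bool:
    """True if the peer's offered lifetimes satisfy the configured minimums.
    Assumption (not stated by the draft): a peer offer of 0 means 'no limit
    of that kind', which is never shorter than any minimum."""
    if assoc.min_lifetime_seconds and 0 < offered_seconds < assoc.min_lifetime_seconds:
        return False
    if assoc.min_lifetime_kilobytes and 0 < offered_kilobytes < assoc.min_lifetime_kilobytes:
        return False
    return True


def phase2_dh_group(assoc: IpSecAssociation, phase1_group: int) -> Optional[int]:
    """Resolve the DH group used for phase 2:
    - UsePfs false: no phase 2 exchange; UseKeyExchangeGroup and DhGroup are ignored;
    - UseKeyExchangeGroup true: reuse the phase 1 group;
    - otherwise: the explicit ipSecAssociationDhGroup value."""
    if not assoc.use_pfs:
        return None
    if assoc.use_key_exchange_group:
        return phase1_group
    return assoc.dh_group


if __name__ == "__main__":
    policy = IpSecAssociation(min_lifetime_seconds=3600, min_lifetime_kilobytes=0,
                              use_pfs=True, use_key_exchange_group=False, dh_group=14)
    print(peer_lifetime_acceptable(policy, 1800, 0))   # too short: rejected
    print(phase2_dh_group(policy, phase1_group=2))     # explicit DhGroup wins
```

Note that the minimum-lifetime attributes constrain what is accepted from the peer, whereas the MaxLifetime attributes of the transform tables later in this section constrain what the PEP itself proposes; the two are checked at different points of the exchange.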
ipSecAssociationGranularity OBJECT-TYPE
SYNTAX INTEGER {
subnet(1),
address(2),
protocol(3),
port(4)
}
STATUS current
DESCRIPTION
"Specifies how the proposed selector for the security association
[...]
PIB-TAG { ipSecProposalSetProposalSetId }
STATUS current
DESCRIPTION
"Identifies a set of IPsec proposals that is associated with this
IPsec association."
::= { ipSecAssociationEntry 10 }
--
--
-- The ipSecProposalSetTable
--
ipSecProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPsec proposal sets. Proposals within a set are ORed
with preference order."
::= { ipSecAssociation 6 }
ipSecProposalSetEntry OBJECT-TYPE
SYNTAX IpSecProposalSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecProposalSetPrid }
UNIQUENESS {
ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder
}
::= { ipSecProposalSetTable 1 }
[...]
"An IPsec proposal set is composed of one or more IPsec proposals.
Each proposal belonging to the same set has the same
ProposalSetId."
::= { ipSecProposalSetEntry 2 }
ipSecProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecProposalEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecProposalTable."
::= { ipSecProposalSetEntry 3 }
ipSecProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the proposal
identified by ipSecProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A smaller
integer value indicates a higher preference."
::= { ipSecProposalSetEntry 4 }
--
--
-- The ipSecProposalTable
--
ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
[...]
IpSecProposalEntry ::= SEQUENCE {
ipSecProposalPrid InstanceId,
ipSecProposalEspTransformSetId TagReferenceId,
ipSecProposalAhTransformSetId TagReferenceId,
ipSecProposalCompTransformSetId TagReferenceId
}
ipSecProposalPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecProposalEntry 1 }
ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecEspTransformSetTransformSetId }
STATUS current
DESCRIPTION
"An integer that identifies a set of ESP transforms, specified in
ipSecEspTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 2 }
ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecAhTransformSetTransformSetId }
STATUS current
DESCRIPTION
"An integer that identifies an AH transform set, specified in
ipSecAhTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 3 }
[...]
STATUS current
DESCRIPTION
"Specifies AH transform sets. Within a transform set, the
transforms are ORed with preference order."
::= { ipSecAhTransform 1 }
ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX IpSecAhTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformSetPrid }
UNIQUENESS {
ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder
}
::= { ipSecAhTransformSetTable 1 }
IpSecAhTransformSetEntry ::= SEQUENCE {
ipSecAhTransformSetPrid InstanceId,
ipSecAhTransformSetTransformSetId TagId,
ipSecAhTransformSetTransformId ReferenceId,
ipSecAhTransformSetOrder Unsigned16
}
ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecAhTransformSetEntry 1 }
[...]
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecAhTransformSetTransformId within a transform
set. The transform set is identified by
ipSecAhTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a
higher preference."
::= { ipSecAhTransformSetEntry 4 }
--
--
-- The ipSecAhTransformTable
--
ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies AH transforms."
::= { ipSecAhTransform 2 }
ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformPrid }
UNIQUENESS {
ipSecAhTransformTransformId,
ipSecAhTransformIntegrityKey,
ipSecAhTransformUseReplayPrevention,
[...]
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER {
md5(2),
sha-1(3),
des(4)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the AH algorithm to propose."
::= { ipSecAhTransformEntry 2 }
ipSecAhTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"When this AH transform instance is used for a Static Action, this
attribute specifies the integrity key to be used. This attribute
MUST be ignored when this AH transform instance is used for a
Negotiation Action."
::= { ipSecAhTransformEntry 3 }
ipSecAhTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
[...]
UNITS "seconds"
STATUS current
DESCRIPTION
"Specifies the maximum amount of time to propose for a security
association to remain valid.
A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime."
::= { ipSecAhTransformEntry 7 }
ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64
UNITS "kilobytes"
STATUS current
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecAhTransformEntry 8 }
--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install
[...]
ipSecEspTransformSetPrid InstanceId,
ipSecEspTransformSetTransformSetId TagId,
ipSecEspTransformSetTransformId ReferenceId,
ipSecEspTransformSetOrder Unsigned16
}
ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecEspTransformSetEntry 1 }
ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An ESP transform set is composed of one or more ESP transforms.
Each transform belonging to the same set has the same
TransformSetId."
::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecEspTransformEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecEspTransformTable."
::= { ipSecEspTransformSetEntry 3 }
ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16
[...]
DESCRIPTION
"Specifies ESP transforms."
::= { ipSecEspTransform 2 }
ipSecEspTransformEntry OBJECT-TYPE
SYNTAX IpSecEspTransformEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecEspTransformPrid }
UNIQUENESS {
ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId,
ipSecEspTransformIntegrityKey,
ipSecEspTransformCipherKey,
ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength,
ipSecEspTransformUseReplayPrevention,
ipSecEspTransformReplayPreventionWindowSize,
ipSecEspTransformVendorId,
ipSecEspTransformMaxLifetimeSeconds,
ipSecEspTransformMaxLifetimeKilobytes
}
::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid InstanceId,
ipSecEspTransformIntegrityTransformId INTEGER,
ipSecEspTransformCipherTransformId INTEGER,
ipSecEspTransformIntegrityKey OCTET STRING,
ipSecEspTransformCipherKey OCTET STRING,
ipSecEspTransformCipherKeyRounds Unsigned16,
[...]
desMac(3),
kpdk(4)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the ESP integrity algorithm to
propose."
::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER {
desIV64(1),
des(2),
tripleDES(3),
rc5(4),
idea(5),
cast(6),
blowfish(7),
tripleIDEA(8),
desIV32(9),
rc4(10),
null(11)
}
STATUS current
DESCRIPTION
"Specifies the transform ID of the ESP encryption algorithm to
propose."
::= { ipSecEspTransformEntry 3 }
ipSecEspTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
[...]
DESCRIPTION
"Specifies the number of key rounds for the ESP encryption
algorithm. For encryption algorithms that use a fixed number of
key rounds, this value is ignored."
::= { ipSecEspTransformEntry 6 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"Specifies, in bits, the key length for the ESP encryption
algorithm. For encryption algorithms that use fixed-length keys,
this value is ignored."
::= { ipSecEspTransformEntry 7 }
ipSecEspTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"Specifies whether to enable replay prevention detection."
::= { ipSecEspTransformEntry 8 }
ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies, in bits, the length of the sliding window used by the
replay prevention detection mechanism. The value of this property
is ignored if UseReplayPrevention is false. It is assumed that the
window size will be a power of 2."
::= { ipSecEspTransformEntry 9 }
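The window size attribute above only parameterises the receiver's anti-replay check; the draft does not describe the check itself. As an added example, not code from the draft, the following Python implements the bitmask sliding window of RFC 2401 Appendix C that such a window size configures, and rejects a size that is not a power of two instead of silently masking it. The class and method names are assumptions made for this example.

```python
# Added example (not from the draft): the sliding-window anti-replay check that
# ipSecEspTransformReplayPreventionWindowSize configures, implemented as the
# bitmask scheme described in RFC 2401 Appendix C. Names are assumptions.

class ReplayWindow:
    """Anti-replay window covering `window_bits` sequence numbers, anchored at
    the highest sequence number accepted so far (self.right). Bit i of
    self.bitmap is set when sequence number (self.right - i) was accepted."""

    def __init__(self, window_bits):
        # The PIB attribute assumes a power of two; refuse anything else early
        # rather than masking to a smaller window than the policy asked for.
        if window_bits <= 0 or window_bits & (window_bits - 1):
            raise ValueError("replay window size must be a power of two")
        self.size = window_bits
        self.right = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is fresh and inside the window;
        return False (drop the packet) if it is a replay or too old."""
        if seq == 0:
            return False  # sequence number 0 is never valid on an ESP SA
        if seq > self.right:
            # Advance the window; bits pushed past the left edge are forgotten.
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False  # left of the window: too old to check, drop
        mask = 1 << offset
        if self.bitmap & mask:
            return False  # already received: replay
        self.bitmap |= mask
        return True


if __name__ == "__main__":
    w = ReplayWindow(64)
    for seq in (1, 5, 3, 3, 1, 100, 36, 37):
        print(seq, "accept" if w.check_and_update(seq) else "drop")
```

In a real ESP receiver the window is consulted before the ICV is verified but updated only after verification succeeds; updating it on unauthenticated packets would let an attacker advance the right edge with forgeries and cause legitimate, slightly delayed packets to be dropped.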
ipSecEspTransformVendorId OBJECT-TYPE
[...]
STATUS current
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte
lifetime."
::= { ipSecEspTransformEntry 12 }
--
--
-- The ipSecCompTransformSetTable
--
ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies IPComp transform sets. Within a transform set, the
choices are ORed with preference order."
::= { ipSecCompTransform 1 }
ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformSetPrid }
[...]
ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
"An IPComp transform set is composed of one or more IPComp
transforms. Each transform belonging to the same set has the same
TransformSetId."
::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecCompTransformEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecCompTransformTable."
::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16
STATUS current
DESCRIPTION
"An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a
higher preference."
::= { ipSecCompTransformSetEntry 4 }
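The proposal set table and the three transform set tables (AH, ESP, IPComp) share one pattern: a TagId groups rows into a set, a ReferenceId points at a row of the corresponding entry table, and an Order column ranks the ORed alternatives, smaller meaning more preferred. As an added example, not code from the draft, the following Python resolves that whole chain, from an ipSecProposalSetProposalSetId down to the ordered transforms of each proposal, while enforcing each set table's UNIQUENESS clause and the PIB-REFERENCES rule that a pointer must name a valid instance. The in-memory layout (a dict of PRID to row dict per table), the SAMPLE_PIB data and the convention that a TagReferenceId of 0 means "no transform of this kind" are assumptions made for this example.

```python
# Added example (not part of draft-ietf-ipsp-ipsecpib). Resolves the chained
# proposal set / proposal / transform set / transform tables into the ordered
# proposal list a PEP would send. Table and attribute names are the draft's;
# the dict-of-PRID layout, SAMPLE_PIB and "tag 0 = none" are assumptions.


def ordered_members(set_rows, set_id, set_id_attr, ref_attr, order_attr, target_rows):
    """Members of one set (proposal set or transform set), most preferred
    first (ascending *Order), each ReferenceId resolved into target_rows.
    Raises on a UNIQUENESS violation, a dangling reference or an empty set."""
    seen = set()
    members = []
    for prid, row in set_rows.items():
        if row[set_id_attr] != set_id:
            continue
        key = (row[set_id_attr], row[ref_attr], row[order_attr])
        if key in seen:
            raise ValueError(f"PRID {prid}: duplicate {key} violates UNIQUENESS")
        seen.add(key)
        if row[ref_attr] not in target_rows:
            raise ValueError(f"PRID {prid}: dangling reference {row[ref_attr]}")
        members.append((row[order_attr], target_rows[row[ref_attr]]))
    if not members:
        raise ValueError(f"set {set_id} has no members")
    members.sort(key=lambda m: m[0])
    return [row for _, row in members]


def expand_proposal_set(tables, proposal_set_id):
    """Expand one ipSecProposalSetProposalSetId into its proposals, in
    preference order, each carrying its ESP, AH and IPComp transforms in
    preference order (an empty list where the proposal has none)."""
    proposals = ordered_members(
        tables["ipSecProposalSetTable"], proposal_set_id,
        "ipSecProposalSetProposalSetId", "ipSecProposalSetProposalId",
        "ipSecProposalSetOrder", tables["ipSecProposalTable"])
    expanded = []
    for prop in proposals:
        entry = {}
        for kind, prefix in (("esp", "ipSecEsp"), ("ah", "ipSecAh"), ("comp", "ipSecComp")):
            tag = prop[f"ipSecProposal{kind.capitalize()}TransformSetId"]
            if tag == 0:  # assumption: tag 0 means no transform of this kind
                entry[kind] = []
                continue
            entry[kind] = ordered_members(
                tables[f"{prefix}TransformSetTable"], tag,
                f"{prefix}TransformSetTransformSetId",
                f"{prefix}TransformSetTransformId",
                f"{prefix}TransformSetOrder",
                tables[f"{prefix}TransformTable"])
        expanded.append(entry)
    return expanded


# Constructed sample data: proposal set 10 offers {ESP 3DES, else ESP DES}
# (ESP set 20) ahead of {AH SHA-1} (AH set 30). Rows are deliberately stored
# out of preference order to show that *Order, not the PRID, decides.
SAMPLE_PIB = {
    "ipSecProposalSetTable": {
        1: {"ipSecProposalSetProposalSetId": 10, "ipSecProposalSetProposalId": 2, "ipSecProposalSetOrder": 2},
        2: {"ipSecProposalSetProposalSetId": 10, "ipSecProposalSetProposalId": 1, "ipSecProposalSetOrder": 1},
    },
    "ipSecProposalTable": {
        1: {"ipSecProposalEspTransformSetId": 20, "ipSecProposalAhTransformSetId": 0, "ipSecProposalCompTransformSetId": 0},
        2: {"ipSecProposalEspTransformSetId": 0, "ipSecProposalAhTransformSetId": 30, "ipSecProposalCompTransformSetId": 0},
    },
    "ipSecEspTransformSetTable": {
        1: {"ipSecEspTransformSetTransformSetId": 20, "ipSecEspTransformSetTransformId": 2, "ipSecEspTransformSetOrder": 2},
        2: {"ipSecEspTransformSetTransformSetId": 20, "ipSecEspTransformSetTransformId": 1, "ipSecEspTransformSetOrder": 1},
    },
    "ipSecEspTransformTable": {
        1: {"ipSecEspTransformCipherTransformId": "tripleDES"},
        2: {"ipSecEspTransformCipherTransformId": "des"},
    },
    "ipSecAhTransformSetTable": {
        1: {"ipSecAhTransformSetTransformSetId": 30, "ipSecAhTransformSetTransformId": 1, "ipSecAhTransformSetOrder": 1},
    },
    "ipSecAhTransformTable": {1: {"ipSecAhTransformTransformId": "sha-1"}},
    "ipSecCompTransformSetTable": {},
    "ipSecCompTransformTable": {},
}

if __name__ == "__main__":
    for rank, proposal in enumerate(expand_proposal_set(SAMPLE_PIB, 10), 1):
        print(rank, {k: [list(r.values()) for r in v] for k, v in proposal.items()})
```

The dangling-reference check matters in practice: a PIB is installed incrementally over COPS-PR, so a proposal set row can legitimately arrive before the proposal it points at, and a PEP that expands the chain without validating references would negotiate with a hole in its policy.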
-- --
-- --
skipping to change at line 2234 skipping to change at line 2279
ipSecCompTransformPrivateAlgorithm, ipSecCompTransformPrivateAlgorithm,
ipSecCompTransformVendorId, ipSecCompTransformVendorId,
ipSecCompTransformMaxLifetimeSeconds, ipSecCompTransformMaxLifetimeSeconds,
ipSecCompTransformMaxLifetimeKilobytes ipSecCompTransformMaxLifetimeKilobytes
} }
::= { ipSecCompTransformTable 1 } ::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE { IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid InstanceId, ipSecCompTransformPrid InstanceId,
ipSecCompTransformAlgorithm INTEGER, ipSecCompTransformAlgorithm INTEGER,
Li, et al Expires August 2003 40
IPsec Policy Information Base January 2003
ipSecCompTransformDictionarySize Unsigned16, ipSecCompTransformDictionarySize Unsigned16,
ipSecCompTransformPrivateAlgorithm Unsigned32, ipSecCompTransformPrivateAlgorithm Unsigned32,
ipSecCompTransformVendorId OCTET STRING, ipSecCompTransformVendorId OCTET STRING,
ipSecCompTransformMaxLifetimeSeconds Unsigned32, ipSecCompTransformMaxLifetimeSeconds Unsigned32,
ipSecCompTransformMaxLifetimeKilobytes Unsigned64 ipSecCompTransformMaxLifetimeKilobytes Unsigned64
} }
ipSecCompTransformPrid OBJECT-TYPE ipSecCompTransformPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires December 2003 41
IPsec Policy Information Base May 2003
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCompTransformEntry 1 } ::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
oui(1), oui(1),
deflate(2), deflate(2),
lzs(3) lzs(3)
} }
skipping to change at line 2291 skipping to change at line 2336
ipSecCompTransformVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the vendor ID for vendor-defined transforms."
    ::= { ipSecCompTransformEntry 5 }
ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a security
        association to remain valid.
        A value of zero indicates that the default of 8 hours be used. A
        non-zero value indicates the maximum seconds lifetime."
    ::= { ipSecCompTransformEntry 6 }
ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the maximum kilobyte lifetime to propose for a security
        association to remain valid.
        A value of zero indicates that there should be no maximum kilobyte
        lifetime. A non-zero value specifies the desired kilobyte
        lifetime."
    ::= { ipSecCompTransformEntry 7 }
ipSecIkeRuleEntry OBJECT-TYPE
    SYNTAX IpSecIkeRuleEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeRulePrid }
    UNIQUENESS {
        ipSecIkeRuleIfName,
        ipSecIkeRuleRoles,
        ipSecIkeRuleIkeActionSetId,
        ipSecIkeRuleActionExecutionStrategy,
        ipSecIkeRuleLimitNegotiation,
        ipSecIkeRuleAutoStart
    }
    ::= { ipSecIkeRuleTable 1 }
IpSecIkeRuleEntry ::= SEQUENCE {
    ipSecIkeRulePrid InstanceId,
    ipSecIkeRuleIfName SnmpAdminString,
    ipSecIkeRuleRoles RoleCombination,
    ipSecIkeRuleIkeActionSetId TagReferenceId,
    ipSecIkeRuleActionExecutionStrategy INTEGER,
    ipSecIkeRuleLimitNegotiation INTEGER,
    ipSecIkeRuleAutoStart TruthValue,
    ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
}
ipSecIkeRulePrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
        rule should apply. There must exist an instance in the
        frwkRoleComboTable [9] specifying this role combination, together
        with the interface capability set specified by ipSecIkeRuleIfName,
        prior to association with an instance of this class.
        This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
    ::= { ipSecIkeRuleEntry 3 }
ipSecIkeRuleIkeActionSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecIkeActionSetActionSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IKE actions to be associated with this rule."
    ::= { ipSecIkeRuleEntry 4 }
ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
    SYNTAX INTEGER {
        doAll(1),
        doUntilSuccess(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the strategy to be used in executing the sequenced
        actions in the action set identified by ipSecIkeRuleIkeActionSetId.
        DoAll (1) causes the execution of all the actions in the action
        set according to their defined precedence order. The precedence
        order is specified by the ipSecIkeActionSetOrder in
        ipSecIkeActionSetTable.
        operations with peers for which an established SA already exists."
    ::= { ipSecIkeRuleEntry 6 }
ipSecIkeRuleAutoStart OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Indicates if this rule should be automatically executed."
    ::= { ipSecIkeRuleEntry 7 }
ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
    STATUS current
    DESCRIPTION
        "Identifies a rule time period set, specified in
        ipSecRuleTimePeriodSetTable, that is associated with this rule.
        A value of zero indicates that this rule is always valid."
    ::= { ipSecIkeRuleEntry 8 }
--
--
-- The ipSecIkeActionSetTable
--
ipSecIkeActionSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
}
ipSecIkeActionSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIkeActionSetEntry 1 }
ipSecIkeActionSetActionSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IKE action set is composed of one or more IKE actions. Each
        action belonging to the same set has the same ActionSetId."
    ::= { ipSecIkeActionSetEntry 2 }
ipSecIkeActionSetActionId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIkeAssociationEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecIkeAssociationTable."
    ::= { ipSecIkeActionSetEntry 3 }
ipSecIkeActionSetOrder OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the precedence order of the action within the action
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeAssociationPrid }
    UNIQUENESS {
        ipSecIkeAssociationMinLiftetimeSeconds,
        ipSecIkeAssociationMinLifetimeKilobytes,
        ipSecIkeAssociationIdleDurationSeconds,
        ipSecIkeAssociationExchangeMode,
        ipSecIkeAssociationUseIkeIdentityType,
        ipSecIkeAssociationUseIkeIdentityValue,
        ipSecIkeAssociationIkePeerEndpoint,
        ipSecIkeAssociationPresharedKey,
        ipSecIkeAssociationVendorId,
        ipSecIkeAssociationAggressiveModeGroupId,
        ipSecIkeAssociationLocalCredentialId,
        ipSecIkeAssociationDoActionLogging,
        ipSecIkeAssociationIkeProposalSetId
    }
    ::= { ipSecIkeAssociationTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE {
    ipSecIkeAssociationPrid InstanceId,
    ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
    ipSecIkeAssociationMinLifetimeKilobytes Unsigned64,
    ipSecIkeAssociationIdleDurationSeconds Unsigned32,
    ipSecIkeAssociationExchangeMode INTEGER,
    ipSecIkeAssociationUseIkeIdentityType INTEGER,
    ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
    ipSecIkeAssociationIkePeerEndpoint ReferenceId,
    ipSecIkeAssociationPresharedKey OCTET STRING,
    ipSecIkeAssociationVendorId OCTET STRING,
    ipSecIkeAssociationAggressiveModeGroupId Unsigned16,
        A value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be accepted
        from a negotiating peer while negotiating an SA based upon this
        action.
        A value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies how long, in seconds, a security association may remain
        unused before it is deleted.
        A value of zero indicates that idle detection should not be used
        for the security association (only the seconds and kilobyte
        lifetimes will be used)."
    ::= { ipSecIkeAssociationEntry 4 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE
    SYNTAX INTEGER {
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the type of IKE identity to use during IKE phase one
        negotiation."
    ::= { ipSecIkeAssociationEntry 6 }
ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the ID payload value to be provided to the peer during
        IKE phase one negotiation."
    ::= { ipSecIkeAssociationEntry 7 }
ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIkePeerEndpointEntry }
    STATUS current
    DESCRIPTION
        "Pointer to a valid instance in the ipSecIkePeerEndpointTable to
        indicate an IKE peer endpoint."
    ::= { ipSecIkeAssociationEntry 8 }
ipSecIkeAssociationPresharedKey OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "This attribute specifies the preshared key or secret to use for
        IKE authentication. This is the key for all the IKE proposals of
        "Specifies the group ID to be used for aggressive mode. This
        attribute is ignored unless the attribute
        ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
        the value of this attribute is from the vendor-specific range
        (32768-65535), this attribute qualifies the group number."
    ::= { ipSecIkeAssociationEntry 11 }
ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecCredentialSetSetId }
    STATUS current
    DESCRIPTION
        "Indicates a group of credentials. One of the credentials in the
        group MUST be used when establishing an IKE association with the
        peer endpoint."
    ::= { ipSecIkeAssociationEntry 12 }
ipSecIkeAssociationDoActionLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether a log message is to be generated when the
        negotiation is attempted (with the success or failure result)."
    ::= { ipSecIkeAssociationEntry 13 }
ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecIkeProposalSetProposalSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IKE proposals that is associated with this
        IKE association."
    ::= { ipSecIkeAssociationEntry 14 }
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeProposalSetPrid }
    UNIQUENESS {
        ipSecIkeProposalSetProposalSetId,
        ipSecIkeProposalSetProposalId,
        ipSecIkeProposalSetOrder
    }
    ::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE {
    ipSecIkeProposalSetPrid InstanceId,
    ipSecIkeProposalSetProposalSetId TagId,
    ipSecIkeProposalSetProposalId ReferenceId,
    ipSecIkeProposalSetOrder Unsigned16
}
ipSecIkeProposalSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIkeProposalSetEntry 1 }
ipSecIkeProposalSetProposalSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IKE proposal set is composed of one or more IKE proposals.
        Each proposal belonging to the same set has the same
        ProposalSetId."
    ::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE
--
--
-- The ipSecIkeProposalTable
--
ipSecIkeProposalTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeProposalEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE proposals."
    ::= { ipSecIkeAssociation 5 }
ipSecIkeProposalEntry OBJECT-TYPE
    SYNTAX IpSecIkeProposalEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeProposalPrid }
    UNIQUENESS {
        ipSecIkeProposalMaxLifetimeSeconds,
        ipSecIkeProposalMaxLifetimeKilobytes,
        ipSecIkeProposalCipherAlgorithm,
        ipSecIkeProposalHashAlgorithm,
        ipSecIkeProposalAuthenticationMethod,
        ipSecIkeProposalPrfAlgorithm,
        ipSecIkeProposalIkeDhGroup,
        ipSecIkeProposalVendorId
    }
    ::= { ipSecIkeProposalTable 1 }
IpSecIkeProposalEntry ::= SEQUENCE {
    ipSecIkeProposalPrid InstanceId,
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a security
        association to remain valid.
        A value of zero indicates that the default of 8 hours be used. A
        non-zero value indicates the maximum seconds lifetime."
    ::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the maximum kilobyte lifetime to propose for a security
        association to remain valid.
        A value of zero indicates that there should be no maximum kilobyte
        lifetime. A non-zero value specifies the desired kilobyte
        lifetime."
    ::= { ipSecIkeProposalEntry 3 }
ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
    SYNTAX INTEGER {
        des-CBC(1),
        idea-CBC(2),
        blowfish-CBC(3),
        rc5-R16-B64-CBC(4),
        tripleDes-CBC(5),
        cast-CBC(6)
    }
    STATUS current
        rsaEncryption(4),
        revisedRsaEncryption(5),
        kerberos(6)
    }
    STATUS current
    DESCRIPTION
        "Specifies the authentication method to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE
    SYNTAX Unsigned16
    STATUS current
    DESCRIPTION
        "Specifies the Diffie-Hellman group to propose for the IKE
        association. The value of this property is to be ignored when
        doing aggressive mode."
    ::= { ipSecIkeProposalEntry 8 }
ipSecIkeProposalVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Further qualifies the key exchange group. The property is
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkePeerEndpointPrid }
    UNIQUENESS {
        ipSecIkePeerEndpointIdentityType,
        ipSecIkePeerEndpointIdentityValue,
        ipSecIkePeerEndpointIsNegated,
        ipSecIkePeerEndpointAddress,
        ipSecIkePeerEndpointCredentialSetId
    }
    ::= { ipSecIkePeerEndpointTable 1 }
IpSecIkePeerEndpointEntry ::= SEQUENCE {
    ipSecIkePeerEndpointPrid InstanceId,
    ipSecIkePeerEndpointIdentityType INTEGER,
    ipSecIkePeerEndpointIdentityValue OCTET STRING,
    ipSecIkePeerEndpointIsNegated TruthValue,
    ipSecIkePeerEndpointAddress ReferenceId,
    ipSecIkePeerEndpointCredentialSetId TagReferenceId
}
ipSecIkePeerEndpointPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIkePeerEndpointEntry 1 }
ipSecIkePeerEndpointIdentityType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
    STATUS current
    DESCRIPTION
        "Specifies the value to be matched with the ID payload provided by
        the peer during IKE phase one negotiation.
        The syntax may need to be converted for comparison. If the
        ipSecIkePeerEndpointIdentityType is a DistinguishedName, the name
        in the ipSecIkePeerEndpointIdentityValue is represented by an
        ordinary string value, but this value must be converted into a
        DER-encoded string before matching against the values extracted
        from IKE ID payloads at runtime. The same applies to IPv4 and
        IPv6 addresses.
        Different wildcard mechanisms can be used, as well as the prefix
        notation for IPv4 addresses, depending on the ID payload:
        - an IdentityValue of *@example.com will match a user FQDN ID
          payload of JDOE@EXAMPLE.COM
        - an IdentityValue of *.example.com will match a FQDN ID payload
          of WWW.EXAMPLE.COM
        - an IdentityValue of cn=*,ou=engineering,o=company,c=us will
          match a DER DN ID payload of cn=John Doe, ou=engineering,
          o=company, c=us
        - an IdentityValue of 193.190.125.0/24 will match an IPv4 address
          ID payload of 193.190.125.10.
        - an IdentityValue of 193.190.125.* will also match an IPv4
          address ID payload of 193.190.125.10.
        the endpoint address with which this PEP establishes IKE
        association. The pointed address MUST be a single endpoint
        address. This attribute is used only when the IKE association is
        to be started automatically. Hence, the value of this attribute
        MUST be zero if ipSecIkeRuleAutoStart is false."
    ::= { ipSecIkePeerEndpointEntry 5 }
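The wildcard and prefix rules given above for ipSecIkePeerEndpointIdentityValue, worked through as a small matcher a PEP could run against the ID payload received in IKE phase one. This is an added example, not code from the draft; it names identity kinds with plain strings rather than the PIB's INTEGER codes, compares DNs as normalised RDN strings instead of DER encodings, and assumes ipSecIkePeerEndpointIsNegated inverts the match result.

```python
"""Matching a configured ipSecIkePeerEndpointIdentityValue against the
IKE phase-one ID payload received from a peer.

Added example, not part of the draft.  Assumptions: identity kinds are
named with plain strings instead of the PIB's INTEGER codes; DN matching
compares normalised RDN strings rather than DER encodings; and
ipSecIkePeerEndpointIsNegated is taken to invert the match result.
"""
from __future__ import annotations

import ipaddress
import re


def glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive match where only '*' is special (any run of characters).
    Used for user-FQDN and FQDN ID payloads, e.g. *@example.com / *.example.com."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern.lower())
    return re.fullmatch(regex, value.lower()) is not None


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'cn=John Doe, ou=engineering' into [('cn', 'john doe'), ('ou', 'engineering')].
    Simplification (assumption): commas inside attribute values are not supported."""
    rdns = []
    for part in dn.split(","):
        attr, _, val = part.strip().partition("=")
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return rdns


def match_dn(pattern: str, payload: str) -> bool:
    """RDN-by-RDN comparison: attribute types must agree, values may carry '*'."""
    want, got = parse_dn(pattern), parse_dn(payload)
    if len(want) != len(got):
        return False
    return all(wa == ga and glob_match(wv, gv)
               for (wa, wv), (ga, gv) in zip(want, got))


def match_ipv4(pattern: str, payload: str) -> bool:
    """Accepts exact addresses, prefix notation (193.190.125.0/24) and
    per-octet wildcards (193.190.125.*).  A malformed payload raises ValueError."""
    addr = ipaddress.IPv4Address(payload)  # validates the payload first
    if "/" in pattern:
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    if "*" in pattern:
        want, got = pattern.split("."), payload.split(".")
        return len(want) == 4 and all(w in ("*", g) for w, g in zip(want, got))
    return addr == ipaddress.IPv4Address(pattern)


# Dispatch by identity kind (constructed labels, not the PIB enumeration values).
MATCHERS = {
    "user-fqdn": glob_match,
    "fqdn": glob_match,
    "dn": match_dn,
    "ipv4": match_ipv4,
}


def peer_identity_matches(identity_type: str, identity_value: str,
                          payload: str, is_negated: bool = False) -> bool:
    """Decide whether a received ID payload satisfies one ipSecIkePeerEndpoint
    instance.  A payload that cannot be parsed is rejected outright, before
    negation is considered, so a negated rule never admits garbage."""
    try:
        matcher = MATCHERS[identity_type]
    except KeyError:
        raise ValueError(f"unsupported identity type: {identity_type!r}") from None
    try:
        matched = matcher(identity_value, payload)
    except ValueError:
        return False  # malformed payload: reject regardless of negation
    return (not matched) if is_negated else matched


if __name__ == "__main__":
    # Constructed sample checks mirroring the draft's own examples.
    print(peer_identity_matches("user-fqdn", "*@example.com", "JDOE@EXAMPLE.COM"))
    print(peer_identity_matches("ipv4", "193.190.125.0/24", "193.190.125.10"))
```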
ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecCredentialSetSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of credentials. Any one of the credentials in
        the set is acceptable as the IKE peer credential."
    ::= { ipSecIkePeerEndpointEntry 6 }
--
--
-- The ipSecCredentialSetTable
--
ipSecCredentialSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCredentialSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies credential sets.
        For IKE peer credentials, any one of the credentials in the set is
skipping to change at line 3189 skipping to change at line 3235
} }
ipSecCredentialSetPrid OBJECT-TYPE ipSecCredentialSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCredentialSetEntry 1 } ::= { ipSecCredentialSetEntry 1 }
ipSecCredentialSetSetId OBJECT-TYPE ipSecCredentialSetSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A credential set is composed of one or more credentials. Each "A credential set is composed of one or more credentials. Each
credential belonging to the same set has the same credential belonging to the same set has the same
CredentialSetId." CredentialSetId."
::= { ipSecCredentialSetEntry 2 } ::= { ipSecCredentialSetEntry 2 }
ipSecCredentialSetCredentialId OBJECT-TYPE ipSecCredentialSetCredentialId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecCredentialEntry } PIB-REFERENCES {ipSecCredentialEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecCredentialTable." "A pointer to a valid instance in the ipSecCredentialTable."
::= { ipSecCredentialSetEntry 3 } ::= { ipSecCredentialSetEntry 3 }
-- --
-- --
-- The ipSecCredentialTable -- The ipSecCredentialTable
-- --
skipping to change at line 3243 skipping to change at line 3290
::= { ipSecCredentialTable 1 } ::= { ipSecCredentialTable 1 }
IpSecCredentialEntry ::= SEQUENCE { IpSecCredentialEntry ::= SEQUENCE {
ipSecCredentialPrid InstanceId, ipSecCredentialPrid InstanceId,
ipSecCredentialCredentialType INTEGER, ipSecCredentialCredentialType INTEGER,
ipSecCredentialFieldsId TagReferenceId, ipSecCredentialFieldsId TagReferenceId,
ipSecCredentialCrlDistributionPoint OCTET STRING ipSecCredentialCrlDistributionPoint OCTET STRING
} }
ipSecCredentialPrid OBJECT-TYPE ipSecCredentialPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCredentialEntry 1 } ::= { ipSecCredentialEntry 1 }
ipSecCredentialCredentialType OBJECT-TYPE ipSecCredentialCredentialType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
certificateX509(1), certificateX509(1),
kerberos-ticket(2) kerberos-ticket(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of credential to be matched." "Specifies the type of credential to be matched."
::= { ipSecCredentialEntry 2 } ::= { ipSecCredentialEntry 2 }
ipSecCredentialFieldsId OBJECT-TYPE ipSecCredentialFieldsId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialFieldsSetId } PIB-TAG { ipSecCredentialFieldsSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 3299 skipping to change at line 3346
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies sets of credential sub-fields and their values to be "Specifies sets of credential sub-fields and their values to be
matched against. " matched against. "
::= { ipSecCredential 3 } ::= { ipSecCredential 3 }
ipSecCredentialFieldsEntry OBJECT-TYPE ipSecCredentialFieldsEntry OBJECT-TYPE
SYNTAX IpSecCredentialFieldsEntry SYNTAX IpSecCredentialFieldsEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecCredentialFieldsPrid } PIB-INDEX { ipSecCredentialFieldsPrid }
UNIQUENESS { UNIQUENESS {
ipSecCredentialFieldsName, ipSecCredentialFieldsName,
ipSecCredentialFieldsValue, ipSecCredentialFieldsValue,
ipSecCredentialFieldsIsNegated, ipSecCredentialFieldsIsNegated,
ipSecCredentialFieldsSetId ipSecCredentialFieldsSetId
} }
::= { ipSecCredentialFieldsTable 1 } ::= { ipSecCredentialFieldsTable 1 }
IpSecCredentialFieldsEntry ::= SEQUENCE { IpSecCredentialFieldsEntry ::= SEQUENCE {
ipSecCredentialFieldsPrid InstanceId, ipSecCredentialFieldsPrid InstanceId,
ipSecCredentialFieldsName OCTET STRING, ipSecCredentialFieldsName OCTET STRING,
ipSecCredentialFieldsValue OCTET STRING, ipSecCredentialFieldsValue OCTET STRING,
ipSecCredentialFieldsIsNegated TruthValue, ipSecCredentialFieldsIsNegated TruthValue,
ipSecCredentialFieldsSetId TagId ipSecCredentialFieldsSetId TagId
} }
ipSecCredentialFieldsPrid OBJECT-TYPE ipSecCredentialFieldsPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
skipping to change at line 3355 skipping to change at line 3402
ipSecCredentialFieldsName. A wildcard mechanism can be used in the ipSecCredentialFieldsName. A wildcard mechanism can be used in the
Value string. E.g., if the Name is subjectName then a Value of Value string. E.g., if the Name is subjectName then a Value of
cn=*,ou=engineering,o=foo,c=be will match successfully a cn=*,ou=engineering,o=foo,c=be will match successfully a
certificate whose subject attribute is cn=Jane Doe, certificate whose subject attribute is cn=Jane Doe,
ou=engineering, o=foo, c=be. The wildcard character * can be used ou=engineering, o=foo, c=be. The wildcard character * can be used
to represent 0 or several characters. to represent 0 or several characters.
If the ipSecCredentialFieldsName corresponds to a If the ipSecCredentialFieldsName corresponds to a
DistinguishedName, this value in the CIM class is represented by DistinguishedName, this value in the CIM class is represented by
an ordinary string value. However, an implementation must convert an ordinary string value. However, an implementation must convert
this string to a DER-encoded string before matching against the this string to a DER-encoded string before matching against the
values extracted from credentials at runtime. " values extracted from credentials at runtime. "
::= { ipSecCredentialFieldsEntry 3 } ::= { ipSecCredentialFieldsEntry 3 }
ipSecCredentialFieldsIsNegated OBJECT-TYPE ipSecCredentialFieldsIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute behaves like a logical NOT for the credential "This attribute behaves like a logical NOT for the credential
field match. If the value of this attribute is 'true', the field match. If the value of this attribute is 'true', the
credential field specified by ipSecCredentialFieldsName MUST not credential field specified by ipSecCredentialFieldsName MUST not
match the vaule specified by ipSecCredentialFieldsValue." match the vaule specified by ipSecCredentialFieldsValue."
::= { ipSecCredentialFieldsEntry 4 } ::= { ipSecCredentialFieldsEntry 4 }
ipSecCredentialFieldsSetId OBJECT-TYPE ipSecCredentialFieldsSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the set this criteria belongs to. All criteria within a "Specifies the set this criteria belongs to. All criteria within a
set MUST all be satisfied." set MUST all be satisfied."
::= { ipSecCredentialFieldsEntry 5 } ::= { ipSecCredentialFieldsEntry 5 }
-- --
-- --
skipping to change at line 3411 skipping to change at line 3457
ipSecSelectorSetSelectorSetId, ipSecSelectorSetSelectorSetId,
ipSecSelectorSetSelectorId, ipSecSelectorSetSelectorId,
ipSecSelectorSetOrder, ipSecSelectorSetOrder,
ipSecSelectorSetIsNegated ipSecSelectorSetIsNegated
} }
::= { ipSecSelectorSetTable 1 } ::= { ipSecSelectorSetTable 1 }
IpSecSelectorSetEntry ::= SEQUENCE { IpSecSelectorSetEntry ::= SEQUENCE {
ipSecSelectorSetPrid InstanceId, ipSecSelectorSetPrid InstanceId,
ipSecSelectorSetSelectorSetId TagId, ipSecSelectorSetSelectorSetId TagId,
ipSecSelectorSetSelectorId Prid, ipSecSelectorSetSelectorId Prid,
ipSecSelectorSetOrder Unsigned16, ipSecSelectorSetOrder Unsigned16,
ipSecSelectorSetIsNegated TruthValue ipSecSelectorSetIsNegated TruthValue
} }
ipSecSelectorSetPrid OBJECT-TYPE ipSecSelectorSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecSelectorSetEntry 1 } ::= { ipSecSelectorSetEntry 1 }
ipSecSelectorSetSelectorSetId OBJECT-TYPE ipSecSelectorSetSelectorSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPsec selector set is composed of one or more IPsec selectors. "An IPsec selector set is composed of one or more IPsec selectors.
Each selector belonging to the same set has the same Each selector belonging to the same set has the same
SelectorSetId." SelectorSetId."
::= { ipSecSelectorSetEntry 2 } ::= { ipSecSelectorSetEntry 2 }
ipSecSelectorSetSelectorId OBJECT-TYPE ipSecSelectorSetSelectorId OBJECT-TYPE
skipping to change at line 3467 skipping to change at line 3512
::= { ipSecSelectorSetEntry 4 } ::= { ipSecSelectorSetEntry 4 }
ipSecSelectorSetIsNegated OBJECT-TYPE ipSecSelectorSetIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If the value of this attribute is 'true', the filters pointed by "If the value of this attribute is 'true', the filters pointed by
ipSecSelectorSetSelectorId SHALL be negated." ipSecSelectorSetSelectorId SHALL be negated."
::= { ipSecSelectorSetEntry 5 } ::= { ipSecSelectorSetEntry 5 }
-- --
-- --
-- The ipSecSelectorTable -- The ipSecSelectorTable
-- --
ipSecSelectorTable OBJECT-TYPE ipSecSelectorTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSelectorEntry SYNTAX SEQUENCE OF IpSecSelectorEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec selectors. Each row in the selector table "Specifies IPsec selectors. Each row in the selector table
represents multiple selectors. These selectors are obtained as represents multiple selectors. These selectors are obtained as
follows: follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId. matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId. matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
skipping to change at line 3523 skipping to change at line 3568
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecSelectorPrid } PIB-INDEX { ipSecSelectorPrid }
UNIQUENESS { UNIQUENESS {
ipSecSelectorSrcAddressGroupId, ipSecSelectorSrcAddressGroupId,
ipSecSelectorSrcPortGroupId, ipSecSelectorSrcPortGroupId,
ipSecSelectorDstAddressGroupId, ipSecSelectorDstAddressGroupId,
ipSecSelectorDstPortGroupId, ipSecSelectorDstPortGroupId,
ipSecSelectorProtocol, ipSecSelectorProtocol,
ipSecSelectorDscp, ipSecSelectorDscp,
ipSecSelectorFlowLabel ipSecSelectorFlowLabel
} }
::= { ipSecSelectorTable 1 } ::= { ipSecSelectorTable 1 }
IpSecSelectorEntry ::= SEQUENCE { IpSecSelectorEntry ::= SEQUENCE {
ipSecSelectorPrid InstanceId, ipSecSelectorPrid InstanceId,
ipSecSelectorSrcAddressGroupId TagReferenceId, ipSecSelectorSrcAddressGroupId TagReferenceId,
ipSecSelectorSrcPortGroupId TagReferenceId, ipSecSelectorSrcPortGroupId TagReferenceId,
ipSecSelectorDstAddressGroupId TagReferenceId, ipSecSelectorDstAddressGroupId TagReferenceId,
ipSecSelectorDstPortGroupId TagReferenceId, ipSecSelectorDstPortGroupId TagReferenceId,
ipSecSelectorProtocol Unsigned32, ipSecSelectorProtocol Unsigned32,
ipSecSelectorDscp DscpOrAny, ipSecSelectorDscp DscpOrAny,
ipSecSelectorFlowLabel Unsigned32 ipSecSelectorFlowLabel IPv6FlowLabelOrAny
} }
ipSecSelectorPrid OBJECT-TYPE ipSecSelectorPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecSelectorEntry 1 } ::= { ipSecSelectorEntry 1 }
ipSecSelectorSrcAddressGroupId OBJECT-TYPE ipSecSelectorSrcAddressGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
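Review bot: IPv6FlowLabelOrAny replaces Unsigned32 for ipSecSelectorFlowLabel in the IpSecSelectorEntry SEQUENCE, so the module's IMPORTS clause must now pull in that textual convention; the IMPORTS are outside this excerpt, so verify they were updated together with the SYNTAX change, since a module that references a TC it does not import will not compile. The '...OrAny' pattern with -1 as the wildcard already exists in this SEQUENCE via DscpOrAny for ipSecSelectorDscp, so the two attributes should describe the wildcard value in the same words.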
skipping to change at line 3579 skipping to change at line 3623
A value of zero indicates wildcard port, i.e., any port number A value of zero indicates wildcard port, i.e., any port number
matches." matches."
::= { ipSecSelectorEntry 3 } ::= { ipSecSelectorEntry 3 }
ipSecSelectorDstAddressGroupId OBJECT-TYPE ipSecSelectorDstAddressGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecAddressGroupId } PIB-TAG { ipSecAddressGroupId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates destination addresses. All addresses in "Indicates destination addresses. All addresses in
ipSecAddressTable whose ipSecAddressGroupId matches this value are ipSecAddressTable whose ipSecAddressGroupId matches this value are
included as destination addresses. included as destination addresses.
A value of zero indicates wildcard address, i.e., any address A value of zero indicates wildcard address, i.e., any address
matches." matches."
::= { ipSecSelectorEntry 4 } ::= { ipSecSelectorEntry 4 }
ipSecSelectorDstPortGroupId OBJECT-TYPE ipSecSelectorDstPortGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecL4PortGroupId } PIB-TAG { ipSecL4PortGroupId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates destination layer 4 port numbers. All ports in "Indicates destination layer 4 port numbers. All ports in
ipSecL4Port whose ipSecL4PortGroupId matches this value are ipSecL4Port whose ipSecL4PortGroupId matches this value are
included. included.
A value of zero indicates wildcard port, i.e., any port number A value of zero indicates wildcard port, i.e., any port number
matches." matches."
::= { ipSecSelectorEntry 5 } ::= { ipSecSelectorEntry 5 }
ipSecSelectorProtocol OBJECT-TYPE ipSecSelectorProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255) SYNTAX Unsigned32 (0..255)
skipping to change at line 3624 skipping to change at line 3668
ipSecSelectorDscp OBJECT-TYPE ipSecSelectorDscp OBJECT-TYPE
SYNTAX DscpOrAny SYNTAX DscpOrAny
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value that the DSCP in the packet can have and match this "The value that the DSCP in the packet can have and match this
filter. A value of -1 indicates that a specific DSCP value has not filter. A value of -1 indicates that a specific DSCP value has not
been defined and thus all DSCP values are considered a match." been defined and thus all DSCP values are considered a match."
::= { ipSecSelectorEntry 7 } ::= { ipSecSelectorEntry 7 }
ipSecSelectorFlowLabel OBJECT-TYPE ipSecSelectorFlowLabel OBJECT-TYPE
SYNTAX Unsigned32 (0..1048575) SYNTAX IPv6FlowLabelOrAny
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The flow identifier in an IPv6 header." "The flow identifier or flow label in an IPv6 packet header that
may be used to discriminate traffic flows. The value of -1 is
used to indicate a wildcard, i.e. any value."
::= { ipSecSelectorEntry 8 } ::= { ipSecSelectorEntry 8 }
-- --
-- --
-- The ipSecAddressTable -- The ipSecAddressTable
-- --
ipSecAddressTable OBJECT-TYPE ipSecAddressTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAddressEntry SYNTAX SEQUENCE OF IpSecAddressEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IP addresses. To specify a single IP address, "This table allows the specification of a single IP address, a
ipSecAddressAddrMin MUST be specified. To specify a range of subnet consisting of an IP address and the prefix length, an IP
addresses, both ipSecAddressAddrMin and ipSecAddressAddrMax MUST address range, and a wild-card IP address.
be specified. To specify a subnet, both ipSecAddressAddrMin and
ipSecAddressAddrMask MUST be specified. " If the address type is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', to
specify a single IP address the values of ipSecAddressAddrMin and
ipSecAddressAddrMax MUST be the same and the
ipSecAddressAddrPrefixLength MUST have a value of 32 or greater
(128 or greater for 'ipv6' or 'ipv6z'). To specify a subnet, the
values of ipSecAddressAddrMin and ipSecAddressAddrMax MUST be the
same and the ipSecAddressAddrPrefixLength MUST have a value
between 0 and 32 (128 for 'ipv6' or 'ipv6z'). To specify an IP
address range, the values of ipSecAddressAddrMin and
ipSecAddressAddrMax MUST be different and the
ipSecAddressAddrPrefixLength MUST have a value of 32 (or 128 for
'ipv6' or 'ipv6z')
If the address type is 'dns', ipSecAddressAddrMin and
ipSecAddressAddrMax MUST contain the same 'dns' address. The
ipSecAddressAddrPrefixLength MUST be ignored. The mapping of the
address value to IPv4 or IPv6 addresses MUST be done by the PEP at
install time. A dns name may be mapped into multiple single IP
addresses. Each of them becomes a single row in the resulted
address table.
To specify a wild-card IP address, the
ipSecAddressAddrPrefixLength MUST be zero. "
::= { ipSecSelector 3 } ::= { ipSecSelector 3 }
ipSecAddressEntry OBJECT-TYPE ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry SYNTAX IpSecAddressEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecAddressPrid } PIB-INDEX { ipSecAddressPrid }
UNIQUENESS { UNIQUENESS {
ipSecAddressAddressType, ipSecAddressAddressType,
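Review bot: the rewritten ipSecAddressTable DESCRIPTION leaves the prefix-length boundaries ambiguous: a value of exactly 32 (128 for IPv6) satisfies both the single-address rule ("32 or greater") and the subnet rule ("between 0 and 32"), and a value of 0 satisfies both the subnet rule and the wild-card rule ("MUST be zero"), so a PEP cannot tell from the row alone which form was intended. Suggest exclusive ranges, e.g. single address: Min equal to Max and prefix length >= 32; subnet: Min equal to Max and prefix length 1..31; wild-card: prefix length 0; range: Min different from Max and prefix length exactly 32, and also say what ipSecAddressAddrMin and ipSecAddressAddrMax must hold for a wild-card row. Note too that a zero ipSecSelectorSrcAddressGroupId or ipSecSelectorDstAddressGroupId already means "any address", so the text now has two wildcard mechanisms; state whether a prefix-length-0 row may sit inside a group next to concrete addresses. Minor: the sentence ending "'ipv6' or 'ipv6z')" lacks a full stop, and "the resulted address table" should read "the resulting address table".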
skipping to change at line 3680 skipping to change at line 3749
ipSecAddressAddrMax InetAddress, ipSecAddressAddrMax InetAddress,
ipSecAddressGroupId TagId ipSecAddressGroupId TagId
} }
ipSecAddressPrid OBJECT-TYPE ipSecAddressPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecAddressEntry 1 } ::= { ipSecAddressEntry 1 }
ipSecAddressAddressType OBJECT-TYPE ipSecAddressAddressType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of IP address. "Specifies the type of IP address.
While other types of addresses are defined in the InetAddressType While other types of addresses are defined in the InetAddressType
textual convention, an IP filter can only use IPv4 and IPv6 textual convention, an IP filter can only use IPv4 and IPv6
addresses directly to classify traffic. All other InetAddressTypes addresses directly to classify traffic. All other InetAddressTypes
require mapping to the corresponding Ipv4 or IPv6 address before require mapping to the corresponding Ipv4 or IPv6 address before
being used to classify traffic. Therefore, this object as such is being used to classify traffic. Therefore, this object as such is
not limited to IPv4 and IPv6 addresses, i.e., it can be assigned not limited to IPv4 and IPv6 addresses, i.e., it can be assigned
any of the valid values defined in the InetAddressType TC, but the any of the valid values defined in the InetAddressType TC, but the
mapping of the address values to IPv4 or IPv6 addresses must be mapping of the address values to IPv4 or IPv6 addresses must be
done by the PEP at install time. " done by the PEP at install time. "
::= { ipSecAddressEntry 2 } ::= { ipSecAddressEntry 2 }
ipSecAddressAddrPrefixLength OBJECT-TYPE ipSecAddressAddrPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength SYNTAX InetAddressPrefixLength
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The length of a mask for the matching of the IP address specified "The length of a mask for the matching of IP address. This
by ipSecAddressAddrMin. This attribute is interpreted only if the attribute is interpreted only if the InetAddressType is 'ipv4',
InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'. 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the most- Masks are constructed by setting bits in sequence from the most-
significant bit downwards for ipSecAddressAddrPrefixLength bits significant bit downwards for ipSecAddressAddrPrefixLength bits
length. All other bits in the mask, up to the number needed to length. All other bits in the mask, up to the number needed to
fill the length of the address ipSecAddressAddr are cleared to fill the length of the address ipSecAddressAddrMin are cleared to
zero. A zero bit in the mask then means that the corresponding bit zero. A zero bit in the mask then means that the corresponding bit
in the address always matches. in the address always matches.
In IPv4 addresses, a length of 0 indicates a match of any address; In IPv4 addresses, a length of 0 indicates a match of any address.
a length of 32 indicates a match of a single host address, and a When ipSecAddressAddrMin and ipSecAddressAddrMax have the same
length between 0 and 32 indicates the use of a CIDR Prefix. IPv6 value, a length of 32 or greater indicates a match of a single
is similar, except that prefix lengths range from 0..128. host address, and a length between 0 and 32 indicates the use of a
CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax have
different values, this attribute MUST have a value of 32 to
indicate an IP address range.
When ipSecAddressAddrMax is not a zero length OCTET STRING, this In IPv6 addresses, a length of 0 indicates a match of any address.
attribute MUST be ignored since a range of consecutive Internet When ipSecAddressAddrMin and ipSecAddressAddrMax have the same
addresses is being specified." value, a length of 128 or greater indicates a match of a single
host address, and a length between 0 and 128 indicates the use of
a CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax
have different values, this attribute MUST have a value of 128 in
order to indicate an IP address range."
::= { ipSecAddressEntry 3 } ::= { ipSecAddressEntry 3 }
ipSecAddressAddrMin OBJECT-TYPE ipSecAddressAddrMin OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IP address. If the address type is 'ipv4', 'ipv6', "Specifies an IP address. The type of the address is specified by
'ipv4z' or 'ipv6z' then, the attribute the ipSecAddressAddressType attribute. If the address type is
'ipv4', 'ipv6', 'ipv4z' or 'ipv6z' then, the attribute
ipSecAddressAddrPrefixLength indicates the number of bits that are ipSecAddressAddrPrefixLength indicates the number of bits that are
relevant." relevant."
::= { ipSecAddressEntry 4 } ::= { ipSecAddressEntry 4 }
ipSecAddressAddrMax OBJECT-TYPE ipSecAddressAddrMax OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If a range of addresses is used then this specifies the ending "If a range of addresses is used then this specifies the ending
address. The type of this address must be the same as the address. The type of the address is specified by the
ipSecAddressAddrMin. ipSecAddressAddressType attribute.
If no range is specified then this attribute MUST be a zero length
OCTET STRING. "
To specify a single IP addres or a subnet, this attribute MUST be
the same as that of ipSecAddressAddrMin.
When ipSecAddressAddressType is 'dns', this attribute MUST contain
the same DNS address as ipSecAddressAddrMin"
::= { ipSecAddressEntry 5 } ::= { ipSecAddressEntry 5 }
ipSecAddressGroupId OBJECT-TYPE ipSecAddressGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this IP address, address range or subnet "Specifies the group this IP address, address range or subnet
address belongs to." address belongs to."
::= { ipSecAddressEntry 6 } ::= { ipSecAddressEntry 6 }
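Review bot: the new ipSecAddressAddrPrefixLength DESCRIPTION changes a range row from "this attribute MUST be ignored" to "MUST have a value of 32" (128 for IPv6) without saying what a PEP does when a range row arrives with any other prefix length; since this is a PIB-ACCESS install table, state whether such a row is an install failure or is accepted with the attribute ignored as before, because the two readings give different behaviour for existing policy. Neither ipSecAddressAddrMin nor ipSecAddressAddrMax requires Min to be less than or equal to Max for a range, whereas ipSecL4PortPortMin does state "must be equal or less than that of ipSecL4PortPortMax"; add the same ordering constraint here so an inverted range is rejected rather than silently matching nothing. Minor: "single IP addres" in the ipSecAddressAddrMax DESCRIPTION should be "address", and the DESCRIPTION ends "as ipSecAddressAddrMin" with no full stop before the closing quote.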
skipping to change at line 3782 skipping to change at line 3862
"Specifies layer four port numbers." "Specifies layer four port numbers."
::= { ipSecSelector 4 } ::= { ipSecSelector 4 }
ipSecL4PortEntry OBJECT-TYPE ipSecL4PortEntry OBJECT-TYPE
SYNTAX IpSecL4PortEntry SYNTAX IpSecL4PortEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecL4PortPrid } PIB-INDEX { ipSecL4PortPrid }
UNIQUENESS { UNIQUENESS {
ipSecL4PortPortMin, ipSecL4PortPortMin,
ipSecL4PortPortMax, ipSecL4PortPortMax,
ipSecL4PortGroupId ipSecL4PortGroupId
} }
::= { ipSecL4PortTable 1 } ::= { ipSecL4PortTable 1 }
IpSecL4PortEntry ::= SEQUENCE { IpSecL4PortEntry ::= SEQUENCE {
ipSecL4PortPrid InstanceId, ipSecL4PortPrid InstanceId,
ipSecL4PortPortMin InetPortNumber, ipSecL4PortPortMin InetPortNumber,
ipSecL4PortPortMax InetPortNumber, ipSecL4PortPortMax InetPortNumber,
skipping to change at line 3804 skipping to change at line 3888
ipSecL4PortPrid OBJECT-TYPE ipSecL4PortPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecL4PortEntry 1 } ::= { ipSecL4PortEntry 1 }
ipSecL4PortPortMin OBJECT-TYPE ipSecL4PortPortMin OBJECT-TYPE
SYNTAX InetPortNumber SYNTAX InetPortNumber
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies a layer 4 port or the first layer 4 port number of a "Specifies a layer 4 port or the first layer 4 port number of a
range of ports. The value of this attribute must be equal or less range of ports. The value of this attribute must be equal or less
than that of ipSecL4PortPortMax. than that of ipSecL4PortPortMax.
A value of zero indicates any port matches." A value of zero indicates any port matches."
::= { ipSecL4PortEntry 2 } ::= { ipSecL4PortEntry 2 }
skipping to change at line 3838 skipping to change at line 3918
::= { ipSecL4PortEntry 3 } ::= { ipSecL4PortEntry 3 }
ipSecL4PortGroupId OBJECT-TYPE ipSecL4PortGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this port or port range belongs to." "Specifies the group this port or port range belongs to."
::= { ipSecL4PortEntry 4 } ::= { ipSecL4PortEntry 4 }
-- --
-- --
-- The ipSecIpsoFilterSetTable -- The ipSecIpsoFilterSetTable
-- --
ipSecIpsoFilterSetTable OBJECT-TYPE ipSecIpsoFilterSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPSO filter sets." "Specifies IPSO filter sets."
skipping to change at line 3860 skipping to change at line 3944
ipSecIpsoFilterSetEntry OBJECT-TYPE ipSecIpsoFilterSetEntry OBJECT-TYPE
SYNTAX IpSecIpsoFilterSetEntry SYNTAX IpSecIpsoFilterSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIpsoFilterSetPrid } PIB-INDEX { ipSecIpsoFilterSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecIpsoFilterSetFilterSetId, ipSecIpsoFilterSetFilterSetId,
ipSecIpsoFilterSetFilterId, ipSecIpsoFilterSetFilterId,
ipSecIpsoFilterSetOrder, ipSecIpsoFilterSetOrder,
ipSecIpsoFilterSetIsNegated ipSecIpsoFilterSetIsNegated
} }
::= { ipSecIpsoFilterSetTable 1 } ::= { ipSecIpsoFilterSetTable 1 }
IpSecIpsoFilterSetEntry ::= SEQUENCE { IpSecIpsoFilterSetEntry ::= SEQUENCE {
ipSecIpsoFilterSetPrid InstanceId, ipSecIpsoFilterSetPrid InstanceId,
ipSecIpsoFilterSetFilterSetId TagId, ipSecIpsoFilterSetFilterSetId TagId,
ipSecIpsoFilterSetFilterId ReferenceId, ipSecIpsoFilterSetFilterId ReferenceId,
ipSecIpsoFilterSetOrder Unsigned16, ipSecIpsoFilterSetOrder Unsigned16,
ipSecIpsoFilterSetIsNegated TruthValue ipSecIpsoFilterSetIsNegated TruthValue
skipping to change at line 3895 skipping to change at line 3975
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPSO filter set is composed of one or more IPSO filters. Each "An IPSO filter set is composed of one or more IPSO filters. Each
filter belonging to the same set has the same FilterSetId." filter belonging to the same set has the same FilterSetId."
::= { ipSecIpsoFilterSetEntry 2 } ::= { ipSecIpsoFilterSetEntry 2 }
ipSecIpsoFilterSetFilterId OBJECT-TYPE ipSecIpsoFilterSetFilterId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecIpsoFilterEntry } PIB-REFERENCES {ipSecIpsoFilterEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecIpsoFilterTable." "A pointer to a valid instance in the ipSecIpsoFilterTable."
::= { ipSecIpsoFilterSetEntry 3 } ::= { ipSecIpsoFilterSetEntry 3 }
ipSecIpsoFilterSetOrder OBJECT-TYPE ipSecIpsoFilterSetOrder OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the filter "An integer that specifies the precedence order of the filter
skipping to change at line 3918 skipping to change at line 4002
::= { ipSecIpsoFilterSetEntry 4 } ::= { ipSecIpsoFilterSetEntry 4 }
ipSecIpsoFilterSetIsNegated OBJECT-TYPE ipSecIpsoFilterSetIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If the value of this attribute is 'true', the filter pointed by "If the value of this attribute is 'true', the filter pointed by
ipSecIpsoFilterSetFilterId SHALL be negated." ipSecIpsoFilterSetFilterId SHALL be negated."
::= { ipSecIpsoFilterSetEntry 5 } ::= { ipSecIpsoFilterSetEntry 5 }
Li, et al Expires August 2003 70
IPsec Policy Information Base January 2003
-- --
-- --
-- The ipSecIpsoFilterTable -- The ipSecIpsoFilterTable
-- --
ipSecIpsoFilterTable OBJECT-TYPE ipSecIpsoFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIpsoFilterEntry SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 3950 skipping to change at line 4031
UNIQUENESS { UNIQUENESS {
ipSecIpsoFilterMatchConditionType, ipSecIpsoFilterMatchConditionType,
ipSecIpsoFilterClassificationLevel, ipSecIpsoFilterClassificationLevel,
ipSecIpsoFilterProtectionAuthority ipSecIpsoFilterProtectionAuthority
} }
::= { ipSecIpsoFilterTable 1 } ::= { ipSecIpsoFilterTable 1 }
IpSecIpsoFilterEntry ::= SEQUENCE { IpSecIpsoFilterEntry ::= SEQUENCE {
ipSecIpsoFilterPrid InstanceId, ipSecIpsoFilterPrid InstanceId,
ipSecIpsoFilterMatchConditionType INTEGER, ipSecIpsoFilterMatchConditionType INTEGER,
Li, et al Expires December 2003 72
IPsec Policy Information Base May 2003
ipSecIpsoFilterClassificationLevel INTEGER, ipSecIpsoFilterClassificationLevel INTEGER,
ipSecIpsoFilterProtectionAuthority INTEGER ipSecIpsoFilterProtectionAuthority INTEGER
} }
ipSecIpsoFilterPrid OBJECT-TYPE ipSecIpsoFilterPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
skipping to change at line 3972 skipping to change at line 4057
ipSecIpsoFilterMatchConditionType OBJECT-TYPE ipSecIpsoFilterMatchConditionType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
classificationLevel(1), classificationLevel(1),
protectionAuthority(2) protectionAuthority(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPSO header field to be matched." "Specifies the IPSO header field to be matched."
::= { ipSecIpsoFilterEntry 2 } ::= { ipSecIpsoFilterEntry 2 }
Li, et al Expires August 2003 71
IPsec Policy Information Base January 2003
ipSecIpsoFilterClassificationLevel OBJECT-TYPE ipSecIpsoFilterClassificationLevel OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
topSecret(61), topSecret(61),
secret(90), secret(90),
confidential(150), confidential(150),
unclassified(171) unclassified(171)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value for classification level to be matched "Specifies the value for classification level to be matched
skipping to change at line 4005 skipping to change at line 4087
doe(4) doe(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value for protection authority to be matched "Specifies the value for protection authority to be matched
against. This attribute MUST be ignored if against. This attribute MUST be ignored if
ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority). ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority).
" "
::= { ipSecIpsoFilterEntry 4 } ::= { ipSecIpsoFilterEntry 4 }
Li, et al Expires December 2003 73
IPsec Policy Information Base May 2003
-- --
-- --
-- The ipSecRuleTimePeriodTable -- The ipSecRuleTimePeriodTable
-- --
ipSecRuleTimePeriodTable OBJECT-TYPE ipSecRuleTimePeriodTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 4027 skipping to change at line 4112
together to determine the validity period(s). If any of the five together to determine the validity period(s). If any of the five
attributes is not present, it is treated as having value always attributes is not present, it is treated as having value always
enabled. " enabled. "
::= { ipSecPolicyTimePeriod 1 } ::= { ipSecPolicyTimePeriod 1 }
ipSecRuleTimePeriodEntry OBJECT-TYPE ipSecRuleTimePeriodEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodEntry SYNTAX IpSecRuleTimePeriodEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
Li, et al Expires August 2003 72
IPsec Policy Information Base January 2003
PIB-INDEX { ipSecRuleTimePeriodPrid } PIB-INDEX { ipSecRuleTimePeriodPrid }
UNIQUENESS { UNIQUENESS {
ipSecRuleTimePeriodTimePeriod, ipSecRuleTimePeriodTimePeriod,
ipSecRuleTimePeriodMonthOfYearMask, ipSecRuleTimePeriodMonthOfYearMask,
ipSecRuleTimePeriodDayOfMonthMask, ipSecRuleTimePeriodDayOfMonthMask,
ipSecRuleTimePeriodDayOfWeekMask, ipSecRuleTimePeriodDayOfWeekMask,
ipSecRuleTimePeriodTimeOfDayMask, ipSecRuleTimePeriodTimeOfDayMask,
ipSecRuleTimePeriodLocalOrUtcTime ipSecRuleTimePeriodLocalOrUtcTime
} }
::= { ipSecRuleTimePeriodTable 1 } ::= { ipSecRuleTimePeriodTable 1 }
skipping to change at line 4062 skipping to change at line 4143
ipSecRuleTimePeriodPrid OBJECT-TYPE ipSecRuleTimePeriodPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodEntry 1 } ::= { ipSecRuleTimePeriodEntry 1 }
ipSecRuleTimePeriodTimePeriod OBJECT-TYPE ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
Li, et al Expires December 2003 74
IPsec Policy Information Base May 2003
DESCRIPTION DESCRIPTION
"An octet string that identifies an overall range of calendar "An octet string that identifies an overall range of calendar
dates and times over which a policy rule is valid. It reuses the dates and times over which a policy rule is valid. It reuses the
format for an explicit time period defined in RFC 2445 : a string format for an explicit time period defined in RFC 2445 : a string
representing a starting date and time, in which the character 'T' representing a starting date and time, in which the character 'T'
indicates the beginning of the time portion, followed by the indicates the beginning of the time portion, followed by the
solidus character '/', followed by a similar string representing solidus character '/', followed by a similar string representing
an end date and time. The first date indicates the beginning of an end date and time. The first date indicates the beginning of
the range, while the second date indicates the end. Thus, the the range, while the second date indicates the end. Thus, the
second date and time must be later than the first. Date/times are second date and time must be later than the first. Date/times are
skipping to change at line 4084 skipping to change at line 4169
There are also two special cases: There are also two special cases:
- If the first date/time is replaced with the string - If the first date/time is replaced with the string
THISANDPRIOR, then the property indicates that a policy rule is THISANDPRIOR, then the property indicates that a policy rule is
valid [from now] until the date/time that appears after the '/'. valid [from now] until the date/time that appears after the '/'.
- If the second date/time is replaced with the string - If the second date/time is replaced with the string
THISANDFUTURE, then the property indicates that a policy rule THISANDFUTURE, then the property indicates that a policy rule
becomes valid on the date/time that appears before the '/', and becomes valid on the date/time that appears before the '/', and
remains valid from that point on. remains valid from that point on.
Li, et al Expires August 2003 73
IPsec Policy Information Base January 2003
" "
::= { ipSecRuleTimePeriodEntry 2 } ::= { ipSecRuleTimePeriodEntry 2 }
ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which months the policy is valid "An octet string that specifies which months the policy is valid
for. The octet string is structured as follows: for. The octet string is structured as follows:
skipping to change at line 4119 skipping to change at line 4200
valid for all twelve months." valid for all twelve months."
::= { ipSecRuleTimePeriodEntry 3 } ::= { ipSecRuleTimePeriodEntry 3 }
ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which days of the month the policy "An octet string that specifies which days of the month the policy
is valid for. The octet string is structured as follows: is valid for. The octet string is structured as follows:
Li, et al Expires December 2003 75
IPsec Policy Information Base May 2003
-a 4-octet length field, indicating the length of the entire octet -a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x0000000C for this property; string; this field is always set to 0x0000000C for this property;
-an 8-octet field consisting of 31 bits identifying the days of -an 8-octet field consisting of 31 bits identifying the days of
the month counting from the beginning, followed by 31 more bits the month counting from the beginning, followed by 31 more bits
identifying the days of the month counting from the end, followed identifying the days of the month counting from the end, followed
by 2 bits that are always set to '0'. For each day, the value '1' by 2 bits that are always set to '0'. For each day, the value '1'
indicates that the policy is valid for that day, and the value '0' indicates that the policy is valid for that day, and the value '0'
indicates that it is not valid. indicates that it is not valid.
skipping to change at line 4142 skipping to change at line 4226
" "
::= { ipSecRuleTimePeriodEntry 4 } ::= { ipSecRuleTimePeriodEntry 4 }
ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which days of the week the policy "An octet string that specifies which days of the week the policy
is valid for. The octet string is structured as follows: is valid for. The octet string is structured as follows:
Li, et al Expires August 2003 74
IPsec Policy Information Base January 2003
- a 4-octet length field, indicating the length of the entire - a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000005 for this octet string; this field is always set to 0x00000005 for this
property; property;
- a 1-octet field consisting of 7 bits identifying the 7 days of - a 1-octet field consisting of 7 bits identifying the 7 days of
the week, beginning with Sunday and ending with Saturday, followed the week, beginning with Sunday and ending with Saturday, followed
by 1 bit that is always set to '0'. For each day of the week, the by 1 bit that is always set to '0'. For each day of the week, the
value '1' indicates that the policy is valid for that day, and the value '1' indicates that the policy is valid for that day, and the
value '0' indicates that it is not valid. value '0' indicates that it is not valid.
" "
skipping to change at line 4174 skipping to change at line 4255
A time string beginning with the character 'T', followed by the A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The solidus character '/', followed by a second time string. The
first time indicates the beginning of the range, while the second first time indicates the beginning of the range, while the second
time indicates the end. Times are expressed as substrings of the time indicates the end. Times are expressed as substrings of the
form Thhmmss. form Thhmmss.
The second substring always identifies a later time than the first The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from first substring. Thus, T080000/T210000 identifies the range from
Li, et al Expires December 2003 76
IPsec Policy Information Base May 2003
0800 until 2100, while T210000/T080000 identifies the range from 0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day." 2100 until 0800 of the following day."
::= { ipSecRuleTimePeriodEntry 6 } ::= { ipSecRuleTimePeriodEntry 6 }
ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
localTime(1), localTime(1),
utcTime(2) utcTime(2)
} }
STATUS current STATUS current
skipping to change at line 4196 skipping to change at line 4281
table represent local times or UTC times. There is no provision table represent local times or UTC times. There is no provision
for mixing of local times and UTC times: the value of this for mixing of local times and UTC times: the value of this
property applies to all of the other time-related properties." property applies to all of the other time-related properties."
::= { ipSecRuleTimePeriodEntry 7 } ::= { ipSecRuleTimePeriodEntry 7 }
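An added example, not code from the draft, that encodes and evaluates the ipSecRuleTimePeriodTable attributes whose layout is given above (DayOfMonthMask, DayOfWeekMask, TimeOfDayMask, TimePeriod and LocalOrUtcTime) and combines them the way the table description requires: every attribute present must match, an absent one is always enabled. It assumes MSB-first bit order within the mask fields, the RFC 2445 basic date/time form yyyymmddThhmmss inside TimePeriod, a half-open time-of-day range, utcTime(2) when LocalOrUtcTime is absent, and leaves the month-of-year mask out; all function names and sample values are constructed.

```python
"""Added example: evaluate an ipSecRuleTimePeriodTable entry (not draft code).

Assumptions: mask bits are laid out MSB-first after the 4-octet length field;
TimePeriod date/times use the RFC 2445 basic form yyyymmddThhmmss; a
TimeOfDayMask range is half-open (start <= t < end); a missing
LocalOrUtcTime means utcTime(2); the month-of-year mask is not handled.
"""
import calendar
from datetime import datetime, timezone

DAY_OF_MONTH_MASK_LEN = 0x0000000C   # length field fixed by the draft
DAY_OF_WEEK_MASK_LEN = 0x00000005
LOCAL_TIME, UTC_TIME = 1, 2          # ipSecRuleTimePeriodLocalOrUtcTime values

def utc(y, mo, d, hh=0, mm=0, ss=0):
    """Build a timezone-aware UTC instant (helper for callers and tests)."""
    return datetime(y, mo, d, hh, mm, ss, tzinfo=timezone.utc)

def encode_day_of_month_mask(from_start=(), from_end=()):
    """from_start: days 1..31 counted from the 1st; from_end: 1..31 counted
    back from the last day of the month (1 = last day). 12 octets total."""
    bits = [0] * 64                   # 31 bits + 31 bits + 2 zero padding bits
    for day in from_start:
        bits[day - 1] = 1
    for day in from_end:
        bits[31 + day - 1] = 1
    field = int("".join(map(str, bits)), 2).to_bytes(8, "big")
    return DAY_OF_MONTH_MASK_LEN.to_bytes(4, "big") + field

def encode_day_of_week_mask(days=()):
    """days: 0 = Sunday .. 6 = Saturday. 5 octets total."""
    byte = 0
    for day in days:
        byte |= 0x80 >> day           # the last bit (0x01) must stay zero
    return DAY_OF_WEEK_MASK_LEN.to_bytes(4, "big") + bytes([byte])

def day_of_month_matches(mask, when):
    if len(mask) != 12 or int.from_bytes(mask[:4], "big") != DAY_OF_MONTH_MASK_LEN:
        raise ValueError("DayOfMonthMask must be 12 octets with length 0x0000000C")
    bits = [(b >> s) & 1 for b in mask[4:] for s in range(7, -1, -1)]
    if bits[62] or bits[63]:
        raise ValueError("the two trailing padding bits must be zero")
    days_in_month = calendar.monthrange(when.year, when.month)[1]
    from_start = bits[when.day - 1]                   # counted from the beginning
    from_end = bits[31 + (days_in_month - when.day)]  # counted from the end
    return bool(from_start or from_end)

def day_of_week_matches(mask, when):
    if len(mask) != 5 or int.from_bytes(mask[:4], "big") != DAY_OF_WEEK_MASK_LEN:
        raise ValueError("DayOfWeekMask must be 5 octets with length 0x00000005")
    if mask[4] & 0x01:
        raise ValueError("the trailing padding bit must be zero")
    sunday_based = (when.weekday() + 1) % 7           # Python's Monday == 0
    return bool(mask[4] & (0x80 >> sunday_based))

def _seconds(tstr):
    """Parse one 'Thhmmss' substring into seconds since midnight."""
    if len(tstr) != 7 or tstr[0] != "T" or not tstr[1:].isdigit():
        raise ValueError("time substring must have the form Thhmmss")
    hh, mm, ss = int(tstr[1:3]), int(tstr[3:5]), int(tstr[5:7])
    if hh > 23 or mm > 59 or ss > 59:
        raise ValueError("time substring out of range")
    return hh * 3600 + mm * 60 + ss

def time_of_day_matches(mask, when):
    start, end = (_seconds(part) for part in mask.split("/"))
    now = when.hour * 3600 + when.minute * 60 + when.second
    if start <= end:                                  # e.g. T080000/T210000
        return start <= now < end
    return now >= start or now < end                  # spans midnight, e.g. T210000/T080000

def time_period_matches(period, when):
    """when: naive datetime already expressed in the entry's time reference."""
    start_s, end_s = period.split("/")
    fmt = "%Y%m%dT%H%M%S"
    start = None if start_s == "THISANDPRIOR" else datetime.strptime(start_s, fmt)
    end = None if end_s == "THISANDFUTURE" else datetime.strptime(end_s, fmt)
    if start is not None and end is not None and end <= start:
        raise ValueError("the second date/time must be later than the first")
    return (start is None or when >= start) and (end is None or when <= end)

def rule_active(entry, when):
    """entry: dict keyed by attribute name; an absent attribute is always enabled.
    when: timezone-aware datetime, converted according to LocalOrUtcTime."""
    if entry.get("LocalOrUtcTime", UTC_TIME) == UTC_TIME:
        when = when.astimezone(timezone.utc).replace(tzinfo=None)
    else:
        when = when.astimezone().replace(tzinfo=None)  # host local time
    checks = (("TimePeriod", time_period_matches),
              ("DayOfMonthMask", day_of_month_matches),
              ("DayOfWeekMask", day_of_week_matches),
              ("TimeOfDayMask", time_of_day_matches))
    return all(fn(entry[key], when) for key, fn in checks if key in entry)
```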
--
--
-- The ipSecRuleTimePeriodSetTable
--
ipSecRuleTimePeriodSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies time period sets. The ipSecRuleTimePeriodTable can
specify only a single time period within a day. This table enables
the specification of multiple time periods within a day by
grouping them into one set. "
::= { ipSecPolicyTimePeriod 2 }
skipping to change at line 4229 skipping to change at line 4311
}
::= { ipSecRuleTimePeriodSetTable 1 }
IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
ipSecRuleTimePeriodSetPrid InstanceId,
ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
}
ipSecRuleTimePeriodSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 }
ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
skipping to change at line 4252 skipping to change at line 4338
ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES { ipSecRuleTimePeriodEntry }
STATUS current
DESCRIPTION
"An integer that identifies an ipSecRuleTimePeriod, specified by
ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
included in this set."
::= { ipSecRuleTimePeriodSetEntry 3 }
--
--
-- The ipSecIfCapsTable
--
ipSecIfCapsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIfCapsEntry
PIB-ACCESS notify PIB-ACCESS Notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies capabilities that may be associated with an interface "Specifies capabilities that may be associated with an interface
of a specific type. The instances of this table are referenced by of a specific type. The instances of this table are referenced by
the frwkCapabilitySetCapability attribute of the the frwkCapabilitySetCapability attribute of the
frwkCapabilitySetTable [9]." frwkCapabilitySetTable [9]."
::= { ipSecIfCapability 1 } ::= { ipSecIfCapability 1 }
ipSecIfCapsEntry OBJECT-TYPE ipSecIfCapsEntry OBJECT-TYPE
SYNTAX IpSecIfCapsEntry SYNTAX IpSecIfCapsEntry
skipping to change at line 4284 skipping to change at line 4367
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIfCapsPrid } PIB-INDEX { ipSecIfCapsPrid }
UNIQUENESS { UNIQUENESS {
ipSecIfCapsDirection, ipSecIfCapsDirection,
ipSecIfCapsMaxIpSecActions, ipSecIfCapsMaxIpSecActions,
ipSecIfCapsMaxIkeActions ipSecIfCapsMaxIkeActions
} }
::= { ipSecIfCapsTable 1 } ::= { ipSecIfCapsTable 1 }
Li, et al Expires December 2003 78
IPsec Policy Information Base May 2003
IpSecIfCapsEntry ::= SEQUENCE { IpSecIfCapsEntry ::= SEQUENCE {
ipSecIfCapsPrid InstanceId, ipSecIfCapsPrid InstanceId,
ipSecIfCapsDirection INTEGER, ipSecIfCapsDirection INTEGER,
ipSecIfCapsMaxIpSecActions Unsigned16, ipSecIfCapsMaxIpSecActions Unsigned16,
ipSecIfCapsMaxIkeActions Unsigned16 ipSecIfCapsMaxIkeActions Unsigned16
} }
ipSecIfCapsPrid OBJECT-TYPE ipSecIfCapsPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
skipping to change at line 4307 skipping to change at line 4393
::= { ipSecIfCapsEntry 1 } ::= { ipSecIfCapsEntry 1 }
ipSecIfCapsDirection OBJECT-TYPE ipSecIfCapsDirection OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
in(1), in(1),
out(2), out(2),
bi-directional(3) bi-directional(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Li, et al Expires August 2003 77
IPsec Policy Information Base January 2003
"Specifies the direction for which this capability applies." "Specifies the direction for which this capability applies."
::= { ipSecIfCapsEntry 2 } ::= { ipSecIfCapsEntry 2 }
ipSecIfCapsMaxIpSecActions OBJECT-TYPE ipSecIfCapsMaxIpSecActions OBJECT-TYPE
SYNTAX Unsigned16 SYNTAX Unsigned16
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum number of actions an IPsec action set may "Specifies the maximum number of actions an IPsec action set may
contain. IPsec action sets are specified by the contain. IPsec action sets are specified by the
ipSecActionSetTable. ipSecActionSetTable.
skipping to change at line 4341 skipping to change at line 4423
ipSecIkeActionSetTable. ipSecIkeActionSetTable.
A value of zero indicates that there is no maximum limit." A value of zero indicates that there is no maximum limit."
::= { ipSecIfCapsEntry 4 } ::= { ipSecIfCapsEntry 4 }
-- --
-- --
-- Conformance Section -- Conformance Section
-- --
Li, et al Expires December 2003 79
IPsec Policy Information Base May 2003
ipSecPolicyPibConformanceCompliances ipSecPolicyPibConformanceCompliances
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
ipSecPolicyPibCompliance MODULE-COMPLIANCE ipSecPolicyPibCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Compliance statement" " Compliance statement"
skipping to change at line 4363 skipping to change at line 4448
ipSecRuleGroup, ipSecRuleGroup,
ipSecActionSetGroup, ipSecActionSetGroup,
ipSecStaticActionGroup, ipSecStaticActionGroup,
ipSecNegotiationActionGroup, ipSecNegotiationActionGroup,
ipSecAssociationGroup, ipSecAssociationGroup,
ipSecProposalSetGroup, ipSecProposalSetGroup,
ipSecProposalGroup, ipSecProposalGroup,
ipSecAhTransformSetGroup, ipSecAhTransformSetGroup,
ipSecAhTransformGroup, ipSecAhTransformGroup,
ipSecEspTransformSetGroup, ipSecEspTransformSetGroup,
Li, et al Expires August 2003 78
IPsec Policy Information Base January 2003
ipSecEspTransformGroup, ipSecEspTransformGroup,
ipSecCompTransformSetGroup, ipSecCompTransformSetGroup,
ipSecCompTransformGroup, ipSecCompTransformGroup,
ipSecIkeAssociationGroup, ipSecIkeAssociationGroup,
ipSecIkeProposalSetGroup, ipSecIkeProposalSetGroup,
ipSecIkeProposalGroup, ipSecIkeProposalGroup,
ipSecIkePeerEndpointGroup, ipSecIkePeerEndpointGroup,
ipSecCredentialSetGroup, ipSecCredentialSetGroup,
ipSecCredentialGroup, ipSecCredentialGroup,
ipSecCredentialFieldsGroup, ipSecCredentialFieldsGroup,
skipping to change at line 4397 skipping to change at line 4478
multiple IKE phase one actions (e.g., with different exchange multiple IKE phase one actions (e.g., with different exchange
modes) are associated with an IPsec rule. These actions are to be modes) are associated with an IPsec rule. These actions are to be
tried in sequence till one success; 2) IKE phase one actions that tried in sequence till one success; 2) IKE phase one actions that
start automatically." start automatically."
GROUP ipSecIkeActionSetGroup GROUP ipSecIkeActionSetGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if any of the following is supported: 1) "This group is mandatory if any of the following is supported: 1)
multiple IKE phase one actions (e.g., with different exchange multiple IKE phase one actions (e.g., with different exchange
modes) are associated with an IPsec rule. These actions are to be modes) are associated with an IPsec rule. These actions are to be
Li, et al Expires December 2003 80
IPsec Policy Information Base May 2003
tried in sequence till one success; 2) IKE phase one actions that tried in sequence till one success; 2) IKE phase one actions that
start automatically." start automatically."
GROUP ipSecIpsoFilterSetGroup GROUP ipSecIpsoFilterSetGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if IPSO filter is supported." "This group is mandatory if IPSO filter is supported."
GROUP ipSecIpsoFilterGroup GROUP ipSecIpsoFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if IPSO filter is supported." "This group is mandatory if IPSO filter is supported."
skipping to change at line 4421 skipping to change at line 4506
GROUP ipSecRuleTimePeriodSetGroup GROUP ipSecRuleTimePeriodSetGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if policy scheduling is supported." "This group is mandatory if policy scheduling is supported."
OBJECT ipSecRuleIpSecIpsoFilterSetId OBJECT ipSecRuleIpSecIpsoFilterSetId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
Li, et al Expires August 2003 79
IPsec Policy Information Base January 2003
OBJECT ipSecRuleLimitNegotiation OBJECT ipSecRuleLimitNegotiation
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecRuleAutoStart OBJECT ipSecRuleAutoStart
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
skipping to change at line 4454 skipping to change at line 4536
OBJECT ipSecActionSetDoPacketLogging OBJECT ipSecActionSetDoPacketLogging
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecAssociationMinLifetimeSeconds OBJECT ipSecAssociationMinLifetimeSeconds
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
Li, et al Expires December 2003 81
IPsec Policy Information Base May 2003
OBJECT ipSecAssociationMinLifetimeKilobytes OBJECT ipSecAssociationMinLifetimeKilobytes
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecAssociationIdleDurationSeconds OBJECT ipSecAssociationIdleDurationSeconds
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
skipping to change at line 4476 skipping to change at line 4561
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecAssociationUseKeyExchangeGroup OBJECT ipSecAssociationUseKeyExchangeGroup
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecAssociationGranularity OBJECT ipSecAssociationGranularity
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
Li, et al Expires August 2003 80
IPsec Policy Information Base January 2003
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecAhTransformUseReplayPrevention OBJECT ipSecAhTransformUseReplayPrevention
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecAhTransformReplayPreventionWindowSize OBJECT ipSecAhTransformReplayPreventionWindowSize
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
skipping to change at line 4510 skipping to change at line 4591
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecEspTransformCipherKeyLength OBJECT ipSecEspTransformCipherKeyLength
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecEspTransformUseReplayPrevention OBJECT ipSecEspTransformUseReplayPrevention
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
Li, et al Expires December 2003 82
IPsec Policy Information Base May 2003
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecEspTransformReplayPreventionWindowSize OBJECT ipSecEspTransformReplayPreventionWindowSize
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecEspTransformVendorId OBJECT ipSecEspTransformVendorId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
skipping to change at line 4533 skipping to change at line 4618
OBJECT ipSecCompTransformDictionarySize OBJECT ipSecCompTransformDictionarySize
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecCompTransformPrivateAlgorithm OBJECT ipSecCompTransformPrivateAlgorithm
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
Li, et al Expires August 2003 81
IPsec Policy Information Base January 2003
OBJECT ipSecCompTransformVendorId OBJECT ipSecCompTransformVendorId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIkeAssociationMinLiftetimeSeconds OBJECT ipSecIkeAssociationMinLiftetimeSeconds
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
skipping to change at line 4566 skipping to change at line 4648
OBJECT ipSecIkeAssociationPresharedKey OBJECT ipSecIkeAssociationPresharedKey
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIkeAssociationVendorId OBJECT ipSecIkeAssociationVendorId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
Li, et al Expires December 2003 83
IPsec Policy Information Base May 2003
OBJECT ipSecIkeAssociationAggressiveModeGroupId OBJECT ipSecIkeAssociationAggressiveModeGroupId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIkeAssociationLocalCredentialId OBJECT ipSecIkeAssociationLocalCredentialId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
skipping to change at line 4589 skipping to change at line 4674
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIkeProposalPrfAlgorithm OBJECT ipSecIkeProposalPrfAlgorithm
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIkeProposalVendorId OBJECT ipSecIkeProposalVendorId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
Li, et al Expires August 2003 82
IPsec Policy Information Base January 2003
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIkePeerEndpointAddress OBJECT ipSecIkePeerEndpointAddress
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecIfCapsMaxIkeActions OBJECT ipSecIfCapsMaxIkeActions
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
skipping to change at line 4624 skipping to change at line 4705
byPass(1), byPass(1),
discard(2), discard(2),
preConfiguredTransport(4), preConfiguredTransport(4),
preConfiguredTunnel(5) preConfiguredTunnel(5)
} }
DESCRIPTION DESCRIPTION
" Support of ikeRejection(3) is not required" " Support of ikeRejection(3) is not required"
::= { ipSecPolicyPibConformanceCompliances 1 } ::= { ipSecPolicyPibConformanceCompliances 1 }
Li, et al Expires December 2003 84
IPsec Policy Information Base May 2003
ipSecRuleGroup OBJECT-GROUP ipSecRuleGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipSecRulePrid, ipSecRulePrid,
ipSecRuleIfName, ipSecRuleIfName,
ipSecRuleRoles, ipSecRuleRoles,
ipSecRuleDirection, ipSecRuleDirection,
ipSecRuleIpSecSelectorSetId, ipSecRuleIpSecSelectorSetId,
ipSecRuleIpSecIpsoFilterSetId, ipSecRuleIpSecIpsoFilterSetId,
ipSecRuleIpSecActionSetId, ipSecRuleIpSecActionSetId,
ipSecRuleActionExecutionStrategy, ipSecRuleActionExecutionStrategy,
skipping to change at line 4646 skipping to change at line 4730
        ipSecRuleAutoStart,
        ipSecRuleIpSecRuleTimePeriodGroupId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecRuleTable."
    ::= { ipSecPolicyPibConformanceGroups 1 }

ipSecActionSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecActionSetPrid,
        ipSecActionSetActionSetId,
        ipSecActionSetActionId,
        ipSecActionSetDoActionLogging,
        ipSecActionSetDoPacketLogging,
        ipSecActionSetOrder
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecActionSetTable."
skipping to change at line 4680 skipping to change at line 4760
        ipSecStaticActionLifetimeKilobytes,
        ipSecStaticActionSaTransformId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecStaticActionTable."
    ::= { ipSecPolicyPibConformanceGroups 3 }

ipSecNegotiationActionGroup OBJECT-GROUP
    OBJECTS {
        ipSecNegotiationActionPrid,
        ipSecNegotiationActionAction,
        ipSecNegotiationActionTunnelEndpointId,
        ipSecNegotiationActionDfHandling,
        ipSecNegotiationActionIpSecSecurityAssociationId,
        ipSecNegotiationActionKeyExchangeId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecNegotiationActionTable."
skipping to change at line 4703 skipping to change at line 4787
    OBJECTS {
        ipSecAssociationPrid,
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationIdleDurationSeconds,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseKeyExchangeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationGranularity,
        ipSecAssociationProposalSetId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecAssociationTable."
    ::= { ipSecPolicyPibConformanceGroups 5 }

ipSecProposalSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecProposalSetPrid,
skipping to change at line 4738 skipping to change at line 4818
        ipSecProposalPrid,
        ipSecProposalEspTransformSetId,
        ipSecProposalAhTransformSetId,
        ipSecProposalCompTransformSetId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecProposalTable."
    ::= { ipSecPolicyPibConformanceGroups 7 }

ipSecAhTransformSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecAhTransformSetPrid,
        ipSecAhTransformSetTransformSetId,
        ipSecAhTransformSetTransformId,
        ipSecAhTransformSetOrder
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecAhTransformSetTable."
skipping to change at line 4760 skipping to change at line 4843
ipSecAhTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecAhTransformPrid,
        ipSecAhTransformTransformId,
        ipSecAhTransformIntegrityKey,
        ipSecAhTransformUseReplayPrevention,
        ipSecAhTransformReplayPreventionWindowSize,
        ipSecAhTransformVendorId,
        ipSecAhTransformMaxLifetimeSeconds,
        ipSecAhTransformMaxLifetimeKilobytes
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecAhTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 9 }

ipSecEspTransformSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecEspTransformSetPrid,
        ipSecEspTransformSetTransformSetId,
skipping to change at line 4794 skipping to change at line 4873
        ipSecEspTransformPrid,
        ipSecEspTransformIntegrityTransformId,
        ipSecEspTransformCipherTransformId,
        ipSecEspTransformIntegrityKey,
        ipSecEspTransformCipherKey,
        ipSecEspTransformCipherKeyRounds,
        ipSecEspTransformCipherKeyLength,
        ipSecEspTransformUseReplayPrevention,
        ipSecEspTransformReplayPreventionWindowSize,
        ipSecEspTransformVendorId,
        ipSecEspTransformMaxLifetimeSeconds,
        ipSecEspTransformMaxLifetimeKilobytes
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecEspTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 11 }

ipSecCompTransformSetGroup OBJECT-GROUP
    OBJECTS {
skipping to change at line 4817 skipping to change at line 4900
        ipSecCompTransformSetOrder
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecCompTransformSetTable."
    ::= { ipSecPolicyPibConformanceGroups 12 }

ipSecCompTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecCompTransformPrid,
        ipSecCompTransformAlgorithm,
        ipSecCompTransformDictionarySize,
        ipSecCompTransformPrivateAlgorithm,
        ipSecCompTransformVendorId,
        ipSecCompTransformMaxLifetimeSeconds,
        ipSecCompTransformMaxLifetimeKilobytes
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecCompTransformTable."
skipping to change at line 4851 skipping to change at line 4930
        ipSecIkeRuleAutoStart,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkeRuleTable."
    ::= { ipSecPolicyPibConformanceGroups 14 }

ipSecIkeActionSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeActionSetPrid,
        ipSecIkeActionSetActionSetId,
        ipSecIkeActionSetActionId,
        ipSecIkeActionSetOrder
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkeActionSetTable."
    ::= { ipSecPolicyPibConformanceGroups 15 }
skipping to change at line 4874 skipping to change at line 4957
        ipSecIkeAssociationMinLiftetimeSeconds,
        ipSecIkeAssociationMinLifetimeKilobytes,
        ipSecIkeAssociationIdleDurationSeconds,
        ipSecIkeAssociationExchangeMode,
        ipSecIkeAssociationUseIkeIdentityType,
        ipSecIkeAssociationUseIkeIdentityValue,
        ipSecIkeAssociationIkePeerEndpoint,
        ipSecIkeAssociationPresharedKey,
        ipSecIkeAssociationVendorId,
        ipSecIkeAssociationAggressiveModeGroupId,
        ipSecIkeAssociationLocalCredentialId,
        ipSecIkeAssociationDoActionLogging,
        ipSecIkeAssociationIkeProposalSetId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkeAssociationTable."
    ::= { ipSecPolicyPibConformanceGroups 16 }

ipSecIkeProposalSetGroup OBJECT-GROUP
skipping to change at line 4908 skipping to change at line 4987
ipSecIkeProposalGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeProposalPrid,
        ipSecIkeProposalMaxLifetimeSeconds,
        ipSecIkeProposalMaxLifetimeKilobytes,
        ipSecIkeProposalCipherAlgorithm,
        ipSecIkeProposalHashAlgorithm,
        ipSecIkeProposalAuthenticationMethod,
        ipSecIkeProposalPrfAlgorithm,
        ipSecIkeProposalIkeDhGroup,
        ipSecIkeProposalVendorId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkeProposalTable."
    ::= { ipSecPolicyPibConformanceGroups 18 }

ipSecIkePeerEndpointGroup OBJECT-GROUP
    OBJECTS {
skipping to change at line 4931 skipping to change at line 5014
        ipSecIkePeerEndpointIsNegated,
        ipSecIkePeerEndpointAddress,
        ipSecIkePeerEndpointCredentialSetId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIkePeerEndpointTable."
    ::= { ipSecPolicyPibConformanceGroups 19 }

ipSecCredentialSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecCredentialSetPrid,
        ipSecCredentialSetSetId,
        ipSecCredentialSetCredentialId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecCredentialSetTable."
    ::= { ipSecPolicyPibConformanceGroups 20 }
skipping to change at line 4965 skipping to change at line 5044
    ::= { ipSecPolicyPibConformanceGroups 21 }

ipSecCredentialFieldsGroup OBJECT-GROUP
    OBJECTS {
        ipSecCredentialFieldsPrid,
        ipSecCredentialFieldsName,
        ipSecCredentialFieldsValue,
        ipSecCredentialFieldsIsNegated,
        ipSecCredentialFieldsSetId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecCredentialFieldsTable."
    ::= { ipSecPolicyPibConformanceGroups 22 }

ipSecSelectorSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecSelectorSetPrid,
        ipSecSelectorSetSelectorSetId,
        ipSecSelectorSetSelectorId,
skipping to change at line 4988 skipping to change at line 5071
    STATUS current
    DESCRIPTION
        "Objects from the ipSecSelectorSetTable."
    ::= { ipSecPolicyPibConformanceGroups 23 }

ipSecSelectorGroup OBJECT-GROUP
    OBJECTS {
        ipSecSelectorPrid,
        ipSecSelectorSrcAddressGroupId,
        ipSecSelectorSrcPortGroupId,
        ipSecSelectorDstAddressGroupId,
        ipSecSelectorDstPortGroupId,
        ipSecSelectorProtocol,
        ipSecSelectorDscp,
        ipSecSelectorFlowLabel
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecSelectorTable."
    ::= { ipSecPolicyPibConformanceGroups 24 }
skipping to change at line 5022 skipping to change at line 5101
    STATUS current
    DESCRIPTION
        "Objects from the ipSecAddressTable."
    ::= { ipSecPolicyPibConformanceGroups 25 }

ipSecL4PortGroup OBJECT-GROUP
    OBJECTS {
        ipSecL4PortPrid,
        ipSecL4PortPortMin,
        ipSecL4PortPortMax,
        ipSecL4PortGroupId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecL4PortTable."
    ::= { ipSecPolicyPibConformanceGroups 26 }

ipSecIpsoFilterSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterSetPrid,
skipping to change at line 5045 skipping to change at line 5128
        ipSecIpsoFilterSetIsNegated
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIpsoFilterSetTable."
    ::= { ipSecPolicyPibConformanceGroups 27 }

ipSecIpsoFilterGroup OBJECT-GROUP
    OBJECTS {
        ipSecIpsoFilterPrid,
        ipSecIpsoFilterMatchConditionType,
        ipSecIpsoFilterClassificationLevel,
        ipSecIpsoFilterProtectionAuthority
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecIpsoFilterTable."
    ::= { ipSecPolicyPibConformanceGroups 28 }

ipSecRuleTimePeriodGroup OBJECT-GROUP
skipping to change at line 5079 skipping to change at line 5158
    DESCRIPTION
        "Objects from the ipSecRuleTimePeriodTable."
    ::= { ipSecPolicyPibConformanceGroups 29 }

ipSecRuleTimePeriodSetGroup OBJECT-GROUP
    OBJECTS {
        ipSecRuleTimePeriodSetPrid,
        ipSecRuleTimePeriodSetRuleTimePeriodSetId,
        ipSecRuleTimePeriodSetRuleTimePeriodId
    }
    STATUS current
    DESCRIPTION
        "Objects from the ipSecRuleTimePeriodSetTable."
    ::= { ipSecPolicyPibConformanceGroups 30 }

ipSecIfCapsGroup OBJECT-GROUP
    OBJECTS {
        ipSecIfCapsPrid,
        ipSecIfCapsDirection,
        ipSecIfCapsMaxIpSecActions,
skipping to change at line 5102 skipping to change at line 5185
    DESCRIPTION
        "Objects from the ipSecIfCapsTable."
    ::= { ipSecPolicyPibConformanceGroups 31 }

END

6. Security Considerations

This document defines an IPsec PIB for configuring IPsec policies on
IPsec enabled devices. As IPsec provides security services, it is
critical that IPsec configuration data be protected at least as
strongly as the desired IPsec policy.

The ipSecEspTransformTable and ipSecAhTransformTable contain
authentication and encryption keys for static IPsec security
associations; these key attributes are ignored for IPsec security
associations that are dynamically established. The
ipSecIkeAssociationTable contains an optional pre-shared key for IKE
authentication. Malicious access to the above PRCs can compromise
the keys. As a result, they MUST NOT be observed by third parties.
skipping to change at line 5136 skipping to change at line 5215
The ipSecIfCapsTable has a PIB-ACCESS clause of notify. Malicious
access to this PRC exposes information concerning the device
being provisioned.

The authentication and integrity of configuration information is of
utmost importance to the security of a network. Administrators
SHOULD carefully consider the potential threat environment involving
PDP and PEP data exchange. At a minimum, PDPs and PEPs SHOULD
authenticate one another and SHOULD use a transport protocol that
supports data integrity and authentication. Administrators SHOULD
also carefully consider the importance of confidentiality of their
configuration information, because it may reveal private or
confidential information about customer access, business
relationships, keys, etc. If these are concerns to the
organization, then confidentiality protection SHOULD be used when
transporting the information. Administrators SHOULD use IPsec or TLS
between PDP and PEP as described in [5] and [15] to provide the
necessary protections.
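The two requirements stated in this section (key-bearing PRCs MUST NOT be observable by third parties; the PDP-PEP channel SHOULD be authenticated and integrity-protected) can be checked mechanically against a PIB module. The following Python is an added illustration, not part of the draft and not code from the IPsec PIB authors: it parses OBJECT-GROUP clauses from a constructed excerpt of the conformance section above, identifies the groups whose PRCs carry the key attributes this section names, and reports which transport property a given PDP-PEP channel lacks for each group. The `Transport` model and the `PIB_EXCERPT` subset are this example's own assumptions; the group and object names are the draft's.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the ipSecPolicyPib conformance section. The group and
# object names are taken from the draft; the subset chosen is this example's own.
PIB_EXCERPT = """
ipSecAhTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecAhTransformPrid,
        ipSecAhTransformTransformId,
        ipSecAhTransformIntegrityKey,
        ipSecAhTransformUseReplayPrevention
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecAhTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 9 }

ipSecEspTransformGroup OBJECT-GROUP
    OBJECTS {
        ipSecEspTransformPrid,
        ipSecEspTransformIntegrityKey,
        ipSecEspTransformCipherKey,
        ipSecEspTransformCipherKeyLength
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecEspTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 11 }

ipSecIkeAssociationGroup OBJECT-GROUP
    OBJECTS {
        ipSecIkeAssociationPrid,
        ipSecIkeAssociationPresharedKey,
        ipSecIkeAssociationVendorId
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeAssociationTable."
    ::= { ipSecPolicyPibConformanceGroups 16 }

ipSecSelectorGroup OBJECT-GROUP
    OBJECTS {
        ipSecSelectorPrid,
        ipSecSelectorProtocol
    }
    STATUS current
    DESCRIPTION "Objects from the ipSecSelectorTable."
    ::= { ipSecPolicyPibConformanceGroups 24 }
"""

# Attributes the Security Considerations identify as holding secret key material.
KEY_ATTRIBUTES = frozenset({
    "ipSecAhTransformIntegrityKey",
    "ipSecEspTransformIntegrityKey",
    "ipSecEspTransformCipherKey",
    "ipSecIkeAssociationPresharedKey",
})

# Matches "<name> OBJECT-GROUP OBJECTS { ... }" and captures the object list.
GROUP_RE = re.compile(
    r"(?P<name>\w+)\s+OBJECT-GROUP\s+OBJECTS\s*\{(?P<body>[^}]*)\}", re.S)


@dataclass(frozen=True)
class Transport:
    """Properties of the PDP-PEP channel (a constructed model, not COPS itself)."""
    authenticated: bool   # peers authenticate one another
    integrity: bool       # data integrity protection is in place
    confidential: bool    # data confidentiality protection is in place


def parse_object_groups(text):
    """Return {group name: [object names]} for every OBJECT-GROUP in text."""
    groups = {}
    for m in GROUP_RE.finditer(text):
        names = [n.strip() for n in m.group("body").split(",") if n.strip()]
        groups[m.group("name")] = names
    return groups


def key_bearing_groups(groups):
    """Sorted names of the groups whose PRC carries one of KEY_ATTRIBUTES."""
    return sorted(g for g, objs in groups.items() if KEY_ATTRIBUTES & set(objs))


def transport_violations(groups, transport):
    """List (group, missing property) pairs for a PDP-PEP transport.

    Every group needs authentication and integrity; a group carrying keys
    additionally needs confidentiality, because the keys MUST NOT be
    observed by third parties.
    """
    violations = []
    for g, objs in sorted(groups.items()):
        if not transport.authenticated:
            violations.append((g, "authentication"))
        if not transport.integrity:
            violations.append((g, "integrity"))
        if KEY_ATTRIBUTES & set(objs) and not transport.confidential:
            violations.append((g, "confidentiality"))
    return violations


if __name__ == "__main__":
    groups = parse_object_groups(PIB_EXCERPT)
    print("key-bearing groups:", key_bearing_groups(groups))
    # An authenticated, integrity-protected but unencrypted channel.
    for g, missing in transport_violations(groups, Transport(True, True, False)):
        print(f"{g}: transport lacks {missing}")
```

Run against the excerpt, the checker reports the three key-bearing groups (AH transform, ESP transform and IKE association) as unprovisionable over an unencrypted channel while the selector group passes, which is the distinction the section draws between the SHOULD on confidentiality for configuration data in general and the MUST NOT on key exposure.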
7. RFC Editor Considerations

This document normatively references [9] and [12], which are in the
IESG last call stage. Please use the corresponding RFC numbers prior
to publishing this document as an RFC.

8. IANA Considerations

[draft-ietf-ipsp-ipsecpib-07 text]

This document describes the ipSecPolicyPib Policy Information Base
(PIB) modules for standardization under the "pib" branch registered
with IANA. An IANA assigned PIB number is requested for it under the
"pib" branch.

IANA Considerations for SUBJECT-CATEGORIES follow the same
requirements as specified in [5] IANA Considerations for COPS Client
Types. The IPsec PIB defines a new COPS Client Type in the Standards
space, hence that needs a COPS client type assignment from IANA (as
described in [5] IANA Considerations). IANA must also update the
registry for COPS Client Types as a result.

The authors suggest the use of "ipSec" as the name of the
ClientType.

[draft-ietf-ipsp-ipsecpib-08 text]

This document describes the ipSecPolicyPib Policy Information Base
(PIB) module for registration under the "pib" branch registered with
IANA. IANA has assigned PIB number <tbd> for it under the "pib"
branch.

IANA Considerations for SUBJECT-CATEGORIES follow the same
requirements as specified in [5] IANA Considerations for COPS Client
Types. The IPsec PIB defines a new COPS Client Type. IANA needs to
assign this type and IANA must also update the registry for COPS
Client Types as a result.
9. Normative References

1.  Bradner, S., "The Internet Standards Process -- Revision 3", BCP
    9, RFC 2026, October 1996.

2.  Bradner, S., "Key words for use in RFCs to Indicate Requirement
    Levels", BCP 14, RFC 2119, March 1997.

3.  S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
    November 1998.

4.  F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling
    Core Object Specification (iCalendar)", RFC 2445, November 1998.

5.  J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry,
    "The COPS (Common Open Policy Service) Protocol", RFC 2748,
    January 2000.

6.  K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
    Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
    Policy Provisioning", RFC 3084, March 2001.

7.  D. Piper, "The Internet IP Security Domain of Interpretation
    for ISAKMP", RFC 2407, November 1998.

8.  S. Kent, R. Atkinson, "IP Encapsulating Security Payload
    (ESP)", RFC 2406, November 1998.

9.  M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
    Smith, F. Reichmeyer, "Framework Policy Information Base",
    draft-ietf-rap-frameworkpib-09.txt, June 2002
    (draft-ietf-ipsp-ipsecpib-08 lists this as RFC 3318, March 2003).

10. D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC
    2409, November 1998.

11. A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
    Compression Protocol (IPComp)", RFC 2393, August 1998.

12. J. Jason, L. Rafalow, E. Vyncke, "IPsec Configuration Policy
    Model", draft-ietf-ipsp-config-policy-model-06.txt, August 2002.

13. A. Westerinen, et al., "Terminology for Policy-Based
    Management", RFC 3198, November 2001.

14. K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
    Smith, F. Reichmeyer, "Structure of Policy Provisioning
    Information", RFC 3159, August 2001.

The following entries appear only in draft-ietf-ipsp-ipsecpib-08:

15. K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose,
    S. Waldbusser, "Structure of Management Information Version 2
    (SMIv2)", STD 58, RFC 2578, April 1999.

16. K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose,
    S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC
    2579, April 1999.

17. F. Baker, K. Chan, A. Smith, "Management Information Base for
    the Differentiated Services Architecture", RFC 3289, May 2002.

18. M. Daniele, B. Haberman, S. Routhier, J. Schoenwaelder,
    "Textual Conventions for Internet Network Addresses", RFC
    3291, May 2002.

19. D. Harrington, R. Presuhn, B. Wijnen, "An Architecture for
    Describing Simple Network Management Protocol (SNMP) Management
    Frameworks", RFC 3411, December 2002.

10. Informative References

15. J. Walker, A. Kulkarni, "COPS Over TLS", draft-ietf-rap-cops-
    tls-04.txt, June 2002.
11. Author's Addresses

Man Li
Nokia
5 Wayside Road,
Burlington, MA 01803
Phone: +1 781 993 3923
skipping to change at line 5268 skipping to change at line 5374
Markus Stenberg
SSH Communications Security Corp.
Fredrikinkatu 42
FIN-00100 Helsinki, Finland
Phone: +358 20 500 7466
Email: fingon@iki.fi

12. Full Copyright Statement

Copyright (C) The Internet Society (date). All Rights Reserved.
(draft-ietf-ipsp-ipsecpib-08 reads: Copyright (C) The Internet
Society (2003). All Rights Reserved.)

This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any
way, such as by removing the copyright notice or references to the
Internet Society or other Internet organizations, except as needed
for the purpose of developing Internet standards in which case the
procedures for copyrights defined in the Internet Standards
process must be followed, or as required to translate it into
languages other than English.
skipping to change at line 5297 skipping to change at line 5404
The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Table of Contents
1. Introduction.......................................................2
2. Operation Overview.................................................2
3. Structure of IPsec PIB.............................................3
3.1 IPsec association group...........................................3
3.1.1 IPsec rules.....................................................3
3.1.2 IPsec actions...................................................4
3.1.3 IPsec associations..............................................5
3.1.4 IPsec proposals.................................................5
3.2 AH transform group................................................5
3.3 ESP transform group...............................................5
3.4 COMP transform group..............................................5
3.5 IKE association group.............................................5
3.6 Credential group..................................................6
3.7 Selector group....................................................7
3.8 Policy time period group..........................................8
3.9 Interface capability group........................................8
4. Summary of the IPsec PIB...........................................8
4.1 ipSecAssociation group............................................8
4.1.1 ipSecRuleTable..................................................8
4.1.2 ipSecActionSetTable.............................................8
4.1.3 ipSecStaticActionTable..........................................8
4.1.4 ipSecNegotiationActionTable.....................................8
4.1.5 ipSecAssociationTable...........................................8
4.1.6 ipSecProposalSetTable...........................................8
4.1.7 ipSecProposalTable..............................................9
4.2 ipSecAhTransform group............................................9
4.2.1 ipSecAhTransformSetTable........................................9
4.2.2 ipSecAhTransformTable...........................................9
4.3 ipSecEspTransform group...........................................9
4.3.1 ipSecEspTransformSetTable.......................................9
4.3.2 ipSecEspTransformTable..........................................9
4.4 ipSecCompTransform group..........................................9
4.4.1 ipSecCompTransformSetTable......................................9
4.4.2 ipSecCompTransformTable.........................................9
4.5 ipSecIkeAssociation group.........................................9
4.5.1 ipSecIkeRuleTable...............................................9
4.5.2 ipSecIkeActionSetTable..........................................9
4.5.3 ipSecIkeAssociationTable........................................9
4.5.4 ipSecIkeProposalSetTable........................................9
4.5.5 ipSecIkeProposalTable...........................................9
4.5.6 ipSecIkePeerEndpointTable.......................................9
4.6 ipSecCredential group............................................10
4.6.1 ipSecCredentialSetTable........................................10
4.6.2 ipSecCredentialTable...........................................10
4.6.3 ipSecCredentialFieldsTable.....................................10
4.7 ipSecSelector group..............................................10
4.7.1 ipSecSelectorSetTable..........................................10
4.7.2 ipSecSelectorTable.............................................10
4.7.3 ipSecAddressTable..............................................10
4.7.4 ipSecL4PortTable...............................................10
4.7.5 ipSecIpsoFilterSetTable........................................10
4.7.6 ipSecIpsoFilterTable...........................................10
4.8 ipSecPolicyTimePeriod group......................................10
4.8.1 ipSecRuleTimePeriodTable.......................................10
4.8.2 ipSecRuleTimePeriodSetTable....................................10
4.9 ipSecIfCapability group..........................................10
4.9.1 ipSecIfCapsTable...............................................10
4.10 ipSecPolicyPibConformance group.................................10
5. The IPsec PIB Module..............................................11
6. Security Considerations...........................................91
7. RFC Editor Considerations.........................................92
8. IANA Considerations...............................................92
9. Normative References..............................................93
10. Informative References...........................................94
11. Author's Addresses...............................................94
12. Full Copyright Statement.........................................94
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/