draft-ietf-ipsp-ipsecpib-09.txt   draft-ietf-ipsp-ipsecpib-10.txt 
ipsp working group                                              Man Li
Internet Draft                                                   Nokia
Expires October 2004                                     David Arneson
                                                                   N/A
                                                            Avri Doria
                                                                  ETRI
                                                           Jamie Jason
                                                                 Intel
                                                            Cliff Wang
                                                             SmartPipe
                                                       Markus Stenberg
                                                                   SSH
                                                            April 2004

                    IPsec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-10.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright (C) The Internet Society (2004). All Rights Reserved.

Distribution of this memo is unlimited.

Abstract

This document describes a portion of the Policy Information Base
(PIB) for a device implementing the IP Security (IPsec)
Architecture. The provisioning classes defined here provide control
of IPsec policy. These provisioning classes can be used with other
non-IPsec provisioning classes (defined in other PIB modules) to
provide for a comprehensive policy controlled mapping of service
requirement to device capability and usage.

Li, et al                 Expires October 2004                      1
IPsec Policy Information Base                              April 2004
Table of Contents

1. Introduction.......................................................3
2. Operation Overview.................................................3
3. Structure of IPsec PIB.............................................4
3.1 IPsec association group...........................................5
3.1.1 IPsec rules.....................................................5
3.1.2 IPsec actions...................................................6
3.1.3 IPsec associations..............................................6
3.1.4 IPsec proposals.................................................7
3.2 AH transform group................................................7
3.3 ESP transform group...............................................7
3.4 COMP transform group..............................................7
3.5 IKE association group.............................................7
3.6 Credential group..................................................8
3.7 Selector group....................................................8
3.8 Policy time period group..........................................9
3.9 Interface capability group.......................................10
4. Summary of the IPsec PIB..........................................10
4.1 ipSecAssociation group...........................................10
4.1.1 ipSecRuleTable.................................................10
4.1.2 ipSecActionSetTable............................................10
4.1.3 ipSecStaticActionTable.........................................10
4.1.4 ipSecNegotiationActionTable....................................10
4.1.5 ipSecAssociationTable..........................................10
4.1.6 ipSecProposalSetTable..........................................10
4.1.7 ipSecProposalTable.............................................10
4.2 ipSecAhTransform group...........................................10
4.2.1 ipSecAhTransformSetTable.......................................10
4.2.2 ipSecAhTransformTable..........................................10
4.3 ipSecEspTransform group..........................................10
4.3.1 ipSecEspTransformSetTable......................................11
4.3.2 ipSecEspTransformTable.........................................11
4.4 ipSecCompTransform group.........................................11
4.4.1 ipSecCompTransformSetTable.....................................11
4.4.2 ipSecCompTransformTable........................................11
4.5 ipSecIkeAssociation group........................................11
4.5.1 ipSecIkeRuleTable..............................................11
4.5.2 ipSecIkeActionSetTable.........................................11
4.5.3 ipSecIkeAssociationTable.......................................11
4.5.4 ipSecIkeProposalSetTable.......................................11
4.5.5 ipSecIkeProposalTable..........................................11
4.5.6 ipSecIkePeerEndpointTable......................................11
4.6 ipSecCredential group............................................11
4.6.1 ipSecCredentialSetTable........................................11
4.6.2 ipSecCredentialTable...........................................11
4.6.3 ipSecCredentialFieldsTable.....................................11
4.7 ipSecSelector group..............................................11
4.7.1 ipSecSelectorSetTable..........................................12
4.7.2 ipSecSelectorTable.............................................12
4.7.3 ipSecAddressTable..............................................12
4.7.4 ipSecL4PortTable...............................................12
4.7.5 ipSecIpsoFilterSetTable........................................12
4.7.6 ipSecIpsoFilterTable...........................................12
4.8 ipSecPolicyTimePeriod group......................................12
4.8.1 ipSecRuleTimePeriodTable.......................................12
4.8.2 ipSecRuleTimePeriodSetTable....................................12
4.9 ipSecIfCapability group..........................................12
4.9.1 ipSecIfCapsTable...............................................12
4.10 ipSecPolicyPibConformance group.................................12
5. The IPsec PIB Module..............................................12
6. Security Considerations...........................................89
7. RFC Editor Considerations.........................................90
8. IANA Considerations...............................................90
9. Normative References..............................................90
10. Informative References...........................................92
11. Author's Addresses...............................................92
12. IPR Disclosure Acknowledgement...................................93
13. Full Copyright Statement.........................................93
Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC-2119 [2].

1. Introduction

The policy rule classes (PRC) defined in this document contain
parameters for Internet Key Exchange (IKE) phase one and phase two
negotiations. Details of these parameters can be found in [3],
[7], [8], [10], [11], [12] and [14]. The PIB defined in this
document is based on the IPsec configuration policy model [12].
The concept of "Roles" described in [9], which scales to large
networks, is adopted for distributing IPsec policy over the COPS-
PR protocol [6].

2. Operation Overview

As defined in [13], the management entity that downloads policy to
IPsec-enabled devices will be called a Policy Decision Point (PDP)
and the target IPsec-enabled devices will be called Policy
Enforcement Points (PEP).

After connecting to a PDP using COPS-PR [6], which is an extension
of COPS [5], a PEP reports to the PDP the PIB Provisioning Classes
(PRCs) it supports as well as any limitations related to the
implementations of these classes and parameters. The PEP provides
the above information using the frwkPrcSupportTable and the
frwkCompLimitsTable defined in the framework PIB [9]. In addition,
the PEP also reports the interface type capabilities and role
combinations it supports using the frwkCapabilitySetTable and the
frwkRoleComboTable. Each row of the frwkCapabilitySetTable
contains a capability set name and a reference to an instance of a
PRC that describes the capabilities of the interface type. The
capability instances may reside in the ipSecIfCapsTable or in a
class defined in another PIB. Each row of the frwkRoleComboTable
contains an interface capability set name and a role combination.

Based on the interface capabilities and role combinations, the PDP
provides the PEP with IPsec policy information. Later on, if any
of the interface capabilities or role combinations of the PEP
change, the PEP notifies the PDP. The PDP will then send a new set
of IPsec policy information to the PEP. In addition, if the policy
associated with a given interface capability and role combination
changes, the PDP will deliver the new IPsec policy to all the PEPs
that have registered with that interface capability and role

[unchanged text omitted]
3. Structure of IPsec PIB

An IPsec policy consists of an ordered list of IPsec rules. Each
rule is composed of a set of conditions and a set of actions. If a
packet matches any of the conditions, the actions will be applied
accordingly.

The IPsec PIB module consists of nine groups. The selector group
describes conditions to be associated with IPsec rules. The IPsec
association group, Authentication Header (AH) transform group,
Encapsulating Security Payload (ESP) transform group, IP Payload
Compression Protocol (COMP) transform group, IKE association group
and the credential group together describe actions to be associated
with IPsec rules. The policy time period group specifies time
periods during which a rule is valid. The interface capability group
is used by a PEP to report the capabilities associated with its
interface types.

The IPsec PIB defined in this document is based on the IPsec
configuration policy information model [12]. The structure and
modularity of this PIB are similar to that of the IPsec
configuration policy model. It is easy to observe the mapping of
the IPsec association group, AH transform group, ESP transform
group, COMP transform group, IKE association group, the credential
group and the policy time period group into the configuration
model. Note that the policy time period condition is included in
the IPsec configuration policy information model [12] but it is
specified in the policy core information model [23]. The IPsec
selector group corresponds to the filters specified in the IPsec
configuration policy model but it is in a slightly different
structure in order to provide a scalable way of specifying a large
number of filters.

The modular design of the IPsec PIB provides many flexibilities.
For example, the key exchange protocol and selectors used in a
policy rule are specified by pointing to the corresponding policy
rule classes. Hence, to use key exchange protocols or selectors
other than those specified in this PIB, simply direct the pointers
to the corresponding policy rule classes specified in other PIB
modules.

The nine IPsec PIB groups are discussed in the following sections.
3.1 IPsec association group

This group specifies IPsec Security Associations.

3.1.1 IPsec rules

The ipSecRuleTable is the starting point for specifying an IPsec
policy. It contains an ordered list of IPsec rules. Each rule is
associated with IfCapSetName, Roles and Direction attributes to
indicate the interface type and role combinations as well as the
direction of the interface to which this rule is to be applied.
Each rule points to a set of selectors and, optionally, a set of
IP Security Options (IPSO) filters to indicate the conditions
associated with this rule. In addition, each rule has a pointer to
a set of actions to indicate the actions associated with this
rule. Hence if a packet matches a selector in the selector set
and, if the reference to the IPSO filter set is not zero, it
matches a filter in the IPSO filter set, the action(s) associated
with this rule will be applied to the packet.

When a rule involves multiple actions, the ExecutionStrategy
attribute indicates how these actions are executed. A value of
"DoAll" means that all the actions MUST be applied to the packet
according to a predefined order. A value of "DoUntilSuccess" means
that the actions MUST be tried in sequence until a successful
execution of a single action.

For example, in a nested Security Associations (SA) case the
actions of an initiator's rule might be structured as:

    ExecutionStrategy='Do All'
    |
    +---1--- IPsecTunnelAction    // set up SA from host to gateway
    |
    +---2--- IPsecTransportAction // set up SA from host through
                                  // tunnel to remote host

Another example, showing a rule with fallback actions, might be
structured as:

    ExecutionStrategy='Do Until Success'
    |
    +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
    |
    +---2--- IPsecTunnelAction // set up SA from host to gateway [B]

As an optional feature, IPsec associations may be established
without being prompted by IP packets. The AutoStart attribute
indicates if the IPsec association(s) of this rule should be set
up automatically. Support of this attribute is optional.
3.1.2 IPsec actions

IPsec actions may be of two types: Static Action and Negotiation
Action.

Static Actions do not require any negotiations. They include
bypass, discard, IKE rejection, pre-configured transport and pre-
configured tunnel actions. The ipSecStaticActionTable specifies
IPsec Static Actions. For a pre-configured transport or pre-
configured tunnel action, it further points to a valid instance in
another class that describes a transform to be used, for example,
the ipSecEspTransformTable. In addition, the SPI used for the
transform is also defined in the table.

Negotiation Actions require negotiations in order to establish
Security Associations. They include transport and tunnel actions.
The ipSecNegotiationActionTable specifies IPsec Negotiation
Actions. It points to a valid instance in the
ipSecAssociationTable that further defines the IPsec association
to be established. For key exchange policy, the KeyExchangeId
points to a valid instance in another class that describes key
exchange procedures. If a single IKE phase one negotiation is used
for the key exchange, this attribute MUST point to an instance in
the ipSecIkeAssociationTable. If multiple IKE phase one
negotiations (e.g., with different modes) are to be tried until
success, this attribute SHOULD point to ipSecIkeRuleTable. For
other key exchange methods, this attribute MAY point to an
instance of a PRC defined in some other PIB module.

The ipSecActionSetTable specifies sets of actions. Actions within
a set form an ordered list. If an action within a set is a Static

[unchanged text omitted]
3.1.3 IPsec associations

The ipSecAssociationTable specifies attributes associated with
IPsec associations. For each association, it points to a set of
proposals in the ipSecProposalSetTable that is associated with
this association.

The MinLifetimeSeconds and MinLifetimeKilobytes in the
ipSecAssociationTable indicate the lifetime to propose for the
IPsec association to be negotiated. They are different from the
time periods indicated by the IpSecRuleTimePeriodGroupId in the
ipSecRuleTable. Those time periods specify when the given IPsec
rule is valid.

3.1.4 IPsec proposals

The ipSecProposalSetTable specifies sets of proposals. Proposals
within a set are ordered with a preference value.

The ipSecProposalTable specifies proposals. It points to sets of
ESP transforms, AH transforms and IP COMP transforms. Within a
proposal, sets of transforms of different types are logically
ANDed. Transforms of the same type within a transform set are to
be logically ORed. For example, if the proposal were

    ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
    AH  = { MD5, SHA-1 }

then the one sending the proposal would want the other side to
pick one from the ESP transform list (preferably (HMAC-MD5, 3DES))
AND one from the AH transform list (preferably MD5).
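The AND/OR semantics of 3.1.4, worked through in Python against the ESP/AH proposal quoted above and a second, ESP-only proposal: transform types within a proposal are ANDed, transforms within a type are ORed in preference order, and a proposal set is walked by preference value. This is an added example, not the draft's or any implementation's code; it assumes a lower preference value means a more preferred proposal, which the draft does not state, and the responder capability sets are constructed.

```python
"""Proposal selection following ipSecProposalTable AND/OR semantics."""
from typing import Dict, Hashable, List, Optional, Set, Tuple

# A proposal maps a transform type ("esp", "ah", "comp") to the ordered list
# of transforms the proposer accepts for that type (first = most preferred).
# ESP transforms carry (integrity, cipher); AH and COMP are single names.
Proposal = Dict[str, List[Hashable]]
Supported = Dict[str, Set[Hashable]]


def select_transforms(proposal: Proposal,
                      supported: Supported) -> Optional[Dict[str, Hashable]]:
    """Pick one transform per type present in the proposal (types are ANDed).
    Within a type, the first transform in preference order that the responder
    supports wins (ORed). Returns None if any type cannot be satisfied."""
    choice: Dict[str, Hashable] = {}
    for ttype, transforms in proposal.items():
        if not transforms:
            continue  # an empty transform set does not constrain the match
        for t in transforms:
            if t in supported.get(ttype, set()):
                choice[ttype] = t
                break
        else:
            return None   # no transform of this type is supported: AND fails
    return choice


def negotiate(proposal_set: List[Tuple[int, Proposal]],
              supported: Supported) -> Optional[Tuple[int, Dict[str, Hashable]]]:
    """Walk an ipSecProposalSetTable-style set in ascending preference value
    (assumption: lower value = preferred) and return the first proposal that
    can be satisfied entirely, together with the chosen transforms."""
    for pref, proposal in sorted(proposal_set, key=lambda p: p[0]):
        chosen = select_transforms(proposal, supported)
        if chosen is not None:
            return pref, chosen
    return None


# Constructed proposal set: the draft's example first, an ESP-only fallback.
PROPOSAL_SET: List[Tuple[int, Proposal]] = [
    (1, {"esp": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
         "ah": ["MD5", "SHA-1"]}),
    (2, {"esp": [("HMAC-MD5", "3DES")]}),
]

# Constructed responder capability sets.
RESPONDER_ESP_DES_AH_SHA1: Supported = {"esp": {("HMAC-MD5", "DES")},
                                        "ah": {"SHA-1"}}
RESPONDER_ESP_3DES_NO_AH: Supported = {"esp": {("HMAC-MD5", "3DES")}}
RESPONDER_ESP_DES_ONLY: Supported = {"esp": {("HMAC-MD5", "DES")}}
```

With the first responder the top proposal succeeds with its less preferred ESP transform; the second responder cannot satisfy the AH set, so the AND fails and the ESP-only proposal is chosen; the third satisfies neither proposal.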
3.2 AH transform group 3.2 AH transform group
The AH transform group describes sets of AH transforms. The AH transform group describes sets of AH transforms.
3.3 ESP transform group 3.3 ESP transform group
Li, et al Expires May 2004 6
IPsec Policy Information Base November 2003
The ESP transform group describes sets of ESP transforms. The ESP transform group describes sets of ESP transforms.
3.4 COMP transform group 3.4 COMP transform group
The COMP transform group describes sets of COMP transforms. The COMP transform group describes sets of COMP transforms.
3.5 IKE association group 3.5 IKE association group
This group specifies rules associated with IKE phase one This group specifies rules associated with IKE phase one
negotiation. negotiation. The rules are IKEv1 rules as specified in [10].
The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
tables. Support of these tables is required only when a policy tables. Support of these tables is required only when a policy
contains: contains:
- Multiple IKE phase one actions (e.g., with different exchange - Multiple IKE phase one actions (e.g., with different exchange
modes) that are associated with one IPsec association. These modes) that are associated with one IPsec association. These
actions are to be tried in sequence until one succeeds. actions are to be tried in sequence until one succeeds.
- IKE phase one actions that start automatically. - IKE phase one actions that start automatically.
For the latter case, IKE rules may be distributed independently For the latter case, IKE rules may be distributed independently
and the IfName and Roles attributes in the ipSecIkeRuleTable and the IfCapSetName and Roles attributes in the ipSecIkeRuleTable
indicate the interface type and role combinations to which this indicate the interface type and role combinations to which this
rule is to be applied. rule is to be applied.
The ipSecIkeActionSetTable specifies sets of actions. Actions The ipSecIkeActionSetTable specifies sets of actions. Actions
within a set form an ordered list. within a set form an ordered list.
The ipSecIkeAssociationTable contains parameters associated with The ipSecIkeAssociationTable contains parameters associated with
IKE associations including the IKE identities to be used during IKE associations including the IKE identities to be used during
IKE phase one negotiation. It points to a set of credentials IKE phase one negotiation. It points to a set of credentials
specified in the ipSecCredentialTable. Any of the credentials in specified in the ipSecCredentialTable. Any of the credentials in
this set may be used during IKE phase one negotiation. In this set may be used during IKE phase one negotiation. In
addition, each IKE association points to a set of IKE proposals to addition, each IKE association points to a set of IKE proposals to
be associated with this association. If the Authentication Method be associated with this association. If the Authentication Method
skipping to change at line 386 skipping to change at line 417
be obtained through other methods. be obtained through other methods.
The ipSecIkeProposalSetTable specifies sets of proposals. The ipSecIkeProposalSetTable specifies sets of proposals.
Proposals within a set are ordered with a preference value. The Proposals within a set are ordered with a preference value. The
ipSecIkeProposalTable contains parameters associated with IKE ipSecIkeProposalTable contains parameters associated with IKE
proposals. proposals.
The ipSecIkePeerEndpointTable specifies IKE peer endpoint The ipSecIkePeerEndpointTable specifies IKE peer endpoint
information that includes acceptable peer identity and credentials information that includes acceptable peer identity and credentials
for IKE phase one negotiation. It points to a set of credentials for IKE phase one negotiation. It points to a set of credentials
specified in the ipSecIkePeerEndpointCredentialSetTable. Any of specified in the ipSecCredentialSetTable. Any of the credentials
in the set is acceptable as a peer credential.
the credentials in the set is acceptable as a peer credential. The
AddressType and the Address attributes are used only when IKE
phase one negotiation starts automatically, i.e., the value of the
AutoStart attribute in the ipSecIkeRuleTable is true. In which
case, these two attributes together indicate the peer endpoint
address.
3.6 Credential group 3.6 Credential group
This group specifies credentials to be used for IKE phase one This group specifies credentials to be used for IKE phase one
negotiations. negotiations.
The ipSecCredentialSetTable specifies sets of credentials. The The ipSecCredentialSetTable specifies sets of credentials. The
ipSecCredentialTable and ipSecCredentialFieldsTable together ipSecCredentialTable and ipSecCredentialFieldsTable together
specify credentials. Each credential may contain multiple sub- specify credentials. Each credential may contain multiple sub-
fields. For example, a certificate may contain a unique serial fields. For example, a certificate may contain a unique serial
skipping to change at line 421 skipping to change at line 443
criteria MUST all be satisfied in order for a credential to be criteria MUST all be satisfied in order for a credential to be
considered as acceptable. Certificates may also be revoked. The considered as acceptable. Certificates may also be revoked. The
CrlDistributionPoint attribute in the ipSecCredentialTable CrlDistributionPoint attribute in the ipSecCredentialTable
indicates the Certificate Revocation List (CRL) distribution point indicates the Certificate Revocation List (CRL) distribution point
where CRLs may be fetched. where CRLs may be fetched.
3.7 Selector group 3.7 Selector group
This group specifies the selectors for IPsec rules. This group specifies the selectors for IPsec rules.
The ipSecSelectorSetTable specifies sets of selectors. Selectors The ipSecSelectorSetTable specifies sets of selectors. Selectors
within a set form an ordered list. The SelectorId attribute points within a set form an ordered list. The SelectorId attribute points
to a valid instance in another table that describes a selector. To to a valid instance in another class that describes a selector. To
achieve scalability in policy distribution for large networks, it achieve scalability in policy distribution for large networks, it
SHOULD point to the ipSecSelectorTable. SHOULD point to the ipSecSelectorTable.
The ipSecAddressTable specifies individual or ranges of IP The ipSecAddressTable specifies individual or ranges of IP
addresses and the ipSecL4PortTable specifies individual or ranges addresses and the ipSecL4PortTable specifies individual or ranges
of layer 4 ports. The ipSecSelectorTable has references to these of layer 4 ports. The ipSecSelectorTable has references to these
two tables. Each row in the selector table can represent multiple two tables. Each row in the selector class can represent multiple
selectors. These selectors are constructed as follows: selectors. These selectors are constructed as follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId. matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId. matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId. ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports 4. Substitute the ipSecSelectorDstPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId. ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four 5. Construct all the possible combinations of the above four
fields. Then add to the combinations the ipSecSelectorProtocol, fields. Then add to the combinations the ipSecSelectorProtocol,
skipping to change at line 476 skipping to change at line 498
serves the same purpose. serves the same purpose.
The ipSecIpsoFilterSetTable specifies sets of IPSO filters. The ipSecIpsoFilterSetTable specifies sets of IPSO filters.
Filters within a set form an ordered list. The Filters within a set form an ordered list. The
ipSecIpsoFilterTable contains IPSO filters. ipSecIpsoFilterTable contains IPSO filters.
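The selector construction procedure (steps 1 to 5 in 3.7), as an added example that is not part of the draft: one ipSecSelectorTable row is expanded into the individual selectors it stands for, a packet is matched against the ordered result, and dangling group references are caught before install. The table rows are constructed for the example and reduced to the attributes the procedure uses (a real row carries more, and step 5 also adds attributes beyond the protocol, which this example omits).

```python
from itertools import product
import ipaddress

# ipSecAddressTable rows: (ipSecAddressGroupId, prefix). /32 is one host.
ADDRESS_TABLE = [
    (1, "10.0.0.0/24"), (1, "10.0.1.0/24"),   # group 1: two branch subnets
    (2, "192.0.2.10/32"),                      # group 2: one server
]
# ipSecL4PortTable rows: (ipSecL4PortGroupId, start, end), end inclusive.
L4PORT_TABLE = [
    (10, 0, 65535),                            # group 10: any source port
    (20, 80, 80), (20, 443, 443),              # group 20: web ports
]
# One ipSecSelectorTable row; attribute names shortened from the draft's.
SELECTOR_ROW = {
    "SrcAddressGroupId": 1, "DstAddressGroupId": 2,
    "SrcPortGroupId": 10, "DstPortGroupId": 20,
    "Protocol": 6,                             # TCP
}

_GROUP_REFS = (("SrcAddressGroupId", ADDRESS_TABLE), ("DstAddressGroupId", ADDRESS_TABLE),
               ("SrcPortGroupId", L4PORT_TABLE), ("DstPortGroupId", L4PORT_TABLE))


def validate_selector_row(row):
    """Referential check before install: every group id must resolve to at
    least one row. Returns the attribute names that dangle (empty = OK)."""
    return [key for key, table in _GROUP_REFS
            if not any(r[0] == row[key] for r in table)]


def _group_rows(table, group_id):
    """Rows of a table with the given group id, minus the id column. A
    dangling reference must not silently expand to a match-nothing selector."""
    rows = [r[1:] for r in table if r[0] == group_id]
    if not rows:
        raise ValueError(f"group id {group_id} has no rows")
    return rows


def expand_selector(row):
    """Steps 1-5: substitute each group id with its rows, then take every
    combination, carrying ipSecSelectorProtocol along."""
    srcs = [ipaddress.ip_network(p) for (p,) in _group_rows(ADDRESS_TABLE, row["SrcAddressGroupId"])]
    dsts = [ipaddress.ip_network(p) for (p,) in _group_rows(ADDRESS_TABLE, row["DstAddressGroupId"])]
    sports = _group_rows(L4PORT_TABLE, row["SrcPortGroupId"])
    dports = _group_rows(L4PORT_TABLE, row["DstPortGroupId"])
    return [{"src": s, "dst": d, "sport": sp, "dport": dp, "proto": row["Protocol"]}
            for s, d, sp, dp in product(srcs, dsts, sports, dports)]


def selector_matches(sel, pkt):
    """pkt: dict with src, dst (dotted strings), sport, dport, proto."""
    return (ipaddress.ip_address(pkt["src"]) in sel["src"]
            and ipaddress.ip_address(pkt["dst"]) in sel["dst"]
            and sel["sport"][0] <= pkt["sport"] <= sel["sport"][1]
            and sel["dport"][0] <= pkt["dport"] <= sel["dport"][1]
            and sel["proto"] == pkt["proto"])


def first_match(selectors, pkt):
    """Index of the first matching selector, or None. Selector sets are
    ordered lists, so the PEP takes the first hit, not the most specific."""
    for i, sel in enumerate(selectors):
        if selector_matches(sel, pkt):
            return i
    return None
```

Two source subnets times one destination times one source port range times two destination ports gives four selectors from a single row; the order of the expansion follows the table order, which is what makes first-match deterministic.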
3.8 Policy time period group 3.8 Policy time period group
This group specifies time periods during which a policy rule is This group specifies time periods during which a policy rule is
valid. The ipSecRuleTimePeriodTable specifies a single time period valid. The ipSecRuleTimePeriodTable specifies a single time period
within a day. The ipSecRuleTimePeriodSetTable specifies multiple of a day (or days). The ipSecRuleTimePeriodSetTable allows the
time periods. specification of multiple time periods.
Implementation of this group is optional. Implementation of this group is optional.
3.9 Interface capability group 3.9 Interface capability group
PEPs may have different capabilities. For example, some PEPs PEPs may have different capabilities. For example, some PEPs
support nested Security Associations whereas others do not. This support nested Security Associations whereas others do not. This
group allows a PEP to specify the capabilities associated with its group allows a PEP to specify the capabilities associated with its
different interface types. different interface types.
For ease of reference, a concise summary of the groups and tables For ease of reference, a concise summary of the groups and tables
is included in the next section. is included in the next section.
4. Summary of the IPsec PIB 4. Summary of the IPsec PIB
4.1 ipSecAssociation group 4.1 ipSecAssociation group
This group specifies IPsec Security Associations. This group specifies IPsec Security Associations.
4.1.1 ipSecRuleTable 4.1.1 ipSecRuleTable
This table is the starting point for specifying an IPsec policy. This class is the starting point for specifying an IPsec policy.
It contains an ordered list of IPsec rules. It contains an ordered list of IPsec rules.
4.1.2 ipSecActionSetTable 4.1.2 ipSecActionSetTable
Specifies IPsec action sets. Specifies IPsec action sets.
4.1.3 ipSecStaticActionTable 4.1.3 ipSecStaticActionTable
Specifies IPsec static actions. Specifies IPsec static actions.
4.1.4 ipSecNegotiationActionTable 4.1.4 ipSecNegotiationActionTable
Specifies IPsec negotiation actions. Specifies IPsec negotiation actions.
skipping to change at line 534 skipping to change at line 556
4.2.1 ipSecAhTransformSetTable 4.2.1 ipSecAhTransformSetTable
Specifies AH transform sets. Specifies AH transform sets.
4.2.2 ipSecAhTransformTable 4.2.2 ipSecAhTransformTable
Specifies AH transforms. Specifies AH transforms.
4.3 ipSecEspTransform group 4.3 ipSecEspTransform group
This group specifies ESP Transforms. This group specifies ESP Transforms.
4.3.1 ipSecEspTransformSetTable 4.3.1 ipSecEspTransformSetTable
Specifies ESP transform sets. Specifies ESP transform sets.
4.3.2 ipSecEspTransformTable 4.3.2 ipSecEspTransformTable
Specifies ESP transforms. Specifies ESP transforms.
4.4 ipSecCompTransform group 4.4 ipSecCompTransform group
This group specifies Compression Transforms. This group specifies Compression Transforms.
4.4.1 ipSecCompTransformSetTable 4.4.1 ipSecCompTransformSetTable
Specifies IPComp transform sets. Specifies IP compression transform sets.
4.4.2 ipSecCompTransformTable 4.4.2 ipSecCompTransformTable
Specifies IP compression (IPCOMP) algorithms. Specifies IP compression algorithms.
4.5 ipSecIkeAssociation group 4.5 ipSecIkeAssociation group
This group specifies IKE Security Associations. This group specifies IKEv1 Security Associations.
4.5.1 ipSecIkeRuleTable 4.5.1 ipSecIkeRuleTable
Specifies IKE rules. Specifies IKEv1 rules.
4.5.2 ipSecIkeActionSetTable 4.5.2 ipSecIkeActionSetTable
Specifies IKE action sets. Specifies IKEv1 action sets.
4.5.3 ipSecIkeAssociationTable 4.5.3 ipSecIkeAssociationTable
Specifies IKE associations. Specifies IKEv1 associations.
4.5.4 ipSecIkeProposalSetTable 4.5.4 ipSecIkeProposalSetTable
Specifies IKE proposal sets. Specifies IKEv1 proposal sets.
4.5.5 ipSecIkeProposalTable 4.5.5 ipSecIkeProposalTable
Specifies IKE proposals. Specifies IKEv1 proposals.
4.5.6 ipSecIkePeerEndpointTable 4.5.6 ipSecIkePeerEndpointTable
Specifies IKE peer endpoints. Specifies IKEv1 peer endpoints.
4.6 ipSecCredential group 4.6 ipSecCredential group
This group specifies credentials for IKE phase one negotiations. This group specifies credentials for IKEv1 phase one negotiations.
4.6.1 ipSecCredentialSetTable 4.6.1 ipSecCredentialSetTable
Specifies credential sets. Specifies credential sets.
4.6.2 ipSecCredentialTable 4.6.2 ipSecCredentialTable
Specifies credentials. Specifies credentials.
4.6.3 ipSecCredentialFieldsTable 4.6.3 ipSecCredentialFieldsTable
Specifies sets of credential sub-fields and their values to be Specifies sets of credential sub-fields and their values to be
matched against. matched against.
4.7 ipSecSelector group 4.7 ipSecSelector group
This group specifies selectors for IPsec associations. This group specifies selectors for IPsec associations.
4.7.1 ipSecSelectorSetTable 4.7.1 ipSecSelectorSetTable
Specifies IPsec selector sets. Specifies IPsec selector sets.
4.7.2 ipSecSelectorTable 4.7.2 ipSecSelectorTable
Specifies IPsec selectors. Specifies IPsec selectors.
4.7.3 ipSecAddressTable 4.7.3 ipSecAddressTable
Specifies IP addresses. Specifies IP addresses.
4.7.4 ipSecL4PortTable 4.7.4 ipSecL4PortTable
skipping to change at line 611 skipping to change at line 636
4.7.5 ipSecIpsoFilterSetTable 4.7.5 ipSecIpsoFilterSetTable
Specifies IPSO filter sets. Specifies IPSO filter sets.
4.7.6 ipSecIpsoFilterTable 4.7.6 ipSecIpsoFilterTable
Specifies IPSO filters. Specifies IPSO filters.
4.8 ipSecPolicyTimePeriod group 4.8 ipSecPolicyTimePeriod group
This group specifies the time periods during which a policy rule This group specifies the time periods during which a policy rule
is valid. is valid.
4.8.1 ipSecRuleTimePeriodTable 4.8.1 ipSecRuleTimePeriodTable
Specifies the time periods during which a policy rule is valid. Specifies the time periods during which a policy rule is valid.
4.8.2 ipSecRuleTimePeriodSetTable 4.8.2 ipSecRuleTimePeriodSetTable
Specifies time period sets. Specifies time period sets.
4.9 ipSecIfCapability group 4.9 ipSecIfCapability group
This group specifies capabilities associated with interface types. This group specifies capabilities associated with interface types.
4.9.1 ipSecIfCapsTable 4.9.1 ipSecIfCapsTable
skipping to change at line 639 skipping to change at line 661
Policy PIB. Policy PIB.
5. The IPsec PIB Module 5. The IPsec PIB Module
IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
Unsigned32, Unsigned64, MODULE-IDENTITY, Unsigned32, Unsigned64, MODULE-IDENTITY,
OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE,
OBJECT-GROUP, pib OBJECT-GROUP, pib
FROM COPS-PR-SPPI FROM COPS-PR-SPPI --[RFC3159]
TruthValue TruthValue
FROM SNMPv2-TC FROM SNMPv2-TC --[RFC2579]
InstanceId, ReferenceId, TagId, TagReferenceId, Prid InstanceId, ReferenceId, TagId, TagReferenceId, Prid
FROM COPS-PR-SPPI-TC FROM COPS-PR-SPPI-TC --[RFC3159]
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB FROM SNMP-FRAMEWORK-MIB --[RFC3411]
InetAddress, InetAddressType, InetAddress, InetAddressType,
InetAddressPrefixLength, InetPortNumber InetAddressPrefixLength, InetPortNumber
FROM INET-ADDRESS-MIB FROM INET-ADDRESS-MIB --[RFC3291]
DscpOrAny DscpOrAny
FROM DIFFSERV-DSCP-TC FROM DIFFSERV-DSCP-TC --[RFC3289]
zeroDotZero
FROM SNMPv2-SMI
IPv6FlowLabelOrAny IPv6FlowLabelOrAny
FROM IPV6-FLOW-LABEL-MIB FROM IPV6-FLOW-LABEL-MIB --[RFC3595]
RoleCombination RoleCombination
FROM FRAMEWORK-TC-PIB; FROM FRAMEWORK-TC-PIB --[RFC3318]
IpsecDoiIpcompTransform,IpsecDoiEspTransform,
IpsecDoiIdentType,IpsecDoiAuthAlgorithm
FROM IPSEC-IPSECACTION-MIB
--[draft-ietf-ipsp-ipsecaction-mib-00.txt]
IkeEncryptionAlgorithm,IkeAuthMethod,IkeHashAlgorithm,
IkeGroupDescription
FROM IPSEC-IKEACTION-MIB;
--[ draft-ietf-ipsp-ikeaction-mib-00.txt]
--
-- module identity
--
ipSecPolicyPib MODULE-IDENTITY ipSecPolicyPib MODULE-IDENTITY
SUBJECT-CATEGORIES { xxxx (nn) } -- IPsec Client Type - SUBJECT-CATEGORIES { xxxx (nn) } -- IPsec Client Type
-- to be assigned by IANA. Suggest to use ipSec for xxxx - -- to be assigned by IANA. Suggest to use ipSec for xxxx
LAST-UPDATED "200311081800Z" LAST-UPDATED "200404041800Z"
ORGANIZATION "IETF ipsp WG" ORGANIZATION "IETF ipsp WG"
CONTACT-INFO " CONTACT-INFO "
Man Li Man Li
Nokia Nokia
5 Wayside Road, 5 Wayside Road,
Burlington, MA 01803 Burlington, MA 01803
Phone: +1 781 993 3923 Phone: +1 781 993 3923
Email: man.m.li@nokia.com Email: man.m.li@nokia.com
Avri Doria Avri Doria
Div. of Computer Communications ETRI
Lulea University of Technology 161 Gajeong-dong, Yuseong-gu
SE-971 87 Deajeon 305-350 Korea
Lulea, Sweden Email: avri@acm.org
Phone: +46 920 49 3030
Email: avri@sm.luth.se
Jamie Jason Jamie Jason
Intel Corporation Intel Corporation
MS JF3-206 MS JF3-206
2111 NE 25th Ave. 2111 NE 25th Ave.
Hillsboro, OR 97124 Hillsboro, OR 97124
Phone: +1 503 264 9531 Phone: +1 503 264 9531
Fax: +1 503 264 9428 Fax: +1 503 264 9428
Email: jamie.jason@intel.com Email: jamie.jason@intel.com
Cliff Wang Cliff Wang
SmartPipes Inc. SmartPipes Inc.
Suite 300, 565 Metro Place South Suite 300, 565 Metro Place South
Dublin, OH 43017 Dublin, OH 43017
Phone: +1 614 923 6241 Phone: +1 614 923 6241
Email: CWang@smartpipes.com Email: CWang@smartpipes.com
Markus Stenberg Markus Stenberg
SSH Communications Security Corp. SSH Communications Security Corp.
Fredrikinkatu 42 Fredrikinkatu 42
FIN-00100 Helsinki, Finland FIN-00100 Helsinki, Finland
Phone: +358 20 500 7466 Phone: +358 20 500 7466
Email: fingon@iki.fi" Email: fingon@iki.fi"
DESCRIPTION DESCRIPTION
"This PIB module contains a set of policy rule classes that "This PIB module contains a set of policy rule classes that
describe IPsec policies. describe IPsec policies.
Copyright (C) The Internet Society (2003). This version of this PIB Copyright (C) The Internet Society (2004). This version of this
module is part of RFC xxxx; see the RFC itself for full legal PIB module is part of RFC xxxx; see the RFC itself for full legal
notices" notices"
REVISION "200311081800Z" REVISION "200404041800Z"
DESCRIPTION DESCRIPTION
"Initial version, published as RFC xxxx." "Initial version, published as RFC xxxx."
-- xxxx to be assigned by IANA -- -- xxxx to be assigned by IANA --
::= { pib yyy } -- yyy to be assigned by IANA -- ::= { pib yyy } -- yyy to be assigned by IANA --
--
-- Textual Conventions
--
Unsigned16TC ::= TEXTUAL-CONVENTION Unsigned16TC ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An unsigned 16 bit integer." "An unsigned 16 bit integer."
SYNTAX Unsigned32 (0..65535) SYNTAX Unsigned32 (0..65535)
LocalOrUtcTimeTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" Indicates whether to use local times or universal time (UTC)
times. "
SYNTAX INTEGER {localTime(1),utcTime(2)}
TimePeriodTC ::= TEXTUAL-CONVENTION
DISPLAY-HINT "255t"
STATUS current
DESCRIPTION
" An octet string that identifies an overall range of calendar
dates and times. It reuses the format for an explicit time period
defined in [RFC 2445] : a string representing a starting date and
time, in which the character 'T' indicates the beginning of the
time portion, followed by the solidus character '/', followed by a
similar string representing an end date and time. The first date
indicates the beginning of the range, while the second date
indicates the end. Thus, the second date and time must be later
than the first. Date/times are expressed as substrings of the
form yyyymmddThhmmss.
There are also two special cases:
- If the first date/time is replaced with the string
THISANDPRIOR, then the property indicates that a policy rule is
valid [from now] until the date/time that appears after the '/'.
- If the second date/time is replaced with the string
THISANDFUTURE, then the property indicates that a policy rule
becomes valid on the date/time that appears before the '/', and
remains valid from that point on.
This information is represented using the ISO/IEC IS 10646-1
character set, encoded as an octet string using the UTF-8
transformation format described in [RFC2279]."
SYNTAX OCTET STRING
TimeOfDayTC ::= TEXTUAL-CONVENTION
DISPLAY-HINT "255t"
STATUS current
DESCRIPTION
" An octet string that specifies a range of times in a day. It
is formatted as follows:
A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The
first time indicates the beginning of the range, while the second
time indicates the end. Times are expressed as substrings of the
form Thhmmss.
The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from
0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day.
This information is represented using the ISO/IEC IS 10646-1
character set, encoded as an octet string using the UTF-8
transformation format described in [RFC2279]."
SYNTAX OCTET STRING
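A validating parser for the TimePeriodTC and TimeOfDayTC formats defined above, with the "is this rule valid now" checks a PEP would run against them. This is an added example, not code from the draft. Assumptions: the end of a range is treated as exclusive (T080000/T210000 covers 08:00:00 up to but not including 21:00:00; the draft does not say either way), and the "now" arguments are given in the same yyyymmddThhmmss / Thhmmss form as the TCs so that no clock or time-zone handling is involved.

```python
import re
from datetime import datetime, time

_DATETIME = re.compile(r"^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})$")
_TIME = re.compile(r"^T(\d{2})(\d{2})(\d{2})$")


def _split(value):
    """Both TCs are UTF-8 octet strings: accept bytes or str and require
    exactly one '/' between the start and end parts."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    parts = value.split("/")
    if len(parts) != 2:
        raise ValueError("expected exactly one '/' separating start and end")
    return parts


def _parse_datetime(s):
    m = _DATETIME.match(s)
    if not m:
        raise ValueError(f"not of the form yyyymmddThhmmss: {s!r}")
    return datetime(*map(int, m.groups()))   # rejects month 13, hour 25, ...


def _parse_time(s):
    m = _TIME.match(s)
    if not m:
        raise ValueError(f"not of the form Thhmmss: {s!r}")
    return time(*map(int, m.groups()))


def parse_time_period(value):
    """TimePeriodTC -> (start, end) datetimes; None marks an open end
    (THISANDPRIOR / THISANDFUTURE). The end must be later than the start."""
    a, b = _split(value)
    start = None if a == "THISANDPRIOR" else _parse_datetime(a)
    end = None if b == "THISANDFUTURE" else _parse_datetime(b)
    if start is not None and end is not None and end <= start:
        raise ValueError("end date/time must be later than start")
    return start, end


def parse_time_of_day(value):
    """TimeOfDayTC -> (start, end) times. start > end means the range wraps
    past midnight; start == end is rejected because the second time must
    identify a later time than the first."""
    a, b = _split(value)
    start, end = _parse_time(a), _parse_time(b)
    if start == end:
        raise ValueError("end time must differ from start time")
    return start, end


def is_valid_time_period(value):
    """Install-time check: reject malformed periods instead of installing a
    rule whose validity window is undefined."""
    try:
        parse_time_period(value)
        return True
    except ValueError:
        return False


def period_active(value, now):
    """True if instant `now` (yyyymmddThhmmss) lies within the period."""
    start, end = parse_time_period(value)
    t = _parse_datetime(now)
    return (start is None or t >= start) and (end is None or t < end)


def time_of_day_active(value, now):
    """True if time-of-day `now` (Thhmmss) lies in the range, including the
    midnight-spanning case from the TC description."""
    start, end = parse_time_of_day(value)
    t = _parse_time(now)
    if start < end:
        return start <= t < end
    return t >= start or t < end
```

Whether a wall-clock instant is compared in local time or UTC is governed by LocalOrUtcTimeTC; the functions above deliberately take an already-converted instant so that decision stays with the caller.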
MonthOfYearTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Defines months of a year"
SYNTAX BITS {january(0),february(1),march(2),april(3),
may(4),june(5),july(6),august(7),september(8),
october(9),november(10),december(11)}
DayOfWeekTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Defines days of a week"
SYNTAX BITS {sunday(0),monday(1),tuesday(2),wednesday(3),
thursday(4),friday(5),saturday(6)}
DayOfMonthTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Defines days of a month"
SYNTAX BITS
{first(0),second(1),third(2),fourth(3),fifth(4),sixth(5),
seventh(6),eighth(7),ninth(8),tenth(9),eleventh(10),
twelfth(11),thirteenth(12),fourteenth(13),fifteenth(14),
sixteenth(15),seventeenth(16),eighteenth(17),nineteenth(18),
twentieth(19),twenty-first(20),twenty-second(21),
twenty-third(22),twenty-fourth(23), twenty-fifth(24),
twenty-sixth(25), twenty-seventh(26),twenty-eighth(27),
twenty-ninth(28), thirty(29), thirty-first(30)}
IpSecOrderTC ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"An unsigned 16 bit integer that defines the order of a set of
rules. A smaller value indicates a higher precedence order"
SYNTAX Unsigned32 (0..65535)
IpSecDirectionTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Specifies the direction of traffic to which an IPsec rule shall
be applied"
SYNTAX INTEGER {in(1),out(2),bi-directional(3)}
IpSecDFBitTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" For tunnel security associations, this attribute specifies how
the DF bit is managed. Copy (1) indicates to copy the DF bit from
the internal IP header to the external IP header. Set (2)
indicates to set the DF bit of the external IP header to 1. Clear
(3) indicates to clear the DF bit of the external IP header to 0.
"
SYNTAX INTEGER {copy(1),set(2),clear(3)}
IpSecExchangeModeTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" Specifies the negotiation mode that the Internet Key Exchange
(IKE) server will use for phase one."
SYNTAX INTEGER {baseMode(0),mainMode(1),aggressiveMode(2)}
IpSecActionTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" Specifies the IPsec action to be applied to the traffic.
transport(1) means that the packet should be protected with a
security association in transport mode. tunnel(2) means that the
packet should be protected with a security association in tunnel
mode."
SYNTAX INTEGER {transport(1),tunnel(2)}
IpSecCredTypeTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" Specifies the type of credentials used for IKE phase one."
SYNTAX INTEGER {certificateX509(1),kerberosTicket(2)}
IpSecGranularityTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Specifies how the proposed selector for the security
association will be created. Subnet (0) indicates that the source
and destination subnet masks of the filter entry are used. Address
(1) indicates that only the source and destination IP addresses of
the triggering packet are used. Protocol(2) indicates that the
source and destination IP addresses and the IP protocol of the
triggering packet are used. Port (3) indicates that the source and
destination IP addresses and the IP protocol and the source and
destination layer 4 ports of the triggering packet are used. "
SYNTAX BITS {subnet(0),address(1),protocol(2),port(3)}
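Deriving the selector a PEP proposes for a new SA at each IpSecGranularityTC level, as an added example that is not code from the draft. The SYNTAX is BITS, so more than one bit can be set at once; the draft does not say how that combines, and this example assumes the most specific set bit wins. The filter entry and packet layouts are constructed for the example.

```python
import ipaddress

GRANULARITY = ("subnet", "address", "protocol", "port")   # bits 0..3


def proposed_selector(granularity_bits, filter_entry, pkt):
    """granularity_bits: set of names from GRANULARITY that are set.
    filter_entry: the matching policy selector's src/dst prefixes, e.g.
    {"src": "10.0.0.0/24", "dst": "192.0.2.0/24"}.
    pkt: the triggering packet, {"src", "dst", "proto", "sport", "dport"}.
    Returns the selector the PEP would propose for the SA."""
    if not granularity_bits or not granularity_bits <= set(GRANULARITY):
        raise ValueError("at least one known granularity bit must be set")
    level = max(GRANULARITY.index(b) for b in granularity_bits)   # assumption: most specific wins
    if level == 0:
        # subnet(0): the filter entry's prefixes, not anything from the packet
        return {"src": ipaddress.ip_network(filter_entry["src"]),
                "dst": ipaddress.ip_network(filter_entry["dst"])}
    # address(1) and finer: the packet's own addresses as host (/32 or /128) prefixes
    sel = {"src": ipaddress.ip_network(pkt["src"]),
           "dst": ipaddress.ip_network(pkt["dst"])}
    if level >= 2:                       # protocol(2): add the IP protocol
        sel["proto"] = pkt["proto"]
    if level == 3:                       # port(3): add both layer 4 ports
        sel["sport"], sel["dport"] = pkt["sport"], pkt["dport"]
    return sel
```

The operational trade-off is visible in the output: subnet granularity yields one SA pair for all traffic between the two prefixes, while port granularity yields a new SA negotiation for every distinct flow, which is both more IKE work and a larger SA database for the same peer.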
IpSecIpsoClassificationTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" Specifies IP security options (IPSO) classification level."
REFERENCE "RFC 1108"
SYNTAX INTEGER {topSecret(61),secret(90),
confidential(150),unclassified(171)}
IpSecIpsoProtectionTC ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
" Specifies IPSO protection level."
REFERENCE "RFC 1108"
SYNTAX INTEGER {genser(0),siop-esi(1),sci(2),
nsa(3),doe(4)}
--
-- Object identifiers
--
ipSecAssociation ipSecAssociation
OBJECT IDENTIFIER ::= {ipSecPolicyPib 1 } OBJECT IDENTIFIER ::= {ipSecPolicyPib 1 }
ipSecAhTransform ipSecAhTransform
OBJECT IDENTIFIER ::= {ipSecPolicyPib 2 } OBJECT IDENTIFIER ::= {ipSecPolicyPib 2 }
ipSecEspTransform ipSecEspTransform
OBJECT IDENTIFIER ::= {ipSecPolicyPib 3 } OBJECT IDENTIFIER ::= {ipSecPolicyPib 3 }
ipSecCompTransform ipSecCompTransform
OBJECT IDENTIFIER ::= {ipSecPolicyPib 4 } OBJECT IDENTIFIER ::= {ipSecPolicyPib 4 }
ipSecIkeAssociation ipSecIkeAssociation
OBJECT IDENTIFIER ::= {ipSecPolicyPib 5 } OBJECT IDENTIFIER ::= {ipSecPolicyPib 5 }
skipping to change at line 760 skipping to change at line 986
-- --
-- --
-- The ipSecRuleTable -- The ipSecRuleTable
-- --
ipSecRuleTable OBJECT-TYPE ipSecRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleEntry SYNTAX SEQUENCE OF IpSecRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table is the starting point for specifying an IPsec policy. "This class is the starting point for specifying an IPsec policy.
It contains an ordered list of IPsec rules. " It contains an ordered list of IPsec rules.
For each entry:
1. ipSecRuleIfCapSetName must reference an existing capability set
name in frwkCapabilitySetTable [RFC3318].
2. ipSecRuleRoles must reference an existing Role Combination in
frwkRoleComboTable [RFC3318].
If either of these requirements is not satisfied, the entry
shall not be installed."
::= { ipSecAssociation 1 } ::= { ipSecAssociation 1 }
ipSecRuleEntry OBJECT-TYPE ipSecRuleEntry OBJECT-TYPE
SYNTAX IpSecRuleEntry SYNTAX IpSecRuleEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecRulePrid } PIB-INDEX { ipSecRulePrid }
UNIQUENESS { UNIQUENESS {
ipSecRuleIfName, ipSecRuleIfCapSetName,
ipSecRuleRoles, ipSecRuleRoles,
ipSecRuleOrder ipSecRuleOrder
} }
::= { ipSecRuleTable 1 } ::= { ipSecRuleTable 1 }
IpSecRuleEntry ::= SEQUENCE { IpSecRuleEntry ::= SEQUENCE {
ipSecRulePrid InstanceId, ipSecRulePrid InstanceId,
ipSecRuleIfName SnmpAdminString, ipSecRuleIfCapSetName SnmpAdminString,
ipSecRuleRoles RoleCombination, ipSecRuleRoles RoleCombination,
ipSecRuleDirection INTEGER, ipSecRuleDirection IpSecDirectionTC,
ipSecRuleIpSecSelectorSetId TagReferenceId, ipSecRuleIpSecSelectorSetId TagReferenceId,
ipSecRuleIpSecIpsoFilterSetId TagReferenceId, ipSecRuleIpSecIpsoFilterSetId TagReferenceId,
ipSecRuleIpSecActionSetId TagReferenceId, ipSecRuleIpSecActionSetId TagReferenceId,
ipSecRuleActionExecutionStrategy INTEGER, ipSecRuleActionExecutionStrategy INTEGER,
ipSecRuleOrder Unsigned16TC, ipSecRuleOrder IpSecOrderTC,
ipSecRuleLimitNegotiation INTEGER, ipSecRuleLimitNegotiation INTEGER,
ipSecRuleAutoStart TruthValue, ipSecRuleAutoStart TruthValue,
ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
} }
ipSecRulePrid OBJECT-TYPE ipSecRulePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecRuleEntry 1 } ::= { ipSecRuleEntry 1 }
ipSecRuleIfName OBJECT-TYPE ipSecRuleIfCapSetName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The interface capability set to which this IPsec rule applies. "The interface capability set to which this IPsec rule applies.
The interface capability name specified by this attribute MUST The interface capability name specified by this attribute MUST
exist in the frwkCapabilitySetTable [9] prior to association with exist in an entry of the frwkCapabilitySetTable [RFC3318] prior to
an instance of this class." association with an instance of this class. The
frwkCapabilitySetCapability attribute of that entry shall in turn
point to an entry in the ipSecIfCaps table."
::= { ipSecRuleEntry 2 } ::= { ipSecRuleEntry 2 }
ipSecRuleRoles OBJECT-TYPE ipSecRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combination of the interface to which this "Specifies the role combination of the interface to which this
IPsec rule should apply. There must exist an instance in the IPsec rule should apply. There must exist an instance in the
frwkRoleComboTable [9] specifying this role combination, together frwkRoleComboTable [RFC3318] specifying this role combination,
with the interface capability set specified by ipSecRuleIfName, together with the interface capability set specified by
prior to association with an instance of this class." ipSecRuleIfCapSetName, prior to association with an instance of
this class."
::= { ipSecRuleEntry 3 } ::= { ipSecRuleEntry 3 }
ipSecRuleDirection OBJECT-TYPE ipSecRuleDirection OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecDirectionTC
in(1),
out(2),
bi-directional(3)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the direction of traffic to which this rule should "Specifies the direction of traffic to which this rule should
apply." apply."
::= { ipSecRuleEntry 4 } ::= { ipSecRuleEntry 4 }
ipSecRuleIpSecSelectorSetId OBJECT-TYPE ipSecRuleIpSecSelectorSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecSelectorSetSelectorSetId } PIB-TAG { ipSecSelectorSetSelectorSetId }
STATUS current STATUS current
skipping to change at line 878 skipping to change at line 1113
PIB-TAG { ipSecActionSetActionSetId } PIB-TAG { ipSecActionSetActionSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies a set of IPsec actions to be associated with this "Identifies a set of IPsec actions to be associated with this
rule." rule."
::= { ipSecRuleEntry 7 } ::= { ipSecRuleEntry 7 }
ipSecRuleActionExecutionStrategy OBJECT-TYPE ipSecRuleActionExecutionStrategy OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
doAll(1), doAll(1),
doUntilSuccess(2) doUntilSuccess(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the strategy to be used in executing the sequenced "Specifies the strategy to be used in executing the sequenced
actions in the action set identified by ipSecRuleIpSecActionSetId. actions in the action set identified by ipSecRuleIpSecActionSetId.
DoAll (1) causes the execution of all the actions in the action DoAll (1) causes the execution of all the actions in the action
set according to their defined precedence order. The precedence set according to their defined precedence order. The precedence
order is specified by the ipSecActionSetOrder in the order is specified by the ipSecActionSetOrder in the
ipSecActionSetTable. ipSecActionSetTable.
DoUntilSuccess (2) causes the execution of actions according to DoUntilSuccess (2) causes the execution of actions according to
their defined precedence order until a successful execution of a their defined precedence order until a successful execution of a
single action. The precedence order is specified by the single action. The precedence order is specified by the
ipSecActionSetOrder in the ipSecActionSetTable." ipSecActionSetOrder in the ipSecActionSetTable."
::= { ipSecRuleEntry 8 } ::= { ipSecRuleEntry 8 }
ipSecRuleOrder OBJECT-TYPE ipSecRuleOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the precedence order of the rule within all the rules "Specifies the precedence order of the rule within all the rules
associated with {IfName, Roles}. A smaller value indicates a associated with {IfCapSetName, Roles}."
higher precedence order. "
::= { ipSecRuleEntry 9 } ::= { ipSecRuleEntry 9 }
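A worked example, added here and not part of the draft, of how an implementation could put the rule and action-set attributes above to use: rules are looked up by {IfCapSetName, Roles} and traffic direction, ordered by ipSecRuleOrder (smaller value first, as the earlier revision's text states), and each selected rule's action set is then run in ipSecActionSetOrder under either doAll or doUntilSuccess. The table rows, capability-set and role names, action labels and their outcomes are constructed placeholders; PIB references (TagReferenceId, Prid) are reduced to plain Python values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Enumerated values as given in the PIB definitions above.
IN, OUT, BIDIRECTIONAL = 1, 2, 3      # ipSecRuleDirection (IpSecDirectionTC)
DO_ALL, DO_UNTIL_SUCCESS = 1, 2       # ipSecRuleActionExecutionStrategy


@dataclass
class IpSecRule:
    """One row of ipSecRuleTable (only the attributes this example uses)."""
    prid: int
    if_cap_set_name: str   # ipSecRuleIfCapSetName
    roles: str             # ipSecRuleRoles (a RoleCombination, kept as a string)
    direction: int         # ipSecRuleDirection
    action_set_id: int     # ipSecRuleIpSecActionSetId (tag into ipSecActionSetTable)
    strategy: int          # ipSecRuleActionExecutionStrategy
    order: int             # ipSecRuleOrder: smaller value = higher precedence


@dataclass
class IpSecActionSetRow:
    """One row of ipSecActionSetTable: a single action within a tagged set."""
    action_set_id: int     # ipSecActionSetActionSetId (TagId)
    action_id: str         # ipSecActionSetActionId (a Prid; a plain label here)
    order: int             # ipSecActionSetOrder


def select_rules(rules: List[IpSecRule], if_cap_set_name: str, roles: str,
                 direction: int) -> List[IpSecRule]:
    """Rules bound to {IfCapSetName, Roles} that cover this traffic direction,
    in ipSecRuleOrder precedence (smallest value first)."""
    matching = [r for r in rules
                if r.if_cap_set_name == if_cap_set_name
                and r.roles == roles
                and r.direction in (direction, BIDIRECTIONAL)]
    return sorted(matching, key=lambda r: r.order)


def execute_action_set(action_rows: List[IpSecActionSetRow], action_set_id: int,
                       strategy: int,
                       run_action: Callable[[str], bool]) -> List[Tuple[str, bool]]:
    """Execute the actions tagged action_set_id in ipSecActionSetOrder.

    doAll(1) attempts every action; doUntilSuccess(2) stops after the first
    action whose run_action() call reports success. Returns the (action_id,
    result) pairs that were actually attempted."""
    if strategy not in (DO_ALL, DO_UNTIL_SUCCESS):
        raise ValueError("unknown ipSecRuleActionExecutionStrategy %r" % strategy)
    ordered = sorted((a for a in action_rows if a.action_set_id == action_set_id),
                     key=lambda a: a.order)
    attempted = []
    for a in ordered:
        ok = run_action(a.action_id)
        attempted.append((a.action_id, ok))
        if strategy == DO_UNTIL_SUCCESS and ok:
            break
    return attempted


# Constructed sample tables (not from the draft). Rule 3 covers inbound
# traffic only and rule 4 is bound to another capability set, so neither
# applies to outbound traffic on "ifcaps-a".
SAMPLE_RULES = [
    IpSecRule(1, "ifcaps-a", "edge", OUT, 10, DO_UNTIL_SUCCESS, 20),
    IpSecRule(2, "ifcaps-a", "edge", BIDIRECTIONAL, 11, DO_ALL, 10),
    IpSecRule(3, "ifcaps-a", "edge", IN, 12, DO_ALL, 5),
    IpSecRule(4, "ifcaps-b", "edge", OUT, 13, DO_ALL, 1),
]
SAMPLE_ACTIONS = [
    IpSecActionSetRow(10, "negotiate-ike-1", 1),
    IpSecActionSetRow(10, "negotiate-ike-2", 2),
    IpSecActionSetRow(10, "discard", 3),
    IpSecActionSetRow(11, "log-packet", 2),
    IpSecActionSetRow(11, "bypass", 1),
]
# Constructed outcomes standing in for the real action handlers.
SAMPLE_OUTCOMES: Dict[str, bool] = {
    "negotiate-ike-1": False, "negotiate-ike-2": True,
    "discard": True, "log-packet": True, "bypass": True,
}


def evaluate(rules, action_rows, outcomes, if_cap_set_name, roles, direction):
    """Rule precedence first, then each rule's action set under its strategy."""
    run = lambda action_id: outcomes[action_id]
    return [(r.prid, execute_action_set(action_rows, r.action_set_id, r.strategy, run))
            for r in select_rules(rules, if_cap_set_name, roles, direction)]


if __name__ == "__main__":
    for prid, attempted in evaluate(SAMPLE_RULES, SAMPLE_ACTIONS, SAMPLE_OUTCOMES,
                                    "ifcaps-a", "edge", OUT):
        print("rule", prid, "->", attempted)
```

With the sample data, rule 2 (order 10) runs before rule 1 (order 20); rule 1's set stops after "negotiate-ike-2" succeeds, so "discard" is never attempted under doUntilSuccess but would be under doAll.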
ipSecRuleLimitNegotiation OBJECT-TYPE ipSecRuleLimitNegotiation OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
initiator(1), initiator(1),
responder(2), responder(2),
both(3) both(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Limits the negotiation method. Before proceeding with a phase 2 "Limits the negotiation method. Before proceeding with a phase 2
negotiation, the LimitNegotiation property of the IPsecRule is negotiation, the LimitNegotiation property of the IPsecRule is
first checked to determine if the negotiation part indicated for first checked to determine if the negotiation part indicated for
the rule matches that of the current negotiation (Initiator, the rule matches that of the current negotiation (Initiator,
Responder, or Either). Responder, or Either).
This attribute is ignored when an attempt is made to refresh an This attribute is ignored when an attempt is made to refresh an
expiring SA (either side can initiate a refresh operation). The expiring security association (SA) since either side can initiate
system can determine that the negotiation is a refresh operation a refresh operation. The system can determine that the
by checking to see if the selector information matches that of an negotiation is a refresh operation by checking to see if the
existing SA. If LimitNegotiation does not match and the selector selector information matches that of an existing SA. If
corresponds to a new SA, the negotiation is stopped. " LimitNegotiation does not match and the selector corresponds to a
new SA, the negotiation is stopped. "
::= { ipSecRuleEntry 10 } ::= { ipSecRuleEntry 10 }
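The LimitNegotiation check described above, as an added example that is not part of the draft: before a phase 2 negotiation the rule's value is compared with the part we play in that negotiation, except when the selector matches an existing SA, in which case the negotiation is a refresh and the attribute is ignored. The selector shape, the existing-SA list and the attempted negotiations are all constructed; a real implementation would take the selector from ipSecSelectorSetTable and the SA state from the SADB.

```python
from typing import Dict, List, NamedTuple, Tuple

# ipSecRuleLimitNegotiation values from the definition above.
INITIATOR, RESPONDER, BOTH = 1, 2, 3


class Selector(NamedTuple):
    """Constructed minimal traffic selector; the real selector set lives in
    ipSecSelectorSetTable and carries more fields than this."""
    src: str
    dst: str
    protocol: int


def matches_existing_sa(selector: Selector, existing_sas: List[Dict]) -> bool:
    """The draft's refresh test: a negotiation whose selector matches an
    existing SA is treated as a refresh of that SA."""
    return any(sa["selector"] == selector for sa in existing_sas)


def phase2_permitted(limit: int, our_role: int, selector: Selector,
                     existing_sas: List[Dict]) -> Tuple[bool, str]:
    """Apply ipSecRuleLimitNegotiation before a phase 2 negotiation.

    our_role is the part we play in the negotiation at hand, initiator(1)
    or responder(2). Returns (permitted, reason)."""
    if our_role not in (INITIATOR, RESPONDER):
        raise ValueError("our_role must be initiator(1) or responder(2)")
    if limit not in (INITIATOR, RESPONDER, BOTH):
        raise ValueError("unknown ipSecRuleLimitNegotiation value %r" % limit)
    if matches_existing_sa(selector, existing_sas):
        return True, "refresh of an existing SA: LimitNegotiation ignored"
    if limit == BOTH or limit == our_role:
        return True, "LimitNegotiation permits this negotiation part"
    return False, "LimitNegotiation mismatch for a new SA: negotiation stopped"


# Constructed state: one SA already established for TCP 10.0.0.1 -> 10.0.1.5.
SAMPLE_SAS = [{"spi": 0x1000, "selector": Selector("10.0.0.1", "10.0.1.5", 6)}]

# Constructed phase 2 attempts: (rule's LimitNegotiation, our role, selector).
SAMPLE_ATTEMPTS = [
    (RESPONDER, INITIATOR, Selector("10.0.0.1", "10.0.1.5", 6)),   # refresh
    (RESPONDER, INITIATOR, Selector("10.0.0.1", "10.0.1.6", 6)),   # new SA, we initiate
    (RESPONDER, RESPONDER, Selector("10.0.0.1", "10.0.1.6", 6)),   # new SA, peer initiates
    (BOTH, INITIATOR, Selector("10.0.0.2", "10.0.1.7", 17)),       # either part allowed
]


def decide_all(attempts, existing_sas) -> List[bool]:
    """Decision for each attempt, in order."""
    return [phase2_permitted(limit, role, sel, existing_sas)[0]
            for limit, role, sel in attempts]


if __name__ == "__main__":
    for (limit, role, sel), ok in zip(SAMPLE_ATTEMPTS,
                                      decide_all(SAMPLE_ATTEMPTS, SAMPLE_SAS)):
        print(sel, "limit", limit, "role", role, "->", "proceed" if ok else "stop")
```

The second attempt is the interesting one: a responder-only rule stops us from initiating a new SA, while the first attempt with the same rule proceeds because its selector already has an SA and is therefore a refresh.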
ipSecRuleAutoStart OBJECT-TYPE ipSecRuleAutoStart OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates if this rule should be automatically executed."
"Indicates if this rule shall be activated when it is
instantiated, i.e., start negotiate or statically set security
associations. If the value is changed to false later, there is no
impact on the security associations that have already started.
"
::= { ipSecRuleEntry 11 } ::= { ipSecRuleEntry 11 }
ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId } PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies an IPsec rule time period set, specified in "Identifies an IPsec rule time period set, specified in
ipSecRuleTimePeriodSetTable, that is associated with this rule. ipSecRuleTimePeriodSetTable, that is associated with this rule.
A value of zero indicates that this IPsec rule is always valid." A value of zero indicates that this IPsec rule is always valid."
::= { ipSecRuleEntry 12 } ::= { ipSecRuleEntry 12 }
-- --
-- --
-- The ipSecActionSetTable -- The ipSecActionSetTable
-- --
ipSecActionSetTable OBJECT-TYPE ipSecActionSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecActionSetEntry SYNTAX SEQUENCE OF IpSecActionSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec action sets." "Specifies a set of IPsec actions."
::= { ipSecAssociation 2 } ::= { ipSecAssociation 2 }
ipSecActionSetEntry OBJECT-TYPE ipSecActionSetEntry OBJECT-TYPE
SYNTAX IpSecActionSetEntry SYNTAX IpSecActionSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecActionSetPrid } PIB-INDEX { ipSecActionSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecActionSetActionSetId, ipSecActionSetActionSetId,
ipSecActionSetActionId,
ipSecActionSetDoActionLogging,
ipSecActionSetDoPacketLogging,
ipSecActionSetOrder ipSecActionSetOrder
} }
::= { ipSecActionSetTable 1 } ::= { ipSecActionSetTable 1 }
IpSecActionSetEntry ::= SEQUENCE { IpSecActionSetEntry ::= SEQUENCE {
ipSecActionSetPrid InstanceId, ipSecActionSetPrid InstanceId,
ipSecActionSetActionSetId TagId, ipSecActionSetActionSetId TagId,
ipSecActionSetActionId Prid, ipSecActionSetActionId Prid,
ipSecActionSetDoActionLogging TruthValue, ipSecActionSetDoActionLogging TruthValue,
ipSecActionSetDoPacketLogging TruthValue, ipSecActionSetDoPacketLogging TruthValue,
ipSecActionSetOrder Unsigned16TC ipSecActionSetOrder IpSecOrderTC
} }
ipSecActionSetPrid OBJECT-TYPE ipSecActionSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecActionSetEntry 1 } ::= { ipSecActionSetEntry 1 }
ipSecActionSetActionSetId OBJECT-TYPE ipSecActionSetActionSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPsec action set is composed of one or more IPsec actions. "An IPsec action set is composed of one or more IPsec actions.
Each action belonging to the same set has the same ActionSetId." Actions belonging to the same set have the same ActionSetId."
::= { ipSecActionSetEntry 2 } ::= { ipSecActionSetEntry 2 }
ipSecActionSetActionId OBJECT-TYPE ipSecActionSetActionId OBJECT-TYPE
SYNTAX Prid SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in another table that describes an "A pointer to a valid instance in another table that describes an
action to be taken. action to be taken.
For IPsec static actions, it MUST point to an instance in the For IPsec static actions, it MUST point to an instance in the
ipSecStaticActionTable. ipSecStaticActionTable. For IPsec negotiation actions, it MUST
point to an instance in the ipSecNegotiationActionTable. For other
For IPsec negotiation actions, it MUST point to an instance in the actions, it may point to an instance of a class specified by other
ipSecNegotiationActionTable. For other actions, it may point to an PIB modules."
instance in a table specified by other PIB modules."
::= { ipSecActionSetEntry 3 } ::= { ipSecActionSetEntry 3 }
ipSecActionSetDoActionLogging OBJECT-TYPE ipSecActionSetDoActionLogging OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether a log message is to be generated when the "Specifies whether a log message is to be generated when the
action is performed. This applies for ipSecNegotiationActions action is performed. This applies for ipSecNegotiationActions
with the meaning of logging a message when the negotiation is with the meaning of logging a message when the negotiation is
attempted (with the success or failure result). This also applies attempted (with the success or failure result). This also applies
for ipSecStaticAction only for PreconfiguredTransport action or for ipSecStaticAction only for PreconfiguredTransport action
PreconfiguredTunnel action with the meaning of logging a message (ipSecStaticActionAction = 4) or PreconfiguredTunnel action
when the preconfigured SA is actually installed in the SADB." (ipSecStaticActionAction = 5) with the meaning of logging a
message when the preconfigured security association is actually
installed in the security association database (SADB)."
::= { ipSecActionSetEntry 4 } ::= { ipSecActionSetEntry 4 }
ipSecActionSetDoPacketLogging OBJECT-TYPE ipSecActionSetDoPacketLogging OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether to log when the resulting security association "Specifies whether to log when the resulting security association
is used to process a packet. For ipSecStaticActions, a log message is used to process a packet. For ipSecStaticActions, a log message
is to be generated when the IPsecBypass, IpsecDiscard or IKEReject is to be generated when the IPsecBypass (ipSecStaticActionAction =
actions are executed."
1), IpsecDiscard (ipSecStaticActionAction = 2) or IKEReject
(ipSecStaticActionAction = 3) actions are executed. "
::= { ipSecActionSetEntry 5 } ::= { ipSecActionSetEntry 5 }
ipSecActionSetOrder OBJECT-TYPE ipSecActionSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the precedence order of the action within the action "Specifies the precedence order of the action within the action
set. An action with a smaller precedence order is to be applied set."
before one with a larger precedence order. "
::= { ipSecActionSetEntry 6 } ::= { ipSecActionSetEntry 6 }
-- --
-- --
-- The ipSecStaticActionTable -- The ipSecStaticActionTable
-- --
ipSecStaticActionTable OBJECT-TYPE ipSecStaticActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecStaticActionEntry SYNTAX SEQUENCE OF IpSecStaticActionEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at line 1094 skipping to change at line 1331
ipSecStaticActionLifetimeSeconds, ipSecStaticActionLifetimeSeconds,
ipSecStaticActionLifetimeKilobytes, ipSecStaticActionLifetimeKilobytes,
ipSecStaticActionSaTransformId ipSecStaticActionSaTransformId
} }
::= { ipSecStaticActionTable 1 } ::= { ipSecStaticActionTable 1 }
IpSecStaticActionEntry ::= SEQUENCE { IpSecStaticActionEntry ::= SEQUENCE {
ipSecStaticActionPrid InstanceId, ipSecStaticActionPrid InstanceId,
ipSecStaticActionAction INTEGER, ipSecStaticActionAction INTEGER,
ipSecStaticActionTunnelEndpointId ReferenceId, ipSecStaticActionTunnelEndpointId ReferenceId,
ipSecStaticActionDfHandling INTEGER, ipSecStaticActionDfHandling IpSecDFBitTC,
ipSecStaticActionSpi Unsigned32, ipSecStaticActionSpi Unsigned32,
ipSecStaticActionLifetimeSeconds Unsigned32, ipSecStaticActionLifetimeSeconds Unsigned32,
ipSecStaticActionLifetimeKilobytes Unsigned64, ipSecStaticActionLifetimeKilobytes Unsigned64,
ipSecStaticActionSaTransformId Prid ipSecStaticActionSaTransformId Prid
} }
ipSecStaticActionPrid OBJECT-TYPE ipSecStaticActionPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecStaticActionEntry 1 } ::= { ipSecStaticActionEntry 1 }
ipSecStaticActionAction OBJECT-TYPE ipSecStaticActionAction OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
byPass(1), byPass(1),
discard(2), discard(2),
ikeRejection(3), ikeRejection(3),
preConfiguredTransport(4), preConfiguredTransport(4),
preConfiguredTunnel(5) preConfiguredTunnel(5)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPsec action to be applied to the traffic. byPass "Specifies the IPsec action to be applied to the traffic. byPass
(1) means that packets are to be allowed to pass in the clear. (1) means that packets are to be allowed to pass in the clear.
skipping to change at line 1146 skipping to change at line 1382
DESCRIPTION DESCRIPTION
"When ipSecStaticActionAction is preConfiguredTunnel (5), this "When ipSecStaticActionAction is preConfiguredTunnel (5), this
attribute indicates the peer gateway IP address. This address MUST attribute indicates the peer gateway IP address. This address MUST
be a single endpoint address. be a single endpoint address.
When ipSecStaticActionAction is not preConfiguredTunnel, this When ipSecStaticActionAction is not preConfiguredTunnel, this
attribute MUST be zero." attribute MUST be zero."
::= { ipSecStaticActionEntry 3 } ::= { ipSecStaticActionEntry 3 }
ipSecStaticActionDfHandling OBJECT-TYPE ipSecStaticActionDfHandling OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecDFBitTC
copy(1),
set(2),
clear(3)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecStaticActionAction is preConfiguredTunnel, this "When ipSecStaticActionAction is preConfiguredTunnel, this
attribute specifies how the DF bit is managed. attribute specifies how the DF bit is managed. When
ipSecStaticActionAction is not preConfiguredTunnel, this attribute
Copy (1) indicates to copy the DF bit from the internal IP header MUST be ignored. "
to the external IP header. Set (2) indicates to set the DF bit of
the external IP header to 1. Clear (3) indicates to clear the DF
bit of the external IP header to 0.
When ipSecStaticActionAction is not preConfiguredTunnel, this
attribute MUST be ignored. "
::= { ipSecStaticActionEntry 4 } ::= { ipSecStaticActionEntry 4 }
ipSecStaticActionSpi OBJECT-TYPE ipSecStaticActionSpi OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the SPI to be used with the SA Transform identified by "Specifies the Security Parameter Index (SPI) to be used with the
ipSecStaticActionSaTransformId. SA Transform identified by ipSecStaticActionSaTransformId.
When ipSecStaticActionAction is neither When ipSecStaticActionAction is neither
preConfiguredTransportAction nor preConfiguredTunnelAction, this preConfiguredTransportAction nor preConfiguredTunnelAction, this
attribute MUST be ignored." attribute MUST be ignored."
::= { ipSecStaticActionEntry 5 } ::= { ipSecStaticActionEntry 5 }
ipSecStaticActionLifetimeSeconds OBJECT-TYPE ipSecStaticActionLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the amount of time (in seconds) that a security "Specifies the amount of time (in seconds) that a security
association derived from this action should be used. When association derived from this action should be used. When
ipSecStaticActionAction is neither preConfiguredTransportAction ipSecStaticActionAction is neither preConfiguredTransportAction
nor preConfiguredTunnelAction, this attribute MUST be ignored. nor preConfiguredTunnelAction, this attribute MUST be ignored.
A value of zero indicates that there is not a lifetime associated A value of zero indicates that there is not a lifetime in seconds
with this action (i.e., infinite lifetime). associated with this action (i.e., infinite lifetime in seconds).
This is consistent with [RFC3585].
The actual lifetime of the preconfigured SA will be the smallest The actual lifetime of the preconfigured SA will be the smallest
of the value of this LifetimeSeconds property and of the value of of the value of this LifetimeSeconds property and of the value of
the MaxLifetimeSeconds property of the associated SA Transform. the MaxLifetimeSeconds property of the associated SA Transform.
Except if the value of this LifetimeSeconds property is zero, then Except if the value of this LifetimeSeconds property is zero, then
there will be no lifetime associated to this SA." there will be no lifetime associated to this SA.
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecStaticActionEntry 6 } ::= { ipSecStaticActionEntry 6 }
ipSecStaticActionLifetimeKilobytes OBJECT-TYPE ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the SA lifetime in kilobytes. When "Specifies the SA lifetime in kilobytes. When
ipSecStaticActionAction is neither preConfiguredTransportAction ipSecStaticActionAction is neither preConfiguredTransportAction
nor preConfiguredTunnelAction, this attribute MUST be ignored. nor preConfiguredTunnelAction, this attribute MUST be ignored.
A value of zero indicates that there is not a lifetime associated A value of zero indicates that there is not a lifetime in byte
with this action (i.e., infinite lifetime). count associated with this action (i.e., infinite lifetime in byte
count). This is consistent with [RFC3585].
The actual lifetime of the preconfigured SA will be the smallest The actual lifetime of the preconfigured SA will be the smallest
of the value of this LifetimeKilobytes property and of the value of the value of this LifetimeKilobytes property and of the value
of the MaxLifetimeKilobytes property of the associated SA of the MaxLifetimeKilobytes property of the associated SA
transform. Except if the value of this LifetimeKilobytes property transform. Except if the value of this LifetimeKilobytes property
is zero, then there will be no lifetime associated with this is zero, then there will be no lifetime associated with this
action. action.
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence.
" "
::= { ipSecStaticActionEntry 7 } ::= { ipSecStaticActionEntry 7 }
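The lifetime rules stated for ipSecStaticActionLifetimeSeconds and ipSecStaticActionLifetimeKilobytes, as an added example that is not part of the draft: a zero on the static action means no lifetime of that kind, otherwise the smaller of the action's value and the SA transform's MaxLifetime value applies, and when both a time and a byte-count lifetime are in force the first one reached ends the SA. The transform tables are not part of this excerpt, so the treatment of a zero transform maximum as "no cap" is an assumption, and all numeric values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


def effective_lifetime(action_value: int, transform_max: int) -> Optional[int]:
    """Combine ipSecStaticActionLifetime{Seconds,Kilobytes} with the SA
    transform's MaxLifetime{Seconds,Kilobytes}.

    A zero on the static action means no lifetime of that kind (returned as
    None). Otherwise the smaller of the two values applies. A zero transform
    maximum is taken to mean "no cap"; that is an assumption, since the
    transform tables are outside this excerpt."""
    if action_value == 0:
        return None
    if transform_max == 0:
        return action_value
    return min(action_value, transform_max)


@dataclass
class SaLifetimes:
    seconds: Optional[int]    # None: no time-based lifetime
    kilobytes: Optional[int]  # None: no byte-count lifetime


def derive_lifetimes(action_seconds: int, action_kilobytes: int,
                     max_seconds: int, max_kilobytes: int) -> SaLifetimes:
    """Lifetimes a preconfigured SA gets from its static action + transform."""
    return SaLifetimes(effective_lifetime(action_seconds, max_seconds),
                       effective_lifetime(action_kilobytes, max_kilobytes))


def expired_lifetimes(lt: SaLifetimes, elapsed_seconds: int,
                      kilobytes_processed: int) -> List[str]:
    """Names of the lifetimes that have been reached. With both kinds in
    force, whichever is reached first ends the SA, so any non-empty result
    means the SA is no longer usable."""
    reached = []
    if lt.seconds is not None and elapsed_seconds >= lt.seconds:
        reached.append("seconds")
    if lt.kilobytes is not None and kilobytes_processed >= lt.kilobytes:
        reached.append("kilobytes")
    return reached


def sa_still_usable(lt: SaLifetimes, elapsed_seconds: int,
                    kilobytes_processed: int) -> bool:
    return not expired_lifetimes(lt, elapsed_seconds, kilobytes_processed)


# Constructed values: a preconfigured tunnel action asking for a 24 h /
# 500 000 kB lifetime, bound to a transform capped at 8 h / 1 000 000 kB.
ACTION_SECONDS, ACTION_KILOBYTES = 86400, 500_000
MAX_SECONDS, MAX_KILOBYTES = 28800, 1_000_000

if __name__ == "__main__":
    lt = derive_lifetimes(ACTION_SECONDS, ACTION_KILOBYTES, MAX_SECONDS, MAX_KILOBYTES)
    print(lt)                                     # seconds=28800, kilobytes=500000
    print(expired_lifetimes(lt, 3600, 500_000))   # ['kilobytes']: byte count reached first
    print(derive_lifetimes(0, 0, MAX_SECONDS, MAX_KILOBYTES))  # no lifetime at all
```

Note that the time lifetime is capped by the transform (28800 rather than 86400) while the byte-count lifetime keeps the action's smaller value, and that an SA with both lifetimes set to zero never expires on its own, which is why such a configuration deserves scrutiny when reviewing policy.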
ipSecStaticActionSaTransformId OBJECT-TYPE ipSecStaticActionSaTransformId OBJECT-TYPE
SYNTAX Prid SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in another table that describes an "A pointer to a valid instance in another table that describes an
SA transform, e.g., ipSecEspTransformTable, ipSecAhTransformTable." SA transform, e.g., ipSecEspTransformTable, ipSecAhTransformTable."
::= { ipSecStaticActionEntry 8 } ::= { ipSecStaticActionEntry 8 }
-- --
-- --
-- The ipSecNegotiationActionTable -- The ipSecNegotiationActionTable
-- --
skipping to change at line 1257 skipping to change at line 1490
ipSecNegotiationActionEntry OBJECT-TYPE ipSecNegotiationActionEntry OBJECT-TYPE
SYNTAX IpSecNegotiationActionEntry SYNTAX IpSecNegotiationActionEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecNegotiationActionPrid } PIB-INDEX { ipSecNegotiationActionPrid }
UNIQUENESS { UNIQUENESS {
ipSecNegotiationActionAction, ipSecNegotiationActionAction,
ipSecNegotiationActionTunnelEndpointId, ipSecNegotiationActionTunnelEndpointId,
ipSecNegotiationActionDfHandling, ipSecNegotiationActionDfHandling,
ipSecNegotiationActionIpSecSecurityAssociationId, ipSecNegotiationActionIpSecAssociationId,
ipSecNegotiationActionKeyExchangeId ipSecNegotiationActionKeyExchangeId
} }
::= { ipSecNegotiationActionTable 1 } ::= { ipSecNegotiationActionTable 1 }
IpSecNegotiationActionEntry ::= SEQUENCE { IpSecNegotiationActionEntry ::= SEQUENCE {
ipSecNegotiationActionPrid InstanceId, ipSecNegotiationActionPrid InstanceId,
ipSecNegotiationActionAction INTEGER, ipSecNegotiationActionAction IpSecActionTC,
ipSecNegotiationActionTunnelEndpointId ReferenceId, ipSecNegotiationActionTunnelEndpointId ReferenceId,
ipSecNegotiationActionDfHandling INTEGER, ipSecNegotiationActionDfHandling IpSecDFBitTC,
ipSecNegotiationActionIpSecSecurityAssociationId ReferenceId, ipSecNegotiationActionIpSecAssociationId ReferenceId,
ipSecNegotiationActionKeyExchangeId Prid ipSecNegotiationActionKeyExchangeId Prid
} }
ipSecNegotiationActionPrid OBJECT-TYPE ipSecNegotiationActionPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecNegotiationActionEntry 1 } ::= { ipSecNegotiationActionEntry 1 }
ipSecNegotiationActionAction OBJECT-TYPE ipSecNegotiationActionAction OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecActionTC
transport(1),
tunnel(2)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPsec action to be applied to the traffic. "Specifies the IPsec action to be applied to the traffic. If
transport(1) means that the packet should be protected with a tunnel (2) is specified, ipSecActionTunnelEndpointId MUST also be
security association in transport mode. tunnel(2) means that the specified."
packet should be protected with a security association in tunnel
mode. If tunnel (2) is specified, ipSecActionTunnelEndpointId
MUST also be specified."
::= { ipSecNegotiationActionEntry 2 } ::= { ipSecNegotiationActionEntry 2 }
ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecAddressEntry } PIB-REFERENCES {ipSecAddressEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecActionAction is tunnel (2), this attribute indicates "When ipSecActionAction is tunnel (2), this attribute indicates
the peer gateway IP address. This address MUST be a single the peer gateway IP address. This address MUST be a single
endpoint address. endpoint address.
When ipSecActionAction is not tunnel, this attribute MUST be When ipSecActionAction is not tunnel, this attribute MUST be
zero." zero."
::= { ipSecNegotiationActionEntry 3 } ::= { ipSecNegotiationActionEntry 3 }
ipSecNegotiationActionDfHandling OBJECT-TYPE ipSecNegotiationActionDfHandling OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecDFBitTC
copy(1),
set(2),
clear(3)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When ipSecActionAction is tunnel, this attribute specifies how "When ipSecActionAction is tunnel, this attribute specifies how
the DF bit is managed. the DF bit is managed. When ipSecActionAction is not tunnel, this
attribute MUST be ignored. "
Copy (1) indicates to copy the DF bit from the internal IP header
to the external IP header. Set (2) indicates to set the DF bit of
the external IP header to 1. Clear (3) indicates to clear the DF
bit of the external IP header to 0.
When ipSecActionAction is not tunnel, this attribute MUST be
ignored. "
::= { ipSecNegotiationActionEntry 4 } ::= { ipSecNegotiationActionEntry 4 }
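The DF-bit handling described for ipSecStaticActionDfHandling and, just above, for ipSecNegotiationActionDfHandling, as an added example that is not part of the draft: for a tunnel-mode packet the outer IPv4 header's DF bit is copied from the inner header, set to 1, or cleared to 0 according to the copy(1)/set(2)/clear(3) value listed in the earlier revision. The IpSecDFBitTC definition itself is outside this excerpt, so those three values are assumed; the inner packet, addresses and the use of ESP (protocol 50) as the outer protocol are constructed, and the ESP framing bytes are not modelled.

```python
import socket
import struct

# DfHandling values as listed for ipSecStaticActionDfHandling and
# ipSecNegotiationActionDfHandling (the IpSecDFBitTC definition itself is
# outside this excerpt).
COPY, SET, CLEAR = 1, 2, 3

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
DF_FLAG = 0x4000             # DF is bit 14 of the flags/fragment-offset field
ESP_PROTOCOL = 50            # constructed choice for the outer protocol


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def df_set(header: bytes) -> bool:
    """Whether the DF bit is set in an IPv4 header."""
    flags_frag = struct.unpack(IPV4_HDR, header[:20])[4]
    return bool(flags_frag & DF_FLAG)


def header_protocol(header: bytes) -> int:
    return struct.unpack(IPV4_HDR, header[:20])[6]


def outer_df(inner_packet: bytes, df_handling: int) -> int:
    """DF bit of the tunnel (outer) header derived per DfHandling."""
    if df_handling == COPY:
        return DF_FLAG if df_set(inner_packet) else 0
    if df_handling == SET:
        return DF_FLAG
    if df_handling == CLEAR:
        return 0
    raise ValueError("unknown DfHandling value %r" % df_handling)


def build_outer_header(inner_packet: bytes, src: str, dst: str,
                       df_handling: int, ident: int = 0, ttl: int = 64) -> bytes:
    """Outer IPv4 header for a tunnel-mode packet. The outer packet starts
    out unfragmented (MF and fragment offset zero); only the DF bit comes
    from the policy. ESP header/trailer bytes are not modelled, so the total
    length counts just the encapsulated packet."""
    flags_frag = outer_df(inner_packet, df_handling)
    fields = [0x45, 0, 20 + len(inner_packet), ident, flags_frag, ttl,
              ESP_PROTOCOL, 0, socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields)


def make_inner_packet(df: bool, payload_len: int = 20) -> bytes:
    """Constructed inner IPv4 packet (TCP, 10.1.0.5 -> 10.2.0.9)."""
    flags_frag = DF_FLAG if df else 0
    fields = [0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64, 6, 0,
              socket.inet_aton("10.1.0.5"), socket.inet_aton("10.2.0.9")]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + bytes(payload_len)


if __name__ == "__main__":
    for name, mode in (("copy", COPY), ("set", SET), ("clear", CLEAR)):
        for inner_df in (True, False):
            outer = build_outer_header(make_inner_packet(inner_df),
                                       "192.0.2.1", "198.51.100.1", mode)
            print(name, "inner DF", inner_df, "-> outer DF", df_set(outer))
```

Only copy(1) makes the outer DF bit depend on the inner packet; set(2) and clear(3) override it, which is what a gateway needs when the path MTU discovery behaviour of the tunnel must not follow the hosts behind it.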
ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE ipSecNegotiationActionIpSecAssociationId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecAssociationEntry } PIB-REFERENCES {ipSecAssociationEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Pointer to a valid instance in the ipSecAssociationTable." "Pointer to a valid instance in the ipSecAssociationTable."
::= { ipSecNegotiationActionEntry 5 } ::= { ipSecNegotiationActionEntry 5 }
ipSecNegotiationActionKeyExchangeId OBJECT-TYPE ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
SYNTAX Prid SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in another table that describes key "A pointer to a valid instance in another table that describes key
exchange associations. If a single IKE phase one negotiation is exchange associations. If a single IKEv1 phase one negotiation is
used for the key exchange, this attribute MUST point to an used for the key exchange, this attribute MUST point to an
instance in the ipSecIkeAssociationTable. If multiple IKE phase
instance in the ipSecIkeAssociationTable. If multiple IKEv1 phase
one negotiations (e.g., with different modes) are to be tried one negotiations (e.g., with different modes) are to be tried
until success, this attribute SHOULD point to ipSecIkeRuleTable. until success, this attribute SHOULD point to ipSecIkeRuleTable.
For other key exchange methods, this attribute may point to an For other key exchange methods, this attribute may point to an
instance of a PRC defined in some other PIB. instance of a PRC defined in some other PIB.
A value of zeroDotZero means that there is no key exchange A value of zeroDotZero means that there is no key exchange
procedure associated." procedure associated."
::= { ipSecNegotiationActionEntry 6 } ::= { ipSecNegotiationActionEntry 6 }
skipping to change at line 1384 skipping to change at line 1601
SYNTAX IpSecAssociationEntry SYNTAX IpSecAssociationEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecAssociationPrid } PIB-INDEX { ipSecAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecAssociationMinLifetimeSeconds, ipSecAssociationMinLifetimeSeconds,
ipSecAssociationMinLifetimeKilobytes, ipSecAssociationMinLifetimeKilobytes,
ipSecAssociationIdleDurationSeconds, ipSecAssociationIdleDurationSeconds,
ipSecAssociationUsePfs, ipSecAssociationUsePfs,
ipSecAssociationVendorId,
ipSecAssociationUseKeyExchangeGroup, ipSecAssociationUseKeyExchangeGroup,
ipSecAssociationDhGroup, ipSecAssociationDhGroup,
ipSecAssociationGranularity, ipSecAssociationGranularity,
ipSecAssociationProposalSetId ipSecAssociationProposalSetId
} }
::= { ipSecAssociationTable 1 } ::= { ipSecAssociationTable 1 }
IpSecAssociationEntry ::= SEQUENCE { IpSecAssociationEntry ::= SEQUENCE {
ipSecAssociationPrid InstanceId, ipSecAssociationPrid InstanceId,
ipSecAssociationMinLifetimeSeconds Unsigned32, ipSecAssociationMinLifetimeSeconds Unsigned32,
ipSecAssociationMinLifetimeKilobytes Unsigned64, ipSecAssociationMinLifetimeKilobytes Unsigned64,
ipSecAssociationIdleDurationSeconds Unsigned32, ipSecAssociationIdleDurationSeconds Unsigned32,
ipSecAssociationUsePfs TruthValue, ipSecAssociationUsePfs TruthValue,
ipSecAssociationVendorId OCTET STRING,
ipSecAssociationUseKeyExchangeGroup TruthValue, ipSecAssociationUseKeyExchangeGroup TruthValue,
ipSecAssociationDhGroup Unsigned16TC, ipSecAssociationDhGroup IkeGroupDescription,
ipSecAssociationGranularity INTEGER, ipSecAssociationGranularity IpSecGranularityTC,
ipSecAssociationProposalSetId TagReferenceId ipSecAssociationProposalSetId TagReferenceId
} }
ipSecAssociationPrid OBJECT-TYPE ipSecAssociationPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecAssociationEntry 1 } ::= { ipSecAssociationEntry 1 }
ipSecAssociationMinLifetimeSeconds OBJECT-TYPE ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be accepted "Specifies the minimum SA seconds lifetime that will be accepted
from a peer while negotiating an SA based upon this action. from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime in
enforced." seconds enforced. This is consistent with [RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecAssociationEntry 2 } ::= { ipSecAssociationEntry 2 }
ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this from a negotiating peer while negotiating an SA based upon this
action. A value of zero indicates that there is no minimum action. A value of zero indicates that there is no minimum
lifetime enforced." lifetime in byte count enforced. This is consistent with
[RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecAssociationEntry 3 } ::= { ipSecAssociationEntry 3 }
ipSecAssociationIdleDurationSeconds OBJECT-TYPE ipSecAssociationIdleDurationSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies how long, in seconds, a security association may remain "Specifies how long, in seconds, a security association may remain
unused before it is deleted. unused before it is deleted.
A value of zero indicates that idle detection should not be used A value of zero indicates that idle detection should not be used
for the security association (only the seconds and kilobyte for the security association (only the seconds and kilobyte
lifetimes will be used)." lifetimes will be used). This is consistent with [RFC3585]. "
::= { ipSecAssociationEntry 4 } ::= { ipSecAssociationEntry 4 }
ipSecAssociationUsePfs OBJECT-TYPE ipSecAssociationUsePfs OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether or not to use PFS when refreshing keys." "Specifies whether or not to use PFS when refreshing keys."
::= { ipSecAssociationEntry 5 } ::= { ipSecAssociationEntry 5 }
ipSecAssociationVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the IKE Vendor ID. This attribute is used together with
the property ipSecAssociationDhGroup (when it is in the vendor-
specific range) to identify the key exchange group. This
attribute is ignored unless ipSecAssociationUsePFS is true and
ipSecAssociationUseKeyExchangeGroup is false and
ipSecAssociationDhGroup is in the vendor-specific range (32768-
65535)."
::= { ipSecAssociationEntry 6 }
ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether or not to use the same GroupId for phase 2 as "Specifies whether or not to use the same GroupId for phase 2 as
was used in phase 1. If UsePFS is false, then this attribute is was used in phase 1. If UsePFS is false, then this attribute is
ignored. ignored.
A value of true indicates that the phase 2 GroupId should be the A value of true indicates that the phase 2 GroupId should be the
same as phase 1. A value of false indicates that the group number same as phase 1. A value of false indicates that the group number
specified by the ipSecSecurityAssociationDhGroup attribute SHALL specified by the ipSecAssociationDhGroup attribute SHALL be used
be used for phase 2. " for phase 2. "
::= { ipSecAssociationEntry 7 } ::= { ipSecAssociationEntry 6 }
ipSecAssociationDhGroup OBJECT-TYPE ipSecAssociationDhGroup OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IkeGroupDescription
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the key exchange group to use for phase 2 when the "Specifies the key exchange group to use for phase 2 when the
property ipSecSecurityAssociationUsePfs is true and the property property ipSecAssociationUsePfs is true and the property
ipSecSecurityAssociationUseKeyExchangeGroup is false." ipSecAssociationUseKeyExchangeGroup is false.
::= { ipSecAssociationEntry 8 }
"
::= { ipSecAssociationEntry 7 }
ipSecAssociationGranularity OBJECT-TYPE ipSecAssociationGranularity OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecGranularityTC
subnet(1),
address(2),
protocol(3),
port(4)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies how the proposed selector for the security association "Specifies how the proposed selector for the security association
will be created. will be created."
::= { ipSecAssociationEntry 8 }
A value of 1 (subnet) indicates that the source and destination
subnet masks of the filter entry are used.
A value of 2 (address) indicates that only the source and
destination IP addresses of the triggering packet are used.
A value of 3 (protocol) indicates that the source and destination
IP addresses and the IP protocol of the triggering packet are
used.
A value of 4 (port) indicates that the source and destination IP
addresses and the IP protocol and the source and destination layer
4 ports of the triggering packet are used. "
::= { ipSecAssociationEntry 9 }
ipSecAssociationProposalSetId OBJECT-TYPE ipSecAssociationProposalSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecProposalSetProposalSetId } PIB-TAG { ipSecProposalSetProposalSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies a set of IPsec proposals that is associated with this "Identifies a set of IPsec proposals that is associated with this
IPsec association." IPsec association."
::= { ipSecAssociationEntry 10 } ::= { ipSecAssociationEntry 9 }
-- --
-- --
-- The ipSecProposalSetTable -- The ipSecProposalSetTable
-- --
ipSecProposalSetTable OBJECT-TYPE ipSecProposalSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalSetEntry SYNTAX SEQUENCE OF IpSecProposalSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec proposal sets. Proposals within a set are ORed "Specifies IPsec proposal sets. Proposals within a set are ORed
with preference order. " with preference order. "
::= { ipSecAssociation 6 } ::= { ipSecAssociation 6 }
ipSecProposalSetEntry OBJECT-TYPE ipSecProposalSetEntry OBJECT-TYPE
SYNTAX IpSecProposalSetEntry SYNTAX IpSecProposalSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecProposalSetPrid } PIB-INDEX { ipSecProposalSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecProposalSetProposalSetId, ipSecProposalSetProposalSetId,
ipSecProposalSetProposalId,
ipSecProposalSetOrder ipSecProposalSetOrder
} }
::= { ipSecProposalSetTable 1 } ::= { ipSecProposalSetTable 1 }
IpSecProposalSetEntry ::= SEQUENCE { IpSecProposalSetEntry ::= SEQUENCE {
ipSecProposalSetPrid InstanceId, ipSecProposalSetPrid InstanceId,
ipSecProposalSetProposalSetId TagId, ipSecProposalSetProposalSetId TagId,
ipSecProposalSetProposalId ReferenceId, ipSecProposalSetProposalId ReferenceId,
ipSecProposalSetOrder Unsigned16TC ipSecProposalSetOrder IpSecOrderTC
} }
ipSecProposalSetPrid OBJECT-TYPE ipSecProposalSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecProposalSetEntry 1 } ::= { ipSecProposalSetEntry 1 }
ipSecProposalSetProposalSetId OBJECT-TYPE ipSecProposalSetProposalSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPsec proposal set is composed of one or more IPsec proposals. "An IPsec proposal set is composed of one or more IPsec proposals.
Each proposal belonging to the same set has the same Proposals belonging to the same set have the same ProposalSetId."
ProposalSetId."
::= { ipSecProposalSetEntry 2 } ::= { ipSecProposalSetEntry 2 }
ipSecProposalSetProposalId OBJECT-TYPE ipSecProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecProposalEntry } PIB-REFERENCES {ipSecProposalEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecProposalTable." "A pointer to a valid instance in the ipSecProposalTable."
::= { ipSecProposalSetEntry 3 } ::= { ipSecProposalSetEntry 3 }
ipSecProposalSetOrder OBJECT-TYPE ipSecProposalSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the proposal "An integer that specifies the precedence order of the proposal
identified by ipSecProposalSetProposalId in a proposal set. The identified by ipSecProposalSetProposalId in a proposal set. The
proposal set is identified by ipSecProposalSetProposalSetId. proposal set is identified by ipSecProposalSetProposalSetId.
Proposals within a set are ORed with preference order. A smaller Proposals within a set are ORed with preference order. "
integer value indicates a higher preference."
::= { ipSecProposalSetEntry 4 } ::= { ipSecProposalSetEntry 4 }
-- --
-- --
-- The ipSecProposalTable -- The ipSecProposalTable
-- --
ipSecProposalTable OBJECT-TYPE ipSecProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecProposalEntry SYNTAX SEQUENCE OF IpSecProposalEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec proposals. It has references to ESP, AH and "Specifies IPsec proposals. It has references to Encapsulating
IPCOMP Transform sets. Within a proposal, different types of Security Payload (ESP), Authentication Header (AH) and IP Payload
transforms are ANDed. Multiple transforms of the same type are Compression Protocol (COMP) Transform sets. Within a proposal,
ORed with preference order." different types of transforms are ANDed. Multiple transforms of
the same type are ORed with preference order."
::= { ipSecAssociation 7 } ::= { ipSecAssociation 7 }
ipSecProposalEntry OBJECT-TYPE ipSecProposalEntry OBJECT-TYPE
SYNTAX IpSecProposalEntry SYNTAX IpSecProposalEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecProposalPrid } PIB-INDEX { ipSecProposalPrid }
UNIQUENESS { UNIQUENESS {
ipSecProposalEspTransformSetId, ipSecProposalEspTransformSetId,
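Review bot: dropping the sentence "A smaller integer value indicates a higher preference." from the ipSecProposalSetOrder DESCRIPTION leaves the direction of the precedence order unstated in this object; keep it unless the new IpSecOrderTC textual convention defines it, and if it does, reference the TC from the DESCRIPTION. With ipSecAssociationVendorId removed, the ipSecAssociationDhGroup DESCRIPTION should say how group numbers in a private-use range are to be interpreted under the new IkeGroupDescription SYNTAX, since the deleted text tied that range (32768-65535) to the vendor ID. The renumbering of the ipSecAssociationEntry sub-identifiers (UseKeyExchangeGroup 7 to 6, DhGroup 8 to 7, Granularity 9 to 8, ProposalSetId 10 to 9) is acceptable for an unpublished draft but deserves a line in the change history.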
skipping to change at line 1657 skipping to change at line 1841
ipSecProposalPrid InstanceId, ipSecProposalPrid InstanceId,
ipSecProposalEspTransformSetId TagReferenceId, ipSecProposalEspTransformSetId TagReferenceId,
ipSecProposalAhTransformSetId TagReferenceId, ipSecProposalAhTransformSetId TagReferenceId,
ipSecProposalCompTransformSetId TagReferenceId ipSecProposalCompTransformSetId TagReferenceId
} }
ipSecProposalPrid OBJECT-TYPE ipSecProposalPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecProposalEntry 1 } ::= { ipSecProposalEntry 1 }
ipSecProposalEspTransformSetId OBJECT-TYPE ipSecProposalEspTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecEspTransformSetTransformSetId } PIB-TAG { ipSecEspTransformSetTransformSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a set of ESP transforms, specified in "An integer that identifies a set of ESP transforms, specified in
ipSecEspTransformSetTable, that is associated with this proposal." ipSecEspTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 2 } ::= { ipSecProposalEntry 2 }
ipSecProposalAhTransformSetId OBJECT-TYPE ipSecProposalAhTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecAhTransformSetTransformSetId } PIB-TAG { ipSecAhTransformSetTransformSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies an AH transform set, specified in "An integer that identifies an AH transform set, specified in
ipSecAhTransformSetTable, that is associated with this proposal." ipSecAhTransformSetTable, that is associated with this proposal."
::= { ipSecProposalEntry 3 } ::= { ipSecProposalEntry 3 }
ipSecProposalCompTransformSetId OBJECT-TYPE ipSecProposalCompTransformSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecCompTransformSetTransformSetId } PIB-TAG { ipSecCompTransformSetTransformSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that identifies a set of IPComp transforms, specified "An integer that identifies a set of IPComp transforms, specified
skipping to change at line 1713 skipping to change at line 1897
"Specifies AH transform sets. Within a transform set, the "Specifies AH transform sets. Within a transform set, the
transforms are ORed with preference order. " transforms are ORed with preference order. "
::= { ipSecAhTransform 1 } ::= { ipSecAhTransform 1 }
ipSecAhTransformSetEntry OBJECT-TYPE ipSecAhTransformSetEntry OBJECT-TYPE
SYNTAX IpSecAhTransformSetEntry SYNTAX IpSecAhTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformSetPrid } PIB-INDEX { ipSecAhTransformSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecAhTransformSetTransformSetId, ipSecAhTransformSetTransformSetId,
ipSecAhTransformSetTransformId,
ipSecAhTransformSetOrder ipSecAhTransformSetOrder
} }
::= { ipSecAhTransformSetTable 1 } ::= { ipSecAhTransformSetTable 1 }
IpSecAhTransformSetEntry ::= SEQUENCE { IpSecAhTransformSetEntry ::= SEQUENCE {
ipSecAhTransformSetPrid InstanceId, ipSecAhTransformSetPrid InstanceId,
ipSecAhTransformSetTransformSetId TagId, ipSecAhTransformSetTransformSetId TagId,
ipSecAhTransformSetTransformId ReferenceId, ipSecAhTransformSetTransformId ReferenceId,
ipSecAhTransformSetOrder Unsigned16TC ipSecAhTransformSetOrder IpSecOrderTC
} }
ipSecAhTransformSetPrid OBJECT-TYPE ipSecAhTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class. " class. "
::= { ipSecAhTransformSetEntry 1 } ::= { ipSecAhTransformSetEntry 1 }
ipSecAhTransformSetTransformSetId OBJECT-TYPE ipSecAhTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An AH transform set is composed of one or more AH transforms. "An AH transform set is composed of one or more AH transforms.
Each transform belonging to the same set has the same Transforms belonging to the same set have the same
TransformSetId." TransformSetId."
::= { ipSecAhTransformSetEntry 2 } ::= { ipSecAhTransformSetEntry 2 }
ipSecAhTransformSetTransformId OBJECT-TYPE ipSecAhTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecAhTransformEntry } PIB-REFERENCES {ipSecAhTransformEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecAhTransformTable." "A pointer to a valid instance in the ipSecAhTransformTable."
::= { ipSecAhTransformSetEntry 3 } ::= { ipSecAhTransformSetEntry 3 }
ipSecAhTransformSetOrder OBJECT-TYPE ipSecAhTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the transform "An integer that specifies the precedence order of the transform
identified by ipSecAhTransformSetTransformId within a transform identified by ipSecAhTransformSetTransformId within a transform
set. The transform set is identified by set. The transform set is identified by
ipSecAhTransformSetTransformSetId. Transforms within a set are ipSecAhTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a ORed with preference order."
higher preference."
::= { ipSecAhTransformSetEntry 4 } ::= { ipSecAhTransformSetEntry 4 }
-- --
-- --
-- The ipSecAhTransformTable -- The ipSecAhTransformTable
-- --
ipSecAhTransformTable OBJECT-TYPE ipSecAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAhTransformEntry SYNTAX SEQUENCE OF IpSecAhTransformEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies AH transforms." "Specifies AH transforms."
::= { ipSecAhTransform 2 } ::= { ipSecAhTransform 2 }
ipSecAhTransformEntry OBJECT-TYPE ipSecAhTransformEntry OBJECT-TYPE
SYNTAX IpSecAhTransformEntry SYNTAX IpSecAhTransformEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecAhTransformPrid } PIB-INDEX { ipSecAhTransformPrid }
UNIQUENESS { UNIQUENESS {
ipSecAhTransformTransformId, ipSecAhTransformTransformId,
ipSecAhTransformIntegrityKey, ipSecAhTransformIntegrityKey,
ipSecAhTransformUseReplayPrevention, ipSecAhTransformUseReplayPrevention,
ipSecAhTransformReplayPreventionWindowSize, ipSecAhTransformReplayPreventionWindowSize,
ipSecAhTransformVendorId,
ipSecAhTransformMaxLifetimeSeconds, ipSecAhTransformMaxLifetimeSeconds,
ipSecAhTransformMaxLifetimeKilobytes ipSecAhTransformMaxLifetimeKilobytes
} }
::= { ipSecAhTransformTable 1 } ::= { ipSecAhTransformTable 1 }
IpSecAhTransformEntry ::= SEQUENCE { IpSecAhTransformEntry ::= SEQUENCE {
ipSecAhTransformPrid InstanceId, ipSecAhTransformPrid InstanceId,
ipSecAhTransformTransformId INTEGER, ipSecAhTransformTransformId IpsecDoiAuthAlgorithm,
ipSecAhTransformIntegrityKey OCTET STRING, ipSecAhTransformIntegrityKey OCTET STRING,
ipSecAhTransformUseReplayPrevention TruthValue, ipSecAhTransformUseReplayPrevention TruthValue,
ipSecAhTransformReplayPreventionWindowSize Unsigned32, ipSecAhTransformReplayPreventionWindowSize Unsigned32,
ipSecAhTransformVendorId OCTET STRING,
ipSecAhTransformMaxLifetimeSeconds Unsigned32, ipSecAhTransformMaxLifetimeSeconds Unsigned32,
ipSecAhTransformMaxLifetimeKilobytes Unsigned64 ipSecAhTransformMaxLifetimeKilobytes Unsigned64
} }
ipSecAhTransformPrid OBJECT-TYPE ipSecAhTransformPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class. " class. "
::= { ipSecAhTransformEntry 1 } ::= { ipSecAhTransformEntry 1 }
ipSecAhTransformTransformId OBJECT-TYPE ipSecAhTransformTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpsecDoiAuthAlgorithm
md5(2),
sha-1(3),
des(4)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the transform ID of the AH algorithm to propose." "Specifies the transform ID of the AH algorithm to propose."
::= { ipSecAhTransformEntry 2 } ::= { ipSecAhTransformEntry 2 }
ipSecAhTransformIntegrityKey OBJECT-TYPE ipSecAhTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When this AH transform instance is used for a Static Action, this "When this AH transform instance is used for a Static Action, this
attribute specifies the integrity key to be used. This attribute attribute specifies the integrity key to be used. This attribute
MUST be ignored when this AH transform instance is used for a MUST be ignored when this AH transform instance is used for a
Negotiation Action." Negotiation Action."
::= { ipSecAhTransformEntry 3 } ::= { ipSecAhTransformEntry 3 }
ipSecAhTransformUseReplayPrevention OBJECT-TYPE ipSecAhTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether to enable replay prevention detection." "Specifies whether to enable replay prevention detection."
::= { ipSecAhTransformEntry 4 } ::= { ipSecAhTransformEntry 4 }
ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "bits"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies, in bits, the length of the sliding window used by the "Specifies, in bits, the length of the sliding window used by the
replay prevention detection mechanism. The value of this property replay prevention detection mechanism. The value of this property
is ignored if UseReplayPrevention is false. It is assumed that the is ignored if UseReplayPrevention is false. It is assumed that the
window size will be power of 2." window size will take a value that is a power of 2."
::= { ipSecAhTransformEntry 5 } ::= { ipSecAhTransformEntry 5 }
ipSecAhTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecAhTransformEntry 6 }
ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum amount of time to propose for a security "Specifies the maximum amount of time to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that the default of 8 hours be used. A A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime." non-zero value indicates the maximum seconds lifetime. This is
::= { ipSecAhTransformEntry 7 } consistent with [RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecAhTransformEntry 6 }
ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security "Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that there should be no maximum kilobyte A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte lifetime. A non-zero value specifies the desired kilobyte
lifetime." lifetime. This is consistent with [RFC3585].
::= { ipSecAhTransformEntry 8 }
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecAhTransformEntry 7 }
-- --
-- --
-- The ipSecEspTransformSetTable -- The ipSecEspTransformSetTable
-- --
ipSecEspTransformSetTable OBJECT-TYPE ipSecEspTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformSetEntry SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies ESP transform sets. Within a transform set, the choices "Specifies ESP transform sets. Within a transform set, the choices
are ORed with preference order. " are ORed with preference order. "
::= { ipSecEspTransform 1 } ::= { ipSecEspTransform 1 }
ipSecEspTransformSetEntry OBJECT-TYPE ipSecEspTransformSetEntry OBJECT-TYPE
SYNTAX IpSecEspTransformSetEntry SYNTAX IpSecEspTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecEspTransformSetPrid } PIB-INDEX { ipSecEspTransformSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecEspTransformSetTransformSetId, ipSecEspTransformSetTransformSetId,
ipSecEspTransformSetTransformId,
ipSecEspTransformSetOrder ipSecEspTransformSetOrder
} }
::= { ipSecEspTransformSetTable 1 } ::= { ipSecEspTransformSetTable 1 }
IpSecEspTransformSetEntry ::= SEQUENCE { IpSecEspTransformSetEntry ::= SEQUENCE {
ipSecEspTransformSetPrid InstanceId, ipSecEspTransformSetPrid InstanceId,
ipSecEspTransformSetTransformSetId TagId, ipSecEspTransformSetTransformSetId TagId,
ipSecEspTransformSetTransformId ReferenceId, ipSecEspTransformSetTransformId ReferenceId,
ipSecEspTransformSetOrder Unsigned16TC ipSecEspTransformSetOrder IpSecOrderTC
} }
ipSecEspTransformSetPrid OBJECT-TYPE ipSecEspTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecEspTransformSetEntry 1 } ::= { ipSecEspTransformSetEntry 1 }
ipSecEspTransformSetTransformSetId OBJECT-TYPE ipSecEspTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An ESP transform set is composed of one or more ESP transforms. "An ESP transform set is composed of one or more ESP transforms.
Each transform belonging to the same set has the same Transforms belonging to the same set have the same
TransformSetId." TransformSetId."
::= { ipSecEspTransformSetEntry 2 } ::= { ipSecEspTransformSetEntry 2 }
ipSecEspTransformSetTransformId OBJECT-TYPE ipSecEspTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecEspTransformEntry } PIB-REFERENCES {ipSecEspTransformEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecEspTransformTable." "A pointer to a valid instance in the ipSecEspTransformTable."
::= { ipSecEspTransformSetEntry 3 } ::= { ipSecEspTransformSetEntry 3 }
ipSecEspTransformSetOrder OBJECT-TYPE ipSecEspTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the transform "An integer that specifies the precedence order of the transform
identified by ipSecEspTransformSetTransformId within a transform identified by ipSecEspTransformSetTransformId within a transform
set. The transform set is identified by set. The transform set is identified by
ipSecEspTransformSetTransformSetId. Transforms within a set are ipSecEspTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a ORed with preference order."
higher preference."
::= { ipSecEspTransformSetEntry 4 } ::= { ipSecEspTransformSetEntry 4 }
-- --
-- --
-- The ipSecEspTransformTable -- The ipSecEspTransformTable
-- --
ipSecEspTransformTable OBJECT-TYPE ipSecEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecEspTransformEntry SYNTAX SEQUENCE OF IpSecEspTransformEntry
PIB-ACCESS install PIB-ACCESS install
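Review bot: replacing the ipSecAhTransformTransformId enumeration md5(2), sha-1(3), des(4) with SYNTAX IpsecDoiAuthAlgorithm changes the value semantics: the old AH values follow the DOI AH transform identifier numbering (2 is MD5), whereas IpsecDoiAuthAlgorithm follows the authentication-algorithm attribute numbering that the old ESP integrity enumeration used (hmacMd5(1), hmacSha(2), desMac(3), kpdk(4)), so value 2 now means HMAC-SHA on the AH side. Either use a TC for the AH transform identifier space, if the DOI TC module provides one, or state in the DESCRIPTION which numbering applies. The point made for ipSecProposalSetOrder applies equally to ipSecAhTransformSetOrder and ipSecEspTransformSetOrder: the dropped sentence about smaller values meaning higher preference must live in IpSecOrderTC or stay in the DESCRIPTION. The added sentence that the first lifetime to expire takes precedence resolves a real ambiguity between ipSecAhTransformMaxLifetimeSeconds and ipSecAhTransformMaxLifetimeKilobytes.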
skipping to change at line 2000 skipping to change at line 2176
PIB-INDEX { ipSecEspTransformPrid } PIB-INDEX { ipSecEspTransformPrid }
UNIQUENESS { UNIQUENESS {
ipSecEspTransformIntegrityTransformId, ipSecEspTransformIntegrityTransformId,
ipSecEspTransformCipherTransformId, ipSecEspTransformCipherTransformId,
ipSecEspTransformIntegrityKey, ipSecEspTransformIntegrityKey,
ipSecEspTransformCipherKey, ipSecEspTransformCipherKey,
ipSecEspTransformCipherKeyRounds, ipSecEspTransformCipherKeyRounds,
ipSecEspTransformCipherKeyLength, ipSecEspTransformCipherKeyLength,
ipSecEspTransformUseReplayPrevention, ipSecEspTransformUseReplayPrevention,
ipSecEspTransformReplayPreventionWindowSize, ipSecEspTransformReplayPreventionWindowSize,
ipSecEspTransformVendorId,
ipSecEspTransformMaxLifetimeSeconds, ipSecEspTransformMaxLifetimeSeconds,
ipSecEspTransformMaxLifetimeKilobytes ipSecEspTransformMaxLifetimeKilobytes
} }
::= { ipSecEspTransformTable 1 } ::= { ipSecEspTransformTable 1 }
IpSecEspTransformEntry ::= SEQUENCE { IpSecEspTransformEntry ::= SEQUENCE {
ipSecEspTransformPrid InstanceId, ipSecEspTransformPrid InstanceId,
ipSecEspTransformIntegrityTransformId INTEGER, ipSecEspTransformIntegrityTransformId IpsecDoiAuthAlgorithm,
ipSecEspTransformCipherTransformId INTEGER, ipSecEspTransformCipherTransformId IpsecDoiEspTransform,
ipSecEspTransformIntegrityKey OCTET STRING, ipSecEspTransformIntegrityKey OCTET STRING,
ipSecEspTransformCipherKey OCTET STRING, ipSecEspTransformCipherKey OCTET STRING,
ipSecEspTransformCipherKeyRounds Unsigned16TC, ipSecEspTransformCipherKeyRounds Unsigned16TC,
ipSecEspTransformCipherKeyLength Unsigned16TC, ipSecEspTransformCipherKeyLength Unsigned16TC,
ipSecEspTransformUseReplayPrevention TruthValue, ipSecEspTransformUseReplayPrevention TruthValue,
ipSecEspTransformReplayPreventionWindowSize Unsigned32, ipSecEspTransformReplayPreventionWindowSize Unsigned32,
ipSecEspTransformVendorId OCTET STRING,
ipSecEspTransformMaxLifetimeSeconds Unsigned32, ipSecEspTransformMaxLifetimeSeconds Unsigned32,
ipSecEspTransformMaxLifetimeKilobytes Unsigned64 ipSecEspTransformMaxLifetimeKilobytes Unsigned64
} }
ipSecEspTransformPrid OBJECT-TYPE ipSecEspTransformPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecEspTransformEntry 1 } ::= { ipSecEspTransformEntry 1 }
ipSecEspTransformIntegrityTransformId OBJECT-TYPE ipSecEspTransformIntegrityTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpsecDoiAuthAlgorithm
none(0),
hmacMd5(1),
hmacSha(2),
desMac(3),
kpdk(4)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the transform ID of the ESP integrity algorithm to "Specifies the transform ID of the ESP integrity algorithm to
propose." propose."
::= { ipSecEspTransformEntry 2 } ::= { ipSecEspTransformEntry 2 }
ipSecEspTransformCipherTransformId OBJECT-TYPE ipSecEspTransformCipherTransformId OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpsecDoiEspTransform
desIV64(1),
des(2),
tripleDES(3),
rc5(4),
idea(5),
cast(6),
blowfish(7),
tripleIDEA(8),
desIV32(9),
rc4(10),
null(11)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the transform ID of the ESP encryption algorithm to "Specifies the transform ID of the ESP encryption algorithm to
propose." propose."
::= { ipSecEspTransformEntry 3 } ::= { ipSecEspTransformEntry 3 }
ipSecEspTransformIntegrityKey OBJECT-TYPE ipSecEspTransformIntegrityKey OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When this ESP transform instance is used for a Static Action, "When this ESP transform instance is used for a Static Action,
this attribute specifies the integrity key to be used. This this attribute specifies the integrity key to be used. This
attribute MUST be ignored when this ESP transform instance is used attribute MUST be ignored when this ESP transform instance is used
for a Negotiation Action." for a Negotiation Action."
::= { ipSecEspTransformEntry 4 } ::= { ipSecEspTransformEntry 4 }
ipSecEspTransformCipherKey OBJECT-TYPE ipSecEspTransformCipherKey OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When this ESP transform instance is used for a Static Action, "When this ESP transform instance is used for a Static Action,
this attribute specifies the cipher key to be used. This attribute this attribute specifies the cipher key to be used. This attribute
MUST be ignored when this ESP transform instance is used for a MUST be ignored when this ESP transform instance is used for a
Negotiation Action." Negotiation Action."
::= { ipSecEspTransformEntry 5 } ::= { ipSecEspTransformEntry 5 }
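Review bot: the old ipSecEspTransformIntegrityTransformId enumeration had none(0) for ESP without an integrity transform; after the switch to SYNTAX IpsecDoiAuthAlgorithm the DESCRIPTION should say which value, if any, expresses "no integrity algorithm", otherwise encryption-only ESP proposals can no longer be configured through this PIB. The ipSecEspTransformCipherTransformId change to IpsecDoiEspTransform keeps the desIV64(1) through null(11) numbering of the old enumeration, so no mapping issue there. Removing ipSecEspTransformVendorId from the UNIQUENESS clause and from the IpSecEspTransformEntry SEQUENCE depends on the matching OBJECT-TYPE removal (entry 10) in the following hunk; the two should be reviewed together.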
skipping to change at line 2102 skipping to change at line 2257
SYNTAX Unsigned16TC SYNTAX Unsigned16TC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the number of key rounds for the ESP encryption "Specifies the number of key rounds for the ESP encryption
algorithm. For encryption algorithms that use fixed number of key algorithm. For encryption algorithms that use fixed number of key
rounds, this value is ignored." rounds, this value is ignored."
::= { ipSecEspTransformEntry 6 } ::= { ipSecEspTransformEntry 6 }
ipSecEspTransformCipherKeyLength OBJECT-TYPE ipSecEspTransformCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX Unsigned16TC
UNITS "bits"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies, in bits, the key length for the ESP encryption "Specifies, in bits, the key length for the ESP encryption
algorithm. For encryption algorithms that use fixed-length keys, algorithm. For encryption algorithms that use fixed-length keys,
this value is ignored." this value is ignored."
::= { ipSecEspTransformEntry 7 } ::= { ipSecEspTransformEntry 7 }
ipSecEspTransformUseReplayPrevention OBJECT-TYPE ipSecEspTransformUseReplayPrevention OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies whether to enable replay prevention detection." "Specifies whether to enable replay prevention detection."
::= { ipSecEspTransformEntry 8 } ::= { ipSecEspTransformEntry 8 }
ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "bits"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies, in bits, the length of the sliding window used by the "Specifies, in bits, the length of the sliding window used by the
replay prevention detection mechanism. The value of this property replay prevention detection mechanism. The value of this property
is ignored if UseReplayPrevention is false. It is assumed that the is ignored if UseReplayPrevention is false. It is assumed that the
window size will be power of 2." window size will take a value that is a power of 2."
::= { ipSecEspTransformEntry 9 } ::= { ipSecEspTransformEntry 9 }
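The two attributes above only carry the switch and the window size; the
receiver-side behaviour they configure is the bitmap sliding window of
RFC 2401 Appendix C. The following is an added illustration, not text or
code from this draft: it enforces the power-of-2 assumption stated in the
description, ignores the window size when replay prevention is off, and
rejects sequence number 0 (which RFC 2406 never transmits). The class and
function names are this example's own.

```python
# Receiver-side anti-replay window driven by the two PIB attributes above.
# Added example, not part of the draft. The bitmap scheme is the one in
# RFC 2401 Appendix C; how a PEP maps the PIB values onto it is assumed.

MAX_SEQ = 0xFFFFFFFF  # 32-bit ESP sequence number (no extended sequence numbers)


class ReplayWindow:
    """Sliding window of `size` sequence numbers whose right edge is the
    highest sequence number accepted so far."""

    def __init__(self, use_replay_prevention: bool, window_size: int):
        # ipSecEspTransformUseReplayPrevention
        self.enabled = use_replay_prevention
        # ipSecEspTransformReplayPreventionWindowSize is ignored when
        # prevention is off; otherwise the draft assumes a power of 2.
        if self.enabled and (window_size <= 0 or window_size & (window_size - 1)):
            raise ValueError("replay window size must be a power of 2")
        self.size = window_size if self.enabled else 0
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  =>  sequence number (top - i) was received

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is fresh (and record it); False if it is a
        replay, has fallen off the left edge of the window, or is out of range."""
        if not self.enabled:
            return True
        if seq == 0 or seq > MAX_SEQ:
            return False                        # 0 is never a valid ESP sequence number
        if seq > self.top:
            shift = seq - self.top              # slide the window to the right
            if shift >= self.size:
                self.bitmap = 1                 # everything previously seen is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                        # older than the window: drop
        bit = 1 << offset
        if self.bitmap & bit:
            return False                        # duplicate inside the window: drop
        self.bitmap |= bit
        return True


def filter_sequence(window: ReplayWindow, seqs):
    """Apply the window to a list of sequence numbers in arrival order and
    return the ones a receiver would pass on to integrity checking."""
    return [s for s in seqs if window.accept(s)]
```

With a 64-entry window, a packet 64 positions behind the highest one seen is
dropped while one 63 behind is still accepted; a window size that is not a
power of 2 (48, say) is refused at configuration time rather than silently
rounded.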
ipSecEspTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecEspTransformEntry 10 }
ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum amount of time to propose for a security "Specifies the maximum amount of time to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that the default of 8 hours be used. A A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime." non-zero value indicates the maximum seconds lifetime. This is
::= { ipSecEspTransformEntry 11 } consistent with [RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecEspTransformEntry 10 }
ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security "Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that there should be no maximum kilobyte A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte lifetime. A non-zero value specifies the desired kilobyte
lifetime." lifetime. This is consistent with [RFC3585].
::= { ipSecEspTransformEntry 12 }
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecEspTransformEntry 11 }
-- --
-- --
-- The ipSecCompTransformSetTable -- The ipSecCompTransformSetTable
-- --
ipSecCompTransformSetTable OBJECT-TYPE ipSecCompTransformSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformSetEntry SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPComp transform sets. Within a transform set, the "Specifies IP COMP transform sets. Within a transform set, the
choices are ORed with preference order." choices are ORed with preference order."
::= { ipSecCompTransform 1 } ::= { ipSecCompTransform 1 }
ipSecCompTransformSetEntry OBJECT-TYPE ipSecCompTransformSetEntry OBJECT-TYPE
SYNTAX IpSecCompTransformSetEntry SYNTAX IpSecCompTransformSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformSetPrid } PIB-INDEX { ipSecCompTransformSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecCompTransformSetTransformSetId, ipSecCompTransformSetTransformSetId,
ipSecCompTransformSetTransformId,
ipSecCompTransformSetOrder ipSecCompTransformSetOrder
} }
::= { ipSecCompTransformSetTable 1 } ::= { ipSecCompTransformSetTable 1 }
IpSecCompTransformSetEntry ::= SEQUENCE { IpSecCompTransformSetEntry ::= SEQUENCE {
ipSecCompTransformSetPrid InstanceId, ipSecCompTransformSetPrid InstanceId,
ipSecCompTransformSetTransformSetId TagId, ipSecCompTransformSetTransformSetId TagId,
ipSecCompTransformSetTransformId ReferenceId, ipSecCompTransformSetTransformId ReferenceId,
ipSecCompTransformSetOrder Unsigned16TC ipSecCompTransformSetOrder IpSecOrderTC
} }
ipSecCompTransformSetPrid OBJECT-TYPE ipSecCompTransformSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCompTransformSetEntry 1 } ::= { ipSecCompTransformSetEntry 1 }
ipSecCompTransformSetTransformSetId OBJECT-TYPE ipSecCompTransformSetTransformSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPCOMP transform set is composed of one or more IPCOMP "An IPCOMP transform set is composed of one or more IPCOMP
transforms. Each transform belonging to the same set has the same transforms. Transforms belonging to the same set have the same
TransformSetId." TransformSetId."
::= { ipSecCompTransformSetEntry 2 } ::= { ipSecCompTransformSetEntry 2 }
ipSecCompTransformSetTransformId OBJECT-TYPE ipSecCompTransformSetTransformId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecCompTransformEntry } PIB-REFERENCES {ipSecCompTransformEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecCompTransformTable." "A pointer to a valid instance in the ipSecCompTransformTable."
::= { ipSecCompTransformSetEntry 3 } ::= { ipSecCompTransformSetEntry 3 }
ipSecCompTransformSetOrder OBJECT-TYPE ipSecCompTransformSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the transform "An integer that specifies the precedence order of the transform
identified by ipSecCompTransformSetTransformId within a transform identified by ipSecCompTransformSetTransformId within a transform
set. The transform set is identified by set. The transform set is identified by
ipSecCompTransformSetTransformSetId. Transforms within a set are ipSecCompTransformSetTransformSetId. Transforms within a set are
ORed with preference order. A smaller integer value indicates a ORed with preference order."
higher preference."
::= { ipSecCompTransformSetEntry 4 } ::= { ipSecCompTransformSetEntry 4 }
-- --
-- --
-- The ipSecCompTransformTable -- The ipSecCompTransformTable
-- --
ipSecCompTransformTable OBJECT-TYPE ipSecCompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCompTransformEntry SYNTAX SEQUENCE OF IpSecCompTransformEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IP compression (IPCOMP) algorithms." "Specifies IP COMP algorithms."
::= { ipSecCompTransform 2 } ::= { ipSecCompTransform 2 }
ipSecCompTransformEntry OBJECT-TYPE ipSecCompTransformEntry OBJECT-TYPE
SYNTAX IpSecCompTransformEntry SYNTAX IpSecCompTransformEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecCompTransformPrid } PIB-INDEX { ipSecCompTransformPrid }
UNIQUENESS { UNIQUENESS {
ipSecCompTransformAlgorithm, ipSecCompTransformAlgorithm,
ipSecCompTransformDictionarySize, ipSecCompTransformDictionarySize,
ipSecCompTransformPrivateAlgorithm,
ipSecCompTransformVendorId,
ipSecCompTransformMaxLifetimeSeconds, ipSecCompTransformMaxLifetimeSeconds,
ipSecCompTransformMaxLifetimeKilobytes ipSecCompTransformMaxLifetimeKilobytes
} }
::= { ipSecCompTransformTable 1 } ::= { ipSecCompTransformTable 1 }
IpSecCompTransformEntry ::= SEQUENCE { IpSecCompTransformEntry ::= SEQUENCE {
ipSecCompTransformPrid InstanceId, ipSecCompTransformPrid InstanceId,
ipSecCompTransformAlgorithm INTEGER, ipSecCompTransformAlgorithm IpsecDoiIpcompTransform,
ipSecCompTransformDictionarySize Unsigned16TC, ipSecCompTransformDictionarySize Unsigned16TC,
ipSecCompTransformPrivateAlgorithm Unsigned32,
ipSecCompTransformVendorId OCTET STRING,
ipSecCompTransformMaxLifetimeSeconds Unsigned32, ipSecCompTransformMaxLifetimeSeconds Unsigned32,
ipSecCompTransformMaxLifetimeKilobytes Unsigned64 ipSecCompTransformMaxLifetimeKilobytes Unsigned64
} }
ipSecCompTransformPrid OBJECT-TYPE ipSecCompTransformPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecCompTransformEntry 1 } ::= { ipSecCompTransformEntry 1 }
ipSecCompTransformAlgorithm OBJECT-TYPE ipSecCompTransformAlgorithm OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpsecDoiIpcompTransform
oui(1),
deflate(2),
lzs(3)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the transform ID of the IPCOMP compression algorithm to "Specifies the transform ID of the IP COMP compression algorithm
propose." to propose."
::= { ipSecCompTransformEntry 2 } ::= { ipSecCompTransformEntry 2 }
ipSecCompTransformDictionarySize OBJECT-TYPE ipSecCompTransformDictionarySize OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX Unsigned16TC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the log2 maximum size of the dictionary for the "Specifies the log2 maximum size of the dictionary for the
compression algorithm. For compression algorithms that have pre- compression algorithm. For compression algorithms that have pre-
defined dictionary sizes, this value is ignored." defined dictionary sizes, this value is ignored."
::= { ipSecCompTransformEntry 3 } ::= { ipSecCompTransformEntry 3 }
ipSecCompTransformPrivateAlgorithm OBJECT-TYPE ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"Specifies a private vendor-specific compression algorithm."
::= { ipSecCompTransformEntry 4 }
ipSecCompTransformVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"Specifies the vendor ID for vendor-defined transforms."
::= { ipSecCompTransformEntry 5 }
ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum amount of time to propose for a security "Specifies the maximum amount of time to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that the default of 8 hours be used. A A value of zero indicates that the default of 8 hours be used. A
non-zero value indicates the maximum seconds lifetime." non-zero value indicates the maximum seconds lifetime. This is
::= { ipSecCompTransformEntry 6 } consistent with [RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecCompTransformEntry 4 }
ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security "Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid. association to remain valid.
A value of zero indicates that there should be no maximum kilobyte A value of zero indicates that there should be no maximum kilobyte
lifetime. A non-zero value specifies the desired kilobyte lifetime. A non-zero value specifies the desired kilobyte
lifetime." lifetime. This is consistent with [RFC3585].
::= { ipSecCompTransformEntry 7 }
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecCompTransformEntry 5 }
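The ESP and IPComp transform classes above share the same lifetime rules:
a zero MaxLifetimeSeconds means the 8-hour default, a zero
MaxLifetimeKilobytes means no byte limit, and when both are set the first
to expire wins. The block below is an added example for both classes, not
code from this draft. It assumes a kilobyte is 1024 bytes (the draft does
not say) and that an SA is torn down at, not after, the limit; the function
names are this example's own.

```python
# Lifetime handling shared by the ESP and IPComp transform classes above.
# Added example, not part of the draft. "Kilobyte" is taken as 1024 bytes
# (an assumption; the draft does not define it) and the 8-hour default is
# the one the descriptions state for a zero seconds lifetime.

DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60   # zero MaxLifetimeSeconds => 8 hours
KILOBYTE = 1024                          # assumption


def effective_lifetimes(max_lifetime_seconds: int, max_lifetime_kilobytes: int):
    """Translate the two PIB attribute values into the limits actually
    proposed: (seconds, kilobytes), with kilobytes None for 'no byte limit'."""
    seconds = DEFAULT_LIFETIME_SECONDS if max_lifetime_seconds == 0 else max_lifetime_seconds
    kilobytes = None if max_lifetime_kilobytes == 0 else max_lifetime_kilobytes
    return seconds, kilobytes


def sa_expired(max_lifetime_seconds: int, max_lifetime_kilobytes: int,
               age_seconds: int, bytes_processed: int):
    """Decide whether an SA built from this transform must be replaced.
    Both limits are checked; whichever is reached first ends the SA.
    Returns (expired, reason)."""
    seconds, kilobytes = effective_lifetimes(max_lifetime_seconds, max_lifetime_kilobytes)
    if age_seconds >= seconds:
        return True, "seconds"
    if kilobytes is not None and bytes_processed >= kilobytes * KILOBYTE:
        return True, "kilobytes"
    return False, None


def first_limit_to_expire(max_lifetime_seconds: int, max_lifetime_kilobytes: int,
                          bytes_per_second: float) -> str:
    """Given an expected throughput, predict which limit will end the SA
    first. Handy for checking whether a configured kilobyte limit is ever
    going to matter before the seconds limit fires."""
    seconds, kilobytes = effective_lifetimes(max_lifetime_seconds, max_lifetime_kilobytes)
    if kilobytes is None or bytes_per_second <= 0:
        return "seconds"
    seconds_until_byte_limit = kilobytes * KILOBYTE / bytes_per_second
    return "kilobytes" if seconds_until_byte_limit < seconds else "seconds"
```

For a transform with MaxLifetimeSeconds 3600 and MaxLifetimeKilobytes 1024 on
a link carrying 1024 bytes per second, the byte limit is reached after 1024
seconds and therefore takes precedence; at 600 seconds the time limit wins.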
-- --
-- --
-- The ipSecIkeRuleTable -- The ipSecIkeRuleTable
-- --
ipSecIkeRuleTable OBJECT-TYPE ipSecIkeRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeRuleEntry SYNTAX SEQUENCE OF IpSecIkeRuleEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE rules. This table is required only when specifying: "Specifies IKEv1 rules. This class is required only when
specifying:
- Multiple IKE phase one actions (e.g., with different exchange - Multiple IKE phase one actions (e.g., with different exchange
modes) that are associated with one IPsec association. These modes) that are associated with one IPsec association. These
actions are to be tried in sequence until one succeeds. actions are to be tried in sequence until one succeeds.
- IKE phase one actions that start automatically. - IKE phase one actions that start automatically.
Support of this table is optional." For each entry:
1. ipSecIkeRuleIfCapSetName must reference an existing capability
set name in frwkCapabilitySetTable [RFC3318].
2. ipSecIkeRuleRoles must reference an existing Role Combination
in frwkRoleComboTable [RFC3318].
If any or both of these requirements is not satisfied, the entry
shall not be installed."
::= { ipSecIkeAssociation 1 } ::= { ipSecIkeAssociation 1 }
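The two install-time requirements just listed, together with the UNIQUENESS
clause of ipSecIkeRuleEntry, are what a PEP has to check before it accepts
an ipSecIkeRuleTable row from the PDP. The following is an added example
of those checks, not code from this draft or from any PEP implementation.
It models frwkCapabilitySetTable as a set of names and frwkRoleComboTable
as a set of (capability set name, role combination) pairs, which is the
pairing the ipSecIkeRuleRoles description requires; class and method names
are this example's own.

```python
# Install-time validation of ipSecIkeRuleTable entries. Added example, not
# part of the draft. frwkCapabilitySetTable and frwkRoleComboTable contents
# are modelled as plain Python sets; a real PEP stores them differently.
from dataclasses import dataclass, astuple


@dataclass(frozen=True)
class IkeRuleEntry:
    prid: int                     # ipSecIkeRulePrid (PIB-INDEX)
    if_cap_set_name: str          # ipSecIkeRuleIfCapSetName
    roles: str                    # ipSecIkeRuleRoles (RoleCombination, e.g. "edge+vpn")
    ike_action_set_id: int        # ipSecIkeRuleIkeActionSetId
    execution_strategy: int       # ipSecIkeRuleActionExecutionStrategy
    limit_negotiation: int        # ipSecIkeRuleLimitNegotiation
    auto_start: bool              # ipSecIkeRuleAutoStart
    time_period_group_id: int     # ipSecIkeRuleIpSecRuleTimePeriodGroupId

    def uniqueness_key(self):
        # Every attribute except the PRID appears in the UNIQUENESS clause.
        return astuple(self)[1:]


class IkeRuleTable:
    def __init__(self, capability_set_names, role_combos):
        self.capability_set_names = set(capability_set_names)  # frwkCapabilitySetTable
        self.role_combos = set(role_combos)                    # (cap set name, role combination)
        self.entries = {}                                      # prid -> IkeRuleEntry

    def install(self, entry: IkeRuleEntry):
        """Return (installed, reason). An entry whose references do not
        resolve is rejected outright rather than installed with dangling
        pointers, as the table description requires."""
        if entry.if_cap_set_name not in self.capability_set_names:
            return False, "ipSecIkeRuleIfCapSetName: no such frwkCapabilitySetTable entry"
        if (entry.if_cap_set_name, entry.roles) not in self.role_combos:
            return False, "ipSecIkeRuleRoles: no frwkRoleComboTable entry for this capability set"
        for other in self.entries.values():
            if other.prid != entry.prid and other.uniqueness_key() == entry.uniqueness_key():
                return False, "UNIQUENESS: duplicates entry with PRID %d" % other.prid
        self.entries[entry.prid] = entry
        return True, "installed"
```

A second row that differs from an installed one only in its PRID is refused
under UNIQUENESS; a row naming a role combination that is registered for a
different capability set is refused under requirement 2 even though the
role combination itself exists.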
ipSecIkeRuleEntry OBJECT-TYPE ipSecIkeRuleEntry OBJECT-TYPE
SYNTAX IpSecIkeRuleEntry SYNTAX IpSecIkeRuleEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeRulePrid } PIB-INDEX { ipSecIkeRulePrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeRuleIfName, ipSecIkeRuleIfCapSetName,
ipSecIkeRuleRoles, ipSecIkeRuleRoles,
ipSecIkeRuleIkeActionSetId, ipSecIkeRuleIkeActionSetId,
ipSecIkeRuleActionExecutionStrategy, ipSecIkeRuleActionExecutionStrategy,
ipSecIkeRuleLimitNegotiation, ipSecIkeRuleLimitNegotiation,
ipSecIkeRuleAutoStart ipSecIkeRuleAutoStart,
ipSecIkeRuleIpSecRuleTimePeriodGroupId
} }
::= { ipSecIkeRuleTable 1 } ::= { ipSecIkeRuleTable 1 }
IpSecIkeRuleEntry ::= SEQUENCE { IpSecIkeRuleEntry ::= SEQUENCE {
ipSecIkeRulePrid InstanceId, ipSecIkeRulePrid InstanceId,
ipSecIkeRuleIfName SnmpAdminString, ipSecIkeRuleIfCapSetName SnmpAdminString,
ipSecIkeRuleRoles RoleCombination, ipSecIkeRuleRoles RoleCombination,
ipSecIkeRuleIkeActionSetId TagReferenceId, ipSecIkeRuleIkeActionSetId TagReferenceId,
ipSecIkeRuleActionExecutionStrategy INTEGER, ipSecIkeRuleActionExecutionStrategy INTEGER,
ipSecIkeRuleLimitNegotiation INTEGER, ipSecIkeRuleLimitNegotiation INTEGER,
ipSecIkeRuleAutoStart TruthValue, ipSecIkeRuleAutoStart TruthValue,
ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
} }
ipSecIkeRulePrid OBJECT-TYPE ipSecIkeRulePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIkeRuleEntry 1 } ::= { ipSecIkeRuleEntry 1 }
ipSecIkeRuleIfName OBJECT-TYPE ipSecIkeRuleIfCapSetName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The interface capability set to which this IKE rule applies. The "The interface capability set to which this IKE rule applies. The
interface capability name specified by this attribute must exist interface capability name specified by this attribute must exist
in the frwkCapabilitySetTable [9] prior to association with an
instance of this class.
in the frwkCapabilitySetTable [RFC3318] prior to association with
an instance of this class.
This attribute MUST be ignored if ipSecIkeRuleAutoStart is false." This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkeRuleEntry 2 } ::= { ipSecIkeRuleEntry 2 }
ipSecIkeRuleRoles OBJECT-TYPE ipSecIkeRuleRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the role combination of the interface to which this IKE "Specifies the role combination of the interface to which this IKE
rule should apply. There must exist an instance in the rule should apply. There must exist an instance in the
frwkRoleComboTable [9] specifying this role combination, together frwkRoleComboTable [RFC3318] specifying this role combination,
with the interface capability set specified by ipSecIkeRuleIfName, together with the interface capability set specified by
prior to association with an instance of this class. ipSecIkeRuleIfCapSetName, prior to association with an instance of
this class.
This attribute MUST be ignored if ipSecIkeRuleAutoStart is false." This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
::= { ipSecIkeRuleEntry 3 } ::= { ipSecIkeRuleEntry 3 }
ipSecIkeRuleIkeActionSetId OBJECT-TYPE ipSecIkeRuleIkeActionSetId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecIkeActionSetActionSetId } PIB-TAG { ipSecIkeActionSetActionSetId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Identifies a set of IKE actions to be associated with this rule." "Identifies a set of IKE actions to be associated with this rule."
skipping to change at line 2461 skipping to change at line 2614
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the strategy to be used in executing the sequenced "Specifies the strategy to be used in executing the sequenced
actions in the action set identified by ipSecIkeRuleIkeActionSetId. actions in the action set identified by ipSecIkeRuleIkeActionSetId.
DoAll (1) causes the execution of all the actions in the action DoAll (1) causes the execution of all the actions in the action
set according to their defined precedence order. The precedence set according to their defined precedence order. The precedence
order is specified by the ipSecIkeActionSetOrder in order is specified by the ipSecIkeActionSetOrder in
ipSecIkeActionSetTable. ipSecIkeActionSetTable.
DoUntilSuccess (2) causes the execution of actions according to DoUntilSuccess (2) causes the execution of actions according to
their defined precedence order until a successful execution of a their defined precedence order until a successful execution of a
single action. The precedence order is specified by the single action. The precedence order is specified by the
ipSecIkeActionSetOrder in ipSecIkeActionSetTable." ipSecIkeActionSetOrder in ipSecIkeActionSetTable."
::= { ipSecIkeRuleEntry 5 } ::= { ipSecIkeRuleEntry 5 }
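The two strategies differ only in whether execution stops at the first
phase 1 action that succeeds, and both depend on the rows of the action
set having a well-defined order. The block below is an added example of
that evaluation, not code from this draft. Each row is the pair
(ipSecIkeActionSetOrder, ipSecIkeActionSetActionId) from one action set;
the example assumes, as the draft-09 wording said explicitly, that a
smaller order value is tried first, and it refuses sets with duplicate
order values, which the draft-10 UNIQUENESS clause (ActionSetId, Order)
rules out. Function names are this example's own.

```python
# Executing one ipSecIkeActionSet under the two strategies above. Added
# example, not part of the draft. Rows are (ipSecIkeActionSetOrder,
# ipSecIkeActionSetActionId); lower order values are assumed to be tried
# first, as the draft-09 text stated explicitly.

DO_ALL = 1            # doAll(1)
DO_UNTIL_SUCCESS = 2  # doUntilSuccess(2)


def ordered_actions(action_set_rows):
    """Sort the rows of one ipSecIkeActionSetActionSetId by order value and
    reject ties, which the (ActionSetId, Order) UNIQUENESS clause forbids
    because they would leave the attempt sequence undefined."""
    orders = [order for order, _ in action_set_rows]
    if len(orders) != len(set(orders)):
        raise ValueError("duplicate ipSecIkeActionSetOrder within one action set")
    return sorted(action_set_rows, key=lambda row: row[0])


def execute_action_set(action_set_rows, strategy, run_action):
    """run_action(action_id) -> True when that phase 1 action (a row of
    ipSecIkeAssociationTable) negotiates successfully. Returns the list of
    (action_id, result) in the order the actions were attempted."""
    if strategy not in (DO_ALL, DO_UNTIL_SUCCESS):
        raise ValueError("unknown ipSecIkeRuleActionExecutionStrategy %r" % (strategy,))
    attempted = []
    for _, action_id in ordered_actions(action_set_rows):
        ok = bool(run_action(action_id))
        attempted.append((action_id, ok))
        if strategy == DO_UNTIL_SUCCESS and ok:
            break                       # first success ends the sequence
    return attempted
```

For a set whose main-mode action fails and whose base-mode action succeeds,
doUntilSuccess stops after the second attempt, while doAll goes on to try
the aggressive-mode action as well.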
ipSecIkeRuleLimitNegotiation OBJECT-TYPE ipSecIkeRuleLimitNegotiation OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
initiator(1), initiator(1),
responder(2), responder(2),
both(3) both(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Limits the negotiation method. Before proceeding with a phase 1 "Limits the negotiation method. Before proceeding with a phase 1
negotiation, this property is checked to determine if the negotiation, this property is checked to determine if the
negotiation role of the rule matches that defined for the negotiation role of the rule matches that defined for the
negotiation being undertaken (e.g., Initiator, Responder, or negotiation being undertaken (e.g., Initiator, Responder, or
Both). If this check fails (e.g. the current role is IKE responder Both). If this check fails (e.g. the current role is IKE responder
while the rule specifies IKE initiator), then the IKE negotiation while the rule specifies IKE initiator), then the IKE negotiation
skipping to change at line 2516 skipping to change at line 2670
-- --
-- --
-- The ipSecIkeActionSetTable -- The ipSecIkeActionSetTable
-- --
ipSecIkeActionSetTable OBJECT-TYPE ipSecIkeActionSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeActionSetEntry SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE action sets." "Specifies IKEv1 action sets."
::= { ipSecIkeAssociation 2 } ::= { ipSecIkeAssociation 2 }
ipSecIkeActionSetEntry OBJECT-TYPE ipSecIkeActionSetEntry OBJECT-TYPE
SYNTAX IpSecIkeActionSetEntry SYNTAX IpSecIkeActionSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeActionSetPrid } PIB-INDEX { ipSecIkeActionSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeActionSetActionSetId, ipSecIkeActionSetActionSetId,
ipSecIkeActionSetActionId,
ipSecIkeActionSetOrder ipSecIkeActionSetOrder
} }
::= { ipSecIkeActionSetTable 1 } ::= { ipSecIkeActionSetTable 1 }
IpSecIkeActionSetEntry ::= SEQUENCE { IpSecIkeActionSetEntry ::= SEQUENCE {
ipSecIkeActionSetPrid InstanceId, ipSecIkeActionSetPrid InstanceId,
ipSecIkeActionSetActionSetId TagId, ipSecIkeActionSetActionSetId TagId,
ipSecIkeActionSetActionId ReferenceId, ipSecIkeActionSetActionId ReferenceId,
ipSecIkeActionSetOrder Unsigned16TC ipSecIkeActionSetOrder IpSecOrderTC
} }
ipSecIkeActionSetPrid OBJECT-TYPE ipSecIkeActionSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIkeActionSetEntry 1 } ::= { ipSecIkeActionSetEntry 1 }
ipSecIkeActionSetActionSetId OBJECT-TYPE ipSecIkeActionSetActionSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IKE action set is composed of one or more IKE actions. Each "An IKE action set is composed of one or more IKE actions. Actions
action belonging to the same set has the same ActionSetId." belonging to the same set have the same ActionSetId."
::= { ipSecIkeActionSetEntry 2 } ::= { ipSecIkeActionSetEntry 2 }
ipSecIkeActionSetActionId OBJECT-TYPE ipSecIkeActionSetActionId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecIkeAssociationEntry } PIB-REFERENCES {ipSecIkeAssociationEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecIkeAssociationTable." "A pointer to a valid instance in the ipSecIkeAssociationTable."
::= { ipSecIkeActionSetEntry 3 } ::= { ipSecIkeActionSetEntry 3 }
ipSecIkeActionSetOrder OBJECT-TYPE ipSecIkeActionSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the precedence order of the action within the action "Specifies the precedence order of the action within the action
set. An action with a smaller precedence order is to be tried set."
before one with a larger precedence order. "
::= { ipSecIkeActionSetEntry 4 } ::= { ipSecIkeActionSetEntry 4 }
-- --
-- --
-- The ipSecIkeAssociationTable -- The ipSecIkeAssociationTable
-- --
ipSecIkeAssociationTable OBJECT-TYPE ipSecIkeAssociationTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeAssociationEntry SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IKE associations." "Specifies IKEv1 associations. "
::= { ipSecIkeAssociation 3 } ::= { ipSecIkeAssociation 3 }
ipSecIkeAssociationEntry OBJECT-TYPE ipSecIkeAssociationEntry OBJECT-TYPE
SYNTAX IpSecIkeAssociationEntry SYNTAX IpSecIkeAssociationEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIkeAssociationPrid } PIB-INDEX { ipSecIkeAssociationPrid }
UNIQUENESS { UNIQUENESS {
ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLiftetimeSeconds,
skipping to change at line 2622 skipping to change at line 2774
ipSecIkeAssociationDoActionLogging, ipSecIkeAssociationDoActionLogging,
ipSecIkeAssociationIkeProposalSetId ipSecIkeAssociationIkeProposalSetId
} }
::= { ipSecIkeAssociationTable 1 } ::= { ipSecIkeAssociationTable 1 }
IpSecIkeAssociationEntry ::= SEQUENCE { IpSecIkeAssociationEntry ::= SEQUENCE {
ipSecIkeAssociationPrid InstanceId, ipSecIkeAssociationPrid InstanceId,
ipSecIkeAssociationMinLiftetimeSeconds Unsigned32, ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
ipSecIkeAssociationMinLifetimeKilobytes Unsigned64, ipSecIkeAssociationMinLifetimeKilobytes Unsigned64,
ipSecIkeAssociationIdleDurationSeconds Unsigned32, ipSecIkeAssociationIdleDurationSeconds Unsigned32,
ipSecIkeAssociationExchangeMode INTEGER, ipSecIkeAssociationExchangeMode IpSecExchangeModeTC,
ipSecIkeAssociationUseIkeIdentityType INTEGER, ipSecIkeAssociationUseIkeIdentityType IpsecDoiIdentType,
ipSecIkeAssociationUseIkeIdentityValue OCTET STRING, ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
ipSecIkeAssociationIkePeerEndpoint ReferenceId, ipSecIkeAssociationIkePeerEndpoint ReferenceId,
ipSecIkeAssociationPresharedKey OCTET STRING, ipSecIkeAssociationPresharedKey OCTET STRING,
ipSecIkeAssociationVendorId OCTET STRING, ipSecIkeAssociationVendorId OCTET STRING,
ipSecIkeAssociationAggressiveModeGroupId IkeGroupDescription,
ipSecIkeAssociationAggressiveModeGroupId Unsigned16TC,
ipSecIkeAssociationLocalCredentialId TagReferenceId, ipSecIkeAssociationLocalCredentialId TagReferenceId,
ipSecIkeAssociationDoActionLogging TruthValue, ipSecIkeAssociationDoActionLogging TruthValue,
ipSecIkeAssociationIkeProposalSetId TagReferenceId ipSecIkeAssociationIkeProposalSetId TagReferenceId
} }
ipSecIkeAssociationPrid OBJECT-TYPE ipSecIkeAssociationPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIkeAssociationEntry 1 } ::= { ipSecIkeAssociationEntry 1 }
ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum SA seconds lifetime that will be accepted "Specifies the minimum SA seconds lifetime that will be accepted
from a peer while negotiating an SA based upon this action. from a peer while negotiating an SA based upon this action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime in
enforced." seconds enforced. This is consistent with [RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecIkeAssociationEntry 2 } ::= { ipSecIkeAssociationEntry 2 }
ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64 SYNTAX Unsigned64
UNITS "kilobytes" UNITS "kilobytes"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the minimum kilobyte lifetime that will be accepted "Specifies the minimum kilobyte lifetime that will be accepted
from a negotiating peer while negotiating an SA based upon this from a negotiating peer while negotiating an SA based upon this
action. action.
A value of zero indicates that there is no minimum lifetime A value of zero indicates that there is no minimum lifetime in
enforced." byte count enforced. This is consistent with [RFC3585].
When both the LifetimeSeconds and LifetimeKilobytes are used, the
first lifetime to expire takes precedence."
::= { ipSecIkeAssociationEntry 3 } ::= { ipSecIkeAssociationEntry 3 }
ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies how long, in seconds, a security association may remain "Specifies how long, in seconds, a security association may remain
unused before it is deleted. unused before it is deleted.
A value of zero indicates that idle detection should not be used A value of zero indicates that idle detection should not be used
for the security association (only the seconds and kilobyte for the security association (only the seconds and kilobyte
lifetimes will be used)." lifetimes will be used). This is consistent with [RFC3585]. "
::= { ipSecIkeAssociationEntry 4 } ::= { ipSecIkeAssociationEntry 4 }
ipSecIkeAssociationExchangeMode OBJECT-TYPE ipSecIkeAssociationExchangeMode OBJECT-TYPE
SYNTAX IpSecExchangeModeTC
SYNTAX INTEGER {
baseMode(1),
mainMode(2),
aggressiveMode(4)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the negotiation mode that the IKE server will use for "Specifies the negotiation mode that the IKE server will use for
phase one." phase one."
::= { ipSecIkeAssociationEntry 5 } ::= { ipSecIkeAssociationEntry 5 }
ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpsecDoiIdentType
ipV4-Address(1),
fqdn(2),
user-Fqdn(3),
ipV4-Subnet(4),
ipV6-Address(5),
ipV6-Subnet(6),
ipV4-Address-Range(7),
ipV6-Address-Range(8),
der-Asn1-DN(9),
der-Asn1-GN(10),
key-Id(11)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of IKE identity to use during IKE phase one "Specifies the type of IKE identity to use during IKE phase one
negotiation." negotiation."
::= { ipSecIkeAssociationEntry 6 } ::= { ipSecIkeAssociationEntry 6 }
ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
skipping to change at line 2741 (draft-09) / line 2881 (draft-10)
STATUS current
DESCRIPTION
"Pointer to a valid instance in the ipSecIkePeerEndpointTable to
indicate an IKE peer endpoint."
::= { ipSecIkeAssociationEntry 8 }
ipSecIkeAssociationPresharedKey OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute specifies the preshared key or secret to use for
IKE authentication. This is the key for all the IKE proposals of
this association that set ipSecIkeProposalAuthenticationMethod to
presharedKey(1)."
::= { ipSecIkeAssociationEntry 9 }
ipSecIkeAssociationVendorId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
draft-09:
   "Specifies the value to be used in the Vendor ID payload.
   A value of NULL means that Vendor ID payload will be neither
   generated nor accepted. A non-NULL value means that a Vendor ID
   payload will be generated (when acting as an initiator) or is
   expected (when acting as a responder). "
draft-10:
   "Specifies the value to be used in the Vendor ID payload. It is a
   hash value as defined in [RFC2408] Section 3.16.
   A zero length OCTET STRING means that Vendor ID payload will be
   neither generated nor accepted. Otherwise, it means that a Vendor
   ID payload will be generated (when acting as an initiator) or is
   expected (when acting as a responder). "
::= { ipSecIkeAssociationEntry 10 }
ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
draft-09:
   SYNTAX Unsigned16TC
draft-10:
   SYNTAX IkeGroupDescription
STATUS current
DESCRIPTION
draft-09:
   "Specifies the group ID to be used for aggressive mode. This
   attribute is ignored unless the attribute
   ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
   the value of this attribute is from the vendor-specific range
   (32768-65535), this attribute qualifies the group number."
draft-10:
   "Specifies the group ID to be used for aggressive mode. This
   attribute is ignored unless the attribute
   ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). "
::= { ipSecIkeAssociationEntry 11 }
ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialSetSetId }
STATUS current
DESCRIPTION
"Indicates a group of credentials. One of the credentials in the
group MUST be used when establishing an IKE association with the
peer endpoint."
skipping to change at line 2797 (draft-09) / line 2936 (draft-10)
DESCRIPTION
"Specifies whether a log message is to be generated when the
negotiation is attempted (with the success or failure result)."
::= { ipSecIkeAssociationEntry 13 }
ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecIkeProposalSetProposalSetId }
STATUS current
DESCRIPTION
"Identifies a set of IKE proposals that is associated with this
IKE association."
::= { ipSecIkeAssociationEntry 14 }
--
--
-- The ipSecIkeProposalSetTable
--
ipSecIkeProposalSetTable OBJECT-TYPE
skipping to change at line 2825 (draft-09) / line 2960 (draft-10)
"Specifies IKE proposal sets. Proposals within a set are ORed with
preference order. "
::= { ipSecIkeAssociation 4 }
ipSecIkeProposalSetEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeProposalSetPrid }
draft-09:
   UNIQUENESS {
       ipSecIkeProposalSetProposalSetId,
       ipSecIkeProposalSetProposalId,
       ipSecIkeProposalSetOrder
   }
draft-10:
   UNIQUENESS {
       ipSecIkeProposalSetProposalSetId,
       ipSecIkeProposalSetOrder
   }
::= { ipSecIkeProposalSetTable 1 }
IpSecIkeProposalSetEntry ::= SEQUENCE {
ipSecIkeProposalSetPrid InstanceId,
ipSecIkeProposalSetProposalSetId TagId,
ipSecIkeProposalSetProposalId ReferenceId,
draft-09:
   ipSecIkeProposalSetOrder Unsigned16TC
draft-10:
   ipSecIkeProposalSetOrder IpSecOrderTC
}
ipSecIkeProposalSetPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeProposalSetEntry 1 }
ipSecIkeProposalSetProposalSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
draft-09:
   "An IKE proposal set is composed of one or more IKE proposals.
   Each proposal belonging to the same set has the same
   ProposalSetId. "
draft-10:
   "An IKE proposal set is composed of one or more IKE proposals.
   Proposals belonging to the same set have the same ProposalSetId. "
::= { ipSecIkeProposalSetEntry 2 }
ipSecIkeProposalSetProposalId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecIkeProposalEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecIkeProposalTable."
::= { ipSecIkeProposalSetEntry 3 }
ipSecIkeProposalSetOrder OBJECT-TYPE
draft-09:
   SYNTAX Unsigned16TC
draft-10:
   SYNTAX IpSecOrderTC
STATUS current
DESCRIPTION
draft-09:
   "An integer that specifies the precedence order of the proposal
   identified by ipSecIkeProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecIkeProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A smaller
   integer value indicates a higher preference."
draft-10:
   "An integer that specifies the precedence order of the proposal
   identified by ipSecIkeProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecIkeProposalSetProposalSetId.
   Proposals within a set are ORed with preference order."
::= { ipSecIkeProposalSetEntry 4 }
--
--
-- The ipSecIkeProposalTable
--
ipSecIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkeProposalEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
draft-09:
   "Specifies IKE proposals."
draft-10:
   "Specifies IKEv1 proposals."
::= { ipSecIkeAssociation 5 }
ipSecIkeProposalEntry OBJECT-TYPE
SYNTAX IpSecIkeProposalEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecIkeProposalPrid }
draft-09:
   UNIQUENESS {
       ipSecIkeProposalMaxLifetimeSeconds,
       ipSecIkeProposalMaxLifetimeKilobytes,
       ipSecIkeProposalCipherAlgorithm,
       ipSecIkeProposalHashAlgorithm,
       ipSecIkeProposalAuthenticationMethod,
       ipSecIkeProposalPrfAlgorithm,
       ipSecIkeProposalIkeDhGroup,
       ipSecIkeProposalVendorId
   }
draft-10:
   UNIQUENESS {
       ipSecIkeProposalMaxLifetimeSeconds,
       ipSecIkeProposalMaxLifetimeKilobytes,
       ipSecIkeProposalCipherAlgorithm,
       ipSecIkeProposalHashAlgorithm,
       ipSecIkeProposalAuthenticationMethod,
       ipSecIkeProposalPrfAlgorithm,
       ipSecIkeProposalIkeDhGroup
   }
::= { ipSecIkeProposalTable 1 }
draft-09:
   IpSecIkeProposalEntry ::= SEQUENCE {
       ipSecIkeProposalPrid InstanceId,
       ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
       ipSecIkeProposalMaxLifetimeKilobytes Unsigned64,
       ipSecIkeProposalCipherAlgorithm INTEGER,
       ipSecIkeProposalHashAlgorithm INTEGER,
       ipSecIkeProposalAuthenticationMethod INTEGER,
       ipSecIkeProposalPrfAlgorithm Unsigned16TC,
       ipSecIkeProposalIkeDhGroup Unsigned16TC,
       ipSecIkeProposalVendorId OCTET STRING
   }
draft-10:
   IpSecIkeProposalEntry ::= SEQUENCE {
       ipSecIkeProposalPrid InstanceId,
       ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
       ipSecIkeProposalMaxLifetimeKilobytes Unsigned64,
       ipSecIkeProposalCipherAlgorithm IkeEncryptionAlgorithm,
       ipSecIkeProposalHashAlgorithm IkeHashAlgorithm,
       ipSecIkeProposalAuthenticationMethod IkeAuthMethod,
       ipSecIkeProposalPrfAlgorithm Unsigned16TC,
       ipSecIkeProposalIkeDhGroup IkeGroupDescription
   }
ipSecIkeProposalPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkeProposalEntry 1 }
ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
STATUS current
DESCRIPTION
"Specifies the maximum amount of time to propose for a security
association to remain valid.
draft-09:
   A value of zero indicates that the default of 8 hours be used. A
   non-zero value indicates the maximum seconds lifetime."
draft-10:
   A value of zero indicates that the default of 8 hours be used. A
   non-zero value indicates the maximum seconds lifetime. This is
   consistent with [RFC3585].
   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
::= { ipSecIkeProposalEntry 2 }
ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
SYNTAX Unsigned64
UNITS "kilobytes"
STATUS current
DESCRIPTION
"Specifies the maximum kilobyte lifetime to propose for a security
association to remain valid.
draft-09:
   A value of zero indicates that there should be no maximum kilobyte
   lifetime. A non-zero value specifies the desired kilobyte
   lifetime."
draft-10:
   A value of zero indicates that there should be no maximum kilobyte
   lifetime. A non-zero value specifies the desired kilobyte
   lifetime. This is consistent with [RFC3585].
   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
::= { ipSecIkeProposalEntry 3 }
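The three lifetime objects above (the idle time at ipSecIkeAssociationEntry 4, ipSecIkeProposalMaxLifetimeSeconds and ipSecIkeProposalMaxLifetimeKilobytes) each give the value zero a different meaning, and draft-10 adds that whichever of the seconds and kilobyte limits expires first takes precedence. The Python below is an added example, not text or code from either draft: it encodes those zero rules and the first-to-expire rule for a live SA. The SaUsage counters are assumed to come from the PEP's SA database; they are not PIB objects.

```python
"""Apply the PIB lifetime semantics to a live IKE security association.

Zero means: MaxLifetimeSeconds 0 -> 8 hour default; MaxLifetimeKilobytes 0 ->
no byte limit; idle seconds 0 -> idle detection off.  The first limit reached
ends the SA.  Added example; not part of the IPsec PIB draft.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_MAX_LIFETIME_SECONDS = 8 * 60 * 60   # "the default of 8 hours"


@dataclass(frozen=True)
class SaLifetimes:
    max_seconds: int = 0      # ipSecIkeProposalMaxLifetimeSeconds
    max_kilobytes: int = 0    # ipSecIkeProposalMaxLifetimeKilobytes (Unsigned64)
    idle_seconds: int = 0     # idle time object, ipSecIkeAssociationEntry 4

    def effective_seconds(self) -> int:
        # Zero selects the default; a seconds limit always exists.
        return self.max_seconds or DEFAULT_MAX_LIFETIME_SECONDS

    def effective_kilobytes(self) -> Optional[int]:
        # Zero means "no maximum kilobyte lifetime".
        return self.max_kilobytes or None

    def effective_idle(self) -> Optional[int]:
        # Zero means idle detection is not used for this SA.
        return self.idle_seconds or None


@dataclass(frozen=True)
class SaUsage:
    """Counters assumed to be read from the SA database (not PIB objects)."""
    age_seconds: int
    kilobytes: int
    idle_seconds: int


def expiry_reason(lifetimes: SaLifetimes, usage: SaUsage) -> Optional[str]:
    """Return the limit that has been reached ('seconds', 'kilobytes', 'idle')
    or None while the SA is still valid.  A disabled limit is never reached."""
    if usage.age_seconds >= lifetimes.effective_seconds():
        return "seconds"
    kb_limit = lifetimes.effective_kilobytes()
    if kb_limit is not None and usage.kilobytes >= kb_limit:
        return "kilobytes"
    idle_limit = lifetimes.effective_idle()
    if idle_limit is not None and usage.idle_seconds >= idle_limit:
        return "idle"
    return None


def first_to_expire(lifetimes: SaLifetimes, kilobytes_per_second: float) -> str:
    """Predict, for a steady traffic rate, which of the two proposal lifetimes
    expires first; that one takes precedence per draft-10."""
    seconds_limit = lifetimes.effective_seconds()
    kb_limit = lifetimes.effective_kilobytes()
    if kb_limit is None or kilobytes_per_second <= 0:
        return "seconds"            # no byte limit, or no traffic to exhaust it
    seconds_until_kb_limit = kb_limit / kilobytes_per_second
    return "kilobytes" if seconds_until_kb_limit < seconds_limit else "seconds"
```

A PEP that rekeys on the earlier of the two limits can use first_to_expire to schedule the rekey; expiry_reason is the check run against the counters at enforcement time.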
ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
draft-09:
   SYNTAX INTEGER {
       des-CBC(1),
       idea-CBC(2),
       blowfish-CBC(3),
       rc5-R16-B64-CBC(4),
       tripleDes-CBC(5),
       cast-CBC(6)
   }
draft-10:
   SYNTAX IkeEncryptionAlgorithm
STATUS current
DESCRIPTION
"Specifies the encryption algorithm to propose for the IKE
association."
::= { ipSecIkeProposalEntry 4 }
ipSecIkeProposalHashAlgorithm OBJECT-TYPE
draft-09:
   SYNTAX INTEGER {
       md5(1),
       sha-1(2),
       tiger(3)
   }
draft-10:
   SYNTAX IkeHashAlgorithm
STATUS current
DESCRIPTION
"Specifies the hash algorithm to propose for the IKE association."
::= { ipSecIkeProposalEntry 5 }
ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
draft-09:
   SYNTAX INTEGER {
       presharedKey(1),
       dssSignatures(2),
       rsaSignatures(3),
       rsaEncryption(4),
       revisedRsaEncryption(5),
       kerberos(6)
   }
draft-10:
   SYNTAX IkeAuthMethod
STATUS current
DESCRIPTION
"Specifies the authentication method to propose for the IKE
association."
::= { ipSecIkeProposalEntry 6 }
ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
SYNTAX Unsigned16TC
STATUS current
DESCRIPTION
draft-09:
   "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
   association."
draft-10:
   "Specifies the Pseudo-Random Function (PRF) to propose for the IKE
   association. As indicated in [RFC2409], there are currently no
   negotiable pseudo-random functions defined in this document.
   Private use attribute values can be used for prf negotiation
   between consenting parties. "
::= { ipSecIkeProposalEntry 7 }
ipSecIkeProposalIkeDhGroup OBJECT-TYPE
draft-09:
   SYNTAX Unsigned16TC
draft-10:
   SYNTAX IkeGroupDescription
STATUS current
DESCRIPTION
draft-09:
   "Specifies the Diffie-Hellman group to propose for the IKE
   association. The value of this property is to be ignored when
   doing aggressive mode."
draft-10:
   "The value of this property indicates the Diffie-Hellman group
   number to propose for the IKE association.
   The value of this property is to be ignored when doing aggressive
   mode."
::= { ipSecIkeProposalEntry 8 }
draft-09 only (object removed in draft-10):
   ipSecIkeProposalVendorId OBJECT-TYPE
   SYNTAX OCTET STRING
   STATUS current
   DESCRIPTION
   "Further qualifies the key exchange group. The property is
   ignored unless the exchange is not in aggressive mode and the
   property GroupID is in the vendor-specific range."
   ::= { ipSecIkeProposalEntry 9 }
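Proposal sets are ORed in preference order (draft-09 states that a smaller ipSecIkeProposalSetOrder means higher preference), each ipSecIkeProposalSetProposalId is a ReferenceId into ipSecIkeProposalTable, the association's ipSecIkeAssociationPresharedKey applies to every proposal that selects presharedKey(1), and in aggressive mode the group comes from ipSecIkeAssociationAggressiveModeGroupId because ipSecIkeProposalIkeDhGroup is to be ignored. The Python below is an added example, not code from the draft: it walks those references for one association and then performs responder-side selection over the ORed list. The rows, the enumeration values (taken from draft-09's INTEGER lists) and the choice of attributes that must agree on the responder side are assumptions made for the example.

```python
"""Resolve the ordered IKEv1 phase-one proposal list for one ipSecIkeAssociationEntry.

Tables are modelled as plain rows keyed by PRID.  Added example; the rows and the
responder-side match key are constructed for illustration, not taken from the draft.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# ipSecIkeAssociationExchangeMode values (draft-09 enumeration)
BASE_MODE, MAIN_MODE, AGGRESSIVE_MODE = 1, 2, 4
# ipSecIkeProposalAuthenticationMethod values (draft-09 enumeration)
PRESHARED_KEY, DSS_SIGNATURES, RSA_SIGNATURES = 1, 2, 3
# ipSecIkeProposalCipherAlgorithm / HashAlgorithm values used below (draft-09)
TRIPLE_DES_CBC, DES_CBC, SHA1, MD5 = 5, 1, 2, 1


@dataclass(frozen=True)
class IkeProposal:                  # one ipSecIkeProposalEntry row
    prid: int
    max_lifetime_seconds: int
    max_lifetime_kilobytes: int
    cipher: int
    hash_alg: int
    auth_method: int
    dh_group: int                   # ipSecIkeProposalIkeDhGroup


@dataclass(frozen=True)
class ProposalSetRow:               # one ipSecIkeProposalSetEntry row
    prid: int
    set_id: int                     # ipSecIkeProposalSetProposalSetId (TagId)
    proposal_id: int                # ipSecIkeProposalSetProposalId -> IkeProposal.prid
    order: int                      # ipSecIkeProposalSetOrder, smaller = preferred


@dataclass(frozen=True)
class IkeAssociation:               # the ipSecIkeAssociationEntry columns used here
    exchange_mode: int
    proposal_set_id: int            # ipSecIkeAssociationIkeProposalSetId
    aggressive_mode_group_id: int   # ipSecIkeAssociationAggressiveModeGroupId
    preshared_key: bytes            # ipSecIkeAssociationPresharedKey


def ordered_proposals(assoc: IkeAssociation, set_rows: List[ProposalSetRow],
                      proposals: Dict[int, IkeProposal]) -> List[IkeProposal]:
    """Proposals of assoc's set in preference order, ready to be ORed into the
    phase-one SA payload.  Raises ValueError for an empty set, a dangling
    ReferenceId, or a preshared-key proposal with no key configured."""
    members = sorted((r for r in set_rows if r.set_id == assoc.proposal_set_id),
                     key=lambda r: r.order)
    if not members:
        raise ValueError(f"proposal set {assoc.proposal_set_id} has no members")
    result = []
    for row in members:
        if row.proposal_id not in proposals:
            raise ValueError(f"set row {row.prid} references missing proposal {row.proposal_id}")
        prop = proposals[row.proposal_id]
        if prop.auth_method == PRESHARED_KEY and not assoc.preshared_key:
            raise ValueError(f"proposal {prop.prid} uses presharedKey(1) but no key is set")
        if assoc.exchange_mode == AGGRESSIVE_MODE:
            # The group must be fixed before the first aggressive-mode message, so it
            # is taken from the association and the proposal's own group is ignored.
            prop = replace(prop, dh_group=assoc.aggressive_mode_group_id)
        result.append(prop)
    return result


def choose_proposal(offered: List[IkeProposal],
                    acceptable: List[IkeProposal]) -> Optional[IkeProposal]:
    """Responder-side selection: the proposals are ORed, so the first offered one
    (in the initiator's preference order) whose cipher, hash, authentication
    method and group all match one of the responder's proposals wins.  Lifetimes
    are deliberately not part of the key (assumption: the responder may shorten them)."""
    def key(p: IkeProposal):
        return (p.cipher, p.hash_alg, p.auth_method, p.dh_group)
    accepted = {key(p) for p in acceptable}
    for p in offered:
        if key(p) in accepted:
            return p
    return None


# Constructed sample rows.  Group 14 is the 2048-bit MODP group of RFC 3526.
PROPOSALS = {p.prid: p for p in (
    IkeProposal(1, 28800, 0, TRIPLE_DES_CBC, SHA1, RSA_SIGNATURES, 14),
    IkeProposal(2, 28800, 0, TRIPLE_DES_CBC, SHA1, PRESHARED_KEY, 2),
    IkeProposal(3, 3600, 0, DES_CBC, MD5, PRESHARED_KEY, 1),
)}
SET_ROWS = [ProposalSetRow(10, set_id=100, proposal_id=3, order=30),
            ProposalSetRow(11, set_id=100, proposal_id=1, order=10),
            ProposalSetRow(12, set_id=100, proposal_id=2, order=20)]
MAIN_ASSOC = IkeAssociation(MAIN_MODE, 100, 0, b"constructed-psk")
AGGR_ASSOC = IkeAssociation(AGGRESSIVE_MODE, 100, 2, b"constructed-psk")
NO_KEY_ASSOC = IkeAssociation(MAIN_MODE, 100, 0, b"")
```

Note that the row order in the table (PRIDs 10, 11, 12) is irrelevant; only ipSecIkeProposalSetOrder decides the sequence sent on the wire, which is why the set rows carry an explicit order column rather than relying on instance numbering.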
--
--
-- The ipSecIkePeerEndpointTable
--
ipSecIkePeerEndpointTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
PIB-ACCESS install
STATUS current
skipping to change at line 3063 (draft-09) / line 3177 (draft-10)
ipSecIkePeerEndpointIdentityType,
ipSecIkePeerEndpointIdentityValue,
ipSecIkePeerEndpointIsNegated,
ipSecIkePeerEndpointAddress,
ipSecIkePeerEndpointCredentialSetId
}
::= { ipSecIkePeerEndpointTable 1 }
IpSecIkePeerEndpointEntry ::= SEQUENCE {
ipSecIkePeerEndpointPrid InstanceId,
draft-09:
   ipSecIkePeerEndpointIdentityType INTEGER,
draft-10:
   ipSecIkePeerEndpointIdentityType IpsecDoiIdentType,
ipSecIkePeerEndpointIdentityValue OCTET STRING,
ipSecIkePeerEndpointIsNegated TruthValue,
ipSecIkePeerEndpointAddress ReferenceId,
ipSecIkePeerEndpointCredentialSetId TagReferenceId
}
ipSecIkePeerEndpointPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecIkePeerEndpointEntry 1 }
ipSecIkePeerEndpointIdentityType OBJECT-TYPE
draft-09:
   SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
   }
draft-10:
   SYNTAX IpsecDoiIdentType
STATUS current
DESCRIPTION
"Specifies the type of identity that MUST be provided by the peer
in the ID payload during IKE phase one negotiation."
::= { ipSecIkePeerEndpointEntry 2 }
ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
skipping to change at line 3130 (draft-09) / line 3231 (draft-10)
- an IdentityValue of *@example.com will match a user FQDN ID
payload of JDOE@EXAMPLE.COM
- an IdentityValue of *.example.com will match a FQDN ID payload
of WWW.EXAMPLE.COM
- an IdentityValue of cn=*,ou=engineering,o=company,c=us will
match a DER DN ID payload of cn=John Doe, ou=engineering,
o=company, c=us
draft-09:
   - an IdentityValue of 193.190.125.0/24 will match an IPv4 address
   ID payload of 193.190.125.10.
   - an IdentityValue of 193.190.125.* will also match an IPv4
   address ID payload of 193.190.125.10.
draft-10:
   - an IdentityValue of 192.0.2.0/24 will match an IPv4 address ID
   payload of 192.0.2.10.
   - an IdentityValue of 192.0.2.* will also match an IPv4 address ID
   payload of 192.0.2.10.
The above wildcard mechanisms MUST be supported for all ID
payloads supported by the local IKE entity. The character *
replaces 0 or multiple instances of any character."
::= { ipSecIkePeerEndpointEntry 3 }
ipSecIkePeerEndpointIsNegated OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
skipping to change at line 3164 (draft-09) / line 3265 (draft-10)
ipSecIkePeerEndpointAddress OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecAddressEntry }
STATUS current
DESCRIPTION
"A pointer to a valid entry in the ipSecAddressTable to specify
the endpoint address with which this PEP establishes IKE
association. The pointed address MUST be a single endpoint
address. This attribute is used only when the IKE association is
to be started automatically. Hence, the value of this attribute
MUST be zero if ipSecIkeRuleAutoStart is false."
::= { ipSecIkePeerEndpointEntry 5 }
ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialSetSetId }
STATUS current
DESCRIPTION
"Identifies a set of credentials. Any one of the credentials in
the set is acceptable as the IKE peer credential."
::= { ipSecIkePeerEndpointEntry 6 }
skipping to change at line 3188 (draft-09) / line 3287 (draft-10)
--
--
-- The ipSecCredentialSetTable
--
ipSecCredentialSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialSetEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies credential sets.
For IKE peer credentials, any one of the credentials in the set is
acceptable as peer credential during IKE phase 1 negotiation. For
IKE local credentials, any one of the credentials in the set can
be used in IKE phase 1 negotiation."
::= { ipSecCredential 1 }
ipSecCredentialSetEntry OBJECT-TYPE
SYNTAX IpSecCredentialSetEntry
STATUS current
DESCRIPTION
"Specifies an instance of this class"
PIB-INDEX { ipSecCredentialSetPrid }
draft-09:
   UNIQUENESS {
       ipSecCredentialSetPrid,
       ipSecCredentialSetSetId,
       ipSecCredentialSetCredentialId
   }
draft-10:
   UNIQUENESS {
       ipSecCredentialSetSetId,
       ipSecCredentialSetCredentialId
   }
::= { ipSecCredentialSetTable 1 }
IpSecCredentialSetEntry ::= SEQUENCE {
ipSecCredentialSetPrid InstanceId,
ipSecCredentialSetSetId TagId,
ipSecCredentialSetCredentialId ReferenceId
}
skipping to change at line 3231 (draft-09) / line 3329 (draft-10)
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecCredentialSetEntry 1 }
ipSecCredentialSetSetId OBJECT-TYPE
SYNTAX TagId
STATUS current
DESCRIPTION
draft-09:
   "A credential set is composed of one or more credentials. Each
   credential belonging to the same set has the same
   CredentialSetId."
draft-10:
   "A credential set is composed of one or more credentials.
   Credentials belonging to the same set have the same
   CredentialSetId."
::= { ipSecCredentialSetEntry 2 }
ipSecCredentialSetCredentialId OBJECT-TYPE
SYNTAX ReferenceId
PIB-REFERENCES {ipSecCredentialEntry }
STATUS current
DESCRIPTION
"A pointer to a valid instance in the ipSecCredentialTable."
::= { ipSecCredentialSetEntry 3 }
--
--
-- The ipSecCredentialTable
--
ipSecCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecCredentialEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Specifies credentials."
::= { ipSecCredential 2 }
ipSecCredentialEntry OBJECT-TYPE
SYNTAX IpSecCredentialEntry
skipping to change at line 3275 (draft-09) / line 3373 (draft-10)
PIB-INDEX { ipSecCredentialPrid }
UNIQUENESS {
ipSecCredentialCredentialType,
ipSecCredentialFieldsId,
ipSecCredentialCrlDistributionPoint
}
::= { ipSecCredentialTable 1 }
IpSecCredentialEntry ::= SEQUENCE {
ipSecCredentialPrid InstanceId,
draft-09:
   ipSecCredentialCredentialType INTEGER,
draft-10:
   ipSecCredentialCredentialType IpSecCredTypeTC,
ipSecCredentialFieldsId TagReferenceId,
ipSecCredentialCrlDistributionPoint OCTET STRING
}
ipSecCredentialPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecCredentialEntry 1 }
ipSecCredentialCredentialType OBJECT-TYPE
draft-09:
   SYNTAX INTEGER {
       certificateX509(1),
       kerberos-ticket(2)
   }
draft-10:
   SYNTAX IpSecCredTypeTC
STATUS current
DESCRIPTION
"Specifies the type of credential to be matched."
::= { ipSecCredentialEntry 2 }
ipSecCredentialFieldsId OBJECT-TYPE
SYNTAX TagReferenceId
PIB-TAG { ipSecCredentialFieldsSetId }
STATUS current
DESCRIPTION
"Identifies a group of matching criteria to be used for the peer
credential. The identified criteria MUST all be satisfied."
::= { ipSecCredentialEntry 3 }
ipSecCredentialCrlDistributionPoint OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"When credential type is certificate X509, this attribute
identifies the Certificate Revocation List (CRL) distribution
point for this credential."
::= { ipSecCredentialEntry 4 }
--
--
skipping to change at line 3350 (draft-09) / line 3445 (draft-10)
UNIQUENESS {
ipSecCredentialFieldsName,
ipSecCredentialFieldsValue,
ipSecCredentialFieldsIsNegated,
ipSecCredentialFieldsSetId
}
::= { ipSecCredentialFieldsTable 1 }
draft-09:
   IpSecCredentialFieldsEntry ::= SEQUENCE {
       ipSecCredentialFieldsPrid InstanceId,
       ipSecCredentialFieldsName OCTET STRING,
       ipSecCredentialFieldsValue OCTET STRING,
       ipSecCredentialFieldsIsNegated TruthValue,
       ipSecCredentialFieldsSetId TagId
   }
draft-10:
   IpSecCredentialFieldsEntry ::= SEQUENCE {
       ipSecCredentialFieldsPrid InstanceId,
       ipSecCredentialFieldsName SnmpAdminString,
       ipSecCredentialFieldsValue SnmpAdminString,
       ipSecCredentialFieldsIsNegated TruthValue,
       ipSecCredentialFieldsSetId TagId
   }
ipSecCredentialFieldsPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index that uniquely identifies an instance of this
class."
::= { ipSecCredentialFieldsEntry 1 }
ipSecCredentialFieldsName OBJECT-TYPE
draft-09:
   SYNTAX OCTET STRING
draft-10:
   SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"Specifies the sub-field of the credential to match with. This is
the string representation of an X.509 certificate attribute, e.g.
serialNumber, issuerName, subjectName, etc."
::= { ipSecCredentialFieldsEntry 2 }
ipSecCredentialFieldsValue OBJECT-TYPE
draft-09:
   SYNTAX OCTET STRING
draft-10:
   SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"Specifies the value to match with for the sub-field identified by
ipSecCredentialFieldsName. A wildcard mechanism can be used in the
Value string. E.g., if the Name is subjectName then a Value of
cn=*,ou=engineering,o=foo,c=be will match successfully a
certificate whose subject attribute is cn=Jane Doe,
ou=engineering, o=foo, c=be. The wildcard character * can be used
to represent 0 or several characters.
draft-09:
   If the ipSecCredentialFieldsName corresponds to a
   DistinguishedName, this value in the CIM class is represented by
   an ordinary string value. However, an implementation must convert
   this string to a DER-encoded string before matching against the
   values extracted from credentials at runtime. "
draft-10:
   If the ipSecCredentialFieldsName corresponds to a
   DistinguishedName, this value is represented by a string value.
   However, an implementation must convert this string to a
   DER-encoded string before matching against the values extracted
   from credentials at runtime. "
::= { ipSecCredentialFieldsEntry 3 }
ipSecCredentialFieldsIsNegated OBJECT-TYPE ipSecCredentialFieldsIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute behaves like a logical NOT for the credential "This attribute behaves like a logical NOT for the credential
field match. If the value of this attribute is 'true', the field match. If the value of this attribute is 'true', the
credential field specified by ipSecCredentialFieldsName MUST not credential field specified by ipSecCredentialFieldsName MUST not
match the vaule specified by ipSecCredentialFieldsValue." match the vaule specified by ipSecCredentialFieldsValue."
::= { ipSecCredentialFieldsEntry 4 } ::= { ipSecCredentialFieldsEntry 4 }
ipSecCredentialFieldsSetId OBJECT-TYPE ipSecCredentialFieldsSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the set this criteria belongs to. All criteria within a "Specifies the set this criteria belongs to. All criteria within a
set MUST all be satisfied." set MUST all be satisfied."
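Review bot: the -10 text for ipSecCredentialFieldsValue keeps the requirement that a DistinguishedName value be converted to a DER-encoded string before matching, yet the same description allows the wildcard '*' in the value (e.g. cn=*,ou=engineering,o=foo,c=be); a pattern containing '*' is not a valid DN and cannot be DER-encoded, so the description should say whether wildcard values are matched against the string form of the credential's DN and only literal values are DER-encoded. Also 'vaule' in ipSecCredentialFieldsIsNegated and the double period in 'etc..' in ipSecCredentialFieldsName are carried over unchanged from -09.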
::= { ipSecCredentialFieldsEntry 5 } ::= { ipSecCredentialFieldsEntry 5 }
-- --
-- --
-- The ipSecSelectorSetTable -- The ipSecSelectorSetTable
-- --
ipSecSelectorSetTable OBJECT-TYPE ipSecSelectorSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecSelectorSetEntry SYNTAX SEQUENCE OF IpSecSelectorSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec selector sets." "Specifies IPsec selector sets."
::= { ipSecSelector 1 } ::= { ipSecSelector 1 }
ipSecSelectorSetEntry OBJECT-TYPE ipSecSelectorSetEntry OBJECT-TYPE
SYNTAX IpSecSelectorSetEntry SYNTAX IpSecSelectorSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecSelectorSetPrid } PIB-INDEX { ipSecSelectorSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecSelectorSetSelectorSetId, ipSecSelectorSetSelectorSetId,
ipSecSelectorSetSelectorId, ipSecSelectorSetOrder
ipSecSelectorSetOrder,
ipSecSelectorSetIsNegated
} }
::= { ipSecSelectorSetTable 1 } ::= { ipSecSelectorSetTable 1 }
IpSecSelectorSetEntry ::= SEQUENCE { IpSecSelectorSetEntry ::= SEQUENCE {
ipSecSelectorSetPrid InstanceId, ipSecSelectorSetPrid InstanceId,
ipSecSelectorSetSelectorSetId TagId, ipSecSelectorSetSelectorSetId TagId,
ipSecSelectorSetSelectorId Prid, ipSecSelectorSetSelectorId Prid,
ipSecSelectorSetOrder Unsigned16TC, ipSecSelectorSetOrder IpSecOrderTC,
ipSecSelectorSetIsNegated TruthValue ipSecSelectorSetIsNegated TruthValue
} }
ipSecSelectorSetPrid OBJECT-TYPE ipSecSelectorSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecSelectorSetEntry 1 } ::= { ipSecSelectorSetEntry 1 }
ipSecSelectorSetSelectorSetId OBJECT-TYPE ipSecSelectorSetSelectorSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPsec selector set is composed of one or more IPsec selectors. "An IPsec selector set is composed of one or more IPsec selectors.
Each selector belonging to the same set has the same Selectors belonging to the same set have the same SelectorSetId."
SelectorSetId."
::= { ipSecSelectorSetEntry 2 } ::= { ipSecSelectorSetEntry 2 }
ipSecSelectorSetSelectorId OBJECT-TYPE ipSecSelectorSetSelectorId OBJECT-TYPE
SYNTAX Prid SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in another table that describes "A pointer to a valid instance in another class that describes
selectors. To use selectors defined in this IPsec PIB module, this selectors. To use selectors defined in this IPsec PIB module, this
attribute MUST point to an instance in ipSecSelectorTable. This attribute MUST point to an instance in ipSecSelectorTable. This
attribute may also point to an instance in a selector or filter attribute may also point to an instance in a selector or filter
table defined in other PIB modules." PRC defined in other PIB modules."
::= { ipSecSelectorSetEntry 3 } ::= { ipSecSelectorSetEntry 3 }
ipSecSelectorSetOrder OBJECT-TYPE ipSecSelectorSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the selectors "An integer that specifies the precedence order of the selectors
identified by ipSecSelectorId within a selector set. The selector identified by ipSecSelectorId within a selector set. The selector
set is identified by ipSecSelectorSetId. A smaller integer value set is identified by ipSecSelectorSetId. "
indicates a higher preference. All selectors constructed from the
instance pointed by ipSecSelectorId have the same order."
::= { ipSecSelectorSetEntry 4 } ::= { ipSecSelectorSetEntry 4 }
ipSecSelectorSetIsNegated OBJECT-TYPE ipSecSelectorSetIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If the value of this attribute is 'true', the filters pointed by "If the value of this attribute is 'true', the filters pointed by
ipSecSelectorSetSelectorId SHALL be negated." ipSecSelectorSetSelectorId SHALL be negated."
::= { ipSecSelectorSetEntry 5 } ::= { ipSecSelectorSetEntry 5 }
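Review bot: the description of ipSecSelectorSetOrder refers to ipSecSelectorId and ipSecSelectorSetId, which are not attributes of this PRC; the objects defined above are ipSecSelectorSetSelectorId and ipSecSelectorSetSelectorSetId, and the text should use those names. Two consequences of this hunk also deserve a sentence each: the UNIQUENESS clause now covers only ipSecSelectorSetSelectorSetId and ipSecSelectorSetOrder, so two rows in the same set can no longer share an order value (which the deleted -09 sentence 'All selectors constructed from the instance pointed by ipSecSelectorId have the same order' allowed), and the sentence 'A smaller integer value indicates a higher preference' was removed together with the change to IpSecOrderTC, so the direction of precedence must now be defined by that TC or it is undefined here.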
skipping to change at line 3522 skipping to change at line 3610
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPsec selectors. Each row in the selector table "Specifies IPsec selectors. Each row in the selector table
represents multiple selectors. These selectors are obtained as represents multiple selectors. These selectors are obtained as
follows: follows:
1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP 1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorSrcAddressGroupId. matches the ipSecSelectorSrcAddressGroupId.
2. Substitute the ipSecSelectorDstAddressGroupId with all the IP 2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
addresses from the ipSecAddressTable whose ipSecAddressGroupId addresses from the ipSecAddressTable whose ipSecAddressGroupId
matches the ipSecSelectorDstAddressGroupId. matches the ipSecSelectorDstAddressGroupId.
3. Substitute the ipSecSelectorSrcPortGroupId with all the ports 3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorSrcPortGroupId. ipSecSelectorSrcPortGroupId.
4. Substitute the ipSecSelectorDstPortGroupId with all the ports 4. Substitute the ipSecSelectorDstPortGroupId with all the ports
or ranges of port whose ipSecL4PortGroupId matches the or ranges of port whose ipSecL4PortGroupId matches the
ipSecSelectorDstPortGroupId. ipSecSelectorDstPortGroupId.
5. Construct all the possible combinations of the above four 5. Construct all the possible combinations of the above four
fields. Then add to the combinations the ipSecSelectorProtocol, fields. Then add to the combinations the ipSecSelectorProtocol,
ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
all the selectors.el attributes to form the list of selectors. all the selectors.
The relative order of the selectors constructed from a single row The relative order of the selectors constructed from a single row
is unspecified. " is unspecified. "
::= { ipSecSelector 2 } ::= { ipSecSelector 2 }
ipSecSelectorEntry OBJECT-TYPE ipSecSelectorEntry OBJECT-TYPE
SYNTAX IpSecSelectorEntry SYNTAX IpSecSelectorEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
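Review bot: the five expansion steps in the ipSecSelectorTable description do not say what a group id of zero substitutes to, although ipSecSelectorSrcAddressGroupId and the port group attributes below define zero as 'any'; read literally, step 1 finds no ipSecAddressTable rows whose ipSecAddressGroupId is zero, the cross product in step 5 is empty, and the row yields no selectors, so the policy silently does not apply. Suggest stating that a zero group id contributes a single wildcard element, and that a non-zero group id matching no rows is an install-time error rather than an empty expansion.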
skipping to change at line 3578 skipping to change at line 3666
ipSecSelectorDstPortGroupId TagReferenceId, ipSecSelectorDstPortGroupId TagReferenceId,
ipSecSelectorProtocol Unsigned32, ipSecSelectorProtocol Unsigned32,
ipSecSelectorDscp DscpOrAny, ipSecSelectorDscp DscpOrAny,
ipSecSelectorFlowLabel IPv6FlowLabelOrAny ipSecSelectorFlowLabel IPv6FlowLabelOrAny
} }
ipSecSelectorPrid OBJECT-TYPE ipSecSelectorPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecSelectorEntry 1 } ::= { ipSecSelectorEntry 1 }
ipSecSelectorSrcAddressGroupId OBJECT-TYPE ipSecSelectorSrcAddressGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecAddressGroupId } PIB-TAG { ipSecAddressGroupId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates source addresses. All addresses in ipSecAddressTable "Indicates source addresses. All addresses in ipSecAddressTable
whose ipSecAddressGroupId matches this value are included as whose ipSecAddressGroupId matches this value are included as
source addresses. source addresses.
A value of zero indicates wildcard address, i.e., any address A value of zero indicates wildcard address, i.e., any address
matches." matches."
::= { ipSecSelectorEntry 2 } ::= { ipSecSelectorEntry 2 }
ipSecSelectorSrcPortGroupId OBJECT-TYPE ipSecSelectorSrcPortGroupId OBJECT-TYPE
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecL4PortGroupId } PIB-TAG { ipSecL4PortGroupId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates source layer 4 port numbers. All ports in ipSecL4Port "Indicates source layer 4 port numbers. All ports in ipSecL4Port
whose ipSecL4PortGroupId matches this value are included. whose ipSecL4PortGroupId matches this value are included.
A value of zero indicates wildcard port, i.e., any port number A value of zero indicates wildcard port, i.e., any port number
matches." matches."
skipping to change at line 3635 skipping to change at line 3722
SYNTAX TagReferenceId SYNTAX TagReferenceId
PIB-TAG { ipSecL4PortGroupId } PIB-TAG { ipSecL4PortGroupId }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates destination layer 4 port numbers. All ports in "Indicates destination layer 4 port numbers. All ports in
ipSecL4Port whose ipSecL4PortGroupId matches this value are ipSecL4Port whose ipSecL4PortGroupId matches this value are
included. included.
A value of zero indicates wildcard port, i.e., any port number A value of zero indicates wildcard port, i.e., any port number
matches." matches."
::= { ipSecSelectorEntry 5 } ::= { ipSecSelectorEntry 5 }
ipSecSelectorProtocol OBJECT-TYPE ipSecSelectorProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255) SYNTAX Unsigned32 (0..255)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The layer-4 protocol Id to match against the IPv4 protocol number "The layer-4 protocol Id to match against the IPv4 protocol number
or the IPv6 Next-Header number in the packet. A value of 255 means or the IPv6 Next-Header number in the packet. A value of 255 means
match all. Note the protocol number of 255 is reserved by IANA, match all. Note the protocol number of 255 is reserved by IANA,
and Next-Header number of 0 is used in IPv6." and Next-Header number of 0 is used in IPv6."
::= { ipSecSelectorEntry 6 } ::= { ipSecSelectorEntry 6 }
ipSecSelectorDscp OBJECT-TYPE ipSecSelectorDscp OBJECT-TYPE
SYNTAX DscpOrAny SYNTAX DscpOrAny
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value that the DSCP in the packet can have and match this "The value that the DSCP in the packet can have and match this
filter. A value of -1 indicates that a specific DSCP value has not filter. A value of -1 indicates that a specific DSCP value has not
been defined and thus all DSCP values are considered a match." been defined and thus all DSCP values are considered a match."
::= { ipSecSelectorEntry 7 } ::= { ipSecSelectorEntry 7 }
ipSecSelectorFlowLabel OBJECT-TYPE ipSecSelectorFlowLabel OBJECT-TYPE
SYNTAX IPv6FlowLabelOrAny SYNTAX IPv6FlowLabelOrAny
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The flow identifier or flow label in an IPv6 packet header that "The flow identifier or flow label in an IPv6 packet header that
skipping to change at line 3679 skipping to change at line 3766
-- --
-- --
-- The ipSecAddressTable -- The ipSecAddressTable
-- --
ipSecAddressTable OBJECT-TYPE ipSecAddressTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecAddressEntry SYNTAX SEQUENCE OF IpSecAddressEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table allows the specification of a single IP address, a "This class allows the specification of a single IP address, a
subnet consisting of an IP address and the prefix length, an IP subnet consisting of an IP address and the prefix length, an IP
address range, and a wild-card IP address. address range, and a wild-card IP address.
If the address type is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', to If the address type is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', to
specify a single IP address the values of ipSecAddressAddrMin and specify a single IP address the values of ipSecAddressAddrMin and
ipSecAddressAddrMax MUST be the same and the ipSecAddressAddrMax MUST be the same and the
ipSecAddressAddrPrefixLength MUST have a value of 32 or greater ipSecAddressAddrPrefixLength MUST have a value of 32 or greater
(128 or greater for 'ipv6' or 'ipv6z'). To specify a subnet, the (128 or greater for 'ipv6' or 'ipv6z'). To specify a subnet, the
values of ipSecAddressAddrMin and ipSecAddressAddrMax MUST be the values of ipSecAddressAddrMin and ipSecAddressAddrMax MUST be the
same and the ipSecAddressAddrPrefixLength MUST have a value same and the ipSecAddressAddrPrefixLength MUST have a value
between 0 and 32 (128 for 'ipv6' or 'ipv6z'). To specify an IP between 0 and 32 (128 for 'ipv6' or 'ipv6z'). To specify an IP
address range, the values of ipSecAddressAddrMin and address range, the values of ipSecAddressAddrMin and
ipSecAddressAddrMax MUST be different and the ipSecAddressAddrMax MUST be different and the
ipSecAddressAddrPrefixLength MUST have a value of 32 (or 128 for ipSecAddressAddrPrefixLength MUST have a value of 32 (or 128 for
'ipv6' or 'ipv6z') 'ipv6' or 'ipv6z')
If the address type is 'dns', ipSecAddressAddrMin and If the address type is 'dns', ipSecAddressAddrMin and
ipSecAddressAddrMax MUST contain the same 'dns' address. The ipSecAddressAddrMax MUST contain the same 'dns' address. The
ipSecAddressAddrPrefixLength MUST be ignored. The mapping of the ipSecAddressAddrPrefixLength MUST be ignored. The mapping of the
address value to IPv4 or IPv6 addresses MUST be done by the PEP at address value to IPv4 or IPv6 addresses MUST be done by the PEP at
install time. A dns name may be mapped into multiple single IP install time. A dns name may be mapped into multiple single IP
addresses. Each of them becomes a single row in the resulted addresses. Each of them becomes a single row in the resulted
address table. address table.
To specify a wild-card IP address, the To specify a wild-card IP address, the
ipSecAddressAddrPrefixLength MUST be zero. " ipSecAddressAddrPrefixLength MUST be zero. "
::= { ipSecSelector 3 } ::= { ipSecSelector 3 }
ipSecAddressEntry OBJECT-TYPE ipSecAddressEntry OBJECT-TYPE
SYNTAX IpSecAddressEntry SYNTAX IpSecAddressEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecAddressPrid } PIB-INDEX { ipSecAddressPrid }
UNIQUENESS { UNIQUENESS {
ipSecAddressAddressType, ipSecAddressAddressType,
ipSecAddressAddrPrefixLength, ipSecAddressAddrPrefixLength,
ipSecAddressAddrMin, ipSecAddressAddrMin,
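Review bot: the boundary values in the ipSecAddressTable description overlap. A single address requires ipSecAddressAddrPrefixLength '32 or greater', a subnet requires 'between 0 and 32', a range requires exactly 32 and a wild-card requires zero, so a row with equal Min and Max and a prefix length of 32 is both a single address and a subnet, and a prefix length of 0 is both a subnet and a wild-card. Suggest making the subnet case 'between 1 and 31' (1 to 127 for 'ipv6' or 'ipv6z') so that each row has exactly one interpretation. For the 'dns' case it would also help to say that the name is resolved once at install time and that the resulting rows are not refreshed if the name's resolution later changes.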
skipping to change at line 3748 skipping to change at line 3834
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecAddressEntry 1 } ::= { ipSecAddressEntry 1 }
ipSecAddressAddressType OBJECT-TYPE ipSecAddressAddressType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the type of IP address. "Specifies the type of IP address.
While other types of addresses are defined in the InetAddressType While other types of addresses are defined in the InetAddressType
textual convention, an IP filter can only use IPv4 and IPv6 textual convention, an IP filter can only use IPv4 and IPv6
addresses directly to classify traffic. All other InetAddressTypes addresses directly to classify traffic. All other InetAddressTypes
require mapping to the corresponding Ipv4 or IPv6 address before require mapping to the corresponding Ipv4 or IPv6 address before
being used to classify traffic. Therefore, this object as such is being used to classify traffic. Therefore, this object as such is
not limited to IPv4 and IPv6 addresses, i.e., it can be assigned not limited to IPv4 and IPv6 addresses, i.e., it can be assigned
any of the valid values defined in the InetAddressType TC, but the any of the valid values defined in the InetAddressType TC, but the
mapping of the address values to IPv4 or IPv6 addresses must be mapping of the address values to IPv4 or IPv6 addresses must be
done by the PEP at install time. " done by the PEP at install time. "
::= { ipSecAddressEntry 2 } ::= { ipSecAddressEntry 2 }
ipSecAddressAddrPrefixLength OBJECT-TYPE ipSecAddressAddrPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength SYNTAX InetAddressPrefixLength
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The length of a mask for the matching of IP address. This "The length of a mask for the matching of IP address. This
attribute is interpreted only if the InetAddressType is 'ipv4', attribute is interpreted only if the InetAddressType is 'ipv4',
'ipv4z', 'ipv6' or 'ipv6z'. 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the most- Masks are constructed by setting bits in sequence from the most-
significant bit downwards for ipSecAddressAddrPrefixLength bits significant bit downwards for ipSecAddressAddrPrefixLength bits
length. All other bits in the mask, up to the number needed to length. All other bits in the mask, up to the number needed to
fill the length of the address ipSecAddressAddrMin are cleared to fill the length of the address ipSecAddressAddrMin are cleared to
zero. A zero bit in the mask then means that the corresponding bit zero. A zero bit in the mask then means that the corresponding bit
skipping to change at line 3793 skipping to change at line 3879
host address, and a length between 0 and 32 indicates the use of a host address, and a length between 0 and 32 indicates the use of a
CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax have CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax have
different values, this attribute MUST have a value of 32 to different values, this attribute MUST have a value of 32 to
indicate an IP address range. indicate an IP address range.
In IPv6 addresses, a length of 0 indicates a match of any address. In IPv6 addresses, a length of 0 indicates a match of any address.
When ipSecAddressAddrMin and ipSecAddressAddrMax have the same When ipSecAddressAddrMin and ipSecAddressAddrMax have the same
value, a length of 128 or greater indicates a match of a single value, a length of 128 or greater indicates a match of a single
host address, and a length between 0 and 128 indicates the use of host address, and a length between 0 and 128 indicates the use of
a CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax a CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax
have different values, this attribute MUST have a value of 128 in have different values, this attribute MUST have value of 128 in
order to indicate an IP address range." order to indicate an IP address range."
::= { ipSecAddressEntry 3 } ::= { ipSecAddressEntry 3 }
ipSecAddressAddrMin OBJECT-TYPE ipSecAddressAddrMin OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an IP address. The type of the address is specified by "Specifies an IP address. The type of the address is specified by
the ipSecAddressAddressType attribute. If the address type is the ipSecAddressAddressType attribute. If the address type is
'ipv4', 'ipv6', 'ipv4z' or 'ipv6z' then, the attribute 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z' then, the attribute
ipSecAddressAddrPrefixLength indicates the number of bits that are ipSecAddressAddrPrefixLength indicates the number of bits that are
relevant." relevant."
::= { ipSecAddressEntry 4 } ::= { ipSecAddressEntry 4 }
ipSecAddressAddrMax OBJECT-TYPE ipSecAddressAddrMax OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If a range of addresses is used then this specifies the ending "If a range of addresses is used then this specifies the ending
address. The type of the address is specified by the address. The type of the address is specified by the
ipSecAddressAddressType attribute. ipSecAddressAddressType attribute.
To specify a single IP addres or a subnet, this attribute MUST be To specify a single IP addres or a subnet, this attribute MUST be
the same as that of ipSecAddressAddrMin. the same as that of ipSecAddressAddrMin.
When ipSecAddressAddressType is 'dns', this attribute MUST contain When ipSecAddressAddressType is 'dns', this attribute MUST contain
the same DNS address as ipSecAddressAddrMin" the same DNS address as ipSecAddressAddrMin"
::= { ipSecAddressEntry 5 } ::= { ipSecAddressEntry 5 }
ipSecAddressGroupId OBJECT-TYPE ipSecAddressGroupId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the group this IP address, address range or subnet "Specifies the group this IP address, address range or subnet
address belongs to." address belongs to."
::= { ipSecAddressEntry 6 } ::= { ipSecAddressEntry 6 }
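Review bot: the -10 change at the end of the IPv6 paragraph of ipSecAddressAddrPrefixLength drops the article ('MUST have value of 128'); the -09 wording 'MUST have a value of 128' was correct and should be restored. The same paragraph repeats the overlap already present in the IPv4 paragraph: 'a length of 0 indicates a match of any address' and 'a length between 0 and 128 indicates the use of a CIDR Prefix' both cover 0, and '128 or greater' and 'between 0 and 128' both cover 128 (32 in the IPv4 text). 'addres' in ipSecAddressAddrMax is a typo in both columns.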
skipping to change at line 3861 skipping to change at line 3947
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecL4PortPrid } PIB-INDEX { ipSecL4PortPrid }
UNIQUENESS { UNIQUENESS {
ipSecL4PortPortMin, ipSecL4PortPortMin,
ipSecL4PortPortMax, ipSecL4PortPortMax,
ipSecL4PortGroupId ipSecL4PortGroupId
} }
::= { ipSecL4PortTable 1 } ::= { ipSecL4PortTable 1 }
IpSecL4PortEntry ::= SEQUENCE { IpSecL4PortEntry ::= SEQUENCE {
ipSecL4PortPrid InstanceId, ipSecL4PortPrid InstanceId,
ipSecL4PortPortMin InetPortNumber, ipSecL4PortPortMin InetPortNumber,
ipSecL4PortPortMax InetPortNumber, ipSecL4PortPortMax InetPortNumber,
ipSecL4PortGroupId TagId ipSecL4PortGroupId TagId
} }
ipSecL4PortPrid OBJECT-TYPE ipSecL4PortPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecL4PortEntry 1 } ::= { ipSecL4PortEntry 1 }
ipSecL4PortPortMin OBJECT-TYPE ipSecL4PortPortMin OBJECT-TYPE
SYNTAX InetPortNumber SYNTAX InetPortNumber
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies a layer 4 port or the first layer 4 port number of a "Specifies a layer 4 port or the first layer 4 port number of a
range of ports. The value of this attribute must be equal or less range of ports. The value of this attribute must be equal or less
than that of ipSecL4PortPortMax. than that of ipSecL4PortPortMax.
A value of zero indicates any port matches." A value of zero indicates any port matches."
::= { ipSecL4PortEntry 2 } ::= { ipSecL4PortEntry 2 }
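Review bot: ipSecL4PortPortMin says 'A value of zero indicates any port matches' and also that it 'must be equal or less than that of ipSecL4PortPortMax', so a row with PortMin 0 and PortMax 80 is ambiguous between 'any port' and the range 0..80. State whether ipSecL4PortPortMax is ignored when PortMin is zero, or require PortMax to be zero as well in the wildcard case; the selector attributes above already use a zero group id for the port wildcard, so the two wildcard mechanisms should at least be reconciled in the text.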
skipping to change at line 3915 skipping to change at line 4002
DESCRIPTION DESCRIPTION
"Specifies the group this port or port range belongs to." "Specifies the group this port or port range belongs to."
::= { ipSecL4PortEntry 4 } ::= { ipSecL4PortEntry 4 }
-- --
-- --
-- The ipSecIpsoFilterSetTable -- The ipSecIpsoFilterSetTable
-- --
ipSecIpsoFilterSetTable OBJECT-TYPE ipSecIpsoFilterSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPSO filter sets." "Specifies IP Security Options (IPSO) filter sets. Each set
contains an ordered list of IPSO filters. Please refer to
[RFC1108] for details on IPSO."
::= { ipSecSelector 5 } ::= { ipSecSelector 5 }
ipSecIpsoFilterSetEntry OBJECT-TYPE ipSecIpsoFilterSetEntry OBJECT-TYPE
SYNTAX IpSecIpsoFilterSetEntry SYNTAX IpSecIpsoFilterSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIpsoFilterSetPrid } PIB-INDEX { ipSecIpsoFilterSetPrid }
UNIQUENESS { UNIQUENESS {
ipSecIpsoFilterSetFilterSetId, ipSecIpsoFilterSetFilterSetId,
ipSecIpsoFilterSetFilterId,
ipSecIpsoFilterSetOrder, Li, et al Expires October 2004 72
ipSecIpsoFilterSetIsNegated IPsec Policy Information Base April 2004
ipSecIpsoFilterSetOrder
} }
::= { ipSecIpsoFilterSetTable 1 } ::= { ipSecIpsoFilterSetTable 1 }
IpSecIpsoFilterSetEntry ::= SEQUENCE { IpSecIpsoFilterSetEntry ::= SEQUENCE {
ipSecIpsoFilterSetPrid InstanceId, ipSecIpsoFilterSetPrid InstanceId,
ipSecIpsoFilterSetFilterSetId TagId, ipSecIpsoFilterSetFilterSetId TagId,
ipSecIpsoFilterSetFilterId ReferenceId, ipSecIpsoFilterSetFilterId ReferenceId,
ipSecIpsoFilterSetOrder Unsigned16TC, ipSecIpsoFilterSetOrder IpSecOrderTC,
ipSecIpsoFilterSetIsNegated TruthValue ipSecIpsoFilterSetIsNegated TruthValue
} }
ipSecIpsoFilterSetPrid OBJECT-TYPE ipSecIpsoFilterSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIpsoFilterSetEntry 1 } ::= { ipSecIpsoFilterSetEntry 1 }
ipSecIpsoFilterSetFilterSetId OBJECT-TYPE ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An IPSO filter set is composed of one or more IPSO filters. Each "An IPSO filter set is composed of one or more IPSO filters.
filter belonging to the same set has the same FilterSetId." Filters belonging to the same set have the same FilterSetId."
::= { ipSecIpsoFilterSetEntry 2 } ::= { ipSecIpsoFilterSetEntry 2 }
ipSecIpsoFilterSetFilterId OBJECT-TYPE ipSecIpsoFilterSetFilterId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
PIB-REFERENCES {ipSecIpsoFilterEntry } PIB-REFERENCES {ipSecIpsoFilterEntry }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A pointer to a valid instance in the ipSecIpsoFilterTable." "A pointer to a valid instance in the ipSecIpsoFilterTable."
::= { ipSecIpsoFilterSetEntry 3 } ::= { ipSecIpsoFilterSetEntry 3 }
ipSecIpsoFilterSetOrder OBJECT-TYPE ipSecIpsoFilterSetOrder OBJECT-TYPE
SYNTAX Unsigned16TC SYNTAX IpSecOrderTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that specifies the precedence order of the filter "An integer that specifies the precedence order of the filter
identified by ipSecIpsoFilterSetFilterId within a filter set. The identified by ipSecIpsoFilterSetFilterId within a filter set. The
filter set is identified by ipSecIpsoFilterSetFilterSetId. A filter set is identified by ipSecIpsoFilterSetFilterSetId."
smaller integer value indicates a higher preference."
::= { ipSecIpsoFilterSetEntry 4 } ::= { ipSecIpsoFilterSetEntry 4 }
ipSecIpsoFilterSetIsNegated OBJECT-TYPE ipSecIpsoFilterSetIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If the value of this attribute is 'true', the filter pointed by "If the value of this attribute is 'true', the filter pointed by
ipSecIpsoFilterSetFilterId SHALL be negated." ipSecIpsoFilterSetFilterId SHALL be negated."
::= { ipSecIpsoFilterSetEntry 5 } ::= { ipSecIpsoFilterSetEntry 5 }
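Review bot: the UNIQUENESS clause of ipSecIpsoFilterSetEntry now covers only ipSecIpsoFilterSetFilterSetId and ipSecIpsoFilterSetOrder, dropping ipSecIpsoFilterSetFilterId and ipSecIpsoFilterSetIsNegated; that makes order values unique within a set, which is a stronger constraint than -09 had and should be stated in the ipSecIpsoFilterSetOrder description, whose sentence 'A smaller integer value indicates a higher preference' was also removed when the SYNTAX changed to IpSecOrderTC. The new text cites [RFC1108] for the first time in this region; make sure it is listed in the references section.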
-- --
-- --
-- The ipSecIpsoFilterTable -- The ipSecIpsoFilterTable
-- --
ipSecIpsoFilterTable OBJECT-TYPE ipSecIpsoFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIpsoFilterEntry SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies IPSO filters." "Specifies IP Security Options (IPSO) filters. Please refer to
[RFC1108] for details on IPSO."
::= { ipSecSelector 6 } ::= { ipSecSelector 6 }
ipSecIpsoFilterEntry OBJECT-TYPE ipSecIpsoFilterEntry OBJECT-TYPE
SYNTAX IpSecIpsoFilterEntry SYNTAX IpSecIpsoFilterEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIpsoFilterPrid } PIB-INDEX { ipSecIpsoFilterPrid }
UNIQUENESS { UNIQUENESS {
ipSecIpsoFilterMatchConditionType, ipSecIpsoFilterMatchConditionType,
ipSecIpsoFilterClassificationLevel, ipSecIpsoFilterClassificationLevel,
ipSecIpsoFilterProtectionAuthority ipSecIpsoFilterProtectionAuthority
} }
::= { ipSecIpsoFilterTable 1 } ::= { ipSecIpsoFilterTable 1 }
IpSecIpsoFilterEntry ::= SEQUENCE { IpSecIpsoFilterEntry ::= SEQUENCE {
ipSecIpsoFilterPrid InstanceId, ipSecIpsoFilterPrid InstanceId,
ipSecIpsoFilterMatchConditionType INTEGER, ipSecIpsoFilterMatchConditionType INTEGER,
ipSecIpsoFilterClassificationLevel INTEGER, ipSecIpsoFilterClassificationLevel IpSecIpsoClassificationTC,
ipSecIpsoFilterProtectionAuthority INTEGER ipSecIpsoFilterProtectionAuthority IpSecIpsoProtectionTC
} }
ipSecIpsoFilterPrid OBJECT-TYPE ipSecIpsoFilterPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIpsoFilterEntry 1 } ::= { ipSecIpsoFilterEntry 1 }
ipSecIpsoFilterMatchConditionType OBJECT-TYPE ipSecIpsoFilterMatchConditionType OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
classificationLevel(1), classificationLevel(1),
protectionAuthority(2) protectionAuthority(2)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the IPSO header field to be matched." "Specifies the IPSO header field to be matched."
::= { ipSecIpsoFilterEntry 2 } ::= { ipSecIpsoFilterEntry 2 }
ipSecIpsoFilterClassificationLevel OBJECT-TYPE ipSecIpsoFilterClassificationLevel OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecIpsoClassificationTC
topSecret(61),
secret(90),
confidential(150),
unclassified(171)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value for classification level to be matched "Specifies the value for classification level to be matched
against. This attribute MUST be ignored if against. This attribute MUST be ignored if
ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)." ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)."
::= { ipSecIpsoFilterEntry 3 } ::= { ipSecIpsoFilterEntry 3 }
ipSecIpsoFilterProtectionAuthority OBJECT-TYPE ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
SYNTAX INTEGER { SYNTAX IpSecIpsoProtectionTC
genser(0),
siop-esi(1),
sci(2),
nsa(3),
doe(4)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the value for protection authority to be matched "Specifies the value for protection authority to be matched
against. This attribute MUST be ignored if against. This attribute MUST be ignored if
ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority). ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority).
" "
::= { ipSecIpsoFilterEntry 4 } ::= { ipSecIpsoFilterEntry 4 }
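The three attribute descriptions above define a small matching contract: each ipSecIpsoFilterEntry matches exactly one IPSO field, chosen by ipSecIpsoFilterMatchConditionType, and the value attribute for the other field MUST be ignored; ipSecIpsoFilterSetFilterNegated (earlier on this page) inverts a member's result. The following Python is an added example, not text or code from the draft. It uses the draft-09 enumeration values shown above, takes the packet-side fields from a Basic Security Option laid out per RFC 1108 (which the draft only cites), and assumes, since the page does not say, that the members of a filter set are ANDed; the class and field names are this example's own.

```python
from dataclasses import dataclass

# ipSecIpsoFilterMatchConditionType values
CLASSIFICATION_LEVEL = 1
PROTECTION_AUTHORITY = 2

# Enumerations as listed in the draft-09 SYNTAX clauses above (RFC 1108 code points).
CLASSIFICATION = {"topSecret": 61, "secret": 90, "confidential": 150, "unclassified": 171}
PROTECTION = {"genser": 0, "siop-esi": 1, "sci": 2, "nsa": 3, "doe": 4}

IPSO_BASIC_OPTION = 130  # option type of the RFC 1108 Basic Security Option


@dataclass(frozen=True)
class IpsoFilter:
    """One ipSecIpsoFilterEntry row (attribute names shortened for this example)."""
    match_condition_type: int
    classification_level: int = 0
    protection_authority: int = 0


@dataclass(frozen=True)
class IpsoOption:
    """The two matchable fields of a packet's Basic Security Option."""
    classification_level: int
    protection_authorities: frozenset  # PROTECTION code points that are flagged


def parse_basic_security_option(opt: bytes) -> IpsoOption:
    """Parse type, length, classification level and the protection-authority flag
    octets of a Basic Security Option. Layout per RFC 1108 (assumption of this
    example, the draft only cites it): flag bits 0..4 (MSB first) are GENSER,
    SIOP-ESI, SCI, NSA, DOE; the low bit of each flag octet is a continuation
    flag and must be clear in the last octet."""
    if len(opt) < 3 or opt[0] != IPSO_BASIC_OPTION or opt[1] != len(opt):
        raise ValueError("not a well-formed basic security option")
    flagged = set()
    flags = opt[3:]
    for i, octet in enumerate(flags):
        if i == 0:  # the five defined authorities all sit in the first flag octet
            flagged.update(code for code in range(5) if octet & (0x80 >> code))
        if octet & 0x01 and i == len(flags) - 1:
            raise ValueError("continuation bit set in the last protection authority octet")
    return IpsoOption(opt[2], frozenset(flagged))


def is_well_formed(opt: bytes) -> bool:
    """True when the option parses; handy for a receive-side sanity check."""
    try:
        parse_basic_security_option(opt)
        return True
    except ValueError:
        return False


def filter_matches(f: IpsoFilter, opt: IpsoOption) -> bool:
    """Match only the field selected by MatchConditionType; the row's other
    value attribute MUST be ignored, which is why it is never read here."""
    if f.match_condition_type == CLASSIFICATION_LEVEL:
        return opt.classification_level == f.classification_level
    if f.match_condition_type == PROTECTION_AUTHORITY:
        return f.protection_authority in opt.protection_authorities
    raise ValueError(f"unknown match condition type {f.match_condition_type}")


def filter_set_matches(members, opt: IpsoOption) -> bool:
    """members: (IpsoFilter, negated) pairs of one ipSecIpsoFilterSet, where
    `negated` is ipSecIpsoFilterSetFilterNegated. Assumption of this example:
    the set matches only when every member matches."""
    return all(filter_matches(f, opt) != negated for f, negated in members)


# Constructed packet option: Secret, authorities GENSER and NSA, no continuation.
SAMPLE_OPTION = bytes([IPSO_BASIC_OPTION, 4, CLASSIFICATION["secret"], 0x80 | 0x10])

# Constructed set: Secret traffic that is not marked DOE.
SECRET_NOT_DOE = [
    (IpsoFilter(CLASSIFICATION_LEVEL, classification_level=CLASSIFICATION["secret"],
                protection_authority=PROTECTION["doe"]),  # ignored: type is classificationLevel
     False),
    (IpsoFilter(PROTECTION_AUTHORITY, protection_authority=PROTECTION["doe"]), True),
]
```

The first member of SECRET_NOT_DOE deliberately carries a protection_authority value to show that it has no effect when the match condition type is classificationLevel; a PEP that consulted it anyway would silently narrow the rule.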
-- --
-- --
-- The ipSecRuleTimePeriodTable -- The ipSecRuleTimePeriodTable
-- --
ipSecRuleTimePeriodTable OBJECT-TYPE ipSecRuleTimePeriodTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the time periods during which a policy rule is valid. "Specifies the time periods during which a policy rule is valid.
The values of the first five attributes in a row are ANDed The values of the first five attributes in a row are ANDed
together to determine the validity period(s). If any of the five together to determine the validity period(s). If any of the five
attributes is not present, it is treated as having value always attributes is not present, it is treated as having value always
enabled. " enabled. "
skipping to change at line 4114 skipping to change at line 4186
UNIQUENESS { UNIQUENESS {
ipSecRuleTimePeriodTimePeriod, ipSecRuleTimePeriodTimePeriod,
ipSecRuleTimePeriodMonthOfYearMask, ipSecRuleTimePeriodMonthOfYearMask,
ipSecRuleTimePeriodDayOfMonthMask, ipSecRuleTimePeriodDayOfMonthMask,
ipSecRuleTimePeriodDayOfWeekMask, ipSecRuleTimePeriodDayOfWeekMask,
ipSecRuleTimePeriodTimeOfDayMask, ipSecRuleTimePeriodTimeOfDayMask,
ipSecRuleTimePeriodLocalOrUtcTime ipSecRuleTimePeriodLocalOrUtcTime
} }
::= { ipSecRuleTimePeriodTable 1 } ::= { ipSecRuleTimePeriodTable 1 }
IpSecRuleTimePeriodEntry ::= SEQUENCE { IpSecRuleTimePeriodEntry ::= SEQUENCE {
ipSecRuleTimePeriodPrid InstanceId, ipSecRuleTimePeriodPrid InstanceId,
ipSecRuleTimePeriodTimePeriod OCTET STRING, ipSecRuleTimePeriodTimePeriod TimePeriodTC,
ipSecRuleTimePeriodMonthOfYearMask OCTET STRING, ipSecRuleTimePeriodMonthOfYearMask MonthOfYearTC,
ipSecRuleTimePeriodDayOfMonthMask OCTET STRING, ipSecRuleTimePeriodDayOfMonthMask DayOfMonthTC,
ipSecRuleTimePeriodDayOfWeekMask OCTET STRING, ipSecRuleTimePeriodDayOfWeekMask DayOfWeekTC,
ipSecRuleTimePeriodTimeOfDayMask OCTET STRING, ipSecRuleTimePeriodTimeOfDayMask TimeOfDayTC,
ipSecRuleTimePeriodLocalOrUtcTime INTEGER ipSecRuleTimePeriodLocalOrUtcTime LocalOrUtcTimeTC
} }
ipSecRuleTimePeriodPrid OBJECT-TYPE ipSecRuleTimePeriodPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodEntry 1 } ::= { ipSecRuleTimePeriodEntry 1 }
ipSecRuleTimePeriodTimePeriod OBJECT-TYPE ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX TimePeriodTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that identifies an overall range of calendar "Identifies an overall range of calendar dates and times over
dates and times over which a policy rule is valid. It reuses the which a policy rule is valid."
format for an explicit time period defined in RFC 2445 : a string
representing a starting date and time, in which the character 'T'
indicates the beginning of the time portion, followed by the
solidus character '/', followed by a similar string representing
an end date and time. The first date indicates the beginning of
the range, while the second date indicates the end. Thus, the
second date and time must be later than the first. Date/times are
expressed as substrings of the form yyyymmddThhmmss.
There are also two special cases:
- If the first date/time is replaced with the string
THISANDPRIOR, then the property indicates that a policy rule is
valid [from now] until the date/time that appears after the '/'.
- If the second date/time is replaced with the string
THISANDFUTURE, then the property indicates that a policy rule
becomes valid on the date/time that appears before the '/', and
remains valid from that point on.
"
::= { ipSecRuleTimePeriodEntry 2 } ::= { ipSecRuleTimePeriodEntry 2 }
ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX MonthOfYearTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which months the policy is valid "Specifies months of a year during which a policy is valid."
for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000006 for this
property;
- a 2-octet field consisting of 12 bits identifying the 12 months
of the year, beginning with January and ending with December,
followed by 4 bits that are always set to '0'. For each month,
the value '1' indicates that the policy is valid for that month,
and the value '0' indicates that it is not valid.
If this property is omitted, then the policy rule is treated as
valid for all twelve months."
::= { ipSecRuleTimePeriodEntry 3 } ::= { ipSecRuleTimePeriodEntry 3 }
ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX DayOfMonthTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which days of the month the policy "Specifies days of a month during which a policy is valid."
is valid for. The octet string is structured as follows:
-a 4-octet length field, indicating the length of the entire octet
string; this field is always set to 0x0000000C for this property;
-an 8-octet field consisting of 31 bits identifying the days of
the month counting from the beginning, followed by 31 more bits
identifying the days of the month counting from the end, followed
by 2 bits that are always set to '0'. For each day, the value '1'
indicates that the policy is valid for that day, and the value '0'
indicates that it is not valid.
For months with fewer than 31 days, the digits corresponding to
days that the months do not have (counting in both directions) are
ignored.
"
::= { ipSecRuleTimePeriodEntry 4 } ::= { ipSecRuleTimePeriodEntry 4 }
ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX DayOfWeekTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies which days of the week the policy "Specifies days of a week during which a policy is valid."
is valid for. The octet string is structured as follows:
- a 4-octet length field, indicating the length of the entire
octet string; this field is always set to 0x00000005 for this
property;
- a 1-octet field consisting of 7 bits identifying the 7 days of
the week, beginning with Sunday and ending with Saturday, followed
by 1 bit that is always set to '0'. For each day of the week, the
value '1' indicates that the policy is valid for that day, and the
value '0' indicates that it is not valid.
"
::= { ipSecRuleTimePeriodEntry 5 } ::= { ipSecRuleTimePeriodEntry 5 }
ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX TimeOfDayTC
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that specifies a range of times in a day the "Specifies a range of times in a day during which a policy is
policy is valid for. It is formatted as follows: valid."
A time string beginning with the character 'T', followed by the
solidus character '/', followed by a second time string. The
first time indicates the beginning of the range, while the second
time indicates the end. Times are expressed as substrings of the
form Thhmmss.
The second substring always identifies a later time than the first
substring. To allow for ranges that span midnight, however, the
value of the second string may be smaller than the value of the
first substring. Thus, T080000/T210000 identifies the range from
0800 until 2100, while T210000/T080000 identifies the range from
2100 until 0800 of the following day."
::= { ipSecRuleTimePeriodEntry 6 } ::= { ipSecRuleTimePeriodEntry 6 }
ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
SYNTAX INTEGER { SYNTAX LocalOrUtcTimeTC
localTime(1),
utcTime(2)
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This property indicates whether the times represented in this "Indicates whether the times represented in this class represent
table represent local times or UTC times. There is no provision local times or UTC times. There is no provision for mixing of
for mixing of local times and UTC times: the value of this local times and UTC times: the value of this property applies to
property applies to all of the other time-related properties." all of the other time-related properties."
::= { ipSecRuleTimePeriodEntry 7 } ::= { ipSecRuleTimePeriodEntry 7 }
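The draft-09 descriptions of the ipSecRuleTimePeriodTable attributes above spell out concrete wire formats (length-prefixed bit masks for months, days of month and days of week; 'Thhmmss/Thhmmss' and 'yyyymmddThhmmss/yyyymmddThhmmss' strings with the THISANDPRIOR, THISANDFUTURE and midnight-wrap special cases) and a combining rule (all five ANDed, absent attributes always enabled, one local-or-UTC flag for the whole row). The Python below is an added example, not draft text or any implementation's code: it encodes and decodes those formats and evaluates a row against a clock. The row key names, the convenience helper `utc`, the inclusive-start/exclusive-end reading of time ranges, and treating a day as valid when flagged from either end of the month are assumptions of this example.

```python
import calendar
import struct
from datetime import datetime, timezone

# Encoders: a 4-octet length field (counting itself) followed by an MSB-first bit field.

def month_of_year_mask(months):
    """months: 1..12 (January..December); 12 bits plus 4 zero pad bits, length 6."""
    bits = 0
    for m in months:
        if not 1 <= m <= 12:
            raise ValueError(f"bad month {m}")
        bits |= 1 << (15 - (m - 1))
    return struct.pack(">IH", 6, bits)

def day_of_month_mask(days):
    """days: 1..31 counted from the start of the month, -1..-31 counted from its end;
    31 bits from start, 31 bits from end, 2 zero pad bits, length 12."""
    bits = 0
    for d in days:
        if 1 <= d <= 31:
            pos = d - 1
        elif -31 <= d <= -1:
            pos = 31 + (-d - 1)
        else:
            raise ValueError(f"bad day {d}")
        bits |= 1 << (63 - pos)
    return struct.pack(">IQ", 12, bits)

def day_of_week_mask(days):
    """days: 0..6 (Sunday..Saturday); 7 bits plus 1 zero pad bit, length 5."""
    bits = 0
    for d in days:
        if not 0 <= d <= 6:
            raise ValueError(f"bad weekday {d}")
        bits |= 1 << (7 - d)
    return struct.pack(">IB", 5, bits)

# Decoders: verify the self-describing length, then test one MSB-first bit.

def _bit(mask, expected_len, pos):
    (length,) = struct.unpack(">I", mask[:4])
    if length != expected_len or len(mask) != expected_len:
        raise ValueError("length field does not match the octet string")
    return bool(mask[4 + pos // 8] & (0x80 >> (pos % 8)))

def month_valid(mask, dt):
    return _bit(mask, 6, dt.month - 1)

def day_of_month_valid(mask, dt):
    # Assumption: a day is valid if flagged counting from either end. Bits for days
    # the month does not have are never consulted, which is how they get "ignored".
    last = calendar.monthrange(dt.year, dt.month)[1]
    return _bit(mask, 12, dt.day - 1) or _bit(mask, 12, 31 + (last - dt.day))

def day_of_week_valid(mask, dt):
    return _bit(mask, 5, (dt.weekday() + 1) % 7)  # Python Monday=0, mask Sunday=0

def time_of_day_valid(spec, dt):
    """'Thhmmss/Thhmmss'; an end earlier than the start means the range spans
    midnight. Assumption: start inclusive, end exclusive."""
    start_s, end_s = spec.split("/")
    start = datetime.strptime(start_s, "T%H%M%S").time()
    end = datetime.strptime(end_s, "T%H%M%S").time()
    t = dt.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def time_period_valid(spec, dt):
    """'yyyymmddThhmmss/yyyymmddThhmmss', with THISANDPRIOR or THISANDFUTURE allowed."""
    start_s, end_s = spec.split("/")
    fmt = "%Y%m%dT%H%M%S"
    start = None if start_s == "THISANDPRIOR" else datetime.strptime(start_s, fmt)
    end = None if end_s == "THISANDFUTURE" else datetime.strptime(end_s, fmt)
    if start is not None and end is not None and end <= start:
        raise ValueError("the end of a time period must be later than its start")
    return (start is None or dt >= start) and (end is None or dt < end)

def rule_valid(row, now):
    """AND the five period attributes of one row; an absent one is always enabled.
    `now` is timezone-aware; localOrUtcTime 2 = UTC clock, 1 = system local clock."""
    tz = timezone.utc if row.get("localOrUtcTime", 1) == 2 else None
    dt = now.astimezone(tz).replace(tzinfo=None)
    checks = (("timePeriod", time_period_valid), ("monthOfYearMask", month_valid),
              ("dayOfMonthMask", day_of_month_valid), ("dayOfWeekMask", day_of_week_valid),
              ("timeOfDayMask", time_of_day_valid))
    return all(fn(row[key], dt) for key, fn in checks if key in row)

def utc(y, m, d, hh=0, mm=0):
    """Convenience helper (this example's own): an aware UTC datetime."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

# Constructed row (assumed key names): weeknights 21:00-08:00 UTC from 1 April 2004 on.
NIGHT_WINDOW = {
    "timePeriod": "20040401T000000/THISANDFUTURE",
    "dayOfWeekMask": day_of_week_mask([1, 2, 3, 4, 5]),  # Monday..Friday
    "timeOfDayMask": "T210000/T080000",
    "localOrUtcTime": 2,
}
```

Note that the midnight-spanning window is evaluated against the weekday of the instant being checked, so the early-Tuesday part of "Monday 21:00 to 08:00" is admitted by Tuesday's bit, not Monday's; a PEP that wants Friday night to run into Saturday morning has to set Saturday in the mask as well.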
-- --
-- --
-- The ipSecRuleTimePeriodSetTable -- The ipSecRuleTimePeriodSetTable
-- --
ipSecRuleTimePeriodSetTable OBJECT-TYPE ipSecRuleTimePeriodSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies time period sets. The ipSecRuleTimePeriodTable can "Specifies time period sets. The ipSecRuleTimePeriodTable can
specify only a single time period within a day. This table enables specify only a single time period within a day. This class enables
the specification of multiple time periods within a day by the specification of multiple time periods within a day by
grouping them into one set. " grouping them into one set. "
::= { ipSecPolicyTimePeriod 2 } ::= { ipSecPolicyTimePeriod 2 }
ipSecRuleTimePeriodSetEntry OBJECT-TYPE ipSecRuleTimePeriodSetEntry OBJECT-TYPE
SYNTAX IpSecRuleTimePeriodSetEntry SYNTAX IpSecRuleTimePeriodSetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecRuleTimePeriodSetPrid } PIB-INDEX { ipSecRuleTimePeriodSetPrid }
skipping to change at line 4309 skipping to change at line 4297
ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
} }
ipSecRuleTimePeriodSetPrid OBJECT-TYPE ipSecRuleTimePeriodSetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify an instance of this class" "An integer index to uniquely identify an instance of this class"
::= { ipSecRuleTimePeriodSetEntry 1 } ::= { ipSecRuleTimePeriodSetEntry 1 }
ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
SYNTAX TagId SYNTAX TagId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer that uniquely identifies an ipSecRuleTimePeriod set. " "An integer that uniquely identifies an ipSecRuleTimePeriod set. "
::= { ipSecRuleTimePeriodSetEntry 2 } ::= { ipSecRuleTimePeriodSetEntry 2 }
ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
SYNTAX ReferenceId SYNTAX ReferenceId
skipping to change at line 4340 skipping to change at line 4328
-- --
-- The ipSecIfCapsTable -- The ipSecIfCapsTable
-- --
ipSecIfCapsTable OBJECT-TYPE ipSecIfCapsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSecIfCapsEntry SYNTAX SEQUENCE OF IpSecIfCapsEntry
PIB-ACCESS notify PIB-ACCESS notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies capabilities that may be associated with an interface "Specifies capabilities that may be associated with an interface
of a specific type. The instances of this table are referenced by of a specific type. The instances of this class are referenced by
the frwkCapabilitySetCapability attribute of the the frwkCapabilitySetCapability attribute of the
frwkCapabilitySetTable [9]." frwkCapabilitySetTable [RFC3318]."
::= { ipSecIfCapability 1 } ::= { ipSecIfCapability 1 }
ipSecIfCapsEntry OBJECT-TYPE ipSecIfCapsEntry OBJECT-TYPE
SYNTAX IpSecIfCapsEntry SYNTAX IpSecIfCapsEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies an instance of this class" "Specifies an instance of this class"
PIB-INDEX { ipSecIfCapsPrid } PIB-INDEX { ipSecIfCapsPrid }
UNIQUENESS { UNIQUENESS {
ipSecIfCapsDirection, ipSecIfCapsDirection,
skipping to change at line 4365 skipping to change at line 4353
} }
::= { ipSecIfCapsTable 1 } ::= { ipSecIfCapsTable 1 }
IpSecIfCapsEntry ::= SEQUENCE { IpSecIfCapsEntry ::= SEQUENCE {
ipSecIfCapsPrid InstanceId, ipSecIfCapsPrid InstanceId,
ipSecIfCapsDirection INTEGER, ipSecIfCapsDirection INTEGER,
ipSecIfCapsMaxIpSecActions Unsigned16TC, ipSecIfCapsMaxIpSecActions Unsigned16TC,
ipSecIfCapsMaxIkeActions Unsigned16TC ipSecIfCapsMaxIkeActions Unsigned16TC
} }
ipSecIfCapsPrid OBJECT-TYPE ipSecIfCapsPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index that uniquely identifies an instance of this "An integer index that uniquely identifies an instance of this
class." class."
::= { ipSecIfCapsEntry 1 } ::= { ipSecIfCapsEntry 1 }
ipSecIfCapsDirection OBJECT-TYPE ipSecIfCapsDirection OBJECT-TYPE
skipping to change at line 4414 skipping to change at line 4402
ipSecIkeActionSetTable. ipSecIkeActionSetTable.
A value of zero indicates that there is no maximum limit." A value of zero indicates that there is no maximum limit."
::= { ipSecIfCapsEntry 4 } ::= { ipSecIfCapsEntry 4 }
-- --
-- --
-- Conformance Section -- Conformance Section
-- --
ipSecPolicyPibConformanceCompliances ipSecPolicyPibCompliances
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups ipSecPolicyPibConformanceGroups
OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 } OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }
ipSecPolicyPibCompliance MODULE-COMPLIANCE ipSecPolicyPibCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
" Compliance statement" " Compliance statement"
MODULE --this module MODULE --this module
MANDATORY-GROUPS { MANDATORY-GROUPS {
ipSecRuleGroup, ipSecSaGroup,
ipSecActionSetGroup, ipSecIkeGroup,
ipSecStaticActionGroup,
ipSecNegotiationActionGroup,
ipSecAssociationGroup,
ipSecProposalSetGroup,
ipSecProposalGroup,
ipSecAhTransformSetGroup,
ipSecAhTransformGroup,
ipSecEspTransformSetGroup,
ipSecEspTransformGroup,
ipSecCompTransformSetGroup,
ipSecCompTransformGroup,
ipSecIkeAssociationGroup,
ipSecIkeProposalSetGroup,
ipSecIkeProposalGroup,
ipSecIkePeerEndpointGroup,
ipSecCredentialSetGroup,
ipSecCredentialGroup,
ipSecCredentialFieldsGroup,
ipSecSelectorSetGroup,
ipSecSelectorGroup, ipSecSelectorGroup,
ipSecAddressGroup,
ipSecL4PortGroup,
ipSecIfCapsGroup ipSecIfCapsGroup
} }
GROUP ipSecIkeRuleGroup GROUP ipSecIkeRuleGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if any of the following is supported: 1) "This group is mandatory if any of the following is supported: 1)
multiple IKE phase one actions (e.g., with different exchange multiple IKE phase one actions (e.g., with different exchange
modes) are associated with an IPsec rule. These actions are to be modes) are associated with an IPsec rule. These actions are to be
tried in sequence until one succeeds; 2) IKE phase one actions that tried in sequence until one succeeds; 2) IKE phase one actions that
start automatically." start automatically."
skipping to change at line 4476 skipping to change at line 4443
"This group is mandatory if any of the following is supported: 1) "This group is mandatory if any of the following is supported: 1)
multiple IKE phase one actions (e.g., with different exchange multiple IKE phase one actions (e.g., with different exchange
modes) are associated with an IPsec rule. These actions are to be modes) are associated with an IPsec rule. These actions are to be
tried in sequence until one succeeds; 2) IKE phase one actions that tried in sequence until one succeeds; 2) IKE phase one actions that
start automatically." start automatically."
GROUP ipSecIpsoFilterSetGroup GROUP ipSecIpsoFilterSetGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if IPSO filter is supported." "This group is mandatory if IPSO filter is supported."
GROUP ipSecIpsoFilterGroup GROUP ipSecIpsoFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if IPSO filter is supported." "This group is mandatory if IPSO filter is supported."
GROUP ipSecRuleTimePeriodGroup GROUP ipSecRuleTimePeriodGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if policy scheduling is supported." "This group is mandatory if policy scheduling is supported."
GROUP ipSecRuleTimePeriodSetGroup GROUP ipSecRuleTimePeriodSetGroup
DESCRIPTION DESCRIPTION
"This group is mandatory if policy scheduling is supported." "This group is mandatory if policy scheduling is supported."
OBJECT ipSecRuleIpSecIpsoFilterSetId OBJECT ipSecRuleIpSecIpsoFilterSetId
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"
OBJECT ipSecRuleLimitNegotiation OBJECT ipSecRuleLimitNegotiation
PIB-MIN-ACCESS not-accessible PIB-MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
" Support of this attribute is optional" " Support of this attribute is optional"