ipsp working group                                             Man Li
Internet Draft                                                  Nokia
Expires October 2004                                    David Arneson
                                                                   N/A
                                                            Avri Doria
                                                                  ETRI
                                                           Jamie Jason
                                                                 Intel
                                                            Cliff Wang
                                                             SmartPipe
                                                       Markus Stenberg
                                                                   SSH

                                                            April 2004

                       IPsec Policy Information Base
                      draft-ietf-ipsp-ipsecpib-10.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of
   six months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Copyright (C) The Internet Society (2004).  All Rights Reserved.
   Distribution of this memo is unlimited.

Abstract

   This document describes a portion of the Policy Information Base
   (PIB) for a device implementing the IP Security (IPsec)
   Architecture.  The provisioning classes defined here provide control
   of IPsec policy. These provisioning classes can be used with other
   non-IPsec provisioning classes (defined in other PIB modules) to
   provide for a comprehensive policy controlled mapping of service
   requirement to device capability and usage.

Li, et al                Expires October 2004                       1
                    IPsec Policy Information Base          April 2004

   Table of Contents

1. Introduction.......................................................3
2. Operation Overview.................................................3
3. Structure of IPsec PIB.............................................4
3.1 IPsec association group...........................................5
3.1.1 IPsec rules.....................................................5
3.1.2 IPsec actions...................................................6
3.1.3 IPsec associations..............................................6
3.1.4 IPsec proposals.................................................7
3.2 AH transform group................................................7
3.3 ESP transform group...............................................7
3.4 COMP transform group..............................................7
3.5 IKE association group.............................................7
3.6 Credential group..................................................8
3.7 Selector group....................................................8
3.8 Policy time period group..........................................9
3.9 Interface capability group.......................................10
4. Summary of the IPsec PIB..........................................10
4.1 ipSecAssociation group...........................................10
4.1.1 ipSecRuleTable.................................................10
4.1.2 ipSecActionSetTable............................................10
4.1.3 ipSecStaticActionTable.........................................10
4.1.4 ipSecNegotiationActionTable....................................10
4.1.5 ipSecAssociationTable..........................................10
4.1.6 ipSecProposalSetTable..........................................10
4.1.7 ipSecProposalTable.............................................10
4.2 ipSecAhTransform group...........................................10
4.2.1 ipSecAhTransformSetTable.......................................10
4.2.2 ipSecAhTransformTable..........................................10
4.3 ipSecEspTransform group..........................................10
4.3.1 ipSecEspTransformSetTable......................................11
4.3.2 ipSecEspTransformTable.........................................11
4.4 ipSecCompTransform group.........................................11
4.4.1 ipSecCompTransformSetTable.....................................11
4.4.2 ipSecCompTransformTable........................................11
4.5 ipSecIkeAssociation group........................................11
4.5.1 ipSecIkeRuleTable..............................................11
4.5.2 ipSecIkeActionSetTable.........................................11
4.5.3 ipSecIkeAssociationTable.......................................11
4.5.4 ipSecIkeProposalSetTable.......................................11
4.5.5 ipSecIkeProposalTable..........................................11
4.5.6 ipSecIkePeerEndpointTable......................................11
4.6 ipSecCredential group............................................11
4.6.1 ipSecCredentialSetTable........................................11
4.6.2 ipSecCredentialTable...........................................11
4.6.3 ipSecCredentialFieldsTable.....................................11
4.7 ipSecSelector group..............................................11
4.7.1 ipSecSelectorSetTable..........................................12
4.7.2 ipSecSelectorTable.............................................12
4.7.3 ipSecAddressTable..............................................12
4.7.4 ipSecL4PortTable...............................................12
4.7.5 ipSecIpsoFilterSetTable........................................12
4.7.6 ipSecIpsoFilterTable...........................................12
4.8 ipSecPolicyTimePeriod group......................................12
4.8.1 ipSecRuleTimePeriodTable.......................................12
4.8.2 ipSecRuleTimePeriodSetTable....................................12
4.9 ipSecIfCapability group..........................................12
4.9.1 ipSecIfCapsTable...............................................12
4.10 ipSecPolicyPibConformance group.................................12
5. The IPsec PIB Module..............................................12
6. Security Considerations...........................................89
7. RFC Editor Considerations.........................................90
8. IANA Considerations...............................................90
9. Normative References..............................................90
10. Informative References...........................................92
11. Author's Addresses...............................................92
12. IPR Disclosure Acknowledgement...................................93
13. Full Copyright Statement.........................................93

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC-2119 [2].

1. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for Internet Key Exchange (IKE) phase one and phase two
   negotiations. Details of these parameters can be found in [3],
   [7], [8], [10], [11], [12] and [14]. The PIB defined in this
   document is based on the IPsec configuration policy model [12].
   The concept of "Roles" described in [9], which scales to large
   networks, is adopted for distributing IPsec policy over the COPS-PR
   protocol [6].

2. Operation Overview

   As defined in [13], the management entity that downloads policy to
   IPsec-enabled devices will be called a Policy Decision Point (PDP)
   and the target IPsec-enabled devices will be called Policy
   Enforcement Points (PEP).

   After connecting to a PDP using COPS-PR [6], an extension of COPS
   [5], a PEP reports to the PDP the PIB Provisioning Classes (PRCs)
   it supports as well as any limitations related to the
   implementations of these classes and parameters. The PEP provides
   the above information using the frwkPrcSupportTable and the
   frwkCompLimitsTable defined in the framework PIB [9]. In addition,
   the PEP also reports the interface type capabilities and role
   combinations it supports using the frwkCapabilitySetTable and the
   frwkRoleComboTable. Each row of the frwkCapabilitySetTable
   contains a capability set name and a reference to an instance of a
   PRC that describes the capabilities of the interface type. The
   capability instances may reside in the ipSecIfCapsTable or in a
   class defined in another PIB. Each row of the frwkRoleComboTable
   contains an interface capability set name and a role combination.

   Based on the interface capabilities and role combinations, the PDP
   provides the PEP with IPsec policy information. Later on, if any
   of the interface capabilities or role combinations of the PEP
   change, the PEP notifies the PDP. The PDP will then send a new set
   of IPsec policy information to the PEP. In addition, if the policy
   associated with a given interface capability and role combination
   changes, the PDP will deliver the new IPsec policy to all the PEPs
   that have registered with that interface capability and role
   combination.

3. Structure of IPsec PIB

   An IPsec policy consists of an ordered list of IPsec rules. Each
   rule is composed of a set of conditions and a set of actions. If a
   packet matches the conditions of a rule, the actions of that rule
   are applied to it.

   The IPsec PIB module consists of nine groups. The selector group
   describes conditions to be associated with IPsec rules. The IPsec
   association group, Authentication Header (AH) transform group,
   Encapsulating Security Payload (ESP) transform group, IP Payload
   Compression Protocol (COMP) transform group, IKE association group
   and the credential group together describe actions to be associated
   with IPsec rules. The policy time period group specifies time
   periods during which a rule is valid. The interface capability group
   is used by a PEP to report the capabilities associated with its
   interface types.

   The IPsec PIB defined in this document is based on the IPsec
   configuration policy information model [12]. The structure and
   modularity of this PIB are similar to that of the IPsec
   configuration policy model. It is easy to observe the mapping of
   the IPsec association group, AH transform group, ESP transform
   group, COMP transform group, IKE association group, the credential
   group and the policy time period group into the configuration
   model. Note that the policy time period condition is included in
   the IPsec configuration policy information model [12] but it is
   specified in the policy core information model[23]. The IPsec
   selector group corresponds to the filters specified in the IPsec
   configuration policy model but it is in a slightly different
   structure in order to provide a scalable way of specifying a large
   number of filters.

   The modular design of the IPsec PIB provides a great deal of
   flexibility. For example, the key exchange protocol and selectors
   used in a policy rule are specified by pointing to the corresponding
   policy rule classes. Hence, to use key exchange protocols or
   selectors other than those specified in this PIB, simply direct the
   pointers to the corresponding policy rule classes specified in other
   PIB modules.

   The nine IPsec PIB groups are discussed in the following sections.

3.1 IPsec association group

   This group specifies IPsec Security Associations.

3.1.1 IPsec rules

   The ipSecRuleTable is the starting point for specifying an IPsec
   policy. It contains an ordered list of IPsec rules. Each rule is
   associated with IfCapSetName, Roles and Direction attributes to
   indicate the interface type and role combinations as well as the
   direction of the interface to which this rule is to be applied.
   Each rule points to a set of selectors and, optionally, a set of
   IP Security Options (IPSO) filters to indicate the conditions
   associated with this rule. In addition, each rule has a pointer to
   a set of actions to indicate the actions associated with this
   rule. Hence if a packet matches a selector in the selector set
   and, if the reference to the IPSO filter set is not zero, it
   matches a filter in the IPSO filter set, the action(s) associated
   with this rule will be applied to the packet.

   When a rule involves multiple actions, the ExecutionStrategy
   attribute indicates how these actions are executed. A value of
   "DoAll" means that all the actions MUST be applied to the packet
   according to a predefined order. A value of "DoUntilSuccess" means
   that the actions MUST be tried in sequence until a successful
   execution of a single action.

   For example, in a nested Security Associations (SA) case the
   actions of an initiator's rule might be structured as:

    ExecutionStrategy='DoAll'
    |
    +---1--- IPsecTunnelAction    // set up SA from host to gateway
    |
    +---2--- IPsecTransportAction // set up SA from host through
                                  // tunnel to remote host

   Another example, showing a rule with fallback actions might be
   structured as:

    ExecutionStrategy='DoUntilSuccess'
    |
    +---1--- IPsecTunnelAction // set up SA from host to gateway [A]
    |
    +---2--- IPsecTunnelAction // set up SA from host to gateway [B]
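   The two strategies run over the same kind of ordered action list but
   stop under different conditions. The following is an added example
   and not code from the draft: the actions are simulated (each one
   "succeeds" when its peer is in a constructed reachability set), and
   treating a failed action under DoAll as failure of the whole rule is
   an assumption of this example, since the draft only fixes the order.

```python
"""ExecutionStrategy semantics over an ordered action set (added example)."""
from typing import Callable, List, Tuple

# (action name, attempt to set up the SA; returns True on success)
Action = Tuple[str, Callable[[], bool]]

# Constructed: gateway-A is down, gateway-B and the remote host are up.
REACHABLE_PEERS = {"gateway-B", "remote-host"}


def sa_to(peer: str) -> Action:
    """Simulated IPsecTunnelAction / IPsecTransportAction toward `peer`."""
    return (f"SA to {peer}", lambda: peer in REACHABLE_PEERS)


# Nested-SA rule: host-to-gateway tunnel, then a transport SA through it.
NESTED_RULE: List[Action] = [sa_to("gateway-B"), sa_to("remote-host")]
# Fallback rule: tunnel to gateway A, else to gateway B.
FALLBACK_RULE: List[Action] = [sa_to("gateway-A"), sa_to("gateway-B")]


def execute_action_set(strategy: str, actions: List[Action]) -> Tuple[bool, List[str]]:
    """Run `actions` in their Order; return (rule succeeded, actions tried)."""
    tried: List[str] = []
    if strategy == "DoAll":
        for name, attempt in actions:
            tried.append(name)
            if not attempt():
                return False, tried  # assumption: a failed action fails the rule
        return True, tried
    if strategy == "DoUntilSuccess":
        for name, attempt in actions:
            tried.append(name)
            if attempt():
                return True, tried  # stop at the first success
        return False, tried
    raise ValueError(f"unknown ExecutionStrategy {strategy!r}")


if __name__ == "__main__":
    print(execute_action_set("DoAll", NESTED_RULE))
    print(execute_action_set("DoUntilSuccess", FALLBACK_RULE))
    print(execute_action_set("DoAll", FALLBACK_RULE))
```

   Running the fallback list under DoAll instead of DoUntilSuccess
   shows why the strategy is part of the rule: with gateway A down the
   same two actions yield a working tunnel under one strategy and a
   failed rule under the other.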

   As an optional feature, IPsec associations may be established
   without being prompted by IP packets. The AutoStart attribute
   indicates if the IPsec association(s) of this rule should be set
   up automatically. Support of this attribute is optional.

3.1.2 IPsec actions

   IPsec actions may be of two types: Static Action and Negotiation
   Action.

   Static Actions do not require any negotiations. They include
   bypass, discard, IKE rejection, pre-configured transport and
   pre-configured tunnel actions. The ipSecStaticActionTable specifies
   IPsec Static Actions. For a pre-configured transport or
   pre-configured tunnel action, it further points to a valid instance
   in another class that describes a transform to be used, for example,
   the ipSecEspTransformTable. In addition, the SPI used for the
   transform is also defined in the table.

   Negotiation Actions require negotiations in order to establish
   Security Associations. They include transport and tunnel actions.
   The ipSecNegotiationActionTable specifies IPsec Negotiation
   Actions. It points to a valid instance in the
   ipSecAssociationTable that further defines the IPsec association
   to be established. For key exchange policy, the KeyExchangeId
   points to a valid instance in another class that describes key
   exchange procedures. If a single IKE phase one negotiation is used
   for the key exchange, this attribute MUST point to an instance in
   the ipSecIkeAssociationTable. If multiple IKE phase one
   negotiations (e.g., with different modes) are to be tried until
   one succeeds, this attribute SHOULD point to the ipSecIkeRuleTable.
   For other key exchange methods, this attribute MAY point to an
   instance of a PRC defined in some other PIB module.

   The ipSecActionSetTable specifies sets of actions. Actions within
   a set form an ordered list. If an action within a set is a Static
   Action, the ActionId MUST point to a valid instance in the
   ipSecStaticActionTable. If the action is a Negotiation Action, the
   ActionId MUST point to a valid instance in the
   ipSecNegotiationActionTable. For other actions, the ActionId MAY
   point to an instance of a PRC defined in some other PIB module.

3.1.3 IPsec associations

   The ipSecAssociationTable specifies attributes associated with
   IPsec associations. For each association, it points to a set of
   proposals in the ipSecProposalSetTable that is associated with
   this association.

   The MinLifetimeSeconds and MinLifetimeKilobytes in the
   ipSecAssociationTable indicate the lifetime to propose for the
   IPsec association to be negotiated. They are different from the
   time periods indicated by the IpSecRuleTimePeriodGroupId in the
   ipSecRuleTable. Those time periods specify when the given IPsec
   rule is valid.

3.1.4 IPsec proposals

   The ipSecProposalSetTable specifies sets of proposals. Proposals
   within a set are ordered with a preference value.

   The ipSecProposalTable specifies proposals. It points to sets of
   ESP transforms, AH transforms and IP COMP transforms. Within a
   proposal, sets of transforms of different types are logically
   ANDed. Transforms of the same type within a transform set are to
   be logically ORed. For example, if the proposal were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to
   pick one from the ESP transform list (preferably (HMAC-MD5, 3DES))
   AND one from the AH transform list (preferably MD5).
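   The AND-across-types, OR-within-type structure, together with the
   preference ordering of proposals in a proposal set, is what a
   responder has to evaluate. The following is an added example and
   not code from the draft: it picks one transform per type in the
   sender's preference order and walks a proposal set until a proposal
   is fully satisfiable. The peer capability data and the second,
   ESP-only proposal are constructed; the transform names repeat the
   draft's illustration and are not a recommendation (DES and MD5 are
   long deprecated).

```python
"""Proposal selection with ANDed transform types and ORed transforms (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# A transform is written as a tuple: (auth, cipher) for ESP, (auth,) for AH.
Transform = Tuple[str, ...]
# Transform type -> transform set, most preferred first.
Proposal = Dict[str, List[Transform]]
# Transform type -> transforms the peer can do (constructed capability view).
PeerCaps = Dict[str, Set[Transform]]


def select_transforms(proposal: Proposal, peer: PeerCaps) -> Optional[Dict[str, Transform]]:
    """One transform per type (types are ANDed); within a type, the first
    transform in preference order that the peer supports (transforms are
    ORed). Returns None if any type cannot be satisfied."""
    chosen: Dict[str, Transform] = {}
    for ttype, candidates in proposal.items():
        supported = peer.get(ttype, set())
        match = next((t for t in candidates if t in supported), None)
        if match is None:
            return None  # AND semantics: every type in the proposal is required
        chosen[ttype] = match
    return chosen


def negotiate(proposal_set: List[Proposal], peer: PeerCaps) -> Optional[Tuple[int, Dict[str, Transform]]]:
    """Walk a proposal set in preference order; the first proposal whose
    every transform type the peer can satisfy wins. Returns (index, choice)."""
    for index, proposal in enumerate(proposal_set):
        chosen = select_transforms(proposal, peer)
        if chosen is not None:
            return index, chosen
    return None


# The draft's example: ESP = {(HMAC-MD5, 3DES), (HMAC-MD5, DES)}, AH = {MD5, SHA-1}.
PROPOSAL_ESP_AND_AH: Proposal = {
    "ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
    "AH": [("MD5",), ("SHA-1",)],
}
# Constructed, less preferred fallback proposal: ESP only.
PROPOSAL_ESP_ONLY: Proposal = {"ESP": [("HMAC-SHA-1", "3DES")]}
PROPOSAL_SET: List[Proposal] = [PROPOSAL_ESP_AND_AH, PROPOSAL_ESP_ONLY]

# Constructed peers.
PEER_WITH_AH: PeerCaps = {
    "ESP": {("HMAC-MD5", "DES"), ("HMAC-SHA-1", "3DES")},
    "AH": {("SHA-1",)},
}
PEER_WITHOUT_AH: PeerCaps = {"ESP": {("HMAC-SHA-1", "3DES")}}

if __name__ == "__main__":
    print(negotiate(PROPOSAL_SET, PEER_WITH_AH))     # first proposal, DES + SHA-1
    print(negotiate(PROPOSAL_SET, PEER_WITHOUT_AH))  # falls through to ESP only
```

   Note that the first peer never gets 3DES even though it supports it:
   the sender's order within the ESP set is honoured first, so a weak
   transform listed anywhere in a set can be the one chosen.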

3.2 AH transform group

   The AH transform group describes sets of AH transforms.

3.3 ESP transform group

   The ESP transform group describes sets of ESP transforms.

3.4 COMP transform group

   The COMP transform group describes sets of COMP transforms.

3.5 IKE association group

   This group specifies rules associated with IKE phase one
   negotiation. The rules are IKEv1 rules as specified in [10].

   The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
   tables. Support of these tables is required only when a policy
   contains:

   - Multiple IKE phase one actions (e.g., with different exchange
   modes) that are associated with one IPsec association. These
   actions are to be tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.

   For the latter case, IKE rules may be distributed independently
   and the IfCapSetName and Roles attributes in the ipSecIkeRuleTable
   indicate the interface type and role combinations to which this
   rule is to be applied.

   The ipSecIkeActionSetTable specifies sets of actions. Actions
   within a set form an ordered list.

   The ipSecIkeAssociationTable contains parameters associated with
   IKE associations including the IKE identities to be used during
   IKE phase one negotiation. It points to a set of credentials
   specified in the ipSecCredentialTable. Any of the credentials in
   this set may be used during IKE phase one negotiation. In
   addition, each IKE association points to a set of IKE proposals to
   be associated with this association. If the Authentication Method
   for one or more of the IKE proposals is specified as PresharedKey
   in the ipSecIkeProposalTable, the ipSecIkeAssociationPresharedKey
   attribute contains the actual pre-shared key to be used for the
   proposal(s). This attribute is optional. If this attribute is not
   supported or contains a zero length octet, the pre-shared key MUST
   be obtained through other methods.

   The ipSecIkeProposalSetTable specifies sets of proposals.
   Proposals within a set are ordered with a preference value. The
   ipSecIkeProposalTable contains parameters associated with IKE
   proposals.

   The ipSecIkePeerEndpointTable specifies IKE peer endpoint
   information that includes acceptable peer identity and credentials
   for IKE phase one negotiation. It points to a set of credentials
   specified in the ipSecCredentialSetTable. Any of the credentials
   in the set is acceptable as a peer credential. The AddressType and
   the Address attributes are used only when IKE phase one
   negotiation starts automatically, i.e., the value of the AutoStart
   attribute in the ipSecIkeRuleTable is true, in which case these
   two attributes together indicate the peer endpoint address.

3.6 Credential group

   This group specifies credentials to be used for IKE phase one
   negotiations.

   The ipSecCredentialSetTable specifies sets of credentials. The
   ipSecCredentialTable and ipSecCredentialFieldsTable together
   specify credentials. Each credential may contain multiple sub-
   fields. For example, a certificate may contain a unique serial
   number sub-field and an issuer name sub-field, etc. The
   ipSecCredentialFieldsTable defines the sub-fields and their values
   that MUST be matched against. The ipSecCredentialTable points to a
   set of criteria defined in the ipSecCredentialFieldsTable. The
   criteria MUST all be satisfied in order for a credential to be
   considered as acceptable. Certificates may also be revoked. The
   CrlDistributionPoint attribute in the ipSecCredentialTable
   indicates the Certificate Revocation List (CRL) distribution point
   where CRLs may be fetched.
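   The acceptance rule above has three parts: every sub-field
   criterion of a credential must match, any credential in the set is
   enough, and a certificate that matches but appears on the issuer's
   CRL must still be rejected. The following is an added example and
   not code from the draft. The credential criteria, the parsed
   certificate fields and the revoked-serial lists are constructed;
   the latter stand in for CRLs fetched from each CrlDistributionPoint.

```python
"""Peer credential acceptance against a credential set (added example)."""
from typing import Dict, List, Optional, Set

# Constructed ipSecCredentialTable rows, each with its
# ipSecCredentialFieldsTable criteria and its CrlDistributionPoint.
CREDENTIAL_SET: List[dict] = [
    {"name": "corp-vpn-gateways",
     "fields": {"issuer": "CN=Corp VPN CA", "ou": "VPN Gateways"},
     "crl": "http://crl.example.com/vpn.crl"},
    {"name": "partner-gateways",
     "fields": {"issuer": "CN=Partner CA"},
     "crl": "http://crl.example.net/partner.crl"},
]

# Constructed stand-in for the CRLs fetched from each distribution point.
REVOKED_SERIALS: Dict[str, Set[str]] = {
    "http://crl.example.com/vpn.crl": {"1f3a"},
    "http://crl.example.net/partner.crl": set(),
}


def credential_matches(criteria: Dict[str, str], cert: Dict[str, str]) -> bool:
    """Every (sub-field, value) criterion must be satisfied (AND)."""
    return all(cert.get(field) == value for field, value in criteria.items())


def accept_peer_credential(credential_set: List[dict], cert: Dict[str, str]) -> Optional[str]:
    """Return the name of the credential the certificate satisfies (any one
    in the set will do), or None if it satisfies none or is revoked."""
    for cred in credential_set:
        if not credential_matches(cred["fields"], cert):
            continue
        if cert.get("serial") in REVOKED_SERIALS.get(cred["crl"], set()):
            return None  # met the criteria, but the issuer has revoked it
        return cred["name"]
    return None


# Constructed presented certificates, already parsed into fields.
CORP_GATEWAY_CERT = {"issuer": "CN=Corp VPN CA", "ou": "VPN Gateways", "serial": "0042"}
REVOKED_CORP_CERT = {"issuer": "CN=Corp VPN CA", "ou": "VPN Gateways", "serial": "1f3a"}
CORP_USER_CERT = {"issuer": "CN=Corp VPN CA", "ou": "Employees", "serial": "0099"}
PARTNER_CERT = {"issuer": "CN=Partner CA", "serial": "0007"}

if __name__ == "__main__":
    for cert in (CORP_GATEWAY_CERT, REVOKED_CORP_CERT, CORP_USER_CERT, PARTNER_CERT):
        print(cert["serial"], "->", accept_peer_credential(CREDENTIAL_SET, cert))
```

   The CORP_USER_CERT case is the one to watch: it is issued by the
   same CA as the gateway certificates, so an issuer-only criterion
   would admit any employee certificate as a gateway peer. The extra
   sub-field criterion is what narrows the set.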

3.7 Selector group

   This group specifies the selectors for IPsec rules.

   The ipSecSelectorSetTable specifies sets of selectors. Selectors
   within a set form an ordered list. The SelectorId attribute points
   to a valid instance in another class that describes a selector. To
   achieve scalability in policy distribution for large networks, it
   SHOULD point to the ipSecSelectorTable.

   The ipSecAddressTable specifies individual or ranges of IP
   addresses and the ipSecL4PortTable specifies individual or ranges
   of layer 4 ports. The ipSecSelectorTable has references to these
   two tables. Each row in the selector class can represent multiple
   selectors. These selectors are constructed as follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or port ranges whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or port ranges whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
   fields. Then add to the combinations the ipSecSelectorProtocol,
   ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
   the list of selectors.

   Selectors constructed from a single row have the same order within
   a selector set. The order is indicated by the Order attribute of
   the ipSecSelectorSetTable. The relative order among selectors
   constructed from a single row is unspecified. This is not an issue
   as long as these selectors are not over-lapping.
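   The five construction steps, and the overlap condition under which
   the unspecified relative order becomes a problem, as an added
   example that is not code from the draft. It expands one
   ipSecSelectorTable row against constructed ipSecAddressTable and
   ipSecL4PortTable contents and then checks whether any two of the
   resulting selectors could match the same packet. The attribute
   names follow the draft; representing rows as dicts, ranges as
   inclusive (start, end) tuples and the group-id values themselves
   are assumptions of this example.

```python
"""Expand an ipSecSelectorTable row into concrete selectors (added example)."""
from ipaddress import ip_address
from itertools import product
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive; addresses are held as integers


def addr_range(start: str, end: str) -> Range:
    return int(ip_address(start)), int(ip_address(end))


# Constructed ipSecAddressTable, keyed by ipSecAddressGroupId.
ADDRESS_TABLE: Dict[int, List[Range]] = {
    10: [addr_range("10.0.0.1", "10.0.0.1"),
         addr_range("10.0.1.0", "10.0.1.255")],
    11: [addr_range("192.0.2.10", "192.0.2.10")],
    # Group 12 holds a range and a single address that lies inside it.
    12: [addr_range("10.0.1.0", "10.0.1.255"),
         addr_range("10.0.1.100", "10.0.1.100")],
}

# Constructed ipSecL4PortTable, keyed by ipSecL4PortGroupId.
PORT_TABLE: Dict[int, List[Range]] = {
    20: [(0, 65535)],
    21: [(80, 80), (443, 443)],
}

# Constructed ipSecSelectorTable rows. -1 is the "any" value of the
# DscpOrAny and IPv6FlowLabelOrAny textual conventions the PIB imports.
ROW_A = {"SrcAddressGroupId": 10, "DstAddressGroupId": 11,
         "SrcPortGroupId": 20, "DstPortGroupId": 21,
         "Protocol": 6, "Dscp": -1, "FlowLabel": -1}
ROW_B = dict(ROW_A, SrcAddressGroupId=12)


def expand_selector_row(row: dict) -> List[dict]:
    """Steps 1-5: replace each group reference by the group's members,
    form every combination, and carry Protocol, Dscp and FlowLabel over."""
    srcs = ADDRESS_TABLE[row["SrcAddressGroupId"]]
    dsts = ADDRESS_TABLE[row["DstAddressGroupId"]]
    sports = PORT_TABLE[row["SrcPortGroupId"]]
    dports = PORT_TABLE[row["DstPortGroupId"]]
    return [
        {"src": s, "dst": d, "sport": sp, "dport": dp,
         "protocol": row["Protocol"], "dscp": row["Dscp"],
         "flowlabel": row["FlowLabel"]}
        for s, d, sp, dp in product(srcs, dsts, sports, dports)
    ]


def _intersect(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def selectors_overlap(x: dict, y: dict) -> bool:
    """True if some packet could match both selectors: every range field
    intersects and the scalar fields agree (comparing the scalar fields
    for equality is a simplification of this example)."""
    return (all(_intersect(x[f], y[f]) for f in ("src", "dst", "sport", "dport"))
            and all(x[f] == y[f] for f in ("protocol", "dscp", "flowlabel")))


def row_has_overlap(row: dict) -> bool:
    """The relative order of one row's selectors is unspecified, which is
    only safe when no two of them overlap."""
    sels = expand_selector_row(row)
    return any(selectors_overlap(sels[i], sels[j])
               for i in range(len(sels)) for j in range(i + 1, len(sels)))


if __name__ == "__main__":
    print(len(expand_selector_row(ROW_A)), "selectors; overlap:", row_has_overlap(ROW_A))
    print(len(expand_selector_row(ROW_B)), "selectors; overlap:", row_has_overlap(ROW_B))
```

   ROW_B is the case the paragraph warns about: the address group mixes
   a range with a host inside that range, so two of the expanded
   selectors match the same packets and the PEP is free to order them
   either way. A PDP can run this check before pushing a row.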

   The use of references in the ipSecSelectorTable instead of real IP
   addresses and port numbers reduces the number of bytes being
   pushed down to the PEP. Grouping of IP addresses and layer 4 ports
   serves the same purpose.

   The ipSecIpsoFilterSetTable specifies sets of IPSO filters.
   Filters within a set form an ordered list. The
   ipSecIpsoFilterTable contains IPSO filters.

3.8 Policy time period group

   This group specifies time periods during which a policy rule is
   valid. The ipSecRuleTimePeriodTable specifies a single time period
   within a day (or days). The ipSecRuleTimePeriodSetTable allows the
   specification of multiple time periods.

   Implementation of this group is optional.

3.9 Interface capability group

   PEPs may have different capabilities. For example, some PEPs
   support nested Security Associations whereas others do not. This
   group allows a PEP to specify the capabilities associated with its
   different interface types.

   For ease of reference, a concise summary of the groups and tables
   is included in the next section.

4. Summary of the IPsec PIB

4.1 ipSecAssociation group
   This group specifies IPsec Security Associations.

4.1.1 ipSecRuleTable

   This class is the starting point for specifying an IPsec policy.
   It contains an ordered list of IPsec rules.

4.1.2 ipSecActionSetTable
   Specifies IPsec action sets.

4.1.3 ipSecStaticActionTable
   Specifies IPsec static actions.

4.1.4 ipSecNegotiationActionTable
   Specifies IPsec negotiation actions.

4.1.5 ipSecAssociationTable
   Specifies IPsec associations.

4.1.6 ipSecProposalSetTable
   Specifies IPsec proposal sets.

4.1.7 ipSecProposalTable
   Specifies IPsec proposals.

4.2 ipSecAhTransform group
   This group specifies AH Transforms.

4.2.1 ipSecAhTransformSetTable
   Specifies AH transform sets.

4.2.2 ipSecAhTransformTable
   Specifies AH transforms.

4.3 ipSecEspTransform group
   This group specifies ESP Transforms.

4.3.1 ipSecEspTransformSetTable
   Specifies ESP transform sets.

4.3.2 ipSecEspTransformTable
   Specifies ESP transforms.

4.4 ipSecCompTransform group
   This group specifies Compression Transforms.

4.4.1 ipSecCompTransformSetTable
   Specifies IP compression transform sets.

4.4.2 ipSecCompTransformTable
   Specifies IP compression (IPCOMP) algorithms.

4.5 ipSecIkeAssociation group
   This group specifies IKEv1 Security Associations.

4.5.1 ipSecIkeRuleTable
   Specifies IKEv1 rules.

4.5.2 ipSecIkeActionSetTable
   Specifies IKEv1 action sets.

4.5.3 ipSecIkeAssociationTable
   Specifies IKEv1 associations.

4.5.4 ipSecIkeProposalSetTable
   Specifies IKEv1 proposal sets.

4.5.5 ipSecIkeProposalTable
   Specifies IKEv1 proposals.

4.5.6 ipSecIkePeerEndpointTable
   Specifies IKEv1 peer endpoints.

4.6 ipSecCredential group
   This group specifies credentials for IKEv1 phase one negotiations.

4.6.1 ipSecCredentialSetTable
   Specifies credential sets.

4.6.2 ipSecCredentialTable
   Specifies credentials.

4.6.3 ipSecCredentialFieldsTable
   Specifies sets of credential sub-fields and their values to be
   matched against.

4.7 ipSecSelector group
   This group specifies selectors for IPsec associations.

4.7.1 ipSecSelectorSetTable
   Specifies IPsec selector sets.

4.7.2 ipSecSelectorTable
   Specifies IPsec selectors.

4.7.3 ipSecAddressTable
   Specifies IP addresses.

4.7.4 ipSecL4PortTable
   Specifies layer four port numbers.

4.7.5 ipSecIpsoFilterSetTable
   Specifies IPSO filter sets.

4.7.6 ipSecIpsoFilterTable
   Specifies IPSO filters.

4.8 ipSecPolicyTimePeriod group
   This group specifies the time periods during which a policy rule
   is valid.

4.8.1 ipSecRuleTimePeriodTable
   Specifies the time periods during which a policy rule is valid.

4.8.2 ipSecRuleTimePeriodSetTable
   Specifies time period sets.

4.9 ipSecIfCapability group
   This group specifies capabilities associated with interface types.

4.9.1 ipSecIfCapsTable
   Specifies capabilities that may be associated with an interface of
   a specific type.

4.10 ipSecPolicyPibConformance group
   This group specifies requirements for conformance to the IPsec
   Policy PIB.

5. The IPsec PIB Module

   IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

   IMPORTS
   Unsigned32, Unsigned64, MODULE-IDENTITY,
   OBJECT-TYPE, TEXTUAL-CONVENTION, MODULE-COMPLIANCE,
   OBJECT-GROUP, pib
   FROM COPS-PR-SPPI           --[RFC3159]
   TruthValue
   FROM SNMPv2-TC              --[RFC2579]
   InstanceId, ReferenceId, TagId, TagReferenceId, Prid
   FROM COPS-PR-SPPI-TC        --[RFC3159]

      SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB     --[RFC3411]
   InetAddress, InetAddressType,
   InetAddressPrefixLength, InetPortNumber
        FROM INET-ADDRESS-MIB       --[RFC3291]
   DscpOrAny
        FROM DIFFSERV-DSCP-TC       --[RFC3289]
   zeroDotZero
               FROM SNMPv2-SMI       --[RFC2578]
   IPv6FlowLabelOrAny
               FROM IPV6-FLOW-LABEL-MIB  --[RFC3595]
   RoleCombination
   FROM FRAMEWORK-TC-PIB      --[RFC3318]
    IpsecDoiIpcompTransform,IpsecDoiEspTransform,
    IpsecDoiIdentType,IpsecDoiAuthAlgorithm
        FROM IPSEC-IPSECACTION-MIB
           --[draft-ietf-ipsp-ipsecaction-mib-00.txt]
    IkeEncryptionAlgorithm,IkeAuthMethod,IkeHashAlgorithm,
    IkeGroupDescription
        FROM IPSEC-IKEACTION-MIB;
           --[draft-ietf-ipsp-ikeaction-mib-00.txt]

   --
   -- module identity
   --

   ipSecPolicyPib MODULE-IDENTITY
   SUBJECT-CATEGORIES { xxxx (nn)  } -- IPsec Client Type -
   -- to be assigned by IANA. Suggest to use ipSec for xxxx -
   LAST-UPDATED "200404041800Z"
   ORGANIZATION "IETF ipsp WG"
   CONTACT-INFO "
   Man Li
   Nokia
   5 Wayside Road,
   Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   Avri Doria
                Div. of Computer Communications
                Lulea University of Technology
                SE-971 87
                Lulea, Sweden
                Phone: +46 920 49 3030
   ETRI
   161 Gajeong-dong, Yuseong-gu
   Deajeon 305-350 Korea
   Email: avri@sm.luth.se avri@acm.org

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   Phone: +1 503 264 9531
   Fax: +1 503 264 9428
   Email: jamie.jason@intel.com

   Cliff Wang

   Li, et al            Expires October 2004                       13
                    IPsec Policy Information Base          April 2004

   SmartPipes Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   Phone: +1 614 923 6241
   Email: CWang@smartpipes.com

    Markus Stenberg
    SSH Communications Security Corp.
    Fredrikinkatu 42
    FIN-00100 Helsinki, Finland
    Phone: +358 20 500 7466
    Email: fingon@iki.fi"

   DESCRIPTION
   "This PIB module contains a set of policy rule classes that
   describe IPsec policies.

   Copyright (C) The Internet Society (2004). This version of this
   PIB module is part of RFC xxxx; see the RFC itself for full legal
   notices"

   REVISION "200404041800Z"
   DESCRIPTION
   "Initial version, published as RFC xxxx."
   -- xxxx to be assigned by IANA --
   ::= { pib yyy } -- yyy to be assigned by IANA --

   --
   -- Textual Conventions
   --

   Unsigned16TC ::= TEXTUAL-CONVENTION
     DISPLAY-HINT "d"
     STATUS       current
     DESCRIPTION
     "An unsigned 16 bit integer."
     SYNTAX    Unsigned32 (0..65535)

   LocalOrUtcTimeTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "Indicates whether to use local times or universal time (UTC)
   times. "
     SYNTAX    INTEGER {localTime(1),utcTime(2)}

   TimePeriodTC ::= TEXTUAL-CONVENTION
     DISPLAY-HINT "255t"
     STATUS       current
     DESCRIPTION
     " An octet string that identifies an overall range of calendar
   dates and times.  It reuses the format for an explicit time period
   defined in [RFC 2445] : a string representing a starting date and
   time, in which the character 'T'  indicates the beginning of the
   time portion, followed by the solidus character '/', followed by a
   similar string representing an end date and time.  The first date
   indicates the beginning of the range, while the second date
   indicates the end.  Thus, the second date and time must be later
   than the first.  Date/times are expressed as substrings of the
   form yyyymmddThhmmss.

   There are also two special cases:

   -  If the first date/time is replaced with the string
   THISANDPRIOR, then the property indicates that a policy rule is
   valid [from now] until the date/time that appears after the '/'.

   - If the second date/time is replaced with the string
   THISANDFUTURE, then the property indicates that a policy rule
   becomes valid on the date/time that appears before the '/', and
   remains valid from that point on.

   This information is represented using the ISO/IEC IS 10646-1
   character set, encoded as an octet string using the UTF-8
   transformation format described in [RFC2279]."
     SYNTAX    OCTET STRING

   TimeOfDayTC ::= TEXTUAL-CONVENTION
     DISPLAY-HINT "255t"
     STATUS       current
     DESCRIPTION
     " An octet string that specifies a range of times in a day. It
   is formatted as follows:

   A  time  string beginning with the character 'T', followed by the
   solidus character '/', followed by a second time string.  The
   first time indicates the beginning of the range, while the second
   time indicates the end.  Times are expressed as substrings of the
   form Thhmmss.

   The second substring always identifies a later time than the first
   substring.  To allow for ranges that span midnight, however, the
   value of the second string may be smaller than the value of the
   first substring.  Thus, T080000/T210000 identifies the range from
   0800 until 2100, while T210000/T080000 identifies the range from
   2100 until 0800 of the following day.

   This information is represented using the ISO/IEC IS 10646-1
   character set, encoded as an octet string using the UTF-8
   transformation format described in [RFC2279]."
     SYNTAX    OCTET STRING
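   The two range formats defined above, TimePeriodTC and TimeOfDayTC,
   parsed and checked in Python. This is an added example, not code
   from the draft: the function names and the sample strings are the
   example's own, and it treats both ends of a range as inclusive,
   which the text leaves open.

```python
import re
from datetime import datetime, time
from typing import Optional, Tuple

# Open-ended markers defined for TimePeriodTC
THIS_AND_PRIOR = "THISANDPRIOR"
THIS_AND_FUTURE = "THISANDFUTURE"

_DATE_TIME = re.compile(r"^\d{8}T\d{6}$")   # yyyymmddThhmmss
_TIME_OF_DAY = re.compile(r"^T\d{6}$")       # Thhmmss


def _split_range(value: str) -> Tuple[str, str]:
    """Split 'first/second'; reject strings without exactly one solidus."""
    parts = value.split("/")
    if len(parts) != 2:
        raise ValueError("expected exactly one '/' in %r" % value)
    return parts[0], parts[1]


def _parse_date_time(text: str) -> datetime:
    if not _DATE_TIME.match(text):
        raise ValueError("expected yyyymmddThhmmss, got %r" % text)
    # strptime rejects impossible values such as month 13 or hour 25
    return datetime.strptime(text, "%Y%m%dT%H%M%S")


def parse_time_period(value: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Parse a TimePeriodTC string into (start, end).

    None stands for an open end: THISANDPRIOR as the first part means
    'valid from now', THISANDFUTURE as the second part means 'no end'."""
    first, second = _split_range(value)
    start = None if first == THIS_AND_PRIOR else _parse_date_time(first)
    end = None if second == THIS_AND_FUTURE else _parse_date_time(second)
    # The TC requires the second date/time to be later than the first
    if start is not None and end is not None and end <= start:
        raise ValueError("end must be later than start in %r" % value)
    return start, end


def period_contains(value: str, when: datetime) -> bool:
    """True if 'when' lies within the TimePeriodTC range (ends inclusive)."""
    start, end = parse_time_period(value)
    return (start is None or when >= start) and (end is None or when <= end)


def _parse_time_of_day(text: str) -> time:
    if not _TIME_OF_DAY.match(text):
        raise ValueError("expected Thhmmss, got %r" % text)
    return datetime.strptime(text, "T%H%M%S").time()


def parse_time_of_day(value: str) -> Tuple[time, time]:
    """Parse a TimeOfDayTC string 'Thhmmss/Thhmmss' into (start, end)."""
    first, second = _split_range(value)
    return _parse_time_of_day(first), _parse_time_of_day(second)


def time_of_day_contains(value: str, t: time) -> bool:
    """True if clock time 't' lies within the TimeOfDayTC range.

    A second time smaller than the first means the range spans midnight:
    T210000/T080000 covers 21:00 today until 08:00 the following day."""
    start, end = parse_time_of_day(value)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end
```

   A PEP (the policy enforcement point) evaluating ipSecRuleTimePeriod
   entries needs exactly this pair of checks; the midnight wrap in
   time_of_day_contains is the case most implementations get wrong.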

   MonthOfYearTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "Defines months of a year"
     SYNTAX BITS {january(0),february(1),march(2),april(3),
                  may(4),june(5),july(6),august(7),september(8),
                  october(9),november(10),december(11)}

   DayOfWeekTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "Defines days of a week"
     SYNTAX BITS {sunday(0),monday(1),tuesday(2),wednesday(3),
                 thursday(4),friday(5),saturday(6)}

   DayOfMonthTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "Defines days of a month"
     SYNTAX BITS
   {first(0),second(1),third(2),fourth(3),fifth(4),sixth(5),
    seventh(6),eighth(7),ninth(8),tenth(9),eleventh(10),
   twelfth(11),thirteenth(12),fourteenth(13),fifteenth(14),
   sixteenth(15),seventeenth(16),eighteenth(17),nineteenth(18),
   twentieth(19),twenty-first(20),twenty-second(21),
   twenty-third(22),twenty-fourth(23), twenty-fifth(24),
   twenty-sixth(25), twenty-seventh(26),twenty-eighth(27),
   twenty-ninth(28), thirtieth(29), thirty-first(30)}

   IpSecOrderTC ::= TEXTUAL-CONVENTION
     DISPLAY-HINT "d"
     STATUS       current
     DESCRIPTION
     "An unsigned 16 bit integer that defines the order of a set of
   rules. A smaller value indicates a higher precedence order"
     SYNTAX    Unsigned32 (0..65535)

   IpSecDirectionTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "Specifies the direction of traffic to which an IPsec rule shall
   be applied"
     SYNTAX    INTEGER {in(1),out(2),bi-directional(3)}

   IpSecDFBitTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     " For tunnel security associations, this attribute specifies how
   the DF bit is managed.  Copy (1) indicates to copy the DF bit from
   the internal IP header to the external IP header. Set (2)
   indicates to set the DF bit of the external IP header to 1. Clear
   (3) indicates to clear the DF bit of the external IP header to 0.
   "
     SYNTAX    INTEGER {copy(1),set(2),clear(3)}

   IpSecExchangeModeTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     " Specifies the negotiation mode that the Internet Key Exchange
   (IKE) server will use for phase one."
     SYNTAX    INTEGER {baseMode(0),mainMode(1),aggressiveMode(2)}

   IpSecActionTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     " Specifies the IPsec action to be applied to the traffic.
   transport(1) means that the packet should be protected with a
   security association in transport mode. tunnel(2) means that the
   packet should be protected with a security association in tunnel
   mode."
     SYNTAX    INTEGER {transport(1),tunnel(2)}

   IpSecCredTypeTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     " Specifies the type of credentials used for IKE phase one."
     SYNTAX    INTEGER {certificateX509(1),kerberosTicket(2)}

   IpSecGranularityTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     "Specifies how the proposed selector for the security
   association will be created. Subnet (0) indicates that the source
   and destination subnet masks of the filter entry are used. Address
   (1) indicates that only the source and destination IP addresses of
   the triggering packet are used. Protocol(2) indicates that the
   source and destination IP addresses and the IP protocol of the
   triggering packet are used. Port (3) indicates that the source and
   destination IP addresses and the IP protocol and the source and
   destination layer 4 ports of the triggering packet are used. "
     SYNTAX BITS {subnet(0),address(1),protocol(2),port(3)}
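   How the four IpSecGranularityTC levels narrow the selector proposed
   for a new security association, as an added Python example that is
   not part of the draft. It treats the four bits as mutually exclusive
   levels (an assumption; the TC is declared as BITS), and the packet
   and filter values it uses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Bit positions of IpSecGranularityTC, used here as exclusive levels
SUBNET, ADDRESS, PROTOCOL, PORT = 0, 1, 2, 3


@dataclass(frozen=True)
class Packet:
    """The triggering packet (constructed sample data in the tests)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Proposed SA selector; None means 'any' for that field."""
    src: str                      # CIDR prefix
    dst: str
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def proposed_selector(granularity: int, filter_src: str, filter_dst: str,
                      pkt: Packet) -> Selector:
    """Derive the selector proposed for a new SA.

    filter_src/filter_dst are the source and destination subnets of the
    filter entry that matched; pkt is the packet that triggered the rule."""
    if granularity == SUBNET:
        return Selector(str(ipaddress.ip_network(filter_src, strict=False)),
                        str(ipaddress.ip_network(filter_dst, strict=False)))
    # Every other level narrows to the triggering hosts (/32 or /128)
    host_src = str(ipaddress.ip_network(pkt.src))
    host_dst = str(ipaddress.ip_network(pkt.dst))
    if granularity == ADDRESS:
        return Selector(host_src, host_dst)
    if granularity == PROTOCOL:
        return Selector(host_src, host_dst, pkt.proto)
    if granularity == PORT:
        return Selector(host_src, host_dst, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError("unknown granularity %r" % granularity)


def selector_matches(sel: Selector, pkt: Packet) -> bool:
    """Would a later packet be carried by an SA negotiated with 'sel'?"""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(sel.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(sel.dst):
        return False
    for want, have in ((sel.proto, pkt.proto), (sel.sport, pkt.sport),
                       (sel.dport, pkt.dport)):
        if want is not None and want != have:
            return False
    return True
```

   The trade-off the granularity setting controls is visible in the
   match function: a subnet-granular SA is reused by every host pair in
   the two prefixes, while a port-granular SA forces a fresh negotiation
   for each new flow.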

   IpSecIpsoClassificationTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     " Specifies IP security options (IPSO) classification level."
     REFERENCE "RFC 1108"
     SYNTAX    INTEGER {topSecret(61),secret(90),
                        confidential(150),unclassified(171)}

   IpSecIpsoProtectionTC ::= TEXTUAL-CONVENTION
     STATUS       current
     DESCRIPTION
     " Specifies IPSO protection level."
     REFERENCE "RFC 1108"
     SYNTAX    INTEGER {genser(0),siop-esi(1),sci(2),
                        nsa(3),doe(4)}

   --
   -- Object identifiers
   --

   ipSecAssociation
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 1 }
   ipSecAhTransform
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 2 }
   ipSecEspTransform
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 3 }
   ipSecCompTransform
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 4 }
   ipSecIkeAssociation
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 5 }
   ipSecCredential
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 6 }
   ipSecSelector
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 7 }
   ipSecPolicyTimePeriod
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 8 }
   ipSecIfCapability
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 9 }
   ipSecPolicyPibConformance
               OBJECT IDENTIFIER ::= {ipSecPolicyPib 10 }

   --
   --
   -- The ipSecRuleTable
   --

   ipSecRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "This class is the starting point for specifying an IPsec policy.
   It contains an ordered list of IPsec rules.

   For each entry:

   1. ipSecRuleIfCapSetName must reference an existing capability set
   name in frwkCapabilitySetTable [RFC3318].

   2. ipSecRuleRoles must reference an existing Role Combination in
   frwkRoleComboTable [RFC3318].

   If either of these requirements is not satisfied, the entry shall
   not be installed."
     ::= { ipSecAssociation  1 }

   ipSecRuleEntry OBJECT-TYPE
     SYNTAX IpSecRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecRulePrid }
     UNIQUENESS {
       ipSecRuleIfCapSetName,
       ipSecRuleRoles,
       ipSecRuleOrder
       }
     ::= { ipSecRuleTable 1 }

     IpSecRuleEntry ::= SEQUENCE {
        ipSecRulePrid InstanceId,
        ipSecRuleIfCapSetName SnmpAdminString,
        ipSecRuleRoles RoleCombination,
        ipSecRuleDirection IpSecDirectionTC,
        ipSecRuleIpSecSelectorSetId TagReferenceId,
        ipSecRuleIpSecIpsoFilterSetId TagReferenceId,
        ipSecRuleIpSecActionSetId TagReferenceId,
        ipSecRuleActionExecutionStrategy INTEGER,
        ipSecRuleOrder IpSecOrderTC,
        ipSecRuleLimitNegotiation INTEGER,
        ipSecRuleAutoStart TruthValue,
        ipSecRuleIpSecRuleTimePeriodGroupId TagReferenceId
   }

   ipSecRulePrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecRuleEntry  1 }

   ipSecRuleIfCapSetName OBJECT-TYPE
     SYNTAX SnmpAdminString
     STATUS current
     DESCRIPTION
   "The interface capability set to which this IPsec rule applies.
   The interface capability name specified by this attribute MUST
   exist in an entry of the frwkCapabilitySetTable [RFC3318] prior to
   association with an instance of this class. The
   frwkCapabilitySetCapability attribute of that entry shall in turn
   point to an entry in the ipSecIfCaps table."
     ::= { ipSecRuleEntry  2 }

   ipSecRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combination of the interface to which this
   IPsec rule should apply. There must exist an instance in the
   frwkRoleComboTable [RFC3318] specifying this role combination,
   together with the interface capability set specified by
   ipSecRuleIfCapSetName, prior to association with an instance of
   this class."
     ::= { ipSecRuleEntry  3 }

   ipSecRuleDirection OBJECT-TYPE
     SYNTAX IpSecDirectionTC
     STATUS current
     DESCRIPTION
   "Specifies the direction of traffic to which this rule should
   apply."
     ::= { ipSecRuleEntry  4 }

   ipSecRuleIpSecSelectorSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecSelectorSetSelectorSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of selectors to be associated with this IPsec
   rule. "
     ::= { ipSecRuleEntry  5 }

   ipSecRuleIpSecIpsoFilterSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecIpsoFilterSetFilterSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IPSO filters to be associated with this IPsec
   rule. A value of zero indicates that there are no IPSO filters
   associated with this rule.

   When the value of this attribute is not zero, the set of IPSO
   filters is ANDed with the set of Selectors specified by
   ipSecRuleIpSecSelectorSetId. In other words, a packet MUST match a
   selector in the selector sets and a filter in the IPSO filter sets
   before the actions associated with this rule can be applied."
     ::= { ipSecRuleEntry  6 }

   ipSecRuleIpSecActionSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecActionSetActionSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IPsec actions to be associated with this
   rule."
     ::= { ipSecRuleEntry  7 }

   ipSecRuleActionExecutionStrategy OBJECT-TYPE
     SYNTAX INTEGER {
       doAll(1),
       doUntilSuccess(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the strategy to be used in executing the sequenced
   actions in the action set identified by ipSecRuleIpSecActionSetId.

   DoAll (1) causes the execution of all the actions in the action
   set according to their defined precedence order. The precedence
   order is specified by the ipSecActionSetOrder in the
   ipSecActionSetTable.

   DoUntilSuccess (2) causes the execution of actions according to
   their defined precedence order until a successful execution of a
   single action. The precedence order is specified by the
   ipSecActionSetOrder in the ipSecActionSetTable."
     ::= { ipSecRuleEntry  8 }

   ipSecRuleOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "Specifies the precedence order of the rule within all the rules
   associated with {IfCapSetName, Roles}."
     ::= { ipSecRuleEntry  9 }

   ipSecRuleLimitNegotiation OBJECT-TYPE
     SYNTAX INTEGER {
       initiator(1),
       responder(2),
       both(3)
       }
     STATUS current
     DESCRIPTION
   "Limits the negotiation method. Before proceeding with a phase 2
   negotiation, the LimitNegotiation property of the IPsecRule is
   first checked to determine if the negotiation part indicated for
   the rule matches that of the current negotiation (Initiator,
   Responder, or Either).

   This attribute is ignored when an attempt is made to refresh an
   expiring security association (SA), since either side can initiate
   a refresh operation.  The system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA. If
   LimitNegotiation does not match and the selector corresponds to a
   new SA, the negotiation is stopped. "
     ::= { ipSecRuleEntry  10 }
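   The two rule attributes just described, the action execution
   strategy (doAll versus doUntilSuccess over the ipSecActionSetOrder
   precedence) and the LimitNegotiation check with its refresh
   exception, modelled in Python. This is an added example, not code
   from the draft; the action names and the success/failure outcomes
   are constructed, and each action is stood in for by a callable that
   reports whether it succeeded.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

DO_ALL, DO_UNTIL_SUCCESS = 1, 2           # ipSecRuleActionExecutionStrategy
INITIATOR, RESPONDER, BOTH = 1, 2, 3      # ipSecRuleLimitNegotiation


@dataclass
class ActionSetEntry:
    """One row of ipSecActionSetTable, reduced to what execution needs."""
    order: int                 # ipSecActionSetOrder; smaller runs first
    name: str                  # stands in for ipSecActionSetActionId
    run: Callable[[], bool]    # the referenced action; True means success


def execute_action_set(entries: List[ActionSetEntry],
                       strategy: int) -> List[Tuple[str, bool]]:
    """Run an action set in precedence order under the given strategy.

    DO_ALL runs every action; DO_UNTIL_SUCCESS stops after the first
    action that succeeds. Returns (name, succeeded) in execution order."""
    if strategy not in (DO_ALL, DO_UNTIL_SUCCESS):
        raise ValueError("unknown execution strategy %r" % strategy)
    outcome = []
    for entry in sorted(entries, key=lambda e: e.order):
        ok = entry.run()
        outcome.append((entry.name, ok))
        if strategy == DO_UNTIL_SUCCESS and ok:
            break
    return outcome


def negotiation_permitted(limit: int, our_part: int,
                          selector_has_existing_sa: bool) -> bool:
    """Apply ipSecRuleLimitNegotiation before a phase 2 negotiation.

    A refresh of an existing SA (same selector) ignores the limit, since
    either side may initiate it; otherwise our part in the negotiation
    must match the rule's limit, or the limit must be 'both'."""
    if selector_has_existing_sa:
        return True
    return limit == BOTH or limit == our_part


def sample_run() -> Tuple[List[Tuple[str, bool]], List[Tuple[str, bool]]]:
    """Constructed action set: the highest-precedence action fails."""
    entries = [
        ActionSetEntry(30, "tunnel-to-backup", lambda: True),
        ActionSetEntry(10, "tunnel-to-primary", lambda: False),
        ActionSetEntry(20, "transport-fallback", lambda: True),
    ]
    return (execute_action_set(entries, DO_ALL),
            execute_action_set(entries, DO_UNTIL_SUCCESS))
```

   In sample_run the entries are deliberately listed out of order to
   show that precedence comes from ipSecActionSetOrder, not from row
   position; under doUntilSuccess the backup tunnel is never attempted
   because the transport fallback already succeeded.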

   ipSecRuleAutoStart OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Indicates if this rule shall be automatically activated when it is
   instantiated, i.e., start negotiating or statically set security
   associations. If the value is changed to false later, there is no
   impact on the security associations that have already started.
   "
     ::= { ipSecRuleEntry  11 }

   ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
     STATUS current
     DESCRIPTION
   "Identifies an IPsec rule time period set, specified in
   ipSecRuleTimePeriodSetTable, that is associated with this rule.

   A value of zero indicates that this IPsec rule is always valid."
     ::= { ipSecRuleEntry  12 }

   --
   --
   -- The ipSecActionSetTable
   --

   ipSecActionSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecActionSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies a set of IPsec actions."
     ::= { ipSecAssociation  2 }

   ipSecActionSetEntry OBJECT-TYPE
     SYNTAX IpSecActionSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecActionSetPrid }
     UNIQUENESS {
       ipSecActionSetActionSetId,
       ipSecActionSetActionId,
       ipSecActionSetDoActionLogging,
       ipSecActionSetDoPacketLogging,
       ipSecActionSetOrder
       }
     ::= { ipSecActionSetTable 1 }

     IpSecActionSetEntry ::= SEQUENCE {
        ipSecActionSetPrid InstanceId,
        ipSecActionSetActionSetId TagId,
        ipSecActionSetActionId Prid,
        ipSecActionSetDoActionLogging TruthValue,
        ipSecActionSetDoPacketLogging TruthValue,
        ipSecActionSetOrder IpSecOrderTC
   }

   ipSecActionSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecActionSetEntry  1 }

   ipSecActionSetActionSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPsec action set is composed of one or more IPsec actions.
   Actions belonging to the same set have the same ActionSetId."
     ::= { ipSecActionSetEntry  2 }

   ipSecActionSetActionId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table that describes an
   action to be taken.

   For IPsec static actions, it MUST point to an instance in the
   ipSecStaticActionTable. For IPsec negotiation actions, it MUST
   point to an instance in the ipSecNegotiationActionTable. For other
   actions, it may point to an instance of a class specified by other
   PIB modules."
     ::= { ipSecActionSetEntry  3 }

   ipSecActionSetDoActionLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether a log message is to be generated when the
   action is performed.  This applies for ipSecNegotiationActions
   with the meaning of logging a message when the negotiation is
   attempted (with the success or failure result). This also applies
   for ipSecStaticAction only for PreconfiguredTransport action
   (ipSecStaticActionAction = 4)  or PreconfiguredTunnel action
   (ipSecStaticActionAction = 5) with the meaning of logging a
   message when the preconfigured security association is actually
   installed in the security association database (SADB)."
     ::= { ipSecActionSetEntry  4 }

   ipSecActionSetDoPacketLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether to log when the resulting security association
   is used to process a packet. For ipSecStaticActions, a log message
   is to be generated when the IPsecBypass (ipSecStaticActionAction =
   1), IpsecDiscard (ipSecStaticActionAction = 2) or IKEReject
   (ipSecStaticActionAction = 3) actions are executed. "
     ::= { ipSecActionSetEntry  5 }

   ipSecActionSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "Specifies the precedence order of the action within the action
   set."
     ::= { ipSecActionSetEntry  6 }

   --
   --
   -- The ipSecStaticActionTable
   --

   ipSecStaticActionTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecStaticActionEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec static actions."
     ::= { ipSecAssociation  3 }

   ipSecStaticActionEntry OBJECT-TYPE
     SYNTAX IpSecStaticActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecStaticActionPrid }
     UNIQUENESS {
       ipSecStaticActionAction,
       ipSecStaticActionTunnelEndpointId,
       ipSecStaticActionDfHandling,
       ipSecStaticActionSpi,
       ipSecStaticActionLifetimeSeconds,
       ipSecStaticActionLifetimeKilobytes,
       ipSecStaticActionSaTransformId
       }
     ::= { ipSecStaticActionTable 1 }

     IpSecStaticActionEntry ::= SEQUENCE {
        ipSecStaticActionPrid InstanceId,
        ipSecStaticActionAction INTEGER,
        ipSecStaticActionTunnelEndpointId ReferenceId,
        ipSecStaticActionDfHandling IpSecDFBitTC,
        ipSecStaticActionSpi Unsigned32,
        ipSecStaticActionLifetimeSeconds Unsigned32,
        ipSecStaticActionLifetimeKilobytes Unsigned64,
        ipSecStaticActionSaTransformId Prid
   }

   ipSecStaticActionPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecStaticActionEntry  1 }

   ipSecStaticActionAction OBJECT-TYPE
     SYNTAX INTEGER {
       byPass(1),
       discard(2),
       ikeRejection(3),
       preConfiguredTransport(4),
       preConfiguredTunnel(5)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPsec action to be applied to the traffic. byPass
   (1) means that packets are to be allowed to pass in the clear.
   discard (2) means that packets are to be discarded. ikeRejection
   (3) means that an IKE negotiation should not even be attempted or
   continued. preConfiguredTransport (4) means that an IPsec
   transport SA is pre-configured. preConfiguredTunnel (5) means that
   an IPsec tunnel SA is pre-configured. "
     ::= { ipSecStaticActionEntry  2 }

   ipSecStaticActionTunnelEndpointId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAddressEntry }
     STATUS current
     DESCRIPTION
   "When ipSecStaticActionAction is preConfiguredTunnel (5), this
   attribute indicates the peer gateway IP address. This address MUST
   be a single endpoint address.

   When ipSecStaticActionAction is not preConfiguredTunnel, this
   attribute MUST be zero."
     ::= { ipSecStaticActionEntry  3 }

   ipSecStaticActionDfHandling OBJECT-TYPE
     SYNTAX IpSecDFBitTC
     STATUS current
     DESCRIPTION
   "When ipSecStaticActionAction is preConfiguredTunnel, this
   attribute specifies how the DF bit is managed. When
   ipSecStaticActionAction is not preConfiguredTunnel, this attribute
   MUST be ignored. "
     ::= { ipSecStaticActionEntry  4 }

   ipSecStaticActionSpi OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the Security Parameter Index (SPI) to be used with the
   SA Transform identified by ipSecStaticActionSaTransformId.

   When ipSecStaticActionAction is neither
   preConfiguredTransportAction nor preConfiguredTunnelAction, this
   attribute MUST be ignored."
     ::= { ipSecStaticActionEntry  5 }

   ipSecStaticActionLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the amount of time (in seconds) that a security
   association derived from this action should be used. When
   ipSecStaticActionAction is neither preConfiguredTransportAction
   nor preConfiguredTunnelAction, this attribute MUST be ignored.

   A value of zero indicates that there is not a lifetime in seconds
   associated with this action (i.e., infinite lifetime in seconds).
   This is consistent with [RFC3585].

   The actual lifetime of the preconfigured SA will be the smallest
   of the value of this LifetimeSeconds property and of the value of
   the MaxLifetimeSeconds property of the associated SA Transform.
   Except if the value of this LifetimeSeconds property is zero, then
   there will be no lifetime associated with this SA.

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecStaticActionEntry  6 }

   ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the SA lifetime in kilobytes. When
   ipSecStaticActionAction is neither preConfiguredTransportAction
   nor preConfiguredTunnelAction, this attribute MUST be ignored.

   A value of zero indicates that there is no lifetime in byte count
   associated with this action (i.e., infinite lifetime in byte
   count). This is consistent with [RFC3585].

   The actual lifetime of the preconfigured SA will be the smaller
   of the value of this LifetimeKilobytes property and the value
   of the MaxLifetimeKilobytes property of the associated SA
   transform, except that if the value of this LifetimeKilobytes
   property is zero, there will be no lifetime associated with this
   action.

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecStaticActionEntry  7 }

   ipSecStaticActionSaTransformId OBJECT-TYPE
     SYNTAX Prid
     STATUS current

     DESCRIPTION
   "A pointer to a valid instance in another table that describes an
   SA transform, e.g., ipSecEspTransformTable or ipSecAhTransformTable."
     ::= { ipSecStaticActionEntry  8 }

   --
   --
   -- The ipSecNegotiationActionTable
   --

   ipSecNegotiationActionTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecNegotiationActionEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec negotiation actions."
     ::= { ipSecAssociation  4 }

   ipSecNegotiationActionEntry OBJECT-TYPE
     SYNTAX IpSecNegotiationActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecNegotiationActionPrid }
     UNIQUENESS {
       ipSecNegotiationActionAction,
       ipSecNegotiationActionTunnelEndpointId,
       ipSecNegotiationActionDfHandling,
       ipSecNegotiationActionIpSecAssociationId,
       ipSecNegotiationActionKeyExchangeId
       }
     ::= { ipSecNegotiationActionTable 1 }

     IpSecNegotiationActionEntry ::= SEQUENCE {
        ipSecNegotiationActionPrid InstanceId,
        ipSecNegotiationActionAction IpSecActionTC,
        ipSecNegotiationActionTunnelEndpointId ReferenceId,
        ipSecNegotiationActionDfHandling IpSecDFBitTC,
        ipSecNegotiationActionIpSecAssociationId ReferenceId,
        ipSecNegotiationActionKeyExchangeId Prid
   }

   ipSecNegotiationActionPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecNegotiationActionEntry  1 }

   ipSecNegotiationActionAction OBJECT-TYPE
     SYNTAX IpSecActionTC
     STATUS current
     DESCRIPTION
   "Specifies the IPsec action to be applied to the traffic.
   transport(1) means that the packet should be protected with a
   security association in transport mode. tunnel(2) means that the
   packet should be protected with a security association in tunnel
   mode. If tunnel(2) is specified, ipSecActionTunnelEndpointId MUST
   also be specified."
     ::= { ipSecNegotiationActionEntry  2 }

   ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAddressEntry }
     STATUS current
     DESCRIPTION
   "When ipSecActionAction is tunnel (2), this attribute indicates
   the peer gateway IP address. This address MUST be a single
   endpoint address.

   When ipSecActionAction is not tunnel, this attribute MUST be
   zero."
     ::= { ipSecNegotiationActionEntry  3 }

   ipSecNegotiationActionDfHandling OBJECT-TYPE
     SYNTAX IpSecDFBitTC
     STATUS current
     DESCRIPTION
   "When ipSecActionAction is tunnel, this attribute specifies how
   the DF bit is managed.

   Copy (1) indicates to copy the DF bit from the internal IP header
   to the external IP header. Set (2) indicates to set the DF bit of
   the external IP header to 1. Clear (3) indicates to clear the DF
   bit of the external IP header to 0.

   When ipSecActionAction is not tunnel, this attribute MUST be
   ignored."
     ::= { ipSecNegotiationActionEntry  4 }

   ipSecNegotiationActionIpSecAssociationId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAssociationEntry }
     STATUS current
     DESCRIPTION
   "Pointer to a valid instance in the ipSecAssociationTable."
     ::= { ipSecNegotiationActionEntry  5 }

   ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table that describes key
   exchange associations. If a single IKEv1 phase one negotiation is
   used for the key exchange, this attribute MUST point to an
   instance in the ipSecIkeAssociationTable. If multiple IKEv1 phase
   one negotiations (e.g., with different modes) are to be tried
   until success, this attribute SHOULD point to ipSecIkeRuleTable.

   For other key exchange methods, this attribute may point to an
   instance of a PRC defined in some other PIB.

   A value of zeroDotZero means that there is no key exchange
   procedure associated."
     ::= { ipSecNegotiationActionEntry  6 }

   --
   --
   -- The ipSecAssociationTable
   --

   ipSecAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAssociationEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec associations."
     ::= { ipSecAssociation  5 }

   ipSecAssociationEntry OBJECT-TYPE
     SYNTAX IpSecAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAssociationPrid }
     UNIQUENESS {
       ipSecAssociationMinLifetimeSeconds,
       ipSecAssociationMinLifetimeKilobytes,
       ipSecAssociationIdleDurationSeconds,
       ipSecAssociationUsePfs,
       ipSecAssociationUseKeyExchangeGroup,
       ipSecAssociationDhGroup,
       ipSecAssociationGranularity,
       ipSecAssociationProposalSetId
       }
     ::= { ipSecAssociationTable 1 }

     IpSecAssociationEntry ::= SEQUENCE {
        ipSecAssociationPrid InstanceId,
        ipSecAssociationMinLifetimeSeconds Unsigned32,
        ipSecAssociationMinLifetimeKilobytes Unsigned64,
        ipSecAssociationIdleDurationSeconds Unsigned32,
        ipSecAssociationUsePfs TruthValue,
        ipSecAssociationUseKeyExchangeGroup TruthValue,
        ipSecAssociationDhGroup IkeGroupDescription,
        ipSecAssociationGranularity IpSecGranularityTC,
        ipSecAssociationProposalSetId TagReferenceId
   }

   ipSecAssociationPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecAssociationEntry  1 }

   ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA lifetime in seconds that will be accepted
   from a peer while negotiating an SA based upon this action.
   A value of zero indicates that there is no minimum lifetime in
   seconds enforced. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecAssociationEntry  2 }

   ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.
   A value of zero indicates that there is no minimum lifetime in
   byte count enforced. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecAssociationEntry  3 }

   ipSecAssociationIdleDurationSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies how long, in seconds, a security association may remain
   unused before it is deleted.

   A value of zero indicates that idle detection should not be used
   for the security association (only the seconds and kilobyte
   lifetimes will be used). This is consistent with [RFC3585]."
     ::= { ipSecAssociationEntry  4 }

   ipSecAssociationUsePfs OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether or not to use PFS when refreshing keys."
     ::= { ipSecAssociationEntry  5 }

   ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether or not to use the same GroupId for phase 2 as
   was used in phase 1.  If UsePFS is false, then this attribute is
   ignored.

   A value of true indicates that the phase 2 GroupId should be the
   same as phase 1.  A value of false indicates that the group number
   specified by the ipSecAssociationDhGroup attribute SHALL be used
   for phase 2."
     ::= { ipSecAssociationEntry  6 }

   ipSecAssociationDhGroup OBJECT-TYPE
     SYNTAX IkeGroupDescription
     STATUS current
     DESCRIPTION
   "Specifies the key exchange group to use for phase 2 when the
   property ipSecAssociationUsePfs is true and the property
   ipSecAssociationUseKeyExchangeGroup is false."
     ::= { ipSecAssociationEntry  7 }

   ipSecAssociationGranularity OBJECT-TYPE
     SYNTAX IpSecGranularityTC
     STATUS current
     DESCRIPTION
   "Specifies how the proposed selector for the security association
   will be created."
     ::= { ipSecAssociationEntry  8 }

   ipSecAssociationProposalSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecProposalSetProposalSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IPsec proposals that is associated with this
   IPsec association."
     ::= { ipSecAssociationEntry  9 }

   --
   --
   -- The ipSecProposalSetTable
   --

   ipSecProposalSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec proposal sets. Proposals within a set are ORed
   with preference order."
     ::= { ipSecAssociation  6 }

   ipSecProposalSetEntry OBJECT-TYPE
     SYNTAX IpSecProposalSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecProposalSetPrid }
     UNIQUENESS {
       ipSecProposalSetProposalSetId,
       ipSecProposalSetProposalId,
       ipSecProposalSetOrder
       }
     ::= { ipSecProposalSetTable 1 }

     IpSecProposalSetEntry ::= SEQUENCE {
        ipSecProposalSetPrid InstanceId,
        ipSecProposalSetProposalSetId TagId,
        ipSecProposalSetProposalId ReferenceId,
        ipSecProposalSetOrder IpSecOrderTC
   }

   ipSecProposalSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecProposalSetEntry  1 }

   ipSecProposalSetProposalSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPsec proposal set is composed of one or more IPsec proposals.
   Proposals belonging to the same set have the same ProposalSetId."
     ::= { ipSecProposalSetEntry  2 }

   ipSecProposalSetProposalId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecProposalEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecProposalTable."
     ::= { ipSecProposalSetEntry  3 }

   ipSecProposalSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the proposal
   identified by ipSecProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A smaller
   integer value indicates a higher preference."
     ::= { ipSecProposalSetEntry  4 }

   --
   --
   -- The ipSecProposalTable
   --

   ipSecProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec proposals. It has references to Encapsulating
   Security Payload (ESP), Authentication Header (AH) and IP Payload
   Compression Protocol (IPComp) transform sets. Within a proposal,
   different types of transforms are ANDed. Multiple transforms of
   the same type are ORed with preference order."
     ::= { ipSecAssociation  7 }

   ipSecProposalEntry OBJECT-TYPE
     SYNTAX IpSecProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecProposalPrid }
     UNIQUENESS {
       ipSecProposalEspTransformSetId,
       ipSecProposalAhTransformSetId,
       ipSecProposalCompTransformSetId
       }
     ::= { ipSecProposalTable 1 }

     IpSecProposalEntry ::= SEQUENCE {
        ipSecProposalPrid InstanceId,
        ipSecProposalEspTransformSetId TagReferenceId,
        ipSecProposalAhTransformSetId TagReferenceId,
        ipSecProposalCompTransformSetId TagReferenceId
   }

   ipSecProposalPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecProposalEntry  1 }

   ipSecProposalEspTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecEspTransformSetTransformSetId }
     STATUS current
     DESCRIPTION
   "An integer that identifies a set of ESP transforms, specified in
   ipSecEspTransformSetTable, that is associated with this proposal."
     ::= { ipSecProposalEntry  2 }

   ipSecProposalAhTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecAhTransformSetTransformSetId }
     STATUS current
     DESCRIPTION
   "An integer that identifies an AH transform set, specified in
   ipSecAhTransformSetTable, that is associated with this proposal."
     ::= { ipSecProposalEntry  3 }

   ipSecProposalCompTransformSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCompTransformSetTransformSetId }
     STATUS current
     DESCRIPTION
   "An integer that identifies a set of IPComp transforms, specified
   in ipSecCompTransformSetTable, that is associated with this
   proposal."
     ::= { ipSecProposalEntry  4 }

   --
   --
   -- The ipSecAhTransformSetTable
   --

   ipSecAhTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies AH transform sets. Within a transform set, the
   transforms are ORed with preference order."
     ::= { ipSecAhTransform  1 }

   ipSecAhTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAhTransformSetPrid }
     UNIQUENESS {
       ipSecAhTransformSetTransformSetId,
       ipSecAhTransformSetTransformId,
       ipSecAhTransformSetOrder
       }
     ::= { ipSecAhTransformSetTable 1 }

     IpSecAhTransformSetEntry ::= SEQUENCE {
        ipSecAhTransformSetPrid InstanceId,
        ipSecAhTransformSetTransformSetId TagId,
        ipSecAhTransformSetTransformId ReferenceId,
        ipSecAhTransformSetOrder IpSecOrderTC
   }

   ipSecAhTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecAhTransformSetEntry  1 }

   ipSecAhTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An AH transform set is composed of one or more AH transforms.
   Transforms belonging to the same set have the same
   TransformSetId."
     ::= { ipSecAhTransformSetEntry  2 }

   ipSecAhTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAhTransformEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecAhTransformTable."
     ::= { ipSecAhTransformSetEntry  3 }

   ipSecAhTransformSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecAhTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecAhTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A smaller integer value indicates a
   higher preference."
     ::= { ipSecAhTransformSetEntry  4 }

   --
   --
   -- The ipSecAhTransformTable
   --

   ipSecAhTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies AH transforms."
     ::= { ipSecAhTransform  2 }

   ipSecAhTransformEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAhTransformPrid }
     UNIQUENESS {
       ipSecAhTransformTransformId,
       ipSecAhTransformIntegrityKey,
       ipSecAhTransformUseReplayPrevention,
       ipSecAhTransformReplayPreventionWindowSize,
       ipSecAhTransformMaxLifetimeSeconds,
       ipSecAhTransformMaxLifetimeKilobytes
       }
     ::= { ipSecAhTransformTable 1 }

     IpSecAhTransformEntry ::= SEQUENCE {
        ipSecAhTransformPrid InstanceId,
        ipSecAhTransformTransformId IpsecDoiAuthAlgorithm,
        ipSecAhTransformIntegrityKey OCTET STRING,
        ipSecAhTransformUseReplayPrevention TruthValue,
        ipSecAhTransformReplayPreventionWindowSize Unsigned32,
        ipSecAhTransformMaxLifetimeSeconds Unsigned32,
        ipSecAhTransformMaxLifetimeKilobytes Unsigned64
   }

   ipSecAhTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecAhTransformEntry  1 }

   ipSecAhTransformTransformId OBJECT-TYPE
     SYNTAX IpsecDoiAuthAlgorithm
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the AH algorithm to propose."
     ::= { ipSecAhTransformEntry  2 }

   ipSecAhTransformIntegrityKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When this AH transform instance is used for a Static Action, this
   attribute specifies the integrity key to be used. This attribute
   MUST be ignored when this AH transform instance is used for a
   Negotiation Action."
     ::= { ipSecAhTransformEntry  3 }

   ipSecAhTransformUseReplayPrevention OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether to enable replay prevention detection."
     ::= { ipSecAhTransformEntry  4 }

   ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "bits"
     STATUS current
     DESCRIPTION
   "Specifies, in bits, the length of the sliding window used by the
   replay prevention detection mechanism. The value of this property
   is ignored if UseReplayPrevention is false. It is assumed that the
   window size will take a value that is a power of 2."
     ::= { ipSecAhTransformEntry  5 }

   ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours is to be
   used.  A non-zero value indicates the maximum seconds lifetime.
   This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecAhTransformEntry  6 }

   ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecAhTransformEntry  7 }
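   The lifetime rules scattered across this module (a zero action
   lifetime in ipSecStaticActionLifetimeSeconds/Kilobytes meaning no
   lifetime at all, the effective value being the smaller of the
   action value and the transform's MaxLifetime, a zero
   MaxLifetimeSeconds standing for the 8 hour default, a zero
   MaxLifetimeKilobytes meaning no maximum, the association's
   MinLifetime bounding what is accepted from a peer, and the first
   lifetime to expire taking precedence) are collected below as an
   added Python example. It is not part of this draft; the class and
   function names are the example's own, and the sample values in the
   usage block are constructed.

```python
"""Effective IPsec SA lifetimes under the rules stated in this PIB.

Constructed example; the class and function names are the example's own.
"""
from dataclasses import dataclass
from typing import Optional

# ipSecAhTransformMaxLifetimeSeconds: a value of zero means the 8 hour default.
DEFAULT_MAX_LIFETIME_SECONDS = 8 * 3600


@dataclass(frozen=True)
class StaticAction:
    """ipSecStaticActionLifetimeSeconds / ipSecStaticActionLifetimeKilobytes."""
    lifetime_seconds: int      # 0 = no time-based lifetime (infinite)
    lifetime_kilobytes: int    # 0 = no volume-based lifetime (infinite)


@dataclass(frozen=True)
class SaTransform:
    """ipSec*TransformMaxLifetimeSeconds / ipSec*TransformMaxLifetimeKilobytes."""
    max_lifetime_seconds: int    # 0 = use the 8 hour default
    max_lifetime_kilobytes: int  # 0 = no maximum kilobyte lifetime


@dataclass(frozen=True)
class Association:
    """ipSecAssociationMinLifetimeSeconds / ipSecAssociationMinLifetimeKilobytes."""
    min_lifetime_seconds: int    # 0 = no minimum enforced
    min_lifetime_kilobytes: int  # 0 = no minimum enforced


@dataclass(frozen=True)
class EffectiveLifetime:
    seconds: Optional[int]    # None = the SA never expires on time
    kilobytes: Optional[int]  # None = the SA never expires on volume


def effective_lifetime(action: StaticAction, transform: SaTransform) -> EffectiveLifetime:
    """Lifetime of a preconfigured SA: the smaller of the action value and the
    transform maximum, except that a zero action value means no lifetime at all."""
    if action.lifetime_seconds == 0:
        seconds = None
    else:
        max_seconds = transform.max_lifetime_seconds or DEFAULT_MAX_LIFETIME_SECONDS
        seconds = min(action.lifetime_seconds, max_seconds)

    if action.lifetime_kilobytes == 0:
        kilobytes = None
    elif transform.max_lifetime_kilobytes == 0:
        kilobytes = action.lifetime_kilobytes   # the transform imposes no maximum
    else:
        kilobytes = min(action.lifetime_kilobytes, transform.max_lifetime_kilobytes)

    return EffectiveLifetime(seconds, kilobytes)


def expired_by(lifetime: EffectiveLifetime, elapsed_seconds: int, kilobytes_used: int) -> Optional[str]:
    """Which lifetime has expired, if any. When both are configured the first to
    expire wins; if both are reached in the same check the time limit is reported."""
    if lifetime.seconds is not None and elapsed_seconds >= lifetime.seconds:
        return "seconds"
    if lifetime.kilobytes is not None and kilobytes_used >= lifetime.kilobytes:
        return "kilobytes"
    return None


def peer_lifetime_acceptable(assoc: Association, proposed_seconds: int, proposed_kilobytes: int) -> bool:
    """Negotiation side: a peer's proposed lifetime is accepted only if it is not
    below the configured minimum; a minimum of zero is not enforced."""
    if assoc.min_lifetime_seconds and proposed_seconds < assoc.min_lifetime_seconds:
        return False
    if assoc.min_lifetime_kilobytes and proposed_kilobytes < assoc.min_lifetime_kilobytes:
        return False
    return True


if __name__ == "__main__":
    # Constructed rows: a one hour, 2 MB action bound by a transform that
    # leaves both maxima at zero (8 hour default, no kilobyte maximum).
    lt = effective_lifetime(StaticAction(3600, 2048), SaTransform(0, 0))
    print(lt, expired_by(lt, 600, 2048))
```

   Keeping "no lifetime" as None rather than as a sentinel such as 0
   or a huge integer makes the infinite case explicit at every
   comparison, which is where implementations tend to get the zero
   semantics wrong.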

   --
   --
   -- The ipSecEspTransformSetTable
   --

   ipSecEspTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies ESP transform sets. Within a transform set, the choices
   are ORed with preference order."
     ::= { ipSecEspTransform  1 }

   ipSecEspTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecEspTransformSetPrid }
     UNIQUENESS {
       ipSecEspTransformSetTransformSetId,
       ipSecEspTransformSetTransformId,
       ipSecEspTransformSetOrder
       }
     ::= { ipSecEspTransformSetTable 1 }

     IpSecEspTransformSetEntry ::= SEQUENCE {
        ipSecEspTransformSetPrid InstanceId,
        ipSecEspTransformSetTransformSetId TagId,
        ipSecEspTransformSetTransformId ReferenceId,
        ipSecEspTransformSetOrder IpSecOrderTC
   }

   ipSecEspTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecEspTransformSetEntry  1 }

   ipSecEspTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An ESP transform set is composed of one or more ESP transforms.
   Transforms belonging to the same set have the same
   TransformSetId."
     ::= { ipSecEspTransformSetEntry  2 }

   ipSecEspTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecEspTransformEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecEspTransformTable."
     ::= { ipSecEspTransformSetEntry  3 }

   ipSecEspTransformSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecEspTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecEspTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A smaller integer value indicates a
   higher preference."
     ::= { ipSecEspTransformSetEntry  4 }
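   The ordering semantics stated for ipSecProposalSetTable,
   ipSecProposalTable and the AH and ESP transform set tables
   (proposals in a set ORed with preference order, a smaller Order
   value meaning higher preference; transform types within one
   proposal ANDed; transforms of one type within a set ORed with
   preference order) are shown below as an added Python example that
   expands a proposal set into the alternatives a negotiator would
   offer. It is not part of this draft. Table rows are modelled as
   dataclasses named after the PIB columns, the identifiers in the
   sample rows are constructed, and the example assumes that a
   TagReferenceId of 0 means "no transform set of that type", which
   the module text does not state.

```python
"""Expand an IPsec proposal set into the ordered alternatives a negotiator offers.

Constructed example; table rows are modelled as dataclasses named after the PIB
columns, and a TagReferenceId of 0 is taken to mean "no transform set of that type".
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ProposalSetRow:
    """ipSecProposalSetTable: ProposalSetId (tag), ProposalId (reference), Order."""
    proposal_set_id: int
    proposal_id: int
    order: int


@dataclass(frozen=True)
class ProposalRow:
    """ipSecProposalTable: Prid and the ESP/AH/IPComp TagReferenceIds (0 = none, assumed)."""
    prid: int
    esp_transform_set_id: int
    ah_transform_set_id: int
    comp_transform_set_id: int


@dataclass(frozen=True)
class TransformSetRow:
    """ipSec{Esp,Ah,Comp}TransformSetTable: TransformSetId (tag), TransformId (reference), Order."""
    transform_set_id: int
    transform_id: int
    order: int


def by_preference(rows: Sequence, set_id: int, id_attr: str, ref_attr: str) -> List[int]:
    """Members of one set, most preferred first (a smaller Order wins).
    The UNIQUENESS clauses forbid two rows of a set sharing an Order, so reject that."""
    members = [r for r in rows if getattr(r, id_attr) == set_id]
    orders = [r.order for r in members]
    if len(set(orders)) != len(orders):
        raise ValueError(f"duplicate Order within set {set_id}")
    return [getattr(r, ref_attr) for r in sorted(members, key=lambda r: r.order)]


def expand_proposal_set(set_id, proposal_set_rows, proposals, esp_sets, ah_sets, comp_sets) -> List[Dict[str, List[int]]]:
    """Proposals are ORed in preference order. Inside a proposal the transform
    types present are ANDed; alternatives of one type are ORed in preference order."""
    by_prid = {p.prid: p for p in proposals}
    result = []
    for prid in by_preference(proposal_set_rows, set_id, "proposal_set_id", "proposal_id"):
        p = by_prid[prid]
        proposal: Dict[str, List[int]] = {}
        for kind, tag, rows in (("esp", p.esp_transform_set_id, esp_sets),
                                ("ah", p.ah_transform_set_id, ah_sets),
                                ("comp", p.comp_transform_set_id, comp_sets)):
            if tag:  # assumption: 0 means no set of this type
                proposal[kind] = by_preference(rows, tag, "transform_set_id", "transform_id")
        result.append(proposal)
    return result


def candidate_combinations(proposal: Dict[str, List[int]]) -> List[Dict[str, int]]:
    """Concrete transform combinations for one proposal, in the order they would be
    offered: every type present is included (AND), earlier alternatives first (OR)."""
    kinds = list(proposal)
    return [dict(zip(kinds, combo)) for combo in product(*(proposal[k] for k in kinds))]


# Constructed sample rows; every identifier here is invented for the example.
SAMPLE_PROPOSAL_SET_ROWS = [ProposalSetRow(1, 10, 2), ProposalSetRow(1, 11, 1)]
SAMPLE_PROPOSALS = [ProposalRow(10, 100, 0, 0), ProposalRow(11, 100, 200, 0)]
SAMPLE_ESP_SETS = [TransformSetRow(100, 1001, 2), TransformSetRow(100, 1002, 1)]
SAMPLE_AH_SETS = [TransformSetRow(200, 2001, 1)]
SAMPLE_COMP_SETS: List[TransformSetRow] = []


def demo() -> List[Dict[str, List[int]]]:
    """Proposal set 1 of the sample rows: ESP+AH first, ESP-only second."""
    return expand_proposal_set(1, SAMPLE_PROPOSAL_SET_ROWS, SAMPLE_PROPOSALS,
                               SAMPLE_ESP_SETS, SAMPLE_AH_SETS, SAMPLE_COMP_SETS)


if __name__ == "__main__":
    for proposal in demo():
        print(proposal, "->", candidate_combinations(proposal))
```

   Because Order is a per-set preference and not a global one, the
   expansion sorts within each set independently; the duplicate-Order
   check mirrors the UNIQUENESS clauses, since two rows with the same
   Order would leave the negotiator's preference undefined.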

   --
   --
   -- The ipSecEspTransformTable
   --

   ipSecEspTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies ESP transforms."
     ::= { ipSecEspTransform  2 }

   ipSecEspTransformEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecEspTransformPrid }
     UNIQUENESS {
       ipSecEspTransformIntegrityTransformId,
       ipSecEspTransformCipherTransformId,
       ipSecEspTransformIntegrityKey,
       ipSecEspTransformCipherKey,
       ipSecEspTransformCipherKeyRounds,
       ipSecEspTransformCipherKeyLength,
       ipSecEspTransformUseReplayPrevention,
       ipSecEspTransformReplayPreventionWindowSize,
       ipSecEspTransformVendorId,
       ipSecEspTransformMaxLifetimeSeconds,
       ipSecEspTransformMaxLifetimeKilobytes
       }
     ::= { ipSecEspTransformTable 1 }

     IpSecEspTransformEntry ::= SEQUENCE {
        ipSecEspTransformPrid InstanceId,
        ipSecEspTransformIntegrityTransformId IpsecDoiAuthAlgorithm,
        ipSecEspTransformCipherTransformId IpsecDoiEspTransform,
        ipSecEspTransformIntegrityKey OCTET STRING,
        ipSecEspTransformCipherKey OCTET STRING,
        ipSecEspTransformCipherKeyRounds Unsigned16TC,
        ipSecEspTransformCipherKeyLength Unsigned16TC,
        ipSecEspTransformUseReplayPrevention TruthValue,
        ipSecEspTransformReplayPreventionWindowSize Unsigned32,
        ipSecEspTransformVendorId OCTET STRING,
        ipSecEspTransformMaxLifetimeSeconds Unsigned32,
        ipSecEspTransformMaxLifetimeKilobytes Unsigned64
   }

   ipSecEspTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecEspTransformEntry  1 }

   ipSecEspTransformIntegrityTransformId OBJECT-TYPE
     SYNTAX IpsecDoiAuthAlgorithm
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the ESP integrity algorithm to
   propose."
     ::= { ipSecEspTransformEntry  2 }

   ipSecEspTransformCipherTransformId OBJECT-TYPE
     SYNTAX IpsecDoiEspTransform
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the ESP encryption algorithm to
   propose."
     ::= { ipSecEspTransformEntry  3 }

   ipSecEspTransformIntegrityKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When this ESP transform instance is used for a Static Action,
   this attribute specifies the integrity key to be used. This
   attribute MUST be ignored when this ESP transform instance is used
   for a Negotiation Action."
     ::= { ipSecEspTransformEntry  4 }

   ipSecEspTransformCipherKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When this ESP transform instance is used for a Static Action,
   this attribute specifies the cipher key to be used. This attribute
   MUST be ignored when this ESP transform instance is used for a
   Negotiation Action."
     ::= { ipSecEspTransformEntry  5 }

   ipSecEspTransformCipherKeyRounds OBJECT-TYPE
     SYNTAX Unsigned16TC
     STATUS current
     DESCRIPTION
   "Specifies the number of key rounds for the ESP encryption
   algorithm.  For encryption algorithms that use fixed number of key
   rounds, this value is ignored."
     ::= { ipSecEspTransformEntry  6 }

   ipSecEspTransformCipherKeyLength OBJECT-TYPE
     SYNTAX Unsigned16TC
     UNITS  "bits"
     STATUS current
     DESCRIPTION
   "Specifies, in bits, the key length for the ESP encryption
   algorithm. For encryption algorithms that use fixed-length keys,
   this value is ignored."
     ::= { ipSecEspTransformEntry  7 }

   ipSecEspTransformUseReplayPrevention OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether to enable replay prevention detection."
     ::= { ipSecEspTransformEntry  8 }

   ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "bits"
     STATUS current
     DESCRIPTION
   "Specifies, in bits, the length of the sliding window used by the
   replay prevention detection mechanism. The value of this property
   is ignored if UseReplayPrevention is false. It is assumed that the
   window size will take a value that is a power of 2."
     ::= { ipSecEspTransformEntry  9 }

   ipSecEspTransformVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the vendor ID for vendor-defined transforms."
     ::= { ipSecEspTransformEntry  10 }

   ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime. This is
   consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecEspTransformEntry  11 }

   ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecEspTransformEntry  12 }

   --
   --
   -- The ipSecCompTransformSetTable
   --

   ipSecCompTransformSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPComp transform sets. Within a transform set, the
   choices are ORed with preference order."
     ::= { ipSecCompTransform  1 }

   ipSecCompTransformSetEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCompTransformSetPrid }
     UNIQUENESS {
       ipSecCompTransformSetTransformSetId,
       ipSecCompTransformSetTransformId,
       ipSecCompTransformSetOrder
       }
     ::= { ipSecCompTransformSetTable 1 }

     IpSecCompTransformSetEntry ::= SEQUENCE {
        ipSecCompTransformSetPrid InstanceId,
        ipSecCompTransformSetTransformSetId TagId,
        ipSecCompTransformSetTransformId ReferenceId,
        ipSecCompTransformSetOrder IpSecOrderTC
   }

   ipSecCompTransformSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCompTransformSetEntry  1 }

   ipSecCompTransformSetTransformSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPComp transform set is composed of one or more IPComp
   transforms. Transforms belonging to the same set have the same
   TransformSetId."
     ::= { ipSecCompTransformSetEntry  2 }

   ipSecCompTransformSetTransformId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecCompTransformEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecCompTransformTable."
     ::= { ipSecCompTransformSetEntry  3 }

   ipSecCompTransformSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the transform
   identified by ipSecCompTransformSetTransformId within a transform
   set. The transform set is identified by
   ipSecCompTransformSetTransformSetId. Transforms within a set are
   ORed with preference order. A smaller integer value indicates a
   higher precedence."
     ::= { ipSecCompTransformSetEntry  4 }

   --
   --
   -- The ipSecCompTransformTable
   --

   ipSecCompTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IP compression (IPComp) algorithms."
     ::= { ipSecCompTransform  2 }

   ipSecCompTransformEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCompTransformPrid }
     UNIQUENESS {
       ipSecCompTransformAlgorithm,
       ipSecCompTransformDictionarySize,
       ipSecCompTransformPrivateAlgorithm,
       ipSecCompTransformVendorId,
       ipSecCompTransformMaxLifetimeSeconds,
       ipSecCompTransformMaxLifetimeKilobytes
       }
     ::= { ipSecCompTransformTable 1 }

     IpSecCompTransformEntry ::= SEQUENCE {
        ipSecCompTransformPrid InstanceId,
        ipSecCompTransformAlgorithm IpsecDoiIpcompTransform,
        ipSecCompTransformDictionarySize Unsigned16TC,
        ipSecCompTransformPrivateAlgorithm Unsigned32,
        ipSecCompTransformVendorId OCTET STRING,
        ipSecCompTransformMaxLifetimeSeconds Unsigned32,
        ipSecCompTransformMaxLifetimeKilobytes Unsigned64
   }

   ipSecCompTransformPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCompTransformEntry  1 }

   ipSecCompTransformAlgorithm OBJECT-TYPE
     SYNTAX IpsecDoiIpcompTransform
     STATUS current
     DESCRIPTION
   "Specifies the transform ID of the IPComp compression algorithm
   to propose."
     ::= { ipSecCompTransformEntry  2 }

   ipSecCompTransformDictionarySize OBJECT-TYPE
     SYNTAX Unsigned16TC
     STATUS current
     DESCRIPTION
   "Specifies the log2 of the maximum size of the dictionary for the
   compression algorithm.  For compression algorithms that have pre-
   defined dictionary sizes, this value is ignored."
     ::= { ipSecCompTransformEntry  3 }

   ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies a private vendor-specific compression algorithm."
     ::= { ipSecCompTransformEntry  4 }

   ipSecCompTransformVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the vendor ID for vendor-defined transforms."
     ::= { ipSecCompTransformEntry  5 }

   ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime. This is
   consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecCompTransformEntry  6 }

   ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecCompTransformEntry  7 }

   --
   --
   -- The ipSecIkeRuleTable
   --

   ipSecIkeRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeRuleEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKEv1 rules. This class is required only when
   specifying:

   - Multiple IKE phase one actions (e.g., with different exchange
   modes) that are associated with one IPsec association. These
   actions are tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.

   For each entry:

   1. ipSecIkeRuleIfCapSetName must reference an existing capability
   set name in frwkCapabilitySetTable [RFC3318].

   2. ipSecIkeRuleRoles must reference an existing Role Combination
   in frwkRoleComboTable [RFC3318].

   If either or both of these requirements is not satisfied, the
   entry shall not be installed."
     ::= { ipSecIkeAssociation  1 }

   ipSecIkeRuleEntry OBJECT-TYPE
     SYNTAX IpSecIkeRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeRulePrid }
     UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleIfCapSetName,
       ipSecIkeRuleRoles,
       ipSecIkeRuleIkeActionSetId,
       ipSecIkeRuleActionExecutionStrategy,
       ipSecIkeRuleLimitNegotiation,
       ipSecIkeRuleAutoStart,
       ipSecIkeRuleIpSecRuleTimePeriodGroupId
       }
     ::= { ipSecIkeRuleTable 1 }

     IpSecIkeRuleEntry ::= SEQUENCE {
        ipSecIkeRulePrid InstanceId,
        ipSecIkeRuleIfCapSetName SnmpAdminString,
        ipSecIkeRuleRoles RoleCombination,
        ipSecIkeRuleIkeActionSetId TagReferenceId,
        ipSecIkeRuleActionExecutionStrategy INTEGER,
        ipSecIkeRuleLimitNegotiation INTEGER,
        ipSecIkeRuleAutoStart TruthValue,
        ipSecIkeRuleIpSecRuleTimePeriodGroupId TagReferenceId
   }

   ipSecIkeRulePrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeRuleEntry  1 }

   ipSecIkeRuleIfCapSetName OBJECT-TYPE
     SYNTAX SnmpAdminString
     STATUS current
     DESCRIPTION
   "The interface capability set to which this IKE rule applies. The
   interface capability name specified by this attribute must exist
   in the frwkCapabilitySetTable [RFC3318] prior to association with
   an instance of this class.

   This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkeRuleEntry  2 }

   ipSecIkeRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combination of the interface to which this IKE
   rule should apply. There must exist an instance in the
   frwkRoleComboTable [RFC3318] specifying this role combination,
   together with the interface capability set specified by
   ipSecIkeRuleIfCapSetName, prior to association with an instance of
   this class.

   This attribute MUST be ignored if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkeRuleEntry  3 }

   ipSecIkeRuleIkeActionSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecIkeActionSetActionSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IKE actions to be associated with this rule."
     ::= { ipSecIkeRuleEntry  4 }

   ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
     SYNTAX INTEGER {
       doAll(1),
       doUntilSuccess(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the strategy to be used in executing the sequenced
   actions in the action set identified by ipSecIkeRuleIkeActionSetId.

   DoAll (1) causes the execution of all the actions in the action
   set according to their defined precedence order. The precedence
   order is specified by the ipSecIkeActionSetOrder in
   ipSecIkeActionSetTable.

   DoUntilSuccess (2) causes the execution of actions according to
   their defined precedence order until a successful execution of a
   single action. The precedence order is specified by the
   ipSecIkeActionSetOrder in ipSecIkeActionSetTable."
     ::= { ipSecIkeRuleEntry  5 }

   ipSecIkeRuleLimitNegotiation OBJECT-TYPE
     SYNTAX INTEGER {
       initiator(1),
       responder(2),
       both(3)
       }
     STATUS current
     DESCRIPTION
   "Limits the negotiation method. Before proceeding with a phase 1
   negotiation, this property is checked to determine if the
   negotiation role of the rule matches that defined for the
   negotiation being undertaken (e.g., Initiator, Responder, or
   Both). If this check fails (e.g. the current role is IKE responder
   while the rule specifies IKE initiator), then the IKE negotiation
   is stopped. Note that this only applies to new IKE phase 1
   negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists."
     ::= { ipSecIkeRuleEntry  6 }

   ipSecIkeRuleAutoStart OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Indicates if this rule should be automatically executed."
     ::= { ipSecIkeRuleEntry  7 }

   ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
     STATUS current
     DESCRIPTION
   "Identifies a rule time period set, specified in
   ipSecRuleTimePeriodSetTable, that is associated with this rule.

   A value of zero indicates that this rule is always valid."
     ::= { ipSecIkeRuleEntry  8 }

   --
   --
   -- The ipSecIkeActionSetTable
   --

   ipSecIkeActionSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKEv1 action sets."
     ::= { ipSecIkeAssociation  2 }

   ipSecIkeActionSetEntry OBJECT-TYPE
     SYNTAX IpSecIkeActionSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeActionSetPrid }
     UNIQUENESS {
       ipSecIkeActionSetActionSetId,
       ipSecIkeActionSetActionId,
       ipSecIkeActionSetOrder
       }
     ::= { ipSecIkeActionSetTable 1 }

     IpSecIkeActionSetEntry ::= SEQUENCE {
        ipSecIkeActionSetPrid InstanceId,
        ipSecIkeActionSetActionSetId TagId,
        ipSecIkeActionSetActionId ReferenceId,
        ipSecIkeActionSetOrder IpSecOrderTC
   }

   ipSecIkeActionSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeActionSetEntry  1 }

   ipSecIkeActionSetActionSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IKE action set is composed of one or more IKE actions. Actions
   belonging to the same set have the same ActionSetId."
     ::= { ipSecIkeActionSetEntry  2 }

   ipSecIkeActionSetActionId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIkeAssociationEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecIkeAssociationTable."
     ::= { ipSecIkeActionSetEntry  3 }

   ipSecIkeActionSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "Specifies the precedence order of the action within the action
   set. An action with a smaller precedence order is tried before one
   with a larger precedence order."
     ::= { ipSecIkeActionSetEntry  4 }
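   The rule evaluation that the ipSecIkeRuleTable and
   ipSecIkeActionSetTable descriptions specify (install-time reference
   checks, the LimitNegotiation role check, ordering by
   ipSecIkeActionSetOrder, and the doAll/doUntilSuccess strategies),
   modelled in Python as an added example. This is not code from the
   draft; the dataclasses, the role constants and the run_action
   callback are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Added example, not part of the draft: a small model of how a PEP might
# evaluate rows of ipSecIkeRuleTable and ipSecIkeActionSetTable. Attribute
# names follow the PIB; the dataclasses, the role constants and the
# run_action callback are assumptions of this example.

DO_ALL = 1            # ipSecIkeRuleActionExecutionStrategy doAll(1)
DO_UNTIL_SUCCESS = 2  # ipSecIkeRuleActionExecutionStrategy doUntilSuccess(2)
INITIATOR, RESPONDER, BOTH = 1, 2, 3  # ipSecIkeRuleLimitNegotiation values


@dataclass(frozen=True)
class IkeRule:
    if_cap_set_name: str    # ipSecIkeRuleIfCapSetName
    roles: str              # ipSecIkeRuleRoles (a role combination)
    action_set_id: int      # ipSecIkeRuleIkeActionSetId (tag into the action set table)
    strategy: int           # ipSecIkeRuleActionExecutionStrategy
    limit_negotiation: int  # ipSecIkeRuleLimitNegotiation


@dataclass(frozen=True)
class IkeActionSetRow:
    action_set_id: int  # ipSecIkeActionSetActionSetId (TagId)
    action_id: int      # ipSecIkeActionSetActionId (reference into ipSecIkeAssociationTable)
    order: int          # ipSecIkeActionSetOrder; smaller is tried first


def install_problems(rule: IkeRule, cap_set_names: Set[str],
                     role_combos: Set[Tuple[str, str]]) -> List[str]:
    """Install-time checks from the ipSecIkeRuleTable description: the
    capability set must exist in frwkCapabilitySetTable and the
    (capability set, role combination) pair in frwkRoleComboTable.
    Returns the unmet requirements; the entry is installed only if empty."""
    problems = []
    if rule.if_cap_set_name not in cap_set_names:
        problems.append("ipSecIkeRuleIfCapSetName not in frwkCapabilitySetTable")
    if (rule.if_cap_set_name, rule.roles) not in role_combos:
        problems.append("ipSecIkeRuleRoles not in frwkRoleComboTable")
    return problems


def ordered_members(rows: List[IkeActionSetRow], action_set_id: int) -> List[int]:
    """Action ids of one set, smallest ipSecIkeActionSetOrder first. The
    transform-set and proposal-set tables use the same TagId/ReferenceId/
    Order layout, so the same selection and sort applies to them."""
    members = [r for r in rows if r.action_set_id == action_set_id]
    return [r.action_id for r in sorted(members, key=lambda r: r.order)]


def role_permitted(rule: IkeRule, current_role: int) -> bool:
    """ipSecIkeRuleLimitNegotiation: a new phase 1 negotiation proceeds only
    when the current role matches the rule; both(3) matches either role."""
    return rule.limit_negotiation in (BOTH, current_role)


def execute_rule(rule: IkeRule, rows: List[IkeActionSetRow], current_role: int,
                 run_action: Callable[[int], bool]) -> Tuple[bool, List[Tuple[int, bool]]]:
    """Returns (stopped_by_role_check, attempts); each attempt is
    (action_id, succeeded). doAll runs every member in order;
    doUntilSuccess stops after the first success."""
    if not role_permitted(rule, current_role):
        return True, []
    attempts: List[Tuple[int, bool]] = []
    for action_id in ordered_members(rows, rule.action_set_id):
        ok = run_action(action_id)
        attempts.append((action_id, ok))
        if ok and rule.strategy == DO_UNTIL_SUCCESS:
            break
    return False, attempts


# Constructed sample rows: action set 7 holds three IKE associations (rows
# deliberately stored out of order); set 8 belongs to some other rule.
SAMPLE_ROWS = [
    IkeActionSetRow(action_set_id=7, action_id=31, order=20),
    IkeActionSetRow(action_set_id=8, action_id=90, order=10),
    IkeActionSetRow(action_set_id=7, action_id=22, order=10),
    IkeActionSetRow(action_set_id=7, action_id=45, order=30),
]
SAMPLE_RULE = IkeRule(if_cap_set_name="vpn-gw-caps", roles="edge+vpn",
                      action_set_id=7, strategy=DO_UNTIL_SUCCESS,
                      limit_negotiation=INITIATOR)
SAMPLE_CAP_SETS = {"vpn-gw-caps"}
SAMPLE_ROLE_COMBOS = {("vpn-gw-caps", "edge+vpn")}


if __name__ == "__main__":
    print(install_problems(SAMPLE_RULE, SAMPLE_CAP_SETS, SAMPLE_ROLE_COMBOS))
    # Only association 31 "succeeds": 22 is tried first and fails, 31 is
    # tried next, and 45 is never attempted under doUntilSuccess.
    print(execute_rule(SAMPLE_RULE, SAMPLE_ROWS, INITIATOR, lambda a: a == 31))
    # As responder the rule (limited to initiator) stops before any action.
    print(execute_rule(SAMPLE_RULE, SAMPLE_ROWS, RESPONDER, lambda a: a == 31))
```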

   --
   --
   -- The ipSecIkeAssociationTable
   --

   ipSecIkeAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKEv1 associations."
     ::= { ipSecIkeAssociation  3 }

   ipSecIkeAssociationEntry OBJECT-TYPE
     SYNTAX IpSecIkeAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeAssociationPrid }
     UNIQUENESS {
       ipSecIkeAssociationMinLiftetimeSeconds,
       ipSecIkeAssociationMinLifetimeKilobytes,
       ipSecIkeAssociationIdleDurationSeconds,
       ipSecIkeAssociationExchangeMode,
       ipSecIkeAssociationUseIkeIdentityType,
       ipSecIkeAssociationUseIkeIdentityValue,
       ipSecIkeAssociationIkePeerEndpoint,
       ipSecIkeAssociationPresharedKey,
       ipSecIkeAssociationVendorId,
       ipSecIkeAssociationAggressiveModeGroupId,
       ipSecIkeAssociationLocalCredentialId,
       ipSecIkeAssociationDoActionLogging,
       ipSecIkeAssociationIkeProposalSetId
       }
     ::= { ipSecIkeAssociationTable 1 }

     IpSecIkeAssociationEntry ::= SEQUENCE {
        ipSecIkeAssociationPrid InstanceId,
        ipSecIkeAssociationMinLiftetimeSeconds Unsigned32,
        ipSecIkeAssociationMinLifetimeKilobytes Unsigned64,
        ipSecIkeAssociationIdleDurationSeconds Unsigned32,
        ipSecIkeAssociationExchangeMode IpSecExchangeModeTC,
        ipSecIkeAssociationUseIkeIdentityType IpsecDoiIdentType,
        ipSecIkeAssociationUseIkeIdentityValue OCTET STRING,
        ipSecIkeAssociationIkePeerEndpoint ReferenceId,
        ipSecIkeAssociationPresharedKey OCTET STRING,
        ipSecIkeAssociationVendorId OCTET STRING,
        ipSecIkeAssociationAggressiveModeGroupId IkeGroupDescription,
        ipSecIkeAssociationLocalCredentialId TagReferenceId,
        ipSecIkeAssociationDoActionLogging TruthValue,
        ipSecIkeAssociationIkeProposalSetId TagReferenceId
   }

   ipSecIkeAssociationPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeAssociationEntry  1 }

   ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.

   A value of zero indicates that there is no minimum lifetime in
   seconds enforced. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecIkeAssociationEntry  2 }

   ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a negotiating peer while negotiating an SA based upon this
   action.

   A value of zero indicates that there is no minimum lifetime in
   byte count enforced. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecIkeAssociationEntry  3 }

   ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies how long, in seconds, a security association may remain
   unused before it is deleted.

   A value of zero indicates that idle detection should not be used
   for the security association (only the seconds and kilobyte
   lifetimes will be used). This is consistent with [RFC3585]."
     ::= { ipSecIkeAssociationEntry  4 }
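   The lifetime rules shared by the MaxLifetime objects of the ESP,
   IPComp and IKE proposal transforms and by the IKE association
   MinLifetime and IdleDuration objects, applied in Python as an added
   example that is not part of the draft. The function names are
   assumptions, as is treating an offer without a kilobyte lifetime as
   unbounded.

```python
from typing import Optional, Tuple

# Added example, not part of the draft: the lifetime semantics the
# MaxLifetime, MinLifetime and IdleDuration DESCRIPTION clauses state,
# as a PEP might apply them. Function names and the handling of an
# absent kilobyte lifetime (None = unbounded) are assumptions.

DEFAULT_MAX_LIFETIME_SECONDS = 8 * 3600  # "the default of 8 hours"


def proposed_lifetimes(max_seconds: int, max_kilobytes: int) -> Tuple[int, Optional[int]]:
    """Lifetimes to propose from ipSec*MaxLifetimeSeconds/Kilobytes: zero
    seconds selects the 8 hour default; zero kilobytes means there is no
    kilobyte lifetime at all (returned as None)."""
    seconds = max_seconds if max_seconds > 0 else DEFAULT_MAX_LIFETIME_SECONDS
    kilobytes = max_kilobytes if max_kilobytes > 0 else None
    return seconds, kilobytes


def peer_lifetimes_acceptable(offered_seconds: int, offered_kilobytes: Optional[int],
                              min_seconds: int, min_kilobytes: int) -> bool:
    """ipSecIkeAssociationMinLifetimeSeconds/Kilobytes: an offer below an
    enforced minimum is rejected; a minimum of zero is not enforced. An
    offer without a kilobyte lifetime never expires by volume, so it
    satisfies any kilobyte minimum (assumption of this example)."""
    if min_seconds > 0 and offered_seconds < min_seconds:
        return False
    if (min_kilobytes > 0 and offered_kilobytes is not None
            and offered_kilobytes < min_kilobytes):
        return False
    return True


def sa_expired(age_seconds: int, kilobytes_used: int, idle_seconds: int,
               seconds_limit: int, kilobytes_limit: Optional[int],
               idle_limit: int) -> Optional[str]:
    """'The first lifetime to expire takes precedence': returns the limit
    that ended the SA ("seconds", "kilobytes" or "idle"), or None while
    it is still valid. An idle_limit of zero disables idle detection, as
    ipSecIkeAssociationIdleDurationSeconds specifies."""
    if age_seconds >= seconds_limit:
        return "seconds"
    if kilobytes_limit is not None and kilobytes_used >= kilobytes_limit:
        return "kilobytes"
    if idle_limit > 0 and idle_seconds >= idle_limit:
        return "idle"
    return None


if __name__ == "__main__":
    # Constructed values: an ESP transform with both lifetimes left at zero,
    # and an IKE association that enforces a one hour minimum from peers.
    print(proposed_lifetimes(0, 0))                          # (28800, None)
    print(peer_lifetimes_acceptable(1800, 50000, 3600, 0))   # False
    print(sa_expired(100, 102400, 0, 3600, 102400, 0))       # kilobytes
```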

   ipSecIkeAssociationExchangeMode OBJECT-TYPE
     SYNTAX IpSecExchangeModeTC
     STATUS current
     DESCRIPTION
   "Specifies the negotiation mode that the IKE server will use for
   phase one."
     ::= { ipSecIkeAssociationEntry  5 }

   ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
     SYNTAX IpsecDoiIdentType
     STATUS current
     DESCRIPTION
   "Specifies the type of IKE identity to use during IKE phase one
   negotiation."
     ::= { ipSecIkeAssociationEntry  6 }

   ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the ID payload value to be provided to the peer during
   IKE phase one negotiation."
     ::= { ipSecIkeAssociationEntry  7 }

   ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIkePeerEndpointEntry }
     STATUS current
     DESCRIPTION
   "Pointer to a valid instance in the ipSecIkePeerEndpointTable to
   indicate an IKE peer endpoint."
     ::= { ipSecIkeAssociationEntry  8 }

   ipSecIkeAssociationPresharedKey OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "This attribute specifies the preshared key or secret to use for
   IKE authentication. This is the key for all the IKE proposals of
   this association that set ipSecIkeProposalAuthenticationMethod to
   presharedKey(1)."
     ::= { ipSecIkeAssociationEntry  9 }

   ipSecIkeAssociationVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the value to be used in the Vendor ID payload. It is a
   hash value as defined in [RFC2408] Section 3.16.

   A zero length OCTET STRING means that the Vendor ID payload will be
   neither generated nor accepted. Otherwise, a Vendor ID payload will
   be generated (when acting as an initiator) or is expected (when
   acting as a responder)."
     ::= { ipSecIkeAssociationEntry  10 }

   ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
     SYNTAX IkeGroupDescription
     STATUS current
     DESCRIPTION
   "Specifies the group ID to be used for aggressive mode. This
   attribute is ignored unless the attribute
   ipSecIkeAssociationExchangeMode is set to 4 (aggressive mode). If
   the value of this attribute is from the vendor-specific range
   (32768-65535), this attribute qualifies the group number."
     ::= { ipSecIkeAssociationEntry  11 }

   ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCredentialSetSetId }
     STATUS current
     DESCRIPTION
   "Indicates a group of credentials. One of the credentials in the
   group MUST be used when establishing an IKE association with the
   peer endpoint."
     ::= { ipSecIkeAssociationEntry  12 }

   ipSecIkeAssociationDoActionLogging OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "Specifies whether a log message is to be generated when the
   negotiation is attempted (with the success or failure result)."
     ::= { ipSecIkeAssociationEntry  13 }

   ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecIkeProposalSetProposalSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of IKE proposals that is associated with this
   IKE association."
     ::= { ipSecIkeAssociationEntry  14 }

   --
   --
   -- The ipSecIkeProposalSetTable
   --

   ipSecIkeProposalSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE proposal sets. Proposals within a set are ORed with
   preference order."
     ::= { ipSecIkeAssociation  4 }

   ipSecIkeProposalSetEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeProposalSetPrid }
     UNIQUENESS {
       ipSecIkeProposalSetProposalSetId,
       ipSecIkeProposalSetProposalId,
       ipSecIkeProposalSetOrder
       }
     ::= { ipSecIkeProposalSetTable 1 }

     IpSecIkeProposalSetEntry ::= SEQUENCE {
        ipSecIkeProposalSetPrid InstanceId,
        ipSecIkeProposalSetProposalSetId TagId,
        ipSecIkeProposalSetProposalId ReferenceId,
        ipSecIkeProposalSetOrder IpSecOrderTC
   }

   ipSecIkeProposalSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeProposalSetEntry  1 }

   ipSecIkeProposalSetProposalSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IKE proposal set is composed of one or more IKE proposals.
   Proposals belonging to the same set have the same ProposalSetId."
     ::= { ipSecIkeProposalSetEntry  2 }

   ipSecIkeProposalSetProposalId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIkeProposalEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecIkeProposalTable."
     ::= { ipSecIkeProposalSetEntry  3 }

   ipSecIkeProposalSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the proposal
   identified by ipSecIkeProposalSetProposalId in a proposal set. The
   proposal set is identified by ipSecIkeProposalSetProposalSetId.
   Proposals within a set are ORed with preference order. A smaller
   integer value indicates a higher precedence."
     ::= { ipSecIkeProposalSetEntry  4 }

   --
   --
   -- The ipSecIkeProposalTable
   --

   ipSecIkeProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKEv1 proposals."
     ::= { ipSecIkeAssociation  5 }

   ipSecIkeProposalEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkeProposalPrid }
     UNIQUENESS {
       ipSecIkeProposalMaxLifetimeSeconds,
       ipSecIkeProposalMaxLifetimeKilobytes,
       ipSecIkeProposalCipherAlgorithm,
       ipSecIkeProposalHashAlgorithm,
       ipSecIkeProposalAuthenticationMethod,
       ipSecIkeProposalPrfAlgorithm,
       ipSecIkeProposalIkeDhGroup
       }
     ::= { ipSecIkeProposalTable 1 }

     IpSecIkeProposalEntry ::= SEQUENCE {
        ipSecIkeProposalPrid InstanceId,
        ipSecIkeProposalMaxLifetimeSeconds Unsigned32,
        ipSecIkeProposalMaxLifetimeKilobytes Unsigned64,
        ipSecIkeProposalCipherAlgorithm IkeEncryptionAlgorithm,
        ipSecIkeProposalHashAlgorithm IkeHashAlgorithm,
        ipSecIkeProposalAuthenticationMethod IkeAuthMethod,
        ipSecIkeProposalPrfAlgorithm Unsigned16TC,
        ipSecIkeProposalIkeDhGroup IkeGroupDescription
   }

   ipSecIkeProposalPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIkeProposalEntry  1 }

   ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     UNITS  "seconds"
     STATUS current
     DESCRIPTION
   "Specifies the maximum amount of time to propose for a security
   association to remain valid.

   Li, et al            Expires October 2004                       55
                    IPsec Policy Information Base          April 2004

   A value of zero indicates that the default of 8 hours be used.  A
   non-zero value indicates the maximum seconds lifetime." lifetime. This is
   consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecIkeProposalEntry  2 }

   ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned64
     UNITS  "kilobytes"
     STATUS current
     DESCRIPTION
   "Specifies the maximum kilobyte lifetime to propose for a security
   association to remain valid.

   A value of zero indicates that there should be no maximum kilobyte
   lifetime.  A non-zero value specifies the desired kilobyte
   lifetime."
   lifetime. This is consistent with [RFC3585].

   When both the LifetimeSeconds and LifetimeKilobytes are used, the
   first lifetime to expire takes precedence."
     ::= { ipSecIkeProposalEntry  3 }

   ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
     SYNTAX IkeEncryptionAlgorithm
     STATUS current
     DESCRIPTION
   "Specifies the encryption algorithm to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  4 }

   ipSecIkeProposalHashAlgorithm OBJECT-TYPE
     SYNTAX IkeHashAlgorithm
     STATUS current
     DESCRIPTION
   "Specifies the hash algorithm to propose for the IKE association."
     ::= { ipSecIkeProposalEntry  5 }

   ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
     SYNTAX IkeAuthMethod
     STATUS current
     DESCRIPTION
   "Specifies the authentication method to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  6 }

   ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
     SYNTAX Unsigned16TC
     STATUS current
     DESCRIPTION
   "Specifies the Psuedo-Random Function (PRF) to propose for the IKE
   association."
   association. As indicated in [RFC2409], there are currently no

   Li, et al            Expires October 2004                       56
                    IPsec Policy Information Base          April 2004

   negotiable pseudo-random functions defined in this document.
   Private use attribute values can be used for prf negotiation
   between consenting parties. "
     ::= { ipSecIkeProposalEntry  7 }

   ipSecIkeProposalIkeDhGroup OBJECT-TYPE
     SYNTAX IkeGroupDescription
     STATUS current
     DESCRIPTION
   "Specifies
   "The value of this property indicates the Diffie-Hellman group
   number to propose for the IKE association.

   The value of this property is to be ignored when doing aggressive
   mode."
     ::= { ipSecIkeProposalEntry  8 }

   ipSecIkeProposalVendorId OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Further qualifies the key exchange group.  The property is
   ignored unless the exchange is not in aggressive mode and the
   property GroupID is in the vendor-specific range."
     ::= { ipSecIkeProposalEntry  9 }

   --
   --
   -- The ipSecIkePeerEndpointTable
   --

   ipSecIkePeerEndpointTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE peer endpoints."
     ::= { ipSecIkeAssociation  6 }

   ipSecIkePeerEndpointEntry OBJECT-TYPE
     SYNTAX IpSecIkePeerEndpointEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIkePeerEndpointPrid }
     UNIQUENESS {
       ipSecIkePeerEndpointIdentityType,
       ipSecIkePeerEndpointIdentityValue,
       ipSecIkePeerEndpointIsNegated,
       ipSecIkePeerEndpointAddress,
       ipSecIkePeerEndpointCredentialSetId
       }
     ::= { ipSecIkePeerEndpointTable 1 }

     IpSecIkePeerEndpointEntry ::= SEQUENCE {
        ipSecIkePeerEndpointPrid InstanceId,
        ipSecIkePeerEndpointIdentityType IpsecDoiIdentType,
        ipSecIkePeerEndpointIdentityValue OCTET STRING,
        ipSecIkePeerEndpointIsNegated TruthValue,
        ipSecIkePeerEndpointAddress ReferenceId,
        ipSecIkePeerEndpointCredentialSetId TagReferenceId
   }

   ipSecIkePeerEndpointPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."

   Li, et al              Expires May 2004                         55
                    IPsec Policy Information Base       November 2003
     ::= { ipSecIkePeerEndpointEntry  1 }

   ipSecIkePeerEndpointIdentityType OBJECT-TYPE
     SYNTAX IpsecDoiIdentType
     STATUS current
     DESCRIPTION
   "Specifies the type of identity that MUST be provided by the peer
   in the ID payload during IKE phase one negotiation."
     ::= { ipSecIkePeerEndpointEntry  2 }

   ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the value to be matched with the ID payload provided by
   the peer during IKE phase one negotiation.

   The syntax may need to be converted for comparison. If the
   ipSecIkePeerEndpointIdentityType is a DistinguishedName, the name
   in the ipSecIkePeerEndpointIdentityValue
   is represented by an ordinary string value, but this value must be
   converted into a DER-encoded string before matching against the
   values extracted from IKE ID payloads at runtime.  The same
   applies to IPv4 & IPv6 addresses.

   Different wildcard mechanisms can be used, as well as prefix
   notation for IPv4 addresses, depending on the ID payload:

   - an IdentityValue of *@example.com will match an user FQDN ID
   payload of JDOE@EXAMPLE.COM

   - an IdentityValue of *.example.com will match a FQDN ID payload
   of WWW.EXAMPLE.COM

   - an IdentityValue of cn=*,ou=engineering,o=company,c=us will
   match a DER DN ID payload of cn=John Doe, ou=engineering,
   o=company, c=us

   - an IdentityValue of 192.0.2.0/24 will match an IPv4 address ID
   payload of 192.0.2.10.

   - an IdentityValue of 192.0.2.* will also match an IPv4 address ID
   payload of 192.0.2.10.

   The above wildcard mechanisms MUST be supported for all ID
   payloads supported by the local IKE entity. The character *
   stands for zero or more instances of any character."
     ::= { ipSecIkePeerEndpointEntry  3 }

   ipSecIkePeerEndpointIsNegated OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "This attribute behaves like a logical NOT for the peer identity.
   If the value of this attribute is 'true', the peer identity whose
   type is specified by ipSecIkePeerEndpointIdentityType MUST not
   match the vaule specified by ipSecIkePeerEndpointValue."
     ::= { ipSecIkePeerEndpointEntry  4 }

   ipSecIkePeerEndpointAddress OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecAddressEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid entry in the ipSecAddressTable to specify
   the endpoint address with which this PEP establishes IKE
   association. The pointed address MUST be a single endpoint
   address. This attribute is used only when the IKE association is
   to be started automatically. Hence, the value of this attribute
   MUST be zero if ipSecIkeRuleAutoStart is false."
     ::= { ipSecIkePeerEndpointEntry  5 }

   ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCredentialSetSetId }
     STATUS current
     DESCRIPTION
   "Identifies a set of credentials. Any one of the credentials in
   the set is acceptable as the IKE peer credential."
     ::= { ipSecIkePeerEndpointEntry  6 }

   --
   --
   -- The ipSecCredentialSetTable
   --

   ipSecCredentialSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies credential sets.

   For IKE peer credentials, any one of the credentials in the set is
   acceptable as peer credential during IKE phase 1 negotiation. For
   IKE local credentials, any one of the credentials in the set can
   be used in IKE phase 1 negotiation."
     ::= { ipSecCredential  1 }

   ipSecCredentialSetEntry OBJECT-TYPE
     SYNTAX IpSecCredentialSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCredentialSetPrid }
     UNIQUENESS {
       ipSecCredentialSetPrid,
       ipSecCredentialSetSetId,
       ipSecCredentialSetCredentialId
       }
     ::= { ipSecCredentialSetTable 1 }

     IpSecCredentialSetEntry ::= SEQUENCE {
        ipSecCredentialSetPrid InstanceId,
        ipSecCredentialSetSetId TagId,
        ipSecCredentialSetCredentialId ReferenceId
   }

   ipSecCredentialSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCredentialSetEntry  1 }

   ipSecCredentialSetSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "A credential set is composed of one or more credentials. Each
   credential
   Credentials belonging to the same set has have the same
   CredentialSetId."
     ::= { ipSecCredentialSetEntry  2 }

   ipSecCredentialSetCredentialId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecCredentialEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecCredentialTable."
     ::= { ipSecCredentialSetEntry  3 }

   --
   --
   -- The ipSecCredentialTable
   --

   ipSecCredentialTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies credentials."
     ::= { ipSecCredential  2 }

   ipSecCredentialEntry OBJECT-TYPE
     SYNTAX IpSecCredentialEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCredentialPrid }
     UNIQUENESS {
       ipSecCredentialCredentialType,
       ipSecCredentialFieldsId,
       ipSecCredentialCrlDistributionPoint
       }
     ::= { ipSecCredentialTable 1 }

     IpSecCredentialEntry ::= SEQUENCE {
        ipSecCredentialPrid InstanceId,
        ipSecCredentialCredentialType IpSecCredTypeTC,
        ipSecCredentialFieldsId TagReferenceId,
        ipSecCredentialCrlDistributionPoint OCTET STRING
   }

   ipSecCredentialPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCredentialEntry  1 }

   ipSecCredentialCredentialType OBJECT-TYPE
     SYNTAX IpSecCredTypeTC
     STATUS current
     DESCRIPTION
   "Specifies the type of credential to be matched."
     ::= { ipSecCredentialEntry  2 }

   ipSecCredentialFieldsId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecCredentialFieldsSetId }
     STATUS current
     DESCRIPTION
   "Identifies a group of matching criteria to be used for the peer
   credential. The identified criteria MUST all be satisfied."
     ::= { ipSecCredentialEntry  3 }

   ipSecCredentialCrlDistributionPoint OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When credential type is certificate X509, this attribute
   identifies the Certificate Revocation List (CRL) distribution
   point for this credential."
     ::= { ipSecCredentialEntry  4 }

   --
   --
   -- The ipSecCredentialFieldsTable
   --

   ipSecCredentialFieldsTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies sets of credential sub-fields and their values to be
   matched against. "
     ::= { ipSecCredential  3 }

   ipSecCredentialFieldsEntry OBJECT-TYPE
     SYNTAX IpSecCredentialFieldsEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecCredentialFieldsPrid }
     UNIQUENESS {
       ipSecCredentialFieldsName,
       ipSecCredentialFieldsValue,
       ipSecCredentialFieldsIsNegated,
       ipSecCredentialFieldsSetId
       }
     ::= { ipSecCredentialFieldsTable 1 }

     IpSecCredentialFieldsEntry ::= SEQUENCE {
        ipSecCredentialFieldsPrid InstanceId,
        ipSecCredentialFieldsName SnmpAdminString,
        ipSecCredentialFieldsValue SnmpAdminString,
        ipSecCredentialFieldsIsNegated TruthValue,
        ipSecCredentialFieldsSetId TagId
   }

   ipSecCredentialFieldsPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecCredentialFieldsEntry  1 }

   ipSecCredentialFieldsName OBJECT-TYPE
     SYNTAX SnmpAdminString
     STATUS current
     DESCRIPTION
   "Specifies the sub-field of the credential to match with. This is
   the string representation of a X.509 certificate attribute, e.g.
   serialNumber,  issuerName, subjectName, etc..
   " etc.."
     ::= { ipSecCredentialFieldsEntry  2 }

   ipSecCredentialFieldsValue OBJECT-TYPE
     SYNTAX SnmpAdminString
     STATUS current
     DESCRIPTION
   "Specifies the value to match with for the sub-field identified by
   ipSecCredentialFieldsName. A wildcard mechanism can be used in the
   Value string. E.g., if the Name is subjectName then a Value of
   cn=*,ou=engineering,o=foo,c=be will match successfully a
   certificate whose subject attribute is cn=Jane Doe,
   ou=engineering, o=foo, c=be.  The wildcard character * can be used
   to represent 0 or several characters.

   If the ipSecCredentialFieldsName corresponds to a
   DistinguishedName, this value in the CIM class is represented by
   a string value. However, an implementation must convert this
   string to a DER-encoded string before matching against the values
   extracted from credentials at runtime."
     ::= { ipSecCredentialFieldsEntry  3 }

   ipSecCredentialFieldsIsNegated OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "This attribute behaves like a logical NOT for the credential
   field match. If the value of this attribute is 'true', the
   credential field specified by ipSecCredentialFieldsName MUST not
   match the vaule specified by ipSecCredentialFieldsValue."
     ::= { ipSecCredentialFieldsEntry  4 }

   ipSecCredentialFieldsSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the set this criteria belongs to. All criteria within a
   set MUST all be satisfied."

   Li, et al              Expires May 2004                         61
                    IPsec Policy Information Base       November 2003
     ::= { ipSecCredentialFieldsEntry  5 }
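   The matching rules spelled out for ipSecIkePeerEndpointIdentityValue
   (wildcard '*', prefix notation for IPv4, DN comparison after string
   normalization, logical NOT via ipSecIkePeerEndpointIsNegated) and for
   the ipSecCredentialFields criteria (every criterion of a set must be
   satisfied, each optionally negated) share one mechanism. The following
   Python is an added example written for this page, not code from the
   draft or any PEP implementation. It assumes that the DER-to-string
   conversion the draft requires has already happened on both sides, so
   DNs are compared as normalized "type=value" strings; the identity-type
   numbers are those of the IPsec DOI ID types, the set of DN-valued
   sub-field names (subjectName, issuerName) and the sample certificate
   are constructed for the example.

```python
"""Wildcard matching for IKE peer identities and credential sub-fields
(added example; not part of the IPsec PIB draft)."""
import ipaddress
import re

# ipSecIkePeerEndpointIdentityType values used here (IPsec DOI ID types).
ID_IPV4_ADDRESS, ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN = 1, 2, 3, 9

# Assumption: these X.509 sub-fields carry distinguished names and are
# normalized before comparison; everything else is matched as plain text.
DN_FIELDS = {"subjectname", "issuername"}


def glob_to_regex(pattern):
    """'*' stands for zero or more characters; every other character is
    literal. Matching is case-insensitive, as in the *@example.com example."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE | re.DOTALL)


def normalize_dn(dn):
    """Canonical 'type=value,type=value' form: whitespace around each RDN
    stripped and attribute types lower-cased, so 'cn=John Doe, ou=eng'
    and 'CN=John Doe,OU=eng' compare equal. An RDN without '=' (e.g. a
    bare '*') is kept as-is."""
    rdns = []
    for rdn in dn.split(","):
        typ, sep, val = rdn.partition("=")
        rdns.append(typ.strip().lower() + sep + val.strip())
    return ",".join(rdns)


def wildcard_match(pattern, value):
    return glob_to_regex(pattern).fullmatch(value) is not None


def match_peer_identity(id_type, identity_value, payload, is_negated=False):
    """Compare a configured ipSecIkePeerEndpointIdentityValue with the ID
    payload the peer sent, then apply ipSecIkePeerEndpointIsNegated."""
    if id_type == ID_IPV4_ADDRESS and "/" in identity_value:
        # Prefix notation: 192.0.2.0/24 covers 192.0.2.10.
        matched = ipaddress.ip_address(payload) in ipaddress.ip_network(
            identity_value, strict=False)
    elif id_type == ID_DER_ASN1_DN:
        matched = wildcard_match(normalize_dn(identity_value), normalize_dn(payload))
    elif id_type in (ID_IPV4_ADDRESS, ID_FQDN, ID_USER_FQDN):
        # 192.0.2.*, *.example.com, *@example.com
        matched = wildcard_match(identity_value, payload)
    else:
        raise ValueError("identity type %d not handled in this example" % id_type)
    return matched != is_negated


def credential_fields_match(criteria, credential):
    """criteria: the rows sharing one ipSecCredentialFieldsSetId, as
    (FieldsName, FieldsValue, FieldsIsNegated) tuples. credential: mapping
    of sub-field name to the string extracted from the certificate.
    Every criterion in the set MUST be satisfied."""
    for name, value, is_negated in criteria:
        actual = credential.get(name)
        if actual is None:
            matched = False            # absent sub-field cannot match a value
        elif name.lower() in DN_FIELDS:
            matched = wildcard_match(normalize_dn(value), normalize_dn(actual))
        else:
            matched = wildcard_match(value, actual)
        if matched == is_negated:      # plain criterion failed, or negated one hit
            return False
    return True


# Constructed sample certificate fields (not from the draft).
SAMPLE_CERT = {
    "subjectName": "cn=Jane Doe, ou=engineering, o=foo, c=be",
    "issuerName": "cn=Example CA, o=foo, c=be",
    "serialNumber": "1A2B3C",
}

if __name__ == "__main__":
    print(match_peer_identity(ID_USER_FQDN, "*@example.com", "JDOE@EXAMPLE.COM"))
    print(match_peer_identity(ID_IPV4_ADDRESS, "192.0.2.0/24", "192.0.2.10"))
    print(credential_fields_match(
        [("subjectName", "cn=*,ou=engineering,o=foo,c=be", False)], SAMPLE_CERT))
```

   A negated criterion whose sub-field is absent from the certificate is
   treated as satisfied, since there is nothing that could match the
   forbidden value; a PEP that wants stricter behaviour would reject the
   credential instead.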

   --
   --
   -- The ipSecSelectorSetTable
   --

   ipSecSelectorSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecSelectorSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec selector sets."
     ::= { ipSecSelector  1 }

   ipSecSelectorSetEntry OBJECT-TYPE
     SYNTAX IpSecSelectorSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecSelectorSetPrid }
     UNIQUENESS {
       ipSecSelectorSetSelectorSetId,
       ipSecSelectorSetSelectorId,
       ipSecSelectorSetIsNegated,
       ipSecSelectorSetOrder
       }
     ::= { ipSecSelectorSetTable 1 }

     IpSecSelectorSetEntry ::= SEQUENCE {
        ipSecSelectorSetPrid InstanceId,
        ipSecSelectorSetSelectorSetId TagId,
        ipSecSelectorSetSelectorId Prid,
        ipSecSelectorSetOrder IpSecOrderTC,
        ipSecSelectorSetIsNegated TruthValue
   }

   ipSecSelectorSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecSelectorSetEntry  1 }

   ipSecSelectorSetSelectorSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPsec selector set is composed of one or more IPsec selectors.
   Each selector
   Selectors belonging to the same set has have the same SelectorSetId."

   Li, et al              Expires May 2004                         62
                    IPsec Policy Information Base       November 2003
     ::= { ipSecSelectorSetEntry  2 }

   ipSecSelectorSetSelectorId OBJECT-TYPE
     SYNTAX Prid
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in another table class that describes
   selectors. To use selectors defined in this IPsec PIB module, this
   attribute MUST point to an instance in ipSecSelectorTable. This
   attribute may also point to an instance in a selector or filter
   table
   PRC defined in other PIB modules."
     ::= { ipSecSelectorSetEntry  3 }

   ipSecSelectorSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the selectors
   identified by ipSecSelectorId within a selector set. The selector
   set is identified by ipSecSelectorSetId. A smaller integer value
   indicates a higher preference. All selectors constructed from the
   instance pointed by ipSecSelectorId have the same order." "
     ::= { ipSecSelectorSetEntry  4 }

   ipSecSelectorSetIsNegated OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If the value of this attribute is 'true', the filters pointed by
   ipSecSelectorSetSelectorId SHALL be negated."
     ::= { ipSecSelectorSetEntry  5 }

   --
   --
   -- The ipSecSelectorTable
   --

   ipSecSelectorTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecSelectorEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPsec selectors. Each row in the selector table
   represents multiple selectors. These selectors are obtained as
   follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
   addresses from the ipSecAddressTable whose ipSecAddressGroupId
   matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports
   or ranges of port whose ipSecL4PortGroupId matches the
   ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
   fields. Then add to each combination the ipSecSelectorProtocol,
   ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
   the list of selectors.

   The relative order of the selectors constructed from a single row
   is unspecified."
     ::= { ipSecSelector  2 }
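   The five-step expansion above, carried out on constructed sample
   tables, as an added Python example (it is not code from the draft).
   The dictionary keys are shortened forms of the PIB attributes
   (ipSecAddressAddrMin becomes AddrMin, ipSecAddressGroupId becomes
   GroupId, and PortMin/PortMax stand in for the ipSecL4Port columns,
   which this page does not show); the string rendering of addresses and
   port ranges is an assumption made for readability. A group id of zero
   is the wildcard, protocol 255 and DSCP/flow label -1 mean "any", and
   a non-zero tag that no row carries is reported rather than silently
   producing an empty selector list.

```python
"""Expanding one ipSecSelectorTable row into concrete selectors
(added example; not part of the IPsec PIB draft)."""
from itertools import product
from typing import NamedTuple

ANY = "any"   # wildcard: group id 0, protocol 255, DSCP/flow label -1


class Selector(NamedTuple):
    src_addr: str
    src_port: str
    dst_addr: str
    dst_port: str
    protocol: object
    dscp: object
    flow_label: object


def render_address(row):
    """Constructed textual form of an address row: prefix notation when
    AddrMin == AddrMax, 'min-max' for an address range."""
    lo, hi, plen = row["AddrMin"], row["AddrMax"], row["PrefixLength"]
    return "%s/%d" % (lo, plen) if lo == hi else "%s-%s" % (lo, hi)


def render_port(row):
    lo, hi = row["PortMin"], row["PortMax"]
    return str(lo) if lo == hi else "%d-%d" % (lo, hi)


def group_members(table, group_id, render):
    """Every row whose GroupId equals the tag value (steps 1-4). Group id 0
    expands to the single member ANY; a dangling non-zero tag is an error."""
    if group_id == 0:
        return [ANY]
    members = [render(row) for row in table if row["GroupId"] == group_id]
    if not members:
        raise ValueError("no rows carry GroupId %d" % group_id)
    return members


def expand_selector_row(row, address_table, port_table):
    """Step 5: cross product of the four substituted fields, then protocol,
    DSCP and flow label attached to each combination. Result order is
    unspecified by the draft, so callers must not rely on it."""
    srcs = group_members(address_table, row["SrcAddressGroupId"], render_address)
    dsts = group_members(address_table, row["DstAddressGroupId"], render_address)
    sports = group_members(port_table, row["SrcPortGroupId"], render_port)
    dports = group_members(port_table, row["DstPortGroupId"], render_port)
    protocol = ANY if row["Protocol"] == 255 else row["Protocol"]
    dscp = ANY if row["Dscp"] == -1 else row["Dscp"]
    flow_label = ANY if row["FlowLabel"] == -1 else row["FlowLabel"]
    return [Selector(s, sp, d, dp, protocol, dscp, flow_label)
            for s, d, sp, dp in product(srcs, dsts, sports, dports)]


def row_is_expandable(row, address_table, port_table):
    """Install-time check: False when the row references a group no table
    row carries, so the PEP can reject it instead of installing nothing."""
    try:
        expand_selector_row(row, address_table, port_table)
        return True
    except ValueError:
        return False


# Constructed sample tables (documentation address ranges, not real hosts).
ADDRESS_TABLE = [
    {"Prid": 1, "AddrMin": "192.0.2.0", "AddrMax": "192.0.2.0", "PrefixLength": 24, "GroupId": 10},
    {"Prid": 2, "AddrMin": "198.51.100.5", "AddrMax": "198.51.100.9", "PrefixLength": 32, "GroupId": 10},
    {"Prid": 3, "AddrMin": "203.0.113.7", "AddrMax": "203.0.113.7", "PrefixLength": 32, "GroupId": 20},
]
PORT_TABLE = [
    {"Prid": 1, "PortMin": 80, "PortMax": 80, "GroupId": 30},
    {"Prid": 2, "PortMin": 8000, "PortMax": 8080, "GroupId": 30},
]
SELECTOR_ROW = {"SrcAddressGroupId": 10, "SrcPortGroupId": 0,
                "DstAddressGroupId": 20, "DstPortGroupId": 30,
                "Protocol": 6, "Dscp": -1, "FlowLabel": -1}

if __name__ == "__main__":
    for sel in expand_selector_row(SELECTOR_ROW, ADDRESS_TABLE, PORT_TABLE):
        print(sel)
```

   With the sample data the single row yields four selectors (two source
   addresses times two destination port entries); the source port and the
   DSCP and flow label fields are wildcards in all of them.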

   ipSecSelectorEntry OBJECT-TYPE
     SYNTAX IpSecSelectorEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecSelectorPrid }
     UNIQUENESS {
       ipSecSelectorSrcAddressGroupId,
       ipSecSelectorSrcPortGroupId,
       ipSecSelectorDstAddressGroupId,
       ipSecSelectorDstPortGroupId,
       ipSecSelectorProtocol,
       ipSecSelectorDscp,
       ipSecSelectorFlowLabel
       }
     ::= { ipSecSelectorTable 1 }

     IpSecSelectorEntry ::= SEQUENCE {
        ipSecSelectorPrid InstanceId,
        ipSecSelectorSrcAddressGroupId TagReferenceId,
        ipSecSelectorSrcPortGroupId TagReferenceId,
        ipSecSelectorDstAddressGroupId TagReferenceId,
        ipSecSelectorDstPortGroupId TagReferenceId,
        ipSecSelectorProtocol Unsigned32,
        ipSecSelectorDscp DscpOrAny,
        ipSecSelectorFlowLabel IPv6FlowLabelOrAny
   }

   ipSecSelectorPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecSelectorEntry  1 }

   ipSecSelectorSrcAddressGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecAddressGroupId }
     STATUS current
     DESCRIPTION
   "Indicates source addresses. All addresses in ipSecAddressTable
   whose ipSecAddressGroupId matches this value are included as
   source addresses.

   A value of zero indicates wildcard address, i.e., any address
   matches."
     ::= { ipSecSelectorEntry  2 }

   ipSecSelectorSrcPortGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecL4PortGroupId }
     STATUS current
     DESCRIPTION
   "Indicates source layer 4 port numbers. All ports in ipSecL4Port
   whose ipSecL4PortGroupId matches this value are included.

   A value of zero indicates wildcard port, i.e., any port number
   matches."
     ::= { ipSecSelectorEntry  3 }

   ipSecSelectorDstAddressGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecAddressGroupId }
     STATUS current
     DESCRIPTION
   "Indicates destination addresses. All addresses in
   ipSecAddressTable whose ipSecAddressGroupId matches this value are
   included as destination addresses.

   A value of zero indicates wildcard address, i.e., any address
   matches."
     ::= { ipSecSelectorEntry  4 }

   ipSecSelectorDstPortGroupId OBJECT-TYPE
     SYNTAX TagReferenceId
     PIB-TAG    { ipSecL4PortGroupId }
     STATUS current
     DESCRIPTION
   "Indicates destination layer 4 port numbers. All ports in
   ipSecL4Port whose ipSecL4PortGroupId matches this value are
   included.

   A value of zero indicates wildcard port, i.e., any port number
   matches."

   Li, et al              Expires May 2004                         65
                    IPsec Policy Information Base       November 2003
     ::= { ipSecSelectorEntry  5 }

   ipSecSelectorProtocol OBJECT-TYPE
     SYNTAX Unsigned32 (0..255)
     STATUS current
     DESCRIPTION
   "The layer-4 protocol Id to match against the IPv4 protocol number
   or the IPv6 Next-Header number in the packet. A value of 255 means
   match all. Note the protocol number of 255 is reserved by IANA,
   and Next-Header number of 0 is used in IPv6."
     ::= { ipSecSelectorEntry  6 }

   ipSecSelectorDscp OBJECT-TYPE
     SYNTAX DscpOrAny
     STATUS current
     DESCRIPTION
   "The value that the DSCP in the packet can have and match this
   filter. A value of -1 indicates that a specific DSCP value has not
   been defined and thus all DSCP values are considered a match."
     ::= { ipSecSelectorEntry  7 }

   ipSecSelectorFlowLabel OBJECT-TYPE
     SYNTAX IPv6FlowLabelOrAny
     STATUS current
     DESCRIPTION
   "The flow identifier or flow label in an IPv6 packet header that
   may be used to discriminate traffic flows.  The value of -1 is
   used to indicate a wildcard, i.e. any value."
     ::= { ipSecSelectorEntry  8 }

   --
   --
   -- The ipSecAddressTable
   --

   ipSecAddressTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAddressEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "This table class allows the specification of a single IP address, a
   subnet consisting of an IP address and the prefix length, an IP
   address range, and a wild-card IP address.

   If the address type is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', to
   specify a single IP address the values of ipSecAddressAddrMin and
   ipSecAddressAddrMax MUST be the same and the
   ipSecAddressAddrPrefixLength MUST have a value of 32 or greater
   (128 or greater for 'ipv6' or 'ipv6z'). To specify a subnet, the
   values of ipSecAddressAddrMin and ipSecAddressAddrMax MUST be the
   same and the ipSecAddressAddrPrefixLength MUST have a value
   between 0 and 32 (128 for 'ipv6' or 'ipv6z'). To specify an IP
   address range, the values of ipSecAddressAddrMin and
   ipSecAddressAddrMax MUST be different and the
   ipSecAddressAddrPrefixLength MUST have a value of 32 (or 128 for
   'ipv6' or 'ipv6z').

   If the address type is 'dns', ipSecAddressAddrMin and
   ipSecAddressAddrMax MUST contain the same 'dns' address. The
   ipSecAddressAddrPrefixLength MUST be ignored. The mapping of the
   address value to IPv4 or IPv6 addresses MUST be done by the PEP at
   install time. A dns name may map to multiple single IP addresses;
   each of them becomes its own row in the resulting address table.

   To specify a wild-card IP address, the
   ipSecAddressAddrPrefixLength MUST be zero. "
     ::= { ipSecSelector  3 }

   ipSecAddressEntry OBJECT-TYPE
     SYNTAX IpSecAddressEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecAddressPrid }
     UNIQUENESS {
       ipSecAddressAddressType,
       ipSecAddressAddrPrefixLength,
       ipSecAddressAddrMin,
       ipSecAddressAddrMax,
       ipSecAddressGroupId
       }
     ::= { ipSecAddressTable 1 }

     IpSecAddressEntry ::= SEQUENCE {
        ipSecAddressPrid InstanceId,
        ipSecAddressAddressType InetAddressType,
        ipSecAddressAddrPrefixLength InetAddressPrefixLength,
        ipSecAddressAddrMin InetAddress,
        ipSecAddressAddrMax InetAddress,
        ipSecAddressGroupId TagId
   }

   ipSecAddressPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecAddressEntry  1 }

   ipSecAddressAddressType OBJECT-TYPE
     SYNTAX InetAddressType
     STATUS current
     DESCRIPTION
   "Specifies the type of IP address.

   While other types of addresses are defined in the InetAddressType
   textual convention, an IP filter can only use IPv4 and IPv6
   addresses directly to classify traffic. All other InetAddressTypes
   require mapping to the corresponding IPv4 or IPv6 address before
   being used to classify traffic. Therefore, this object itself is
   not limited to IPv4 and IPv6 addresses, i.e., it can be assigned
   any of the valid values defined in the InetAddressType TC, but the
   mapping of the address values to IPv4 or IPv6 addresses must be
   done by the PEP at install time."
     ::= { ipSecAddressEntry  2 }

   ipSecAddressAddrPrefixLength OBJECT-TYPE
     SYNTAX InetAddressPrefixLength
     STATUS current
     DESCRIPTION
   "The length of a mask for the matching of IP address. This
   attribute is interpreted only if the InetAddressType is 'ipv4',
   'ipv4z', 'ipv6' or 'ipv6z'.

   Masks are constructed by setting bits in sequence from the most-
   significant bit downwards for ipSecAddressAddrPrefixLength bits
   length. All other bits in the mask, up to the number needed to
   fill the length of the address ipSecAddressAddrMin are cleared to
   zero. A zero bit in the mask then means that the corresponding bit
   in the address always matches.

   In IPv4 addresses, a length of 0 indicates a match of any address.
   When ipSecAddressAddrMin and ipSecAddressAddrMax have the same
   value, a length of 32 or greater indicates a match of a single
   host address, and a length between 0 and 32 indicates the use of a
   CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax have
   different values, this attribute MUST have a value of 32 to
   indicate an IP address range.

   In IPv6 addresses, a length of 0 indicates a match of any address.
   When ipSecAddressAddrMin and ipSecAddressAddrMax have the same
   value, a length of 128 or greater indicates a match of a single
   host address, and a length between 0 and 128 indicates the use of
   a CIDR Prefix. When ipSecAddressAddrMin and ipSecAddressAddrMax
   have different values, this attribute MUST have a value of 128 in
   order to indicate an IP address range."
     ::= { ipSecAddressEntry  3 }

   ipSecAddressAddrMin OBJECT-TYPE
     SYNTAX InetAddress
     STATUS current
     DESCRIPTION
   "Specifies an IP address. The type of the address is specified by
   the ipSecAddressAddressType attribute. If the address type is
   'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', then the attribute
   ipSecAddressAddrPrefixLength indicates the number of bits that are
   relevant."
     ::= { ipSecAddressEntry  4 }

   ipSecAddressAddrMax OBJECT-TYPE
     SYNTAX InetAddress
     STATUS current
     DESCRIPTION
   "If a range of addresses is used then this specifies the ending
   address. The type of the address is specified by the
   ipSecAddressAddressType attribute.

   To specify a single IP address or a subnet, this attribute MUST be
   the same as that of ipSecAddressAddrMin.

   When ipSecAddressAddressType is 'dns', this attribute MUST contain
   the same DNS name as ipSecAddressAddrMin."
     ::= { ipSecAddressEntry  5 }

   ipSecAddressGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this IP address, address range or subnet
   address belongs to."
     ::= { ipSecAddressEntry  6 }

   --
   --
   -- The ipSecL4PortTable
   --

   ipSecL4PortTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecL4PortEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies layer four port numbers."
     ::= { ipSecSelector  4 }

   ipSecL4PortEntry OBJECT-TYPE
     SYNTAX IpSecL4PortEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecL4PortPrid }
     UNIQUENESS {
       ipSecL4PortPortMin,
       ipSecL4PortPortMax,
       ipSecL4PortGroupId
       }
     ::= { ipSecL4PortTable 1 }

     IpSecL4PortEntry ::= SEQUENCE {
        ipSecL4PortPrid InstanceId,
        ipSecL4PortPortMin InetPortNumber,
        ipSecL4PortPortMax InetPortNumber,
        ipSecL4PortGroupId TagId
   }

   ipSecL4PortPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecL4PortEntry  1 }

   ipSecL4PortPortMin OBJECT-TYPE
     SYNTAX InetPortNumber
     STATUS current
     DESCRIPTION
   "Specifies a layer 4 port, or the first layer 4 port number of a
   range of ports. The value of this attribute MUST be less than or
   equal to that of ipSecL4PortPortMax.

   A value of zero indicates that any port matches."
     ::= { ipSecL4PortEntry  2 }

   ipSecL4PortPortMax OBJECT-TYPE
     SYNTAX InetPortNumber
     STATUS current
     DESCRIPTION
   "Specifies the last layer 4 port in the range. If only a single
   port is specified, the value of this attribute MUST be equal to
   that of ipSecL4PortPortMin. Otherwise, the value of this attribute
   MUST be greater than that specified by ipSecL4PortPortMin.

   If ipSecL4PortPortMin is zero, this attribute MUST be ignored."
     ::= { ipSecL4PortEntry  3 }

   ipSecL4PortGroupId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "Specifies the group this port or port range belongs to."
     ::= { ipSecL4PortEntry  4 }
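
   The following is an added example, not part of this draft, showing
   how a PEP could evaluate rows of the ipSecAddressTable and the
   ipSecL4PortTable above against a packet: a prefix length of 0 as
   "any address", AddrMin == AddrMax with a full-length prefix as a
   single host, a shorter prefix as a CIDR block, differing AddrMin
   and AddrMax with a full-length (32 or 128) prefix as a range, and
   PortMin == 0 as "any port" with PortMax ignored. Rows are held as
   plain dicts keyed by the attribute names, addresses as text and
   InetAddressType as the strings 'ipv4' / 'ipv6'; those
   representations and the helper names are assumptions of the
   example. A row of any other InetAddressType is reported as not
   installable, since the draft requires the PEP to map it to IPv4 or
   IPv6 at install time.

```python
"""Added example (not from the draft): PEP-side evaluation of
ipSecAddressTable and ipSecL4PortTable rows.

Assumptions: rows are dicts keyed by the PIB attribute names; addresses are
text; InetAddressType is 'ipv4' or 'ipv6'; anything else must already have
been mapped and is therefore rejected here.
"""
import ipaddress


def address_row_kind(row):
    """Classify an ipSecAddressTable row by the AddrPrefixLength rules:
    'any', 'host', 'cidr', 'range', or 'invalid' (must not be installed)."""
    atype = row["ipSecAddressAddressType"]
    if atype not in ("ipv4", "ipv6"):
        return "invalid"            # other InetAddressTypes need mapping first
    bits = 32 if atype == "ipv4" else 128
    try:
        lo = ipaddress.ip_address(row["ipSecAddressAddrMin"])
        hi = ipaddress.ip_address(row["ipSecAddressAddrMax"])
    except ValueError:
        return "invalid"
    if lo.version != hi.version or lo.max_prefixlen != bits:
        return "invalid"            # address family must agree with the type
    plen = row["ipSecAddressAddrPrefixLength"]
    if plen == 0:
        return "any"                # a length of 0 matches any address
    if lo == hi:
        return "host" if plen >= bits else "cidr"
    # AddrMin != AddrMax is a range; the draft requires the full length here
    return "range" if plen == bits and lo < hi else "invalid"


def address_matches(row, addr):
    """True if addr falls inside the row; raises on a row a PEP must reject."""
    kind = address_row_kind(row)
    if kind == "invalid":
        raise ValueError("ipSecAddressTable row is not installable")
    addr = ipaddress.ip_address(addr)
    lo = ipaddress.ip_address(row["ipSecAddressAddrMin"])
    if addr.version != lo.version:
        return False                # an IPv4 row never matches an IPv6 packet
    if kind == "any":
        return True
    if kind == "host":
        return addr == lo
    if kind == "cidr":
        plen = row["ipSecAddressAddrPrefixLength"]
        return addr in ipaddress.ip_network((str(lo), plen), strict=False)
    return lo <= addr <= ipaddress.ip_address(row["ipSecAddressAddrMax"])


def port_matches(row, port):
    """ipSecL4PortTable: PortMin == 0 matches any port and PortMax is ignored."""
    pmin, pmax = row["ipSecL4PortPortMin"], row["ipSecL4PortPortMax"]
    if pmin == 0:
        return True
    if pmax < pmin:
        raise ValueError("ipSecL4PortPortMax must not be less than PortMin")
    return pmin <= port <= pmax


def selector_matches(addr_row, port_row, addr, port):
    """A packet matches only when both the address and the port rows match."""
    return address_matches(addr_row, addr) and port_matches(port_row, port)
```

   The 'invalid' classification is the install-time check that
   matters operationally: a range row whose prefix length is not 32
   or 128, or a PortMax below PortMin, should be refused when the
   row is installed rather than being left to match nothing or, if
   the mask logic is applied naively, far more than intended.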

   --
   --
   -- The ipSecIpsoFilterSetTable
   --

   ipSecIpsoFilterSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIpsoFilterSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IP Security Options (IPSO) filter sets. Each set
   contains an ordered list of IPSO filters. Please refer to
   [RFC1108] for details on IPSO."
     ::= { ipSecSelector  5 }

   ipSecIpsoFilterSetEntry OBJECT-TYPE
     SYNTAX IpSecIpsoFilterSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIpsoFilterSetPrid }
     UNIQUENESS {
       ipSecIpsoFilterSetFilterSetId,
       ipSecIpsoFilterSetFilterId,
       ipSecIpsoFilterSetOrder
       }
     ::= { ipSecIpsoFilterSetTable 1 }

     IpSecIpsoFilterSetEntry ::= SEQUENCE {
        ipSecIpsoFilterSetPrid InstanceId,
        ipSecIpsoFilterSetFilterSetId TagId,
        ipSecIpsoFilterSetFilterId ReferenceId,
        ipSecIpsoFilterSetOrder IpSecOrderTC,
        ipSecIpsoFilterSetIsNegated TruthValue
   }

   ipSecIpsoFilterSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIpsoFilterSetEntry  1 }

   ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An IPSO filter set is composed of one or more IPSO filters.
   Filters belonging to the same set have the same FilterSetId."
     ::= { ipSecIpsoFilterSetEntry  2 }

   ipSecIpsoFilterSetFilterId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecIpsoFilterEntry }
     STATUS current
     DESCRIPTION
   "A pointer to a valid instance in the ipSecIpsoFilterTable."
     ::= { ipSecIpsoFilterSetEntry  3 }

   ipSecIpsoFilterSetOrder OBJECT-TYPE
     SYNTAX IpSecOrderTC
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of the filter
   identified by ipSecIpsoFilterSetFilterId within a filter set. The
   filter set is identified by ipSecIpsoFilterSetFilterSetId. A
   smaller integer value indicates a higher precedence."
     ::= { ipSecIpsoFilterSetEntry  4 }

   ipSecIpsoFilterSetIsNegated OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If the value of this attribute is 'true', the filter pointed to
   by ipSecIpsoFilterSetFilterId SHALL be negated."
     ::= { ipSecIpsoFilterSetEntry  5 }

   --
   --
   -- The ipSecIpsoFilterTable
   --

   ipSecIpsoFilterTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIpsoFilterEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IP Security Options (IPSO) filters. Please refer to
   [RFC1108] for details on IPSO."
     ::= { ipSecSelector  6 }

   ipSecIpsoFilterEntry OBJECT-TYPE
     SYNTAX IpSecIpsoFilterEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIpsoFilterPrid }
     UNIQUENESS {
       ipSecIpsoFilterMatchConditionType,
       ipSecIpsoFilterClassificationLevel,
       ipSecIpsoFilterProtectionAuthority
       }
     ::= { ipSecIpsoFilterTable 1 }

     IpSecIpsoFilterEntry ::= SEQUENCE {
        ipSecIpsoFilterPrid InstanceId,
        ipSecIpsoFilterMatchConditionType INTEGER,
        ipSecIpsoFilterClassificationLevel IpSecIpsoClassificationTC,
        ipSecIpsoFilterProtectionAuthority IpSecIpsoProtectionTC
   }

   ipSecIpsoFilterPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIpsoFilterEntry  1 }

   ipSecIpsoFilterMatchConditionType OBJECT-TYPE
     SYNTAX INTEGER {
       classificationLevel(1),
       protectionAuthority(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPSO header field to be matched."
     ::= { ipSecIpsoFilterEntry  2 }

   ipSecIpsoFilterClassificationLevel OBJECT-TYPE
     SYNTAX IpSecIpsoClassificationTC
     STATUS current
     DESCRIPTION
   "Specifies the value for classification level to be matched
   against. This attribute MUST be ignored if
   ipSecIpsoFilterMatchConditionType is not 1 (classificationLevel)."
     ::= { ipSecIpsoFilterEntry  3 }

   ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
     SYNTAX IpSecIpsoProtectionTC
     STATUS current
     DESCRIPTION
   "Specifies the value for protection authority to be matched
   against. This attribute MUST be ignored if
   ipSecIpsoFilterMatchConditionType is not 2 (protectionAuthority)."
     ::= { ipSecIpsoFilterEntry  4 }
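
   The following is an added example, not part of this draft, that
   parses an RFC 1108 Basic Security Option from a packet and
   evaluates an ipSecIpsoFilterSet against it, honouring
   ipSecIpsoFilterSetOrder and ipSecIpsoFilterSetIsNegated. The
   classification level encodings (Top Secret 61, Secret 90,
   Confidential 150, Unclassified 171) and the protection authority
   bit numbers (GENSER 0, SIOP-ESI 1, SCI 2, NSA 3, DOE 4) are the
   RFC 1108 values; that IpSecIpsoClassificationTC and
   IpSecIpsoProtectionTC, which are defined outside this section,
   carry exactly those values is an assumption of the example, as are
   the dict representation of rows and the first-match evaluation of
   a set in ascending Order, which this section does not specify.

```python
"""Added example (not from the draft): RFC 1108 Basic Security Option
parsing and ipSecIpsoFilterSet evaluation.

Assumptions: rows are dicts keyed by the PIB attribute names; the TC values
are the RFC 1108 encodings below; a set is evaluated first-match in
ascending ipSecIpsoFilterSetOrder.
"""
BSO_TYPE = 130                       # RFC 1108 Basic Security Option type

# RFC 1108 classification level encodings
CLASSIFICATION = {"topSecret": 61, "secret": 90,
                  "confidential": 150, "unclassified": 171}
# RFC 1108 protection authority flags, numbered from the MSB of the
# first flags octet
PROTECTION_AUTHORITY = {"genser": 0, "siop-esi": 1, "sci": 2, "nsa": 3, "doe": 4}


def parse_bso(option):
    """Return (classification_level, set_of_authority_bits) for one option.

    Layout: type, length, classification, then zero or more flags octets.
    Each flags octet carries seven flag bits; its least significant bit is
    1 when another flags octet follows and 0 on the last one.
    """
    if len(option) < 3 or option[0] != BSO_TYPE or option[1] != len(option):
        raise ValueError("malformed Basic Security Option")
    level = option[2]
    if level not in CLASSIFICATION.values():
        raise ValueError("unknown classification level %d" % level)
    authorities = set()
    flags = option[3:]
    for i, octet in enumerate(flags):
        last = (i == len(flags) - 1)
        if bool(octet & 0x01) == last:
            raise ValueError("protection authority continuation bit inconsistent")
        for bit in range(7):
            if octet & (0x80 >> bit):
                authorities.add(i * 7 + bit)
    return level, authorities


def is_well_formed(option):
    """Install-time style check: does the option parse at all?"""
    try:
        parse_bso(option)
        return True
    except ValueError:
        return False


def filter_matches(flt, level, authorities):
    """One ipSecIpsoFilterTable row against a parsed option."""
    cond = flt["ipSecIpsoFilterMatchConditionType"]
    if cond == 1:                     # classificationLevel
        return level == flt["ipSecIpsoFilterClassificationLevel"]
    if cond == 2:                     # protectionAuthority
        return flt["ipSecIpsoFilterProtectionAuthority"] in authorities
    raise ValueError("unknown ipSecIpsoFilterMatchConditionType %r" % cond)


def first_matching_order(set_rows, filters, set_id, option):
    """Walk the ipSecIpsoFilterSetTable rows with FilterSetId == set_id in
    ascending ipSecIpsoFilterSetOrder; return the Order of the first row
    whose referenced filter matches (after negation), or None."""
    level, authorities = parse_bso(option)
    members = sorted((r for r in set_rows
                      if r["ipSecIpsoFilterSetFilterSetId"] == set_id),
                     key=lambda r: r["ipSecIpsoFilterSetOrder"])
    for r in members:
        flt = filters[r["ipSecIpsoFilterSetFilterId"]]   # ReferenceId -> Prid
        hit = filter_matches(flt, level, authorities)
        if r["ipSecIpsoFilterSetIsNegated"]:
            hit = not hit
        if hit:
            return r["ipSecIpsoFilterSetOrder"]
    return None


# Constructed sample data (not from the draft): three filters, grouped as
# set 7 in the order "not NSA", "Top Secret", "Secret".
FILTERS = {
    1: {"ipSecIpsoFilterMatchConditionType": 2,
        "ipSecIpsoFilterProtectionAuthority": PROTECTION_AUTHORITY["nsa"]},
    2: {"ipSecIpsoFilterMatchConditionType": 1,
        "ipSecIpsoFilterClassificationLevel": CLASSIFICATION["topSecret"]},
    3: {"ipSecIpsoFilterMatchConditionType": 1,
        "ipSecIpsoFilterClassificationLevel": CLASSIFICATION["secret"]},
}
FILTER_SET = [
    {"ipSecIpsoFilterSetFilterSetId": 7, "ipSecIpsoFilterSetFilterId": 2,
     "ipSecIpsoFilterSetOrder": 2, "ipSecIpsoFilterSetIsNegated": False},
    {"ipSecIpsoFilterSetFilterSetId": 7, "ipSecIpsoFilterSetFilterId": 1,
     "ipSecIpsoFilterSetOrder": 1, "ipSecIpsoFilterSetIsNegated": True},
    {"ipSecIpsoFilterSetFilterSetId": 7, "ipSecIpsoFilterSetFilterId": 3,
     "ipSecIpsoFilterSetOrder": 3, "ipSecIpsoFilterSetIsNegated": False},
]
# Constructed options: Secret + GENSER + SCI, and Secret + NSA
SECRET_GENSER_SCI = bytes([BSO_TYPE, 4, 0x5A, 0xA0])
SECRET_NSA = bytes([BSO_TYPE, 4, 0x5A, 0x10])
```

   The continuation-bit check is the part worth keeping in a real
   parser: a flags field whose last octet still signals "more
   follows" is truncated, and a PEP that matched on what it had
   would be classifying traffic on an incomplete label.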

   --
   --
   -- The ipSecRuleTimePeriodTable
   --

   ipSecRuleTimePeriodTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the time periods during which a policy rule is valid.
   The values of the first five attributes in a row are ANDed
   together to determine the validity period(s). If any of the five
   attributes is not present, it is treated as always enabled."
     ::= { ipSecPolicyTimePeriod  1 }

   ipSecRuleTimePeriodEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecRuleTimePeriodPrid }
     UNIQUENESS {
       ipSecRuleTimePeriodTimePeriod,
       ipSecRuleTimePeriodMonthOfYearMask,
       ipSecRuleTimePeriodDayOfMonthMask,
       ipSecRuleTimePeriodDayOfWeekMask,
       ipSecRuleTimePeriodTimeOfDayMask,
       ipSecRuleTimePeriodLocalOrUtcTime
       }
     ::= { ipSecRuleTimePeriodTable 1 }

     IpSecRuleTimePeriodEntry ::= SEQUENCE {
        ipSecRuleTimePeriodPrid InstanceId,
        ipSecRuleTimePeriodTimePeriod TimePeriodTC,
        ipSecRuleTimePeriodMonthOfYearMask MonthOfYearTC,
        ipSecRuleTimePeriodDayOfMonthMask DayOfMonthTC,
        ipSecRuleTimePeriodDayOfWeekMask DayOfWeekTC,
        ipSecRuleTimePeriodTimeOfDayMask TimeOfDayTC,
        ipSecRuleTimePeriodLocalOrUtcTime LocalOrUtcTimeTC
   }

   ipSecRuleTimePeriodPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecRuleTimePeriodEntry  1 }

   ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
     SYNTAX TimePeriodTC
     STATUS current
     DESCRIPTION
   "Identifies an overall range of calendar dates and times over
   which a policy rule is valid. The value reuses the format for an
   explicit time period defined in RFC 2445: a string representing a
   starting date and time, in which the character 'T' indicates the
   beginning of the time portion, followed by the solidus character
   '/', followed by a similar string representing an end date and
   time. The first date indicates the beginning of the range, while
   the second date indicates the end. Thus, the second date and time
   must be later than the first. Date/times are expressed as
   substrings of the form yyyymmddThhmmss.

   There are also two special cases:

   - If the first date/time is replaced with the string THISANDPRIOR,
   then the policy rule is valid [from now] until the date/time that
   appears after the '/'.

   - If the second date/time is replaced with the string
   THISANDFUTURE, then the policy rule becomes valid on the date/time
   that appears before the '/', and remains valid from that point
   on."
     ::= { ipSecRuleTimePeriodEntry  2 }

   ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
     SYNTAX MonthOfYearTC
     STATUS current
     DESCRIPTION
   "Specifies the months of a year during which a policy is valid.
   The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000006 for this
   property;

   - a 2-octet field consisting of 12 bits identifying the 12 months
   of the year, beginning with January and ending with December,
   followed by 4 bits that are always set to '0'. For each month,
   the value '1' indicates that the policy is valid for that month,
   and the value '0' indicates that it is not valid.

   If this property is omitted, the policy rule is treated as valid
   for all twelve months."
     ::= { ipSecRuleTimePeriodEntry  3 }

   ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
     SYNTAX DayOfMonthTC
     STATUS current
     DESCRIPTION
   "Specifies the days of a month during which a policy is valid.
   The octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x0000000C for this
   property;

   - an 8-octet field consisting of 31 bits identifying the days of
   the month counting from the beginning, followed by 31 more bits
   identifying the days of the month counting from the end, followed
   by 2 bits that are always set to '0'. For each day, the value '1'
   indicates that the policy is valid for that day, and the value '0'
   indicates that it is not valid.

   For months with fewer than 31 days, the bits corresponding to
   days that the month does not have (counting in both directions)
   are ignored."
     ::= { ipSecRuleTimePeriodEntry  4 }

   ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
     SYNTAX DayOfWeekTC
     STATUS current
     DESCRIPTION
   "Specifies the days of a week during which a policy is valid. The
   octet string is structured as follows:

   - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000005 for this
   property;

   - a 1-octet field consisting of 7 bits identifying the 7 days of
   the week, beginning with Sunday and ending with Saturday, followed
   by 1 bit that is always set to '0'. For each day of the week, the
   value '1' indicates that the policy is valid for that day, and the
   value '0' indicates that it is not valid."
     ::= { ipSecRuleTimePeriodEntry  5 }

   ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
     SYNTAX TimeOfDayTC
     STATUS current
     DESCRIPTION
   "Specifies a range of times in a day during which a policy is
   valid. It is formatted as follows:

   A time string beginning with the character 'T', followed by the
   solidus character '/', followed by a second time string. The first
   time indicates the beginning of the range, while the second time
   indicates the end. Times are expressed as substrings of the form
   Thhmmss.

   The second substring always identifies a later time than the first
   substring. To allow for ranges that span midnight, however, the
   value of the second string may be smaller than the value of the
   first substring. Thus, T080000/T210000 identifies the range from
   0800 until 2100, while T210000/T080000 identifies the range from
   2100 until 0800 of the following day."
     ::= { ipSecRuleTimePeriodEntry  6 }

   ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
     SYNTAX LocalOrUtcTimeTC
     STATUS current
     DESCRIPTION
   "Indicates whether the times represented in this class are local
   times (localTime(1)) or UTC times (utcTime(2)). There is no
   provision for mixing local times and UTC times: the value of this
   property applies to all of the other time-related properties."
     ::= { ipSecRuleTimePeriodEntry  7 }

   --
   --
   -- The ipSecRuleTimePeriodSetTable
   --

   ipSecRuleTimePeriodSetTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
     PIB-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies time period sets. The ipSecRuleTimePeriodTable can
   specify only a single time period within a day. This class enables
   the specification of multiple time periods within a day by
   grouping them into one set."
     ::= { ipSecPolicyTimePeriod  2 }

   ipSecRuleTimePeriodSetEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodSetEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecRuleTimePeriodSetPrid }
     UNIQUENESS {
       ipSecRuleTimePeriodSetRuleTimePeriodSetId,
       ipSecRuleTimePeriodSetRuleTimePeriodId
       }
     ::= { ipSecRuleTimePeriodSetTable 1 }

     IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
        ipSecRuleTimePeriodSetPrid InstanceId,
        ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId,
        ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId
   }

   ipSecRuleTimePeriodSetPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodSetEntry  1 }

   ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
     SYNTAX TagId
     STATUS current
     DESCRIPTION
   "An integer that uniquely identifies an ipSecRuleTimePeriod set. "
     ::= { ipSecRuleTimePeriodSetEntry  2 }

   ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
     SYNTAX ReferenceId
     PIB-REFERENCES    {ipSecRuleTimePeriodEntry }
     STATUS current
     DESCRIPTION
   "An integer that identifies an ipSecRuleTimePeriod, specified by
   ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is
   included in this set."
     ::= { ipSecRuleTimePeriodSetEntry  3 }
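
   The following is an added example, not part of this draft, that
   evaluates an ipSecRuleTimePeriodTable row at a given instant by
   ANDing its five time attributes, including a time-of-day range
   that spans midnight, and then evaluates an
   ipSecRuleTimePeriodSetTable set of such rows. The mask octet
   strings use the length-prefixed layouts described for the
   ipSecRuleTimePeriodTable above. Assumptions of the example: rows
   are dicts keyed by the attribute names, a missing or None
   attribute means "always enabled", a day of the month qualifies if
   its bit is set counting either from the start or from the end,
   and the members of a set are alternatives (the set is valid when
   any member is), which is my reading of "multiple time periods
   within a day".

```python
"""Added example (not from the draft): ipSecRuleTimePeriod and
ipSecRuleTimePeriodSet evaluation.

Assumptions: rows are dicts keyed by the PIB attribute names; a missing or
None attribute is 'always enabled'; a set is valid when any member is.
"""
import calendar
import datetime


def _mask(length, nbits, set_bits):
    """Encode a mask: 4-octet length field, then nbits flags MSB-first."""
    body = bytearray(length - 4)
    for b in set_bits:
        if not 0 <= b < nbits:
            raise ValueError("bit %d outside the %d-bit field" % (b, nbits))
        body[b // 8] |= 0x80 >> (b % 8)
    return length.to_bytes(4, "big") + bytes(body)


def month_mask(months):                        # 1 = January .. 12 = December
    return _mask(6, 12, [m - 1 for m in months])


def day_of_week_mask(days):                    # 0 = Sunday .. 6 = Saturday
    return _mask(5, 7, list(days))


def day_of_month_mask(from_start=(), from_end=()):   # 1..31 counted either way
    return _mask(12, 62, [d - 1 for d in from_start] + [30 + d for d in from_end])


def _bits(octets, length, nbits):
    """Decode a mask built as above; rejects a wrong length field."""
    if len(octets) != length or int.from_bytes(octets[:4], "big") != length:
        raise ValueError("mask length field does not match")
    return [(octets[4 + i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


def parse_datetime(s):
    """yyyymmddThhmmss, the RFC 2445 form used by ipSecRuleTimePeriodTimePeriod."""
    return datetime.datetime.strptime(s, "%Y%m%dT%H%M%S")


def _tod(s):
    return datetime.datetime.strptime(s, "T%H%M%S").time()


def time_period_valid(row, now):
    """AND the five time attributes of one row against datetime `now`."""
    if now.tzinfo is not None:             # LocalOrUtcTime: 1 = local, 2 = UTC
        utc = row.get("ipSecRuleTimePeriodLocalOrUtcTime") == 2
        now = now.astimezone(datetime.timezone.utc if utc else None).replace(tzinfo=None)
    period = row.get("ipSecRuleTimePeriodTimePeriod")
    if period:
        start, end = period.split("/")
        if start != "THISANDPRIOR" and now < parse_datetime(start):
            return False
        if end != "THISANDFUTURE" and now > parse_datetime(end):
            return False
    months = row.get("ipSecRuleTimePeriodMonthOfYearMask")
    if months and not _bits(months, 6, 12)[now.month - 1]:
        return False
    days = row.get("ipSecRuleTimePeriodDayOfMonthMask")
    if days:
        bits = _bits(days, 12, 62)
        last = calendar.monthrange(now.year, now.month)[1]
        if not (bits[now.day - 1] or bits[31 + last - now.day]):
            return False
    weekdays = row.get("ipSecRuleTimePeriodDayOfWeekMask")
    if weekdays and not _bits(weekdays, 5, 7)[(now.weekday() + 1) % 7]:
        return False                        # Python: Monday = 0; mask: Sunday = 0
    tod = row.get("ipSecRuleTimePeriodTimeOfDayMask")
    if tod:
        t1, t2 = (_tod(s) for s in tod.split("/"))
        t = now.time()
        # t1 > t2 is the form that spans midnight (e.g. T210000/T080000)
        inside = (t1 <= t <= t2) if t1 <= t2 else (t >= t1 or t <= t2)
        if not inside:
            return False
    return True


def time_period_set_valid(set_rows, periods, set_id, now):
    """ipSecRuleTimePeriodSetTable rows sharing set_id reference, through
    ipSecRuleTimePeriodSetRuleTimePeriodId, ipSecRuleTimePeriodTable rows
    keyed by their Prid; the set is valid when any member period is."""
    members = [periods[r["ipSecRuleTimePeriodSetRuleTimePeriodId"]]
               for r in set_rows
               if r["ipSecRuleTimePeriodSetRuleTimePeriodSetId"] == set_id]
    return any(time_period_valid(p, now) for p in members)


# Constructed sample rows (not from the draft): weeknights 21:00-08:00 from
# 2004 onwards, plus office hours, grouped as set 7.
NIGHTS = {
    "ipSecRuleTimePeriodTimePeriod": "20040101T000000/THISANDFUTURE",
    "ipSecRuleTimePeriodMonthOfYearMask": month_mask(range(1, 13)),
    "ipSecRuleTimePeriodDayOfWeekMask": day_of_week_mask([1, 2, 3, 4, 5]),
    "ipSecRuleTimePeriodTimeOfDayMask": "T210000/T080000",
    "ipSecRuleTimePeriodLocalOrUtcTime": 1,
}
OFFICE_HOURS = {"ipSecRuleTimePeriodTimeOfDayMask": "T090000/T170000"}
PERIODS = {1: NIGHTS, 2: OFFICE_HOURS}
SET_ROWS = [
    {"ipSecRuleTimePeriodSetRuleTimePeriodSetId": 7,
     "ipSecRuleTimePeriodSetRuleTimePeriodId": 1},
    {"ipSecRuleTimePeriodSetRuleTimePeriodSetId": 7,
     "ipSecRuleTimePeriodSetRuleTimePeriodId": 2},
]
```

   Two points a PEP implementer should take from this: the
   midnight-spanning form changes the comparison from a closed
   interval to a disjunction, so a check written for the ordinary
   case silently fails for T210000/T080000; and the day-of-week bit
   is evaluated on the date after any UTC/local conversion, so a row
   marked utcTime(2) can select a different weekday than the local
   clock shows.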

   --
   --
   -- The ipSecIfCapsTable
   --

   ipSecIfCapsTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIfCapsEntry
     PIB-ACCESS notify
     STATUS current
     DESCRIPTION
   "Specifies capabilities that may be associated with an interface
   of a specific type. The instances of this class are referenced by
   the frwkCapabilitySetCapability attribute of the
   frwkCapabilitySetTable [RFC3318]."
     ::= { ipSecIfCapability  1 }

   ipSecIfCapsEntry OBJECT-TYPE
     SYNTAX IpSecIfCapsEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     PIB-INDEX { ipSecIfCapsPrid }
     UNIQUENESS {
       ipSecIfCapsDirection,
       ipSecIfCapsMaxIpSecActions,
       ipSecIfCapsMaxIkeActions
       }
     ::= { ipSecIfCapsTable 1 }

     IpSecIfCapsEntry ::= SEQUENCE {
        ipSecIfCapsPrid InstanceId,
        ipSecIfCapsDirection INTEGER,
        ipSecIfCapsMaxIpSecActions Unsigned16TC,
        ipSecIfCapsMaxIkeActions Unsigned16TC
   }

   ipSecIfCapsPrid OBJECT-TYPE
     SYNTAX InstanceId
     STATUS current
     DESCRIPTION
   "An integer index that uniquely identifies an instance of this
   class."
     ::= { ipSecIfCapsEntry  1 }

   ipSecIfCapsDirection OBJECT-TYPE
     SYNTAX INTEGER {
       in(1),
       out(2),
       bi-directional(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the direction for which this capability applies."
     ::= { ipSecIfCapsEntry  2 }

   ipSecIfCapsMaxIpSecActions OBJECT-TYPE
     SYNTAX Unsigned16TC
     STATUS current
     DESCRIPTION
   "Specifies the maximum number of actions an IPsec action set may
   contain. IPsec action sets are specified by the
   ipSecActionSetTable.

   A value of zero indicates that there is no maximum limit."
     ::= { ipSecIfCapsEntry  3 }

   ipSecIfCapsMaxIkeActions OBJECT-TYPE
     SYNTAX Unsigned16TC
     STATUS current
     DESCRIPTION
   "Specifies the maximum number of actions an IKE action set may
   contain. IKE action sets are specified by the
   ipSecIkeActionSetTable.

   A value of zero indicates that there is no maximum limit."
     ::= { ipSecIfCapsEntry  4 }

   --
   --
   -- Conformance Section
   --

   ipSecPolicyPibCompliances
       OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 1 }

   ipSecPolicyPibConformanceGroups
       OBJECT IDENTIFIER ::= { ipSecPolicyPibConformance 2 }

   ipSecPolicyPibCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
   "Compliance statement"
       MODULE --this module
           MANDATORY-GROUPS {
           ipSecRuleGroup,
           ipSecActionSetGroup,
           ipSecStaticActionGroup,
           ipSecNegotiationActionGroup,
           ipSecAssociationGroup,
           ipSecProposalSetGroup,
           ipSecProposalGroup,
           ipSecAhTransformSetGroup,
           ipSecAhTransformGroup,
           ipSecEspTransformSetGroup,
           ipSecEspTransformGroup,
           ipSecCompTransformSetGroup,
           ipSecCompTransformGroup,
           ipSecIkeAssociationGroup,
           ipSecIkeProposalSetGroup,
           ipSecIkeProposalGroup,
           ipSecIkePeerEndpointGroup,
           ipSecCredentialSetGroup,
           ipSecCredentialGroup,
           ipSecCredentialFieldsGroup,
           ipSecSelectorSetGroup,
           ipSecSaGroup,
           ipSecIkeGroup,
           ipSecSelectorGroup,
           ipSecAddressGroup,
           ipSecL4PortGroup,
           ipSecIfCapsGroup
           }

       GROUP ipSecIkeRuleGroup
           DESCRIPTION
   "This group is mandatory if either of the following is supported:
   1) multiple IKE phase one actions (e.g., with different exchange
   modes) associated with an IPsec rule, to be tried in sequence
   until one succeeds; 2) IKE phase one actions that start
   automatically."

       GROUP ipSecIkeActionSetGroup
           DESCRIPTION
   "This group is mandatory if either of the following is supported:
   1) multiple IKE phase one actions (e.g., with different exchange
   modes) associated with an IPsec rule, to be tried in sequence
   until one succeeds; 2) IKE phase one actions that start
   automatically."

       GROUP ipSecIpsoFilterSetGroup
           DESCRIPTION
   "This group is mandatory if IPSO filter is supported."

       GROUP ipSecIpsoFilterGroup
           DESCRIPTION
   "This group is mandatory if IPSO filter is supported."

       GROUP ipSecRuleTimePeriodGroup
           DESCRIPTION
   "This group is mandatory if policy scheduling is supported."

       GROUP ipSecRuleTimePeriodSetGroup
           DESCRIPTION
   "This group is mandatory if policy scheduling is supported."

       OBJECT ipSecRuleIpSecIpsoFilterSetId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleLimitNegotiation
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION

   Li, et al            Expires October 2004                       80
                    IPsec Policy Information Base          April 2004

   "              Support of this attribute is optional"

       OBJECT ipSecRuleAutoStart
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleIpSecRuleTimePeriodGroupId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecActionSetDoActionLogging
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecActionSetDoPacketLogging
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationMinLifetimeSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationMinLifetimeKilobytes
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

   Li, et al              Expires May 2004                         81
                    IPsec Policy Information Base       November 2003

       OBJECT ipSecAssociationIdleDurationSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationUseKeyExchangeGroup
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAssociationGranularity
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAhTransformUseReplayPrevention
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAhTransformReplayPreventionWindowSize
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecAhTransformVendorId

   Li, et al            Expires October 2004                       81
                    IPsec Policy Information Base          April 2004

       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformCipherKeyRounds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformCipherKeyLength
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformUseReplayPrevention
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformReplayPreventionWindowSize
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecEspTransformVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecCompTransformDictionarySize
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecCompTransformPrivateAlgorithm
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecCompTransformVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationMinLiftetimeSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationMinLifetimeKilobytes
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationIdleDurationSeconds
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationPresharedKey
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationVendorId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationAggressiveModeGroupId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationLocalCredentialId
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeAssociationDoActionLogging
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkeProposalPrfAlgorithm
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIkePeerEndpointAddress
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecIfCapsMaxIkeActions
       PIB-MIN-ACCESS not-accessible
       DESCRIPTION
   "              Support of this attribute is optional"

       OBJECT ipSecRuleActionExecutionStrategy
       SYNTAX INTEGER {
         doAll(1)
         }
       DESCRIPTION
   "              Support of doUntilSuccess(2) is not required"

       OBJECT ipSecStaticActionAction
       SYNTAX INTEGER {
         byPass(1),
         discard(2),
         preConfiguredTransport(4),
         preConfiguredTunnel(5)
         }
       DESCRIPTION
   "              Support of ikeRejection(3) is not required"

       ::= { ipSecPolicyPibCompliances 1 }

   ipSecSaGroup OBJECT-GROUP
       OBJECTS {
          ipSecRulePrid,
          ipSecRuleIfCapSetName,
          ipSecRuleRoles,
          ipSecRuleDirection,
          ipSecRuleIpSecSelectorSetId,
          ipSecRuleIpSecIpsoFilterSetId,
          ipSecRuleIpSecActionSetId,
          ipSecRuleActionExecutionStrategy,
          ipSecRuleOrder,
          ipSecRuleLimitNegotiation,
          ipSecRuleAutoStart,
          ipSecRuleIpSecRuleTimePeriodGroupId,

          ipSecActionSetPrid,
          ipSecActionSetActionSetId,
          ipSecActionSetActionId,
          ipSecActionSetDoActionLogging,
          ipSecActionSetDoPacketLogging,
          ipSecActionSetOrder,

          ipSecStaticActionPrid,
          ipSecStaticActionAction,
          ipSecStaticActionTunnelEndpointId,
          ipSecStaticActionDfHandling,
          ipSecStaticActionSpi,
          ipSecStaticActionLifetimeSeconds,
          ipSecStaticActionLifetimeKilobytes,
          ipSecStaticActionSaTransformId,

          ipSecNegotiationActionPrid,
          ipSecNegotiationActionAction,
          ipSecNegotiationActionTunnelEndpointId,
          ipSecNegotiationActionDfHandling,
          ipSecNegotiationActionIpSecAssociationId,
          ipSecNegotiationActionKeyExchangeId,

          ipSecAssociationPrid,
          ipSecAssociationMinLifetimeSeconds,
          ipSecAssociationMinLifetimeKilobytes,
          ipSecAssociationIdleDurationSeconds,
          ipSecAssociationUsePfs,
          ipSecAssociationVendorId,
          ipSecAssociationUseKeyExchangeGroup,
          ipSecAssociationDhGroup,
          ipSecAssociationGranularity,
          ipSecAssociationProposalSetId,

          ipSecProposalSetPrid,
          ipSecProposalSetProposalSetId,
          ipSecProposalSetProposalId,
          ipSecProposalSetOrder,

          ipSecProposalPrid,
          ipSecProposalEspTransformSetId,
          ipSecProposalAhTransformSetId,
          ipSecProposalCompTransformSetId,

          ipSecAhTransformSetPrid,
          ipSecAhTransformSetTransformSetId,
          ipSecAhTransformSetTransformId,
          ipSecAhTransformSetOrder,

          ipSecAhTransformPrid,
          ipSecAhTransformTransformId,
          ipSecAhTransformIntegrityKey,
          ipSecAhTransformUseReplayPrevention,
          ipSecAhTransformReplayPreventionWindowSize,
          ipSecAhTransformVendorId,
          ipSecAhTransformMaxLifetimeSeconds,
          ipSecAhTransformMaxLifetimeKilobytes,

          ipSecEspTransformSetPrid,
          ipSecEspTransformSetTransformSetId,
          ipSecEspTransformSetTransformId,
          ipSecEspTransformSetOrder,

          ipSecEspTransformPrid,
          ipSecEspTransformIntegrityTransformId,
          ipSecEspTransformCipherTransformId,
          ipSecEspTransformIntegrityKey,
          ipSecEspTransformCipherKey,
          ipSecEspTransformCipherKeyRounds,
          ipSecEspTransformCipherKeyLength,
          ipSecEspTransformUseReplayPrevention,
          ipSecEspTransformReplayPreventionWindowSize,
          ipSecEspTransformVendorId,
          ipSecEspTransformMaxLifetimeSeconds,
          ipSecEspTransformMaxLifetimeKilobytes,

          ipSecCompTransformSetPrid,
          ipSecCompTransformSetTransformSetId,
          ipSecCompTransformSetTransformId,
          ipSecCompTransformSetOrder,

          ipSecCompTransformPrid,
          ipSecCompTransformAlgorithm,
          ipSecCompTransformDictionarySize,
          ipSecCompTransformPrivateAlgorithm,
          ipSecCompTransformVendorId,
          ipSecCompTransformMaxLifetimeSeconds,
          ipSecCompTransformMaxLifetimeKilobytes
          }
       STATUS current
       DESCRIPTION
   "This group specifies IPsec phase two rules"
       ::= { ipSecPolicyPibConformanceGroups  1 }

   ipSecIkeGroup OBJECT-GROUP
       OBJECTS {
          ipSecIkeAssociationPrid,
          ipSecIkeAssociationMinLiftetimeSeconds,
          ipSecIkeAssociationMinLifetimeKilobytes,
          ipSecIkeAssociationIdleDurationSeconds,
          ipSecIkeAssociationExchangeMode,
          ipSecIkeAssociationUseIkeIdentityType,
          ipSecIkeAssociationUseIkeIdentityValue,
          ipSecIkeAssociationIkePeerEndpoint,
          ipSecIkeAssociationPresharedKey,
          ipSecIkeAssociationVendorId,
          ipSecIkeAssociationAggressiveModeGroupId,
          ipSecIkeAssociationLocalCredentialId,
          ipSecIkeAssociationDoActionLogging,
          ipSecIkeAssociationIkeProposalSetId,

          ipSecIkeProposalSetPrid,
          ipSecIkeProposalSetProposalSetId,
          ipSecIkeProposalSetProposalId,
          ipSecIkeProposalSetOrder,

          ipSecIkeProposalPrid,
          ipSecIkeProposalMaxLifetimeSeconds,
          ipSecIkeProposalMaxLifetimeKilobytes,
          ipSecIkeProposalCipherAlgorithm,
          ipSecIkeProposalHashAlgorithm,
          ipSecIkeProposalAuthenticationMethod,
          ipSecIkeProposalPrfAlgorithm,
          ipSecIkeProposalIkeDhGroup,
          ipSecIkeProposalVendorId,

          ipSecIkePeerEndpointPrid,
          ipSecIkePeerEndpointIdentityType,
          ipSecIkePeerEndpointIdentityValue,
          ipSecIkePeerEndpointIsNegated,
          ipSecIkePeerEndpointAddress,
          ipSecIkePeerEndpointCredentialSetId,

          ipSecCredentialSetPrid,
          ipSecCredentialSetSetId,
          ipSecCredentialSetCredentialId,

          ipSecCredentialPrid,
          ipSecCredentialCredentialType,
          ipSecCredentialFieldsId,
          ipSecCredentialCrlDistributionPoint,

          ipSecCredentialFieldsPrid,
          ipSecCredentialFieldsName,
          ipSecCredentialFieldsValue,
          ipSecCredentialFieldsIsNegated,
          ipSecCredentialFieldsSetId
          }
       STATUS current
       DESCRIPTION
   "This group specifies IPsec phase one rules (IKEv1)"
       ::= { ipSecPolicyPibConformanceGroups  2 }

   ipSecSelectorGroup OBJECT-GROUP
       OBJECTS {
          ipSecSelectorSetPrid,
          ipSecSelectorSetSelectorSetId,
          ipSecSelectorSetSelectorId,
          ipSecSelectorSetOrder,
          ipSecSelectorSetIsNegated,

          ipSecSelectorPrid,
          ipSecSelectorSrcAddressGroupId,
          ipSecSelectorSrcPortGroupId,
          ipSecSelectorDstAddressGroupId,
          ipSecSelectorDstPortGroupId,
          ipSecSelectorProtocol,
          ipSecSelectorDscp,
          ipSecSelectorFlowLabel,

          ipSecAddressPrid,
          ipSecAddressAddressType,
          ipSecAddressAddrPrefixLength,
          ipSecAddressAddrMin,
          ipSecAddressAddrMax,
          ipSecAddressGroupId,

          ipSecL4PortPrid,
          ipSecL4PortPortMin,
          ipSecL4PortPortMax,
          ipSecL4PortGroupId
          }
       STATUS current
       DESCRIPTION
   "This group specifies IPsec selectors"
       ::= { ipSecPolicyPibConformanceGroups  3 }

   ipSecIfCapsGroup OBJECT-GROUP
       OBJECTS {
          ipSecIfCapsPrid,
          ipSecIfCapsDirection,
          ipSecIfCapsMaxIpSecActions,
          ipSecIfCapsMaxIkeActions
          }
       STATUS current
       DESCRIPTION
   "This group specifies IPsec interface capabilities"
       ::= { ipSecPolicyPibConformanceGroups  4 }

   ipSecIkeRuleGroup OBJECT-GROUP
       OBJECTS {
          ipSecIkeRulePrid,
          ipSecIkeRuleIfCapSetName,
          ipSecIkeRuleRoles,
          ipSecIkeRuleIkeActionSetId,
          ipSecIkeRuleActionExecutionStrategy,
          ipSecIkeRuleLimitNegotiation,
          ipSecIkeRuleAutoStart,
          ipSecIkeRuleIpSecRuleTimePeriodGroupId
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecIkeRuleTable."
       ::= { ipSecPolicyPibConformanceGroups  5 }

   ipSecIkeActionSetGroup OBJECT-GROUP
       OBJECTS {
          ipSecIkeActionSetPrid,
          ipSecIkeActionSetActionSetId,
          ipSecIkeActionSetActionId,
          ipSecIkeActionSetOrder
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecIkeActionSetTable."
       ::= { ipSecPolicyPibConformanceGroups  6 }

   ipSecIpsoFilterSetGroup OBJECT-GROUP
       OBJECTS {
          ipSecIpsoFilterSetPrid,
          ipSecIpsoFilterSetFilterSetId,
          ipSecIpsoFilterSetFilterId,
          ipSecIpsoFilterSetOrder,
          ipSecIpsoFilterSetIsNegated
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecIpsoFilterSetTable."
       ::= { ipSecPolicyPibConformanceGroups  7 }

   ipSecIpsoFilterGroup OBJECT-GROUP
       OBJECTS {
          ipSecIpsoFilterPrid,
          ipSecIpsoFilterMatchConditionType,
          ipSecIpsoFilterClassificationLevel,
          ipSecIpsoFilterProtectionAuthority
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecIpsoFilterTable."
       ::= { ipSecPolicyPibConformanceGroups  8 }

   ipSecRuleTimePeriodGroup OBJECT-GROUP
       OBJECTS {
          ipSecRuleTimePeriodPrid,
          ipSecRuleTimePeriodTimePeriod,
          ipSecRuleTimePeriodMonthOfYearMask,
          ipSecRuleTimePeriodDayOfMonthMask,
          ipSecRuleTimePeriodDayOfWeekMask,
          ipSecRuleTimePeriodTimeOfDayMask,
          ipSecRuleTimePeriodLocalOrUtcTime
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecRuleTimePeriodTable."
       ::= { ipSecPolicyPibConformanceGroups  9 }

   ipSecRuleTimePeriodSetGroup OBJECT-GROUP
       OBJECTS {
          ipSecRuleTimePeriodSetPrid,
          ipSecRuleTimePeriodSetRuleTimePeriodSetId,
          ipSecRuleTimePeriodSetRuleTimePeriodId
          }
       STATUS current
       DESCRIPTION
   "Objects from the ipSecRuleTimePeriodSetTable."
       ::= { ipSecPolicyPibConformanceGroups  30 }

   END

6. Security Considerations

   This document defines an IPsec PIB for configuring IPsec policies on
   IPsec enabled devices. As IPsec provides security services, it is
   critical that IPsec configuration data be protected at least as
   strongly as the desired IPsec policy.

   The ipSecEspTransformTable and ipSecAhTransformTable contain
   authentication and encryption keys for static IPsec security
   associations; these key attributes are ignored for IPsec security
   associations that are established dynamically. The
   ipSecIkeAssociationTable contains an optional pre-shared key for IKE
   authentication. Malicious access to the above PRCs can compromise
   the keys. As a result, they MUST NOT be observed by third parties.

   In addition, the PRCs in this PIB may contain information that is
   sensitive from a business perspective, in that it may represent a
   customer's service contract or the filters that the service
   provider chooses to apply to a customer's traffic. All the tables
   except the ipSecIfCapsTable have a PIB-ACCESS clause of install.
   Malicious altering of these PRCs may affect the IPsec behavior of
   the device being provisioned. Malicious access to the above PRCs
   also exposes policy information concerning how the device is
   provisioned.

   The ipSecIfCapsTable has a PIB-ACCESS clause of notify. Malicious
   access to this PRC exposes information concerning the device being
   provisioned.

   The authentication and integrity of configuration information is of
   utmost importance to the security of a network. Administrators
   SHOULD carefully consider the potential threat environment involving
   PDP and PEP data exchange. At a minimum, PDPs and PEPs SHOULD
   authenticate one another and SHOULD use a transport protocol that
   supports data integrity and authentication. Administrators SHOULD
   also carefully consider the importance of confidentiality of their
   configuration information, because it may reveal private or
   confidential information about customer access, business
   relationships, keys, etc.  If these are concerns to the
   organization, then confidentiality SHOULD be used to transport the
   information. Administrators SHOULD use IPsec or TLS between PDP and
   PEP as described in [5] and [25] to provide the necessary
   protections.

7. RFC Editor Considerations

   This document normatively references [23] and [24], which are
   Internet-Drafts. Please replace them with their corresponding RFC
   numbers prior to publication of this document as an RFC.

8. IANA Considerations

   This document describes the ipSecPolicyPib Policy Information Base
   (PIB) module for registration under the "pib" branch registered with
   IANA. IANA has assigned PIB number <tbd> for it under the "pib"
   branch.

   IANA Considerations for SUBJECT-CATEGORIES follow the same
   requirements as specified in the IANA Considerations for COPS Client
   Types in [5]. The IPsec PIB defines a new COPS Client Type. IANA has
   assigned COPS client type XXXXX (tbd) for it as described in the
   IANA Considerations of [5], and has updated the registry
   (http://www.iana.org/assignments/cops-parameters) for COPS Client
   Types as a result.

   The authors suggest the use of "ipSec" as the name of the
   ClientType.

9. Normative References

   1.  S. Bradner, "The Internet Standards Process -- Revision 3",
        BCP 9, RFC 2026, October 1996.

   2.  S. Bradner, "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   3.  S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
        November 1998.

   4.  F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling
        Core Object Specification (iCalendar)", RFC 2445, November
        1998.

   5.  J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry,
        "The COPS (Common Open Policy Service) Protocol", RFC 2748,
        January 2000.

   6.  K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
        Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage
        for Policy Provisioning", RFC 3084, March 2001.

   7.  D. Piper, "The Internet IP Security Domain of Interpretation
        for ISAKMP", RFC 2407, November 1998.

   8.  S. Kent, R. Atkinson, "IP Encapsulating Security Payload
        (ESP)", RFC 2406, November 1998.

   9.  M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
        Smith, F. Reichmeyer, "Framework Policy Information Base",
        RFC 3318, March 2003.

   10.  D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)",
        RFC 2409, November 1998.

   11.  A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
        Compression Protocol (IPComp)", RFC 2393, August 1998.

   12.  J. Jason, L. Rafalow, E. Vyncke, "IPsec Configuration Policy
        Model", RFC 3585, August 2003.

   13.  A. Westerinen, et al., "Terminology for Policy-Based
        Management", RFC 3198, November 2001.

   14.  K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
        Smith, F. Reichmeyer, "Structure of Policy Provisioning
        Information", RFC 3159, August 2001.

   15.  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose,
        S. Waldbusser, "Structure of Management Information Version 2
        (SMIv2)", STD 58, RFC 2578, April 1999.

   16.  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose,
        S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC
        2579, April 1999.

   17.  F. Baker, K. Chan, A. Smith, "Management Information Base for
        the Differentiated Services Architecture", RFC 3289, May 2002.

   18.  M. Daniele, B. Haberman, S. Routhier, J. Schoenwaelder,
        "Textual Conventions for Internet Network Addresses", RFC
        3291, May 2002.

   19.  D. Harrington, R. Presuhn, B. Wijnen, "An Architecture for
        Describing Simple Network Management Protocol (SNMP) Management
        Frameworks", RFC 3411, December 2002.

   20.  B. Wijnen, "Textual Conventions for IPv6 Flow Label", RFC 3595,
        September 2003.

   21.  S. Kent, "U.S. Department of Defense Security Options for the
        Internet Protocol", RFC 1108, November 1991.

   22.  B. Moore, E. Ellesson, J. Strassner, A. Westerinen, "Policy
        Core Information Model -- Version 1 Specification", RFC 3060,
        February 2001.

   23.  M. Baer, R. Charlet, W. Hardaker, R. Story, C. Wang, "IPsec
        Security Policy IPsec Action MIB", draft-ietf-ipsp-ipsecaction-
        mib-00.txt, January 2004.

   24.  M. Baer, R. Charlet, W. Hardaker, R. Story, C. Wang, "IPsec
        Security Policy IKE Action MIB", draft-ietf-ipsp-ikeaction-mib-
        00.txt, January 2004.

10. Informative References

   25.  J. Walker, A. Kulkarni, "COPS Over TLS", draft-ietf-rap-cops-
        tls-04.txt, June 2002.

11. Authors' Addresses

   Man Li
   Nokia
   5 Wayside Road,
   Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   David Arneson
   Email: dla@mediaone.net

   Avri Doria
   ETRI
   161 Gajeong-dong, Yuseong-gu
   Deajeon 305-350 Korea
   Email: avri@acm.org

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   Phone: +1 503 264 9531
   Email: jamie.jason@intel.com

   Cliff Wang
   SmartPipes Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   Phone: +1 614 923 6241
   Email: CWang@smartpipes.com

   Markus Stenberg
   SSH Communications Security Corp.
   Fredrikinkatu 42
   FIN-00100 Helsinki, Finland
   Phone: +358 20 500 7466
   Email: fingon@iki.fi

12. IPR Disclosure Acknowledgement

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance
   with RFC 2668.

13. Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared,
   copied, published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright notice
   and this paragraph are included on all such copies and derivative
   works.  However, this document itself may not be modified in any
   way, such as by removing the copyright notice or references to the
   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into
   languages other than English.

   The limited permissions granted above are perpetual and will not
   be revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on
   an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
