rfcdiff: draft-ietf-ipsp-spd-mib-00.txt vs. draft-ietf-ipsp-spd-mib-01.txt

   The two revisions are shown as one text.  Where they differ, the -01
   text is given and the -00 text is noted as "-00:"; stretches that
   rfcdiff did not display are marked "[unchanged text omitted ...]".

IPSP                                                            M. Baer
Internet-Draft                                             Sparta, Inc.
Expires: April 20, 2005 (-00: July 19, 2004)                 R. Charlet
                                                                   Self
                                                            W. Hardaker
                                                           Sparta, Inc.
                                                               R. Story
                                                    Revelstone Software
                                                                C. Wang
                                                       SmartPipes, Inc.
                               October 20, 2004 (-00: January 19, 2004)

           IPsec Security Policy Database Configuration MIB
      draft-ietf-ipsp-spd-mib-01.txt (-00: draft-ietf-ipsp-spd-mib-00.txt)
Status of this Memo

   -01: By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   -00: This document is an Internet-Draft and is in full conformance
   with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 20, 2005 (-00: July 19,
   2004).

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.
Abstract

   This document defines a SMIv2 Management Information Base (MIB)
   module for configuring the security policy database of a device
   implementing the IPSec protocol.  The policy-based packet filtering
   and the corresponding execution of actions is of a more general
   nature than for IPsec configuration only, such as for configuration
   of a firewall.  This MIB module is designed with future extensibility
   in mind.  It is thus possible to externally add other packet filters
   and actions to the policy-based packet filtering system defined in
   this document.
Table of Contents

   1.     Introduction
   2.     The Internet-Standard Management Framework
   3.     Relationship to the DMTF Policy Model
   4.     MIB Module Overview
   4.1    Usage Tutorial
   4.1.1  Notational conventions
   4.1.2  Implementing an example SPD policy
   5.     MIB definition
   6.     Security Considerations
   6.1    Introduction
   6.2    Protecting against in-authentic access
   6.3    Protecting against involuntary disclosure
   6.4    Bootstrapping your configuration
   7.     Acknowledgments
   8.     References
   8.1    Normative References
   8.2    Informative References
          Authors' Addresses
          Intellectual Property and Copyright Statements

   (-00 listed "Normative References" and "Informative References" as
   unnumbered sections; -01 groups them under "8. References".)
1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The policy-based packet filtering
   and the corresponding execution of actions is of a more general
   nature than for IPsec configuration only, such as for configuration
   of a firewall.  It is possible to add other packet transforming
   actions to this MIB module if those actions need to be performed
   conditionally on filtered traffic.

   [unchanged text omitted; the comparison resumes at page 4, line 18]
   filter object to provide for greater flexibility when creating
   complex filters.

4.  MIB Module Overview

   The MIB module is modularized into several different parts: rules,
   filters, and actions.  The rules section connects endpoints and
   groups of rules together.  This is partially made up of the
   ipspEndpointToGroupTable, ipspGroupContentsTable, and the
   ipspRuleDefinitionTable.  Each row of the ipspRuleDefinitionTable
   connects a filter(s) with an action(s).  It is structured to allow
   for reuse through the future creation of extension tables that
   provide additional filters and/or actions.  In fact, the companion
   documents to this one do just that to define IPsec and IKE specific
   actions to be used within this SPD configuration MIB.

   The filter section of the MIB module is composed of all the different
   types of filters in the Policy Model.  It is partially made up of the
   trueFilter, ipspCompoundFilterTable, ipspIpHeaderFilterTable,
   ipspIpOffsetFilterTable, ipspTimeFilterTable, and the
   ipspIpsoHeaderFilterTable.

   The action section of the MIB module contains different action types
   from the Policy Model.  This document contains only the basic actions
   needed for firewall processing (accept, drop, log, ...) that an SPD

   [unchanged text omitted; the comparison resumes at page 6, line 20]
   We also need a rule to accept all other packets:

      spdRuleDefinitionEntry(spdRuleDefName = "accept all")
         = (spdRuleDefFilter = spdTrueFilter.0,
            spdRuleDefAction = spdAcceptAction.0,
            spdRuleDefRowStatus = 5)              -- createAndGo

   Now, we need to put these two rules into a group.  We will put the
   "accept all" rule at the very end (i.e. assign it the highest
   priority number), so it is matched last.  Then, at an earlier
   priority (1000), we will insert the "drop from 10.6.6.6" rule.  We
   will do this by putting the rules into the group "incoming".

      SpdGroupContentsEntry(spdGroupContName = "incoming",
                            spdGroupContPriority = 65535)
         = (spdGroupContComponentName = "accept all",
            spdGroupContRowStatus = 5)             -- createAndGo

      SpdGroupContentsEntry(spdGroupContName = "incoming",
                            spdGroupContPriority = 1000)
         = (spdGroupContComponentName = "drop from 10.6.6.6",
            spdGroupContRowStatus = 5)             -- createAndGo
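   The following Python model is an added example and is not code from
   the draft.  It shows what the two SpdGroupContentsEntry rows above
   mean operationally: rows of a group are walked in ascending
   spdGroupContPriority order, each row names an spdRuleDefinitionTable
   row that pairs a filter with an action, and the walk stops at the
   first rule whose filter matches (the spdGroupContentsTable rule that
   the next larger priority is consulted only if no action ran).  Not on
   the page and therefore assumed here: the filter behind "drop from
   10.6.6.6" is modelled as a source-address check, its action is named
   "spdDropAction.0", and Packet is a constructed stand-in for a real
   packet.

```python
"""Added example (not from draft-ietf-ipsp-spd-mib): evaluation of a policy group."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the packet being classified."""
    src: str
    dst: str
    proto: int


Filter = Callable[[Packet], bool]


@dataclass(frozen=True)
class RuleDefinition:
    """One row of spdRuleDefinitionTable: a filter paired with an action."""
    spdRuleDefName: str
    spdRuleDefFilter: Filter
    spdRuleDefAction: str


@dataclass
class GroupContents:
    """All spdGroupContentsTable rows that share one spdGroupContName."""
    spdGroupContName: str
    rows: Dict[int, str] = field(default_factory=dict)   # priority -> rule name

    def add(self, spdGroupContPriority: int, spdGroupContComponentName: str) -> None:
        # (spdGroupContName, spdGroupContPriority) is the table INDEX, so a
        # priority value can be used only once per group.
        if spdGroupContPriority in self.rows:
            raise ValueError(f"priority {spdGroupContPriority} already used in "
                             f"group {self.spdGroupContName!r}")
        self.rows[spdGroupContPriority] = spdGroupContComponentName


def spd_true_filter(_pkt: Packet) -> bool:
    """spdTrueFilter.0: matches every packet."""
    return True


def evaluate_group(group: GroupContents, rules: Dict[str, RuleDefinition],
                   pkt: Packet) -> Tuple[Optional[str], List[str]]:
    """Walk the group by ascending priority and stop at the first rule that fires.

    Returns (action name, or None if no rule matched, rule names examined in order).
    """
    examined: List[str] = []
    for prio in sorted(group.rows):
        rule = rules[group.rows[prio]]
        examined.append(rule.spdRuleDefName)
        if rule.spdRuleDefFilter(pkt):
            return rule.spdRuleDefAction, examined      # an action ran: stop here
    return None, examined


# The two rules of the tutorial.  The drop rule's filter and action name are
# assumptions of this example (the draft's rows for them are not on this page).
RULES: Dict[str, RuleDefinition] = {
    "drop from 10.6.6.6": RuleDefinition(
        "drop from 10.6.6.6", lambda p: p.src == "10.6.6.6", "spdDropAction.0"),
    "accept all": RuleDefinition("accept all", spd_true_filter, "spdAcceptAction.0"),
}

# The two SpdGroupContentsEntry rows of the tutorial.
INCOMING = GroupContents("incoming")
INCOMING.add(65535, "accept all")
INCOMING.add(1000, "drop from 10.6.6.6")


if __name__ == "__main__":
    for pkt in (Packet("10.6.6.6", "10.0.0.1", 6), Packet("10.1.2.3", "10.0.0.1", 17)):
        action, seen = evaluate_group(INCOMING, RULES, pkt)
        print(f"{pkt.src}: {action} after examining {seen}")
```

   The ordering matters: if "accept all" were given a priority lower
   than 1000 it would fire first and the drop rule would never be
   reached, which is exactly the mistake the tutorial avoids by placing
   it at 65535.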
   [unchanged text omitted; the comparison resumes at page 13, line 38]

            finding the next largest spdGroupContPriority object shall
            only be done if no actions were run when processing the
            last item for a given packet."
       ::= { spdConfigObjects 3 }

   spdGroupContentsEntry OBJECT-TYPE
       SYNTAX      SpdGroupContentsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines a given sub-component within a policy group."
           -- -00: "Defines a given sub-item within a policy group."
       INDEX { spdGroupContName, spdGroupContPriority }
       ::= { spdGroupContentsTable 1 }

   SpdGroupContentsEntry ::= SEQUENCE {
       spdGroupContName           SnmpAdminString,
       spdGroupContPriority       Integer32,
       spdGroupContFilter         VariablePointer,
       spdGroupContComponentType  INTEGER,
       spdGroupContComponentName  SnmpAdminString,
       spdGroupContLastChanged    TimeStamp,
   [unchanged text omitted; the comparison resumes at page 33, line 19]

       STATUS      current
       DESCRIPTION
           "A definition of a particular filter."
       INDEX { spdIpOffFiltName }
       ::= { spdIpOffsetFilterTable 1 }

   SpdIpOffsetFilterEntry ::= SEQUENCE {
       spdIpOffFiltName         SnmpAdminString,
       spdIpOffFiltOffset       Integer32,
       spdIpOffFiltType         INTEGER,
       -- -00 also had here:  spdIpOffFiltNumber  Integer32,
       spdIpOffFiltValue        OCTET STRING,
       spdIpOffFiltLastChanged  TimeStamp,
       spdIpOffFiltStorageType  StorageType,
       spdIpOffFiltRowStatus    RowStatus
   }

   spdIpOffFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current

   [unchanged text omitted; the comparison resumes at page 33, line 45
   (-00) / line 44 (-01)]

       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This is the byte offset from the front of the IP packet
           where the value or arithmetic comparison is done.  A
           value of '0' indicates the first byte in the packet."
       ::= { spdIpOffsetFilterEntry 2 }
   spdIpOffFiltType OBJECT-TYPE
       SYNTAX      INTEGER { equal(1),
                             notEqual(2),
                             arithmeticLess(3),
                             arithmeticGreaterOrEqual(4),
                             arithmeticGreater(5),
                             arithmeticLessOrEqual(6) }
       -- -00 enumerated: valueMatch(1), valueNotMatch(2),
       -- arithmeticEqual(3), arithmeticNotEqual(4), arithmeticLess(5),
       -- arithmeticGreaterOrEqual(6), arithmeticGreater(7),
       -- arithmeticLessOrEqual(8).  In -00 the arithmetic tests
       -- compared the Integer32 object spdIpOffFiltNumber with the 4
       -- byte value, in network byte order, starting at the given
       -- offset, and the "Once a row is 'active'" sentence below named
       -- "the appropriate columns, spdIpOffFiltNumber or
       -- spdIpOffFiltValue, needed by the new value".  -01 removes
       -- spdIpOffFiltNumber and arithmeticEqual/arithmeticNotEqual and
       -- compares spdIpOffFiltValue, as an unsigned integer of its own
       -- length, for every test.
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This defines the various tests that are used when
           evaluating a given filter.

           Once a row is 'active', this object's value may not be
           changed unless the column, spdIpOffFiltValue, has been
           appropriately configured.

           The various tests definable in this table are as follows:

           equal:
             - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
               a value in the packet starting at the given offset in
               the packet and comparing the entire OCTET STRING of
               'spdIpOffFiltValue'.  Any numeric values compared this
               way are assumed to be unsigned integer values in
               network byte order of the same length as
               'spdIpOffFiltValue'.

           notEqual:
             - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
               not match a value in the packet starting at the given
               offset in the packet and comparing to the entire OCTET
               STRING of 'spdIpOffFiltValue'.  Any numeric values
               compared this way are assumed to be unsigned integer
               values in network byte order of the same length as
               'spdIpOffFiltValue'.

           arithmeticLess:
             - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
               arithmetically less than ('<') the value starting at
               the given offset within the packet.  The value in the
               packet is assumed to be an unsigned integer in network
               byte order of the same length as 'spdIpOffFiltValue'.

           arithmeticGreaterOrEqual:
             - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
               arithmetically greater than or equal to ('>=') the
               value starting at the given offset within the packet.
               The value in the packet is assumed to be an unsigned
               integer in network byte order of the same length as
               'spdIpOffFiltValue'.

           arithmeticGreater:
             - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
               arithmetically greater than ('>') the value starting at
               the given offset within the packet.  The value in the
               packet is assumed to be an unsigned integer in network
               byte order of the same length as 'spdIpOffFiltValue'.

           arithmeticLessOrEqual:
             - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
               arithmetically less than or equal to ('<=') the value
               starting at the given offset within the packet.  The
               value in the packet is assumed to be an unsigned
               integer in network byte order of the same length as
               'spdIpOffFiltValue'."
       ::= { spdIpOffsetFilterEntry 3 }
   -- The following object exists only in -00; -01 removes it.
   spdIpOffFiltNumber OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdIpOffFiltNumber is used for arithmetic matching of a
           packet at spdIpOffFiltOffset.  This object is only used
           if one of the arithmetic types is chosen in
           spdIpOffFiltType."
       ::= { spdIpOffsetFilterEntry 4 }
   spdIpOffFiltValue OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..1024))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdIpOffFiltValue is used for match comparisons of a
           packet at spdIpOffFiltOffset.  This object is only used
           if one of the match types is chosen in
           spdIpOffFiltType."
       ::= { spdIpOffsetFilterEntry 4 }   -- -00: { spdIpOffsetFilterEntry 5 }
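   The following Python evaluator is an added example, not code from the
   draft, and implements the -01 semantics of spdIpOffFiltType and
   spdIpOffFiltValue just defined: each test takes exactly
   len(spdIpOffFiltValue) bytes of the packet starting at
   spdIpOffFiltOffset, and the arithmetic tests treat both sides as
   unsigned integers in network byte order.  The comparison direction
   follows the description literally (arithmeticLess is true when
   spdIpOffFiltValue is less than the packet's value), which is the
   detail most easily got backwards.  The draft does not say how a
   packet shorter than offset + length is treated; the choice below
   (never a match) is this example's, and the IPv4 header builder and
   sample packet are constructed for it.

```python
"""Added example (not from draft-ietf-ipsp-spd-mib): evaluating an IP offset filter."""
import struct
from enum import IntEnum


class SpdIpOffFiltType(IntEnum):
    """The -01 enumeration of spdIpOffFiltType."""
    equal = 1
    notEqual = 2
    arithmeticLess = 3
    arithmeticGreaterOrEqual = 4
    arithmeticGreater = 5
    arithmeticLessOrEqual = 6


def evaluate_offset_filter(packet: bytes, spdIpOffFiltOffset: int,
                           spdIpOffFiltType: SpdIpOffFiltType,
                           spdIpOffFiltValue: bytes) -> bool:
    """Apply one spdIpOffsetFilterTable row to a raw IP packet."""
    if not 0 <= spdIpOffFiltOffset <= 65535:            # SYNTAX Integer32 (0..65535)
        raise ValueError("spdIpOffFiltOffset out of range")
    if not 0 <= len(spdIpOffFiltValue) <= 1024:         # SYNTAX OCTET STRING (SIZE(0..1024))
        raise ValueError("spdIpOffFiltValue too long")
    window = packet[spdIpOffFiltOffset:spdIpOffFiltOffset + len(spdIpOffFiltValue)]
    if len(window) < len(spdIpOffFiltValue):
        # Packet too short to hold the compared field.  The draft is silent on
        # this case; this example treats it as "no match" for every test type
        # so a truncated packet cannot satisfy a filter by accident.
        return False
    if spdIpOffFiltType is SpdIpOffFiltType.equal:
        return window == spdIpOffFiltValue
    if spdIpOffFiltType is SpdIpOffFiltType.notEqual:
        return window != spdIpOffFiltValue
    # Arithmetic tests: both sides are unsigned integers in network byte order
    # of the same length as spdIpOffFiltValue.  Note the direction: the test is
    # "spdIpOffFiltValue <op> packet value".
    filt = int.from_bytes(spdIpOffFiltValue, "big")
    pkt = int.from_bytes(window, "big")
    if spdIpOffFiltType is SpdIpOffFiltType.arithmeticLess:
        return filt < pkt
    if spdIpOffFiltType is SpdIpOffFiltType.arithmeticGreaterOrEqual:
        return filt >= pkt
    if spdIpOffFiltType is SpdIpOffFiltType.arithmeticGreater:
        return filt > pkt
    if spdIpOffFiltType is SpdIpOffFiltType.arithmeticLessOrEqual:
        return filt <= pkt
    raise ValueError(f"unknown spdIpOffFiltType {spdIpOffFiltType!r}")


def _dotted_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header with no options (checksum left zero).

    Byte offsets: version/IHL 0, TOS 1, total length 2, identification 4,
    flags/fragment 6, TTL 8, protocol 9, checksum 10, source 12, destination 16.
    """
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, ttl, proto, 0,
                       _dotted_to_bytes(src), _dotted_to_bytes(dst))


# Constructed sample: a TCP packet from the host the tutorial drops, TTL 64.
SAMPLE = ipv4_header("10.6.6.6", "10.0.0.1", proto=6)


if __name__ == "__main__":
    # The tutorial's "drop from 10.6.6.6" condition expressed as an offset
    # filter on the 4-byte source address field (offset 12, type equal).
    print(evaluate_offset_filter(SAMPLE, 12, SpdIpOffFiltType.equal, bytes([10, 6, 6, 6])))
    # TTL (offset 8) is 64: the filter value 5 is less than it.
    print(evaluate_offset_filter(SAMPLE, 8, SpdIpOffFiltType.arithmeticLess, b"\x05"))
```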
   spdIpOffFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
           or created either through SNMP SETs or by some other
           external means."
       ::= { spdIpOffsetFilterEntry 5 }   -- -00: { spdIpOffsetFilterEntry 6 }

   spdIpOffFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
           were created through an external process may have a
           storage type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { spdIpOffsetFilterEntry 6 }   -- -00: { spdIpOffsetFilterEntry 7 }

   spdIpOffFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.
           This object may not be set to active if the requirements
           of the spdIpOffFiltType object are not met.  In other
           words, if the associated value columns needed by a
           particular test have not been set, then attempting to
           change this row to an active state will result in an
           inconsistentValue error.  See the spdIpOffFiltType
           object description for further details."
       ::= { spdIpOffsetFilterEntry 7 }   -- -00: { spdIpOffsetFilterEntry 8 }

   --
   -- Time/scheduling filter table
   --

   spdTimeFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdTimeFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
   [unchanged text omitted; the comparison resumes at page 58, line 26
   (-00) / line 4 (-01)]

           spdIpHeadFiltSrcLowPort, spdIpHeadFiltSrcHighPort,
           spdIpHeadFiltDstLowPort, spdIpHeadFiltDstHighPort,
           spdIpHeadFiltProtocol, spdIpHeadFiltIPv6FlowLabel,
           spdIpHeadFiltLastChanged, spdIpHeadFiltStorageType,
           spdIpHeadFiltRowStatus
       }
       STATUS      current
       DESCRIPTION
           "The IPsec Policy IP Header Filter Table Group."
       ::= { spdGroups 7 }

   spdIPOffsetFilterGroup OBJECT-GROUP
       OBJECTS {
           spdIpOffFiltOffset, spdIpOffFiltType,
           -- -00 also listed spdIpOffFiltNumber here
           spdIpOffFiltValue, spdIpOffFiltLastChanged,
           spdIpOffFiltStorageType, spdIpOffFiltRowStatus
       }
       STATUS      current
       DESCRIPTION
           "The IPsec Policy IP Offset Filter Table Group."
       ::= { spdGroups 8 }

   spdTimeFilterGroup OBJECT-GROUP

   [unchanged text omitted; the comparison resumes at page 60, line 32
   (-00) / line 16 (-01)]
6.1  Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IPsec provides security services it is important
   that the IPsec configuration data be at least as protected as the
   IPsec provided security service.  There are two main threats you need
   to thwart when configuring IPsec devices.

   1.  Malicious Configuration: only the official administrators should
       be allowed to configure a device.  In other words,
       administrators' identities should be authenticated and their
       access rights checked before they are allowed to do device
       configuration.  The support for SET operations to the IPSP MIB in
       a non-secure environment, without proper protection, can have a
       negative effect on the security of the network traffic affected
       by the IPSP MIB.

   2.  Disclosure of Configuration: Malicious parties should not be
       able to read configuration data while the data is in network
       transit.  Any knowledge about a device's IPsec policy
       configuration could help an unfriendly party compromise that
       device and/or the network(s) it protects.  It is thus important
       to control even GET access to these objects and possibly to even
       encrypt the values of these objects when sending them over the
       network via SNMP.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).
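   The following audit script is an added example, not part of the
   draft, and turns the two threats and the SNMPv3 recommendation above
   into checks over a Net-SNMP snmpd.conf: community-based SNMPv1/v2c
   access (rocommunity, rwcommunity, com2sec) gives neither
   authentication nor privacy, and a USM user should be created with
   both an authentication and a privacy key and be granted access only
   at the "priv" security level.  The directive names are Net-SNMP's;
   the two configuration texts are constructed for this example, the
   createUser lines assume the plain "createUser USER AUTHPROTO PASS
   [PRIVPROTO PASS]" form, and the preference for SHA/AES over MD5/DES is
   general SNMPv3 practice rather than a statement of the draft.

```python
"""Added example (not from draft-ietf-ipsp-spd-mib): auditing snmpd.conf for SNMPv3 use."""
import shlex
from typing import Dict, List, Tuple

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
USER_ACCESS_DIRECTIVES = {"rouser", "rwuser"}
LEGACY_PROTOCOLS = {"MD5", "DES"}          # still accepted by Net-SNMP; SHA/AES preferred


def _parsed_lines(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, tokens) for every non-empty, non-comment line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)   # honours quotes, drops '#' comments
        if tokens:
            out.append((n, tokens))
    return out


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[int, str]] = []
    has_priv_key: Dict[str, bool] = {}
    lines = _parsed_lines(text)

    # Pass 1: which USM users were created, and do they carry a privacy key?
    # Form assumed: createUser USER AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]
    for n, tok in lines:
        if tok[0].lower() == "createuser" and len(tok) >= 2:
            user = tok[1]
            has_priv_key[user] = len(tok) >= 6
            if not has_priv_key[user]:
                findings.append((n, f"createUser {user}: no privacy protocol, so "
                                    "object values would cross the network in cleartext"))
            protocols = {tok[i].upper() for i in (2, 4) if i < len(tok)}
            legacy = sorted(LEGACY_PROTOCOLS & protocols)
            if legacy:
                findings.append((n, f"createUser {user}: legacy protocol(s) {legacy}; "
                                    "prefer SHA and AES"))

    # Pass 2: how is access granted?
    for n, tok in lines:
        directive = tok[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            findings.append((n, f"{tok[0]}: community-based SNMPv1/v2c access is neither "
                                "authenticated nor encrypted (threats 1 and 2 in 6.1)"))
        elif directive in USER_ACCESS_DIRECTIVES:
            user = tok[1] if len(tok) > 1 else "?"
            level = tok[2].lower() if len(tok) > 2 else "auth"   # Net-SNMP's default level
            if level != "priv":
                findings.append((n, f"{tok[0]} {user}: security level '{level}' allows "
                                    "access without encryption; require 'priv'"))
            if not has_priv_key.get(user, False):
                findings.append((n, f"{tok[0]} {user}: user has no privacy key, so "
                                    "'priv' level access cannot be used"))
    return findings


# Constructed sample: the weak configuration and its hardened form.
WEAK_CONF = """
# SNMPv2c write access from a subnet: whoever learns the community string can SET.
rwcommunity private 10.0.0.0/24
createUser ipspadmin SHA "auth-pass-example"
rwuser ipspadmin auth
"""

HARDENED_CONF = """
# SNMPv3 user with authentication and privacy keys, access only at 'priv'.
# In a real deployment also restrict the view to the SPD MIB subtree
# (its OID is not given on this page).
createUser ipspadmin SHA "auth-pass-example" AES "priv-pass-example"
rwuser ipspadmin priv
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```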
   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an

   [unchanged text omitted; the comparison resumes at page 62, line 41
   (-00) / line 21 (-01)]
   Lindy Foster (Sparta, Inc.)
   John Gillis (ADC)
   Jamie Jason (Intel Corporation)
   Roger Hartmuller (Sparta, Inc.)
   David Partain (Ericsson)
   Lee Rafalow (IBM)
   Jon Saperia (JDS Consulting)
   Eric Vyncke (Cisco Systems)

8.  References

8.1  Normative References

   (-00: an unnumbered "Normative References" section.)

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

   [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [unchanged text omitted; the comparison resumes at page 63, line 39
   (-00) / line 22 (-01)]

              McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
              Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D. and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3585]  Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
              Policy Information Model", RFC 3585, August 2003.

8.2  Informative References

   (-00: an unnumbered "Informative References" section.)

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy IPsec Action MIB", December
              2002.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy IKE Action MIB", December
              2002.

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White

   [unchanged text omitted; the comparison resumes at page 64, line 35
   (-00) / line 19 (-01)]
   Phone: +1 530 792 1913
   EMail: hardaker@tislabs.com

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA 30085
   US

   EMail: ipsp-mib@revelstone.com   (-00: rs-snmp@revelstone.com)

   Cliff Wang
   SmartPipes, Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   US

   EMail: cliffwang2000@yahoo.com
Intellectual Property Statement (draft-ietf-ipsp-spd-mib-00)

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

Full Copyright Statement (draft-ietf-ipsp-spd-mib-00)

Copyright (C) The Internet Society (2004). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.

Intellectual Property Statement (draft-ietf-ipsp-spd-mib-01)

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Disclaimer of Validity (draft-ietf-ipsp-spd-mib-01)

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement (draft-ietf-ipsp-spd-mib-01)

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the Internet Society.
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/