draft-ietf-ipsp-spd-mib-01.txt   draft-ietf-ipsp-spd-mib-02.txt

IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: August 21, 2005                                      R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                    ARO/North Carolina State University
                                                       February 20, 2005

           IPsec Security Policy Database Configuration MIB
                     draft-ietf-ipsp-spd-mib-02.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 21, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring the security policy database of a device
   implementing the IPsec protocol.  The policy-based packet filtering
   and the corresponding execution of actions described in this document
   are of a more general nature than for IPsec configuration alone, such
   as for configuration of a firewall.  This MIB module is designed to
   be extensible with other enterprise or standards based defined packet
   filters and actions.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Internet-Standard Management Framework . . . . . . . . . .  3
   3.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   4.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
     4.1   Usage Tutorial . . . . . . . . . . . . . . . . . . . . . .  5
       4.1.1   Notational conventions . . . . . . . . . . . . . . . .  5
       4.1.2   Implementing an example SPD policy . . . . . . . . . .  6
   5.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 61
     6.1   Introduction . . . . . . . . . . . . . . . . . . . . . . . 61
     6.2   Protecting against in-authentic access . . . . . . . . . . 63
     6.3   Protecting against involuntary disclosure  . . . . . . . . 63
     6.4   Bootstrapping your configuration . . . . . . . . . . . . . 63
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 64
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 64
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
     9.1   Normative References . . . . . . . . . . . . . . . . . . . 64
     9.2   Informative References . . . . . . . . . . . . . . . . . . 65
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 66
       Intellectual Property and Copyright Statements . . . . . . . . 67

1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The policy-based packet filtering
   and the corresponding execution of actions are of a more general
   nature than for IPsec configuration only, such as for configuration
   of a firewall.  It is possible to extend this MIB module and add
   other packet transforming actions that are performed conditionally on
   network traffic.

   Companion documents [RFCXXXX], [RFCYYYY] document actions which are
   specific to IPsec and IKE.  No IPsec or IKE specific actions are
   defined within this document.

   Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
   these values are determined.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The "IPsec Configuration Policy Model"
   (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
   model.  The IPCP document describes a model for configuring IPsec.
   This MIB module is a task specific derivation (i.e. an SMIv2
   instantiation) of the IPCP's IPsec configuration model for use with
   SNMPv3.

   The high-level areas where this MIB module diverges from the IPCP
   model are:

   o  Policies, Groups, Conditions, and some levels of Actions are
      generically named.  In other words, IPsec specific prefixes like
      "SA" (Security Association) or "IPsec" are not used.  This naming
      convention is used because packet classification and the matching
      of conditions to actions is more general than IPsec.  These tables
      could possibly be reused by other packet transforming actions
      which need to conditionally act on packets matching filters.

   o  Filters are implemented in a more generic and scalable manner,
      rather than enforcing the condition/filtering pairing of the IPCP
      and its restrictions upon the user.  This MIB module offers a
      compound filter object to provide for greater flexibility than the
      IPCP when creating complex filters.

4.  MIB Module Overview

   The MIB module is modularized into several different parts: rules,
   filters, and actions.

   The rules section connects endpoints and groups of rules together.
   This is made up of the spdEndpointToGroupTable,
   spdGroupContentsTable, and the spdRuleDefinitionTable.  Each row of
   the spdRuleDefinitionTable connects a filter to an action.  It should
   also be noted that by referencing the spdCompoundFilterTable, the
   spdRuleDefinitionTable's filter column can indicate a set of filters
   to be processed.  Likewise, by referencing the
   spdCompoundActionTable, the spdRuleDefinitionTable's action column
   can indicate multiple actions to be executed.

   This MIB is structured to allow for reuse through the future creation
   of extension tables that provide additional filters and/or actions.
   In fact, the companion documents to this one do just that to define
   IPsec and IKE specific actions to be used within this SPD
   configuration MIB.

   The filter section of the MIB module is composed of the different
   types of filters in the Policy Model.  It is made up of the
   spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable,
   spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
   and spdIpsoHeaderFilterTable.

   The action section of this MIB module contains only the simple static
   actions required for the firewall processing that an IPsec SPD
   implementation requires (e.g. accept, drop, log, ...).  The
   companion documents to this document define the complex actions
   necessary for IPsec and IKE negotiations.

   As may have been noticed above, the MIB uses recursion similarly in
   several different places.  In particular the spdGroupContentsTable,
   the spdCompoundFilterTable / spdSubfiltersTable combination, and the
   spdCompoundActionTable / spdSubactionsTable combination can reference
   themselves.

   In the case of the spdGroupContentsTable, a row can indicate a rule
   (i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another
   set of one or more rows in the spdGroupContentsTable).  In this way a
   group can contain a set of rules and sub-groups.  Sub-groups are just
   other groups defined in the spdGroupContentsTable.  There is no
   inherent MIB limit to the nesting of groups within groups.

   The spdCompoundFilterTable / spdSubfiltersTable combination and the
   spdCompoundActionTable / spdSubactionsTable combination are designed
   almost identically, one being for filters and the other for actions
   respectively.  The following descriptions for the compound filter
   tables can be directly applied to the compound action tables.

   The combination of the tables spdCompoundFilterTable and
   spdSubfiltersTable allows a user to create a set of filters that can
   be treated by any table that references it as a single filter.  A row
   in the spdCompoundFilterTable has the basic configuration information
   for the compound filter.  Its name (spdCompFiltName) references a set
   of rows in the spdSubfiltersTable.  Each row in spdSubfiltersTable
   points at a row in another filter table.  In this way, a set of
   ordered filters making up the compound filter is created.  Note that
   it is possible for one of these rows in the spdSubfiltersTable to
   point at a row in the spdCompoundFilterTable.  This recursion allows
   the creation of a filter set that includes other filter sets within
   it.  There is no inherent MIB limit to the nesting of compound filters
   within compound filters.

4.1  Usage Tutorial

   In order to make use of the tables contained in this document, a
   general understanding of firewall processing is necessary.  The
   processing of the security policy database involves applying a set of
   firewall rules to an interface on a device.  The given set of rules
   to apply to any given interface is defined within the
   spdEndpointToGroupTable table.  This table maps a given interface to
   a group of rules.  In this table, the interface itself is specified
   using its assigned address.  There is also one group of rules per
   direction (ingress and egress).

4.1.1  Notational conventions

   Notes about the following example operations:

   1.  All of the example operations in the following section make use
       of default values for all columns not listed.  The operations and
       column values below are the minimal SNMP Varbinds that must be
       sent.

   2.  The example operations are formatted such that a row (i.e. the
       table's Entry object) is operated on by using the indexes to that
       row and the column values for that row.

   3.  The following is a generic example of the notation used in the
       following section's examples of this MIB's usage:

          rowEntry(index1 = value1,
                   index2 = value2)
              = (column1 = column_value1,
                 column2 = column_value2)

   4.  The following is a specific example of the notation used in the
       following section's examples of this MIB's usage.  To set the
       address status column to deprecated for a row in the
       IP-MIB::ipAddressTable with the index values ipAddressAddrType =
       ipv4 and ipAddressAddr = 192.0.2.1, the notation would look like
       the following:

          ipAddressEntry(ipAddressAddrType = 1,          -- ipv4
                         ipAddressAddr = 0xc0000201 )    -- 192.0.2.1
              = (ipAddressStatus = 2)                    -- deprecated

4.1.2  Implementing an example SPD policy

   For our example, let us define and apply the following policy for all
   ingress traffic on a network interface:

   o  Drop all packets from the host 10.6.6.6.

   o  Accept all other packets.

   To do this, let us call the set of rules (as a group) "ingress" and
   apply them to the ingress traffic for the interface associated with
   the IPv4 address 10.0.0.1.  For these rules, let us apply a policy
   that accepts all traffic except for packets that arrive from a host
   with an IPv4 address of 10.6.6.6.  To achieve this policy, we would
   follow these steps:

   First, we need to create the rules to institute this policy.  To
   accomplish this, first we have to create the filter for the host.  We
   could do this using the following row insertion into the
   spdIpHeaderFilterTable table:

      spdIpHeaderFilterEntry(spdIpHeadFiltName = "10.6.6.6")
          = (spdIpHeadFiltType = 0x80,                -- sourceAddress
             spdIpHeadFiltIPVersion = 1,              -- IPv4
             spdIpHeadFiltSrcAddressBegin = 0x0a060606,
             spdIpHeadFiltSrcAddressEnd = 0x0a060606,
             spdIpHeadFiltRowStatus = 4)              -- createAndGo

   Next, we need to bind this filter to an action of "drop" in a new
   rule.  We can do this as follows:

      spdRuleDefinitionEntry(spdRuleDefName = "drop from 10.6.6.6")
          = (spdRuleDefFilter =
                 spdIpHeadFiltType.8.49.48.46.54.46.54.46.54,
             spdRuleDefAction = spdDropAction.0,
             spdRuleDefRowStatus = 4)                 -- createAndGo

   We also need a rule to accept all other packets:

      spdRuleDefinitionEntry(spdRuleDefName = "accept all")
          = (spdRuleDefFilter = spdTrueFilter.0,
             spdRuleDefAction = spdAcceptAction.0,
             spdRuleDefRowStatus = 4)                 -- createAndGo

   Now, we need to put these two rules into a group.  We will put the
   "accept all" rule at the very end (i.e. assign it the highest
   priority number), so it is matched last.  Then, at an earlier
   priority (1000), we will insert the "drop from 10.6.6.6" rule.  We
   will do this by putting the rules into the group "ingress".

      spdGroupContentsEntry(spdGroupContName = "ingress",
                            spdGroupContPriority = 65535)
          = (spdGroupContComponentName = "accept all",
             spdGroupContRowStatus = 4)               -- createAndGo

      spdGroupContentsEntry(spdGroupContName = "ingress",
                            spdGroupContPriority = 1000)
          = (spdGroupContComponentName = "drop from 10.6.6.6",
             spdGroupContRowStatus = 4)               -- createAndGo

   Finally, we apply this group of rules to our interface:

      spdEndpointToGroupEntry(spdEndGroupDirection = 1,   -- ingress
                              spdEndGroupIdentType = 1,   -- ipv4
                              spdEndGroupAddress = 0x0a000001)
          = (spdEndGroupName = "ingress",
             spdEndGroupRowStatus = 4)                -- createAndGo

   This completes the necessary steps to implement the policy.  Once all
   of these rules have been applied, our policy should take effect.
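   The following Python model, added here and not part of the draft,
   replays the tutorial's SET operations as in-memory table rows and
   walks them the way sections 4 and 5 describe: endpoint to group,
   group contents in priority order, first matching rule's action wins,
   and 'drop' when no group applies.  The "rule"/"group" component kind
   and the ingress direction code 1 are assumptions the tutorial leaves
   at their defaults; the VariablePointer encoding reproduces the
   spdIpHeadFiltType.8.49.48... index shown above.

```python
"""Model of the SPD rows configured in section 4.1.2 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

INGRESS, EGRESS = 1, 2          # spdEndGroupDirection codes (assumed: 1 = ingress)
SOURCE_ADDRESS = 0x80           # spdIpHeadFiltType bit used by the tutorial filter


def admin_string_index(name: str) -> str:
    """Encode an SnmpAdminString index as OID sub-identifiers: the octet
    count, then one sub-identifier per octet ("10.6.6.6" -> "8.49.48...")."""
    octets = name.encode("utf-8")
    return ".".join(str(b) for b in (len(octets), *octets))


def variable_pointer(column: str, name: str) -> str:
    """Build the VariablePointer a rule uses to reference a filter row."""
    return f"{column}.{admin_string_index(name)}"


def name_from_pointer(pointer: str) -> str:
    """Inverse of variable_pointer: recover the row name, checking the length prefix."""
    subids = [int(s) for s in pointer.split(".")[1:]]
    length, octets = subids[0], subids[1:]
    if len(octets) != length:
        raise ValueError(f"length prefix {length} does not match {pointer!r}")
    return bytes(octets).decode("utf-8")


@dataclass(frozen=True)
class IpHeaderFilter:
    filt_type: int
    src_begin: IPv4Address
    src_end: IPv4Address

    def matches(self, packet: dict) -> bool:
        # Only the sourceAddress bit is set in the tutorial; every other
        # header field is therefore a wildcard.
        if self.filt_type & SOURCE_ADDRESS:
            return self.src_begin <= packet["src"] <= self.src_end
        return True


@dataclass(frozen=True)
class Rule:
    filter_ptr: str
    action_ptr: str


# Constructed rows mirroring the tutorial's SET operations.
spd_ip_header_filters = {
    "10.6.6.6": IpHeaderFilter(SOURCE_ADDRESS, IPv4Address("10.6.6.6"), IPv4Address("10.6.6.6")),
}
spd_rule_definitions = {
    "drop from 10.6.6.6": Rule(variable_pointer("spdIpHeadFiltType", "10.6.6.6"), "spdDropAction.0"),
    "accept all": Rule("spdTrueFilter.0", "spdAcceptAction.0"),
}
# (group name, priority) -> (component kind, component name); lower priority runs first.
spd_group_contents = {
    ("ingress", 65535): ("rule", "accept all"),
    ("ingress", 1000): ("rule", "drop from 10.6.6.6"),
}
spd_endpoint_to_group = {(INGRESS, IPv4Address("10.0.0.1")): "ingress"}
spd_ingress_policy_group_name = ""    # zero-length string: no system-wide policy
spd_egress_policy_group_name = ""
ACTIONS = {"spdDropAction.0": "drop", "spdAcceptAction.0": "accept"}


def resolve_filter(pointer: str):
    column = pointer.split(".", 1)[0]
    if column == "spdTrueFilter":
        return None                                   # matches every packet
    if column == "spdIpHeadFiltType":
        return spd_ip_header_filters[name_from_pointer(pointer)]
    raise KeyError(f"unsupported filter pointer {pointer!r}")


def walk_group(group: str, packet: dict, depth: int = 0):
    """Walk one group in priority order; sub-groups (section 4) recurse.
    Returns the first matching rule's action, or None if nothing matched."""
    if depth > 16:                                    # guard against self-referencing groups
        raise RecursionError(f"group nesting too deep at {group!r}")
    for (name, _priority), (kind, component) in sorted(spd_group_contents.items()):
        if name != group:
            continue
        if kind == "group":
            action = walk_group(component, packet, depth + 1)
            if action is not None:
                return action
            continue
        rule = spd_rule_definitions[component]
        flt = resolve_filter(rule.filter_ptr)
        if flt is None or flt.matches(packet):
            return ACTIONS[rule.action_ptr]
    return None


def evaluate(direction: int, endpoint: IPv4Address, packet: dict) -> str:
    group = spd_endpoint_to_group.get((direction, endpoint))
    if group is None:                                 # fall back to the global group name
        group = spd_ingress_policy_group_name if direction == INGRESS else spd_egress_policy_group_name
    if group == "":                                   # no policy at all: default 'drop' (section 5)
        return "drop"
    return walk_group(group, packet) or "drop"


def ingress_decision(endpoint: str, src: str) -> str:
    """Decision for a packet from `src` arriving on the interface at `endpoint`."""
    return evaluate(INGRESS, IPv4Address(endpoint), {"src": IPv4Address(src)})
```

   An interface with no spdEndpointToGroupTable row and an empty
   spdIngressPolicyGroupName drops everything, which is the bootstrap
   state section 6.4 is concerned with.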
5.  MIB definition

   IPSEC-SPD-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
       mib-2                                      FROM SNMPv2-SMI
                                                  --rfc2578
       TEXTUAL-CONVENTION, RowStatus, TruthValue,
       TimeStamp, StorageType, VariablePointer, DateAndTime
                                                  FROM SNMPv2-TC
                                                  --rfc2579
       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                                                  FROM SNMPv2-CONF
                                                  --rfc2580
       SnmpAdminString                            FROM SNMP-FRAMEWORK-MIB
                                                  --rfc3411
       InetAddressType, InetAddress               FROM INET-ADDRESS-MIB
                                                  --rfc3291
       diffServMIBMultiFieldClfrGroup, IfDirection,
       diffServMultiFieldClfrNextFree             FROM DIFFSERV-MIB
                                                  --rfc3289
       ;

   --
   -- module identity
   --

   spdMIB MODULE-IDENTITY
       LAST-UPDATED "200502170000Z"              -- 17 February 2005
       ORGANIZATION "IETF IP Security Policy Working Group"
       CONTACT-INFO "Michael Baer
                     Sparta, Inc.
                     Phone: +1 530 902 3131
                     Email: baerm@tislabs.com

                     Ricky Charlet
                     Email: rcharlet@alumni.calpoly.edu

                     Wes Hardaker
                     Sparta, Inc.
                     P.O. Box 382
                     Davis, CA  95617
                     Phone: +1 530 792 1913
                     Email: hardaker@tislabs.com

   skipping to change at page 9, line 29

                     Email: ipsp-mib@revelstone.com

                     Cliff Wang
                     SmartPipes Inc.
                     Suite 300, 565 Metro Place South
                     Dublin, OH 43017
                     Phone: +1 614 923 6241
                     E-Mail: cliffwang2000@yahoo.com"
       DESCRIPTION
           "This MIB module defines configuration objects for managing
           IPsec Security Policies.

           Copyright (C) The Internet Society (2005).  This version of
           this MIB module is part of RFC ZZZZ, see the RFC itself for
           full legal notices."

       -- Revision History
       REVISION     "200502170000Z"              -- 17 February 2005
       DESCRIPTION  "Initial version, published as RFC ZZZZ."
                                                 -- RFC-editor assigns ZZZZ

       -- xxx: To be assigned by IANA
       ::= { mib-2 xxx }

   --
   -- groups of related objects
   --

   spdConfigObjects        OBJECT IDENTIFIER
       ::= { spdMIB 1 }
   spdNotificationObjects  OBJECT IDENTIFIER
       ::= { spdMIB 2 }
   spdConformanceObjects   OBJECT IDENTIFIER
       ::= { spdMIB 3 }
   spdActions              OBJECT IDENTIFIER
       ::= { spdMIB 4 }

   -- Note: the following subassignments have been used in other MIBs:
   --   IPSEC-IPSECACTION-MIB:
   --     ipsaMIB MODULE-IDENTITY ::= { spdActions 1 }
   --   IPSEC-IKEACTION-MIB:
   --     ipiaMIB MODULE-IDENTITY ::= { spdActions 2 }

   --
   -- Textual Conventions
   --

   SpdBooleanOperator ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "The SpdBooleanOperator operator is used to specify
           whether sub-components in a decision making process are
           ANDed or ORed together to decide if the resulting

   skipping to change at page 10, line 31

   SpdAdminStatus ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "The SpdAdminStatus is used to specify the administrative
           status of an object.  Objects which are disabled must not
           be used by the packet processing engine."
       SYNTAX INTEGER { enabled(1), disabled(2) }

   SpdIPPacketLogging ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS current
       DESCRIPTION
           "SpdIPPacketLogging specifies whether or not an audit
           message should be logged when a packet is passed through a
           Security Association (SA) and if some of that packet should
           be included in the log event.  A value of '-1' indicates no
           logging.  A value of '0' or greater indicates that logging
           should be done and how many bytes of the beginning of the
           packet to place in the log.  Values greater than the size of
           the packet being processed indicate that the entire packet
           should be sent.

           Examples:
             '-1'  no logging
             '0'   log but do not include any of the packet in the log
             '20'  log and include the first 20 bytes of the packet
                   in the log."
       SYNTAX Integer32 (-1..65535)

   --
   -- Policy group definitions
   --

   spdLocalConfigObjects OBJECT IDENTIFIER
       ::= { spdConfigObjects 1 }

   spdIngressPolicyGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the policy group containing the
           global system policy that is to be applied on ingress
           packets (i.e., arriving at an interface) when a given
           endpoint does not contain a policy definition in the
           spdEndpointToGroupTable.  Its value can be used as an index
           into the spdGroupContentsTable to retrieve a list of
           policies.  A zero length string indicates no system wide
           policy exists and the default policy of 'drop' should be
           executed for ingress packets until one is imposed by either
           this object or by the endpoint processing a given packet."
       ::= { spdLocalConfigObjects 1 }

   spdEgressPolicyGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the policy group containing the
           global system policy that is to be applied on egress
           packets (i.e., leaving an interface) when a given endpoint
           does not contain a policy definition in the
           spdEndpointToGroupTable.  Its value can be used as an index
           into the spdGroupContentsTable to retrieve a list of
           policies.  A zero length string indicates no system wide
           policy exists and the default policy of 'drop' should be
           executed for egress packets until one is imposed by either
           this object or by the endpoint processing a given packet."
       ::= { spdLocalConfigObjects 2 }

   spdEndpointToGroupTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdEndpointToGroupEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to map policy (groupings) onto an
endpoint where traffic is to pass by. Any policy group endpoint where traffic is to pass by. Any policy group
assigned to an endpoint is then used to control access assigned to an endpoint is then used to control access
to the traffic passing by it. to the traffic passing by it.
If an endpoint has been configured with a policy group If an endpoint has been configured with a policy group
and no contained rule matches the incoming packet, the and no contained rule matches the ingress packet, the
default action in this case shall be to drop the packet. default action in this case shall be to drop the packet.
If no policy group has been assigned to an endpoint, If no policy group has been assigned to an endpoint,
then the policy group specified by then the policy group specified by
spdSystemPolicyGroupName should be used for the spdSystemPolicyGroupName should be used for the
endpoint." endpoint."
::= { spdConfigObjects 2 } ::= { spdConfigObjects 2 }
spdEndpointToGroupEntry OBJECT-TYPE spdEndpointToGroupEntry OBJECT-TYPE
SYNTAX SpdEndpointToGroupEntry SYNTAX SpdEndpointToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A mapping assigning a policy group to an endpoint." "A mapping assigning a policy group to an endpoint."
INDEX { spdEndGroupIdentType, spdEndGroupAddress } INDEX { spdEndGroupDirection, spdEndGroupIdentType,
spdEndGroupAddress }
::= { spdEndpointToGroupTable 1 } ::= { spdEndpointToGroupTable 1 }
SpdEndpointToGroupEntry ::= SEQUENCE { SpdEndpointToGroupEntry ::= SEQUENCE {
spdEndGroupDirection INTEGER, spdEndGroupDirection IfDirection,
spdEndGroupIdentType InetAddressType, spdEndGroupIdentType InetAddressType,
spdEndGroupAddress InetAddress, spdEndGroupAddress InetAddress,
spdEndGroupName SnmpAdminString, spdEndGroupName SnmpAdminString,
spdEndGroupLastChanged TimeStamp, spdEndGroupLastChanged TimeStamp,
spdEndGroupStorageType StorageType, spdEndGroupStorageType StorageType,
spdEndGroupRowStatus RowStatus spdEndGroupRowStatus RowStatus
} }
spdEndGroupDirection OBJECT-TYPE spdEndGroupDirection OBJECT-TYPE
SYNTAX INTEGER { incoming(1), outgoing(2) } SYNTAX IfDirection
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The direction of the packet crossing the interface. As "This object indicates which direction of packets crossing
packets arrive or leave an interface, the appropriate the interface should be associated with which
policy is applied according to the direction it is spdEndGroupName object. Ingress packets, or packets into
traveling: into or out of the device." the device match when this value is inbound(1). Egress
packets or packets out of the device match when this value
is outbound(2)."
::= { spdEndpointToGroupEntry 1 } ::= { spdEndpointToGroupEntry 1 }
spdEndGroupIdentType OBJECT-TYPE spdEndGroupIdentType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The Internet Protocol version of the address associated "The Internet Protocol version of the address associated
with a given endpoint. All addresses are represented as an with a given endpoint. All addresses are represented as an
array of octets in network byte order. When combined with array of octets in network byte order. When combined with
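Review bot: the spdEndpointToGroupTable DESCRIPTION (the "If no policy group has been assigned" paragraph) still falls back to spdSystemPolicyGroupName, an object that is not defined in either column; now that the index carries spdEndGroupDirection, it should name spdIngressPolicyGroupName for inbound(1) and spdEgressPolicyGroupName for outbound(2). Switching the no-policy default from 'accept' to 'drop' in both scalars is the right fail-closed choice, but the same sentence should read "no system wide policy exists" rather than "exits", and "arriving at a interface" should be "an interface". Also, the logging-control text at the top of the hunk says values greater than the packet size mean "the entire packet should be sent"; "logged" would match the rest of that sentence.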
skipping to change at page 11, line 50 skipping to change at page 13, line 22
uniquely identify an endpoint that a set of policy groups uniquely identify an endpoint that a set of policy groups
should be applied to. Devices supporting IPv4 MUST support should be applied to. Devices supporting IPv4 MUST support
the ipv4 value, and devices supporting IPv6 MUST support the ipv4 value, and devices supporting IPv6 MUST support
the ipv6 value. the ipv6 value.
Values of unknown, ipv4z, ipv6z and dns are not legal Values of unknown, ipv4z, ipv6z and dns are not legal
values for this object." values for this object."
::= { spdEndpointToGroupEntry 2 } ::= { spdEndpointToGroupEntry 2 }
spdEndGroupAddress OBJECT-TYPE spdEndGroupAddress OBJECT-TYPE
SYNTAX InetAddress (SIZE (4|16)) SYNTAX InetAddress
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The address of a given endpoint, the format of which is "The address of a given endpoint, the format of which is
specified by the spdEndGroupIdentType object." specified by the spdEndGroupIdentType object.
Note: Since spdEndGroupIdentType currently only allows IPv4
and IPv6 address this value should be either 4 or 16 octets
long. But Implementors should be aware that if the size of
spdEndGroupAddress ever exceeds 115 octets, column instance
OIDs in this table will have more than 128 sub-identifiers
and will be unaccessible using SNMPv1, SNMPv2c, or SNMPv3."
::= { spdEndpointToGroupEntry 3 } ::= { spdEndpointToGroupEntry 3 }
spdEndGroupName OBJECT-TYPE spdEndGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The policy group name to apply to this endpoint. The "The policy group name to apply to this endpoint. The
value of the spdEndGroupName object should then be used value of the spdEndGroupName object should then be used
as an index into the spdGroupContentsTable to come up as an index into the spdGroupContentsTable to come up
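Review bot: the new note on spdEndGroupAddress should give the basis for the 115-octet figure: with InetAddress as an index the length sub-identifier is encoded as well, so the limit depends on the depth of the module's root OID plus the two leading index components, and it is worth re-deriving once the OID assignment is final. Wording: "IPv4 and IPv6 address" should be "addresses", "Implementors" need not be capitalised mid-sentence, and "unaccessible" should be "inaccessible". Dropping the (SIZE (4|16)) constraint while the DESCRIPTION still promises 4 or 16 octets is only safe if the spdEndGroupIdentType restriction to ipv4/ipv6 is enforced on SET.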
skipping to change at page 12, line 39 skipping to change at page 14, line 19
external means." external means."
::= { spdEndpointToGroupEntry 5 } ::= { spdEndpointToGroupEntry 5 }
spdEndGroupStorageType OBJECT-TYPE spdEndGroupStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdEndpointToGroupEntry 6 } ::= { spdEndpointToGroupEntry 6 }
spdEndGroupRowStatus OBJECT-TYPE spdEndGroupRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object may not be set to active until one or more This object is considered 'notReady' and may not be set to
active rows exist within the spdGroupContentsTable for active until one or more active rows exist within the
the group referenced by the spdEndGroupName object." spdGroupContentsTable for the group referenced by the
spdEndGroupName object."
::= { spdEndpointToGroupEntry 7 } ::= { spdEndpointToGroupEntry 7 }
-- --
-- policy group definition table -- policy group definition table
-- --
spdGroupContentsTable OBJECT-TYPE spdGroupContentsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdGroupContentsEntry SYNTAX SEQUENCE OF SpdGroupContentsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
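Review bot: spdEndGroupRowStatus says the row "may not be set to active" until an active spdGroupContentsTable row exists for the named group, but unlike spdSubFiltRowStatus later in the module it does not say which error is returned (inconsistentValue would match) nor what happens to an already-active mapping when the group's last active row is deleted; an endpoint silently losing its policy is exactly the case the 'drop' default above is meant to cover, so spell it out.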
skipping to change at page 13, line 38 skipping to change at page 15, line 21
finding the next largest spdGroupContPriority object shall finding the next largest spdGroupContPriority object shall
only be done if no actions were run when processing the only be done if no actions were run when processing the
last item for a given packet." last item for a given packet."
::= { spdConfigObjects 3 } ::= { spdConfigObjects 3 }
spdGroupContentsEntry OBJECT-TYPE spdGroupContentsEntry OBJECT-TYPE
SYNTAX SpdGroupContentsEntry SYNTAX SpdGroupContentsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines a given sub-component within a policy group." "Defines a given sub-component within a policy group. A
sub-component is either a rule or another group as
indicated by spdGroupContCompontentType and referenced by
spdGroupContCompontentName."
INDEX { spdGroupContName, spdGroupContPriority } INDEX { spdGroupContName, spdGroupContPriority }
::= { spdGroupContentsTable 1 } ::= { spdGroupContentsTable 1 }
SpdGroupContentsEntry ::= SEQUENCE { SpdGroupContentsEntry ::= SEQUENCE {
spdGroupContName SnmpAdminString, spdGroupContName SnmpAdminString,
spdGroupContPriority Integer32, spdGroupContPriority Integer32,
spdGroupContFilter VariablePointer, spdGroupContFilter VariablePointer,
spdGroupContComponentType INTEGER, spdGroupContComponentType INTEGER,
spdGroupContComponentName SnmpAdminString, spdGroupContComponentName SnmpAdminString,
spdGroupContLastChanged TimeStamp, spdGroupContLastChanged TimeStamp,
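Review bot: the new sentence in the spdGroupContentsEntry DESCRIPTION misspells both column names: "spdGroupContCompontentType" and "spdGroupContCompontentName" should be spdGroupContComponentType and spdGroupContComponentName, as declared in the SEQUENCE directly below.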
skipping to change at page 14, line 27 skipping to change at page 16, line 14
"The priority (sequence number) of the sub-component in "The priority (sequence number) of the sub-component in
this group." this group."
::= { spdGroupContentsEntry 2 } ::= { spdGroupContentsEntry 2 }
spdGroupContFilter OBJECT-TYPE spdGroupContFilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdGroupContFilter points to a filter which is evaluated "spdGroupContFilter points to a filter which is evaluated
to determine whether the sub-component within this group to determine whether the spdGroupContComponentName within
should be exercised. Managers can use this object to this row should be exercised. Managers can use this object
classify groups of rules or subgroups together in order to classify groups of rules or subgroups together in order
to achieve a greater degree of control and optimization to achieve a greater degree of control and optimization
over the execution order of the items within the group. over the execution order of the items within the group. If
If the filter evaluates to false, the rule or subgroup the filter evaluates to false, the rule or subgroup will be
will be skipped and the next rule or subgroup will be skipped and the next rule or subgroup will be evaluated
evaluated instead. instead.
An example usage of this object would be to limit a An example usage of this object would be to limit a
group of rules to executing only when the IP packet group of rules to executing only when the IP packet
being process is designated to be processed by IKE. being process is designated to be processed by IKE.
This effecitevly creates a group of IKE specific rules. This effectively creates a group of IKE specific rules.
This MIB defines the following tables and scalars which This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may may be pointed to by this column. Implementations may
choose to provide support for other filter tables or choose to provide support for other filter tables or
scalars as well: scalars as well:
spdIpHeaderFilterTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an VariablePointer is not supported at all, then an
inconsistentValue exception should be returned." inconsistentValue exception should be returned."
DEFVAL { spdTrueFilterInstance } DEFVAL { spdTrueFilterInstance }
::= { spdGroupContentsEntry 3 } ::= { spdGroupContentsEntry 3 }
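Review bot: the list of filter tables under spdGroupContFilter now names diffServMultiFieldClfrTable, which is defined in DIFFSERV-MIB (RFC 3289) rather than in this module; the IMPORTS clause is outside this view, so check that it is imported and that the "otherwise supported table" / inconsistentName rule is meant to apply to a foreign table as well. Minor: "the IP packet being process" should be "being processed".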
skipping to change at page 15, line 14 skipping to change at page 16, line 49
spdGroupContComponentType OBJECT-TYPE spdGroupContComponentType OBJECT-TYPE
SYNTAX INTEGER { reserved(0), group(1), rule(2) } SYNTAX INTEGER { group(1), rule(2) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the spdGroupContComponentName object "Indicates whether the spdGroupContComponentName object
is the name of another group defined within the is the name of another group defined within the
spdGroupContentsTable or is the name of a rule defined spdGroupContentsTable or is the name of a rule defined
within the spdRuleDefinitionTable." within the spdRuleDefinitionTable."
DEFVAL { rule } DEFVAL { rule }
::= { spdGroupContentsEntry 4 } ::= { spdGroupContentsEntry 4 }
spdGroupContComponentName OBJECT-TYPE spdGroupContComponentName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name of the policy rule or subgroup contained within "The name of the policy rule or subgroup contained within
this group, as indicated by the this group, as indicated by the spdGroupContComponentType
spdGroupContComponentType object." object."
::= { spdGroupContentsEntry 5 } ::= { spdGroupContentsEntry 5 }
spdGroupContLastChanged OBJECT-TYPE spdGroupContLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdGroupContentsEntry 6 } ::= { spdGroupContentsEntry 6 }
spdGroupContStorageType OBJECT-TYPE spdGroupContStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdGroupContentsEntry 7 } ::= { spdGroupContentsEntry 7 }
spdGroupContRowStatus OBJECT-TYPE spdGroupContRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
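Review bot: dropping reserved(0) from spdGroupContComponentType is correct, but neither it nor spdGroupContComponentName states what happens when the named group or rule does not exist, or when a group names itself (directly or through a subgroup), which the group(1) value makes possible; the filter and action columns in this module specify inconsistentName/inconsistentValue for the analogous cases, and the same should be stated here.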
skipping to change at page 17, line 25 skipping to change at page 19, line 14
"spdRuleDefName is the administratively assigned name of "spdRuleDefName is the administratively assigned name of
the rule referred to by the spdGroupContComponentName the rule referred to by the spdGroupContComponentName
object." object."
::= { spdRuleDefinitionEntry 1 } ::= { spdRuleDefinitionEntry 1 }
spdRuleDefDescription OBJECT-TYPE spdRuleDefDescription OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A user definable string. This field may be used for "A user defined string. This field may be used for
your administrative tracking purposes." administrative tracking purposes."
DEFVAL { "" } DEFVAL { "" }
::= { spdRuleDefinitionEntry 2 } ::= { spdRuleDefinitionEntry 2 }
spdRuleDefFilter OBJECT-TYPE spdRuleDefFilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdRuleDefFilter points to a filter which is used to "spdRuleDefFilter points to a filter which is used to
evaluate whether the action associated with this row evaluate whether the action associated with this row should
should be fired or not. The action will only fire if be fired or not. The action will only fire if the filter
the filter referenced by this object evaluates to TRUE referenced by this object evaluates to TRUE after first
after first applying any negation required by the applying any negation required by the
spdRuleDefFilterNegated object. spdRuleDefFilterNegated object.
This MIB defines the following tables and scalars which This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may may be pointed to by this column. Implementations may
choose to provide support for other filter tables or choose to provide support for other filter tables or
scalars as well: scalars as well:
spdIpHeaderFilterTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception should be returned.
returned. If the table or scalar pointed to by the If the table or scalar pointed to by the VariablePointer is
VariablePointer is not supported at all, then an not supported at all, then an inconsistentValue exception
inconsistentValue exception should be returned." should be returned."
::= { spdRuleDefinitionEntry 3 } ::= { spdRuleDefinitionEntry 3 }
spdRuleDefFilterNegated OBJECT-TYPE spdRuleDefFilterNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdRuleDefFilterNegated specifies whether the filter "spdRuleDefFilterNegated specifies whether the filter
referenced by the spdRuleDefFilter object should be referenced by the spdRuleDefFilter object should be
negated or not." negated or not."
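Review bot: spdRuleDefDescription now reads "A user defined string ... administrative tracking purposes" while spdCompFiltDescription further down keeps "A user definable string. You may use this field for your administrative tracking purposes"; the same phrasing should be used for every description column.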
skipping to change at page 18, line 33 skipping to change at page 20, line 23
spdRuleDefAction OBJECT-TYPE spdRuleDefAction OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This column points to the action to be taken. It may, "This column points to the action to be taken. It may,
but is not limited to, point to a row in one of the but is not limited to, point to a row in one of the
following tables: following tables:
spdCompoundActionTable spdCompoundActionTable
spdSaPreconfiguredActionTable ipsaSaPreconfiguredActionTable
spdIkeActionTable ipiaIkeActionTable
spdIpsecActionTable ipiaIpsecActionTable
It may also point to one of the scalar objects beneath It may also point to one of the scalar objects beneath
spdStaticActions. spdStaticActions.
If this object is set to a pointer to a row in an If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue unsupported (or unknown) table, an inconsistentValue
error should be returned. error should be returned.
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error an otherwise supported table, an inconsistentName error
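Review bot: the action table list under spdRuleDefAction now points at ipsaSaPreconfiguredActionTable, ipiaIkeActionTable and ipiaIpsecActionTable, which by prefix belong to other modules; the DESCRIPTION should say where they are defined. Since an agent that does not implement those modules must return inconsistentValue for such a pointer, a manager cannot tell "module not supported" from "wrong OID", so consider a conformance statement listing which action tables a minimal implementation must accept.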
skipping to change at page 19, line 32 skipping to change at page 21, line 21
external means." external means."
::= { spdRuleDefinitionEntry 7 } ::= { spdRuleDefinitionEntry 7 }
spdRuleDefStorageType OBJECT-TYPE spdRuleDefStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdRuleDefinitionEntry 8 } ::= { spdRuleDefinitionEntry 8 }
spdRuleDefRowStatus OBJECT-TYPE spdRuleDefRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
skipping to change at page 20, line 29 skipping to change at page 22, line 21
spdCompoundFilterEntry OBJECT-TYPE spdCompoundFilterEntry OBJECT-TYPE
SYNTAX SpdCompoundFilterEntry SYNTAX SpdCompoundFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry in the spdCompoundFilterTable. A filter "An entry in the spdCompoundFilterTable. A filter
defined by this table is considered to have a TRUE defined by this table is considered to have a TRUE
return value if and only if: return value if and only if:
spdCompFiltLogicType is AND and all of the sub-filters spdCompFiltLogicType is AND and all of the sub-filters
associated with it, as defined in the associated with it, as defined in the spdSubfiltersTable,
spdSubfiltersTable, are all true themselves (after are all true themselves (after applying any required
applying any requried negation as defined by the negation as defined by the ficFilterIsNegated object).
ficFilterIsNegated object).
spdCompFiltLogicType is OR and at least one of the spdCompFiltLogicType is OR and at least one of the
sub-filters associated with it, as defined in the sub-filters associated with it, as defined in the
spdSubfiltersTable, is true itself (after applying any spdSubfiltersTable, is true itself (after applying any
requried negation as defined by the ficFilterIsNegated required negation as defined by the ficFilterIsNegated
object)." object."
INDEX { spdCompFiltName } INDEX { spdCompFiltName }
::= { spdCompoundFilterTable 1 } ::= { spdCompoundFilterTable 1 }
SpdCompoundFilterEntry ::= SEQUENCE { SpdCompoundFilterEntry ::= SEQUENCE {
spdCompFiltName SnmpAdminString, spdCompFiltName SnmpAdminString,
spdCompFiltDescription SnmpAdminString, spdCompFiltDescription SnmpAdminString,
spdCompFiltLogicType SpdBooleanOperator, spdCompFiltLogicType SpdBooleanOperator,
spdCompFiltLastChanged TimeStamp, spdCompFiltLastChanged TimeStamp,
spdCompFiltStorageType StorageType, spdCompFiltStorageType StorageType,
spdCompFiltRowStatus RowStatus spdCompFiltRowStatus RowStatus
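Review bot: both columns of the spdCompoundFilterEntry DESCRIPTION refer to ficFilterIsNegated, which is not an object in this module (the sub-filter columns use the spdSubFilt prefix); point at the actual negation column of spdSubfiltersTable. "all of the sub-filters ... are all true" also doubles up "all".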
skipping to change at page 21, line 19 skipping to change at page 23, line 10
your administrative tracking purposes." your administrative tracking purposes."
::= { spdCompoundFilterEntry 1 } ::= { spdCompoundFilterEntry 1 }
spdCompFiltDescription OBJECT-TYPE spdCompFiltDescription OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A user definable string. You may use this field for "A user definable string. You may use this field for
your administrative tracking purposes." your administrative tracking purposes."
DEFVAL { ''H } DEFVAL { "" }
::= { spdCompoundFilterEntry 2 } ::= { spdCompoundFilterEntry 2 }
spdCompFiltLogicType OBJECT-TYPE spdCompFiltLogicType OBJECT-TYPE
SYNTAX SpdBooleanOperator SYNTAX SpdBooleanOperator
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the filters contained within this "Indicates whether the filters contained within this
filter are functionally ANDed or ORed together." filter are functionally ANDed or ORed together."
DEFVAL { and } DEFVAL { and }
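Review bot: changing spdCompFiltDescription's DEFVAL from ''H to "" is the right fix for an SnmpAdminString; the hex-string form was a type mismatch. The second-person "You may use this field for your ..." in spdCompFiltName and spdCompFiltDescription should be brought into line with the reworded spdRuleDefDescription.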
skipping to change at page 21, line 49 skipping to change at page 23, line 40
external means." external means."
::= { spdCompoundFilterEntry 4 } ::= { spdCompoundFilterEntry 4 }
spdCompFiltStorageType OBJECT-TYPE spdCompFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdCompoundFilterEntry 5 } ::= { spdCompoundFilterEntry 5 }
spdCompFiltRowStatus OBJECT-TYPE spdCompFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
skipping to change at page 23, line 25 skipping to change at page 25, line 19
lists such that faster filters are evaluated first." lists such that faster filters are evaluated first."
::= { spdSubfiltersEntry 1 } ::= { spdSubfiltersEntry 1 }
spdSubFiltSubfilter OBJECT-TYPE spdSubFiltSubfilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The location of the contained filter. The value of this "The location of the contained filter. The value of this
column should be a VariablePointer which references the column should be a VariablePointer which references the
properties for the filter to be included in this properties for the filter to be included in this compound
compound filter. filter.
This MIB defines the following tables and scalars which This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may may be pointed to by this column. Implementations may
choose to provide support for other filter tables or choose to provide support for other filter tables or
scalars as well: scalars as well:
spdIpHeaderFilterTable diffServMultiFieldClfrTable
spdIpsoHeaderFilterTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an VariablePointer is not supported at all, then an
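Review bot: spdSubFiltSubfilter's list drops spdIpsoHeaderFilterTable and replaces spdIpHeaderFilterTable with diffServMultiFieldClfrTable, which brings it into line with the spdGroupContFilter and spdRuleDefFilter lists; if the IPSO table was removed from the module, make sure nothing else (compliance groups, other DESCRIPTION text) still references it, since the three lists are meant to stay identical.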
skipping to change at page 24, line 26 skipping to change at page 26, line 21
external means." external means."
::= { spdSubfiltersEntry 4 } ::= { spdSubfiltersEntry 4 }
spdSubFiltStorageType OBJECT-TYPE spdSubFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubfiltersEntry 5 } ::= { spdSubfiltersEntry 5 }
spdSubFiltRowStatus OBJECT-TYPE spdSubFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object can not be made active until the filter This object can not be made active until the filter
referenced by the ficSubFilter object is both defined referenced by the ficSubFilter object is both defined
and is active. An attempt to do so will result in an and is active. An attempt to do so will result in an
inconsistentValue error." inconsistentValue error.
If active, this object must remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met will result in an inconsistentValue error. The
two conditions are:
I. No active row in the SpdCompoundFilterTable exists
which has a matching spdCompFiltName.
II. Or at least one other active row in this table has a
matching spdCompFiltName."
::= { spdSubfiltersEntry 6 } ::= { spdSubfiltersEntry 6 }
-- --
-- Static Filters -- Static Filters
-- --
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 } spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE spdTrueFilter OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates a (automatic) true result for "This scalar indicates a (automatic) true result for
a filter. I.e. this is a filter that is always a filter. I.e. this is a filter that is always
true, useful for adding as a default filter for a true, useful for adding as a default filter for a
default action or a set of actions." default action or a set of actions."
::= { spdStaticFilters 1 } ::= { spdStaticFilters 1 }
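Review bot: the two-condition rule added to spdSubFiltRowStatus (right column, after "inconsistentValue error.") carries a grammar slip and a stale object name that will trip implementers. "unless one of the following two conditions are met" should read "is met", and "SpdCompoundFilterTable" should be written as the descriptor is defined, "spdCompoundFilterTable"; descriptors are case-sensitive and a reader searching for the real name will miss this sentence. Both columns also still say the row cannot become active until "the filter referenced by the ficSubFilter object" is defined and active; that name does not follow the spd* convention used for every other column in this module and does not match any object visible in this diff, so the sentence should name the actual subfilter pointer column of spdSubfiltersEntry. The rule itself is the right invariant: the last active subfilter of an active compound filter cannot be withdrawn, which stops an active spdCompoundFilterTable row from quietly matching nothing. The sentence added to spdSubFiltStorageType ("For a storage type of permanent, none of the columns have to be writable") matches the StorageType semantics of SNMPv2-TC and is repeated on every StorageType column in this revision, which is fine.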
skipping to change at page 25, line 18 skipping to change at page 27, line 27
DESCRIPTION DESCRIPTION
"This scalar indicates a (automatic) true result for "This scalar indicates a (automatic) true result for
a filter. I.e. this is a filter that is always a filter. I.e. this is a filter that is always
true, useful for adding as a default filter for a true, useful for adding as a default filter for a
default action or a set of actions." default action or a set of actions."
::= { spdStaticFilters 1 } ::= { spdStaticFilters 1 }
spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 } spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
-- --
-- Policy IPHeader filter definition table
--
spdIpHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpHeaderFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of filter definitions to be
used within the spdRuleDefinitionTable or the
spdSubfilterTable table."
::= { spdConfigObjects 8 }
spdIpHeaderFilterEntry OBJECT-TYPE
SYNTAX SpdIpHeaderFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A definition of a particular filter."
INDEX { spdIpHeadFiltName }
::= { spdIpHeaderFilterTable 1 }
SpdIpHeaderFilterEntry ::= SEQUENCE {
spdIpHeadFiltName SnmpAdminString,
spdIpHeadFiltType BITS,
spdIpHeadFiltIPVersion InetAddressType,
spdIpHeadFiltSrcAddressBegin InetAddress,
spdIpHeadFiltSrcAddressEnd InetAddress,
spdIpHeadFiltDstAddressBegin InetAddress,
spdIpHeadFiltDstAddressEnd InetAddress,
spdIpHeadFiltSrcLowPort InetPortNumber,
spdIpHeadFiltSrcHighPort InetPortNumber,
spdIpHeadFiltDstLowPort InetPortNumber,
spdIpHeadFiltDstHighPort InetPortNumber,
spdIpHeadFiltProtocol Integer32,
spdIpHeadFiltIPv6FlowLabel Integer32,
spdIpHeadFiltLastChanged TimeStamp,
spdIpHeadFiltStorageType StorageType,
spdIpHeadFiltRowStatus RowStatus
}
spdIpHeadFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name for this filter."
::= { spdIpHeaderFilterEntry 1 }
spdIpHeadFiltType OBJECT-TYPE
SYNTAX BITS { sourceAddress(0), destinationAddress(1),
sourcePort(2), destinationPort(3),
protocol(4), ipv6FlowLabel(5) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This defines the various tests that are used when
evaluating a given filter. The results of each test are
ANDed together to produce the result of the entire
filter. When processing this filter, it is recommended
for efficiency reasons that the filter halt processing
the instant any of the specified tests fail.
Once a row is 'active', this object's value may not be
changed unless all the appropriate columns needed by the
new value to be imposed on this object have been
appropriately configured.
The various tests definable in this table are as
follows:
sourceAddress:
- Tests if the source address in the packet lies
between the spdIpHeadFiltSrcAddressBegin and
spdIpHeadFiltSrcAddressEnd objects.
Note that setting these two objects to the same
address will limit the search to the exact match of
a single address. The format and length of the
address objects are defined by the
spdIpHeadFiltIPVersion column.
A row in this table containing a spdIpHeadFiltType
object with the sourceAddress object bit but without
the spdIpHeadFiltIPVersion,
spdIpHeadFiltSrcAddressBegin and
spdIpHeadFiltSrcAddressEnd objects set will cause
the spdIpHeadFiltRowStatus object to return the
notReady state.
destinationAddress:
- Tests if the destination address in the packet lies
between the spdIpHeadFiltDstAddressBegin and
spdIpHeadFiltDstAddressEnd objects. Note that
setting these two objects to the same address will
limit the search to the exact match of a single
address. The format and length of the address
objects are defined by the spdIpHeadFiltIPVersion
column.
A row in this table containing a spdIpHeadFiltType
object with the destinationAddress object bit but
without the spdIpHeadFiltIPVersion,
spdIpHeadFiltDstAddressBegin and
spdIpHeadFiltDstAddressEnd objects set will cause
the spdIpHeadFiltRowStatus object to return the
notReady state.
sourcePort:
- Tests if the source port of IP packets using a
protocol that uses port numbers (at this time, UDP
or TCP) lies between the spdIpHeadFiltSrcLowPort and
spdIpHeadFiltSrcHighPort objects. Note that setting
these two objects to the same address will limit the
search to the exact match of a single port.
A row in this table containing a spdIpHeadFiltType
object with the sourcePort object bit but without
the spdIpHeadFiltSrcLowPort, and
spdIpHeadFiltSrcHighPort objects set will cause the
spdIpHeadFiltRowStatus object to return the notReady
state.
destinationPort:
- Tests if the source port of IP packets using a
protocol that uses port numbers (at this time, UDP
or TCP) lies between the spdIpHeadFiltDstLowPort and
spdIpHeadFiltDstHighPort objects. Note that setting
these two objects to the same address will limit the
search to the exact match of a single port.
A row in this table containing a spdIpHeadFiltType
object with the sourcePort object bit but without
the spdIpHeadFiltDstLowPort, and
spdIpHeadFiltDstHighPort objects set will cause the
spdIpHeadFiltRowStatus object to return the notReady
state.
protocol:
- Tests to see if the packet being processed is for
the given protocol type.
A row in this table containing a spdIpHeadFiltType
object with the protocol object bit but without the
spdIpHeadFiltProtocol object set will cause the
spdIpHeadFiltRowStatus object to return the notReady
state.
ipv6FlowLabel:
- Tests to see if the packet being processed contains
an ipv6 Flow Label which matches the value in the
ipfIPv6FlowLabel object. Setting this bit mandates
that for the packet to match the filter, it must be
an IPv6 packet.
A row in this table containing a spdIpHeadFiltType
object with the ipv6FlowLabel object bit but without
the ipfIPv6FlowLabel object set will cause the
spdIpHeadFiltRowStatus object to return the notReady
state."
::= { spdIpHeaderFilterEntry 2 }
spdIpHeadFiltIPVersion OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The Internet Protocol version the addresses are to match
against. The value of this property determines the size
and format of the spdIpHeadFiltSrcAddressBegin,
spdIpHeadFiltSrcAddressEnd,
spdIpHeadFiltDstAddressBegin, and
spdIpHeadFiltDstAddressEnd objects.
Values of unknown, ipv4z, ipv6z and dns are not legal
values for this object."
DEFVAL { ipv6 }
::= { spdIpHeaderFilterEntry 3 }
spdIpHeadFiltSrcAddressBegin OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The starting address of a source address range that the
packet must match against for this filter to be
considered TRUE.
This object is only used if sourceAddress is set in
spdIpHeadFiltType."
::= { spdIpHeaderFilterEntry 4 }
spdIpHeadFiltSrcAddressEnd OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The ending address of a source address range to check a
packet against, where the starting is specified by the
spdIpHeadFiltSrcAddressBegin object. Set this column to
the same value as the spdIpHeadFiltSrcAddressBegin
column to get an exact single address match.
This object is only used if sourceAddress is set in
spdIpHeadFiltType."
::= { spdIpHeaderFilterEntry 5 }
spdIpHeadFiltDstAddressBegin OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The starting address of a destination address range that
the packet must match against for this filter to be
considered TRUE.
This object is only used if destinationAddress is set in
spdIpHeadFiltType."
::= { spdIpHeaderFilterEntry 6 }
spdIpHeadFiltDstAddressEnd OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The ending address of a destination address range to
check a packet against, where the first is specified by
the spdIpHeadFiltDstAddressBegin object. Set this
column to the same value as the
spdIpHeadFiltDstAddressBegin column to get an exact
single address match.
This object is only used if destinationAddress is set in
spdIpHeadFiltType."
::= { spdIpHeaderFilterEntry 7 }
spdIpHeadFiltSrcLowPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The low port of the port range a packet's source must
match against. To match, the port number must be
greater than or equal to this value.
This object is only used if sourcePort is set in
spdIpHeadFiltType.
The value of 0 for this object is illegal."
::= { spdIpHeaderFilterEntry 8 }
spdIpHeadFiltSrcHighPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The high port of the port range a packet's source must
match against. To match, the port number must be less
than or equal to this value.
This object is only used if sourcePort is set in
spdIpHeadFiltType.
The value of 0 for this object is illegal."
::= { spdIpHeaderFilterEntry 9 }
spdIpHeadFiltDstLowPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The low port of the port range a packet's destination
must match against. To match, the port number must be
greater than or equal to this value.
This object is only used if destinationPort is set in
spdIpHeadFiltType.
The value of 0 for this object is illegal."
::= { spdIpHeaderFilterEntry 10 }
spdIpHeadFiltDstHighPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The high port of the port range a packet's destination
must match against. To match, the port number must be
less than or equal to this value.
This object is only used if destinationPort is set in
spdIpHeadFiltType.
The value of 0 for this object is illegal."
::= { spdIpHeaderFilterEntry 11 }
spdIpHeadFiltProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The protocol number the incoming packet must match
against for this filter to be evaluated as true.
This object is only used if protocol is set in
spdIpHeadFiltType."
::= { spdIpHeaderFilterEntry 12 }
spdIpHeadFiltIPv6FlowLabel OBJECT-TYPE
SYNTAX Integer32 (0..1048575)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The IPv6 Flow Label that the packet must match against.
This object is only used if ipv6FlowLabel is set in
spdIpHeadFiltType."
::= { spdIpHeaderFilterEntry 13 }
spdIpHeadFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdIpHeaderFilterEntry 14 }
spdIpHeadFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { spdIpHeaderFilterEntry 15 }
spdIpHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
This object may not be set to active if the requirements
of the spdIpHeadFiltType object are not met. In other
words, if the associated value columns needed by a
particular test have not been set, then attempting to
change this row to an active state will result in an
inconsistentValue error. See the spdIpHeadFiltType
object description for further details."
::= { spdIpHeaderFilterEntry 16 }
--
-- Policy IP Offset filter definition table -- Policy IP Offset filter definition table
-- --
spdIpOffsetFilterTable OBJECT-TYPE spdIpOffsetFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of filter definitions to be "This table contains a list of filter definitions to be
used within the spdRuleDefinitionTable or the used within the spdRuleDefinitionTable or the
spdSubfilterTable." spdSubfiltersTable."
::= { spdConfigObjects 9 } ::= { spdConfigObjects 8 }
spdIpOffsetFilterEntry OBJECT-TYPE spdIpOffsetFilterEntry OBJECT-TYPE
SYNTAX SpdIpOffsetFilterEntry SYNTAX SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A definition of a particular filter." "A definition of a particular filter."
INDEX { spdIpOffFiltName } INDEX { spdIpOffFiltName }
::= { spdIpOffsetFilterTable 1 } ::= { spdIpOffsetFilterTable 1 }
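Review bot: the renumbering of spdIpOffsetFilterTable from "::= { spdConfigObjects 9 }" to "::= { spdConfigObjects 8 }", together with the single-column spdIpHeaderFilterTable block above it that is itself assigned "{ spdConfigObjects 8 }", reads as that table being dropped in this revision with every later table shifting down one arc (the shift continues through the time, IPSO, compound-action and sub-action tables below). If the header-filter table is gone, the spdIpOffsetFilterTable description and any spdRuleDefinitionTable or spdSubfiltersTable text that still lists IP header filters as a pointer target need the same treatment, and the draft should say what replaces 5-tuple matching, since that is the filter most policies are built on. If the block is meant to survive, fix its own defects first: under destinationPort it tests "the source port" and names the "sourcePort object bit", the sourcePort and destinationPort paragraphs both say setting the two port objects to "the same address", and the ipv6FlowLabel paragraph refers to "ipfIPv6FlowLabel" where the column is spdIpHeadFiltIPv6FlowLabel. The rename "spdSubfilterTable" to "spdSubfiltersTable" in the spdIpOffsetFilterTable description is correct, as the entry is spdSubfiltersEntry. Reassigning arcs under spdConfigObjects between revisions makes -01 and -02 agents incompatible with each other; acceptable in a draft, but it deserves a sentence in the change log.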
skipping to change at page 35, line 44 skipping to change at page 30, line 32
external means." external means."
::= { spdIpOffsetFilterEntry 5 } ::= { spdIpOffsetFilterEntry 5 }
spdIpOffFiltStorageType OBJECT-TYPE spdIpOffFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpOffsetFilterEntry 6 } ::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE spdIpOffFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
This object may not be set to active if the requirements This object may not be set to active if the requirements
of the spdIpOffFiltType object are not met. In other of the spdIpOffFiltType object are not met. In other
words, if the associated value columns needed by a words, if the associated value columns needed by a
particular test have not been set, then attempting to particular test have not been set, then attempting to
change this row to an active state will result in an change this row to an active state will result in an
inconsistentValue error. See the spdIpOffFiltType inconsistentValue error. See the spdIpOffFiltType
object description for further details." object description for further details.
If active, this object must remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table will result in
an inconsistentValue error."
::= { spdIpOffsetFilterEntry 7 } ::= { spdIpOffsetFilterEntry 7 }
-- --
-- Time/scheduling filter table -- Time/scheduling filter table
-- --
spdTimeFilterTable OBJECT-TYPE spdTimeFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdTimeFilterEntry SYNTAX SEQUENCE OF SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines a table of filters which can be used to "Defines a table of filters which can be used to
effectively enable or disable policies based on a valid effectively enable or disable policies based on a valid
time range." time range."
::= { spdConfigObjects 10 } ::= { spdConfigObjects 9 }
spdTimeFilterEntry OBJECT-TYPE spdTimeFilterEntry OBJECT-TYPE
SYNTAX SpdTimeFilterEntry SYNTAX SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row describing a given time frame for which a policy "A row describing a given time frame for which a policy
may be filtered on to place the rule active or may be filtered on to place the rule active or
inactive." inactive."
INDEX { spdTimeFiltName } INDEX { spdTimeFiltName }
::= { spdTimeFilterTable 1 } ::= { spdTimeFilterTable 1 }
SpdTimeFilterEntry ::= SEQUENCE { SpdTimeFilterEntry ::= SEQUENCE {
spdTimeFiltName SnmpAdminString, spdTimeFiltName SnmpAdminString,
spdTimeFiltPeriodStart DateAndTime, spdTimeFiltPeriodStart DateAndTime,
spdTimeFiltPeriodEnd DateAndTime, spdTimeFiltPeriodEnd DateAndTime,
spdTimeFiltMonthOfYearMask BITS, spdTimeFiltMonthOfYearMask BITS,
spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfMonthMask OCTET STRING,
spdTimeFiltDayOfWeekMask BITS, spdTimeFiltDayOfWeekMask BITS,
spdTimeFiltTimeOfDayMaskStart DateAndTime, spdTimeFiltStartTimeOfDayMask DateAndTime,
spdTimeFiltTimeOfDayMaskEnd DateAndTime, spdTimeFiltStopTimeOfDayMask DateAndTime,
spdTimeFiltLastChanged TimeStamp, spdTimeFiltLastChanged TimeStamp,
spdTimeFiltStorageType StorageType, spdTimeFiltStorageType StorageType,
spdTimeFiltRowStatus RowStatus spdTimeFiltRowStatus RowStatus
} }
spdTimeFiltName OBJECT-TYPE spdTimeFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
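Review bot: the sentence added to spdIpOffFiltRowStatus, "If active, this object must remain active if it is referenced by an active row in another table", states the right invariant but places it on the referenced row, so an agent can only enforce it by tracking back-references from every VariablePointer column that can point into this table (the spdRuleDefinitionTable and spdSubfiltersTable named in the table DESCRIPTION); say so explicitly, and say whether destroy(6) is refused as well as notInService(2), since "anything other than active" is the only wording given. The same paragraph is pasted into spdTimeFiltRowStatus and spdIpsoHeadFiltRowStatus further down, while spdSubFiltRowStatus received a differently worded rule; one shared formulation in the module DESCRIPTION would be easier to keep consistent than four copies. The column renames spdTimeFiltTimeOfDayMaskStart/End to spdTimeFiltStartTimeOfDayMask/StopTimeOfDayMask keep the same arcs (spdTimeFilterEntry 7 and 8), so only descriptors change; check that the OBJECT-GROUP and MODULE-COMPLIANCE clauses use the new names.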
skipping to change at page 38, line 40 skipping to change at page 33, line 37
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which overlays the spdTimeFiltPeriodStart to "A bit mask which overlays the spdTimeFiltPeriodStart to
spdTimeFiltPeriodEnd date range to further restrict the spdTimeFiltPeriodEnd date range to further restrict the
time period to a restricted set of days within a given time period to a restricted set of days within a given
week." week."
DEFVAL { { monday, tuesday, wednesday, thursday, friday, DEFVAL { { monday, tuesday, wednesday, thursday, friday,
saturday, sunday } } saturday, sunday } }
::= { spdTimeFilterEntry 6 } ::= { spdTimeFilterEntry 6 }
spdTimeFiltTimeOfDayMaskStart OBJECT-TYPE spdTimeFiltStartTimeOfDayMask OBJECT-TYPE
SYNTAX DateAndTime SYNTAX DateAndTime
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates the starting time of day for which this filter "Indicates the starting time of day for which this filter
evaluates to true. The date portions of the DateAndTime evaluates to true. The date portions of the DateAndTime
TC are ignored for purposes of evaluating this mask and TC are ignored for purposes of evaluating this mask and
only the time specific portions are used." only the time specific portions are used."
DEFVAL { '00000000000000002b0000'H } DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 7 } ::= { spdTimeFilterEntry 7 }
spdTimeFiltTimeOfDayMaskEnd OBJECT-TYPE
spdTimeFiltStopTimeOfDayMask OBJECT-TYPE
SYNTAX DateAndTime SYNTAX DateAndTime
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates the ending time of day for which this filter "Indicates the ending time of day for which this filter
evaluates to true. The date portions of the DateAndTime evaluates to true. The date portions of the DateAndTime TC
TC are ignored for purposes of evaluating this mask and are ignored for purposes of evaluating this mask and only
only the time specific portions are used. If this the time specific portions are used. If this starting and
starting and ending time values indicated by the ending time values indicated by the
spdTimeFiltTimeOfDayMaskStart and spdTimeFiltStartTimeOfDayMask and
spdTimeFiltTimeOfDayMaskEnd objects are equal, the spdTimeFiltStopTimeOfDayMask objects are equal, the filter
filter is expected to be evaluated over the entire 24 is expected to be evaluated over the entire 24 hour
hour period." period."
DEFVAL { '00000000000000002b0000'H } DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 8 } ::= { spdTimeFilterEntry 8 }
spdTimeFiltLastChanged OBJECT-TYPE spdTimeFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdTimeFilterEntry 9 } ::= { spdTimeFilterEntry 9 }
spdTimeFiltStorageType OBJECT-TYPE spdTimeFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdTimeFilterEntry 10 } ::= { spdTimeFilterEntry 10 }
spdTimeFiltRowStatus OBJECT-TYPE spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this "This object indicates the conceptual status of this
row." row.
If active, this object must remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table will result in
an inconsistentValue error."
::= { spdTimeFilterEntry 11 } ::= { spdTimeFilterEntry 11 }
-- --
-- IPSO protection authority filtering -- IPSO protection authority filtering
-- --
spdIpsoHeaderFilterTable OBJECT-TYPE spdIpsoHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of IPSO header filter "This table contains a list of IPSO header filter
definitions to be used within the spdRuleDefinitionTable definitions to be used within the spdRuleDefinitionTable or
or the spdSubfilterTable. IPSO headers and their values the spdSubfiltersTable. IPSO headers and their values are
are described in RFC1108." described in RFC1108."
::= { spdConfigObjects 11 } ::= { spdConfigObjects 10 }
spdIpsoHeaderFilterEntry OBJECT-TYPE spdIpsoHeaderFilterEntry OBJECT-TYPE
SYNTAX SpdIpsoHeaderFilterEntry SYNTAX SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A definition of a particular filter." "A definition of a particular filter."
INDEX { spdIpsoHeadFiltName } INDEX { spdIpsoHeadFiltName }
::= { spdIpsoHeaderFilterTable 1 } ::= { spdIpsoHeaderFilterTable 1 }
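Review bot: spdTimeFiltStopTimeOfDayMask defines the equal case ("If this starting and ending time values ... are equal, the filter is expected to be evaluated over the entire 24 hour period") but not the case where the stop time is earlier than the start time, which is the common overnight window (a 22:00 to 06:00 maintenance policy, for example): state whether such a range wraps past midnight or is rejected with inconsistentValue, because an implementation that silently treats it as empty disables the policy instead of scoping it. The sentence also needs "If the starting and ending time values" rather than "If this starting and ending time values". The identical DEFVAL '00000000000000002b0000'H on both columns is an 11-octet DateAndTime with all-zero date and time fields, a '+' (0x2b) UTC direction and a zero offset, so under the equal-values rule the default is "all day"; say that in the DESCRIPTION, since a reader will not decode the hex. The change of spdIpsoHeaderFilterTable to "{ spdConfigObjects 10 }" and of "spdSubfilterTable" to "spdSubfiltersTable" in its DESCRIPTION are consistent with the renumbering and rename earlier in the diff.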
skipping to change at page 41, line 27 skipping to change at page 36, line 33
RFC1108." RFC1108."
::= { spdIpsoHeaderFilterEntry 3 } ::= { spdIpsoHeaderFilterEntry 3 }
spdIpsoHeadFiltProtectionAuth OBJECT-TYPE spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
SYNTAX INTEGER { genser(0), siopesi(1), sci(2), SYNTAX INTEGER { genser(0), siopesi(1), sci(2),
nsa(3), doe(4) } nsa(3), doe(4) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IPSO protection authority header field value must "The IPSO protection authority header field value must
match the value in this column if the protection match the value in this column if the protection authority
authority bit is set in the spdIpsoHeadFiltType field. bit is set in the spdIpsoHeadFiltType field.
The values of these enumerations are defined by RFC1108. The values of these enumerations are defined by RFC1108.
Hence the reason the SMIv2 convention of not using 0 in Hence the reason the SMIv2 convention of not using 0 in
enum lists is violated here." enum lists is violated here."
::= { spdIpsoHeaderFilterEntry 4 } ::= { spdIpsoHeaderFilterEntry 4 }
spdIpsoHeadFiltLastChanged OBJECT-TYPE spdIpsoHeadFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
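Review bot: spdIpsoHeadFiltProtectionAuth models the RFC 1108 protection authority field as a single INTEGER enumeration, but that field is a set of flags (GENSER, SIOP-ESI, SCI, NSA, DOE at bit positions 0 to 4, which is what the values genser(0) through doe(4) mirror) and a header may carry more than one of them; a filter able to express only one value cannot say "match if GENSER and SCI are both set" or "match if GENSER is set whatever else is". Either change the SYNTAX to BITS with the same positions and define the match as "every bit set in this column is set in the header", or state in the DESCRIPTION that the filter matches only a header whose flag field contains exactly this single authority. The sentence "Hence the reason the SMIv2 convention of not using 0 in enum lists is violated here" is better served by a REFERENCE clause citing the RFC 1108 section that assigns the bits than by prose.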
skipping to change at page 41, line 51 skipping to change at page 37, line 9
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdIpsoHeaderFilterEntry 5 } ::= { spdIpsoHeaderFilterEntry 5 }
spdIpsoHeadFiltStorageType OBJECT-TYPE spdIpsoHeadFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a storage
storage type of readOnly or permanent." type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpsoHeaderFilterEntry 6 } ::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE spdIpsoHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
This object may not be set to active if the requirements This object may not be set to active if the requirements of
of the spdIpsoHeadFiltType object are not met. In other the spdIpsoHeadFiltType object are not met. In other
words, if the associated value columns needed by a words, if the associated value columns needed by a
particular test have not been set, then attempting to particular test have not been set, then attempting to
change this row to an active state will result in an change this row to an active state will result in an
inconsistentValue error. See the spdIpsoHeadFiltType inconsistentValue error. See the spdIpsoHeadFiltType
object description for further details." object description for further details.
If active, this object must remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table will result in
an inconsistentValue error."
::= { spdIpsoHeaderFilterEntry 7 } ::= { spdIpsoHeaderFilterEntry 7 }
-- --
-- compound actions table -- compound actions table
-- --
spdCompoundActionTable OBJECT-TYPE spdCompoundActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundActionEntry SYNTAX SEQUENCE OF SpdCompoundActionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Table used to allow multiple actions to be associated "Table used to allow multiple actions to be associated
with a rule. It uses the spdSubactionsTable to do with a rule. It uses the spdSubactionsTable to do
this." this."
::= { spdConfigObjects 12 } ::= { spdConfigObjects 11 }
spdCompoundActionEntry OBJECT-TYPE spdCompoundActionEntry OBJECT-TYPE
SYNTAX SpdCompoundActionEntry SYNTAX SpdCompoundActionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row in the spdCompoundActionTable." "A row in the spdCompoundActionTable."
INDEX { spdCompActName } INDEX { spdCompActName }
::= { spdCompoundActionTable 1 } ::= { spdCompoundActionTable 1 }
SpdCompoundActionEntry ::= SEQUENCE { SpdCompoundActionEntry ::= SEQUENCE {
skipping to change at page 43, line 17 skipping to change at page 38, line 31
spdCompActName OBJECT-TYPE spdCompActName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This is an administratively assigned name of this "This is an administratively assigned name of this
compound action." compound action."
::= { spdCompoundActionEntry 1 } ::= { spdCompoundActionEntry 1 }
spdCompActExecutionStrategy OBJECT-TYPE spdCompActExecutionStrategy OBJECT-TYPE
SYNTAX INTEGER { reserved(0), SYNTAX INTEGER { doAll(1),
doAll(1),
doUntilSuccess(2), doUntilSuccess(2),
doUntilFailure(3) } doUntilFailure(3) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates how the sub-actions are executed "This object indicates how the sub-actions are executed
based on the success of the actions as they finish based on the success of the actions as they finish
executing. executing.
doAll - run each sub-action regardless of the doAll - run each sub-action regardless of the
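Review bot: dropping reserved(0) from spdCompActExecutionStrategy is right (it follows the SMIv2 enumeration convention the draft itself invokes at spdIpsoHeadFiltProtectionAuth), but a removed label needs a sweep: any DEFVAL, compliance MIN-ACCESS statement or example text for this object that still names reserved, and any -01 agent that still returns 0, now yields a value outside the SYNTAX, so the change log should call this out as a compatibility break rather than a cosmetic edit.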
skipping to change at page 44, line 19 skipping to change at page 39, line 32
external means." external means."
::= { spdCompoundActionEntry 3 } ::= { spdCompoundActionEntry 3 }
spdCompActStorageType OBJECT-TYPE spdCompActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdCompoundActionEntry 4 } ::= { spdCompoundActionEntry 4 }
spdCompActRowStatus OBJECT-TYPE spdCompActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
skipping to change at page 45, line 6 skipping to change at page 40, line 21
spdSubactionsTable OBJECT-TYPE spdSubactionsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdSubactionsEntry SYNTAX SEQUENCE OF SpdSubactionsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of the sub-actions within a "This table contains a list of the sub-actions within a
given compound action. Compound actions executing these given compound action. Compound actions executing these
actions MUST execute them in series based on the actions MUST execute them in series based on the
spdSubActPriority value, with the lowest value executing spdSubActPriority value, with the lowest value executing
first." first."
::= { spdConfigObjects 13 } ::= { spdConfigObjects 12 }
spdSubactionsEntry OBJECT-TYPE spdSubactionsEntry OBJECT-TYPE
SYNTAX SpdSubactionsEntry SYNTAX SpdSubactionsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row containing a reference to a given compound-action "A row containing a reference to a given compound-action
sub-action." sub-action."
INDEX { spdCompActName, spdSubActPriority } INDEX { spdCompActName, spdSubActPriority }
::= { spdSubactionsTable 1 } ::= { spdSubactionsTable 1 }
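Review bot: the OID assignment for spdSubactionsTable moves from { spdConfigObjects 13 } to { spdConfigObjects 12 } in this hunk (spdStaticActions makes the same shift, 14 to 13, further down). Renumbering is acceptable while the document is a draft, but it changes every instance identifier under the table, so an agent built from -01 and a manager built from -02 will silently disagree about what sits at spdConfigObjects.12; list the renumbering in the change log and double-check that no other node still claims spdConfigObjects 12 or 13 after the shift.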
skipping to change at page 45, line 47 skipping to change at page 41, line 14
spdSubActSubActionName OBJECT-TYPE spdSubActSubActionName OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This column points to the action to be taken. It may, "This column points to the action to be taken. It may,
but is not limited to, point to a row in one of the but is not limited to, point to a row in one of the
following tables: following tables:
spdCompoundActionTable - Allowing recursion spdCompoundActionTable - Allowing recursion
spdSaPreconfiguredActionTable ipsaSaPreconfiguredActionTable
spdIkeActionTable ipiaIkeActionTable
spdIpsecActionTable ipiaIpsecActionTable
It may also point to one of the scalar objects beneath It may also point to one of the scalar objects beneath
spdStaticActions. spdStaticActions.
If this object is set to a pointer to a row in an If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue unsupported (or unknown) table, an inconsistentValue
error should be returned. error should be returned.
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error an otherwise supported table, an inconsistentName error
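Review bot: the description now names ipsaSaPreconfiguredActionTable, ipiaIkeActionTable and ipiaIpsecActionTable, which by their prefixes are defined in other MIB modules; a DESCRIPTION clause creates no IMPORT, so say which modules define them so that an implementer can locate them. Two further points on the same text: "spdCompoundActionTable - Allowing recursion" lets a compound action reference itself, directly or through another compound action, so the description should require the agent to detect the cycle (reject the set, or bound the evaluation depth) rather than loop when the rule fires; and "an inconsistentValue error should be returned" / "an inconsistentName error" would be clearer with the module's own RFC 2119 keywords, since rejecting a pointer into an unsupported or non-existent table is precisely the check that keeps dangling action references out of an active policy.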
skipping to change at page 46, line 32 skipping to change at page 41, line 47
external means." external means."
::= { spdSubactionsEntry 3 } ::= { spdSubactionsEntry 3 }
spdSubActStorageType OBJECT-TYPE spdSubActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent." storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubactionsEntry 4 } ::= { spdSubactionsEntry 4 }
spdSubActRowStatus OBJECT-TYPE spdSubActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified." objects in this conceptual row can be modified.
If active, this object must remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met will result in an inconsistentValue error. The
two conditions are:
I. No active row in the spdCompoundActionTable exists
which has a matching spdCompActName.
II. Or at least one other active row in this table has a
matching spdCompActName."
::= { spdSubactionsEntry 5 } ::= { spdSubactionsEntry 5 }
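Review bot: grammar in the new spdSubActRowStatus text: "unless one of the following two conditions are met" should read "is met", and the leading "Or" in condition II is redundant once the sentence already says "one of the following two conditions". The rule itself is the right one (a sub-action row cannot leave the active state while it is the only active sub-action of an active compound action, so an active compound action can never be emptied out from under a rule); consider stating it symmetrically on spdCompActRowStatus so that a compound action cannot be set active with no active sub-actions. The sentence added to spdSubActStorageType, "For a storage type of permanent, none of the columns have to be writable", restates the StorageType textual convention from RFC 2579 and appears again in spdCompActStorageType; a reference to the TC would avoid carrying two copies of the same text.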
-- --
-- Static Actions -- Static Actions
-- --
-- these are static actions which can be pointed to by the -- these are static actions which can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to -- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets. -- drop, accept or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 14 } spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE spdDropAction OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be dropped "This scalar indicates that a packet should be dropped
WITHOUT action/packet logging. This object returns a WITHOUT action/packet logging. This object returns a
value of 1 for IPsec policy implementations that support value of 1 for IPsec policy implementations that support
the drop static action." the drop static action."
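Review bot: spdDropAction says it "returns a value of 1 for IPsec policy implementations that support the drop static action" but not what an implementation that does not support it does. Since the scalar exists only as a VariablePointer target, state that such an agent does not instantiate the object, so that a set of spdRuleDefAction or spdSubActSubActionName pointing at it fails with the inconsistentValue behaviour described for spdSubActSubActionName, rather than leaving the returned value undefined.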
skipping to change at page 48, line 25 skipping to change at page 44, line 8
spdActionExecuted OBJECT-TYPE spdActionExecuted OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Points to the action instance that was executed that "Points to the action instance that was executed that
resulted in the notification being sent." resulted in the notification being sent."
::= { spdNotificationVariables 1 } ::= { spdNotificationVariables 1 }
spdIPInterfaceType OBJECT-TYPE spdIPEndpointAddType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the interface type for the interface that the "Contains the interface type for the interface that the
packet which triggered the notification in question is packet which triggered the notification is passing
passing through." through."
::= { spdNotificationVariables 2 } ::= { spdNotificationVariables 2 }
spdIPInterfaceAddress OBJECT-TYPE spdIPEndpointAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the interface address for the interface that "Contains the interface address for the interface that
the packet which triggered the notification in question the packet which triggered the notification is passing
is passing through." through."
::= { spdNotificationVariables 3 } ::= { spdNotificationVariables 3 }
spdIPSourceType OBJECT-TYPE spdIPSourceType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the source address type of the packet which "Contains the source address type of the packet which
triggered the notification in question." triggered the notification."
::= { spdNotificationVariables 4 } ::= { spdNotificationVariables 4 }
spdIPSourceAddress OBJECT-TYPE spdIPSourceAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the source address of the packet which "Contains the source address of the packet which
triggered the notification in question." triggered the notification."
::= { spdNotificationVariables 5 } ::= { spdNotificationVariables 5 }
spdIPDestinationType OBJECT-TYPE spdIPDestinationType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the destination address type of the packet "Contains the destination address type of the packet
which triggered the notification in question." which triggered the notification."
::= { spdNotificationVariables 6 } ::= { spdNotificationVariables 6 }
spdIPDestinationAddress OBJECT-TYPE spdIPDestinationAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the destination address of the packet which "Contains the destination address of the packet which
triggered the notification in question." triggered the notification."
::= { spdNotificationVariables 7 } ::= { spdNotificationVariables 7 }
spdPacketDirection OBJECT-TYPE spdPacketDirection OBJECT-TYPE
SYNTAX INTEGER { inbound(1), outbound(2) } SYNTAX IfDirection
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates if the packet whic triggered the action in "Indicates if the packet which triggered the action in
questions was inbound our outbound." questions was ingress (inbound) our egress (outbound)."
::= { spdNotificationVariables 8 } ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Is the front part of the packet that triggered this "Is the front part of the packet that triggered this
notification. The size is determined by the value of notification. The initial size limit is determined by the
'SpdIPPacketLogging' or the size of the packet, smaller of the size indicated by 'SpdIPPacketLogging' and
whichever is smaller." the size of the triggering packet.
The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be
included will be the smaller of the initial size given
above and the length that will fit in a single SNMP
notification packet after the rest of the notification's
objects and any other necessary packet data (headers
encoding, etc...) has been included in the packet."
::= { spdNotificationVariables 9 } ::= { spdNotificationVariables 9 }
spdActionNotification NOTIFICATION-TYPE spdActionNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPInterfaceType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPInterfaceAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection } spdPacketDirection }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that an action was executed by a rule. "Notification that an action was executed by a rule.
Only actions with logging enabled will result in this Only actions with logging enabled will result in this
notification getting sent. The objects sent must notification getting sent. The objects sent must include
include the spdActionExecuted object which will indicate the spdActionExecuted object which will indicate which
which action was executed within the scope of the rule. action was executed within the scope of the rule.
Additionally the spdIPSourceType, spdIPSourceAddress, Additionally the spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, and spdIPDestinationAddress spdIPDestinationType, and spdIPDestinationAddress objects
objects must be included to indicate the packet source must be included to indicate the packet source and
and destination of the packet that triggered the action. destination of the packet that triggered the action.
Finally the spdIPInterfaceType, spdIPInterfaceAddress, Finally the spdIPEndpointAddType, spdIPEndpointAddress,
and spdPacketDirection objects are included to indicate and spdPacketDirection objects are included to indicate
which interface the action was executed in association which interface the action was executed in association with
with and if the packet was inbound or outbond through and if the packet was ingress or egress through the
the endpoint. endpoint.
Note that compound actions with multiple executed Note that compound actions with multiple executed
subactions may result in multiple notifications being subactions may result in multiple notifications being sent
sent from a single rule execution." from a single rule execution."
::= { spdNotifications 1 } ::= { spdNotifications 1 }
spdPacketNotification NOTIFICATION-TYPE spdPacketNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPInterfaceType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPInterfaceAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection, spdPacketDirection,
spdPacketPart } spdPacketPart }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that a packet passed through an SA. Only "Notification that a packet passed through an SA. Only
SA's created by actions with packet logging enabled will SA's created by actions with packet logging enabled will
result in this notification getting sent. The objects result in this notification getting sent. The objects
sent must include the spdActionExecuted which will sent must include the spdActionExecuted which will
indicate which action was executed within the scope of indicate which action was executed within the scope of
the rule. Additionally, the spdIPSourceType, the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to spdIPDestinationAddress, objects must be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPInterfaceType, that triggered the action. The spdIPEndpointAddType,
spdIPInterfaceAddress, and spdPacketDirection objects spdIPEndpointAddress, and spdPacketDirection objects
are included to indicate which endpoint the packet was are included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is including associated with. Finally, spdPacketPart is including
for sending a variable sized part of the front of the for sending a variable sized part of the front of the
packet depending on the value of SpdIPPacketLogging." packet depending on the value of SpdIPPacketLogging."
::= { spdNotifications 2 } ::= { spdNotifications 2 }
-- --
-- --
-- Conformance information -- Conformance information
-- --
-- --
spdCompliances OBJECT IDENTIFIER spdCompliances OBJECT IDENTIFIER
::= { spdConformanceObjects 1 } ::= { spdConformanceObjects 1 }
spdGroups OBJECT IDENTIFIER spdGroups OBJECT IDENTIFIER
::= { spdConformanceObjects 2 } ::= { spdConformanceObjects 2 }
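Review bot: spdPacketPart places the leading bytes of the triggering packet into spdPacketNotification, and the new text correctly bounds it by SpdIPPacketLogging, the packet length and the room left in the notification PDU; since the notification may travel over SNMPv1/v2c with no confidentiality, the description (or the Security Considerations) should state that these bytes can include payload beyond the IP header and that packet logging should only be enabled toward receivers reached over an authenticated and encrypted transport such as SNMPv3 with privacy. Smaller points in the same hunk: spdPacketDirection now uses IfDirection, which the module must IMPORT from DIFFSERV-MIB; the spdPacketDirection description still carries the -01 typos ("in questions was ingress (inbound) our egress (outbound)" should read "in question was ingress (inbound) or egress (outbound)"); and in spdPacketNotification "spdPacketPart is including for sending" should be "is included", with "SA's" written as "SAs".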
skipping to change at page 51, line 38 skipping to change at page 47, line 29
spdRuleFilterCompliance MODULE-COMPLIANCE spdRuleFilterCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that include "The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and an IPsec MIB implementation with Endpoint, Rules, and
filters support." filters support."
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdIPHeaderFilterGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup } spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support a system policy group implementations which support a system policy group
name." name."
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
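Review bot: diffServMIBMultiFieldClfrGroup is listed in MANDATORY-GROUPS under "MODULE -- This Module", but it is defined in DIFFSERV-MIB; RFC 2580 requires groups and objects from another module to be cited under their own MODULE clause (MODULE DIFFSERV-MIB with its own MANDATORY-GROUPS), otherwise a MIB compiler will reject the compliance statement. The same hunk drops spdIPHeaderFilterGroup from MANDATORY-GROUPS, so IP header matching now relies on the DiffServ multi-field classifier; make sure the spdIpHeadFilt* object refinements and the group definition are removed or made conditional in step with this.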
skipping to change at page 52, line 28 skipping to change at page 48, line 18
GROUP spdIpsoHeaderFilterGroup GROUP spdIpsoHeaderFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IPSO Header filters." implementations which support IPSO Header filters."
GROUP spdCompoundActionGroup GROUP spdCompoundActionGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound actions." implementations which support compound actions."
OBJECT spdEndGroupRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdEndGroupLastChanged OBJECT spdEndGroupLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdGroupContComponentType OBJECT spdGroupContComponentType
SYNTAX INTEGER { SYNTAX INTEGER {
rule(2) rule(2)
} }
DESCRIPTION DESCRIPTION
"Support of the value group(1) is only required for "Support of the value group(1) is only required for
implementations which support Policy Groups within implementations which support Policy Groups within
Policy Groups." Policy Groups."
OBJECT spdGroupContRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdGroupContLastChanged OBJECT spdGroupContLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdRuleDefRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdRuleDefLastChanged OBJECT spdRuleDefLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdCompFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdCompFiltLastChanged OBJECT spdCompFiltLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdSubFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdSubFiltLastChanged OBJECT spdSubFiltLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdIpHeadFiltIPVersion
SYNTAX InetAddressType {
ipv4(1), ipv6(2)
}
DESCRIPTION
"Only the ipv4 and ipv6 values make sense for this
object."
OBJECT spdIpHeadFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdIpHeadFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdIpOffFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdIpOffFiltLastChanged OBJECT spdIpOffFiltLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdTimeFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdTimeFiltLastChanged OBJECT spdTimeFiltLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdIpsoHeadFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdIpsoHeadFiltLastChanged OBJECT spdIpsoHeadFiltLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdCompActRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdCompActLastChanged OBJECT spdCompActLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdSubActRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT spdSubActLastChanged OBJECT spdSubActLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT diffServMultiFieldClfrNextFree
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
::= { spdCompliances 1 } ::= { spdCompliances 1 }
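Review bot: the OBJECT diffServMultiFieldClfrNextFree refinement (MIN-ACCESS not-accessible) sits in the "MODULE -- This Module" section of spdRuleFilterCompliance; as with the group, a refinement of an object from DIFFSERV-MIB belongs under a MODULE DIFFSERV-MIB clause. Every "This object not required for compliance." in this statement is also missing "is" (the read-only compliance statement that follows phrases it correctly). The RowStatus refinements that limit the syntax to active(1), createAndGo(4) and destroy(6) are coherent with each other: with createAndWait(5) unsupported no row can sit in notReady(3), so excluding that value is consistent.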
spdLoggingCompliance MODULE-COMPLIANCE spdLoggingCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that support "The compliance statement for SNMP entities that support
sending notifications when actions are invoked." sending notifications when actions are invoked."
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdActionLoggingObjectGroup, MANDATORY-GROUPS { spdActionLoggingObjectGroup,
spdActionNotificationGroup } spdActionNotificationGroup }
::= { spdCompliances 2 } ::= { spdCompliances 2 }
-- --
-- ReadOnly Compliances
--
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and
filters support.
If this MIB is implemented without support for read-create
(i.e. in read-only), it is not in full compliance but it
can claim read-only compliance. Such a device can then be
monitored but can not be configured with this MIB."
MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup,
spdRuleDefinitionGroup,
spdStaticFilterGroup,
spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support a system policy group
name."
GROUP spdCompoundFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support compound filters."
GROUP spdIPOffsetFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In
general, this SHOULD be supported by a compliant
IPsec Policy implementation."
GROUP spdTimeFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support time filters."
GROUP spdIpsoHeaderFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IPSO Header filters."
GROUP spdCompoundActionGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support compound actions."
OBJECT spdAcceptAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdAcceptActionLog
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActExecutionStrategy
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdCompActRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltDescription
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdCompFiltLogicType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdDropAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdDropActionLog
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEgressPolicyGroupName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEndGroupLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdEndGroupName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEndGroupRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEndGroupStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContComponentName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContComponentType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdGroupContRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIngressPolicyGroupName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdIpOffFiltOffset
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltValue
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltClassification
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdIpsoHeadFiltProtectionAuth
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefAdminStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefDescription
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefFilterNegated
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdRuleDefRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubActLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdSubActRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubActStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubActSubActionName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdSubFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltSubfilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltSubfilterIsNegated
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltDayOfMonthMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltDayOfWeekMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdTimeFiltMonthOfYearMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltPeriodEnd
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltPeriodStart
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltStartTimeOfDayMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltStopTimeOfDayMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTrueFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { spdCompliances 3 }
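Review bot: spdRuleFilterReadOnlyCompliance gives the LastChanged objects (spdCompActLastChanged, spdCompFiltLastChanged, spdEndGroupLastChanged and the others) MIN-ACCESS read-only while the same DESCRIPTION says "This object is not required for compliance"; MIN-ACCESS read-only means the object must at least be readable, which contradicts "not required", so use MIN-ACCESS not-accessible as spdRuleFilterCompliance does for the same objects. The refinement for spdDropAction is a no-op, since that scalar is already defined above with MAX-ACCESS read-only. Otherwise the statement does what a monitoring-only deployment wants: policy can be inspected but not changed through SNMP, which is the least-privilege posture to prefer wherever SNMP write access is not strictly needed.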
--
-- Compliance Groups Definitions
--

--
-- Endpoint, Rule, Filter Compliance Groups
--

spdEndpointGroup OBJECT-GROUP
    OBJECTS {
        spdEndGroupName, spdEndGroupLastChanged,
        spdEndGroupStorageType, spdEndGroupRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
        Endpoint Table."
    ::= { spdGroups 1 }

spdGroupContentsGroup OBJECT-GROUP
    OBJECTS {
        spdGroupContComponentType, spdGroupContFilter,
        spdGroupContComponentName, spdGroupContLastChanged,
        spdGroupContStorageType, spdGroupContRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
        Group Contents Table."
    ::= { spdGroups 2 }

spdIpsecSystemPolicyNameGroup OBJECT-GROUP
    OBJECTS {
        spdIngressPolicyGroupName,
        spdEgressPolicyGroupName
    }
    STATUS current
    DESCRIPTION
        "This group is made up of the objects that represent the
        System Policy Group Names."
    ::= { spdGroups 3 }
spdRuleDefinitionGroup OBJECT-GROUP
    OBJECTS {
        spdRuleDefDescription, spdRuleDefFilter,
        spdRuleDefFilterNegated, spdRuleDefAction,
        spdRuleDefAdminStatus, spdRuleDefLastChanged,
        spdRuleDefStorageType, spdRuleDefRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy Rule
        Definition Table."
    ::= { spdGroups 4 }

spdCompoundFilterGroup OBJECT-GROUP
    OBJECTS {
        spdCompFiltDescription, spdCompFiltLogicType,
        spdCompFiltLastChanged, spdCompFiltStorageType,
        spdCompFiltRowStatus, spdSubFiltSubfilter,
        spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
        spdSubFiltStorageType, spdSubFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
        Compound Filter Table and Sub-Filter Table Group."
    ::= { spdGroups 5 }

spdStaticFilterGroup OBJECT-GROUP
    OBJECTS { spdTrueFilter }
    STATUS current
    DESCRIPTION
        "The static filter group. Currently this is just a true
        filter."
    ::= { spdGroups 6 }

spdIPOffsetFilterGroup OBJECT-GROUP
    OBJECTS {
        spdIpOffFiltOffset, spdIpOffFiltType,
        spdIpOffFiltValue, spdIpOffFiltLastChanged,
        spdIpOffFiltStorageType, spdIpOffFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy IP
        Offset Filter Table."
    ::= { spdGroups 7 }

spdTimeFilterGroup OBJECT-GROUP
    OBJECTS {
        spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd,
        spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
        spdTimeFiltDayOfWeekMask, spdTimeFiltStartTimeOfDayMask,
        spdTimeFiltStopTimeOfDayMask, spdTimeFiltLastChanged,
        spdTimeFiltStorageType, spdTimeFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy Time
        Filter Table."
    ::= { spdGroups 8 }

spdIpsoHeaderFilterGroup OBJECT-GROUP
    OBJECTS {
        spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
        spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
        spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy IPSO
        Header Filter Table."
    ::= { spdGroups 9 }
--
-- action compliance groups
--

spdStaticActionGroup OBJECT-GROUP
    OBJECTS {
        spdDropAction, spdAcceptAction,
        spdDropActionLog, spdAcceptActionLog
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
        Static Actions."
    ::= { spdGroups 10 }

spdCompoundActionGroup OBJECT-GROUP
    OBJECTS {
        spdCompActExecutionStrategy, spdCompActLastChanged,
        spdCompActStorageType,
        spdCompActRowStatus, spdSubActSubActionName,
        spdSubActLastChanged, spdSubActStorageType,
        spdSubActRowStatus
    }
    STATUS current
    DESCRIPTION
        "The IPsec Policy Compound Action Table and Actions In
        Compound Action Table Group."
    ::= { spdGroups 11 }

spdActionLoggingObjectGroup OBJECT-GROUP
    OBJECTS {
        spdActionExecuted,
        spdIPEndpointAddType, spdIPEndpointAddress,
        spdIPSourceType, spdIPSourceAddress,
        spdIPDestinationType, spdIPDestinationAddress,
        spdPacketDirection, spdPacketPart
    }
    STATUS current
    DESCRIPTION
        "This group is made up of all the Notification objects for
        this MIB."
    ::= { spdGroups 12 }

spdActionNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        spdActionNotification,
        spdPacketNotification
    }
    STATUS current
    DESCRIPTION
        "This group is made up of all the Notifications for this
        MIB."
    ::= { spdGroups 13 }

END
6. Security Considerations

6.1 Introduction

This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides security services it is important
that the IPsec configuration data be at least as protected as the

skipping to change at page 62, line 22

2. Disclosure of Configuration: Malicious parties should not be
   able to read configuration data while the data is in network
   transit. Any knowledge about a device's IPsec policy
   configuration could help an unfriendly party compromise that
   device and/or the network(s) it protects. It is thus important
   to control even GET access to these objects and possibly to even
   encrypt the values of these objects when sending them over the
   network via SNMP.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control over who on the secure
network is allowed to access and GET/SET (read/change/create/delete)
the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to GET or SET (change/create/delete) them.

Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
SNMP version 3. The rest of this discussion assumes the use of
SNMPv3. This is a real strength, because it allows administrators to
load new IPsec configuration on a device and keep the conversation
private and authenticated under the protection of SNMPv3 before any
IPsec protections are available. Once initial establishment of IPsec
configuration on a device has been achieved, it would be possible to
set up IPsec SAs to then also provide security and integrity services
to the configuration conversation.

skipping to change at page 63, line 19
not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys is not yet provided by standards track documents,
although RFC 2786 defines an experimental method of doing so.
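The user keys described above are produced by the RFC 3414 User-based Security Model: a password is expanded and hashed into a user key Ku, Ku is "localized" to one agent by hashing it together with that agent's snmpEngineID, and the localized key Kul is the HMAC key for every message exchanged with that agent. The following Python is an added example, not code from this draft or from any SNMP implementation; it implements those three steps and the 96-bit truncated MAC that goes in msgAuthenticationParameters. The password and engine ID are the RFC 3414 Appendix A.3 test vector; the message body is a constructed placeholder for a serialized SNMPv3 message, and the function names are this example's own.

```python
"""RFC 3414 (SNMPv3 USM) key derivation and HMAC-96 authentication.

Added example; it is not part of the IPSEC-SPD-MIB draft and not a
vendor's SNMP code.  The password / engine ID pair is the RFC 3414
Appendix A.3 test vector; the message body is a constructed stand-in
for a serialized SNMPv3 message.
"""
import hashlib
import hmac

# RFC 3414 A.2: the password is repeated until exactly 1,048,576 octets
# have been hashed.  The fixed expansion is a deliberate cost factor
# against password guessing.
_PASSWORD_STREAM_LEN = 1_048_576
_MAC_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 truncate the MAC to 96 bits


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated to 1 MiB); hash_name is 'md5' or 'sha1'."""
    if len(password) < 8:
        # RFC 3414 section 11.2 recommends passwords of at least 8 octets
        raise ValueError("USM password shorter than 8 octets")
    reps = _PASSWORD_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:_PASSWORD_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), the key the agent actually stores.

    Localization binds the key to one engine: a Kul recovered from a
    compromised agent does not work against other agents that were
    configured from the same password, and does not reveal Ku.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_param(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: first 12 octets of HMAC(Kul, wholeMsg).

    The caller passes the serialized message with the authentication
    parameters field already set to 12 zero octets (RFC 3414 6.3.1/7.3.1).
    """
    return hmac.new(kul, whole_msg, hash_name).digest()[:_MAC_LEN]


def verify_auth(kul: bytes, whole_msg: bytes, tag: bytes, hash_name: str) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    if len(tag) != _MAC_LEN:
        return False
    return hmac.compare_digest(auth_param(kul, whole_msg, hash_name), tag)


def derive_localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """What a manager does once per agent it talks to."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    password = b"maplesyrup"                               # RFC 3414 A.3 vector
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 vector
    for h in ("md5", "sha1"):
        ku = password_to_key(password, h)
        kul = localize_key(ku, engine_id, h)
        print(f"{h}: Ku={ku.hex()} Kul={kul.hex()}")
    # Constructed placeholder for a serialized SNMPv3 SET of an SPD object.
    msg = b"constructed-snmpv3-message: SET spdEgressPolicyGroupName"
    kul = derive_localized_key(password, engine_id, "sha1")
    tag = auth_param(kul, msg, "sha1")
    print("tag:", tag.hex())
    print("genuine verifies:", verify_auth(kul, msg, tag, "sha1"))
    print("tampered verifies:", verify_auth(kul, msg + b"!", tag, "sha1"))
```

Two practical consequences follow from the construction. First, Kul is a deterministic function of the password and the engine ID, both of which an eavesdropper on an authenticated-but-unencrypted session can obtain (the engine ID travels in the clear), so captured messages permit offline password guessing; the 1 MiB expansion slows this but does not prevent it, which is why long passwords and the privacy service matter. Second, RFC 3414 defines only HMAC-MD5-96 and HMAC-SHA-96; SHA-2 based authentication for the USM was specified later in RFC 7860, so an SNMPv3 stack should be checked for which of these it supports before it is used to push IPsec policy.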
6.3 Protecting against involuntary disclosure

While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed
by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties.
This includes IKE pre-shared keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but the only encryption algorithm defined
by the original SNMPv3 User-based Security Model (RFC 3414) is single
DES; AES has since been specified for the USM in [RFC3826], and an
SNMPv3 implementation should be checked for support of it before it
is relied on. Policy administrators SHOULD use a privacy security
service to configure their IPsec policy which is at least as strong
as the desired IPsec policy. For example, it is unwise to configure
IPsec parameters implementing 3DES algorithms while only protecting
that conversation with single DES.
6.4 Bootstrapping your configuration

Most vendors will not ship new products with a default SNMPv3
user/password pair, but it is possible. Most SNMPv3 distributions
should, hopefully, require an out-of-band initialization over a
trusted medium, such as a local console connection. If a product
does ship with a default user/password pair, policy administrators
SHOULD, before connecting the device to a network, either change the
password or configure a new user and delete the default user (or, at
a minimum, restrict the access of the default user).
7. IANA Considerations

Only two IANA considerations exist for this document. The first is
the node number allocation of the IPSEC-SPD-MIB itself. The second
is that the IPSEC-SPD-MIB allows for extension action MIBs and
allocates a node, spdActions, for them; IANA would be responsible
for allocating the values under this node.

8. Acknowledgments

Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order for the following
people:

   Lindy Foster (Sparta, Inc.)
   John Gillis (ADC)
   Jamie Jason (Intel Corporation)
   Roger Hartmuller (Sparta, Inc.)
   David Partain (Ericsson)
   Lee Rafalow (IBM)
   Jon Saperia (JDS Consulting)
   Eric Vyncke (Cisco Systems)
9. References

9.1 Normative References

[RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
           "Introduction and Applicability Statements for
           Internet-Standard Management Framework", RFC 3410,
           December 2002.

[RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
           Architecture for Describing Simple Network Management
           Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
           December 2002.

skipping to change at page 65, line 30

           McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
           Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580]  McCloghrie, K., Perkins, D. and J. Schoenwaelder,
           "Conformance Statements for SMIv2", STD 58, RFC 2580,
           April 1999.

[RFC3585]  Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
           Policy Information Model", RFC 3585, August 2003.

9.2 Informative References

[RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
           Wang, "IPsec Security Policy IPsec Action MIB", December
           2002.

[RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
           Wang, "IPsec Security Policy IKE Action MIB", December
           2002.

[IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
           Paper", November 2000.

[RFC3826]  Blumenthal, U., Maino, F. and K. McCloghrie, "The Advanced
           Encryption Standard (AES) Cipher Algorithm in the SNMP
           User-based Security Model", RFC 3826, June 2004.
Authors' Addresses

   Michael Baer
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD 21046
   US

   EMail: baerm@tislabs.com

skipping to change at page 66, line 38

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA 30085
   US

   EMail: ipsp-mib@revelstone.com

   Cliff Wang
   ARO/North Carolina State University
   4300 S. Miami Blvd
   RTP, NC 27709
   US

   EMail: cliffwangmail@yahoo.com
Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be

skipping to change at page 67, line 41

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/