draft-ietf-ipsp-spd-mib-02.txt   draft-ietf-ipsp-spd-mib-03.txt 
IPSP M. Baer IPSP M. Baer
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Expires: August 21, 2005 R. Charlet Expires: April 15, 2006 R. Charlet
Self Self
W. Hardaker W. Hardaker
Sparta, Inc. Sparta, Inc.
R. Story R. Story
Revelstone Software Revelstone Software
C. Wang C. Wang
ARO/North Carolina State ARO/North Carolina State
University University
February 20, 2005 October 12, 2005
IPsec Security Policy Database Configuration MIB IPsec Security Policy Database Configuration MIB
draft-ietf-ipsp-spd-mib-02.txt draft-ietf-ipsp-spd-mib-03.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions By submitting this Internet-Draft, each author represents that any
of section 3 of RFC 3667. By submitting this Internet-Draft, each applicable patent or other IPR claims of which he or she is aware
author represents that any applicable patent or other IPR claims of have been or will be disclosed, and any of which he or she becomes
which he or she is aware have been or will be disclosed, and any of aware will be disclosed, in accordance with Section 6 of BCP 79.
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as Internet-
Internet-Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 21, 2005. This Internet-Draft will expire on April 15, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document defines a SMIv2 Management Information Base (MIB) This document defines an SMIv2 Management Information Base (MIB)
module for configuring the security policy database of a device module for configuring the security policy database of a device
implementing the IPsec protocol. The policy-based packet filtering implementing the IPsec protocol. The policy-based packet filtering
and the corresponding execution of actions described in this document and the corresponding execution of actions described in this document
is of a more general nature than for IPsec configuration alone, such are of a more general nature than for IPsec configuration alone, such
as for configuration of a firewall. This MIB module is designed to as for configuration of a firewall. This MIB module is designed to
be extensible with other enterprise or standards based defined packet be extensible with other enterprise or standards based defined packet
filters and actions. filters and actions.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3 2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
4.1 Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5
4.1.1 Notational conventions . . . . . . . . . . . . . . . . 5 4.1.1. Notational conventions . . . . . . . . . . . . . . . . 5
4.1.2 Implementing an example SPD policy . . . . . . . . . . 6 4.1.2. Implementing an example SPD policy . . . . . . . . . . 6
5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8 5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 61 6. Security Considerations . . . . . . . . . . . . . . . . . . . 62
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . 61 6.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 63
6.2 Protecting against in-authentic access . . . . . . . . . . 63 6.2. Protecting against in-authentic access . . . . . . . . . . 64
6.3 Protecting against involuntary disclosure . . . . . . . . 63 6.3. Protecting against involuntary disclosure . . . . . . . . 64
6.4 Bootstrapping your configuration . . . . . . . . . . . . . 63 6.4. Bootstrapping your configuration . . . . . . . . . . . . . 65
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 64 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 65
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 64 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 65
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 65
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 64 9.1. Normative References . . . . . . . . . . . . . . . . . . . 65
9.2 Informative References . . . . . . . . . . . . . . . . . . . 65 9.2. Informative References . . . . . . . . . . . . . . . . . . 66
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 66 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 68
Intellectual Property and Copyright Statements . . . . . . . . 67 Intellectual Property and Copyright Statements . . . . . . . . . . 69
1. Introduction 1. Introduction
This document defines a MIB module for configuration of an IPsec This document defines a MIB module for configuration of an IPsec
security policy database (SPD). The policy-based packet filtering security policy database (SPD). The policy-based packet filtering
and the corresponding execution of actions is of a more general and the corresponding execution of actions is of a more general
nature than for IPsec configuration only, such as for configuration nature than for IPsec configuration only, such as for configuration
of a firewall. It is possible to extend this MIB module and add of a firewall. It is possible to extend this MIB module and add
other packet transforming actions that are performed conditionally on other packet transforming actions that are performed conditionally on
network traffic. an interface's network traffic.
Companion documents [RFCXXXX], [RFCYYYY] document actions which are The IPsec and IKE specific actions as documented in [RFCXXXX] and
specific to IPsec and IKE. No IPsec or IKE specific actions are [RFCYYYY] respectively and are not documented in this document.
defined within this document.
Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
these values are determined. these values are determined.
2. The Internet-Standard Management Framework 2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410] RFC 3410 [RFC3410]
skipping to change at page 4, line 6 skipping to change at page 4, line 9
instantiation) of the IPCP's IPsec configuration model for use with instantiation) of the IPCP's IPsec configuration model for use with
SNMPv3. SNMPv3.
The high-level areas where this MIB module diverges from the IPCP The high-level areas where this MIB module diverges from the IPCP
model are: model are:
o Policies, Groups, Conditions, and some levels of Actions are o Policies, Groups, Conditions, and some levels of Actions are
generically named. In other words, IPsec specific prefixes like generically named. In other words, IPsec specific prefixes like
"SA" (Security Association), or "IPsec" are not used. This naming "SA" (Security Association), or "IPsec" are not used. This naming
convention is used because packet classification and the matching convention is used because packet classification and the matching
of conditions to actions is more general than IPsec. These tables of conditions to actions is more general than IPsec. The tables
could possibly be reused by other packet transforming actions in this document can possibly be reused by other packet
which need to conditionally act on packets matching filters. transforming actions which need to conditionally act on packets
matching filters.
o Filters are implemented in a more generic and scalable manner, o Filters are implemented in a more generic and scalable manner,
rather than enforcing the condition/filtering pairing of the IPCP rather than enforcing the condition/filtering pairing of the IPCP
and its restrictions upon the user. This MIB module offers a and its restrictions upon the user. This MIB module offers a
compound filter object to provide for greater flexibility than the compound filter object providing greater flexibility for complex
IPCP when creating complex filters. filters than the IPCP.
4. MIB Module Overview 4. MIB Module Overview
The MIB module is modularized into several different parts: rules, The MIB module is modularized into several different parts: rules,
filters, and actions. filters, and actions.
The rules section connects endpoints and groups of rules together. The rules section associates endpoints and groups of rules and
This is made up of the spdEndpointToGroupTable, consists of the spdEndpointToGroupTable, spdGroupContentsTable, and
spdGroupContentsTable, and the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable
the spdRuleDefinitionTable connects a filter to an action. It should connects a filter to an action. It should also be noted that by
also be noted that by referencing the spdCompoundFilterTable, the referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's
spdRuleDefinitionTable's filter column can indicate a set of filters filter column can indicate a set of filters to be processed.
to be processed. Likewise, by referencing the Likewise, by referencing the spdCompoundActionTable, the
spdCompoundActionTable, the spdRuleDefinitionTable's action column spdRuleDefinitionTable's action column can indicate multiple actions
can indicate multiple actions to be executed. to be executed.
This MIB is structured to allow for reuse through the future creation This MIB is structured to allow for reuse through the future creation
of extension tables that provide additional filters and/or actions. of extension tables that provide additional filters and/or actions.
In fact, the companion documents to this one do just that to define In fact, the companion documents to this one do just that to define
IPsec and IKE specific actions to be used within this SPD IPsec and IKE specific actions to be used within this SPD
configuration MIB. configuration MIB.
The filter section of the MIB module is composed of the different The filter section of the MIB module is composed of the different
types of filters in the Policy Model. It is made up of the types of filters in the Policy Model. It is made up of the
spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable
spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable, spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
spdCompoundFilterTable, spdIpsoHeaderFilterTable. spdCompoundFilterTable, spdIpsoHeaderFilterTable.
The action section of this MIB module contains only the simple static The action section of this MIB module contains only the simple static
actions required for the firewall processing that an IPsec SPD actions required for the firewall processing that an IPsec SPD
implementation requires (e.g. accept, drop, log, ...). The implementation requires (e.g. accept, drop, log, ...). The companion
companion documents to this document define the complex actions documents of this document define the complex actions necessary for
necessary for IPsec and IKE negotiations. IPsec and IKE negotiations.
As may have been noticed above, the MIB uses recursion similarly in As may have been noticed above, the MIB uses recursion similarly in
several different places. In particular the spdGroupContentsTable, several different places. In particular the spdGroupContentsTable,
the spdCompoundFilterTable / spdSubfiltersTable combination, and the the spdCompoundFilterTable / spdSubfiltersTable combination, and the
spdCompoundActionTable / spdSubactionsTable combination can reference spdCompoundActionTable / spdSubactionsTable combination can reference
themselves. themselves.
In the case of the spdGroupContentsTable, a row can indicate a rule In the case of the spdGroupContentsTable, a row can indicate a rule
(i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another (i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another
set of one or more rows in the spdGroupContentsTable). In this way a set of one or more rows in the spdGroupContentsTable). This way a
group can contain a set of rules and sub-groups. Sub-groups are just group can contain a set of rules and sub-groups. Sub-groups are just
other groups defined in the spdGroupContentsTable. There is no other groups defined in the spdGroupContentsTable. There is no
inherit MIB limit to the nesting of groups within groups. inherit MIB limit to the nesting of groups.
The spdCompoundFilterTable / spdSubfiltersTable combination and The spdCompoundFilterTable / spdSubfiltersTable combination and
spdCompoundActionTable / spdSubactionsTable combination are designed spdCompoundActionTable / spdSubactionsTable combination are designed
almost identically with one being for filters and the other for almost identically with one being for filters and the other for
actions respectively. The following descriptions for the compound actions respectively. The following descriptions for the compound
filter tables can be directly applied to the compound action tables. filter tables can be directly applied to the compound action tables.
The combination of the tables spdCompoundFilterTable and The combination of the tables spdCompoundFilterTable and
spdSubfiltersTable allow a user to create a set of filters that can spdSubfiltersTable allow a user to create a set of filters that can
be treated by any table that references it as a single filter. A row be referenced any table as a single filter. A row in the
in the spdCompoundFilterTable has the basic configuration information spdCompoundFilterTable has the basic configuration information for
for the compound filter. It's name (spdCompFiltname) reference a set the compound filter. It's name (spdCompFiltname) references a set of
of rows in the spdSubfiltersTable. Each row in spdSubfiltersTable rows in the spdSubfiltersTable. Each row in spdSubfiltersTable
points at a row in another filter table. In this way, a set of points at a row in another filter table. In this way, a set of
ordered filters making up the compound filter is created. Note that ordered filters composing the compound filter is created. Note that
it is possible for one of these rows in the spdSubfiltersTable to it is possible for one of the rows in the spdSubfiltersTable to point
point at a row in the spdCompoundFilterTable. This recursion allows at a row in the spdCompoundFilterTable. This recursion allows the
the creation of a filter set that include other filter sets within creation of a filter set that include other filter sets within it.
it. There is no inherit MIB limit to the nesting of compound filters There is no inherit MIB limit to the nesting of compound filters
within compound filters. within compound filters.
4.1 Usage Tutorial 4.1. Usage Tutorial
In order to make use of the tables contained in this document, a In order to use the tables contained in this document, a general
general understanding of firewall processing is necessary. The understanding of firewall processing is necessary. The processing of
processing of the security policy database involves applying a set of the security policy database involves applying a set of firewall
firewall rules to an interface on a device. The given set of rules rules to an interface on a device. The given set of rules to apply
to apply to any given interface is defined within the to any given interface is defined within the ipspEndpointToGroupTable
ipspEndpointToGroupTable table. This table maps a given interface to table. This table maps a given interface to a group of rules. In
a group of rules. In this table, the interface itself is specified this table, the interface itself is specified using its assigned
using its assigned address. There is also one group of rules per address. There is also one group of rules per direction (ingress and
direction (ingress and egress). egress).
4.1.1 Notational conventions 4.1.1. Notational conventions
Notes about the following example operations: Notes about the following example operations:
1. All of the example operations in the following section make use 1. All the example operations in the following section make use of
of default values for all columns not listed. The operations and default values for all columns not listed. The operations and
column values below are the minimal SNMP Varbinds that must be column values given in the examples are the minimal SNMP Varbinds
sent. that must be sent to create a row.
2. The example operations are formatted such that a row (i.e. the 2. The example operations are formatted such that a row (i.e. the
table's Entry object) is operated on by using the indexes to that table's Entry object) is operated on by using the indexes to that
row and the column values for the that row. row and the column values for the that row.
3. The following is a generic example of the notation used in the 3. Below is a generic example of the notation used in the following
following section's examples of this MIB's usage: section's examples of this MIB's usage. It indicates that the
columns column1 and column2 in row rowEntry with indexes index1
and index2 are being set to value1 and value2 respectively.:
rowEntry(index1 = value1, rowEntry(index1 = value1,
index2 = value2) index2 = value2)
= (column1 = column_value1, = (column1 = column_value1,
column2 = column_value2) column2 = column_value2)
4. The following is a specific example of the notation used in the 4. The below is a specific example of the notation used in the
following section's examples of this MIB's usage. In order to following section's examples of this MIB's usage. The below
set the address status column to deprecated for a row in the shows the status of a row in the IP-MIB::ipAddressTable table
IP-MIB::ipAddressTable with the index values of ipAddressAddrType being changed to. deprecated. The index values for this row are
= ipv4 and ipAddressAddr = 192.0.2.1. The example notation would IPv4 and 192.0.2.1. The example notation would look like the
look like the following: following:
ipAddressEntry(ipAddressAddrType = 1, -- ipv4 ipAddressEntry(ipAddressAddrType = 1, -- ipv4
ipAddressAddr = 0x0a000001 ) -- 192.0.2.1 ipAddressAddr = 0xC0000201 ) -- 192.0.2.1
= (ipAddressStatus = 2) -- deprecated = (ipAddressStatus = 2) -- deprecated
4.1.2 Implementing an example SPD policy 4.1.2. Implementing an example SPD policy
For our example, let us define and apply the following policy for all As an example, let us define the following administrative policy: On
ingress traffic on a network interface: the network interface with IP address 192.0.2.1, all traffic from
host 192.0.2.6 will be dropped and all other traffic will be
accepted.
o Drop all packets from the host 10.6.6.6. This policy is enforced by setting the values in the MIB to do the
following:
o Accept all other packets. o create a filter for 192.0.2.6
To do this, let us call the set of rules (as a group) "ingress" and o create a rule that connects the 192.0.2.6 filter to a packet drop
apply them to the ingress traffic for the interface associated with action
the IPv4 address 10.0.0.1. For these rules, let us apply a policy
that accepts all traffic except for packets that arrive from a host
with an IPv4 address of "10.6.6.6". To achieve this policy, we would
follow these steps:
First, we need to create the rules to institute this policy. To o create a rule that always accepts packets
accomplish this, first we have to create the filter for the host. We o group these rules together in the proper order so that the
could do this using the following row insertion into the 192.0.2.6 drop rule is checked first.
spdIpHeaderFilterTable table:
SpdIpHeaderFilterEntry(spdIpHeadFiltName = "10.6.6.6") o connect this group of rules to the 192.0.2.1 interface
The first step to do this is creating the filter for the IPv4 address
192.0.2.6:
SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6")
= (spdIpHeadFiltType = 0x80, -- sourceAddress = (spdIpHeadFiltType = 0x80, -- sourceAddress
spdIpHeadFiltIPVersion = 1, -- IPv4 spdIpHeadFiltIPVersion = 1, -- IPv4
spdIpHeadFiltSrcAddressBegin = 0x0a060606, spdIpHeadFiltSrcAddressBegin = 0xC0000206, -- 192.0.2.6
spdIpHeadFiltSrcAddressEnd = 0x0a060606, spdIpHeadFiltSrcAddressEnd = 0xC0000206, -- 192.0.2.6
spdIpHeadFiltRowStatus = 4) -- createAndGo spdIpHeadFiltRowStatus = 4) -- createAndGo
Next, we need to bind this filter to an action of "drop" in a new Next, a rule is created to connect the above "192.0.2.6" filter to an
rule. We can do this as follows: action to "drop" the packet, as follows:
spdRuleDefinitionEntry(spdRuleDefName = "drop from 10.6.6.6") spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6")
= (spdRuleDefFilter = = (spdRuleDefFilter =
spdIpHeadFiltType.8.49.48.46.54.46.54.46.54, spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54,
spdRuleDefAction = spdDropAction.0, spdRuleDefAction = spdDropAction.0,
spdRuleDefRowStatus = 4) -- createAndGo spdRuleDefRowStatus = 4) -- createAndGo
We also need a rule to accept all other packets: Next, a rule is created that accepts all packets:
spdRuleDefinitionEntry(spdRuleDefName = "accept all") spdRuleDefinitionEntry(spdRuleDefName = "accept all")
= (spdRuleDefFilter = spdTrueFilter.0, = (spdRuleDefFilter = spdTrueFilter.0,
spdRuleDefAction = spdAcceptAction.0, spdRuleDefAction = spdAcceptAction.0,
spdRuleDefRowStatus = 4) -- createAndGo spdRuleDefRowStatus = 4) -- createAndGo
Now, we need to put these two rules into a group. We will put the Next, these two rules are grouped together. Rule groups attached to
"accept all" rule at the very end (i.e. assign it the highest an interface are processed one row at a time. The rows are processed
priority number), so it is matched last. Then, at an earlier from lowest to highest spdGroupContPiority value. Because the row
priority (1000), we will insert the "drop from 10.6.6.6" rule. We that references the "accept all" rule should be processed last, it is
will do this by putting the rules into the group "ingress". given the higher spdGroupContPriority value.
SpdGroupContentsEntry(spdGroupContName = "ingress", SpdGroupContentsEntry(spdGroupContName = "ingress",
spdGroupContPriority = 65535) spdGroupContPriority = 65535)
= (spdGroupContComponentName = "accept all", = (spdGroupContComponentName = "accept all",
spdGroupContRowStatus = 4) -- createAndGo spdGroupContRowStatus = 4) -- createAndGo
SpdGroupContentsEntry(spdGroupContName = "ingress", SpdGroupContentsEntry(spdGroupContName = "ingress",
spdGroupContPriority = 1000) spdGroupContPriority = 1000)
= (spdGroupContComponentName = "drop from 10.6.6.6", = (spdGroupContComponentName = "drop from 192.0.2.6",
spdGroupContRowStatus = 4) -- createAndGo spdGroupContRowStatus = 4) -- createAndGo
Finally, we apply this group of rules to our interface: Finally, this group of rules is connected to the 192.0.2.1 interface
as follows:
SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress
spdEndGroupIdentType = 4, -- IPv4 spdEndGroupIdentType = 4, -- IPv4
spdEndGroupAddress = 0x0a000001) spdEndGroupAddress = 0xC0000001)
= (spdEndGroupName = "ingress", = (spdEndGroupName = "ingress",
spdEndGroupRowStatus = 4) -- createAndGo spdEndGroupRowStatus = 4) -- createAndGo
This completes the necessary steps to implement the policy. Once all This completes the necessary steps to implement the policy. Once all
of these rules have been applied, our policy should take effect. of these rules have been applied, the policy should take effect.
5. MIB definition 5. MIB definition
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
mib-2 FROM SNMPv2-SMI mib-2 FROM SNMPv2-SMI
--rfc2578 --rfc2578
skipping to change at page 10, line 34 skipping to change at page 10, line 45
DESCRIPTION DESCRIPTION
"The SpdAdminStatus is used to specify the administrative "The SpdAdminStatus is used to specify the administrative
status of an object. Objects which are disabled must not status of an object. Objects which are disabled must not
be used by the packet processing engine." be used by the packet processing engine."
SYNTAX INTEGER { enabled(1), disabled(2) } SYNTAX INTEGER { enabled(1), disabled(2) }
SpdIPPacketLogging ::= TEXTUAL-CONVENTION SpdIPPacketLogging ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d" DISPLAY-HINT "d"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"SpdIPPacketLogging specifies whether or not an audit "SpdIPPacketLogging specifies whether an audit message
message should be logged when a packet is passed through a should be logged if a packet is passed through a Security
Security Association (SA) and if some of that packet should Association (SA) and if some of that packet should be
be included in the log event. A value of '-1' indicates no included in the log event. A value of '-1' indicates no
logging. A value of '0' or greater indicates that logging logging. A value of '0' or greater indicates that logging
should be done and how many bytes of the beginning of the should be done and indicates the number of bytes starting at
packet to place in the log. Values greater than the size of the beginning of the packet to place in the log. Values
the packet being processed indicate that the entire packet greater than the size of the packet being processed indicate
should be sent. that the entire packet should be sent.
Examples: Examples:
'-1' no logging '-1' no logging
'0' log but do not include any of the packet in the log '0' log but do not include any of the packet in the log
'20' log and include the first 20 bytes of the packet '20' log and include the first 20 bytes of the packet
in the log." in the log."
SYNTAX Integer32 (-1..65535) SYNTAX Integer32 (-1..65535)
-- --
-- Policy group definitions -- Policy group definitions
-- --
spdLocalConfigObjects OBJECT IDENTIFIER spdLocalConfigObjects OBJECT IDENTIFIER
::= { spdConfigObjects 1 } ::= { spdConfigObjects 1 }
spdIngressPolicyGroupName OBJECT-TYPE spdIngressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write MAX-ACCESS read-write
skipping to change at page 11, line 16 skipping to change at page 11, line 27
-- --
spdLocalConfigObjects OBJECT IDENTIFIER spdLocalConfigObjects OBJECT IDENTIFIER
::= { spdConfigObjects 1 } ::= { spdConfigObjects 1 }
spdIngressPolicyGroupName OBJECT-TYPE spdIngressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the policy group containing the "This object indicates the global system policy group that
global system policy that is to be applied on ingress is to be applied on ingress packets (I.E., arriving at a
packets (I.E., arriving at a interface) when a given interface) when a given endpoint does not contain a policy
endpoint does not contain a policy definition in the definition in the spdEndpointToGroupTable. Its value can be
spdEndpointToGroupTable. Its value can be used as an index used as an index into the spdGroupContentsTable to retrieve
into the spdGroupContentsTable to retrieve a list of a list of policies. A zero length string indicates no
policies. A zero length string indicates no system wide system wide policy exists and the default policy of 'drop'
policy exits and the default policy of 'drop' should be should be executed for ingress packets until one is imposed
executed for ingress packets until one is imposed by either by either this object or by the endpoint processing a given
this object or by the endpoint processing a given packet." packet."
::= { spdLocalConfigObjects 1 } ::= { spdLocalConfigObjects 1 }
spdEgressPolicyGroupName OBJECT-TYPE spdEgressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the policy group containing the "This object indicates the policy group containing the
global system policy that is to be applied on egress global system policy that is to be applied on egress
packets (I.E., leaving an interface) when a given endpoint packets (I.E., leaving an interface) when a given endpoint
skipping to change at page 11, line 50 skipping to change at page 12, line 13
policy exits and the default policy of 'drop' should be policy exits and the default policy of 'drop' should be
executed for egress packets until one is imposed by either executed for egress packets until one is imposed by either
this object or by the endpoint processing a given packet." this object or by the endpoint processing a given packet."
::= { spdLocalConfigObjects 2 } ::= { spdLocalConfigObjects 2 }
spdEndpointToGroupTable OBJECT-TYPE spdEndpointToGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdEndpointToGroupEntry SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table is used to map policy (groupings) onto an "This table maps policies (groupings) onto an endpoint where
endpoint where traffic is to pass by. Any policy group traffic is to pass by. Any policy group assigned to an
assigned to an endpoint is then used to control access endpoint is then used to control access to the traffic
to the traffic passing by it. passing by it.
If an endpoint has been configured with a policy group If an endpoint has been configured with a policy group and
and no contained rule matches the ingress packet, the no rule within that policy group matches the ingress packet,
default action in this case shall be to drop the packet. the default action in this case shall be to drop the packet.
If no policy group has been assigned to an endpoint, If no policy group has been assigned to an endpoint, then
then the policy group specified by the policy group specified by spdSystemPolicyGroupName
spdSystemPolicyGroupName should be used for the MUST be used for the endpoint."
endpoint."
::= { spdConfigObjects 2 } ::= { spdConfigObjects 2 }
spdEndpointToGroupEntry OBJECT-TYPE spdEndpointToGroupEntry OBJECT-TYPE
SYNTAX SpdEndpointToGroupEntry SYNTAX SpdEndpointToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A mapping assigning a policy group to an endpoint." "A mapping assigning a policy group to an endpoint."
INDEX { spdEndGroupDirection, spdEndGroupIdentType, INDEX { spdEndGroupDirection, spdEndGroupIdentType,
spdEndGroupAddress } spdEndGroupAddress }
skipping to change at page 13, line 26 skipping to change at page 13, line 36
Values of unknown, ipv4z, ipv6z and dns are not legal Values of unknown, ipv4z, ipv6z and dns are not legal
values for this object." values for this object."
::= { spdEndpointToGroupEntry 2 } ::= { spdEndpointToGroupEntry 2 }
spdEndGroupAddress OBJECT-TYPE spdEndGroupAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The address of a given endpoint, the format of which is "The address of a given endpoint. The format of this object
specified by the spdEndGroupIdentType object. is specified by the spdEndGroupIdentType object.
Note: Since spdEndGroupIdentType currently only allows IPv4 Note: Since spdEndGroupIdentType currently only allows IPv4
and IPv6 address this value should be either 4 or 16 octets and IPv6 address this value should be either 4 or 16 octets
long. But Implementors should be aware that if the size of long. But Implementors should be aware that if the size of
spdEndGroupAddress ever exceeds 115 octets, column instance spdEndGroupAddress ever exceeds 115 octets, column instance
OIDs in this table will have more than 128 sub-identifiers OIDs in this table will have more than 128 sub-identifiers
and will be unaccessible using SNMPv1, SNMPv2c, or SNMPv3." and will be unaccessible using SNMPv1, SNMPv2c, or SNMPv3."
::= { spdEndpointToGroupEntry 3 } ::= { spdEndpointToGroupEntry 3 }
spdEndGroupName OBJECT-TYPE spdEndGroupName OBJECT-TYPE
skipping to change at page 15, line 4 skipping to change at page 15, line 14
-- --
-- policy group definition table -- policy group definition table
-- --
spdGroupContentsTable OBJECT-TYPE spdGroupContentsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdGroupContentsEntry SYNTAX SEQUENCE OF SpdGroupContentsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of rules and/or subgroups "This table contains a list of rules and/or subgroups
contained within a given policy group. The entries are contained within a given policy group. For a given value
sorted by the spdGroupContPriority object and MUST be of spdGroupContName, the set of rows sharing that value
executed in order according to this value, starting with forms a 'group'. The rows in a group MUST be processed
the lowest value. Once a group item has been processed, according to the value of the spdGroupContPriority object.
the processor MUST stop processing this packet if an action The processing MUST be executed starting with the lowest
was executed as a result of the processing of a given value of spdGroupContPriority and in ascending order
group. Iterating into the next policy group item by thereafter.
If an action is executed as the result of the procesing of
a row in a group, the processing of further rows in that
group MUST stop. Iterating to the next policy group row by
finding the next largest spdGroupContPriority object shall finding the next largest spdGroupContPriority object shall
only be done if no actions were run when processing the only be done if no actions were run while processing the
last item for a given packet." current row for a given packet."
::= { spdConfigObjects 3 } ::= { spdConfigObjects 3 }
spdGroupContentsEntry OBJECT-TYPE spdGroupContentsEntry OBJECT-TYPE
SYNTAX SpdGroupContentsEntry SYNTAX SpdGroupContentsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines a given sub-component within a policy group. A "Defines a given sub-component within a policy group. A
sub-component is either a rule or another group as sub-component is either a rule or another group as
indicated by spdGroupContCompontentType and referenced by indicated by spdGroupContCompontentType and referenced by
skipping to change at page 15, line 38 skipping to change at page 16, line 4
SpdGroupContentsEntry ::= SEQUENCE { SpdGroupContentsEntry ::= SEQUENCE {
spdGroupContName SnmpAdminString, spdGroupContName SnmpAdminString,
spdGroupContPriority Integer32, spdGroupContPriority Integer32,
spdGroupContFilter VariablePointer, spdGroupContFilter VariablePointer,
spdGroupContComponentType INTEGER, spdGroupContComponentType INTEGER,
spdGroupContComponentName SnmpAdminString, spdGroupContComponentName SnmpAdminString,
spdGroupContLastChanged TimeStamp, spdGroupContLastChanged TimeStamp,
spdGroupContStorageType StorageType, spdGroupContStorageType StorageType,
spdGroupContRowStatus RowStatus spdGroupContRowStatus RowStatus
} }
spdGroupContName OBJECT-TYPE spdGroupContName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The administrative name of this group." "The administrative name of this group. A 'group' is formed
by all the rows in this table that have the same value of
this object."
::= { spdGroupContentsEntry 1 } ::= { spdGroupContentsEntry 1 }
spdGroupContPriority OBJECT-TYPE spdGroupContPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority (sequence number) of the sub-component in "The priority (sequence number) of the sub-component in
this group." this group."
::= { spdGroupContentsEntry 2 } ::= { spdGroupContentsEntry 2 }
skipping to change at page 16, line 38 skipping to change at page 17, line 5
This MIB defines the following tables and scalars which This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may may be pointed to by this column. Implementations may
choose to provide support for other filter tables or choose to provide support for other filter tables or
scalars as well: scalars as well:
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
spdIpsoHeaderFilterTable
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an VariablePointer is not supported at all, then an
inconsistentValue exception should be returned." inconsistentValue exception should be returned."
DEFVAL { spdTrueFilterInstance } DEFVAL { spdTrueFilterInstance }
::= { spdGroupContentsEntry 3 } ::= { spdGroupContentsEntry 3 }
skipping to change at page 18, line 8 skipping to change at page 18, line 24
spdGroupContRowStatus OBJECT-TYPE spdGroupContRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object may not be set to active until the row to This object may not be set to active until the row to which
which the spdGroupContComponentName points to exists." the spdGroupContComponentName points to exists and is
active.
If active, this object MUST remain active unless one of the
following two conditions are met:
I. No active row in spdEndpointToGroupTable exists which
references this row's group (i.e. indicate this row's
spdGroupContName).
II. Or at least one other active row in this table has a
matching spdGroupContName.
If neither condition is met, an attempt to set this row to
something other than active should result in an
inconsistentValue error."
::= { spdGroupContentsEntry 8 } ::= { spdGroupContentsEntry 8 }
-- --
-- policy definition table -- policy definition table
-- --
spdRuleDefinitionTable OBJECT-TYPE spdRuleDefinitionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdRuleDefinitionEntry SYNTAX SEQUENCE OF SpdRuleDefinitionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table defines a policy rule by associating a filter "This table defines a rule by associating a filter
or a set of filters to an action to be executed." or a set of filters to an action to be executed."
::= { spdConfigObjects 4 } ::= { spdConfigObjects 4 }
spdRuleDefinitionEntry OBJECT-TYPE spdRuleDefinitionEntry OBJECT-TYPE
SYNTAX SpdRuleDefinitionEntry SYNTAX SpdRuleDefinitionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row defining a particular policy definition. A rule "A row defining a particular rule definition. A rule
definition binds a filter pointer to an action pointer." definition binds a filter pointer to an action pointer."
INDEX { spdRuleDefName } INDEX { spdRuleDefName }
::= { spdRuleDefinitionTable 1 } ::= { spdRuleDefinitionTable 1 }
SpdRuleDefinitionEntry ::= SEQUENCE { SpdRuleDefinitionEntry ::= SEQUENCE {
spdRuleDefName SnmpAdminString, spdRuleDefName SnmpAdminString,
spdRuleDefDescription SnmpAdminString, spdRuleDefDescription SnmpAdminString,
spdRuleDefFilter VariablePointer, spdRuleDefFilter VariablePointer,
spdRuleDefFilterNegated TruthValue, spdRuleDefFilterNegated TruthValue,
spdRuleDefAction VariablePointer, spdRuleDefAction VariablePointer,
skipping to change at page 19, line 26 skipping to change at page 20, line 9
DEFVAL { "" } DEFVAL { "" }
::= { spdRuleDefinitionEntry 2 } ::= { spdRuleDefinitionEntry 2 }
spdRuleDefFilter OBJECT-TYPE spdRuleDefFilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdRuleDefFilter points to a filter which is used to "spdRuleDefFilter points to a filter which is used to
evaluate whether the action associated with this row should evaluate whether the action associated with this row should
be fired or not. The action will only fire if the filter be executed or not. The action will only fire if the
referenced by this object evaluates to TRUE after first filter referenced by this object evaluates to TRUE after
applying any negation required by the first applying any negation required by the
spdRuleDefFilterNegated object. spdRuleDefFilterNegated object.
This MIB defines the following tables and scalars which This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may may be pointed to by this column. Implementations may
choose to provide support for other filter tables or choose to provide support for other filter tables or
scalars as well: scalars as well:
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
skipping to change at page 20, line 44 skipping to change at page 21, line 27
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error an otherwise supported table, an inconsistentName error
should be returned." should be returned."
::= { spdRuleDefinitionEntry 5 } ::= { spdRuleDefinitionEntry 5 }
spdRuleDefAdminStatus OBJECT-TYPE spdRuleDefAdminStatus OBJECT-TYPE
SYNTAX SpdAdminStatus SYNTAX SpdAdminStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the current rule definition should be "Indicates whether the current rule definition is considered
considered active. If enabled, it should be evaluated active. If the value is enabled the rule MUST be evaluated
when processing packets. If disabled, packets should when processing packets. If the value is disabled, the
continue to be processed by the rest of the rules packet processing MUST continue as if this rule's filter
defined in the spdGroupContentsTable as if this rule's had effectively failed."
filters had effectively failed."
DEFVAL { enabled } DEFVAL { enabled }
::= { spdRuleDefinitionEntry 6 } ::= { spdRuleDefinitionEntry 6 }
spdRuleDefLastChanged OBJECT-TYPE spdRuleDefLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdRuleDefinitionEntry 7 } ::= { spdRuleDefinitionEntry 7 }
skipping to change at page 21, line 38 skipping to change at page 22, line 20
spdRuleDefRowStatus OBJECT-TYPE spdRuleDefRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object may not be set to active until the This object may not be set to active until the containing
containing contitions, filters and actions have been conditions, filters and actions have been defined. Once
defined. Once active, it must remain active until no active, it must remain active until no active
policyGroupContents entries are referencing it." policyGroupContents entries are referencing it. A failed
attempt to do so should return an inconsistentValue error."
::= { spdRuleDefinitionEntry 9 } ::= { spdRuleDefinitionEntry 9 }
-- --
-- Policy compound filter definition table -- Policy compound filter definition table
-- --
spdCompoundFilterTable OBJECT-TYPE spdCompoundFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundFilterEntry SYNTAX SEQUENCE OF SpdCompoundFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A table defining a compound set of filters and their "A table defining a compound set of filters and the set's
associated parameters. A row in this table can either associated parameters. A row in this table can be pointed
be pointed to by a spdRuleDefFilter object or by a to by a spdRuleDefFilter object."
ficSubFilter object."
::= { spdConfigObjects 5 } ::= { spdConfigObjects 5 }
spdCompoundFilterEntry OBJECT-TYPE spdCompoundFilterEntry OBJECT-TYPE
SYNTAX SpdCompoundFilterEntry SYNTAX SpdCompoundFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry in the spdCompoundFilterTable. A filter "An entry in the spdCompoundFilterTable. A filter
defined by this table is considered to have a TRUE defined by this table is considered to have a TRUE return
return value if and only if: value if and only if:
spdCompFiltLogicType is AND and all of the sub-filters spdCompFiltLogicType is AND and all of the sub-filters
associated with it, as defined in the spdSubfiltersTable, associated with it, as defined in the spdSubfiltersTable,
are all true themselves (after applying any required are all true themselves (after applying any required
negation as defined by the ficFilterIsNegated object). negation as defined by the ficFilterIsNegated object).
spdCompFiltLogicType is OR and at least one of the spdCompFiltLogicType is OR and at least one of the
sub-filters associated with it, as defined in the sub-filters associated with it, as defined in the
spdSubfiltersTable, is true itself (after applying any spdSubfiltersTable, is true itself (after applying any
required negation as defined by the ficFilterIsNegated required negation as defined by the ficFilterIsNegated
skipping to change at page 24, line 34 skipping to change at page 25, line 14
"This table defines a list of filters contained within a "This table defines a list of filters contained within a
given compound filter set defined in the given compound filter set defined in the
spdCompoundFilterTable." spdCompoundFilterTable."
::= { spdConfigObjects 6 } ::= { spdConfigObjects 6 }
spdSubfiltersEntry OBJECT-TYPE spdSubfiltersEntry OBJECT-TYPE
SYNTAX SpdSubfiltersEntry SYNTAX SpdSubfiltersEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry into the list of filters for a given compound "An entry in a list of filters for a given compound
filter." filter. A list is formed by the set of rows in this table
that share the same value of spdCompFiltName. There will
also be an associated row in the spdCompoundFilterTable
with parameters specific to the filter set."
INDEX { spdCompFiltName, spdSubFiltPriority } INDEX { spdCompFiltName, spdSubFiltPriority }
::= { spdSubfiltersTable 1 } ::= { spdSubfiltersTable 1 }
SpdSubfiltersEntry ::= SEQUENCE { SpdSubfiltersEntry ::= SEQUENCE {
spdSubFiltPriority Integer32, spdSubFiltPriority Integer32,
spdSubFiltSubfilter VariablePointer, spdSubFiltSubfilter VariablePointer,
spdSubFiltSubfilterIsNegated TruthValue, spdSubFiltSubfilterIsNegated TruthValue,
spdSubFiltLastChanged TimeStamp, spdSubFiltLastChanged TimeStamp,
spdSubFiltStorageType StorageType, spdSubFiltStorageType StorageType,
spdSubFiltRowStatus RowStatus spdSubFiltRowStatus RowStatus
} }
spdSubFiltPriority OBJECT-TYPE spdSubFiltPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority of a given filter within a condition. "The priority of a given filter within a set of filters.
Implementations MAY choose to follow the ordering The order of execution should be from lowest to highest
indicated by the manager that created the rows in order priority value. Implementations MAY choose to follow this
to allow the manager to intelligently construct filter ordering as set by the manager that created the rows. This
lists such that faster filters are evaluated first." can allow a manager to intelligently construct filter lists
such that faster filters are evaluated first."
::= { spdSubfiltersEntry 1 } ::= { spdSubfiltersEntry 1 }
spdSubFiltSubfilter OBJECT-TYPE spdSubFiltSubfilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The location of the contained filter. The value of this "The location of the contained filter. The value of this
column should be a VariablePointer which references the column should be a VariablePointer which references the
properties for the filter to be included in this compound properties for the filter to be included in this compound
skipping to change at page 25, line 48 skipping to change at page 26, line 32
VariablePointer is not supported at all, then an VariablePointer is not supported at all, then an
inconsistentValue exception should be returned." inconsistentValue exception should be returned."
::= { spdSubfiltersEntry 2 } ::= { spdSubfiltersEntry 2 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE spdSubFiltSubfilterIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the result of applying this subfilter "Indicates whether the result of applying this subfilter
should be negated or not." should be negated."
DEFVAL { false } DEFVAL { false }
::= { spdSubfiltersEntry 3 } ::= { spdSubfiltersEntry 3 }
spdSubFiltLastChanged OBJECT-TYPE spdSubFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdSubfiltersEntry 4 } ::= { spdSubfiltersEntry 4 }
skipping to change at page 26, line 38 skipping to change at page 27, line 22
spdSubFiltRowStatus OBJECT-TYPE spdSubFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object can not be made active until the filter This object can not be made active until a filter
referenced by the ficSubFilter object is both defined referenced by the spdSubFiltSubfilter object is both
and is active. An attempt to do so will result in an defined and is active. An attempt to do so will result in
inconsistentValue error. an inconsistentValue error.
If active, this object must remain active unless one of the If active, this object MUST remain active unless one of the
following two conditions are met. An attempt to set it to following two conditions are met:
anything other than active while the following conditions
are not met will result in an inconsistentValue error. The
two conditions are:
I. No active row in the SpdCompoundFilterTable exists I. No active row in the SpdCompoundFilterTable exists
which has a matching spdCompFiltName. which has a matching spdCompFiltName.
II. Or at least one other active row in this table has a II. Or at least one other active row in this table has a
matching spdCompFiltName." matching spdCompFiltName.
If neither condition is met, an attempt to set this row to
something other than active should result in an
inconsistentValue error."
::= { spdSubfiltersEntry 6 } ::= { spdSubfiltersEntry 6 }
-- --
-- Static Filters -- Static Filters
-- --
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 } spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE spdTrueFilter OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32
skipping to change at page 27, line 37 skipping to change at page 28, line 22
-- Policy IP Offset filter definition table -- Policy IP Offset filter definition table
-- --
spdIpOffsetFilterTable OBJECT-TYPE spdIpOffsetFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of filter definitions to be "This table contains a list of filter definitions to be
used within the spdRuleDefinitionTable or the used within the spdRuleDefinitionTable or the
spdSubfiltersTable." spdSubfiltersTable.
This filter is used to compare an administrator set
variable length octet string to the octets at a particular
location in a packet."
::= { spdConfigObjects 8 } ::= { spdConfigObjects 8 }
spdIpOffsetFilterEntry OBJECT-TYPE spdIpOffsetFilterEntry OBJECT-TYPE
SYNTAX SpdIpOffsetFilterEntry SYNTAX SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A definition of a particular filter." "A definition of a particular filter."
INDEX { spdIpOffFiltName } INDEX { spdIpOffFiltName }
::= { spdIpOffsetFilterTable 1 } ::= { spdIpOffsetFilterTable 1 }
skipping to change at page 28, line 44 skipping to change at page 29, line 33
arithmeticLess(3), arithmeticLess(3),
arithmeticGreaterOrEqual(4), arithmeticGreaterOrEqual(4),
arithmeticGreater(5), arithmeticGreater(5),
arithmeticLessOrEqual(6) } arithmeticLessOrEqual(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This defines the various tests that are used when "This defines the various tests that are used when
evaluating a given filter. evaluating a given filter.
Once a row is 'active', this object's value may not be
changed unless the column, spdIpOffFiltValue, has been
appropriately configured.
The various tests definable in this table are as follows: The various tests definable in this table are as follows:
equal: equal:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', matches - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
a value in the packet starting at the given offset in a value in the packet starting at the given offset in
the packet and comparing the entire OCTET STRING of the packet and comparing the entire OCTET STRING of
'spdIpOffFiltValue'. Any numeric values compared this 'spdIpOffFiltValue'. Any numeric values compared this
way are assumed to be unsigned integer values in way are assumed to be unsigned integer values in
network byte order of the same length as network byte order of the same length as
'spdIpOffFiltValue'. 'spdIpOffFiltValue'.
skipping to change at page 30, line 4 skipping to change at page 30, line 36
arithmeticLessOrEqual: arithmeticLessOrEqual:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', is - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
arithmetically less than or equal to ('<=') the value arithmetically less than or equal to ('<=') the value
starting at the given offset within the packet. The starting at the given offset within the packet. The
value in the packet is assumed to be an unsigned value in the packet is assumed to be an unsigned
integer in network byte order of the same length as integer in network byte order of the same length as
'spdIpOffFiltValue'." 'spdIpOffFiltValue'."
::= { spdIpOffsetFilterEntry 3 } ::= { spdIpOffsetFilterEntry 3 }
spdIpOffFiltValue OBJECT-TYPE spdIpOffFiltValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024)) SYNTAX OCTET STRING (SIZE(1..1024))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdIpOffFiltValue is used for match comparisons of a "spdIpOffFiltValue is used for match comparisons of a
packet at spdIpOffFiltOffset. This object is only used packet at spdIpOffFiltOffset. This object is only used
if one of the match types is chosen in if one of the match types is chosen in
spdIpOffFiltType." spdIpOffFiltType."
::= { spdIpOffsetFilterEntry 4 } ::= { spdIpOffsetFilterEntry 4 }
spdIpOffFiltLastChanged OBJECT-TYPE spdIpOffFiltLastChanged OBJECT-TYPE
skipping to change at page 30, line 46 skipping to change at page 31, line 30
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpOffsetFilterEntry 6 } ::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE spdIpOffFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
This object may not be set to active if the requirements
of the spdIpOffFiltType object are not met. In other
words, if the associated value columns needed by a
particular test have not been set, then attempting to
change this row to an active state will result in an
inconsistentValue error. See the spdIpOffFiltType
object description for further details.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
::= { spdIpOffsetFilterEntry 7 } ::= { spdIpOffsetFilterEntry 7 }
-- --
-- Time/scheduling filter table -- Time/scheduling filter table
-- --
skipping to change at page 31, line 27 skipping to change at page 32, line 4
spdTimeFilterTable OBJECT-TYPE spdTimeFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdTimeFilterEntry SYNTAX SEQUENCE OF SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines a table of filters which can be used to "Defines a table of filters which can be used to
effectively enable or disable policies based on a valid effectively enable or disable policies based on a valid
time range." time range."
::= { spdConfigObjects 9 } ::= { spdConfigObjects 9 }
spdTimeFilterEntry OBJECT-TYPE spdTimeFilterEntry OBJECT-TYPE
SYNTAX SpdTimeFilterEntry SYNTAX SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row describing a given time frame for which a policy "A row describing a given time frame for which a policy
may be filtered on to place the rule active or may be filtered on to place the rule active or
inactive." inactive.
If all the column objects in a row are true for the current
time, the row evaluates as 'true'. More explicitly, the
time matching column objects in a row MUST be logically
AND'd together to form the boolean true/false for the row."
INDEX { spdTimeFiltName } INDEX { spdTimeFiltName }
::= { spdTimeFilterTable 1 } ::= { spdTimeFilterTable 1 }
SpdTimeFilterEntry ::= SEQUENCE { SpdTimeFilterEntry ::= SEQUENCE {
spdTimeFiltName SnmpAdminString, spdTimeFiltName SnmpAdminString,
spdTimeFiltPeriodStart DateAndTime, spdTimeFiltPeriodStart DateAndTime,
spdTimeFiltPeriodEnd DateAndTime, spdTimeFiltPeriodEnd DateAndTime,
spdTimeFiltMonthOfYearMask BITS, spdTimeFiltMonthOfYearMask BITS,
spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfMonthMask OCTET STRING,
spdTimeFiltDayOfWeekMask BITS, spdTimeFiltDayOfWeekMask BITS,
spdTimeFiltStartTimeOfDayMask DateAndTime, spdTimeFiltTimeOfDayMaskStart DateAndTime,
spdTimeFiltStopTimeOfDayMask DateAndTime, spdTimeFiltTimeOfDayMaskEnd DateAndTime,
spdTimeFiltLastChanged TimeStamp, spdTimeFiltLastChanged TimeStamp,
spdTimeFiltStorageType StorageType, spdTimeFiltStorageType StorageType,
spdTimeFiltRowStatus RowStatus spdTimeFiltRowStatus RowStatus
} }
spdTimeFiltName OBJECT-TYPE spdTimeFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An administratively assigned name for this filter." "An administratively assigned name for this filter."
::= { spdTimeFilterEntry 1 } ::= { spdTimeFilterEntry 1 }
spdTimeFiltPeriodStart OBJECT-TYPE spdTimeFiltPeriodStart OBJECT-TYPE
SYNTAX DateAndTime SYNTAX DateAndTime
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The starting time period for this filter. In addition "The starting time for this filter. This column is
to a normal DateAndTime string, this object may be set considered 'true' if the current time evaluates as later
to the OCTET STRING value THISANDPRIOR which indicates than this object.
that the filter is valid from any time before now up
until (at least) now." Note: the default value of this object is the minimum value
for a DateAndTime object and should evaluate to 'true'
for any realistic time."
DEFVAL { '00000101000000002b0000'H } DEFVAL { '00000101000000002b0000'H }
::= { spdTimeFilterEntry 2 } ::= { spdTimeFilterEntry 2 }
spdTimeFiltPeriodEnd OBJECT-TYPE spdTimeFiltPeriodEnd OBJECT-TYPE
SYNTAX DateAndTime SYNTAX DateAndTime
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The ending time period for this filter. In addition to "The ending time for this filter. This column is considered
a normal DateAndTime string, this object may be set to 'true' if the current time evaluates as previous to this
the OCTET STRING value THISANDFUTURE which indicates object.
that the filter is valid without an ending date and/or
time." Note: the default value for this object is the maximum value
for a DateAndTime object and should evaluate to 'true' for
any realistic time."
DEFVAL { '99991231235959092b0000'H } DEFVAL { '99991231235959092b0000'H }
::= { spdTimeFilterEntry 3 } ::= { spdTimeFilterEntry 3 }
spdTimeFiltMonthOfYearMask OBJECT-TYPE spdTimeFiltMonthOfYearMask OBJECT-TYPE
SYNTAX BITS { january(0), february(1), march(2), SYNTAX BITS { january(0), february(1), march(2),
april(3), may(4), june(5), july(6), april(3), may(4), june(5), july(6),
august(7), september(8), october(9), august(7), september(8), october(9),
november(10), december(11) } november(10), december(11) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which overlays the spdTimeFiltPeriodStart to "A bit mask which indicates acceptable months of the year.
spdTimeFiltPeriodEnd date range to further restrict the This column evaluates to 'true' if the current month's bit
time period to a restricted set of months of the year." is set."
DEFVAL { { january, february, march, april, may, june, july, DEFVAL { { january, february, march, april, may, june, july,
august, september, october, november, december } } august, september, october, november, december } }
::= { spdTimeFilterEntry 4 } ::= { spdTimeFilterEntry 4 }
spdTimeFiltDayOfMonthMask OBJECT-TYPE spdTimeFiltDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(4)) SYNTAX OCTET STRING (SIZE(4))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines which days of the month this time period is "Defines which days of the month the current time is
valid for. It is a sequence of 32 BITS, where each BIT valid for. It is a sequence of 32 BITS, where each BIT
represents a corresponding day of the month starting represents a corresponding day of the month starting from
from the left most bit being equal to the first day of the left most bit which is equal to the first day of the
the month. The last bit in the string MUST be zero." month. The last bit in the string MUST be zero. This
column evaluates to 'true' if the current day of the
month's bit is set."
DEFVAL { 'fffffffe'H } DEFVAL { 'fffffffe'H }
::= { spdTimeFilterEntry 5 } ::= { spdTimeFilterEntry 5 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE spdTimeFiltDayOfWeekMask OBJECT-TYPE
SYNTAX BITS { monday(0), tuesday(1), wednesday(2), SYNTAX BITS { monday(0), tuesday(1), wednesday(2),
thursday(3), friday(4), saturday(5), thursday(3), friday(4), saturday(5),
sunday(6) } sunday(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which overlays the spdTimeFiltPeriodStart to "A bit mask which defines which days of the week the current
spdTimeFiltPeriodEnd date range to further restrict the time is valid for. This column evaluates to 'true' if the
time period to a restricted set of days within a given current day of the week's bit is set."
week."
DEFVAL { { monday, tuesday, wednesday, thursday, friday, DEFVAL { { monday, tuesday, wednesday, thursday, friday,
saturday, sunday } } saturday, sunday } }
::= { spdTimeFilterEntry 6 } ::= { spdTimeFilterEntry 6 }
spdTimeFiltStartTimeOfDayMask OBJECT-TYPE spdTimeFiltTimeOfDayMaskStart OBJECT-TYPE
SYNTAX DateAndTime SYNTAX DateAndTime
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates the starting time of day for which this filter "Indicates the starting time of day for which this filter
evaluates to true. The date portions of the DateAndTime evaluates to true. The date portions of the DateAndTime TC
TC are ignored for purposes of evaluating this mask and are ignored for purposes of evaluating this mask and only
only the time specific portions are used." the time specific portions are used.
This column evaluates to 'true' in two cases. It is 'true'
if the current time of day is later than the time of day
indicated by this object. It is also 'true' if this object
is equal to the spdTimeFiltTimeOfDayMaskEnd object."
DEFVAL { '00000000000000002b0000'H } DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 7 } ::= { spdTimeFilterEntry 7 }
spdTimeFiltStopTimeOfDayMask OBJECT-TYPE spdTimeFiltTimeOfDayMaskEnd OBJECT-TYPE
SYNTAX DateAndTime SYNTAX DateAndTime
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates the ending time of day for which this filter "Indicates the ending time of day for which this filter
evaluates to true. The date portions of the DateAndTime TC evaluates to true. The date portions of the DateAndTime TC
are ignored for purposes of evaluating this mask and only are ignored for purposes of evaluating this mask and only
the time specific portions are used. If this starting and the time specific portions are used.
ending time values indicated by the
spdTimeFiltStartTimeOfDayMask and This column evaluates to 'true' in two cases. It is 'true'
spdTimeFiltStopTimeOfDayMask objects are equal, the filter if the current time of day is previous to the time of day
is expected to be evaluated over the entire 24 hour indicated by this object. It is also 'true' if this object
period." is equal to the spdTimeFiltTimeOfDayMaskStart object."
DEFVAL { '00000000000000002b0000'H } DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 8 } ::= { spdTimeFilterEntry 8 }
spdTimeFiltLastChanged OBJECT-TYPE spdTimeFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
skipping to change at page 34, line 50 skipping to change at page 35, line 40
::= { spdTimeFilterEntry 10 } ::= { spdTimeFilterEntry 10 }
spdTimeFiltRowStatus OBJECT-TYPE spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this "This object indicates the conceptual status of this
row. row.
Any attempt to set this row to active when the
spdTimeFiltTimeOfDayMaskEnd object is earlier than
spdTimeFiltTimeOfDayMaskStart object should fail with an
inconsistentValue error. Although, setting these objects
to the same value is allowed.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
::= { spdTimeFilterEntry 11 } ::= { spdTimeFilterEntry 11 }
-- --
-- IPSO protection authority filtering -- IPSO protection authority filtering
-- --
spdIpsoHeaderFilterTable OBJECT-TYPE spdIpsoHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of IPSO header filter "This table contains a list of IPSO header filter
skipping to change at page 35, line 22 skipping to change at page 36, line 17
spdIpsoHeaderFilterTable OBJECT-TYPE spdIpsoHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of IPSO header filter "This table contains a list of IPSO header filter
definitions to be used within the spdRuleDefinitionTable or definitions to be used within the spdRuleDefinitionTable or
the spdSubfiltersTable. IPSO headers and their values are the spdSubfiltersTable. IPSO headers and their values are
described in RFC1108." described in RFC1108."
REFERENCE "RFC 1108"
::= { spdConfigObjects 10 } ::= { spdConfigObjects 10 }
spdIpsoHeaderFilterEntry OBJECT-TYPE spdIpsoHeaderFilterEntry OBJECT-TYPE
SYNTAX SpdIpsoHeaderFilterEntry SYNTAX SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A definition of a particular filter." "A definition of a particular filter."
INDEX { spdIpsoHeadFiltName } INDEX { spdIpsoHeadFiltName }
::= { spdIpsoHeaderFilterTable 1 } ::= { spdIpsoHeaderFilterTable 1 }
skipping to change at page 36, line 9 skipping to change at page 37, line 5
DESCRIPTION DESCRIPTION
"The administrative name for this filter." "The administrative name for this filter."
::= { spdIpsoHeaderFilterEntry 1 } ::= { spdIpsoHeaderFilterEntry 1 }
spdIpsoHeadFiltType OBJECT-TYPE spdIpsoHeadFiltType OBJECT-TYPE
SYNTAX BITS { classificationLevel(0), SYNTAX BITS { classificationLevel(0),
protectionAuthority(1) } protectionAuthority(1) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IPSO header fields to match the value against." "This object indicates which of the IPSO header field a
packet should be filtered on for this row. If this object
is set to classification(0), the
spdIpsoHeadFiltClassification object indicates how the
packet is filtered. If this object is set to
protectionAuthority(1), the spdIpsoHeadFiltProtectionAuth
object indicates how the packet is filtered."
::= { spdIpsoHeaderFilterEntry 2 } ::= { spdIpsoHeaderFilterEntry 2 }
spdIpsoHeadFiltClassification OBJECT-TYPE spdIpsoHeadFiltClassification OBJECT-TYPE
SYNTAX INTEGER { topSecret(61), secret(90), SYNTAX INTEGER { topSecret(61), secret(90),
confidential(150), unclassified(171) } confidential(150), unclassified(171) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IPSO classification header field value must match "This object indicates the IPSO classification header field
the value in this column if the classificationLevel bit value that the packet must have for this row to evaluate to
is set in the spdIpsoHeadFiltType field. 'true'.
The values of these enumerations are defined by The values of these enumerations are defined by RFC1108."
RFC1108." REFERENCE "RFC 1108"
::= { spdIpsoHeaderFilterEntry 3 } ::= { spdIpsoHeaderFilterEntry 3 }
spdIpsoHeadFiltProtectionAuth OBJECT-TYPE spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
SYNTAX INTEGER { genser(0), siopesi(1), sci(2), SYNTAX INTEGER { genser(0), siopesi(1), sci(2),
nsa(3), doe(4) } nsa(3), doe(4) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IPSO protection authority header field value must "This object indicates the IPSO protection authority header
match the value in this column if the protection authority field value that the packet must have for this row to
bit is set in the spdIpsoHeadFiltType field. evaluate to 'true'.
The values of these enumerations are defined by RFC1108. The values of these enumerations are defined by RFC1108.
Hence the reason the SMIv2 convention of not using 0 in Hence the reason the SMIv2 convention of not using 0 in enum
enum lists is violated here." lists is violated here."
REFERENCE "RFC 1108"
::= { spdIpsoHeaderFilterEntry 4 } ::= { spdIpsoHeaderFilterEntry 4 }
spdIpsoHeadFiltLastChanged OBJECT-TYPE spdIpsoHeadFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
skipping to change at page 37, line 25 skipping to change at page 38, line 28
::= { spdIpsoHeaderFilterEntry 6 } ::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE spdIpsoHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
This object may not be set to active if the requirements of This object may not be set to active if the requirements of
the spdIpsoHeadFiltType object are not met. In other the spdIpsoHeadFiltType object are not met. Specifically,
words, if the associated value columns needed by a if the spdIpsoHeadFiltType is classification(0), the
particular test have not been set, then attempting to spdIpsoHeadFiltClassification column MUST have a valid
change this row to an active state will result in an value for row status to be set to active. If the
inconsistentValue error. See the spdIpsoHeadFiltType spdIpsoHeadFiltType is set to protectionAuthority(1), the
object description for further details. spdIpsoHeadFiltProtectionAuth column MUST have a valid
value for row status to be set to active.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
::= { spdIpsoHeaderFilterEntry 7 } ::= { spdIpsoHeaderFilterEntry 7 }
-- --
-- compound actions table -- compound actions table
-- --
spdCompoundActionTable OBJECT-TYPE spdCompoundActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundActionEntry SYNTAX SEQUENCE OF SpdCompoundActionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Table used to allow multiple actions to be associated "Table used to allow multiple actions to be associated
with a rule. It uses the spdSubactionsTable to do with a rule. It uses the spdSubactionsTable to do this.
this." The rows from spdSubactionsTable that are partially indexed
by spdCompActName form the set of compound actions to be
performed. The spdCompActExecutionStrategy column in this
table indicates how those actions are processed."
::= { spdConfigObjects 11 } ::= { spdConfigObjects 11 }
spdCompoundActionEntry OBJECT-TYPE spdCompoundActionEntry OBJECT-TYPE
SYNTAX SpdCompoundActionEntry SYNTAX SpdCompoundActionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row in the spdCompoundActionTable." "A row in the spdCompoundActionTable."
INDEX { spdCompActName } INDEX { spdCompActName }
::= { spdCompoundActionTable 1 } ::= { spdCompoundActionTable 1 }
SpdCompoundActionEntry ::= SEQUENCE { SpdCompoundActionEntry ::= SEQUENCE {
skipping to change at page 41, line 46 skipping to change at page 43, line 7
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdSubactionsEntry 3 } ::= { spdSubactionsEntry 3 }
spdSubActStorageType OBJECT-TYPE spdSubActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a storage
storage type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubactionsEntry 4 } ::= { spdSubactionsEntry 4 }
spdSubActRowStatus OBJECT-TYPE spdSubActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
skipping to change at page 45, line 30 skipping to change at page 46, line 38
DESCRIPTION DESCRIPTION
"Indicates if the packet which triggered the action in "Indicates if the packet which triggered the action in
questions was ingress (inbound) our egress (outbound)." questions was ingress (inbound) our egress (outbound)."
::= { spdNotificationVariables 8 } ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Is the front part of the packet that triggered this "Is the front part of the full IP packet that triggered this
notification. The initial size limit is determined by the notification. The initial size limit is determined by the
smaller of the size indicated by 'SpdIPPacketLogging' and smaller of the size indicated by 'SpdIPPacketLogging' and
the size of the triggering packet. the size of the triggering packet.
The final limit is determined by the SNMP packet size when The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be sending the notification. The maximum size that can be
included will be the smaller of the initial size given included will be the smaller of the initial size given above
above and the length that will fit in a single SNMP and the length that will fit in a single SNMP notification
notification packet after the rest of the notification's packet after the rest of the notification's objects and any
objects and any other necessary packet data (headers other necessary packet data (headers encoding, etc...) has
encoding, etc...) has been included in the packet." been included in the packet."
::= { spdNotificationVariables 9 } ::= { spdNotificationVariables 9 }
spdActionNotification NOTIFICATION-TYPE spdActionNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection } spdPacketDirection }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that an action was executed by a rule. "Notification that an action was executed by a rule.
skipping to change at page 46, line 35 skipping to change at page 47, line 43
spdPacketNotification NOTIFICATION-TYPE spdPacketNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection, spdPacketDirection,
spdPacketPart } spdPacketPart }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that a packet passed through an SA. Only "Notification that a packet passed through a Security
SA's created by actions with packet logging enabled will Association (SA). Only SA's created by actions with packet
result in this notification getting sent. The objects logging enabled will result in this notification getting
sent must include the spdActionExecuted which will sent. The objects sent must include the spdActionExecuted
indicate which action was executed within the scope of which will indicate which action was executed within the
the rule. Additionally, the spdIPSourceType, scope of the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to spdIPDestinationAddress, objects must be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType, that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects spdIPEndpointAddress, and spdPacketDirection objects are
are included to indicate which endpoint the packet was included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is including associated with. Finally, spdPacketPart is including for
for sending a variable sized part of the front of the sending a variable sized part of the front of the packet
packet depending on the value of SpdIPPacketLogging." depending on the value of SpdIPPacketLogging."
::= { spdNotifications 2 } ::= { spdNotifications 2 }
-- --
-- --
-- Conformance information -- Conformance information
-- --
-- --
spdCompliances OBJECT IDENTIFIER spdCompliances OBJECT IDENTIFIER
::= { spdConformanceObjects 1 } ::= { spdConformanceObjects 1 }
spdGroups OBJECT IDENTIFIER spdGroups OBJECT IDENTIFIER
::= { spdConformanceObjects 2 } ::= { spdConformanceObjects 2 }
skipping to change at page 47, line 43 skipping to change at page 49, line 4
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support a system policy group implementations which support a system policy group
name." name."
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound filters." implementations which support compound filters."
GROUP spdIPOffsetFilterGroup GROUP spdIPOffsetFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In implementations which support IP Offset filters. In
general, this SHOULD be supported by a compliant general, this SHOULD be supported by a compliant IPsec
IPsec Policy implementation." Policy implementation."
GROUP spdTimeFilterGroup GROUP spdTimeFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support time filters." implementations which support time filters."
GROUP spdIpsoHeaderFilterGroup GROUP spdIpsoHeaderFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IPSO Header filters." implementations which support IPSO Header filters."
skipping to change at page 50, line 37 skipping to change at page 51, line 45
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound filters." implementations which support compound filters."
GROUP spdIPOffsetFilterGroup GROUP spdIPOffsetFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In implementations which support IP Offset filters. In
general, this SHOULD be supported by a compliant general, this SHOULD be supported by a compliant IPsec
IPsec Policy implementation." Policy implementation."
GROUP spdTimeFilterGroup GROUP spdTimeFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support time filters." implementations which support time filters."
GROUP spdIpsoHeaderFilterGroup GROUP spdIpsoHeaderFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IPSO Header filters." implementations which support IPSO Header filters."
GROUP spdCompoundActionGroup GROUP spdCompoundActionGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound actions." implementations which support compound actions."
skipping to change at page 57, line 33 skipping to change at page 58, line 39
OBJECT spdTimeFiltPeriodStart OBJECT spdTimeFiltPeriodStart
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltRowStatus OBJECT spdTimeFiltRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltStartTimeOfDayMask OBJECT spdTimeFiltTimeOfDayMaskStart
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltStopTimeOfDayMask OBJECT spdTimeFiltTimeOfDayMaskEnd
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltStorageType OBJECT spdTimeFiltStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTrueFilter OBJECT spdTrueFilter
skipping to change at page 60, line 6 skipping to change at page 61, line 13
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of objects from the IPsec Policy IP "This group is made up of objects from the IPsec Policy IP
Offset Filter Table." Offset Filter Table."
::= { spdGroups 7 } ::= { spdGroups 7 }
spdTimeFilterGroup OBJECT-GROUP spdTimeFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd, spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd,
spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask, spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
spdTimeFiltDayOfWeekMask, spdTimeFiltStartTimeOfDayMask, spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMaskStart,
spdTimeFiltStopTimeOfDayMask, spdTimeFiltLastChanged, spdTimeFiltTimeOfDayMaskEnd, spdTimeFiltLastChanged,
spdTimeFiltStorageType, spdTimeFiltRowStatus spdTimeFiltStorageType, spdTimeFiltRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of objects from the IPsec Policy Time "This group is made up of objects from the IPsec Policy Time
Filter Table." Filter Table."
::= { spdGroups 8 } ::= { spdGroups 8 }
spdIpsoHeaderFilterGroup OBJECT-GROUP spdIpsoHeaderFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
skipping to change at page 61, line 39 skipping to change at page 63, line 5
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of all the Notifications for this "This group is made up of all the Notifications for this
MIB." MIB."
::= { spdGroups 13 } ::= { spdGroups 13 }
END END
6. Security Considerations 6. Security Considerations
6.1 Introduction 6.1. Introduction
This document defines a MIB module used to configure IPsec policy This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides security services it is important services. Since IPsec provides network security services, its
that the IPsec configuration data be at least as protected as the configuration data (e.g. this MIB) should be as secure or more secure
IPsec provided security service. There are two main threats you need than any of the security services IPsec provides. There are two main
to thwart when configuring IPsec devices. threats you need to protect against when configuring IPsec devices.
1. Malicious Configuration: only the official administrators should 1. Malicious Configuration: only the official administrators should
be allowed to configure a device. In other words, be allowed to configure a device. In other words,
administrators' identities should be authenticated and their administrators' identities should be authenticated and their
access rights checked before they are allowed to do device access rights checked before they are allowed to do device
configuration. The support for SET operations to the IPSP MIB in configuration. The support for SET operations to the IPSP MIB in
a non-secure environment, without proper protection, can have a a non-secure environment, without proper protection, can have a
negative effect on the security of the network traffic affected negative effect on the security of the network traffic affected
by the IPSP MIB. by the IPSP MIB.
2. Disclosure of Configuration: Malicious parties should not be 2. Disclosure of Configuration: In general, malicious parties should
able to read configuration data while the data is in network not be able to read security configuration data while the data is
transit. Any knowledge about a device's IPsec policy in network transit. In particular, malicious users should be
configuration could help an unfriendly party compromise that prevented from reading SNMP packets containing this MIB's data.
device and/or the network(s) it protects. It is thus important Any knowledge about a device's IPsec policy configuration could
to control even GET access to these objects and possibly to even help an unfriendly party compromise that device and/or the
encrypt the values of these objects when sending them over the network(s) it protects. It is thus important to control even GET
network via SNMP. access to these objects and possibly to even encrypt the values
of these objects when sending them over the network via SNMP.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 do not include adequate security. Even
Even if the network itself is secure (e.g. by using IPsec), earlier if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure versions of SNMP have virtually no control as to who on the secure
network is allowed to access and GET/SET (read/change/create/delete) network is allowed to access (i.e. read/change/create/delete) the
the objects in this MIB module. objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8), provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy). authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
skipping to change at page 63, line 5 skipping to change at page 64, line 14
SNMPv3. This is a real strength, because it allows administrators SNMPv3. This is a real strength, because it allows administrators
the ability to load new IPsec configuration on a device and keep the the ability to load new IPsec configuration on a device and keep the
conversation private and authenticated under the protection of SNMPv3 conversation private and authenticated under the protection of SNMPv3
before any IPsec protections are available. Once initial before any IPsec protections are available. Once initial
establishment of IPsec configuration on a device has been achieved, establishment of IPsec configuration on a device has been achieved,
it would be possible to set up IPsec SAs to then also provide it would be possible to set up IPsec SAs to then also provide
security and integrity services to the configuration conversation. security and integrity services to the configuration conversation.
This may seem redundant at first, but will be shown to have a use for This may seem redundant at first, but will be shown to have a use for
added privacy protection below. added privacy protection below.
6.2 Protecting against in-authentic access 6.2. Protecting against in-authentic access
The current SNMPv3 User Security Model provides for key based user The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys. data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys is not yet provided by standards track documents, for user keys in SNMPv3 is not yet provided by standards track
although RFC2786 defines an experimental method of doing so. documents, although RFC2786 defines an experimental method of doing
so.
6.3 Protecting against involuntary disclosure 6.3. Protecting against involuntary disclosure
While sending IPsec configuration data to a Policy Enforcement Point While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed (PEP), there are a few critical parameters which MUST NOT be observed
by third parties. Specifically, except for public keys, keying by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties. information MUST NOT be allowed to be observed by third parties.
This include IKE Pre-Shared Keys and possibly the private key of a This include IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters, the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written, privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic DES encryption algorithm. Support for other (stronger) cryptographic
algorithms is in the works and may be done as you read this (e.g. algorithms is in the works and may be done as you read this (e.g.
AES [RFC3826]). Policy administrators SHOULD use a privacy security AES [RFC3826]). When configure IPsec policy using this MIB, policy
service to configure their IPsec policy which is at least as strong administrators SHOULD use a privacy security service that is at least
as the desired IPsec policy. E.G., it is unwise to configure IPsec as strong as the desired IPsec policy. E.G., If an administrator
parameters implementing 3DES algorithms while only protecting that were to use this MIB to configure an IPsec connection that utilizes a
conversation with single DES. 3DES algorithms, the SNMP communication configuring the connection
should be protected by an algorithm as strong or stronger than the
3DES algorithm.
6.4 Bootstrapping your configuration 6.4. Bootstrapping your configuration
Most vendors will not ship new products with a default SNMPv3 Most vendors will not ship new products with a default SNMPv3 user/
user/password pair, but it is possible. If a device does ship with a password pair, but it is possible. If a device does ship with a
default user/password pair, policy administrators SHOULD either default user/password pair, policy administrators SHOULD either
change the password or configure a new user, deleting the default change the password or configure a new user, deleting the default
user (or at a minimum, restrict the access of the default user). user (or at a minimum, restrict the access of the default user).
Most SNMPv3 distributions should, hopefully, require an out-of-band Most SNMPv3 distributions should, hopefully, require an out-of-band
initialization over a trusted medium, such as a local console initialization over a trusted medium, such as a local console
connection. If a product does install with default user/password connection.
information, these values should be changed before connecting to a
network.
7. IANA Considerations 7. IANA Considerations
Only two IANA considerations exist for this document. The first is Only two IANA considerations exist for this document. The first is
just the node number allocation of the IPSEC-SPD-MIB itself. just the node number allocation of the IPSEC-SPD-MIB itself.
The IPSEC-SPD-MIB also allows for extension action MIB's and The IPSEC-SPD-MIB also allows for extension action MIB's. Although
allocates a node, spdActions, for them. IANA would be responsible additional actions are not required to use it, the node spdActions is
for allocating the values under this node. allocated for any additional actions that wish to use it. IANA would
be responsible for allocating any values under this node.
8. Acknowledgments 8. Acknowledgments
Many other people contributed thoughts and ideas that influenced this Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order for the following MIB module. Some special thanks are in order for the following
people: people:
Lindy Foster (Sparta, Inc.) Lindy Foster (Sparta, Inc.)
John Gillis (ADC) John Gillis (ADC)
Jamie Jason (Intel Corporation)
Roger Hartmuller (Sparta, Inc.) Roger Hartmuller (Sparta, Inc.)
Harrie Hazewinkel
Jamie Jason (Intel Corporation)
David Partain (Ericsson) David Partain (Ericsson)
Lee Rafalow (IBM) Lee Rafalow (IBM)
Jon Saperia (JDS Consulting) Jon Saperia (JDS Consulting)
Eric Vyncke (Cisco Systems) Eric Vyncke (Cisco Systems)
9. References 9. References
9.1 Normative References 9.1. Normative References
[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart, [RFC1108] Kent, S., "U.S", RFC 1108, November 1991.
"Introduction and Applicability Statements for
Internet-Standard Management Framework", RFC 3410, [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information
Base for the Differentiated Services Architecture",
RFC 3289, May 2002.
[RFC3291] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 3291, May 2002.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585,
August 2003.
9.2. Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IPsec Action MIB",
December 2002. December 2002.
[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An [RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IKE Action MIB",
December 2002.
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", November 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002. December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network "Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412, December Management Protocol (SNMP)", STD 62, RFC 3412,
2002. December 2002.
[RFC3413] Levi, D., Meyer, P. and B. Stewart, "Simple Network [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, RFC Management Protocol (SNMP) Applications", STD 62,
3413, December 2002. RFC 3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management (USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415, December Management Protocol (SNMP)", STD 62, RFC 3415,
2002. December 2002.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
Management Information Version 2 (SMIv2)", STD 58, RFC
2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
Conventions for SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D. and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3585] Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
Policy Information Model", RFC 3585, August 2003.
9.2 Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy IPsec Action MIB", December
2002.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy IKE Action MIB", December
2002.
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", November 2000.
[RFC3826] Blumenthal, U., Maino, F. and K. McCloghrie, "The Advanced [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Encryption Standard (AES) Cipher Algorithm in the SNMP Advanced Encryption Standard (AES) Cipher Algorithm in the
User-based Security Model", RFC 3826, June 2004. SNMP User-based Security Model", RFC 3826, June 2004.
Authors' Addresses Authors' Addresses
Michael Baer Michael Baer
Sparta, Inc. Sparta, Inc.
7075 Samuel Morse Drive 7075 Samuel Morse Drive
Columbia, MD 21046 Columbia, MD 21046
US US
EMail: baerm@tislabs.com Email: baerm@tislabs.com
Ricky Charlet Ricky Charlet
Self Self
EMail: rcharlet@alumni.calpoly.edu Email: rcharlet@alumni.calpoly.edu
Wes Hardaker Wes Hardaker
Sparta, Inc. Sparta, Inc.
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
US US
Phone: +1 530 792 1913 Phone: +1 530 792 1913
EMail: hardaker@tislabs.com Email: hardaker@tislabs.com
Robert Story Robert Story
Revelstone Software Revelstone Software
PO Box 1812 PO Box 1812
Tucker, GA 30085 Tucker, GA 30085
US US
EMail: ipsp-mib@revelstone.com Email: ipsp-mib@revelstone.com
Cliff Wang Cliff Wang
ARO/North Carolina State University ARO/North Carolina State University
4300 S. Miami Blvd 4300 S. Miami Blvd
RTP, NC 27709 RTP, NC 27709
US US
EMail: cliffwangmail@yahoo.com Email: cliffwangmail@yahoo.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
 End of changes. 147 change blocks. 
388 lines changed or deleted 455 lines changed or added

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/