draft-ietf-ipsp-spd-mib-03.txt   draft-ietf-ipsp-spd-mib-04.txt 
IPSP M. Baer IPSP M. Baer
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Expires: April 15, 2006 R. Charlet Expires: July 31, 2006 R. Charlet
Self Self
W. Hardaker W. Hardaker
Sparta, Inc. Sparta, Inc.
R. Story R. Story
Revelstone Software Revelstone Software
C. Wang C. Wang
ARO/North Carolina State ARO/North Carolina State
University University
October 12, 2005 January 27, 2006
IPsec Security Policy Database Configuration MIB IPsec Security Policy Database Configuration MIB
draft-ietf-ipsp-spd-mib-03.txt draft-ietf-ipsp-spd-mib-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 42 skipping to change at page 1, line 42
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 15, 2006. This Internet-Draft will expire on July 31, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document defines an SMIv2 Management Information Base (MIB) This document defines an SMIv2 Management Information Base (MIB)
module for configuring the security policy database of a device module for configuring the security policy database of a device
implementing the IPsec protocol. The policy-based packet filtering implementing the IPsec protocol. The policy-based packet filtering
and the corresponding execution of actions described in this document and the corresponding execution of actions described in this document
are of a more general nature than for IPsec configuration alone, such are of a more general nature than for IPsec configuration alone, such
as for configuration of a firewall. This MIB module is designed to as for configuration of a firewall. This MIB module is designed to
be extensible with other enterprise or standards based defined packet be extensible with other enterprise or standards based defined packet
filters and actions. filters and actions.
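Review bot: the last sentence of the Abstract, unchanged in both columns, has a garbled modifier: "extensible with other enterprise or standards based defined packet filters and actions". Suggest "extensible with other enterprise-defined or standards-based packet filters and actions" so that "defined" and "based" each attach to the right noun.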
skipping to change at page 2, line 23 skipping to change at page 2, line 23
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3 2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
4.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5
4.1.1. Notational conventions . . . . . . . . . . . . . . . . 5 4.1.1. Notational conventions . . . . . . . . . . . . . . . . 5
4.1.2. Implementing an example SPD policy . . . . . . . . . . 6 4.1.2. Implementing an example SPD policy . . . . . . . . . . 6
5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8 5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 62 6. Security Considerations . . . . . . . . . . . . . . . . . . . 63
6.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 63 6.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 63
6.2. Protecting against in-authentic access . . . . . . . . . . 64 6.2. Protecting against in-authentic access . . . . . . . . . . 64
6.3. Protecting against involuntary disclosure . . . . . . . . 64 6.3. Protecting against involuntary disclosure . . . . . . . . 64
6.4. Bootstrapping your configuration . . . . . . . . . . . . . 65 6.4. Bootstrapping your configuration . . . . . . . . . . . . . 65
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 65 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 65
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 65 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 65
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 65 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 66
9.1. Normative References . . . . . . . . . . . . . . . . . . . 65 9.1. Normative References . . . . . . . . . . . . . . . . . . . 66
9.2. Informative References . . . . . . . . . . . . . . . . . . 66 9.2. Informative References . . . . . . . . . . . . . . . . . . 66
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 68
Intellectual Property and Copyright Statements . . . . . . . . . . 69 Intellectual Property and Copyright Statements . . . . . . . . . . 69
1. Introduction 1. Introduction
This document defines a MIB module for configuration of an IPsec This document defines a MIB module for configuration of an IPsec
security policy database (SPD). The policy-based packet filtering security policy database (SPD). The policy-based packet filtering
and the corresponding execution of actions is of a more general and the corresponding execution of actions is of a more general
nature than for IPsec configuration only, such as for configuration nature than for IPsec configuration only, such as for configuration
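Review bot: the Table of Contents entry "6.2. Protecting against in-authentic access" uses "in-authentic", which is not a standard term; suggest "Protecting against unauthenticated access", applied to the section heading as well so the two stay in sync. The page-number shifts in the right column (6 to 63, 9 and 9.1 to 66) are consistent with the import paragraph added to Section 5 in this revision.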
skipping to change at page 3, line 29 skipping to change at page 3, line 29
these values are determined. these values are determined.
2. The Internet-Standard Management Framework 2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410] RFC 3410 [RFC3410]
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP),
Objects in the MIB are defined using the mechanisms defined in the described in STD 62 described STD 62, RFC 3411 [RFC3411], STD 62, RFC
Structure of Management Information (SMI). This memo specifies a MIB 3412 [RFC3412], STD 62, RFC 3413 [RFC3413], STD 62, RFC 3414
module that is compliant to the SMIv2, which is described in STD 58, [RFC3414], STD 62, RFC 3415 [RFC3415]. Objects in the MIB are
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 defined using the mechanisms defined in the Structure of Management
[RFC2580]. Information (SMI). This memo specifies a MIB module that is
compliant to the SMIv2, which is described in STD 58, RFC 2578
[RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].
3. Relationship to the DMTF Policy Model 3. Relationship to the DMTF Policy Model
The Distributed Management Task Force (DMTF) has created an object The Distributed Management Task Force (DMTF) has created an object
oriented model of IPsec policy information known as the IPsec Policy oriented model of IPsec policy information known as the IPsec Policy
Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model" Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model"
(IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
model. The IPCP document describes a model for configuring IPsec. model. The IPCP document describes a model for configuring IPsec.
This MIB module is a task specific derivation (i.e. an SMIv2 This MIB module is a task specific derivation (i.e. an SMIv2
instantiation) of the IPCP's IPsec configuration model for use with instantiation) of the IPCP's IPsec configuration model for use with
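Review bot: the new SNMP sentence in Section 2 (right column) contains a duplicated phrase, "described in STD 62 described STD 62, RFC 3411", and repeats "STD 62" before every RFC number; suggest "accessed through the Simple Network Management Protocol (SNMP), described in STD 62, RFC 3411 [RFC3411], RFC 3412 [RFC3412], RFC 3413 [RFC3413], RFC 3414 [RFC3414] and RFC 3415 [RFC3415]." The preceding paragraph still has no full stop after "RFC 3410 [RFC3410]" in either column.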
skipping to change at page 8, line 18 skipping to change at page 8, line 18
spdEndGroupAddress = 0xC0000001) spdEndGroupAddress = 0xC0000001)
= (spdEndGroupName = "ingress", = (spdEndGroupName = "ingress",
spdEndGroupRowStatus = 4) -- createAndGo spdEndGroupRowStatus = 4) -- createAndGo
This completes the necessary steps to implement the policy. Once all This completes the necessary steps to implement the policy. Once all
of these rules have been applied, the policy should take effect. of these rules have been applied, the policy should take effect.
5. MIB definition 5. MIB definition
The following MIB Module imports from: [RFC2578], [RFC2579],
[RFC2580], [RFC3411], [RFC3291], [RFC3289]. It also uses definitions
from [RFC1108].
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
mib-2 FROM SNMPv2-SMI mib-2 FROM SNMPv2-SMI
--rfc2578 -- [RFC2578]
TEXTUAL-CONVENTION, RowStatus, TruthValue, TEXTUAL-CONVENTION, RowStatus, TruthValue,
TimeStamp, StorageType, VariablePointer, DateAndTime TimeStamp, StorageType, VariablePointer, DateAndTime
FROM SNMPv2-TC FROM SNMPv2-TC
--rfc2579 -- [RFC2579]
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
--rfc2580 -- [RFC2580]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB
--rfc3411 -- [RFC3411]
InetAddressType, InetAddress InetAddressType, InetAddress
FROM INET-ADDRESS-MIB FROM INET-ADDRESS-MIB
--rfc3291 -- [RFC3291]
diffServMIBMultiFieldClfrGroup, IfDirection, diffServMIBMultiFieldClfrGroup, IfDirection,
diffServMultiFieldClfrNextFree diffServMultiFieldClfrNextFree
FROM DIFFSERV-MIB FROM DIFFSERV-MIB
--rfc3289 -- [RFC3289]
; ;
-- --
-- module identity -- module identity
-- --
spdMIB MODULE-IDENTITY spdMIB MODULE-IDENTITY
LAST-UPDATED "200502170000Z" -- 17 January 2005 LAST-UPDATED "200502170000Z" -- 17 January 2005
ORGANIZATION "IETF IP Security Policy Working Group" ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer CONTACT-INFO "Michael Baer
Sparta, Inc. Sparta, Inc.
Phone: +1 530 902 3131 Phone: +1 530 902 3131
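Review bot: the module identity is not updated even though the MIB body changes in this revision (the DEFVAL change on spdGroupContFilter and the SIZE constraint added to spdPacketPart, both visible in later hunks): LAST-UPDATED is still "200502170000Z" in both columns, and its trailing comment says "17 January 2005" while the value encodes 17 February 2005. Bump LAST-UPDATED for this revision, add a matching REVISION clause, and make the comment agree with the encoded date. On the new import paragraph: INET-ADDRESS-MIB is cited as [RFC3291], which has been obsoleted by RFC 4001; consider updating that citation and the "-- [RFC3291]" comment in the IMPORTS clause.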
skipping to change at page 17, line 13 skipping to change at page 17, line 18
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
spdIpsoHeaderFilterTable spdIpsoHeaderFilterTable
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an VariablePointer is not supported at all, then an
inconsistentValue exception should be returned." inconsistentValue exception should be returned."
DEFVAL { spdTrueFilterInstance } DEFVAL { spdTrueFilter }
::= { spdGroupContentsEntry 3 } ::= { spdGroupContentsEntry 3 }
spdGroupContComponentType OBJECT-TYPE spdGroupContComponentType OBJECT-TYPE
SYNTAX INTEGER { group(1), rule(2) } SYNTAX INTEGER { group(1), rule(2) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the spdGroupContComponentName object "Indicates whether the spdGroupContComponentName object
is the name of another group defined within the is the name of another group defined within the
spdGroupContentsTable or is the name of a rule defined spdGroupContentsTable or is the name of a rule defined
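Review bot: the DEFVAL change on spdGroupContFilter (right column, "DEFVAL { spdTrueFilter }") looks wrong for a column whose DESCRIPTION says it holds a VariablePointer: a VariablePointer must name an object instance, so the default should be the instance OID of the scalar (spdTrueFilter.0), not the OID of the OBJECT-TYPE itself. Keep "DEFVAL { spdTrueFilterInstance }" with spdTrueFilterInstance defined as an OBJECT IDENTIFIER ::= { spdTrueFilter 0 }, or state in the revision notes why the bare object OID is intended.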
skipping to change at page 46, line 34 skipping to change at page 46, line 43
spdPacketDirection OBJECT-TYPE spdPacketDirection OBJECT-TYPE
SYNTAX IfDirection SYNTAX IfDirection
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates if the packet which triggered the action in "Indicates if the packet which triggered the action in
questions was ingress (inbound) our egress (outbound)." questions was ingress (inbound) our egress (outbound)."
::= { spdNotificationVariables 8 } ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING (SIZE (0..65535))
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Is the front part of the full IP packet that triggered this "Is the front part of the full IP packet that triggered this
notification. The initial size limit is determined by the notification. The initial size limit is determined by the
smaller of the size indicated by 'SpdIPPacketLogging' and smaller of the size indicated by 'SpdIPPacketLogging' and
the size of the triggering packet. the size of the triggering packet.
The final limit is determined by the SNMP packet size when The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be sending the notification. The maximum size that can be
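Review bot: the spdPacketDirection DESCRIPTION, unchanged in both columns, has two typos: "in questions" should be "in question" and "our egress" should be "or egress". In spdPacketPart, the DESCRIPTION opens with a sentence fragment ("Is the front part of the full IP packet..."); suggest "The front part of the full IP packet that triggered this notification." The new SIZE (0..65535) constraint is consistent with the text, which already bounds the object by SpdIPPacketLogging and the SNMP message size.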
skipping to change at page 48, line 7 skipping to change at page 48, line 16
logging enabled will result in this notification getting logging enabled will result in this notification getting
sent. The objects sent must include the spdActionExecuted sent. The objects sent must include the spdActionExecuted
which will indicate which action was executed within the which will indicate which action was executed within the
scope of the rule. Additionally, the spdIPSourceType, scope of the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to spdIPDestinationAddress, objects must be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType, that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects are spdIPEndpointAddress, and spdPacketDirection objects are
included to indicate which endpoint the packet was included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is including for associated with. Finally, spdPacketPart is included to
sending a variable sized part of the front of the packet enable sending a variable sized part of the front of the
depending on the value of SpdIPPacketLogging." packet with size dependent on the value of
SpdIPPacketLogging."
::= { spdNotifications 2 } ::= { spdNotifications 2 }
-- --
-- --
-- Conformance information -- Conformance information
-- --
-- --
spdCompliances OBJECT IDENTIFIER spdCompliances OBJECT IDENTIFIER
::= { spdConformanceObjects 1 } ::= { spdConformanceObjects 1 }
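Review bot: in the rewritten notification DESCRIPTION (right column) there is a stray comma in "and spdIPDestinationAddress, objects must be included"; drop it. The new closing sentence reads awkwardly; suggest "Finally, spdPacketPart is included to allow sending a variable-sized part of the front of the packet, its size depending on the value of SpdIPPacketLogging." Earlier in the same paragraph, "must include the spdActionExecuted which will indicate" needs the noun and a comma: "must include the spdActionExecuted object, which indicates".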
skipping to change at page 68, line 35 skipping to change at page 68, line 35
Phone: +1 530 792 1913 Phone: +1 530 792 1913
Email: hardaker@tislabs.com Email: hardaker@tislabs.com
Robert Story Robert Story
Revelstone Software Revelstone Software
PO Box 1812 PO Box 1812
Tucker, GA 30085 Tucker, GA 30085
US US
Email: ipsp-mib@revelstone.com Email: rstory@sparta.com
Cliff Wang Cliff Wang
ARO/North Carolina State University ARO/North Carolina State University
4300 S. Miami Blvd 4300 S. Miami Blvd
RTP, NC 27709 RTP, NC 27709
US US
Email: cliffwangmail@yahoo.com Email: cliffwangmail@yahoo.com
Intellectual Property Statement Intellectual Property Statement
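Review bot: the contact change for Robert Story (right column) replaces ipsp-mib@revelstone.com with rstory@sparta.com, but the affiliation and postal address remain Revelstone Software, Tucker, GA, and the page-1 author block still lists Revelstone Software; confirm whether the affiliation and address should change to match the new e-mail domain, or whether keeping them is intended.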
skipping to change at page 69, line 41 skipping to change at page 69, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 21 change blocks. 
27 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/