draft-ietf-ipsp-spd-mib-04.txt vs. draft-ietf-ipsp-spd-mib-05.txt

   (Text below follows -05.  Where -04 differed, its wording is given in
   parentheses or, inside the MIB module, in a "-- -04:" comment.
   "[...]" marks text the diff view omitted as unchanged.)

IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: August 28, 2006                                      R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                ARO/North Carolina State
                                                              University
                                                       February 24, 2006

           IPsec Security Policy Database Configuration MIB
                     draft-ietf-ipsp-spd-mib-05.txt

   (-04: dated January 27, 2006; expires July 31, 2006)

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [...]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 28, 2006.
   (-04: July 31, 2006)

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring the security policy database of a device
   implementing the IPsec protocol.  The policy-based packet filtering
   and the corresponding execution of actions described in this document
   [...]

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Internet-Standard Management Framework . . . . . . . . . .  3
   3.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   4.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
     4.1.  Usage Tutorial . . . . . . . . . . . . . . . . . . . . . .  5
       4.1.1.  Notational conventions . . . . . . . . . . . . . . . .  5
       4.1.2.  Implementing an example SPD policy . . . . . . . . . .  6
   5.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 64
     6.1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . 64
     6.2.  Protecting against in-authentic access . . . . . . . . . . 65
     6.3.  Protecting against involuntary disclosure  . . . . . . . . 66
     6.4.  Bootstrapping your configuration . . . . . . . . . . . . . 66
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 66
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 67
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 67
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 67
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 68
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69
   Intellectual Property and Copyright Statements . . . . . . . . . . 70

   (Page numbers are those of -05; in -04, Section 6 and everything
   after it began one or two pages earlier.)
1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The policy-based packet filtering
   and the corresponding execution of actions is of a more general
   nature than for IPsec configuration only, such as for configuration
   of a firewall.  It is possible to extend this MIB module and add
   other packet transforming actions that are performed conditionally on
   an interface's network traffic.

   [...]

   these values are determined.
2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

   (-04 continued the second sentence: "... Protocol (SNMP), described
   in STD 62, RFC 3411 [RFC3411], STD 62, RFC 3412 [RFC3412], STD 62,
   RFC 3413 [RFC3413], STD 62, RFC 3414 [RFC3414], STD 62, RFC 3415
   [RFC3415]."  -05 drops that citation list.)
3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The "IPsec Configuration Policy Model"
   (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
   model.  The IPCP document describes a model for configuring IPsec.
   This MIB module is a task specific derivation (i.e. an SMIv2
   instantiation) of the IPCP's IPsec configuration model for use with

   [...]

                   = (spdEndGroupName = "ingress",
                      spdEndGroupRowStatus = 4) -- createAndGo

   This completes the necessary steps to implement the policy.  Once all
   of these rules have been applied, the policy should take effect.
5.  MIB definition

   The following MIB Module imports from: [RFC2578], [RFC2579],
   [RFC2580], [RFC3411], [RFC4001], [RFC3289].  It also uses definitions
   from [RFC1108].

   (-04 cited [RFC3291] instead of [RFC4001] for the INET-ADDRESS-MIB
   imports; RFC 4001 obsoletes RFC 3291.)

IPSEC-SPD-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
    mib-2                       FROM SNMPv2-SMI
    -- [RFC2578]
    TEXTUAL-CONVENTION, RowStatus, TruthValue,

    [...]

    -- [RFC3411]
    InetAddressType, InetAddress
                                FROM INET-ADDRESS-MIB
    -- [RFC4001]
    -- (the module text of both -04 and -05 still reads "[RFC3291]"
    -- here, at odds with the import list in the prose above)
    diffServMIBMultiFieldClfrGroup, IfDirection,
    diffServMultiFieldClfrNextFree
                                FROM DIFFSERV-MIB
    -- [RFC3289]
    ;

--
-- module identity
--

spdMIB MODULE-IDENTITY
    LAST-UPDATED "200602240000Z"             -- 24 February 2006
    -- -04: LAST-UPDATED "200502170000Z", mislabelled "17 January 2005"
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
                  Sparta, Inc.
                  Phone: +1 530 902 3131
                  Email: baerm@tislabs.com

                  Ricky Charlet
                  Email: rcharlet@alumni.calpoly.edu

                  Wes Hardaker

    [...]

                  E-Mail: cliffwang2000@yahoo.com"
    DESCRIPTION
        "This MIB module defines configuration objects for managing
         IPsec Security Policies.

         Copyright (C) The Internet Society (2005).  This version of
         this MIB module is part of RFC ZZZZ, see the RFC itself for
         full legal notices."

    -- Revision History
    REVISION     "200602240000Z"             -- 24 February 2006
    DESCRIPTION  "Initial version, published as RFC ZZZZ."
    -- RFC-editor assigns ZZZZ
    -- -04: REVISION "200502170000Z"

    -- xxx: To be assigned by IANA
    ::= { mib-2 xxx }

--
-- groups of related objects
--
    [...]

    DESCRIPTION
        "This object indicates the global system policy group that
         is to be applied on ingress packets (i.e., arriving at an
         interface) when a given endpoint does not contain a policy
         definition in the spdEndpointToGroupTable.  Its value can be
         used as an index into the spdGroupContentsTable to retrieve
         a list of policies.  A zero length string indicates no
         system wide policy exists and the default policy of 'drop'
         should be executed for ingress packets until one is imposed
         by either this object or by the endpoint processing a given
         packet.

         This object MUST be persistent."
    DEFVAL { "" }
    ::= { spdLocalConfigObjects 1 }
    -- -04: the persistence sentence and the DEFVAL were absent.

spdEgressPolicyGroupName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object indicates the policy group containing the
         global system policy that is to be applied on egress
         packets (i.e., leaving an interface) when a given endpoint
         does not contain a policy definition in the
         spdEndpointToGroupTable.  Its value can be used as an index
         into the spdGroupContentsTable to retrieve a list of
         policies.  A zero length string indicates no system wide
         policy exists and the default policy of 'drop' should be
         executed for egress packets until one is imposed by either
         this object or by the endpoint processing a given packet.

         This object MUST be persistent."
    DEFVAL { "" }
    ::= { spdLocalConfigObjects 2 }
    -- -04: the persistence sentence and the DEFVAL were absent.

spdEndpointToGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdEndpointToGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table maps policies (groupings) onto an endpoint where
         traffic is to pass by.  Any policy group assigned to an
         endpoint is then used to control access to the traffic

    [...]

         If no policy group has been assigned to an endpoint, then
         the policy group specified by spdIngressPolicyGroupName (for
         ingress traffic) or spdEgressPolicyGroupName (for egress
         traffic) MUST be used for the endpoint."
    ::= { spdConfigObjects 2 }
    -- Both -04 and -05 name "spdSystemPolicyGroupName" in the last
    -- sentence; no such object exists in this module, and the two
    -- per-direction scalars above are the ones that hold the system
    -- wide policy.
spdEndpointToGroupEntry OBJECT-TYPE
    SYNTAX      SpdEndpointToGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A mapping assigning a policy group to an endpoint.

         Note: Since the spdEndGroupAddressType object currently only
         allows for IPv4 and IPv6 addresses, the spdEndGroupAddress
         value should be either 4 or 16 octets long.  But
         implementors should be aware that if the size of
         spdEndGroupAddress ever exceeds 115 octets, column instance
         OIDs (i.e. the index) for this table will have more than 128
         sub-identifiers and will be inaccessible using SNMPv1,
         SNMPv2c, or SNMPv3."
    INDEX { spdEndGroupDirection, spdEndGroupAddressType,
            spdEndGroupAddress }
    ::= { spdEndpointToGroupTable 1 }
    -- -04: the second index column was named spdEndGroupIdentType,
    -- and the note above appeared in the spdEndGroupAddress
    -- DESCRIPTION instead.

SpdEndpointToGroupEntry ::= SEQUENCE {
    spdEndGroupDirection      IfDirection,
    spdEndGroupAddressType    InetAddressType,
    spdEndGroupAddress        InetAddress,
    spdEndGroupName           SnmpAdminString,
    spdEndGroupLastChanged    TimeStamp,
    spdEndGroupStorageType    StorageType,
    spdEndGroupRowStatus      RowStatus
}

spdEndGroupDirection OBJECT-TYPE
    SYNTAX      IfDirection
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object indicates which direction of packets crossing
         the interface should be associated with which
         spdEndGroupName object.  Ingress packets, or packets into
         the device match when this value is inbound(1).  Egress
         packets or packets out of the device match when this value
         is outbound(2)."
    ::= { spdEndpointToGroupEntry 1 }

spdEndGroupAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Internet Protocol version of the address associated
         with a given endpoint.  All addresses are represented as an
         array of octets in network byte order.  When combined with
         the spdEndGroupAddress these objects can be used to
         uniquely identify an endpoint that a set of policy groups
         should be applied to.  Devices supporting IPv4 MUST support
         the ipv4 value, and devices supporting IPv6 MUST support
         the ipv6 value."
    ::= { spdEndpointToGroupEntry 2 }
    -- -04: named spdEndGroupIdentType; its DESCRIPTION also ended
    -- "Values of unknown, ipv4z, ipv6z and dns are not legal values
    -- for this object."

spdEndGroupAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The address of a given endpoint.  The format of this object
         is specified by the spdEndGroupAddressType object."
    ::= { spdEndpointToGroupEntry 3 }
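The 128 sub-identifier limit mentioned in the spdEndpointToGroupEntry note can be checked rather than taken on trust. The Python below is an added example, not part of the draft: it builds the column-instance OID for spdEndGroupName the way the INDEX clause prescribes (one sub-identifier each for spdEndGroupDirection and spdEndGroupAddressType, then the InetAddress as a length sub-identifier followed by one sub-identifier per octet, since the index is not IMPLIED) and reports how many address octets fit. The column OID prefix is an assumption: the spdMIB arc under mib-2 is still "xxx", so 999 stands in for it, and spdConfigObjects is assumed to be { spdMIB 1 }. With that 11-sub-identifier prefix the cut-off is 114 address octets rather than the 115 quoted in the note, because the length sub-identifier also counts; the exact figure depends on the arc IANA assigns.

```python
"""Sub-identifier budget for spdEndpointToGroupTable column instances."""

MAX_SUBIDS = 128          # RFC 2578 limit on OBJECT IDENTIFIER length
INBOUND, OUTBOUND = 1, 2  # IfDirection
IPV4, IPV6 = 1, 2         # InetAddressType ipv4(1), ipv6(2)

# Assumed column OID for spdEndGroupName: mib-2 (1.3.6.1.2.1), then the spdMIB arc
# ("xxx", unassigned; 999 is a placeholder), spdConfigObjects assumed to be
# { spdMIB 1 }, spdEndpointToGroupTable { spdConfigObjects 2 }, the entry (1) and
# the spdEndGroupName column (4).
SPD_MIB_PLACEHOLDER_ARC = 999
SPD_END_GROUP_NAME_OID = (1, 3, 6, 1, 2, 1, SPD_MIB_PLACEHOLDER_ARC, 1, 2, 1, 4)

def index_subids(direction, addr_type, address):
    """Encode the INDEX clause: two fixed-size INTEGER sub-identifiers, then the
    InetAddress as a length sub-identifier followed by one per octet (the index is
    not IMPLIED, so the length prefix is required)."""
    return (direction, addr_type, len(address)) + tuple(address)

def instance_oid(column_oid, direction, addr_type, address):
    return tuple(column_oid) + index_subids(direction, addr_type, address)

def fits(column_oid, direction, addr_type, address):
    """True if the column instance can be named in an SNMP PDU at all."""
    return len(instance_oid(column_oid, direction, addr_type, address)) <= MAX_SUBIDS

def max_address_octets(column_oid):
    """Longest spdEndGroupAddress this column can carry: the 128 budget minus the
    column prefix and the three leading index sub-identifiers."""
    return MAX_SUBIDS - len(column_oid) - 3

def oid_string(oid):
    return ".".join(str(sub) for sub in oid)

if __name__ == "__main__":
    v4 = bytes([192, 0, 2, 1])   # constructed endpoint address
    print(oid_string(instance_oid(SPD_END_GROUP_NAME_OID, INBOUND, IPV4, v4)))
    print("max address octets:", max_address_octets(SPD_END_GROUP_NAME_OID))
```

Swap in the real column OID once the arc is assigned and the functions give the true threshold; an agent can use the same arithmetic to refuse a createAndGo on a row whose instance OID it could never return in a response.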
spdEndGroupName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The policy group name to apply to this endpoint.  The
         value of the spdEndGroupName object should then be used
         as an index into the spdGroupContentsTable to come up
         with a list of rules that MUST be applied to this
         endpoint."

    [...]

         by all the rows in this table that have the same value of
         this object."
    ::= { spdGroupContentsEntry 1 }

spdGroupContPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority (sequence number) of the sub-component in
         this group.  This value indicates the order that each row
         of this table should be processed from low to high.  For
         example, a row with a priority of 0 is processed before a
         row with a priority of 1, a 1 before a 2, etc."
    ::= { spdGroupContentsEntry 2 }
    -- -04: the DESCRIPTION stopped after "this group."
spdGroupContFilter OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "spdGroupContFilter points to a filter which is evaluated
         to determine whether the spdGroupContComponentName within
         this row should be exercised.  Managers can use this object
         to classify groups of rules or subgroups together in order
         to achieve a greater degree of control and optimization
         over the execution order of the items within the group.  If
         the filter evaluates to false, the rule or subgroup will be
         skipped and the next rule or subgroup will be evaluated
         instead.  This value can be used to indicate a scalar or a
         row in a table.  When indicating a row in a table, this
         value MUST point to the first column instance in that row.

         An example usage of this object would be to limit a
         group of rules to executing only when the IP packet
         being processed is designated to be processed by IKE.
         This effectively creates a group of IKE specific rules.

         This MIB defines the following tables and scalars which may
         be pointed to by this column.  Implementations may choose
         to provide support for other filter tables or scalars as
         well:

            diffServMultiFieldClfrTable
            spdIpOffsetFilterTable
            spdTimeFilterTable
            spdCompoundFilterTable
            spdTrueFilter
            spdIpsoHeaderFilterTable

         If this column is set to a VariablePointer value which
         references a non-existent row in an otherwise supported
         table, the inconsistentValue exception should be returned.
         If the table or scalar pointed to by the VariablePointer is
         not supported at all, then a genErr exception should be
         returned.

         If during packet processing this column has a value that
         references a non-existent or non-supported object, the
         packet should be dropped."
    DEFVAL { spdTrueFilter }
    ::= { spdGroupContentsEntry 3 }
    -- -04: no "This value can be used ... first column instance"
    -- sentences; a non-existent row drew inconsistentName and an
    -- unsupported table inconsistentValue; the packet-processing
    -- drop paragraph was absent.
spdGroupContComponentType OBJECT-TYPE
    SYNTAX      INTEGER { group(1), rule(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates whether the spdGroupContComponentName object
         is the name of another group defined within the

    [...]

            spdIpOffsetFilterTable
            spdTimeFilterTable
            spdCompoundFilterTable
            spdTrueFilter

         If this column is set to a VariablePointer value which
         references a non-existent row in an otherwise supported
         table, the inconsistentName exception should be returned.
         If the table or scalar pointed to by the VariablePointer is
         not supported at all, then an inconsistentValue exception
         should be returned.

         If during packet processing this column has a value that
         references a non-existent or non-supported object, the
         packet should be dropped."
    ::= { spdRuleDefinitionEntry 3 }
    -- -04: the packet-processing drop paragraph was absent.
    -- Note that -05 moved spdGroupContFilter to inconsistentValue /
    -- genErr but left this object, spdRuleDefAction and
    -- spdSubFiltSubfilter on inconsistentName / inconsistentValue.
spdRuleDefFilterNegated OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "spdRuleDefFilterNegated specifies whether the filter
         referenced by the spdRuleDefFilter object should be
         negated or not."

    [...]

         It may also point to one of the scalar objects beneath
         spdStaticActions.

         If this object is set to a pointer to a row in an
         unsupported (or unknown) table, an inconsistentValue
         error should be returned.

         If this object is set to point to a non-existent row in
         an otherwise supported table, an inconsistentName error
         should be returned.

         If during packet processing this column has a value that
         references a non-existent or non-supported object, the
         packet should be dropped."
    ::= { spdRuleDefinitionEntry 5 }
    -- -04: the packet-processing drop paragraph was absent.

spdRuleDefAdminStatus OBJECT-TYPE
    SYNTAX      SpdAdminStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates whether the current rule definition is considered
         active.  If the value is enabled the rule MUST be evaluated
         when processing packets.  If the value is disabled, the

    [...]

    spdCompFiltLastChanged    TimeStamp,
    spdCompFiltStorageType    StorageType,
    spdCompFiltRowStatus      RowStatus
}
spdCompFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A user definable string.  This value is used as an index
         into this table."
    ::= { spdCompoundFilterEntry 1 }
    -- -04: "A user definable string.  You may use this field for
    -- your administrative tracking purposes."

spdCompFiltDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A user definable string.  You may use this field for
         your administrative tracking purposes."
    DEFVAL { "" }

    [...]
    spdSubFiltRowStatus       RowStatus
}

spdSubFiltPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of a given filter within a set of filters.
         The order of execution should be from lowest to highest
         priority value (i.e., priority 0 before priority 1, 1 before
         2, etc.).  Implementations MAY choose to follow this
         ordering as set by the manager that created the rows.  This
         can allow a manager to intelligently construct filter lists
         such that faster filters are evaluated first."
    ::= { spdSubfiltersEntry 1 }
    -- -04: the parenthetical example was absent.
spdSubFiltSubfilter OBJECT-TYPE spdSubFiltSubfilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
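Review bot: "The order of execution should be from lowest to highest priority value" is immediately weakened by "Implementations MAY choose to follow this ordering", so a manager cannot tell whether ordering is a guarantee or a hint. Pick one: either make it normative (SHOULD evaluate in ascending priority and drop the MAY sentence) or say plainly that the order is a performance hint and that the result of a compound filter MUST NOT depend on it. Since spdSubFiltPriority is not-accessible and so presumably part of the row index, two subfilters of one compound filter cannot share a priority; that is worth stating because it makes the ordering total.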
skipping to change at page 26, line 30 skipping to change at page 27, line 5
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an VariablePointer is not supported at all, then an
inconsistentValue exception should be returned." inconsistentValue exception should be returned.
If during packet processing this column has a value that
references a non-existent or non-supported object, the
packet should be dropped."
::= { spdSubfiltersEntry 2 } ::= { spdSubfiltersEntry 2 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE spdSubFiltSubfilterIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the result of applying this subfilter "Indicates whether the result of applying this subfilter
should be negated." should be negated."
DEFVAL { false } DEFVAL { false }
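Review bot: the new fail-closed rule "If during packet processing this column has a value that references a non-existent or non-supported object, the packet should be dropped" needs two clarifications. First, say that this drop is not subject to spdSubFiltSubfilterIsNegated: a negated subfilter with a dangling pointer must still drop the packet rather than evaluate to true. Second, a dangling reference is a configuration error, so say whether the drop is logged or notified the way spdDropActionLog is, otherwise the operator sees traffic vanish with no trace. Consider MUST rather than "should" here, as this sentence is the only thing stopping a broken pointer from turning into an accept.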
skipping to change at page 28, line 4 skipping to change at page 28, line 31
If neither condition is met, an attempt to set this row to If neither condition is met, an attempt to set this row to
something other than active should result in an something other than active should result in an
inconsistentValue error." inconsistentValue error."
::= { spdSubfiltersEntry 6 } ::= { spdSubfiltersEntry 6 }
-- --
-- Static Filters -- Static Filters
-- --
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 } spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE spdTrueFilter OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates a (automatic) true result for "This scalar indicates a (automatic) true result for
a filter. I.e. this is a filter that is always a filter. I.e. this is a filter that is always
true, useful for adding as a default filter for a true, useful for adding as a default filter for a
default action or a set of actions." default action or a set of actions."
::= { spdStaticFilters 1 } ::= { spdStaticFilters 1 }
spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 } spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
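Review bot: spdTrueFilter's SYNTAX is now Integer32 (1) but the DESCRIPTION still never says what value it returns; mirror spdDropAction's wording ("This object returns a value of 1 for IPsec policy implementations that support ...") so the single-value range is explained rather than implied.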
skipping to change at page 29, line 21 skipping to change at page 29, line 48
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The administrative name for this filter." "The administrative name for this filter."
::= { spdIpOffsetFilterEntry 1 } ::= { spdIpOffsetFilterEntry 1 }
spdIpOffFiltOffset OBJECT-TYPE spdIpOffFiltOffset OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This is the byte offset from the front of the IP packet "This is the byte offset from the front of the entire IP
where the value or arithmetic comparison is done. A packet where the value or arithmetic comparison is done. A
value of '0' indicates the first byte in the packet." value of '0' indicates the first byte of the packet header."
::= { spdIpOffsetFilterEntry 2 } ::= { spdIpOffsetFilterEntry 2 }
spdIpOffFiltType OBJECT-TYPE spdIpOffFiltType OBJECT-TYPE
SYNTAX INTEGER { equal(1), SYNTAX INTEGER { equal(1),
notEqual(2), notEqual(2),
arithmeticLess(3), arithmeticLess(3),
arithmeticGreaterOrEqual(4), arithmeticGreaterOrEqual(4),
arithmeticGreater(5), arithmeticGreater(5),
arithmeticLessOrEqual(6) } arithmeticLessOrEqual(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
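Review bot: "the byte offset from the front of the entire IP packet", with offset 0 at "the first byte of the packet header", still leaves open which header is meant for IPsec-encapsulated traffic: for an inbound tunnel-mode packet, is the offset taken in the outer header before decapsulation or in the inner packet afterwards? State it here, or point to the section that says at which point in processing filters are evaluated, because an offset filter written for the inner header but applied to the outer one silently matches the wrong fields.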
skipping to change at page 30, line 49 skipping to change at page 31, line 28
'spdIpOffFiltValue'." 'spdIpOffFiltValue'."
::= { spdIpOffsetFilterEntry 3 } ::= { spdIpOffsetFilterEntry 3 }
spdIpOffFiltValue OBJECT-TYPE spdIpOffFiltValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..1024)) SYNTAX OCTET STRING (SIZE(1..1024))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdIpOffFiltValue is used for match comparisons of a "spdIpOffFiltValue is used for match comparisons of a
packet at spdIpOffFiltOffset. This object is only used packet at spdIpOffFiltOffset."
if one of the match types is chosen in
spdIpOffFiltType."
::= { spdIpOffsetFilterEntry 4 } ::= { spdIpOffsetFilterEntry 4 }
spdIpOffFiltLastChanged OBJECT-TYPE spdIpOffFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
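Review bot: dropping "This object is only used if one of the match types is chosen" is right, since every spdIpOffFiltType value compares against spdIpOffFiltValue, but the comparison itself is still underspecified. Say what happens when spdIpOffFiltOffset plus the length of spdIpOffFiltValue (up to 1024 octets) runs past the end of the packet: the filter should evaluate to false and an implementation MUST NOT read beyond the packet buffer. For the arithmetic types, define how a multi-octet value is interpreted as a number (unsigned, network byte order, compared against the same number of packet octets), otherwise two implementations can disagree on arithmeticLess for a two-byte port field.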
skipping to change at page 31, line 37 skipping to change at page 32, line 14
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpOffsetFilterEntry 6 } ::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE spdIpOffFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
::= { spdIpOffsetFilterEntry 7 } ::= { spdIpOffsetFilterEntry 7 }
-- --
-- Time/scheduling filter table -- Time/scheduling filter table
-- --
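Review bot: "The value of this object has no effect on whether other objects in this conceptual row can be modified" means spdIpOffFiltOffset, spdIpOffFiltType and spdIpOffFiltValue may be changed while the row is active and referenced by an active rule. Add a sentence on atomicity: a packet must be evaluated against either the old or the new column values, never a mix, since a SET that has updated the offset but not yet the value temporarily matches traffic the policy never intended.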
skipping to change at page 33, line 49 skipping to change at page 34, line 28
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which indicates acceptable months of the year. "A bit mask which indicates acceptable months of the year.
This column evaluates to 'true' if the current month's bit This column evaluates to 'true' if the current month's bit
is set." is set."
DEFVAL { { january, february, march, april, may, june, july, DEFVAL { { january, february, march, april, may, june, july,
august, september, october, november, december } } august, september, october, november, december } }
::= { spdTimeFilterEntry 4 } ::= { spdTimeFilterEntry 4 }
spdTimeFiltDayOfMonthMask OBJECT-TYPE spdTimeFiltDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(4)) SYNTAX OCTET STRING (SIZE(8))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines which days of the month the current time is "Defines which days of the month the current time is
valid for. It is a sequence of 32 BITS, where each BIT valid for. It is a sequence of 64 BITS, where each BIT
represents a corresponding day of the month starting from represents a corresponding day of the month in forward or
the left most bit which is equal to the first day of the reverse order. Starting from the left most bit, the first
month. The last bit in the string MUST be zero. This 31 bits identify the day of the month counting from the
column evaluates to 'true' if the current day of the beginning of the month. The following 31 bits (bits 32-62)
month's bit is set." indicate the day of the month counting from the end month.
DEFVAL { 'fffffffe'H } For months with fewer than 31 days, the bits that
correspond to the non-existing days of that month are
ignored (e.g. for non-leap year Februarys, bits 29-31 and
60-62 are ignored).
This column evaluates to 'true' if the current day of the
month's bit is set.
For example, A value of 0X'80 00 00 01 00 00 00 00'
indicates that this column evaluates to true on the first
and last days of the month.
The last two bits in the string MUST be zero."
DEFVAL { 'fffffffffffffffe'H }
::= { spdTimeFilterEntry 5 } ::= { spdTimeFilterEntry 5 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE spdTimeFiltDayOfWeekMask OBJECT-TYPE
SYNTAX BITS { monday(0), tuesday(1), wednesday(2), SYNTAX BITS { sunday(0), monday(1), tuesday(2),
thursday(3), friday(4), saturday(5), wednesday(3), thursday(4), friday(5),
sunday(6) } saturday(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which defines which days of the week the current "A bit mask which defines which days of the week the current
time is valid for. This column evaluates to 'true' if the time is valid for. This column evaluates to 'true' if the
current day of the week's bit is set." current day of the week's bit is set."
DEFVAL { { monday, tuesday, wednesday, thursday, friday, DEFVAL { { monday, tuesday, wednesday, thursday, friday,
saturday, sunday } } saturday, sunday } }
::= { spdTimeFilterEntry 6 } ::= { spdTimeFilterEntry 6 }
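Review bot: the new DEFVAL for spdTimeFiltDayOfMonthMask contradicts its own MUST. With 31 forward bits and 31 reverse bits (bits 1-62) the text says "The last two bits in the string MUST be zero", but DEFVAL { 'fffffffffffffffe'H } ends in 0xfe, which leaves bit 63 set; it should be 'fffffffffffffffc'H. While here: "counting from the end month" should read "counting from the end of the month", and state explicitly that bits are numbered from 1 at the most significant bit of the first octet (the worked example 0X'80 00 00 01 00 00 00 00' only yields first-and-last-day under that numbering), because the BITS constructs in this same module, e.g. sunday(0), count from 0.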
skipping to change at page 35, line 48 skipping to change at page 36, line 40
::= { spdTimeFilterEntry 10 } ::= { spdTimeFilterEntry 10 }
spdTimeFiltRowStatus OBJECT-TYPE spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this "This object indicates the conceptual status of this
row. row.
Any attempt to set this row to active when the The value of this object has no effect on whether other
objects in this conceptual row can be modified.
However, any attempt to set this row to active when the
spdTimeFiltTimeOfDayMaskEnd object is earlier than spdTimeFiltTimeOfDayMaskEnd object is earlier than
spdTimeFiltTimeOfDayMaskStart object should fail with an spdTimeFiltTimeOfDayMaskStart object should fail with an
inconsistentValue error. Although, setting these objects inconsistentValue error. Although, setting these objects
to the same value is allowed. to the same value is allowed.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
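Review bot: the end-before-start check on spdTimeFiltRowStatus is only applied when the row is set to active, yet the sentence just added says the row's other objects can be modified regardless of its status. A manager can therefore activate a consistent row and then SET spdTimeFiltTimeOfDayMaskEnd below spdTimeFiltTimeOfDayMaskStart without error. Either reject such SETs on an active row with inconsistentValue as well, or define how an inverted range evaluates during packet processing (never true would be the safe reading).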
skipping to change at page 38, line 35 skipping to change at page 39, line 31
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpsoHeaderFilterEntry 6 } ::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE spdIpsoHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
This object may not be set to active if the requirements of The value of this object has no effect on whether other
the spdIpsoHeadFiltType object are not met. Specifically, objects in this conceptual row can be modified.
if the spdIpsoHeadFiltType is classification(0), the
spdIpsoHeadFiltClassification column MUST have a valid However, this object may not be set to active if the
value for row status to be set to active. If the requirements of the spdIpsoHeadFiltType object are not met.
spdIpsoHeadFiltType is set to protectionAuthority(1), the Specifically, if the spdIpsoHeadFiltType bit for
classification(0) is set, the spdIpsoHeadFiltClassification
column MUST have a valid value for the row status to be set
to active. If the spdIpsoHeadFiltType bit for
protectionAuthority(1) is set, the
spdIpsoHeadFiltProtectionAuth column MUST have a valid spdIpsoHeadFiltProtectionAuth column MUST have a valid
value for row status to be set to active. value for the row status to be set to active.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
::= { spdIpsoHeaderFilterEntry 7 } ::= { spdIpsoHeaderFilterEntry 7 }
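Review bot: the classification(0) and protectionAuthority(1) requirements on spdIpsoHeadFiltRowStatus are checked only at activation, while the new first sentence allows spdIpsoHeadFiltType's bits to be changed on an active row afterwards, so spdIpsoHeadFiltClassification or spdIpsoHeadFiltProtectionAuth can be left without a valid value while the filter is in use. Also define "valid value" here (does the column's DEFVAL count, or must it have been explicitly set?), since an agent cannot enforce an undefined condition.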
-- --
-- compound actions table -- compound actions table
skipping to change at page 42, line 16 skipping to change at page 43, line 16
spdSubActStorageType StorageType, spdSubActStorageType StorageType,
spdSubActRowStatus RowStatus spdSubActRowStatus RowStatus
} }
spdSubActPriority OBJECT-TYPE spdSubActPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority of a given sub-action within a compound "The priority of a given sub-action within a compound
action. The order in which sub-actions should be action. The order in which sub-actions should be executed
executed are based on the value from this column, with are based on the value from this column, with the lowest
the lowest numeric value executing first." numeric value executing first (i.e., priority 0 before
priority 1, 1 before 2, etc...)."
::= { spdSubactionsEntry 1 } ::= { spdSubactionsEntry 1 }
spdSubActSubActionName OBJECT-TYPE spdSubActSubActionName OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This column points to the action to be taken. It may, "This column points to the action to be taken. It may,
but is not limited to, point to a row in one of the but is not limited to, point to a row in one of the
following tables: following tables:
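Review bot: "The order in which sub-actions should be executed are based on the value from this column" has a number-agreement slip ("is based"), and more importantly the order is only a "should". Unlike spdSubFiltPriority, where order is a performance hint, sub-action order changes the outcome of a compound action, so make it normative: sub-actions MUST be executed in ascending spdSubActPriority order.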
skipping to change at page 42, line 44 skipping to change at page 43, line 45
It may also point to one of the scalar objects beneath It may also point to one of the scalar objects beneath
spdStaticActions. spdStaticActions.
If this object is set to a pointer to a row in an If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue unsupported (or unknown) table, an inconsistentValue
error should be returned. error should be returned.
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error an otherwise supported table, an inconsistentName error
should be returned." should be returned.
::= { spdSubactionsEntry 2 }
If during packet processing this column has a value that
references a non-existent or non-supported object, the
packet should be dropped."
::= { spdSubactionsEntry 2 }
spdSubActLastChanged OBJECT-TYPE spdSubActLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdSubactionsEntry 3 } ::= { spdSubactionsEntry 3 }
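Review bot: the added drop for a dangling spdSubActSubActionName needs to say how it combines with the rest of the compound action: does it short-circuit regardless of spdCompActExecutionStrategy, and what about lower-priority sub-actions that have already run on the packet? Stating that the packet is dropped, that no further sub-actions are executed, and that the event is logged like spdDropActionLog closes all three questions.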
skipping to change at page 44, line 9 skipping to change at page 45, line 14
-- Static Actions -- Static Actions
-- --
-- these are static actions which can be pointed to by the -- these are static actions which can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to -- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets. -- drop, accept or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 } spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE spdDropAction OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be dropped "This scalar indicates that a packet should be dropped
WITHOUT action/packet logging. This object returns a WITHOUT action/packet logging. This object returns a
value of 1 for IPsec policy implementations that support value of 1 for IPsec policy implementations that support
the drop static action." the drop static action."
::= { spdStaticActions 1 } ::= { spdStaticActions 1 }
spdDropActionLog OBJECT-TYPE spdDropActionLog OBJECT-TYPE
skipping to change at page 45, line 42 skipping to change at page 46, line 47
through." through."
::= { spdNotificationVariables 2 } ::= { spdNotificationVariables 2 }
spdIPEndpointAddress OBJECT-TYPE spdIPEndpointAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the interface address for the interface that "Contains the interface address for the interface that
the packet which triggered the notification is passing the packet which triggered the notification is passing
through." through.
::= { spdNotificationVariables 3 }
The format of this object is specified by the
spdIPEndpointAddType object."
::= { spdNotificationVariables 3 }
spdIPSourceType OBJECT-TYPE spdIPSourceType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the source address type of the packet which "Contains the source address type of the packet which
triggered the notification." triggered the notification."
::= { spdNotificationVariables 4 } ::= { spdNotificationVariables 4 }
spdIPSourceAddress OBJECT-TYPE spdIPSourceAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the source address of the packet which "Contains the source address of the packet which
triggered the notification." triggered the notification.
The format of this object is specified by the
spdIPSourceType object."
::= { spdNotificationVariables 5 } ::= { spdNotificationVariables 5 }
spdIPDestinationType OBJECT-TYPE spdIPDestinationType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the destination address type of the packet "Contains the destination address type of the packet
which triggered the notification." which triggered the notification."
::= { spdNotificationVariables 6 } ::= { spdNotificationVariables 6 }
spdIPDestinationAddress OBJECT-TYPE spdIPDestinationAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the destination address of the packet which "Contains the destination address of the packet which
triggered the notification." triggered the notification.
The format of this object is specified by the
spdIPDestinationType object."
::= { spdNotificationVariables 7 } ::= { spdNotificationVariables 7 }
spdPacketDirection OBJECT-TYPE spdPacketDirection OBJECT-TYPE
SYNTAX IfDirection SYNTAX IfDirection
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates if the packet which triggered the action in "Indicates if the packet which triggered the action in
questions was ingress (inbound) our egress (outbound)." questions was ingress (inbound) our egress (outbound)."
::= { spdNotificationVariables 8 } ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..65535)) SYNTAX OCTET STRING (SIZE (0..65535))
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Is the front part of the full IP packet that triggered this "Is the front part of the full IP packet that triggered this
notification. The initial size limit is determined by the notification. The initial size limit is determined by the
smaller of the size indicated by 'SpdIPPacketLogging' and smaller of the size indicated by
the size of the triggering packet. I. The value of the object with the TC syntax
'SpdIPPacketLogging' that indicated the packet should be
logged and
II. The size of the triggering packet.
The final limit is determined by the SNMP packet size when The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be sending the notification. The maximum size that can be
included will be the smaller of the initial size given above included will be the smaller of the initial size given above
and the length that will fit in a single SNMP notification and the length that will fit in a single SNMP notification
packet after the rest of the notification's objects and any packet after the rest of the notification's objects and any
other necessary packet data (headers encoding, etc...) has other necessary packet data (headers encoding, etc...) has
been included in the packet." been included in the packet."
::= { spdNotificationVariables 9 } ::= { spdNotificationVariables 9 }
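Review bot: spdPacketPart ships the leading bytes of the triggering packet, which past the IP header is payload, to whichever notification receiver is configured; the DESCRIPTION (or the Security Considerations) should say so and recommend a privacy-providing SNMP security model for these notifications. The restructured size text is clearer, but an unresolved typo sits two objects up: spdPacketDirection reads "in questions was ingress (inbound) our egress (outbound)" and should be "in question was ingress (inbound) or egress (outbound)".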
skipping to change at page 48, line 18 skipping to change at page 49, line 34
which will indicate which action was executed within the which will indicate which action was executed within the
scope of the rule. Additionally, the spdIPSourceType, scope of the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to spdIPDestinationAddress, objects must be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType, that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects are spdIPEndpointAddress, and spdPacketDirection objects are
included to indicate which endpoint the packet was included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is included to associated with. Finally, spdPacketPart is included to
enable sending a variable sized part of the front of the enable sending a variable sized part of the front of the
packet with size dependent on the value of packet with the size dependent on the value of the object of
SpdIPPacketLogging." TC syntax 'SpdIPPacketLogging' which indicated logging
should be done."
::= { spdNotifications 2 } ::= { spdNotifications 2 }
-- --
-- --
-- Conformance information -- Conformance information
-- --
-- --
spdCompliances OBJECT IDENTIFIER spdCompliances OBJECT IDENTIFIER
::= { spdConformanceObjects 1 } ::= { spdConformanceObjects 1 }
spdGroups OBJECT IDENTIFIER spdGroups OBJECT IDENTIFIER
::= { spdConformanceObjects 2 } ::= { spdConformanceObjects 2 }
-- --
-- Compliance statements -- Compliance statements
-- --
-- --
spdRuleFilterCompliance MODULE-COMPLIANCE spdRuleFilterFullCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that include "The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and an IPsec MIB implementation with Endpoint, Rules, and
filters support." filters support.
When this MIB is implemented with support for read-create,
then such an implementation can claim full compliance. Such
devices can then be both monitored and configured with this
MIB.
There are a number of INDEX objects that cannot be
represented in the form of OBJECT clauses in SMIv2, but for
which we have the following compliance requirements,
expressed in OBJECT clause form in this description clause:
-- OBJECT spdEndGroupAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT spdEndGroupAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup , spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup } diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support a system policy group implementations which support a system policy group
name." name."
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound filters." implementations which support compound filters."
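Review bot: the INDEX-object refinements added to spdRuleFilterFullCompliance (InetAddressType { ipv4(1), ipv6(2) }, InetAddress (SIZE(4|16))) mean zone-scoped addresses (ipv4z, ipv6z) are not required for spdEndGroupAddress, so an endpoint identified by a link-local address cannot be represented on a minimally compliant agent; if that is intended, say so in one sentence, otherwise add ipv6z(4) with SIZE(20). Renaming spdRuleFilterCompliance to spdRuleFilterFullCompliance is fine for a draft but is an incompatible descriptor change for anyone already referencing -04, so it deserves a line in the change log.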
skipping to change at page 51, line 30 skipping to change at page 53, line 23
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that include "The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and an IPsec MIB implementation with Endpoint, Rules, and
filters support. filters support.
If this MIB is implemented without support for read-create If this MIB is implemented without support for read-create
(i.e. in read-only), it is not in full compliance but it (i.e. in read-only), it is not in full compliance but it
can claim read-only compliance. Such a device can then be can claim read-only compliance. Such a device can then be
monitored but can not be configured with this MIB." monitored but can not be configured with this MIB.
There are a number of INDEX objects that cannot be
represented in the form of OBJECT clauses in SMIv2, but for
which we have the following compliance requirements,
expressed in OBJECT clause form in this description clause:
-- OBJECT spdEndGroupAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT spdEndGroupAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup , spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup } diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
skipping to change at page 52, line 25 skipping to change at page 54, line 35
GROUP spdIpsoHeaderFilterGroup GROUP spdIpsoHeaderFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IPSO Header filters." implementations which support IPSO Header filters."
GROUP spdCompoundActionGroup GROUP spdCompoundActionGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound actions." implementations which support compound actions."
OBJECT spdAcceptAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdAcceptActionLog
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActExecutionStrategy OBJECT spdCompActExecutionStrategy
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompActLastChanged OBJECT spdCompActLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdCompActRowStatus OBJECT spdCompActRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompActStorageType OBJECT spdCompActStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompFiltDescription OBJECT spdCompFiltDescription
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompFiltLastChanged OBJECT spdCompFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdCompFiltLogicType OBJECT spdCompFiltLogicType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompFiltRowStatus OBJECT spdCompFiltRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompFiltStorageType OBJECT spdCompFiltStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdDropAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdDropActionLog
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEgressPolicyGroupName OBJECT spdEgressPolicyGroupName
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdEndGroupLastChanged OBJECT spdEndGroupLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdEndGroupName OBJECT spdEndGroupName
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdEndGroupRowStatus OBJECT spdEndGroupRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
skipping to change at page 54, line 38 skipping to change at page 56, line 22
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdGroupContFilter OBJECT spdGroupContFilter
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdGroupContLastChanged OBJECT spdGroupContLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdGroupContRowStatus OBJECT spdGroupContRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdGroupContStorageType OBJECT spdGroupContStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
skipping to change at page 55, line 4 skipping to change at page 56, line 34
OBJECT spdGroupContRowStatus OBJECT spdGroupContRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdGroupContStorageType OBJECT spdGroupContStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdIngressPolicyGroupName OBJECT spdIngressPolicyGroupName
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdIpOffFiltLastChanged OBJECT spdIpOffFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdIpOffFiltOffset OBJECT spdIpOffFiltOffset
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdIpOffFiltRowStatus OBJECT spdIpOffFiltRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
skipping to change at page 55, line 46 skipping to change at page 57, line 27
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdIpsoHeadFiltClassification OBJECT spdIpsoHeadFiltClassification
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdIpsoHeadFiltLastChanged OBJECT spdIpsoHeadFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdIpsoHeadFiltProtectionAuth OBJECT spdIpsoHeadFiltProtectionAuth
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdIpsoHeadFiltRowStatus OBJECT spdIpsoHeadFiltRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
skipping to change at page 56, line 49 skipping to change at page 58, line 28
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdRuleDefFilterNegated OBJECT spdRuleDefFilterNegated
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdRuleDefLastChanged OBJECT spdRuleDefLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdRuleDefRowStatus OBJECT spdRuleDefRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdRuleDefStorageType OBJECT spdRuleDefStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdSubActLastChanged OBJECT spdSubActLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdSubActRowStatus OBJECT spdSubActRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdSubActStorageType OBJECT spdSubActStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdSubActSubActionName OBJECT spdSubActSubActionName
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdSubFiltLastChanged OBJECT spdSubFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdSubFiltRowStatus OBJECT spdSubFiltRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdSubFiltStorageType OBJECT spdSubFiltStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
skipping to change at page 58, line 25 skipping to change at page 59, line 47
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltDayOfWeekMask OBJECT spdTimeFiltDayOfWeekMask
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltLastChanged OBJECT spdTimeFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required. This object is not "This object is not required for compliance."
required for compliance."
OBJECT spdTimeFiltMonthOfYearMask OBJECT spdTimeFiltMonthOfYearMask
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltPeriodEnd OBJECT spdTimeFiltPeriodEnd
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
skipping to change at page 59, line 17 skipping to change at page 60, line 37
OBJECT spdTimeFiltTimeOfDayMaskEnd OBJECT spdTimeFiltTimeOfDayMaskEnd
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltStorageType OBJECT spdTimeFiltStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTrueFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { spdCompliances 3 } ::= { spdCompliances 3 }
-- --
-- --
-- Compliance Groups Definitions -- Compliance Groups Definitions
-- --
-- --
-- Endpoint, Rule, Filter Compliance Groups -- Endpoint, Rule, Filter Compliance Groups
-- --
skipping to change at page 63, line 4 skipping to change at page 64, line 19
spdActionNotificationGroup NOTIFICATION-GROUP spdActionNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { NOTIFICATIONS {
spdActionNotification, spdActionNotification,
spdPacketNotification spdPacketNotification
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of all the Notifications for this "This group is made up of all the Notifications for this
MIB." MIB."
::= { spdGroups 13 } ::= { spdGroups 13 }
END END
6. Security Considerations 6. Security Considerations
6.1. Introduction 6.1. Introduction
This document defines a MIB module used to configure IPsec policy This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides network security services, its services. Since IPsec provides network security services, all of its
configuration data (e.g. this MIB) should be as secure or more secure configuration data (e.g. this entire MIB) should be as secure or more
than any of the security services IPsec provides. There are two main secure than any of the security services IPsec provides. There are
threats you need to protect against when configuring IPsec devices. two main threats you need to protect against when configuring IPsec
devices.
1. Malicious Configuration: only the official administrators should 1. Malicious Configuration: This MIB configures network security
be allowed to configure a device. In other words, services. If an attacker has SET access to any part of this MIB,
administrators' identities should be authenticated and their the network security services configured by this MIB should be
access rights checked before they are allowed to do device considered broken. The network data sent through the associated
configuration. The support for SET operations to the IPSP MIB in gateway should no longer be considered as protected by IPsec
a non-secure environment, without proper protection, can have a (i.e., it is no longer confidential or authenticated).
negative effect on the security of the network traffic affected Therefore, only the official administrators should be allowed to
by the IPSP MIB. configure a device. In other words, administrators' identities
should be authenticated and their access rights checked before
they are allowed to do device configuration. The support for SET
operations to the IPSP MIB in a non-secure environment, without
proper protection, will invalidate the security of the network
traffic affected by the IPSP MIB.
2. Disclosure of Configuration: In general, malicious parties should 2. Disclosure of Configuration: In general, malicious parties should
not be able to read security configuration data while the data is not be able to read security configuration data while the data is
in network transit. In particular, malicious users should be in network transit. An attacker reading the configuration data
prevented from reading SNMP packets containing this MIB's data. may be able to find compromises in the device and the network due
Any knowledge about a device's IPsec policy configuration could to poor and misconfiguration. Since this entire MIB is used for
help an unfriendly party compromise that device and/or the security configuration, it is highly recommended that only
network(s) it protects. It is thus important to control even GET authorized administrators should be allow to view data in this
access to these objects and possibly to even encrypt the values MIB. In particular, malicious users should be prevented from
of these objects when sending them over the network via SNMP. reading SNMP packets containing this MIB's data. SNMP GET data
should be encrypted when sent across the network. Also, only
authorized administrators should be allowed SNMP GET access to
any of the MIB objects.
SNMP versions prior to SNMPv3 do not include adequate security. Even SNMP versions prior to SNMPv3 do not include adequate security. Even
if the network itself is secure (e.g. by using IPsec), earlier if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure versions of SNMP have virtually no control as to who on the secure
network is allowed to access (i.e. read/change/create/delete) the network is allowed to access (i.e. read/change/create/delete) the
objects in this MIB module. objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8), provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for including full support for the SNMPv3 cryptographic mechanisms (for
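Review bot: Two grammar slips in the rewritten text of item 2 (Disclosure of Configuration) should be fixed before this draft moves forward: "due to poor and misconfiguration" has lost a word, presumably "due to poor configuration or misconfiguration", and "only authorized administrators should be allow to view data in this MIB" should read "allowed to view". On substance, the new text now makes two concrete demands, that SNMP GET data be encrypted on the wire and that GET access be limited to authorized administrators, but it names no mechanism for either and only points at "[RFC3410], section 8" in the following paragraph. Since this revision adds RFC 3414 (USM) and RFC 3415 (VACM) to the references, item 2 should say that the encryption requirement is met by USM with privacy (RFC 3414, with AES per RFC 3826) and the access restriction by VACM views (RFC 3415), so that an implementer can map each requirement to a named SNMPv3 feature. The strengthened wording in item 1 ("should be considered broken", "will invalidate the security") is consistent with the rest of the section and reads fine.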
skipping to change at page 66, line 27 skipping to change at page 68, line 5
STD 58, RFC 2579, April 1999. STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580, "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999. April 1999.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information [RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information
Base for the Differentiated Services Architecture", Base for the Differentiated Services Architecture",
RFC 3289, May 2002. RFC 3289, May 2002.
[RFC3291] Daniele, M., Haberman, B., Routhier, S., and J. [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Schoenwaelder, "Textual Conventions for Internet Network Architecture for Describing Simple Network Management
Addresses", RFC 3291, May 2002. Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585,
August 2003. August 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
9.2. Informative References 9.2. Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IPsec Action MIB", Wang, "IPsec Security Policy IPsec Action MIB",
December 2002. December 2002.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IKE Action MIB", Wang, "IPsec Security Policy IKE Action MIB",
December 2002. December 2002.
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", November 2000. Paper", November 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62,
RFC 3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004. SNMP User-based Security Model", RFC 3826, June 2004.
Authors' Addresses Authors' Addresses
Michael Baer Michael Baer
Sparta, Inc. Sparta, Inc.
7075 Samuel Morse Drive 7075 Samuel Morse Drive
Columbia, MD 21046 Columbia, MD 21046
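Review bot: The reference changes are mostly right, with two things to check. Replacing [RFC3291] with [RFC4001] is correct (RFC 4001 obsoletes RFC 3291 for the Internet network address textual conventions), but the module's IMPORTS clause must cite INET-ADDRESS-MIB from RFC 4001 as well, or the normative reference is dangling. Moving [RFC3411] from informative to normative is appropriate only if the module imports something from it (SnmpAdminString from SNMP-FRAMEWORK-MIB would justify it); if it is cited only from the Security Considerations boilerplate it belongs with RFC 3412 through RFC 3415 in the informative list. The placeholders [RFCXXXX] and [RFCYYYY] still give a December 2002 date but no document name; an Internet-Draft reference should identify the draft by its file name and be marked "(work in progress)", and the RFC Editor will need the placeholders resolved against the actual companion documents. Minor style point: the informative list is no longer in any consistent order (RFCXXXX, RFCYYYY, IPPMWP, then RFC3410 onward); alphabetical by tag is the usual convention.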
 End of changes. 85 change blocks. 
206 lines changed or deleted 259 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/