draft-ietf-ipsp-spd-mib-05.txt   draft-ietf-ipsp-spd-mib-06.txt 
IPSP M. Baer IPSP M. Baer
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Expires: August 28, 2006 R. Charlet Expires: October 8, 2006 R. Charlet
Self Self
W. Hardaker W. Hardaker
Sparta, Inc. Sparta, Inc.
R. Story R. Story
Revelstone Software Revelstone Software
C. Wang C. Wang
ARO/North Carolina State ARO/North Carolina State
University University
February 24, 2006 April 6, 2006
IPsec Security Policy Database Configuration MIB IPsec Security Policy Database Configuration MIB
draft-ietf-ipsp-spd-mib-05.txt draft-ietf-ipsp-spd-mib-06.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 42 skipping to change at page 1, line 42
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 28, 2006. This Internet-Draft will expire on October 8, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document defines an SMIv2 Management Information Base (MIB) This document defines an SMIv2 Management Information Base (MIB)
module for configuring the security policy database of a device module for configuring the security policy database of a device
implementing the IPsec protocol. The policy-based packet filtering implementing the IPsec protocol. The policy-based packet filtering
and the corresponding execution of actions described in this document and the corresponding execution of actions described in this document
skipping to change at page 8, line 20 skipping to change at page 8, line 20
= (spdEndGroupName = "ingress", = (spdEndGroupName = "ingress",
spdEndGroupRowStatus = 4) -- createAndGo spdEndGroupRowStatus = 4) -- createAndGo
This completes the necessary steps to implement the policy. Once all This completes the necessary steps to implement the policy. Once all
of these rules have been applied, the policy should take effect. of these rules have been applied, the policy should take effect.
5. MIB definition 5. MIB definition
The following MIB Module imports from: [RFC2578], [RFC2579], The following MIB Module imports from: [RFC2578], [RFC2579],
[RFC2580], [RFC3411], [RFC4001], [RFC3289]. It also uses definitions [RFC2580], [RFC3411], [RFC4001], [RFC3289]. It also uses definitions
from [RFC1108]. from [RFC1108], [RFC3060], and [RFC3629].
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
mib-2 FROM SNMPv2-SMI mib-2 FROM SNMPv2-SMI
-- [RFC2578] -- [RFC2578]
TEXTUAL-CONVENTION, RowStatus, TruthValue, TEXTUAL-CONVENTION, RowStatus, TruthValue,
TimeStamp, StorageType, VariablePointer, DateAndTime TimeStamp, StorageType, VariablePointer
FROM SNMPv2-TC FROM SNMPv2-TC
-- [RFC2579] -- [RFC2579]
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
-- [RFC2580] -- [RFC2580]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB
-- [RFC3411] -- [RFC3411]
skipping to change at page 9, line 12 skipping to change at page 9, line 12
diffServMultiFieldClfrNextFree diffServMultiFieldClfrNextFree
FROM DIFFSERV-MIB FROM DIFFSERV-MIB
-- [RFC3289] -- [RFC3289]
; ;
-- --
-- module identity -- module identity
-- --
spdMIB MODULE-IDENTITY spdMIB MODULE-IDENTITY
LAST-UPDATED "200602240000Z" -- 24 February 2006 LAST-UPDATED "200604060000Z" -- 6 April 2006
ORGANIZATION "IETF IP Security Policy Working Group" ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer CONTACT-INFO "Michael Baer
Sparta, Inc. Sparta, Inc.
Phone: +1 530 902 3131 Phone: +1 530 902 3131
Email: baerm@tislabs.com Email: baerm@tislabs.com
Ricky Charlet Ricky Charlet
Email: rcharlet@alumni.calpoly.edu Email: rcharlet@alumni.calpoly.edu
Wes Hardaker Wes Hardaker
skipping to change at page 9, line 46 skipping to change at page 9, line 46
Cliff Wang Cliff Wang
SmartPipes Inc. SmartPipes Inc.
Suite 300, 565 Metro Place South Suite 300, 565 Metro Place South
Dublin, OH 43017 Dublin, OH 43017
Phone: +1 614 923 6241 Phone: +1 614 923 6241
E-Mail: cliffwang2000@yahoo.com" E-Mail: cliffwang2000@yahoo.com"
DESCRIPTION DESCRIPTION
"This MIB module defines configuration objects for managing "This MIB module defines configuration objects for managing
IPsec Security Policies. IPsec Security Policies.
Copyright (C) The Internet Society (2005). This version of Copyright (C) The Internet Society (2006). This version of
this MIB module is part of RFC ZZZZ, see the RFC itself for this MIB module is part of RFC ZZZZ, see the RFC itself for
full legal notices." full legal notices."
-- Revision History -- Revision History
REVISION "200602240000Z" -- 24 February 2006 REVISION "200604060000Z" -- 6 April 2006
DESCRIPTION "Initial version, published as RFC ZZZZ." DESCRIPTION "Initial version, published as RFC ZZZZ."
-- RFC-editor assigns ZZZZ -- RFC-editor assigns ZZZZ
-- xxx: To be assigned by IANA -- xxx: To be assigned by IANA
::= { mib-2 xxx } ::= { mib-2 xxx }
-- --
-- groups of related objects -- groups of related objects
-- --
skipping to change at page 11, line 19 skipping to change at page 11, line 19
that the entire packet should be sent. that the entire packet should be sent.
Examples: Examples:
'-1' no logging '-1' no logging
'0' log but do not include any of the packet in the log '0' log but do not include any of the packet in the log
'20' log and include the first 20 bytes of the packet '20' log and include the first 20 bytes of the packet
in the log." in the log."
SYNTAX Integer32 (-1..65535) SYNTAX Integer32 (-1..65535)
SpdTimePeriod ::= TEXTUAL-CONVENTION
DISPLAY-HINT "31t"
STATUS current
DESCRIPTION
"This property identifies an overall range of calendar dates
and time. In a boolean context, a value within this time
range, inclusive, is considered true. T
This information is encoded as an octet string using
the UTF-8 transformation format described in STD 63,
RFC3629.
It uses the format suggested in RFC 3060. An octet string
represents a start date and time and an end date and time.
For example:
yyyymmddThhmmss/yyyymmddThhmmss
Where: yyyy = year mm = month dd = day
hh = hour mm = minute ss = second
The first 'yyyymmddThhmmss' sub-string indicates the start
date and time. The second 'yyyymmddThhmmss' sub-string
indicates the end date and time. The character 'T' within
these sub-strings indicates the beginning of the time
portion of each sub-string. The solidus character '/'
separates the start from the end date and time. The end
date and time must be subsequent to the start date and
time.
There are also two allowed substitutes for a
'yyyymmddThhmmss' sub-string. One for the start date and
time and one for the end date and time.
If the start date and time is replaced with the string
'THISANDPRIOR', this sub-string would indicate the current
date and the time and the dates and time previous.
If the end date and time is replaced with the string
'THISANDFUTURE', this sub-string would indicate the current
date and time and the dates and time subsequent.
Any of the following should be considered an
inconsistentValue:
- Setting a value with the end date and time earlier than
the start data and time.
- Setting the start date and time to 'THISANDFUTURE'.
- Setting the end date and time to 'THISANDPRIOR'."
REFERENCE "RFC 3060"
SYNTAX OCTET STRING (SIZE (0..31))
-- --
-- Policy group definitions -- Policy group definitions
-- --
spdLocalConfigObjects OBJECT IDENTIFIER spdLocalConfigObjects OBJECT IDENTIFIER
::= { spdConfigObjects 1 } ::= { spdConfigObjects 1 }
spdIngressPolicyGroupName OBJECT-TYPE spdIngressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write MAX-ACCESS read-write
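Review bot: The new SpdTimePeriod format 'yyyymmddThhmmss/yyyymmddThhmmss' carries no time zone or UTC indication, so an agent and its manager in different zones can evaluate the same time filter differently; the DESCRIPTION should state whether the value is UTC or the agent's local time. SYNTAX OCTET STRING (SIZE (0..31)) also admits a zero-length string whose meaning is not defined; either say how an empty value evaluates or add it to the inconsistentValue list. The text says the end 'must be subsequent to the start' while the first inconsistentValue bullet only rejects an end 'earlier than' the start, so it is unclear whether equal start and end is accepted. Two typos to fix while here: the stray 'T' after 'is considered true.' and 'start data and time' in that same bullet.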
skipping to change at page 17, line 24 skipping to change at page 18, line 27
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
spdIpsoHeaderFilterTable spdIpsoHeaderFilterTable
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentValue exception should be returned. table or if the table or scalar pointed to by the
If the table or scalar pointed to by the VariablePointer is VariablePointer is not supported at all, the
not supported at all, then an genErr exception should be inconsistentValue exception should be returned.
returned.
If during packet processing this column has a value that If during packet processing this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet should be dropped." packet should be dropped."
DEFVAL { spdTrueFilter } DEFVAL { spdTrueFilter }
::= { spdGroupContentsEntry 3 } ::= { spdGroupContentsEntry 3 }
spdGroupContComponentType OBJECT-TYPE spdGroupContComponentType OBJECT-TYPE
SYNTAX INTEGER { group(1), rule(2) } SYNTAX INTEGER { group(1), rule(2) }
MAX-ACCESS read-create MAX-ACCESS read-create
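Review bot: Folding the unsupported-table case into inconsistentValue in the right-hand text means a manager can no longer tell 'row not created yet' from 'this agent will never accept a pointer into that table'. In SNMP, inconsistentValue is for a value that could be held under other circumstances, which fits the missing-row case; for a table or scalar that is not supported at all, wrongValue describes the situation more accurately than either genErr or inconsistentValue. The packet-processing sentence that follows (drop the packet on a non-existent or non-supported reference) is the fail-closed behaviour this column needs and should stay as it is.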
skipping to change at page 33, line 9 skipping to change at page 34, line 9
If all the column objects in a row are true for the current If all the column objects in a row are true for the current
time, the row evaluates as 'true'. More explicitly, the time, the row evaluates as 'true'. More explicitly, the
time matching column objects in a row MUST be logically time matching column objects in a row MUST be logically
AND'd together to form the boolean true/false for the row." AND'd together to form the boolean true/false for the row."
INDEX { spdTimeFiltName } INDEX { spdTimeFiltName }
::= { spdTimeFilterTable 1 } ::= { spdTimeFilterTable 1 }
SpdTimeFilterEntry ::= SEQUENCE { SpdTimeFilterEntry ::= SEQUENCE {
spdTimeFiltName SnmpAdminString, spdTimeFiltName SnmpAdminString,
spdTimeFiltPeriodStart DateAndTime, spdTimeFiltPeriod SpdTimePeriod,
spdTimeFiltPeriodEnd DateAndTime,
spdTimeFiltMonthOfYearMask BITS, spdTimeFiltMonthOfYearMask BITS,
spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfMonthMask OCTET STRING,
spdTimeFiltDayOfWeekMask BITS, spdTimeFiltDayOfWeekMask BITS,
spdTimeFiltTimeOfDayMaskStart DateAndTime, spdTimeFiltTimeOfDayMask SpdTimePeriod,
spdTimeFiltTimeOfDayMaskEnd DateAndTime,
spdTimeFiltLastChanged TimeStamp, spdTimeFiltLastChanged TimeStamp,
spdTimeFiltStorageType StorageType, spdTimeFiltStorageType StorageType,
spdTimeFiltRowStatus RowStatus spdTimeFiltRowStatus RowStatus
} }
spdTimeFiltName OBJECT-TYPE spdTimeFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An administratively assigned name for this filter." "An administratively assigned name for this filter."
::= { spdTimeFilterEntry 1 } ::= { spdTimeFilterEntry 1 }
spdTimeFiltPeriodStart OBJECT-TYPE spdTimeFiltPeriod OBJECT-TYPE
SYNTAX DateAndTime SYNTAX SpdTimePeriod
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The starting time for this filter. This column is "The valid time period for this filter. This column is
considered 'true' if the current time evaluates as later considered 'true' if the current time is within the range of
than this object. this object."
DEFVAL { "THISANDPRIOR/THISANDFUTURE" }
Note: the default value of this object is the minimum value
for a DateAndTime object and should evaluate to 'true'
for any realistic time."
DEFVAL { '00000101000000002b0000'H }
::= { spdTimeFilterEntry 2 } ::= { spdTimeFilterEntry 2 }
spdTimeFiltPeriodEnd OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The ending time for this filter. This column is considered
'true' if the current time evaluates as previous to this
object.
Note: the default value for this object is the maximum value
for a DateAndTime object and should evaluate to 'true' for
any realistic time."
DEFVAL { '99991231235959092b0000'H }
::= { spdTimeFilterEntry 3 }
spdTimeFiltMonthOfYearMask OBJECT-TYPE spdTimeFiltMonthOfYearMask OBJECT-TYPE
SYNTAX BITS { january(0), february(1), march(2), SYNTAX BITS { january(0), february(1), march(2),
april(3), may(4), june(5), july(6), april(3), may(4), june(5), july(6),
august(7), september(8), october(9), august(7), september(8), october(9),
november(10), december(11) } november(10), december(11) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which indicates acceptable months of the year. "A bit mask which indicates acceptable months of the year.
This column evaluates to 'true' if the current month's bit This column evaluates to 'true' if the current month's bit
is set." is set."
DEFVAL { { january, february, march, april, may, june, july, DEFVAL { { january, february, march, april, may, june, july,
august, september, october, november, december } } august, september, october, november, december } }
::= { spdTimeFilterEntry 4 } ::= { spdTimeFilterEntry 3 }
spdTimeFiltDayOfMonthMask OBJECT-TYPE spdTimeFiltDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(8)) SYNTAX OCTET STRING (SIZE(8))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines which days of the month the current time is "Defines which days of the month the current time is
valid for. It is a sequence of 64 BITS, where each BIT valid for. It is a sequence of 64 BITS, where each BIT
represents a corresponding day of the month in forward or represents a corresponding day of the month in forward or
reverse order. Starting from the left most bit, the first reverse order. Starting from the left most bit, the first
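Review bot: The new spdTimeFiltPeriod DESCRIPTION drops the note that explained why the default always matches; with DEFVAL { "THISANDPRIOR/THISANDFUTURE" } a reader has to go to the SpdTimePeriod TC to learn that an unset period is unbounded. Add one sentence saying the default covers all time, so that a row created with only a month, day or time-of-day mask is understood to apply indefinitely. The column sub-identifiers after the period are also renumbered (spdTimeFiltMonthOfYearMask moves from 4 to 3); that is acceptable while the REVISION clause still reads 'Initial version', but agents prototyped against the -05 numbering will serve the wrong columns, so the renumbering deserves a line in the change log.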
skipping to change at page 35, line 7 skipping to change at page 35, line 33
This column evaluates to 'true' if the current day of the This column evaluates to 'true' if the current day of the
month's bit is set. month's bit is set.
For example, A value of 0X'80 00 00 01 00 00 00 00' For example, A value of 0X'80 00 00 01 00 00 00 00'
indicates that this column evaluates to true on the first indicates that this column evaluates to true on the first
and last days of the month. and last days of the month.
The last two bits in the string MUST be zero." The last two bits in the string MUST be zero."
DEFVAL { 'fffffffffffffffe'H } DEFVAL { 'fffffffffffffffe'H }
::= { spdTimeFilterEntry 5 } ::= { spdTimeFilterEntry 4 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE spdTimeFiltDayOfWeekMask OBJECT-TYPE
SYNTAX BITS { sunday(0), monday(1), tuesday(2), SYNTAX BITS { sunday(0), monday(1), tuesday(2),
wednesday(3), thursday(4), friday(5), wednesday(3), thursday(4), friday(5),
saturday(6) } saturday(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which defines which days of the week the current "A bit mask which defines which days of the week the current
time is valid for. This column evaluates to 'true' if the time is valid for. This column evaluates to 'true' if the
current day of the week's bit is set." current day of the week's bit is set."
DEFVAL { { monday, tuesday, wednesday, thursday, friday, DEFVAL { { monday, tuesday, wednesday, thursday, friday,
saturday, sunday } } saturday, sunday } }
::= { spdTimeFilterEntry 6 } ::= { spdTimeFilterEntry 5 }
spdTimeFiltTimeOfDayMaskStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates the starting time of day for which this filter
evaluates to true. The date portions of the DateAndTime TC
are ignored for purposes of evaluating this mask and only
the time specific portions are used.
This column evaluates to 'true' in two cases. It is 'true'
if the current time of day is later than the time of day
indicated by this object. It is also 'true' if this object
is equal to the spdTimeFiltTimeOfDayMaskEnd object."
DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 7 }
spdTimeFiltTimeOfDayMaskEnd OBJECT-TYPE spdTimeFiltTimeOfDayMask OBJECT-TYPE
SYNTAX DateAndTime SYNTAX SpdTimePeriod
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates the ending time of day for which this filter "Indicates the start and end time of day for which this
evaluates to true. The date portions of the DateAndTime TC filter evaluates to true. The date portions of the
are ignored for purposes of evaluating this mask and only spdTimePeriod TC are ignored for purposes of evaluating this
the time specific portions are used. mask and only the time specific portions are used.
This column evaluates to 'true' in two cases. It is 'true' This column evaluates to 'true' if the current time of day
if the current time of day is previous to the time of day is within the range of the start and end times of day
indicated by this object. It is also 'true' if this object indicated by this object."
is equal to the spdTimeFiltTimeOfDayMaskStart object." DEFVAL { "00000000T000000/00000000T240000" }
DEFVAL { '00000000000000002b0000'H } ::= { spdTimeFilterEntry 6 }
::= { spdTimeFilterEntry 8 }
spdTimeFiltLastChanged OBJECT-TYPE spdTimeFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means."
::= { spdTimeFilterEntry 9 } ::= { spdTimeFilterEntry 7 }
spdTimeFiltStorageType OBJECT-TYPE spdTimeFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process may have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdTimeFilterEntry 10 } ::= { spdTimeFilterEntry 8 }
spdTimeFiltRowStatus OBJECT-TYPE spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this "This object indicates the conceptual status of this
row. row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
However, any attempt to set this row to active when the
spdTimeFiltTimeOfDayMaskEnd object is earlier than
spdTimeFiltTimeOfDayMaskStart object should fail with an
inconsistentValue error. Although, setting these objects
to the same value is allowed.
If active, this object must remain active if it is If active, this object must remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table will result in
an inconsistentValue error." an inconsistentValue error."
::= { spdTimeFilterEntry 11 } ::= { spdTimeFilterEntry 9 }
-- --
-- IPSO protection authority filtering -- IPSO protection authority filtering
-- --
spdIpsoHeaderFilterTable OBJECT-TYPE spdIpsoHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
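Review bot: DEFVAL { "00000000T000000/00000000T240000" } for spdTimeFiltTimeOfDayMask uses a date of '00000000' and an hour of '24', neither of which the SpdTimePeriod DESCRIPTION says is a legal value; state in the TC or in this object which date placeholder is expected and whether '240000' is accepted as end of day. With the RowStatus paragraph on start and end removed and the 'equal values' case gone, the text no longer says how a range that crosses midnight is expressed, given that the TC treats an end earlier than the start as inconsistentValue. The DESCRIPTION also writes 'spdTimePeriod TC' where the TC is named SpdTimePeriod. Separately, in the unchanged spdTimeFiltDayOfMonthMask text, DEFVAL { 'fffffffffffffffe'H } leaves the second-to-last bit set although the DESCRIPTION says 'The last two bits in the string MUST be zero'; 'fffffffffffffffc'H would satisfy it.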
skipping to change at page 45, line 19 skipping to change at page 45, line 20
-- drop, accept or reject packets. -- drop, accept or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 } spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE spdDropAction OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be dropped "This scalar indicates that a packet should be dropped
WITHOUT action/packet logging. This object returns a WITHOUT action/packet logging."
value of 1 for IPsec policy implementations that support
the drop static action."
::= { spdStaticActions 1 } ::= { spdStaticActions 1 }
spdDropActionLog OBJECT-TYPE spdDropActionLog OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be dropped "This scalar indicates that a packet should be dropped
WITH action/packet logging. This object returns a value WITH action/packet logging."
of 1 for IPsec policy implementations that support the
drop static action with logging."
::= { spdStaticActions 2 } ::= { spdStaticActions 2 }
spdAcceptAction OBJECT-TYPE spdAcceptAction OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This Scalar indicates that a packet should be accepted "This Scalar indicates that a packet should be accepted
(pass-through) WITHOUT action/packet logging. This (pass-through) WITHOUT action/packet logging."
object returns a value of 1 for IPsec policy
implementations that support the accept static action."
::= { spdStaticActions 3 } ::= { spdStaticActions 3 }
spdAcceptActionLog OBJECT-TYPE spdAcceptActionLog OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be accepted "This scalar indicates that a packet should be accepted
(pass-through) WITH action/packet logging. This object (pass-through) WITH action/packet logging."
returns a value of 1 for IPsec policy implementations
that support the accept static action with logging."
::= { spdStaticActions 4 } ::= { spdStaticActions 4 }
-- --
-- --
-- Notification objects information -- Notification objects information
-- --
-- --
spdNotificationVariables OBJECT IDENTIFIER ::= spdNotificationVariables OBJECT IDENTIFIER ::=
{ spdNotificationObjects 1 } { spdNotificationObjects 1 }
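Review bot: Removing 'This object returns a value of 1 for IPsec policy implementations that support ...' from the four static-action DESCRIPTIONs leaves no statement of what a GET returns or how a manager tells a supported action from an unsupported one; SYNTAX Integer32 (1) fixes the value but not its meaning. Keep a short sentence in each DESCRIPTION saying the object returns 1 when the action is supported, and say what the agent does when it is not (for example, that the object is not instantiated). 'This Scalar' in spdAcceptAction should be lower-cased to match the other three objects.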
skipping to change at page 49, line 5 skipping to change at page 48, line 47
Additionally the spdIPSourceType, spdIPSourceAddress, Additionally the spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, and spdIPDestinationAddress objects spdIPDestinationType, and spdIPDestinationAddress objects
must be included to indicate the packet source and must be included to indicate the packet source and
destination of the packet that triggered the action. destination of the packet that triggered the action.
Finally the spdIPEndpointAddType, spdIPEndpointAddress, Finally the spdIPEndpointAddType, spdIPEndpointAddress,
and spdPacketDirection objects are included to indicate and spdPacketDirection objects are included to indicate
which interface the action was executed in association with which interface the action was executed in association with
and if the packet was ingress or egress through the and if the packet was ingress or egress through the
endpoint. endpoint.
A spdActionNotification should be limited to a maximum of
one notification sent per minute for any action
notifications that do not have any other configuration
controlling their send rate.
Note that compound actions with multiple executed Note that compound actions with multiple executed
subactions may result in multiple notifications being sent subactions may result in multiple notifications being sent
from a single rule execution." from a single rule execution."
::= { spdNotifications 1 } ::= { spdNotifications 1 }
spdPacketNotification NOTIFICATION-TYPE spdPacketNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
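Review bot: The rate limit added to spdActionNotification ('a maximum of one notification sent per minute for any action notifications that do not have any other configuration controlling their send rate') does not say what the limit is counted against: per agent, per notification type, per rule or per action. As written, an implementation may apply it agent-wide, in which case every action executed in the same minute after the first goes unreported to the manager. State the scope explicitly, and consider recommending a counter of suppressed notifications so that the loss is visible to whoever reviews the log.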
skipping to change at page 49, line 36 skipping to change at page 49, line 36
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to spdIPDestinationAddress, objects must be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType, that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects are spdIPEndpointAddress, and spdPacketDirection objects are
included to indicate which endpoint the packet was included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is included to associated with. Finally, spdPacketPart is included to
enable sending a variable sized part of the front of the enable sending a variable sized part of the front of the
packet with the size dependent on the value of the object of packet with the size dependent on the value of the object of
TC syntax 'SpdIPPacketLogging' which indicated logging TC syntax 'SpdIPPacketLogging' which indicated logging
should be done." should be done.
A spdPacketNotification should be limited to a maximum of
one notification sent per minute for any action
notifications that do not have any other configuration
controlling their send rate.
An action notification should be limited to a maximum of
one notification sent per minute for any action
notifications that do not have any other configuration
controlling their send rate."
::= { spdNotifications 2 } ::= { spdNotifications 2 }
-- --
-- --
-- Conformance information -- Conformance information
-- --
-- --
spdCompliances OBJECT IDENTIFIER spdCompliances OBJECT IDENTIFIER
::= { spdConformanceObjects 1 } ::= { spdConformanceObjects 1 }
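Review bot: The spdPacketNotification DESCRIPTION ends with two paragraphs that state the same one-per-minute limit, the second beginning 'An action notification should be limited ...'; one of them should be removed. The paragraph that remains should say 'packet notifications' rather than 'any action notifications', since this is the packet notification and spdActionNotification carries its own limit.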
skipping to change at page 59, line 45 skipping to change at page 60, line 4
OBJECT spdTimeFiltDayOfMonthMask OBJECT spdTimeFiltDayOfMonthMask
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltDayOfWeekMask OBJECT spdTimeFiltDayOfWeekMask
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltLastChanged OBJECT spdTimeFiltLastChanged
DESCRIPTION DESCRIPTION
"This object is not required for compliance." "This object is not required for compliance."
OBJECT spdTimeFiltMonthOfYearMask OBJECT spdTimeFiltMonthOfYearMask
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltPeriodEnd OBJECT spdTimeFiltPeriod
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltPeriodStart
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltRowStatus OBJECT spdTimeFiltRowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltTimeOfDayMaskStart OBJECT spdTimeFiltTimeOfDayMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltTimeOfDayMaskEnd
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdTimeFiltStorageType OBJECT spdTimeFiltStorageType
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
::= { spdCompliances 3 } ::= { spdCompliances 3 }
skipping to change at page 62, line 37 skipping to change at page 62, line 33
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of objects from the IPsec Policy IP "This group is made up of objects from the IPsec Policy IP
Offset Filter Table." Offset Filter Table."
::= { spdGroups 7 } ::= { spdGroups 7 }
spdTimeFilterGroup OBJECT-GROUP spdTimeFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd, spdTimeFiltPeriod,
spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask, spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMaskStart, spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMask,
spdTimeFiltTimeOfDayMaskEnd, spdTimeFiltLastChanged, spdTimeFiltLastChanged,
spdTimeFiltStorageType, spdTimeFiltRowStatus spdTimeFiltStorageType, spdTimeFiltRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of objects from the IPsec Policy Time "This group is made up of objects from the IPsec Policy Time
Filter Table." Filter Table."
::= { spdGroups 8 } ::= { spdGroups 8 }
spdIpsoHeaderFilterGroup OBJECT-GROUP spdIpsoHeaderFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
skipping to change at page 67, line 46 skipping to change at page 67, line 41
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2", Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999. STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580, "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999. April 1999.
[RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen,
"Policy Core Information Model -- Version 1
Specification", RFC 3060, February 2001.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information [RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information
Base for the Differentiated Services Architecture", Base for the Differentiated Services Architecture",
RFC 3289, May 2002. RFC 3289, May 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002. December 2002.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585,
August 2003. August 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005. Addresses", RFC 4001, February 2005.
9.2. Informative References 9.2. Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IPsec Action MIB", Wang, "IPsec Security Policy IPsec Action MIB",
December 2002. December 2002.
 End of changes. 42 change blocks. 
115 lines changed or deleted 122 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/