IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: August 28, October 8, 2006                                      R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                ARO/North Carolina State
                                                              University
                                                       February 24,
                                                           April 6, 2006

            IPsec Security Policy Database Configuration MIB
                     draft-ietf-ipsp-spd-mib-05.txt
                     draft-ietf-ipsp-spd-mib-06.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 28, October 8, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract
   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring the security policy database of a device
   implementing the IPsec protocol.  The policy-based packet filtering
   and the corresponding execution of actions described in this document
   are of a more general nature than for IPsec configuration alone, such
   as for configuration of a firewall.  This MIB module is designed to
   be extensible with other enterprise or standards based defined packet
   filters and actions.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Internet-Standard Management Framework . . . . . . . . . .  3
   3.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   4.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
     4.1.  Usage Tutorial . . . . . . . . . . . . . . . . . . . . . .  5
       4.1.1.  Notational conventions . . . . . . . . . . . . . . . .  5
       4.1.2.  Implementing an example SPD policy . . . . . . . . . .  6
   5.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 64
     6.1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . 64
     6.2.  Protecting against in-authentic access . . . . . . . . . . 65
     6.3.  Protecting against involuntary disclosure  . . . . . . . . 66
     6.4.  Bootstrapping your configuration . . . . . . . . . . . . . 66
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 66
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 67
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 67
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 67
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 68
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69
   Intellectual Property and Copyright Statements . . . . . . . . . . 70

1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The policy-based packet filtering
   and the corresponding execution of actions is of a more general
   nature than for IPsec configuration only, such as for configuration
   of a firewall.  It is possible to extend this MIB module and add
   other packet transforming actions that are performed conditionally on
   an interface's network traffic.

   The IPsec and IKE specific actions as documented in [RFCXXXX] and
   [RFCYYYY] respectively and are not documented in this document.

   Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
   these values are determined.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410]

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The "IPsec Configuration Policy Model"
   (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
   model.  The IPCP document describes a model for configuring IPsec.
   This MIB module is a task specific derivation (i.e. an SMIv2
   instantiation) of the IPCP's IPsec configuration model for use with
   SNMPv3.

   The high-level areas where this MIB module diverges from the IPCP
   model are:

   o  Policies, Groups, Conditions, and some levels of Actions are
      generically named.  In other words, IPsec specific prefixes like
      "SA" (Security Association), or "IPsec" are not used.  This naming
      convention is used because packet classification and the matching
      of conditions to actions is more general than IPsec.  The tables
      in this document can possibly be reused by other packet
      transforming actions which need to conditionally act on packets
      matching filters.

   o  Filters are implemented in a more generic and scalable manner,
      rather than enforcing the condition/filtering pairing of the IPCP
      and its restrictions upon the user.  This MIB module offers a
      compound filter object providing greater flexibility for complex
      filters than the IPCP.

4.  MIB Module Overview

   The MIB module is modularized into several different parts: rules,
   filters, and actions.

   The rules section associates endpoints and groups of rules and
   consists of the spdEndpointToGroupTable, spdGroupContentsTable, and
   the spdRuleDefinitionTable.  Each row of the spdRuleDefinitionTable
   connects a filter to an action.  It should also be noted that by
   referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's
   filter column can indicate a set of filters to be processed.
   Likewise, by referencing the spdCompoundActionTable, the
   spdRuleDefinitionTable's action column can indicate multiple actions
   to be executed.

   This MIB is structured to allow for reuse through the future creation
   of extension tables that provide additional filters and/or actions.
   In fact, the companion documents to this one do just that to define
   IPsec and IKE specific actions to be used within this SPD
   configuration MIB.

   The filter section of the MIB module is composed of the different
   types of filters in the Policy Model.  It is made up of the
   spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable
   spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
   spdCompoundFilterTable, spdIpsoHeaderFilterTable.

   The action section of this MIB module contains only the simple static
   actions required for the firewall processing that an IPsec SPD
   implementation requires (e.g. accept, drop, log, ...).  The companion
   documents of this document define the complex actions necessary for
   IPsec and IKE negotiations.

   As may have been noticed above, the MIB uses recursion similarly in
   several different places.  In particular the spdGroupContentsTable,
   the spdCompoundFilterTable / spdSubfiltersTable combination, and the
   spdCompoundActionTable / spdSubactionsTable combination can reference
   themselves.

   In the case of the spdGroupContentsTable, a row can indicate a rule
   (i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another
   set of one or more rows in the spdGroupContentsTable).  This way a
   group can contain a set of rules and sub-groups.  Sub-groups are just
   other groups defined in the spdGroupContentsTable.  There is no
   inherit MIB limit to the nesting of groups.

   The spdCompoundFilterTable / spdSubfiltersTable combination and
   spdCompoundActionTable / spdSubactionsTable combination are designed
   almost identically with one being for filters and the other for
   actions respectively.  The following descriptions for the compound
   filter tables can be directly applied to the compound action tables.

   The combination of the tables spdCompoundFilterTable and
   spdSubfiltersTable allow a user to create a set of filters that can
   be referenced any table as a single filter.  A row in the
   spdCompoundFilterTable has the basic configuration information for
   the compound filter.  It's name (spdCompFiltname) references a set of
   rows in the spdSubfiltersTable.  Each row in spdSubfiltersTable
   points at a row in another filter table.  In this way, a set of
   ordered filters composing the compound filter is created.  Note that
   it is possible for one of the rows in the spdSubfiltersTable to point
   at a row in the spdCompoundFilterTable.  This recursion allows the
   creation of a filter set that include other filter sets within it.
   There is no inherit MIB limit to the nesting of compound filters
   within compound filters.

4.1.  Usage Tutorial

   In order to use the tables contained in this document, a general
   understanding of firewall processing is necessary.  The processing of
   the security policy database involves applying a set of firewall
   rules to an interface on a device.  The given set of rules to apply
   to any given interface is defined within the ipspEndpointToGroupTable
   table.  This table maps a given interface to a group of rules.  In
   this table, the interface itself is specified using its assigned
   address.  There is also one group of rules per direction (ingress and
   egress).

4.1.1.  Notational conventions

   Notes about the following example operations:

   1.  All the example operations in the following section make use of
       default values for all columns not listed.  The operations and
       column values given in the examples are the minimal SNMP Varbinds
       that must be sent to create a row.

   2.  The example operations are formatted such that a row (i.e. the
       table's Entry object) is operated on by using the indexes to that
       row and the column values for the that row.

   3.  Below is a generic example of the notation used in the following
       section's examples of this MIB's usage.  It indicates that the
       columns column1 and column2 in row rowEntry with indexes index1
       and index2 are being set to value1 and value2 respectively.:

       rowEntry(index1     = value1,
                index2     = value2)
             = (column1        = column_value1,
                column2        = column_value2)

   4.  The below is a specific example of the notation used in the
       following section's examples of this MIB's usage.  The below
       shows the status of a row in the IP-MIB::ipAddressTable table
       being changed to. deprecated.  The index values for this row are
       IPv4 and 192.0.2.1.  The example notation would look like the
       following:

       ipAddressEntry(ipAddressAddrType = 1,           -- ipv4
                      ipAddressAddr     = 0xC0000201 ) -- 192.0.2.1
                   = (ipAddressStatus   = 2)           -- deprecated

4.1.2.  Implementing an example SPD policy

   As an example, let us define the following administrative policy: On
   the network interface with IP address 192.0.2.1, all traffic from
   host 192.0.2.6 will be dropped and all other traffic will be
   accepted.

   This policy is enforced by setting the values in the MIB to do the
   following:

   o  create a filter for 192.0.2.6

   o  create a rule that connects the 192.0.2.6 filter to a packet drop
      action

   o  create a rule that always accepts packets
   o  group these rules together in the proper order so that the
      192.0.2.6 drop rule is checked first.

   o  connect this group of rules to the 192.0.2.1 interface

   The first step to do this is creating the filter for the IPv4 address
   192.0.2.6:

   SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6")
         = (spdIpHeadFiltType            = 0x80,        -- sourceAddress
            spdIpHeadFiltIPVersion       = 1,           -- IPv4
            spdIpHeadFiltSrcAddressBegin = 0xC0000206,  -- 192.0.2.6
            spdIpHeadFiltSrcAddressEnd   = 0xC0000206,  -- 192.0.2.6
            spdIpHeadFiltRowStatus       = 4)           -- createAndGo

   Next, a rule is created to connect the above "192.0.2.6" filter to an
   action to "drop" the packet, as follows:

   spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6")
         = (spdRuleDefFilter             =
                   spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54,
            spdRuleDefAction             = spdDropAction.0,
            spdRuleDefRowStatus          = 4)           -- createAndGo

   Next, a rule is created that accepts all packets:

   spdRuleDefinitionEntry(spdRuleDefName = "accept all")
         = (spdRuleDefFilter             = spdTrueFilter.0,
            spdRuleDefAction             = spdAcceptAction.0,
            spdRuleDefRowStatus          = 4)           -- createAndGo

   Next, these two rules are grouped together.  Rule groups attached to
   an interface are processed one row at a time.  The rows are processed
   from lowest to highest spdGroupContPiority value.  Because the row
   that references the "accept all" rule should be processed last, it is
   given the higher spdGroupContPriority value.

   SpdGroupContentsEntry(spdGroupContName     = "ingress",
                         spdGroupContPriority = 65535)
        = (spdGroupContComponentName          = "accept all",
           spdGroupContRowStatus              = 4)      -- createAndGo

   SpdGroupContentsEntry(spdGroupContName     = "ingress",
                         spdGroupContPriority = 1000)
        = (spdGroupContComponentName          = "drop from 192.0.2.6",
           spdGroupContRowStatus              = 4)      -- createAndGo

   Finally, this group of rules is connected to the 192.0.2.1 interface
   as follows:

   SpdEndpointToGroupEntry(spdEndGroupDirection = 1,    -- ingress
                           spdEndGroupIdentType = 4,    -- IPv4
                           spdEndGroupAddress   = 0xC0000001)

        = (spdEndGroupName = "ingress",
           spdEndGroupRowStatus = 4)                    -- createAndGo

   This completes the necessary steps to implement the policy.  Once all
   of these rules have been applied, the policy should take effect.

5.  MIB definition

   The following MIB Module imports from: [RFC2578], [RFC2579],
   [RFC2580], [RFC3411], [RFC4001], [RFC3289].  It also uses definitions
   from [RFC1108]. [RFC1108], [RFC3060], and [RFC3629].

   IPSEC-SPD-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
       mib-2                        FROM SNMPv2-SMI
                                           -- [RFC2578]

       TEXTUAL-CONVENTION, RowStatus, TruthValue,
       TimeStamp, StorageType, VariablePointer, DateAndTime VariablePointer
                                           FROM SNMPv2-TC
                                           -- [RFC2579]

       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                                           FROM SNMPv2-CONF
                                           -- [RFC2580]

       SnmpAdminString                     FROM SNMP-FRAMEWORK-MIB
                                           -- [RFC3411]

       InetAddressType, InetAddress
                                           FROM INET-ADDRESS-MIB
                                           -- [RFC3291]

       diffServMIBMultiFieldClfrGroup, IfDirection,
       diffServMultiFieldClfrNextFree
                                           FROM DIFFSERV-MIB
                                           -- [RFC3289]
       ;

   --
   -- module identity
   --

   spdMIB MODULE-IDENTITY
       LAST-UPDATED "200602240000Z" "200604060000Z"            -- 24 February 6 April 2006
       ORGANIZATION "IETF IP Security Policy Working Group"
       CONTACT-INFO "Michael Baer
                     Sparta, Inc.
                     Phone: +1 530 902 3131
                     Email: baerm@tislabs.com

                     Ricky Charlet
                     Email: rcharlet@alumni.calpoly.edu

                     Wes Hardaker
                     Sparta, Inc.
                     P.O. Box 382
                     Davis, CA  95617
                     Phone: +1 530 792 1913
                     Email: hardaker@tislabs.com

                     Robert Story
                     Revelstone Software
                     PO Box 1812
                     Tucker, GA 30085
                     Phone: +1 770 617 3722
                     Email: ipsp-mib@revelstone.com

                     Cliff Wang
                     SmartPipes Inc.
                     Suite 300, 565 Metro Place South
                     Dublin, OH 43017
                     Phone: +1 614 923 6241
                     E-Mail: cliffwang2000@yahoo.com"
       DESCRIPTION
        "This MIB module defines configuration objects for managing
         IPsec Security Policies.

         Copyright (C) The Internet Society (2005). (2006). This version of
         this MIB module is part of RFC ZZZZ, see the RFC itself for
         full legal notices."

   -- Revision History
       REVISION     "200602240000Z"     "200604060000Z"            -- 24 February 6 April 2006
       DESCRIPTION  "Initial version, published as RFC ZZZZ."
       -- RFC-editor assigns ZZZZ

   -- xxx: To be assigned by IANA
       ::= { mib-2 xxx }

   --
   -- groups of related objects
   --

   spdConfigObjects         OBJECT IDENTIFIER
        ::= { spdMIB 1 }
   spdNotificationObjects   OBJECT IDENTIFIER
        ::= { spdMIB 2 }
   spdConformanceObjects    OBJECT IDENTIFIER
        ::= { spdMIB 3 }
   spdActions                OBJECT IDENTIFIER
        ::= { spdMIB 4 }

   --
   -- Textual Conventions
   --

   SpdBooleanOperator ::= TEXTUAL-CONVENTION
       STATUS   current
       DESCRIPTION
           "The SpdBooleanOperator operator is used to specify
            whether sub-components in a decision making process are
            ANDed or ORed together to decide if the resulting
            expression is true or false."
       SYNTAX      INTEGER { or(1), and(2) }

   SpdAdminStatus ::= TEXTUAL-CONVENTION
       STATUS   current
       DESCRIPTION
           "The SpdAdminStatus is used to specify the administrative
            status of an object. Objects which are disabled must not
            be used by the packet processing engine."
       SYNTAX      INTEGER { enabled(1), disabled(2) }

   SpdIPPacketLogging ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS   current
       DESCRIPTION
           "SpdIPPacketLogging specifies whether an audit message
           should be logged if a packet is passed through a Security
           Association (SA) and if some of that packet should be
           included in the log event.  A value of '-1' indicates no
           logging.  A value of '0' or greater indicates that logging
           should be done and indicates the number of bytes starting at
           the beginning of the packet to place in the log.  Values
           greater than the size of the packet being processed indicate
           that the entire packet should be sent.

            Examples:
            '-1' no logging
            '0'  log but do not include any of the packet in the log
            '20' log and include the first 20 bytes of the packet
                 in the log."

       SYNTAX      Integer32 (-1..65535)

   SpdTimePeriod ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "31t"
       STATUS       current
       DESCRIPTION
           "This property identifies an overall range of calendar dates
            and time.  In a boolean context, a value within this time
            range, inclusive, is considered true.  T

            This information is encoded as an octet string using
            the UTF-8 transformation format described in STD 63,
            RFC3629.

            It uses the format suggested in RFC 3060.  An octet string
            represents a start date and time and an end date and time.
            For example:

            yyyymmddThhmmss/yyyymmddThhmmss

            Where: yyyy = year     mm = month     dd = day
                     hh = hour     mm = minute    ss = second

            The first 'yyyymmddThhmmss' sub-string indicates the start
            date and time.  The second 'yyyymmddThhmmss' sub-string
            indicates the end date and time.  The character 'T' within
            these sub-strings indicates the beginning of the time
            portion of each sub-string.  The solidus character '/'
            separates the start from the end date and time.  The end
            date and time must be subsequent to the start date and
            time.

            There are also two allowed substitutes for a
            'yyyymmddThhmmss' sub-string.  One for the start date and
            time and one for the end date and time.

            If the start date and time is replaced with the string
            'THISANDPRIOR', this sub-string would indicate the current
            date and the time and the dates and time previous.

            If the end date and time is replaced with the string
            'THISANDFUTURE', this sub-string would indicate the current
            date and time and the dates and time subsequent.

            Any of the following should be considered an
            inconsistentValue:
            - Setting a value with the end date and time earlier than
              the start data and time.
            - Setting the start date and time to 'THISANDFUTURE'.
            - Setting the end date and time to 'THISANDPRIOR'."
       REFERENCE "RFC 3060"
       SYNTAX      OCTET STRING (SIZE (0..31))
   --
   -- Policy group definitions
   --

   spdLocalConfigObjects OBJECT IDENTIFIER
        ::= { spdConfigObjects 1 }

   spdIngressPolicyGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the global system policy group that
           is to be applied on ingress packets (I.E., arriving at a
           interface) when a given endpoint does not contain a policy
           definition in the spdEndpointToGroupTable.  Its value can be
           used as an index into the spdGroupContentsTable to retrieve
           a list of policies.  A zero length string indicates no
           system wide policy exists and the default policy of 'drop'
           should be executed for ingress packets until one is imposed
           by either this object or by the endpoint processing a given
           packet.

           This object MUST be persistent"
       DEFVAL { "" }
       ::= { spdLocalConfigObjects 1 }

   spdEgressPolicyGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object indicates the policy group containing the
            global system policy that is to be applied on egress
            packets (I.E., leaving an interface) when a given endpoint
            does not contain a policy definition in the
            spdEndpointToGroupTable.  Its value can be used as an index
            into the spdGroupContentsTable to retrieve a list of
            policies.  A zero length string indicates no system wide
            policy exits and the default policy of 'drop' should be
            executed for egress packets until one is imposed by either
            this object or by the endpoint processing a given packet.

            This object MUST be persistent"
       DEFVAL { "" }
       ::= { spdLocalConfigObjects 2 }

   spdEndpointToGroupTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdEndpointToGroupEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table maps policies (groupings) onto an endpoint where
           traffic is to pass by.  Any policy group assigned to an
           endpoint is then used to control access to the traffic
           passing by it.

           If an endpoint has been configured with a policy group and
           no rule within that policy group matches the ingress packet,
           the default action in this case shall be to drop the packet.

           If no policy group has been assigned to an endpoint, then
           the policy group specified by spdSystemPolicyGroupName
           MUST be used for the endpoint."
       ::= { spdConfigObjects 2 }

   spdEndpointToGroupEntry OBJECT-TYPE
       SYNTAX      SpdEndpointToGroupEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A mapping assigning a policy group to an endpoint.

           Note: Since the spdEndGroupAddressType object currently only
           allows for IPv4 and IPv6 address, the spdEndGroupAddress
           value should be either 4 or 16 octets long.  But
           implementors should be aware that if the size of
           spdEndGroupAddress ever exceeds 115 octets, column instance
           OIDs (i.e. the index) for this table will have more than 128
           sub-identifiers and will be unaccessible using SNMPv1,
           SNMPv2c, or SNMPv3."
       INDEX { spdEndGroupDirection, spdEndGroupAddressType,
              spdEndGroupAddress }
       ::= { spdEndpointToGroupTable 1 }

   SpdEndpointToGroupEntry ::= SEQUENCE {
       spdEndGroupDirection                      IfDirection,
       spdEndGroupAddressType                    InetAddressType,
       spdEndGroupAddress                        InetAddress,
       spdEndGroupName                           SnmpAdminString,
       spdEndGroupLastChanged                    TimeStamp,
       spdEndGroupStorageType                    StorageType,
       spdEndGroupRowStatus                      RowStatus
   }

   spdEndGroupDirection OBJECT-TYPE
       SYNTAX      IfDirection
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object indicates which direction of packets crossing
            the interface should be associated with which
            spdEndGroupName object.  Ingress packets, or packets into
            the device match when this value is inbound(1).  Egress
            packets or packets out of the device match when this value
            is outbound(2)."
       ::= { spdEndpointToGroupEntry 1 }

   spdEndGroupAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Internet Protocol version of the address associated
            with a given endpoint.  All addresses are represented as an
            array of octets in network byte order.  When combined with
            the spdEndGroupAddress these objects can be used to
            uniquely identify an endpoint that a set of policy groups
            should be applied to.  Devices supporting IPv4 MUST support
            the ipv4 value, and devices supporting IPv6 MUST support
            the ipv6 value."
       ::= { spdEndpointToGroupEntry 2 }

   spdEndGroupAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The address of a given endpoint.  The format of this object
           is specified by the spdEndGroupAddressType object."
       ::= { spdEndpointToGroupEntry 3 }

   spdEndGroupName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The policy group name to apply to this endpoint.  The
            value of the spdEndGroupName object should then be used
            as an index into the spdGroupContentsTable to come up
            with a list of rules that MUST be applied to this
            endpoint."
       ::= { spdEndpointToGroupEntry 4 }

   spdEndGroupLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdEndpointToGroupEntry 5 }

   spdEndGroupStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdEndpointToGroupEntry 6 }

   spdEndGroupRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object is considered 'notReady' and may not be set to
            active until one or more active rows exist within the
            spdGroupContentsTable for the group referenced by the
            spdEndGroupName object."
       ::= { spdEndpointToGroupEntry 7 }

   --
   -- policy group definition table
   --

   spdGroupContentsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdGroupContentsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of rules and/or subgroups
            contained within a given policy group.  For a given value
            of spdGroupContName, the set of rows sharing that value
            forms a 'group'.  The rows in a group MUST be processed
            according to the value of the spdGroupContPriority object.
            The processing MUST be executed starting with the lowest
            value of spdGroupContPriority and in ascending order
            thereafter.

            If an action is executed as the result of the procesing of
            a row in a group, the processing of further rows in that
            group MUST stop.  Iterating to the next policy group row by
            finding the next largest spdGroupContPriority object shall
            only be done if no actions were run while processing the
            current row for a given packet."
       ::= { spdConfigObjects 3 }

   spdGroupContentsEntry OBJECT-TYPE
       SYNTAX      SpdGroupContentsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines a given sub-component within a policy group.  A
            sub-component is either a rule or another group as
            indicated by spdGroupContCompontentType and referenced by
            spdGroupContCompontentName."
       INDEX   { spdGroupContName, spdGroupContPriority }
       ::= { spdGroupContentsTable 1 }

   SpdGroupContentsEntry ::= SEQUENCE {
       spdGroupContName                        SnmpAdminString,
       spdGroupContPriority                    Integer32,
       spdGroupContFilter                      VariablePointer,
       spdGroupContComponentType               INTEGER,
       spdGroupContComponentName               SnmpAdminString,
       spdGroupContLastChanged                 TimeStamp,
       spdGroupContStorageType                 StorageType,
       spdGroupContRowStatus                   RowStatus
   }

   spdGroupContName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name of this group.  A 'group' is formed
           by all the rows in this table that have the same value of
           this object."
       ::= { spdGroupContentsEntry 1 }

   spdGroupContPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority (sequence number) of the sub-component in
            this group.  This value indicates the order that each row
            of this table should be processed from low to high.  For
            example, a row with a priority of 0 is processed before a
            row with a priority of 1, a 1 before a 2, etc...."
       ::= { spdGroupContentsEntry 2 }

   spdGroupContFilter OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdGroupContFilter points to a filter which is evaluated
            to determine whether the spdGroupContComponentName within
            this row should be exercised.  Managers can use this object
            to classify groups of rules or subgroups together in order
            to achieve a greater degree of control and optimization
            over the execution order of the items within the group.  If
            the filter evaluates to false, the rule or subgroup will be
            skipped and the next rule or subgroup will be evaluated
            instead.  This value can be used to indicate a scalar or a
            row in a table.  When indicating a row in a table, this
            value MUST point to the first column instance in that row.

            An example usage of this object would be to limit a
            group of rules to executing only when the IP packet
            being process is designated to be processed by IKE.
            This effectively creates a group of IKE specific rules.

            This MIB defines the following tables and scalars which may
            be pointed to by this column.  Implementations may choose
            to provide support for other filter tables or scalars as
            well:

                   diffServMultiFieldClfrTable
                   spdIpOffsetFilterTable
                   spdTimeFilterTable
                   spdCompoundFilterTable
                   spdTrueFilter
                   spdIpsoHeaderFilterTable

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table, the inconsistentValue exception should be returned.
            If
            table or if the table or scalar pointed to by the
            VariablePointer is not supported at all, then an genErr the
            inconsistentValue exception should be returned.

            If during packet processing this column has a value that
            references a non-existent or non-supported object, the
            packet should be dropped."
       DEFVAL { spdTrueFilter }
       ::= { spdGroupContentsEntry 3 }

   spdGroupContComponentType OBJECT-TYPE
       SYNTAX      INTEGER { group(1), rule(2) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the spdGroupContComponentName object
            is the name of another group defined within the
            spdGroupContentsTable or is the name of a rule defined
            within the spdRuleDefinitionTable."
       DEFVAL { rule }
       ::= { spdGroupContentsEntry 4 }

   spdGroupContComponentName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name of the policy rule or subgroup contained within
            this group, as indicated by the spdGroupContComponentType
            object."
       ::= { spdGroupContentsEntry 5 }

   spdGroupContLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdGroupContentsEntry 6 }

   spdGroupContStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdGroupContentsEntry 7 }

   spdGroupContRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object may not be set to active until the row to which
            the spdGroupContComponentName points to exists and is
            active.

            If active, this object MUST remain active unless one of the
            following two conditions are met:

            I.  No active row in spdEndpointToGroupTable exists which
                references this row's group (i.e. indicate this row's
                spdGroupContName).
            II. Or at least one other active row in this table has a
                matching spdGroupContName.

            If neither condition is met, an attempt to set this row to
            something other than active should result in an
            inconsistentValue error."
       ::= { spdGroupContentsEntry 8 }

   --
   -- policy definition table
   --

   spdRuleDefinitionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdRuleDefinitionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table defines a rule by associating a filter
            or a set of filters to an action to be executed."
       ::= { spdConfigObjects 4 }

   spdRuleDefinitionEntry OBJECT-TYPE
       SYNTAX      SpdRuleDefinitionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row defining a particular rule definition.  A rule
            definition binds a filter pointer to an action pointer."
       INDEX   { spdRuleDefName }
       ::= { spdRuleDefinitionTable 1 }

   SpdRuleDefinitionEntry ::= SEQUENCE {
       spdRuleDefName                          SnmpAdminString,
       spdRuleDefDescription                   SnmpAdminString,
       spdRuleDefFilter                        VariablePointer,
       spdRuleDefFilterNegated                 TruthValue,
       spdRuleDefAction                        VariablePointer,
       spdRuleDefAdminStatus                   SpdAdminStatus,
       spdRuleDefLastChanged                   TimeStamp,
       spdRuleDefStorageType                   StorageType,
       spdRuleDefRowStatus                     RowStatus
   }

   spdRuleDefName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "spdRuleDefName is the administratively assigned name of
            the rule referred to by the spdGroupContComponentName
            object."
       ::= { spdRuleDefinitionEntry 1 }

   spdRuleDefDescription OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user defined string.  This field may be used for
            administrative tracking purposes."
       DEFVAL { "" }
       ::= { spdRuleDefinitionEntry 2 }

   spdRuleDefFilter OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdRuleDefFilter points to a filter which is used to
            evaluate whether the action associated with this row should
            be executed or not.  The action will only fire if the
            filter referenced by this object evaluates to TRUE after
            first applying any negation required by the
            spdRuleDefFilterNegated object.

            This MIB defines the following tables and scalars which
            may be pointed to by this column.  Implementations may
            choose to provide support for other filter tables or
            scalars as well:

                   diffServMultiFieldClfrTable
                   spdIpOffsetFilterTable
                   spdTimeFilterTable
                   spdCompoundFilterTable
                   spdTrueFilter

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table, the inconsistentName exception should be returned.
            If the table or scalar pointed to by the VariablePointer is
            not supported at all, then an inconsistentValue exception
            should be returned.

            If during packet processing this column has a value that
            references a non-existent or non-supported object, the
            packet should be dropped."
       ::= { spdRuleDefinitionEntry 3 }

   spdRuleDefFilterNegated OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdRuleDefFilterNegated specifies whether the filter
            referenced by the spdRuleDefFilter object should be
            negated or not."
       DEFVAL { false }
       ::= { spdRuleDefinitionEntry 4 }

   spdRuleDefAction OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This column points to the action to be taken.  It may,
            but is not limited to, point to a row in one of the
            following tables:

               spdCompoundActionTable
               ipsaSaPreconfiguredActionTable
               ipiaIkeActionTable
               ipiaIpsecActionTable

            It may also point to one of the scalar objects beneath
            spdStaticActions.

            If this object is set to a pointer to a row in an
            unsupported (or unknown) table, an inconsistentValue
            error should be returned.

            If this object is set to point to a non-existent row in
            an otherwise supported table, an inconsistentName error
            should be returned.

            If during packet processing this column has a value that
            references a non-existent or non-supported object, the
            packet should be dropped."
       ::= { spdRuleDefinitionEntry 5 }

   spdRuleDefAdminStatus OBJECT-TYPE
       SYNTAX      SpdAdminStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the current rule definition is considered
           active.  If the value is enabled the rule MUST be evaluated
           when processing packets.  If the value is disabled, the
           packet processing MUST continue as if this rule's filter
           had effectively failed."
       DEFVAL { enabled }
       ::= { spdRuleDefinitionEntry 6 }

   spdRuleDefLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdRuleDefinitionEntry 7 }

   spdRuleDefStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdRuleDefinitionEntry 8 }

   spdRuleDefRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object may not be set to active until the containing
            conditions, filters and actions have been defined.  Once
            active, it must remain active until no active
            policyGroupContents entries are referencing it.  A failed
            attempt to do so should return an inconsistentValue error."
       ::= { spdRuleDefinitionEntry 9 }

   --
   -- Policy compound filter definition table
   --

   spdCompoundFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdCompoundFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table defining a compound set of filters and the set's
            associated parameters.  A row in this table can be pointed
            to by a spdRuleDefFilter object."
       ::= { spdConfigObjects 5 }

   spdCompoundFilterEntry OBJECT-TYPE
       SYNTAX      SpdCompoundFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in the spdCompoundFilterTable.  A filter
            defined by this table is considered to have a TRUE return
            value if and only if:

            spdCompFiltLogicType is AND and all of the sub-filters
            associated with it, as defined in the spdSubfiltersTable,
            are all true themselves (after applying any required
            negation as defined by the ficFilterIsNegated object).

            spdCompFiltLogicType is OR and at least one of the
            sub-filters associated with it, as defined in the
            spdSubfiltersTable, is true itself (after applying any
            required negation as defined by the ficFilterIsNegated
            object."
       INDEX       { spdCompFiltName }
       ::= { spdCompoundFilterTable 1 }

   SpdCompoundFilterEntry ::= SEQUENCE {
       spdCompFiltName                          SnmpAdminString,
       spdCompFiltDescription                   SnmpAdminString,
       spdCompFiltLogicType                     SpdBooleanOperator,
       spdCompFiltLastChanged                   TimeStamp,
       spdCompFiltStorageType                   StorageType,
       spdCompFiltRowStatus                     RowStatus
   }
   spdCompFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A user definable string.  This value is used as an index
           into this table."
       ::= { spdCompoundFilterEntry 1 }

   spdCompFiltDescription OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user definable string.  You may use this field for
            your administrative tracking purposes."
       DEFVAL { "" }
       ::= { spdCompoundFilterEntry 2 }

   spdCompFiltLogicType OBJECT-TYPE
       SYNTAX      SpdBooleanOperator
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the filters contained within this
            filter are functionally ANDed or ORed together."
       DEFVAL { and }
       ::= { spdCompoundFilterEntry 3 }

   spdCompFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdCompoundFilterEntry 4 }

   spdCompFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdCompoundFilterEntry 5 }

   spdCompFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            Once active, it may not have its value changed if any
            active rows in the spdRuleDefinitionTable are currently
            pointing at this row."
       ::= { spdCompoundFilterEntry 6 }

   --
   -- Policy filters in a cf table
   --

   spdSubfiltersTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdSubfiltersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table defines a list of filters contained within a
            given compound filter set defined in the
            spdCompoundFilterTable."
       ::= { spdConfigObjects 6 }

   spdSubfiltersEntry OBJECT-TYPE
       SYNTAX      SpdSubfiltersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in a list of filters for a given compound
            filter.  A list is formed by the set of rows in this table
            that share the same value of spdCompFiltName.  There will
            also be an associated row in the spdCompoundFilterTable
            with parameters specific to the filter set."
       INDEX       {  spdCompFiltName, spdSubFiltPriority }
       ::= { spdSubfiltersTable 1 }

   SpdSubfiltersEntry ::= SEQUENCE {
       spdSubFiltPriority                      Integer32,
       spdSubFiltSubfilter                     VariablePointer,
       spdSubFiltSubfilterIsNegated            TruthValue,
       spdSubFiltLastChanged                   TimeStamp,
       spdSubFiltStorageType                   StorageType,
       spdSubFiltRowStatus                     RowStatus
   }

   spdSubFiltPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority of a given filter within a set of filters.
           The order of execution should be from lowest to highest
           priority value (i.e., priority 0 before priority 1, 1 before
           2, etc...).  Implementations MAY choose to follow this
           ordering as set by the manager that created the rows.  This
           can allow a manager to intelligently construct filter lists
           such that faster filters are evaluated first."
       ::= { spdSubfiltersEntry 1 }

   spdSubFiltSubfilter OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The location of the contained filter.  The value of this
            column should be a VariablePointer which references the
            properties for the filter to be included in this compound
            filter.

            This MIB defines the following tables and scalars which
            may be pointed to by this column.  Implementations may
            choose to provide support for other filter tables or
            scalars as well:

                   diffServMultiFieldClfrTable
                   spdIpsoHeaderFilterTable
                   spdIpOffsetFilterTable
                   spdTimeFilterTable
                   spdCompoundFilterTable
                   spdTrueFilter

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table, the inconsistentName exception should be
            returned.  If the table or scalar pointed to by the
            VariablePointer is not supported at all, then an
            inconsistentValue exception should be returned.

            If during packet processing this column has a value that
            references a non-existent or non-supported object, the
            packet should be dropped."
       ::= { spdSubfiltersEntry 2 }

   spdSubFiltSubfilterIsNegated OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the result of applying this subfilter
            should be negated."
       DEFVAL { false }
       ::= { spdSubfiltersEntry 3 }

   spdSubFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdSubfiltersEntry 4 }

   spdSubFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdSubfiltersEntry 5 }

   spdSubFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object can not be made active until a filter
            referenced by the spdSubFiltSubfilter object is both
            defined and is active.  An attempt to do so will result in
            an inconsistentValue error.

            If active, this object MUST remain active unless one of the
            following two conditions are met:

            I.  No active row in the SpdCompoundFilterTable exists
                which has a matching spdCompFiltName.
            II. Or at least one other active row in this table has a
                matching spdCompFiltName.

            If neither condition is met, an attempt to set this row to
            something other than active should result in an
            inconsistentValue error."
       ::= { spdSubfiltersEntry 6 }

   --
   -- Static Filters
   --

   spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }

   spdTrueFilter OBJECT-TYPE
           SYNTAX      Integer32 (1)
           MAX-ACCESS  read-only
           STATUS      current
           DESCRIPTION
               "This scalar indicates a (automatic) true result for
                a filter.  I.e. this is a filter that is always
                true, useful for adding as a default filter for a
                default action or a set of actions."
           ::= { spdStaticFilters 1 }

   spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }

   --
   -- Policy IP Offset filter definition table
   --

   spdIpOffsetFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdIpOffsetFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of filter definitions to be
            used within the spdRuleDefinitionTable or the
            spdSubfiltersTable.

            This filter is used to compare an administrator set
            variable length octet string to the octets at a particular
            location in a packet."
       ::= { spdConfigObjects 8 }

   spdIpOffsetFilterEntry OBJECT-TYPE
       SYNTAX      SpdIpOffsetFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A definition of a particular filter."
       INDEX       {  spdIpOffFiltName }
       ::= { spdIpOffsetFilterTable 1 }

   SpdIpOffsetFilterEntry ::= SEQUENCE {
       spdIpOffFiltName                         SnmpAdminString,
       spdIpOffFiltOffset                       Integer32,
       spdIpOffFiltType                         INTEGER,
       spdIpOffFiltValue                        OCTET STRING,
       spdIpOffFiltLastChanged                  TimeStamp,
       spdIpOffFiltStorageType                  StorageType,
       spdIpOffFiltRowStatus                    RowStatus
   }

   spdIpOffFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name for this filter."
       ::= { spdIpOffsetFilterEntry 1 }

   spdIpOffFiltOffset OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This is the byte offset from the front of the entire IP
           packet where the value or arithmetic comparison is done.  A
           value of '0' indicates the first byte of the packet header."
       ::= { spdIpOffsetFilterEntry 2 }
   spdIpOffFiltType OBJECT-TYPE
       SYNTAX INTEGER { equal(1),
                        notEqual(2),
                        arithmeticLess(3),
                        arithmeticGreaterOrEqual(4),
                        arithmeticGreater(5),
                        arithmeticLessOrEqual(6) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This defines the various tests that are used when
            evaluating a given filter.

            The various tests definable in this table are as follows:

            equal:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
                a value in the packet starting at the given offset in
                the packet and comparing the entire OCTET STRING of
                'spdIpOffFiltValue'.  Any numeric values compared this
                way are assumed to be unsigned integer values in
                network byte order of the same length as
                'spdIpOffFiltValue'.

            notEqual:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
                not match a value in the packet starting at the given
                offset in the packet and comparing to the entire OCTET
                STRING of 'spdIpOffFiltValue'.  Any numeric values
                compared this way are assumed to be unsigned integer
                values in network byte order of the same length as
                'spdIpOffFiltValue'.

            arithmeticLess:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically less than ('<') the value starting at
                the given offset within the packet.  The value in the
                packet is assumed to be an unsigned integer in network
                byte order of the same length as 'spdIpOffFiltValue'.

            arithmeticGreaterOrEqual:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically greater than or equal to ('>=') the
                value starting at the given offset within the packet.
                The value in the packet is assumed to be an unsigned
                integer in network byte order of the same length as
                'spdIpOffFiltValue'.

            arithmeticGreater:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically greater than ('>') the value starting at
                the given offset within the packet.  The value in the
                packet is assumed to be an unsigned integer in network
                byte order of the same length as 'spdIpOffFiltValue'.

            arithmeticLessOrEqual:
              - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
                arithmetically less than or equal to ('<=') the value
                starting at the given offset within the packet.  The
                value in the packet is assumed to be an unsigned
                integer in network byte order of the same length as
                'spdIpOffFiltValue'."

       ::= { spdIpOffsetFilterEntry 3 }

   spdIpOffFiltValue OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(1..1024))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "spdIpOffFiltValue is used for match comparisons of a
            packet at spdIpOffFiltOffset."
       ::= { spdIpOffsetFilterEntry 4 }

   spdIpOffFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdIpOffsetFilterEntry 5 }

   spdIpOffFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdIpOffsetFilterEntry 6 }

   spdIpOffFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table will result in
            an inconsistentValue error."
       ::= { spdIpOffsetFilterEntry 7 }

   --
   -- Time/scheduling filter table
   --

   spdTimeFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdTimeFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines a table of filters which can be used to
            effectively enable or disable policies based on a valid
            time range."
       ::= { spdConfigObjects 9 }

   spdTimeFilterEntry OBJECT-TYPE
       SYNTAX      SpdTimeFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row describing a given time frame for which a policy
            may be filtered on to place the rule active or
            inactive.

            If all the column objects in a row are true for the current
            time, the row evaluates as 'true'.  More explicitly, the
            time matching column objects in a row MUST be logically
            AND'd together to form the boolean true/false for the row."
       INDEX   { spdTimeFiltName }
       ::= { spdTimeFilterTable 1 }

   SpdTimeFilterEntry ::= SEQUENCE {
       spdTimeFiltName                 SnmpAdminString,
       spdTimeFiltPeriodStart          DateAndTime,
       spdTimeFiltPeriodEnd            DateAndTime,
       spdTimeFiltPeriod               SpdTimePeriod,
       spdTimeFiltMonthOfYearMask      BITS,
       spdTimeFiltDayOfMonthMask       OCTET STRING,
       spdTimeFiltDayOfWeekMask        BITS,
       spdTimeFiltTimeOfDayMaskStart   DateAndTime,
       spdTimeFiltTimeOfDayMaskEnd     DateAndTime,
       spdTimeFiltTimeOfDayMask        SpdTimePeriod,
       spdTimeFiltLastChanged          TimeStamp,
       spdTimeFiltStorageType          StorageType,
       spdTimeFiltRowStatus            RowStatus
   }

   spdTimeFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An administratively assigned name for this filter."
       ::= { spdTimeFilterEntry 1 }

   spdTimeFiltPeriodStart

   spdTimeFiltPeriod OBJECT-TYPE
       SYNTAX      DateAndTime      SpdTimePeriod
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The starting valid time period for this filter.  This column is
           considered 'true' if the current time evaluates as later
           than is within the range of
           this object.

           Note: the default value of this object is the minimum value
           for a DateAndTime object and should evaluate to 'true'
           for any realistic time." object."
       DEFVAL { '00000101000000002b0000'H "THISANDPRIOR/THISANDFUTURE" }
       ::= { spdTimeFilterEntry 2 }

   spdTimeFiltPeriodEnd OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The ending time for this filter.  This column is considered
           'true' if the current time evaluates as previous to this
           object.

           Note: the default value for this object is the maximum value
           for a DateAndTime object and should evaluate to 'true' for
           any realistic time."
       DEFVAL { '99991231235959092b0000'H }
       ::= { spdTimeFilterEntry 3 }

   spdTimeFiltMonthOfYearMask OBJECT-TYPE
       SYNTAX      BITS { january(0), february(1), march(2),
                          april(3), may(4), june(5), july(6),
                          august(7), september(8), october(9),
                          november(10), december(11) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A bit mask which indicates acceptable months of the year.
           This column evaluates to 'true' if the current month's bit
           is set."
       DEFVAL { { january, february, march, april, may, june, july,
                  august, september, october, november, december } }
       ::= { spdTimeFilterEntry 4 3 }

   spdTimeFiltDayOfMonthMask OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(8))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Defines which days of the month the current time is
            valid for.  It is a sequence of 64 BITS, where each BIT
            represents a corresponding day of the month in forward or
            reverse order.  Starting from the left most bit, the first
            31 bits identify the day of the month counting from the
            beginning of the month.  The following 31 bits (bits 32-62)
            indicate the day of the month counting from the end month.
            For months with fewer than 31 days, the bits that
            correspond to the non-existing days of that month are
            ignored (e.g. for non-leap year Februarys, bits 29-31 and
            60-62 are ignored).

            This column evaluates to 'true' if the current day of the
            month's bit is set.

            For example, A value of 0X'80 00 00 01 00 00 00 00'
            indicates that this column evaluates to true on the first
            and last days of the month.

            The last two bits in the string MUST be zero."
       DEFVAL { 'fffffffffffffffe'H }
       ::= { spdTimeFilterEntry 5 4 }

   spdTimeFiltDayOfWeekMask OBJECT-TYPE
       SYNTAX      BITS { sunday(0), monday(1), tuesday(2),
                          wednesday(3), thursday(4), friday(5),
                          saturday(6) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A bit mask which defines which days of the week the current
           time is valid for.  This column evaluates to 'true' if the
           current day of the week's bit is set."
       DEFVAL { { monday, tuesday, wednesday, thursday, friday,
                  saturday, sunday } }
       ::= { spdTimeFilterEntry 6 5 }

   spdTimeFiltTimeOfDayMaskStart

   spdTimeFiltTimeOfDayMask OBJECT-TYPE
       SYNTAX      DateAndTime      SpdTimePeriod
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates the starting start and end time of day for which this
            filter evaluates to true.  The date portions of the DateAndTime
            spdTimePeriod TC are ignored for purposes of evaluating this
            mask and only the time specific portions are used.

            This column evaluates to 'true' in two cases.  It is 'true' if the current time of day
            is later than the time of day
            indicated by this object.  It is also 'true' if this object
            is equal to the spdTimeFiltTimeOfDayMaskEnd object."
       DEFVAL { '00000000000000002b0000'H }
       ::= { spdTimeFilterEntry 7 }

   spdTimeFiltTimeOfDayMaskEnd OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates within the ending time of day for which this filter
            evaluates to true.  The date portions range of the DateAndTime TC
            are ignored for purposes of evaluating this mask start and only
            the time specific portions are used.

            This column evaluates to 'true' in two cases.  It is 'true'
            if the current time of day is previous to the time end times of day
            indicated by this object.  It is also 'true' if this object
            is equal to the spdTimeFiltTimeOfDayMaskStart object."
       DEFVAL { '00000000000000002b0000'H "00000000T000000/00000000T240000" }
       ::= { spdTimeFilterEntry 8 6 }

   spdTimeFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdTimeFilterEntry 9 7 }

   spdTimeFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdTimeFilterEntry 10 8 }

   spdTimeFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this
            row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            However, any attempt to set this row to active when the
            spdTimeFiltTimeOfDayMaskEnd object is earlier than
            spdTimeFiltTimeOfDayMaskStart object should fail with an
            inconsistentValue error.  Although, setting these objects
            to the same value is allowed.

            If active, this object must remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table will result in
            an inconsistentValue error."
       ::= { spdTimeFilterEntry 11 9 }

   --
   -- IPSO protection authority filtering
   --

   spdIpsoHeaderFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdIpsoHeaderFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of IPSO header filter
            definitions to be used within the spdRuleDefinitionTable or
            the spdSubfiltersTable.  IPSO headers and their values are
            described in RFC1108."
       REFERENCE "RFC 1108"
       ::= { spdConfigObjects 10 }

   spdIpsoHeaderFilterEntry OBJECT-TYPE
       SYNTAX      SpdIpsoHeaderFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A definition of a particular filter."
       INDEX       {  spdIpsoHeadFiltName }
       ::= { spdIpsoHeaderFilterTable 1 }

   SpdIpsoHeaderFilterEntry ::= SEQUENCE {
       spdIpsoHeadFiltName                     SnmpAdminString,
       spdIpsoHeadFiltType                     BITS,
       spdIpsoHeadFiltClassification           INTEGER,
       spdIpsoHeadFiltProtectionAuth           INTEGER,
       spdIpsoHeadFiltLastChanged              TimeStamp,
       spdIpsoHeadFiltStorageType              StorageType,
       spdIpsoHeadFiltRowStatus                RowStatus
   }

   spdIpsoHeadFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name for this filter."
       ::= { spdIpsoHeaderFilterEntry 1 }

   spdIpsoHeadFiltType OBJECT-TYPE
       SYNTAX      BITS { classificationLevel(0),
                          protectionAuthority(1) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates which of the IPSO header field a
           packet should be filtered on for this row.  If this object
           is set to classification(0), the
           spdIpsoHeadFiltClassification object indicates how the
           packet is filtered.  If this object is set to
           protectionAuthority(1), the spdIpsoHeadFiltProtectionAuth
           object indicates how the packet is filtered."
       ::= { spdIpsoHeaderFilterEntry 2 }

   spdIpsoHeadFiltClassification OBJECT-TYPE
       SYNTAX      INTEGER { topSecret(61), secret(90),
                             confidential(150), unclassified(171) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the IPSO classification header field
           value that the packet must have for this row to evaluate to
           'true'.

           The values of these enumerations are defined by RFC1108."
       REFERENCE "RFC 1108"
       ::= { spdIpsoHeaderFilterEntry 3 }

   spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
       SYNTAX      INTEGER { genser(0), siopesi(1), sci(2),
                             nsa(3), doe(4) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the IPSO protection authority header
           field value that the packet must have for this row to
           evaluate to 'true'.

           The values of these enumerations are defined by RFC1108.
           Hence the reason the SMIv2 convention of not using 0 in enum
           lists is violated here."
       REFERENCE "RFC 1108"
       ::= { spdIpsoHeaderFilterEntry 4 }

   spdIpsoHeadFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdIpsoHeaderFilterEntry 5 }

   spdIpsoHeadFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdIpsoHeaderFilterEntry 6 }

   spdIpsoHeadFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            However, this object may not be set to active if the
            requirements of the spdIpsoHeadFiltType object are not met.
            Specifically, if the spdIpsoHeadFiltType bit for
            classification(0) is set, the spdIpsoHeadFiltClassification
            column MUST have a valid value for the row status to be set
            to active.  If the spdIpsoHeadFiltType bit for
            protectionAuthority(1) is set, the
            spdIpsoHeadFiltProtectionAuth column MUST have a valid
            value for the row status to be set to active.

            If active, this object must remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table will result in
            an inconsistentValue error."
       ::= { spdIpsoHeaderFilterEntry 7 }

   --
   -- compound actions table
   --

   spdCompoundActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdCompoundActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Table used to allow multiple actions to be associated
            with a rule.  It uses the spdSubactionsTable to do this.
            The rows from spdSubactionsTable that are partially indexed
            by spdCompActName form the set of compound actions to be
            performed.  The spdCompActExecutionStrategy column in this
            table indicates how those actions are processed."
       ::= { spdConfigObjects 11 }

   spdCompoundActionEntry OBJECT-TYPE
       SYNTAX      SpdCompoundActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the spdCompoundActionTable."
       INDEX   { spdCompActName }
       ::= { spdCompoundActionTable 1 }

   SpdCompoundActionEntry ::= SEQUENCE {
       spdCompActName                      SnmpAdminString,
       spdCompActExecutionStrategy         INTEGER,
       spdCompActLastChanged               TimeStamp,
       spdCompActStorageType               StorageType,
       spdCompActRowStatus                 RowStatus
   }

   spdCompActName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is an administratively assigned name of this
            compound action."
       ::= { spdCompoundActionEntry 1 }

   spdCompActExecutionStrategy OBJECT-TYPE
       SYNTAX      INTEGER { doAll(1),
                             doUntilSuccess(2),
                             doUntilFailure(3) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates how the sub-actions are executed
            based on the success of the actions as they finish
            executing.

            doAll           - run each sub-action regardless of the
                              exit status of the previous action.
                              This parent action is always
                              considered to have acted successfully.

            doUntilSuccess  - run each sub-action until one succeeds,
                              at which point stop processing the
                              sub-actions within this parent
                              compound action.  If one of the
                              sub-actions did execute successfully,
                              this parent action is also considered
                              to have executed sucessfully.

            doUntilFailure  - run each sub-action until one fails,
                              at which point stop processing the
                              sub-actions within this compound
                              action.  If any sub-action fails, the
                              result of this parent action is
                              considered to have failed."
       DEFVAL { doUntilSuccess }
       ::= { spdCompoundActionEntry 2 }

   spdCompActLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdCompoundActionEntry 3 }

   spdCompActStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a
            storage type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdCompoundActionEntry 4 }

   spdCompActRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            Once a row in the spdCompoundActionTable has been made
            active, this object may not be set to destroy without
            first destroying all the contained rows listed in the
            spdSubactionsTable."
       ::= { spdCompoundActionEntry 5 }

   --
   -- actions contained within a compound action
   --

   spdSubactionsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SpdSubactionsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of the sub-actions within a
            given compound action.  Compound actions executing these
            actions MUST execute them in series based on the
            spdSubActPriority value, with the lowest value executing
            first."
       ::= { spdConfigObjects 12 }

   spdSubactionsEntry OBJECT-TYPE
       SYNTAX      SpdSubactionsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row containing a reference to a given compound-action
            sub-action."
       INDEX   { spdCompActName, spdSubActPriority }
       ::= { spdSubactionsTable 1 }
   SpdSubactionsEntry ::= SEQUENCE {
       spdSubActPriority                          Integer32,
       spdSubActSubActionName                     VariablePointer,
       spdSubActLastChanged                       TimeStamp,
       spdSubActStorageType                       StorageType,
       spdSubActRowStatus                         RowStatus
   }

   spdSubActPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority of a given sub-action within a compound
            action.  The order in which sub-actions should be executed
            are based on the value from this column, with the lowest
            numeric value executing first (i.e., priority 0 before
            priority 1, 1 before 2, etc...)."
       ::= { spdSubactionsEntry 1 }

   spdSubActSubActionName OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This column points to the action to be taken.  It may,
            but is not limited to, point to a row in one of the
            following tables:

               spdCompoundActionTable         - Allowing recursion
               ipsaSaPreconfiguredActionTable
               ipiaIkeActionTable
               ipiaIpsecActionTable

            It may also point to one of the scalar objects beneath
            spdStaticActions.

            If this object is set to a pointer to a row in an
            unsupported (or unknown) table, an inconsistentValue
            error should be returned.

            If this object is set to point to a non-existent row in
            an otherwise supported table, an inconsistentName error
            should be returned.

            If during packet processing this column has a value that
            references a non-existent or non-supported object, the
            packet should be dropped."
       ::= { spdSubactionsEntry 2 }

   spdSubActLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
            or created either through SNMP SETs or by some other
            external means."
       ::= { spdSubactionsEntry 3 }

   spdSubActStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { spdSubactionsEntry 4 }

   spdSubActRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active unless one of the
            following two conditions are met.  An attempt to set it to
            anything other than active while the following conditions
            are not met will result in an inconsistentValue error.  The
            two conditions are:

            I.  No active row in the spdCompoundActionTable exists
                which has a matching spdCompActName.

            II. Or at least one other active row in this table has a
                matching spdCompActName."
       ::= { spdSubactionsEntry 5 }
   --
   -- Static Actions
   --

   -- these are static actions which can be pointed to by the
   -- spdRuleDefAction or the spdSubActSubActionName objects to
   -- drop, accept or reject packets.

   spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }

   spdDropAction    OBJECT-TYPE
       SYNTAX      Integer32 (1)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be dropped
            WITHOUT action/packet logging.  This object returns a
            value of 1 for IPsec policy implementations that support
            the drop static action." logging."
       ::= { spdStaticActions 1 }

   spdDropActionLog OBJECT-TYPE
       SYNTAX      Integer32 (1)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be dropped
            WITH action/packet logging.  This object returns a value
            of 1 for IPsec policy implementations that support the
            drop static action with logging."
       ::= { spdStaticActions 2 }

   spdAcceptAction OBJECT-TYPE
       SYNTAX      Integer32 (1)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This Scalar indicates that a packet should be accepted
            (pass-through) WITHOUT action/packet logging.  This
            object returns a value of 1 for IPsec policy
            implementations that support the accept static action." logging."
       ::= { spdStaticActions 3 }

   spdAcceptActionLog OBJECT-TYPE
       SYNTAX      Integer32 (1)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be accepted
            (pass-through) WITH action/packet logging.  This object
            returns a value of 1 for IPsec policy implementations
            that support the accept static action with logging."
       ::= { spdStaticActions 4 }

   --
   --
   -- Notification objects information
   --
   --

   spdNotificationVariables OBJECT IDENTIFIER ::=
      { spdNotificationObjects 1 }

   spdNotifications OBJECT IDENTIFIER ::=
      { spdNotificationObjects 0 }

   spdActionExecuted OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Points to the action instance that was executed that
            resulted in the notification being sent."
       ::= { spdNotificationVariables 1 }

   spdIPEndpointAddType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the interface type for the interface that the
            packet which triggered the notification is passing
            through."
       ::= { spdNotificationVariables 2 }

   spdIPEndpointAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the interface address for the interface that
            the packet which triggered the notification is passing
            through.

            The format of this object is specified by the
            spdIPEndpointAddType object."
       ::= { spdNotificationVariables 3 }

   spdIPSourceType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the source address type of the packet which
            triggered the notification."
       ::= { spdNotificationVariables 4 }

   spdIPSourceAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the source address of the packet which
            triggered the notification.

            The format of this object is specified by the
            spdIPSourceType object."
       ::= { spdNotificationVariables 5 }

   spdIPDestinationType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the destination address type of the packet
            which triggered the notification."
       ::= { spdNotificationVariables 6 }

   spdIPDestinationAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Contains the destination address of the packet which
            triggered the notification.

            The format of this object is specified by the
            spdIPDestinationType object."
       ::= { spdNotificationVariables 7 }

   spdPacketDirection OBJECT-TYPE
       SYNTAX      IfDirection
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Indicates if the packet which triggered the action in
            questions was ingress (inbound) our egress (outbound)."
       ::= { spdNotificationVariables 8 }

   spdPacketPart OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..65535))
       MAX-ACCESS  accessible-for-notify
       STATUS      current
       DESCRIPTION
           "Is the front part of the full IP packet that triggered this
           notification.  The initial size limit is determined by the
           smaller of the size indicated by
           I.  The value of the object with the TC syntax
               'SpdIPPacketLogging' that indicated the packet should be
               logged and
           II. The size of the triggering packet.

           The final limit is determined by the SNMP packet size when
           sending the notification.  The maximum size that can be
           included will be the smaller of the initial size given above
           and the length that will fit in a single SNMP notification
           packet after the rest of the notification's objects and any
           other necessary packet data (headers encoding, etc...) has
           been included in the packet."
       ::= { spdNotificationVariables 9 }

   spdActionNotification NOTIFICATION-TYPE
       OBJECTS { spdActionExecuted, spdIPEndpointAddType,
                 spdIPEndpointAddress,
                 spdIPSourceType, spdIPSourceAddress,
                 spdIPDestinationType,
                 spdIPDestinationAddress,
                 spdPacketDirection }
       STATUS  current
       DESCRIPTION
           "Notification that an action was executed by a rule.
            Only actions with logging enabled will result in this
            notification getting sent.  The objects sent must include
            the spdActionExecuted object which will indicate which
            action was executed within the scope of the rule.
            Additionally the spdIPSourceType, spdIPSourceAddress,
            spdIPDestinationType, and spdIPDestinationAddress objects
            must be included to indicate the packet source and
            destination of the packet that triggered the action.
            Finally the spdIPEndpointAddType, spdIPEndpointAddress,
            and spdPacketDirection objects are included to indicate
            which interface the action was executed in association with
            and if the packet was ingress or egress through the
            endpoint.

            A spdActionNotification should be limited to a maximum of
            one notification sent per minute for any action
            notifications that do not have any other configuration
            controlling their send rate.

            Note that compound actions with multiple executed
            subactions may result in multiple notifications being sent
            from a single rule execution."
       ::= { spdNotifications 1 }

   spdPacketNotification NOTIFICATION-TYPE
       OBJECTS { spdActionExecuted, spdIPEndpointAddType,
                 spdIPEndpointAddress,
                 spdIPSourceType, spdIPSourceAddress,
                 spdIPDestinationType,
                 spdIPDestinationAddress,
                 spdPacketDirection,
                 spdPacketPart }
       STATUS  current
       DESCRIPTION
           "Notification that a packet passed through a Security
           Association (SA).  Only SA's created by actions with packet
           logging enabled will result in this notification getting
           sent.  The objects sent must include the spdActionExecuted
           which will indicate which action was executed within the
           scope of the rule.  Additionally, the spdIPSourceType,
           spdIPSourceAddress, spdIPDestinationType, and
           spdIPDestinationAddress, objects must be included to
           indicate the packet source and destination of the packet
           that triggered the action.  The spdIPEndpointAddType,
           spdIPEndpointAddress, and spdPacketDirection objects are
           included to indicate which endpoint the packet was
           associated with.  Finally, spdPacketPart is included to
           enable sending a variable sized part of the front of the
           packet with the size dependent on the value of the object of
           TC syntax 'SpdIPPacketLogging' which indicated logging
           should be done." done.

           A spdPacketNotification should be limited to a maximum of
           one notification sent per minute for any action
           notifications that do not have any other configuration
           controlling their send rate.

           An action notification should be limited to a maximum of
           one notification sent per minute for any action
           notifications that do not have any other configuration
           controlling their send rate."
       ::= { spdNotifications 2 }

   --
   --
   -- Conformance information
   --
   --

   spdCompliances OBJECT IDENTIFIER
       ::= { spdConformanceObjects 1 }
   spdGroups OBJECT IDENTIFIER
       ::= { spdConformanceObjects 2 }

   --
   -- Compliance statements
   --
   --
   spdRuleFilterFullCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include
            an IPsec MIB implementation with Endpoint, Rules, and
            filters support.

            When this MIB is implemented with support for read-create,
            then such an implementation can claim full compliance. Such
            devices can then be both monitored and configured with this
            MIB.

            There are a number of INDEX objects that cannot be
            represented in the form of OBJECT clauses in SMIv2, but for
            which we have the following compliance requirements,
            expressed in OBJECT clause form in this description clause:

            -- OBJECT spdEndGroupAddressType
            -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --
            -- OBJECT spdEndGroupAddress
            -- SYNTAX InetAddress (SIZE(4|16))
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --"
       MODULE -- This Module
           MANDATORY-GROUPS { spdEndpointGroup,
                              spdGroupContentsGroup,
                              spdRuleDefinitionGroup,
                              spdStaticFilterGroup,
                              spdStaticActionGroup ,
                              diffServMIBMultiFieldClfrGroup }
           GROUP spdIpsecSystemPolicyNameGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support a system policy group
                name."

           GROUP spdCompoundFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound filters."

           GROUP spdIPOffsetFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IP Offset filters.  In
                general, this SHOULD be supported by a compliant IPsec
                Policy implementation."

           GROUP spdTimeFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support time filters."

           GROUP spdIpsoHeaderFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IPSO Header filters."

           GROUP  spdCompoundActionGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound actions."

           OBJECT      spdEndGroupLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdGroupContComponentType
           SYNTAX      INTEGER {
                   rule(2)
           }
           DESCRIPTION
               "Support of the value group(1) is only required for
                implementations which support Policy Groups within
                Policy Groups."

           OBJECT      spdGroupContLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdRuleDefLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdCompFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdSubFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdIpOffFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdTimeFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdIpsoHeadFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdCompActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      spdSubActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object not required for compliance."

           OBJECT      diffServMultiFieldClfrNextFree
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is not required for compliance."
       ::= { spdCompliances 1 }

   spdLoggingCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that support
            sending notifications when actions are invoked."
       MODULE -- This Module
           MANDATORY-GROUPS { spdActionLoggingObjectGroup,
                              spdActionNotificationGroup }

       ::= { spdCompliances 2 }

   --
   -- ReadOnly Compliances
   --
   spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include
            an IPsec MIB implementation with Endpoint, Rules, and
            filters support.

            If this MIB is implemented without support for read-create
            (i.e. in read-only), it is not in full compliance but it
            can claim read-only compliance. Such a device can then be
            monitored but can not be configured with this MIB.

            There are a number of INDEX objects that cannot be
            represented in the form of OBJECT clauses in SMIv2, but for
            which we have the following compliance requirements,
            expressed in OBJECT clause form in this description clause:

            -- OBJECT spdEndGroupAddressType
            -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --
            -- OBJECT spdEndGroupAddress
            -- SYNTAX InetAddress (SIZE(4|16))
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --"
       MODULE -- This Module
           MANDATORY-GROUPS { spdEndpointGroup,
                              spdGroupContentsGroup,
                              spdRuleDefinitionGroup,
                              spdStaticFilterGroup,
                              spdStaticActionGroup ,
                              diffServMIBMultiFieldClfrGroup }

           GROUP spdIpsecSystemPolicyNameGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support a system policy group
                name."

           GROUP spdCompoundFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound filters."

           GROUP spdIPOffsetFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IP Offset filters.  In
                general, this SHOULD be supported by a compliant IPsec
                Policy implementation."

           GROUP spdTimeFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support time filters."

           GROUP spdIpsoHeaderFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IPSO Header filters."

           GROUP  spdCompoundActionGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support compound actions."

           OBJECT       spdCompActExecutionStrategy
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompActLastChanged
           DESCRIPTION
              "This object is not required for compliance."
           OBJECT       spdCompActRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompActStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltDescription
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdCompFiltLogicType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdCompFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEgressPolicyGroupName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEndGroupLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdEndGroupName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."
           OBJECT       spdEndGroupRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdEndGroupStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContComponentName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContComponentType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContFilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdGroupContRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdGroupContStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIngressPolicyGroupName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltLastChanged
           DESCRIPTION
              "This object is not required for compliance."
           OBJECT       spdIpOffFiltOffset
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpOffFiltValue
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltClassification
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdIpsoHeadFiltProtectionAuth
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdIpsoHeadFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."
           OBJECT       spdIpsoHeadFiltType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefAction
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefAdminStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefDescription
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefFilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefFilterNegated
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdRuleDefRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdRuleDefStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubActLastChanged
           DESCRIPTION
              "This object is not required for compliance."
           OBJECT       spdSubActRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubActStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubActSubActionName
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdSubFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltSubfilter
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdSubFiltSubfilterIsNegated
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltDayOfMonthMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltDayOfWeekMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."
           OBJECT       spdTimeFiltLastChanged
           DESCRIPTION
              "This object is not required for compliance."

           OBJECT       spdTimeFiltMonthOfYearMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltPeriodEnd
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltPeriodStart       spdTimeFiltPeriod
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltRowStatus
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltTimeOfDayMaskStart
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltTimeOfDayMaskEnd       spdTimeFiltTimeOfDayMask
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

           OBJECT       spdTimeFiltStorageType
           MIN-ACCESS   read-only
           DESCRIPTION
              "Write access is not required."

       ::= { spdCompliances 3 }

   --
   --
   -- Compliance Groups Definitions
   --

   --
   -- Endpoint, Rule, Filter Compliance Groups
   --

   spdEndpointGroup OBJECT-GROUP
       OBJECTS {
           spdEndGroupName, spdEndGroupLastChanged,
           spdEndGroupStorageType, spdEndGroupRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Endpoint Table."
       ::= { spdGroups 1 }

   spdGroupContentsGroup OBJECT-GROUP
       OBJECTS {
           spdGroupContComponentType, spdGroupContFilter,
           spdGroupContComponentName, spdGroupContLastChanged,
           spdGroupContStorageType, spdGroupContRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Group Contents Table."
       ::= { spdGroups 2 }

   spdIpsecSystemPolicyNameGroup OBJECT-GROUP
       OBJECTS {
           spdIngressPolicyGroupName,
           spdEgressPolicyGroupName
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects represent the System
           Policy Group Names."
       ::= { spdGroups 3}

   spdRuleDefinitionGroup OBJECT-GROUP
       OBJECTS {
           spdRuleDefDescription, spdRuleDefFilter,
           spdRuleDefFilterNegated, spdRuleDefAction,
           spdRuleDefAdminStatus, spdRuleDefLastChanged,
           spdRuleDefStorageType, spdRuleDefRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy Rule
           Definition Table."
       ::= { spdGroups 4 }

   spdCompoundFilterGroup OBJECT-GROUP
       OBJECTS {
           spdCompFiltDescription, spdCompFiltLogicType,
           spdCompFiltLastChanged, spdCompFiltStorageType,
           spdCompFiltRowStatus, spdSubFiltSubfilter,
           spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
           spdSubFiltStorageType, spdSubFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Compound Filter Table and Sub-Filter Table Group."
       ::= { spdGroups 5 }

   spdStaticFilterGroup OBJECT-GROUP
           OBJECTS { spdTrueFilter }
        STATUS current
        DESCRIPTION
            "The static filter group.  Currently this is just a true
             filter."
       ::= { spdGroups 6 }

   spdIPOffsetFilterGroup OBJECT-GROUP
       OBJECTS {
           spdIpOffFiltOffset, spdIpOffFiltType,
           spdIpOffFiltValue, spdIpOffFiltLastChanged,
           spdIpOffFiltStorageType, spdIpOffFiltRowStatus
       }

       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy IP
           Offset Filter Table."
       ::= { spdGroups 7 }

   spdTimeFilterGroup OBJECT-GROUP
       OBJECTS {
           spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd,
           spdTimeFiltPeriod,
           spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
           spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMaskStart,
           spdTimeFiltTimeOfDayMaskEnd, spdTimeFiltTimeOfDayMask,
           spdTimeFiltLastChanged,
           spdTimeFiltStorageType, spdTimeFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy Time
           Filter Table."
       ::= { spdGroups 8 }

   spdIpsoHeaderFilterGroup OBJECT-GROUP
       OBJECTS {
           spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
           spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
           spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy IPSO
           Header Filter Table."
       ::= { spdGroups 9 }

   --
   -- action compliance groups
   --

   spdStaticActionGroup OBJECT-GROUP
       OBJECTS {
           spdDropAction, spdAcceptAction,
           spdDropActionLog, spdAcceptActionLog
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Static Actions."
       ::= { spdGroups 10 }

   spdCompoundActionGroup OBJECT-GROUP
       OBJECTS {
           spdCompActExecutionStrategy, spdCompActLastChanged,
           spdCompActStorageType,

           spdCompActRowStatus, spdSubActSubActionName,
           spdSubActLastChanged, spdSubActStorageType,
           spdSubActRowStatus
       }
       STATUS current
       DESCRIPTION
           "The IPsec Policy Compound Action Table and Actions In
            Compound Action Table Group."
       ::= { spdGroups 11 }

   spdActionLoggingObjectGroup OBJECT-GROUP
       OBJECTS {
           spdActionExecuted,
           spdIPEndpointAddType,   spdIPEndpointAddress,
           spdIPSourceType,        spdIPSourceAddress,
           spdIPDestinationType,   spdIPDestinationAddress,
           spdPacketDirection,     spdPacketPart
       }
       STATUS current
       DESCRIPTION
           "This group is made up of all the Notification objects for
           this MIB."
       ::= { spdGroups 12 }
   spdActionNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           spdActionNotification,
           spdPacketNotification
       }
       STATUS current
       DESCRIPTION
               "This group is made up of all the Notifications for this
               MIB."
       ::= { spdGroups 13 }

   END

6.  Security Considerations

6.1.  Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IPsec provides network security services, all of its
   configuration data (e.g. this entire MIB) should be as secure or more
   secure than any of the security services IPsec provides.  There are
   two main threats you need to protect against when configuring IPsec
   devices.

   1.  Malicious Configuration: This MIB configures network security
       services.  If an attacker has SET access to any part of this MIB,
       the network security services configured by this MIB should be
       considered broken.  The network data sent through the associated
       gateway should no longer be considered as protected by IPsec
       (i.e., it is no longer confidential or authenticated).
       Therefore, only the official administrators should be allowed to
       configure a device.  In other words, administrators' identities
       should be authenticated and their access rights checked before
       they are allowed to do device configuration.  The support for SET
       operations to the IPSP MIB in a non-secure environment, without
       proper protection, will invalidate the security of the network
       traffic affected by the IPSP MIB.

   2.  Disclosure of Configuration: In general, malicious parties should
       not be able to read security configuration data while the data is
       in network transit.  An attacker reading the configuration data
       may be able to find compromises in the device and the network due
       to poor and misconfiguration.  Since this entire MIB is used for
       security configuration, it is highly recommended that only
       authorized administrators should be allow to view data in this
       MIB.  In particular, malicious users should be prevented from
       reading SNMP packets containing this MIB's data.  SNMP GET data
       should be encrypted when sent across the network.  Also, only
       authorized administrators should be allowed SNMP GET access to
       any of the MIB objects.

   SNMP versions prior to SNMPv3 do not include adequate security.  Even
   if the network itself is secure (e.g. by using IPsec), earlier
   versions of SNMP have virtually no control as to who on the secure
   network is allowed to access (i.e. read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
   SNMP version 3.  The rest of this discussion assumes the use of
   SNMPv3.  This is a real strength, because it allows administrators
   the ability to load new IPsec configuration on a device and keep the
   conversation private and authenticated under the protection of SNMPv3
   before any IPsec protections are available.  Once initial
   establishment of IPsec configuration on a device has been achieved,
   it would be possible to set up IPsec SAs to then also provide
   security and integrity services to the configuration conversation.
   This may seem redundant at first, but will be shown to have a use for
   added privacy protection below.

6.2.  Protecting against in-authentic access

   The current SNMPv3 User Security Model provides for key based user
   authentication.  Typically, keys are derived from passwords (but are
   not required to be), and the keys are then used in HMAC algorithms
   (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
   data.  Each SNMP device keeps a (configured) list of users and keys.
   Under SNMPv3 user keys may be updated as often as an administrator
   cares to have users enter new passwords.  But Perfect Forward Secrecy
   for user keys in SNMPv3 is not yet provided by standards track
   documents, although RFC2786 defines an experimental method of doing
   so.

6.3.  Protecting against involuntary disclosure

   While sending IPsec configuration data to a Policy Enforcement Point
   (PEP), there are a few critical parameters which MUST NOT be observed
   by third parties.  Specifically, except for public keys, keying
   information MUST NOT be allowed to be observed by third parties.
   This include IKE Pre-Shared Keys and possibly the private key of a
   public/private key pair for use in a PKI.  Were either of those
   parameters to be known to a third party, they could then impersonate
   the device to other IKE peers.  Aside from those critical parameters,
   policy administrators have an interest in not divulging any of their
   policy configuration.  Any knowledge about a device's configuration
   could help an unfriendly party compromise that device.  SNMPv3 offers
   privacy security services, but at the time this document was written,
   the only standardized encryption algorithm supported by SNMPv3 is the
   DES encryption algorithm.  Support for other (stronger) cryptographic
   algorithms is in the works and may be done as you read this (e.g.
   AES [RFC3826]).  When configure IPsec policy using this MIB, policy
   administrators SHOULD use a privacy security service that is at least
   as strong as the desired IPsec policy.  E.G., If an administrator
   were to use this MIB to configure an IPsec connection that utilizes a
   3DES algorithms, the SNMP communication configuring the connection
   should be protected by an algorithm as strong or stronger than the
   3DES algorithm.

6.4.  Bootstrapping your configuration

   Most vendors will not ship new products with a default SNMPv3 user/
   password pair, but it is possible.  If a device does ship with a
   default user/password pair, policy administrators SHOULD either
   change the password or configure a new user, deleting the default
   user (or at a minimum, restrict the access of the default user).
   Most SNMPv3 distributions should, hopefully, require an out-of-band
   initialization over a trusted medium, such as a local console
   connection.

7.  IANA Considerations

   Only two IANA considerations exist for this document.  The first is
   just the node number allocation of the IPSEC-SPD-MIB itself.

   The IPSEC-SPD-MIB also allows for extension action MIB's.  Although
   additional actions are not required to use it, the node spdActions is
   allocated for any additional actions that wish to use it.  IANA would
   be responsible for allocating any values under this node.

8.  Acknowledgments

   Many other people contributed thoughts and ideas that influenced this
   MIB module.  Some special thanks are in order for the following
   people:

         Lindy Foster     (Sparta, Inc.)
         John Gillis      (ADC)
         Roger Hartmuller (Sparta, Inc.)
         Harrie Hazewinkel
         Jamie Jason      (Intel Corporation)
         David Partain    (Ericsson)
         Lee Rafalow      (IBM)
         Jon Saperia      (JDS Consulting)
         Eric Vyncke      (Cisco Systems)

9.  References

9.1.  Normative References

   [RFC1108]  Kent, S., "U.S", RFC 1108, November 1991.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3060]  Moore, B., Ellesson, E., Strassner, J., and A. Westerinen,
              "Policy Core Information Model -- Version 1
              Specification", RFC 3060, February 2001.

   [RFC3289]  Baker, F., Chan, K., and A. Smith, "Management Information
              Base for the Differentiated Services Architecture",
              RFC 3289, May 2002.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3585]  Jason, J., Rafalow, L., and E. Vyncke, "IPsec
              Configuration Policy Information Model", RFC 3585,
              August 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

9.2.  Informative References

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy IPsec Action MIB",
              December 2002.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy IKE Action MIB",
              December 2002.

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
              Paper", November 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

Authors' Addresses

   Michael Baer
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD  21046
   US

   Email: baerm@tislabs.com

   Ricky Charlet
   Self

   Email: rcharlet@alumni.calpoly.edu

   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA  95617
   US

   Phone: +1 530 792 1913
   Email: hardaker@tislabs.com

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA  30085
   US

   Email: rstory@sparta.com

   Cliff Wang
   ARO/North Carolina State University
   4300 S. Miami Blvd
   RTP, NC  27709
   US

   Email: cliffwangmail@yahoo.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.