draft-ietf-ipsp-spd-mib-06.txt   draft-ietf-ipsp-spd-mib-07.txt 
IPSP M. Baer IPSP M. Baer
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Expires: October 8, 2006 R. Charlet Intended status: Informational R. Charlet
Self Expires: April 21, 2007 Self
W. Hardaker W. Hardaker
Sparta, Inc. Sparta, Inc.
R. Story R. Story
Revelstone Software Revelstone Software
C. Wang C. Wang
ARO/North Carolina State ARO/North Carolina State
University University
April 6, 2006 October 18, 2006
IPsec Security Policy Database Configuration MIB IPsec Security Policy Database Configuration MIB
draft-ietf-ipsp-spd-mib-06.txt draft-ietf-ipsp-spd-mib-07.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 42 skipping to change at page 1, line 42
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 8, 2006. This Internet-Draft will expire on April 21, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document defines an SMIv2 Management Information Base (MIB) This document defines an SMIv2 Management Information Base (MIB)
module for configuring the security policy database of a device module for configuring the security policy database of a device
implementing the IPsec protocol. The policy-based packet filtering implementing the IPsec protocol. The policy-based packet filtering
and the corresponding execution of actions described in this document and the corresponding execution of actions described in this document
are of a more general nature than for IPsec configuration alone, such are of a more general nature than for IPsec configuration alone, such
as for configuration of a firewall. This MIB module is designed to as for configuration of a firewall. This MIB module is designed to
be extensible with other enterprise or standards based defined packet be extensible with other enterprise or standards based defined packet
filters and actions. filters and actions.
Table of Contents Table of Contents
skipping to change at page 2, line 16 skipping to change at page 2, line 19
implementing the IPsec protocol. The policy-based packet filtering implementing the IPsec protocol. The policy-based packet filtering
and the corresponding execution of actions described in this document and the corresponding execution of actions described in this document
are of a more general nature than for IPsec configuration alone, such are of a more general nature than for IPsec configuration alone, such
as for configuration of a firewall. This MIB module is designed to as for configuration of a firewall. This MIB module is designed to
be extensible with other enterprise or standards based defined packet be extensible with other enterprise or standards based defined packet
filters and actions. filters and actions.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3
4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
4.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5 5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
4.1.1. Notational conventions . . . . . . . . . . . . . . . . 5 5.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 6
4.1.2. Implementing an example SPD policy . . . . . . . . . . 6 5.1.1. Notational conventions . . . . . . . . . . . . . . . . 6
5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8 5.1.2. Implementing an example SPD policy . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 64 6. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 64 7. Security Considerations . . . . . . . . . . . . . . . . . . . 64
6.2. Protecting against in-authentic access . . . . . . . . . . 65 7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 64
6.3. Protecting against involuntary disclosure . . . . . . . . 66 7.2. Protecting against unauthenticated access . . . . . . . . 66
6.4. Bootstrapping your configuration . . . . . . . . . . . . . 66 7.3. Protecting against involuntary disclosure . . . . . . . . 66
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 66 7.4. Bootstrapping your configuration . . . . . . . . . . . . . 67
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 67 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 67 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 67
9.1. Normative References . . . . . . . . . . . . . . . . . . . 67 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 67
9.2. Informative References . . . . . . . . . . . . . . . . . . 68 10.1. Normative References . . . . . . . . . . . . . . . . . . . 67
10.2. Informative References . . . . . . . . . . . . . . . . . . 69
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69
Intellectual Property and Copyright Statements . . . . . . . . . . 70 Intellectual Property and Copyright Statements . . . . . . . . . . 71
1. Introduction 1. Introduction
This document defines a MIB module for configuration of an IPsec This document defines a MIB module for configuration of an IPsec
security policy database (SPD). The policy-based packet filtering security policy database (SPD). The IPsec model this MIB is designed
and the corresponding execution of actions is of a more general to configure is based on the "IPsec Configuration Policy Model"
nature than for IPsec configuration only, such as for configuration (IPCP) [RFC3585]. The IPCP's IPsec model is in turn derived from the
of a firewall. It is possible to extend this MIB module and add DMTF's (see below) IPsec model and from the IPsec model specified in
other packet transforming actions that are performed conditionally on RFC 2401 [RFC2401]. The policy-based packet filtering and the
an interface's network traffic. corresponding execution of actions configured by this MIB is of a
more general nature than for IPsec configuration only, such as for
configuration of a firewall. It is possible to extend this MIB
module and add other packet transforming actions that are performed
conditionally on an interface's network traffic.
The IPsec and IKE specific actions as documented in [RFCXXXX] and The IPsec and IKE specific actions as documented in [RFCXXXX] and
[RFCYYYY] respectively and are not documented in this document. [RFCYYYY] respectively and are not documented in this document.
Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
these values are determined. these values are determined.
2. The Internet-Standard Management Framework 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410] RFC 3410 [RFC3410]
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58, module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580]. [RFC2580].
3. Relationship to the DMTF Policy Model 4. Relationship to the DMTF Policy Model
The Distributed Management Task Force (DMTF) has created an object The Distributed Management Task Force (DMTF) has created an object
oriented model of IPsec policy information known as the IPsec Policy oriented model of IPsec policy information known as the IPsec Policy
Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model" Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model"
(IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
model. The IPCP document describes a model for configuring IPsec. model and on RFC 2401 [RFC2401]. The IPCP document describes a model
This MIB module is a task specific derivation (i.e. an SMIv2 for configuring IPsec. This MIB module is a task specific derivation
instantiation) of the IPCP's IPsec configuration model for use with (i.e. an SMIv2 instantiation) of the IPCP's IPsec configuration model
SNMPv3. for use with SNMPv3.
The high-level areas where this MIB module diverges from the IPCP The high-level areas where this MIB module diverges from the IPCP
model are: model are:
o Policies, Groups, Conditions, and some levels of Actions are o Policies, Groups, Conditions, and some levels of Actions are
generically named. In other words, IPsec specific prefixes like generically named. In other words, IPsec specific prefixes like
"SA" (Security Association), or "IPsec" are not used. This naming "SA" (Security Association), or "IPsec" are not used. This naming
convention is used because packet classification and the matching convention is used because packet classification and the matching
of conditions to actions is more general than IPsec. The tables of conditions to actions is more general than IPsec. The tables
in this document can possibly be reused by other packet in this document can possibly be reused by other packet
transforming actions which need to conditionally act on packets transforming actions which need to conditionally act on packets
matching filters. matching filters.
o Filters are implemented in a more generic and scalable manner, o Filters are implemented in a more generic and scalable manner,
rather than enforcing the condition/filtering pairing of the IPCP rather than enforcing the condition/filtering pairing of the IPCP
and its restrictions upon the user. This MIB module offers a and its restrictions upon the user. This MIB module offers a
compound filter object providing greater flexibility for complex compound filter object providing greater flexibility for complex
filters than the IPCP. filters than the IPCP.
4. MIB Module Overview 5. MIB Module Overview
The MIB module is modularized into several different parts: rules, The MIB module is modularized into several different parts: rules,
filters, and actions. filters, and actions.
The rules section associates endpoints and groups of rules and The rules section associates endpoints and groups of rules and
consists of the spdEndpointToGroupTable, spdGroupContentsTable, and consists of the spdEndpointToGroupTable, spdGroupContentsTable, and
the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable
connects a filter to an action. It should also be noted that by connects a filter to an action. It should also be noted that by
referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's
filter column can indicate a set of filters to be processed. filter column can indicate a set of filters to be processed.
Likewise, by referencing the spdCompoundActionTable, the Likewise, by referencing the spdCompoundActionTable, the
spdRuleDefinitionTable's action column can indicate multiple actions spdRuleDefinitionTable's action column can indicate multiple actions
to be executed. to be executed.
This MIB is structured to allow for reuse through the future creation This MIB is structured to allow for reuse through the future creation
of extension tables that provide additional filters and/or actions. of extension tables that provide additional filters and/or actions.
In fact, the companion documents to this one do just that to define In fact, the companion documents to this one do just that and define
IPsec and IKE specific actions to be used within this SPD IPsec [RFCXXXX] and IKE [RFCYYYY] specific actions to be used within
configuration MIB. this SPD configuration MIB. Note, It is expected that in order to
function properly, extension action MIBs may impose additional
limitations on the objects in this MIB and how they can be used with
the extended actions. An extension action may only support a subset
of the configuration options available in this MIB.
The filter section of the MIB module is composed of the different The filter section of the MIB module is composed of the different
types of filters in the Policy Model. It is made up of the types of filters in the Policy Model. It is made up of the
spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable
spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable, spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
spdCompoundFilterTable, spdIpsoHeaderFilterTable. spdIpsoHeaderFilterTable.
The action section of this MIB module contains only the simple static The action section of this MIB module contains only the simple static
actions required for the firewall processing that an IPsec SPD actions required for the firewall processing that an IPsec SPD
implementation requires (e.g. accept, drop, log, ...). The companion implementation requires (e.g. accept, drop, log, ...). The companion
documents of this document define the complex actions necessary for documents of this document define the complex actions necessary for
IPsec and IKE negotiations. IPsec and IKE negotiations.
As may have been noticed above, the MIB uses recursion similarly in As may have been noticed above, the MIB uses recursion in a similar
several different places. In particular the spdGroupContentsTable, manner in several different places. In particular the
the spdCompoundFilterTable / spdSubfiltersTable combination, and the spdGroupContentsTable, the spdCompoundFilterTable /
spdCompoundActionTable / spdSubactionsTable combination can reference spdSubfiltersTable combination, and the spdCompoundActionTable /
themselves. spdSubactionsTable combination can reference themselves.
In the case of the spdGroupContentsTable, a row can indicate a rule In the case of the spdGroupContentsTable, a row can indicate a rule
(i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another (i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another
set of one or more rows in the spdGroupContentsTable). This way a set of one or more rows in the spdGroupContentsTable). This way a
group can contain a set of rules and sub-groups. Sub-groups are just group can contain a set of rules and sub-groups. Sub-groups are just
other groups defined in the spdGroupContentsTable. There is no other groups defined in the spdGroupContentsTable. There is no
inherit MIB limit to the nesting of groups. inherent MIB limit to the depth of nesting of groups.
The spdCompoundFilterTable / spdSubfiltersTable combination and The spdCompoundFilterTable / spdSubfiltersTable combination and
spdCompoundActionTable / spdSubactionsTable combination are designed spdCompoundActionTable / spdSubactionsTable combination are designed
almost identically with one being for filters and the other for almost identically with one being for filters and the other for
actions respectively. The following descriptions for the compound actions respectively. The following descriptions for the compound
filter tables can be directly applied to the compound action tables. filter tables can be directly applied to the compound action tables.
The combination of the tables spdCompoundFilterTable and The combination of the tables spdCompoundFilterTable and
spdSubfiltersTable allow a user to create a set of filters that can spdSubfiltersTable allow a user to create a set of filters that can
be referenced any table as a single filter. A row in the be referenced from any table as a single filter. A row in the
spdCompoundFilterTable has the basic configuration information for spdCompoundFilterTable has the basic configuration information for
the compound filter. It's name (spdCompFiltname) references a set of the compound filter. The index of spdCompoundFilterTable,
rows in the spdSubfiltersTable. Each row in spdSubfiltersTable spdCompFiltname, is also used as a partial index to reference a set
points at a row in another filter table. In this way, a set of of ordered rows in the spdSubfiltersTable. Each row in
ordered filters composing the compound filter is created. Note that spdSubfiltersTable points at a row in another filter table. In this
it is possible for one of the rows in the spdSubfiltersTable to point way, the set of rows in spdSubFiltersTable with a matching
at a row in the spdCompoundFilterTable. This recursion allows the spdCompFiltName together with the row in spdCompoundFilterTable
creation of a filter set that include other filter sets within it. indexed by spdCompFiltName create a compound filter. Note that it is
There is no inherit MIB limit to the nesting of compound filters possible for a row in the spdSubfiltersTable to point to a row in the
within compound filters. spdCompoundFilterTable. This recursion allows the creation of a
filter set that include other filter sets within it. There is no
inherent MIB limit to the nesting of compound filters within compound
filters.
4.1. Usage Tutorial 5.1. Usage Tutorial
In order to use the tables contained in this document, a general In order to use the tables contained in this document, a general
understanding of firewall processing is necessary. The processing of understanding of firewall processing is helpful. The processing of
the security policy database involves applying a set of firewall the security policy database (SPD) involves applying a set of SPD
rules to an interface on a device. The given set of rules to apply rules to an interface on a device. The given set of rules to apply
to any given interface is defined within the ipspEndpointToGroupTable to any given interface is defined within the spdEndpointToGroupTable
table. This table maps a given interface to a group of rules. In table. This table maps a given interface to a group of rules. In
this table, the interface itself is specified using its assigned this table, the interface itself is specified using its assigned
address. There is also one group of rules per direction (ingress and address. There is also one group of rules per direction (ingress and
egress). egress).
4.1.1. Notational conventions 5.1.1. Notational conventions
Notes about the following example operations: Notes about the following example operations:
1. All the example operations in the following section make use of 1. All the example operations in the following section make use of
default values for all columns not listed. The operations and default values for all columns not listed. The operations and
column values given in the examples are the minimal SNMP Varbinds column values given in the examples are the minimal SNMP Varbinds
that must be sent to create a row. that must be sent to create a row.
2. The example operations are formatted such that a row (i.e. the 2. The example operations are formatted such that a row (i.e. the
table's Entry object) is operated on by using the indexes to that table's Entry object) is operated on by using the indexes to that
row and the column values for the that row. row and the column values for the that row.
3. Below is a generic example of the notation used in the following 3. Below is a generic example of the notation used in the following
section's examples of this MIB's usage. It indicates that the section's examples of this MIB's usage. This example indicates
columns column1 and column2 in row rowEntry with indexes index1 that the MIB row to be set is the row with the index values of
and index2 are being set to value1 and value2 respectively.: value1 for index1 and value2 for index2. Within this row,
column1 is set to column_value1 and colum2 is set to
column_value2.:
rowEntry(index1 = value1, rowEntry(index1 = value1,
index2 = value2) index2 = value2)
= (column1 = column_value1, = (column1 = column_value1,
column2 = column_value2) column2 = column_value2)
4. The below is a specific example of the notation used in the 4. The below is a specific example of the notation used in the
following section's examples of this MIB's usage. The below following section's examples of this MIB's usage. This example
shows the status of a row in the IP-MIB::ipAddressTable table represents the status column of a row in the IP-
being changed to. deprecated. The index values for this row are MIB::ipAddressTable table being set to deprecated. The index
IPv4 and 192.0.2.1. The example notation would look like the values for this row are IPv4 and 192.0.2.1. The example notation
following: would look like the following:
ipAddressEntry(ipAddressAddrType = 1, -- ipv4 ipAddressEntry(ipAddressAddrType = 1, -- ipv4
ipAddressAddr = 0xC0000201 ) -- 192.0.2.1 ipAddressAddr = 0xC0000201 ) -- 192.0.2.1
= (ipAddressStatus = 2) -- deprecated = (ipAddressStatus = 2) -- deprecated
4.1.2. Implementing an example SPD policy 5.1.2. Implementing an example SPD policy
As an example, let us define the following administrative policy: On As an example, let us define the following administrative policy: On
the network interface with IP address 192.0.2.1, all traffic from the network interface with IP address 192.0.2.1, all traffic from
host 192.0.2.6 will be dropped and all other traffic will be host 192.0.2.6 will be dropped and all other traffic will be
accepted. accepted.
This policy is enforced by setting the values in the MIB to do the This policy is enforced by setting the values in the MIB to do the
following: following:
o create a filter for 192.0.2.6 o create a filter for 192.0.2.6
skipping to change at page 7, line 37 skipping to change at page 8, line 12
Next, a rule is created that accepts all packets: Next, a rule is created that accepts all packets:
spdRuleDefinitionEntry(spdRuleDefName = "accept all") spdRuleDefinitionEntry(spdRuleDefName = "accept all")
= (spdRuleDefFilter = spdTrueFilter.0, = (spdRuleDefFilter = spdTrueFilter.0,
spdRuleDefAction = spdAcceptAction.0, spdRuleDefAction = spdAcceptAction.0,
spdRuleDefRowStatus = 4) -- createAndGo spdRuleDefRowStatus = 4) -- createAndGo
Next, these two rules are grouped together. Rule groups attached to Next, these two rules are grouped together. Rule groups attached to
an interface are processed one row at a time. The rows are processed an interface are processed one row at a time. The rows are processed
from lowest to highest spdGroupContPiority value. Because the row from lowest to highest spdGroupContPriority value. Because the row
that references the "accept all" rule should be processed last, it is that references the "accept all" rule should be processed last, it is
given the higher spdGroupContPriority value. given the higher spdGroupContPriority value.
SpdGroupContentsEntry(spdGroupContName = "ingress", SpdGroupContentsEntry(spdGroupContName = "ingress",
spdGroupContPriority = 65535) spdGroupContPriority = 65535)
= (spdGroupContComponentName = "accept all", = (spdGroupContComponentName = "accept all",
spdGroupContRowStatus = 4) -- createAndGo spdGroupContRowStatus = 4) -- createAndGo
SpdGroupContentsEntry(spdGroupContName = "ingress", SpdGroupContentsEntry(spdGroupContName = "ingress",
spdGroupContPriority = 1000) spdGroupContPriority = 1000)
skipping to change at page 8, line 16 skipping to change at page 8, line 39
SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress
spdEndGroupIdentType = 4, -- IPv4 spdEndGroupIdentType = 4, -- IPv4
spdEndGroupAddress = 0xC0000001) spdEndGroupAddress = 0xC0000001)
= (spdEndGroupName = "ingress", = (spdEndGroupName = "ingress",
spdEndGroupRowStatus = 4) -- createAndGo spdEndGroupRowStatus = 4) -- createAndGo
This completes the necessary steps to implement the policy. Once all This completes the necessary steps to implement the policy. Once all
of these rules have been applied, the policy should take effect. of these rules have been applied, the policy should take effect.
5. MIB definition 6. MIB definition
The following MIB Module imports from: [RFC2578], [RFC2579], The following MIB Module imports from: [RFC2578], [RFC2579],
[RFC2580], [RFC3411], [RFC4001], [RFC3289]. It also uses definitions [RFC2580], [RFC2863], [RFC3289], [RFC3411], [RFC4001]. It also uses
from [RFC1108], [RFC3060], and [RFC3629]. definitions from [RFC1108], [RFC3060], and [RFC3629].
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
mib-2 FROM SNMPv2-SMI Unsigned32, mib-2 FROM SNMPv2-SMI
-- [RFC2578] -- [RFC2578]
TEXTUAL-CONVENTION, RowStatus, TruthValue, TEXTUAL-CONVENTION, RowStatus, TruthValue,
TimeStamp, StorageType, VariablePointer TimeStamp, StorageType, VariablePointer
FROM SNMPv2-TC FROM SNMPv2-TC
-- [RFC2579] -- [RFC2579]
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
-- [RFC2580] -- [RFC2580]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB InterfaceIndex
-- [RFC3411] FROM IF-MIB
-- [RFC2863]
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
-- [RFC3291]
diffServMIBMultiFieldClfrGroup, IfDirection, diffServMIBMultiFieldClfrGroup, IfDirection,
diffServMultiFieldClfrNextFree diffServMultiFieldClfrNextFree
FROM DIFFSERV-MIB FROM DIFFSERV-MIB
-- [RFC3289] -- [RFC3289]
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
-- [RFC4001]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB
-- [RFC3411]
; ;
-- --
-- module identity -- module identity
-- --
spdMIB MODULE-IDENTITY spdMIB MODULE-IDENTITY
LAST-UPDATED "200610170000Z" -- 17 October 2006
ORGANIZATION "IETF IP Security Policy Working Group" ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer CONTACT-INFO "Michael Baer
Sparta, Inc. P.O. Box 72682
Davis, CA 95617
Phone: +1 530 902 3131 Phone: +1 530 902 3131
Email: baerm@tislabs.com Email: baerm@tislabs.com
Ricky Charlet Ricky Charlet
Email: rcharlet@alumni.calpoly.edu Email: rcharlet@alumni.calpoly.edu
Wes Hardaker Wes Hardaker
Sparta, Inc. Sparta, Inc.
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
Phone: +1 530 792 1913 Phone: +1 530 792 1913
Email: hardaker@tislabs.com Email: hardaker@tislabs.com
Robert Story Robert Story
Revelstone Software Revelstone Software
PO Box 1812 PO Box 1812
Tucker, GA 30085 Tucker, GA 30085
Phone: +1 770 617 3722 Phone: +1 770 617 3722
Email: ipsp-mib@revelstone.com Email: rstory@sparta.com
Cliff Wang Cliff Wang
SmartPipes Inc. ARO/North Carolina State University
Suite 300, 565 Metro Place South 4300 S. Miami Blvd.
Dublin, OH 43017 RTP, NC 27709
Phone: +1 614 923 6241 E-Mail: cliffwangmail@yahoo.com"
E-Mail: cliffwang2000@yahoo.com"
DESCRIPTION DESCRIPTION
"This MIB module defines configuration objects for managing "This MIB module defines configuration objects for managing
IPsec Security Policies. IPsec Security Policies. In general, this MIB can be
implemented anywhere IPsec security services exist (e.g.,
bump-in-the-wire, host, gateway, firewall, router, etc....).
Copyright (C) The Internet Society (2006). This version of Copyright (C) The Internet Society (2006). This version of
this MIB module is part of RFC ZZZZ, see the RFC itself for this MIB module is part of RFC ZZZZ, see the RFC itself for
full legal notices." full legal notices."
-- Revision History -- Revision History
REVISION "200610170000Z" -- 17 October 2006
DESCRIPTION "Initial version, published as RFC ZZZZ." DESCRIPTION "Initial version, published as RFC ZZZZ."
-- RFC-editor assigns ZZZZ -- RFC-editor assigns ZZZZ
-- xxx: To be assigned by IANA -- xxx: To be assigned by IANA
::= { mib-2 xxx } ::= { mib-2 xxx }
-- --
-- groups of related objects -- groups of related objects
-- --
skipping to change at page 10, line 40 skipping to change at page 11, line 19
"The SpdBooleanOperator operator is used to specify "The SpdBooleanOperator operator is used to specify
whether sub-components in a decision making process are whether sub-components in a decision making process are
ANDed or ORed together to decide if the resulting ANDed or ORed together to decide if the resulting
expression is true or false." expression is true or false."
SYNTAX INTEGER { or(1), and(2) } SYNTAX INTEGER { or(1), and(2) }
SpdAdminStatus ::= TEXTUAL-CONVENTION SpdAdminStatus ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The SpdAdminStatus is used to specify the administrative "The SpdAdminStatus is used to specify the administrative
status of an object. Objects which are disabled must not status of an object. Objects which are disabled MUST NOT
be used by the packet processing engine." be used by the packet processing engine."
SYNTAX INTEGER { enabled(1), disabled(2) } SYNTAX INTEGER { enabled(1), disabled(2) }
SpdIPPacketLogging ::= TEXTUAL-CONVENTION SpdIPPacketLogging ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d" DISPLAY-HINT "d"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"SpdIPPacketLogging specifies whether an audit message "SpdIPPacketLogging specifies whether an audit message
should be logged if a packet is passed through a Security SHOULD be logged if a packet is passed through a Security
Association (SA) and if some of that packet should be Association (SA) and if some of that packet is included in
included in the log event. A value of '-1' indicates no the log event. A value of '-1' indicates no logging. A
logging. A value of '0' or greater indicates that logging value of '0' or greater indicates that logging SHOULD be
should be done and indicates the number of bytes starting at done and indicates the number of bytes starting at the
the beginning of the packet to place in the log. Values beginning of the packet to place in the log. Values greater
greater than the size of the packet being processed indicate than the size of the packet being processed indicate that
that the entire packet should be sent. the entire packet SHOULD be sent.
Examples: Examples:
'-1' no logging '-1' no logging
'0' log but do not include any of the packet in the log '0' log but do not include any of the packet in the log
'20' log and include the first 20 bytes of the packet '20' log and include the first 20 bytes of the packet
in the log." in the log."
SYNTAX Integer32 (-1..65535) SYNTAX Integer32 (-1..65535)
SpdTimePeriod ::= TEXTUAL-CONVENTION SpdTimePeriod ::= TEXTUAL-CONVENTION
DISPLAY-HINT "31t" DISPLAY-HINT "31t"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This property identifies an overall range of calendar dates "This property identifies an overall range of calendar dates
and time. In a boolean context, a value within this time and time. In a boolean context, a value within this time
range, inclusive, is considered true. T range, inclusive, is considered true.
This information is encoded as an octet string using This information is encoded as an octet string using
the UTF-8 transformation format described in STD 63, the UTF-8 transformation format described in STD 63,
RFC3629. RFC3629.
It uses the format suggested in RFC 3060. An octet string It uses the format suggested in RFC 3060. An octet string
represents a start date and time and an end date and time. represents a start date and time and an end date and time.
For example: For example:
yyyymmddThhmmss/yyyymmddThhmmss yyyymmddThhmmss/yyyymmddThhmmss
Where: yyyy = year mm = month dd = day Where: yyyy = year mm = month dd = day
hh = hour mm = minute ss = second hh = hour mm = minute ss = second
The first 'yyyymmddThhmmss' sub-string indicates the start The first 'yyyymmddThhmmss' sub-string indicates the start
date and time. The second 'yyyymmddThhmmss' sub-string date and time. The second 'yyyymmddThhmmss' sub-string
indicates the end date and time. The character 'T' within indicates the end date and time. The character 'T' within
these sub-strings indicates the beginning of the time these sub-strings indicates the beginning of the time
portion of each sub-string. The solidus character '/' portion of each sub-string. The solidus character '/'
separates the start from the end date and time. The end separates the start from the end date and time. The end
date and time must be subsequent to the start date and date and time MUST be subsequent to the start date and
time. time.
There are also two allowed substitutes for a There are also two allowed substitutes for a
'yyyymmddThhmmss' sub-string. One for the start date and 'yyyymmddThhmmss' sub-string. One for the start date and
time and one for the end date and time. time and one for the end date and time.
If the start date and time is replaced with the string If the start date and time is replaced with the string
'THISANDPRIOR', this sub-string would indicate the current 'THISANDPRIOR', this sub-string would indicate the current
date and the time and the dates and time previous. date and the time and the dates and time previous.
If the end date and time is replaced with the string If the end date and time is replaced with the string
'THISANDFUTURE', this sub-string would indicate the current 'THISANDFUTURE', this sub-string would indicate the current
date and time and the dates and time subsequent. date and time and the dates and time subsequent.
Any of the following should be considered an Any of the following SHOULD be considered an
inconsistentValue: 'wrongValue' error:
- Setting a value with the end date and time earlier than - Setting a value with the end date and time earlier than
the start data and time. or equal to the start date and time.
- Setting the start date and time to 'THISANDFUTURE'. - Setting the start date and time to 'THISANDFUTURE'.
- Setting the end date and time to 'THISANDPRIOR'." - Setting the end date and time to 'THISANDPRIOR'."
REFERENCE "RFC 3060" REFERENCE "RFC 3060, 3269"
SYNTAX OCTET STRING (SIZE (0..31)) SYNTAX OCTET STRING (SIZE (0..31))
-- --
-- Policy group definitions -- Policy group definitions
-- --
spdLocalConfigObjects OBJECT IDENTIFIER spdLocalConfigObjects OBJECT IDENTIFIER
::= { spdConfigObjects 1 } ::= { spdConfigObjects 1 }
spdIngressPolicyGroupName OBJECT-TYPE spdIngressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the global system policy group that "This object indicates the global system policy group that
is to be applied on ingress packets (I.E., arriving at a is to be applied on ingress packets (I.E., arriving at an
interface) when a given endpoint does not contain a policy interface from a network) when a given endpoint does not
definition in the spdEndpointToGroupTable. Its value can be contain a policy definition in the spdEndpointToGroupTable.
used as an index into the spdGroupContentsTable to retrieve Its value can be used as an index into the
a list of policies. A zero length string indicates no spdGroupContentsTable to retrieve a list of policies. A
system wide policy exists and the default policy of 'drop' zero length string indicates no system wide policy exists
should be executed for ingress packets until one is imposed and the default policy of 'drop' SHOULD be executed for
by either this object or by the endpoint processing a given ingress packets until one is imposed by either this object
packet. or by the endpoint processing a given packet.
This object MUST be persistent" This object MUST be persistent"
DEFVAL { "" } DEFVAL { "" }
::= { spdLocalConfigObjects 1 } ::= { spdLocalConfigObjects 1 }
spdEgressPolicyGroupName OBJECT-TYPE spdEgressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the policy group containing the "This object indicates the policy group containing the
global system policy that is to be applied on egress global system policy that is to be applied on egress
packets (I.E., leaving an interface) when a given endpoint packets (I.E., packets leaving an interface and entering a
does not contain a policy definition in the network) when a given endpoint does not contain a policy
spdEndpointToGroupTable. Its value can be used as an index definition in the spdEndpointToGroupTable. Its value can
into the spdGroupContentsTable to retrieve a list of be used as an index into the spdGroupContentsTable to
policies. A zero length string indicates no system wide retrieve a list of policies. A zero length string
policy exits and the default policy of 'drop' should be indicates no system wide policy exists and the default
executed for egress packets until one is imposed by either policy of 'drop' SHOULD be executed for egress packets
this object or by the endpoint processing a given packet. until one is imposed by either this object or by the
endpoint processing a given packet.
This object MUST be persistent" This object MUST be persistent"
DEFVAL { "" } DEFVAL { "" }
::= { spdLocalConfigObjects 2 } ::= { spdLocalConfigObjects 2 }
spdEndpointToGroupTable OBJECT-TYPE spdEndpointToGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdEndpointToGroupEntry SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table maps policies (groupings) onto an endpoint where "This table maps policies (groupings) onto an endpoint
traffic is to pass by. Any policy group assigned to an (interface). A policy group assigned to an endpoint is then
endpoint is then used to control access to the traffic used to control access to the network traffic passing
passing by it. through that endpoint.
If an endpoint has been configured with a policy group and If an endpoint has been configured with a policy group and
no rule within that policy group matches the ingress packet, no rule within that policy group matches that packet, the
the default action in this case shall be to drop the packet. default action in this case SHALL be to drop the packet.
If no policy group has been assigned to an endpoint, then If no policy group has been assigned to an endpoint, then
the policy group specified by spdSystemPolicyGroupName the policy group specified by spdIngressPolicyGroupName MUST
MUST be used for the endpoint." be used on traffic inbound from the network through that
endpoint and the policy group specified by
spdEgressPolicyGroupName MUST be used for traffic outbound
to the network through that endpoint."
::= { spdConfigObjects 2 } ::= { spdConfigObjects 2 }
spdEndpointToGroupEntry OBJECT-TYPE spdEndpointToGroupEntry OBJECT-TYPE
SYNTAX SpdEndpointToGroupEntry SYNTAX SpdEndpointToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A mapping assigning a policy group to an endpoint. "A mapping assigning a policy group to an endpoint."
Note: Since the spdEndGroupAddressType object currently only INDEX { spdEndGroupDirection, spdEndGroupInterface }
allows for IPv4 and IPv6 address, the spdEndGroupAddress
value should be either 4 or 16 octets long. But
implementors should be aware that if the size of
spdEndGroupAddress ever exceeds 115 octets, column instance
OIDs (i.e. the index) for this table will have more than 128
sub-identifiers and will be unaccessible using SNMPv1,
SNMPv2c, or SNMPv3."
INDEX { spdEndGroupDirection, spdEndGroupAddressType,
spdEndGroupAddress }
::= { spdEndpointToGroupTable 1 } ::= { spdEndpointToGroupTable 1 }
SpdEndpointToGroupEntry ::= SEQUENCE { SpdEndpointToGroupEntry ::= SEQUENCE {
spdEndGroupDirection IfDirection, spdEndGroupDirection IfDirection,
spdEndGroupAddressType InetAddressType, spdEndGroupInterface InterfaceIndex,
spdEndGroupAddress InetAddress,
spdEndGroupName SnmpAdminString, spdEndGroupName SnmpAdminString,
spdEndGroupLastChanged TimeStamp, spdEndGroupLastChanged TimeStamp,
spdEndGroupStorageType StorageType, spdEndGroupStorageType StorageType,
spdEndGroupRowStatus RowStatus spdEndGroupRowStatus RowStatus
} }
spdEndGroupDirection OBJECT-TYPE spdEndGroupDirection OBJECT-TYPE
SYNTAX IfDirection SYNTAX IfDirection
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates which direction of packets crossing "This object indicates which direction of packets crossing
the interface should be associated with which the interface are associated with which spdEndGroupName
spdEndGroupName object. Ingress packets, or packets into object. Ingress packets, or packets into the device match
the device match when this value is inbound(1). Egress when this value is inbound(1). Egress packets or packets
packets or packets out of the device match when this value out of the device match when this value is outbound(2)."
is outbound(2)."
::= { spdEndpointToGroupEntry 1 } ::= { spdEndpointToGroupEntry 1 }
spdEndGroupAddressType OBJECT-TYPE spdEndGroupInterface OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InterfaceIndex
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The Internet Protocol version of the address associated "This value matches the IF-MIB's ifTable's ifIndex column
with a given endpoint. All addresses are represented as an and indicates the interface associated with with a given
array of octets in network byte order. When combined with endpoint. This object can be used to uniquely identify an
the spdEndGroupAddress these objects can be used to endpoint that a set of policy groups are applied to."
uniquely identify an endpoint that a set of policy groups
should be applied to. Devices supporting IPv4 MUST support
the ipv4 value, and devices supporting IPv6 MUST support
the ipv6 value."
::= { spdEndpointToGroupEntry 2 } ::= { spdEndpointToGroupEntry 2 }
spdEndGroupAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The address of a given endpoint. The format of this object
is specified by the spdEndGroupAddressType object."
::= { spdEndpointToGroupEntry 3 }
spdEndGroupName OBJECT-TYPE spdEndGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The policy group name to apply to this endpoint. The "The policy group name to apply at this endpoint. The
value of the spdEndGroupName object should then be used value of the spdEndGroupName object is then used as an
as an index into the spdGroupContentsTable to come up index into the spdGroupContentsTable to come up with a list
with a list of rules that MUST be applied to this of rules that MUST be applied at this endpoint."
endpoint." ::= { spdEndpointToGroupEntry 3 }
::= { spdEndpointToGroupEntry 4 }
spdEndGroupLastChanged OBJECT-TYPE spdEndGroupLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
::= { spdEndpointToGroupEntry 5 }
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdEndpointToGroupEntry 4 }
spdEndGroupStorageType OBJECT-TYPE spdEndGroupStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a storage
storage type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdEndpointToGroupEntry 6 } ::= { spdEndpointToGroupEntry 5 }
spdEndGroupRowStatus OBJECT-TYPE spdEndGroupRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object is considered 'notReady' and may not be set to This object is considered 'notReady' and MUST NOT be set to
active until one or more active rows exist within the active until one or more active rows exist within the
spdGroupContentsTable for the group referenced by the spdGroupContentsTable for the group referenced by the
spdEndGroupName object." spdEndGroupName object."
::= { spdEndpointToGroupEntry 7 } ::= { spdEndpointToGroupEntry 6 }
-- --
-- policy group definition table -- policy group definition table
-- --
spdGroupContentsTable OBJECT-TYPE spdGroupContentsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdGroupContentsEntry SYNTAX SEQUENCE OF SpdGroupContentsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of rules and/or subgroups "This table contains a list of rules and/or subgroups
contained within a given policy group. For a given value contained within a given policy group. For a given value
of spdGroupContName, the set of rows sharing that value of spdGroupContName, the set of rows sharing that value
forms a 'group'. The rows in a group MUST be processed forms a 'group'. The rows in a group MUST be processed
according to the value of the spdGroupContPriority object. according to the value of the spdGroupContPriority object
The processing MUST be executed starting with the lowest in each row. The processing MUST be executed starting with
value of spdGroupContPriority and in ascending order the lowest value of spdGroupContPriority and in ascending
thereafter. order thereafter.
If an action is executed as the result of the procesing of If an action is executed as the result of the processing of
a row in a group, the processing of further rows in that a row in a group, the processing of further rows in that
group MUST stop. Iterating to the next policy group row by group MUST stop. Iterating to the next policy group row by
finding the next largest spdGroupContPriority object shall finding the next largest spdGroupContPriority object SHALL
only be done if no actions were run while processing the only be done if no actions were run while processing the
current row for a given packet." current row for a given packet."
::= { spdConfigObjects 3 } ::= { spdConfigObjects 3 }
spdGroupContentsEntry OBJECT-TYPE spdGroupContentsEntry OBJECT-TYPE
SYNTAX SpdGroupContentsEntry SYNTAX SpdGroupContentsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines a given sub-component within a policy group. A "Defines a given sub-component within a policy group. A
skipping to change at page 17, line 22 skipping to change at page 17, line 30
spdGroupContLastChanged TimeStamp, spdGroupContLastChanged TimeStamp,
spdGroupContStorageType StorageType, spdGroupContStorageType StorageType,
spdGroupContRowStatus RowStatus spdGroupContRowStatus RowStatus
} }
spdGroupContName OBJECT-TYPE spdGroupContName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The administrative name of this group. A 'group' is formed "The administrative name of the group associated with this
by all the rows in this table that have the same value of row. A 'group' is formed by all the rows in this table that
this object." have the same value of this object."
::= { spdGroupContentsEntry 1 } ::= { spdGroupContentsEntry 1 }
spdGroupContPriority OBJECT-TYPE spdGroupContPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority (sequence number) of the sub-component in "The priority (sequence number) of the sub-component in
this group. This value indicates the order that each row a group that this row represents. This value indicates
of this table should be processed from low to high. For the order that each row of this table MUST be processed
example, a row with a priority of 0 is processed before a from low to high. For example, a row with a priority of 0
row with a priority of 1, a 1 before a 2, etc...." is processed before a row with a priority of 1, a 1 before
a 2, etc...."
::= { spdGroupContentsEntry 2 } ::= { spdGroupContentsEntry 2 }
spdGroupContFilter OBJECT-TYPE spdGroupContFilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdGroupContFilter points to a filter which is evaluated "spdGroupContFilter points to a filter which is evaluated
to determine whether the spdGroupContComponentName within to determine whether the spdGroupContComponentName within
this row should be exercised. Managers can use this object this row is exercised. Managers can use this object to
to classify groups of rules or subgroups together in order classify groups of rules or subgroups together in order to
to achieve a greater degree of control and optimization achieve a greater degree of control and optimization over
over the execution order of the items within the group. If the execution order of the items within the group. If the
the filter evaluates to false, the rule or subgroup will be filter evaluates to false, the rule or subgroup will be
skipped and the next rule or subgroup will be evaluated skipped and the next rule or subgroup will be evaluated
instead. This value can be used to indicate a scalar or a instead. This value can be used to indicate a scalar or a
row in a table. When indicating a row in a table, this row in a table. When indicating a row in a table, this
value MUST point to the first column instance in that row. value MUST point to the first column instance in that row.
An example usage of this object would be to limit a An example usage of this object would be to limit a
group of rules to executing only when the IP packet group of rules to executing only when the IP packet
being process is designated to be processed by IKE. being process is designated to be processed by IKE.
This effectively creates a group of IKE specific rules. This effectively creates a group of IKE specific rules.
This MIB defines the following tables and scalars which may The following tables and scalars can be pointed to by this
be pointed to by this column. Implementations may choose column. All but diffServMultiFieldClfrTable are defined in
to provide support for other filter tables or scalars as this MIB:
well:
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
spdIpsoHeaderFilterTable spdIpsoHeaderFilterTable
Implementations MAY choose to provide support for other
filter tables or scalars.
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table or if the table or scalar pointed to by the table, the inconsistentName exception MUST be returned. If
VariablePointer is not supported at all, the the table or scalar pointed to by the VariablePointer is
inconsistentValue exception should be returned. not supported at all, then an inconsistentValue exception
MUST be returned.
If during packet processing this column has a value that If during packet processing, a row in this table is applied
to a packet and the value of this column in that row
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet should be dropped." packet MUST be dropped."
DEFVAL { spdTrueFilter } REFERENCE "RFC 3289"
DEFVAL { spdTrueFilterInstance }
::= { spdGroupContentsEntry 3 } ::= { spdGroupContentsEntry 3 }
spdGroupContComponentType OBJECT-TYPE spdGroupContComponentType OBJECT-TYPE
SYNTAX INTEGER { group(1), rule(2) } SYNTAX INTEGER { group(1), rule(2) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the spdGroupContComponentName object "Indicates whether the spdGroupContComponentName object
is the name of another group defined within the is the name of another group defined within the
spdGroupContentsTable or is the name of a rule defined spdGroupContentsTable or is the name of a rule defined
within the spdRuleDefinitionTable." within the spdRuleDefinitionTable."
DEFVAL { rule } DEFVAL { rule }
::= { spdGroupContentsEntry 4 } ::= { spdGroupContentsEntry 4 }
spdGroupContComponentName OBJECT-TYPE spdGroupContComponentName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name of the policy rule or subgroup contained within "The name of the policy rule or subgroup contained within
this group, as indicated by the spdGroupContComponentType this row, as indicated by the spdGroupContComponentType
object." object."
::= { spdGroupContentsEntry 5 } ::= { spdGroupContentsEntry 5 }
spdGroupContLastChanged OBJECT-TYPE spdGroupContLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem,
this object SHOULD have a zero value."
::= { spdGroupContentsEntry 6 } ::= { spdGroupContentsEntry 6 }
spdGroupContStorageType OBJECT-TYPE spdGroupContStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a storage
storage type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdGroupContentsEntry 7 } ::= { spdGroupContentsEntry 7 }
spdGroupContRowStatus OBJECT-TYPE spdGroupContRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
skipping to change at page 19, line 45 skipping to change at page 20, line 14
spdGroupContRowStatus OBJECT-TYPE spdGroupContRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object may not be set to active until the row to which This object MUST NOT be set to active until the row to
the spdGroupContComponentName points to exists and is which the spdGroupContComponentName points to exists and is
active. active.
If active, this object MUST remain active unless one of the If active, this object MUST remain active unless one of the
following two conditions are met: following two conditions are met:
I. No active row in spdEndpointToGroupTable exists which I. No active row in spdEndpointToGroupTable exists which
references this row's group (i.e. indicate this row's references this row's group (i.e. indicate this row's
spdGroupContName). spdGroupContName).
II. Or at least one other active row in this table has a II. Or at least one other active row in this table has a
matching spdGroupContName. matching spdGroupContName.
If neither condition is met, an attempt to set this row to If neither condition is met, an attempt to set this row to
something other than active should result in an something other than active MUST result in an
inconsistentValue error." inconsistentValue error."
::= { spdGroupContentsEntry 8 } ::= { spdGroupContentsEntry 8 }
-- --
-- policy definition table -- policy definition table
-- --
spdRuleDefinitionTable OBJECT-TYPE spdRuleDefinitionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdRuleDefinitionEntry SYNTAX SEQUENCE OF SpdRuleDefinitionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 21, line 18 skipping to change at page 21, line 35
"spdRuleDefName is the administratively assigned name of "spdRuleDefName is the administratively assigned name of
the rule referred to by the spdGroupContComponentName the rule referred to by the spdGroupContComponentName
object." object."
::= { spdRuleDefinitionEntry 1 } ::= { spdRuleDefinitionEntry 1 }
spdRuleDefDescription OBJECT-TYPE spdRuleDefDescription OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A user defined string. This field may be used for "A user defined string. This field MAY be used for
administrative tracking purposes." administrative tracking purposes."
DEFVAL { "" } DEFVAL { "" }
::= { spdRuleDefinitionEntry 2 } ::= { spdRuleDefinitionEntry 2 }
spdRuleDefFilter OBJECT-TYPE spdRuleDefFilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdRuleDefFilter points to a filter which is used to "spdRuleDefFilter points to a filter which is used to
evaluate whether the action associated with this row should evaluate whether the action associated with this row are
be executed or not. The action will only fire if the executed or not. The action will only execute if the
filter referenced by this object evaluates to TRUE after filter referenced by this object evaluates to TRUE after
first applying any negation required by the first applying any negation required by the
spdRuleDefFilterNegated object. spdRuleDefFilterNegated object.
This MIB defines the following tables and scalars which The following tables and scalars can be pointed to by this
may be pointed to by this column. Implementations may column. All but diffServMultiFieldClfrTable are defined in
choose to provide support for other filter tables or this MIB. Implementations MAY choose to provide support
scalars as well: for other filter tables or scalars as well:
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be returned. table, the inconsistentName exception MUST be returned. If
If the table or scalar pointed to by the VariablePointer is the table or scalar pointed to by the VariablePointer is
not supported at all, then an inconsistentValue exception not supported at all, then an inconsistentValue exception
should be returned. MUST be returned.
If during packet processing this column has a value that If during packet processing this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet should be dropped." packet MUST be dropped."
REFERENCE "RFC 3289"
::= { spdRuleDefinitionEntry 3 } ::= { spdRuleDefinitionEntry 3 }
spdRuleDefFilterNegated OBJECT-TYPE spdRuleDefFilterNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdRuleDefFilterNegated specifies whether the filter "spdRuleDefFilterNegated specifies whether the results of
referenced by the spdRuleDefFilter object should be the filter referenced by the spdRuleDefFilter object is
negated or not." negated or not."
DEFVAL { false } DEFVAL { false }
::= { spdRuleDefinitionEntry 4 } ::= { spdRuleDefinitionEntry 4 }
spdRuleDefAction OBJECT-TYPE spdRuleDefAction OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This column points to the action to be taken. It may, "This column points to the action to be taken. It MAY,
but is not limited to, point to a row in one of the but is not limited to, point to a row in one of the
following tables: following tables:
spdCompoundActionTable spdCompoundActionTable
ipsaSaPreconfiguredActionTable ipsaSaPreconfiguredActionTable
ipiaIkeActionTable ipiaIkeActionTable
ipiaIpsecActionTable ipiaIpsecActionTable
It MAY also point to one of the scalar objects beneath
It may also point to one of the scalar objects beneath
spdStaticActions. spdStaticActions.
If this object is set to a pointer to a row in an If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue unsupported (or unknown) table, an inconsistentValue
error should be returned. error MUST be returned.
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in an
an otherwise supported table, an inconsistentName error otherwise supported table, an inconsistentName error MUST
should be returned. be returned.
If during packet processing this column has a value that If during packet processing this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet should be dropped." packet MUST be dropped."
::= { spdRuleDefinitionEntry 5 } ::= { spdRuleDefinitionEntry 5 }
spdRuleDefAdminStatus OBJECT-TYPE spdRuleDefAdminStatus OBJECT-TYPE
SYNTAX SpdAdminStatus SYNTAX SpdAdminStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the current rule definition is considered "Indicates whether the current rule definition is considered
active. If the value is enabled the rule MUST be evaluated active. If the value is enabled the rule MUST be evaluated
when processing packets. If the value is disabled, the when processing packets. If the value is disabled, the
skipping to change at page 23, line 22 skipping to change at page 23, line 40
DEFVAL { enabled } DEFVAL { enabled }
::= { spdRuleDefinitionEntry 6 } ::= { spdRuleDefinitionEntry 6 }
spdRuleDefLastChanged OBJECT-TYPE spdRuleDefLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdRuleDefinitionEntry 7 } ::= { spdRuleDefinitionEntry 7 }
spdRuleDefStorageType OBJECT-TYPE spdRuleDefStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdRuleDefinitionEntry 8 } ::= { spdRuleDefinitionEntry 8 }
spdRuleDefRowStatus OBJECT-TYPE spdRuleDefRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object may not be set to active until the containing This object MUST NOT be set to active until the containing
conditions, filters and actions have been defined. Once conditions, filters and actions have been defined. Once
active, it must remain active until no active active, it MUST remain active until no active
policyGroupContents entries are referencing it. A failed policyGroupContents entries are referencing it. A failed
attempt to do so should return an inconsistentValue error." attempt to do so MUST return an inconsistentValue error."
::= { spdRuleDefinitionEntry 9 } ::= { spdRuleDefinitionEntry 9 }
-- --
-- Policy compound filter definition table -- Policy compound filter definition table
-- --
spdCompoundFilterTable OBJECT-TYPE spdCompoundFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundFilterEntry SYNTAX SEQUENCE OF SpdCompoundFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A table defining a compound set of filters and the set's "A table defining compound filters and their associated
associated parameters. A row in this table can be pointed parameters. A row in this table can be pointed to by a
to by a spdRuleDefFilter object." spdRuleDefFilter object."
::= { spdConfigObjects 5 } ::= { spdConfigObjects 5 }
spdCompoundFilterEntry OBJECT-TYPE spdCompoundFilterEntry OBJECT-TYPE
SYNTAX SpdCompoundFilterEntry SYNTAX SpdCompoundFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry in the spdCompoundFilterTable. A filter "An entry in the spdCompoundFilterTable. Each entry in this
defined by this table is considered to have a TRUE return table represents a compound filter. A filter defined by
value if and only if: this table is considered to have a TRUE return value if and
only if:
spdCompFiltLogicType is AND and all of the sub-filters spdCompFiltLogicType is AND and all of the sub-filters
associated with it, as defined in the spdSubfiltersTable, associated with it, as defined in the spdSubfiltersTable,
are all true themselves (after applying any required are all true themselves (after applying any required
negation as defined by the ficFilterIsNegated object). negation as defined by the ficFilterIsNegated object).
spdCompFiltLogicType is OR and at least one of the spdCompFiltLogicType is OR and at least one of the
sub-filters associated with it, as defined in the sub-filters associated with it, as defined in the
spdSubfiltersTable, is true itself (after applying any spdSubfiltersTable, is true itself (after applying any
required negation as defined by the ficFilterIsNegated required negation as defined by the ficFilterIsNegated
skipping to change at page 25, line 18 skipping to change at page 25, line 42
DESCRIPTION DESCRIPTION
"A user definable string. This value is used as an index "A user definable string. This value is used as an index
into this table." into this table."
::= { spdCompoundFilterEntry 1 } ::= { spdCompoundFilterEntry 1 }
spdCompFiltDescription OBJECT-TYPE spdCompFiltDescription OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A user definable string. You may use this field for "A user definable string. This field MAY be used for
your administrative tracking purposes." your administrative tracking purposes."
DEFVAL { "" } DEFVAL { "" }
::= { spdCompoundFilterEntry 2 } ::= { spdCompoundFilterEntry 2 }
spdCompFiltLogicType OBJECT-TYPE spdCompFiltLogicType OBJECT-TYPE
SYNTAX SpdBooleanOperator SYNTAX SpdBooleanOperator
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the filters contained within this "Indicates whether the sub-component filters of this
filter are functionally ANDed or ORed together." compound filter are functionally ANDed or ORed together."
DEFVAL { and } DEFVAL { and }
::= { spdCompoundFilterEntry 3 } ::= { spdCompoundFilterEntry 3 }
spdCompFiltLastChanged OBJECT-TYPE spdCompFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdCompoundFilterEntry 4 } ::= { spdCompoundFilterEntry 4 }
spdCompFiltStorageType OBJECT-TYPE spdCompFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdCompoundFilterEntry 5 } ::= { spdCompoundFilterEntry 5 }
spdCompFiltRowStatus OBJECT-TYPE spdCompFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
Once active, it may not have its value changed if any Once active, it MUST NOT have its value changed if any
active rows in the spdRuleDefinitionTable are currently active rows in the spdRuleDefinitionTable are currently
pointing at this row." pointing at this row."
::= { spdCompoundFilterEntry 6 } ::= { spdCompoundFilterEntry 6 }
-- --
-- Policy filters in a cf table -- Policy filters in a cf table
-- --
spdSubfiltersTable OBJECT-TYPE spdSubfiltersTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdSubfiltersEntry SYNTAX SEQUENCE OF SpdSubfiltersEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table defines a list of filters contained within a "This table defines a list of filters contained within a
skipping to change at page 26, line 35 skipping to change at page 27, line 14
-- --
-- Policy filters in a cf table -- Policy filters in a cf table
-- --
spdSubfiltersTable OBJECT-TYPE spdSubfiltersTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdSubfiltersEntry SYNTAX SEQUENCE OF SpdSubfiltersEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table defines a list of filters contained within a "This table defines a list of filters contained within a
given compound filter set defined in the given compound filter defined in the
spdCompoundFilterTable." spdCompoundFilterTable."
::= { spdConfigObjects 6 } ::= { spdConfigObjects 6 }
spdSubfiltersEntry OBJECT-TYPE spdSubfiltersEntry OBJECT-TYPE
SYNTAX SpdSubfiltersEntry SYNTAX SpdSubfiltersEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry in a list of filters for a given compound "An entry in the spdSubfiltersTable. There is an entry in
filter. A list is formed by the set of rows in this table this table for each subfilter of all compound filters
that share the same value of spdCompFiltName. There will present in the spdCompoundFilterTable."
also be an associated row in the spdCompoundFilterTable
with parameters specific to the filter set."
INDEX { spdCompFiltName, spdSubFiltPriority } INDEX { spdCompFiltName, spdSubFiltPriority }
::= { spdSubfiltersTable 1 } ::= { spdSubfiltersTable 1 }
SpdSubfiltersEntry ::= SEQUENCE { SpdSubfiltersEntry ::= SEQUENCE {
spdSubFiltPriority Integer32, spdSubFiltPriority Integer32,
spdSubFiltSubfilter VariablePointer, spdSubFiltSubfilter VariablePointer,
spdSubFiltSubfilterIsNegated TruthValue, spdSubFiltSubfilterIsNegated TruthValue,
spdSubFiltLastChanged TimeStamp, spdSubFiltLastChanged TimeStamp,
spdSubFiltStorageType StorageType, spdSubFiltStorageType StorageType,
spdSubFiltRowStatus RowStatus spdSubFiltRowStatus RowStatus
} }
spdSubFiltPriority OBJECT-TYPE spdSubFiltPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority of a given filter within a set of filters. "The priority of a given filter within a compound filter.
The order of execution should be from lowest to highest The order of execution is from lowest to highest priority
priority value (i.e., priority 0 before priority 1, 1 before value (i.e., priority 0 before priority 1, 1 before 2,
2, etc...). Implementations MAY choose to follow this etc...). Implementations MAY choose to follow this ordering
ordering as set by the manager that created the rows. This as set by the manager that created the rows. This can allow
can allow a manager to intelligently construct filter lists a manager to intelligently construct filter lists such that
such that faster filters are evaluated first." faster filters are evaluated first."
::= { spdSubfiltersEntry 1 } ::= { spdSubfiltersEntry 1 }
spdSubFiltSubfilter OBJECT-TYPE spdSubFiltSubfilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The location of the contained filter. The value of this "The OID of the contained filter. The value of this
column should be a VariablePointer which references the object is a VariablePointer which references the filter to
properties for the filter to be included in this compound be included in this compound filter.
filter.
This MIB defines the following tables and scalars which The following tables and scalars can be pointed to by this
may be pointed to by this column. Implementations may column. All but diffServMultiFieldClfrTable are defined in
choose to provide support for other filter tables or this MIB. Implementations MAY choose to provide support
scalars as well: for other filter tables or scalars as well:
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpsoHeaderFilterTable spdIpsoHeaderFilterTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception should be table, the inconsistentName exception MUST be returned. If
returned. If the table or scalar pointed to by the the table or scalar pointed to by the VariablePointer is
VariablePointer is not supported at all, then an not supported at all, then an inconsistentValue exception
inconsistentValue exception should be returned. MUST be returned.
If during packet processing this column has a value that If during packet processing this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet should be dropped." packet MUST be dropped."
REFERENCE "RFC 3289"
::= { spdSubfiltersEntry 2 } ::= { spdSubfiltersEntry 2 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE spdSubFiltSubfilterIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the result of applying this subfilter "Indicates whether the result of applying this subfilter
should be negated." are negated or not."
DEFVAL { false } DEFVAL { false }
::= { spdSubfiltersEntry 3 } ::= { spdSubfiltersEntry 3 }
spdSubFiltLastChanged OBJECT-TYPE spdSubFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdSubfiltersEntry 4 } ::= { spdSubfiltersEntry 4 }
spdSubFiltStorageType OBJECT-TYPE spdSubFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubfiltersEntry 5 } ::= { spdSubfiltersEntry 5 }
spdSubFiltRowStatus OBJECT-TYPE spdSubFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object can not be made active until a filter This object can not be made active until a filter
referenced by the spdSubFiltSubfilter object is both referenced by the spdSubFiltSubfilter object is both
defined and is active. An attempt to do so will result in defined and is active. An attempt to do so MUST result in
an inconsistentValue error. an inconsistentValue error.
If active, this object MUST remain active unless one of the If active, this object MUST remain active unless one of the
following two conditions are met: following two conditions are met:
I. No active row in the SpdCompoundFilterTable exists I. No active row in the SpdCompoundFilterTable exists
which has a matching spdCompFiltName. which has a matching spdCompFiltName.
II. Or at least one other active row in this table has a II. Or at least one other active row in this table has a
matching spdCompFiltName. matching spdCompFiltName.
If neither condition is met, an attempt to set this row to If neither condition is met, an attempt to set this row to
something other than active should result in an something other than active MUST result in an
inconsistentValue error." inconsistentValue error."
::= { spdSubfiltersEntry 6 } ::= { spdSubfiltersEntry 6 }
-- --
-- Static Filters -- Static Filters
-- --
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 } spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE spdTrueFilter OBJECT-TYPE
skipping to change at page 30, line 11 skipping to change at page 30, line 40
spdIpOffsetFilterTable OBJECT-TYPE spdIpOffsetFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table contains a list of filter definitions to be "This table contains a list of filter definitions to be
used within the spdRuleDefinitionTable or the used within the spdRuleDefinitionTable or the
spdSubfiltersTable. spdSubfiltersTable.
This filter is used to compare an administrator set This type of filter is used to compare an administrator
variable length octet string to the octets at a particular specified octet string to the octets at a particular
location in a packet." location in a packet."
::= { spdConfigObjects 8 } ::= { spdConfigObjects 8 }
spdIpOffsetFilterEntry OBJECT-TYPE spdIpOffsetFilterEntry OBJECT-TYPE
SYNTAX SpdIpOffsetFilterEntry SYNTAX SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A definition of a particular filter." "A definition of a particular filter."
INDEX { spdIpOffFiltName } INDEX { spdIpOffFiltName }
::= { spdIpOffsetFilterTable 1 } ::= { spdIpOffsetFilterTable 1 }
SpdIpOffsetFilterEntry ::= SEQUENCE { SpdIpOffsetFilterEntry ::= SEQUENCE {
spdIpOffFiltName SnmpAdminString, spdIpOffFiltName SnmpAdminString,
spdIpOffFiltOffset Integer32, spdIpOffFiltOffset Unsigned32,
spdIpOffFiltType INTEGER, spdIpOffFiltType INTEGER,
spdIpOffFiltValue OCTET STRING, spdIpOffFiltValue OCTET STRING,
spdIpOffFiltLastChanged TimeStamp, spdIpOffFiltLastChanged TimeStamp,
spdIpOffFiltStorageType StorageType, spdIpOffFiltStorageType StorageType,
spdIpOffFiltRowStatus RowStatus spdIpOffFiltRowStatus RowStatus
} }
spdIpOffFiltName OBJECT-TYPE spdIpOffFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The administrative name for this filter." "The administrative name for this filter."
::= { spdIpOffsetFilterEntry 1 } ::= { spdIpOffsetFilterEntry 1 }
spdIpOffFiltOffset OBJECT-TYPE spdIpOffFiltOffset OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This is the byte offset from the front of the entire IP "This is the byte offset from the front of the entire IP
packet where the value or arithmetic comparison is done. A packet where the value or arithmetic comparison is done. A
value of '0' indicates the first byte of the packet header." value of '0' indicates the first byte of the packet header.
If this value is greater than the length of the packet, the
filter represented by this row should be considered to
fail."
::= { spdIpOffsetFilterEntry 2 } ::= { spdIpOffsetFilterEntry 2 }
spdIpOffFiltType OBJECT-TYPE spdIpOffFiltType OBJECT-TYPE
SYNTAX INTEGER { equal(1), SYNTAX INTEGER { equal(1),
notEqual(2), notEqual(2),
arithmeticLess(3), arithmeticLess(3),
arithmeticGreaterOrEqual(4), arithmeticGreaterOrEqual(4),
arithmeticGreater(5), arithmeticGreater(5),
arithmeticLessOrEqual(6) } arithmeticLessOrEqual(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 31, line 23 skipping to change at page 32, line 11
DESCRIPTION DESCRIPTION
"This defines the various tests that are used when "This defines the various tests that are used when
evaluating a given filter. evaluating a given filter.
The various tests definable in this table are as follows: The various tests definable in this table are as follows:
equal: equal:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', matches - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
a value in the packet starting at the given offset in a value in the packet starting at the given offset in
the packet and comparing the entire OCTET STRING of the packet and comparing the entire OCTET STRING of
'spdIpOffFiltValue'. Any numeric values compared this 'spdIpOffFiltValue'. Any values compared this way are
way are assumed to be unsigned integer values in assumed to be unsigned integer values in network byte
network byte order of the same length as order of the same length as 'spdIpOffFiltValue'.
'spdIpOffFiltValue'.
notEqual: notEqual:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', does - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
not match a value in the packet starting at the given not match a value in the packet starting at the given
offset in the packet and comparing to the entire OCTET offset in the packet and comparing to the entire OCTET
STRING of 'spdIpOffFiltValue'. Any numeric values STRING of 'spdIpOffFiltValue'. Any values compared
compared this way are assumed to be unsigned integer this way are assumed to be unsigned integer values in
values in network byte order of the same length as network byte order of the same length as
'spdIpOffFiltValue'. 'spdIpOffFiltValue'.
arithmeticLess: arithmeticLess:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', is - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
arithmetically less than ('<') the value starting at arithmetically less than ('<') the value starting at
the given offset within the packet. The value in the the given offset within the packet. The value in the
packet is assumed to be an unsigned integer in network packet is assumed to be an unsigned integer in network
byte order of the same length as 'spdIpOffFiltValue'. byte order of the same length as 'spdIpOffFiltValue'.
arithmeticGreaterOrEqual: arithmeticGreaterOrEqual:
skipping to change at page 32, line 38 skipping to change at page 33, line 22
packet at spdIpOffFiltOffset." packet at spdIpOffFiltOffset."
::= { spdIpOffsetFilterEntry 4 } ::= { spdIpOffsetFilterEntry 4 }
spdIpOffFiltLastChanged OBJECT-TYPE spdIpOffFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdIpOffsetFilterEntry 5 } ::= { spdIpOffsetFilterEntry 5 }
spdIpOffFiltStorageType OBJECT-TYPE spdIpOffFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpOffsetFilterEntry 6 } ::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE spdIpOffFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
If active, this object must remain active if it is If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table MUST result in
an inconsistentValue error." an inconsistentValue error."
::= { spdIpOffsetFilterEntry 7 } ::= { spdIpOffsetFilterEntry 7 }
-- --
-- Time/scheduling filter table -- Time/scheduling filter table
-- --
spdTimeFilterTable OBJECT-TYPE spdTimeFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdTimeFilterEntry SYNTAX SEQUENCE OF SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 33, line 44 skipping to change at page 34, line 33
effectively enable or disable policies based on a valid effectively enable or disable policies based on a valid
time range." time range."
::= { spdConfigObjects 9 } ::= { spdConfigObjects 9 }
spdTimeFilterEntry OBJECT-TYPE spdTimeFilterEntry OBJECT-TYPE
SYNTAX SpdTimeFilterEntry SYNTAX SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row describing a given time frame for which a policy "A row describing a given time frame for which a policy
may be filtered on to place the rule active or is filtered on to activate or deactivate the rule.
inactive.
If all the column objects in a row are true for the current If all the column objects in a row are true for the current
time, the row evaluates as 'true'. More explicitly, the time, the row evaluates as 'true'. More explicitly, the
time matching column objects in a row MUST be logically time matching column objects in a row MUST be logically
AND'd together to form the boolean true/false for the row." ANDed together to form the boolean true/false for the row."
INDEX { spdTimeFiltName } INDEX { spdTimeFiltName }
::= { spdTimeFilterTable 1 } ::= { spdTimeFilterTable 1 }
SpdTimeFilterEntry ::= SEQUENCE { SpdTimeFilterEntry ::= SEQUENCE {
spdTimeFiltName SnmpAdminString, spdTimeFiltName SnmpAdminString,
spdTimeFiltPeriod SpdTimePeriod, spdTimeFiltPeriod SpdTimePeriod,
spdTimeFiltMonthOfYearMask BITS, spdTimeFiltMonthOfYearMask BITS,
spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfMonthMask OCTET STRING,
spdTimeFiltDayOfWeekMask BITS, spdTimeFiltDayOfWeekMask BITS,
spdTimeFiltTimeOfDayMask SpdTimePeriod, spdTimeFiltTimeOfDayMask SpdTimePeriod,
skipping to change at page 36, line 16 skipping to change at page 37, line 4
"Indicates the start and end time of day for which this "Indicates the start and end time of day for which this
filter evaluates to true. The date portions of the filter evaluates to true. The date portions of the
spdTimePeriod TC are ignored for purposes of evaluating this spdTimePeriod TC are ignored for purposes of evaluating this
mask and only the time specific portions are used. mask and only the time specific portions are used.
This column evaluates to 'true' if the current time of day This column evaluates to 'true' if the current time of day
is within the range of the start and end times of day is within the range of the start and end times of day
indicated by this object." indicated by this object."
DEFVAL { "00000000T000000/00000000T240000" } DEFVAL { "00000000T000000/00000000T240000" }
::= { spdTimeFilterEntry 6 } ::= { spdTimeFilterEntry 6 }
spdTimeFiltLastChanged OBJECT-TYPE spdTimeFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdTimeFilterEntry 7 } ::= { spdTimeFilterEntry 7 }
spdTimeFiltStorageType OBJECT-TYPE spdTimeFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a storage
storage type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdTimeFilterEntry 8 } ::= { spdTimeFilterEntry 8 }
spdTimeFiltRowStatus OBJECT-TYPE spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this "This object indicates the conceptual status of this
row. row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
If active, this object must remain active if it is If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table MUST result in
an inconsistentValue error." an inconsistentValue error."
::= { spdTimeFilterEntry 9 } ::= { spdTimeFilterEntry 9 }
-- --
-- IPSO protection authority filtering -- IPSO protection authority filtering
-- --
spdIpsoHeaderFilterTable OBJECT-TYPE spdIpsoHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 38, line 13 skipping to change at page 39, line 4
"The administrative name for this filter." "The administrative name for this filter."
::= { spdIpsoHeaderFilterEntry 1 } ::= { spdIpsoHeaderFilterEntry 1 }
spdIpsoHeadFiltType OBJECT-TYPE spdIpsoHeadFiltType OBJECT-TYPE
SYNTAX BITS { classificationLevel(0), SYNTAX BITS { classificationLevel(0),
protectionAuthority(1) } protectionAuthority(1) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates which of the IPSO header field a "This object indicates which of the IPSO header field a
packet should be filtered on for this row. If this object packet is filtered on for this row. If this object is set
is set to classification(0), the to classification(0), the spdIpsoHeadFiltClassification
spdIpsoHeadFiltClassification object indicates how the object indicates how the packet is filtered. If this object
packet is filtered. If this object is set to is set to protectionAuthority(1), the
protectionAuthority(1), the spdIpsoHeadFiltProtectionAuth spdIpsoHeadFiltProtectionAuth object indicates how the
object indicates how the packet is filtered." packet is filtered."
::= { spdIpsoHeaderFilterEntry 2 } ::= { spdIpsoHeaderFilterEntry 2 }
spdIpsoHeadFiltClassification OBJECT-TYPE spdIpsoHeadFiltClassification OBJECT-TYPE
SYNTAX INTEGER { topSecret(61), secret(90), SYNTAX INTEGER { topSecret(61), secret(90),
confidential(150), unclassified(171) } confidential(150), unclassified(171) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the IPSO classification header field "This object indicates the IPSO classification header field
value that the packet must have for this row to evaluate to value that the packet MUST have for this row to evaluate to
'true'. 'true'.
The values of these enumerations are defined by RFC1108." The values of these enumerations are defined by RFC1108."
REFERENCE "RFC 1108" REFERENCE "RFC 1108"
::= { spdIpsoHeaderFilterEntry 3 } ::= { spdIpsoHeaderFilterEntry 3 }
spdIpsoHeadFiltProtectionAuth OBJECT-TYPE spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
SYNTAX INTEGER { genser(0), siopesi(1), sci(2), SYNTAX INTEGER { genser(0), siopesi(1), sci(2),
nsa(3), doe(4) } nsa(3), doe(4) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the IPSO protection authority header "This object indicates the IPSO protection authority header
field value that the packet must have for this row to field value that the packet MUST have for this row to
evaluate to 'true'. evaluate to 'true'.
The values of these enumerations are defined by RFC1108. The values of these enumerations are defined by RFC1108.
Hence the reason the SMIv2 convention of not using 0 in enum Hence the reason the SMIv2 convention of not using 0 in
lists is violated here." enumerated lists is violated here."
REFERENCE "RFC 1108" REFERENCE "RFC 1108"
::= { spdIpsoHeaderFilterEntry 4 } ::= { spdIpsoHeaderFilterEntry 4 }
spdIpsoHeadFiltLastChanged OBJECT-TYPE spdIpsoHeadFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdIpsoHeaderFilterEntry 5 } ::= { spdIpsoHeaderFilterEntry 5 }
spdIpsoHeadFiltStorageType OBJECT-TYPE spdIpsoHeadFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a storage were created through an external process MAY have a storage
type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpsoHeaderFilterEntry 6 } ::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE spdIpsoHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
However, this object may not be set to active if the However, this object MUST NOT be set to active if the
requirements of the spdIpsoHeadFiltType object are not met. requirements of the spdIpsoHeadFiltType object are not met.
Specifically, if the spdIpsoHeadFiltType bit for Specifically, if the spdIpsoHeadFiltType bit for
classification(0) is set, the spdIpsoHeadFiltClassification classification(0) is set, the spdIpsoHeadFiltClassification
column MUST have a valid value for the row status to be set column MUST have a valid value for the row status to be set
to active. If the spdIpsoHeadFiltType bit for to active. If the spdIpsoHeadFiltType bit for
protectionAuthority(1) is set, the protectionAuthority(1) is set, the
spdIpsoHeadFiltProtectionAuth column MUST have a valid spdIpsoHeadFiltProtectionAuth column MUST have a valid
value for the row status to be set to active. value for the row status to be set to active.
If active, this object must remain active if it is If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt referenced by an active row in another table. An attempt
to set it to anything other than active while it is to set it to anything other than active while it is
referenced by an active row in another table will result in referenced by an active row in another table MUST result in
an inconsistentValue error." an inconsistentValue error."
::= { spdIpsoHeaderFilterEntry 7 } ::= { spdIpsoHeaderFilterEntry 7 }
-- --
-- compound actions table -- compound actions table
-- --
spdCompoundActionTable OBJECT-TYPE spdCompoundActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundActionEntry SYNTAX SEQUENCE OF SpdCompoundActionEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Table used to allow multiple actions to be associated "Table used to allow multiple actions to be associated
with a rule. It uses the spdSubactionsTable to do this. with a rule. It uses the spdSubactionsTable to do this.
The rows from spdSubactionsTable that are partially indexed The rows from spdSubactionsTable that are partially indexed
by spdCompActName form the set of compound actions to be by spdCompActName form the set of compound actions to be
performed. The spdCompActExecutionStrategy column in this performed. The spdCompActExecutionStrategy column in this
skipping to change at page 41, line 23 skipping to change at page 42, line 17
exit status of the previous action. exit status of the previous action.
This parent action is always This parent action is always
considered to have acted successfully. considered to have acted successfully.
doUntilSuccess - run each sub-action until one succeeds, doUntilSuccess - run each sub-action until one succeeds,
at which point stop processing the at which point stop processing the
sub-actions within this parent sub-actions within this parent
compound action. If one of the compound action. If one of the
sub-actions did execute successfully, sub-actions did execute successfully,
this parent action is also considered this parent action is also considered
to have executed sucessfully. to have executed successfully.
doUntilFailure - run each sub-action until one fails, doUntilFailure - run each sub-action until one fails,
at which point stop processing the at which point stop processing the
sub-actions within this compound sub-actions within this compound
action. If any sub-action fails, the action. If any sub-action fails, the
result of this parent action is result of this parent action is
considered to have failed." considered to have failed."
DEFVAL { doUntilSuccess } DEFVAL { doUntilSuccess }
::= { spdCompoundActionEntry 2 } ::= { spdCompoundActionEntry 2 }
spdCompActLastChanged OBJECT-TYPE spdCompActLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdCompoundActionEntry 3 } ::= { spdCompoundActionEntry 3 }
spdCompActStorageType OBJECT-TYPE spdCompActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a were created through an external process MAY have a storage
storage type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdCompoundActionEntry 4 } ::= { spdCompoundActionEntry 4 }
spdCompActRowStatus OBJECT-TYPE spdCompActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
Once a row in the spdCompoundActionTable has been made Once a row in the spdCompoundActionTable has been made
active, this object may not be set to destroy without active, this object MUST NOT be set to destroy without
first destroying all the contained rows listed in the first destroying all the contained rows listed in the
spdSubactionsTable." spdSubactionsTable."
::= { spdCompoundActionEntry 5 } ::= { spdCompoundActionEntry 5 }
-- --
-- actions contained within a compound action -- actions contained within a compound action
-- --
spdSubactionsTable OBJECT-TYPE spdSubactionsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdSubactionsEntry SYNTAX SEQUENCE OF SpdSubactionsEntry
skipping to change at page 43, line 18 skipping to change at page 44, line 17
spdSubActStorageType StorageType, spdSubActStorageType StorageType,
spdSubActRowStatus RowStatus spdSubActRowStatus RowStatus
} }
spdSubActPriority OBJECT-TYPE spdSubActPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority of a given sub-action within a compound "The priority of a given sub-action within a compound
action. The order in which sub-actions should be executed action. The order in which sub-actions MUST be executed
are based on the value from this column, with the lowest are based on the value from this column, with the lowest
numeric value executing first (i.e., priority 0 before numeric value executing first (i.e., priority 0 before
priority 1, 1 before 2, etc...)." priority 1, 1 before 2, etc...)."
::= { spdSubactionsEntry 1 } ::= { spdSubactionsEntry 1 }
spdSubActSubActionName OBJECT-TYPE spdSubActSubActionName OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This column points to the action to be taken. It may, "This column points to the action to be taken. It MAY,
but is not limited to, point to a row in one of the but is not limited to, point to a row in one of the
following tables: following tables:
spdCompoundActionTable - Allowing recursion spdCompoundActionTable - Allowing recursion
ipsaSaPreconfiguredActionTable ipsaSaPreconfiguredActionTable
ipiaIkeActionTable ipiaIkeActionTable
ipiaIpsecActionTable ipiaIpsecActionTable
It may also point to one of the scalar objects beneath It MAY also point to one of the scalar objects beneath
spdStaticActions. spdStaticActions.
If this object is set to a pointer to a row in an If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue unsupported (or unknown) table, an inconsistentValue
error should be returned. error MUST be returned.
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error an otherwise supported table, an inconsistentName error
should be returned. MUST be returned.
If during packet processing this column has a value that If during packet processing this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet should be dropped." packet MUST be dropped."
::= { spdSubactionsEntry 2 } ::= { spdSubactionsEntry 2 }
spdSubActLastChanged OBJECT-TYPE spdSubActLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means." external means.
If this row has not been modified since the last
re-initialization of the network management subsystem, this
object SHOULD have a zero value."
::= { spdSubactionsEntry 3 } ::= { spdSubactionsEntry 3 }
spdSubActStorageType OBJECT-TYPE spdSubActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table which
were created through an external process may have a storage were created through an external process MAY have a storage
type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubactionsEntry 4 } ::= { spdSubactionsEntry 4 }
spdSubActRowStatus OBJECT-TYPE spdSubActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
If active, this object must remain active unless one of the If active, this object MUST remain active unless one of the
following two conditions are met. An attempt to set it to following two conditions are met. An attempt to set it to
anything other than active while the following conditions anything other than active while the following conditions
are not met will result in an inconsistentValue error. The are not met MUST result in an inconsistentValue error. The
two conditions are: two conditions are:
I. No active row in the spdCompoundActionTable exists I. No active row in the spdCompoundActionTable exists
which has a matching spdCompActName. which has a matching spdCompActName.
II. Or at least one other active row in this table has a II. Or at least one other active row in this table has a
matching spdCompActName." matching spdCompActName."
::= { spdSubactionsEntry 5 } ::= { spdSubactionsEntry 5 }
-- --
-- Static Actions -- Static Actions
-- --
-- these are static actions which can be pointed to by the -- these are static actions which can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to -- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets. -- drop, accept or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 } spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
skipping to change at page 45, line 19 skipping to change at page 46, line 22
-- spdRuleDefAction or the spdSubActSubActionName objects to -- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets. -- drop, accept or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 } spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE spdDropAction OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be dropped "This scalar indicates that a packet MUST be dropped
WITHOUT action/packet logging." and SHOULD NOT have action/packet logging."
::= { spdStaticActions 1 } ::= { spdStaticActions 1 }
spdDropActionLog OBJECT-TYPE spdDropActionLog OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be dropped "This scalar indicates that a packet MUST be dropped
WITH action/packet logging." and SHOULD have action/packet logging."
::= { spdStaticActions 2 } ::= { spdStaticActions 2 }
spdAcceptAction OBJECT-TYPE spdAcceptAction OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This Scalar indicates that a packet should be accepted "This Scalar indicates that a packet MUST be accepted
(pass-through) WITHOUT action/packet logging." (pass-through) and SHOULD NOT have action/packet logging."
::= { spdStaticActions 3 } ::= { spdStaticActions 3 }
spdAcceptActionLog OBJECT-TYPE spdAcceptActionLog OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet should be accepted "This scalar indicates that a packet MUST be accepted
(pass-through) WITH action/packet logging." (pass-through) and SHOULD have action/packet logging."
::= { spdStaticActions 4 } ::= { spdStaticActions 4 }
-- --
-- --
-- Notification objects information -- Notification objects information
-- --
-- --
spdNotificationVariables OBJECT IDENTIFIER ::= spdNotificationVariables OBJECT IDENTIFIER ::=
{ spdNotificationObjects 1 } { spdNotificationObjects 1 }
spdNotifications OBJECT IDENTIFIER ::= spdNotifications OBJECT IDENTIFIER ::=
skipping to change at page 46, line 28 skipping to change at page 47, line 30
DESCRIPTION DESCRIPTION
"Points to the action instance that was executed that "Points to the action instance that was executed that
resulted in the notification being sent." resulted in the notification being sent."
::= { spdNotificationVariables 1 } ::= { spdNotificationVariables 1 }
spdIPEndpointAddType OBJECT-TYPE spdIPEndpointAddType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the interface type for the interface that the "Contains the address type for the interface that the
packet which triggered the notification is passing notification triggering packet is passing through."
through."
::= { spdNotificationVariables 2 } ::= { spdNotificationVariables 2 }
spdIPEndpointAddress OBJECT-TYPE spdIPEndpointAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the interface address for the interface that "Contains the interface address for the interface that the
the packet which triggered the notification is passing notification triggering packet is passing through.
through.
The format of this object is specified by the The format of this object is specified by the
spdIPEndpointAddType object." spdIPEndpointAddType object."
::= { spdNotificationVariables 3 } ::= { spdNotificationVariables 3 }
spdIPSourceType OBJECT-TYPE spdIPSourceType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 47, line 46 skipping to change at page 48, line 46
The format of this object is specified by the The format of this object is specified by the
spdIPDestinationType object." spdIPDestinationType object."
::= { spdNotificationVariables 7 } ::= { spdNotificationVariables 7 }
spdPacketDirection OBJECT-TYPE spdPacketDirection OBJECT-TYPE
SYNTAX IfDirection SYNTAX IfDirection
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates if the packet which triggered the action in "Indicates if the packet which triggered the action in
questions was ingress (inbound) our egress (outbound)." questions was ingress (inbound) or egress (outbound)."
::= { spdNotificationVariables 8 } ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..65535)) SYNTAX OCTET STRING (SIZE (0..65535))
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Is the front part of the full IP packet that triggered this "spdPacketPart is the front part of the full IP packet that
notification. The initial size limit is determined by the triggered this notification. The initial size limit is
smaller of the size indicated by determined by the smaller of the size indicated by
I. The value of the object with the TC syntax I. The value of the object with the TC syntax
'SpdIPPacketLogging' that indicated the packet should be 'SpdIPPacketLogging' that indicated the packet SHOULD be
logged and logged and
II. The size of the triggering packet. II. The size of the triggering packet.
The final limit is determined by the SNMP packet size when The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be sending the notification. The maximum size that can be
included will be the smaller of the initial size given above included will be the smaller of the initial size given above
and the length that will fit in a single SNMP notification and the length that will fit in a single SNMP notification
packet after the rest of the notification's objects and any packet after the rest of the notification's objects and any
other necessary packet data (headers encoding, etc...) has other necessary packet data (headers encoding, etc...) has
been included in the packet." been included in the packet."
skipping to change at page 48, line 34 skipping to change at page 49, line 35
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection } spdPacketDirection }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that an action was executed by a rule. "Notification that an action was executed by a rule.
Only actions with logging enabled will result in this Only actions with logging enabled will result in this
notification getting sent. The objects sent must include notification getting sent. The object includes the
the spdActionExecuted object which will indicate which spdActionExecuted object which will indicate which action
action was executed within the scope of the rule. was executed within the scope of the rule. Additionally
Additionally the spdIPSourceType, spdIPSourceAddress, the spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, and spdIPDestinationAddress objects spdIPDestinationType, and spdIPDestinationAddress objects
must be included to indicate the packet source and are included to indicate the packet source and destination
destination of the packet that triggered the action. of the packet that triggered the action. Finally the
Finally the spdIPEndpointAddType, spdIPEndpointAddress, spdIPEndpointAddType, spdIPEndpointAddress, and
and spdPacketDirection objects are included to indicate spdPacketDirection objects indicate which interface the
which interface the action was executed in association with executed action was associated with and if the packet was
and if the packet was ingress or egress through the ingress or egress through the endpoint.
endpoint.
A spdActionNotification should be limited to a maximum of A spdActionNotification SHOULD be limited to a maximum of
one notification sent per minute for any action one notification sent per minute for any action
notifications that do not have any other configuration notifications that do not have any other configuration
controlling their send rate. controlling their send rate.
Note that compound actions with multiple executed Note that compound actions with multiple executed
subactions may result in multiple notifications being sent subactions may result in multiple notifications being sent
from a single rule execution." from a single rule execution."
::= { spdNotifications 1 } ::= { spdNotifications 1 }
spdPacketNotification NOTIFICATION-TYPE spdPacketNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection, spdPacketDirection,
spdPacketPart } spdPacketPart }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that a packet passed through a Security "Notification that a packet passed through a Security
Association (SA). Only SA's created by actions with packet Association (SA). Only SAs created by actions with packet
logging enabled will result in this notification getting logging enabled will result in this notification getting
sent. The objects sent must include the spdActionExecuted sent. The objects sent MUST include the spdActionExecuted
which will indicate which action was executed within the which will indicate which action was executed within the
scope of the rule. Additionally, the spdIPSourceType, scope of the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to spdIPDestinationAddress, objects MUST be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType, that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects are spdIPEndpointAddress, and spdPacketDirection objects are
included to indicate which endpoint the packet was included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is included to associated with. Finally, spdPacketPart is included to
enable sending a variable sized part of the front of the enable sending a variable sized part of the front of the
packet with the size dependent on the value of the object of packet with the size dependent on the value of the object of
TC syntax 'SpdIPPacketLogging' which indicated logging TC syntax 'SpdIPPacketLogging' which indicated that logging
should be done. should be done.
A spdPacketNotification should be limited to a maximum of A spdPacketNotification SHOULD be limited to a maximum of
one notification sent per minute for any action one notification sent per minute for any action
notifications that do not have any other configuration notifications that do not have any other configuration
controlling their send rate. controlling their send rate.
An action notification should be limited to a maximum of An action notification SHOULD be limited to a maximum of
one notification sent per minute for any action one notification sent per minute for any action
notifications that do not have any other configuration notifications that do not have any other configuration
controlling their send rate." controlling their send rate."
::= { spdNotifications 2 } ::= { spdNotifications 2 }
-- --
-- --
-- Conformance information -- Conformance information
-- --
-- --
skipping to change at page 50, line 26 skipping to change at page 51, line 26
spdRuleFilterFullCompliance MODULE-COMPLIANCE spdRuleFilterFullCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that include "The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and an IPsec MIB implementation with Endpoint, Rules, and
filters support. filters support.
When this MIB is implemented with support for read-create, When this MIB is implemented with support for read-create,
then such an implementation can claim full compliance. Such then such an implementation can claim full compliance. Such
devices can then be both monitored and configured with this devices can then be both monitored and configured with this
MIB. MIB."
There are a number of INDEX objects that cannot be
represented in the form of OBJECT clauses in SMIv2, but for
which we have the following compliance requirements,
expressed in OBJECT clause form in this description clause:
-- OBJECT spdEndGroupAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT spdEndGroupAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup , spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup } diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support a system policy group implementations which support a system policy group
name." name."
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound filters." implementations which support compound filters."
skipping to change at page 53, line 30 skipping to change at page 54, line 16
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that include "The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and an IPsec MIB implementation with Endpoint, Rules, and
filters support. filters support.
If this MIB is implemented without support for read-create If this MIB is implemented without support for read-create
(i.e. in read-only), it is not in full compliance but it (i.e. in read-only), it is not in full compliance but it
can claim read-only compliance. Such a device can then be can claim read-only compliance. Such a device can then be
monitored but can not be configured with this MIB. monitored but can not be configured with this MIB."
There are a number of INDEX objects that cannot be
represented in the form of OBJECT clauses in SMIv2, but for
which we have the following compliance requirements,
expressed in OBJECT clause form in this description clause:
-- OBJECT spdEndGroupAddressType
-- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT spdEndGroupAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup , spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup } diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
skipping to change at page 64, line 17 skipping to change at page 64, line 34
spdPacketNotification spdPacketNotification
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of all the Notifications for this "This group is made up of all the Notifications for this
MIB." MIB."
::= { spdGroups 13 } ::= { spdGroups 13 }
END END
6. Security Considerations 7. Security Considerations
6.1. Introduction 7.1. Introduction
This document defines a MIB module used to configure IPsec policy This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides network security services, all of its services. Since IPsec provides network security services, all of its
configuration data (e.g. this entire MIB) should be as secure or more configuration data (e.g. this entire MIB) SHOULD be as secure or more
secure than any of the security services IPsec provides. There are secure than any of the security services IPsec provides. There are
two main threats you need to protect against when configuring IPsec two main threats you need to protect against when configuring IPsec
devices. devices.
1. Malicious Configuration: This MIB configures network security 1. Malicious Configuration: This MIB configures network security
services. If an attacker has SET access to any part of this MIB, services. If an attacker has SET access to any part of this MIB,
the network security services configured by this MIB should be the network security services configured by this MIB SHOULD be
considered broken. The network data sent through the associated considered broken. The network data sent through the associated
gateway should no longer be considered as protected by IPsec gateway should no longer be considered as protected by IPsec
(i.e., it is no longer confidential or authenticated). (i.e., it is no longer confidential or authenticated).
Therefore, only the official administrators should be allowed to Therefore, only the official administrators SHOULD be allowed to
configure a device. In other words, administrators' identities configure a device. In other words, administrators' identities
should be authenticated and their access rights checked before SHOULD be authenticated and their access rights checked before
they are allowed to do device configuration. The support for SET they are allowed to do device configuration. The support for SET
operations to the IPSP MIB in a non-secure environment, without operations to the SPD MIB in a non-secure environment, without
proper protection, will invalidate the security of the network proper protection, will invalidate the security of the network
traffic affected by the IPSP MIB. traffic affected by the SPD MIB.
2. Disclosure of Configuration: In general, malicious parties should 2. Disclosure of Configuration: In general, malicious parties SHOULD
not be able to read security configuration data while the data is NOT be able to read security configuration data while the data is
in network transit. An attacker reading the configuration data in network transit. An attacker reading the configuration data
may be able to find compromises in the device and the network due may be able to find misconfigurations in the MIB that enable
to poor and misconfiguration. Since this entire MIB is used for attacks to the network or to the configured node. Since this
security configuration, it is highly recommended that only entire MIB is used for security configuration, it is highly
authorized administrators should be allow to view data in this RECOMMENDED that only authorized administrators are allowed to
MIB. In particular, malicious users should be prevented from view data in this MIB. In particular, malicious users SHOULD be
reading SNMP packets containing this MIB's data. SNMP GET data prevented from reading SNMP packets containing this MIB's data.
should be encrypted when sent across the network. Also, only SNMP GET data SHOULD be encrypted when sent across the network.
authorized administrators should be allowed SNMP GET access to Also, only authorized administrators SHOULD be allowed SNMP GET
any of the MIB objects. access to any of the MIB objects.
SNMP versions prior to SNMPv3 do not include adequate security. Even SNMP versions prior to SNMPv3 do not include adequate security. Even
if the network itself is secure (e.g. by using IPsec), earlier if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure versions of SNMP have virtually no control as to who on the secure
network is allowed to access (i.e. read/change/create/delete) the network is allowed to access (i.e. read/change/create/delete) the
objects in this MIB module. objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as It is RECOMMENDED that implementers use the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8), provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy). authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
skipping to change at page 65, line 43 skipping to change at page 66, line 10
SNMPv3. This is a real strength, because it allows administrators SNMPv3. This is a real strength, because it allows administrators
the ability to load new IPsec configuration on a device and keep the the ability to load new IPsec configuration on a device and keep the
conversation private and authenticated under the protection of SNMPv3 conversation private and authenticated under the protection of SNMPv3
before any IPsec protections are available. Once initial before any IPsec protections are available. Once initial
establishment of IPsec configuration on a device has been achieved, establishment of IPsec configuration on a device has been achieved,
it would be possible to set up IPsec SAs to then also provide it would be possible to set up IPsec SAs to then also provide
security and integrity services to the configuration conversation. security and integrity services to the configuration conversation.
This may seem redundant at first, but will be shown to have a use for This may seem redundant at first, but will be shown to have a use for
added privacy protection below. added privacy protection below.
6.2. Protecting against in-authentic access 7.2. Protecting against unauthenticated access
The current SNMPv3 User Security Model provides for key based user The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys. data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys in SNMPv3 is not yet provided by standards track for user keys in SNMPv3 is not yet provided by standards track
documents, although RFC2786 defines an experimental method of doing documents, although RFC2786 defines an experimental method of doing
so. so.
6.3. Protecting against involuntary disclosure 7.3. Protecting against involuntary disclosure
While sending IPsec configuration data to a Policy Enforcement Point While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed (PEP), there are a few critical parameters which MUST NOT be observed
by third parties. Specifically, except for public keys, keying by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties. information MUST NOT be allowed to be observed by third parties.
This include IKE Pre-Shared Keys and possibly the private key of a This include IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters, the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written, privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic DES encryption algorithm. Support for other (stronger) cryptographic
algorithms is in the works and may be done as you read this (e.g. algorithms is in the works and as of may be done as you read this.
AES [RFC3826]). When configure IPsec policy using this MIB, policy As of October 2006, there a stronger standards track algorithm: AES
[RFC3826]. When configure IPsec policy using this MIB, policy
administrators SHOULD use a privacy security service that is at least administrators SHOULD use a privacy security service that is at least
as strong as the desired IPsec policy. E.G., If an administrator as strong as the desired IPsec policy. E.G., If an administrator
were to use this MIB to configure an IPsec connection that utilizes a were to use this MIB to configure an IPsec connection that utilizes a
3DES algorithms, the SNMP communication configuring the connection AES algorithms, the SNMP communication configuring the connection
should be protected by an algorithm as strong or stronger than the SHOULD be protected by an algorithm as strong or stronger than the
3DES algorithm. AES algorithm.
6.4. Bootstrapping your configuration 7.4. Bootstrapping your configuration
Most vendors will not ship new products with a default SNMPv3 user/ Most vendors will not ship new products with a default SNMPv3 user/
password pair, but it is possible. If a device does ship with a password pair, but it is possible. If a device does ship with a
default user/password pair, policy administrators SHOULD either default user/password pair, policy administrators SHOULD either
change the password or configure a new user, deleting the default change the password or configure a new user, deleting the default
user (or at a minimum, restrict the access of the default user). user (or at a minimum, restrict the access of the default user).
Most SNMPv3 distributions should, hopefully, require an out-of-band Most SNMPv3 distributions should, hopefully, require an out-of-band
initialization over a trusted medium, such as a local console initialization over a trusted medium, such as a local console
connection. connection.
7. IANA Considerations 8. IANA Considerations
Only two IANA considerations exist for this document. The first is Only two IANA considerations exist for this document. The first is
just the node number allocation of the IPSEC-SPD-MIB itself. just the node number allocation of the IPSEC-SPD-MIB itself.
The IPSEC-SPD-MIB also allows for extension action MIB's. Although The IPSEC-SPD-MIB also allows for extension action MIB's. Although
additional actions are not required to use it, the node spdActions is additional actions are not required to use it, the node spdActions is
allocated for any additional actions that wish to use it. IANA would allocated as a subtree under which IANA can define any additional
be responsible for allocating any values under this node. actions. IANA would be responsible for allocating any values under
this node. The only restriction is that additional nodes appended to
spdACtions should be in reference to IPSEC-SPD-MIB actions.
8. Acknowledgments 9. Acknowledgments
Many other people contributed thoughts and ideas that influenced this Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order for the following MIB module. Some special thanks are in order for the following
people: people:
Lindy Foster (Sparta, Inc.) Lindy Foster (Sparta, Inc.)
John Gillis (ADC) John Gillis (ADC)
Roger Hartmuller (Sparta, Inc.) Roger Hartmuller (Sparta, Inc.)
Harrie Hazewinkel Harrie Hazewinkel
Jamie Jason (Intel Corporation) Jamie Jason (Intel Corporation)
David Partain (Ericsson) David Partain (Ericsson)
Lee Rafalow (IBM) Lee Rafalow (IBM)
Jon Saperia (JDS Consulting) Jon Saperia (JDS Consulting)
Eric Vyncke (Cisco Systems) Eric Vyncke (Cisco Systems)
9. References 10. References
9.1. Normative References 10.1. Normative References
[RFC1108] Kent, S., "U.S", RFC 1108, November 1991. [RFC1108] Kent, S., "U.S", RFC 1108, November 1991.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2", Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999. STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580, "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999. April 1999.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
MIB", RFC 2863, June 2000.
[RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, [RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen,
"Policy Core Information Model -- Version 1 "Policy Core Information Model -- Version 1
Specification", RFC 3060, February 2001. Specification", RFC 3060, February 2001.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information [RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information
Base for the Differentiated Services Architecture", Base for the Differentiated Services Architecture",
RFC 3289, May 2002. RFC 3289, May 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management Architecture for Describing Simple Network Management
skipping to change at page 68, line 19 skipping to change at page 69, line 5
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585,
August 2003. August 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005. Addresses", RFC 4001, February 2005.
9.2. Informative References 10.2. Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IPsec Action MIB", Wang, "IPsec Security Policy IPsec Action MIB",
December 2002. December 2002.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IKE Action MIB", Wang, "IPsec Security Policy IKE Action MIB",
December 2002. December 2002.
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", November 2000. Paper", More Info http://www.dmtf.org/specs/cim.html,
November 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004. SNMP User-based Security Model", RFC 3826, June 2004.
Authors' Addresses Authors' Addresses
Michael Baer Michael Baer
Sparta, Inc. Sparta, Inc.
7075 Samuel Morse Drive P.O. Box 72682
Columbia, MD 21046 Davis, CA 95617
US US
Email: baerm@tislabs.com Email: baerm@tislabs.com
Ricky Charlet Ricky Charlet
Self Self
Email: rcharlet@alumni.calpoly.edu Email: rcharlet@alumni.calpoly.edu
Wes Hardaker Wes Hardaker
Sparta, Inc. Sparta, Inc.
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
US US
Phone: +1 530 792 1913 Phone: +1 530 792 1913
Email: hardaker@tislabs.com Email: hardaker@tislabs.com
Robert Story Robert Story
skipping to change at page 70, line 5 skipping to change at page 71, line 5
Email: rstory@sparta.com Email: rstory@sparta.com
Cliff Wang Cliff Wang
ARO/North Carolina State University ARO/North Carolina State University
4300 S. Miami Blvd 4300 S. Miami Blvd
RTP, NC 27709 RTP, NC 27709
US US
Email: cliffwangmail@yahoo.com Email: cliffwangmail@yahoo.com
Intellectual Property Statement Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 70, line 29 skipping to change at page 71, line 45
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
 End of changes. 217 change blocks. 
475 lines changed or deleted 501 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/