draft-ietf-ipsp-spd-mib-07.txt   rfc4807.txt

Network Working Group                                          M. Baer
Request for Comments: 4807                                Sparta, Inc.
Category: Standards Track                                   R. Charlet
                                                                  Self
                                                           W. Hardaker
                                                          Sparta, Inc.
                                                              R. Story
                                                   Revelstone Software
                                                               C. Wang
                                                                   ARO

   (The left column of the original diff is the Internet-Draft
   draft-ietf-ipsp-spd-mib-07.txt of the IPSP working group, Intended
   status: Informational, dated October 18, 2006 and expiring April 21,
   2007, with C. Wang listed as ARO/North Carolina State University.)

           IPsec Security Policy Database Configuration MIB
Status of this Memo (draft-ietf-ipsp-spd-mib-07)

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 21, 2007.

Status of This Memo (RFC 4807)

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).
   [draft-07: Copyright (C) The Internet Society (2006).]
Abstract

   This document defines a Structure of Management Information Version 2
   (SMIv2) Management Information Base (MIB) module for configuring the
   security policy database of a device implementing the IPsec protocol.
   The policy-based packet filtering and the corresponding execution of
   actions described in this document are of a more general nature than
   for IPsec configuration alone, such as for configuration of a
   firewall.  This MIB module is designed to be extensible with other
   enterprise or standards-based defined packet filters and actions.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  The Internet-Standard Management Framework . . . . . . . . . .  3
   4.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   5.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
     5.1.  Usage Tutorial . . . . . . . . . . . . . . . . . . . . . .  6
       5.1.1.  Notational Conventions . . . . . . . . . . . . . . . .  6
       5.1.2.  Implementing an Example SPD Policy . . . . . . . . . .  7
   6.  MIB Definition . . . . . . . . . . . . . . . . . . . . . . . .  8
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 65
     7.1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . 65
     7.2.  Protecting against Unauthenticated Access  . . . . . . . . 66
     7.3.  Protecting against Involuntary Disclosure  . . . . . . . . 66
     7.4.  Bootstrapping Your Configuration . . . . . . . . . . . . . 67
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 67
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 68
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 68
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 68
     10.2. Informative References . . . . . . . . . . . . . . . . . . 69
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69
   Intellectual Property and Copyright Statements . . . . . . . . . . 71
1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The IPsec model this MIB is designed
   to configure is based on the "IPsec Configuration Policy Model"
   (IPCP) [RFC3585].  The IPCP's IPsec model is, in turn, derived from
   the Distributed Management Task Force's (DMTF) IPsec model (see
   below) and from the IPsec model specified in RFC 2401 [RFC2401].
   Note: RFC 2401 has been updated by RFC 4301 [RFC4301], but this
   implementation is based on RFC 2401.  The policy-based packet
   filtering and the corresponding execution of actions configured by
   this MIB is of a more general nature than for IPsec configuration
   only, such as for configuration of a firewall.  It is possible to
   extend this MIB module and add other packet-transforming actions that
   are performed conditionally on an interface's network traffic.

   The IPsec- and IKE-specific actions are as documented in
   [IPsec-ACTION] and [IKE-ACTION], respectively, and are not documented
   in this document.  [draft-07 cited these as [RFCXXXX] and [RFCYYYY],
   with a note that the RFC Editor should replace those values once
   determined.]
2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current

   [diff: unchanged text elided, skipping to page 4, line 5 of the draft
   / page 3, line 51 of RFC 4807]

   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].
4.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object-
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The "IPsec Configuration Policy Model"
   (IPCP) [RFC3585] is based, in large part, on the DMTF's IPsec policy
   model and on RFC 2401 [RFC2401].  The IPCP document describes a model
   for configuring IPsec.  This MIB module is a task-specific derivation
   (i.e., an SMIv2 instantiation) of the IPCP's IPsec configuration
   model for use with Simple Network Management Protocol version 3
   (SNMPv3).

   The high-level areas where this MIB module diverges from the IPCP
   model are:

   o  Policies, Groups, Conditions, and some levels of Actions are
      generically named.  In other words, IPsec-specific prefixes like
      "SA" (Security Association), or "IPsec", are not used.  This
      naming convention is used because packet classification and the
      matching of conditions to actions is more general than IPsec.  The
      tables in this document can possibly be reused by other packet-
      transforming actions, which need to conditionally act on packets
      matching filters.

   o  Filters are implemented in a more generic and scalable manner,
      rather than enforcing the condition/filtering pairing of the IPCP
      and its restrictions upon the user.  This MIB module offers a
      compound filter object providing greater flexibility for complex
      filters than the IPCP.
5.  MIB Module Overview

   The MIB module is modularized into several different parts: rules,
   filters, and actions.

   The rules section associates endpoints and groups of rules, and
   consists of the spdEndpointToGroupTable, spdGroupContentsTable, and
   the spdRuleDefinitionTable.  Each row of the spdRuleDefinitionTable
   connects a filter to an action.  It should also be noted that by
   referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's
   filter column can indicate a set of filters to be processed.
   Likewise, by referencing the spdCompoundActionTable, the
   spdRuleDefinitionTable's action column can indicate multiple actions
   to be executed.

   This MIB is structured to allow for reuse through the future creation
   of extension tables that provide additional filters and/or actions.
   In fact, the companion documents to this one ([IPsec-ACTION] and
   [IKE-ACTION]) do just that and define IPsec- and IKE-specific actions
   to be used within this SPD configuration MIB.  Note: it is expected
   that, in order to function properly, extension action MIBs may impose
   additional limitations on the objects in this MIB and how they can be
   used with the extended actions.  An extension action may only support
   a subset of the configuration options available in this MIB.

   The filter section of the MIB module is composed of the different
   types of filters in the Policy Model.  It is made up of the
   spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable,
   spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
   and spdIpsoHeaderFilterTable.

   The action section of this MIB module contains only the simple static
   actions required for the firewall processing that an IPsec SPD
   implementation requires (e.g., accept, drop, log, etc.).  The
   companion documents of this document define the complex actions
   necessary for IPsec and IKE negotiations.

   As may have been noticed above, the MIB uses recursion in a similar
   manner in several different places.  In particular, the
   spdGroupContentsTable, the spdCompoundFilterTable /
   spdSubfiltersTable combination, and the spdCompoundActionTable /
   spdSubactionsTable combination can reference themselves.

   In the case of the spdGroupContentsTable, a row can indicate a rule
   (i.e., a row in the spdRuleDefinitionTable) or a group (i.e., another
   set of one or more rows in the spdGroupContentsTable).  This way, a
   group can contain a set of rules and sub-groups.  Sub-groups are just
   other groups defined in the spdGroupContentsTable.  There is no
   inherent MIB limit to the depth of nesting of groups.

   The spdCompoundFilterTable / spdSubfiltersTable combination and
   spdCompoundActionTable / spdSubactionsTable combination are designed
   almost identically, with one being for filters and the other for
   actions, respectively.  The following descriptions for the compound
   filter tables can be directly applied to the compound action tables.

   The combination of the tables spdCompoundFilterTable and
   spdSubfiltersTable allows a user to create a set of filters that can
   be referenced from any table as a single filter.  A row in the
   spdCompoundFilterTable has the basic configuration information for
   the compound filter.  The index of spdCompoundFilterTable,
   spdCompFiltName, is also used as a partial index to reference a set
   of ordered rows in the spdSubfiltersTable.  Each row in
   spdSubfiltersTable points to a row in another filter table.  In this
   way, the set of rows in spdSubfiltersTable with a matching
   spdCompFiltName, together with the row in spdCompoundFilterTable
   indexed by spdCompFiltName, create a compound filter.  Note that it
   is possible for a row in the spdSubfiltersTable to point to a row in
   the spdCompoundFilterTable.  This recursion allows the creation of a
   filter set that includes other filter sets within it.  There is no
   inherent MIB limit to the nesting of compound filters within compound
   filters.
5.1.  Usage Tutorial

   In order to use the tables contained in this document, a general
   understanding of firewall processing is helpful.  The processing of
   the security policy database (SPD) involves applying a set of SPD
   rules to an interface on a device.  The given set of rules to apply
   to any given interface is defined within the spdEndpointToGroupTable
   table.  This table maps a given interface to a group of rules.  In
   this table, the interface itself is specified using its assigned
   address.  There is also one group of rules per direction (ingress and
   egress).

5.1.1.  Notational Conventions

   Notes about the following example operations:

   1.  All the example operations in the following section make use of
       default values for all columns not listed.  The operations and
       column values given in the examples are the minimal SNMP Varbinds
       that must be sent to create a row.

   2.  The example operations are formatted such that a row (i.e., the
       table's Entry object) is operated on by using the indexes to that
       row and the column values for that row.

   3.  Below is a generic example of the notation used in the following
       section's examples of this MIB's usage.  This example indicates
       that the MIB row to be set is the row with the index values of
       value1 for index1, and value2 for index2.  Within this row,
       column1 is set to column_value1, and column2 is set to
       column_value2.:

       rowEntry(index1 = value1,
                index2 = value2)
            = (column1 = column_value1,
               column2 = column_value2)

   4.  The below is a specific example of the notation used in the
       following section's examples of this MIB's usage.  This example
       represents the status column of a row in the IP-
       MIB::ipAddressTable table being set to deprecated.  The index
       values for this row are IPv4 and 192.0.2.1.  The example notation
       would look like the following:

       ipAddressEntry(ipAddressAddrType = 1,        -- ipv4
                      ipAddressAddr = 0xC0000201 )  -- 192.0.2.1
            = (ipAddressStatus = 2)                 -- deprecated
5.1.2.  Implementing an Example SPD Policy

   As an example, let us define the following administrative policy: On
   the network interface with IP address 192.0.2.1, all traffic from
   host 192.0.2.6 will be dropped and all other traffic will be
   accepted.

   This policy is enforced by setting the values in the MIB to do the
   following:

   o  create a filter for 192.0.2.6

   [diff: unchanged text elided, skipping to page 8, line 39 of the
   draft / page 8, line 33 of RFC 4807]

   SpdEndpointToGroupEntry(spdEndGroupDirection = 1,     -- ingress
                           spdEndGroupIdentType = 4,     -- IPv4
                           spdEndGroupAddress = 0xC0000001)
        = (spdEndGroupName = "ingress",
           spdEndGroupRowStatus = 4)                     -- createAndGo

   This completes the necessary steps to implement the policy.  Once all
   of these rules have been applied, the policy should take effect.
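   The structure Section 5 describes (an endpoint bound to a group, a
   group holding rules or sub-groups, a rule pairing a filter with an
   action, and compound filters that AND or OR their ordered sub-filters
   and may contain other compound filters) and the Section 5.1.2 policy
   can be exercised together in a small Python model.  This is an added
   example, not code from RFC 4807 or the IPSP working group.  The class
   names, the first-match evaluation order, the reduction of
   spdIpHeaderFilterTable to address equality, the cycle guard, and the
   extra nested filters and sub-group are this example's assumptions;
   only the table names, the SpdBooleanOperator values and the 5.1.2
   addresses come from the text.

```python
"""Toy model of the rule, filter, and action structure of the
IPSEC-SPD-MIB (an added example, not code from RFC 4807 or its authors).
Table and column names follow the MIB; the Python classes, the
first-match evaluation order, and the sample policy are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

OR, AND = 1, 2                   # SpdBooleanOperator: or(1), and(2)
INGRESS, EGRESS = 1, 2           # spdEndGroupDirection, as in Section 5.1.2
ACCEPT, DROP = "accept", "drop"  # static actions (accept, drop, log, ...)


@dataclass
class Packet:
    src: str  # only the header fields the sample filters inspect
    dst: str


class TrueFilter:
    """spdTrueFilter: matches every packet."""
    def matches(self, pkt, filters):
        return True


@dataclass
class IpHeaderFilter:
    """One spdIpHeaderFilterTable row, reduced to source/destination
    address equality (a simplification of the real table's columns)."""
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt, filters):
        if self.src is not None and ip_address(pkt.src) != ip_address(self.src):
            return False
        return self.dst is None or ip_address(pkt.dst) == ip_address(self.dst)


@dataclass
class CompoundFilter:
    """An spdCompoundFilterTable row plus its ordered spdSubfiltersTable
    rows.  A sub-filter name may name another CompoundFilter, which is
    the recursion Section 5 describes."""
    operator: int
    subfilters: list

    def matches(self, pkt, filters):
        results = [filters[name].matches(pkt, filters) for name in self.subfilters]
        return all(results) if self.operator == AND else any(results)


@dataclass
class SPD:
    filters: dict    # name -> filter object (the filter tables)
    rules: dict      # spdRuleDefinitionTable: name -> (filter name, action)
    groups: dict     # spdGroupContentsTable: name -> ordered ("rule"|"group", name)
    endpoints: dict  # spdEndpointToGroupTable: (direction, address) -> group

    def evaluate(self, direction, interface_addr, pkt):
        """Action for pkt on this interface and direction, or None when no
        group is bound to the endpoint or no rule in it matches."""
        group = self.endpoints.get((direction, str(ip_address(interface_addr))))
        return None if group is None else self._walk(group, pkt, ())

    def _walk(self, group_name, pkt, seen):
        if group_name in seen:
            # The MIB sets no nesting limit; a cycle would never terminate.
            raise ValueError(f"group nesting cycle at {group_name!r}")
        for kind, name in self.groups[group_name]:
            if kind == "group":
                action = self._walk(name, pkt, seen + (group_name,))
            else:
                filter_name, action = self.rules[name]
                if not self.filters[filter_name].matches(pkt, self.filters):
                    action = None
            if action is not None:
                return action  # first matching rule wins (model assumption)
        return None


def example_policy():
    """The Section 5.1.2 policy: on 192.0.2.1 ingress, drop traffic from
    192.0.2.6 and accept everything else.  The nested compound filters and
    the sub-group are constructed only to exercise the recursion."""
    filters = {
        "host-206": IpHeaderFilter(src="192.0.2.6"),
        "to-201": IpHeaderFilter(dst="192.0.2.1"),
        "206-to-201": CompoundFilter(AND, ["host-206", "to-201"]),
        "either": CompoundFilter(OR, ["206-to-201", "host-206"]),
        "true": TrueFilter(),
    }
    rules = {"drop-206": ("host-206", DROP), "accept-all": ("true", ACCEPT)}
    groups = {"ingress": [("group", "blocklist"), ("rule", "accept-all")],
              "blocklist": [("rule", "drop-206")]}
    return SPD(filters, rules, groups, {(INGRESS, "192.0.2.1"): "ingress"})
```

   The drop rule sits in a sub-group that is listed before the
   catch-all accept rule, so the walk reaches it first; reversing the
   two members would accept everything, which is the ordering mistake
   the "one group of rules per direction" layout makes easy to audit.
   The cycle guard exists because the text states that neither group
   nesting nor compound-filter nesting has an inherent depth limit.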
6.  MIB Definition

   The following MIB Module imports from: [RFC2578], [RFC2579],
   [RFC2580], [RFC2863], [RFC3289], [RFC3411], and [RFC4001].  It also
   uses definitions from [RFC1108], [RFC3060], and [RFC3629].

IPSEC-SPD-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
    Unsigned32, mib-2                    FROM SNMPv2-SMI
                                              -- [RFC2578]
    TEXTUAL-CONVENTION, RowStatus, TruthValue,
    TimeStamp, StorageType, VariablePointer
                                         FROM SNMPv2-TC
                                              -- [RFC2579]
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                                         FROM SNMPv2-CONF
                                              -- [RFC2580]
    InterfaceIndex
                                         FROM IF-MIB
                                              -- [RFC2863]
    diffServMIBMultiFieldClfrGroup, IfDirection,
    diffServMultiFieldClfrNextFree

    -- [diff: unchanged text elided, skipping to page 9, line 36 of
    --  the draft / page 9, line 31 of RFC 4807]

    SnmpAdminString                      FROM SNMP-FRAMEWORK-MIB
                                              -- [RFC3411]
    ;

--
-- module identity
--

spdMIB MODULE-IDENTITY
    LAST-UPDATED "200702070000Z"         -- 7 February 2007
                    -- draft-07: "200610170000Z", 17 October 2006
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
                  P.O. Box 72682
                  Davis, CA 95617
                  Phone: +1 530 902 3131
                  Email: baerm@tislabs.com

                  Ricky Charlet
                  Email: rcharlet@alumni.calpoly.edu

                  [diff: unchanged text elided, skipping to page 10,
                  line 11 of the draft / page 10, line 6 of RFC 4807]

                  P.O. Box 382
                  Davis, CA 95617
                  Phone: +1 530 792 1913
                  Email: hardaker@tislabs.com

                  Robert Story
                  Revelstone Software
                  PO Box 1812
                  Tucker, GA 30085
                  Phone: +1 770 617 3722
                  Email: rstory@ipsp.revelstone.com
                  [draft-07: rstory@sparta.com]

                  Cliff Wang
                  ARO  [draft-07: ARO/North Carolina State University]
                  4300 S. Miami Blvd.
                  Durham, NC 27703  [draft-07: RTP, NC 27709]
                  E-Mail: cliffwangmail@yahoo.com"
    DESCRIPTION
        "This MIB module defines configuration objects for managing
        IPsec Security Policies.  In general, this MIB can be
        implemented anywhere IPsec security services exist (e.g.,
        bump-in-the-wire, host, gateway, firewall, router, etc.).

        Copyright (C) The IETF Trust (2007).  This version of
        this MIB module is part of RFC 4807; see the RFC itself for
        full legal notices."
        -- draft-07: Copyright (C) The Internet Society (2006);
        -- "part of RFC ZZZZ", ZZZZ to be assigned by the RFC Editor

    -- Revision History
    REVISION     "200702070000Z"         -- 7 February 2007
    DESCRIPTION  "Initial version, published as RFC 4807."
        -- draft-07: REVISION "200610170000Z" (17 October 2006),
        -- "Initial version, published as RFC ZZZZ."

    ::= { mib-2 153 }
        -- draft-07: { mib-2 xxx }, xxx to be assigned by IANA

--
-- groups of related objects
--

spdConfigObjects OBJECT IDENTIFIER
    ::= { spdMIB 1 }

spdNotificationObjects OBJECT IDENTIFIER
    ::= { spdMIB 2 }

spdConformanceObjects OBJECT IDENTIFIER

    -- [diff: unchanged text elided, skipping to page 11, line 10 of
    --  the draft / page 10, line 51 of RFC 4807]

    ::= { spdMIB 4 }
-- --
-- Textual Conventions -- Textual Conventions
-- --
SpdBooleanOperator ::= TEXTUAL-CONVENTION SpdBooleanOperator ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The SpdBooleanOperator operator is used to specify "The SpdBooleanOperator operator is used to specify
whether sub-components in a decision making process are whether sub-components in a decision-making process are
ANDed or ORed together to decide if the resulting ANDed or ORed together to decide if the resulting
expression is true or false." expression is true or false."
SYNTAX INTEGER { or(1), and(2) } SYNTAX INTEGER { or(1), and(2) }
SpdAdminStatus ::= TEXTUAL-CONVENTION SpdAdminStatus ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The SpdAdminStatus is used to specify the administrative "The SpdAdminStatus is used to specify the administrative
status of an object. Objects which are disabled MUST NOT status of an object. Objects that are disabled MUST NOT
be used by the packet processing engine." be used by the packet processing engine."
SYNTAX INTEGER { enabled(1), disabled(2) } SYNTAX INTEGER { enabled(1), disabled(2) }
SpdIPPacketLogging ::= TEXTUAL-CONVENTION SpdIPPacketLogging ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d" DISPLAY-HINT "d"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"SpdIPPacketLogging specifies whether an audit message "SpdIPPacketLogging specifies whether an audit message
SHOULD be logged if a packet is passed through a Security SHOULD be logged if a packet is passed through a Security
Association (SA) and if some of that packet is included in Association (SA) and if some of that packet is included in
[...]

        The first 'yyyymmddThhmmss' sub-string indicates the start
        date and time. The second 'yyyymmddThhmmss' sub-string
        indicates the end date and time. The character 'T' within
        these sub-strings indicates the beginning of the time
        portion of each sub-string. The solidus character '/'
        separates the start from the end date and time. The end
        date and time MUST be subsequent to the start date and
        time.

        There are also two allowed substitutes for a
        'yyyymmddThhmmss' sub-string: one for the start date and
        time, and one for the end date and time.

        If the start date and time are replaced with the string
        'THISANDPRIOR', this sub-string would indicate the current
        date and time and the previous dates and time.

        If the end date and time are replaced with the string
        'THISANDFUTURE', this sub-string would indicate the current
        date and time and the subsequent dates and time.

        Any of the following SHOULD be considered a
        'wrongValue' error:

        - Setting a value with the end date and time earlier than
          or equal to the start date and time.
        - Setting the start date and time to 'THISANDFUTURE'.
        - Setting the end date and time to 'THISANDPRIOR'."
    REFERENCE "RFC 3060, 3269"
    SYNTAX OCTET STRING (SIZE (0..31))
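The following is an added example, not text from this MIB and not code from any agent that implements it: a Python parser and validator for the SpdTimePeriod format above, enforcing the 31-octet SIZE clause, the 'yyyymmddThhmmss/yyyymmddThhmmss' shape, the THISANDPRIOR and THISANDFUTURE substitutes, and the three 'wrongValue' rules. Two points the TEXTUAL-CONVENTION leaves open are assumptions here and marked as such in the code: an empty string is read as an unbounded period, and both bounds are treated as inclusive when a packet's arrival time is tested against the period.

```python
from datetime import datetime

THISANDPRIOR, THISANDFUTURE = "THISANDPRIOR", "THISANDFUTURE"
STAMP_FMT = "%Y%m%dT%H%M%S"      # 'yyyymmddThhmmss'
MAX_LEN = 31                     # SYNTAX OCTET STRING (SIZE (0..31))


class WrongValue(ValueError):
    pass   # the SET SHOULD fail with a wrongValue error-status


def parse_stamp(stamp):
    """One 'yyyymmddThhmmss' sub-string -> datetime, else WrongValue."""
    if len(stamp) != 15 or stamp[8] != "T":
        raise WrongValue(f"malformed 'yyyymmddThhmmss' sub-string: {stamp!r}")
    try:
        return datetime.strptime(stamp, STAMP_FMT)
    except ValueError:
        raise WrongValue(f"invalid date or time in {stamp!r}") from None


def parse_time_period(value):
    """Validate an SpdTimePeriod value and return (start, end).

    None on either side stands for the open-ended substitute
    (THISANDPRIOR for the start, THISANDFUTURE for the end)."""
    try:
        text = value.decode("ascii") if isinstance(value, bytes) else value
    except UnicodeDecodeError:
        raise WrongValue("non-ASCII octets in SpdTimePeriod") from None
    if len(text) > MAX_LEN:
        raise WrongValue("value exceeds 31 octets")
    if text == "":          # allowed by SIZE(0..31); read as unbounded (assumption)
        return None, None
    parts = text.split("/")
    if len(parts) != 2:
        raise WrongValue("expected 'start/end' with exactly one solidus")
    start_s, end_s = parts
    # The substitutes are only legal on their own side of the solidus.
    if start_s == THISANDFUTURE:
        raise WrongValue("start date and time set to 'THISANDFUTURE'")
    if end_s == THISANDPRIOR:
        raise WrongValue("end date and time set to 'THISANDPRIOR'")
    start = None if start_s == THISANDPRIOR else parse_stamp(start_s)
    end = None if end_s == THISANDFUTURE else parse_stamp(end_s)
    # The end MUST be subsequent to the start; equal is also wrongValue.
    if start is not None and end is not None and end <= start:
        raise WrongValue("end date and time not subsequent to start")
    return start, end


def in_period(value, now):
    """True if the instant `now` lies inside the period (bounds inclusive; assumption)."""
    start, end = parse_time_period(value)
    return (start is None or now >= start) and (end is None or now <= end)
```

Rejecting on SET rather than at packet-processing time matters: a period that fails these checks would otherwise sit in the SPD as a time filter that never (or always) matches, silently widening or narrowing the policy window.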
--
-- Policy group definitions
--
spdLocalConfigObjects OBJECT IDENTIFIER
    ::= { spdConfigObjects 1 }

spdIngressPolicyGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object indicates the global system policy group that
        is to be applied on ingress packets (i.e., arriving at an
        interface from a network) when a given endpoint does not
        contain a policy definition in the spdEndpointToGroupTable.
        Its value can be used as an index into the
        spdGroupContentsTable to retrieve a list of policies. A
        zero-length string indicates that no system-wide policy
        exists and the default policy of 'drop' SHOULD be executed
        for ingress packets until one is imposed by either this
        object or by the endpoint processing a given packet.

        This object MUST be persistent."
    DEFVAL { "" }
    ::= { spdLocalConfigObjects 1 }

spdEgressPolicyGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object indicates the policy group containing the
        global system policy that is to be applied on egress
        packets (i.e., packets leaving an interface and entering a
        network) when a given endpoint does not contain a policy
        definition in the spdEndpointToGroupTable. Its value can
        be used as an index into the spdGroupContentsTable to
        retrieve a list of policies. A zero-length string
        indicates that no system-wide policy exists and the default
        policy of 'drop' SHOULD be executed for egress packets
        until one is imposed by either this object or by the
        endpoint processing a given packet.

        This object MUST be persistent."
    DEFVAL { "" }
    ::= { spdLocalConfigObjects 2 }

spdEndpointToGroupTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
[...]

        used to control access to the network traffic passing
        through that endpoint.

        If an endpoint has been configured with a policy group and
        no rule within that policy group matches that packet, the
        default action in this case SHALL be to drop the packet.

        If no policy group has been assigned to an endpoint, then
        the policy group specified by spdIngressPolicyGroupName MUST
        be used on traffic inbound from the network through that
        endpoint, and the policy group specified by
        spdEgressPolicyGroupName MUST be used for traffic outbound
        to the network through that endpoint."
    ::= { spdConfigObjects 2 }

spdEndpointToGroupEntry OBJECT-TYPE
    SYNTAX SpdEndpointToGroupEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A mapping assigning a policy group to an endpoint."
[...]

        when this value is inbound(1). Egress packets or packets
        out of the device match when this value is outbound(2)."
    ::= { spdEndpointToGroupEntry 1 }

spdEndGroupInterface OBJECT-TYPE
    SYNTAX InterfaceIndex
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This value matches the IF-MIB's ifTable's ifIndex column
        and indicates the interface associated with a given
        endpoint. This object can be used to uniquely identify an
        endpoint that a set of policy groups are applied to."
    ::= { spdEndpointToGroupEntry 2 }

spdEndGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The policy group name to apply at this endpoint. The
[...]

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdEndpointToGroupEntry 4 }

spdEndGroupStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdEndpointToGroupEntry 5 }

spdEndGroupRowStatus OBJECT-TYPE
    SYNTAX RowStatus
[...]

        current row for a given packet."
    ::= { spdConfigObjects 3 }

spdGroupContentsEntry OBJECT-TYPE
    SYNTAX SpdGroupContentsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Defines a given sub-component within a policy group. A
        sub-component is either a rule or another group as
        indicated by spdGroupContComponentType and referenced by
        spdGroupContComponentName."
    INDEX { spdGroupContName, spdGroupContPriority }
    ::= { spdGroupContentsTable 1 }

SpdGroupContentsEntry ::= SEQUENCE {
    spdGroupContName SnmpAdminString,
    spdGroupContPriority Integer32,
    spdGroupContFilter VariablePointer,
    spdGroupContComponentType INTEGER,
    spdGroupContComponentName SnmpAdminString,
    spdGroupContLastChanged TimeStamp,
[...]

spdGroupContPriority OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The priority (sequence number) of the sub-component in
        a group that this row represents. This value indicates
        the order in which each row of this table MUST be
        processed, from low to high. For example, a row with a
        priority of 0 is processed before a row with a priority of
        1, a 1 before a 2, etc."
    ::= { spdGroupContentsEntry 2 }

spdGroupContFilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "spdGroupContFilter points to a filter that is evaluated
        to determine whether the spdGroupContComponentName within
        this row is exercised. Managers can use this object to
        classify groups of rules, or subgroups, together in order to
        achieve a greater degree of control and optimization over
        the execution order of the items within the group. If the
        filter evaluates to false, the rule or subgroup will be
        skipped and the next rule or subgroup will be evaluated
        instead. This value can be used to indicate a scalar or a
        row in a table. When indicating a row in a table, this
        value MUST point to the first column instance in that row.

        An example usage of this object would be to limit a
        group of rules to executing only when the IP packet
        being processed is designated to be processed by IKE.
        This effectively creates a group of IKE-specific rules.

        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB:

        diffServMultiFieldClfrTable
        spdIpOffsetFilterTable
        spdTimeFilterTable
        spdCompoundFilterTable
        spdTrueFilter
        spdIpsoHeaderFilterTable

        Implementations MAY choose to provide support for other
        filter tables or scalars.

        If this column is set to a VariablePointer value that
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        MUST be returned.

        If, during packet processing, a row in this table is applied
        to a packet and the value of this column in that row
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    REFERENCE "RFC 3289"
    DEFVAL { spdTrueFilterInstance }
    ::= { spdGroupContentsEntry 3 }

spdGroupContComponentType OBJECT-TYPE
    SYNTAX INTEGER { group(1), rule(2) }
    MAX-ACCESS read-create
[...]

        If this row has not been modified since the last
        re-initialization of the network management subsystem,
        this object SHOULD have a zero value."
    ::= { spdGroupContentsEntry 6 }

spdGroupContStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdGroupContentsEntry 7 }

spdGroupContRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        This object MUST NOT be set to active until the row to
        which the spdGroupContComponentName points exists and is
        active.

        If active, this object MUST remain active unless one of the
        following two conditions is met:

        I. No active row in spdEndpointToGroupTable exists that
           references this row's group (i.e., indicates this row's
           spdGroupContName).

        II. Or at least one other active row in this table has a
            matching spdGroupContName.

        If neither condition is met, an attempt to set this row to
        something other than active MUST result in an
        inconsistentValue error."
    ::= { spdGroupContentsEntry 8 }
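The activation and deactivation rules in the spdGroupContRowStatus DESCRIPTION above are referential-integrity checks an agent has to run on every SET. The following is an added example of those checks, not text from this MIB and not any agent's code: the two tables are modelled as plain Python objects (an assumed layout), the rule table is reduced to a name-to-RowStatus map, and a group referenced by a group-type component is taken to "exist and be active" when it has at least one active row, which the DESCRIPTION does not spell out.

```python
from dataclasses import dataclass

ACTIVE = "active"          # RowStatus value; any other value counts as not active here
GROUP, RULE = 1, 2         # spdGroupContComponentType


@dataclass
class GroupContRow:        # spdGroupContentsTable row (index: name, priority)
    name: str              # spdGroupContName
    priority: int          # spdGroupContPriority
    comp_type: int         # spdGroupContComponentType
    comp_name: str         # spdGroupContComponentName
    row_status: str        # spdGroupContRowStatus


@dataclass
class EndpointRow:         # spdEndpointToGroupTable row
    direction: int         # spdEndGroupDirection
    if_index: int          # spdEndGroupInterface
    group_name: str        # spdEndGroupName
    row_status: str        # spdEndGroupRowStatus


class InconsistentValue(Exception):
    pass   # the SET MUST fail with an inconsistentValue error-status


def set_group_cont_row_status(row, new_status, group_contents, endpoints, rule_status):
    """Apply a SET of spdGroupContRowStatus, enforcing the DESCRIPTION's rules.

    rule_status maps a rule name to its spdRuleDefRowStatus (assumed shape)."""
    if new_status == ACTIVE and row.row_status != ACTIVE:
        # MUST NOT become active until the referenced rule/group exists and is active.
        if row.comp_type == RULE:
            target_active = rule_status.get(row.comp_name) == ACTIVE
        else:   # assumption: a group is "active" if it has at least one active row
            target_active = any(r.name == row.comp_name and r.row_status == ACTIVE
                                for r in group_contents)
        if not target_active:
            raise InconsistentValue(f"{row.comp_name!r} does not exist or is not active")
    elif new_status != ACTIVE and row.row_status == ACTIVE:
        # Condition I: no active endpoint row references this row's group.
        referenced = any(e.group_name == row.name and e.row_status == ACTIVE
                         for e in endpoints)
        # Condition II: another active row with the same spdGroupContName remains.
        sibling = any(r is not row and r.name == row.name and r.row_status == ACTIVE
                      for r in group_contents)
        if referenced and not sibling:
            raise InconsistentValue(f"group {row.name!r} is in use and would become empty")
    row.row_status = new_status
    return row.row_status
```

The deactivation check is what keeps an endpoint from silently falling back to "no rule matched, drop" in the middle of a reconfiguration: the last active row of a group that an active endpoint still references cannot be removed until the endpoint row is retargeted or deactivated first.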
--
-- policy definition table
--

[...]
        "A user-defined string. This field MAY be used for
        administrative tracking purposes."
    DEFVAL { "" }
    ::= { spdRuleDefinitionEntry 2 }

spdRuleDefFilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "spdRuleDefFilter points to a filter that is used to
        evaluate whether the action associated with this row is
        executed or not. The action will only execute if the
        filter referenced by this object evaluates to TRUE after
        first applying any negation required by the
        spdRuleDefFilterNegated object.

        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB. Implementations MAY choose to provide support
        for other filter tables or scalars as well:

        diffServMultiFieldClfrTable
        spdIpOffsetFilterTable
        spdTimeFilterTable
        spdCompoundFilterTable
        spdTrueFilter

        If this column is set to a VariablePointer value that
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        MUST be returned.

        If, during packet processing, this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    REFERENCE "RFC 3289"
    ::= { spdRuleDefinitionEntry 3 }

spdRuleDefFilterNegated OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "spdRuleDefFilterNegated specifies whether or not the result
        of the filter referenced by the spdRuleDefFilter object is
        negated."
    DEFVAL { false }
    ::= { spdRuleDefinitionEntry 4 }

spdRuleDefAction OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This column points to the action to be taken. It MAY,
        but is not limited to, point to a row in one of the
[...]

        spdStaticActions.

        If this object is set to a pointer to a row in an
        unsupported (or unknown) table, an inconsistentValue
        error MUST be returned.

        If this object is set to point to a non-existent row in an
        otherwise supported table, an inconsistentName error MUST
        be returned.

        If, during packet processing, this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    ::= { spdRuleDefinitionEntry 5 }

spdRuleDefAdminStatus OBJECT-TYPE
    SYNTAX SpdAdminStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Indicates whether the current rule definition is considered
        active. If the value is enabled, the rule MUST be evaluated
        when processing packets. If the value is disabled, the
        packet processing MUST continue as if this rule's filter
        had effectively failed."
    DEFVAL { enabled }
    ::= { spdRuleDefinitionEntry 6 }

spdRuleDefLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
[...]

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdRuleDefinitionEntry 7 }

spdRuleDefStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a
        storage type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdRuleDefinitionEntry 8 }

spdRuleDefRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object MUST NOT be set to active until the containing
        conditions, filters, and actions have been defined. Once
        active, it MUST remain active until no active
        spdGroupContentsTable entries are referencing it. A failed
        attempt to do so MUST return an inconsistentValue error."
    ::= { spdRuleDefinitionEntry 9 }

--
-- Policy compound filter definition table
--

spdCompoundFilterTable OBJECT-TYPE
[...]

    STATUS current
    DESCRIPTION
        "An entry in the spdCompoundFilterTable. Each entry in this
        table represents a compound filter. A filter defined by
        this table is considered to have a TRUE return value if and
        only if:

        spdCompFiltLogicType is AND and all of the sub-filters
        associated with it, as defined in the spdSubfiltersTable,
        are true themselves (after applying any required
        negation, as defined by the spdSubFiltSubfilterIsNegated
        object).

        spdCompFiltLogicType is OR and at least one of the
        sub-filters associated with it, as defined in the
        spdSubfiltersTable, is true itself (after applying any
        required negation, as defined by the
        spdSubFiltSubfilterIsNegated object)."
    INDEX { spdCompFiltName }
    ::= { spdCompoundFilterTable 1 }

SpdCompoundFilterEntry ::= SEQUENCE {
    spdCompFiltName SnmpAdminString,
    spdCompFiltDescription SnmpAdminString,
    spdCompFiltLogicType SpdBooleanOperator,
    spdCompFiltLastChanged TimeStamp,
    spdCompFiltStorageType StorageType,
[...]

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdCompoundFilterEntry 4 }

spdCompFiltStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a
        storage type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdCompoundFilterEntry 5 }

spdCompFiltRowStatus OBJECT-TYPE
    SYNTAX RowStatus
[...]

        given compound filter defined in the
        spdCompoundFilterTable."
    ::= { spdConfigObjects 6 }

spdSubfiltersEntry OBJECT-TYPE
    SYNTAX SpdSubfiltersEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry in the spdSubfiltersTable. There is an entry in
        this table for each sub-filter of all compound filters
        present in the spdCompoundFilterTable."
    INDEX { spdCompFiltName, spdSubFiltPriority }
    ::= { spdSubfiltersTable 1 }

SpdSubfiltersEntry ::= SEQUENCE {
    spdSubFiltPriority Integer32,
    spdSubFiltSubfilter VariablePointer,
    spdSubFiltSubfilterIsNegated TruthValue,
    spdSubFiltLastChanged TimeStamp,
    spdSubFiltStorageType StorageType,
skipping to change at page 27, line 46 skipping to change at page 27, line 41
} }
spdSubFiltPriority OBJECT-TYPE spdSubFiltPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority of a given filter within a compound filter. "The priority of a given filter within a compound filter.
The order of execution is from lowest to highest priority The order of execution is from lowest to highest priority
value (i.e., priority 0 before priority 1, 1 before 2, value (i.e., priority 0 before priority 1, 1 before 2,
etc...). Implementations MAY choose to follow this ordering etc.). Implementations MAY choose to follow this ordering,
as set by the manager that created the rows. This can allow as set by the manager that created the rows. This can allow
a manager to intelligently construct filter lists such that a manager to intelligently construct filter lists such that
faster filters are evaluated first." faster filters are evaluated first."
::= { spdSubfiltersEntry 1 } ::= { spdSubfiltersEntry 1 }
spdSubFiltSubfilter OBJECT-TYPE spdSubFiltSubfilter OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The OID of the contained filter. The value of this "The OID of the contained filter. The value of this
object is a VariablePointer which references the filter to object is a VariablePointer that references the filter to
be included in this compound filter. be included in this compound filter.
The following tables and scalars can be pointed to by this The following tables and scalars can be pointed to by this
column. All but diffServMultiFieldClfrTable are defined in column. All but diffServMultiFieldClfrTable are defined in
this MIB. Implementations MAY choose to provide support this MIB. Implementations MAY choose to provide support
for other filter tables or scalars as well: for other filter tables or scalars as well:
diffServMultiFieldClfrTable diffServMultiFieldClfrTable
spdIpsoHeaderFilterTable spdIpsoHeaderFilterTable
spdIpOffsetFilterTable spdIpOffsetFilterTable
spdTimeFilterTable spdTimeFilterTable
spdCompoundFilterTable spdCompoundFilterTable
spdTrueFilter spdTrueFilter
If this column is set to a VariablePointer value which If this column is set to a VariablePointer value that
references a non-existent row in an otherwise supported references a non-existent row in an otherwise supported
table, the inconsistentName exception MUST be returned. If table, the inconsistentName exception MUST be returned. If
the table or scalar pointed to by the VariablePointer is the table or scalar pointed to by the VariablePointer is
not supported at all, then an inconsistentValue exception not supported at all, then an inconsistentValue exception
MUST be returned. MUST be returned.
If during packet processing this column has a value that If, during packet processing, this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet MUST be dropped." packet MUST be dropped."
REFERENCE "RFC 3289" REFERENCE "RFC 3289"
::= { spdSubfiltersEntry 2 } ::= { spdSubfiltersEntry 2 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE spdSubFiltSubfilterIsNegated OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates whether the result of applying this subfilter "Indicates whether or not the result of applying this sub-filter
are negated or not." is negated."
DEFVAL { false } DEFVAL { false }
::= { spdSubfiltersEntry 3 } ::= { spdSubfiltersEntry 3 }
spdSubFiltLastChanged OBJECT-TYPE spdSubFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
skipping to change at page 29, line 19 skipping to change at page 29, line 15
If this row has not been modified since the last If this row has not been modified since the last
re-initialization of the network management subsystem, this re-initialization of the network management subsystem, this
object SHOULD have a zero value." object SHOULD have a zero value."
::= { spdSubfiltersEntry 4 } ::= { spdSubfiltersEntry 4 }
spdSubFiltStorageType OBJECT-TYPE spdSubFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table that
were created through an external process MAY have a were created through an external process MAY have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubfiltersEntry 5 } ::= { spdSubfiltersEntry 5 }
spdSubFiltRowStatus OBJECT-TYPE spdSubFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates the conceptual status of this row. "This object indicates the conceptual status of this row.
The value of this object has no effect on whether other The value of this object has no effect on whether other
objects in this conceptual row can be modified. objects in this conceptual row can be modified.
This object can not be made active until a filter This object can not be made active until a filter
referenced by the spdSubFiltSubfilter object is both referenced by the spdSubFiltSubfilter object is both
defined and is active. An attempt to do so MUST result in defined and active. An attempt to do so MUST result in
an inconsistentValue error. an inconsistentValue error.
If active, this object MUST remain active unless one of the If active, this object MUST remain active unless one of the
following two conditions is met: following two conditions is met:
I. No active row in the SpdCompoundFilterTable exists I. No active row in the SpdCompoundFilterTable exists
which has a matching spdCompFiltName. that has a matching spdCompFiltName.
II. Or at least one other active row in this table has a II. Or, at least one other active row in this table has a
matching spdCompFiltName. matching spdCompFiltName.
If neither condition is met, an attempt to set this row to If neither condition is met, an attempt to set this row to
something other than active MUST result in an something other than active MUST result in an
inconsistentValue error." inconsistentValue error."
::= { spdSubfiltersEntry 6 } ::= { spdSubfiltersEntry 6 }
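The spdSubfiltersTable text above fixes three behaviours for an agent: sub-filters run in ascending spdSubFiltPriority order, spdSubFiltSubfilterIsNegated inverts a sub-filter's result, and a VariablePointer that no longer resolves at packet-processing time drops the packet (while at SET time it yields inconsistentName or inconsistentValue). The following is an added example, not code from RFC 4807 or the draft; it assumes the compound filter's combining operator (defined in spdCompoundFilterTable, outside this excerpt) is an "and"/"or" string, models VariablePointers as (table-or-scalar, instance) tuples, and uses a registry dict with constructed row names in place of the agent's MIB instrumentation.

```python
"""Evaluate one compound filter's sub-filter rows as spdSubfiltersTable
prescribes. Added example, not code from RFC 4807 or the draft.
Assumptions: operator "and"/"or" stands in for the compound filter's
logic column; pointers are (table, instance) tuples; the registry and
its row names ("tcp-only", "business-hours") are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Pointer = Tuple[str, str]                  # (table or scalar, instance index)
Packet = Dict[str, int]
FilterFn = Callable[[Packet], bool]
Registry = Dict[str, Dict[str, FilterFn]]


@dataclass(frozen=True)
class SubfilterRow:
    priority: int        # spdSubFiltPriority: 0 runs before 1, 1 before 2, ...
    subfilter: Pointer   # spdSubFiltSubfilter (a VariablePointer)
    is_negated: bool     # spdSubFiltSubfilterIsNegated


class PacketDropped(Exception):
    """A sub-filter references a non-existent or unsupported object while a
    packet is being processed: the MIB says the packet MUST be dropped."""


def build_registry() -> Registry:
    """Constructed stand-in for the tables/scalars this column may point to."""
    return {
        "spdTrueFilter": {"0": lambda p: True},              # spdTrueFilterInstance
        "spdIpOffsetFilterTable": {"tcp-only": lambda p: p["proto"] == 6},
        "spdTimeFilterTable": {"business-hours": lambda p: 9 <= p["hour"] < 17},
    }


def check_set(pointer: Pointer, registry: Registry) -> Optional[str]:
    """SET-time validation of spdSubFiltSubfilter: returns the SNMP error the
    MIB requires, or None when the pointer is acceptable."""
    table, instance = pointer
    if table not in registry:
        return "inconsistentValue"     # table or scalar not supported at all
    if instance not in registry[table]:
        return "inconsistentName"      # supported table, non-existent row
    return None


def evaluate_compound(rows: List[SubfilterRow], registry: Registry,
                      packet: Packet, operator: str = "and") -> bool:
    ordered = sorted(rows, key=lambda r: r.priority)
    # Resolve every pointer first, so a dangling row drops the packet even
    # when short-circuit evaluation would never have reached it (fail closed).
    resolved = []
    for row in ordered:
        table, instance = row.subfilter
        fn = registry.get(table, {}).get(instance)
        if fn is None:
            raise PacketDropped(f"{table}.{instance} does not resolve")
        resolved.append((row, fn))
    # Evaluate in priority order with short-circuiting; this is why the text
    # lets a manager put faster filters ahead of slower ones.
    for row, fn in resolved:
        result = bool(fn(packet)) != row.is_negated   # XOR applies the negation
        if operator == "and" and not result:
            return False
        if operator == "or" and result:
            return True
    return operator == "and"        # empty AND is true, empty OR is false


def compound_filter_examples() -> Dict[str, object]:
    """Worked cases: 'TCP outside business hours' as an AND of two rows."""
    registry = build_registry()
    rows = [
        SubfilterRow(1, ("spdIpOffsetFilterTable", "tcp-only"), False),
        SubfilterRow(0, ("spdTimeFilterTable", "business-hours"), True),  # negated
    ]
    out: Dict[str, object] = {
        "set_ok": check_set(("spdTrueFilter", "0"), registry),
        "set_missing_row": check_set(("spdTimeFilterTable", "nope"), registry),
        "set_unsupported": check_set(("diffServMultiFieldClfrTable", "1"), registry),
        "tcp_at_20h": evaluate_compound(rows, registry, {"proto": 6, "hour": 20}),
        "tcp_at_12h": evaluate_compound(rows, registry, {"proto": 6, "hour": 12}),
        "udp_at_20h": evaluate_compound(rows, registry, {"proto": 17, "hour": 20}),
    }
    dangling = rows + [SubfilterRow(5, ("spdTimeFilterTable", "deleted"), False)]
    try:
        evaluate_compound(dangling, registry, {"proto": 6, "hour": 20})
        out["dangling"] = "evaluated"
    except PacketDropped:
        out["dangling"] = "dropped"
    return out


if __name__ == "__main__":
    for name, value in compound_filter_examples().items():
        print(f"{name}: {value}")
```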
-- --
-- Static Filters -- Static Filters
-- --
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 } spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE spdTrueFilter OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates a (automatic) true result for "This scalar indicates a (automatic) true result for
a filter. I.e. this is a filter that is always a filter. That is, this is a filter that is always
true, useful for adding as a default filter for a true; it is useful for adding as a default filter for a
default action or a set of actions." default action or a set of actions."
::= { spdStaticFilters 1 } ::= { spdStaticFilters 1 }
spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 } spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
-- --
-- Policy IP Offset filter definition table -- Policy IP Offset filter definition table
-- --
spdIpOffsetFilterTable OBJECT-TYPE spdIpOffsetFilterTable OBJECT-TYPE
skipping to change at page 33, line 34 skipping to change at page 33, line 31
If this row has not been modified since the last If this row has not been modified since the last
re-initialization of the network management subsystem, this re-initialization of the network management subsystem, this
object SHOULD have a zero value." object SHOULD have a zero value."
::= { spdIpOffsetFilterEntry 5 } ::= { spdIpOffsetFilterEntry 5 }
spdIpOffFiltStorageType OBJECT-TYPE spdIpOffFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table that
were created through an external process MAY have a were created through an external process MAY have a
storage type of readOnly or permanent. storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpOffsetFilterEntry 6 } ::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE spdIpOffFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
skipping to change at page 34, line 22 skipping to change at page 34, line 19
-- --
-- Time/scheduling filter table -- Time/scheduling filter table
-- --
spdTimeFilterTable OBJECT-TYPE spdTimeFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdTimeFilterEntry SYNTAX SEQUENCE OF SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines a table of filters which can be used to "Defines a table of filters that can be used to
effectively enable or disable policies based on a valid effectively enable or disable policies based on a valid
time range." time range."
::= { spdConfigObjects 9 } ::= { spdConfigObjects 9 }
spdTimeFilterEntry OBJECT-TYPE spdTimeFilterEntry OBJECT-TYPE
SYNTAX SpdTimeFilterEntry SYNTAX SpdTimeFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row describing a given time frame for which a policy "A row describing a given time frame for which a policy
skipping to change at page 35, line 34 skipping to change at page 35, line 32
::= { spdTimeFilterEntry 2 } ::= { spdTimeFilterEntry 2 }
spdTimeFiltMonthOfYearMask OBJECT-TYPE spdTimeFiltMonthOfYearMask OBJECT-TYPE
SYNTAX BITS { january(0), february(1), march(2), SYNTAX BITS { january(0), february(1), march(2),
april(3), may(4), june(5), july(6), april(3), may(4), june(5), july(6),
august(7), september(8), october(9), august(7), september(8), october(9),
november(10), december(11) } november(10), december(11) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which indicates acceptable months of the year. "A bit mask that indicates acceptable months of the year.
This column evaluates to 'true' if the current month's bit This column evaluates to 'true' if the current month's bit
is set." is set."
DEFVAL { { january, february, march, april, may, june, july, DEFVAL { { january, february, march, april, may, june, july,
august, september, october, november, december } } august, september, october, november, december } }
::= { spdTimeFilterEntry 3 } ::= { spdTimeFilterEntry 3 }
spdTimeFiltDayOfMonthMask OBJECT-TYPE spdTimeFiltDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(8)) SYNTAX OCTET STRING (SIZE(8))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Defines which days of the month the current time is "Defines which days of the month the current time is
valid for. It is a sequence of 64 BITS, where each BIT valid for. It is a sequence of 64 BITS, where each BIT
represents a corresponding day of the month in forward or represents a corresponding day of the month in forward or
reverse order. Starting from the left most bit, the first reverse order. Starting from the left-most bit, the first
31 bits identify the day of the month counting from the 31 bits identify the day of the month, counting from the
beginning of the month. The following 31 bits (bits 32-62) beginning of the month. The following 31 bits (bits 32-62)
indicate the day of the month counting from the end month. indicate the day of the month, counting from the end of the
For months with fewer than 31 days, the bits that month. For months with fewer than 31 days, the bits that
correspond to the non-existing days of that month are correspond to the non-existent days of that month are
ignored (e.g. for non-leap year Februarys, bits 29-31 and ignored (e.g., for non-leap year Februarys, bits 29-31 and
60-62 are ignored). 60-62 are ignored).
This column evaluates to 'true' if the current day of the This column evaluates to 'true' if the current day of the
month's bit is set. month's bit is set.
For example, A value of 0X'80 00 00 01 00 00 00 00' For example, a value of 0X'80 00 00 01 00 00 00 00'
indicates that this column evaluates to true on the first indicates that this column evaluates to true on the first
and last days of the month. and last days of the month.
The last two bits in the string MUST be zero." The last two bits in the string MUST be zero."
DEFVAL { 'fffffffffffffffe'H } DEFVAL { 'fffffffffffffffe'H }
::= { spdTimeFilterEntry 4 } ::= { spdTimeFilterEntry 4 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE spdTimeFiltDayOfWeekMask OBJECT-TYPE
SYNTAX BITS { sunday(0), monday(1), tuesday(2), SYNTAX BITS { sunday(0), monday(1), tuesday(2),
wednesday(3), thursday(4), friday(5), wednesday(3), thursday(4), friday(5),
saturday(6) } saturday(6) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit mask which defines which days of the week the current "A bit mask that defines which days of the week that the current
time is valid for. This column evaluates to 'true' if the time is valid for. This column evaluates to 'true' if the
current day of the week's bit is set." current day of the week's bit is set."
DEFVAL { { monday, tuesday, wednesday, thursday, friday, DEFVAL { { monday, tuesday, wednesday, thursday, friday,
saturday, sunday } } saturday, sunday } }
::= { spdTimeFilterEntry 5 } ::= { spdTimeFilterEntry 5 }
spdTimeFiltTimeOfDayMask OBJECT-TYPE spdTimeFiltTimeOfDayMask OBJECT-TYPE
SYNTAX SpdTimePeriod SYNTAX SpdTimePeriod
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates the start and end time of day for which this "Indicates the start and end time of the day for which this
filter evaluates to true. The date portions of the filter evaluates to true. The date portions of the
spdTimePeriod TC are ignored for purposes of evaluating this spdTimePeriod TC are ignored for purposes of evaluating this
mask and only the time specific portions are used. mask, and only the time-specific portions are used.
This column evaluates to 'true' if the current time of day This column evaluates to 'true' if the current time of day
is within the range of the start and end times of day is within the range of the start and end times of the day
indicated by this object." indicated by this object."
DEFVAL { "00000000T000000/00000000T240000" } DEFVAL { "00000000T000000/00000000T240000" }
::= { spdTimeFilterEntry 6 } ::= { spdTimeFilterEntry 6 }
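The four mask columns above are easy to get wrong in an implementation: SNMP BITS number from the most significant bit, spdTimeFiltDayOfMonthMask counts 31 bits forward and then 31 bits backward from the end of the month, and the date part of spdTimeFiltTimeOfDayMask is ignored. The following is an added example, not code from RFC 4807 or the draft, that evaluates these columns against a timestamp; it assumes the SpdTimePeriod text form "YYYYMMDDThhmmss/YYYYMMDDThhmmss" suggested by the DEFVAL, a half-open time range (start <= now < end), and that a row is true only when every modelled column is true (the elided column 2 is not modelled).

```python
"""Evaluate spdTimeFilterTable mask columns against a datetime.
Added example, not code from RFC 4807 or the draft. Assumptions: the
SpdTimePeriod form "YYYYMMDDThhmmss/YYYYMMDDThhmmss", a half-open time
range, and AND across the modelled columns; spdTimeFiltPeriod is omitted.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime
from typing import Dict


def _bit_set(octets: bytes, bit: int) -> bool:
    """SNMP numbering for BITS and bit-string OCTET STRINGs: bit 0 is the
    most significant bit of the first octet."""
    return bool(octets[bit // 8] & (0x80 >> (bit % 8)))


@dataclass(frozen=True)
class TimeFilterRow:
    """Wire-format values of the four evaluated spdTimeFilterEntry columns."""
    month_of_year_mask: bytes   # BITS january(0)..december(11), 2 octets
    day_of_month_mask: bytes    # OCTET STRING (SIZE(8)), 64 bits
    day_of_week_mask: bytes     # BITS sunday(0)..saturday(6), 1 octet
    time_of_day_mask: str       # SpdTimePeriod, only the time parts are used


# Row built from the DEFVALs quoted in the MIB: true at any time.
DEFAULT_ROW = TimeFilterRow(
    month_of_year_mask=bytes([0xFF, 0xF0]),
    day_of_month_mask=bytes.fromhex("fffffffffffffffe"),
    day_of_week_mask=bytes([0xFE]),
    time_of_day_mask="00000000T000000/00000000T240000",
)


def month_matches(mask: bytes, when: datetime) -> bool:
    return _bit_set(mask, when.month - 1)            # january(0) is month 1


def day_of_month_matches(mask: bytes, when: datetime) -> bool:
    """0-based: bit 0 = day 1 ... bit 30 = day 31; bit 31 = last day of the
    month, bit 32 = second-to-last, ... bit 61. Bits for days the month does
    not have are never consulted, which is the 'ignored' behaviour in the
    DESCRIPTION. Bits 62-63 are not consulted either; note that the DEFVAL
    'fffffffffffffffe'H leaves only bit 63 clear, so enforcing 'the last two
    bits MUST be zero' on stored values would reject the default."""
    if len(mask) != 8:
        raise ValueError("spdTimeFiltDayOfMonthMask MUST be 8 octets")
    days_in_month = calendar.monthrange(when.year, when.month)[1]
    forward = _bit_set(mask, when.day - 1)
    reverse = _bit_set(mask, 31 + (days_in_month - when.day))
    return forward or reverse


def day_of_week_matches(mask: bytes, when: datetime) -> bool:
    # datetime.weekday(): Monday=0..Sunday=6; MIB BITS: sunday(0)..saturday(6)
    return _bit_set(mask, (when.weekday() + 1) % 7)


def _seconds_of_day(endpoint: str) -> int:
    hhmmss = endpoint.split("T", 1)[1]                # date portion is ignored
    h, m, s = int(hhmmss[0:2]), int(hhmmss[2:4]), int(hhmmss[4:6])
    return h * 3600 + m * 60 + s                      # "240000" -> 86400


def time_of_day_matches(period: str, when: datetime) -> bool:
    start_str, end_str = period.split("/", 1)
    start, end = _seconds_of_day(start_str), _seconds_of_day(end_str)
    now = when.hour * 3600 + when.minute * 60 + when.second
    return start <= now < end


def time_filter_matches(row: TimeFilterRow, when: datetime) -> bool:
    return (month_matches(row.month_of_year_mask, when)
            and day_of_month_matches(row.day_of_month_mask, when)
            and day_of_week_matches(row.day_of_week_mask, when)
            and time_of_day_matches(row.time_of_day_mask, when))


def time_filter_examples() -> Dict[str, bool]:
    """Worked cases; first_and_last is the DESCRIPTION's own example value."""
    first_and_last = bytes.fromhex("8000000100000000")
    # Constructed row: February only, first/last day, Mon-Fri, 09:00-17:00.
    feb_edges = TimeFilterRow(bytes([0x40, 0x00]), first_and_last,
                              bytes([0x7C]), "00000000T090000/00000000T170000")
    return {
        "feb29_2024_is_last_day": day_of_month_matches(first_and_last, datetime(2024, 2, 29)),
        "feb28_2023_is_last_day": day_of_month_matches(first_and_last, datetime(2023, 2, 28)),
        "feb15_not_an_edge": day_of_month_matches(first_and_last, datetime(2024, 2, 15)),
        "default_row_any_time": time_filter_matches(DEFAULT_ROW, datetime(2024, 2, 29, 23, 59, 59)),
        "thu_feb29_noon": time_filter_matches(feb_edges, datetime(2024, 2, 29, 12, 0)),
        "thu_feb29_17h_excluded": time_filter_matches(feb_edges, datetime(2024, 2, 29, 17, 0)),
        "sat_mar02_wrong_month": time_filter_matches(feb_edges, datetime(2024, 3, 2, 12, 0)),
        "sat_weekday_only": day_of_week_matches(bytes([0x7C]), datetime(2024, 3, 2)),
    }


if __name__ == "__main__":
    for name, value in time_filter_examples().items():
        print(f"{name}: {value}")
```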
spdTimeFiltLastChanged OBJECT-TYPE spdTimeFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means. external means.
If this row has not been modified since the last If this row has not been modified since the last
skipping to change at page 37, line 23 skipping to change at page 37, line 21
If this row has not been modified since the last If this row has not been modified since the last
re-initialization of the network management subsystem, this re-initialization of the network management subsystem, this
object SHOULD have a zero value." object SHOULD have a zero value."
::= { spdTimeFilterEntry 7 } ::= { spdTimeFilterEntry 7 }
spdTimeFiltStorageType OBJECT-TYPE spdTimeFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table that
were created through an external process MAY have a storage were created through an external process MAY have a storage
type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdTimeFilterEntry 8 } ::= { spdTimeFilterEntry 8 }
spdTimeFiltRowStatus OBJECT-TYPE spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
skipping to change at page 40, line 13 skipping to change at page 40, line 11
If this row has not been modified since the last If this row has not been modified since the last
re-initialization of the network management subsystem, this re-initialization of the network management subsystem, this
object SHOULD have a zero value." object SHOULD have a zero value."
::= { spdIpsoHeaderFilterEntry 5 } ::= { spdIpsoHeaderFilterEntry 5 }
spdIpsoHeadFiltStorageType OBJECT-TYPE spdIpsoHeadFiltStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table that
were created through an external process MAY have a storage were created through an external process MAY have a storage
type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdIpsoHeaderFilterEntry 6 } ::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE spdIpsoHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
skipping to change at page 42, line 47 skipping to change at page 42, line 46
If this row has not been modified since the last If this row has not been modified since the last
re-initialization of the network management subsystem, this re-initialization of the network management subsystem, this
object SHOULD have a zero value." object SHOULD have a zero value."
::= { spdCompoundActionEntry 3 } ::= { spdCompoundActionEntry 3 }
spdCompActStorageType OBJECT-TYPE spdCompActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table that
were created through an external process MAY have a storage were created through an external process MAY have a storage
type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdCompoundActionEntry 4 } ::= { spdCompoundActionEntry 4 }
spdCompActRowStatus OBJECT-TYPE spdCompActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
skipping to change at page 44, line 20 skipping to change at page 44, line 18
spdSubActPriority OBJECT-TYPE spdSubActPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The priority of a given sub-action within a compound "The priority of a given sub-action within a compound
action. The order in which sub-actions MUST be executed action. The order in which sub-actions MUST be executed
is based on the value from this column, with the lowest is based on the value from this column, with the lowest
numeric value executing first (i.e., priority 0 before numeric value executing first (i.e., priority 0 before
priority 1, 1 before 2, etc...)." priority 1, 1 before 2, etc.)."
::= { spdSubactionsEntry 1 } ::= { spdSubactionsEntry 1 }
spdSubActSubActionName OBJECT-TYPE spdSubActSubActionName OBJECT-TYPE
SYNTAX VariablePointer SYNTAX VariablePointer
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This column points to the action to be taken. It MAY, "This column points to the action to be taken. It MAY,
but is not limited to, point to a row in one of the but is not limited to, point to a row in one of the
following tables: following tables:
skipping to change at page 44, line 48 skipping to change at page 44, line 46
spdStaticActions. spdStaticActions.
If this object is set to a pointer to a row in an If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue unsupported (or unknown) table, an inconsistentValue
error MUST be returned. error MUST be returned.
If this object is set to point to a non-existent row in If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error an otherwise supported table, an inconsistentName error
MUST be returned. MUST be returned.
If during packet processing this column has a value that If, during packet processing, this column has a value that
references a non-existent or non-supported object, the references a non-existent or non-supported object, the
packet MUST be dropped." packet MUST be dropped."
::= { spdSubactionsEntry 2 } ::= { spdSubactionsEntry 2 }
spdSubActLastChanged OBJECT-TYPE spdSubActLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime when this row was last modified "The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other or created either through SNMP SETs or by some other
external means. external means.
If this row has not been modified since the last If this row has not been modified since the last
skipping to change at page 45, line 23 skipping to change at page 45, line 22
If this row has not been modified since the last If this row has not been modified since the last
re-initialization of the network management subsystem, this re-initialization of the network management subsystem, this
object SHOULD have a zero value." object SHOULD have a zero value."
::= { spdSubactionsEntry 3 } ::= { spdSubactionsEntry 3 }
spdSubActStorageType OBJECT-TYPE spdSubActStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table which "The storage type for this row. Rows in this table that
were created through an external process MAY have a storage were created through an external process MAY have a storage
type of readOnly or permanent. type of readOnly or permanent.
For a storage type of permanent, none of the columns have For a storage type of permanent, none of the columns have
to be writable." to be writable."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { spdSubactionsEntry 4 } ::= { spdSubactionsEntry 4 }
spdSubActRowStatus OBJECT-TYPE spdSubActRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
skipping to change at page 45, line 51 skipping to change at page 45, line 50
If active, this object MUST remain active unless one of the If active, this object MUST remain active unless one of the
following two conditions is met. An attempt to set it to following two conditions is met. An attempt to set it to
anything other than active while the following conditions anything other than active while the following conditions
are not met MUST result in an inconsistentValue error. The are not met MUST result in an inconsistentValue error. The
two conditions are: two conditions are:
I. No active row in the spdCompoundActionTable exists I. No active row in the spdCompoundActionTable exists
which has a matching spdCompActName. which has a matching spdCompActName.
II. Or at least one other active row in this table has a II. Or, at least one other active row in this table has a
matching spdCompActName." matching spdCompActName."
::= { spdSubactionsEntry 5 } ::= { spdSubactionsEntry 5 }
-- --
-- Static Actions -- Static Actions
-- --
-- these are static actions which can be pointed to by the -- these are static actions that can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to -- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets. -- drop, accept, or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 } spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE spdDropAction OBJECT-TYPE
SYNTAX Integer32 (1) SYNTAX Integer32 (1)
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This scalar indicates that a packet MUST be dropped "This scalar indicates that a packet MUST be dropped
and SHOULD NOT have action/packet logging." and SHOULD NOT have action/packet logging."
skipping to change at page 47, line 51 skipping to change at page 47, line 52
The format of this object is specified by the The format of this object is specified by the
spdIPEndpointAddType object." spdIPEndpointAddType object."
::= { spdNotificationVariables 3 } ::= { spdNotificationVariables 3 }
spdIPSourceType OBJECT-TYPE spdIPSourceType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the source address type of the packet which "Contains the source address type of the packet that
triggered the notification." triggered the notification."
::= { spdNotificationVariables 4 } ::= { spdNotificationVariables 4 }
spdIPSourceAddress OBJECT-TYPE spdIPSourceAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the source address of the packet which "Contains the source address of the packet that
triggered the notification. triggered the notification.
The format of this object is specified by the The format of this object is specified by the
spdIPSourceType object." spdIPSourceType object."
::= { spdNotificationVariables 5 } ::= { spdNotificationVariables 5 }
spdIPDestinationType OBJECT-TYPE spdIPDestinationType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the destination address type of the packet "Contains the destination address type of the packet
which triggered the notification." that triggered the notification."
::= { spdNotificationVariables 6 } ::= { spdNotificationVariables 6 }
spdIPDestinationAddress OBJECT-TYPE spdIPDestinationAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Contains the destination address of the packet which "Contains the destination address of the packet that
triggered the notification. triggered the notification.
The format of this object is specified by the The format of this object is specified by the
spdIPDestinationType object." spdIPDestinationType object."
::= { spdNotificationVariables 7 } ::= { spdNotificationVariables 7 }
spdPacketDirection OBJECT-TYPE spdPacketDirection OBJECT-TYPE
SYNTAX IfDirection SYNTAX IfDirection
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Indicates if the packet which triggered the action in "Indicates if the packet that triggered the action in
question was ingress (inbound) or egress (outbound)." question was ingress (inbound) or egress (outbound)."
::= { spdNotificationVariables 8 } ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..65535)) SYNTAX OCTET STRING (SIZE (0..65535))
MAX-ACCESS accessible-for-notify MAX-ACCESS accessible-for-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"spdPacketPart is the front part of the full IP packet that "spdPacketPart is the front part of the full IP packet that
triggered this notification. The initial size limit is triggered this notification. The initial size limit is
determined by the smaller of the size indicated by determined by the smaller of the size, indicated by:
I. The value of the object with the TC syntax I. The value of the object with the TC syntax
'SpdIPPacketLogging' that indicated the packet SHOULD be 'SpdIPPacketLogging' that indicated the packet SHOULD be
logged and logged and
II. The size of the triggering packet. II. The size of the triggering packet.
The final limit is determined by the SNMP packet size when The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be sending the notification. The maximum size that can be
included will be the smaller of the initial size given above included will be the smaller of the initial size, given the
and the length that will fit in a single SNMP notification above, and the length that will fit in a single SNMP
packet after the rest of the notification's objects and any notification packet after the rest of the notification's
other necessary packet data (headers encoding, etc...) has objects and any other necessary packet data (headers encoding,
been included in the packet." etc.) have been included in the packet."
::= { spdNotificationVariables 9 } ::= { spdNotificationVariables 9 }
spdActionNotification NOTIFICATION-TYPE spdActionNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection } spdPacketDirection }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that an action was executed by a rule. "Notification that an action was executed by a rule.
Only actions with logging enabled will result in this Only actions with logging enabled will result in this
notification getting sent. The object includes the notification getting sent. The object includes the
spdActionExecuted object which will indicate which action spdActionExecuted object, which will indicate which action
was executed within the scope of the rule. Additionally was executed within the scope of the rule. Additionally,
the spdIPSourceType, spdIPSourceAddress, the spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, and spdIPDestinationAddress objects spdIPDestinationType, and spdIPDestinationAddress objects
are included to indicate the packet source and destination are included to indicate the packet source and destination
of the packet that triggered the action. Finally the of the packet that triggered the action. Finally, the
spdIPEndpointAddType, spdIPEndpointAddress, and spdIPEndpointAddType, spdIPEndpointAddress, and
spdPacketDirection objects indicate which interface the spdPacketDirection objects indicate which interface the
executed action was associated with and if the packet was executed action was associated with, and if the packet was
ingress or egress through the endpoint. ingress or egress through the endpoint.
A spdActionNotification SHOULD be limited to a maximum of A spdActionNotification SHOULD be limited to a maximum of
one notification sent per minute for any action one notification sent per minute for any action
notifications that do not have any other configuration notifications that do not have any other configuration
controlling their send rate. controlling their send rate.
Note that compound actions with multiple executed Note that compound actions with multiple executed
subactions may result in multiple notifications being sent sub-actions may result in multiple notifications being sent
from a single rule execution." from a single rule execution."
::= { spdNotifications 1 } ::= { spdNotifications 1 }
spdPacketNotification NOTIFICATION-TYPE spdPacketNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType, OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress, spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationType,
spdIPDestinationAddress, spdIPDestinationAddress,
spdPacketDirection, spdPacketDirection,
spdPacketPart } spdPacketPart }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that a packet passed through a Security "Notification that a packet passed through a Security
Association (SA). Only SAs created by actions with packet Association (SA). Only SAs created by actions with packet
logging enabled will result in this notification getting logging enabled will result in this notification getting
sent. The objects sent MUST include the spdActionExecuted sent. The objects sent MUST include the spdActionExecuted,
which will indicate which action was executed within the which will indicate which action was executed within the
scope of the rule. Additionally, the spdIPSourceType, scope of the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects MUST be included to spdIPDestinationAddress objects MUST be included to
indicate the packet source and destination of the packet indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType, that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects are spdIPEndpointAddress, and spdPacketDirection objects are
included to indicate which endpoint the packet was included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is included to associated with. Finally, spdPacketPart is included to
enable sending a variable sized part of the front of the enable sending a variable sized part of the front of the
packet with the size dependent on the value of the object of packet with the size dependent on the value of the object of
TC syntax 'SpdIPPacketLogging' which indicated that logging TC syntax 'SpdIPPacketLogging', which indicated that logging
should be done. should be done.
A spdPacketNotification SHOULD be limited to a maximum of A spdPacketNotification SHOULD be limited to a maximum of
one notification sent per minute for any action one notification sent per minute for any action
notifications that do not have any other configuration notifications that do not have any other configuration
controlling their send rate. controlling their send rate.
An action notification SHOULD be limited to a maximum of An action notification SHOULD be limited to a maximum of
one notification sent per minute for any action one notification sent per minute for any action
notifications that do not have any other configuration notifications that do not have any other configuration
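Review bot: The rate-limit text under spdPacketNotification is copied from spdActionNotification and then duplicated, on both sides of the diff. The paragraph beginning "A spdPacketNotification SHOULD be limited to a maximum of" still ends "for any action notifications that do not have any other configuration controlling their send rate" and should say "packet notifications"; the paragraph that follows it, beginning "An action notification SHOULD be limited to a maximum of", repeats the same requirement and belongs only under spdActionNotification, so it should be dropped here. One more gap worth closing in the spdPacketNotification DESCRIPTION: spdPacketPart carries the front of a logged packet, and the Security Considerations later in this diff only say that "SNMP GET data SHOULD be encrypted when sent across the network"; a sentence stating that these notifications carry packet addresses and packet contents and therefore need the same SNMPv3 privacy protection would make that explicit.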
skipping to change at page 51, line 39 skipping to change at page 51, line 40
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup , spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup } diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support a system policy group implementations that support a system policy group
name." name."
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound filters." implementations that support compound filters."
GROUP spdIPOffsetFilterGroup GROUP spdIPOffsetFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In implementations that support IP Offset filters. In
general, this SHOULD be supported by a compliant IPsec general, this SHOULD be supported by a compliant IPsec
Policy implementation." Policy implementation."
GROUP spdTimeFilterGroup GROUP spdTimeFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support time filters." implementations that support time filters."
GROUP spdIpsoHeaderFilterGroup GROUP spdIpsoHeaderFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IPSO Header filters." implementations that support IPSO Header filters."
GROUP spdCompoundActionGroup GROUP spdCompoundActionGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound actions." implementations that support compound actions."
OBJECT spdEndGroupLastChanged OBJECT spdEndGroupLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdGroupContComponentType OBJECT spdGroupContComponentType
SYNTAX INTEGER { SYNTAX INTEGER {
rule(2) rule(2)
} }
DESCRIPTION DESCRIPTION
"Support of the value group(1) is only required for "Support of the value group(1) is only required for
implementations which support Policy Groups within implementations that support Policy Groups within
Policy Groups." Policy Groups."
OBJECT spdGroupContLastChanged OBJECT spdGroupContLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
"This object not required for compliance." "This object not required for compliance."
OBJECT spdRuleDefLastChanged OBJECT spdRuleDefLastChanged
MIN-ACCESS not-accessible MIN-ACCESS not-accessible
DESCRIPTION DESCRIPTION
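Review bot: The two DESCRIPTION clauses reading "This object not required for compliance." (under spdEndGroupLastChanged and spdGroupContLastChanged) are missing the verb, and the right-hand column leaves them unchanged; the read-only compliance later in this diff uses "This object is not required for compliance.", so the same wording should be used here. Also, in the MANDATORY-GROUPS list, "spdStaticActionGroup ," has a stray space before the comma on both sides.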
skipping to change at page 54, line 14 skipping to change at page 54, line 15
-- ReadOnly Compliances -- ReadOnly Compliances
-- --
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities that include "The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and an IPsec MIB implementation with Endpoint, Rules, and
filters support. filters support.
If this MIB is implemented without support for read-create If this MIB is implemented without support for read-create
(i.e. in read-only), it is not in full compliance but it (i.e., in read-only), it is not in full compliance, but it
can claim read-only compliance. Such a device can then be can claim read-only compliance. Such a device can then be
monitored but can not be configured with this MIB." monitored, but cannot be configured with this MIB."
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup, MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup, spdGroupContentsGroup,
spdRuleDefinitionGroup, spdRuleDefinitionGroup,
spdStaticFilterGroup, spdStaticFilterGroup,
spdStaticActionGroup , spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup } diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support a system policy group implementations that support a system policy group
name." name."
GROUP spdCompoundFilterGroup GROUP spdCompoundFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound filters." implementations that support compound filters."
GROUP spdIPOffsetFilterGroup GROUP spdIPOffsetFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In implementations that support IP Offset filters. In
general, this SHOULD be supported by a compliant IPsec general, this SHOULD be supported by a compliant IPsec
Policy implementation." Policy implementation."
GROUP spdTimeFilterGroup GROUP spdTimeFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support time filters." implementations that support time filters."
GROUP spdIpsoHeaderFilterGroup GROUP spdIpsoHeaderFilterGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support IPSO Header filters." implementations that support IPSO Header filters."
GROUP spdCompoundActionGroup GROUP spdCompoundActionGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for IPsec Policy "This group is mandatory for IPsec Policy
implementations which support compound actions." implementations that support compound actions."
OBJECT spdCompActExecutionStrategy OBJECT spdCompActExecutionStrategy
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT spdCompActLastChanged OBJECT spdCompActLastChanged
DESCRIPTION DESCRIPTION
"This object is not required for compliance." "This object is not required for compliance."
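Review bot: The OBJECT spdCompActLastChanged clause in spdRuleFilterReadOnlyCompliance says "This object is not required for compliance." but carries no MIN-ACCESS clause, whereas the equivalent clauses earlier in this diff (spdEndGroupLastChanged, spdGroupContLastChanged, spdRuleDefLastChanged) pair that statement with "MIN-ACCESS not-accessible". Without a MIN-ACCESS clause the object is still required at the access level of its definition and the DESCRIPTION relaxes nothing; add "MIN-ACCESS not-accessible" to match the full compliance. The stray space in "spdStaticActionGroup ," recurs in this compliance's MANDATORY-GROUPS list, and the DESCRIPTION's "Endpoint, Rules, and filters support" mixes capitalisation of the three nouns.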
skipping to change at page 64, line 28 skipping to change at page 64, line 28
this MIB." this MIB."
::= { spdGroups 12 } ::= { spdGroups 12 }
spdActionNotificationGroup NOTIFICATION-GROUP spdActionNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { NOTIFICATIONS {
spdActionNotification, spdActionNotification,
spdPacketNotification spdPacketNotification
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This group is made up of all the Notifications for this "This group is made up of all the Notifications for this MIB."
MIB."
::= { spdGroups 13 } ::= { spdGroups 13 }
END END
7. Security Considerations 7. Security Considerations
7.1. Introduction 7.1. Introduction
This document defines a MIB module used to configure IPsec policy This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides network security services, all of its services. Since IPsec provides network security services, all of its
configuration data (e.g. this entire MIB) SHOULD be as secure or more configuration data (e.g., this entire MIB) SHOULD be as secure or
secure than any of the security services IPsec provides. There are more secure than any of the security services IPsec provides. There
two main threats you need to protect against when configuring IPsec are two main threats you need to protect against when configuring
devices. IPsec devices.
1. Malicious Configuration: This MIB configures network security 1. Malicious Configuration: This MIB configures network security
services. If an attacker has SET access to any part of this MIB, services. If an attacker has SET access to any part of this MIB,
the network security services configured by this MIB SHOULD be the network security services configured by this MIB SHOULD be
considered broken. The network data sent through the associated considered broken. The network data sent through the associated
gateway should no longer be considered as protected by IPsec gateway should no longer be considered as protected by IPsec
(i.e., it is no longer confidential or authenticated). (i.e., it is no longer confidential or authenticated).
Therefore, only the official administrators SHOULD be allowed to Therefore, only the official administrators SHOULD be allowed to
configure a device. In other words, administrators' identities configure a device. In other words, administrators' identities
SHOULD be authenticated and their access rights checked before SHOULD be authenticated and their access rights checked before
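Review bot: In threat 1 of Section 7.1, RFC 2119 language is applied to an assessment rather than to a requirement: "the network security services configured by this MIB SHOULD be considered broken" is followed in the next sentence by "should no longer be considered as protected by IPsec" in lowercase for the same kind of statement. Reserve the uppercase keyword for the operational requirements in the paragraph ("only the official administrators SHOULD be allowed to configure a device", "SHOULD be authenticated") and use plain "should be considered broken" for the assessment.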
skipping to change at page 65, line 28 skipping to change at page 65, line 44
attacks to the network or to the configured node. Since this attacks to the network or to the configured node. Since this
entire MIB is used for security configuration, it is highly entire MIB is used for security configuration, it is highly
RECOMMENDED that only authorized administrators are allowed to RECOMMENDED that only authorized administrators are allowed to
view data in this MIB. In particular, malicious users SHOULD be view data in this MIB. In particular, malicious users SHOULD be
prevented from reading SNMP packets containing this MIB's data. prevented from reading SNMP packets containing this MIB's data.
SNMP GET data SHOULD be encrypted when sent across the network. SNMP GET data SHOULD be encrypted when sent across the network.
Also, only authorized administrators SHOULD be allowed SNMP GET Also, only authorized administrators SHOULD be allowed SNMP GET
access to any of the MIB objects. access to any of the MIB objects.
SNMP versions prior to SNMPv3 do not include adequate security. Even SNMP versions prior to SNMPv3 do not include adequate security. Even
if the network itself is secure (e.g. by using IPsec), earlier if the network itself is secure (e.g., by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure versions of SNMP have virtually no control as to who on the secure
network is allowed to access (i.e. read/change/create/delete) the network is allowed to access (i.e., read/change/create/delete) the
objects in this MIB module. objects in this MIB module.
It is RECOMMENDED that implementers use the security features as It is RECOMMENDED that implementers use the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8), provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy). authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
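Review bot: In threat 2 the encryption recommendation is scoped to reads only: "SNMP GET data SHOULD be encrypted when sent across the network." SET requests carry exactly the same objects and, per Section 7.3 later in this diff, keying information that "MUST NOT be allowed to be observed by third parties", and the notifications defined in this module carry packet addresses and packet contents, so the sentence should cover all SNMP traffic for this MIB rather than GET alone. Suggested: "SNMP GET, SET, and notification data carrying this MIB's objects SHOULD be encrypted when sent across the network."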
skipping to change at page 66, line 10 skipping to change at page 66, line 25
SNMPv3. This is a real strength, because it allows administrators SNMPv3. This is a real strength, because it allows administrators
the ability to load new IPsec configuration on a device and keep the the ability to load new IPsec configuration on a device and keep the
conversation private and authenticated under the protection of SNMPv3 conversation private and authenticated under the protection of SNMPv3
before any IPsec protections are available. Once initial before any IPsec protections are available. Once initial
establishment of IPsec configuration on a device has been achieved, establishment of IPsec configuration on a device has been achieved,
it would be possible to set up IPsec SAs to then also provide it would be possible to set up IPsec SAs to then also provide
security and integrity services to the configuration conversation. security and integrity services to the configuration conversation.
This may seem redundant at first, but will be shown to have a use for This may seem redundant at first, but will be shown to have a use for
added privacy protection below. added privacy protection below.
7.2. Protecting against unauthenticated access 7.2. Protecting against Unauthenticated Access
The current SNMPv3 User Security Model provides for key based user The current SNMPv3 User Security Model provides for key-based user
authentication. Typically, keys are derived from passwords (but are authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms not required to be), and the keys are then used in Hashed Message
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP Authentication Code (HMAC) algorithms (currently, MD5 and SHA-1 HMACs
data. Each SNMP device keeps a (configured) list of users and keys. are defined) to authenticate all SNMP data. Each SNMP device keeps a
Under SNMPv3 user keys may be updated as often as an administrator (configured) list of users and keys. Under SNMPv3 user keys may be
cares to have users enter new passwords. But Perfect Forward Secrecy updated as often as an administrator cares to have users enter new
for user keys in SNMPv3 is not yet provided by standards track passwords. But Perfect Forward Secrecy for user keys in SNMPv3 is
documents, although RFC2786 defines an experimental method of doing not yet provided by standards track documents, although RFC2786
so. defines an experimental method of doing so.
7.3. Protecting against involuntary disclosure 7.3. Protecting against Involuntary Disclosure
While sending IPsec configuration data to a Policy Enforcement Point While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed (PEP), there are a few critical parameters that MUST NOT be observed
by third parties. Specifically, except for public keys, keying by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties. information MUST NOT be allowed to be observed by third parties.
This include IKE Pre-Shared Keys and possibly the private key of a This includes IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters, the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written, privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic DES encryption algorithm. Support for other (stronger) cryptographic
algorithms is in the works and as of may be done as you read this. algorithms is in the works and may be completed by the time you read
As of October 2006, there a stronger standards track algorithm: AES this. As of October 2006, there is a stronger standards track
[RFC3826]. When configure IPsec policy using this MIB, policy algorithm: AES [RFC3826]. When configuring the IPsec policy using
administrators SHOULD use a privacy security service that is at least this MIB, policy administrators SHOULD use a privacy security service
as strong as the desired IPsec policy. E.G., If an administrator that is at least as strong as the desired IPsec policy, e.g., If an
were to use this MIB to configure an IPsec connection that utilizes a administrator were to use this MIB to configure an IPsec connection
AES algorithms, the SNMP communication configuring the connection that utilizes a AES algorithms, the SNMP communication configuring
SHOULD be protected by an algorithm as strong or stronger than the the connection SHOULD be protected by an algorithm as strong or
AES algorithm. stronger than the AES algorithm.
7.4. Bootstrapping your configuration 7.4. Bootstrapping Your Configuration
Most vendors will not ship new products with a default SNMPv3 user/ Most vendors will not ship new products with a default SNMPv3 user/
password pair, but it is possible. If a device does ship with a password pair, but it is possible. If a device does ship with a
default user/password pair, policy administrators SHOULD either default user/password pair, policy administrators SHOULD either
change the password or configure a new user, deleting the default change the password or configure a new user, deleting the default
user (or at a minimum, restrict the access of the default user). user (or, at a minimum, restrict the access of the default user).
Most SNMPv3 distributions should, hopefully, require an out-of-band Most SNMPv3 distributions should, hopefully, require an out-of-band
initialization over a trusted medium, such as a local console initialization over a trusted medium, such as a local console
connection. connection.
8. IANA Considerations 8. IANA Considerations
Only two IANA considerations exist for this document. The first is Only two IANA considerations exist for this document. The first is
just the node number allocation of the IPSEC-SPD-MIB itself. just the node number allocation of the IPSEC-SPD-MIB itself within
the MIB-2 tree. This is listed in the MIB definition in Section 6.
The IPSEC-SPD-MIB also allows for extension action MIB's. Although The IPSEC-SPD-MIB also allows for extension action MIBs. Although
additional actions are not required to use it, the node spdActions is additional actions are not required to use it, the node spdActions is
allocated as a subtree under which IANA can define any additional allocated as a subtree under which IANA can assign additional
actions. IANA would be responsible for allocating any values under actions.
this node. The only restriction is that additional nodes appended to
spdACtions should be in reference to IPSEC-SPD-MIB actions. The second IANA consideration is that IANA would be responsible for
creating a new subregistry for and assigning nodes under the
spdActions subtree. This tree should have a prefix of
iso.org.dod.internet.mgmt.mib-2.spdMIB.spdActions and be listed
similar to the following:
Decimal Name Description References
------- ---- ----------- ----------
A documented specification is required in order to assign a number.
The action and it's meaning can be specified in an RFC or in another
publicly available reference. The specification should have
sufficient detail that interoperability between independent
implementations is possible. The product of the IETF or of another
standards body is acceptable or an assignment can be accepted under
the advice of a "designated expert". (contact IANA for the current
expert)
9. Acknowledgments 9. Acknowledgments
Many other people contributed thoughts and ideas that influenced this Many people contributed thoughts and ideas that influenced this MIB
MIB module. Some special thanks are in order for the following module. Some special thanks are in order to the following people:
people:
Lindy Foster (Sparta, Inc.) Lindy Foster (Sparta, Inc.)
John Gillis (ADC) John Gillis (ADC)
Roger Hartmuller (Sparta, Inc.) Roger Hartmuller (Sparta, Inc.)
Harrie Hazewinkel Harrie Hazewinkel
Jamie Jason (Intel Corporation) Jamie Jason (Intel Corporation)
David Partain (Ericsson) David Partain (Ericsson)
Lee Rafalow (IBM) Lee Rafalow (IBM)
Jon Saperia (JDS Consulting) Jon Saperia (JDS Consulting)
Eric Vyncke (Cisco Systems) Eric Vyncke (Cisco Systems)
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC1108] Kent, S., "U.S", RFC 1108, November 1991. [RFC1108] Kent, S., "U.S. Department of Defense Security
Options for the Internet Protocol", RFC 1108,
November 1991.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for
Internet Protocol", RFC 2401, November 1998. the Internet Protocol", RFC 2401, November 1998.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information Schoenwaelder, Ed., "Structure of Management
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Information Version 2 (SMIv2)", STD 58, RFC 2578,
April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2", Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999. STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580, "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999. April 1999.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces
MIB", RFC 2863, June 2000. Group MIB", RFC 2863, June 2000.
[RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, [RFC3060] Moore, B., Ellesson, E., Strassner, J., and A.
"Policy Core Information Model -- Version 1 Westerinen, "Policy Core Information Model -- Version
Specification", RFC 3060, February 2001. 1 Specification", RFC 3060, February 2001.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information [RFC3289] Baker, F., Chan, K., and A. Smith, "Management
Base for the Differentiated Services Architecture", Information Base for the Differentiated Services
RFC 3289, May 2002. Architecture", RFC 3289, May 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, Protocol (SNMP) Management Frameworks", STD 62,
December 2002. RFC 3411, December 2002.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585,
August 2003. August 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet
Addresses", RFC 4001, February 2005. Network Addresses", RFC 4001, February 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
10.2. Informative References 10.2. Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [IPsec-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and
Wang, "IPsec Security Policy IPsec Action MIB", C. Wang, "IPsec Security Policy IPsec Action MIB",
December 2002. Work in Progress, October 2006.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [IKE-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and
Wang, "IPsec Security Policy IKE Action MIB", C. Wang, "IPsec Security Policy IKE Action MIB", Work
December 2002. in Progress, October 2006.
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", More Info http://www.dmtf.org/specs/cim.html, Paper", November 2000.
November 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for
Standard Management Framework", RFC 3410, December 2002. Internet-Standard Management Framework", RFC 3410,
December 2002.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
-    Advanced Encryption Standard (AES) Cipher Algorithm in the
-    SNMP User-based Security Model", RFC 3826, June 2004.
+    Advanced Encryption Standard (AES) Cipher Algorithm
+    in the SNMP User-based Security Model", RFC 3826,
+    June 2004.

Authors' Addresses

Michael Baer
Sparta, Inc.
P.O. Box 72682
Davis, CA 95617
US
- Email: baerm@tislabs.com
+ EMail: baerm@tislabs.com

Ricky Charlet
Self
- Email: rcharlet@alumni.calpoly.edu
+ EMail: rcharlet@alumni.calpoly.edu

Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
US
Phone: +1 530 792 1913
- Email: hardaker@tislabs.com
+ EMail: hardaker@tislabs.com

Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
US
- Email: rstory@sparta.com
+ EMail: rstory@ipsp.revelstone.com

Cliff Wang
- ARO/North Carolina State University
+ ARO
4300 S. Miami Blvd
- RTP, NC 27709
+ Durham, NC 27703
US
- Email: cliffwangmail@yahoo.com
+ EMail: cliffwangmail@yahoo.com

Full Copyright Statement

- Copyright (C) The Internet Society (2006).
+ Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
skipping to change at page 71, line 45
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

- Acknowledgment
+ Acknowledgement

- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.

End of changes. 183 change blocks.
316 lines changed or deleted, 323 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/