IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: April 20, 2005                                       R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                        SmartPipes, Inc.
                                                        October 20, 2004


                   IPsec Security Policy IKE Action MIB
                    draft-ietf-ipsp-ikeaction-mib-01.txt

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 20, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document defines a SMIv2 Management Information Base (MIB)
   module for configuring IKE actions for the security policy database
   (SPD) of a device that uses the IPsec Security Policy Database
   Configuration MIB for configuring the IKE protocol actions on that
   device.  The IPSP IKE Action MIB integrates directly with the IPsec
   Security Policy Database Configuration MIB and it is meant to work
   within the framework of an action referenced by that MIB.

Baer, et al.             Expires April 20, 2005                 [Page 1]

Internet-Draft           IPSP IKE Action MIB                October 2004

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Relationship to the DMTF Policy Model
   4.  MIB Module Overview
   5.  MIB definition
   6.  Security Considerations
       6.1  Introduction
       6.2  Protecting against in-authentic access
       6.3  Protecting against involuntary disclosure
       6.4  Bootstrapping your configuration
   7.  Acknowledgments
   8.  References
       8.1  Normative References
       8.2  Informative References
       Authors' Addresses
       Intellectual Property and Copyright Statements

1.  Introduction

   This document defines a MIB module for configuration of an IKE
   action within the IPsec security policy database (SPD).  This module
   works within the framework of the IPsec Security Policy Database
   Configuration MIB (IPSP-SPD-MIB).  It can be referenced as an action
   by the IPSP-SPD-MIB and is used to configure IKE negotiations between
   network devices.

   Companion document [RFCXXXX] documents the IPsec Security Policy
   Database Configuration MIB.  Companion document [RFCYYYY] documents
   the IPsec Security Policy IPsec Action MIB for configuration of
   static IPsec SAs.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The contents of this document are also
   reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
   This MIB module is a task-specific derivation of the IKE action
   portions of the IPCP for use with SNMPv3.  This includes the
   necessary filters, negotiation, identity and IKE action information
   required to enable IKE negotiation within the IPsec Policy framework.

4.  MIB Module Overview

   The MIB module describes the necessary information to implement IKE
   actions and their associated negotiations referred to by the IPsec
   Security Policy Database Configuration MIB.  A basic understanding of
   IKE, of IPsec processing, of the IPsec Configuration Policy Model and
   of how actions fit into the overall framework of the IPSP-SPD-MIB is
   required to use this MIB properly.

5.  MIB definition

IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType,
    VariablePointer
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB
    spdActions, SpdIPPacketLogging, spdEndGroupIdentType,
    spdEndGroupAddress
        FROM IPSEC-SPD-MIB
    IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
    ipsaSharedGroup
        FROM IPSEC-IPSECACTION-MIB
    ;

--
-- module identity
--

ipiaMIB MODULE-IDENTITY
    LAST-UPDATED "200212100000Z"            -- 10 December 2002
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
                  Sparta, Inc.
                  Phone: +1 530 902 3131
                  Email: baerm@tislabs.com

                  Ricky Charlet
                  Email: rcharlet@alumni.calpoly.edu

                  Wes Hardaker
                  Sparta, Inc.
                  P.O. Box 382
                  Davis, CA  95617
                  Phone: +1 530 792 1913
                  Email: hardaker@tislabs.com

                  Robert Story
                  Revelstone Software
                  PO Box 1812
                  Tucker, GA 30085
                  Phone: +1 770 617 3722
                  Email: ipsp-mib@revelstone.com

                  Cliff Wang
                  SmartPipes Inc.
                  Suite 300, 565 Metro Place South
                  Dublin, OH 43017
                  Phone: +1 614 923 6241
                  E-Mail: cliffwang2000@yahoo.com"
    DESCRIPTION
        "The MIB module for defining IKE actions for managing IPsec
         Security Policy.

         Copyright (C) The Internet Society (2003).  This version of
         this MIB module is part of RFC XXXX, see the RFC itself for
         full legal notices."

    -- Revision History

    REVISION     "200301070000Z"            -- 7 January 2003
    DESCRIPTION  "Initial version, published as RFC xxxx."
                 -- RFC-editor assigns xxxx
    ::= { spdActions 2 }

--
-- groups of related objects
--

ipiaConfigObjects       OBJECT IDENTIFIER ::= { ipiaMIB 1 }
ipiaNotificationObjects OBJECT IDENTIFIER ::= { ipiaMIB 2 }
ipiaConformanceObjects  OBJECT IDENTIFIER ::= { ipiaMIB 3 }

--
-- Textual Conventions
--

IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "Values for encryption algorithms negotiated for the ISAKMP SA
         by IKE in Phase I.  These are values for SA Attribute type
         Encryption Algorithm (1).  Unused values <= 65000 are reserved
         to IANA.  Currently assigned values at the time of this
         writing:

             reserved(0),        -- reserved in IKE
             desCbc(1),          -- RFC 2405
             ideaCbc(2),
             blowfishCbc(3),
             rc5R16B64Cbc(4),    -- RC5 R16 B64 CBC
             tripleDesCbc(5),    -- 3DES CBC
             castCbc(6),
             aesCbc(7)

         Values 65001-65535 are for private use among mutually
         consenting parties."
    REFERENCE "RFC 2409 appendix A, IANA"
    SYNTAX Unsigned32 (0..65535)

IkeAuthMethod ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "Values for authentication methods negotiated for the ISAKMP SA
         by IKE in Phase I.  These are values for SA Attribute type
         Authentication Method (3).  Unused values <= 65000 are
         reserved to IANA.

             reserved(0),                -- reserved in IKE
             preSharedKey(1),
             dssSignatures(2),
             rsaSignatures(3),
             encryptionWithRsa(4),
             revisedEncryptionWithRsa(5),
             reservedDontUse6(6),        -- not to be used
             reservedDontUse7(7),        -- not to be used
             ecdsaSignatures(8)

         Values 65001-65535 are for private use among mutually
         consenting parties."
    REFERENCE "RFC 2409 appendix A, IANA"
    SYNTAX Unsigned32 (0..65535)

IkeHashAlgorithm ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "Values for hash algorithms negotiated for the ISAKMP SA by IKE
         in Phase I.  These are values for SA Attribute type Hash
         Algorithm (2).  Unused values <= 65000 are reserved to IANA.
         Currently assigned values at the time of this writing:

             reserved(0),        -- reserved in IKE
             md5(1),             -- RFC 1321
             sha(2),             -- FIPS 180-1
             tiger(3),
             sha256(4),
             sha384(5),
             sha512(6)

         Values 65001-65535 are for private use among mutually
         consenting parties."
    REFERENCE "RFC 2409 appendix A, IANA"
    SYNTAX Unsigned32 (0..65535)

IkeGroupDescription ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "Values for Oakley key computation groups for Diffie-Hellman
         exchange negotiated for the ISAKMP SA by IKE in Phase I.  They
         are also used in Phase II when perfect forward secrecy is in
         use.  These are values for SA Attribute type Group Description
         (4).  Unused values <= 32767 are reserved to IANA.  Currently
         assigned values at the time of this writing:

             none(0),              -- reserved in IKE, used in MIBs to
                                   -- reflect that none of the
                                   -- predefined groups are used
             modp768(1),           -- default 768-bit MODP group
             modp1024(2),          -- alternate 1024-bit MODP group
             ec2nGF155(3),         -- EC2N group on Galois Field
                                   -- GF[2^155]
             ec2nGF185(4),         -- EC2N group on Galois Field
                                   -- GF[2^185]
             ec2nGF163Random(6),   -- EC2N group on Galois Field
                                   -- GF[2^163], random seed
             ec2nGF163Koblitz(7),  -- EC2N group on Galois Field
                                   -- GF[2^163], Koblitz curve
             ec2nGF283Random(8),   -- EC2N group on Galois Field
                                   -- GF[2^283], random seed
             ec2nGF283Koblitz(9),  -- EC2N group on Galois Field
                                   -- GF[2^283], Koblitz curve
             ec2nGF409Random(10),  -- EC2N group on Galois Field
                                   -- GF[2^409], random seed
             ec2nGF409Koblitz(11), -- EC2N group on Galois Field
                                   -- GF[2^409], Koblitz curve
             ec2nGF571Random(12),  -- EC2N group on Galois Field
                                   -- GF[2^571], random seed
             ec2nGF571Koblitz(13)  -- EC2N group on Galois Field
                                   -- GF[2^571], Koblitz curve

         Values 32768-65535 are for private use among mutually
         consenting parties."
    REFERENCE "RFC 2409 appendix A, IANA"
    SYNTAX Unsigned32 (0..65535)

IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "These are the IPsec DOI values for the Protocol-Id field in an
         ISAKMP Proposal Payload, and in all Notification Payloads.
         They are also used as the Protocol-ID in the Notification
         Payload and the Delete Payload.  Currently assigned values at
         the time of this writing:

             reserved(0),        -- reserved in DOI
             protoIsakmp(1),     -- message protection required during
                                 -- Phase I of the IKE protocol
             protoIpsecAh(2),    -- IP packet authentication via
                                 -- Authentication Header
             protoIpsecEsp(3),   -- IP packet confidentiality via
                                 -- Encapsulating Security Payload
             protoIpcomp(4)      -- IP payload compression

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE "RFC 2407 section 4.4.1"
    SYNTAX Unsigned32 (0..255)

--
-- Policy group definitions
--

ipiaLocalConfigObjects OBJECT IDENTIFIER ::= { ipiaConfigObjects 1 }

--
-- Static Filters
--

ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }

ipiaIkePhase1Filter OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This static filter can be used to test if a packet is part of
         an IKE phase-1 negotiation."
    ::= { ipiaStaticFilters 1 }

ipiaIkePhase2Filter OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This static filter can be used to test if a packet is part of
         an IKE phase-2 negotiation."
    ::= { ipiaStaticFilters 2 }

--
-- credential filter table
--

ipiaCredentialFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaCredentialFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines filters which can be used to match
         credentials of IKE peers, where the credentials in question
         have been obtained from an IKE phase 1 exchange.  They may be
         X.509 certificates, Kerberos tickets, etc..."
    ::= { ipiaConfigObjects 3 }

ipiaCredentialFilterEntry OBJECT-TYPE
    SYNTAX      IpiaCredentialFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular credential filter."
    INDEX { ipiaCredFiltName }
    ::= { ipiaCredentialFilterTable 1 }

IpiaCredentialFilterEntry ::= SEQUENCE {
    ipiaCredFiltName             SnmpAdminString,
    ipiaCredFiltCredentialType   IpsaCredentialType,
    ipiaCredFiltMatchFieldName   OCTET STRING,
    ipiaCredFiltMatchFieldValue  OCTET STRING,
    ipiaCredFiltAcceptCredFrom   OCTET STRING,
    ipiaCredFiltLastChanged      TimeStamp,
    ipiaCredFiltStorageType      StorageType,
    ipiaCredFiltRowStatus        RowStatus
}

ipiaCredFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name of this filter."
    ::= { ipiaCredentialFilterEntry 1 }

ipiaCredFiltCredentialType OBJECT-TYPE
    SYNTAX      IpsaCredentialType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The credential type that is expected for this filter to
         succeed."
    DEFVAL { x509 }
    ::= { ipiaCredentialFilterEntry 2 }

ipiaCredFiltMatchFieldName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The piece of the credential to match against.  Examples:
         serialNumber, signatureAlgorithm, issuerName or subjectName.
         For credential types without fields (e.g. shared secret), this
         field should be left empty, and the entire credential will be
         matched against the ipiaCredFiltMatchFieldValue."
    ::= { ipiaCredentialFilterEntry 3 }

ipiaCredFiltMatchFieldValue OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..4096))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value that the field indicated by the
         ipiaCredFiltMatchFieldName must match against for the filter
         to be considered TRUE."
    ::= { ipiaCredentialFilterEntry 4 }

ipiaCredFiltAcceptCredFrom OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..117))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used to look up a row in the
         ipiaIpsecCredMngServiceTable for the Certificate Authority
         (CA) information.  This value is empty if there is no CA used
         for this filter."
    ::= { ipiaCredentialFilterEntry 5 }

ipiaCredFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means."
    ::= { ipiaCredentialFilterEntry 6 }

ipiaCredFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaCredentialFilterEntry 7 }

ipiaCredFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row."
    ::= { ipiaCredentialFilterEntry 8 }

--
-- Peer Identity Filter Table
--

ipiaPeerIdentityFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaPeerIdentityFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines filters which can be used to match the
         identities of IKE peers, as carried in the ID payload of an
         IKE phase 1 exchange.  (Filters on the credentials a peer
         presents, such as X.509 certificates or Kerberos tickets, are
         defined in the ipiaCredentialFilterTable.)"
    ::= { ipiaConfigObjects 4 }

ipiaPeerIdentityFilterEntry OBJECT-TYPE
    SYNTAX      IpiaPeerIdentityFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular peer identity filter."
    INDEX { ipiaPeerIdFiltName }
    ::= { ipiaPeerIdentityFilterTable 1 }

IpiaPeerIdentityFilterEntry ::= SEQUENCE {
    ipiaPeerIdFiltName           SnmpAdminString,
    ipiaPeerIdFiltIdentityType   IpsecDoiIdentType,
    ipiaPeerIdFiltIdentityValue  IpsaIdentityFilter,
    ipiaPeerIdFiltLastChanged    TimeStamp,
    ipiaPeerIdFiltStorageType    StorageType,
    ipiaPeerIdFiltRowStatus      RowStatus
}

ipiaPeerIdFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name of this filter."
    ::= { ipiaPeerIdentityFilterEntry 1 }

ipiaPeerIdFiltIdentityType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of identity field in the peer ID payload to match
         against."
    ::= { ipiaPeerIdentityFilterEntry 2 }

ipiaPeerIdFiltIdentityValue OBJECT-TYPE
    SYNTAX      IpsaIdentityFilter
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The string representation of the value that the peer ID
         payload value must match against.  Wildcard mechanisms MUST be
         supported such that:

         - a ipiaPeerIdFiltIdentityValue of '*@example.com' will match
           a userFqdn ID payload of 'JDOE@EXAMPLE.COM'

         - a ipiaPeerIdFiltIdentityValue of '*.example.com' will match
           a fqdn ID payload of 'WWW.EXAMPLE.COM'

         - a ipiaPeerIdFiltIdentityValue of:
           'cn=*,ou=engineering,o=company,c=us'
           will match a DER DN ID payload of
           'cn=John Doe,ou=engineering,o=company,c=us'

         - a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will match
           an IPv4 address ID payload of 192.0.2.10

         - a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also match
           an IPv4 address ID payload of 192.0.2.10.

         The character '*' replaces 0 or multiple instances of any
         character.  As the fqdn and userFqdn examples show, those
         comparisons are case-insensitive, and in every case the
         pattern has to account for the whole ID payload value, not
         just a prefix or substring of it."
    ::= { ipiaPeerIdentityFilterEntry 3 }

ipiaPeerIdFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means."
    ::= { ipiaPeerIdentityFilterEntry 4 }

ipiaPeerIdFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaPeerIdentityFilterEntry 5 }

ipiaPeerIdFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.  This
         object cannot be set to active unless the
         ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
         column values are defined."
    ::= { ipiaPeerIdentityFilterEntry 6 }

--
-- Static Actions
--
-- these are static actions which can be pointed to by the
-- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
-- accept or reject packets.

ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }

ipiaRejectIKEAction OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be rejected WITHOUT
         action/packet logging.  This object returns a value of 1 for
         IPsec policy implementations that support the reject static
         action."
    ::= { ipiaStaticActions 1 }

ipiaRejectIKEActionLog OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be rejected WITH
         action/packet logging.  This object returns a value of 1 for
         IPsec policy implementations that support the reject static
         action with logging."
    ::= { ipiaStaticActions 2 }

--
-- ipiaIkeActionTable
--

ipiaIkeActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIkeActionTable contains a list of the parameters used
         for an IKE phase 1 SA DOI negotiation.  See the corresponding
         table ipiaIkeActionProposalsTable for a list of proposals
         contained within a given IKE Action."
    ::= { ipiaConfigObjects 6 }

ipiaIkeActionEntry OBJECT-TYPE
    SYNTAX      IpiaIkeActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIkeActionEntry lists the IKE negotiation attributes."
    INDEX { ipiaIkeActName }
    ::= { ipiaIkeActionTable 1 }

IpiaIkeActionEntry ::= SEQUENCE {
    ipiaIkeActName                   SnmpAdminString,
    ipiaIkeActParametersName         SnmpAdminString,
    ipiaIkeActThresholdDerivedKeys   Integer32,
    ipiaIkeActExchangeMode           INTEGER,
    ipiaIkeActAgressiveModeGroupId   IkeGroupDescription,
    ipiaIkeActIdentityType           IpsecDoiIdentType,
    ipiaIkeActIdentityContext        SnmpAdminString,
    ipiaIkeActPeerName               SnmpAdminString,
    ipiaIkeActDoActionLogging        TruthValue,
    ipiaIkeActDoPacketLogging        SpdIPPacketLogging,
    ipiaIkeActVendorId               OCTET STRING,
    ipiaIkeActLastChanged            TimeStamp,
    ipiaIkeActStorageType            StorageType,
    ipiaIkeActRowStatus              RowStatus
}

ipiaIkeActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the name of this ikeAction entry."
    ::= { ipiaIkeActionEntry 1 }

ipiaIkeActParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is administratively assigned to reference a row in
         the ipiaSaNegotiationParametersTable where additional
         parameters affecting this action may be found."
    ::= { ipiaIkeActionEntry 2 }

ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
    SYNTAX      Integer32 (0..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActThresholdDerivedKeys specifies what percentage of the
         derived key limit (see the LifetimeDerivedKeys property of
         IKEProposal) can expire before IKE should attempt to
         renegotiate the IKE phase 1 security association."
    DEFVAL { 100 }
    ::= { ipiaIkeActionEntry 3 }

ipiaIkeActExchangeMode OBJECT-TYPE
    SYNTAX      INTEGER { main(1), agressive(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActExchangeMode specifies the IKE Phase 1 negotiation
         mode (main mode or aggressive mode)."
    DEFVAL { main }
    ::= { ipiaIkeActionEntry 4 }

ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Diffie-Hellman group to use for the phase 1 exchange when
         ipiaIkeActExchangeMode is agressive(2).  Aggressive mode
         cannot negotiate the group (RFC 2409), so it has to be chosen
         here in advance."
    ::= { ipiaIkeActionEntry 5 }

ipiaIkeActIdentityType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column, along with ipiaIkeActIdentityContext and endpoint
         information, is used to refer to an ipiaIkeIdentityEntry in
         the ipiaIkeIdentityTable."
    ::= { ipiaIkeActionEntry 6 }

ipiaIkeActIdentityContext OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column, along with ipiaIkeActIdentityType and endpoint
         information, is used to refer to an ipiaIkeIdentityEntry in
         the ipiaIkeIdentityTable."
    ::= { ipiaIkeActionEntry 7 }

ipiaIkeActPeerName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the IKE peer.  This
         object can be used to look up the peer id value, address,
         credentials and other values in the ipiaPeerIdentityTable."
    ::= { ipiaIkeActionEntry 8 }

ipiaIkeActDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActDoActionLogging specifies whether or not an audit
         message should be logged when this IKE SA is created."
    DEFVAL { false }
    ::= { ipiaIkeActionEntry 9 }

ipiaIkeActDoPacketLogging OBJECT-TYPE
    SYNTAX      SpdIPPacketLogging
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActDoPacketLogging specifies whether or not an audit
         message should be logged and, if there is logging, how many
         bytes of the packet to place in the notification."
    DEFVAL { -1 }
    ::= { ipiaIkeActionEntry 10 }

ipiaIkeActVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..65535))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Vendor ID Payload.  A value of NULL (the zero-length string)
         means that a Vendor ID payload will be neither generated nor
         accepted.  A non-NULL value means that a Vendor ID payload
         will be generated (when acting as an initiator) or is expected
         (when acting as a responder)."
    DEFVAL { "" }
    ::= { ipiaIkeActionEntry 11 }

ipiaIkeActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means."
    ::= { ipiaIkeActionEntry 12 }

ipiaIkeActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeActionEntry 13 }

ipiaIkeActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.  The
         value of this object has no effect on whether other objects in
         this conceptual row can be modified.  This object may not be
         set to destroy if referred to by other rows in other action
         tables."
    ::= { ipiaIkeActionEntry 14 }

--
-- IPsec action definition table
--

ipiaIpsecActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIpsecActionTable contains a list of the parameters used
         for an IKE phase 2 IPsec DOI negotiation."
    ::= { ipiaConfigObjects 7 }

ipiaIpsecActionEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIpsecActionEntry lists the IPsec negotiation
         attributes."
    INDEX { ipiaIpsecActName }
    ::= { ipiaIpsecActionTable 1 }

IpiaIpsecActionEntry ::= SEQUENCE {
    ipiaIpsecActName               SnmpAdminString,
    ipiaIpsecActParametersName     SnmpAdminString,
    ipiaIpsecActProposalsName      SnmpAdminString,
    ipiaIpsecActUsePfs             TruthValue,
    ipiaIpsecActVendorId           OCTET STRING,
    ipiaIpsecActGroupId            IkeGroupDescription,
    ipiaIpsecActPeerGatewayIdName  OCTET STRING,
    ipiaIpsecActUseIkeGroup        TruthValue,
    ipiaIpsecActGranularity        INTEGER,
    ipiaIpsecActMode               INTEGER,
    ipiaIpsecActDFHandling         INTEGER,
    ipiaIpsecActDoActionLogging    TruthValue,
    ipiaIpsecActDoPacketLogging    SpdIPPacketLogging,
    ipiaIpsecActLastChanged        TimeStamp,
    ipiaIpsecActStorageType        StorageType,
    ipiaIpsecActRowStatus          RowStatus
}

ipiaIpsecActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActName is the name of the ipsecAction entry."
    ::= { ipiaIpsecActionEntry 1 }

ipiaIpsecActParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to reference a row in the
         ipiaSaNegotiationParametersTable where additional parameters
         affecting this action may be found."
    ::= { ipiaIpsecActionEntry 2 }

ipiaIpsecActProposalsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to reference one or more rows in the
         ipiaIpsecProposalsTable where an ordered list of proposals
         affecting this action may be found."
    ::= { ipiaIpsecActionEntry 3 }

ipiaIpsecActUsePfs OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This MIB object specifies whether or not perfect forward
         secrecy should be used when refreshing keys.  A value of true
         indicates that PFS should be used."
    ::= { ipiaIpsecActionEntry 4 }

ipiaIpsecActVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The VendorID property is used to identify vendor-defined key
         exchange GroupIDs."
    ::= { ipiaIpsecActionEntry 5 }

ipiaIpsecActGroupId OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the Diffie-Hellman group to use for
         phase 2 when the object ipiaIpsecActUsePfs is true and the
         object ipiaIpsecActUseIkeGroup is false.  If the GroupID
         number is from the vendor-specific range (32768-65535), the
         VendorID qualifies the group number."
    ::= { ipiaIpsecActionEntry 6 }

ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..116))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the peer gateway.
         This object can be used to look up the peer id value, address
         and other values in the ipiaPeerIdentityTable.  This object is
         used when initiating a tunnel SA.  This object is not used for
         transport SAs.  If no value is set and ipiaIpsecActMode is
         tunnel, the peer gateway should be determined from the source
         or destination address of the packet."
::= { ipiaIpsecActionEntry 7 } ipiaIpsecActUseIkeGroup OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, this entry should be ignored." ::= { ipiaIpsecActionEntry 8 } ipiaIpsecActGranularity OBJECT-TYPE SYNTAX INTEGER { subnet(1), address(2), protocol(3), port(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies how the proposed selector for the security association will be created. The selector is created by using the FilterList information. The selector can be subnet, address, porotocol, or port." ::= { ipiaIpsecActionEntry 9 } ipiaIpsecActMode OBJECT-TYPE SYNTAX INTEGER { tunnel(1), transport(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the encapsulation of the IPsec SA to be negotiated." DEFVAL { tunnel } ::= { ipiaIpsecActionEntry 10 } ipiaIpsecActDFHandling OBJECT-TYPE SYNTAX INTEGER { copy(1), set(2), clear(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the processing of DF bit by the negotiated IPsec tunnel. 1 - DF bit is copied. 2 - DF bit is set. 3 - DF bit is cleared." DEFVAL { copy } ::= { ipiaIpsecActionEntry 11 } Baer, et al. Expires April 20, 2005 [Page 22] Internet-Draft IPSP IKE Action MIB October 2004 ipiaIpsecActDoActionLogging OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaIpsecActDoActionLogging specifies whether or not an audit message should be logged when this ipsec SA is created." DEFVAL { false } ::= { ipiaIpsecActionEntry 12 } ipiaIpsecActDoPacketLogging OBJECT-TYPE SYNTAX SpdIPPacketLogging MAX-ACCESS read-create STATUS current DESCRIPTION "ipiaIpsecActDoPacketLogging specifies whether or not an audit message should be logged and if there is logging, how many bytes of the packet to place in the notification." 
DEFVAL { -1 } ::= { ipiaIpsecActionEntry 13 } ipiaIpsecActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipiaIpsecActionEntry 14 } ipiaIpsecActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipiaIpsecActionEntry 15 } ipiaIpsecActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION Baer, et al. Expires April 20, 2005 [Page 23] Internet-Draft IPSP IKE Action MIB October 2004 "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipiaIpsecActionEntry 16 } -- -- ipiaSaNegotiationParametersTable -- -- PROPERTIES MinLifetimeSeconds -- MinLifetimeKilobytes -- RefreshThresholdSeconds -- RefreshThresholdKilobytes -- IdleDurationSeconds ipiaSaNegotiationParametersTable OBJECT-TYPE SYNTAX SEQUENCE OF IpiaSaNegotiationParametersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains reusable parameters that can be pointed to by the ipiaIkeActionTable and ipiaIpsecActionTable. These parameters are reusable since it is likely an administrator will want to make global policy changes to lifetime parameters that apply to multiple actions. This table allows multiple rows in the other actions tables to reuse global lifetime parameters in this table by repeatedly pointing to a row cointained within this table." 
    ::= { ipiaConfigObjects 8 }

ipiaSaNegotiationParametersEntry OBJECT-TYPE
    SYNTAX      IpiaSaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains the attributes of one row in the
         ipiaSaNegotiationParametersTable."
    INDEX { ipiaSaNegParamName }
    ::= { ipiaSaNegotiationParametersTable 1 }

IpiaSaNegotiationParametersEntry ::= SEQUENCE {
    ipiaSaNegParamName                  SnmpAdminString,
    ipiaSaNegParamMinLifetimeSecs       Unsigned32,
    ipiaSaNegParamMinLifetimeKB         Unsigned32,
    ipiaSaNegParamRefreshThreshSecs     Unsigned32,
    ipiaSaNegParamRefreshThresholdKB    Unsigned32,
    ipiaSaNegParamIdleDurationSecs      Unsigned32,
    ipiaSaNegParamLastChanged           TimeStamp,
    ipiaSaNegParamStorageType           StorageType,
    ipiaSaNegParamRowStatus             RowStatus
}

ipiaSaNegParamName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the administrative name of this
         SaNegotiationParametersEntry. This row can be referred to by
         this name in other policy action tables."
    ::= { ipiaSaNegotiationParametersEntry 1 }

ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
         lifetime that will be accepted from the peer."
    ::= { ipiaSaNegotiationParametersEntry 2 }

ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
         lifetime that will be accepted from the peer."
    ::= { ipiaSaNegotiationParametersEntry 3 }

ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
    SYNTAX      Unsigned32 (1..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamRefreshThreshSecs specifies what percentage of the
         seconds lifetime can expire before IKE should attempt to
         renegotiate the IPsec security association.
         A value between 1 and 100 representing a percentage. A value of
         100 indicates that the IPsec security association should not be
         renegotiated until the seconds lifetime has been completely
         reached."
    ::= { ipiaSaNegotiationParametersEntry 4 }

ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
    SYNTAX      Unsigned32 (1..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamRefreshThresholdKB specifies what percentage of
         the kilobyte lifetime can expire before IKE should attempt to
         renegotiate the IPsec security association.

         A value between 1 and 100 representing a percentage. A value of
         100 indicates that the IPsec security association should not be
         renegotiated until the kilobyte lifetime has been reached."
    ::= { ipiaSaNegotiationParametersEntry 5 }

ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamIdleDurationSecs specifies how many seconds a
         security association may remain idle (i.e., no traffic protected
         using the security association) before it is deleted. A value
         of zero indicates that idle detection should not be used for the
         security association. Any non-zero value indicates the number of
         seconds the security association may remain unused."
    ::= { ipiaSaNegotiationParametersEntry 6 }

ipiaSaNegParamLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaSaNegotiationParametersEntry 7 }

ipiaSaNegParamStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
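The following is an added worked example, not part of the draft, showing how an implementation would apply one ipiaSaNegotiationParametersTable row to a peer's proposed lifetimes: reject proposals below ipiaSaNegParamMinLifetimeSecs/KB, convert the 1..100 refresh thresholds into the point at which rekeying starts (100 meaning "only when the lifetime is completely reached"), and treat ipiaSaNegParamIdleDurationSecs of zero as "idle detection off". The Python class and field names, the peer-proposal arguments and the SaDecision result are this example's own assumptions; only the column semantics come from the MIB.

```python
"""Added example: applying an ipiaSaNegotiationParametersTable row.
Field names mirror the MIB columns; everything else is assumed."""
from dataclasses import dataclass
from typing import Optional

U32_MAX = 0xFFFFFFFF


@dataclass(frozen=True)
class SaNegParams:
    name: str                   # ipiaSaNegParamName, SIZE(1..32)
    min_lifetime_secs: int      # ipiaSaNegParamMinLifetimeSecs
    min_lifetime_kb: int        # ipiaSaNegParamMinLifetimeKB
    refresh_thresh_secs: int    # ipiaSaNegParamRefreshThreshSecs (1..100)
    refresh_thresh_kb: int      # ipiaSaNegParamRefreshThresholdKB (1..100)
    idle_duration_secs: int     # ipiaSaNegParamIdleDurationSecs (0 = off)

    def __post_init__(self):
        # Enforce the SMI constraints at row creation, as an agent would
        # refuse the SET, so a bad row never reaches negotiation.
        if not 1 <= len(self.name.encode("utf-8")) <= 32:
            raise ValueError("ipiaSaNegParamName must be 1..32 octets")
        for pct in (self.refresh_thresh_secs, self.refresh_thresh_kb):
            if not 1 <= pct <= 100:
                raise ValueError("refresh thresholds are percentages 1..100")
        for v in (self.min_lifetime_secs, self.min_lifetime_kb,
                  self.idle_duration_secs):
            if not 0 <= v <= U32_MAX:
                raise ValueError("Unsigned32 value out of range")


@dataclass(frozen=True)
class SaDecision:
    accepted: bool
    reason: str
    rekey_at_secs: Optional[int] = None      # seconds into the SA to rekey
    rekey_at_kb: Optional[int] = None        # kilobytes carried before rekey
    idle_timeout_secs: Optional[int] = None  # None when idle detection is off


def evaluate_peer_lifetimes(params: SaNegParams, peer_secs: int,
                            peer_kb: int) -> SaDecision:
    """Accept or reject the lifetimes a peer proposed and, if accepted,
    compute where IKE should start renegotiating the IPsec SA."""
    if peer_secs < params.min_lifetime_secs:
        return SaDecision(False, f"peer seconds lifetime {peer_secs} is below "
                                 f"minimum {params.min_lifetime_secs}")
    if peer_kb < params.min_lifetime_kb:
        return SaDecision(False, f"peer kilobyte lifetime {peer_kb} is below "
                                 f"minimum {params.min_lifetime_kb}")
    # Integer percentage of the negotiated lifetime. Truncation errs toward
    # rekeying slightly early, which is the safe direction for a bound;
    # a threshold of 100 yields the full lifetime, i.e. no early rekey.
    rekey_secs = max(1, peer_secs * params.refresh_thresh_secs // 100)
    rekey_kb = max(1, peer_kb * params.refresh_thresh_kb // 100)
    idle = params.idle_duration_secs or None   # zero disables idle deletion
    return SaDecision(True, "accepted", rekey_secs, rekey_kb, idle)
```

Because several action rows may point at one parameter row by name, changing that row changes rekey behaviour for every SA negotiated under those actions at once, which is the administrative convenience the table description promises and also the blast radius to keep in mind.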
    DEFVAL { nonVolatile }
    ::= { ipiaSaNegotiationParametersEntry 8 }

ipiaSaNegParamRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified.

         This object may not be set to destroy if referred to by other
         rows in other action tables."
    ::= { ipiaSaNegotiationParametersEntry 9 }

--
-- ipiaIkeActionProposalsTable   proposals contained within an ikeAction
--

ipiaIkeActionProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of all IKE proposal names found
         within a given IKE Action."
    ::= { ipiaConfigObjects 9 }

ipiaIkeActionProposalsEntry OBJECT-TYPE
    SYNTAX      IpiaIkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing one IKE proposal reference."
    INDEX { ipiaIkeActName, ipiaIkeActPropPriority }
    ::= { ipiaIkeActionProposalsTable 1 }

IpiaIkeActionProposalsEntry ::= SEQUENCE {
    ipiaIkeActPropPriority      Integer32,
    ipiaIkeActPropName          SnmpAdminString,
    ipiaIkeActPropLastChanged   TimeStamp,
    ipiaIkeActPropStorageType   StorageType,
    ipiaIkeActPropRowStatus     RowStatus
}

ipiaIkeActPropPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The numeric priority of a given contained proposal inside an IKE
         Action. This index should be used to order the proposals in an
         IKE Phase I negotiation, lowest value first."
    ::= { ipiaIkeActionProposalsEntry 1 }

ipiaIkeActPropName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The administratively assigned name that can be used to reference
         a set of values contained within the ipiaIkeProposalTable."
    ::= { ipiaIkeActionProposalsEntry 2 }

ipiaIkeActPropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaIkeActionProposalsEntry 3 }

ipiaIkeActPropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeActionProposalsEntry 4 }

ipiaIkeActPropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified."
    ::= { ipiaIkeActionProposalsEntry 5 }

--
-- IKE proposal definition table
--

ipiaIkeProposalTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IKE proposals which are used in an
         IKE negotiation."
    ::= { ipiaConfigObjects 10 }

ipiaIkeProposalEntry OBJECT-TYPE
    SYNTAX      IpiaIkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "One IKE proposal entry."
    INDEX { ipiaIkeActPropName }
    ::= { ipiaIkeProposalTable 1 }

IpiaIkeProposalEntry ::= SEQUENCE {
    ipiaIkePropLifetimeDerivedKeys      Unsigned32,
    ipiaIkePropCipherAlgorithm          IkeEncryptionAlgorithm,
    ipiaIkePropCipherKeyLength          Unsigned32,
    ipiaIkePropCipherKeyRounds          Unsigned32,
    ipiaIkePropHashAlgorithm            IkeHashAlgorithm,
    ipiaIkePropPrfAlgorithm             INTEGER,
    ipiaIkePropVendorId                 OCTET STRING,
    ipiaIkePropDhGroup                  IkeGroupDescription,
    ipiaIkePropAuthenticationMethod     IkeAuthMethod,
    ipiaIkePropMaxLifetimeSecs          Unsigned32,
    ipiaIkePropMaxLifetimeKB            Unsigned32,
    ipiaIkePropLastChanged              TimeStamp,
    ipiaIkePropStorageType              StorageType,
    ipiaIkePropRowStatus                RowStatus
}

ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropLifetimeDerivedKeys specifies the number of times that
         a phase 1 key will be used to derive a phase 2 key before the
         phase 1 security association needs to be renegotiated."
    ::= { ipiaIkeProposalEntry 1 }

ipiaIkePropCipherAlgorithm OBJECT-TYPE
    SYNTAX      IkeEncryptionAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropCipherAlgorithm specifies the proposed phase 1
         security association encryption algorithm."
    ::= { ipiaIkeProposalEntry 2 }

ipiaIkePropCipherKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies, in bits, the key length for the cipher
         algorithm used in IKE Phase 1 negotiation."
    ::= { ipiaIkeProposalEntry 3 }

ipiaIkePropCipherKeyRounds OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the number of key rounds for the cipher
         algorithm used in IKE Phase 1 negotiation."
    ::= { ipiaIkeProposalEntry 4 }

ipiaIkePropHashAlgorithm OBJECT-TYPE
    SYNTAX      IkeHashAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropHashAlgorithm specifies the proposed phase 1 security
         association hash algorithm."
    ::= { ipiaIkeProposalEntry 5 }

ipiaIkePropPrfAlgorithm OBJECT-TYPE
    SYNTAX      INTEGER { reserved(0) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropPrfAlgorithm specifies the proposed phase 1 security
         association pseudo-random function.

         Note: currently no PRF algorithms are defined."
    ::= { ipiaIkeProposalEntry 6 }

ipiaIkePropVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The VendorID property is used to identify vendor-defined key
         exchange GroupIDs."
    ::= { ipiaIkeProposalEntry 7 }

ipiaIkePropDhGroup OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the proposed phase 1 security association
         Diffie-Hellman group."
    ::= { ipiaIkeProposalEntry 8 }

ipiaIkePropAuthenticationMethod OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the proposed authentication method for the
         phase 1 security association."
    ::= { ipiaIkeProposalEntry 9 }

ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropMaxLifetimeSecs specifies the maximum amount of time
         to propose a security association remain valid. A value of 0
         indicates that the default lifetime of 8 hours should be used."
    ::= { ipiaIkeProposalEntry 10 }

ipiaIkePropMaxLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropMaxLifetimeKB specifies the maximum kilobyte lifetime
         to propose a security association remain valid."
    ::= { ipiaIkeProposalEntry 11 }

ipiaIkePropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaIkeProposalEntry 12 }

ipiaIkePropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeProposalEntry 13 }

ipiaIkePropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified."
    ::= { ipiaIkeProposalEntry 14 }

--
-- ipiaIpsecProposalsTable
--

ipiaIpsecProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists one or more IPsec proposals for IPsec actions."
    ::= { ipiaConfigObjects 11 }

ipiaIpsecProposalsEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry containing (possibly a portion of) a proposal."
    INDEX { ipiaIpsecPropName, ipiaIpsecPropPriority,
            ipiaIpsecPropProtocolId }
    ::= { ipiaIpsecProposalsTable 1 }

IpiaIpsecProposalsEntry ::= SEQUENCE {
    ipiaIpsecPropName               SnmpAdminString,
    ipiaIpsecPropPriority           Integer32,
    ipiaIpsecPropProtocolId         IpsecDoiSecProtocolId,
    ipiaIpsecPropTransformsName     SnmpAdminString,
    ipiaIpsecPropLastChanged        TimeStamp,
    ipiaIpsecPropStorageType        StorageType,
    ipiaIpsecPropRowStatus          RowStatus
}

ipiaIpsecPropName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name of this proposal."
    ::= { ipiaIpsecProposalsEntry 1 }

ipiaIpsecPropPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority level (AKA sequence level) of this proposal. A
         lower number indicates a higher precedence."
    ::= { ipiaIpsecProposalsEntry 2 }

ipiaIpsecPropProtocolId OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The protocol Id for the transforms for this proposal. The
         protoIsakmp(1) value is not valid for this object.

         This object, along with the ipiaIpsecPropTransformsName, is the
         index into the ipiaIpsecTransformsTable."
    ::= { ipiaIpsecProposalsEntry 3 }

ipiaIpsecPropTransformsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name of the transform or group of transforms for this
         protocol.

         This object, along with the ipiaIpsecPropProtocolId, is the
         index into the ipiaIpsecTransformsTable."
    ::= { ipiaIpsecProposalsEntry 4 }

ipiaIpsecPropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaIpsecProposalsEntry 5 }

ipiaIpsecPropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecProposalsEntry 6 }

ipiaIpsecPropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified.

         This row may not be set to active until the corresponding
         row in the ipiaIpsecTransformsTable exists and is active."
    ::= { ipiaIpsecProposalsEntry 7 }

--
-- ipiaIpsecTransformsTable
--

ipiaIpsecTransformsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecTransformsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists the IPsec proposals contained within a given
         IPsec action and the transforms within each of those proposals.
         These proposals and transforms can then be used to create
         phase 2 negotiation proposals."
    ::= { ipiaConfigObjects 12 }

ipiaIpsecTransformsEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecTransformsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry containing the information on an IPsec transform."
    INDEX { ipiaIpsecTranType, ipiaIpsecTranName, ipiaIpsecTranPriority }
    ::= { ipiaIpsecTransformsTable 1 }

IpiaIpsecTransformsEntry ::= SEQUENCE {
    ipiaIpsecTranType           IpsecDoiSecProtocolId,
    ipiaIpsecTranName           SnmpAdminString,
    ipiaIpsecTranPriority       Integer32,
    ipiaIpsecTranTransformName  SnmpAdminString,
    ipiaIpsecTranLastChanged    TimeStamp,
    ipiaIpsecTranStorageType    StorageType,
    ipiaIpsecTranRowStatus      RowStatus
}

ipiaIpsecTranType OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The protocol type for this transform. The protoIsakmp(1) value
         is not valid for this object."
    ::= { ipiaIpsecTransformsEntry 1 }

ipiaIpsecTranName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name for this transform or group of transforms."
    ::= { ipiaIpsecTransformsEntry 2 }

ipiaIpsecTranPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority level (AKA sequence level) of this transform within
         the group of transforms.
         This indicates the preference for which algorithms are requested
         when the list of transforms is sent to the remote host. A lower
         number indicates a higher precedence."
    ::= { ipiaIpsecTransformsEntry 3 }

ipiaIpsecTranTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name for the given transform. Depending on the value of
         ipiaIpsecTranType, this value should be used to look up the
         transform's specific parameters in the ipiaAhTransformTable, the
         ipiaEspTransformTable or the ipiaIpcompTransformTable."
    ::= { ipiaIpsecTransformsEntry 4 }

ipiaIpsecTranLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaIpsecTransformsEntry 5 }

ipiaIpsecTranStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecTransformsEntry 6 }

ipiaIpsecTranRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified.

         This row may not be set to active until the corresponding row
         in the ipiaAhTransformTable, ipiaEspTransformTable or the
         ipiaIpcompTransformTable exists."
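The chain ipiaIpsecProposalsTable -> ipiaIpsecTransformsTable -> per-protocol transform table is held together only by names and the RowStatus preconditions quoted above, so an agent has to check those references itself. The following is an added example, not code from the draft, that models the two tables as dicts keyed by their INDEX tuples, refuses to activate a row whose target does not exist or is not active (and rejects protoIsakmp(1), which both tables exclude), and expands one proposal name into the priority-ordered structure IKE would offer in phase 2. The numeric IpsecDoiSecProtocolId values used are the IPsec DOI protocol identifiers from RFC 2407; the AH/ESP/IPcomp tables are represented as simple name-keyed dicts standing in for ipiaAhTransformTable, ipiaEspTransformTable and ipiaIpcompTransformTable, whose columns are defined elsewhere in the draft. The sample rows are constructed for this example.

```python
"""Added example: reference checks and phase 2 expansion across the IPsec
proposal and transform tables. Table layouts and sample rows are assumed."""
from collections import defaultdict

# IpsecDoiSecProtocolId values (IPsec DOI protocol identifiers, RFC 2407).
PROTO_ISAKMP, PROTO_AH, PROTO_ESP, PROTO_IPCOMP = 1, 2, 3, 4
ACTIVE = 1          # RowStatus active(1)


def proposal_row_problems(prop_name, priority, protocol_id, transforms_name,
                          transforms_table):
    """Reasons an agent would refuse to set ipiaIpsecPropRowStatus active.
    An empty list means the row is ready. transforms_table maps
    (ipiaIpsecTranType, ipiaIpsecTranName, ipiaIpsecTranPriority) to
    (ipiaIpsecTranTransformName, RowStatus)."""
    where = f"{prop_name}/{priority}/{protocol_id}"
    if protocol_id == PROTO_ISAKMP:
        return [f"{where}: protoIsakmp(1) is not valid for ipiaIpsecPropProtocolId"]
    statuses = [status for (ttype, tname, _tprio), (_xform, status)
                in transforms_table.items()
                if ttype == protocol_id and tname == transforms_name]
    if not statuses:
        return [f"{where}: no ipiaIpsecTransformsTable row for "
                f"({protocol_id}, {transforms_name!r})"]
    if ACTIVE not in statuses:
        return [f"{where}: transforms group {transforms_name!r} has no active row"]
    return []


def transform_row_problems(tran_type, transform_name,
                           ah_table, esp_table, ipcomp_table):
    """ipiaIpsecTranRowStatus may not become active until transform_name
    exists in the table selected by ipiaIpsecTranType."""
    per_type = {PROTO_AH: ah_table, PROTO_ESP: esp_table, PROTO_IPCOMP: ipcomp_table}
    if tran_type not in per_type:
        return [f"ipiaIpsecTranType {tran_type} is not AH, ESP or IPcomp"]
    if transform_name not in per_type[tran_type]:
        return [f"transform {transform_name!r} not found for protocol {tran_type}"]
    return []


def build_phase2_proposal(prop_name, proposals_table, transforms_table):
    """Expand an IPsec proposal name into what IKE would offer:
    [(priority, {protocol_id: [transform names, most preferred first]}), ...]
    Lower priority numbers come first in both tables. proposals_table maps
    (ipiaIpsecPropName, ipiaIpsecPropPriority, ipiaIpsecPropProtocolId) to
    (ipiaIpsecPropTransformsName, RowStatus)."""
    levels = defaultdict(dict)
    for (name, prio, proto), (group, status) in proposals_table.items():
        if name != prop_name or status != ACTIVE:
            continue
        problems = proposal_row_problems(name, prio, proto, group, transforms_table)
        if problems:
            raise ValueError("; ".join(problems))
        # Only active transform rows are offered, ordered by their priority.
        ranked = sorted((tprio, xform) for (ttype, tname, tprio), (xform, st)
                        in transforms_table.items()
                        if ttype == proto and tname == group and st == ACTIVE)
        levels[prio][proto] = [xform for _tprio, xform in ranked]
    return [(prio, levels[prio]) for prio in sorted(levels)]


# Constructed sample rows for this example (not from the draft).
SAMPLE_TRANSFORMS = {
    (PROTO_ESP, "esp-strong", 0): ("esp-aes256-sha2", ACTIVE),
    (PROTO_ESP, "esp-strong", 1): ("esp-aes128-sha1", ACTIVE),
    (PROTO_ESP, "esp-strong", 2): ("esp-3des-md5", 2),    # notInService: not offered
    (PROTO_AH,  "ah-basic",   0): ("ah-sha1", ACTIVE),
}
SAMPLE_PROPOSALS = {
    ("site-a", 0, PROTO_AH):  ("ah-basic",   ACTIVE),    # priority 0: AH+ESP bundle
    ("site-a", 0, PROTO_ESP): ("esp-strong", ACTIVE),
    ("site-a", 1, PROTO_ESP): ("esp-strong", ACTIVE),    # priority 1: ESP only
}
```

Because ipiaIpsecProposalsTable is indexed by name, priority and protocol, several rows with the same name and priority form one multi-protocol bundle (AH plus ESP at priority 0 above), while a different priority under the same name is an alternative offered only if the peer rejects the earlier one.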
    ::= { ipiaIpsecTransformsEntry 7 }

--
-- IKE identity definition table
--

ipiaIkeIdentityTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeIdentityEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "IKEIdentity is used to represent the identities that may be used
         for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
         to identify itself in IKE phase 1 negotiations. The column
         ikeIdentityName in an ipiaIkeActionEntry together with the
         spdEndGroupIdentType and the spdEndGroupAddress in the
         PolicyEndpointToGroupTable specifies the unique identity to use
         in a negotiation exchange."
    ::= { ipiaConfigObjects 13 }

ipiaIkeIdentityEntry OBJECT-TYPE
    SYNTAX      IpiaIkeIdentityEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ikeIdentity lists the attributes of an IKE identity."
    INDEX { spdEndGroupIdentType, spdEndGroupAddress,
            ipiaIkeActIdentityType, ipiaIkeActIdentityContext }
    ::= { ipiaIkeIdentityTable 1 }

IpiaIkeIdentityEntry ::= SEQUENCE {
    ipiaIkeIdCredentialName     SnmpAdminString,
    ipiaIkeIdLastChanged        TimeStamp,
    ipiaIkeIdStorageType        StorageType,
    ipiaIkeIdRowStatus          RowStatus
}

ipiaIkeIdCredentialName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used as an index into the ipiaCredentialTable to
         look up the actual credential value and other credential
         information. For IDs without associated credential information,
         this value is left blank. For IDs that are address types, this
         value may be left blank and the associated IPProtocolEndpoint or
         appropriate member of the Collection of endpoints is used."
    ::= { ipiaIkeIdentityEntry 1 }

ipiaIkeIdLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaIkeIdentityEntry 2 }

ipiaIkeIdStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeIdentityEntry 3 }

ipiaIkeIdRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified.

         If active, this object must remain active if it is referenced by
         a row in another table."
    ::= { ipiaIkeIdentityEntry 4 }

--
-- autostart IKE Table

ipiaAutostartIkeTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaAutostartIkeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The parameters in the autostart IKE Table are used to
         automatically initiate IKE phases I and II (i.e. IPsec)
         negotiations on startup. It also will initiate IKE phase I and
         II negotiations for a row at the time of that row's creation."
    ::= { ipiaConfigObjects 14 }

ipiaAutostartIkeEntry OBJECT-TYPE
    SYNTAX      IpiaAutostartIkeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "autostart IKE provides the set of parameters to automatically
         start IKE and IPsec SAs."
    INDEX { ipiaAutoIkePriority }
    ::= { ipiaAutostartIkeTable 1 }

IpiaAutostartIkeEntry ::= SEQUENCE {
    ipiaAutoIkePriority         Integer32,
    ipiaAutoIkeAction           VariablePointer,
    ipiaAutoIkeAddressType      InetAddressType,
    ipiaAutoIkeSourceAddress    InetAddress,
    ipiaAutoIkeSourcePort       InetPortNumber,
    ipiaAutoIkeDestAddress      InetAddress,
    ipiaAutoIkeDestPort         InetPortNumber,
    ipiaAutoIkeProtocol         Unsigned32,
    ipiaAutoIkeLastChanged      TimeStamp,
    ipiaAutoIkeStorageType      StorageType,
    ipiaAutoIkeRowStatus        RowStatus
}

ipiaAutoIkePriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ipiaAutoIkePriority is an index into the autostartIkeAction
         table and can be used to order the autostart IKE actions."
    ::= { ipiaAutostartIkeEntry 1 }

ipiaAutoIkeAction OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This pointer is used to point to the action or compound action
         that should be initiated by this row."
    ::= { ipiaAutostartIkeEntry 2 }

ipiaAutoIkeAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeAddressType specifies the format of the
         autoIke source and destination Address values. Values of
         unknown, ipv4z, ipv6z and dns are not legal values for this
         object."
    ::= { ipiaAutostartIkeEntry 3 }

ipiaAutoIkeSourceAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeSourceAddress specifies the source IP
         address for autostarting IKE SAs, formatted according to the
         appropriate convention as defined in the ipiaAutoIkeAddressType
         property."
    ::= { ipiaAutostartIkeEntry 4 }

ipiaAutoIkeSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeSourcePort specifies the port number for
         the source port for autostarting IKE SAs. The value of 0 for
         this object is illegal."
    ::= { ipiaAutostartIkeEntry 5 }

ipiaAutoIkeDestAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeDestAddress specifies the destination IP
         address for autostarting IKE SAs, formatted according to the
         appropriate convention as defined in the ipiaAutoIkeAddressType
         property."
    ::= { ipiaAutostartIkeEntry 6 }

ipiaAutoIkeDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeDestPort specifies the port number for
         the destination port for autostarting IKE SAs. The value of 0
         for this object is illegal."
    ::= { ipiaAutostartIkeEntry 7 }

ipiaAutoIkeProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property Protocol specifies the protocol number used in
         comparing with policy filter entries and used in any phase 2
         negotiations."
    ::= { ipiaAutostartIkeEntry 8 }

ipiaAutoIkeLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaAutostartIkeEntry 9 }

ipiaAutoIkeStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaAutostartIkeEntry 10 }

ipiaAutoIkeRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified."
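An autostart row is acted on as soon as it is created, so the constraints spread across the DESCRIPTIONs above (address type limited to ipv4 or ipv6, InetAddress octets sized for that type, neither port 0, protocol 0..255, a non-empty action pointer) are worth checking before the row goes active rather than discovering them when IKE fails to start. The following is an added example, not the draft's code, that gathers those checks into one function and decodes a valid row into the selector the negotiation would use. The InetAddressType numeric values are those of INET-ADDRESS-MIB (unknown(0), ipv4(1), ipv6(2), ipv4z(3), ipv6z(4), dns(16)); the dict key names and the string used in place of the VariablePointer OID are this example's own.

```python
"""Added example: validating an ipiaAutostartIkeTable row before activation.
Row key names and the sample row are assumptions of this example."""
import ipaddress

# InetAddressType values from INET-ADDRESS-MIB.
INET_UNKNOWN, INET_IPV4, INET_IPV6, INET_IPV4Z, INET_IPV6Z, INET_DNS = 0, 1, 2, 3, 4, 16
# Only ipv4 and ipv6 are legal for ipiaAutoIkeAddressType; value -> octet length.
AUTOSTART_ADDRESS_LEN = {INET_IPV4: 4, INET_IPV6: 16}


def autostart_row_problems(row):
    """Return the reasons a row must not become active (empty = acceptable).
    'row' holds the index plus the read-create columns of one entry."""
    problems = []
    atype = row["addr_type"]
    if atype not in AUTOSTART_ADDRESS_LEN:
        problems.append(f"ipiaAutoIkeAddressType {atype}: unknown, ipv4z, "
                        "ipv6z and dns are not legal here")
    else:
        for col in ("src", "dst"):
            if len(row[col]) != AUTOSTART_ADDRESS_LEN[atype]:
                problems.append(f"{col}: InetAddress must be "
                                f"{AUTOSTART_ADDRESS_LEN[atype]} octets for type {atype}")
    for col in ("src_port", "dst_port"):
        # InetPortNumber allows 0..65535, but this table forbids 0.
        if not 1 <= row[col] <= 65535:
            problems.append(f"{col}: value 0 is illegal for autostart rows")
    if not 0 <= row["protocol"] <= 255:
        problems.append("ipiaAutoIkeProtocol must be 0..255")
    if not 0 <= row["priority"] <= 65535:
        problems.append("ipiaAutoIkePriority must be 0..65535")
    if not row.get("action"):
        problems.append("ipiaAutoIkeAction must point at an action row")
    return problems


def autostart_selector(row):
    """Decode an acceptable row into the traffic selector the autostart
    negotiation would use; raise ValueError if the row fails validation."""
    problems = autostart_row_problems(row)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "src": ipaddress.ip_address(row["src"]),   # packed octets -> address
        "dst": ipaddress.ip_address(row["dst"]),
        "src_port": row["src_port"], "dst_port": row["dst_port"],
        "protocol": row["protocol"], "action": row["action"],
    }


# Constructed sample row (not from the draft). 'action' stands in for the
# VariablePointer OID that would name the IKE action row to run.
SAMPLE_AUTOSTART = {
    "priority": 10, "addr_type": INET_IPV4,
    "src": bytes([192, 0, 2, 1]), "dst": bytes([198, 51, 100, 7]),
    "src_port": 500, "dst_port": 500, "protocol": 17,
    "action": "ipiaIkeActionEntry row 'site-a' (stand-in for an OID)",
}
```

Rejecting dns(16) matters more than it looks: a name that resolves differently at each boot would make the autostart selector non-deterministic, which is presumably why the draft excludes it along with the zone-indexed forms.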
    ::= { ipiaAutostartIkeEntry 11 }

--
-- CA Table
--

ipiaIpsecCredMngServiceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecCredMngServiceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of Credential Management Service values. This table is
         usually used for credential/certificate values that are used
         with a management service (e.g. Certificate Authorities)."
    ::= { ipiaConfigObjects 15 }

ipiaIpsecCredMngServiceEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecCredMngServiceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaIpsecCredMngServiceTable."
    INDEX { ipiaIcmsName }
    ::= { ipiaIpsecCredMngServiceTable 1 }

IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
    ipiaIcmsName                SnmpAdminString,
    ipiaIcmsDistinguishedName   OCTET STRING,
    ipiaIcmsPolicyStatement     OCTET STRING,
    ipiaIcmsMaxChainLength      Integer32,
    ipiaIcmsCredentialName      SnmpAdminString,
    ipiaIcmsLastChanged         TimeStamp,
    ipiaIcmsStorageType         StorageType,
    ipiaIcmsRowStatus           RowStatus
}

ipiaIcmsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned string used to index this
         table."
    ::= { ipiaIpsecCredMngServiceEntry 1 }

ipiaIcmsDistinguishedName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value represents the Distinguished Name of the Credential
         Management Service."
    ::= { ipiaIpsecCredMngServiceEntry 2 }

ipiaIcmsPolicyStatement OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..1024))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value represents the Credential Management Service Policy
         Statement, or a reference describing how to obtain it (e.g., a
         URL). If one doesn't exist, this value can be left blank."
    ::= { ipiaIpsecCredMngServiceEntry 3 }

ipiaIcmsMaxChainLength OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the maximum length of the chain allowable from the
         Credential Management Service to the credential in question."
    DEFVAL { 0 }
    ::= { ipiaIpsecCredMngServiceEntry 4 }

ipiaIcmsCredentialName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used as an index into the ipiaCredentialTable to
         look up the actual credential value."
    ::= { ipiaIpsecCredMngServiceEntry 5 }

ipiaIcmsLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaIpsecCredMngServiceEntry 6 }

ipiaIcmsStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecCredMngServiceEntry 7 }

ipiaIcmsRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified.

         If active, this object must remain active if it is referenced by
         a row in another table."
    ::= { ipiaIpsecCredMngServiceEntry 8 }

--
-- CRL Table
--

ipiaCredMngCRLTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaCredMngCRLEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of the Credential Revocation Lists (CRL) for credential
         management services."
    ::= { ipiaConfigObjects 16 }

ipiaCredMngCRLEntry OBJECT-TYPE
    SYNTAX      IpiaCredMngCRLEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaCredMngCRLTable."
    INDEX { ipiaIcmsName, ipiaCmcCRLName }
    ::= { ipiaCredMngCRLTable 1 }

IpiaCredMngCRLEntry ::= SEQUENCE {
    ipiaCmcCRLName              SnmpAdminString,
    ipiaCmcDistributionPoint    OCTET STRING,
    ipiaCmcThisUpdate           OCTET STRING,
    ipiaCmcNextUpdate           OCTET STRING,
    ipiaCmcLastChanged          TimeStamp,
    ipiaCmcStorageType          StorageType,
    ipiaCmcRowStatus            RowStatus
}

ipiaCmcCRLName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned string used to index this
         table. It represents a CRL for a given CA from a given
         distribution point."
    ::= { ipiaCredMngCRLEntry 1 }

ipiaCmcDistributionPoint OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value represents a Distribution Point for a Credential
         Revocation List. It can be relative to the Credential Management
         Service or a full name (URL, e-mail, etc.)."
    ::= { ipiaCredMngCRLEntry 2 }

ipiaCmcThisUpdate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the issue date of this CRL. This should be in
         UTCTime or GeneralizedTime."
    ::= { ipiaCredMngCRLEntry 3 }

ipiaCmcNextUpdate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value indicates the date the next version of this CRL will
         be issued. This should be in UTCTime or GeneralizedTime."
    ::= { ipiaCredMngCRLEntry 4 }

ipiaCmcLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipiaCredMngCRLEntry 5 }

ipiaCmcStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.
         Rows in this table which were created through an external
         process may have a storage type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaCredMngCRLEntry 6 }

ipiaCmcRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other objects
         in this conceptual row can be modified.

         If active, this object must remain active if it is referenced by
         a row in another table."
    ::= { ipiaCredMngCRLEntry 7 }

--
-- Revoked Certificate Table
--

ipiaRevokedCertificateTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaRevokedCertificateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of Credentials revoked by credential management
         services. That is, this table is a table of Certificates that
         are on CRLs, Credential Revocation Lists."
    ::= { ipiaConfigObjects 17 }

ipiaRevokedCertificateEntry OBJECT-TYPE
    SYNTAX      IpiaRevokedCertificateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaRevokedCertificateTable."
    INDEX { ipiaCmcCRLName, ipiaRctCertSerialNumber }
    ::= { ipiaRevokedCertificateTable 1 }

IpiaRevokedCertificateEntry ::= SEQUENCE {
    ipiaRctCertSerialNumber     Unsigned32,
    ipiaRctRevokedDate          OCTET STRING,
    ipiaRctRevokedReason        INTEGER,
    ipiaRctLastChanged          TimeStamp,
    ipiaRctStorageType          StorageType,
    ipiaRctRowStatus            RowStatus
}

ipiaRctCertSerialNumber OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This value is the serial number of the revoked certificate."
    ::= { ipiaRevokedCertificateEntry 1 }

ipiaRctRevokedDate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the revocation date of the certificate.
This should be in utctime or generaltime." ::= { ipiaRevokedCertificateEntry 2 } ipiaRctRevokedReason OBJECT-TYPE SYNTAX INTEGER { reserved(0), unspecified(1), keyCompromise(2), cACompromise(3), affiliationChanged(4), superseded(5), cessationOfOperation(6), certificateHold(7), removeFromCRL(8) } MAX-ACCESS read-create STATUS current DESCRIPTION "This value is the reason this certificate was revoked." DEFVAL { unspecified } ::= { ipiaRevokedCertificateEntry 3 } ipiaRctLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipiaRevokedCertificateEntry 4 } ipiaRctStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipiaRevokedCertificateEntry 5 } Baer, et al. Expires April 20, 2005 [Page 48] Internet-Draft IPSP IKE Action MIB October 2004 ipiaRctRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." 
        ::= { ipiaRevokedCertificateEntry 6 }

    --
    --
    -- Notification objects information
    --
    --

    ipiaNotificationVariables OBJECT IDENTIFIER
        ::= { ipiaNotificationObjects 1 }

    ipiaNotifications OBJECT IDENTIFIER
        ::= { ipiaNotificationObjects 0 }

    --
    --
    -- Conformance information
    --
    --

    ipiaCompliances OBJECT IDENTIFIER
        ::= { ipiaConformanceObjects 1 }

    ipiaGroups OBJECT IDENTIFIER
        ::= { ipiaConformanceObjects 2 }

    --
    -- Compliance statements
    --
    --

    ipiaIKECompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for SNMP entities that include an
            IPsec MIB implementation and support IKE actions."
        MODULE -- This Module
            MANDATORY-GROUPS {
                ipiaIpsecGroup,
                ipiaIkeGroup,
                ipiaStaticActionGroup,
                ipsaSharedGroup
            }

            OBJECT ipiaIkeActRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIkeActLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaIkeActPropRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIkeActPropLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaIkePropRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIkePropLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaIpsecActRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIpsecActLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaIpsecPropRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIpsecPropLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaIpsecTranRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIpsecTranLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaSaNegParamRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaSaNegParamLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaIkeIdRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaIkeIdLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaAutoIkeAddressType
            SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            DESCRIPTION
                "Only the ipv4 and ipv6 values make sense for this
                object."

            OBJECT ipiaAutoIkeRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaAutoIkeLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is optional so as not to impose an undue
                burden on resource-constrained devices."

            OBJECT ipiaCmcDistributionPoint
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaCmcThisUpdate
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaCmcNextUpdate
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaCmcLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is not required for compliance."

            OBJECT ipiaCmcStorageType
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaCmcRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            MIN-ACCESS read-only
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required. Only read-only access
                is required for compliance."

            OBJECT ipiaRctRevokedDate
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaRctRevokedReason
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaRctLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is not required for compliance."

            OBJECT ipiaRctStorageType
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaRctRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            MIN-ACCESS read-only
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required. Only read-only access
                is required for compliance."

            OBJECT ipiaIcmsDistinguishedName
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaIcmsPolicyStatement
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaIcmsMaxChainLength
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaIcmsCredentialName
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaIcmsLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is not required for compliance."

            OBJECT ipiaIcmsStorageType
            MIN-ACCESS read-only
            DESCRIPTION
                "Only read-only access is required for compliance."

            OBJECT ipiaIcmsRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            MIN-ACCESS read-only
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required. Only read-only access
                is required for compliance."

        ::= { ipiaCompliances 1 }

    ipiaRuleFilterCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for SNMP entities that include an
            IKEACTION MIB implementation with IKE filters support."
        MODULE -- This Module
            MANDATORY-GROUPS { ipiaStaticFilterGroup }

            GROUP ipiaPeerIdFilterGroup
            DESCRIPTION
                "This group is mandatory for IPsec Policy implementations
                which support Peer Identity filters."

            OBJECT ipiaPeerIdFiltRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."
            OBJECT ipiaPeerIdFiltLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is not required for compliance."

            GROUP ipiaCredentialFilterGroup
            DESCRIPTION
                "This group is mandatory for IPsec Policy implementations
                which support IKE Credential filters."

            OBJECT ipiaCredFiltRowStatus
            SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) }
            DESCRIPTION
                "Support of the values notInService(2), notReady(3), and
                createAndWait(5) is not required."

            OBJECT ipiaCredFiltLastChanged
            MIN-ACCESS not-accessible
            DESCRIPTION
                "This object is not required for compliance."

        ::= { ipiaCompliances 2 }

    --
    --
    -- Compliance Groups Definitions
    --
    --

    --
    -- Compliance Groups
    --

    ipiaStaticFilterGroup OBJECT-GROUP
        OBJECTS {
            ipiaIkePhase1Filter,
            ipiaIkePhase2Filter
        }
        STATUS      current
        DESCRIPTION
            "The static filter group. Currently this is just a true
            filter."
        ::= { ipiaGroups 1 }

    ipiaCredentialFilterGroup OBJECT-GROUP
        OBJECTS {
            ipiaCredFiltCredentialType,
            ipiaCredFiltMatchFieldName,
            ipiaCredFiltMatchFieldValue,
            ipiaCredFiltAcceptCredFrom,
            ipiaCredFiltLastChanged,
            ipiaCredFiltStorageType,
            ipiaCredFiltRowStatus,
            ipiaCmcDistributionPoint,
            ipiaCmcThisUpdate,
            ipiaCmcNextUpdate,
            ipiaCmcLastChanged,
            ipiaCmcStorageType,
            ipiaCmcRowStatus,
            ipiaRctRevokedDate,
            ipiaRctRevokedReason,
            ipiaRctLastChanged,
            ipiaRctStorageType,
            ipiaRctRowStatus,
            ipiaIcmsDistinguishedName,
            ipiaIcmsPolicyStatement,
            ipiaIcmsMaxChainLength,
            ipiaIcmsCredentialName,
            ipiaIcmsLastChanged,
            ipiaIcmsStorageType,
            ipiaIcmsRowStatus
        }
        STATUS      current
        DESCRIPTION
            "The IPsec Policy Credential Filter Table Group."
        ::= { ipiaGroups 2 }

    ipiaPeerIdFilterGroup OBJECT-GROUP
        OBJECTS {
            ipiaPeerIdFiltIdentityType,
            ipiaPeerIdFiltIdentityValue,
            ipiaPeerIdFiltLastChanged,
            ipiaPeerIdFiltStorageType,
            ipiaPeerIdFiltRowStatus
        }
        STATUS      current
        DESCRIPTION
            "The IPsec Policy Peer Identity Filter Table Group."
        ::= { ipiaGroups 3 }

    --
    -- action compliance groups
    --

    ipiaStaticActionGroup OBJECT-GROUP
        OBJECTS {
            ipiaRejectIKEAction,
            ipiaRejectIKEActionLog
        }
        STATUS      current
        DESCRIPTION
            "The IPsec Policy Static Actions Group."
        ::= { ipiaGroups 4 }

    ipiaIkeGroup OBJECT-GROUP
        OBJECTS {
            ipiaIkeActParametersName,
            ipiaIkeActThresholdDerivedKeys,
            ipiaIkeActExchangeMode,
            ipiaIkeActAgressiveModeGroupId,
            ipiaIkeActIdentityType,
            ipiaIkeActIdentityContext,
            ipiaIkeActPeerName,
            ipiaIkeActVendorId,
            ipiaIkeActPropName,
            ipiaIkeActDoActionLogging,
            ipiaIkeActDoPacketLogging,
            ipiaIkeActLastChanged,
            ipiaIkeActStorageType,
            ipiaIkeActRowStatus,
            ipiaIkeActPropLastChanged,
            ipiaIkeActPropStorageType,
            ipiaIkeActPropRowStatus,
            ipiaIkePropLifetimeDerivedKeys,
            ipiaIkePropCipherAlgorithm,
            ipiaIkePropCipherKeyLength,
            ipiaIkePropCipherKeyRounds,
            ipiaIkePropHashAlgorithm,
            ipiaIkePropPrfAlgorithm,
            ipiaIkePropVendorId,
            ipiaIkePropDhGroup,
            ipiaIkePropAuthenticationMethod,
            ipiaIkePropMaxLifetimeSecs,
            ipiaIkePropMaxLifetimeKB,
            ipiaIkePropLastChanged,
            ipiaIkePropStorageType,
            ipiaIkePropRowStatus,
            ipiaSaNegParamMinLifetimeSecs,
            ipiaSaNegParamMinLifetimeKB,
            ipiaSaNegParamRefreshThreshSecs,
            ipiaSaNegParamRefreshThresholdKB,
            ipiaSaNegParamIdleDurationSecs,
            ipiaSaNegParamLastChanged,
            ipiaSaNegParamStorageType,
            ipiaSaNegParamRowStatus,
            ipiaIkeIdCredentialName,
            ipiaIkeIdLastChanged,
            ipiaIkeIdStorageType,
            ipiaIkeIdRowStatus,
            ipiaAutoIkeAction,
            ipiaAutoIkeAddressType,
            ipiaAutoIkeSourceAddress,
            ipiaAutoIkeSourcePort,
            ipiaAutoIkeDestAddress,
            ipiaAutoIkeDestPort,
            ipiaAutoIkeProtocol,
            ipiaAutoIkeLastChanged,
            ipiaAutoIkeStorageType,
            ipiaAutoIkeRowStatus,
            ipiaCmcDistributionPoint,
            ipiaCmcThisUpdate,
            ipiaCmcNextUpdate,
            ipiaCmcLastChanged,
            ipiaCmcStorageType,
            ipiaCmcRowStatus,
            ipiaRctRevokedDate,
            ipiaRctRevokedReason,
            ipiaRctLastChanged,
            ipiaRctStorageType,
            ipiaRctRowStatus,
            ipiaIcmsDistinguishedName,
            ipiaIcmsPolicyStatement,
            ipiaIcmsMaxChainLength,
            ipiaIcmsCredentialName,
            ipiaIcmsLastChanged,
            ipiaIcmsStorageType,
            ipiaIcmsRowStatus
        }
        STATUS      current
        DESCRIPTION
            "This group is the set of objects that support IKE actions.
            These objects are from the IPsec Policy IKE Action Table,
            the IKE Action Proposals Table, the IKE Proposal Table, the
            autostart IKE Table, the IKE Identity Table, the Peer
            Identity Table, the Credential Management Service Table, and
            the shared Negotiation Parameters Table (from the
            IPSEC-IPSECACTION-MIB)."
        ::= { ipiaGroups 5 }

    ipiaIpsecGroup OBJECT-GROUP
        OBJECTS {
            ipiaIpsecActParametersName,
            ipiaIpsecActProposalsName,
            ipiaIpsecActUsePfs,
            ipiaIpsecActVendorId,
            ipiaIpsecActGroupId,
            ipiaIpsecActPeerGatewayIdName,
            ipiaIpsecActUseIkeGroup,
            ipiaIpsecActGranularity,
            ipiaIpsecActMode,
            ipiaIpsecActDFHandling,
            ipiaIpsecActDoActionLogging,
            ipiaIpsecActDoPacketLogging,
            ipiaIpsecActLastChanged,
            ipiaIpsecActStorageType,
            ipiaIpsecActRowStatus,
            ipiaIpsecPropTransformsName,
            ipiaIpsecPropLastChanged,
            ipiaIpsecPropStorageType,
            ipiaIpsecPropRowStatus,
            ipiaIpsecTranTransformName,
            ipiaIpsecTranLastChanged,
            ipiaIpsecTranStorageType,
            ipiaIpsecTranRowStatus,
            ipiaSaNegParamMinLifetimeSecs,
            ipiaSaNegParamMinLifetimeKB,
            ipiaSaNegParamRefreshThreshSecs,
            ipiaSaNegParamRefreshThresholdKB,
            ipiaSaNegParamIdleDurationSecs,
            ipiaSaNegParamLastChanged,
            ipiaSaNegParamStorageType,
            ipiaSaNegParamRowStatus
        }
        STATUS      current
        DESCRIPTION
            "This group is the set of objects that support IPsec actions.
            These objects are from the IPsec Policy IPsec Actions Table,
            the IPsec Proposal Table, and the IPsec Transform Table.
            This group also includes objects from the shared tables:
            Peer Identity Table, Credential Table, Negotiation
            Parameters Table, Credential Management Service Table, and
            the AH, ESP, and IPComp Transform Table."
        ::= { ipiaGroups 6 }

END

6. Security Considerations

6.1 Introduction

This document defines a MIB module used to configure IPsec policy services. Since IKE negotiates keys for IPsec and IPsec provides security services, it is important that the IKE configuration data be at least as well protected as the security service IPsec provides.

There are two threats you need to thwart when configuring IPsec devices.

1. To make sure that only the official administrators are allowed to configure a device, only authenticated administrators should be allowed to do device configuration. Support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.

2. Unfriendly parties should not be able to read configuration data while the data is in network transit. Any knowledge about a device's IKE policy configuration could help an unfriendly party compromise that device and/or a network it protects. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP.

SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you SHOULD use SNMP version 3. The rest of this discussion assumes the use of SNMPv3. This is a real strength, because it allows administrators to load new IPsec configuration on a device and keep the conversation private and authenticated under the protection of SNMPv3 before any IPsec protections are available. Once initial establishment of IPsec configuration on a device has been achieved, it would be possible to set up IPsec SAs to then also provide security and integrity services to the configuration conversation. This may seem redundant at first, but will be shown to have a use for added privacy protection below.

6.2 Protecting against in-authentic access

The current SNMPv3 User Security Model provides for key based user authentication.
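The key-based authentication referred to above, as an added example that is not part of the draft: RFC 3414's password-to-key algorithm, localization of that key to one engine's snmpEngineID, and the HMAC-96 tag USM writes into msgAuthenticationParameters, for the MD5 and SHA-1 HMACs the draft names. The password and ENGINE_A are the RFC 3414 Appendix A.3 test-vector inputs; ENGINE_B, the message bytes and the field offset are constructed.

```python
import hashlib
import hmac

# RFC 3414 A.2: the password is repeated until 1048576 bytes have been fed
# to the digest; the digest output is the user key Ku.
PASSWORD_TO_KEY_BYTES = 1048576
AUTH_PARAMS_LEN = 12  # HMAC-96: msgAuthenticationParameters is 12 bytes


def password_to_key(password: bytes, digest: str = "md5") -> bytes:
    """Derive the non-localized user key Ku from a password (RFC 3414 A.2)."""
    reps, rem = divmod(PASSWORD_TO_KEY_BYTES, len(password))
    return hashlib.new(digest, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, digest: str = "md5") -> bytes:
    """Localize Ku to one authoritative engine: Kul = H(Ku || engineID || Ku).
    A Kul recovered from one device is useless against a different engine."""
    return hashlib.new(digest, ku + engine_id + ku).digest()


def hmac96(kul: bytes, message: bytes, digest: str = "md5") -> bytes:
    """USM authentication tag: the HMAC truncated to its first 12 bytes."""
    return hmac.new(kul, message, digest).digest()[:AUTH_PARAMS_LEN]


def sign_message(kul: bytes, message: bytes, offset: int, digest: str = "md5") -> bytes:
    """Sender side: the tag is computed over the whole message with the
    msgAuthenticationParameters field (at `offset`) holding 12 zero bytes,
    then written into that field."""
    if message[offset:offset + AUTH_PARAMS_LEN] != bytes(AUTH_PARAMS_LEN):
        raise ValueError("authentication parameters field must be zeroed")
    tag = hmac96(kul, message, digest)
    return message[:offset] + tag + message[offset + AUTH_PARAMS_LEN:]


def check_message(kul: bytes, message: bytes, offset: int, digest: str = "md5") -> bool:
    """Receiver side: zero the field, recompute the tag, compare in constant time."""
    received = message[offset:offset + AUTH_PARAMS_LEN]
    zeroed = message[:offset] + bytes(AUTH_PARAMS_LEN) + message[offset + AUTH_PARAMS_LEN:]
    return hmac.compare_digest(hmac96(kul, zeroed, digest), received)


# Constructed sample values. PASSWORD and ENGINE_A are the RFC 3414 Appendix
# A.3 test-vector inputs; ENGINE_B and the message bytes are made up and the
# "header" is a stand-in, not a real BER-encoded SNMPv3 header.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("80000002030a0b0c0d0e0f10")
HEADER = b"\x30\x2a\x02\x01\x03"
PDU = b"constructed-SET-PDU-for-ipiaIkeActTable"
AUTH_OFFSET = len(HEADER)
UNSIGNED_MSG = HEADER + bytes(AUTH_PARAMS_LEN) + PDU


def demo(digest: str = "md5") -> dict:
    """Derive keys for two engines and exercise sign/verify; returns results."""
    ku = password_to_key(PASSWORD, digest)
    kul_a = localize_key(ku, ENGINE_A, digest)
    kul_b = localize_key(ku, ENGINE_B, digest)
    signed = sign_message(kul_a, UNSIGNED_MSG, AUTH_OFFSET, digest)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one PDU bit
    return {
        "ku": ku.hex(),
        "kul_a": kul_a.hex(),
        "keys_differ_per_engine": kul_a != kul_b,
        "valid": check_message(kul_a, signed, AUTH_OFFSET, digest),
        "tampered_rejected": not check_message(kul_a, tampered, AUTH_OFFSET, digest),
        "wrong_engine_rejected": not check_message(kul_b, signed, AUTH_OFFSET, digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```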
Typically, keys are derived from passwords (but are not required to be), and the keys are then used in HMAC algorithms (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP data. Each SNMP device keeps a (configured) list of users and keys. Under SNMPv3, user keys may be updated as often as an administrator cares to have users enter new passwords. But Perfect Forward Secrecy for user keys is not yet provided by standards track documents, although RFC2786 defines an experimental method of doing so.

6.3 Protecting against involuntary disclosure

While sending IKE configuration data to a PEP, there are a few critical parameters which MUST NOT be observed by third parties. These include IKE Pre-Shared Keys and possibly the private key of a public/private key pair for use in a PKI. Were either of those parameters to be known to a third party, they could then impersonate your device to other IKE peers.

Aside from those critical parameters, policy administrators have an interest in not divulging any of their policy configuration. Any knowledge about a device's configuration could help an unfriendly party compromise that device. SNMPv3 offers privacy security services, but at the time this document was written, the only standardized encryption algorithm supported by SNMPv3 is the DES encryption algorithm. Support for other (stronger) cryptographic algorithms was in the works and may be done as you read this. Policy administrators SHOULD use a privacy security service to configure their IPsec policy which is at least as strong as the desired IPsec policy. E.g., it is unwise to configure IPsec parameters implementing 3DES algorithms while only protecting that conversation with single DES.

6.4 Bootstrapping your configuration

Hopefully vendors will not ship new products with a default SNMPv3 user/password pair, but it is possible. Most SNMPv3 distributions should hopefully require an out-of-band initialization over a trusted medium, such as a local console connection.

7. Acknowledgments

Many other people contributed thoughts and ideas that influenced this MIB module. Some special thanks are in order to the following people:

   Lindy Foster (Sparta, Inc.)
   John Gillis (ADC)
   Jamie Jason (Intel Corporation)
   Roger Hartmuller (Sparta, Inc.)
   David Partain (Ericsson)
   Lee Rafalow (IBM)
   Jon Saperia (JDS Consulting)
   John Shriver (Internap Network Services Corporation)
   Eric Vyncke (Cisco Systems)

8. References

8.1 Normative References

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C. Wang, "IPsec Security Policy Database Configuration MIB", January 2004.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C. Wang, "IPsec Security Policy IPsec Action MIB", January 2004.

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.

   [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, December 2002.

   [RFC3413]  Levi, D., Meyer, P. and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3585]  Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration Policy Information Model", RFC 3585, August 2003.

8.2 Informative References

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper", November 2000.

Authors' Addresses

   Michael Baer
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD 21046
   US

   EMail: baerm@tislabs.com

   Ricky Charlet
   Self

   EMail: rcharlet@alumni.calpoly.edu

   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA 95617
   US

   Phone: +1 530 792 1913
   EMail: hardaker@tislabs.com

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA 30085
   US

   EMail: ipsp-mib@revelstone.com

   Cliff Wang
   SmartPipes, Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   US

   EMail: cliffwang2000@yahoo.com

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Disclaimer of Validity

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the Internet Society.