ipsp working group                                            Man Li
Internet Draft                                                 Nokia
Expires May 2004                                       David Arneson
                                                                 N/A
                                                          Avri Doria
                                                                 LTU
                                                         Jamie Jason
                                                               Intel
                                                          Cliff Wang
                                                           SmartPipe
                                                     Markus Stenberg
                                                                 SSH
                                                       November 2003

                    IPsec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-09.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Copyright (C) The Internet Society (2003). All Rights Reserved.
   Distribution of this memo is unlimited.

Abstract

   This document describes a portion of the Policy Information Base
   (PIB) for a device implementing the IP Security Architecture. The
   provisioning classes defined here provide control of IPsec policy.
   These provisioning classes can be used with other non-IPsec
   provisioning classes (defined in other PIB modules) to provide for
   a comprehensive policy controlled mapping of service requirement to
   device capability and usage.

Li, et al                 Expires May 2004                         1
IPsec Policy Information Base                          November 2003

Table of Contents

   1. Introduction
   2. Operation Overview
   3. Structure of IPsec PIB
      3.1 IPsec association group
          3.1.1 IPsec rules
          3.1.2 IPsec actions
          3.1.3 IPsec associations
          3.1.4 IPsec proposals
      3.2 AH transform group
      3.3 ESP transform group
      3.4 COMP transform group
      3.5 IKE association group
      3.6 Credential group
      3.7 Selector group
      3.8 Policy time period group
      3.9 Interface capability group
   4. Summary of the IPsec PIB
      4.1 ipSecAssociation group
          4.1.1 ipSecRuleTable
          4.1.2 ipSecActionSetTable
          4.1.3 ipSecStaticActionTable
          4.1.4 ipSecNegotiationActionTable
          4.1.5 ipSecAssociationTable
          4.1.6 ipSecProposalSetTable
          4.1.7 ipSecProposalTable
      4.2 ipSecAhTransform group
          4.2.1 ipSecAhTransformSetTable
          4.2.2 ipSecAhTransformTable
      4.3 ipSecEspTransform group
          4.3.1 ipSecEspTransformSetTable
          4.3.2 ipSecEspTransformTable
      4.4 ipSecCompTransform group
          4.4.1 ipSecCompTransformSetTable
          4.4.2 ipSecCompTransformTable
      4.5 ipSecIkeAssociation group
          4.5.1 ipSecIkeRuleTable
          4.5.2 ipSecIkeActionSetTable
          4.5.3 ipSecIkeAssociationTable
          4.5.4 ipSecIkeProposalSetTable
          4.5.5 ipSecIkeProposalTable
          4.5.6 ipSecIkePeerEndpointTable
      4.6 ipSecCredential group
          4.6.1 ipSecCredentialSetTable
          4.6.2 ipSecCredentialTable
          4.6.3 ipSecCredentialFieldsTable
      4.7 ipSecSelector group
          4.7.1 ipSecSelectorSetTable
          4.7.2 ipSecSelectorTable
          4.7.3 ipSecAddressTable
          4.7.4 ipSecL4PortTable
          4.7.5 ipSecIpsoFilterSetTable
          4.7.6 ipSecIpsoFilterTable
      4.8 ipSecPolicyTimePeriod group
          4.8.1 ipSecRuleTimePeriodTable
          4.8.2 ipSecRuleTimePeriodSetTable
      4.9 ipSecIfCapability group
          4.9.1 ipSecIfCapsTable
      4.10 ipSecPolicyPibConformance group
   5. The IPsec PIB Module
   6. Security Considerations
   7. RFC Editor Considerations
   8. IANA Considerations
   9. Normative References
   10. Informative References
   11. Authors' Addresses
   12. Full Copyright Statement

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC-2119 [2].

1. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for IKE phase one and phase two negotiations. Details of
   these parameters can be found in [3], [7], [8], [10], [11], [12]
   and [14]. The PIB defined in this document is based on the IPsec
   configuration policy model [12]. The concept of "Roles" described
   in [9], which scales to large networks, is adopted for distributing
   IPsec policy over the COPS-PR protocol [6].

2. Operation Overview

   As defined in [13], the management entity that downloads policy to
   IPsec-enabled devices will be called a Policy Decision Point (PDP)
   and the target IPsec-enabled devices will be called Policy
   Enforcement Points (PEP). After connecting to a PDP using COPS-PR
   [6], which is an extension of COPS [5], a PEP reports to the PDP
   the PIB Provisioning Classes (PRCs) it supports as well as any
   limitations related to the implementations of these classes and
   parameters. The PEP provides the above information using the
   frwkPrcSupportTable and the frwkCompLimitsTable defined in the
   framework PIB [9]. In addition, the PEP also reports the interface
   type capabilities and role combinations it supports using the
   frwkCapabilitySetTable and the frwkRoleComboTable. Each row of the
   frwkCapabilitySetTable contains a capability set name and a
   reference to an instance of a PRC that describes the capabilities
   of the interface type. The capability instances may reside in the
   ipSecIfCapsTable or in a table defined in another PIB. Each row of
   the frwkRoleComboTable contains an interface capability set name
   and a role combination.

   Based on the interface capabilities and role combinations, the PDP
   provides the PEP with IPsec policy information. Later on, if any of
   the interface capabilities or role combinations of the PEP change,
   the PEP notifies the PDP. The PDP will then send a new set of IPsec
   policy information to the PEP.
   In addition, if the policy associated with a given interface
   capability and role combination changes, the PDP will deliver the
   new IPsec policy to all the PEPs that have registered with that
   interface capability and role combination.

3. Structure of IPsec PIB

   An IPsec policy consists of an ordered list of IPsec rules. Each
   rule is composed of a set of conditions and a set of actions. If a
   packet matches any of the conditions, the actions will be applied
   accordingly.

   The IPsec PIB module consists of nine groups. The selector group
   describes conditions to be associated with IPsec rules. The IPsec
   association group, AH transform group, ESP transform group, COMP
   transform group, IKE association group and the credential group
   together describe actions to be associated with IPsec rules. The
   policy time period group specifies time periods during which a rule
   is valid. The interface capability group is used by a PEP to report
   the capabilities associated with its interface types. Each of the
   nine groups is discussed in the following sections.

3.1 IPsec association group

   This group specifies IPsec Security Associations.

3.1.1 IPsec rules

   The ipSecRuleTable is the starting point for specifying an IPsec
   policy. It contains an ordered list of IPsec rules. Each rule is
   associated with IfName, Roles and Direction attributes to indicate
   the interface type and role combinations as well as the direction
   of the interface to which this rule is to be applied. Each rule
   points to a set of selectors and, optionally, a set of IPSO filters
   to indicate the conditions associated with this rule. In addition,
   each rule has a pointer to a set of actions to indicate the actions
   associated with this rule. Hence if a packet matches a selector in
   the selector set and, if the reference to the IPSO filter set is
   not zero, it matches a filter in the IPSO filter set, the action(s)
   associated with this rule will be applied to the packet.
   When a rule involves multiple actions, the ExecutionStrategy
   attribute indicates how these actions are executed. A value of
   "DoAll" means that all the actions MUST be applied to the packet
   according to a predefined order. A value of "DoUntilSuccess" means
   that the actions MUST be tried in sequence until a single action
   executes successfully. For example, in a nested Security
   Associations case the actions of an initiator's rule might be
   structured as:

      ExecutionStrategy='Do All'
      |
      +---1--- IPsecTunnelAction     // set up SA from host to gateway
      |
      +---2--- IPsecTransportAction  // set up SA from host through
                                     // tunnel to remote host

   Another example, showing a rule with fallback actions, might be
   structured as:

      ExecutionStrategy='Do Until Success'
      |
      +---1--- IPsecTunnelAction     // set up SA from host to gateway [A]
      |
      +---2--- IPsecTunnelAction     // set up SA from host to gateway [B]

   As an optional feature, IPsec associations may be established
   without being prompted by IP packets. The AutoStart attribute
   indicates if the IPsec association(s) of this rule should be set up
   automatically. Support of this attribute is optional.

3.1.2 IPsec actions

   IPsec actions may be of two types: Static Action and Negotiation
   Action.

   Static Actions do not require any negotiations. They include
   bypass, discard, IKE rejection, pre-configured transport and
   pre-configured tunnel actions. The ipSecStaticActionTable specifies
   IPsec Static Actions. For a pre-configured transport or
   pre-configured tunnel action, it further points to a valid instance
   in another table that describes a transform to be used, for
   example, the ipSecEspTransformTable. In addition, the SPI used for
   the transform is also defined in the table.

   Negotiation Actions require negotiations in order to establish
   Security Associations. They include transport and tunnel actions.
   The ipSecNegotiationActionTable specifies IPsec Negotiation Actions.
   It points to a valid instance in the ipSecAssociationTable that
   further defines the IPsec association to be established. For key
   exchange policy, the KeyExchangeId points to a valid instance in
   another table that describes key exchange procedures. If a single
   IKE phase one negotiation is used for the key exchange, this
   attribute MUST point to an instance in the ipSecIkeAssociationTable.
   If multiple IKE phase one negotiations (e.g., with different modes)
   are to be tried until success, this attribute SHOULD point to the
   ipSecIkeRuleTable. For other key exchange methods, this attribute
   MAY point to an instance of a PRC defined in some other PIB module.

   The ipSecActionSetTable specifies sets of actions. Actions within a
   set form an ordered list. If an action within a set is a Static
   Action, the ActionId MUST point to a valid instance in the
   ipSecStaticActionTable. If the action is a Negotiation Action, the
   ActionId MUST point to a valid instance in the
   ipSecNegotiationActionTable. For other actions, the ActionId MAY
   point to an instance of a PRC defined in some other PIB module.

3.1.3 IPsec associations

   The ipSecAssociationTable specifies attributes associated with
   IPsec associations. For each association, it points to a set of
   proposals in the ipSecProposalSetTable that is associated with this
   association.

   The MinLifetimeSeconds and MinLifetimeKilobytes in the
   ipSecAssociationTable indicate the lifetime to propose for the
   IPsec association to be negotiated. They are different from the
   time periods indicated by the ipSecRuleIpSecRuleTimePeriodGroupId
   attribute in the ipSecRuleTable. Those time periods specify when
   the given IPsec rule is valid.

3.1.4 IPsec proposals

   The ipSecProposalSetTable specifies sets of proposals. Proposals
   within a set are ordered with a preference value.

   The ipSecProposalTable specifies proposals. It points to sets of
   ESP transforms, AH transforms and COMP transforms.
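   The way a responder would evaluate such a proposal set, shown as an
   added example that is not part of this draft: a proposal set is a
   list of proposals in preference order, each proposal maps a
   transform type (AH, ESP, COMP) to its transform set in preference
   order, transform sets of different types are ANDed, and the
   transforms inside one set are ORed. The responder capability
   dictionaries, the transform names and the helper functions
   choose_transforms and select_proposal are constructed for the
   example.

```python
"""Responder-side proposal selection (added example, not from the draft).

A proposal set is an ordered list of proposals (ipSecProposalSetTable);
each proposal maps a transform type to its transform set in preference
order (ipSecProposalTable -> AH/ESP/COMP transform sets). Types are ANDed,
transforms inside one set are ORed. Transform names and responder
capabilities below are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

# A transform is a tuple of algorithm names: (integrity, encryption) for ESP,
# a single name for AH or COMP.
Transform = Tuple[str, ...]
# transform type -> transform set, index 0 is the initiator's preference.
Proposal = Dict[str, List[Transform]]


def choose_transforms(proposal: Proposal,
                      supported: Dict[str, set]) -> Optional[Dict[str, Transform]]:
    """Pick one transform per type of the proposal, or None if impossible.

    Every transform set in the proposal must yield a transform (AND);
    within a set the first transform, in the initiator's order, that the
    responder supports is taken (OR with preference).
    """
    chosen: Dict[str, Transform] = {}
    for ttype, transform_set in proposal.items():
        for transform in transform_set:            # preference order
            if transform in supported.get(ttype, set()):
                chosen[ttype] = transform
                break
        else:
            return None                              # this type cannot be satisfied
    return chosen


def select_proposal(proposal_set: List[Proposal],
                    supported: Dict[str, set]
                    ) -> Optional[Tuple[int, Dict[str, Transform]]]:
    """Return (proposal index, chosen transforms) for the first proposal in
    preference order that the responder can satisfy, else None."""
    for index, proposal in enumerate(proposal_set):
        chosen = choose_transforms(proposal, supported)
        if chosen is not None:
            return index, chosen
    return None


# Constructed proposal set: proposal 0 is the draft's own ESP-and-AH example,
# proposal 1 an ESP-only fallback.
PROPOSAL_SET: List[Proposal] = [
    {
        "ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
        "AH": [("MD5",), ("SHA-1",)],
    },
    {
        "ESP": [("HMAC-MD5", "3DES"), ("HMAC-MD5", "DES")],
    },
]

# Constructed responder capabilities.
RESPONDER_FULL = {
    "ESP": {("HMAC-MD5", "DES")},        # no 3DES: the second ESP transform is taken
    "AH": {("MD5",), ("SHA-1",)},
}
RESPONDER_NO_AH = {
    "ESP": {("HMAC-MD5", "3DES")},       # proposal 0 fails its AH half, proposal 1 wins
}


if __name__ == "__main__":
    print(select_proposal(PROPOSAL_SET, RESPONDER_FULL))
    print(select_proposal(PROPOSAL_SET, RESPONDER_NO_AH))
    print(select_proposal(PROPOSAL_SET, {"AH": {("MD5",)}}))
```

   The fallback proposal is what makes the AND semantics visible: a
   responder without AH cannot satisfy proposal 0 at all, however many
   ESP transforms it shares with the initiator, and only the ESP-only
   proposal 1 is accepted.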
   Within a proposal, sets of transforms of different types are
   logically ANDed. Transforms of the same type within a transform set
   are to be logically ORed. For example, if the proposal were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND
   one from the AH transform list (preferably MD5).

3.2 AH transform group

   The AH transform group describes sets of AH transforms.

3.3 ESP transform group

   The ESP transform group describes sets of ESP transforms.

3.4 COMP transform group

   The COMP transform group describes sets of COMP transforms.

3.5 IKE association group

   This group specifies rules associated with IKE phase one
   negotiation.

   The ipSecIkeRuleTable and the ipSecIkeActionSetTable are optional
   tables. Support of these tables is required only when a policy
   contains:

   - Multiple IKE phase one actions (e.g., with different exchange
     modes) that are associated with one IPsec association. These
     actions are to be tried in sequence until one succeeds.

   - IKE phase one actions that start automatically.

   For the latter case, IKE rules may be distributed independently and
   the IfName and Roles attributes in the ipSecIkeRuleTable indicate
   the interface type and role combinations to which this rule is to
   be applied. The ipSecIkeActionSetTable specifies sets of actions.
   Actions within a set form an ordered list.

   The ipSecIkeAssociationTable contains parameters associated with
   IKE associations including the IKE identities to be used during IKE
   phase one negotiation. It points to a set of credentials specified
   in the ipSecCredentialTable. Any of the credentials in this set may
   be used during IKE phase one negotiation. In addition, each IKE
   association points to a set of IKE proposals to be associated with
   this association.
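   How a PEP would use the rule, selector and action-set structure of
   sections 3.1.1 and 3.1.2 when a packet arrives, as an added example
   that is not code from this draft or from any PEP implementation.
   The Rule, Selector and Action objects mirror attributes of the
   ipSecRuleTable and ipSecActionSetTable (IfName, Roles, Direction,
   Order, the selector set, the optional IPSO filter set, the action
   set order and the ExecutionStrategy); the packet fields, the sample
   rules, the gateways gw-a and gw-b, and the constructed fact that
   only gw-b answers a negotiation are inventions of the example.

```python
"""Rule lookup and action-set execution for one packet (added example).

Not part of the draft. Rules mirror ipSecRuleTable attributes, action sets
mirror ipSecActionSetTable; packets, sample rules, gateway names and the
constructed rule that only gw-b answers IKE are inventions of this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]   # keys: src, dst, proto, direction, optional ipso


@dataclass
class Selector:
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"
    proto: str    # "tcp", "udp", ... or "any"

    @staticmethod
    def _in_prefix(prefix: str, addr: object) -> bool:
        return prefix == "any" or ipaddress.ip_address(str(addr)) in ipaddress.ip_network(prefix)

    def matches(self, pkt: Packet) -> bool:
        return (self._in_prefix(self.src, pkt["src"])
                and self._in_prefix(self.dst, pkt["dst"])
                and self.proto in ("any", pkt["proto"]))


@dataclass
class Action:
    name: str
    run: Callable[[Packet], bool]   # True on success (SA installed or negotiated)


@dataclass
class Rule:
    if_name: str                    # ipSecRuleIfName
    roles: str                      # ipSecRuleRoles
    direction: str                  # ipSecRuleDirection: in, out, bi-directional
    order: int                      # ipSecRuleOrder: smaller value wins
    selector_set: List[Selector]    # ipSecRuleIpSecSelectorSetId
    action_set: List[Tuple[int, Action]]    # (ipSecActionSetOrder, action)
    strategy: str = "doUntilSuccess"        # ipSecRuleActionExecutionStrategy
    ipso_filter_set: List[str] = field(default_factory=list)   # empty == reference 0


def find_rule(rules: List[Rule], pkt: Packet, if_name: str, roles: str) -> Optional[Rule]:
    """Highest-precedence rule for {IfName, Roles} whose direction, selector
    set and (when referenced) IPSO filter set all match the packet."""
    candidates = [r for r in rules
                  if r.if_name == if_name and r.roles == roles
                  and r.direction in ("bi-directional", pkt["direction"])]
    for rule in sorted(candidates, key=lambda r: r.order):
        if not any(sel.matches(pkt) for sel in rule.selector_set):
            continue
        # A non-zero IPSO filter set reference is ANDed with the selector set.
        if rule.ipso_filter_set and pkt.get("ipso") not in rule.ipso_filter_set:
            continue
        return rule
    return None


def execute(rule: Rule, pkt: Packet) -> List[Tuple[str, bool]]:
    """Apply the action set in ipSecActionSetOrder. doAll runs every action;
    doUntilSuccess stops after the first action that succeeds."""
    results: List[Tuple[str, bool]] = []
    for _, action in sorted(rule.action_set, key=lambda pair: pair[0]):
        ok = action.run(pkt)
        results.append((action.name, ok))
        if rule.strategy == "doUntilSuccess" and ok:
            break
    return results


def process(rules: List[Rule], pkt: Packet, if_name: str, roles: str):
    """Executed (action name, success) pairs, or None when no rule applies."""
    rule = find_rule(rules, pkt, if_name, roles)
    return None if rule is None else execute(rule, pkt)


# Constructed environment: gateway A never answers IKE, gateway B does.
REACHABLE_GATEWAYS = {"gw-b"}


def tunnel_to(gateway: str) -> Action:
    """Negotiation action whose outcome depends on the constructed peer."""
    return Action(f"tunnel:{gateway}", lambda pkt: gateway in REACHABLE_GATEWAYS)


BYPASS = Action("bypass", lambda pkt: True)                 # static action
TRANSPORT = Action("transport:end-to-end", lambda pkt: True)

RULES = [
    # Fallback: tunnel to gateway A, else gateway B (second figure in 3.1.1).
    Rule("eth0-caps", "branch-office", "out", 10,
         [Selector("10.1.0.0/16", "10.2.0.0/16", "any")],
         [(1, tunnel_to("gw-a")), (2, tunnel_to("gw-b"))], "doUntilSuccess"),
    # Nested SAs: tunnel to the gateway AND transport to the host (first figure
    # in 3.1.1), only for packets carrying the IPSO label "secret".
    Rule("eth0-caps", "branch-office", "out", 20,
         [Selector("10.1.0.0/16", "192.0.2.7", "tcp")],
         [(1, tunnel_to("gw-b")), (2, TRANSPORT)], "doAll",
         ipso_filter_set=["secret"]),
    # Lowest-precedence catch-all: bypass.
    Rule("eth0-caps", "branch-office", "bi-directional", 100,
         [Selector("any", "any", "any")], [(1, BYPASS)]),
]


if __name__ == "__main__":
    pkt = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "udp", "direction": "out"}
    print(process(RULES, pkt, "eth0-caps", "branch-office"))
```

   Two behaviours worth noticing: the rule with the smaller
   ipSecRuleOrder is consulted first, so the catch-all bypass only
   applies to packets that no more specific rule claims, and a packet
   that matches the selectors of rule 20 but lacks the IPSO label does
   not fall through to a partial match of that rule; it is evaluated
   against the next rule in order.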
   If the Authentication Method for one or more of the IKE proposals
   is specified as PresharedKey in the ipSecIkeProposalTable, the
   ipSecIkeAssociationPresharedKey attribute contains the actual
   pre-shared key to be used for the proposal(s). This attribute is
   optional. If this attribute is not supported or contains a
   zero-length octet string, the pre-shared key MUST be obtained
   through other methods.

   The ipSecIkeProposalSetTable specifies sets of proposals. Proposals
   within a set are ordered with a preference value. The
   ipSecIkeProposalTable contains parameters associated with IKE
   proposals.

   The ipSecIkePeerEndpointTable specifies IKE peer endpoint
   information that includes acceptable peer identity and credentials
   for IKE phase one negotiation. It points to a set of credentials
   specified in the ipSecCredentialSetTable. Any of the credentials in
   the set is acceptable as a peer credential. The AddressType and the
   Address attributes are used only when IKE phase one negotiation
   starts automatically, i.e., the value of the AutoStart attribute in
   the ipSecIkeRuleTable is true. In that case, these two attributes
   together indicate the peer endpoint address.

3.6 Credential group

   This group specifies credentials to be used for IKE phase one
   negotiations.

   The ipSecCredentialSetTable specifies sets of credentials.

   The ipSecCredentialTable and ipSecCredentialFieldsTable together
   specify credentials. Each credential may contain multiple
   sub-fields. For example, a certificate may contain a unique serial
   number sub-field and an issuer name sub-field, etc. The
   ipSecCredentialFieldsTable defines the sub-fields and their values
   that MUST be matched against. The ipSecCredentialTable points to a
   set of criteria defined in the ipSecCredentialFieldsTable. The
   criteria MUST all be satisfied in order for a credential to be
   considered as acceptable.

   Certificates may also be revoked.
   The CrlDistributionPoint attribute in the ipSecCredentialTable
   indicates the Certificate Revocation List (CRL) distribution point
   where CRLs may be fetched.

3.7 Selector group

   This group specifies the selectors for IPsec rules.

   The ipSecSelectorSetTable specifies sets of selectors. Selectors
   within a set form an ordered list. The SelectorId attribute points
   to a valid instance in another table that describes a selector. To
   achieve scalability in policy distribution for large networks, it
   SHOULD point to the ipSecSelectorTable.

   The ipSecAddressTable specifies individual IP addresses or ranges
   of IP addresses and the ipSecL4PortTable specifies individual layer
   4 ports or ranges of ports. The ipSecSelectorTable has references
   to these two tables. Each row in the selector table can represent
   multiple selectors. These selectors are constructed as follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
      port ranges from the ipSecL4PortTable whose ipSecL4PortGroupId
      matches the ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
      port ranges from the ipSecL4PortTable whose ipSecL4PortGroupId
      matches the ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four
      fields. Then add to the combinations the ipSecSelectorProtocol,
      ipSecSelectorDscp and ipSecSelectorFlowLabel attributes to form
      the list of selectors.

   Selectors constructed from a single row have the same order within
   a selector set. The order is indicated by the Order attribute of
   the ipSecSelectorSetTable.
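   Steps 1 to 5 above carried out in code, together with a check for
   the overlap caveat that this section attaches to selectors of the
   same order. This is an added example and not part of the draft:
   the ipSecAddressTable, ipSecL4PortTable and ipSecSelectorTable rows
   are constructed dictionaries keyed after shortened PIB attribute
   names, addresses are written as CIDR prefixes and ports as
   (low, high) ranges (both representations are assumptions of the
   example), and -1 stands for "any" in the DSCP and flow label
   fields as in the DscpOrAny and IPv6FlowLabelOrAny textual
   conventions.

```python
"""Expanding one ipSecSelectorTable row into concrete selectors
(section 3.7, steps 1-5) and checking the overlap caveat (added example).

Not part of the draft. The tables are constructed lists of dictionaries
keyed after the PIB attribute names; addresses are CIDR prefixes and ports
are (low, high) ranges, both choices made for this example. -1 means "any"
for DSCP and flow label, as in DscpOrAny and IPv6FlowLabelOrAny.
"""
import ipaddress
from itertools import product
from typing import Any, Dict, List, NamedTuple, Tuple

# Constructed ipSecAddressTable rows: ipSecAddressGroupId -> prefix.
ADDRESS_TABLE: List[Dict[str, Any]] = [
    {"GroupId": 1, "Address": "10.1.0.0/16"},
    {"GroupId": 1, "Address": "10.1.5.0/24"},   # inside the /16 above, on purpose
    {"GroupId": 2, "Address": "192.0.2.0/24"},
    {"GroupId": 3, "Address": "10.1.0.0/16"},
    {"GroupId": 4, "Address": "10.2.0.0/16"},
]
# Constructed ipSecL4PortTable rows: ipSecL4PortGroupId -> (low, high).
PORT_TABLE: List[Dict[str, Any]] = [
    {"GroupId": 10, "Range": (0, 65535)},       # any source port
    {"GroupId": 11, "Range": (80, 80)},
    {"GroupId": 11, "Range": (443, 443)},
]
# Constructed ipSecSelectorTable row (ipSecSelector* attribute names shortened).
SELECTOR_ROW: Dict[str, Any] = {
    "SrcAddressGroupId": 1, "DstAddressGroupId": 2,
    "SrcPortGroupId": 10, "DstPortGroupId": 11,
    "Protocol": 6, "Dscp": -1, "FlowLabel": -1,
}


class ConcreteSelector(NamedTuple):
    order: int                   # ipSecSelectorSetOrder, shared by the whole row
    src: Any                     # ipaddress network
    dst: Any
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]
    protocol: int
    dscp: int
    flow_label: int


def _addresses(group_id: int) -> List[Any]:
    """Steps 1 and 2: every ipSecAddressTable row whose GroupId matches."""
    return [ipaddress.ip_network(r["Address"]) for r in ADDRESS_TABLE if r["GroupId"] == group_id]


def _ports(group_id: int) -> List[Tuple[int, int]]:
    """Steps 3 and 4: every ipSecL4PortTable row whose GroupId matches."""
    return [r["Range"] for r in PORT_TABLE if r["GroupId"] == group_id]


def expand_row(row: Dict[str, Any], order: int) -> List[ConcreteSelector]:
    """Step 5: every combination of the four substituted fields, each completed
    with the row's protocol, DSCP and flow label. A group id that resolves to
    no rows yields no selectors at all."""
    combos = product(_addresses(row["SrcAddressGroupId"]),
                     _addresses(row["DstAddressGroupId"]),
                     _ports(row["SrcPortGroupId"]),
                     _ports(row["DstPortGroupId"]))
    return [ConcreteSelector(order, s, d, sp, dp,
                             row["Protocol"], row["Dscp"], row["FlowLabel"])
            for s, d, sp, dp in combos]


def _ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def overlapping_pairs(selectors: List[ConcreteSelector]):
    """Pairs of selectors that can match the same packet. Selectors from one
    row share an order and their relative order is unspecified, so these are
    exactly the cases the draft's caveat warns about and should be reviewed."""
    pairs = []
    for i, a in enumerate(selectors):
        for b in selectors[i + 1:]:
            if (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
                    and _ranges_overlap(a.src_ports, b.src_ports)
                    and _ranges_overlap(a.dst_ports, b.dst_ports)
                    and (a.protocol, a.dscp, a.flow_label)
                    == (b.protocol, b.dscp, b.flow_label)):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    selectors = expand_row(SELECTOR_ROW, order=5)
    for s in selectors:
        print(s)
    print("overlapping pairs:", len(overlapping_pairs(selectors)))
```

   With the constructed tables the row expands to 2 x 1 x 1 x 2 = 4
   selectors; the two source prefixes nest, so two of the pairs (one
   per destination port) can match the same packet and are reported.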
   The relative order among selectors constructed from a single row is
   unspecified. This is not an issue as long as these selectors are
   not overlapping.

   The use of references in the ipSecSelectorTable instead of real IP
   addresses and port numbers reduces the number of bytes being pushed
   down to the PEP. Grouping of IP addresses and layer 4 ports serves
   the same purpose.

   The ipSecIpsoFilterSetTable specifies sets of IPSO filters. Filters
   within a set form an ordered list. The ipSecIpsoFilterTable
   contains IPSO filters.

3.8 Policy time period group

   This group specifies time periods during which a policy rule is
   valid. The ipSecRuleTimePeriodTable specifies a single time period
   within a day. The ipSecRuleTimePeriodSetTable specifies multiple
   time periods. Implementation of this group is optional.

3.9 Interface capability group

   PEPs may have different capabilities. For example, some PEPs
   support nested Security Associations whereas others do not. This
   group allows a PEP to specify the capabilities associated with its
   different interface types.

   For ease of reference, a concise summary of the groups and tables
   is included in the next section.

4. Summary of the IPsec PIB

4.1 ipSecAssociation group

   This group specifies IPsec Security Associations.

4.1.1 ipSecRuleTable

   This table is the starting point for specifying an IPsec policy. It
   contains an ordered list of IPsec rules.

4.1.2 ipSecActionSetTable

   Specifies IPsec action sets.

4.1.3 ipSecStaticActionTable

   Specifies IPsec static actions.

4.1.4 ipSecNegotiationActionTable

   Specifies IPsec negotiation actions.

4.1.5 ipSecAssociationTable

   Specifies IPsec associations.

4.1.6 ipSecProposalSetTable

   Specifies IPsec proposal sets.

4.1.7 ipSecProposalTable

   Specifies IPsec proposals.

4.2 ipSecAhTransform group

   This group specifies AH Transforms.

4.2.1 ipSecAhTransformSetTable

   Specifies AH transform sets.

4.2.2 ipSecAhTransformTable

   Specifies AH transforms.
4.3 ipSecEspTransform group

   This group specifies ESP Transforms.

4.3.1 ipSecEspTransformSetTable

   Specifies ESP transform sets.

4.3.2 ipSecEspTransformTable

   Specifies ESP transforms.

4.4 ipSecCompTransform group

   This group specifies Compression Transforms.

4.4.1 ipSecCompTransformSetTable

   Specifies IPComp transform sets.

4.4.2 ipSecCompTransformTable

   Specifies IP compression (IPCOMP) algorithms.

4.5 ipSecIkeAssociation group

   This group specifies IKE Security Associations.

4.5.1 ipSecIkeRuleTable

   Specifies IKE rules.

4.5.2 ipSecIkeActionSetTable

   Specifies IKE action sets.

4.5.3 ipSecIkeAssociationTable

   Specifies IKE associations.

4.5.4 ipSecIkeProposalSetTable

   Specifies IKE proposal sets.

4.5.5 ipSecIkeProposalTable

   Specifies IKE proposals.

4.5.6 ipSecIkePeerEndpointTable

   Specifies IKE peer endpoints.

4.6 ipSecCredential group

   This group specifies credentials for IKE phase one negotiations.

4.6.1 ipSecCredentialSetTable

   Specifies credential sets.

4.6.2 ipSecCredentialTable

   Specifies credentials.

4.6.3 ipSecCredentialFieldsTable

   Specifies sets of credential sub-fields and their values to be
   matched against.

4.7 ipSecSelector group

   This group specifies selectors for IPsec associations.

4.7.1 ipSecSelectorSetTable

   Specifies IPsec selector sets.

4.7.2 ipSecSelectorTable

   Specifies IPsec selectors.

4.7.3 ipSecAddressTable

   Specifies IP addresses.

4.7.4 ipSecL4PortTable

   Specifies layer four port numbers.

4.7.5 ipSecIpsoFilterSetTable

   Specifies IPSO filter sets.

4.7.6 ipSecIpsoFilterTable

   Specifies IPSO filters.

4.8 ipSecPolicyTimePeriod group

   This group specifies the time periods during which a policy rule is
   valid.

4.8.1 ipSecRuleTimePeriodTable

   Specifies the time periods during which a policy rule is valid.

4.8.2 ipSecRuleTimePeriodSetTable

   Specifies time period sets.
4.9 ipSecIfCapability group

   This group specifies capabilities associated with interface types.

4.9.1 ipSecIfCapsTable

   Specifies capabilities that may be associated with an interface of
   a specific type.

4.10 ipSecPolicyPibConformance group

   This group specifies requirements for conformance to the IPsec
   Policy PIB.

5. The IPsec PIB Module

IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32, Unsigned64, MODULE-IDENTITY, OBJECT-TYPE,
    TEXTUAL-CONVENTION, MODULE-COMPLIANCE, OBJECT-GROUP, pib
        FROM COPS-PR-SPPI
    TruthValue
        FROM SNMPv2-TC
    InstanceId, ReferenceId, TagId, TagReferenceId, Prid
        FROM COPS-PR-SPPI-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddress, InetAddressType, InetAddressPrefixLength,
    InetPortNumber
        FROM INET-ADDRESS-MIB
    DscpOrAny
        FROM DIFFSERV-DSCP-TC
    zeroDotZero
        FROM SNMPv2-SMI
    IPv6FlowLabelOrAny
        FROM IPV6-FLOW-LABEL-MIB
    RoleCombination
        FROM FRAMEWORK-TC-PIB;

ipSecPolicyPib MODULE-IDENTITY
    SUBJECT-CATEGORIES { xxxx (nn) }   -- IPsec Client Type -
                                       -- to be assigned by IANA.
                                       -- Suggest to use ipSec for xxxx -
    LAST-UPDATED "200311081800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
                  Man Li
                  Nokia
                  5 Wayside Road, Burlington, MA 01803
                  Phone: +1 781 993 3923
                  Email: man.m.li@nokia.com

                  Avri Doria
                  Div. of Computer Communications
                  Lulea University of Technology
                  SE-971 87 Lulea, Sweden
                  Phone: +46 920 49 3030
                  Email: avri@sm.luth.se

                  Jamie Jason
                  Intel Corporation
                  MS JF3-206
                  2111 NE 25th Ave.
                  Hillsboro, OR 97124
                  Phone: +1 503 264 9531
                  Fax: +1 503 264 9428
                  Email: jamie.jason@intel.com

                  Cliff Wang
                  SmartPipes Inc.
                  Suite 300, 565 Metro Place South
                  Dublin, OH 43017
                  Phone: +1 614 923 6241
                  Email: CWang@smartpipes.com

                  Markus Stenberg
                  SSH Communications Security Corp.
                  Fredrikinkatu 42
                  FIN-00100 Helsinki, Finland
                  Phone: +358 20 500 7466
                  Email: fingon@iki.fi"
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPsec policies.

        Copyright (C) The Internet Society (2003).
        This version of this PIB module is part of RFC xxxx; see the
        RFC itself for full legal notices"

    REVISION "200311081800Z"
    DESCRIPTION
        "Initial version, published as RFC xxxx."
        -- xxxx to be assigned by IANA --
    ::= { pib yyy }   -- yyy to be assigned by IANA --

Unsigned16TC ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An unsigned 16 bit integer."
    SYNTAX      Unsigned32 (0..65535)

ipSecAssociation          OBJECT IDENTIFIER ::= { ipSecPolicyPib 1 }
ipSecAhTransform          OBJECT IDENTIFIER ::= { ipSecPolicyPib 2 }
ipSecEspTransform         OBJECT IDENTIFIER ::= { ipSecPolicyPib 3 }
ipSecCompTransform        OBJECT IDENTIFIER ::= { ipSecPolicyPib 4 }
ipSecIkeAssociation       OBJECT IDENTIFIER ::= { ipSecPolicyPib 5 }
ipSecCredential           OBJECT IDENTIFIER ::= { ipSecPolicyPib 6 }
ipSecSelector             OBJECT IDENTIFIER ::= { ipSecPolicyPib 7 }
ipSecPolicyTimePeriod     OBJECT IDENTIFIER ::= { ipSecPolicyPib 8 }
ipSecIfCapability         OBJECT IDENTIFIER ::= { ipSecPolicyPib 9 }
ipSecPolicyPibConformance OBJECT IDENTIFIER ::= { ipSecPolicyPib 10 }

--
--
-- The ipSecRuleTable
--

ipSecRuleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecRuleEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "This table is the starting point for specifying an IPsec
        policy. It contains an ordered list of IPsec rules."
    ::= { ipSecAssociation 1 }

ipSecRuleEntry OBJECT-TYPE
    SYNTAX      IpSecRuleEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecRulePrid }
    UNIQUENESS {
        ipSecRuleIfName,
        ipSecRuleRoles,
        ipSecRuleOrder
    }
    ::= { ipSecRuleTable 1 }

IpSecRuleEntry ::= SEQUENCE {
    ipSecRulePrid                         InstanceId,
    ipSecRuleIfName                       SnmpAdminString,
    ipSecRuleRoles                        RoleCombination,
    ipSecRuleDirection                    INTEGER,
    ipSecRuleIpSecSelectorSetId           TagReferenceId,
    ipSecRuleIpSecIpsoFilterSetId         TagReferenceId,
    ipSecRuleIpSecActionSetId             TagReferenceId,
    ipSecRuleActionExecutionStrategy      INTEGER,
    ipSecRuleOrder                        Unsigned16TC,
    ipSecRuleLimitNegotiation             INTEGER,
    ipSecRuleAutoStart                    TruthValue,
    ipSecRuleIpSecRuleTimePeriodGroupId   TagReferenceId
}

ipSecRulePrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecRuleEntry 1 }

ipSecRuleIfName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    STATUS      current
    DESCRIPTION
        "The interface capability set to which this IPsec rule applies.
        The interface capability name specified by this attribute MUST
        exist in the frwkCapabilitySetTable [9] prior to association
        with an instance of this class."
    ::= { ipSecRuleEntry 2 }

ipSecRuleRoles OBJECT-TYPE
    SYNTAX      RoleCombination
    STATUS      current
    DESCRIPTION
        "Specifies the role combination of the interface to which this
        IPsec rule should apply. There must exist an instance in the
        frwkRoleComboTable [9] specifying this role combination,
        together with the interface capability set specified by
        ipSecRuleIfName, prior to association with an instance of this
        class."
    ::= { ipSecRuleEntry 3 }

ipSecRuleDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    in(1),
                    out(2),
                    bi-directional(3)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the direction of traffic to which this rule should
        apply."
    ::= { ipSecRuleEntry 4 }

ipSecRuleIpSecSelectorSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecSelectorSetSelectorSetId }
    STATUS      current
    DESCRIPTION
        "Identifies a set of selectors to be associated with this IPsec
        rule."
    ::= { ipSecRuleEntry 5 }

ipSecRuleIpSecIpsoFilterSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecIpsoFilterSetFilterSetId }
    STATUS      current
    DESCRIPTION
        "Identifies a set of IPSO filters to be associated with this
        IPsec rule. A value of zero indicates that there are no IPSO
        filters associated with this rule. When the value of this
        attribute is not zero, the set of IPSO filters is ANDed with
        the set of Selectors specified by ipSecRuleIpSecSelectorSetId.
        In other words, a packet MUST match a selector in the selector
        sets and a filter in the IPSO filter sets before the actions
        associated with this rule can be applied."
    ::= { ipSecRuleEntry 6 }

ipSecRuleIpSecActionSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecActionSetActionSetId }
    STATUS      current
    DESCRIPTION
        "Identifies a set of IPsec actions to be associated with this
        rule."
    ::= { ipSecRuleEntry 7 }

ipSecRuleActionExecutionStrategy OBJECT-TYPE
    SYNTAX      INTEGER {
                    doAll(1),
                    doUntilSuccess(2)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the strategy to be used in executing the sequenced
        actions in the action set identified by
        ipSecRuleIpSecActionSetId.

        DoAll (1) causes the execution of all the actions in the action
        set according to their defined precedence order. The precedence
        order is specified by the ipSecActionSetOrder in the
        ipSecActionSetTable.

        DoUntilSuccess (2) causes the execution of actions according to
        their defined precedence order until a successful execution of
        a single action. The precedence order is specified by the
        ipSecActionSetOrder in the ipSecActionSetTable."
    ::= { ipSecRuleEntry 8 }

ipSecRuleOrder OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies the precedence order of the rule within all the
        rules associated with {IfName, Roles}. A smaller value
        indicates a higher precedence order."
    ::= { ipSecRuleEntry 9 }

ipSecRuleLimitNegotiation OBJECT-TYPE
    SYNTAX      INTEGER {
                    initiator(1),
                    responder(2),
                    both(3)
                }
    STATUS      current
    DESCRIPTION
        "Limits the negotiation method. Before proceeding with a phase
        2 negotiation, the LimitNegotiation property of the IPsecRule
        is first checked to determine if the negotiation part
        indicated for the rule matches that of the current negotiation
        (initiator(1), responder(2), or both(3)). This attribute is
        ignored when an attempt is made to refresh an expiring SA
        (either side can initiate a refresh operation). The system can
        determine that the negotiation is a refresh operation by
        checking to see if the selector information matches that of an
        existing SA. If LimitNegotiation does not match and the
        selector corresponds to a new SA, the negotiation is stopped."
    ::= { ipSecRuleEntry 10 }

ipSecRuleAutoStart OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Indicates if this rule should be automatically executed."
    ::= { ipSecRuleEntry 11 }

ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
    STATUS      current
    DESCRIPTION
        "Identifies an IPsec rule time period set, specified in
        ipSecRuleTimePeriodSetTable, that is associated with this
        rule. A value of zero indicates that this IPsec rule is always
        valid."
    ::= { ipSecRuleEntry 12 }

--
--
-- The ipSecActionSetTable
--

ipSecActionSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecActionSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec action sets."
    ::= { ipSecAssociation 2 }

ipSecActionSetEntry OBJECT-TYPE
    SYNTAX      IpSecActionSetEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecActionSetPrid }
    UNIQUENESS {
        ipSecActionSetActionSetId,
        ipSecActionSetActionId,
        ipSecActionSetDoActionLogging,
        ipSecActionSetDoPacketLogging,
        ipSecActionSetOrder
    }
    ::= { ipSecActionSetTable 1 }

IpSecActionSetEntry ::= SEQUENCE {
    ipSecActionSetPrid              InstanceId,
    ipSecActionSetActionSetId       TagId,
    ipSecActionSetActionId          Prid,
    ipSecActionSetDoActionLogging   TruthValue,
    ipSecActionSetDoPacketLogging   TruthValue,
    ipSecActionSetOrder             Unsigned16TC
}

ipSecActionSetPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecActionSetEntry 1 }

ipSecActionSetActionSetId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "An IPsec action set is composed of one or more IPsec
        actions. Each action belonging to the same set has the same
        ActionSetId."
    ::= { ipSecActionSetEntry 2 }

ipSecActionSetActionId OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A pointer to a valid instance in another table that
        describes an action to be taken. For IPsec static actions,
        it MUST point to an instance in the ipSecStaticActionTable.
        For IPsec negotiation actions, it MUST point to an instance
        in the ipSecNegotiationActionTable. For other actions, it
        may point to an instance in a table specified by other PIB
        modules."
    ::= { ipSecActionSetEntry 3 }

ipSecActionSetDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Specifies whether a log message is to be generated when the
        action is performed. This applies for ipSecNegotiationActions
        with the meaning of logging a message when the negotiation
        is attempted (with the success or failure result).
        This also applies for ipSecStaticAction only for
        PreconfiguredTransport action or PreconfiguredTunnel action
        with the meaning of logging a message when the preconfigured
        SA is actually installed in the SADB."
    ::= { ipSecActionSetEntry 4 }

ipSecActionSetDoPacketLogging OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Specifies whether to log when the resulting security
        association is used to process a packet. For
        ipSecStaticActions, a log message is to be generated when
        the IPsecBypass, IpsecDiscard or IKEReject actions are
        executed."
    ::= { ipSecActionSetEntry 5 }

ipSecActionSetOrder OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies the precedence order of the action within the
        action set. An action with a smaller precedence order is to
        be applied before one with a larger precedence order."
    ::= { ipSecActionSetEntry 6 }

--
--
-- The ipSecStaticActionTable
--
ipSecStaticActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecStaticActionEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec static actions."
    ::= { ipSecAssociation 3 }

ipSecStaticActionEntry OBJECT-TYPE
    SYNTAX      IpSecStaticActionEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecStaticActionPrid }
    UNIQUENESS {
        ipSecStaticActionAction,
        ipSecStaticActionTunnelEndpointId,
        ipSecStaticActionDfHandling,
        ipSecStaticActionSpi,
        ipSecStaticActionLifetimeSeconds,
        ipSecStaticActionLifetimeKilobytes,
        ipSecStaticActionSaTransformId
    }
    ::= { ipSecStaticActionTable 1 }

IpSecStaticActionEntry ::= SEQUENCE {
    ipSecStaticActionPrid               InstanceId,
    ipSecStaticActionAction             INTEGER,
    ipSecStaticActionTunnelEndpointId   ReferenceId,
    ipSecStaticActionDfHandling         INTEGER,
    ipSecStaticActionSpi                Unsigned32,
    ipSecStaticActionLifetimeSeconds    Unsigned32,
    ipSecStaticActionLifetimeKilobytes  Unsigned64,
    ipSecStaticActionSaTransformId      Prid
}

ipSecStaticActionPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecStaticActionEntry 1 }

ipSecStaticActionAction OBJECT-TYPE
    SYNTAX      INTEGER {
                    byPass(1),
                    discard(2),
                    ikeRejection(3),
                    preConfiguredTransport(4),
                    preConfiguredTunnel(5)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the IPsec action to be applied to the traffic.

        byPass (1) means that packets are to be allowed to pass in
        the clear.
        discard (2) means that packets are to be discarded.
        ikeRejection (3) means that an IKE negotiation should not
        even be attempted or continued.
        preConfiguredTransport (4) means that an IPsec transport SA
        is pre-configured.
        preConfiguredTunnel (5) means that an IPsec tunnel SA is
        pre-configured."
    ::= { ipSecStaticActionEntry 2 }

ipSecStaticActionTunnelEndpointId OBJECT-TYPE
    SYNTAX      ReferenceId
    PIB-REFERENCES { ipSecAddressEntry }
    STATUS      current
    DESCRIPTION
        "When ipSecStaticActionAction is preConfiguredTunnel (5),
        this attribute indicates the peer gateway IP address. This
        address MUST be a single endpoint address.
        When ipSecStaticActionAction is not preConfiguredTunnel,
        this attribute MUST be zero."
    ::= { ipSecStaticActionEntry 3 }

ipSecStaticActionDfHandling OBJECT-TYPE
    SYNTAX      INTEGER {
                    copy(1),
                    set(2),
                    clear(3)
                }
    STATUS      current
    DESCRIPTION
        "When ipSecStaticActionAction is preConfiguredTunnel, this
        attribute specifies how the DF bit is managed.

        Copy (1) indicates to copy the DF bit from the internal IP
        header to the external IP header.
        Set (2) indicates to set the DF bit of the external IP
        header to 1.
        Clear (3) indicates to clear the DF bit of the external IP
        header to 0.

        When ipSecStaticActionAction is not preConfiguredTunnel,
        this attribute MUST be ignored."
    ::= { ipSecStaticActionEntry 4 }

ipSecStaticActionSpi OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the SPI to be used with the SA Transform
        identified by ipSecStaticActionSaTransformId. When
        ipSecStaticActionAction is neither preConfiguredTransportAction
        nor preConfiguredTunnelAction, this attribute MUST be
        ignored."
    ::= { ipSecStaticActionEntry 5 }

ipSecStaticActionLifetimeSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    STATUS      current
    DESCRIPTION
        "Specifies the amount of time (in seconds) that a security
        association derived from this action should be used. When
        ipSecStaticActionAction is neither preConfiguredTransportAction
        nor preConfiguredTunnelAction, this attribute MUST be
        ignored. A value of zero indicates that there is not a
        lifetime associated with this action (i.e., infinite
        lifetime).

        The actual lifetime of the preconfigured SA will be the
        smallest of the value of this LifetimeSeconds property and
        of the value of the MaxLifetimeSeconds property of the
        associated SA Transform. Except if the value of this
        LifetimeSeconds property is zero, then there will be no
        lifetime associated with this SA."
    ::= { ipSecStaticActionEntry 6 }

ipSecStaticActionLifetimeKilobytes OBJECT-TYPE
    SYNTAX      Unsigned64
    UNITS       "kilobytes"
    STATUS      current
    DESCRIPTION
        "Specifies the SA lifetime in kilobytes. When
        ipSecStaticActionAction is neither preConfiguredTransportAction
        nor preConfiguredTunnelAction, this attribute MUST be
        ignored. A value of zero indicates that there is not a
        lifetime associated with this action (i.e., infinite
        lifetime).

        The actual lifetime of the preconfigured SA will be the
        smallest of the value of this LifetimeKilobytes property and
        of the value of the MaxLifetimeKilobytes property of the
        associated SA transform. Except if the value of this
        LifetimeKilobytes property is zero, then there will be no
        lifetime associated with this action."
    ::= { ipSecStaticActionEntry 7 }

ipSecStaticActionSaTransformId OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A pointer to a valid instance in another table that
        describes an SA transform, e.g., ipSecEspTransformTable,
        ipSecAhTransformTable."
    ::= { ipSecStaticActionEntry 8 }

--
--
-- The ipSecNegotiationActionTable
--
ipSecNegotiationActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecNegotiationActionEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec negotiation actions."
    ::= { ipSecAssociation 4 }

ipSecNegotiationActionEntry OBJECT-TYPE
    SYNTAX      IpSecNegotiationActionEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecNegotiationActionPrid }
    UNIQUENESS {
        ipSecNegotiationActionAction,
        ipSecNegotiationActionTunnelEndpointId,
        ipSecNegotiationActionDfHandling,
        ipSecNegotiationActionIpSecSecurityAssociationId,
        ipSecNegotiationActionKeyExchangeId
    }
    ::= { ipSecNegotiationActionTable 1 }

IpSecNegotiationActionEntry ::= SEQUENCE {
    ipSecNegotiationActionPrid                          InstanceId,
    ipSecNegotiationActionAction                        INTEGER,
    ipSecNegotiationActionTunnelEndpointId              ReferenceId,
    ipSecNegotiationActionDfHandling                    INTEGER,
    ipSecNegotiationActionIpSecSecurityAssociationId    ReferenceId,
    ipSecNegotiationActionKeyExchangeId                 Prid
}

ipSecNegotiationActionPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecNegotiationActionEntry 1 }

ipSecNegotiationActionAction OBJECT-TYPE
    SYNTAX      INTEGER {
                    transport(1),
                    tunnel(2)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the IPsec action to be applied to the traffic.

        transport(1) means that the packet should be protected with
        a security association in transport mode.
        tunnel(2) means that the packet should be protected with a
        security association in tunnel mode. If tunnel (2) is
        specified, ipSecActionTunnelEndpointId MUST also be
        specified."
    ::= { ipSecNegotiationActionEntry 2 }

ipSecNegotiationActionTunnelEndpointId OBJECT-TYPE
    SYNTAX      ReferenceId
    PIB-REFERENCES { ipSecAddressEntry }
    STATUS      current
    DESCRIPTION
        "When ipSecActionAction is tunnel (2), this attribute
        indicates the peer gateway IP address. This address MUST be
        a single endpoint address. When ipSecActionAction is not
        tunnel, this attribute MUST be zero."
    ::= { ipSecNegotiationActionEntry 3 }

ipSecNegotiationActionDfHandling OBJECT-TYPE
    SYNTAX      INTEGER {
                    copy(1),
                    set(2),
                    clear(3)
                }
    STATUS      current
    DESCRIPTION
        "When ipSecActionAction is tunnel, this attribute specifies
        how the DF bit is managed.

        Copy (1) indicates to copy the DF bit from the internal IP
        header to the external IP header.
        Set (2) indicates to set the DF bit of the external IP
        header to 1.
        Clear (3) indicates to clear the DF bit of the external IP
        header to 0.

        When ipSecActionAction is not tunnel, this attribute MUST
        be ignored."
    ::= { ipSecNegotiationActionEntry 4 }

ipSecNegotiationActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX      ReferenceId
    PIB-REFERENCES { ipSecAssociationEntry }
    STATUS      current
    DESCRIPTION
        "Pointer to a valid instance in the ipSecAssociationTable."
    ::= { ipSecNegotiationActionEntry 5 }

ipSecNegotiationActionKeyExchangeId OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A pointer to a valid instance in another table that
        describes key exchange associations. If a single IKE phase
        one negotiation is used for the key exchange, this attribute
        MUST point to an instance in the ipSecIkeAssociationTable.
        If multiple IKE phase one negotiations (e.g., with different
        modes) are to be tried until success, this attribute SHOULD
        point to ipSecIkeRuleTable. For other key exchange methods,
        this attribute may point to an instance of a PRC defined in
        some other PIB. A value of zeroDotZero means that there is
        no key exchange procedure associated."
    ::= { ipSecNegotiationActionEntry 6 }

--
--
-- The ipSecAssociationTable
--
ipSecAssociationTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecAssociationEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec associations."
    ::= { ipSecAssociation 5 }

ipSecAssociationEntry OBJECT-TYPE
    SYNTAX      IpSecAssociationEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAssociationPrid }
    UNIQUENESS {
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationIdleDurationSeconds,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseKeyExchangeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationGranularity,
        ipSecAssociationProposalSetId
    }
    ::= { ipSecAssociationTable 1 }

IpSecAssociationEntry ::= SEQUENCE {
    ipSecAssociationPrid                    InstanceId,
    ipSecAssociationMinLifetimeSeconds      Unsigned32,
    ipSecAssociationMinLifetimeKilobytes    Unsigned64,
    ipSecAssociationIdleDurationSeconds     Unsigned32,
    ipSecAssociationUsePfs                  TruthValue,
    ipSecAssociationVendorId                OCTET STRING,
    ipSecAssociationUseKeyExchangeGroup     TruthValue,
    ipSecAssociationDhGroup                 Unsigned16TC,
    ipSecAssociationGranularity             INTEGER,
    ipSecAssociationProposalSetId           TagReferenceId
}

ipSecAssociationPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecAssociationEntry 1 }

ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    STATUS      current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be
        accepted from a peer while negotiating an SA based upon this
        action. A value of zero indicates that there is no minimum
        lifetime enforced."
    ::= { ipSecAssociationEntry 2 }

ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX      Unsigned64
    UNITS       "kilobytes"
    STATUS      current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be
        accepted from a negotiating peer while negotiating an SA
        based upon this action. A value of zero indicates that there
        is no minimum lifetime enforced."
    ::= { ipSecAssociationEntry 3 }

ipSecAssociationIdleDurationSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    STATUS      current
    DESCRIPTION
        "Specifies how long, in seconds, a security association may
        remain unused before it is deleted. A value of zero
        indicates that idle detection should not be used for the
        security association (only the seconds and kilobyte
        lifetimes will be used)."
    ::= { ipSecAssociationEntry 4 }

ipSecAssociationUsePfs OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Specifies whether or not to use PFS when refreshing keys."
    ::= { ipSecAssociationEntry 5 }

ipSecAssociationVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "Specifies the IKE Vendor ID. This attribute is used
        together with the property ipSecAssociationDhGroup (when it
        is in the vendor-specific range) to identify the key
        exchange group. This attribute is ignored unless
        ipSecAssociationUsePFS is true and
        ipSecAssociationUseKeyExchangeGroup is false and
        ipSecAssociationDhGroup is in the vendor-specific range
        (32768-65535)."
    ::= { ipSecAssociationEntry 6 }

ipSecAssociationUseKeyExchangeGroup OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Specifies whether or not to use the same GroupId for phase
        2 as was used in phase 1. If UsePFS is false, then this
        attribute is ignored. A value of true indicates that the
        phase 2 GroupId should be the same as phase 1. A value of
        false indicates that the group number specified by the
        ipSecSecurityAssociationDhGroup attribute SHALL be used for
        phase 2."
    ::= { ipSecAssociationEntry 7 }

ipSecAssociationDhGroup OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies the key exchange group to use for phase 2 when
        the property ipSecSecurityAssociationUsePfs is true and the
        property ipSecSecurityAssociationUseKeyExchangeGroup is
        false."
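The zero-means-something-different rules scattered across the lifetime attributes are easy to get wrong in an implementation, so the following Python functions, added here as an illustration and not taken from the draft, carry them through: the effective lifetime of a preconfigured SA from ipSecStaticActionLifetimeSeconds/Kilobytes combined with the transform's MaxLifetime (a zero on the static action means no lifetime at all), the ipSecAssociationMinLifetime* check applied to a peer's offer (zero means nothing is enforced), SA expiry including ipSecAssociationIdleDurationSeconds (zero disables idle detection), and the phase 2 group resolution from ipSecAssociationUsePfs, ipSecAssociationUseKeyExchangeGroup, ipSecAssociationDhGroup and ipSecAssociationVendorId. One assumption is made and marked in the code: a transform MaxLifetime of zero places no cap on a static SA.

```python
# Added illustration (not code from the draft): how the lifetime and
# PFS attributes of ipSecStaticActionTable and ipSecAssociationTable
# combine. Function names are constructed for the example.
from typing import Optional, Tuple

VENDOR_SPECIFIC_DH_MIN, VENDOR_SPECIFIC_DH_MAX = 32768, 65535   # ipSecAssociationVendorId range


def static_sa_lifetime(action_lifetime: int, transform_max: int) -> Optional[int]:
    """Effective lifetime of a preconfigured SA (seconds or kilobytes alike).

    Per ipSecStaticActionLifetime*: zero on the action means no lifetime at all
    (returned as None); otherwise the SA lives for the smaller of the action's
    value and the transform's MaxLifetime*. Assumption for this example: a
    transform MaxLifetime of zero imposes no cap on a static SA.
    """
    if action_lifetime == 0:
        return None
    if transform_max == 0:
        return action_lifetime
    return min(action_lifetime, transform_max)


def peer_lifetime_acceptable(min_seconds: int, min_kilobytes: int,
                             offered_seconds: int, offered_kilobytes: int) -> bool:
    """ipSecAssociationMinLifetime*: reject a peer offer below the minimum;
    a minimum of zero means nothing is enforced."""
    if min_seconds and offered_seconds < min_seconds:
        return False
    if min_kilobytes and offered_kilobytes < min_kilobytes:
        return False
    return True


def sa_expired(age_seconds: int, kilobytes_used: int, idle_seconds: int,
               lifetime_seconds: Optional[int], lifetime_kilobytes: Optional[int],
               idle_duration: int) -> bool:
    """Delete an SA when any configured limit is hit. None means no such
    lifetime; an ipSecAssociationIdleDurationSeconds of zero disables idle
    detection so only the seconds and kilobyte lifetimes apply."""
    if lifetime_seconds is not None and age_seconds >= lifetime_seconds:
        return True
    if lifetime_kilobytes is not None and kilobytes_used >= lifetime_kilobytes:
        return True
    if idle_duration and idle_seconds >= idle_duration:
        return True
    return False


def phase2_dh_group(use_pfs: bool, use_key_exchange_group: bool, dh_group: int,
                    phase1_group: int, vendor_id: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Resolve the phase 2 key exchange group. Returns (group, vendor id):
    group None means PFS is off; the vendor id is only meaningful when the
    configured group lies in the vendor-specific range."""
    if not use_pfs:
        return None, None                 # UsePfs false: the other attributes are ignored
    if use_key_exchange_group:
        return phase1_group, None         # reuse the phase 1 group
    if VENDOR_SPECIFIC_DH_MIN <= dh_group <= VENDOR_SPECIFIC_DH_MAX:
        return dh_group, vendor_id        # private group identified together with the Vendor ID
    return dh_group, None


if __name__ == "__main__":
    print(static_sa_lifetime(7200, 3600), peer_lifetime_acceptable(3600, 0, 1800, 10))
    print(phase2_dh_group(True, False, 40000, 14, b"example-vendor"))
```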
    ::= { ipSecAssociationEntry 8 }

ipSecAssociationGranularity OBJECT-TYPE
    SYNTAX      INTEGER {
                    subnet(1),
                    address(2),
                    protocol(3),
                    port(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies how the proposed selector for the security
        association will be created.

        A value of 1 (subnet) indicates that the source and
        destination subnet masks of the filter entry are used.
        A value of 2 (address) indicates that only the source and
        destination IP addresses of the triggering packet are used.
        A value of 3 (protocol) indicates that the source and
        destination IP addresses and the IP protocol of the
        triggering packet are used.
        A value of 4 (port) indicates that the source and
        destination IP addresses and the IP protocol and the source
        and destination layer 4 ports of the triggering packet are
        used."
    ::= { ipSecAssociationEntry 9 }

ipSecAssociationProposalSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecProposalSetProposalSetId }
    STATUS      current
    DESCRIPTION
        "Identifies a set of IPsec proposals that is associated with
        this IPsec association."
    ::= { ipSecAssociationEntry 10 }

--
--
-- The ipSecProposalSetTable
--
ipSecProposalSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecProposalSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec proposal sets. Proposals within a set are
        ORed with preference order.
" ::= { ipSecAssociation 6 } ipSecProposalSetEntry OBJECT-TYPE SYNTAX IpSecProposalSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecProposalSetPrid } UNIQUENESS { ipSecProposalSetProposalSetId, ipSecProposalSetProposalId, ipSecProposalSetOrder Li, et al Expires May 2004 28 IPsec Policy Information Base November 2003 } ::= { ipSecProposalSetTable 1 } IpSecProposalSetEntry ::= SEQUENCE { ipSecProposalSetPrid InstanceId, ipSecProposalSetProposalSetId TagId, ipSecProposalSetProposalId ReferenceId, ipSecProposalSetOrder Unsigned16TC } ipSecProposalSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecProposalSetEntry 1 } ipSecProposalSetProposalSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An IPsec proposal set is composed of one or more IPsec proposals. Each proposal belonging to the same set has the same ProposalSetId." ::= { ipSecProposalSetEntry 2 } ipSecProposalSetProposalId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecProposalEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecProposalTable." ::= { ipSecProposalSetEntry 3 } ipSecProposalSetOrder OBJECT-TYPE SYNTAX Unsigned16TC STATUS current DESCRIPTION "An integer that specifies the precedence order of the proposal identified by ipSecProposalSetProposalId in a proposal set. The proposal set is identified by ipSecProposalSetProposalSetId. Proposals within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecProposalSetEntry 4 } -- -- -- The ipSecProposalTable -- ipSecProposalTable OBJECT-TYPE Li, et al Expires May 2004 29 IPsec Policy Information Base November 2003 SYNTAX SEQUENCE OF IpSecProposalEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies IPsec proposals. It has references to ESP, AH and IPCOMP Transform sets. 
        Within a proposal, different types of transforms are ANDed.
        Multiple transforms of the same type are ORed with
        preference order."
    ::= { ipSecAssociation 7 }

ipSecProposalEntry OBJECT-TYPE
    SYNTAX      IpSecProposalEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecProposalPrid }
    UNIQUENESS {
        ipSecProposalEspTransformSetId,
        ipSecProposalAhTransformSetId,
        ipSecProposalCompTransformSetId
    }
    ::= { ipSecProposalTable 1 }

IpSecProposalEntry ::= SEQUENCE {
    ipSecProposalPrid               InstanceId,
    ipSecProposalEspTransformSetId  TagReferenceId,
    ipSecProposalAhTransformSetId   TagReferenceId,
    ipSecProposalCompTransformSetId TagReferenceId
}

ipSecProposalPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecProposalEntry 1 }

ipSecProposalEspTransformSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecEspTransformSetTransformSetId }
    STATUS      current
    DESCRIPTION
        "An integer that identifies a set of ESP transforms,
        specified in ipSecEspTransformSetTable, that is associated
        with this proposal."
    ::= { ipSecProposalEntry 2 }

ipSecProposalAhTransformSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecAhTransformSetTransformSetId }
    STATUS      current
    DESCRIPTION
        "An integer that identifies an AH transform set, specified
        in ipSecAhTransformSetTable, that is associated with this
        proposal."
    ::= { ipSecProposalEntry 3 }

ipSecProposalCompTransformSetId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecCompTransformSetTransformSetId }
    STATUS      current
    DESCRIPTION
        "An integer that identifies a set of IPComp transforms,
        specified in ipSecCompTransformSetTable, that is associated
        with this proposal."
    ::= { ipSecProposalEntry 4 }

--
--
-- The ipSecAhTransformSetTable
--
ipSecAhTransformSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecAhTransformSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies AH transform sets. Within a transform set, the
        transforms are ORed with preference order."
    ::= { ipSecAhTransform 1 }

ipSecAhTransformSetEntry OBJECT-TYPE
    SYNTAX      IpSecAhTransformSetEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAhTransformSetPrid }
    UNIQUENESS {
        ipSecAhTransformSetTransformSetId,
        ipSecAhTransformSetTransformId,
        ipSecAhTransformSetOrder
    }
    ::= { ipSecAhTransformSetTable 1 }

IpSecAhTransformSetEntry ::= SEQUENCE {
    ipSecAhTransformSetPrid             InstanceId,
    ipSecAhTransformSetTransformSetId   TagId,
    ipSecAhTransformSetTransformId      ReferenceId,
    ipSecAhTransformSetOrder            Unsigned16TC
}

ipSecAhTransformSetPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecAhTransformSetEntry 1 }

ipSecAhTransformSetTransformSetId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "An AH transform set is composed of one or more AH
        transforms. Each transform belonging to the same set has the
        same TransformSetId."
    ::= { ipSecAhTransformSetEntry 2 }

ipSecAhTransformSetTransformId OBJECT-TYPE
    SYNTAX      ReferenceId
    PIB-REFERENCES { ipSecAhTransformEntry }
    STATUS      current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecAhTransformTable."
    ::= { ipSecAhTransformSetEntry 3 }

ipSecAhTransformSetOrder OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order of the
        transform identified by ipSecAhTransformSetTransformId
        within a transform set. The transform set is identified by
        ipSecAhTransformSetTransformSetId. Transforms within a set
        are ORed with preference order. A smaller integer value
        indicates a higher preference."
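The OR/AND structure of proposal sets, proposals and transform sets described above (proposals in a set ORed by ipSecProposalSetOrder; ESP, AH and IPComp transform types ANDed inside one proposal; transforms of one type ORed by their *TransformSetOrder) is shown by the following Python, added here as an illustration and not taken from the draft. It expands the referenced rows into an ordered list of offers and then picks the first proposal a peer can satisfy, which is the decision a negotiator makes. It also derives the proposed SA selector from the triggering packet per ipSecAssociationGranularity. All table rows, transform names and the peer capability sets are constructed; the treatment of a transform set id of zero as "no transform of that type in this proposal" is an assumption, modelled on the draft's use of zero for "none" in its other TagReferenceId attributes.

```python
# Added illustration (not code from the draft): expanding constructed
# ipSecProposalSetTable, ipSecProposalTable and *TransformSetTable rows
# into ordered offers and selecting the first proposal a peer can satisfy.
from typing import Dict, List, Optional

SUBNET, ADDRESS, PROTOCOL, PORT = 1, 2, 3, 4      # ipSecAssociationGranularity

# Constructed rows. Proposal set 1 holds two proposals; the lower Order wins.
PROPOSAL_SET_TABLE = [   # ProposalSetId, ProposalId, Order
    {"setId": 1, "proposalId": "p-esp-only", "order": 20},
    {"setId": 1, "proposalId": "p-esp-ah", "order": 10},
]
# ProposalId -> transform set id per type. Assumption: set id 0 = none.
PROPOSAL_TABLE = {
    "p-esp-ah":   {"esp": 5, "ah": 7, "comp": 0},
    "p-esp-only": {"esp": 5, "ah": 0, "comp": 9},
}
TRANSFORM_SET_TABLES = {   # type -> rows (TransformSetId, TransformId, Order)
    "esp":  [{"setId": 5, "transformId": "esp-3des-sha", "order": 1},
             {"setId": 5, "transformId": "esp-des-md5", "order": 2}],
    "ah":   [{"setId": 7, "transformId": "ah-sha1", "order": 1},
             {"setId": 7, "transformId": "ah-md5", "order": 2}],
    "comp": [{"setId": 9, "transformId": "comp-deflate", "order": 1}],
}


def ordered_transforms(ttype: str, set_id: int) -> List[str]:
    """Transforms of one type, ORed in preference order (smaller Order first)."""
    rows = [r for r in TRANSFORM_SET_TABLES[ttype] if r["setId"] == set_id]
    return [r["transformId"] for r in sorted(rows, key=lambda r: r["order"])]


def expand_proposal_set(set_id: int) -> List[Dict[str, List[str]]]:
    """Proposals of a set, ORed in preference order; inside each proposal the
    transform types that are present are ANDed."""
    rows = [r for r in PROPOSAL_SET_TABLE if r["setId"] == set_id]
    expanded = []
    for row in sorted(rows, key=lambda r: r["order"]):
        refs = PROPOSAL_TABLE[row["proposalId"]]
        expanded.append({t: ordered_transforms(t, sid) for t, sid in refs.items() if sid})
    return expanded


def select_proposal(expanded: List[Dict[str, List[str]]],
                    peer_supports: Dict[str, set]) -> Optional[Dict[str, str]]:
    """First proposal for which every required type has a transform the peer
    supports; within a type the highest-preference supported transform wins."""
    for proposal in expanded:
        chosen = {}
        for ttype, candidates in proposal.items():
            match = next((c for c in candidates if c in peer_supports.get(ttype, set())), None)
            if match is None:
                break                     # one ANDed type unsatisfied: try the next proposal
            chosen[ttype] = match
        else:
            return chosen
    return None


def derive_selector(granularity: int, pkt: Dict, filter_entry: Dict) -> Dict:
    """Build the proposed SA selector from the triggering packet (or, for
    subnet granularity, from the filter entry) per ipSecAssociationGranularity."""
    if granularity == SUBNET:
        return {"src": filter_entry["srcSubnet"], "dst": filter_entry["dstSubnet"]}
    sel = {"src": pkt["src"], "dst": pkt["dst"]}
    if granularity >= PROTOCOL:
        sel["proto"] = pkt["proto"]
    if granularity == PORT:
        sel["sport"], sel["dport"] = pkt["sport"], pkt["dport"]
    return sel


if __name__ == "__main__":
    offers = expand_proposal_set(1)
    print(offers)
    print(select_proposal(offers, {"esp": {"esp-des-md5"}, "ah": {"ah-md5"}}))
```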
    ::= { ipSecAhTransformSetEntry 4 }

--
--
-- The ipSecAhTransformTable
--
ipSecAhTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecAhTransformEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies AH transforms."
    ::= { ipSecAhTransform 2 }

ipSecAhTransformEntry OBJECT-TYPE
    SYNTAX      IpSecAhTransformEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAhTransformPrid }
    UNIQUENESS {
        ipSecAhTransformTransformId,
        ipSecAhTransformIntegrityKey,
        ipSecAhTransformUseReplayPrevention,
        ipSecAhTransformReplayPreventionWindowSize,
        ipSecAhTransformVendorId,
        ipSecAhTransformMaxLifetimeSeconds,
        ipSecAhTransformMaxLifetimeKilobytes
    }
    ::= { ipSecAhTransformTable 1 }

IpSecAhTransformEntry ::= SEQUENCE {
    ipSecAhTransformPrid                        InstanceId,
    ipSecAhTransformTransformId                 INTEGER,
    ipSecAhTransformIntegrityKey                OCTET STRING,
    ipSecAhTransformUseReplayPrevention         TruthValue,
    ipSecAhTransformReplayPreventionWindowSize  Unsigned32,
    ipSecAhTransformVendorId                    OCTET STRING,
    ipSecAhTransformMaxLifetimeSeconds          Unsigned32,
    ipSecAhTransformMaxLifetimeKilobytes        Unsigned64
}

ipSecAhTransformPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecAhTransformEntry 1 }

ipSecAhTransformTransformId OBJECT-TYPE
    SYNTAX      INTEGER {
                    md5(2),
                    sha-1(3),
                    des(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the transform ID of the AH algorithm to propose."
    ::= { ipSecAhTransformEntry 2 }

ipSecAhTransformIntegrityKey OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "When this AH transform instance is used for a Static
        Action, this attribute specifies the integrity key to be
        used. This attribute MUST be ignored when this AH transform
        instance is used for a Negotiation Action."
    ::= { ipSecAhTransformEntry 3 }

ipSecAhTransformUseReplayPrevention OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Specifies whether to enable replay prevention detection."
    ::= { ipSecAhTransformEntry 4 }

ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies, in bits, the length of the sliding window used
        by the replay prevention detection mechanism. The value of
        this property is ignored if U﻿seReplayPrevention is false.
        It is assumed that the window size will be a power of 2."
    ::= { ipSecAhTransformEntry 5 }

ipSecAhTransformVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "Specifies the vendor ID for vendor-defined transforms."
    ::= { ipSecAhTransformEntry 6 }

ipSecAhTransformMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    STATUS      current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a
        security association to remain valid. A value of zero
        indicates that the default of 8 hours be used. A non-zero
        value indicates the maximum seconds lifetime."
    ::= { ipSecAhTransformEntry 7 }

ipSecAhTransformMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX      Unsigned64
    UNITS       "kilobytes"
    STATUS      current
    DESCRIPTION
        "Specifies the maximum kilobyte lifetime to propose for a
        security association to remain valid. A value of zero
        indicates that there should be no maximum kilobyte lifetime.
        A non-zero value specifies the desired kilobyte lifetime."
    ::= { ipSecAhTransformEntry 8 }

--
--
-- The ipSecEspTransformSetTable
--
ipSecEspTransformSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecEspTransformSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies ESP transform sets. Within a transform set, the
        choices are ORed with preference order.
" ::= { ipSecEspTransform 1 } ipSecEspTransformSetEntry OBJECT-TYPE SYNTAX IpSecEspTransformSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" PIB-INDEX { ipSecEspTransformSetPrid } UNIQUENESS { ipSecEspTransformSetTransformSetId, ipSecEspTransformSetTransformId, ipSecEspTransformSetOrder } ::= { ipSecEspTransformSetTable 1 } IpSecEspTransformSetEntry ::= SEQUENCE { ipSecEspTransformSetPrid InstanceId, ipSecEspTransformSetTransformSetId TagId, ipSecEspTransformSetTransformId ReferenceId, ipSecEspTransformSetOrder Unsigned16TC } ipSecEspTransformSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index that uniquely identifies an instance of this class." ::= { ipSecEspTransformSetEntry 1 } ipSecEspTransformSetTransformSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An ESP transform set is composed of one or more ESP transforms. Each transform belonging to the same set has the same TransformSetId." ::= { ipSecEspTransformSetEntry 2 } ipSecEspTransformSetTransformId OBJECT-TYPE SYNTAX ReferenceId PIB-REFERENCES {ipSecEspTransformEntry } STATUS current DESCRIPTION "A pointer to a valid instance in the ipSecEspTransformTable." ::= { ipSecEspTransformSetEntry 3 } Li, et al Expires May 2004 35 IPsec Policy Information Base November 2003 ipSecEspTransformSetOrder OBJECT-TYPE SYNTAX Unsigned16TC STATUS current DESCRIPTION "An integer that specifies the precedence order of the transform identified by ipSecEspTransformSetTransformId within a transform set. The transform set is identified by ipSecEspTransformSetTransformSetId. Transforms within a set are ORed with preference order. A smaller integer value indicates a higher preference." ::= { ipSecEspTransformSetEntry 4 } -- -- -- The ipSecEspTransformTable -- ipSecEspTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecEspTransformEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies ESP transforms." 
    ::= { ipSecEspTransform 2 }

ipSecEspTransformEntry OBJECT-TYPE
    SYNTAX      IpSecEspTransformEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecEspTransformPrid }
    UNIQUENESS {
        ipSecEspTransformIntegrityTransformId,
        ipSecEspTransformCipherTransformId,
        ipSecEspTransformIntegrityKey,
        ipSecEspTransformCipherKey,
        ipSecEspTransformCipherKeyRounds,
        ipSecEspTransformCipherKeyLength,
        ipSecEspTransformUseReplayPrevention,
        ipSecEspTransformReplayPreventionWindowSize,
        ipSecEspTransformVendorId,
        ipSecEspTransformMaxLifetimeSeconds,
        ipSecEspTransformMaxLifetimeKilobytes
    }
    ::= { ipSecEspTransformTable 1 }

IpSecEspTransformEntry ::= SEQUENCE {
    ipSecEspTransformPrid                       InstanceId,
    ipSecEspTransformIntegrityTransformId       INTEGER,
    ipSecEspTransformCipherTransformId          INTEGER,
    ipSecEspTransformIntegrityKey               OCTET STRING,
    ipSecEspTransformCipherKey                  OCTET STRING,
    ipSecEspTransformCipherKeyRounds            Unsigned16TC,
    ipSecEspTransformCipherKeyLength            Unsigned16TC,
    ipSecEspTransformUseReplayPrevention        TruthValue,
    ipSecEspTransformReplayPreventionWindowSize Unsigned32,
    ipSecEspTransformVendorId                   OCTET STRING,
    ipSecEspTransformMaxLifetimeSeconds         Unsigned32,
    ipSecEspTransformMaxLifetimeKilobytes       Unsigned64
}

ipSecEspTransformPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecEspTransformEntry 1 }

ipSecEspTransformIntegrityTransformId OBJECT-TYPE
    SYNTAX      INTEGER {
                    none(0),
                    hmacMd5(1),
                    hmacSha(2),
                    desMac(3),
                    kpdk(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the transform ID of the ESP integrity algorithm
        to propose."
    ::= { ipSecEspTransformEntry 2 }

ipSecEspTransformCipherTransformId OBJECT-TYPE
    SYNTAX      INTEGER {
                    desIV64(1),
                    des(2),
                    tripleDES(3),
                    rc5(4),
                    idea(5),
                    cast(6),
                    blowfish(7),
                    tripleIDEA(8),
                    desIV32(9),
                    rc4(10),
                    null(11)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the transform ID of the ESP encryption algorithm
        to propose."
    ::= { ipSecEspTransformEntry 3 }

ipSecEspTransformIntegrityKey OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "When this ESP transform instance is used for a Static
        Action, this attribute specifies the integrity key to be
        used. This attribute MUST be ignored when this ESP transform
        instance is used for a Negotiation Action."
    ::= { ipSecEspTransformEntry 4 }

ipSecEspTransformCipherKey OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "When this ESP transform instance is used for a Static
        Action, this attribute specifies the cipher key to be used.
        This attribute MUST be ignored when this ESP transform
        instance is used for a Negotiation Action."
    ::= { ipSecEspTransformEntry 5 }

ipSecEspTransformCipherKeyRounds OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies the number of key rounds for the ESP encryption
        algorithm. For encryption algorithms that use a fixed number
        of key rounds, this value is ignored."
    ::= { ipSecEspTransformEntry 6 }

ipSecEspTransformCipherKeyLength OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies, in bits, the key length for the ESP encryption
        algorithm. For encryption algorithms that use fixed-length
        keys, this value is ignored."
    ::= { ipSecEspTransformEntry 7 }

ipSecEspTransformUseReplayPrevention OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "Specifies whether to enable replay prevention detection."
    ::= { ipSecEspTransformEntry 8 }

ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies, in bits, the length of the sliding window used
        by the replay prevention detection mechanism. The value of
        this property is ignored if UseReplayPrevention is false.
        It is assumed that the window size will be a power of 2."
    ::= { ipSecEspTransformEntry 9 }

ipSecEspTransformVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "Specifies the vendor ID for vendor-defined transforms."
    ::= { ipSecEspTransformEntry 10 }

ipSecEspTransformMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    STATUS      current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a
        security association to remain valid. A value of zero
        indicates that the default of 8 hours be used. A non-zero
        value indicates the maximum seconds lifetime."
    ::= { ipSecEspTransformEntry 11 }

ipSecEspTransformMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX      Unsigned64
    UNITS       "kilobytes"
    STATUS      current
    DESCRIPTION
        "Specifies the maximum kilobyte lifetime to propose for a
        security association to remain valid. A value of zero
        indicates that there should be no maximum kilobyte lifetime.
        A non-zero value specifies the desired kilobyte lifetime."
    ::= { ipSecEspTransformEntry 12 }

--
--
-- The ipSecCompTransformSetTable
--
ipSecCompTransformSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecCompTransformSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPComp transform sets. Within a transform set,
        the choices are ORed with preference order."
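The AH and ESP transform attributes UseReplayPrevention and ReplayPreventionWindowSize configure the sliding-window replay check; the following Python class, added here as an illustration and not taken from the draft, shows what those two values actually control. It implements the usual IPsec bitmap window: a sequence number above the highest seen advances the window, one inside the window is rejected if its bit is already set, and one that falls left of the window is rejected outright because the receiver can no longer tell whether it was seen. A window size that is not a power of two is refused, matching the draft's stated assumption, and a disabled window accepts everything. The class name and the run_sequence() helper are constructed for the example.

```python
# Added illustration (not code from the draft): the sliding-window
# anti-replay check configured by ipSec*TransformUseReplayPrevention and
# ipSec*TransformReplayPreventionWindowSize. Class and helper names are
# constructed for this example.


class ReplayWindow:
    """Sliding window over received sequence numbers, window_size bits wide."""

    def __init__(self, window_size: int, enabled: bool = True):
        if window_size <= 0 or window_size & (window_size - 1):
            raise ValueError("window size must be a power of two")
        self.enabled = enabled           # ipSec*TransformUseReplayPrevention
        self.size = window_size          # ipSec*TransformReplayPreventionWindowSize (bits)
        self.top = 0                     # highest sequence number accepted so far
        self.bitmap = 0                  # bit i set => sequence number top - i already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False for a replay or for
        a packet older than the window. Always True when prevention is disabled."""
        if not self.enabled:
            return True
        if seq > self.top:
            # Advance the window: slide the bitmap, drop bits that fall off the left.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                 # left of the window: cannot be vetted, reject
        if self.bitmap & (1 << diff):
            return False                 # already seen: replay
        self.bitmap |= 1 << diff
        return True


def run_sequence(window_size: int, seqs, enabled: bool = True):
    """Feed a constructed sequence-number stream through one window and
    return the accept/reject decision for each packet."""
    window = ReplayWindow(window_size, enabled)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    print(run_sequence(64, [1, 2, 3, 3, 5, 4, 1000, 900, 950, 950, 937, 936]))
```

In the sample stream the duplicate 3 and the duplicate 950 are replays, 900 and 936 are rejected as older than the 64-entry window, and the out-of-order 4 and 937 are still accepted; widening the window trades memory for tolerance of reordering, which is the operational meaning of the WindowSize attribute.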
    ::= { ipSecCompTransform 1 }

ipSecCompTransformSetEntry OBJECT-TYPE
    SYNTAX IpSecCompTransformSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecCompTransformSetPrid }
    UNIQUENESS {
        ipSecCompTransformSetTransformSetId,
        ipSecCompTransformSetTransformId,
        ipSecCompTransformSetOrder
    }
    ::= { ipSecCompTransformSetTable 1 }

IpSecCompTransformSetEntry ::= SEQUENCE {
    ipSecCompTransformSetPrid            InstanceId,
    ipSecCompTransformSetTransformSetId  TagId,
    ipSecCompTransformSetTransformId     ReferenceId,
    ipSecCompTransformSetOrder           Unsigned16TC
}

ipSecCompTransformSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecCompTransformSetEntry 1 }

ipSecCompTransformSetTransformSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IPCOMP transform set is composed of one or more IPCOMP
        transforms. Each transform belonging to the same set has
        the same TransformSetId."
    ::= { ipSecCompTransformSetEntry 2 }

ipSecCompTransformSetTransformId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecCompTransformEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the
        ipSecCompTransformTable."
    ::= { ipSecCompTransformSetEntry 3 }

ipSecCompTransformSetOrder OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the
        transform identified by ipSecCompTransformSetTransformId
        within a transform set. The transform set is identified by
        ipSecCompTransformSetTransformSetId. Transforms within a
        set are ORed with preference order. A smaller integer value
        indicates a higher preference."
    ::= { ipSecCompTransformSetEntry 4 }

--
--
-- The ipSecCompTransformTable
--

ipSecCompTransformTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCompTransformEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IP compression (IPCOMP) algorithms."
    ::= { ipSecCompTransform 2 }

ipSecCompTransformEntry OBJECT-TYPE
    SYNTAX IpSecCompTransformEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecCompTransformPrid }
    UNIQUENESS {
        ipSecCompTransformAlgorithm,
        ipSecCompTransformDictionarySize,
        ipSecCompTransformPrivateAlgorithm,
        ipSecCompTransformVendorId,
        ipSecCompTransformMaxLifetimeSeconds,
        ipSecCompTransformMaxLifetimeKilobytes
    }
    ::= { ipSecCompTransformTable 1 }

IpSecCompTransformEntry ::= SEQUENCE {
    ipSecCompTransformPrid                  InstanceId,
    ipSecCompTransformAlgorithm             INTEGER,
    ipSecCompTransformDictionarySize        Unsigned16TC,
    ipSecCompTransformPrivateAlgorithm      Unsigned32,
    ipSecCompTransformVendorId              OCTET STRING,
    ipSecCompTransformMaxLifetimeSeconds    Unsigned32,
    ipSecCompTransformMaxLifetimeKilobytes  Unsigned64
}

ipSecCompTransformPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecCompTransformEntry 1 }

ipSecCompTransformAlgorithm OBJECT-TYPE
    SYNTAX INTEGER {
        oui(1),
        deflate(2),
        lzs(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the transform ID of the IPCOMP compression
        algorithm to propose."
    ::= { ipSecCompTransformEntry 2 }

ipSecCompTransformDictionarySize OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "Specifies the log2 maximum size of the dictionary for the
        compression algorithm. For compression algorithms that have
        pre-defined dictionary sizes, this value is ignored."
    ::= { ipSecCompTransformEntry 3 }

ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies a private vendor-specific compression algorithm."
    ::= { ipSecCompTransformEntry 4 }

ipSecCompTransformVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the vendor ID for vendor-defined transforms."
    ::= { ipSecCompTransformEntry 5 }

ipSecCompTransformMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a
        security association to remain valid. A value of zero
        indicates that the default of 8 hours be used. A non-zero
        value indicates the maximum seconds lifetime."
    ::= { ipSecCompTransformEntry 6 }

ipSecCompTransformMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the maximum kilobyte lifetime to propose for a
        security association to remain valid. A value of zero
        indicates that there should be no maximum kilobyte
        lifetime. A non-zero value specifies the desired kilobyte
        lifetime."
    ::= { ipSecCompTransformEntry 7 }

--
--
-- The ipSecIkeRuleTable
--

ipSecIkeRuleTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeRuleEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE rules. This table is required only when
        specifying:

        - Multiple IKE phase one actions (e.g., with different
          exchange modes) that are associated with one IPsec
          association. These actions are to be tried in sequence
          until one succeeds.

        - IKE phase one actions that start automatically.

        Support of this table is optional."
    ::= { ipSecIkeAssociation 1 }

ipSecIkeRuleEntry OBJECT-TYPE
    SYNTAX IpSecIkeRuleEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeRulePrid }
    UNIQUENESS {
        ipSecIkeRuleIfName,
        ipSecIkeRuleRoles,
        ipSecIkeRuleIkeActionSetId,
        ipSecIkeRuleActionExecutionStrategy,
        ipSecIkeRuleLimitNegotiation,
        ipSecIkeRuleAutoStart
    }
    ::= { ipSecIkeRuleTable 1 }

IpSecIkeRuleEntry ::= SEQUENCE {
    ipSecIkeRulePrid                        InstanceId,
    ipSecIkeRuleIfName                      SnmpAdminString,
    ipSecIkeRuleRoles                       RoleCombination,
    ipSecIkeRuleIkeActionSetId              TagReferenceId,
    ipSecIkeRuleActionExecutionStrategy     INTEGER,
    ipSecIkeRuleLimitNegotiation            INTEGER,
    ipSecIkeRuleAutoStart                   TruthValue,
    ipSecIkeRuleIpSecRuleTimePeriodGroupId  TagReferenceId
}

ipSecIkeRulePrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecIkeRuleEntry 1 }

ipSecIkeRuleIfName OBJECT-TYPE
    SYNTAX SnmpAdminString
    STATUS current
    DESCRIPTION
        "The interface capability set to which this IKE rule
        applies. The interface capability name specified by this
        attribute must exist in the frwkCapabilitySetTable [9]
        prior to association with an instance of this class. This
        attribute MUST be ignored if ipSecIkeRuleAutoStart is
        false."
    ::= { ipSecIkeRuleEntry 2 }

ipSecIkeRuleRoles OBJECT-TYPE
    SYNTAX RoleCombination
    STATUS current
    DESCRIPTION
        "Specifies the role combination of the interface to which
        this IKE rule should apply. There must exist an instance in
        the frwkRoleComboTable [9] specifying this role
        combination, together with the interface capability set
        specified by ipSecIkeRuleIfName, prior to association with
        an instance of this class. This attribute MUST be ignored
        if ipSecIkeRuleAutoStart is false."
    ::= { ipSecIkeRuleEntry 3 }

ipSecIkeRuleIkeActionSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecIkeActionSetActionSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IKE actions to be associated with this
        rule."
    ::= { ipSecIkeRuleEntry 4 }

ipSecIkeRuleActionExecutionStrategy OBJECT-TYPE
    SYNTAX INTEGER {
        doAll(1),
        doUntilSuccess(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the strategy to be used in executing the
        sequenced actions in the action set identified by
        ipSecIkeRuleIkeActionSetId.

        doAll(1) causes the execution of all the actions in the
        action set according to their defined precedence order.
        The precedence order is specified by
        ipSecIkeActionSetOrder in the ipSecIkeActionSetTable.

        doUntilSuccess(2) causes the execution of actions
        according to their defined precedence order until a single
        action executes successfully. The precedence order is
        specified by ipSecIkeActionSetOrder in the
        ipSecIkeActionSetTable."
    ::= { ipSecIkeRuleEntry 5 }

ipSecIkeRuleLimitNegotiation OBJECT-TYPE
    SYNTAX INTEGER {
        initiator(1),
        responder(2),
        both(3)
    }
    STATUS current
    DESCRIPTION
        "Limits the negotiation role of this rule. Before
        proceeding with a phase 1 negotiation, this property is
        checked to determine if the negotiation role of the rule
        matches that defined for the negotiation being undertaken
        (e.g., initiator, responder or both). If this check fails
        (e.g., the current role is IKE responder while the rule
        specifies IKE initiator), then the IKE negotiation is
        stopped. Note that this only applies to new IKE phase 1
        negotiations and has no effect on either renegotiation or
        refresh operations with peers for which an established SA
        already exists."
    ::= { ipSecIkeRuleEntry 6 }

ipSecIkeRuleAutoStart OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Indicates if this rule should be automatically executed."
    ::= { ipSecIkeRuleEntry 7 }

ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecRuleTimePeriodSetRuleTimePeriodSetId }
    STATUS current
    DESCRIPTION
        "Identifies a rule time period set, specified in
        ipSecRuleTimePeriodSetTable, that is associated with this
        rule. A value of zero indicates that this rule is always
        valid."
    ::= { ipSecIkeRuleEntry 8 }

--
--
-- The ipSecIkeActionSetTable
--

ipSecIkeActionSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeActionSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE action sets."
    ::= { ipSecIkeAssociation 2 }

ipSecIkeActionSetEntry OBJECT-TYPE
    SYNTAX IpSecIkeActionSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeActionSetPrid }
    UNIQUENESS {
        ipSecIkeActionSetActionSetId,
        ipSecIkeActionSetActionId,
        ipSecIkeActionSetOrder
    }
    ::= { ipSecIkeActionSetTable 1 }

IpSecIkeActionSetEntry ::= SEQUENCE {
    ipSecIkeActionSetPrid         InstanceId,
    ipSecIkeActionSetActionSetId  TagId,
    ipSecIkeActionSetActionId     ReferenceId,
    ipSecIkeActionSetOrder        Unsigned16TC
}

ipSecIkeActionSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecIkeActionSetEntry 1 }

ipSecIkeActionSetActionSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IKE action set is composed of one or more IKE actions.
        Each action belonging to the same set has the same
        ActionSetId."
    ::= { ipSecIkeActionSetEntry 2 }

ipSecIkeActionSetActionId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIkeAssociationEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the
        ipSecIkeAssociationTable."
    ::= { ipSecIkeActionSetEntry 3 }

ipSecIkeActionSetOrder OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "Specifies the precedence order of the action within the
        action set. An action with a smaller precedence order is
        to be tried before one with a larger precedence order."
    ::= { ipSecIkeActionSetEntry 4 }

--
--
-- The ipSecIkeAssociationTable
--

ipSecIkeAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE associations."
    ::= { ipSecIkeAssociation 3 }

ipSecIkeAssociationEntry OBJECT-TYPE
    SYNTAX IpSecIkeAssociationEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeAssociationPrid }
    UNIQUENESS {
        ipSecIkeAssociationMinLiftetimeSeconds,
        ipSecIkeAssociationMinLifetimeKilobytes,
        ipSecIkeAssociationIdleDurationSeconds,
        ipSecIkeAssociationExchangeMode,
        ipSecIkeAssociationUseIkeIdentityType,
        ipSecIkeAssociationUseIkeIdentityValue,
        ipSecIkeAssociationIkePeerEndpoint,
        ipSecIkeAssociationPresharedKey,
        ipSecIkeAssociationVendorId,
        ipSecIkeAssociationAggressiveModeGroupId,
        ipSecIkeAssociationLocalCredentialId,
        ipSecIkeAssociationDoActionLogging,
        ipSecIkeAssociationIkeProposalSetId
    }
    ::= { ipSecIkeAssociationTable 1 }

IpSecIkeAssociationEntry ::= SEQUENCE {
    ipSecIkeAssociationPrid                   InstanceId,
    ipSecIkeAssociationMinLiftetimeSeconds    Unsigned32,
    ipSecIkeAssociationMinLifetimeKilobytes   Unsigned64,
    ipSecIkeAssociationIdleDurationSeconds    Unsigned32,
    ipSecIkeAssociationExchangeMode           INTEGER,
    ipSecIkeAssociationUseIkeIdentityType     INTEGER,
    ipSecIkeAssociationUseIkeIdentityValue    OCTET STRING,
    ipSecIkeAssociationIkePeerEndpoint        ReferenceId,
    ipSecIkeAssociationPresharedKey           OCTET STRING,
    ipSecIkeAssociationVendorId               OCTET STRING,
    ipSecIkeAssociationAggressiveModeGroupId  Unsigned16TC,
    ipSecIkeAssociationLocalCredentialId      TagReferenceId,
    ipSecIkeAssociationDoActionLogging        TruthValue,
    ipSecIkeAssociationIkeProposalSetId       TagReferenceId
}

ipSecIkeAssociationPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecIkeAssociationEntry 1 }

ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be
        accepted from a peer while negotiating an SA based upon
        this action. A value of zero indicates that there is no
        minimum lifetime enforced."
    ::= { ipSecIkeAssociationEntry 2 }

ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be
        accepted from a negotiating peer while negotiating an SA
        based upon this action. A value of zero indicates that
        there is no minimum lifetime enforced."
    ::= { ipSecIkeAssociationEntry 3 }

ipSecIkeAssociationIdleDurationSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies how long, in seconds, a security association
        may remain unused before it is deleted. A value of zero
        indicates that idle detection should not be used for the
        security association (only the seconds and kilobyte
        lifetimes will be used)."
    ::= { ipSecIkeAssociationEntry 4 }

ipSecIkeAssociationExchangeMode OBJECT-TYPE
    SYNTAX INTEGER {
        baseMode(1),
        mainMode(2),
        aggressiveMode(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the negotiation mode that the IKE server will
        use for phase one."
    ::= { ipSecIkeAssociationEntry 5 }

ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the type of IKE identity to use during IKE
        phase one negotiation."
    ::= { ipSecIkeAssociationEntry 6 }

ipSecIkeAssociationUseIkeIdentityValue OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the ID payload value to be provided to the peer
        during IKE phase one negotiation."
    ::= { ipSecIkeAssociationEntry 7 }

ipSecIkeAssociationIkePeerEndpoint OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIkePeerEndpointEntry }
    STATUS current
    DESCRIPTION
        "Pointer to a valid instance in the
        ipSecIkePeerEndpointTable to indicate an IKE peer
        endpoint."
    ::= { ipSecIkeAssociationEntry 8 }

ipSecIkeAssociationPresharedKey OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "This attribute specifies the preshared key or secret to
        use for IKE authentication. This is the key for all the
        IKE proposals of this association that set
        ipSecIkeProposalAuthenticationMethod to presharedKey(1)."
    ::= { ipSecIkeAssociationEntry 9 }

ipSecIkeAssociationVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the value to be used in the Vendor ID payload.
        A value of NULL means that a Vendor ID payload will be
        neither generated nor accepted. A non-NULL value means that
        a Vendor ID payload will be generated (when acting as an
        initiator) or is expected (when acting as a responder)."
    ::= { ipSecIkeAssociationEntry 10 }

ipSecIkeAssociationAggressiveModeGroupId OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "Specifies the group ID to be used for aggressive mode.
        This attribute is ignored unless
        ipSecIkeAssociationExchangeMode is set to
        aggressiveMode(4). If the value of this attribute is from
        the vendor-specific range (32768-65535),
        ipSecIkeAssociationVendorId qualifies the group number."
    ::= { ipSecIkeAssociationEntry 11 }

ipSecIkeAssociationLocalCredentialId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecCredentialSetSetId }
    STATUS current
    DESCRIPTION
        "Indicates a group of credentials. One of the credentials
        in the group MUST be used when establishing an IKE
        association with the peer endpoint."
    ::= { ipSecIkeAssociationEntry 12 }

ipSecIkeAssociationDoActionLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether a log message is to be generated when
        the negotiation is attempted (with the success or failure
        result)."
    ::= { ipSecIkeAssociationEntry 13 }

ipSecIkeAssociationIkeProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecIkeProposalSetProposalSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of IKE proposals that is associated with
        this IKE association."
    ::= { ipSecIkeAssociationEntry 14 }

--
--
-- The ipSecIkeProposalSetTable
--

ipSecIkeProposalSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE proposal sets. Proposals within a set are
        ORed with preference order."
    ::= { ipSecIkeAssociation 4 }

ipSecIkeProposalSetEntry OBJECT-TYPE
    SYNTAX IpSecIkeProposalSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeProposalSetPrid }
    UNIQUENESS {
        ipSecIkeProposalSetProposalSetId,
        ipSecIkeProposalSetProposalId,
        ipSecIkeProposalSetOrder
    }
    ::= { ipSecIkeProposalSetTable 1 }

IpSecIkeProposalSetEntry ::= SEQUENCE {
    ipSecIkeProposalSetPrid           InstanceId,
    ipSecIkeProposalSetProposalSetId  TagId,
    ipSecIkeProposalSetProposalId     ReferenceId,
    ipSecIkeProposalSetOrder          Unsigned16TC
}

ipSecIkeProposalSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecIkeProposalSetEntry 1 }

ipSecIkeProposalSetProposalSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An IKE proposal set is composed of one or more IKE
        proposals. Each proposal belonging to the same set has the
        same ProposalSetId."
    ::= { ipSecIkeProposalSetEntry 2 }

ipSecIkeProposalSetProposalId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecIkeProposalEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the
        ipSecIkeProposalTable."
    ::= { ipSecIkeProposalSetEntry 3 }

ipSecIkeProposalSetOrder OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the
        proposal identified by ipSecIkeProposalSetProposalId in a
        proposal set. The proposal set is identified by
        ipSecIkeProposalSetProposalSetId. Proposals within a set
        are ORed with preference order. A smaller integer value
        indicates a higher preference."
    ::= { ipSecIkeProposalSetEntry 4 }

--
--
-- The ipSecIkeProposalTable
--

ipSecIkeProposalTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeProposalEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE proposals."
    ::= { ipSecIkeAssociation 5 }

ipSecIkeProposalEntry OBJECT-TYPE
    SYNTAX IpSecIkeProposalEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkeProposalPrid }
    UNIQUENESS {
        ipSecIkeProposalMaxLifetimeSeconds,
        ipSecIkeProposalMaxLifetimeKilobytes,
        ipSecIkeProposalCipherAlgorithm,
        ipSecIkeProposalHashAlgorithm,
        ipSecIkeProposalAuthenticationMethod,
        ipSecIkeProposalPrfAlgorithm,
        ipSecIkeProposalIkeDhGroup,
        ipSecIkeProposalVendorId
    }
    ::= { ipSecIkeProposalTable 1 }

IpSecIkeProposalEntry ::= SEQUENCE {
    ipSecIkeProposalPrid                  InstanceId,
    ipSecIkeProposalMaxLifetimeSeconds    Unsigned32,
    ipSecIkeProposalMaxLifetimeKilobytes  Unsigned64,
    ipSecIkeProposalCipherAlgorithm       INTEGER,
    ipSecIkeProposalHashAlgorithm         INTEGER,
    ipSecIkeProposalAuthenticationMethod  INTEGER,
    ipSecIkeProposalPrfAlgorithm          Unsigned16TC,
    ipSecIkeProposalIkeDhGroup            Unsigned16TC,
    ipSecIkeProposalVendorId              OCTET STRING
}

ipSecIkeProposalPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecIkeProposalEntry 1 }

ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    STATUS current
    DESCRIPTION
        "Specifies the maximum amount of time to propose for a
        security association to remain valid. A value of zero
        indicates that the default of 8 hours be used. A non-zero
        value indicates the maximum seconds lifetime."
    ::= { ipSecIkeProposalEntry 2 }

ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned64
    UNITS "kilobytes"
    STATUS current
    DESCRIPTION
        "Specifies the maximum kilobyte lifetime to propose for a
        security association to remain valid. A value of zero
        indicates that there should be no maximum kilobyte
        lifetime. A non-zero value specifies the desired kilobyte
        lifetime."
    ::= { ipSecIkeProposalEntry 3 }

ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
    SYNTAX INTEGER {
        des-CBC(1),
        idea-CBC(2),
        blowfish-CBC(3),
        rc5-R16-B64-CBC(4),
        tripleDes-CBC(5),
        cast-CBC(6)
    }
    STATUS current
    DESCRIPTION
        "Specifies the encryption algorithm to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 4 }

ipSecIkeProposalHashAlgorithm OBJECT-TYPE
    SYNTAX INTEGER {
        md5(1),
        sha-1(2),
        tiger(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the hash algorithm to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 5 }

ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
    SYNTAX INTEGER {
        presharedKey(1),
        dssSignatures(2),
        rsaSignatures(3),
        rsaEncryption(4),
        revisedRsaEncryption(5),
        kerberos(6)
    }
    STATUS current
    DESCRIPTION
        "Specifies the authentication method to propose for the
        IKE association."
    ::= { ipSecIkeProposalEntry 6 }

ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "Specifies the Pseudo-Random Function (PRF) to propose for
        the IKE association."
    ::= { ipSecIkeProposalEntry 7 }

ipSecIkeProposalIkeDhGroup OBJECT-TYPE
    SYNTAX Unsigned16TC
    STATUS current
    DESCRIPTION
        "Specifies the Diffie-Hellman group to propose for the IKE
        association. The value of this property is to be ignored
        when doing aggressive mode."
    ::= { ipSecIkeProposalEntry 8 }

ipSecIkeProposalVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Further qualifies the key exchange group. This attribute
        is ignored unless the exchange is not in aggressive mode
        and ipSecIkeProposalIkeDhGroup is in the vendor-specific
        range."
    ::= { ipSecIkeProposalEntry 9 }

--
--
-- The ipSecIkePeerEndpointTable
--

ipSecIkePeerEndpointTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkePeerEndpointEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE peer endpoints."
    ::= { ipSecIkeAssociation 6 }

ipSecIkePeerEndpointEntry OBJECT-TYPE
    SYNTAX IpSecIkePeerEndpointEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIkePeerEndpointPrid }
    UNIQUENESS {
        ipSecIkePeerEndpointIdentityType,
        ipSecIkePeerEndpointIdentityValue,
        ipSecIkePeerEndpointIsNegated,
        ipSecIkePeerEndpointAddress,
        ipSecIkePeerEndpointCredentialSetId
    }
    ::= { ipSecIkePeerEndpointTable 1 }

IpSecIkePeerEndpointEntry ::= SEQUENCE {
    ipSecIkePeerEndpointPrid             InstanceId,
    ipSecIkePeerEndpointIdentityType     INTEGER,
    ipSecIkePeerEndpointIdentityValue    OCTET STRING,
    ipSecIkePeerEndpointIsNegated        TruthValue,
    ipSecIkePeerEndpointAddress          ReferenceId,
    ipSecIkePeerEndpointCredentialSetId  TagReferenceId
}

ipSecIkePeerEndpointPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecIkePeerEndpointEntry 1 }

ipSecIkePeerEndpointIdentityType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the type of identity that MUST be provided by
        the peer in the ID payload during IKE phase one
        negotiation."
    ::= { ipSecIkePeerEndpointEntry 2 }

ipSecIkePeerEndpointIdentityValue OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies the value to be matched with the ID payload
        provided by the peer during IKE phase one negotiation. The
        syntax may need to be converted for comparison. If the
        ipSecIkePeerEndpointIdentityType is a DistinguishedName,
        the name in the ipSecIkePeerEndpointIdentityValue is
        represented by an ordinary string value, but this value
        must be converted into a DER-encoded string before
        matching against the values extracted from IKE ID payloads
        at runtime. The same applies to IPv4 and IPv6 addresses.

        Different wildcard mechanisms can be used, as well as the
        prefix notation for IPv4 addresses, depending on the ID
        payload:

        - an IdentityValue of *@example.com will match a user FQDN
          ID payload of JDOE@EXAMPLE.COM

        - an IdentityValue of *.example.com will match a FQDN ID
          payload of WWW.EXAMPLE.COM

        - an IdentityValue of cn=*,ou=engineering,o=company,c=us
          will match a DER DN ID payload of
          cn=John Doe, ou=engineering, o=company, c=us

        - an IdentityValue of 193.190.125.0/24 will match an IPv4
          address ID payload of 193.190.125.10.

        - an IdentityValue of 193.190.125.* will also match an
          IPv4 address ID payload of 193.190.125.10.

        The above wildcard mechanisms MUST be supported for all ID
        payloads supported by the local IKE entity. The character
        * replaces 0 or more instances of any character."
    ::= { ipSecIkePeerEndpointEntry 3 }

ipSecIkePeerEndpointIsNegated OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "This attribute behaves like a logical NOT for the peer
        identity. If the value of this attribute is 'true', the
        peer identity whose type is specified by
        ipSecIkePeerEndpointIdentityType MUST NOT match the value
        specified by ipSecIkePeerEndpointIdentityValue."
    ::= { ipSecIkePeerEndpointEntry 4 }

ipSecIkePeerEndpointAddress OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecAddressEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid entry in the ipSecAddressTable to
        specify the endpoint address with which this PEP
        establishes an IKE association. The pointed-to address
        MUST be a single endpoint address. This attribute is used
        only when the IKE association is to be started
        automatically. Hence, the value of this attribute MUST be
        zero if ipSecIkeRuleAutoStart is false."
    ::= { ipSecIkePeerEndpointEntry 5 }

ipSecIkePeerEndpointCredentialSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecCredentialSetSetId }
    STATUS current
    DESCRIPTION
        "Identifies a set of credentials. Any one of the
        credentials in the set is acceptable as the IKE peer
        credential."
    ::= { ipSecIkePeerEndpointEntry 6 }

--
--
-- The ipSecCredentialSetTable
--

ipSecCredentialSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCredentialSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies credential sets. For IKE peer credentials, any
        one of the credentials in the set is acceptable as peer
        credential during IKE phase 1 negotiation. For IKE local
        credentials, any one of the credentials in the set can be
        used in IKE phase 1 negotiation."
    ::= { ipSecCredential 1 }

ipSecCredentialSetEntry OBJECT-TYPE
    SYNTAX IpSecCredentialSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecCredentialSetPrid }
    UNIQUENESS {
        ipSecCredentialSetPrid,
        ipSecCredentialSetSetId,
        ipSecCredentialSetCredentialId
    }
    ::= { ipSecCredentialSetTable 1 }

IpSecCredentialSetEntry ::= SEQUENCE {
    ipSecCredentialSetPrid          InstanceId,
    ipSecCredentialSetSetId         TagId,
    ipSecCredentialSetCredentialId  ReferenceId
}

ipSecCredentialSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecCredentialSetEntry 1 }

ipSecCredentialSetSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "A credential set is composed of one or more credentials.
        Each credential belonging to the same set has the same
        CredentialSetId."
    ::= { ipSecCredentialSetEntry 2 }

ipSecCredentialSetCredentialId OBJECT-TYPE
    SYNTAX ReferenceId
    PIB-REFERENCES { ipSecCredentialEntry }
    STATUS current
    DESCRIPTION
        "A pointer to a valid instance in the
        ipSecCredentialTable."
    ::= { ipSecCredentialSetEntry 3 }

--
--
-- The ipSecCredentialTable
--

ipSecCredentialTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecCredentialEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies credentials."
    ::= { ipSecCredential 2 }

ipSecCredentialEntry OBJECT-TYPE
    SYNTAX IpSecCredentialEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecCredentialPrid }
    UNIQUENESS {
        ipSecCredentialCredentialType,
        ipSecCredentialFieldsId,
        ipSecCredentialCrlDistributionPoint
    }
    ::= { ipSecCredentialTable 1 }

IpSecCredentialEntry ::= SEQUENCE {
    ipSecCredentialPrid                  InstanceId,
    ipSecCredentialCredentialType        INTEGER,
    ipSecCredentialFieldsId              TagReferenceId,
    ipSecCredentialCrlDistributionPoint  OCTET STRING
}

ipSecCredentialPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of
        this class."
    ::= { ipSecCredentialEntry 1 }

ipSecCredentialCredentialType OBJECT-TYPE
    SYNTAX INTEGER {
        certificateX509(1),
        kerberos-ticket(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies the type of credential to be matched."
    ::= { ipSecCredentialEntry 2 }

ipSecCredentialFieldsId OBJECT-TYPE
    SYNTAX TagReferenceId
    PIB-TAG { ipSecCredentialFieldsSetId }
    STATUS current
    DESCRIPTION
        "Identifies a group of matching criteria to be used for
        the peer credential. The identified criteria MUST all be
        satisfied."
    ::= { ipSecCredentialEntry 3 }

ipSecCredentialCrlDistributionPoint OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "When the credential type is certificateX509(1), this
        attribute identifies the Certificate Revocation List (CRL)
        distribution point for this credential."
    ::= { ipSecCredentialEntry 4 }

--
--
-- The ipSecCredentialFieldsTable
--

ipSecCredentialFieldsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecCredentialFieldsEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies sets of credential sub-fields and their values to be
        matched against."
    ::= { ipSecCredential 3 }

ipSecCredentialFieldsEntry OBJECT-TYPE
    SYNTAX      IpSecCredentialFieldsEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecCredentialFieldsPrid }
    UNIQUENESS { ipSecCredentialFieldsName,
                 ipSecCredentialFieldsValue,
                 ipSecCredentialFieldsIsNegated,
                 ipSecCredentialFieldsSetId }
    ::= { ipSecCredentialFieldsTable 1 }

IpSecCredentialFieldsEntry ::= SEQUENCE {
    ipSecCredentialFieldsPrid       InstanceId,
    ipSecCredentialFieldsName       OCTET STRING,
    ipSecCredentialFieldsValue      OCTET STRING,
    ipSecCredentialFieldsIsNegated  TruthValue,
    ipSecCredentialFieldsSetId      TagId
}

ipSecCredentialFieldsPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecCredentialFieldsEntry 1 }

ipSecCredentialFieldsName OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "Specifies the sub-field of the credential to match with. This
        is the string representation of an X.509 certificate attribute,
        e.g. serialNumber, issuerName, subjectName, etc."
    ::= { ipSecCredentialFieldsEntry 2 }

ipSecCredentialFieldsValue OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "Specifies the value to match with for the sub-field identified
        by ipSecCredentialFieldsName. A wildcard mechanism can be used
        in the Value string. E.g., if the Name is subjectName then a
        Value of cn=*,ou=engineering,o=foo,c=be will successfully match
        a certificate whose subject attribute is cn=Jane Doe,
        ou=engineering, o=foo, c=be. The wildcard character * can be
        used to represent 0 or several characters.

        If the ipSecCredentialFieldsName corresponds to a
        DistinguishedName, this value in the CIM class is represented
        by an ordinary string value. However, an implementation must
        convert this string to a DER-encoded string before matching
        against the values extracted from credentials at runtime."
    ::= { ipSecCredentialFieldsEntry 3 }

ipSecCredentialFieldsIsNegated OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "This attribute behaves like a logical NOT for the credential
        field match. If the value of this attribute is 'true', the
        credential field specified by ipSecCredentialFieldsName MUST NOT
        match the value specified by ipSecCredentialFieldsValue."
    ::= { ipSecCredentialFieldsEntry 4 }

ipSecCredentialFieldsSetId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "Specifies the set this criterion belongs to. All criteria
        within a set MUST be satisfied."
    ::= { ipSecCredentialFieldsEntry 5 }

--
--
-- The ipSecSelectorSetTable
--

ipSecSelectorSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecSelectorSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec selector sets."
    ::= { ipSecSelector 1 }

ipSecSelectorSetEntry OBJECT-TYPE
    SYNTAX      IpSecSelectorSetEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecSelectorSetPrid }
    UNIQUENESS { ipSecSelectorSetSelectorSetId,
                 ipSecSelectorSetSelectorId,
                 ipSecSelectorSetOrder,
                 ipSecSelectorSetIsNegated }
    ::= { ipSecSelectorSetTable 1 }

IpSecSelectorSetEntry ::= SEQUENCE {
    ipSecSelectorSetPrid           InstanceId,
    ipSecSelectorSetSelectorSetId  TagId,
    ipSecSelectorSetSelectorId     Prid,
    ipSecSelectorSetOrder          Unsigned16TC,
    ipSecSelectorSetIsNegated      TruthValue
}

ipSecSelectorSetPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
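Added example, not code from the draft: evaluating a set of ipSecCredentialFieldsTable rows against a peer certificate's sub-fields with the '*' wildcard, the IsNegated inversion and the all-criteria-in-a-set rule described above. The row dataclass, the constructed peer credentials and the string-normalised DN comparison (standing in for the DER-encoded comparison the draft requires) are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class CredentialFieldsRow:
    """One ipSecCredentialFieldsEntry (constructed type, not the PIB encoding)."""
    name: str         # ipSecCredentialFieldsName, e.g. "subjectName"
    value: str        # ipSecCredentialFieldsValue; '*' matches 0+ characters
    is_negated: bool  # ipSecCredentialFieldsIsNegated
    set_id: int       # ipSecCredentialFieldsSetId

def normalise_dn(dn: str) -> str:
    """Canonical string form of a DN: split on unescaped commas, strip the
    whitespace around each RDN, lower-case the attribute types. Assumption:
    this stands in for the DER-encoded comparison the draft requires."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            current.append(ch)
            escaped = not escaped
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parts = []
    for rdn in rdns:
        attr, _, val = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip()}")
    return ",".join(parts)

def _wild(pattern: str) -> str:
    # Only '*' is a wildcard in ipSecCredentialFieldsValue; neutralise the
    # other fnmatch metacharacters so a literal '[' or '?' matches itself.
    return pattern.replace("[", "[[]").replace("?", "[?]")

def field_matches(row: CredentialFieldsRow, credential: dict) -> bool:
    """Match one row against a peer credential given as a dict keyed by
    ipSecCredentialFieldsName. A sub-field the credential lacks never
    matches; IsNegated then inverts the result (so a negated criterion on
    a missing field is satisfied). Note that '*' also spans commas, so a
    DN pattern constrains only the RDNs it spells out."""
    actual = credential.get(row.name)
    if actual is None:
        matched = False
    elif row.name.lower() in ("subjectname", "issuername"):
        matched = fnmatchcase(normalise_dn(actual), _wild(normalise_dn(row.value)))
    else:
        matched = fnmatchcase(actual, _wild(row.value))
    return (not matched) if row.is_negated else matched

def credential_set_matches(rows, set_id: int, credential: dict) -> bool:
    """ipSecCredentialFieldsId semantics: every criterion in the set MUST be
    satisfied (logical AND). An empty set places no constraint."""
    return all(field_matches(r, credential) for r in rows if r.set_id == set_id)

# Constructed sample policy: set 7 admits engineering certificates from the
# "foo CA" issuer and refuses any whose serial number starts with TEST-.
SAMPLE_ROWS = [
    CredentialFieldsRow("subjectName", "cn=*,ou=engineering,o=foo,c=be", False, 7),
    CredentialFieldsRow("issuerName", "cn=foo CA,o=foo,c=be", False, 7),
    CredentialFieldsRow("serialNumber", "TEST-*", True, 7),
]
# Constructed peer credentials (sub-fields as a PEP would extract them).
PEER_OK = {
    "subjectName": "cn=Jane Doe, ou=engineering, o=foo, c=be",
    "issuerName": "CN=foo CA, O=foo, C=be",
    "serialNumber": "1A2B3C",
}
PEER_TEST_SERIAL = dict(PEER_OK, serialNumber="TEST-0042")
PEER_WRONG_OU = dict(PEER_OK, subjectName="cn=Mallory, ou=sales, o=foo, c=be")
```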
    ::= { ipSecSelectorSetEntry 1 }

ipSecSelectorSetSelectorSetId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "An IPsec selector set is composed of one or more IPsec
        selectors. Each selector belonging to the same set has the
        same SelectorSetId."
    ::= { ipSecSelectorSetEntry 2 }

ipSecSelectorSetSelectorId OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A pointer to a valid instance in another table that describes
        selectors. To use selectors defined in this IPsec PIB module,
        this attribute MUST point to an instance in ipSecSelectorTable.
        This attribute may also point to an instance in a selector or
        filter table defined in other PIB modules."
    ::= { ipSecSelectorSetEntry 3 }

ipSecSelectorSetOrder OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order of the
        selectors identified by ipSecSelectorId within a selector set.
        The selector set is identified by ipSecSelectorSetId. A smaller
        integer value indicates a higher preference. All selectors
        constructed from the instance pointed to by ipSecSelectorId
        have the same order."
    ::= { ipSecSelectorSetEntry 4 }

ipSecSelectorSetIsNegated OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "If the value of this attribute is 'true', the filters pointed
        to by ipSecSelectorSetSelectorId SHALL be negated."
    ::= { ipSecSelectorSetEntry 5 }

--
--
-- The ipSecSelectorTable
--

ipSecSelectorTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecSelectorEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPsec selectors. Each row in the selector table
        represents multiple selectors. These selectors are obtained as
        follows:

        1. Substitute the ipSecSelectorSrcAddressGroupId with all the
           IP addresses from the ipSecAddressTable whose
           ipSecAddressGroupId matches the
           ipSecSelectorSrcAddressGroupId.
        2. Substitute the ipSecSelectorDstAddressGroupId with all the
           IP addresses from the ipSecAddressTable whose
           ipSecAddressGroupId matches the
           ipSecSelectorDstAddressGroupId.
        3. Substitute the ipSecSelectorSrcPortGroupId with all the
           ports or ranges of ports whose ipSecL4PortGroupId matches
           the ipSecSelectorSrcPortGroupId.
        4. Substitute the ipSecSelectorDstPortGroupId with all the
           ports or ranges of ports whose ipSecL4PortGroupId matches
           the ipSecSelectorDstPortGroupId.
        5. Construct all the possible combinations of the above four
           fields. Then add to the combinations the
           ipSecSelectorProtocol, ipSecSelectorDscp and
           ipSecSelectorFlowLabel attributes to form all the selectors.

        The relative order of the selectors constructed from a single
        row is unspecified."
    ::= { ipSecSelector 2 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX      IpSecSelectorEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecSelectorPrid }
    UNIQUENESS { ipSecSelectorSrcAddressGroupId,
                 ipSecSelectorSrcPortGroupId,
                 ipSecSelectorDstAddressGroupId,
                 ipSecSelectorDstPortGroupId,
                 ipSecSelectorProtocol,
                 ipSecSelectorDscp,
                 ipSecSelectorFlowLabel }
    ::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
    ipSecSelectorPrid               InstanceId,
    ipSecSelectorSrcAddressGroupId  TagReferenceId,
    ipSecSelectorSrcPortGroupId     TagReferenceId,
    ipSecSelectorDstAddressGroupId  TagReferenceId,
    ipSecSelectorDstPortGroupId     TagReferenceId,
    ipSecSelectorProtocol           Unsigned32,
    ipSecSelectorDscp               DscpOrAny,
    ipSecSelectorFlowLabel          IPv6FlowLabelOrAny
}

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressGroupId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecAddressGroupId }
    STATUS      current
    DESCRIPTION
        "Indicates source addresses.
        All addresses in ipSecAddressTable whose ipSecAddressGroupId
        matches this value are included as source addresses. A value
        of zero indicates a wildcard address, i.e., any address
        matches."
    ::= { ipSecSelectorEntry 2 }

ipSecSelectorSrcPortGroupId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecL4PortGroupId }
    STATUS      current
    DESCRIPTION
        "Indicates source layer 4 port numbers. All ports in
        ipSecL4Port whose ipSecL4PortGroupId matches this value are
        included. A value of zero indicates a wildcard port, i.e., any
        port number matches."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddressGroupId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecAddressGroupId }
    STATUS      current
    DESCRIPTION
        "Indicates destination addresses. All addresses in
        ipSecAddressTable whose ipSecAddressGroupId matches this value
        are included as destination addresses. A value of zero
        indicates a wildcard address, i.e., any address matches."
    ::= { ipSecSelectorEntry 4 }

ipSecSelectorDstPortGroupId OBJECT-TYPE
    SYNTAX      TagReferenceId
    PIB-TAG     { ipSecL4PortGroupId }
    STATUS      current
    DESCRIPTION
        "Indicates destination layer 4 port numbers. All ports in
        ipSecL4Port whose ipSecL4PortGroupId matches this value are
        included. A value of zero indicates a wildcard port, i.e., any
        port number matches."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..255)
    STATUS      current
    DESCRIPTION
        "The layer-4 protocol Id to match against the IPv4 protocol
        number or the IPv6 Next-Header number in the packet. A value of
        255 means match all. Note that the protocol number 255 is
        reserved by IANA, and Next-Header number 0 is used in IPv6."
    ::= { ipSecSelectorEntry 6 }

ipSecSelectorDscp OBJECT-TYPE
    SYNTAX      DscpOrAny
    STATUS      current
    DESCRIPTION
        "The value that the DSCP in the packet can have and match this
        filter. A value of -1 indicates that a specific DSCP value has
        not been defined and thus all DSCP values are considered a
        match."
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorFlowLabel OBJECT-TYPE
    SYNTAX      IPv6FlowLabelOrAny
    STATUS      current
    DESCRIPTION
        "The flow identifier or flow label in an IPv6 packet header
        that may be used to discriminate traffic flows. The value of
        -1 is used to indicate a wildcard, i.e. any value."
    ::= { ipSecSelectorEntry 8 }

--
--
-- The ipSecAddressTable
--

ipSecAddressTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecAddressEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "This table allows the specification of a single IP address, a
        subnet consisting of an IP address and the prefix length, an IP
        address range, and a wild-card IP address.

        If the address type is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z', to
        specify a single IP address the values of ipSecAddressAddrMin
        and ipSecAddressAddrMax MUST be the same and the
        ipSecAddressAddrPrefixLength MUST have a value of 32 or greater
        (128 or greater for 'ipv6' or 'ipv6z'). To specify a subnet,
        the values of ipSecAddressAddrMin and ipSecAddressAddrMax MUST
        be the same and the ipSecAddressAddrPrefixLength MUST have a
        value between 0 and 32 (128 for 'ipv6' or 'ipv6z'). To specify
        an IP address range, the values of ipSecAddressAddrMin and
        ipSecAddressAddrMax MUST be different and the
        ipSecAddressAddrPrefixLength MUST have a value of 32 (or 128
        for 'ipv6' or 'ipv6z').

        If the address type is 'dns', ipSecAddressAddrMin and
        ipSecAddressAddrMax MUST contain the same 'dns' address. The
        ipSecAddressAddrPrefixLength MUST be ignored. The mapping of
        the address value to IPv4 or IPv6 addresses MUST be done by the
        PEP at install time. A dns name may be mapped into multiple
        single IP addresses. Each of them becomes a single row in the
        resulting address table.

        To specify a wild-card IP address, the
        ipSecAddressAddrPrefixLength MUST be zero."
    ::= { ipSecSelector 3 }

ipSecAddressEntry OBJECT-TYPE
    SYNTAX      IpSecAddressEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecAddressPrid }
    UNIQUENESS { ipSecAddressAddressType,
                 ipSecAddressAddrPrefixLength,
                 ipSecAddressAddrMin,
                 ipSecAddressAddrMax,
                 ipSecAddressGroupId }
    ::= { ipSecAddressTable 1 }

IpSecAddressEntry ::= SEQUENCE {
    ipSecAddressPrid              InstanceId,
    ipSecAddressAddressType       InetAddressType,
    ipSecAddressAddrPrefixLength  InetAddressPrefixLength,
    ipSecAddressAddrMin           InetAddress,
    ipSecAddressAddrMax           InetAddress,
    ipSecAddressGroupId           TagId
}

ipSecAddressPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecAddressEntry 1 }

ipSecAddressAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    STATUS      current
    DESCRIPTION
        "Specifies the type of IP address. While other types of
        addresses are defined in the InetAddressType textual
        convention, an IP filter can only use IPv4 and IPv6 addresses
        directly to classify traffic. All other InetAddressTypes
        require mapping to the corresponding IPv4 or IPv6 address
        before being used to classify traffic. Therefore, this object
        as such is not limited to IPv4 and IPv6 addresses, i.e., it
        can be assigned any of the valid values defined in the
        InetAddressType TC, but the mapping of the address values to
        IPv4 or IPv6 addresses must be done by the PEP at install
        time."
    ::= { ipSecAddressEntry 2 }

ipSecAddressAddrPrefixLength OBJECT-TYPE
    SYNTAX      InetAddressPrefixLength
    STATUS      current
    DESCRIPTION
        "The length of a mask for the matching of IP addresses. This
        attribute is interpreted only if the InetAddressType is 'ipv4',
        'ipv4z', 'ipv6' or 'ipv6z'. Masks are constructed by setting
        bits in sequence from the most-significant bit downwards for
        ipSecAddressAddrPrefixLength bits.
        All other bits in the mask, up to the number needed to fill
        the length of the address ipSecAddressAddrMin, are cleared to
        zero. A zero bit in the mask then means that the corresponding
        bit in the address always matches.

        In IPv4 addresses, a length of 0 indicates a match of any
        address. When ipSecAddressAddrMin and ipSecAddressAddrMax have
        the same value, a length of 32 or greater indicates a match of
        a single host address, and a length between 0 and 32 indicates
        the use of a CIDR Prefix. When ipSecAddressAddrMin and
        ipSecAddressAddrMax have different values, this attribute MUST
        have a value of 32 to indicate an IP address range.

        In IPv6 addresses, a length of 0 indicates a match of any
        address. When ipSecAddressAddrMin and ipSecAddressAddrMax have
        the same value, a length of 128 or greater indicates a match of
        a single host address, and a length between 0 and 128 indicates
        the use of a CIDR Prefix. When ipSecAddressAddrMin and
        ipSecAddressAddrMax have different values, this attribute MUST
        have a value of 128 in order to indicate an IP address range."
    ::= { ipSecAddressEntry 3 }

ipSecAddressAddrMin OBJECT-TYPE
    SYNTAX      InetAddress
    STATUS      current
    DESCRIPTION
        "Specifies an IP address. The type of the address is specified
        by the ipSecAddressAddressType attribute. If the address type
        is 'ipv4', 'ipv6', 'ipv4z' or 'ipv6z' then the attribute
        ipSecAddressAddrPrefixLength indicates the number of bits that
        are relevant."
    ::= { ipSecAddressEntry 4 }

ipSecAddressAddrMax OBJECT-TYPE
    SYNTAX      InetAddress
    STATUS      current
    DESCRIPTION
        "If a range of addresses is used then this specifies the
        ending address. The type of the address is specified by the
        ipSecAddressAddressType attribute. To specify a single IP
        address or a subnet, this attribute MUST be the same as that of
        ipSecAddressAddrMin.

        When ipSecAddressAddressType is 'dns', this attribute MUST
        contain the same DNS address as ipSecAddressAddrMin."
    ::= { ipSecAddressEntry 5 }

ipSecAddressGroupId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "Specifies the group this IP address, address range or subnet
        address belongs to."
    ::= { ipSecAddressEntry 6 }

--
--
-- The ipSecL4PortTable
--

ipSecL4PortTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecL4PortEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies layer four port numbers."
    ::= { ipSecSelector 4 }

ipSecL4PortEntry OBJECT-TYPE
    SYNTAX      IpSecL4PortEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecL4PortPrid }
    UNIQUENESS { ipSecL4PortPortMin,
                 ipSecL4PortPortMax,
                 ipSecL4PortGroupId }
    ::= { ipSecL4PortTable 1 }

IpSecL4PortEntry ::= SEQUENCE {
    ipSecL4PortPrid     InstanceId,
    ipSecL4PortPortMin  InetPortNumber,
    ipSecL4PortPortMax  InetPortNumber,
    ipSecL4PortGroupId  TagId
}

ipSecL4PortPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecL4PortEntry 1 }

ipSecL4PortPortMin OBJECT-TYPE
    SYNTAX      InetPortNumber
    STATUS      current
    DESCRIPTION
        "Specifies a layer 4 port or the first layer 4 port number of a
        range of ports. The value of this attribute must be equal to or
        less than that of ipSecL4PortPortMax. A value of zero indicates
        that any port matches."
    ::= { ipSecL4PortEntry 2 }

ipSecL4PortPortMax OBJECT-TYPE
    SYNTAX      InetPortNumber
    STATUS      current
    DESCRIPTION
        "Specifies the last layer 4 port in the range. If only a single
        port is specified, the value of this attribute must be equal to
        that of ipSecL4PortPortMin. Otherwise, the value of this
        attribute MUST be greater than that specified by
        ipSecL4PortPortMin. If ipSecL4PortPortMin is zero, this
        attribute MUST be ignored."
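Added example, not code from the draft: validating ipSecAddressTable and ipSecL4PortTable rows against the rules in their DESCRIPTION clauses and expanding one ipSecSelectorTable row into its concrete selectors by the five substitution steps described above. The row dataclasses, the sample rows, and the restriction to 'ipv4', 'ipv6' and 'dns' address types are assumptions.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class AddressRow:
    """One ipSecAddressEntry (constructed type, not the PIB encoding)."""
    addr_type: str   # ipSecAddressAddressType: 'ipv4', 'ipv6' or 'dns' here
    prefix_len: int  # ipSecAddressAddrPrefixLength
    addr_min: str    # ipSecAddressAddrMin
    addr_max: str    # ipSecAddressAddrMax
    group_id: int    # ipSecAddressGroupId

@dataclass(frozen=True)
class L4PortRow:
    """One ipSecL4PortEntry."""
    port_min: int    # ipSecL4PortPortMin (0 = any port)
    port_max: int    # ipSecL4PortPortMax (ignored when port_min is 0)
    group_id: int    # ipSecL4PortGroupId

def classify_address(row: AddressRow) -> str:
    """Return 'wildcard', 'host', 'subnet', 'range' or 'dns', or raise
    ValueError for a row that breaks the ipSecAddressTable rules; a PEP
    should reject such a row at install time rather than guess, since a
    guess widens or narrows the traffic the IPsec rule covers."""
    if row.addr_type == "dns":
        if row.addr_min != row.addr_max:
            raise ValueError("dns rows carry the same name in AddrMin/AddrMax")
        return "dns"  # prefix length ignored; the PEP resolves the name
    if row.addr_type not in ("ipv4", "ipv6"):
        raise ValueError(f"example handles ipv4/ipv6 only: {row.addr_type!r}")
    lo = ipaddress.ip_address(row.addr_min)
    hi = ipaddress.ip_address(row.addr_max)
    bits = lo.max_prefixlen  # 32 for IPv4, 128 for IPv6
    if lo.version != hi.version or (row.addr_type == "ipv4") != (bits == 32):
        raise ValueError("address type and address literals disagree")
    if row.prefix_len == 0:
        return "wildcard"  # length 0: any address matches
    if lo == hi:  # same Min and Max: single host or CIDR prefix
        return "host" if row.prefix_len >= bits else "subnet"
    if row.prefix_len != bits:  # a range MUST use 32 (or 128)
        raise ValueError(f"an address range requires prefix length {bits}")
    if lo > hi:
        raise ValueError("AddrMin must not be greater than AddrMax")
    return "range"

def address_matches(row: AddressRow, ip: str) -> bool:
    """Does packet address `ip` fall inside the row? dns rows must already
    have been mapped to ipv4/ipv6 rows, as the table DESCRIPTION requires."""
    kind = classify_address(row)
    if kind == "dns":
        raise ValueError("resolve dns rows before matching")
    addr, lo = ipaddress.ip_address(ip), ipaddress.ip_address(row.addr_min)
    if addr.version != lo.version:
        return False
    if kind == "wildcard":
        return True
    if kind == "host":
        return addr == lo
    if kind == "subnet":  # mask is prefix_len leading ones; host bits ignored
        net = ipaddress.ip_network(f"{lo}/{row.prefix_len}", strict=False)
        return addr in net
    return lo <= addr <= ipaddress.ip_address(row.addr_max)

def port_range(row: L4PortRow) -> Tuple[int, int]:
    """Validate an ipSecL4PortEntry; return the inclusive (min, max)."""
    if row.port_min == 0:
        return (0, 65535)  # zero means any port and PortMax is ignored
    if not 0 < row.port_min <= row.port_max <= 65535:
        raise ValueError("PortMax must be >= PortMin, both valid ports")
    return (row.port_min, row.port_max)

def expand_selector(addr_rows, port_rows, src_addr_gid, src_port_gid,
                    dst_addr_gid, dst_port_gid, protocol, dscp, flow_label):
    """Steps 1-5 of the ipSecSelectorTable DESCRIPTION: replace each group
    id by the rows tagged with it (0 = wildcard: None / any port) and take
    every combination. Failure mode to check for: a non-zero group id that
    no row carries yields an empty list, i.e. a rule that silently never
    matches any traffic."""
    def addrs(gid):
        return [None] if gid == 0 else [r for r in addr_rows if r.group_id == gid]

    def ports(gid):
        if gid == 0:
            return [(0, 65535)]
        return [port_range(r) for r in port_rows if r.group_id == gid]

    combos = itertools.product(addrs(src_addr_gid), ports(src_port_gid),
                               addrs(dst_addr_gid), ports(dst_port_gid))
    return [(sa, sp, da, dp, protocol, dscp, flow_label)
            for sa, sp, da, dp in combos]

# Constructed sample rows (documentation prefixes, not a real policy).
ADDR_ROWS = [
    AddressRow("ipv4", 24, "192.0.2.0", "192.0.2.0", 1),          # /24 subnet
    AddressRow("ipv4", 32, "198.51.100.10", "198.51.100.20", 1),  # range
    AddressRow("ipv6", 128, "2001:db8::1", "2001:db8::1", 2),     # single host
]
PORT_ROWS = [L4PortRow(500, 500, 5), L4PortRow(4500, 4500, 5)]    # IKE, NAT-T
```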
    ::= { ipSecL4PortEntry 3 }

ipSecL4PortGroupId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "Specifies the group this port or port range belongs to."
    ::= { ipSecL4PortEntry 4 }

--
--
-- The ipSecIpsoFilterSetTable
--

ipSecIpsoFilterSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecIpsoFilterSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPSO filter sets."
    ::= { ipSecSelector 5 }

ipSecIpsoFilterSetEntry OBJECT-TYPE
    SYNTAX      IpSecIpsoFilterSetEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIpsoFilterSetPrid }
    UNIQUENESS { ipSecIpsoFilterSetFilterSetId,
                 ipSecIpsoFilterSetFilterId,
                 ipSecIpsoFilterSetOrder,
                 ipSecIpsoFilterSetIsNegated }
    ::= { ipSecIpsoFilterSetTable 1 }

IpSecIpsoFilterSetEntry ::= SEQUENCE {
    ipSecIpsoFilterSetPrid         InstanceId,
    ipSecIpsoFilterSetFilterSetId  TagId,
    ipSecIpsoFilterSetFilterId     ReferenceId,
    ipSecIpsoFilterSetOrder        Unsigned16TC,
    ipSecIpsoFilterSetIsNegated    TruthValue
}

ipSecIpsoFilterSetPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIpsoFilterSetEntry 1 }

ipSecIpsoFilterSetFilterSetId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "An IPSO filter set is composed of one or more IPSO filters.
        Each filter belonging to the same set has the same
        FilterSetId."
    ::= { ipSecIpsoFilterSetEntry 2 }

ipSecIpsoFilterSetFilterId OBJECT-TYPE
    SYNTAX      ReferenceId
    PIB-REFERENCES { ipSecIpsoFilterEntry }
    STATUS      current
    DESCRIPTION
        "A pointer to a valid instance in the ipSecIpsoFilterTable."
    ::= { ipSecIpsoFilterSetEntry 3 }

ipSecIpsoFilterSetOrder OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order of the filter
        identified by ipSecIpsoFilterSetFilterId within a filter set.
        The filter set is identified by ipSecIpsoFilterSetFilterSetId.
        A smaller integer value indicates a higher preference."
    ::= { ipSecIpsoFilterSetEntry 4 }

ipSecIpsoFilterSetIsNegated OBJECT-TYPE
    SYNTAX      TruthValue
    STATUS      current
    DESCRIPTION
        "If the value of this attribute is 'true', the filter pointed
        to by ipSecIpsoFilterSetFilterId SHALL be negated."
    ::= { ipSecIpsoFilterSetEntry 5 }

--
--
-- The ipSecIpsoFilterTable
--

ipSecIpsoFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecIpsoFilterEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IPSO filters."
    ::= { ipSecSelector 6 }

ipSecIpsoFilterEntry OBJECT-TYPE
    SYNTAX      IpSecIpsoFilterEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIpsoFilterPrid }
    UNIQUENESS { ipSecIpsoFilterMatchConditionType,
                 ipSecIpsoFilterClassificationLevel,
                 ipSecIpsoFilterProtectionAuthority }
    ::= { ipSecIpsoFilterTable 1 }

IpSecIpsoFilterEntry ::= SEQUENCE {
    ipSecIpsoFilterPrid                 InstanceId,
    ipSecIpsoFilterMatchConditionType   INTEGER,
    ipSecIpsoFilterClassificationLevel  INTEGER,
    ipSecIpsoFilterProtectionAuthority  INTEGER
}

ipSecIpsoFilterPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIpsoFilterEntry 1 }

ipSecIpsoFilterMatchConditionType OBJECT-TYPE
    SYNTAX      INTEGER {
                    classificationLevel(1),
                    protectionAuthority(2)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the IPSO header field to be matched."
    ::= { ipSecIpsoFilterEntry 2 }

ipSecIpsoFilterClassificationLevel OBJECT-TYPE
    SYNTAX      INTEGER {
                    topSecret(61),
                    secret(90),
                    confidential(150),
                    unclassified(171)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the value for classification level to be matched
        against. This attribute MUST be ignored if
        ipSecIpsoFilterMatchConditionType is not 1
        (classificationLevel)."
    ::= { ipSecIpsoFilterEntry 3 }

ipSecIpsoFilterProtectionAuthority OBJECT-TYPE
    SYNTAX      INTEGER {
                    genser(0),
                    siop-esi(1),
                    sci(2),
                    nsa(3),
                    doe(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the value for protection authority to be matched
        against. This attribute MUST be ignored if
        ipSecIpsoFilterMatchConditionType is not 2
        (protectionAuthority)."
    ::= { ipSecIpsoFilterEntry 4 }

--
--
-- The ipSecRuleTimePeriodTable
--

ipSecRuleTimePeriodTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecRuleTimePeriodEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies the time periods during which a policy rule is
        valid. The values of the first five attributes in a row are
        ANDed together to determine the validity period(s). If any of
        the five attributes is not present, it is treated as having
        the value 'always enabled'."
    ::= { ipSecPolicyTimePeriod 1 }

ipSecRuleTimePeriodEntry OBJECT-TYPE
    SYNTAX      IpSecRuleTimePeriodEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecRuleTimePeriodPrid }
    UNIQUENESS { ipSecRuleTimePeriodTimePeriod,
                 ipSecRuleTimePeriodMonthOfYearMask,
                 ipSecRuleTimePeriodDayOfMonthMask,
                 ipSecRuleTimePeriodDayOfWeekMask,
                 ipSecRuleTimePeriodTimeOfDayMask,
                 ipSecRuleTimePeriodLocalOrUtcTime }
    ::= { ipSecRuleTimePeriodTable 1 }

IpSecRuleTimePeriodEntry ::= SEQUENCE {
    ipSecRuleTimePeriodPrid             InstanceId,
    ipSecRuleTimePeriodTimePeriod       OCTET STRING,
    ipSecRuleTimePeriodMonthOfYearMask  OCTET STRING,
    ipSecRuleTimePeriodDayOfMonthMask   OCTET STRING,
    ipSecRuleTimePeriodDayOfWeekMask    OCTET STRING,
    ipSecRuleTimePeriodTimeOfDayMask    OCTET STRING,
    ipSecRuleTimePeriodLocalOrUtcTime   INTEGER
}

ipSecRuleTimePeriodPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecRuleTimePeriodEntry 1 }

ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that identifies an overall range of calendar
        dates and times over which a policy rule is valid. It reuses
        the format for an explicit time period defined in RFC 2445: a
        string representing a starting date and time, in which the
        character 'T' indicates the beginning of the time portion,
        followed by the solidus character '/', followed by a similar
        string representing an end date and time. The first date
        indicates the beginning of the range, while the second date
        indicates the end. Thus, the second date and time must be later
        than the first. Date/times are expressed as substrings of the
        form yyyymmddThhmmss.

        There are also two special cases:
        - If the first date/time is replaced with the string
          THISANDPRIOR, then the property indicates that a policy rule
          is valid [from now] until the date/time that appears after
          the '/'.
        - If the second date/time is replaced with the string
          THISANDFUTURE, then the property indicates that a policy rule
          becomes valid on the date/time that appears before the '/',
          and remains valid from that point on."
    ::= { ipSecRuleTimePeriodEntry 2 }

ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies which months the policy is
        valid for. The octet string is structured as follows:
        - a 4-octet length field, indicating the length of the entire
          octet string; this field is always set to 0x00000006 for this
          property;
        - a 2-octet field consisting of 12 bits identifying the 12
          months of the year, beginning with January and ending with
          December, followed by 4 bits that are always set to '0'.
        For each month, the value '1' indicates that the policy is
        valid for that month, and the value '0' indicates that it is
        not valid. If this property is omitted, then the policy rule is
        treated as valid for all twelve months."
    ::= { ipSecRuleTimePeriodEntry 3 }

ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies which days of the month the
        policy is valid for. The octet string is structured as follows:
        - a 4-octet length field, indicating the length of the entire
          octet string; this field is always set to 0x0000000C for this
          property;
        - an 8-octet field consisting of 31 bits identifying the days
          of the month counting from the beginning, followed by 31 more
          bits identifying the days of the month counting from the end,
          followed by 2 bits that are always set to '0'.
        For each day, the value '1' indicates that the policy is valid
        for that day, and the value '0' indicates that it is not valid.
        For months with fewer than 31 days, the digits corresponding to
        days that the months do not have (counting in both directions)
        are ignored."
    ::= { ipSecRuleTimePeriodEntry 4 }

ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies which days of the week the
        policy is valid for. The octet string is structured as follows:
        - a 4-octet length field, indicating the length of the entire
          octet string; this field is always set to 0x00000005 for this
          property;
        - a 1-octet field consisting of 7 bits identifying the 7 days
          of the week, beginning with Sunday and ending with Saturday,
          followed by 1 bit that is always set to '0'.
        For each day of the week, the value '1' indicates that the
        policy is valid for that day, and the value '0' indicates that
        it is not valid."
    ::= { ipSecRuleTimePeriodEntry 5 }

ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies a range of times in a day the
        policy is valid for. It is formatted as follows: a time string
        beginning with the character 'T', followed by the solidus
        character '/', followed by a second time string. The first time
        indicates the beginning of the range, while the second time
        indicates the end. Times are expressed as substrings of the
        form Thhmmss.

        The second substring always identifies a later time than the
        first substring. To allow for ranges that span midnight,
        however, the value of the second string may be smaller than
        the value of the first substring. Thus, T080000/T210000
        identifies the range from 0800 until 2100, while
        T210000/T080000 identifies the range from 2100 until 0800 of
        the following day."
    ::= { ipSecRuleTimePeriodEntry 6 }

ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
    SYNTAX      INTEGER {
                    localTime(1),
                    utcTime(2)
                }
    STATUS      current
    DESCRIPTION
        "This property indicates whether the times represented in this
        table represent local times or UTC times. There is no provision
        for mixing of local times and UTC times: the value of this
        property applies to all of the other time-related properties."
    ::= { ipSecRuleTimePeriodEntry 7 }

--
--
-- The ipSecRuleTimePeriodSetTable
--

ipSecRuleTimePeriodSetTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecRuleTimePeriodSetEntry
    PIB-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies time period sets. The ipSecRuleTimePeriodTable can
        specify only a single time period within a day. This table
        enables the specification of multiple time periods within a
        day by grouping them into one set."
    ::= { ipSecPolicyTimePeriod 2 }

ipSecRuleTimePeriodSetEntry OBJECT-TYPE
    SYNTAX      IpSecRuleTimePeriodSetEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecRuleTimePeriodSetPrid }
    UNIQUENESS { ipSecRuleTimePeriodSetRuleTimePeriodSetId,
                 ipSecRuleTimePeriodSetRuleTimePeriodId }
    ::= { ipSecRuleTimePeriodSetTable 1 }

IpSecRuleTimePeriodSetEntry ::= SEQUENCE {
    ipSecRuleTimePeriodSetPrid                 InstanceId,
    ipSecRuleTimePeriodSetRuleTimePeriodSetId  TagId,
    ipSecRuleTimePeriodSetRuleTimePeriodId     ReferenceId
}

ipSecRuleTimePeriodSetPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecRuleTimePeriodSetEntry 1 }

ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE
    SYNTAX      TagId
    STATUS      current
    DESCRIPTION
        "An integer that uniquely identifies an ipSecRuleTimePeriod
        set."
    ::= { ipSecRuleTimePeriodSetEntry 2 }

ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE
    SYNTAX      ReferenceId
    PIB-REFERENCES { ipSecRuleTimePeriodEntry }
    STATUS      current
    DESCRIPTION
        "An integer that identifies an ipSecRuleTimePeriod, specified
        by ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable,
        that is included in this set."
    ::= { ipSecRuleTimePeriodSetEntry 3 }

--
--
-- The ipSecIfCapsTable
--

ipSecIfCapsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecIfCapsEntry
    PIB-ACCESS  notify
    STATUS      current
    DESCRIPTION
        "Specifies capabilities that may be associated with an
        interface of a specific type. The instances of this table are
        referenced by the frwkCapabilitySetCapability attribute of the
        frwkCapabilitySetTable [9]."
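Added example, not code from the draft: building the ipSecRuleTimePeriodTable mask octet strings with the length fields and bit layouts given above, parsing the TimePeriod and TimeOfDayMask strings (including a range that spans midnight), and ANDing all five attributes to decide whether a rule is valid at a given instant. The function names, the half-open range convention and the sample row are assumptions.

```python
import calendar
import struct
from datetime import datetime, time
from typing import Optional

def month_of_year_mask(months) -> bytes:
    """0x00000006 length field, then 2 octets: 12 month bits (January is
    the most significant) followed by 4 zero bits."""
    bits = 0
    for m in months:            # 1 = January ... 12 = December
        bits |= 1 << (16 - m)
    return struct.pack(">IH", 6, bits)

def day_of_month_mask(from_start=(), from_end=()) -> bytes:
    """0x0000000C length field, then 8 octets: 31 bits counted from the
    first of the month, 31 bits counted from the last day, 2 zero bits."""
    bits = 0
    for d in from_start:        # 1 = first day of the month
        bits |= 1 << (64 - d)
    for d in from_end:          # 1 = last day of the month
        bits |= 1 << (33 - d)
    return struct.pack(">IQ", 12, bits)

def day_of_week_mask(days) -> bytes:
    """0x00000005 length field, then 1 octet: 7 day bits (Sunday is the
    most significant) and 1 zero bit."""
    bits = 0
    for d in days:              # 0 = Sunday ... 6 = Saturday
        bits |= 1 << (7 - d)
    return struct.pack(">IB", 5, bits)

def _check_length(mask: bytes, expected: int) -> None:
    # The 4-octet length field must equal the whole string's length; refuse
    # anything else rather than read bits from an unexpected offset.
    if len(mask) != expected or struct.unpack(">I", mask[:4])[0] != expected:
        raise ValueError(f"mask length field must be {expected:#010x}")

def month_allowed(mask: Optional[bytes], when: datetime) -> bool:
    if mask is None:            # omitted: valid for all twelve months
        return True
    _check_length(mask, 6)
    return bool(struct.unpack(">H", mask[4:])[0] & (1 << (16 - when.month)))

def day_of_month_allowed(mask: Optional[bytes], when: datetime) -> bool:
    if mask is None:
        return True
    _check_length(mask, 12)
    bits = struct.unpack(">Q", mask[4:])[0]
    from_end = calendar.monthrange(when.year, when.month)[1] - when.day + 1
    # Assumption: a day is valid if either of its two names (counted from
    # the start or from the end) is set; bits the month lacks are unused.
    return bool(bits & (1 << (64 - when.day)) or bits & (1 << (33 - from_end)))

def weekday_allowed(mask: Optional[bytes], when: datetime) -> bool:
    if mask is None:
        return True
    _check_length(mask, 5)
    sunday_based = (when.weekday() + 1) % 7   # Python Monday=0 -> Sunday=0
    return bool(mask[4] & (1 << (7 - sunday_based)))

def _parse_t(s: str) -> time:
    if len(s) != 7 or s[0] != "T":
        raise ValueError(f"bad time string {s!r}, expected Thhmmss")
    return time(int(s[1:3]), int(s[3:5]), int(s[5:7]))

def time_of_day_allowed(mask: Optional[str], when: datetime) -> bool:
    """'Thhmmss/Thhmmss'; an end smaller than the start spans midnight.
    The range is taken as half-open [start, end), an assumption."""
    if mask is None:
        return True
    start, end = (_parse_t(p) for p in mask.split("/"))
    now = when.time()
    return start <= now < end if start <= end else (now >= start or now < end)

def time_period_allowed(period: Optional[str], when: datetime) -> bool:
    """'yyyymmddThhmmss/yyyymmddThhmmss'; THISANDPRIOR or THISANDFUTURE
    stands in for an open start or end."""
    if period is None:
        return True
    start, end = period.split("/")
    fmt = "%Y%m%dT%H%M%S"
    if start != "THISANDPRIOR" and when < datetime.strptime(start, fmt):
        return False
    return end == "THISANDFUTURE" or when < datetime.strptime(end, fmt)

def rule_valid_at(row: dict, when: datetime) -> bool:
    """AND of the five attributes; an absent one counts as always enabled.
    `when` must be on the clock ipSecRuleTimePeriodLocalOrUtcTime selects,
    or a window will silently shift by the UTC offset."""
    return (time_period_allowed(row.get("TimePeriod"), when)
            and month_allowed(row.get("MonthOfYearMask"), when)
            and day_of_month_allowed(row.get("DayOfMonthMask"), when)
            and weekday_allowed(row.get("DayOfWeekMask"), when)
            and time_of_day_allowed(row.get("TimeOfDayMask"), when))

# Constructed sample row: weeknights 21:00-08:00, January to June, from 2004.
SAMPLE_ROW = {
    "TimePeriod": "20040101T000000/THISANDFUTURE",
    "MonthOfYearMask": month_of_year_mask(range(1, 7)),
    "DayOfWeekMask": day_of_week_mask([1, 2, 3, 4, 5]),
    "TimeOfDayMask": "T210000/T080000",
}
```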
    ::= { ipSecIfCapability 1 }

ipSecIfCapsEntry OBJECT-TYPE
    SYNTAX      IpSecIfCapsEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    PIB-INDEX { ipSecIfCapsPrid }
    UNIQUENESS { ipSecIfCapsDirection,
                 ipSecIfCapsMaxIpSecActions,
                 ipSecIfCapsMaxIkeActions }
    ::= { ipSecIfCapsTable 1 }

IpSecIfCapsEntry ::= SEQUENCE {
    ipSecIfCapsPrid             InstanceId,
    ipSecIfCapsDirection        INTEGER,
    ipSecIfCapsMaxIpSecActions  Unsigned16TC,
    ipSecIfCapsMaxIkeActions    Unsigned16TC
}

ipSecIfCapsPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An integer index that uniquely identifies an instance of this
        class."
    ::= { ipSecIfCapsEntry 1 }

ipSecIfCapsDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    in(1),
                    out(2),
                    bi-directional(3)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the direction for which this capability applies."
    ::= { ipSecIfCapsEntry 2 }

ipSecIfCapsMaxIpSecActions OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies the maximum number of actions an IPsec action set
        may contain. IPsec action sets are specified by the
        ipSecActionSetTable. A value of zero indicates that there is
        no maximum limit."
    ::= { ipSecIfCapsEntry 3 }

ipSecIfCapsMaxIkeActions OBJECT-TYPE
    SYNTAX      Unsigned16TC
    STATUS      current
    DESCRIPTION
        "Specifies the maximum number of actions an IKE action set may
        contain. IKE action sets are specified by the
        ipSecIkeActionSetTable. A value of zero indicates that there is
        no maximum limit."
    ::= { ipSecIfCapsEntry 4 }

--
--
-- Conformance Section
--

ipSecPolicyPibConformanceCompliances OBJECT IDENTIFIER
    ::= { ipSecPolicyPibConformance 1 }

ipSecPolicyPibConformanceGroups OBJECT IDENTIFIER
    ::= { ipSecPolicyPibConformance 2 }

ipSecPolicyPibCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "Compliance statement"
    MODULE -- this module
    MANDATORY-GROUPS {
        ipSecRuleGroup,
        ipSecActionSetGroup,
        ipSecStaticActionGroup,
        ipSecNegotiationActionGroup,
        ipSecAssociationGroup,
        ipSecProposalSetGroup,
        ipSecProposalGroup,
        ipSecAhTransformSetGroup,
        ipSecAhTransformGroup,
        ipSecEspTransformSetGroup,
        ipSecEspTransformGroup,
        ipSecCompTransformSetGroup,
        ipSecCompTransformGroup,
        ipSecIkeAssociationGroup,
        ipSecIkeProposalSetGroup,
        ipSecIkeProposalGroup,
        ipSecIkePeerEndpointGroup,
        ipSecCredentialSetGroup,
        ipSecCredentialGroup,
        ipSecCredentialFieldsGroup,
        ipSecSelectorSetGroup,
        ipSecSelectorGroup,
        ipSecAddressGroup,
        ipSecL4PortGroup,
        ipSecIfCapsGroup
    }

    GROUP ipSecIkeRuleGroup
    DESCRIPTION
        "This group is mandatory if any of the following is supported:
        1) multiple IKE phase one actions (e.g., with different
           exchange modes) are associated with an IPsec rule. These
           actions are to be tried in sequence until one succeeds;
        2) IKE phase one actions that start automatically."

    GROUP ipSecIkeActionSetGroup
    DESCRIPTION
        "This group is mandatory if any of the following is supported:
        1) multiple IKE phase one actions (e.g., with different
           exchange modes) are associated with an IPsec rule. These
           actions are to be tried in sequence until one succeeds;
        2) IKE phase one actions that start automatically."

    GROUP ipSecIpsoFilterSetGroup
    DESCRIPTION
        "This group is mandatory if IPSO filter is supported."

    GROUP ipSecIpsoFilterGroup
    DESCRIPTION
        "This group is mandatory if IPSO filter is supported."
    GROUP ipSecRuleTimePeriodGroup
    DESCRIPTION
        "This group is mandatory if policy scheduling is supported."

    GROUP ipSecRuleTimePeriodSetGroup
    DESCRIPTION
        "This group is mandatory if policy scheduling is supported."

    OBJECT ipSecRuleIpSecIpsoFilterSetId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecRuleLimitNegotiation
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecRuleAutoStart
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecRuleIpSecRuleTimePeriodGroupId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecActionSetDoActionLogging
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecActionSetDoPacketLogging
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAssociationMinLifetimeSeconds
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAssociationMinLifetimeKilobytes
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAssociationIdleDurationSeconds
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAssociationVendorId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAssociationUseKeyExchangeGroup
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAssociationGranularity
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAhTransformUseReplayPrevention
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAhTransformReplayPreventionWindowSize
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecAhTransformVendorId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecEspTransformCipherKeyRounds
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecEspTransformCipherKeyLength
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecEspTransformUseReplayPrevention
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecEspTransformReplayPreventionWindowSize
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecEspTransformVendorId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecCompTransformDictionarySize
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecCompTransformPrivateAlgorithm
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecCompTransformVendorId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationMinLifetimeSeconds
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationMinLifetimeKilobytes
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationIdleDurationSeconds
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationPresharedKey
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationVendorId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationAggressiveModeGroupId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION
        "Support of this attribute is optional"

    OBJECT ipSecIkeAssociationLocalCredentialId
83 IPsec Policy Information Base November 2003 PIB-MIN-ACCESS not-accessible DESCRIPTION " Support of this attribute is optional" OBJECT ipSecIkeAssociationDoActionLogging PIB-MIN-ACCESS not-accessible DESCRIPTION " Support of this attribute is optional" OBJECT ipSecIkeProposalPrfAlgorithm PIB-MIN-ACCESS not-accessible DESCRIPTION " Support of this attribute is optional" OBJECT ipSecIkeProposalVendorId PIB-MIN-ACCESS not-accessible DESCRIPTION " Support of this attribute is optional" OBJECT ipSecIkePeerEndpointAddress PIB-MIN-ACCESS not-accessible DESCRIPTION " Support of this attribute is optional" OBJECT ipSecIfCapsMaxIkeActions PIB-MIN-ACCESS not-accessible DESCRIPTION " Support of this attribute is optional" OBJECT ipSecRuleActionExecutionStrategy SYNTAX INTEGER { doAll(1) } DESCRIPTION " Support of doUntilSuccess(2) is not required" OBJECT ipSecStaticActionAction SYNTAX INTEGER { byPass(1), discard(2), preConfiguredTransport(4), preConfiguredTunnel(5) } DESCRIPTION " Support of ikeRejection(3) is not required" ::= { ipSecPolicyPibConformanceCompliances 1 } ipSecRuleGroup OBJECT-GROUP OBJECTS { ipSecRulePrid, ipSecRuleIfName, ipSecRuleRoles, Li, et al Expires May 2004 84 IPsec Policy Information Base November 2003 ipSecRuleDirection, ipSecRuleIpSecSelectorSetId, ipSecRuleIpSecIpsoFilterSetId, ipSecRuleIpSecActionSetId, ipSecRuleActionExecutionStrategy, ipSecRuleOrder, ipSecRuleLimitNegotiation, ipSecRuleAutoStart, ipSecRuleIpSecRuleTimePeriodGroupId } STATUS current DESCRIPTION "Objects from the ipSecRuleTable." ::= { ipSecPolicyPibConformanceGroups 1 } ipSecActionSetGroup OBJECT-GROUP OBJECTS { ipSecActionSetPrid, ipSecActionSetActionSetId, ipSecActionSetActionId, ipSecActionSetDoActionLogging, ipSecActionSetDoPacketLogging, ipSecActionSetOrder } STATUS current DESCRIPTION "Objects from the ipSecActionSetTable." 
::= { ipSecPolicyPibConformanceGroups 2 } ipSecStaticActionGroup OBJECT-GROUP OBJECTS { ipSecStaticActionPrid, ipSecStaticActionAction, ipSecStaticActionTunnelEndpointId, ipSecStaticActionDfHandling, ipSecStaticActionSpi, ipSecStaticActionLifetimeSeconds, ipSecStaticActionLifetimeKilobytes, ipSecStaticActionSaTransformId } STATUS current DESCRIPTION "Objects from the ipSecStaticActionTable." ::= { ipSecPolicyPibConformanceGroups 3 } ipSecNegotiationActionGroup OBJECT-GROUP OBJECTS { ipSecNegotiationActionPrid, ipSecNegotiationActionAction, ipSecNegotiationActionTunnelEndpointId, ipSecNegotiationActionDfHandling, ipSecNegotiationActionIpSecSecurityAssociationId, ipSecNegotiationActionKeyExchangeId Li, et al Expires May 2004 85 IPsec Policy Information Base November 2003 } STATUS current DESCRIPTION "Objects from the ipSecNegotiationActionTable." ::= { ipSecPolicyPibConformanceGroups 4 } ipSecAssociationGroup OBJECT-GROUP OBJECTS { ipSecAssociationPrid, ipSecAssociationMinLifetimeSeconds, ipSecAssociationMinLifetimeKilobytes, ipSecAssociationIdleDurationSeconds, ipSecAssociationUsePfs, ipSecAssociationVendorId, ipSecAssociationUseKeyExchangeGroup, ipSecAssociationDhGroup, ipSecAssociationGranularity, ipSecAssociationProposalSetId } STATUS current DESCRIPTION "Objects from the ipSecAssociationTable." ::= { ipSecPolicyPibConformanceGroups 5 } ipSecProposalSetGroup OBJECT-GROUP OBJECTS { ipSecProposalSetPrid, ipSecProposalSetProposalSetId, ipSecProposalSetProposalId, ipSecProposalSetOrder } STATUS current DESCRIPTION "Objects from the ipSecProposalSetTable." ::= { ipSecPolicyPibConformanceGroups 6 } ipSecProposalGroup OBJECT-GROUP OBJECTS { ipSecProposalPrid, ipSecProposalEspTransformSetId, ipSecProposalAhTransformSetId, ipSecProposalCompTransformSetId } STATUS current DESCRIPTION "Objects from the ipSecProposalTable." 
::= { ipSecPolicyPibConformanceGroups 7 } ipSecAhTransformSetGroup OBJECT-GROUP OBJECTS { ipSecAhTransformSetPrid, ipSecAhTransformSetTransformSetId, ipSecAhTransformSetTransformId, Li, et al Expires May 2004 86 IPsec Policy Information Base November 2003 ipSecAhTransformSetOrder } STATUS current DESCRIPTION "Objects from the ipSecAhTransformSetTable." ::= { ipSecPolicyPibConformanceGroups 8 } ipSecAhTransformGroup OBJECT-GROUP OBJECTS { ipSecAhTransformPrid, ipSecAhTransformTransformId, ipSecAhTransformIntegrityKey, ipSecAhTransformUseReplayPrevention, ipSecAhTransformReplayPreventionWindowSize, ipSecAhTransformVendorId, ipSecAhTransformMaxLifetimeSeconds, ipSecAhTransformMaxLifetimeKilobytes } STATUS current DESCRIPTION "Objects from the ipSecAhTransformTable." ::= { ipSecPolicyPibConformanceGroups 9 } ipSecEspTransformSetGroup OBJECT-GROUP OBJECTS { ipSecEspTransformSetPrid, ipSecEspTransformSetTransformSetId, ipSecEspTransformSetTransformId, ipSecEspTransformSetOrder } STATUS current DESCRIPTION "Objects from the ipSecEspTransformSetTable." ::= { ipSecPolicyPibConformanceGroups 10 } ipSecEspTransformGroup OBJECT-GROUP OBJECTS { ipSecEspTransformPrid, ipSecEspTransformIntegrityTransformId, ipSecEspTransformCipherTransformId, ipSecEspTransformIntegrityKey, ipSecEspTransformCipherKey, ipSecEspTransformCipherKeyRounds, ipSecEspTransformCipherKeyLength, ipSecEspTransformUseReplayPrevention, ipSecEspTransformReplayPreventionWindowSize, ipSecEspTransformVendorId, ipSecEspTransformMaxLifetimeSeconds, ipSecEspTransformMaxLifetimeKilobytes } STATUS current DESCRIPTION "Objects from the ipSecEspTransformTable." Li, et al Expires May 2004 87 IPsec Policy Information Base November 2003 ::= { ipSecPolicyPibConformanceGroups 11 } ipSecCompTransformSetGroup OBJECT-GROUP OBJECTS { ipSecCompTransformSetPrid, ipSecCompTransformSetTransformSetId, ipSecCompTransformSetTransformId, ipSecCompTransformSetOrder } STATUS current DESCRIPTION "Objects from the ipSecCompTransformSetTable." 
::= { ipSecPolicyPibConformanceGroups 12 } ipSecCompTransformGroup OBJECT-GROUP OBJECTS { ipSecCompTransformPrid, ipSecCompTransformAlgorithm, ipSecCompTransformDictionarySize, ipSecCompTransformPrivateAlgorithm, ipSecCompTransformVendorId, ipSecCompTransformMaxLifetimeSeconds, ipSecCompTransformMaxLifetimeKilobytes } STATUS current DESCRIPTION "Objects from the ipSecCompTransformTable." ::= { ipSecPolicyPibConformanceGroups 13 } ipSecIkeRuleGroup OBJECT-GROUP OBJECTS { ipSecIkeRulePrid, ipSecIkeRuleIfName, ipSecIkeRuleRoles, ipSecIkeRuleIkeActionSetId, ipSecIkeRuleActionExecutionStrategy, ipSecIkeRuleLimitNegotiation, ipSecIkeRuleAutoStart, ipSecIkeRuleIpSecRuleTimePeriodGroupId } STATUS current DESCRIPTION "Objects from the ipSecIkeRuleTable." ::= { ipSecPolicyPibConformanceGroups 14 } ipSecIkeActionSetGroup OBJECT-GROUP OBJECTS { ipSecIkeActionSetPrid, ipSecIkeActionSetActionSetId, ipSecIkeActionSetActionId, ipSecIkeActionSetOrder } STATUS current Li, et al Expires May 2004 88 IPsec Policy Information Base November 2003 DESCRIPTION "Objects from the ipSecIkeActionSetTable." ::= { ipSecPolicyPibConformanceGroups 15 } ipSecIkeAssociationGroup OBJECT-GROUP OBJECTS { ipSecIkeAssociationPrid, ipSecIkeAssociationMinLiftetimeSeconds, ipSecIkeAssociationMinLifetimeKilobytes, ipSecIkeAssociationIdleDurationSeconds, ipSecIkeAssociationExchangeMode, ipSecIkeAssociationUseIkeIdentityType, ipSecIkeAssociationUseIkeIdentityValue, ipSecIkeAssociationIkePeerEndpoint, ipSecIkeAssociationPresharedKey, ipSecIkeAssociationVendorId, ipSecIkeAssociationAggressiveModeGroupId, ipSecIkeAssociationLocalCredentialId, ipSecIkeAssociationDoActionLogging, ipSecIkeAssociationIkeProposalSetId } STATUS current DESCRIPTION "Objects from the ipSecIkeAssociationTable." 
::= { ipSecPolicyPibConformanceGroups 16 } ipSecIkeProposalSetGroup OBJECT-GROUP OBJECTS { ipSecIkeProposalSetPrid, ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalId, ipSecIkeProposalSetOrder } STATUS current DESCRIPTION "Objects from the ipSecIkeProposalSetTable." ::= { ipSecPolicyPibConformanceGroups 17 } ipSecIkeProposalGroup OBJECT-GROUP OBJECTS { ipSecIkeProposalPrid, ipSecIkeProposalMaxLifetimeSeconds, ipSecIkeProposalMaxLifetimeKilobytes, ipSecIkeProposalCipherAlgorithm, ipSecIkeProposalHashAlgorithm, ipSecIkeProposalAuthenticationMethod, ipSecIkeProposalPrfAlgorithm, ipSecIkeProposalIkeDhGroup, ipSecIkeProposalVendorId } STATUS current DESCRIPTION "Objects from the ipSecIkeProposalTable." Li, et al Expires May 2004 89 IPsec Policy Information Base November 2003 ::= { ipSecPolicyPibConformanceGroups 18 } ipSecIkePeerEndpointGroup OBJECT-GROUP OBJECTS { ipSecIkePeerEndpointPrid, ipSecIkePeerEndpointIdentityType, ipSecIkePeerEndpointIdentityValue, ipSecIkePeerEndpointIsNegated, ipSecIkePeerEndpointAddress, ipSecIkePeerEndpointCredentialSetId } STATUS current DESCRIPTION "Objects from the ipSecIkePeerEndpointTable." ::= { ipSecPolicyPibConformanceGroups 19 } ipSecCredentialSetGroup OBJECT-GROUP OBJECTS { ipSecCredentialSetPrid, ipSecCredentialSetSetId, ipSecCredentialSetCredentialId } STATUS current DESCRIPTION "Objects from the ipSecCredentialSetTable." ::= { ipSecPolicyPibConformanceGroups 20 } ipSecCredentialGroup OBJECT-GROUP OBJECTS { ipSecCredentialPrid, ipSecCredentialCredentialType, ipSecCredentialFieldsId, ipSecCredentialCrlDistributionPoint } STATUS current DESCRIPTION "Objects from the ipSecCredentialTable." ::= { ipSecPolicyPibConformanceGroups 21 } ipSecCredentialFieldsGroup OBJECT-GROUP OBJECTS { ipSecCredentialFieldsPrid, ipSecCredentialFieldsName, ipSecCredentialFieldsValue, ipSecCredentialFieldsIsNegated, ipSecCredentialFieldsSetId } STATUS current DESCRIPTION "Objects from the ipSecCredentialFieldsTable." 
::= { ipSecPolicyPibConformanceGroups 22 } ipSecSelectorSetGroup OBJECT-GROUP Li, et al Expires May 2004 90 IPsec Policy Information Base November 2003 OBJECTS { ipSecSelectorSetPrid, ipSecSelectorSetSelectorSetId, ipSecSelectorSetSelectorId, ipSecSelectorSetOrder, ipSecSelectorSetIsNegated } STATUS current DESCRIPTION "Objects from the ipSecSelectorSetTable." ::= { ipSecPolicyPibConformanceGroups 23 } ipSecSelectorGroup OBJECT-GROUP OBJECTS { ipSecSelectorPrid, ipSecSelectorSrcAddressGroupId, ipSecSelectorSrcPortGroupId, ipSecSelectorDstAddressGroupId, ipSecSelectorDstPortGroupId, ipSecSelectorProtocol, ipSecSelectorDscp, ipSecSelectorFlowLabel } STATUS current DESCRIPTION "Objects from the ipSecSelectorTable." ::= { ipSecPolicyPibConformanceGroups 24 } ipSecAddressGroup OBJECT-GROUP OBJECTS { ipSecAddressPrid, ipSecAddressAddressType, ipSecAddressAddrPrefixLength, ipSecAddressAddrMin, ipSecAddressAddrMax, ipSecAddressGroupId } STATUS current DESCRIPTION "Objects from the ipSecAddressTable." ::= { ipSecPolicyPibConformanceGroups 25 } ipSecL4PortGroup OBJECT-GROUP OBJECTS { ipSecL4PortPrid, ipSecL4PortPortMin, ipSecL4PortPortMax, ipSecL4PortGroupId } STATUS current DESCRIPTION "Objects from the ipSecL4PortTable." ::= { ipSecPolicyPibConformanceGroups 26 } Li, et al Expires May 2004 91 IPsec Policy Information Base November 2003 ipSecIpsoFilterSetGroup OBJECT-GROUP OBJECTS { ipSecIpsoFilterSetPrid, ipSecIpsoFilterSetFilterSetId, ipSecIpsoFilterSetFilterId, ipSecIpsoFilterSetOrder, ipSecIpsoFilterSetIsNegated } STATUS current DESCRIPTION "Objects from the ipSecIpsoFilterSetTable." ::= { ipSecPolicyPibConformanceGroups 27 } ipSecIpsoFilterGroup OBJECT-GROUP OBJECTS { ipSecIpsoFilterPrid, ipSecIpsoFilterMatchConditionType, ipSecIpsoFilterClassificationLevel, ipSecIpsoFilterProtectionAuthority } STATUS current DESCRIPTION "Objects from the ipSecIpsoFilterTable." 
        ::= { ipSecPolicyPibConformanceGroups 28 }

    ipSecRuleTimePeriodGroup OBJECT-GROUP
        OBJECTS { ipSecRuleTimePeriodPrid, ipSecRuleTimePeriodTimePeriod,
                  ipSecRuleTimePeriodMonthOfYearMask,
                  ipSecRuleTimePeriodDayOfMonthMask,
                  ipSecRuleTimePeriodDayOfWeekMask,
                  ipSecRuleTimePeriodTimeOfDayMask,
                  ipSecRuleTimePeriodLocalOrUtcTime }
        STATUS current
        DESCRIPTION "Objects from the ipSecRuleTimePeriodTable."
        ::= { ipSecPolicyPibConformanceGroups 29 }

    ipSecRuleTimePeriodSetGroup OBJECT-GROUP
        OBJECTS { ipSecRuleTimePeriodSetPrid,
                  ipSecRuleTimePeriodSetRuleTimePeriodSetId,
                  ipSecRuleTimePeriodSetRuleTimePeriodId }
        STATUS current
        DESCRIPTION "Objects from the ipSecRuleTimePeriodSetTable."
        ::= { ipSecPolicyPibConformanceGroups 30 }

    ipSecIfCapsGroup OBJECT-GROUP
        OBJECTS { ipSecIfCapsPrid, ipSecIfCapsDirection,
                  ipSecIfCapsMaxIpSecActions, ipSecIfCapsMaxIkeActions }
        STATUS current
        DESCRIPTION "Objects from the ipSecIfCapsTable."
        ::= { ipSecPolicyPibConformanceGroups 31 }

    END

6. Security Considerations

   This document defines an IPsec PIB for configuring IPsec policies on IPsec-enabled devices. As IPsec provides security services, it is critical that IPsec configuration data be protected at least as strongly as the desired IPsec policy.

   The ipSecEspTransformTable and ipSecAhTransformTable contain authentication and encryption keys for static IPsec security associations. These key attributes are ignored for IPsec security associations that are dynamically established. The ipSecIkeAssociationTable contains an optional pre-shared key for IKE authentication. Malicious access to the above PRCs can compromise the keys. As a result, they MUST NOT be observed by third parties.

   In addition, the PRCs in this PIB may contain information that is sensitive from a business perspective, in that they may represent a customer's service contract or the filters that the service provider chooses to apply to a customer's traffic.
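   As an added example (not part of this draft), the following Python parses OBJECT-GROUP definitions and the compliance statement's OBJECT clauses in the form used above, and lists the key-bearing attributes that this section says MUST NOT be observed by third parties, with the group each belongs to and whether the compliance statement makes support of it optional. The SMI text embedded in it is a constructed subset of the conformance section above.

```python
"""Added example (not part of the draft): list the key-bearing attributes
of the IPsec PIB, the OBJECT-GROUP each belongs to, and whether the
compliance statement makes support of the attribute optional.
"""
import re
from collections import namedtuple

# Constructed excerpt of the conformance section (two OBJECT clauses from
# the compliance statement and four of the draft's OBJECT-GROUPs).
SAMPLE_SMI = """
OBJECT ipSecIkeAssociationPresharedKey
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION "Support of this attribute is optional"
OBJECT ipSecAhTransformVendorId
    PIB-MIN-ACCESS not-accessible
    DESCRIPTION "Support of this attribute is optional"
ipSecAhTransformGroup OBJECT-GROUP
    OBJECTS { ipSecAhTransformPrid, ipSecAhTransformTransformId,
              ipSecAhTransformIntegrityKey, ipSecAhTransformVendorId }
    STATUS current
    DESCRIPTION "Objects from the ipSecAhTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 9 }
ipSecEspTransformGroup OBJECT-GROUP
    OBJECTS { ipSecEspTransformPrid, ipSecEspTransformIntegrityKey,
              ipSecEspTransformCipherKey, ipSecEspTransformVendorId }
    STATUS current
    DESCRIPTION "Objects from the ipSecEspTransformTable."
    ::= { ipSecPolicyPibConformanceGroups 11 }
ipSecIkeAssociationGroup OBJECT-GROUP
    OBJECTS { ipSecIkeAssociationPrid, ipSecIkeAssociationPresharedKey,
              ipSecIkeAssociationVendorId }
    STATUS current
    DESCRIPTION "Objects from the ipSecIkeAssociationTable."
    ::= { ipSecPolicyPibConformanceGroups 16 }
ipSecIfCapsGroup OBJECT-GROUP
    OBJECTS { ipSecIfCapsPrid, ipSecIfCapsDirection }
    STATUS current
    DESCRIPTION "Objects from the ipSecIfCapsTable."
    ::= { ipSecPolicyPibConformanceGroups 31 }
"""

GROUP_RE = re.compile(
    r"(\w+)\s+OBJECT-GROUP\s+OBJECTS\s*\{([^}]*)\}\s*STATUS\s+(\w+)\s*"
    r'DESCRIPTION\s+"([^"]*)"\s*::=\s*\{\s*\w+\s+(\d+)\s*\}')
OPTIONAL_RE = re.compile(r"OBJECT\s+(\w+)\s+PIB-MIN-ACCESS\s+not-accessible")
# Attribute name suffixes that section 6 identifies as secret key material.
KEY_SUFFIXES = ("IntegrityKey", "CipherKey", "PresharedKey")

# table: table named in DESCRIPTION; index: arc under ...ConformanceGroups
ObjectGroup = namedtuple("ObjectGroup", "name objects status table index")


def parse_groups(text):
    """Return the OBJECT-GROUP definitions found in an SMI text."""
    groups = []
    for name, objs, status, desc, idx in GROUP_RE.findall(text):
        table = re.search(r"\w+Table", desc)
        groups.append(ObjectGroup(
            name, [o.strip() for o in objs.split(",") if o.strip()],
            status, table.group(0) if table else "", int(idx)))
    return groups


def parse_optional(text):
    """Attributes whose PIB-MIN-ACCESS is not-accessible (support optional)."""
    return set(OPTIONAL_RE.findall(text))


def audit_key_material(text):
    """Map each key-bearing attribute to (group name, table, optional?)."""
    optional = parse_optional(text)
    report = {}
    for group in parse_groups(text):
        for obj in group.objects:
            if obj.endswith(KEY_SUFFIXES):
                report[obj] = (group.name, group.table, obj in optional)
    return report
```

   Run against the full conformance section, the report gives an operator the list of PRCs whose PDP-to-PEP transport needs the confidentiality protection discussed below.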
   All the tables except the ipSecIfCapsTable have a PIB-ACCESS clause of install. Malicious altering of these PRCs may affect the IPsec behavior of the device being provisioned. Malicious access to these PRCs also exposes policy information concerning how the device is provisioned. The ipSecIfCapsTable has a PIB-ACCESS clause of notify. Malicious access to this PRC exposes information concerning the device being provisioned.

   The authentication and integrity of configuration information is of utmost importance to the security of a network. Administrators SHOULD carefully consider the potential threat environment involving PDP and PEP data exchange. At a minimum, PDPs and PEPs SHOULD authenticate one another and SHOULD use a transport protocol that supports data integrity and authentication.

   Administrators SHOULD also carefully consider the importance of confidentiality of their configuration information, because it may reveal private or confidential information about customer access, business relationships, keys, etc. If these are concerns to the organization, then confidentiality SHOULD be used to transport the information. Administrators SHOULD use IPsec or TLS between PDP and PEP as described in [5] and [15] to provide the necessary protections.

7. RFC Editor Considerations

   This document normatively references [9] and [12], which are in the IESG last call stage. Please use the corresponding RFC numbers before publishing this document as an RFC.

8. IANA Considerations

   This document describes the ipSecPolicyPib Policy Information Base (PIB) module for registration under the "pib" branch registered with IANA. IANA has assigned a PIB number for it under the "pib" branch.

   IANA considerations for SUBJECT-CATEGORIES follow the same requirements as those specified in [5], IANA Considerations for COPS Client Types. The IPsec PIB defines a new COPS Client Type.
   IANA needs to assign this type and must also update the registry for COPS Client Types as a result. The authors suggest the use of "ipSec" as the name of the ClientType.

9. Normative References

   1. S. Bradner, "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.

   2. S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   3. S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

   4. F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling Core Object Specification (iCalendar)", RFC 2445, November 1998.

   5. J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

   6. K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", RFC 3084, March 2001.

   7. D. Piper, "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

   8. S. Kent, R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

   9. M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A. Smith, F. Reichmeyer, "Framework Policy Information Base", RFC 3318, March 2003.

   10. D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

   11. A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   12. J. Jason, L. Rafalow, E. Vyncke, "IPsec Configuration Policy Model", draft-ietf-ipsp-config-policy-model-06.txt, August 2002.

   13. A. Westerinen, et al., "Terminology for Policy-Based Management", RFC 3198, November 2001.

   14. K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A. Smith, F. Reichmeyer, "Structure of Policy Provisioning Information", RFC 3159, August 2001.

   15. K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose, S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   16. K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose, S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   17. F. Baker, K. Chan, A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002.

   18. M. Daniele, B. Haberman, S. Routhier, J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 3291, May 2002.

   19. D. Harrington, R. Presuhn, B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", RFC 3411, December 2002.

   20. B. Wijnen, "Textual Conventions for IPv6 Flow Label", RFC 3595, September 2003.

10. Informative References

   15. J. Walker, A. Kulkarni, "COPS Over TLS", draft-ietf-rap-cops-tls-04.txt, June 2002.

11. Authors' Addresses

   Man Li
   Nokia
   5 Wayside Road, Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   David Arneson
   Email: dla@mediaone.net

   Avri Doria
   Div. of Computer Communications
   Lulea University of Technology
   SE-971 87 Lulea, Sweden
   Phone: +46 920 49 3030
   Email: avri@sm.luth.se

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   Phone: +1 503 264 9531
   Email: jamie.jason@intel.com

   Cliff Wang
   SmartPipes Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   Phone: +1 614 923 6241
   Email: CWang@smartpipes.com

   Markus Stenberg
   SSH Communications Security Corp.
   Fredrikinkatu 42
   FIN-00100 Helsinki, Finland
   Phone: +358 20 500 7466
   Email: fingon@iki.fi

12. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.
   This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

   The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.