Internet Engineering Task Force Y. Sharma, Ed.
Internet-Draft R. Kamath
Intended status: Standards Track A. Inamdar
Expires: October 15, 2016 Cisco Systems
April 13, 2016

Management Information Base for the Group Domain of Interpretation
draft-kamarthy-gdoi-mib-01

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular, this document describes a high-level Management Information Base for Group Domain of Interpretation (GDOI), which is used for secure group communication in IPsec-based networks. This draft describes managed objects used for implementations of the GDOI protocol.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on October 15, 2016.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


1. Introduction

This memo defines the Management Information Base (MIB) for use with network management protocols. In particular, it defines objects for managing the Group Domain of Interpretation (GDOI) protocol, defined by RFC 3547 [RFC3547], which is used for secure group communication.

2. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant with SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

3. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

4. Overview

To support the management needs of IPsec-based networks, we have defined the GDOI MIB (module GDOI-MIB). The MIB defines a number of objects with enumeration syntax which refer to the numbers assigned by IANA to denote specific elements. The SNMP Management Framework presently consists of five major components:

  1. An overall architecture, described in RFC 2271 [RFC2271].
  2. Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [RFC1155], RFC 1212 [RFC1212] and RFC 1215 [RFC1215]. The second version, called SMIv2, is described in RFC 1902 [RFC1902], RFC 1903 [RFC1903] and RFC 1904 [RFC1904].
  3. Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [RFC1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906 [RFC1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2272 [RFC2272] and RFC 2274 [RFC2274].
  4. Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [RFC1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [RFC1905].
  5. A set of fundamental applications described in RFC 2273 [RFC2273] and the view-based access control mechanism described in RFC 2275 [RFC2275].

The GDOI MIB module defined in this draft is used to manage network devices running a group-based key management protocol based on the GDOI standard. The MIB module supports management of two network entities, group member and key server. A GDOI group spans multiple devices in the network, and this GDOI MIB module can be used to model all the network entities that make up the GDOI group.

5. Structure of the MIB Module

This section provides a view of the overall architecture, and describes the major MIB groups and table definitions.

5.1. Textual Conventions

The following new textual conventions are introduced: GdoiKsStatus, GdoiKsRole, GdoiIdentificationType, GdoiIdentificationValue, GdoiKekSPI, GdoiIpProtocolId, GdoiKeyManagementAlgorithm, GdoiEncryptionAlgorithm, GdoiPseudoRandomFunction, GdoiIntegrityAlgorithm, GdoiSignatureMethod, GdoiDiffieHellmanGroup, GdoiEncapsulationMode, GdoiSecurityProtocol, GdoiTekSPI, GdoiKekStatus, GdoiTekStatus, GdoiUnsigned16.
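The identification conventions named above form a type/value pair: Section 7 defines them (as CgmGdoiIdentificationType and CgmGdoiIdentificationValue) with fixed octet lengths for addresses, subnets, ranges and group numbers, and strings without terminators for names. A strict decoder for that pair and for the 16-octet KEK SPI cookie split follows as an added Python example that is not part of this draft; the function names, the rejection of empty names, the range-order check and the big-endian reading of groupNumber are assumptions.

```python
"""Strict decoder for CgmGdoiIdentificationType/Value pairs (added example)."""
import ipaddress

# Enumeration values from the CgmGdoiIdentificationType SYNTAX clause.
IPV4_ADDRESS, DOMAIN_NAME, USER_NAME, IPV4_SUBNET = 1, 2, 3, 4
IPV6_ADDRESS, IPV6_SUBNET, IPV4_RANGE, IPV6_RANGE = 5, 6, 7, 8
CA_DISTINGUISHED_NAME, CA_GENERAL_NAME, GROUP_NUMBER = 9, 10, 11

MAX_VALUE_LEN = 48  # SYNTAX OCTET STRING (SIZE (0..48))

# Fixed octet lengths listed in the CgmGdoiIdentificationValue DESCRIPTION.
FIXED_LENGTHS = {
    IPV4_ADDRESS: 4, IPV4_SUBNET: 8, IPV6_ADDRESS: 16, IPV6_SUBNET: 32,
    IPV4_RANGE: 8, IPV6_RANGE: 32, GROUP_NUMBER: 4,
}
V4_TYPES = {IPV4_ADDRESS, IPV4_SUBNET, IPV4_RANGE}
STRING_TYPES = {DOMAIN_NAME, USER_NAME}
DER_TYPES = {CA_DISTINGUISHED_NAME, CA_GENERAL_NAME}


def decode_identification(id_type, value):
    """Return a printable form of value, or raise ValueError if malformed."""
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError("value must be the raw OCTET STRING bytes")
    value = bytes(value)
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("value exceeds 48 octets")

    if id_type in STRING_TYPES:
        text = value.decode("ascii")  # UnicodeDecodeError is a ValueError
        # The convention forbids terminators (NULL, CR, ...). Reject every
        # control character so nothing hidden rides along into logs or UIs.
        # Rejecting the empty string is an added strictness assumption.
        if not text or any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
            raise ValueError("empty string or control character in name")
        return text

    if id_type in DER_TYPES:
        # Described as a binary DER encoding; kept opaque here, not parsed.
        return value.hex()

    expected = FIXED_LENGTHS.get(id_type)
    if expected is None:
        raise ValueError(f"unknown identification type {id_type}")
    if len(value) != expected:
        raise ValueError(
            f"type {id_type} needs {expected} octets, got {len(value)}")

    if id_type == GROUP_NUMBER:
        # Assumption: the 4-octet group identifier is in network byte order.
        return str(int.from_bytes(value, "big"))

    addr = (ipaddress.IPv4Address if id_type in V4_TYPES
            else ipaddress.IPv6Address)
    if id_type in (IPV4_ADDRESS, IPV6_ADDRESS):
        return str(addr(value))

    half = expected // 2
    first, second = addr(value[:half]), addr(value[half:])
    if id_type in (IPV4_SUBNET, IPV6_SUBNET):
        # Second half is a mask: 1 bits are fixed, 0 bits are wildcards.
        return f"{first}/{second}"
    # Range types, both ends inclusive. Order check is an added sanity test.
    if first > second:
        raise ValueError("range start is above range end")
    return f"{first}-{second}"


def is_valid_identification(id_type, value):
    """True when the pair decodes cleanly under the rules above."""
    try:
        decode_identification(id_type, value)
    except ValueError:
        return False
    return True


def split_kek_spi(spi):
    """Split a 16-octet CgmGdoiKekSPI into (initiator, responder) cookies."""
    spi = bytes(spi)
    if len(spi) != 16:
        raise ValueError("KEK SPI must be exactly 16 octets")
    return spi[:8].hex(), spi[8:].hex()


if __name__ == "__main__":
    # Constructed sample values, shaped like the varbinds a poller would see.
    samples = [
        (IPV4_ADDRESS, bytes([192, 0, 2, 10])),
        (IPV4_SUBNET, bytes([10, 1, 0, 0, 255, 255, 0, 0])),
        (DOMAIN_NAME, b"example.com"),
        (DOMAIN_NAME, b"example.com\x00"),   # terminator: must be rejected
        (IPV4_ADDRESS, bytes([10, 0, 0])),   # short value: must be rejected
    ]
    for id_type, raw in samples:
        ok = is_valid_identification(id_type, raw)
        shown = decode_identification(id_type, raw) if ok else "REJECTED"
        print(id_type, raw.hex(), shown)
    print(split_kek_spi(bytes(range(16))))
```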

5.2. The GDOI MIB Module Subtree

The following figures show the organization of the GDOI MIB module and the dependencies among various objects. The objects at the bottom of each figure depend on the objects above them. Figure 1 shows which objects of the GDOI MIB will be available for query by a network manager if only the group member resides on a network box. Figure 2 shows the objects that can be queried by the SNMP manager if only the key server is available on a box. Finally, Figure 3 shows the scenario in which both a group member and a key server reside on a box, and the MIB objects that can be queried.


                                 --------------
                                 | GDOI Group |
                                 --------------
                                       |
                                       |
                                       |
                                 --------------
                                 |  Local GM  |
                                 --------------
                                       |
                                     |   |
                                   |       |
                                |             |
                         ------------      ------------
                         |  KEK SA  |      |  TEK SA  |
                         ------------      ------------


 Figure 1: GDOI MIB objects that are used when a group member 
           is on a box

                                 --------------
                                 | GDOI Group |
                                 --------------
                                       |
                                       |
                                       |
                                 --------------
                                 |  Local KS  |
                                 --------------
                                       |
                                     |   |
                                   |       |
                                |             |
                         ------------      ------------
                         |  KEK SA  |      |  TEK SA  |
                         ------------      ------------

 Figure 2: GDOI MIB objects that are used when a key server is
           on a box

                           --------------
                           | GDOI Group |
                           --------------
                                 |
                             |   |   |
                         |       |       |
                     |           |           |
                 |               |               |
           --------------  --------------  --------------
           |  Local KS  |  |  COOP Peer |  |  Local GM  |
           --------------  --------------  --------------
                 |                               |
               |   |                           |   |
             |       |                       |       |
           |           |                   |           |
    ------------     ------------   ------------   ------------
    |  KEK SA  |     |  TEK SA  |   |  KEK SA  |   |  TEK SA  |
    ------------     ------------   ------------   ------------


 Figure 3: GDOI MIB objects that are used when a key server and a group
           member are on a box

     

The GDOI MIB module object definitions will be covered in Section 6.

5.3. The Notifications Subtree

Notifications are defined to inform the management station about changes that happen on the Group Member (GM) or the Key Server (KS). The gdoiKeyServerNotifs defines the KS notifications, which are sent when the following events happen on the KS:

  1. A new group member initiates registration to a GDOI group, gdoiKeyServerNewRegistration
  2. A group member has completed registration to a GDOI group, gdoiKeyServerRegistrationComplete
  3. Send the rekey to the GDOI group, gdoiKeyServerRekeyPushed
  4. RSA keys were not created or they are missing, gdoiKeyServerNoRsaKeys
  5. Key server switches its role, gdoiKeyServerRoleChange
  6. A group member is deleted from a GDOI group, gdoiKeyServerGmDeleted
  7. A peer KS has become reachable, gdoiKeyServerPeerReachable
  8. A peer KS has become unreachable, gdoiKeyServerPeerUnreachable

The gdoiGmNotifs defines the GM notifications, which are sent after the occurrence of the following events:

  1. Start the registration to the key server, gdoiGmRegister
  2. Registration to the key server is completed and the SAs are downloaded properly, gdoiGmRegistrationComplete
  3. IPsec SA created for one group may have expired or been cleared. The GM needs to reregister to the key server, gdoiGmReRegister
  4. The GM received the multicast rekey with the sequence number displayed, gdoiGmRekeyReceived
  5. Registration cannot be completed because the GDOI group configuration may be missing the group ID, server ID, or both, gdoiGmIncompleteCfg
  6. Hardware limitation for IPsec flow limit reached. Cannot create any more IPsec SAs, gdoiGmNoIpSecFlows
  7. During GDOI rekey the payload parsing failed on this group member from the key server, gdoiGmRekeyFailure

5.4. The Table Structures

The GDOI MIB module has the following tables:

6. Relationship to Other MIB Modules

This GDOI MIB module does not depend on any other MIB modules.

6.1. Relationship to Other MIB

NA

6.2. MIB modules required for IMPORTS

The GDOI-STD-MIB module IMPORTS objects from SNMPv2-SMI [RFC2579], SNMPv2-TC [RFC2578], SNMPv2-CONF [RFC2580].

7. Definitions

-- *********************************************************************
-- Copyright (c)2010-2011, 2010, 2015 by Cisco Systems Inc.
-- All rights reserved.
--   
-- CISCO-GDOI-MIB: MIB for Group Domain of Interpretation (GDOI)
-- July 2010 - Preethi Sundaradevan, Manoj Vellala,
-- Mike Hamada, Tanya Roosta
-- February 2015 - Rohini Kamath, Yogesh Sharma
-- *********************************************************************

CISCO-GDOI-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    MODULE-IDENTITY,
    NOTIFICATION-TYPE,
    OBJECT-TYPE,
    Counter32,
    Unsigned32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION,
    DisplayString,
    TruthValue
        FROM SNMPv2-TC
    CiscoMilliSeconds
        FROM CISCO-TC
    ciscoMgmt
        FROM CISCO-SMI;


-- ------------------------------------------------------------------ --
-- GDOI MIB Module Identity
-- ------------------------------------------------------------------ --

ciscoGdoiMIB MODULE-IDENTITY
    LAST-UPDATED    "201507170000Z"
    ORGANIZATION    "cisco Systems, Inc."
    CONTACT-INFO
            "Cisco Systems
            Enterprise Business Management Unit

            Postal: 170 W Tasman Drive
            San Jose, CA  95134
            USA

               Tel: +1 800 553-NETS

            E-mail: cs-ipsecurity@cisco.com"
    DESCRIPTION
        "This MIB module defines objects for managing the GDOI protocol.

        Copyright (c) The IETF Trust (2010).  This version of this MIB
        module is based on RFC 6407; see the RFC itself for full legal
        notices."
    REVISION        "201507170000Z"
    DESCRIPTION
        "Added the following textual conventions:
        - CgmGdoiKsStatus
        - CgmGdoiKsRole
        Added the following objects to cgmGdoiGroupTable:
        - cgmGdoiGroupMemberCount
        - cgmGdoiGroupActivePeerKeyServerCount
        - cgmGdoiGroupLastRekeyRetransmits
        - cgmGdoiGroupLastRekeyTimeTaken
        Added the following objects to cgmGdoiKeyServerTable:
        - cgmGdoiKeyServerRole
        - cgmGdoiKeyServerRegisteredGMs
        Added the following objects to cgmGdoiGmTable:
        - cgmGdoiGmActiveTEKNum
        Added the following objects to cgmGdoiNotifCntl:
        - cgmGdoiKsRoleChangeNotifEnable
        - cgmGdoiKsGmDeletedNotifEnable
        - cgmGdoiKsPeerReachNotifEnable
        - cgmGdoiKsPeerUnreachNotifEnable
        Added the following tables:
        - cgmGdoiNotifVars
        - cgmGdoiCoopPeerTable
        Added the following notifications:
        - cgmGdoiKeyServerRoleChange
        - cgmGdoiKeyServerGmDeleted
        - cgmGdoiKeyServerPeerReachable
        - cgmGdoiKeyServerPeerUnreachable
        Added new MIB Groups (for conformance)
        - cgmGdoiGroupIdGroupRev1
        - cgmGdoiKeyServerGroupRev1
        - cgmGdoiGmGroupRev1
        - cgmGdoiNotificationControlGroupRev1
        - cgmGdoiKeyServerNotificationGroupRev1
        - cgmGdoiCoopPeerGroup
        - cgmGdoiNotificationVariablesGroup
        Added a new compliance group:
        - cgmGdoiMIBComplianceRev1
        Deprecated an old compliance group:
        - cgmGdoiMIBCompliance"
    REVISION        "201008310000Z"
    DESCRIPTION
        "Final Ciscoized version of the MIB draft after review comments"
    REVISION        "201007201240Z"
    DESCRIPTION
        "Ciscoized version of the MIB draft after review comments"
    REVISION        "201006021245Z"
    DESCRIPTION
        "Ciscoized version of the initial MIB draft"
    REVISION        "201002250545Z"
    DESCRIPTION
        "Initial version, published as RFC ????"
    ::= { ciscoMgmt 759 }



-- ------------------------------------------------------------------ --
-- GDOI MIB Textual Conventions
-- ------------------------------------------------------------------ --

CgmGdoiKsStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention identifying the status of Key Server in
        the COOP/Stand-alone scenario.

        Following are the possible values:

          ID Type              Value
          -------              -----
          Alive                  1  -- Key Server is perceived as Alive
          Dead                   2  -- Key Server is perceived as Dead
          Unknown                3  -- Failed to determine the status;
                                       or, the status of a secondary 
                                       peer when seen from a Secondary 
                                       Key Server."
    SYNTAX          INTEGER  {
                        keyServerAlive(1),
                        keyServerDead(2),
                        keyServerUnknown(3)
                    }

CgmGdoiKsRole ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention identifying the role of Key Server in the
        COOP/Stand-alone scenario.

        Following are the possible values:

          ID Type              Value
          -------              -----
          Primary                1  -- Role is Primary
          Secondary              2  -- Role is Secondary
          Unknown                3  -- Failed to determine the role"
    SYNTAX          INTEGER  {
                        keyServerPrimary(1),
                        keyServerSecondary(2),
                        keyServerUnknown(3)
                    }

CgmGdoiIdentificationType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the type of value used to
        identify a GDOI entity (i.e. Group, Key Server, or Group
        Member).

        Following are the Identification Type Values:

          ID Type              Value
          -------              -----
          RESERVED               0  -- Not Used
          ID_IPV4_ADDR           1  -- ipv4Address
          ID_FQDN                2  -- domainName

          ID_RFC822_ADDR         3  -- userName
          (ID_USER_FQDN)

          ID_IPV4_ADDR_SUBNET    4  -- ipv4Subnet - Not in RFC 4306
          ID_IPV6_ADDR           5  -- ipv6Address
          ID_IPV6_ADDR_SUBNET    6  -- ipv6Subnet - Not in RFC 4306
          ID_IPV4_ADDR_RANGE     7  -- ipv4Range  - Not in RFC 4306
          ID_IPV6_ADDR_RANGE     8  -- ipv6Range  - Not in RFC 4306
          ID_DER_ASN1_DN         9  -- caDistinguishedName
          ID_DER_ASN1_GN         10 -- caGeneralName
          ID_KEY_ID              11 -- groupNumber

        Following are the mappings to the type values above:

          'ipv4Address' : a single four (4) octet IPv4 address.

          'domainName'  : a fully-qualified domain name string.  An
               example is, 'example.com'.  The string MUST NOT
               contain any terminators (e.g., NULL, CR, etc.).

          'userName'    : a fully-qualified RFC 822 username or email
               address string. An example is, 'jsmith@example.com'.
               The string MUST NOT contain any terminators.

          'ipv4Subnet'  : a range of IPv4 addresses, represented by
               two four (4) octet values concatenated together.  The
               first value is an IPv4 address.  The second is an
               IPv4 network mask.  Note that ones (1s) in the network
               mask indicate that the corresponding bit in the address
               is fixed, while zeros (0s) indicate a 'wildcard' bit.

          'ipv6Address' : a single sixteen (16) octet IPv6 address.

          'ipv6Subnet'  : a range of IPv6 addresses, represented by
               two sixteen (16) octet values concatenated together. 
               The first value is an IPv6 address.  The second is an
               IPv6 network mask.  Note that ones (1s) in the network
               mask indicate that the corresponding bit in the address
               is fixed, while zeros (0s) indicate a 'wildcard' bit.

          'ipv4Range'   : a range of IPv4 addresses, represented by
               two four (4) octet values.  The first value is the
               beginning IPv4 address (inclusive) and the second 
               value is the ending IPv4 address (inclusive).  All
               addresses falling between the two specified addresses
               are considered to be within the list.

          'ipv6Range'   : a range of IPv6 addresses, represented by
               two sixteen (16) octet values.  The first value is the
               beginning IPv6 address (inclusive) and the second 
               value is the ending IPv6 address (inclusive).  All
               addresses falling between the two specified addresses
               are considered to be within the list.

          'caDistinguishedName' : the binary DER encoding of an ASN.1
               X.500 Distinguished Name [X.501]. 

          'caGeneralName' : the binary DER encoding of an ASN.1
               X.500 GeneralName [X.509].

          'groupNumber' : a four (4) octet group identifier."

    REFERENCE
        "IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol
         Section: IPSEC Identification Type
         http://www.iana.org/assignments/isakmp-registry
         
         RFC 4306 - Section: 3.5. Identification Payloads"
    SYNTAX          INTEGER  {
                        ipv4Address(1),
                        domainName(2),
                        userName(3),
                        ipv4Subnet(4),
                        ipv6Address(5),
                        ipv6Subnet(6),
                        ipv4Range(7),
                        ipv6Range(8),
                        caDistinguishedName(9),
                        caGeneralName(10),
                        groupNumber(11)
                    }

CgmGdoiIdentificationValue ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "255d"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the actual value used to
        identify a GDOI entity (i.e. Group, Key Server, or Group
        Member).  The value of the CgmGdoiIdentificationValue object can
        be parsed based on the value of the associated
        CgmGdoiIdentificationType object.

        The following CgmGdoiIdentificationType values indicate that the
        CgmGdoiIdentificationValue object should be parsed as a binary
        string of octets with the given lengths if a length is not
        associated with the object:

          ipv4Address(1)   -- 4 octets
          ipv4Subnet(4)    -- 8 octets
          ipv6Address(5)   -- 16 octets
          ipv6Subnet(6)    -- 32 octets
          ipv4Range(7)     -- 8 octets
          ipv6Range(8)     -- 32 octets
          groupNumber(11)  -- 4 octets

        The following CgmGdoiIdentificationType values indicate that
        the CgmGdoiIdentificationValue object should be parsed as an 
        ASCII string of characters. Note that a length MUST be 
        associated with the object in these cases:

          domainName(2)
          userName(3)
          caDistinguishedName(9)
          caGeneralName(10)

        Note that the length of 48 octets was chosen because the
        gdoiKsKekEntry, gdoiGmKekEntry, gdoiKsTekEntry, &
        gdoiGmTekEntry will exceed the OID size limit of 255 octets
        if this size is any larger than 48 octets."

    REFERENCE
        "IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol
         Section: IPSEC Identification Type
         http://www.iana.org/assignments/isakmp-registry
         
         RFC 4306 - Section: 3.5. Identification Payloads"
    SYNTAX          OCTET STRING (SIZE (0..48))

CgmGdoiKekSPI ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "16x"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating a SPI (Security Parameter
        Index) of sixteen (16) octets for a KEK.  The SPI must be the
        ISAKMP Header cookie pair where the first 8 octets become the
        'Initiator Cookie' field of the GROUPKEY-PUSH message ISAKMP
        HDR, and the second 8 octets become the 'Responder Cookie' in
        the same HDR.  These cookies are assigned by the Key Server."

    REFERENCE       "RFC 3547 - Section: 5.3. SA KEK Payload"
    SYNTAX          OCTET STRING (SIZE (16))

CgmGdoiIpProtocolId ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the IP
        Protocol being used for the rekey datagram.  Some possible
        values are:

          ID Value  ID Type
          --------  -------
             06       TCP    -- ipProtocolTCP
             17       UDP    -- ipProtocolUDP"

    REFERENCE       "RFC 3547 - Section: 5.3. SA KEK Payload"
    SYNTAX          INTEGER  {
                        ipProtocolUnknown(0),
                        ipProtocolTCP(1),
                        ipProtocolUDP(2)
                    }

CgmGdoiKeyManagementAlgorithm ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the key/KEK
        management algorithm being used to provide forward or
        backward access control (i.e. used to exclude group
        members).

        Following are the possible KEK management algorithm values &
        CgmGdoiKeyManagementAlgorithm mappings:

          KEK Management Type  Value
          -------------------  -----
           LKH                   1  -- keyMgmtLkh"

    REFERENCE       "RFC 3547 - Section: 5.3. SA KEK Payload"
    SYNTAX          INTEGER  {
                        keyMgmtNone(0),
                        keyMgmtLkh(1)
                    }

CgmGdoiEncryptionAlgorithm ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        encryption algorithm being used.

        Following are the possible updated encryption algorithm
        values & CgmGdoiEncryptionAlgorithm mappings after RFC 4306:

          Encryption Algorithm Type          Value
          ---------------------------------  -----
           ENCR_DES_IV64                       1  -- encrAlgDes64
           ENCR_DES                            2  -- encrAlgDes
           ENCR_3DES                           3  -- encrAlg3Des
           ENCR_RC5                            4  -- encrAlgRc5
           ENCR_IDEA                           5  -- encrAlgIdea
           ENCR_CAST                           6  -- encrAlgCast
           ENCR_BLOWFISH                       7  -- encrAlgBlowfish
           ENCR_3IDEA                          8  -- encrAlg3Idea
           ENCR_DES_IV32                       9  -- encrAlgDes32
           ENCR_NULL                           11 -- encrAlgNull
           ENCR_AES_CBC                        12 -- encrAlgAesCbc
           ENCR_AES_CTR                        13 -- encrAlgAesCtr
           ENCR_AES-CCM_8                      14 -- encrAlgAesCcm8
           ENCR_AES-CCM_12                     15 -- encrAlgAesCcm12
           ENCR_AES-CCM_16                     16 -- encrAlgAesCcm16
           AES-GCM (8-octet ICV)               18 -- encrAlgAesGcm8
           AES-GCM (12-octet ICV)              19 -- encrAlgAesGcm12
           AES-GCM (16-octet ICV)              20 -- encrAlgAesGcm16
           ENCR_NULL_AUTH_AES_GMAC             21 
               -- encrAlgNullAuthAesGmac
           ENCR_CAMELLIA_CBC                   23
               -- encrAlgCamelliaCbc
           ENCR_CAMELLIA_CTR                   24
               -- encrAlgCamelliaCtr
           ENCR_CAMELLIA_CCM (8-octet ICV)     25
               -- encrAlgCamelliaCcm8
           ENCR_CAMELLIA_CCM (12-octet ICV)    26
               -- encrAlgCamelliaCcm12
           ENCR_CAMELLIA_CCM (16-octet ICV)    27
               -- encrAlgCamelliaCcm16

        Following are the possible ESP transform identifiers &
        CgmGdoiEncryptionAlgorithm mappings from RFC 2407:

          IPsec ESP Transform ID    Value
          ------------------------  -----
           ESP_DES_IV64               1  -- encrAlgDes64
           ESP_DES                    2  -- encrAlgDes
           ESP_3DES                   3  -- encrAlg3Des
           ESP_RC5                    4  -- encrAlgRc5
           ESP_IDEA                   5  -- encrAlgIdea
           ESP_CAST                   6  -- encrAlgCast
           ESP_BLOWFISH               7  -- encrAlgBlowfish
           ESP_3IDEA                  8  -- encrAlg3Idea
           ESP_DES_IV32               9  -- encrAlgDes32
           ESP_RC4                    10 -- encrAlgRc4
           ESP_NULL                   11 -- encrAlgNull
           ESP_AES-CBC                12 -- encrAlgAesCbc
           ESP_AES-CTR                13 -- encrAlgAesCtr
           ESP_AES-CCM_8              14 -- encrAlgAesCcm8
           ESP_AES-CCM_12             15 -- encrAlgAesCcm12
           ESP_AES-CCM_16             16 -- encrAlgAesCcm16
           ESP_AES-GCM_8              18 -- encrAlgAesGcm8
           ESP_AES-GCM_12             19 -- encrAlgAesGcm12
           ESP_AES-GCM_16             20 -- encrAlgAesGcm16
           ESP_SEED_CBC               21 -- encrAlgSeedCbc
           ESP_CAMELLIA               22
               -- encrAlgCamelliaCbc, Ctr, Ccm8, Ccm12, Ccm16
           ESP_NULL_AUTH_AES-GMAC     23
               -- encrAlgNullAuthAesGmac

        Following are the possible KEK_ALGORITHM values specifying
        the encryption algorithm used with a KEK &
        CgmGdoiEncryptionAlgorithm mappings from the GDOI RFC 3547:

          Algorithm Type  Value
          --------------  -----
           KEK_ALG_DES      1  -- encrAlgDes
           KEK_ALG_3DES     2  -- encrAlg3Des
           KEK_ALG_AES      3  -- encrAlgAesCbc"

    REFERENCE
        "IANA IKEv2 Parameters
         Section: Encryption Algorithm Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         IANA 'Magic Numbers' for ISAKMP Protocol
         Section: IPSEC ESP Transform Identifiers
         http://www.iana.org/assignments/isakmp-registry
          
         RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
         RFC 3547 - Section: 5.3.3. KEK_ALGORITHM
         RFC 4306 - Section: 3.3.2. Transform Substructure
         RFC 4106, 4309, 4543, 5282, 5529"
    SYNTAX          INTEGER  {
                        encrAlgNone(0),
                        encrAlgDes64(1),
                        encrAlgDes(2),
                        encrAlg3Des(3),
                        encrAlgRc5(4),
                        encrAlgIdea(5),
                        encrAlgCast(6),
                        encrAlgBlowfish(7),
                        encrAlg3Idea(8),
                        encrAlgDes32(9),
                        encrAlgRc4(10),
                        encrAlgNull(11),
                        encrAlgAesCbc(12),
                        encrAlgAesCtr(13),
                        encrAlgAesCcm8(14),
                        encrAlgAesCcm12(15),
                        encrAlgAesCcm16(16),
                        encrAlgAesGcm8(18),
                        encrAlgAesGcm12(19),
                        encrAlgAesGcm16(20),
                        encrAlgNullAuthAesGmac(21),
                        encrAlgCamelliaCbc(23),
                        encrAlgCamelliaCtr(24),
                        encrAlgCamelliaCcm8(25),
                        encrAlgCamelliaCcm12(26),
                        encrAlgCamelliaCcm16(27),
                        encrAlgSeedCbc(28)
                    }

CgmGdoiPseudoRandomFunction ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        pseudo-random function (PRF) being used.

        Following are the possible updated PRF values &
        CgmGdoiPseudoRandomFunction mappings after RFC 4306:

          Pseudo-Random Function Type        Value
          ---------------------------------  -----
           PRF_HMAC_MD5                        1  -- prfMd5Hmac
           PRF_HMAC_SHA1                       2  -- prfSha1Hmac
           PRF_HMAC_TIGER                      3  -- prfTigerHmac
           PRF_AES128_XCBC                     4  -- prfAes128Xcbc
           PRF_HMAC_SHA2_256                   5  -- prfSha2Hmac256
           PRF_HMAC_SHA2_384                   6  -- prfSha2Hmac384
           PRF_HMAC_SHA2_512                   7  -- prfSha2Hmac512
           PRF_AES128_CMAC                     8  -- prfAes128Cmac

        Following are the possible SIG_HASH_ALGORITHM values &
        CgmGdoiPseudoRandomFunction mappings from the GDOI RFC 3547:

          Algorithm Type  Value
          --------------  -----
           SIG_HASH_MD5     1  -- prfMd5Hmac
           SIG_HASH_SHA1    2  -- prfSha1Hmac"

    REFERENCE
        "IANA IKEv2 Parameters
         Section: Pseudo-random Function Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM
         RFC 4306 - Section: 3.3.2. Transform Substructure
         RFC 4615, 4868"
    SYNTAX          INTEGER  {
                        prfNone(0),
                        prfMd5Hmac(1),
                        prfSha1Hmac(2),
                        prfTigerHmac(3),
                        prfAes128Xcbc(4),
                        prfSha2Hmac256(5),
                        prfSha2Hmac384(6),
                        prfSha2Hmac512(7),
                        prfAes128Cmac(8)
                    }

CgmGdoiIntegrityAlgorithm ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        integrity algorithm being used.

        Following are the possible updated integrity algorithm
        values & CgmGdoiIntegrityAlgorithm mappings after RFC 4306:

          Integrity Algorithm Type  Value
          ------------------------  -----
           AUTH_HMAC_MD5_96           1  -- authAlgMd5Hmac96
           AUTH_HMAC_SHA1_96          2  -- authAlgSha1Hmac96
           AUTH_DES_MAC               3  -- authAlgDesMac
           AUTH_KPDK_MD5              4  -- authAlgMd5Kpdk
           AUTH_AES_XCBC_96           5  -- authAlgAesXcbc96
           AUTH_HMAC_MD5_128          6  -- authAlgMd5Hmac128
           AUTH_HMAC_SHA1_160         7  -- authAlgSha1Hmac160
           AUTH_AES_CMAC_96           8  -- authAlgAesCmac96
           AUTH_AES_128_GMAC          9  -- authAlgAes128Gmac
           AUTH_AES_192_GMAC          10 -- authAlgAes192Gmac
           AUTH_AES_256_GMAC          11 -- authAlgAes256Gmac
           AUTH_HMAC_SHA2_256_128     12 -- authAlgSha2Hmac256to128
           AUTH_HMAC_SHA2_384_192     13 -- authAlgSha2Hmac384to192
           AUTH_HMAC_SHA2_512_256     14 -- authAlgSha2Hmac512to256

        Following are the possible legacy authentication algorithm
        values & CgmGdoiIntegrityAlgorithm mappings from RFC 2407:

          Algorithm Type  Value
          --------------  -----
           HMAC-MD5         1  -- authAlgMd5Hmac96
           HMAC-SHA         2  -- authAlgSha1Hmac96
           DES-MAC          3  -- authAlgDesMac
           KPDK             4  -- authAlgMd5Kpdk"

    REFERENCE
        "IANA IKEv2 Parameters
         Section: Integrity Algorithm Transform IDs
         http://www.iana.org/assignments/ikev2-parameters
          
         RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM
         RFC 4306 - Section: 3.3.2. Transform Substructure
         RFC 4494, 4543, 4595, 4868"
    SYNTAX          INTEGER  {
                        authAlgNone(0),
                        authAlgMd5Hmac96(1),
                        authAlgSha1Hmac96(2),
                        authAlgDesMac(3),
                        authAlgMd5Kpdk(4),
                        authAlgAesXcbc96(5),
                        authAlgMd5Hmac128(6),
                        authAlgSha1Hmac160(7),
                        authAlgAesCmac96(8),
                        authAlgAes128Gmac(9),
                        authAlgAes192Gmac(10),
                        authAlgAes256Gmac(11),
                        authAlgSha2Hmac256to128(12),
                        authAlgSha2Hmac384to192(13),
                        authAlgSha2Hmac512to256(14)
                    }

CgmGdoiSignatureMethod ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        integrity algorithm being used.

        Following are the possible updated authentication method
        values & CgmGdoiSignatureMethod mappings after RFC 4306:

          Authentication Method                Value
          -----------------------------------  -----
           RSA Digital Signature                 1  -- sigRsa
           Shared Key Message Integrity Code     2  -- sigSharedKey
           DSS Digital Signature                 3  -- sigDss
           ECDSA w/ SHA-256 (P-256 curve)        9  -- sigEcdsa256
           ECDSA w/ SHA-384 (P-384 curve)        10 -- sigEcdsa384
           ECDSA w/ SHA-512 (P-521 curve)        11 -- sigEcdsa512

        Following are the possible legacy IPsec authentication method
        values & CgmGdoiSignatureMethod mappings from RFC 2409:

          Authentication Method             Value
          --------------------------------  -----
           Pre-Shared Key                     1  -- sigSharedKey
           DSS Signature                      2  -- sigDss
           RSA Signature                      3  -- sigRsa
           Encryption w/ RSA                  4  -- sigEncryptRsa
           Revised Encryption w/ RSA          5  -- sigRevEncryptRsa
           ECDSA w/ SHA-256 (P-256 curve)     9  -- sigEcdsa256
           ECDSA w/ SHA-384 (P-384 curve)     10 -- sigEcdsa384
           ECDSA w/ SHA-512 (P-521 curve)     11 -- sigEcdsa512

        Following are the possible POP algorithm values &
        CgmGdoiSignatureMethod mappings from the GDOI RFC 3547:

          Algorithm Type  Value
          --------------  -----
           POP_ALG_RSA      1  -- sigRsa
           POP_ALG_DSS      2  -- sigDss
           POP_ALG_ECDSS    3  -- sigEcdsa256, 384, 512

        Following are the possible SIG_ALGORITHM values &
        CgmGdoiSignatureMethod mappings from the GDOI RFC 3547:

          Algorithm Type  Value
          --------------  -----
           SIG_ALG_RSA      1  -- sigRsa
           SIG_ALG_DSS      2  -- sigDss
           SIG_ALG_ECDSS    3  -- sigEcdsa256, 384, 512"

    REFERENCE
        "IANA IKEv2 Parameters
         Section: Integrity Algorithm Transform IDs
         http://www.iana.org/assignments/ikev2-parameters
          
         RFC 2409 - Section:  Appendix A. Authentication Method
         RFC 3547 - Sections: 5.3.        SA KEK payload
                              5.3.7.      SIG_ALGORITHM
         RFC 4306 - Section:  3.8.        Authentication Payload
         RFC 4754"
    SYNTAX          INTEGER  {
                        sigNone(0),
                        sigRsa(1),
                        sigSharedKey(2),
                        sigDss(3),
                        sigEncryptRsa(4),
                        sigRevEncryptRsa(5),
                        sigEcdsa256(9),
                        sigEcdsa384(10),
                        sigEcdsa512(11)
                    }

CgmGdoiDiffieHellmanGroup ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        Diffie-Hellman Group being used.

        Following are the possible updated Diffie-Hellman Group
        values & CgmGdoiDiffieHellmanGroup mappings after RFC 4306:

          Diffie-Hellman Group Type  Value
          -------------------------  -----
           NONE                        0  -- dhNone
           Group 1 - 768 Bit MODP      1  -- dhGroup1
           Group 2 - 1024 Bit MODP     2  -- dhGroup2
           1536-bit MODP Group         5  -- dh1536Modp
           2048-bit MODP Group         14 -- dh2048Modp
           3072-bit MODP Group         15 -- dh3072Modp
           4096-bit MODP Group         16 -- dh4096Modp
           6144-bit MODP Group         17 -- dh6144Modp
           8192-bit MODP Group         18 -- dh8192Modp
           256-bit random ECP group    19 -- dhEcp256
           84-bit random ECP group     20 -- dhEcp84
           521-bit random ECP group    21 -- dhEcp521
           1024-bit MODP w/ 160-bit    22 -- dh1024Modp160
             Prime Order Subgroup
           2048-bit MODP w/ 224-bit    23 -- dh2048Modp224
             Prime Order Subgroup
           2048-bit MODP w/ 256-bit    24 -- dh2048Modp256
             Prime Order Subgroup
           192-bit Random ECP Group    25 -- dhEcp192
           224-bit Random ECP Group    26 -- dhEcp224

        Following are the possible legacy Diffie-Hellman Group
        values & CgmGdoiDiffieHellmanGroup mappings from RFC 2409:

          Diffie-Hellman Group Type  Value
          -------------------------  -----
           Group 1 - 768 Bit MODP      1  -- dhGroup1 
           Group 2 - 1024 Bit MODP     2  -- dhGroup2
           EC2N group on GP[2^155]     3  -- dhEc2nGp155
           EC2N group on GP[2^185]     4  -- dhEc2nGp185"

    REFERENCE
        "IANA IKEv2 Parameters
         Section: Diffie-Hellman Group Transform IDs
         http://www.iana.org/assignments/ikev2-parameters
         
         RFC 2409 - Sections: 6.1. First Oakley Default Group
              6.2. Second Oakley Default Group
              6.3. Third Oakley Default Group
              6.4. Fourth Oakley Default Group"
    SYNTAX          INTEGER  {
                        dhNone(0),
                        dhGroup1(1),
                        dhGroup2(2),
                        dhEc2nGp155(3),
                        dhEc2nGp185(4),
                        dh1536Modp(5),
                        dh2048Modp(14),
                        dh3072Modp(15),
                        dh4096Modp(16),
                        dh6144Modp(17),
                        dh8192Modp(18),
                        dhEcp256(19),
                        dhEcp84(20),
                        dhEcp521(21),
                        dh1024Modp160(22),
                        dh2048Modp224(23),
                        dh2048Modp256(24),
                        dhEcp192(25),
                        dhEcp224(26)
                    }

CgmGdoiEncapsulationMode ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        Encapsulation Mode being used.

        Following are the possible Encapsulation Mode
        values & CgmGdoiEncapsulationMode mappings from RFC 2407:

          Encapsulation Mode            Value
          ----------------------------  -----
           Tunnel                         1  -- encapTunnel
           Transport                      2  -- encapTransport
           UDP-Encapsulated-Tunnel        3  -- encapUdpTunnel
           UDP-Encapsulated-Transport     4  -- encapUdpTransport"

    REFERENCE
        "IANA 'Magic Numbers' for ISAKMP Protocol
         Section: Encapsulation Mode
         http://www.iana.org/assignments/isakmp-registry

         RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
         RFC 3947"
    SYNTAX          INTEGER  {
                        encapUnknown(0),
                        encapTunnel(1),
                        encapTransport(2),
                        encapUdpTunnel(3),
                        encapUdpTransport(4)
                    }

CgmGdoiSecurityProtocol ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
        Security Protocol being used.

        Following are the possible Security Protocol ID
        values & CgmGdoiSecurityProtocol mappings from the
        GDOI RFC 3547:

          Security Protocol ID    Value
          ----------------------  -----
           GDOI_PROTO_IPSEC_ESP     1  -- secProtocolIpsecEsp"

    REFERENCE       "RFC 3547 - Section: 5.4. SA TEK Payload"
    SYNTAX          INTEGER  {
                        secProtocolUnknown(0),
                        secProtocolIpsecEsp(1)
                    }

CgmGdoiTekSPI ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "4x"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating a SPI (Security Parameter
        Index) of four (4) octets for a TEK using ESP."

    REFERENCE       "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    SYNTAX          OCTET STRING (SIZE (4))

CgmGdoiKekStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the status of a GDOI KEK and
        its corresponding Security Association (SA).

        'inUse' : KEK currently being used to encrypt new KEK/TEKs
        'new'   : KEK currently being sent to all peers
        'old'   : KEK that has expired and is no longer being used"
    SYNTAX          INTEGER  {
                        inUse(1),
                        new(2),
                        old(3)
                    }

CgmGdoiTekStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the status of a GDOI TEK and
        its corresponding Security Association (SA).

        'inbound'  : TEK is being used as inbound (receive) SA
        'outbound' : TEK is being used as outbound (transmit) SA
        'notInUse' : TEK is no longer being used"
    SYNTAX          INTEGER  {
                        inbound(1),
                        outbound(2),
                        notInUse(3)
                    }

CgmGdoiUnsigned16 ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "2d"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating a 16-bit unsigned integer
        value."
    SYNTAX          OCTET STRING (SIZE (2))

-- ------------------------------------------------------------------ --
-- GDOI MIB Groups
-- ------------------------------------------------------------------ --

cgmGdoiMIBNotifications  OBJECT IDENTIFIER
    ::= { ciscoGdoiMIB 0 }

cgmGdoiMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoGdoiMIB 1 }

cgmGdoiMIBConformance  OBJECT IDENTIFIER
    ::= { ciscoGdoiMIB 2 }


-- ------------------------------------------------------------------ --
-- GDOI MIB Notifications
-- ------------------------------------------------------------------ --
--   
-- *---------------------------------------------------------------- --
-- * GDOI Key Server (KS) Notifications
-- *---------------------------------------------------------------- --

cgmGdoiKeyServerNewRegistration NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "A notification from a Key Server sent when a new Group
        Member registers to a GDOI Group.  This is equivalent to a
        Key Server receiving the first message of a GROUPKEY-PULL
        exchange from a Group Member."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.   GROUPKEY-PULL Exchange
              3.4. Receiver Operations"
   ::= { cgmGdoiMIBNotifications 1 }

cgmGdoiKeyServerRegistrationComplete NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "A notification from a Key Server sent when a Group Member
        has successfully registered with it.  This is equivalent
        to a Key Server sending the last message of a GROUPKEY-PULL
        exchange to the Group Member currently registering
        containing KEKs, TEKs, and their associated policies."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.   GROUPKEY-PULL Exchange
              3.4. Receiver Operations"
   ::= { cgmGdoiMIBNotifications 2 }

cgmGdoiKeyServerRekeyPushed NOTIFICATION-TYPE
    OBJECTS         { cgmGdoiKeyServerRekeysPushed }
    STATUS          current
    DESCRIPTION
        "A notification from a Key Server sent when a GROUPKEY-PUSH
        message is sent to refresh KEK(s) and/or TEK(s).  A rekey
        is sent periodically by a Key Server based on a configured
        time to the Group Members registered to its GDOI Group."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              4.   GROUPKEY-PUSH Message
              4.7. GCKS Operations"
   ::= { cgmGdoiMIBNotifications 3 }

cgmGdoiKeyServerNoRsaKeys NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "An error notification from a Key Server sent when an RSA key
        is not set up.  Each Key Server and Group Member needs to have
        an RSA key established. The Key Server signs the TEK rekeys
        using this RSA key, also called a Key Encryption Key (KEK).
        The Group Member verifies the authenticity of the TEK rekey
        using this RSA key."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              4.7. GCKS Operations"
   ::= { cgmGdoiMIBNotifications 4 }

-- *---------------------------------------------------------------- --
-- * GDOI Group Member (GM) Notifications
-- *---------------------------------------------------------------- --

cgmGdoiGmRegister NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiGmRegKeyServerIdType,
                        cgmGdoiGmRegKeyServerIdValue
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it is starting to
        register with its GDOI Group's Key Server.  Registration
        includes downloading keying & security association material.
        This is equivalent to a Group Member or Initiator sending the
        first message of a GROUPKEY-PULL exchange to its Group's Key
        Server."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.   GROUPKEY-PULL Exchange
              3.3. Initiator Operations"
   ::= { cgmGdoiMIBNotifications 5 }

cgmGdoiGmRegistrationComplete NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiGmRegKeyServerIdType,
                        cgmGdoiGmRegKeyServerIdValue
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it has successfully
        registered with a Key Server in its GDOI Group.  This is
        equivalent to a Group Member receiving the last message of
        a GROUPKEY-PULL exchange from the Key Server containing
        KEKs, TEKs, and their associated policies."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.   GROUPKEY-PULL Exchange
              3.3. Initiator Operations"
   ::= { cgmGdoiMIBNotifications 6 }

cgmGdoiGmReRegister NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiGmRegKeyServerIdType,
                        cgmGdoiGmRegKeyServerIdValue
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it is starting to
        re-register with a Key Server in its GDOI Group.  A Group
        Member needs to re-register to the key server if its keying & 
        security association material has expired and it has not
        received a rekey from the key server to refresh the material.
        This is equivalent to a Group Member sending the first
        message of a GROUPKEY-PULL exchange to the Key Server of a
        Group it is already registered with."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.   GROUPKEY-PULL Exchange
              3.3. Initiator Operations"
   ::= { cgmGdoiMIBNotifications 7 }

cgmGdoiGmRekeyReceived NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiGmRegKeyServerIdType,
                        cgmGdoiGmRegKeyServerIdValue,
                        cgmGdoiGmRekeysReceived
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it has successfully
        received and processed a rekey from a Key Server in its GDOI
        Group.  Periodically the key server sends a rekey to refresh
        the keying & security association material.  This is
        equivalent to a Group Member receiving a GROUPKEY-PUSH
        message from the Key Server of the Group it is already
        registered with."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              4.   GROUPKEY-PUSH Message
              4.8. Group Member Operations"
   ::= { cgmGdoiMIBNotifications 8 }

cgmGdoiGmIncompleteCfg NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "An error notification from a Group Member when there is
        necessary information missing from the policy/configuration
        of a Group Member on an interface when it tries to register
        with a Key Server in its GDOI Group.  If the GDOI Group
        configuration is not complete on a Group Member, it will not
        be able to register to the Key Server."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.   GROUPKEY-PULL Exchange
              3.3. Initiator Operations"
   ::= { cgmGdoiMIBNotifications 9 }

cgmGdoiGmNoIpSecFlows NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "An error notification from a Group Member when no more
        security associations can be installed after receiving its
        keying & security association material.  When the Group
        Member receives the security association materials, it has
        to install the cryptographic keys and policies.  If there
        is not enough memory to install these materials, there will
        be an error thrown."
   ::= { cgmGdoiMIBNotifications 10 }

cgmGdoiGmRekeyFailure NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiGmRegKeyServerIdType,
                        cgmGdoiGmRegKeyServerIdValue,
                        cgmGdoiGmRekeysReceived
                    }
    STATUS          current
    DESCRIPTION
        "An error notification from a Group Member when it is unable
        to successfully process and install a rekey (GROUPKEY-PUSH
        message) sent by the Key Server in its Group that it is
        registered with."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              4.   GROUPKEY-PUSH Message
              4.8. Group Member Operations"
   ::= { cgmGdoiMIBNotifications 11 }

-- *---------------------------------------------------------------- --
-- * GDOI Key Server (KS) Notifications
-- *---------------------------------------------------------------- --

cgmGdoiKeyServerRoleChange NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiNotifGroupIdType,
                        cgmGdoiNotifGroupIdValue,
                        cgmGdoiNotifGroupName,
                        cgmGdoiNotifKeyServerIdType,
                        cgmGdoiNotifKeyServerIdValue,
                        cgmGdoiNotifKeyServerRole
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated when a Key Server changes its
        role from Primary to Secondary or vice-versa. The varbinds
        encapsulate the Group information, the Key Server identifier and
        the role it has moved to."
   ::= { cgmGdoiMIBNotifications 12 }

cgmGdoiKeyServerGmDeleted NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiNotifGroupIdType,
                        cgmGdoiNotifGroupIdValue,
                        cgmGdoiNotifGroupName,
                        cgmGdoiNotifKeyServerIdType,
                        cgmGdoiNotifKeyServerIdValue,
                        cgmGdoiNotifGmIdType,
                        cgmGdoiNotifGmIdValue
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated when a Group Member is deleted
        from a Key Server. The varbinds encapsulate the Group
        information, the Key Server identifier and the Group Member
        identifier which is deleted."
   ::= { cgmGdoiMIBNotifications 13 }

cgmGdoiKeyServerPeerReachable NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiNotifGroupIdType,
                        cgmGdoiNotifGroupIdValue,
                        cgmGdoiNotifGroupName,
                        cgmGdoiNotifKeyServerIdType,
                        cgmGdoiNotifKeyServerIdValue,
                        cgmGdoiNotifPeerKsIdType,
                        cgmGdoiNotifPeerKsIdValue
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated from a Key Server when an
        unreachable peer Key Server becomes reachable. The varbinds
        encapsulate the Group information, the Key Server identifier and
        the peer Key Server identifier."
   ::= { cgmGdoiMIBNotifications 14 }

cgmGdoiKeyServerPeerUnreachable NOTIFICATION-TYPE
    OBJECTS         {
                        cgmGdoiNotifGroupIdType,
                        cgmGdoiNotifGroupIdValue,
                        cgmGdoiNotifGroupName,
                        cgmGdoiNotifKeyServerIdType,
                        cgmGdoiNotifKeyServerIdValue,
                        cgmGdoiNotifPeerKsIdType,
                        cgmGdoiNotifPeerKsIdValue
                    }
    STATUS          current
    DESCRIPTION
        "This notification is generated from a Key Server when a
        reachable peer Key Server becomes unreachable. The varbinds
        encapsulate the Group information, the Key Server identifier and
        the peer Key Server identifier."
   ::= { cgmGdoiMIBNotifications 15 }

-- ------------------------------------------------------------------ --
-- GDOI MIB Management Objects
-- ------------------------------------------------------------------ --
--   
-- *---------------------------------------------------------------- --
-- * The GDOI "Group" Table
-- *---------------------------------------------------------------- --

cgmGdoiGroupTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiGroupEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Groups in use on
        the network device being queried."
    ::= { cgmGdoiMIBObjects 1 }

cgmGdoiGroupEntry OBJECT-TYPE
    SYNTAX          CgmGdoiGroupEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing GDOI Group information, uniquely
        identified by the GDOI Group ID."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue
                    } 
    ::= { cgmGdoiGroupTable 1 }

CgmGdoiGroupEntry ::= SEQUENCE {
        cgmGdoiGroupIdType                   CgmGdoiIdentificationType,
        cgmGdoiGroupIdLength                 Unsigned32,
        cgmGdoiGroupIdValue                  CgmGdoiIdentificationValue,
        cgmGdoiGroupName                     DisplayString,
        cgmGdoiGroupMemberCount              Unsigned32,
        cgmGdoiGroupActivePeerKeyServerCount Unsigned32,
        cgmGdoiGroupLastRekeyRetransmits     Unsigned32,
        cgmGdoiGroupLastRekeyTimeTaken       CiscoMilliSeconds
}

cgmGdoiGroupIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse a GDOI Group ID.
        The GDOI RFC 3547 defines the types that can be used as a
        GDOI Group ID, and RFC 4306 defines all valid types that can
        be used as an identifier.  This Group ID type is sent as the
        'ID Type' field of the Identification Payload for a GDOI
        GROUPKEY-PULL exchange."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads" 
    ::= { cgmGdoiGroupEntry 1 }

cgmGdoiGroupIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Group ID.  If no
        length is given (i.e. it has a value of 0), the default
        length of its cgmGdoiGroupIdType should be used as long as it
        is not represented by an ASCII string.  If the value has a
        type that is represented by an ASCII string, a length MUST
        be included.  If the length given is not 0, it should match
        the 'Payload Length' (subtracting the generic header length)
        of the Identification Payload for a GDOI GROUPKEY-PULL
        exchange."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads" 
    ::= { cgmGdoiGroupEntry 2 }

cgmGdoiGroupIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of a Group ID with its type indicated by the
        cgmGdoiGroupIdType.  Use the cgmGdoiGroupIdType to parse the 
        Group ID correctly.  This Group ID value is sent as the 
        'Identification Data' field of the Identification Payload
        for a GDOI GROUPKEY-PULL exchange."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads" 
    ::= { cgmGdoiGroupEntry 3 }

cgmGdoiGroupName OBJECT-TYPE
    SYNTAX          DisplayString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The string-readable name configured for or given to a GDOI
        Group." 
    ::= { cgmGdoiGroupEntry 4 }

cgmGdoiGroupMemberCount OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The count of registered Group Members to this group, on a Key
        Server." 
    ::= { cgmGdoiGroupEntry 5 }

cgmGdoiGroupActivePeerKeyServerCount OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The count of the active Key Server sessions between the local
        Key Server and peer Key Servers for this group." 
    ::= { cgmGdoiGroupEntry 6 }

cgmGdoiGroupLastRekeyRetransmits OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This variable returns the cumulative count of rekey
        messages and retransmits during the last rekey cycle. This
        count displays the information pertaining to Group Members only
        (and is not related to any sync operation pertaining to peer Key
        Servers). This information is a reflection of rekey operation on
        a Key Server that performs a rekey, and is not available for the
        Key Server(s) which do not perform rekeys since they do not 
        receive any ACKs. While a rekey is in progress, this variable 
        will give information of the last rekey operation." 
    ::= { cgmGdoiGroupEntry 7 }

cgmGdoiGroupLastRekeyTimeTaken OBJECT-TYPE
    SYNTAX          CiscoMilliSeconds
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This variable returns the duration (in milliseconds) of the
        last rekey operation. This information is valid for a Key 
        Server that performs a rekey, and is not available for the
        Key Server(s) which do not perform rekeys since they do not 
        receive any ACKs. While a rekey is in progress, this variable 
        will give information of the last rekey operation." 
    ::= { cgmGdoiGroupEntry 8 }
 

-- *---------------------------------------------------------------- --
-- * GDOI MIB Management Object Groups
-- *---------------------------------------------------------------- --

cgmGdoiPeers  OBJECT IDENTIFIER
    ::= { cgmGdoiMIBObjects 2 }

cgmGdoiSecAssociations  OBJECT IDENTIFIER
    ::= { cgmGdoiMIBObjects 3 }

cgmGdoiNotifCntl  OBJECT IDENTIFIER
    ::= { cgmGdoiMIBObjects 4 }

-- #-------------------------------------------------------------- --
-- # The GDOI Notification Variables Table
-- #-------------------------------------------------------------- --

cgmGdoiNotifVars  OBJECT IDENTIFIER
    ::= { cgmGdoiMIBObjects 5 }

-- *---------------------------------------------------------------- --
-- * The GDOI "Peers" Group
-- *---------------------------------------------------------------- --
--   
-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS)" Table
-- #-------------------------------------------------------------- --

cgmGdoiKeyServerTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiKeyServerEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information for the GDOI group from the perspective
        of the Key Servers (GCKSs) on the network device being
        queried."
    ::= { cgmGdoiPeers 1 }

cgmGdoiKeyServerEntry OBJECT-TYPE
    SYNTAX          CgmGdoiKeyServerEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing GDOI Key Server (KS) information,
        uniquely identified by the Group & Key Server IDs."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.4. Receiver Operations
              4.7. GCKS Operations"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiKeyServerIdType,
                        cgmGdoiKeyServerIdValue
                    } 
    ::= { cgmGdoiKeyServerTable 1 }

CgmGdoiKeyServerEntry ::= SEQUENCE {
        cgmGdoiKeyServerIdType        CgmGdoiIdentificationType,
        cgmGdoiKeyServerIdLength      Unsigned32,
        cgmGdoiKeyServerIdValue       CgmGdoiIdentificationValue,
        cgmGdoiKeyServerActiveKEK     CgmGdoiKekSPI,
        cgmGdoiKeyServerRekeysPushed  Counter32,
        cgmGdoiKeyServerRole          CgmGdoiKsRole,
        cgmGdoiKeyServerRegisteredGMs Unsigned32
}

cgmGdoiKeyServerIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for a Key Server.  RFC 4306 defines all valid
        types that can be used as an identifier.  These
        identification types are sent as the 'SRC ID Type' and 'DST
        ID Type' of the KEK and TEK payloads for GDOI GROUPKEY-PULL
        and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads" 
    ::= { cgmGdoiKeyServerEntry 1 }

cgmGdoiKeyServerIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Key Server ID.  If no
        length is given (i.e. it has a value of 0), the default
        length of its cgmGdoiKeyServerIdType should be used as long as
        it is not represented by an ASCII string.  If the value has a
        type that is represented by an ASCII string, a length MUST
        be included.  If the length given is not 0, it should match
        the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in
        the KEK and TEK payloads for GDOI GROUPKEY-PULL and
        GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKeyServerEntry 2 }

cgmGdoiKeyServerIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the identity information for a Key Server with
        its type indicated by the cgmGdoiKeyServerIdType.  Use the
        cgmGdoiKeyServerIdType to parse the Key Server ID correctly.
        This Key Server ID value is sent as the 'SRC
        Identification Data' and 'DST Identification Data' of the
        KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
        exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKeyServerEntry 3 }

cgmGdoiKeyServerActiveKEK OBJECT-TYPE
    SYNTAX          CgmGdoiKekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The SPI of the Key Encryption Key (KEK) that is currently
        being used by the Key Server to encrypt the GROUPKEY-PUSH
        keying & security association material sent to the Key
        Server's registered Group Members."
    REFERENCE       "RFC 3547 - Section: 5.3. SA KEK payload" 
    ::= { cgmGdoiKeyServerEntry 4 }

cgmGdoiKeyServerRekeysPushed OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The sequence number of the last rekey sent from the Key
        Server to its registered Group Members for this GDOI group."
    REFERENCE
        "RFC 3547 - Sections: 3.2. Messages
              3.4. Receiver Operations
              4.   GROUPKEY-PUSH Message
              4.7. GCKS Operations
              5.6. Sequence Number Payload" 
    ::= { cgmGdoiKeyServerEntry 5 }

cgmGdoiKeyServerRole OBJECT-TYPE
    SYNTAX          CgmGdoiKsRole
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The current role of the queried Key Server for the Group." 
    ::= { cgmGdoiKeyServerEntry 6 }

cgmGdoiKeyServerRegisteredGMs OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The count of registered Group Members to the Key Server
        identified by the index." 
    ::= { cgmGdoiKeyServerEntry 7 }
 

-- #-------------------------------------------------------------- --
-- # The GDOI "Group Members" Table
-- #-------------------------------------------------------------- --

cgmGdoiGmTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiGmEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Group Members (GMs)
        locally configured on the network device being queried.  Note
        that Local Group Members may or may not be registered to a
        Key Server in its GDOI Group on the same network device being
        queried."
    ::= { cgmGdoiPeers 2 }

cgmGdoiGmEntry OBJECT-TYPE
    SYNTAX          CgmGdoiGmEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing Local GDOI Group Member information,
        uniquely identified by Group & GM IDs. Because the Group
        Member is Local to the network device being queried, TEKs
        installed for this Group Member can be queried as well."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
              3.3. Initiator Operations
              4.8. Group Member Operations"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiGmIdType,
                        cgmGdoiGmIdValue
                    } 
    ::= { cgmGdoiGmTable 1 }

CgmGdoiGmEntry ::= SEQUENCE {
        cgmGdoiGmIdType               CgmGdoiIdentificationType,
        cgmGdoiGmIdLength             Unsigned32,
        cgmGdoiGmIdValue              CgmGdoiIdentificationValue,
        cgmGdoiGmRegKeyServerIdType   CgmGdoiIdentificationType,
        cgmGdoiGmRegKeyServerIdLength Unsigned32,
        cgmGdoiGmRegKeyServerIdValue  CgmGdoiIdentificationValue,
        cgmGdoiGmActiveKEK            CgmGdoiKekSPI,
        cgmGdoiGmRekeysReceived       Counter32,
        cgmGdoiGmActiveTEKNum         Counter32
}

cgmGdoiGmIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for an Initiator or Group Member.  RFC 4306
        defines all valid types that can be used as an identifier.
        These identification types are sent as the 'SRC ID Type' and
        'DST ID Type' of the KEK and TEK payloads for GDOI
        GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads" 
    ::= { cgmGdoiGmEntry 1 }

cgmGdoiGmIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Group Member ID.  If
        no length is given (i.e. it has a value of 0), the default
        length of its cgmGdoiGmIdType should be used as long as
        it is not represented by an ASCII string.  If the value has a
        type that is represented by an ASCII string, a length MUST
        be included.  If the length given is not 0, it should match
        the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in
        the KEK and TEK payloads for GDOI GROUPKEY-PULL and
        GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmEntry 2 }

cgmGdoiGmIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the identity information for a Group Member with
        its type indicated by the cgmGdoiGmIdType.  Use the
        cgmGdoiGmIdType to parse the Group Member ID correctly.
        This Group Member ID value is sent as the 'SRC
        Identification Data' and 'DST Identification Data' of the
        KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
        exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmEntry 3 }

cgmGdoiGmRegKeyServerIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information of this Group Member's registered Key Server.
        RFC 4306 defines all valid types that can be used as an
        identifier.  These identification types are sent as the 'SRC
        ID Type' and 'DST ID Type' of the KEK and TEK payloads for
        GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads" 
    ::= { cgmGdoiGmEntry 4 }

cgmGdoiGmRegKeyServerIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the registered Key
        Server's ID.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiGmRegKeyServerIdType
        should be used as long as it is not represented by an ASCII
        string.  If the value has a type that is represented by an
        ASCII string, a length MUST be included.  If the length given
        is not 0, it should match the 'SRC ID Data Len' and 'DST ID
        Data Len' fields sent in the KEK and TEK payloads for GDOI
        GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmEntry 5 }

cgmGdoiGmRegKeyServerIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for this Group Member's
        registered Key Server with its type indicated by the
        cgmGdoiGmRegKeyServerIdType.  Use the
        cgmGdoiGmRegKeyServerIdType to parse the registered Key
        Server's ID correctly.  This Key Server ID value is sent as
        the 'SRC Identification Data' and 'DST Identification Data'
        of the KEK and TEK payloads for GDOI GROUPKEY-PULL and
        GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
              5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmEntry 6 }

cgmGdoiGmActiveKEK OBJECT-TYPE
    SYNTAX          CgmGdoiKekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The SPI of the Key Encryption Key (KEK) that is currently
        being used by the Group Member to authenticate & decrypt a
        rekey from a GROUPKEY-PUSH message." 
    ::= { cgmGdoiGmEntry 7 }

cgmGdoiGmRekeysReceived OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The sequence number of the last rekey successfully received
        from this Group Member's registered Key Server."
    REFERENCE
        "RFC 3547 - Sections: 3.2. Messages
              3.3. Initiator Operations
              4.   GROUPKEY-PUSH Message
              4.8. Group Member Operations
              5.6. Sequence Number Payload" 
    ::= { cgmGdoiGmEntry 8 }

cgmGdoiGmActiveTEKNum OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "Number of traffic encryption keys"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The number of active traffic encryption keys (TEKs) currently
        being used by the Group Member to encrypt/decrypt/authenticate
        dataplane traffic." 
    ::= { cgmGdoiGmEntry 9 }
 

-- #-------------------------------------------------------------- --
-- # The COOP Peer Table
-- #-------------------------------------------------------------- --

cgmGdoiCoopPeerTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiCoopPeerEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information for the Cooperative Key Server (COOP KS)
        peer(s). Multiple COOP KSs are required to ensure seamless 
        fault recovery if a KS fails or becomes unreachable. The
        information populated in this table is extracted from the COOP
        messages exchanged between the local KS (device being queried)
        and the COOP Peer(s)."
    ::= { cgmGdoiPeers 3 }

cgmGdoiCoopPeerEntry OBJECT-TYPE
    SYNTAX          CgmGdoiCoopPeerEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing COOP Peer Key Server's (KS) information,
        uniquely identified by the Group & Peer Key Server IDs."
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiCoopPeerIdType,
                        cgmGdoiCoopPeerIdValue
                    } 
    ::= { cgmGdoiCoopPeerTable 1 }

CgmGdoiCoopPeerEntry ::= SEQUENCE {
        cgmGdoiCoopPeerIdType        CgmGdoiIdentificationType,
        cgmGdoiCoopPeerIdLength      Unsigned32,
        cgmGdoiCoopPeerIdValue       CgmGdoiIdentificationValue,
        cgmGdoiCoopPeerRole          CgmGdoiKsRole,
        cgmGdoiCoopPeerStatus        CgmGdoiKsStatus,
        cgmGdoiCoopPeerRegisteredGMs Unsigned32
}

cgmGdoiCoopPeerIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for a Key Server.  RFC 4306 defines all valid types
        that can be used as an identifier.  These identification types
        are sent as the 'SRC ID Type' and 'DST ID Type' of the KEK and
        TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
        exchanges." 
    ::= { cgmGdoiCoopPeerEntry 1 }

cgmGdoiCoopPeerIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Peer (Key Server) ID.
        If no length is given (i.e. it has a value of 0), the default
        length of its cgmGdoiCoopPeerIdType should be used as long as it
        is not represented by an ASCII string.  If the value has a type
        that is represented by an ASCII string, a length MUST be
        included.  If the length given is not 0, it should match the
        'SRC ID Data Len' and 'DST ID Data Len' fields sent in the KEK
        and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
        exchanges." 
    ::= { cgmGdoiCoopPeerEntry 2 }

cgmGdoiCoopPeerIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the identity information for a COOP Key Server
        with its type indicated by the cgmGdoiCoopPeerIdType. Use the
        cgmGdoiCoopPeerIdType to parse the COOP Peer (Key Server) ID
        correctly. This COOP Peer (Key Server) ID value is sent as the
        'SRC Identification Data' and 'DST Identification Data' of the
        KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
        exchanges." 
    ::= { cgmGdoiCoopPeerEntry 3 }

cgmGdoiCoopPeerRole OBJECT-TYPE
    SYNTAX          CgmGdoiKsRole
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The current role of the COOP Peer (Key Server) for the Group." 
    ::= { cgmGdoiCoopPeerEntry 4 }

cgmGdoiCoopPeerStatus OBJECT-TYPE
    SYNTAX          CgmGdoiKsStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The current status of the COOP Peer (Key Server) as seen from
        the local Key Server." 
    ::= { cgmGdoiCoopPeerEntry 5 }

cgmGdoiCoopPeerRegisteredGMs OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The count of registered Group Members to the COOP Peer (Key
        Server) identified by the index." 
    ::= { cgmGdoiCoopPeerEntry 6 }
 

-- *---------------------------------------------------------------- --
-- * The GDOI "Security Associations (SA)" Group
-- *---------------------------------------------------------------- --
--   
-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS) KEK Policy/SA" Table
-- #-------------------------------------------------------------- --

cgmGdoiKsKekTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiKsKekEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Key Encryption Key
        (KEK) Policies & Security Associations (SAs) currently
        configured/installed for GDOI entities acting as Key Servers
        on the network device being queried.  There is one entry in
        this table for each KEK Policy/SA that has been
        configured/installed.  Each KEK Policy/SA is uniquely
        identified by a SPI at any given time."
    ::= { cgmGdoiSecAssociations 1 }

cgmGdoiKsKekEntry OBJECT-TYPE
    SYNTAX          CgmGdoiKsKekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI KEK
        Policy/SA, uniquely identified by the Group ID, Key Server
        ID, & SPI value assigned by the given Key Server to the KEK.
        There will be at least one KEK Policy/SA entry for each Key
        Server & two KEK Policy/SA entries for a given Key Server 
        only during a KEK rekey when a new KEK is created/installed.
        The KEK SPI is unique for every KEK for a given Key Server."
    REFERENCE
        "RFC 3547 - Sections: 1.     Introduction
                              3.2.   Messages
                              4.     GROUPKEY-PUSH Message
                              5.3.   SA KEK Payload
                              5.3.1. KEK Attributes
                              5.5.   Key Download Payload"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiKeyServerIdType,
                        cgmGdoiKeyServerIdValue,
                        cgmGdoiKsKekIndex
                    } 
    ::= { cgmGdoiKsKekTable 1 }

CgmGdoiKsKekEntry ::= SEQUENCE {
        cgmGdoiKsKekIndex             Unsigned32,
        cgmGdoiKsKekSPI               CgmGdoiKekSPI,
        cgmGdoiKsKekSrcIdType         CgmGdoiIdentificationType,
        cgmGdoiKsKekSrcIdLength       Unsigned32,
        cgmGdoiKsKekSrcIdValue        CgmGdoiIdentificationValue,
        cgmGdoiKsKekSrcIdPort         CgmGdoiUnsigned16,
        cgmGdoiKsKekDstIdType         CgmGdoiIdentificationType,
        cgmGdoiKsKekDstIdLength       Unsigned32,
        cgmGdoiKsKekDstIdValue        CgmGdoiIdentificationValue,
        cgmGdoiKsKekDstIdPort         CgmGdoiUnsigned16,
        cgmGdoiKsKekIpProtocol        CgmGdoiIpProtocolId,
        cgmGdoiKsKekMgmtAlg           CgmGdoiKeyManagementAlgorithm,
        cgmGdoiKsKekEncryptAlg        CgmGdoiEncryptionAlgorithm,
        cgmGdoiKsKekEncryptKeyLength  Unsigned32,
        cgmGdoiKsKekSigHashAlg        CgmGdoiPseudoRandomFunction,
        cgmGdoiKsKekSigAlg            CgmGdoiSignatureMethod,
        cgmGdoiKsKekSigKeyLength      Unsigned32,
        cgmGdoiKsKekOakleyGroup       CgmGdoiDiffieHellmanGroup,
        cgmGdoiKsKekOriginalLifetime  Unsigned32,
        cgmGdoiKsKekRemainingLifetime Unsigned32,
        cgmGdoiKsKekStatus            CgmGdoiKekStatus
}

cgmGdoiKsKekIndex OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The index of the KS KEK.  The value of the index is a number
        which begins at one and is incremented with each KS KEK that 
        is to be created by the KS for that GDOI group." 
    ::= { cgmGdoiKsKekEntry 1 }

cgmGdoiKsKekSPI OBJECT-TYPE
    SYNTAX          CgmGdoiKekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a KEK
        Policy/SA.  The SPI must be the ISAKMP Header cookie pair
        where the first 8 octets become the 'Initiator Cookie' field
        of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8
        octets become the 'Responder Cookie' in the same HDR.  As
        described above, these cookies are assigned by the GCKS." 
    ::= { cgmGdoiKsKekEntry 2 }

cgmGdoiKsKekSrcIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the source of a KEK Policy/SA.  RFC 4306
        defines all valid types that can be used as an identifier.
        This identification type is sent as the 'SRC ID Type' of
        the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads" 
    ::= { cgmGdoiKsKekEntry 3 }

cgmGdoiKsKekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
        a KEK Policy/SA.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiKsKekSrcIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'SRC ID Data Len' field sent in the KEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 4 }

cgmGdoiKsKekSrcIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
        a KEK Policy/SA with its type indicated by the
        cgmGdoiKsKekSrcIdType.  Use the cgmGdoiKsKekSrcIdType to parse 
        the KEK Source ID correctly.  This ID value is sent as the 'SRC
        Identification Data' of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 5 }

cgmGdoiKsKekSrcIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
        a KEK Policy/SA.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'SRC ID Port'
        field of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 6 }

cgmGdoiKsKekDstIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the destination of a KEK Policy/SA (multicast
        rekey address).  RFC 4306 defines all valid types that can 
        be used as an identifier. This identification type is sent as 
        the 'DST ID Type' of the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads" 
    ::= { cgmGdoiKsKekEntry 7 }

cgmGdoiKsKekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
        a KEK Policy/SA (multicast rekey address).  If no length is 
        given (i.e. it has a value of 0), the default length of its
        cgmGdoiKsKekDstIdType should be used as long as it is not
        represented by an ASCII string.  If the value has a type that
        is represented by an ASCII string, a length MUST be included.  
        If the length given is not 0, it should match the 'DST ID Data 
        Len' field sent in the KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 8 }

cgmGdoiKsKekDstIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
        a KEK Policy/SA (multicast rekey address) with its type 
        indicated by the cgmGdoiKsKekDstIdType.  Use the 
        cgmGdoiKsKekDstIdType to parse the KEK Destination ID correctly.
        This ID value is sent as the 'DST Identification Data' of a 
        KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 9 }

cgmGdoiKsKekDstIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the destination ID
        of a KEK Policy/SA.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'DST ID Port'
        field of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 10 }

cgmGdoiKsKekIpProtocol OBJECT-TYPE
    SYNTAX          CgmGdoiIpProtocolId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the IP protocol ID (e.g. UDP/TCP) being used
        for the rekey datagram."
    REFERENCE       "RFC 3547 - Section: 5.3. SA KEK payload" 
    ::= { cgmGdoiKsKekEntry 11 }

cgmGdoiKsKekMgmtAlg OBJECT-TYPE
    SYNTAX          CgmGdoiKeyManagementAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_MANAGEMENT_ALGORITHM which specifies
        the group KEK management algorithm used to provide forward
        or backward access control (i.e. used to exclude group
        members).

          KEK Management Type  Value
          -------------------  -----
           RESERVED              0
           LKH                   1
           RESERVED              2-127
           Private Use           128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM" 
    ::= { cgmGdoiKsKekEntry 12 }

cgmGdoiKsKekEncryptAlg OBJECT-TYPE
    SYNTAX          CgmGdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_ALGORITHM which specifies the
        encryption algorithm used with the KEK Policy/SA.  A GDOI
        implementation must support KEK_ALG_3DES.

        Following are the KEK encryption algorithm values defined in
        the GDOI RFC 3547; however, the CgmGdoiEncryptionAlgorithm TC
        defines all possible values.

          Algorithm Type  Value
          --------------  -----
           RESERVED         0
           KEK_ALG_DES      1
           KEK_ALG_3DES     2
           KEK_ALG_AES      3
           RESERVED         4-127
           Private Use      128-255"
    REFERENCE       "RFC 3547 - Section 5.3.3. KEK_ALGORITHM" 
    ::= { cgmGdoiKsKekEntry 13 }

cgmGdoiKsKekEncryptKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LENGTH which specifies the KEK
        Algorithm key length (in bits)."
    REFERENCE       "RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH" 
    ::= { cgmGdoiKsKekEntry 14 }

cgmGdoiKsKekSigHashAlg OBJECT-TYPE
    SYNTAX          CgmGdoiPseudoRandomFunction
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_HASH_ALGORITHM which specifies the SIG
        payload hash algorithm.  This is not required (i.e. could
        have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or
        SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a
        value of zero or SIG_HASH_SHA1).

        Following are the Signature Hash Algorithm values defined in
        the GDOI RFC 3547; however, the CgmGdoiPseudoRandomFunction TC
        defines all possible values.

          Algorithm Type  Value
          --------------  -----
           RESERVED         0
           SIG_HASH_MD5     1
           SIG_HASH_SHA1    2
           RESERVED         3-127
           Private Use      128-255"
    REFERENCE       "RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM" 
    ::= { cgmGdoiKsKekEntry 15 }

cgmGdoiKsKekSigAlg OBJECT-TYPE
    SYNTAX          CgmGdoiSignatureMethod
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_ALGORITHM which specifies the SIG
        payload signature algorithm.  A GDOI implementation must
        support SIG_ALG_RSA.

        Following are the Signature Algorithm values defined in
        the GDOI RFC 3547; however, the CgmGdoiSignatureMethod TC
        defines all possible values.

          Algorithm Type  Value
          --------------  -----
           RESERVED         0
           SIG_ALG_RSA      1
           SIG_ALG_DSS      2
           SIG_ALG_ECDSS    3
           RESERVED         4-127
           Private Use      128-255"
    REFERENCE       "RFC 3547 - Section: 5.3.7. SIG_ALGORITHM" 
    ::= { cgmGdoiKsKekEntry 16 }

cgmGdoiKsKekSigKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_KEY_LENGTH which specifies the length
        of the SIG payload key."
    REFERENCE       "RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH" 
    ::= { cgmGdoiKsKekEntry 17 }

cgmGdoiKsKekOakleyGroup OBJECT-TYPE
    SYNTAX          CgmGdoiDiffieHellmanGroup
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KE_OAKLEY_GROUP which specifies the OAKLEY
        or Diffie-Hellman Group used to compute the PFS secret in the
        optional KE payload of the GDOI GROUPKEY-PULL exchange."
    REFERENCE       "RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP" 
    ::= { cgmGdoiKsKekEntry 18 }

cgmGdoiKsKekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LIFETIME which specifies the maximum
        time for which a KEK is valid.  The GCKS may refresh the KEK
        at any time before the end of the valid period.  The value is
        a four (4) octet (32-bit) number defining a valid time period
        in seconds."
    REFERENCE       "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" 
    ::= { cgmGdoiKsKekEntry 19 }

cgmGdoiKsKekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a KEK is valid.
        The value is a four (4) octet (32-bit) number which begins at
        the value of cgmGdoiKsKekOriginalLifetime when the KEK is sent
        and counts down to zero in seconds.  If the lifetime has
        already expired, this value should remain at zero (0) until
        the Key Server refreshes the KEK."
    REFERENCE       "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" 
    ::= { cgmGdoiKsKekEntry 20 }

cgmGdoiKsKekStatus OBJECT-TYPE
    SYNTAX          CgmGdoiKekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the KEK Policy/SA.  When this status value is
        queried, one of the following is returned:
        inUse(1), new(2), old(3)." 
    ::= { cgmGdoiKsKekEntry 21 }
 

-- #-------------------------------------------------------------- --
-- # The GDOI "Group Member (GM) KEK SA" Table
-- #-------------------------------------------------------------- --

cgmGdoiGmKekTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiGmKekEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Key Encryption Key
        (KEK) Security Associations (SAs) currently installed for
        GDOI entities acting as Group Members on the network device
        being queried.  There is one entry in this table for each
        KEK SA that has been installed and not yet deleted.  Each
        KEK SA is uniquely identified by a SPI at any given time."
    ::= { cgmGdoiSecAssociations 2 }

cgmGdoiGmKekEntry OBJECT-TYPE
    SYNTAX          CgmGdoiGmKekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI KEK
        SA, uniquely identified by the Group ID, Group Member (GM)
        ID, & SPI value assigned by the GM's registered Key Server to
        the KEK.  There will be at least one KEK SA entry for each GM
        & two KEK SA entries for a given GM only during a KEK rekey
        when a new KEK is received & installed.  The KEK SPI is
        unique for every KEK for a given Group Member."
    REFERENCE
        "RFC 3547 - Sections: 1.     Introduction
          3.2.   Messages
          4.     GROUPKEY-PUSH Message
          5.3.   SA KEK Payload
          5.3.1. KEK Attributes
          5.5.   Key Download Payload"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiGmIdType,
                        cgmGdoiGmIdValue,
                        cgmGdoiGmKekIndex
                    } 
    ::= { cgmGdoiGmKekTable 1 }

CgmGdoiGmKekEntry ::= SEQUENCE {
        cgmGdoiGmKekIndex             Unsigned32,
        cgmGdoiGmKekSPI               CgmGdoiKekSPI,
        cgmGdoiGmKekSrcIdType         CgmGdoiIdentificationType,
        cgmGdoiGmKekSrcIdLength       Unsigned32,
        cgmGdoiGmKekSrcIdValue        CgmGdoiIdentificationValue,
        cgmGdoiGmKekSrcIdPort         CgmGdoiUnsigned16,
        cgmGdoiGmKekDstIdType         CgmGdoiIdentificationType,
        cgmGdoiGmKekDstIdLength       Unsigned32,
        cgmGdoiGmKekDstIdValue        CgmGdoiIdentificationValue,
        cgmGdoiGmKekDstIdPort         CgmGdoiUnsigned16,
        cgmGdoiGmKekIpProtocol        CgmGdoiIpProtocolId,
        cgmGdoiGmKekMgmtAlg           CgmGdoiKeyManagementAlgorithm,
        cgmGdoiGmKekEncryptAlg        CgmGdoiEncryptionAlgorithm,
        cgmGdoiGmKekEncryptKeyLength  Unsigned32,
        cgmGdoiGmKekSigHashAlg        CgmGdoiPseudoRandomFunction,
        cgmGdoiGmKekSigAlg            CgmGdoiSignatureMethod,
        cgmGdoiGmKekSigKeyLength      Unsigned32,
        cgmGdoiGmKekOakleyGroup       CgmGdoiDiffieHellmanGroup,
        cgmGdoiGmKekOriginalLifetime  Unsigned32,
        cgmGdoiGmKekRemainingLifetime Unsigned32,
        cgmGdoiGmKekStatus            CgmGdoiKekStatus
}

cgmGdoiGmKekIndex OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The index of the GM KEK in the table.  The value of the index
        is a number which begins at one and is incremented with each
        KEK that is used by the GM for that GDOI group."
    ::= { cgmGdoiGmKekEntry 1 }

cgmGdoiGmKekSPI OBJECT-TYPE
    SYNTAX          CgmGdoiKekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a KEK
        SA.  The SPI must be the ISAKMP Header cookie pair
        where the first 8 octets become the 'Initiator Cookie' field
        of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8
        octets become the 'Responder Cookie' in the same HDR.  As
        described above, these cookies are assigned by the GCKS." 
    ::= { cgmGdoiGmKekEntry 2 }

cgmGdoiGmKekSrcIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the source of a KEK SA.  RFC 4306
        defines all valid types that can be used as an identifier.
        This identification type is sent as the 'SRC ID Type' of
        the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads" 
    ::= { cgmGdoiGmKekEntry 3 }

cgmGdoiGmKekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
        a KEK SA.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiGmKekSrcIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'SRC ID Data Len' field sent in the KEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 4 }

cgmGdoiGmKekSrcIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
        a KEK SA with its type indicated by the
        cgmGdoiGmKekSrcIdType.  Use the cgmGdoiGmKekSrcIdType to parse 
        the KEK Source ID correctly.  This ID value is sent as the 'SRC
        Identification Data' of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 5 }

cgmGdoiGmKekSrcIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
        a KEK SA.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'SRC ID Port'
        field of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 6 }

cgmGdoiGmKekDstIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the dest. (multicast rekey address) of a 
        KEK SA.  RFC 4306 defines all valid types that can be used 
        as an identifier. This identification type is sent as the 
        'DST ID Type' of the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads" 
    ::= { cgmGdoiGmKekEntry 7 }

cgmGdoiGmKekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
        a KEK SA.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiGmKekDstIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'DST ID Data Len' field sent in the KEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 8 }

cgmGdoiGmKekDstIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
        a KEK SA (multicast rekey address) with its type indicated by 
        cgmGdoiGmKekDstIdType.  Use the cgmGdoiGmKekDstIdType to parse 
        the KEK Dest. ID correctly.  This ID value is sent as the 'DST
        Identification Data' of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 9 }

cgmGdoiGmKekDstIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
        a KEK SA.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'DST ID Port'
        field of a KEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 10 }

cgmGdoiGmKekIpProtocol OBJECT-TYPE
    SYNTAX          CgmGdoiIpProtocolId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the IP protocol ID (e.g. UDP/TCP) being used
        for the rekey datagram."
    REFERENCE       "RFC 3547 - Section: 5.3. SA KEK payload" 
    ::= { cgmGdoiGmKekEntry 11 }

cgmGdoiGmKekMgmtAlg OBJECT-TYPE
    SYNTAX          CgmGdoiKeyManagementAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_MANAGEMENT_ALGORITHM which specifies
        the group KEK management algorithm used to provide forward
        or backward access control (i.e. used to exclude group
        members).

          KEK Management Type  Value
          -------------------  -----
           RESERVED              0
           LKH                   1
           RESERVED              2-127
           Private Use           128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM" 
    ::= { cgmGdoiGmKekEntry 12 }

cgmGdoiGmKekEncryptAlg OBJECT-TYPE
    SYNTAX          CgmGdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_ALGORITHM which specifies the
        encryption algorithm used with the KEK SA.  A GDOI
        implementation must support KEK_ALG_3DES.

        Following are the KEK encryption algorithm values defined in
        the GDOI RFC 3547, however the CgmGdoiEncryptionAlgorithm TC
        defines all possible values.

          Algorithm Type  Value
          --------------  -----
           RESERVED         0
           KEK_ALG_DES      1
           KEK_ALG_3DES     2
           KEK_ALG_AES      3
           RESERVED         4-127
           Private Use      128-255"
    REFERENCE       "RFC 3547 - Section 5.3.3. KEK_ALGORITHM" 
    ::= { cgmGdoiGmKekEntry 13 }

cgmGdoiGmKekEncryptKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LENGTH which specifies the KEK
        Algorithm key length (in bits)."
    REFERENCE       "RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH" 
    ::= { cgmGdoiGmKekEntry 14 }

cgmGdoiGmKekSigHashAlg OBJECT-TYPE
    SYNTAX          CgmGdoiPseudoRandomFunction
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_HASH_ALGORITHM which specifies the SIG
        payload hash algorithm.  This is not required (i.e. could
        have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or
        SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a
        value of zero or SIG_HASH_SHA1).

        Following are the Signature Hash Algorithm values defined in
        the GDOI RFC 3547, however the CgmGdoiPseudoRandomFunction TC
        defines all possible values.

          Algorithm Type  Value
          --------------  -----
           RESERVED         0
           SIG_HASH_MD5     1
           SIG_HASH_SHA1    2
           RESERVED         3-127
           Private Use      128-255"
    REFERENCE       "RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM" 
    ::= { cgmGdoiGmKekEntry 15 }

cgmGdoiGmKekSigAlg OBJECT-TYPE
    SYNTAX          CgmGdoiSignatureMethod
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_ALGORITHM which specifies the SIG
        payload signature algorithm.  A GDOI implementation must
        support SIG_ALG_RSA.

        Following are the Signature Algorithm values defined in
        the GDOI RFC 3547, however the CgmGdoiSignatureMethod TC
        defines all possible values.

          Algorithm Type  Value
          --------------  -----
           RESERVED         0
           SIG_ALG_RSA      1
           SIG_ALG_DSS      2
           SIG_ALG_ECDSS    3
           RESERVED         4-127
           Private Use      128-255"
    REFERENCE       "RFC 3547 - Section: 5.3.7. SIG_ALGORITHM" 
    ::= { cgmGdoiGmKekEntry 16 }

cgmGdoiGmKekSigKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_KEY_LENGTH which specifies the length
        of the SIG payload key."
    REFERENCE       "RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH" 
    ::= { cgmGdoiGmKekEntry 17 }

cgmGdoiGmKekOakleyGroup OBJECT-TYPE
    SYNTAX          CgmGdoiDiffieHellmanGroup
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KE_OAKLEY_GROUP which specifies the OAKLEY
        or Diffie-Hellman Group used to compute the PFS secret in the
        optional KE payload of the GDOI GROUPKEY-PULL exchange."
    REFERENCE       "RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP" 
    ::= { cgmGdoiGmKekEntry 18 }

cgmGdoiGmKekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LIFETIME which specifies the maximum
        time for which a KEK is valid.  The GCKS may refresh the KEK
        at any time before the end of the valid period.  The value is
        a four (4) octet (32-bit) number defining a valid time period
        in seconds."
    REFERENCE       "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" 
    ::= { cgmGdoiGmKekEntry 19 }

cgmGdoiGmKekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a KEK is valid.
        The value is a four (4) octet (32-bit) number which begins at
        the value of cgmGdoiGmKekOriginalLifetime and counts down to 0
        in seconds.  If the lifetime has already expired, this value
        should remain at zero (0) until the GCKS refreshes the KEK."
    REFERENCE       "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" 
    ::= { cgmGdoiGmKekEntry 20 }

cgmGdoiGmKekStatus OBJECT-TYPE
    SYNTAX          CgmGdoiKekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the KEK SA.  When this status value is
        queried, one of the following is returned:
        inUse(1), new(2), old(3)." 
    ::= { cgmGdoiGmKekEntry 21 }
 

-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS) TEK Selector" Table
-- #-------------------------------------------------------------- --

cgmGdoiKsTekSelectorTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiKsTekSelectorEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Traffic Encryption Key
        (TEK) Selectors (source, destination, protocol information) 
        that is currently configured/pushed for GDOI entities
        acting as Key Servers on the network device being queried.
        There is one entry in this table for each TEK that has been
        configured & pushed to Group Members registered to the given
        Key Server."
    ::= { cgmGdoiSecAssociations 3 }

cgmGdoiKsTekSelectorEntry OBJECT-TYPE
    SYNTAX          CgmGdoiKsTekSelectorEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the Source/Destination attributes
        associated with a GDOI TEK Policy, uniquely identified by the 
        Group ID, Key Server ID and TEK Selector index.  There will be
        one entry for each Source/Destination Policy sent by the given
        Key Server to its registered Group Members, each with
        a unique <SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> 5-tuple.
        However, due to the 255-octet constraint placed on an OID,
        the <SRC-ID, SRC-PORT, DST-ID, DST-PORT> 4-tuple cannot be
        used to INDEX a TEK entry for a given Group ID & Key Server
        ID.  Therefore, the TEK Selector index for a given Group ID & 
        Key Server ID MUST be unique. The TEK SPI is part of the TEK 
        Policy Table."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
          3.2. Messages
          4.   GROUPKEY-PUSH Message
          5.4. SA TEK Payload"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiKeyServerIdType,
                        cgmGdoiKeyServerIdValue,
                        cgmGdoiKsTekSelectorIndex
                    } 
    ::= { cgmGdoiKsTekSelectorTable 1 }

CgmGdoiKsTekSelectorEntry ::= SEQUENCE {
        cgmGdoiKsTekSelectorIndex    Unsigned32,
        cgmGdoiKsTekSrcIdType        CgmGdoiIdentificationType,
        cgmGdoiKsTekSrcIdLength      Unsigned32,
        cgmGdoiKsTekSrcIdValue       CgmGdoiIdentificationValue,
        cgmGdoiKsTekSrcIdPort        CgmGdoiUnsigned16,
        cgmGdoiKsTekDstIdType        CgmGdoiIdentificationType,
        cgmGdoiKsTekDstIdLength      Unsigned32,
        cgmGdoiKsTekDstIdValue       CgmGdoiIdentificationValue,
        cgmGdoiKsTekDstIdPort        CgmGdoiUnsigned16,
        cgmGdoiKsTekSecurityProtocol CgmGdoiSecurityProtocol
}

cgmGdoiKsTekSelectorIndex OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The index of the Source/Destination tuple to be secured by the
        KS TEK.  The value of the index is a number which begins at
        one and is incremented with each Source/Destination pair that
        is to be secured by the KS TEK policy for that GDOI group."
    ::= { cgmGdoiKsTekSelectorEntry 1 }

cgmGdoiKsTekSrcIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the source of a TEK Policy.  RFC 4306
        defines all valid types that can be used as an identifier.
        This identification type is sent as the 'SRC ID Type' of
        the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads" 
    ::= { cgmGdoiKsTekSelectorEntry 2 }

cgmGdoiKsTekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
        a TEK Policy.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiKsTekSrcIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'SRC ID Data Len' field sent in the TEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekSelectorEntry 3 }

cgmGdoiKsTekSrcIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
        a TEK Policy with its type indicated by the
        cgmGdoiKsTekSrcIdType.  Use the cgmGdoiKsTekSrcIdType to parse 
        the TEK Source ID correctly.  This ID value is sent as the 'SRC
        Identification Data' of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekSelectorEntry 4 }

cgmGdoiKsTekSrcIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
        a TEK Policy.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'SRC ID Port'
        field of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekSelectorEntry 5 }

cgmGdoiKsTekDstIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the dest. of a TEK Policy.  RFC 4306
        defines all valid types that can be used as an identifier.
        This identification type is sent as the 'DST ID Type' of
        the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5. Identification Payloads" 
    ::= { cgmGdoiKsTekSelectorEntry 6 }

cgmGdoiKsTekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
        a TEK Policy.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiKsTekDstIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'DST ID Data Len' field sent in the TEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekSelectorEntry 7 }

cgmGdoiKsTekDstIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
        a TEK Policy with its type indicated by the
        cgmGdoiKsTekDstIdType.  Use the cgmGdoiKsTekDstIdType to parse 
        the TEK Dest. ID correctly.  This ID value is sent as the 'DST
        Identification Data' of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekSelectorEntry 8 }

cgmGdoiKsTekDstIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
        a TEK Policy.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'DST ID Port'
        field of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekSelectorEntry 9 }

cgmGdoiKsTekSecurityProtocol OBJECT-TYPE
    SYNTAX          CgmGdoiSecurityProtocol
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Protocol-ID field of a SA TEK (SAT) payload
        which specifies the Security Protocol for a TEK.

        Following are the Security Protocol values defined in
        the GDOI RFC 3547, however the CgmGdoiSecurityProtocol TC
        defines all possible values.

          Protocol ID             Value
          ----------------------  -----
           RESERVED                 0
           GDOI_PROTO_IPSEC_ESP     1
           RESERVED                 2-127
           Private Use              128-255"
    REFERENCE       "RFC 3547 - Section: 5.4. SA TEK Payload" 
    ::= { cgmGdoiKsTekSelectorEntry 10 }
 

-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS) TEK Policy" Table
-- #-------------------------------------------------------------- --

cgmGdoiKsTekPolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiKsTekPolicyEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Traffic Encryption Key
        (TEK) Policies currently configured/pushed for GDOI entities
        acting as Key Servers on the network device being queried.
        There is one entry in this table for each TEK that has been
        configured & pushed to Group Members registered to the given
        Key Server."
    ::= { cgmGdoiSecAssociations 4 }

cgmGdoiKsTekPolicyEntry OBJECT-TYPE
    SYNTAX          CgmGdoiKsTekPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI TEK
        Policy, uniquely identified by the Group ID, Key Server ID,
        TEK Selector Index (Source/Destination IDs & Ports), and TEK 
        Policy Index (TEK SPI and direction).  There will be one or 
        more TEK entries for each TEK Policy sent by the given Key 
        Server to its registered Group Members, each with a unique 
        <SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> 5-tuple."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
          3.2. Messages
          4.   GROUPKEY-PUSH Message
          5.4. SA TEK Payload"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiKeyServerIdType,
                        cgmGdoiKeyServerIdValue,
                        cgmGdoiKsTekSelectorIndex,
                        cgmGdoiKsTekPolicyIndex
                    } 
    ::= { cgmGdoiKsTekPolicyTable 1 }

CgmGdoiKsTekPolicyEntry ::= SEQUENCE {
        cgmGdoiKsTekPolicyIndex         Unsigned32,
        cgmGdoiKsTekSPI                 CgmGdoiTekSPI,
        cgmGdoiKsTekEncapsulationMode   CgmGdoiEncapsulationMode,
        cgmGdoiKsTekEncryptionAlgorithm CgmGdoiEncryptionAlgorithm,
        cgmGdoiKsTekEncryptionKeyLength Unsigned32,
        cgmGdoiKsTekIntegrityAlgorithm  CgmGdoiIntegrityAlgorithm,
        cgmGdoiKsTekIntegrityKeyLength  Unsigned32,
        cgmGdoiKsTekWindowSize          Unsigned32,
        cgmGdoiKsTekOriginalLifetime    Unsigned32,
        cgmGdoiKsTekRemainingLifetime   Unsigned32,
        cgmGdoiKsTekStatus              CgmGdoiTekStatus
}

cgmGdoiKsTekPolicyIndex OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The index of the policy that is used to secure the KS TEK.
        The value of the index is a number which begins at 
        one and is incremented with each row in this table." 
    ::= { cgmGdoiKsTekPolicyEntry 1 }

cgmGdoiKsTekSPI OBJECT-TYPE
    SYNTAX          CgmGdoiTekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a TEK
        Policy.  The SPI must be the SPI for ESP."
    REFERENCE       "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 2 }

cgmGdoiKsTekEncapsulationMode OBJECT-TYPE
    SYNTAX          CgmGdoiEncapsulationMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Encapsulation Mode of a TEK (IPsec SA).

        Following are the Encapsulation Mode values defined in
        RFC 2407, however the CgmGdoiEncapsulationMode TC defines all
        possible values.

          Encapsulation Mode  Value
          ------------------  -----
           RESERVED             0
           Tunnel               1
           Transport            2"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 3 }

cgmGdoiKsTekEncryptionAlgorithm OBJECT-TYPE
    SYNTAX          CgmGdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Transform ID field of a PROTO_IPSEC_ESP
        payload which specifies the ESP transform to be used.  If
        no encryption is used, this value will be zero (0).

        Following are the ESP Transform values defined in RFC 2407,
        however the CgmGdoiEncryptionAlgorithm TC defines all possible
        values.

          IPsec ESP Transform ID    Value
          ------------------------  -----
           RESERVED                   0
           ESP_DES_IV64               1
           ESP_DES                    2
           ESP_3DES                   3
           ESP_RC5                    4
           ESP_IDEA                   5
           ESP_CAST                   6
           ESP_BLOWFISH               7
           ESP_3IDEA                  8
           ESP_DES_IV32               9
           ESP_RC4                    10
           ESP_NULL                   11"
    REFERENCE
        "RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 4 }

cgmGdoiKsTekEncryptionKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for encryption in a TEK
        (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 5 }

cgmGdoiKsTekIntegrityAlgorithm OBJECT-TYPE
    SYNTAX          CgmGdoiIntegrityAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Authentication Algorithm for a TEK IPsec
        ESP SA.  If no authentication is used, this value will be
        zero (0).

        Following are the Authentication Algorithm values defined in
        RFC 2407, however the CgmGdoiIntegrityAlgorithm TC defines all
        possible values.

          Algorithm Type  Value
          --------------  -----
           HMAC-MD5         1
           HMAC-SHA         2
           DES-MAC          3
           KPDK             4"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 6 }

cgmGdoiKsTekIntegrityKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for integrity/authentication in a
        TEK (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 7 }

cgmGdoiKsTekWindowSize OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The size of the Time Based Anti-Replay (TBAR) window used by
        this TEK Policy."
    REFERENCE
        "RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS
         RFC 3547 - Section: 6.3.4.   Replay/Reflection Attack
              Protection" 
    ::= { cgmGdoiKsTekPolicyEntry 8 }

cgmGdoiKsTekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SA Life Type defined in RFC 2407 which
        specifies the maximum time for which a TEK IPsec SA is valid.
        The GCKS may refresh the TEK at any time before the end of
        the valid period.  The value is a four (4) octet (32-bit)
        number defining a valid time period in seconds."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 9 }

cgmGdoiKsTekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a TEK is valid.
        The value is a four (4) octet (32-bit) number which begins at
        the value of cgmGdoiKsTekOriginalLifetime when the TEK is sent
        and counts down to zero in seconds.  If the lifetime has
        already expired, this value should remain at zero (0) until
        the Key Server refreshes the TEK."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiKsTekPolicyEntry 10 }

cgmGdoiKsTekStatus OBJECT-TYPE
    SYNTAX          CgmGdoiTekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the TEK Policy.  When this status value is
        queried, one of the following is returned:
        inbound(1), outbound(2), notInUse(3)." 
    ::= { cgmGdoiKsTekPolicyEntry 11 }
 

-- #-------------------------------------------------------------- --
-- # The GDOI "Group Member (GM) TEK Selector" Table
-- #-------------------------------------------------------------- --

cgmGdoiGmTekSelectorTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiGmTekSelectorEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Traffic Encryption Key
        (TEK) Security Associations (SAs/Policies) pushed by a 
        Key Server & installed for GDOI entities acting as Group
        Members (GMs) on the network device being queried.  There is
        one entry in this table for each unique TEK traffic selector 
        (Source/Destination tuple) that has been downloaded from the 
        Key Server and installed on the Group Member."
    ::= { cgmGdoiSecAssociations 5 }

cgmGdoiGmTekSelectorEntry OBJECT-TYPE
    SYNTAX          CgmGdoiGmTekSelectorEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI TEK
        Policy/SA, uniquely identified by the Group ID, Group Member
        ID, Source/Destination IDs & Ports, and TEK SPI.  There will
        be one or more TEK entries for each TEK Policy/SA received
        and installed by the given Group Member from its registered
        Key Server, each with a unique <SRC-ID, SRC-PORT, DST-ID, 
        DST-PORT, SPI> 5-tuple. This table does not contain the SPI
        which is part of the TEK policy table."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
          3.2. Messages
          4.   GROUPKEY-PUSH Message
          5.4. SA TEK Payload"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiGmIdType,
                        cgmGdoiGmIdValue,
                        cgmGdoiGmTekSelectorIndex
                    } 
    ::= { cgmGdoiGmTekSelectorTable 1 }

CgmGdoiGmTekSelectorEntry ::= SEQUENCE {
        cgmGdoiGmTekSelectorIndex    Unsigned32,
        cgmGdoiGmTekSrcIdType        CgmGdoiIdentificationType,
        cgmGdoiGmTekSrcIdLength      Unsigned32,
        cgmGdoiGmTekSrcIdValue       CgmGdoiIdentificationValue,
        cgmGdoiGmTekSrcIdPort        CgmGdoiUnsigned16,
        cgmGdoiGmTekDstIdType        CgmGdoiIdentificationType,
        cgmGdoiGmTekDstIdLength      Unsigned32,
        cgmGdoiGmTekDstIdValue       CgmGdoiIdentificationValue,
        cgmGdoiGmTekDstIdPort        CgmGdoiUnsigned16,
        cgmGdoiGmTekSecurityProtocol CgmGdoiSecurityProtocol
}

cgmGdoiGmTekSelectorIndex OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The index of the Source/Destination pair secured by the
        GM TEK.  The value of the index is a number which begins at
        one and is incremented with each Source/Destination pair that
        is secured by the GM TEK policy for that GDOI group."
    ::= { cgmGdoiGmTekSelectorEntry 1 }

cgmGdoiGmTekSrcIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the source of a TEK Policy/SA.  RFC 4306
        defines all valid types that can be used as an identifier.
        This identification type is sent as the 'SRC ID Type' of
        the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads" 
    ::= { cgmGdoiGmTekSelectorEntry 2 }

cgmGdoiGmTekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
        a TEK Policy/SA.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiGmTekSrcIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'SRC ID Data Len' field sent in the TEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekSelectorEntry 3 }

cgmGdoiGmTekSrcIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
        a TEK Policy/SA with its type indicated by the
        cgmGdoiGmTekSrcIdType.  Use the cgmGdoiGmTekSrcIdType to parse 
        the TEK Source ID correctly.  This ID value is sent as the 'SRC
        Identification Data' of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekSelectorEntry 4 }

cgmGdoiGmTekSrcIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
        a TEK Policy/SA.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'SRC ID Port'
        field of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekSelectorEntry 5 }

cgmGdoiGmTekDstIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
        information for the dest. of a TEK Policy/SA.  RFC 4306
        defines all valid types that can be used as an identifier.
        This identification type is sent as the 'DST ID Type' of
        the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5. Identification Payloads" 
    ::= { cgmGdoiGmTekSelectorEntry 6 }

cgmGdoiGmTekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
        a TEK Policy/SA.  If no length is given (i.e. it has a value
        of 0), the default length of its cgmGdoiGmTekDstIdType should be
        used as long as it is not represented by an ASCII string.  If
        the value has a type that is represented by an ASCII string,
        a length MUST be included.  If the length given is not 0, it
        should match the 'DST ID Data Len' field sent in the TEK
        payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekSelectorEntry 7 }

cgmGdoiGmTekDstIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
        a TEK Policy/SA with its type indicated by the
        cgmGdoiGmTekDstIdType.  Use the cgmGdoiGmTekDstIdType to parse 
        the TEK Dest. ID correctly.  This ID value is sent as the 'DST
        Identification Data' of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekSelectorEntry 8 }

cgmGdoiGmTekDstIdPort OBJECT-TYPE
    SYNTAX          CgmGdoiUnsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
        a TEK Policy/SA.  A value of zero means that the port should
        be ignored.  This port value is sent as the 'DST ID Port'
        field of a TEK payload."
    REFERENCE       "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekSelectorEntry 9 }

cgmGdoiGmTekSecurityProtocol OBJECT-TYPE
    SYNTAX          CgmGdoiSecurityProtocol
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Protocol-ID field of a SA TEK (SAT) payload
        which specifies the Security Protocol for a TEK.

        Following are the Security Protocol values defined in
        the GDOI RFC 3547, however the CgmGdoiSecurityProtocol TC
        defines all possible values.

          Protocol ID             Value
          ----------------------  -----
           RESERVED                 0
           GDOI_PROTO_IPSEC_ESP     1
           RESERVED                 2-127
           Private Use              128-255"
    REFERENCE       "RFC 3547 - Section: 5.4. SA TEK Payload" 
    ::= { cgmGdoiGmTekSelectorEntry 10 }
 

-- #-------------------------------------------------------------- --
-- # The GDOI "Group Member (GM) TEK Policy" Table
-- #-------------------------------------------------------------- --

cgmGdoiGmTekPolicyTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CgmGdoiGmTekPolicyEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Traffic Encryption Key
        (TEK) Security Associations (SAs/Policies) received from a
        Key Server & installed for GDOI entities acting as Group
        Members (GMs) on the network device being queried.  There is
        one entry in this table for each TEK SA that has been
        installed on the Group Member."
    ::= { cgmGdoiSecAssociations 6 }

cgmGdoiGmTekPolicyEntry OBJECT-TYPE
    SYNTAX          CgmGdoiGmTekPolicyEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI TEK
        Policy/SA, uniquely identified by the Group ID, Group Member
        ID, TEK Selector (Source/Destination IDs & Ports), and TEK 
        Policy index (TEK SPI and direction).  There will be one or 
        more TEK entries for each TEK Policy/SA received and installed 
        by the given Group Member from its registered Key Server, each 
        with a unique <SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> tuple. 
        This table contains the SPI information corresponding to a TEK 
        Selector index."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
          3.2. Messages
          4.   GROUPKEY-PUSH Message
          5.4. SA TEK Payload"
    INDEX           {
                        cgmGdoiGroupIdType,
                        cgmGdoiGroupIdValue,
                        cgmGdoiGmIdType,
                        cgmGdoiGmIdValue,
                        cgmGdoiGmTekSelectorIndex,
                        cgmGdoiGmTekPolicyIndex
                    } 
    ::= { cgmGdoiGmTekPolicyTable 1 }

CgmGdoiGmTekPolicyEntry ::= SEQUENCE {
        cgmGdoiGmTekPolicyIndex         Unsigned32,
        cgmGdoiGmTekSPI                 CgmGdoiTekSPI,
        cgmGdoiGmTekEncapsulationMode   CgmGdoiEncapsulationMode,
        cgmGdoiGmTekEncryptionAlgorithm CgmGdoiEncryptionAlgorithm,
        cgmGdoiGmTekEncryptionKeyLength Unsigned32,
        cgmGdoiGmTekIntegrityAlgorithm  CgmGdoiIntegrityAlgorithm,
        cgmGdoiGmTekIntegrityKeyLength  Unsigned32,
        cgmGdoiGmTekWindowSize          Unsigned32,
        cgmGdoiGmTekOriginalLifetime    Unsigned32,
        cgmGdoiGmTekRemainingLifetime   Unsigned32,
        cgmGdoiGmTekStatus              CgmGdoiTekStatus
}

cgmGdoiGmTekPolicyIndex OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The index of the SPI used to secure the GM TEK.  The value of
        the index is a number which begins at one and is incremented
        with each row of the GM TEK SPI table."
    ::= { cgmGdoiGmTekPolicyEntry 1 }

cgmGdoiGmTekSPI OBJECT-TYPE
    SYNTAX          CgmGdoiTekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a TEK
        Policy/SA.  The SPI must be the SPI for ESP."
    REFERENCE       "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 2 }

cgmGdoiGmTekEncapsulationMode OBJECT-TYPE
    SYNTAX          CgmGdoiEncapsulationMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Encapsulation Mode of a TEK (IPsec SA).

        Following are the Encapsulation Mode values defined in
        RFC 2407, however the CgmGdoiEncapsulationMode TC defines all
        possible values.

          Encapsulation Mode  Value
          ------------------  -----
           RESERVED             0
           Tunnel               1
           Transport            2"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 3 }

cgmGdoiGmTekEncryptionAlgorithm OBJECT-TYPE
    SYNTAX          CgmGdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Transform ID field of a PROTO_IPSEC_ESP
        payload which specifies the ESP transform to be used.  If
        no encryption is used, this value will be zero (0).

        Following are the ESP Transform values defined in RFC 2407,
        however the CgmGdoiEncryptionAlgorithm TC defines all possible
        values.

          IPsec ESP Transform ID    Value
          ------------------------  -----
           RESERVED                   0
           ESP_DES_IV64               1
           ESP_DES                    2
           ESP_3DES                   3
           ESP_RC5                    4
           ESP_IDEA                   5
           ESP_CAST                   6
           ESP_BLOWFISH               7
           ESP_3IDEA                  8
           ESP_DES_IV32               9
           ESP_RC4                    10
           ESP_NULL                   11"
    REFERENCE
        "RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 4 }

cgmGdoiGmTekEncryptionKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for encryption in a TEK
        (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 5 }

cgmGdoiGmTekIntegrityAlgorithm OBJECT-TYPE
    SYNTAX          CgmGdoiIntegrityAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Authentication Algorithm for a TEK IPsec
        ESP SA.  If no authentication is used, this value will be
        zero (0).

        Following are the Authentication Algorithm values defined in
        RFC 2407, however the CgmGdoiIntegrityAlgorithm TC defines all
        possible values.

          Algorithm Type  Value
          --------------  -----
           HMAC-MD5         1
           HMAC-SHA         2
           DES-MAC          3
           KPDK             4"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 6 }

cgmGdoiGmTekIntegrityKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for integrity/authentication in a
        TEK (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 7 }

cgmGdoiGmTekWindowSize OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The size of the Time Based Anti-Replay (TBAR) window used by
        this TEK Policy/SA."
    REFERENCE
        "RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS
         RFC 3547 - Section: 6.3.4.   Replay/Reflection Attack
              Protection" 
    ::= { cgmGdoiGmTekPolicyEntry 8 }

cgmGdoiGmTekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SA Life Type defined in RFC 2407 which
        specifies the maximum time for which a TEK IPsec SA is valid.
        The GCKS may refresh the TEK at any time before the end of
        the valid period.  The value is a four (4) octet (32-bit)
        number defining a valid time period in seconds."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 9 }

cgmGdoiGmTekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a TEK is valid.
        The value is a four (4) octet (32-bit) number which begins at
        the value of cgmGdoiGmTekOriginalLifetime and counts down to 0
        in seconds.  If the lifetime has already expired, this value
        should remain at zero (0) until the GCKS refreshes the TEK."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" 
    ::= { cgmGdoiGmTekPolicyEntry 10 }

cgmGdoiGmTekStatus OBJECT-TYPE
    SYNTAX          CgmGdoiTekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the TEK Policy/SA.  When this status value is
        queried, one of the following is returned:
        inbound(1), outbound(2), notInUse(3)." 
    ::= { cgmGdoiGmTekPolicyEntry 11 }
 


-- #-------------------------------------------------------------- --
-- # The GDOI Notification Control Table
-- #-------------------------------------------------------------- --

cgmGdoiKSNewRegNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Key Server when a new Group
        Member begins registration to a GDOI group." 
    ::= { cgmGdoiNotifCntl 1 }

cgmGdoiKSRegCompNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Key Server when a new Group
        Member successfully registers to a GDOI group." 
    ::= { cgmGdoiNotifCntl 2 }

cgmGdoiKSRekeyPushNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Key Server when a rekey is sent
        to a GDOI group." 
    ::= { cgmGdoiNotifCntl 3 }

cgmGdoiKSNoRSANotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Indicates whether or not an error notification should
        be generated on a Key Server when an RSA 
        key is not set up." 
    ::= { cgmGdoiNotifCntl 4 }

cgmGdoiGMRegNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Group Member when it starts
        registration to a Key Server in a GDOI group." 
    ::= { cgmGdoiNotifCntl 5 }

cgmGdoiGmRegCompNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Group Member when it 
        successfully registers to a Key Server in 
        a GDOI group." 
    ::= { cgmGdoiNotifCntl 6 }

cgmGdoiGmReRegNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Group Member when it starts
        to re-register to a Key Server in a GDOI group." 
    ::= { cgmGdoiNotifCntl 7 }

cgmGdoiGmRekeyRecNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a notification should be
        generated on a Group Member when it receives
        and processes a rekey sent by a Key Server in 
        a GDOI group." 
    ::= { cgmGdoiNotifCntl 8 }

cgmGdoiGmIncompCfgNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not an error notification should
        be generated on a Group Member when there is
        missing information for configuring a GDOI group." 
    ::= { cgmGdoiNotifCntl 9 }

cgmGdoiGmNoIpSecFlowsNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not an error notification should
        be generated on a Group Member when no more
        security associations can be installed after receiving
        a rekey from a Key Server in a GDOI group." 
    ::= { cgmGdoiNotifCntl 10 }

cgmGdoiGmRekeyFailNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not an error notification should
        be generated on a Group Member when it is unable
        to successfully process and install a rekey." 
    ::= { cgmGdoiNotifCntl 11 }

cgmGdoiKsRoleChangeNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a cgmGdoiKeyServerRoleChange
        notification should be generated on a Key Server when its role
        changes from Primary to Secondary or vice-versa."
    ::= { cgmGdoiNotifCntl 12 }

cgmGdoiKsGmDeletedNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a cgmGdoiKeyServerGmDeleted
        notification should be generated on a Key Server when a Group
        Member is deleted from the group database."
    ::= { cgmGdoiNotifCntl 13 }

cgmGdoiKsPeerReachNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a cgmGdoiKeyServerPeerReachable
        notification should be generated on a Key Server when an
        unreachable peer Key Server becomes reachable."
    ::= { cgmGdoiNotifCntl 14 }

cgmGdoiKsPeerUnreachNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates whether or not a cgmGdoiKeyServerPeerUnreachable
        notification should be generated on a Key Server when a
        reachable peer Key Server becomes unreachable."
    ::= { cgmGdoiNotifCntl 15 }

cgmGdoiNotifGroupIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. This variable captures
        the identification type of the GDOI group." 
    ::= { cgmGdoiNotifVars 1 }

cgmGdoiNotifGroupIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The value of a Group ID
        with its type indicated by the cgmGdoiNotifGroupIdType. Use the
        cgmGdoiNotifGroupIdType to parse the value of this field
        correctly." 
    ::= { cgmGdoiNotifVars 2 }

cgmGdoiNotifGroupName OBJECT-TYPE
    SYNTAX          DisplayString
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The string-readable name
        configured for or given to a GDOI Group." 
    ::= { cgmGdoiNotifVars 3 }

cgmGdoiNotifKeyServerIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The Identification Type
        Value used to parse the identity information of a Key Server." 
    ::= { cgmGdoiNotifVars 4 }

cgmGdoiNotifKeyServerIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The value of the identity
        information for a Key Server with its type indicated by the
        cgmGdoiNotifKeyServerIdType. Use the cgmGdoiNotifKeyServerIdType
        to parse the Key Server ID correctly." 
    ::= { cgmGdoiNotifVars 5 }

cgmGdoiNotifKeyServerRole OBJECT-TYPE
    SYNTAX          CgmGdoiKsRole
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The current role of the
        Key Server for the Group." 
    ::= { cgmGdoiNotifVars 6 }

cgmGdoiNotifGmIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The Identification Type
        Value used to parse the identity information for an Initiator or
        Group Member."
    ::= { cgmGdoiNotifVars 7 }

cgmGdoiNotifGmIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The value of the identity
        information for a Group Member with its type indicated by the
        cgmGdoiNotifGmIdType. Use the cgmGdoiNotifGmIdType to parse the
        Group Member ID's value correctly." 
    ::= { cgmGdoiNotifVars 8 }

cgmGdoiNotifPeerKsIdType OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The Identification Type
        Value used to parse the identity information of a Key Server." 
    ::= { cgmGdoiNotifVars 9 }

cgmGdoiNotifPeerKsIdValue OBJECT-TYPE
    SYNTAX          CgmGdoiIdentificationValue
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "Variable used only for notifications. The value of the identity
        information for a Peer Key Server with its type indicated by the
        cgmGdoiNotifPeerKsIdType. Use the cgmGdoiNotifPeerKsIdType to
        parse the Peer Key Server ID correctly." 
    ::= { cgmGdoiNotifVars 10 }

-- ------------------------------------------------------------------ --
-- GDOI MIB Conformance & Compliance Information
-- ------------------------------------------------------------------ --
--   
-- *---------------------------------------------------------------- --
-- * GDOI MIB Conformance Information
-- *---------------------------------------------------------------- --

cgmGdoiMIBGroups  OBJECT IDENTIFIER
    ::= { cgmGdoiMIBConformance 1 }

cgmGdoiMIBCompliances  OBJECT IDENTIFIER
    ::= { cgmGdoiMIBConformance 2 }


-- #-------------------------------------------------------------- --
-- # GDOI MIB Units/Groups of Conformance
-- #-------------------------------------------------------------- --

cgmGdoiGroupIdGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiGroupIdLength,
                        cgmGdoiGroupName
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI Group Table

        cgmGdoiGroupIdGroupRev1 is an extension to this group."
    ::= { cgmGdoiMIBGroups 1 }

cgmGdoiKeyServerGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiKeyServerIdLength,
                        cgmGdoiKeyServerActiveKEK,
                        cgmGdoiKeyServerRekeysPushed
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI Key Server Table

        cgmGdoiKeyServerGroupRev1 is an extension to this group."
    ::= { cgmGdoiMIBGroups 2 }

cgmGdoiGmGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiGmIdLength,
                        cgmGdoiGmRegKeyServerIdType,
                        cgmGdoiGmRegKeyServerIdLength,
                        cgmGdoiGmRegKeyServerIdValue,
                        cgmGdoiGmActiveKEK,
                        cgmGdoiGmRekeysReceived
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI GM Table

        cgmGdoiGmGroupRev1 is an extension to this group."
    ::= { cgmGdoiMIBGroups 3 }

cgmGdoiKsSecurityAssociationsGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiKsKekSPI,
                        cgmGdoiKsKekSrcIdType,
                        cgmGdoiKsKekSrcIdLength,
                        cgmGdoiKsKekSrcIdValue,
                        cgmGdoiKsKekSrcIdPort,
                        cgmGdoiKsKekDstIdType,
                        cgmGdoiKsKekDstIdLength,
                        cgmGdoiKsKekDstIdValue,
                        cgmGdoiKsKekDstIdPort,
                        cgmGdoiKsKekIpProtocol,
                        cgmGdoiKsKekMgmtAlg,
                        cgmGdoiKsKekEncryptAlg,
                        cgmGdoiKsKekEncryptKeyLength,
                        cgmGdoiKsKekSigHashAlg,
                        cgmGdoiKsKekSigAlg,
                        cgmGdoiKsKekSigKeyLength,
                        cgmGdoiKsKekOakleyGroup,
                        cgmGdoiKsKekOriginalLifetime,
                        cgmGdoiKsKekRemainingLifetime,
                        cgmGdoiKsKekStatus,
                        cgmGdoiKsTekSrcIdType,
                        cgmGdoiKsTekSrcIdLength,
                        cgmGdoiKsTekSrcIdValue,
                        cgmGdoiKsTekSrcIdPort,
                        cgmGdoiKsTekDstIdType,
                        cgmGdoiKsTekDstIdLength,
                        cgmGdoiKsTekDstIdValue,
                        cgmGdoiKsTekDstIdPort,
                        cgmGdoiKsTekSecurityProtocol,
                        cgmGdoiKsTekSPI,
                        cgmGdoiKsTekEncapsulationMode,
                        cgmGdoiKsTekEncryptionAlgorithm,
                        cgmGdoiKsTekEncryptionKeyLength,
                        cgmGdoiKsTekIntegrityAlgorithm,
                        cgmGdoiKsTekIntegrityKeyLength,
                        cgmGdoiKsTekWindowSize,
                        cgmGdoiKsTekOriginalLifetime,
                        cgmGdoiKsTekRemainingLifetime,
                        cgmGdoiKsTekStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI Key Server KEK Policy/SA Table
        2) GDOI Key Server TEK Policy Table"
    ::= { cgmGdoiMIBGroups 4 }

cgmGdoiGmSecurityAssociationsGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiGmKekSPI,
                        cgmGdoiGmKekSrcIdType,
                        cgmGdoiGmKekSrcIdLength,
                        cgmGdoiGmKekSrcIdValue,
                        cgmGdoiGmKekSrcIdPort,
                        cgmGdoiGmKekDstIdType,
                        cgmGdoiGmKekDstIdLength,
                        cgmGdoiGmKekDstIdValue,
                        cgmGdoiGmKekDstIdPort,
                        cgmGdoiGmKekIpProtocol,
                        cgmGdoiGmKekMgmtAlg,
                        cgmGdoiGmKekEncryptAlg,
                        cgmGdoiGmKekEncryptKeyLength,
                        cgmGdoiGmKekSigHashAlg,
                        cgmGdoiGmKekSigAlg,
                        cgmGdoiGmKekSigKeyLength,
                        cgmGdoiGmKekOakleyGroup,
                        cgmGdoiGmKekOriginalLifetime,
                        cgmGdoiGmKekRemainingLifetime,
                        cgmGdoiGmKekStatus,
                        cgmGdoiGmTekSrcIdType,
                        cgmGdoiGmTekSrcIdLength,
                        cgmGdoiGmTekSrcIdValue,
                        cgmGdoiGmTekSrcIdPort,
                        cgmGdoiGmTekDstIdType,
                        cgmGdoiGmTekDstIdLength,
                        cgmGdoiGmTekDstIdValue,
                        cgmGdoiGmTekDstIdPort,
                        cgmGdoiGmTekSecurityProtocol,
                        cgmGdoiGmTekSPI,
                        cgmGdoiGmTekEncapsulationMode,
                        cgmGdoiGmTekEncryptionAlgorithm,
                        cgmGdoiGmTekEncryptionKeyLength,
                        cgmGdoiGmTekIntegrityAlgorithm,
                        cgmGdoiGmTekIntegrityKeyLength,
                        cgmGdoiGmTekWindowSize,
                        cgmGdoiGmTekOriginalLifetime,
                        cgmGdoiGmTekRemainingLifetime,
                        cgmGdoiGmTekStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI Group Member KEK Policy/SA Table
        2) GDOI Group Member TEK Policy/SA Table"
    ::= { cgmGdoiMIBGroups 5 }

cgmGdoiKeyServerNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        cgmGdoiKeyServerNewRegistration,
                        cgmGdoiKeyServerRegistrationComplete,
                        cgmGdoiKeyServerRekeyPushed
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Key Server (GCKS) notifications
        for the GDOI MIB.

        cgmGdoiKeyServerNotificationGroupRev1 is an extension to this
        group."
    ::= { cgmGdoiMIBGroups 6 }

cgmGdoiKeyServerErrorNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   { cgmGdoiKeyServerNoRsaKeys }
    STATUS          current
    DESCRIPTION
        "This group contains the Key Server (GCKS) error notifications
        for the GDOI MIB."
    ::= { cgmGdoiMIBGroups 7 }

cgmGdoiGmNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        cgmGdoiGmRegister,
                        cgmGdoiGmRegistrationComplete,
                        cgmGdoiGmReRegister,
                        cgmGdoiGmRekeyReceived
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Group Member (GM) notifications
        for the GDOI MIB."
    ::= { cgmGdoiMIBGroups 8 }

cgmGdoiGmErrorNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        cgmGdoiGmIncompleteCfg,
                        cgmGdoiGmNoIpSecFlows,
                        cgmGdoiGmRekeyFailure
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Group Member (GM) error notifications
        for the GDOI MIB."
    ::= { cgmGdoiMIBGroups 9 }

cgmGdoiNotificationControlGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiKSNewRegNotifEnable,
                        cgmGdoiKSRegCompNotifEnable,
                        cgmGdoiKSRekeyPushNotifEnable,
                        cgmGdoiKSNoRSANotifEnable,
                        cgmGdoiGMRegNotifEnable,
                        cgmGdoiGmRegCompNotifEnable,
                        cgmGdoiGmReRegNotifEnable,
                        cgmGdoiGmRekeyRecNotifEnable,
                        cgmGdoiGmIncompCfgNotifEnable,
                        cgmGdoiGmNoIpSecFlowsNotifEnable,
                        cgmGdoiGmRekeyFailNotifEnable
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the GDOI notification control objects
        for the GDOI MIB.

        cgmGdoiNotificationControlGroupRev1 is an extension to this
        group."
    ::= { cgmGdoiMIBGroups 10 }

cgmGdoiGroupIdGroupRev1 OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiGroupMemberCount,
                        cgmGdoiGroupActivePeerKeyServerCount,
                        cgmGdoiGroupLastRekeyRetransmits,
                        cgmGdoiGroupLastRekeyTimeTaken
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI Group Table

        This group is an extension to cgmGdoiGroupIdGroup."
    ::= { cgmGdoiMIBGroups 11 }

cgmGdoiKeyServerGroupRev1 OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiKeyServerRole,
                        cgmGdoiKeyServerRegisteredGMs
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI Key Server Table

        This group is an extension to cgmGdoiKeyServerGroup."
    ::= { cgmGdoiMIBGroups 12 }

cgmGdoiGmGroupRev1 OBJECT-GROUP
    OBJECTS         { cgmGdoiGmActiveTEKNum }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) GDOI GM Table

        This group is an extension to cgmGdoiGmGroup."
    ::= { cgmGdoiMIBGroups 13 }

cgmGdoiKeyServerNotificationGroupRev1 NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        cgmGdoiKeyServerRoleChange,
                        cgmGdoiKeyServerGmDeleted,
                        cgmGdoiKeyServerPeerReachable,
                        cgmGdoiKeyServerPeerUnreachable
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Key Server (GCKS) notifications for the
        GDOI MIB.

        This group is an extension to
        cgmGdoiKeyServerNotificationGroup."
    ::= { cgmGdoiMIBGroups 14 }

cgmGdoiNotificationControlGroupRev1 OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiKsRoleChangeNotifEnable,
                        cgmGdoiKsGmDeletedNotifEnable,
                        cgmGdoiKsPeerReachNotifEnable,
                        cgmGdoiKsPeerUnreachNotifEnable
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the GDOI notification control objects
        for the GDOI MIB.

        This group is an extension to cgmGdoiNotificationControlGroup."
    ::= { cgmGdoiMIBGroups 15 }

cgmGdoiCoopPeerGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiCoopPeerIdLength,
                        cgmGdoiCoopPeerRole,
                        cgmGdoiCoopPeerStatus,
                        cgmGdoiCoopPeerRegisteredGMs
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
        1) COOP Peer Key Server Table"
    ::= { cgmGdoiMIBGroups 16 }

cgmGdoiNotificationVariablesGroup OBJECT-GROUP
    OBJECTS         {
                        cgmGdoiNotifGroupIdType,
                        cgmGdoiNotifGroupIdValue,
                        cgmGdoiNotifGroupName,
                        cgmGdoiNotifKeyServerIdType,
                        cgmGdoiNotifKeyServerIdValue,
                        cgmGdoiNotifKeyServerRole,
                        cgmGdoiNotifGmIdType,
                        cgmGdoiNotifGmIdValue,
                        cgmGdoiNotifPeerKsIdType,
                        cgmGdoiNotifPeerKsIdValue
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the GDOI notification variables for the
        GDOI MIB."
    ::= { cgmGdoiMIBGroups 17 }

-- #-------------------------------------------------------------- --
-- # GDOI MIB Compliance Statements
-- #-------------------------------------------------------------- --

cgmGdoiMIBCompliance MODULE-COMPLIANCE
    STATUS          deprecated
    DESCRIPTION
        "At minimum, only GDOI Group Member functionality is required so
        only objects associated with and needed by Group Members are
        mandatory to implement.  If Key Server functionality is also
        implemented, all other objects will need to be implemented as
        well.

        This group is deprecated and is superseded by
        cgmGdoiMIBCompliance1."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        cgmGdoiGroupIdGroup,
                        cgmGdoiGmSecurityAssociationsGroup,
                        cgmGdoiGmGroup
                    }

    GROUP           cgmGdoiKeyServerGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports being the Group Controller Key Server (GCKS)."

    GROUP           cgmGdoiKsSecurityAssociationsGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports being the Group Controller Key Server (GCKS)."

    GROUP           cgmGdoiKeyServerNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications & being the GCKS."

    GROUP           cgmGdoiKeyServerErrorNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications & being the GCKS."

    GROUP           cgmGdoiGmNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications."

    GROUP           cgmGdoiGmErrorNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications."

    GROUP           cgmGdoiNotificationControlGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications."
    ::= { cgmGdoiMIBCompliances 1 }

cgmGdoiMIBComplianceRev1 MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "At minimum, only GDOI Group Member functionality is required so
        only objects associated with and needed by Group Members are
        mandatory to implement. If Key Server functionality is also
        implemented, all other objects will need to be implemented as
        well.

        Updated the conformance group with new MIB Groups and objects
        with min-access as read-only."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        cgmGdoiGroupIdGroup,
                        cgmGdoiGroupIdGroupRev1,
                        cgmGdoiGmSecurityAssociationsGroup,
                        cgmGdoiGmGroup,
                        cgmGdoiGmGroupRev1
                    }

    GROUP           cgmGdoiKeyServerGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports being the Group Controller Key Server (GCKS)."

    GROUP           cgmGdoiKeyServerGroupRev1
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports being the Group Controller Key Server (GCKS).
        This group is an extension of cgmGdoiKeyServerGroup."

    GROUP           cgmGdoiKsSecurityAssociationsGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports being the Group Controller Key Server (GCKS)."

    GROUP           cgmGdoiKeyServerNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device that
        supports the sending of notifications & being the GCKS."

    GROUP           cgmGdoiKeyServerNotificationGroupRev1
    DESCRIPTION
        "Implementation of this group is for any network device that
        supports the sending of notifications & being the GCKS. This
        group is an extension of cgmGdoiKeyServerNotificationGroup."

    GROUP           cgmGdoiKeyServerErrorNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications & being the GCKS."

    GROUP           cgmGdoiGmNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications."

    GROUP           cgmGdoiGmErrorNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications."

    GROUP           cgmGdoiNotificationControlGroup
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications."

    GROUP           cgmGdoiNotificationControlGroupRev1
    DESCRIPTION
        "Implementation of this group is for any network device
        that supports the sending of notifications. This group is an
        extension to cgmGdoiNotificationControlGroup."

    GROUP           cgmGdoiCoopPeerGroup
    DESCRIPTION
        "Implementation of this group is for any network device that
        supports the COOP."

    GROUP           cgmGdoiNotificationVariablesGroup
    DESCRIPTION
        "Implementation of this group is for any network device that
        supports the sending of notifications, packed with the
        variables defined as a part of the said table."

    OBJECT          cgmGdoiKSNewRegNotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cgmGdoiKSRegCompNotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cgmGdoiKSRekeyPushNotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cgmGdoiKSNoRSANotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."
    ::= { cgmGdoiMIBCompliances 2 }

END

   

8. Security Considerations

There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations.

Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. Because the GDOI MIB deals with a security protocol and is not a general MIB, all information reported by any of the GDOI MIB queries should be considered sensitive. However, the most sensitive information dealing directly with security associations and algorithms are:

SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
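
A defensive check for the recommendations above, as an added example that is not part of the draft: the script audits a net-snmp style snmpd.conf for access paths that reach the GDOI subtree without SNMPv3 authentication and privacy, and for community-based notification targets. The OID 1.3.6.1.2.1.759 follows from the mib-2 assignment stated in the IANA Considerations; the sample configuration, its user, community and view names are constructed, and view masks are ignored.

```python
import shlex

# mib-2 is 1.3.6.1.2.1; the draft's IANA section places CISCO-GDOI-MIB at mib-2.759.
GDOI_ROOT = (1, 3, 6, 1, 2, 1, 759)

def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1); None for symbolic names."""
    parts = text.strip(".").split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def overlaps(subtree):
    """True if `subtree` contains GDOI_ROOT or lies beneath it."""
    n = min(len(subtree), len(GDOI_ROOT))
    return subtree[:n] == GDOI_ROOT[:n]

def view_exposes(entries):
    """entries: [(included, oid)]. The longest subtree covering the root decides,
    and any included subtree beneath the root exposes part of it."""
    covering = [(len(o), inc) for inc, o in entries if GDOI_ROOT[:len(o)] == o]
    beneath = any(inc and len(o) > len(GDOI_ROOT) and overlaps(o) for inc, o in entries)
    return beneath or (bool(covering) and max(covering)[1])

def scope_exposes(args, views):
    """args is the access scope of a directive: [], [OID] or ['-V', VIEW]."""
    if not args:
        return True                          # unrestricted: whole tree
    if args[0] == "-V":
        return len(args) > 1 and view_exposes(views.get(args[1], []))
    oid = parse_oid(args[0])
    return oid is None or overlaps(oid)      # unresolvable symbolic name: report it

def audit(conf_text):
    """Return [(line_no, directive, reason)] for weak paths to GDOI data."""
    rows = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)
        if tok:
            rows.append((n, tok[0].lower(), tok[1:]))
    views = {}
    for _, d, a in rows:                     # first pass: collect view definitions
        if d == "view" and len(a) >= 3 and a[1] in ("included", "excluded"):
            oid = parse_oid(a[2])
            if oid is not None:
                views.setdefault(a[0], []).append((a[1] == "included", oid))
    findings = []
    for n, d, a in rows:                     # second pass: evaluate access directives
        if d in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # COMMUNITY [SOURCE [OID | -V VIEW]]: SNMPv1/v2c, no crypto at all
            if scope_exposes(a[2:], views):
                findings.append((n, d, "community access reaches GDOI subtree"))
        elif d in ("rouser", "rwuser"):
            # USER [noauth|auth|priv [OID | -V VIEW]]; level defaults to auth
            if a[:1] == ["-s"]:
                a = a[2:]
            level = a[1] if len(a) > 1 else "auth"
            if level != "priv" and scope_exposes(a[2:], views):
                findings.append((n, d, "SNMPv3 user below priv reaches GDOI subtree"))
        elif d in ("trapsink", "trap2sink", "informsink"):
            # community-based targets send GDOI notification varbinds unencrypted
            findings.append((n, d, "community-based notification target"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
# constructed sample
view gdoiOnly included .1.3.6.1.2.1.759
view sysOnly  included .1.3.6.1.2.1.1
view noGdoi   included .1.3.6.1.2.1
view noGdoi   excluded .1.3.6.1.2.1.759
rocommunity public
rocommunity monitor 10.0.0.0/8 -V sysOnly
rocommunity legacy default -V noGdoi
rouser nocUser auth -V gdoiOnly
rouser secOps priv -V gdoiOnly
trap2sink 192.0.2.10 public
trapsess -v 3 -u secOps -l authPriv 192.0.2.10
"""

if __name__ == "__main__":
    for line_no, directive, reason in audit(SAMPLE):
        print(f"line {line_no}: {directive}: {reason}")
```
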

9. IANA Considerations

IANA has assigned OID "759" under mib-2 for CISCO-GDOI-MIB.

10. Contributors

The following individuals made substantial contributions to the first version of this memo.

   Kavitha Kamarthy
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-525-1209
   Email: kavithac@cisco.com
       
   Mike Hamada
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-525-7473
   Email: michamad@cisco.com
       
   Preethi Sundaradevan
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-424-4713
   Email: prsundar@cisco.com
       
   Sheela Rowles
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-527-7677
   Email: sheela@cisco.com
       
   Tanya Roosta
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-510-220-0047
   Email: roosta@cisco.com
       

11. References

11.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC2578] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/RFC2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999.
[RFC2271] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, DOI 10.17487/RFC2271, January 1998.
[RFC1155] Rose, M. and K. McCloghrie, "Structure and identification of management information for TCP/IP-based internets", STD 16, RFC 1155, DOI 10.17487/RFC1155, May 1990.
[RFC1212] Rose, M. and K. McCloghrie, "Concise MIB definitions", STD 16, RFC 1212, DOI 10.17487/RFC1212, March 1991.
[RFC3547] Baugher, M., Weis, B., Hardjono, T. and H. Harney, "The Group Domain of Interpretation", RFC 3547, DOI 10.17487/RFC3547, July 2003.
[RFC1902] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, DOI 10.17487/RFC1902, January 1996.
[RFC1903] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, DOI 10.17487/RFC1903, January 1996.
[RFC1904] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, DOI 10.17487/RFC1904, January 1996.
[RFC1157] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network Management Protocol (SNMP)", RFC 1157, DOI 10.17487/RFC1157, May 1990.
[RFC2272] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, DOI 10.17487/RFC2272, January 1998.
[RFC2275] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, DOI 10.17487/RFC2275, January 1998.
[RFC2273] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC 2273, DOI 10.17487/RFC2273, January 1998.
[RFC2274] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, DOI 10.17487/RFC2274, January 1998.
[RFC1901] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, DOI 10.17487/RFC1901, January 1996.
[RFC1906] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, DOI 10.17487/RFC1906, January 1996.
[RFC1905] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, DOI 10.17487/RFC1905, January 1996.

11.2. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, DOI 10.17487/RFC3410, December 2002.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, DOI 10.17487/RFC2629, June 1999.
[RFC4181] Heard, C., "Guidelines for Authors and Reviewers of MIB Documents", BCP 111, RFC 4181, DOI 10.17487/RFC4181, September 2005.

Authors' Addresses

   Yogesh Kumar Sharma (editor)
   Cisco Systems
   Cessna Business Park, Kadubeesanahalli
   Varthur Hobli Sarjapur Marathalli ORR
   Bengaluru, KA  560 103
   India

   Phone: +91-80-4429-2076
   EMail: yosharma@cisco.com

   Rohini Kamath
   Cisco Systems
   Cessna Business Park, Kadubeesanahalli
   Varthur Hobli Sarjapur Marathalli ORR
   Bengaluru, KA  560 103
   India

   Phone: +91-80-4426-7058
   EMail: rohkamat@cisco.com

   Amjad Inamdar
   Cisco Systems
   Cessna Business Park, Kadubeesanahalli
   Varthur Hobli Sarjapur Marathalli ORR
   Bengaluru, KA  560 103
   India

   Phone: +91-80-4426-4834
   EMail: amjads@cisco.com