One document matched: draft-ietf-ipsp-ikeaction-mib-02.txt
Differences from draft-ietf-ipsp-ikeaction-mib-01.txt
IPSP M. Baer
Internet-Draft Sparta, Inc.
Intended status: Informational R. Charlet
Expires: April 22, 2007 Self
W. Hardaker
Sparta, Inc.
R. Story
Revelstone Software
C. Wang
ARO/North Carolina State
University
October 19, 2006
IPsec Security Policy IKE Action MIB
draft-ietf-ipsp-ikeaction-mib-02.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 22, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Baer, et al. Expires April 22, 2007 [Page 1]
Internet-Draft IPsec IKE Action MIB October 2006
Abstract
This document defines a SMIv2 Management Information Base (MIB)
module for configuring Internet Key Exchange (IKE) actions for the
security policy database (SPD) of a device that uses the IPsec
Security Policy Database Configuration MIB for configuring the IKE
protocol actions on that device. The IPsec IKE Action MIB integrates
directly with the IPsec Security Policy Database Configuration MIB
and it is meant to work within the framework of an action referenced
by that MIB.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The Internet-Standard Management Framework . . . . . . . . . . 3
4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
6. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 4
7. Security Considerations . . . . . . . . . . . . . . . . . . . 61
7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 61
7.2. Protecting against unauthenticated access . . . . . . . . 63
7.3. Protecting against involuntary disclosure . . . . . . . . 63
7.4. Bootstrapping your configuration . . . . . . . . . . . . . 63
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 64
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 64
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
10.1. Normative References . . . . . . . . . . . . . . . . . . . 64
10.2. Informative References . . . . . . . . . . . . . . . . . . 65
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 65
Intellectual Property and Copyright Statements . . . . . . . . . . 67
Baer, et al. Expires April 22, 2007 [Page 2]
Internet-Draft IPsec IKE Action MIB October 2006
1. Introduction
This document defines a MIB module for configuration of an Internet
Key Exchange (IKE) [RFC2409] action within the IPsec security policy
database (SPD). This module works within the framework of the IPsec
Security Policy Database Configuration MIB (IPSEC-SPD-MIB) [RFCZZZZ].
It can be referenced as an action by the IPSEC-SPD-MIB and is used to
configure IKE negotiations between network devices.
Companion document [RFCZZZZ], documents the IPsec Security Policy
Database Configuration MIB. Companion document [RFCYYYY], documents
the IPsec Security Policy IPsec Action MIB for configuration of
static IPsec SAs.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410]
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
4. Relationship to the DMTF Policy Model
The Distributed Management Task Force (DMTF) has created an object
oriented model of IPsec policy information known as the IPsec Policy
Model White Paper [IPPMWP]. The contents of this document are also
reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
This MIB module is a task specific derivation (i.e. an SMIv2
instantiation) of the IKE actions portions of the IPCP's IPsec
configuration model for use with SNMPv3. This includes the necessary
filter, negotiation, identity and IKE action information required to
Baer, et al. Expires April 22, 2007 [Page 3]
Internet-Draft IPsec IKE Action MIB October 2006
enable IKE negotiation within the IPsec Policy framework.
5. MIB Module Overview
The MIB module describes the necessary information to implement IKE
actions and their associated negotiations referred to by the IPsec
Security Policy Database Configuration MIB. A basic understanding of
IKE, of IPsec processing, of the IPsec Configuration Policy Model and
of how actions fit into the overall framework of the IPSEC-SPD-MIB
are required to use this MIB properly. When referring to an action
in this MIB from the IPSEC-SPD-MIB, the filters within the IPSEC-SPD-
MIB that are associated to the action are limited to those that are
supported by IKE [RFC2409] and this MIB.
6. MIB definition
The following MIB Module imports from: [RFC2578], [RFC2579],
[RFC2580], [RFC3411], [RFC4001].
IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
FROM SNMPv2-SMI
-- [rfc2578]
TEXTUAL-CONVENTION, RowStatus, TruthValue,
TimeStamp, StorageType, VariablePointer
FROM SNMPv2-TC
-- [rfc2579]
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
-- [rfc2580]
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
-- [rfc3411]
InetAddressType, InetAddress, InetPortNumber
FROM INET-ADDRESS-MIB
-- [rfc4001]
spdActions, SpdIPPacketLogging, spdEndGroupInterface
Baer, et al. Expires April 22, 2007 [Page 4]
Internet-Draft IPsec IKE Action MIB October 2006
FROM IPSEC-SPD-MIB
-- [rfcZZZZ]
IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
ipsaSharedGroup
FROM IPSEC-IPSECACTION-MIB
-- [rfcXXXX]
;
--
-- module identity
--
ipiaMIB MODULE-IDENTITY
LAST-UPDATED "20060905'" -- 05 September 2006
ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer
P.O. Box 72682
Davis, CA 95617
Phone: +1 530 902 3131
Email: baerm@tislabs.com
Ricky Charlet
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
Phone: +1 770 617 3722
Email: rstory@sparta.com
Cliff Wang
ARO/North Carolina State University
4300 S. Miami Blvd.
RTP, NC 27709
E-Mail: cliffwangmail@yahoo.com"
DESCRIPTION
"The MIB module for defining IKE actions for managing IPsec
Security Policy.
Baer, et al. Expires April 22, 2007 [Page 5]
Internet-Draft IPsec IKE Action MIB October 2006
Copyright (C) The Internet Society (2006). This version of
this MIB module is part of RFC YYYY, see the RFC itself for
full legal notices."
-- Revision History
REVISION "20060905'" -- 05 September 2006
DESCRIPTION "Initial version, published as RFC YYYY."
-- RFC-editor assigns YYYY
::= { spdActions 2 }
--
-- groups of related objects
--
ipiaConfigObjects OBJECT IDENTIFIER
::= { ipiaMIB 1 }
ipiaNotificationObjects OBJECT IDENTIFIER
::= { ipiaMIB 2 }
ipiaConformanceObjects OBJECT IDENTIFIER
::= { ipiaMIB 3 }
--
-- Textual Conventions
--
IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for encryption algorithms negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attrbute type Encryption
Algorithm (1).
Unused values <= 65000 are reserved to IANA.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in IKE
desCbc(1), -- RFC 2405
ideaCbc(2),
blowfishCbc(3),
rc5R16B64Cbc(4), -- RC5 R16 B64 CBC
tripleDesCbc(5), -- 3DES CBC
castCbc(6),
aesCbc(7)
Baer, et al. Expires April 22, 2007 [Page 6]
Internet-Draft IPsec IKE Action MIB October 2006
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IkeAuthMethod ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for authentication methods negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attrbute type Authentication
Method (3).
Unused values <= 65000 are reserved to IANA.
reserved(0), -- reserved in IKE
preSharedKey(1),
dssSignatures(2),
rsaSignatures(3),
encryptionWithRsa(4),
revisedEncryptionWithRsa(5),
reservedDontUse6(6), -- not to be used
reservedDontUse7(7), -- not to be used
ecdsaSignatures(8)
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IkeHashAlgorithm ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for hash algorithms negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attrbute type Hash Algorithm (2).
Unused values <= 65000 are reserved to IANA.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in IKE
md5(1), -- RFC 1321
sha(2), -- FIPS 180-1
tiger(3),
sha256(4),
Baer, et al. Expires April 22, 2007 [Page 7]
Internet-Draft IPsec IKE Action MIB October 2006
sha384(5),
sha512(6)
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IkeGroupDescription ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for Oakley key computation groups for
Diffie-Hellman exchange negotiated for the ISAKMP
SA by IKE in Phase I. They are also used in Phase II
when perfect forward secrecy is in use. These are
values for SA Attrbute type Group Description (4).
Unused values <= 32767 are reserved to IANA.
Currently assigned values at the time of this
writing:
none(0), -- reserved in IKE, used
-- in MIBs to reflect that
-- none of the predefined
-- groups are used
modp768(1), -- default 768-bit MODP group
modp1024(2), -- alternate 1024-bit MODP
-- group
ec2nGF155(3), -- EC2N group on Galois
-- Field GF[2^155]
ec2nGF185(4), -- EC2N group on Galois
-- Field GF[2^185]
ec2nGF163Random(6), -- EC2N group on Galois
-- Field GF[2^163],
-- random seed
ec2nGF163Koblitz(7),
-- EC2N group on Galois
-- Field GF[2^163],
-- Koblitz curve
ec2nGF283Random(8), -- EC2N group on Galois
-- Field GF[2^283],
-- random seed
ec2nGF283Koblitz(9),
-- EC2N group on Galois
-- Field GF[2^283],
-- Koblitz curve
ec2nGF409Random(10),
Baer, et al. Expires April 22, 2007 [Page 8]
Internet-Draft IPsec IKE Action MIB October 2006
-- EC2N group on Galois
-- Field GF[2^409],
-- random seed
ec2nGF409Koblitz(11),
-- EC2N group on Galois
-- Field GF[2^409],
-- Koblitz curve
ec2nGF571Random(12),
-- EC2N group on Galois
-- Field GF[2^571],
-- random seed
ec2nGF571Koblitz(13)
-- EC2N group on Galois
-- Field GF[2^571],
-- Koblitz curve
Values 32768-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "These are the IPsec DOI values for the Protocol-Id
field in an ISAKMP Proposal Payload, and in all
Notification Payloads.
They are also used as the Protocol-ID In the
Notification Payload and the Delete Payload.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
protoIsakmp(1), -- message protection
-- required during Phase I
-- of the IKE protocol
protoIpsecAh(2), -- IP packet authentication
-- via Authentication Header
protoIpsecEsp(3), -- IP packet confidentiality
-- via Encapsulating
-- Security Payload
protoIpcomp(4) -- IP payload compression
The values 249-255 are reserved for private use
amongst cooperating systems."
Baer, et al. Expires April 22, 2007 [Page 9]
Internet-Draft IPsec IKE Action MIB October 2006
REFERENCE "RFC 2407 section 4.4.1"
SYNTAX Unsigned32 (0..255)
--
-- Policy group definitions
--
ipiaLocalConfigObjects OBJECT IDENTIFIER
::= { ipiaConfigObjects 1 }
--
-- Static Filters
--
ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }
ipiaIkePhase1Filter OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This static filter can be used to test if a packet is
part of an IKE phase-1 negotiation."
::= { ipiaStaticFilters 1 }
ipiaIkePhase2Filter OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This static filter can be used to test if a packet is
part of an IKE phase-2 negotiation."
::= { ipiaStaticFilters 2 }
--
-- credential filter table
--
ipiaCredentialFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaCredentialFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is used to provide credentials for IKE
identities.
Baer, et al. Expires April 22, 2007 [Page 10]
Internet-Draft IPsec IKE Action MIB October 2006
It can be used to for filters which are matched to
credentials of IKE peers, where the credentials in question
have been obtained from an IKE phase 1 exchange. They MAY
be X.509 certificates, Kerberos tickets, etc...
It can also be used to provide credentials for local IKE
identities."
::= { ipiaConfigObjects 3 }
ipiaCredentialFilterEntry OBJECT-TYPE
SYNTAX IpiaCredentialFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row defining a particular credential filter"
INDEX { ipiaCredFiltName }
::= { ipiaCredentialFilterTable 1 }
IpiaCredentialFilterEntry ::= SEQUENCE {
ipiaCredFiltName SnmpAdminString,
ipiaCredFiltCredentialType IpsaCredentialType,
ipiaCredFiltMatchFieldName OCTET STRING,
ipiaCredFiltMatchFieldValue OCTET STRING,
ipiaCredFiltAcceptCredFrom OCTET STRING,
ipiaCredFiltLastChanged TimeStamp,
ipiaCredFiltStorageType StorageType,
ipiaCredFiltRowStatus RowStatus
}
ipiaCredFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name of this filter."
::= { ipiaCredentialFilterEntry 1 }
ipiaCredFiltCredentialType OBJECT-TYPE
SYNTAX IpsaCredentialType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The credential type that is expected for this filter to
succeed."
DEFVAL { x509 }
::= { ipiaCredentialFilterEntry 2 }
ipiaCredFiltMatchFieldName OBJECT-TYPE
Baer, et al. Expires April 22, 2007 [Page 11]
Internet-Draft IPsec IKE Action MIB October 2006
SYNTAX OCTET STRING (SIZE(0..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The piece of the credential to match against. Examples:
serialNumber, signatureAlgorithm, issuerName or
subjectName.
For credential types without fields (e.g. shared secret),
this field SHOULD be left empty, and the entire credential
will be matched against the ipiaCredFiltMatchFieldValue."
::= { ipiaCredentialFilterEntry 3 }
ipiaCredFiltMatchFieldValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..4096))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The value that the field indicated by the
ipiaCredFiltMatchFieldName MUST match against for the
filter to be considered TRUE."
::= { ipiaCredentialFilterEntry 4 }
ipiaCredFiltAcceptCredFrom OBJECT-TYPE
SYNTAX OCTET STRING(SIZE(1..117))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used to look up a row in the
ipiaIpsecCredMngServiceTable for the Certificate Authority
(CA) Information. This value is empty if there is no CA
used for this filter."
::= { ipiaCredentialFilterEntry 5 }
ipiaCredFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaCredentialFilterEntry 6 }
ipiaCredFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
Baer, et al. Expires April 22, 2007 [Page 12]
Internet-Draft IPsec IKE Action MIB October 2006
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaCredentialFilterEntry 7 }
ipiaCredFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaCredentialFilterEntry 8 }
--
-- Peer Identity Filter Table
--
ipiaPeerIdentityFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaPeerIdentityFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines filters which can be used to match
credentials of IKE peers, where the credentials in question
have been obtained from an IKE phase 1 exchange. They MAY
be X.509 certificates, Kerberos tickets, etc..."
::= { ipiaConfigObjects 4 }
ipiaPeerIdentityFilterEntry OBJECT-TYPE
SYNTAX IpiaPeerIdentityFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
Baer, et al. Expires April 22, 2007 [Page 13]
Internet-Draft IPsec IKE Action MIB October 2006
"A row defining a particular credential filter"
INDEX { ipiaPeerIdFiltName }
::= { ipiaPeerIdentityFilterTable 1 }
IpiaPeerIdentityFilterEntry ::= SEQUENCE {
ipiaPeerIdFiltName SnmpAdminString,
ipiaPeerIdFiltIdentityType IpsecDoiIdentType,
ipiaPeerIdFiltIdentityValue IpsaIdentityFilter,
ipiaPeerIdFiltLastChanged TimeStamp,
ipiaPeerIdFiltStorageType StorageType,
ipiaPeerIdFiltRowStatus RowStatus
}
ipiaPeerIdFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name of this filter."
::= { ipiaPeerIdentityFilterEntry 1 }
ipiaPeerIdFiltIdentityType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The type of identity field in the peer ID payload to match
against."
::= { ipiaPeerIdentityFilterEntry 2 }
ipiaPeerIdFiltIdentityValue OBJECT-TYPE
SYNTAX IpsaIdentityFilter
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The string representation of the value that the peer ID
payload value MUST match against. Wildcard mechanisms MUST
be supported such that:
- a ipiaPeerIdFiltIdentityValue of '*@example.com' will
match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'
- a ipiaPeerIdFiltIdentityValue of '*.example.com' will
match a fqdn ID payload of 'WWW.EXAMPLE.COM'
- a ipiaPeerIdFiltIdentityValue of:
'cn=*,ou=engineering,o=company,c=us'
will match a DER DN ID payload of
Baer, et al. Expires April 22, 2007 [Page 14]
Internet-Draft IPsec IKE Action MIB October 2006
'cn=John Doe,ou=engineering,o=company,c=us'
- a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will
match an IPv4 address ID payload of 192.0.2.10
- a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also
match an IPv4 address ID payload of 192.0.2.10.
The character '*' replaces 0 or multiple instances of any
character."
::= { ipiaPeerIdentityFilterEntry 3 }
ipiaPeerIdFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaPeerIdentityFilterEntry 4 }
ipiaPeerIdFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaPeerIdentityFilterEntry 5 }
ipiaPeerIdFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
This object can not be considered active unless the
ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
column values are defined.
The value of this object has no effect on whether other
Baer, et al. Expires April 22, 2007 [Page 15]
Internet-Draft IPsec IKE Action MIB October 2006
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaPeerIdentityFilterEntry 6 }
--
-- Static Actions
--
-- these are static actions which can be pointed to by the
-- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
-- accept or reject packets.
ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }
ipiaRejectIKEAction OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet SHOULD be rejected
WITHOUT action/packet logging. This object returns a value
of 1 for IPsec policy implementations that support the
reject static action."
::= { ipiaStaticActions 1 }
ipiaRejectIKEActionLog OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet SHOULD be rejected
WITH action/packet logging. This object returns a value of
1 for IPsec policy implementations that support the reject
static action with logging."
::= { ipiaStaticActions 2 }
--
-- ipiaIkeActionTable
--
ipiaIkeActionTable OBJECT-TYPE
Baer, et al. Expires April 22, 2007 [Page 16]
Internet-Draft IPsec IKE Action MIB October 2006
SYNTAX SEQUENCE OF IpiaIkeActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIkeActionTable contains a list of the parameters
used for an IKE phase 1 SA DOI negotiation. See the
corresponding table ipiaIkeActionProposalsTable for a list
of proposals contained within a given IKE Action."
::= { ipiaConfigObjects 6 }
ipiaIkeActionEntry OBJECT-TYPE
SYNTAX IpiaIkeActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIkeActionEntry lists the IKE negotiation
attributes."
INDEX { ipiaIkeActName }
::= { ipiaIkeActionTable 1 }
IpiaIkeActionEntry ::= SEQUENCE {
ipiaIkeActName SnmpAdminString,
ipiaIkeActParametersName SnmpAdminString,
ipiaIkeActThresholdDerivedKeys Integer32,
ipiaIkeActExchangeMode INTEGER,
ipiaIkeActAgressiveModeGroupId IkeGroupDescription,
ipiaIkeActIdentityType IpsecDoiIdentType,
ipiaIkeActIdentityContext SnmpAdminString,
ipiaIkeActPeerName SnmpAdminString,
ipiaIkeActDoActionLogging TruthValue,
ipiaIkeActDoPacketLogging SpdIPPacketLogging,
ipiaIkeActVendorId OCTET STRING,
ipiaIkeActLastChanged TimeStamp,
ipiaIkeActStorageType StorageType,
ipiaIkeActRowStatus RowStatus
}
ipiaIkeActName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this ikeAction entry."
::= { ipiaIkeActionEntry 1 }
ipiaIkeActParametersName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
Baer, et al. Expires April 22, 2007 [Page 17]
Internet-Draft IPsec IKE Action MIB October 2006
STATUS current
DESCRIPTION
"This object is administratively assigned to reference a row
in the ipiaSaNegotiationParametersTable where additional
parameters affecting this action can be found.
An attempt to set this object to a value that does not
exist in the ipiaSaNegotiationParametersTable MUST result
in an inconsistentValue error."
::= { ipiaIkeActionEntry 2 }
ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
SYNTAX Integer32 (0..100)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkeActThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys
property of IKEProposal) can expire before IKE SHOULD
attempt to renegotiate the IKE phase 1 security
association."
DEFVAL { 100 }
::= { ipiaIkeActionEntry 3 }
ipiaIkeActExchangeMode OBJECT-TYPE
SYNTAX INTEGER { main(1), agressive(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkeActExchangeMode specifies the IKE Phase 1
negotiation mode."
DEFVAL { main }
::= { ipiaIkeActionEntry 4 }
ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
SYNTAX IkeGroupDescription
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The values to be used for Diffie-Hellman exchange."
::= { ipiaIkeActionEntry 5 }
ipiaIkeActIdentityType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This column along with ipiaIkeActIdentityContext and
Baer, et al. Expires April 22, 2007 [Page 18]
Internet-Draft IPsec IKE Action MIB October 2006
endpoint information is used to refer an
ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
::= { ipiaIkeActionEntry 6 }
ipiaIkeActIdentityContext OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This column, along with ipiaIkeActIdentityType and endpoint
information, is used to refer to an ipiaIkeIdentityEntry in
the ipiaIkeIdentityTable."
::= { ipiaIkeActionEntry 7 }
ipiaIkeActPeerName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the peer id name of the IKE peer.
This object can be used to look up the peer id value,
address, credentials and other values in the
ipiaPeerIdentityTable."
::= { ipiaIkeActionEntry 8 }
ipiaIkeActDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ikeDoActionLogging specifies whether or not an audit
message SHOULD be logged when this ike SA is created."
DEFVAL { false }
::= { ipiaIkeActionEntry 9 }
ipiaIkeActDoPacketLogging OBJECT-TYPE
SYNTAX SpdIPPacketLogging
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ikeDoPacketLogging specifies whether or not an audit
message SHOULD be logged and if there is logging, how many
bytes of the packet to place in the notification."
DEFVAL { -1 }
::= { ipiaIkeActionEntry 10 }
ipiaIkeActVendorId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..65535))
Baer, et al. Expires April 22, 2007 [Page 19]
Internet-Draft IPsec IKE Action MIB October 2006
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Vendor ID Payload. A value of NULL means that Vendor ID
payload will be neither generated nor accepted. A non-NULL
value means that a Vendor ID payload will be generated
(when acting as an initiator) or is expected (when acting
as a responder)."
DEFVAL { "" }
::= { ipiaIkeActionEntry 11 }
ipiaIkeActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeActionEntry 12 }
ipiaIkeActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIkeActionEntry 13 }
ipiaIkeActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object MUST NOT be set to destroy if referred to by
other rows in other action tables. An attempt to set it to
anything other than active while it is referenced by an
Baer, et al. Expires April 22, 2007 [Page 20]
Internet-Draft IPsec IKE Action MIB October 2006
active row in another table MUST result in an
inconsistentValue error."
::= { ipiaIkeActionEntry 14 }
--
-- IPsec action definition table
--
ipiaIpsecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIpsecActionTable contains a list of the parameters
used for an IKE phase 2 IPsec DOI negotiation."
::= { ipiaConfigObjects 7 }
ipiaIpsecActionEntry OBJECT-TYPE
SYNTAX IpiaIpsecActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIpsecActionEntry lists the IPsec negotiation
attributes."
INDEX { ipiaIpsecActName }
::= { ipiaIpsecActionTable 1 }
IpiaIpsecActionEntry ::= SEQUENCE {
ipiaIpsecActName SnmpAdminString,
ipiaIpsecActParametersName SnmpAdminString,
ipiaIpsecActProposalsName SnmpAdminString,
ipiaIpsecActUsePfs TruthValue,
ipiaIpsecActVendorId OCTET STRING,
ipiaIpsecActGroupId IkeGroupDescription,
ipiaIpsecActPeerGatewayIdName OCTET STRING,
ipiaIpsecActUseIkeGroup TruthValue,
ipiaIpsecActGranularity INTEGER,
ipiaIpsecActMode INTEGER,
ipiaIpsecActDFHandling INTEGER,
ipiaIpsecActDoActionLogging TruthValue,
ipiaIpsecActDoPacketLogging SpdIPPacketLogging,
ipiaIpsecActLastChanged TimeStamp,
ipiaIpsecActStorageType StorageType,
ipiaIpsecActRowStatus RowStatus
}
Baer, et al. Expires April 22, 2007 [Page 21]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIpsecActName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"ipiaIpsecActName is the name of the ipsecAction entry."
::= { ipiaIpsecActionEntry 1 }
ipiaIpsecActParametersName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to reference a row in the
ipiaSaNegotiationParametersTable where additional
parameters affecting this action can be found.
An attempt to set this column to a value that does not
exist in the ipiaSaNegotiationParametersTable MUST result
in an inconsistentValue error."
::= { ipiaIpsecActionEntry 2 }
ipiaIpsecActProposalsName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to reference one or more rows in the
ipiaIpsecProposalsTable where an ordered list of proposals
affecting this action can be found.
An attempt to set this column to a value that does not
exist in the ipiaIpsecProposalsTable MUST result in an
inconsistentValue error."
::= { ipiaIpsecActionEntry 3 }
ipiaIpsecActUsePfs OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This MIB object specifies whether or not perfect forward
secrecy is used when refreshing keys. A value of true
indicates that PFS SHOULD be used."
::= { ipiaIpsecActionEntry 4 }
ipiaIpsecActVendorId OBJECT-TYPE
Baer, et al. Expires April 22, 2007 [Page 22]
Internet-Draft IPsec IKE Action MIB October 2006
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The VendorID property is used to identify vendor-defined
key exchange GroupIDs."
::= { ipiaIpsecActionEntry 5 }
ipiaIpsecActGroupId OBJECT-TYPE
SYNTAX IkeGroupDescription
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the Diffie-Hellman group to use for
phase 2 when the object ipiaIpsecActUsePfs is true and the
object ipiaIpsecActUseIkeGroup is false. If the GroupID
number is from the vendor-specific range (32768-65535), the
VendorID qualifies the group number."
::= { ipiaIpsecActionEntry 6 }
ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..116))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the peer id name of the peer
gateway. This object can be used to look up the peer id
value, address and other values in the
ipiaPeerIdentityTable. This object is used when initiating
a tunnel SA. This object is not used for transport SAs.
If no value is set and ipiaIpsecActMode is tunnel, the peer
gateway is determined from the source or destination
address of the packet."
::= { ipiaIpsecActionEntry 7 }
ipiaIpsecActUseIkeGroup OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies whether or not to use the same
GroupId for phase 2 as was used in phase 1. If UsePFS is
false, this entry SHOULD be ignored."
::= { ipiaIpsecActionEntry 8 }
ipiaIpsecActGranularity OBJECT-TYPE
SYNTAX INTEGER { subnet(1), address(2), protocol(3),
port(4) }
Baer, et al. Expires April 22, 2007 [Page 23]
Internet-Draft IPsec IKE Action MIB October 2006
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies how the proposed selector for the
security association will be created. The selector is
created by using the FilterList information. The selector
can be subnet, address, porotocol, or port."
::= { ipiaIpsecActionEntry 9 }
ipiaIpsecActMode OBJECT-TYPE
SYNTAX INTEGER { tunnel(1), transport(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the encapsulation of the IPsec SA
to be negotiated."
DEFVAL { tunnel }
::= { ipiaIpsecActionEntry 10 }
ipiaIpsecActDFHandling OBJECT-TYPE
SYNTAX INTEGER { copy(1), set(2), clear(3) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the processing of DF bit by the
negotiated IPsec tunnel.
1 - DF bit is copied.
2 - DF bit is set.
3 - DF bit is cleared."
DEFVAL { copy }
::= { ipiaIpsecActionEntry 11 }
ipiaIpsecActDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIpsecActDoActionLogging specifies whether or not an
audit message SHOULD be logged when this ipsec SA is
created."
DEFVAL { false }
::= { ipiaIpsecActionEntry 12 }
ipiaIpsecActDoPacketLogging OBJECT-TYPE
SYNTAX SpdIPPacketLogging
MAX-ACCESS read-create
STATUS current
DESCRIPTION
Baer, et al. Expires April 22, 2007 [Page 24]
Internet-Draft IPsec IKE Action MIB October 2006
"ipiaIpsecActDoPacketLogging specifies whether or not an
audit message SHOULD be logged and if there is logging, how
many bytes of the packet to place in the notification."
DEFVAL { -1 }
::= { ipiaIpsecActionEntry 13 }
ipiaIpsecActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecActionEntry 14 }
ipiaIpsecActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIpsecActionEntry 15 }
ipiaIpsecActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaIpsecActionEntry 16 }
--
Baer, et al. Expires April 22, 2007 [Page 25]
Internet-Draft IPsec IKE Action MIB October 2006
-- ipiaSaNegotiationParametersTable
--
-- PROPERTIES MinLifetimeSeconds
-- MinLifetimeKilobytes
-- RefreshThresholdSeconds
-- RefreshThresholdKilobytes
-- IdleDurationSeconds
ipiaSaNegotiationParametersTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaSaNegotiationParametersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains reusable parameters that can be pointed
to by the ipiaIkeActionTable and ipiaIpsecActionTable.
These parameters are reusable since it is likely an
administrator will want to make global policy changes to
lifetime parameters that apply to multiple actions. This
table allows multiple rows in the other actions tables to
reuse global lifetime parameters in this table by
repeatedly pointing to a row cointained within this table."
::= { ipiaConfigObjects 8 }
ipiaSaNegotiationParametersEntry OBJECT-TYPE
SYNTAX IpiaSaNegotiationParametersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains the attributes of one row in the
ipiaSaNegotiationParametersTable."
INDEX { ipiaSaNegParamName }
::= { ipiaSaNegotiationParametersTable 1 }
IpiaSaNegotiationParametersEntry ::= SEQUENCE {
ipiaSaNegParamName SnmpAdminString,
ipiaSaNegParamMinLifetimeSecs Unsigned32,
ipiaSaNegParamMinLifetimeKB Unsigned32,
ipiaSaNegParamRefreshThreshSecs Unsigned32,
ipiaSaNegParamRefreshThresholdKB Unsigned32,
ipiaSaNegParamIdleDurationSecs Unsigned32,
ipiaSaNegParamLastChanged TimeStamp,
ipiaSaNegParamStorageType StorageType,
ipiaSaNegParamRowStatus RowStatus
}
ipiaSaNegParamName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
Baer, et al. Expires April 22, 2007 [Page 26]
Internet-Draft IPsec IKE Action MIB October 2006
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the administrative name of this
SaNegotiationParametersEntry. This row can be referred
to by this name in other policy action tables."
::= { ipiaSaNegotiationParametersEntry 1 }
ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
lifetime that will be accepted from the peer."
::= { ipiaSaNegotiationParametersEntry 2 }
ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
lifetime that will be accepted from the peer."
::= { ipiaSaNegotiationParametersEntry 3 }
ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
SYNTAX Unsigned32 (1..100)
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamRefreshThreshSecs specifies what percentage
of the seconds lifetime can expire before IKE SHOULD
attempt to renegotiate the IPsec security association. A
value between 1 and 100 representing a percentage. A value
of 100 indicates that the IPsec security association SHOULD
not be renegotiated until the seconds lifetime has been
completely reached."
::= { ipiaSaNegotiationParametersEntry 4 }
ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
SYNTAX Unsigned32 (1..100)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamRefreshThresholdKB specifies what percentage
Baer, et al. Expires April 22, 2007 [Page 27]
Internet-Draft IPsec IKE Action MIB October 2006
of the kilobyte lifetime can expire before IKE SHOULD
attempt to renegotiate the IPsec security association. A
value between 1 and 100 representing a percentage. A value
of 100 indicates that the IPsec security association SHOULD
not be renegotiated until the kilobyte lifetime has been
reached."
::= { ipiaSaNegotiationParametersEntry 5 }
ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamIdleDurationSecs specifies how many seconds a
security association MAY remain idle (i.e., no traffic
protected using the security association) before it is
deleted. A value of zero indicates that idle detection
SHOULD NOT be used for the security association. Any
non-zero value indicates the number of seconds the security
association can remain unused."
::= { ipiaSaNegotiationParametersEntry 6 }
ipiaSaNegParamLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaSaNegotiationParametersEntry 7 }
ipiaSaNegParamStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaSaNegotiationParametersEntry 8 }
ipiaSaNegParamRowStatus OBJECT-TYPE
Baer, et al. Expires April 22, 2007 [Page 28]
Internet-Draft IPsec IKE Action MIB October 2006
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaSaNegotiationParametersEntry 9 }
--
-- ipiaIkeActionProposalsTable proposals contained within a ikeAction
--
ipiaIkeActionProposalsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeActionProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of all ike proposal names found
within a given IKE Action."
::= { ipiaConfigObjects 9 }
ipiaIkeActionProposalsEntry OBJECT-TYPE
SYNTAX IpiaIkeActionProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"a row containing one ike proposal reference"
INDEX { ipiaIkeActName, ipiaIkeActPropPriority }
::= { ipiaIkeActionProposalsTable 1 }
IpiaIkeActionProposalsEntry ::= SEQUENCE {
ipiaIkeActPropPriority Integer32,
ipiaIkeActPropName SnmpAdminString,
ipiaIkeActPropLastChanged TimeStamp,
ipiaIkeActPropStorageType StorageType,
ipiaIkeActPropRowStatus RowStatus
}
ipiaIkeActPropPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
Baer, et al. Expires April 22, 2007 [Page 29]
Internet-Draft IPsec IKE Action MIB October 2006
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The numeric priority of a given contained proposal inside
an ike Action. This index SHOULD be used to order the
proposals in an IKE Phase I negotiation, lowest value first
(i.e. 0 first, then 1,2,etc...)."
::= { ipiaIkeActionProposalsEntry 1 }
ipiaIkeActPropName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The administratively assigned name that can be used to
reference a set of values contained within the
ipiaIkeProposalTable.
An attempt to set this object to a value that doesn't exist
in the ipiaIkeProposalTable MUST result in an
inconsistentValue error."
::= { ipiaIkeActionProposalsEntry 2 }
ipiaIkeActPropLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeActionProposalsEntry 3 }
ipiaIkeActPropStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIkeActionProposalsEntry 4 }
ipiaIkeActPropRowStatus OBJECT-TYPE
Baer, et al. Expires April 22, 2007 [Page 30]
Internet-Draft IPsec IKE Action MIB October 2006
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met MUST result in an inconsistentValue error. The
two conditions are:
I. No active row in the ipiaIkeActionTable exists
which has a matching ipiaIkeActName.
II. Or at least one other active row in this table has a
matching ipiaIkeActName."
::= { ipiaIkeActionProposalsEntry 5 }
--
-- IKE proposal definition table
--
ipiaIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of IKE proposals which are used
in an IKE negotiation."
::= { ipiaConfigObjects 10 }
ipiaIkeProposalEntry OBJECT-TYPE
SYNTAX IpiaIkeProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"One IKE proposal entry."
INDEX { ipiaIkeActPropName }
::= { ipiaIkeProposalTable 1 }
IpiaIkeProposalEntry ::= SEQUENCE {
ipiaIkePropLifetimeDerivedKeys Unsigned32,
ipiaIkePropCipherAlgorithm IkeEncryptionAlgorithm,
Baer, et al. Expires April 22, 2007 [Page 31]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIkePropCipherKeyLength Unsigned32,
ipiaIkePropCipherKeyRounds Unsigned32,
ipiaIkePropHashAlgorithm IkeHashAlgorithm,
ipiaIkePropPrfAlgorithm INTEGER,
ipiaIkePropVendorId OCTET STRING,
ipiaIkePropDhGroup IkeGroupDescription,
ipiaIkePropAuthenticationMethod IkeAuthMethod,
ipiaIkePropMaxLifetimeSecs Unsigned32,
ipiaIkePropMaxLifetimeKB Unsigned32,
ipiaIkePropLastChanged TimeStamp,
ipiaIkePropStorageType StorageType,
ipiaIkePropRowStatus RowStatus
}
ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropLifetimeDerivedKeys specifies the number of
times that a phase 1 key will be used to derive a phase 2
key before the phase 1 security association needs
renegotiated."
::= { ipiaIkeProposalEntry 1 }
ipiaIkePropCipherAlgorithm OBJECT-TYPE
SYNTAX IkeEncryptionAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropCipherAlgorithm specifies the proposed phase 1
security association encryption algorithm."
::= { ipiaIkeProposalEntry 2 }
ipiaIkePropCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies, in bits, the key length for
the cipher algorithm used in IKE Phase 1 negotiation."
::= { ipiaIkeProposalEntry 3 }
ipiaIkePropCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
Baer, et al. Expires April 22, 2007 [Page 32]
Internet-Draft IPsec IKE Action MIB October 2006
"This object specifies the number of key rounds for
the cipher algorithm used in IKE Phase 1 negotiation."
::= { ipiaIkeProposalEntry 4 }
ipiaIkePropHashAlgorithm OBJECT-TYPE
SYNTAX IkeHashAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropHashAlgorithm specifies the proposed phase 1
security assocation hash algorithm."
::= { ipiaIkeProposalEntry 5 }
ipiaIkePropPrfAlgorithm OBJECT-TYPE
SYNTAX INTEGER { reserved(0) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipPRFAlgorithm specifies the proposed phase 1 security
association psuedo-random function.
Note: currently no prf algorithms are defined."
::= { ipiaIkeProposalEntry 6 }
ipiaIkePropVendorId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The VendorID property is used to identify vendor-defined
key exchange GroupIDs."
::= { ipiaIkeProposalEntry 7 }
ipiaIkePropDhGroup OBJECT-TYPE
SYNTAX IkeGroupDescription
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the proposed phase 1 security
association Diffie-Hellman group"
::= { ipiaIkeProposalEntry 8 }
ipiaIkePropAuthenticationMethod OBJECT-TYPE
SYNTAX IkeAuthMethod
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the proposed authentication
Baer, et al. Expires April 22, 2007 [Page 33]
Internet-Draft IPsec IKE Action MIB October 2006
method for the phase 1 security association."
::= { ipiaIkeProposalEntry 9 }
ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropMaxLifetimeSecs specifies the maximum amount of
time to propose a security association remain valid.
A value of 0 indicates that the default lifetime of
8 hours SHOULD be used."
::= { ipiaIkeProposalEntry 10 }
ipiaIkePropMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropMaxLifetimeKB specifies the maximum kilobyte
lifetime to propose a security association remain valid."
::= { ipiaIkeProposalEntry 11 }
ipiaIkePropLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeProposalEntry 12 }
ipiaIkePropStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIkeProposalEntry 13 }
Baer, et al. Expires April 22, 2007 [Page 34]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIkePropRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaIkeProposalEntry 14 }
--
-- ipiaIpsecProposalsTable
--
ipiaIpsecProposalsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists one or more IPsec proposals for
IPsec actions."
::= { ipiaConfigObjects 11 }
ipiaIpsecProposalsEntry OBJECT-TYPE
SYNTAX IpiaIpsecProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing (possibly a portion of) a proposal."
INDEX { ipiaIpsecPropName, ipiaIpsecPropPriority,
ipiaIpsecPropProtocolId }
::= { ipiaIpsecProposalsTable 1 }
IpiaIpsecProposalsEntry ::= SEQUENCE {
ipiaIpsecPropName SnmpAdminString,
ipiaIpsecPropPriority Integer32,
ipiaIpsecPropProtocolId IpsecDoiSecProtocolId,
ipiaIpsecPropTransformsName SnmpAdminString,
ipiaIpsecPropLastChanged TimeStamp,
Baer, et al. Expires April 22, 2007 [Page 35]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIpsecPropStorageType StorageType,
ipiaIpsecPropRowStatus RowStatus
}
ipiaIpsecPropName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of this proposal."
::= { ipiaIpsecProposalsEntry 1 }
ipiaIpsecPropPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The priority level (AKA sequence level) of this proposal.
A lower number indicates a higher precedence (0 before 1,
etc..)."
::= { ipiaIpsecProposalsEntry 2 }
ipiaIpsecPropProtocolId OBJECT-TYPE
SYNTAX IpsecDoiSecProtocolId
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The protocol Id for the transforms for this proposal. The
protoIsakmp(1) value is not valid for this object. This
object, along with the ipiaIpsecPropTransformsName, is the
index into the ipiaIpsecTransformsTable."
::= { ipiaIpsecProposalsEntry 3 }
ipiaIpsecPropTransformsName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name of the transform or group of transforms for this
protocol. This object, along with the
ipiaIpsecPropProtocolId, is the index into the
ipiaIpsecTransformsTable.
An attempt to set this object to a value that does not
exist in the ipiaIpsecTransformTable MUST result in an
inconsistentValue error."
::= { ipiaIpsecProposalsEntry 4 }
Baer, et al. Expires April 22, 2007 [Page 36]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIpsecPropLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecProposalsEntry 5 }
ipiaIpsecPropStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIpsecProposalsEntry 6 }
ipiaIpsecPropRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This row MUST NOT be set to active until the corresponding
row(s) in the ipiaIpsecTransformsTable exists and is
active.
If active, this object MUST remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met MUST result in an inconsistentValue error. The
two conditions are:
I. No active row in the ipiaIkeActionProposalTable exists
which has a matching ipiaIpsecPropName.
II. Or at least one other active row in this table has a
Baer, et al. Expires April 22, 2007 [Page 37]
Internet-Draft IPsec IKE Action MIB October 2006
matching ipiaIpsecPropName."
::= { ipiaIpsecProposalsEntry 7 }
--
-- ipiaIpsecTransformsTable
--
ipiaIpsecTransformsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecTransformsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists the IPsec proposals contained within a
given IPsec action and the transforms within each of those
proposals. These proposals and transforms can then be used
to create phase 2 negotiation proposals."
::= { ipiaConfigObjects 12 }
ipiaIpsecTransformsEntry OBJECT-TYPE
SYNTAX IpiaIpsecTransformsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the information on an IPsec transform."
INDEX { ipiaIpsecTranType, ipiaIpsecTranName,
ipiaIpsecTranPriority }
::= { ipiaIpsecTransformsTable 1 }
IpiaIpsecTransformsEntry ::= SEQUENCE {
ipiaIpsecTranType IpsecDoiSecProtocolId,
ipiaIpsecTranName SnmpAdminString,
ipiaIpsecTranPriority Integer32,
ipiaIpsecTranTransformName SnmpAdminString,
ipiaIpsecTranLastChanged TimeStamp,
ipiaIpsecTranStorageType StorageType,
ipiaIpsecTranRowStatus RowStatus
}
ipiaIpsecTranType OBJECT-TYPE
SYNTAX IpsecDoiSecProtocolId
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The protocol type for this transform. The protoIsakmp(1)
value is not valid for this object."
::= { ipiaIpsecTransformsEntry 1 }
Baer, et al. Expires April 22, 2007 [Page 38]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIpsecTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name for this transform or group of transforms."
::= { ipiaIpsecTransformsEntry 2 }
ipiaIpsecTranPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The priority level (AKA sequence level) of the this
transform within the group of transforms (0 before 1,
etc...). This indicates the preference for which
algorithms are requested when the list of transforms are
sent to the remote host. A lower number indicates a higher
precedence."
::= { ipiaIpsecTransformsEntry 3 }
ipiaIpsecTranTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name for the given transform. Depending on the value
of ipiaIpsecTranType, this value is used to lookup the
transform's specific parameters in the
ipiaAhTransformTable, the ipiaEspTransformTable or the
ipiaIpcompTransformTable."
::= { ipiaIpsecTransformsEntry 4 }
ipiaIpsecTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecTransformsEntry 5 }
ipiaIpsecTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
Baer, et al. Expires April 22, 2007 [Page 39]
Internet-Draft IPsec IKE Action MIB October 2006
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIpsecTransformsEntry 6 }
ipiaIpsecTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This row MUST NOT be set to active until the corresponding
row in the ipiaAhTransformTable, ipiaEspTransformTable or
the ipiaIpcompTransformTable exists.
If active, this object MUST remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met MUST result in an inconsistentValue error. The
two conditions are:
I. No active row in the IpiaIpsecProposalsTable exists
which has a matching ipiaIpsecPropTransformsName.
II. Or at least one other active row in this table has a
matching ipiaIpsecPropTransformsName."
::= { ipiaIpsecTransformsEntry 7 }
--
-- IKE identity definition table
--
ipiaIkeIdentityTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IKEIdentity is used to represent the identities that are
used for an IPProtocolEndpoint (or collection of
Baer, et al. Expires April 22, 2007 [Page 40]
Internet-Draft IPsec IKE Action MIB October 2006
IPProtocolEndpoints) to identify itself in IKE phase 1
negotiations. The column ipiaIkeActIdentityType and
ipiaIkeIdentityContext in an ipiaIkeActionEntry together
with the spdEndGroupInterface in the
spdEndpointToGroupTable specifies the unique identity to
use in a negotiation exchange."
::= { ipiaConfigObjects 13 }
ipiaIkeIdentityEntry OBJECT-TYPE
SYNTAX IpiaIkeIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"ikeIdentity lists the attributes of an IKE identity."
INDEX { spdEndGroupInterface, ipiaIkeActIdentityType,
ipiaIkeActIdentityContext }
::= { ipiaIkeIdentityTable 1 }
IpiaIkeIdentityEntry ::= SEQUENCE {
ipiaIkeIdCredentialName SnmpAdminString,
ipiaIkeIdLastChanged TimeStamp,
ipiaIkeIdStorageType StorageType,
ipiaIkeIdRowStatus RowStatus
}
ipiaIkeIdCredentialName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the
ipiaCredentialFilterTable to look up the actual credential
value and other credential information.
For ID's without associated credential information, this
value is left blank.
For ID's that are address types, this value MAY be left
blank and the associated IPProtocolEndpoint or appropriate
member of the Collection of endpoints is used."
::= { ipiaIkeIdentityEntry 1 }
ipiaIkeIdLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
Baer, et al. Expires April 22, 2007 [Page 41]
Internet-Draft IPsec IKE Action MIB October 2006
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeIdentityEntry 2 }
ipiaIkeIdStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIkeIdentityEntry 3 }
ipiaIkeIdRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaIkeIdentityEntry 4 }
--
-- autostart IKE Table
ipiaAutostartIkeTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaAutostartIkeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The parameters in the autostart IKE Table are used to
automatically initiate IKE phaes I and II (i.e. IPsec)
negotiations on startup. It also will initiate IKE phase I
Baer, et al. Expires April 22, 2007 [Page 42]
Internet-Draft IPsec IKE Action MIB October 2006
and II negotiations for a row at the time of that row's
creation"
::= { ipiaConfigObjects 14 }
ipiaAutostartIkeEntry OBJECT-TYPE
SYNTAX IpiaAutostartIkeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"autostart ike provides the set of parameters to
automatically start IKE and IPsec SA's."
INDEX { ipiaAutoIkePriority }
::= { ipiaAutostartIkeTable 1 }
IpiaAutostartIkeEntry ::= SEQUENCE {
ipiaAutoIkePriority Integer32,
ipiaAutoIkeAction VariablePointer,
ipiaAutoIkeAddressType InetAddressType,
ipiaAutoIkeSourceAddress InetAddress,
ipiaAutoIkeSourcePort InetPortNumber,
ipiaAutoIkeDestAddress InetAddress,
ipiaAutoIkeDestPort InetPortNumber,
ipiaAutoIkeProtocol Unsigned32,
ipiaAutoIkeLastChanged TimeStamp,
ipiaAutoIkeStorageType StorageType,
ipiaAutoIkeRowStatus RowStatus
}
ipiaAutoIkePriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"ipiaAutoIkePriority is an index into the autostartIkeAction
table and can be used to order the autostart IKE actions (0
before 1, etc...)."
::= { ipiaAutostartIkeEntry 1 }
ipiaAutoIkeAction OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This pointer is used to point to the action or compound
action that is initiated by this row. This value
can be used to indicate a scalar or a row in a table. When
indicating a row in a table, this value MUST point to the
first column instance in that row.
Baer, et al. Expires April 22, 2007 [Page 43]
Internet-Draft IPsec IKE Action MIB October 2006
If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported
table or if the table or scalar pointed to by the
VariablePointer is not supported at all, the
inconsistentValue exception MUST be returned.
If during packet processing this column has a value that
references a non-existent or non-supported object, the
packet MUST be dropped."
::= { ipiaAutostartIkeEntry 2 }
ipiaAutoIkeAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeAddressType specifies the format of
the autoIke source and destination Address values."
::= { ipiaAutostartIkeEntry 3 }
ipiaAutoIkeSourceAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property autoIkeSourecAddress specifies Source IP
address for autostarting IKE SA's, formatted according to
the appropriate convention as defined in the
ipiaAutoIkeAddressType property."
::= { ipiaAutostartIkeEntry 4 }
ipiaAutoIkeSourcePort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeSourcePort specifies the port
number for the source port for auotstarting IKE SA's.
The value of 0 for this object is illegal."
::= { ipiaAutostartIkeEntry 5 }
ipiaAutoIkeDestAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeDestAddress specifies the
Baer, et al. Expires April 22, 2007 [Page 44]
Internet-Draft IPsec IKE Action MIB October 2006
Destination IP address for autostarting IKE SA's, formatted
according to the appropriate convention as defined in the
ipiaAutoIkeAddressType property."
::= { ipiaAutostartIkeEntry 6 }
ipiaAutoIkeDestPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeDestPort specifies the port number
for the destination port for auotstarting IKE SA's.
The value of 0 for this object is illegal."
::= { ipiaAutostartIkeEntry 7 }
ipiaAutoIkeProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property Protocol specifies the protocol number used in
comparing with policy filter entries and used in any phase
2 negotiations."
::= { ipiaAutostartIkeEntry 8 }
ipiaAutoIkeLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaAutostartIkeEntry 9 }
ipiaAutoIkeStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
Baer, et al. Expires April 22, 2007 [Page 45]
Internet-Draft IPsec IKE Action MIB October 2006
::= { ipiaAutostartIkeEntry 10 }
ipiaAutoIkeRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object MUST NOT be set to active until the object to
which the ipiaAutoIkeAction points to exists and is
active.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaAutostartIkeEntry 11 }
--
-- CA Table
--
ipiaIpsecCredMngServiceTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecCredMngServiceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of Credential Management Service values. This
table is usually used for credential/certificate values
that are used with a management service (e.g. Certificate
Authorities)."
::= { ipiaConfigObjects 15 }
ipiaIpsecCredMngServiceEntry OBJECT-TYPE
SYNTAX IpiaIpsecCredMngServiceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipiaIpsecCredMngServiceTable."
INDEX { ipiaIcmsName }
::= { ipiaIpsecCredMngServiceTable 1 }
Baer, et al. Expires April 22, 2007 [Page 46]
Internet-Draft IPsec IKE Action MIB October 2006
IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
ipiaIcmsName SnmpAdminString,
ipiaIcmsDistinguishedName OCTET STRING,
ipiaIcmsPolicyStatement OCTET STRING,
ipiaIcmsMaxChainLength Integer32,
ipiaIcmsCredentialName SnmpAdminString,
ipiaIcmsLastChanged TimeStamp,
ipiaIcmsStorageType StorageType,
ipiaIcmsRowStatus RowStatus
}
ipiaIcmsName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned string used to index
this table."
::= { ipiaIpsecCredMngServiceEntry 1 }
ipiaIcmsDistinguishedName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value represents the Distinguished Name of the
Credential Management Service."
::= { ipiaIpsecCredMngServiceEntry 2 }
ipiaIcmsPolicyStatement OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This Value represents the Credential Management Service
Policy Statement, or a reference describing how to obtain
it (e.g., a URL). If one doesn't exist, this value can be
left blank"
::= { ipiaIpsecCredMngServiceEntry 3 }
ipiaIcmsMaxChainLength OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the maximum length of the chain allowble from
the Credential Management Service to the credential in
question."
Baer, et al. Expires April 22, 2007 [Page 47]
Internet-Draft IPsec IKE Action MIB October 2006
DEFVAL { 0 }
::= { ipiaIpsecCredMngServiceEntry 4}
ipiaIcmsCredentialName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the
ipiaCredentialFilterTable to look up the actual credential
value."
::= { ipiaIpsecCredMngServiceEntry 5 }
ipiaIcmsLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecCredMngServiceEntry 6 }
ipiaIcmsStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaIpsecCredMngServiceEntry 7 }
ipiaIcmsRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
Baer, et al. Expires April 22, 2007 [Page 48]
Internet-Draft IPsec IKE Action MIB October 2006
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaIpsecCredMngServiceEntry 8 }
--
-- CRL Table
--
ipiaCredMngCRLTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaCredMngCRLEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of the Credential Revocation Lists (CRL) for
credential managment services."
::= { ipiaConfigObjects 16 }
ipiaCredMngCRLEntry OBJECT-TYPE
SYNTAX IpiaCredMngCRLEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipiaCredMngCRLTable."
INDEX { ipiaIcmsName , ipiaCmcCRLName }
::= { ipiaCredMngCRLTable 1 }
IpiaCredMngCRLEntry ::= SEQUENCE {
ipiaCmcCRLName SnmpAdminString,
ipiaCmcDistributionPoint OCTET STRING,
ipiaCmcThisUpdate OCTET STRING,
ipiaCmcNextUpdate OCTET STRING,
ipiaCmcLastChanged TimeStamp,
ipiaCmcStorageType StorageType,
ipiaCmcRowStatus RowStatus
}
ipiaCmcCRLName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned string used to index
this table. It represents a CRL for a given CA from a given
distribution point."
::= { ipiaCredMngCRLEntry 1 }
Baer, et al. Expires April 22, 2007 [Page 49]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaCmcDistributionPoint OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This Value represents a Distribution Point for a Credential
Revocation List. It can be relative to the Credential
Management Service or a full name (URL, e-mail, etc...)."
::= { ipiaCredMngCRLEntry 2 }
ipiaCmcThisUpdate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the issue date of this CRL. This
SHOULD be in utctime or generalizedtime."
::= { ipiaCredMngCRLEntry 3 }
ipiaCmcNextUpdate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value indicates the date the next version of this CRL
will be issued. This SHOULD be in utctime or
generalizedtime."
::= { ipiaCredMngCRLEntry 4 }
ipiaCmcLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaCredMngCRLEntry 5 }
ipiaCmcStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
Baer, et al. Expires April 22, 2007 [Page 50]
Internet-Draft IPsec IKE Action MIB October 2006
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaCredMngCRLEntry 6 }
ipiaCmcRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaCredMngCRLEntry 7 }
--
-- Revoked Certificate Table
--
ipiaRevokedCertificateTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaRevokedCertificateEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of Credentials revoked by credential managment
services. That is, this table is a table of Certificates
that are on CRL's, Credential Revocation Lists."
::= { ipiaConfigObjects 17 }
ipiaRevokedCertificateEntry OBJECT-TYPE
SYNTAX IpiaRevokedCertificateEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipiaRevokedCertificateTable."
INDEX { ipiaCmcCRLName, ipiaRctCertSerialNumber}
::= { ipiaRevokedCertificateTable 1 }
IpiaRevokedCertificateEntry ::= SEQUENCE {
ipiaRctCertSerialNumber Unsigned32,
Baer, et al. Expires April 22, 2007 [Page 51]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaRctRevokedDate OCTET STRING,
ipiaRctRevokedReason INTEGER,
ipiaRctLastChanged TimeStamp,
ipiaRctStorageType StorageType,
ipiaRctRowStatus RowStatus
}
ipiaRctCertSerialNumber OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This value is the serial number of the revoked
certificate."
::= { ipiaRevokedCertificateEntry 1 }
ipiaRctRevokedDate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the revocation date of the certificate. This
SHOULD be in utctime or generaltime."
::= { ipiaRevokedCertificateEntry 2 }
ipiaRctRevokedReason OBJECT-TYPE
SYNTAX INTEGER { unspecified(1), keyCompromise(2),
cACompromise(3), affiliationChanged(4),
superseded(5), cessationOfOperation(6),
certificateHold(7), removeFromCRL(8) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the reason this certificate was revoked."
DEFVAL { unspecified }
::= { ipiaRevokedCertificateEntry 3 }
ipiaRctLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaRevokedCertificateEntry 4 }
ipiaRctStorageType OBJECT-TYPE
Baer, et al. Expires April 22, 2007 [Page 52]
Internet-Draft IPsec IKE Action MIB October 2006
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process MAY have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { ipiaRevokedCertificateEntry 5 }
ipiaRctRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object MUST remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table MUST result in
an inconsistentValue error."
::= { ipiaRevokedCertificateEntry 6 }
--
--
-- Notification objects information
--
--
ipiaNotificationVariables OBJECT IDENTIFIER ::=
{ ipiaNotificationObjects 1 }
ipiaNotifications OBJECT IDENTIFIER ::=
{ ipiaNotificationObjects 0 }
--
--
-- Conformance information
--
--
Baer, et al. Expires April 22, 2007 [Page 53]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaCompliances OBJECT IDENTIFIER
::= { ipiaConformanceObjects 1 }
ipiaGroups OBJECT IDENTIFIER
::= { ipiaConformanceObjects 2 }
--
-- Compliance statements
--
--
ipiaIKECompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IPsec MIB implementation and supports IKE actions.
-- OBJECT ipiaAutoIkeAddressType
-- SYNTAX InetAddreessType { ipv4(1), ipv6(2) }
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--
-- OBJECT ipiaAutoIkeSourceAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
-- OBJECT ipiaAutoIkeDestAddress
-- SYNTAX InetAddress (SIZE(4|16))
-- DESCRIPTION
-- Only support for global IPv4 and IPv6 address
-- types is required.
--"
MODULE -- This Module
MANDATORY-GROUPS { ipiaIpsecGroup, ipiaIkeGroup,
ipiaStaticActionGroup, ipsaSharedGroup }
OBJECT ipiaIkeActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIkeActPropLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
Baer, et al. Expires April 22, 2007 [Page 54]
Internet-Draft IPsec IKE Action MIB October 2006
burden on resource-constrained devices."
OBJECT ipiaIkePropLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIpsecActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIpsecPropLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIpsecTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaSaNegParamLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIkeIdLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaAutoIkeLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaCmcDistributionPoint
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
Baer, et al. Expires April 22, 2007 [Page 55]
Internet-Draft IPsec IKE Action MIB October 2006
OBJECT ipiaCmcThisUpdate
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaCmcNextUpdate
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaCmcLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT ipiaCmcStorageType
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaRctRevokedDate
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaRctRevokedReason
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaRctLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT ipiaRctStorageType
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsDistinguishedName
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsPolicyStatement
MIN-ACCESS read-only
DESCRIPTION
Baer, et al. Expires April 22, 2007 [Page 56]
Internet-Draft IPsec IKE Action MIB October 2006
"Only read-only access is required for compliance."
OBJECT ipiaIcmsMaxChainLength
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsCredentialName
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT ipiaIcmsStorageType
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
::= { ipiaCompliances 1 }
ipiaRuleFilterCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IKEACTION MIB implementation with IKE filters support."
MODULE -- This Module
MANDATORY-GROUPS { ipiaStaticFilterGroup }
GROUP ipiaPeerIdFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support Peer Identity filters."
OBJECT ipiaPeerIdFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
GROUP ipiaCredentialFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IKE Credential filters."
Baer, et al. Expires April 22, 2007 [Page 57]
Internet-Draft IPsec IKE Action MIB October 2006
OBJECT ipiaCredFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
::= { ipiaCompliances 2 }
--
--
-- Compliance Groups Definitions
--
--
-- Compliance Groups
--
ipiaStaticFilterGroup OBJECT-GROUP
OBJECTS { ipiaIkePhase1Filter,
ipiaIkePhase2Filter }
STATUS current
DESCRIPTION
"The static filter group. Currently this is just a true
filter."
::= { ipiaGroups 1 }
ipiaCredentialFilterGroup OBJECT-GROUP
OBJECTS {
ipiaCredFiltCredentialType, ipiaCredFiltMatchFieldName,
ipiaCredFiltMatchFieldValue, ipiaCredFiltAcceptCredFrom,
ipiaCredFiltLastChanged, ipiaCredFiltStorageType,
ipiaCredFiltRowStatus,
ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
ipiaCmcRowStatus,
ipiaRctRevokedDate, ipiaRctRevokedReason,
ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,
ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy
Credential Filter Table."
::= { ipiaGroups 2 }
Baer, et al. Expires April 22, 2007 [Page 58]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaPeerIdFilterGroup OBJECT-GROUP
OBJECTS {
ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue,
ipiaPeerIdFiltLastChanged, ipiaPeerIdFiltStorageType,
ipiaPeerIdFiltRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy Peer
Identity Filter Table."
::= { ipiaGroups 3 }
--
-- action compliance groups
--
ipiaStaticActionGroup OBJECT-GROUP
OBJECTS {
ipiaRejectIKEAction,
ipiaRejectIKEActionLog
}
STATUS current
DESCRIPTION
"This group is made up of IPsec Policy Static Actions
objects."
::= { ipiaGroups 4 }
ipiaIkeGroup OBJECT-GROUP
OBJECTS {
ipiaIkeActParametersName, ipiaIkeActThresholdDerivedKeys,
ipiaIkeActExchangeMode, ipiaIkeActAgressiveModeGroupId,
ipiaIkeActIdentityType, ipiaIkeActIdentityContext,
ipiaIkeActPeerName, ipiaIkeActVendorId, ipiaIkeActPropName,
ipiaIkeActDoActionLogging, ipiaIkeActDoPacketLogging,
ipiaIkeActLastChanged, ipiaIkeActStorageType,
ipiaIkeActRowStatus,
ipiaIkeActPropLastChanged, ipiaIkeActPropStorageType,
ipiaIkeActPropRowStatus,
ipiaIkePropLifetimeDerivedKeys, ipiaIkePropCipherAlgorithm,
ipiaIkePropCipherKeyLength, ipiaIkePropCipherKeyRounds,
ipiaIkePropHashAlgorithm, ipiaIkePropPrfAlgorithm,
ipiaIkePropVendorId, ipiaIkePropDhGroup,
ipiaIkePropAuthenticationMethod, ipiaIkePropMaxLifetimeSecs,
ipiaIkePropMaxLifetimeKB, ipiaIkePropLastChanged,
ipiaIkePropStorageType,
ipiaIkePropRowStatus,
Baer, et al. Expires April 22, 2007 [Page 59]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
ipiaSaNegParamRefreshThreshSecs,
ipiaSaNegParamRefreshThresholdKB,
ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus,
ipiaIkeIdCredentialName, ipiaIkeIdLastChanged,
ipiaIkeIdStorageType, ipiaIkeIdRowStatus,
ipiaAutoIkeAction, ipiaAutoIkeAddressType,
ipiaAutoIkeSourceAddress, ipiaAutoIkeSourcePort,
ipiaAutoIkeDestAddress, ipiaAutoIkeDestPort,
ipiaAutoIkeProtocol, ipiaAutoIkeLastChanged,
ipiaAutoIkeStorageType, ipiaAutoIkeRowStatus,
ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
ipiaCmcRowStatus,
ipiaRctRevokedDate, ipiaRctRevokedReason,
ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,
ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
}
STATUS current
DESCRIPTION
"This group is the set of objects that support IKE
actions. These objects are from The IPsec Policy IKE
Action Table, The IKE Action Proposals Table, The IKE
Proposal Table, The autostart IKE Table and The IKE
Identity Table, The Peer Identity Table, The Credential
Management Service Table, and the shared table Negotiation
Parameters Table (from the IPSEC-IPSECACTION-MIB."
::= { ipiaGroups 5 }
ipiaIpsecGroup OBJECT-GROUP
OBJECTS {
ipiaIpsecActParametersName, ipiaIpsecActProposalsName,
ipiaIpsecActUsePfs, ipiaIpsecActVendorId,
ipiaIpsecActGroupId, ipiaIpsecActPeerGatewayIdName,
ipiaIpsecActUseIkeGroup, ipiaIpsecActGranularity,
ipiaIpsecActMode, ipiaIpsecActDFHandling,
ipiaIpsecActDoActionLogging, ipiaIpsecActDoPacketLogging,
ipiaIpsecActLastChanged, ipiaIpsecActStorageType,
ipiaIpsecActRowStatus,
Baer, et al. Expires April 22, 2007 [Page 60]
Internet-Draft IPsec IKE Action MIB October 2006
ipiaIpsecPropTransformsName, ipiaIpsecPropLastChanged,
ipiaIpsecPropStorageType, ipiaIpsecPropRowStatus,
ipiaIpsecTranTransformName, ipiaIpsecTranLastChanged,
ipiaIpsecTranStorageType, ipiaIpsecTranRowStatus,
ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
ipiaSaNegParamRefreshThreshSecs,
ipiaSaNegParamRefreshThresholdKB,
ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus
}
STATUS current
DESCRIPTION
"This group is the set of objects that support IPsec
actions. These objects are from The IPsec Policy IPsec
Actions Table, The IPsec Proposal Table, and The IPsec
Transform Table. This group also includes objects from the
shared tables: Peer Identity Table, Credential Table,
Negotiation Parameters Table, Credential Management Service
Table and the AH, ESP, and IPComp Transform Table."
::= { ipiaGroups 6 }
END
7. Security Considerations
7.1. Introduction
This document defines a MIB module used to configure IPsec policy
services. Since IKE negotiates keys for IPsec and IPsec provides
security services, it is important that the IKE configuration data
SHOULD be least as protected as the IPsec provided security service.
There are two main threats you need to thwart when configuring IPsec
devices.
1. Malicious Configuration: This MIB configures network security
services. If an attacker has SET access to any part of this MIB,
the network security services configured by this MIB SHOULD be
considered broken. The network data sent through the associated
gateway should no longer be considered as protected by IPsec
(i.e., it is no longer confidential or authenticated).
Therefore, only the official administrators SHOULD be allowed to
configure a device. In other words, administrators' identities
SHOULD be authenticated and their access rights checked before
they are allowed to do device configuration. The support for SET
Baer, et al. Expires April 22, 2007 [Page 61]
Internet-Draft IPsec IKE Action MIB October 2006
operations to the IPSEC-IKEACTION-MIB in a non-secure
environment, without proper protection, will invalidate the
security of the network traffic affected by the IPSEC-IKEACITON-
MIB.
2. Disclosure of Configuration: In general, malicious parties SHOULD
NOT be able to read security configuration data while the data is
in network transit. An attacker reading the configuration data
may be able to find misconfigurations in the MIB that enable
attacks to the network or to the configured node. Since this
entire MIB is used for security configuration, it is highly
RECOMMENDED that only authorized administrators are allowed to
view data in this MIB. In particular, malicious users SHOULD be
prevented from reading SNMP packets containing this MIB's data.
SNMP GET data SHOULD be encrypted when sent across the network.
Also, only authorized administrators SHOULD be allowed SNMP GET
access to any of the MIB objects.
SNMP versions prior to SNMPv3 do not include adequate security. Even
if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure
network is allowed to access (i.e. read/change/create/delete) the
objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to GET or SET (change/create/delete) them.
Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you
SHOULD use SNMP version 3. The rest of this discussion assumes the
use of SNMPv3. This is a real strength, because it allows
administrators the ability to load new IPsec configuration on a
device and keep the conversation private and authenticated under the
protection of SNMPv3 before any IPsec protections are available.
Once initial establishment of IPsec configuration on a device has
been achieved, it would be possible to set up IPsec SAs to then also
provide security and integrity services to the configuration
conversation. This may seem redundant at first, but will be shown to
have a use for added privacy protection below.
Baer, et al. Expires April 22, 2007 [Page 62]
Internet-Draft IPsec IKE Action MIB October 2006
7.2. Protecting against unauthenticated access
The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys is not yet provided by standards track documents,
although RFC2786 defines an experimental method of doing so.
7.3. Protecting against involuntary disclosure
While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed
by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties.
This include IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic
algorithms is in the works and may be done as you read this (e.g.
AES [RFC3826]). When configure IPsec policy using this MIB, policy
administrators SHOULD use a privacy security service that is at least
as strong as the desired IPsec policy. E.G., If an administrator
were to use this MIB to configure an IPsec connection that utilizes a
3DES algorithms, the SNMP communication configuring the connection
SHOULD be protected by an algorithm as strong or stronger than the
3DES algorithm.
7.4. Bootstrapping your configuration
Most vendors will not ship new products with a default SNMPv3 user/
password pair, but it is possible. If a device does ship with a
default user/password pair, policy administrators SHOULD either
change the password or configure a new user, deleting the default
user (or at a minimum, restrict the access of the default user).
Most SNMPv3 distributions should, hopefully, require an out-of-band
initialization over a trusted medium, such as a local console
connection. If a product does install with default user/password
information, these values should be changed before connecting to a
Baer, et al. Expires April 22, 2007 [Page 63]
Internet-Draft IPsec IKE Action MIB October 2006
network.
8. IANA Considerations
Only one IANA consideration exist for this document. The
consideration is the node number allocation of the IPSEC-IKEACTION-
MIB under the IPSEC-SPD-MIB MIB's spdActions node.
9. Acknowledgments
Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order for the following
people:
Lindy Foster (Sparta, Inc.)
John Gillis (ADC)
Jamie Jason (Intel Corporation)
Roger Hartmuller (Sparta, Inc.)
David Partain (Ericsson)
Lee Rafalow (IBM)
Jon Saperia (JDS Consulting)
John Shriver (Internap Network Services Corporation)
Eric Vyncke (Cisco Systems)
10. References
10.1. Normative References
[RFCZZZZ] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy Database Configuration MIB",
January 2004.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy IPsec Action MIB",
January 2004.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Baer, et al. Expires April 22, 2007 [Page 64]
Internet-Draft IPsec IKE Action MIB October 2006
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585,
August 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
10.2. Informative References
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", More Info http://www.dmtf.org/specs/cim.html,
November 2000.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004.
Authors' Addresses
Michael Baer
Sparta, Inc.
P.O. Box 72682
Davis, CA 95617
US
Email: baerm@tislabs.com
Baer, et al. Expires April 22, 2007 [Page 65]
Internet-Draft IPsec IKE Action MIB October 2006
Ricky Charlet
Self
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
US
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
US
Email: rstory@sparta.com
Cliff Wang
ARO/North Carolina State University
4300 S. Miami Blvd
RTP, NC 27709
US
Email: cliffwangmail@yahoo.com
Baer, et al. Expires April 22, 2007 [Page 66]
Internet-Draft IPsec IKE Action MIB October 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Baer, et al. Expires April 22, 2007 [Page 67]
| PAFTECH AB 2003-2026 | 2026-04-23 05:33:12 |