One document matched: draft-ietf-ipsp-spd-mib-02.txt
Differences from draft-ietf-ipsp-spd-mib-01.txt
IPSP M. Baer
Internet-Draft Sparta, Inc.
Expires: August 21, 2005 R. Charlet
Self
W. Hardaker
Sparta, Inc.
R. Story
Revelstone Software
C. Wang
ARO/North Carolina State
University
February 20, 2005
IPsec Security Policy Database Configuration MIB
draft-ietf-ipsp-spd-mib-02.txt
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 21, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
Baer, et al. Expires August 21, 2005 [Page 1]
Internet-Draft IPsec SPD configuration MIB February 2005
This document defines a SMIv2 Management Information Base (MIB)
module for configuring the security policy database of a device
implementing the IPsec protocol. The policy-based packet filtering
and the corresponding execution of actions described in this document
is of a more general nature than for IPsec configuration alone, such
as for configuration of a firewall. This MIB module is designed to
be extensible with other enterprise or standards based defined packet
filters and actions.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
4.1 Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5
4.1.1 Notational conventions . . . . . . . . . . . . . . . . 5
4.1.2 Implementing an example SPD policy . . . . . . . . . . 6
5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 61
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . 61
6.2 Protecting against in-authentic access . . . . . . . . . . 63
6.3 Protecting against involuntary disclosure . . . . . . . . 63
6.4 Bootstrapping your configuration . . . . . . . . . . . . . 63
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 64
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 64
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 64
9.2 Informative References . . . . . . . . . . . . . . . . . . . 65
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 66
Intellectual Property and Copyright Statements . . . . . . . . 67
Baer, et al. Expires August 21, 2005 [Page 2]
Internet-Draft IPsec SPD configuration MIB February 2005
1. Introduction
This document defines a MIB module for configuration of an IPsec
security policy database (SPD). The policy-based packet filtering
and the corresponding execution of actions is of a more general
nature than for IPsec configuration only, such as for configuration
of a firewall. It is possible to extend this MIB module and add
other packet transforming actions that are performed conditionally on
network traffic.
Companion documents [RFCXXXX], [RFCYYYY] document actions which are
specific to IPsec and IKE. No IPsec or IKE specific actions are
defined within this document.
Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
these values are determined.
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410]
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Relationship to the DMTF Policy Model
The Distributed Management Task Force (DMTF) has created an object
oriented model of IPsec policy information known as the IPsec Policy
Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model"
(IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
model. The IPCP document describes a model for configuring IPsec.
This MIB module is a task specific derivation (i.e. an SMIv2
instantiation) of the IPCP's IPsec configuration model for use with
SNMPv3.
The high-level areas where this MIB module diverges from the IPCP
model are:
o Policies, Groups, Conditions, and some levels of Actions are
generically named. In other words, IPsec specific prefixes like
Baer, et al. Expires August 21, 2005 [Page 3]
Internet-Draft IPsec SPD configuration MIB February 2005
"SA" (Security Association), or "IPsec" are not used. This naming
convention is used because packet classification and the matching
of conditions to actions is more general than IPsec. These tables
could possibly be reused by other packet transforming actions
which need to conditionally act on packets matching filters.
o Filters are implemented in a more generic and scalable manner,
rather than enforcing the condition/filtering pairing of the IPCP
and its restrictions upon the user. This MIB module offers a
compound filter object to provide for greater flexibility than the
IPCP when creating complex filters.
4. MIB Module Overview
The MIB module is modularized into several different parts: rules,
filters, and actions.
The rules section connects endpoints and groups of rules together.
This is made up of the spdEndpointToGroupTable,
spdGroupContentsTable, and the spdRuleDefinitionTable. Each row of
the spdRuleDefinitionTable connects a filter to an action. It should
also be noted that by referencing the spdCompoundFilterTable, the
spdRuleDefinitionTable's filter column can indicate a set of filters
to be processed. Likewise, by referencing the
spdCompoundActionTable, the spdRuleDefinitionTable's action column
can indicate multiple actions to be executed.
This MIB is structured to allow for reuse through the future creation
of extension tables that provide additional filters and/or actions.
In fact, the companion documents to this one do just that to define
IPsec and IKE specific actions to be used within this SPD
configuration MIB.
The filter section of the MIB module is composed of the different
types of filters in the Policy Model. It is made up of the
spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable
spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
spdCompoundFilterTable, spdIpsoHeaderFilterTable.
The action section of this MIB module contains only the simple static
actions required for the firewall processing that an IPsec SPD
implementation requires (e.g. accept, drop, log, ...). The
companion documents to this document define the complex actions
necessary for IPsec and IKE negotiations.
As may have been noticed above, the MIB uses recursion similarly in
several different places. In particular the spdGroupContentsTable,
Baer, et al. Expires August 21, 2005 [Page 4]
Internet-Draft IPsec SPD configuration MIB February 2005
the spdCompoundFilterTable / spdSubfiltersTable combination, and the
spdCompoundActionTable / spdSubactionsTable combination can reference
themselves.
In the case of the spdGroupContentsTable, a row can indicate a rule
(i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another
set of one or more rows in the spdGroupContentsTable). In this way a
group can contain a set of rules and sub-groups. Sub-groups are just
other groups defined in the spdGroupContentsTable. There is no
inherit MIB limit to the nesting of groups within groups.
The spdCompoundFilterTable / spdSubfiltersTable combination and
spdCompoundActionTable / spdSubactionsTable combination are designed
almost identically with one being for filters and the other for
actions respectively. The following descriptions for the compound
filter tables can be directly applied to the compound action tables.
The combination of the tables spdCompoundFilterTable and
spdSubfiltersTable allow a user to create a set of filters that can
be treated by any table that references it as a single filter. A row
in the spdCompoundFilterTable has the basic configuration information
for the compound filter. It's name (spdCompFiltname) reference a set
of rows in the spdSubfiltersTable. Each row in spdSubfiltersTable
points at a row in another filter table. In this way, a set of
ordered filters making up the compound filter is created. Note that
it is possible for one of these rows in the spdSubfiltersTable to
point at a row in the spdCompoundFilterTable. This recursion allows
the creation of a filter set that include other filter sets within
it. There is no inherit MIB limit to the nesting of compound filters
within compound filters.
4.1 Usage Tutorial
In order to make use of the tables contained in this document, a
general understanding of firewall processing is necessary. The
processing of the security policy database involves applying a set of
firewall rules to an interface on a device. The given set of rules
to apply to any given interface is defined within the
ipspEndpointToGroupTable table. This table maps a given interface to
a group of rules. In this table, the interface itself is specified
using its assigned address. There is also one group of rules per
direction (ingress and egress).
4.1.1 Notational conventions
Notes about the following example operations:
1. All of the example operations in the following section make use
Baer, et al. Expires August 21, 2005 [Page 5]
Internet-Draft IPsec SPD configuration MIB February 2005
of default values for all columns not listed. The operations and
column values below are the minimal SNMP Varbinds that must be
sent.
2. The example operations are formatted such that a row (i.e. the
table's Entry object) is operated on by using the indexes to that
row and the column values for the that row.
3. The following is a generic example of the notation used in the
following section's examples of this MIB's usage:
rowEntry(index1 = value1,
index2 = value2)
= (column1 = column_value1,
column2 = column_value2)
4. The following is a specific example of the notation used in the
following section's examples of this MIB's usage. In order to
set the address status column to deprecated for a row in the
IP-MIB::ipAddressTable with the index values of ipAddressAddrType
= ipv4 and ipAddressAddr = 192.0.2.1. The example notation would
look like the following:
ipAddressEntry(ipAddressAddrType = 1, -- ipv4
ipAddressAddr = 0x0a000001 ) -- 192.0.2.1
= (ipAddressStatus = 2) -- deprecated
4.1.2 Implementing an example SPD policy
For our example, let us define and apply the following policy for all
ingress traffic on a network interface:
o Drop all packets from the host 10.6.6.6.
o Accept all other packets.
To do this, let us call the set of rules (as a group) "ingress" and
apply them to the ingress traffic for the interface associated with
the IPv4 address 10.0.0.1. For these rules, let us apply a policy
that accepts all traffic except for packets that arrive from a host
with an IPv4 address of "10.6.6.6". To achieve this policy, we would
follow these steps:
First, we need to create the rules to institute this policy. To
accomplish this, first we have to create the filter for the host. We
could do this using the following row insertion into the
spdIpHeaderFilterTable table:
Baer, et al. Expires August 21, 2005 [Page 6]
Internet-Draft IPsec SPD configuration MIB February 2005
SpdIpHeaderFilterEntry(spdIpHeadFiltName = "10.6.6.6")
= (spdIpHeadFiltType = 0x80, -- sourceAddress
spdIpHeadFiltIPVersion = 1, -- IPv4
spdIpHeadFiltSrcAddressBegin = 0x0a060606,
spdIpHeadFiltSrcAddressEnd = 0x0a060606,
spdIpHeadFiltRowStatus = 4) -- createAndGo
Next, we need to bind this filter to an action of "drop" in a new
rule. We can do this as follows:
spdRuleDefinitionEntry(spdRuleDefName = "drop from 10.6.6.6")
= (spdRuleDefFilter =
spdIpHeadFiltType.8.49.48.46.54.46.54.46.54,
spdRuleDefAction = spdDropAction.0,
spdRuleDefRowStatus = 4) -- createAndGo
We also need a rule to accept all other packets:
spdRuleDefinitionEntry(spdRuleDefName = "accept all")
= (spdRuleDefFilter = spdTrueFilter.0,
spdRuleDefAction = spdAcceptAction.0,
spdRuleDefRowStatus = 4) -- createAndGo
Now, we need to put these two rules into a group. We will put the
"accept all" rule at the very end (i.e. assign it the highest
priority number), so it is matched last. Then, at an earlier
priority (1000), we will insert the "drop from 10.6.6.6" rule. We
will do this by putting the rules into the group "ingress".
SpdGroupContentsEntry(spdGroupContName = "ingress",
spdGroupContPriority = 65535)
= (spdGroupContComponentName = "accept all",
spdGroupContRowStatus = 4) -- createAndGo
SpdGroupContentsEntry(spdGroupContName = "ingress",
spdGroupContPriority = 1000)
= (spdGroupContComponentName = "drop from 10.6.6.6",
spdGroupContRowStatus = 4) -- createAndGo
Finally, we apply this group of rules to our interface:
SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress
spdEndGroupIdentType = 4, -- IPv4
spdEndGroupAddress = 0x0a000001)
= (spdEndGroupName = "ingress",
spdEndGroupRowStatus = 4) -- createAndGo
Baer, et al. Expires August 21, 2005 [Page 7]
Internet-Draft IPsec SPD configuration MIB February 2005
This completes the necessary steps to implement the policy. Once all
of these rules have been applied, our policy should take effect.
5. MIB definition
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
mib-2 FROM SNMPv2-SMI
--rfc2578
TEXTUAL-CONVENTION, RowStatus, TruthValue,
TimeStamp, StorageType, VariablePointer, DateAndTime
FROM SNMPv2-TC
--rfc2579
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF
--rfc2580
SnmpAdminString FROM SNMP-FRAMEWORK-MIB
--rfc3411
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
--rfc3291
diffServMIBMultiFieldClfrGroup, IfDirection,
diffServMultiFieldClfrNextFree
FROM DIFFSERV-MIB
--rfc3289
;
--
-- module identity
--
spdMIB MODULE-IDENTITY
LAST-UPDATED "200502170000Z" -- 17 January 2005
ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer
Sparta, Inc.
Phone: +1 530 902 3131
Email: baerm@tislabs.com
Baer, et al. Expires August 21, 2005 [Page 8]
Internet-Draft IPsec SPD configuration MIB February 2005
Ricky Charlet
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
Phone: +1 770 617 3722
Email: ipsp-mib@revelstone.com
Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: cliffwang2000@yahoo.com"
DESCRIPTION
"This MIB module defines configuration objects for managing
IPsec Security Policies.
Copyright (C) The Internet Society (2005). This version of
this MIB module is part of RFC ZZZZ, see the RFC itself for
full legal notices."
-- Revision History
REVISION "200502170000Z" -- 17 January 2005
DESCRIPTION "Initial version, published as RFC ZZZZ."
-- RFC-editor assigns ZZZZ
-- xxx: To be assigned by IANA
::= { mib-2 xxx }
--
-- groups of related objects
--
spdConfigObjects OBJECT IDENTIFIER
::= { spdMIB 1 }
spdNotificationObjects OBJECT IDENTIFIER
::= { spdMIB 2 }
Baer, et al. Expires August 21, 2005 [Page 9]
Internet-Draft IPsec SPD configuration MIB February 2005
spdConformanceObjects OBJECT IDENTIFIER
::= { spdMIB 3 }
spdActions OBJECT IDENTIFIER
::= { spdMIB 4 }
--
-- Textual Conventions
--
SpdBooleanOperator ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The SpdBooleanOperator operator is used to specify
whether sub-components in a decision making process are
ANDed or ORed together to decide if the resulting
expression is true or false."
SYNTAX INTEGER { or(1), and(2) }
SpdAdminStatus ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The SpdAdminStatus is used to specify the administrative
status of an object. Objects which are disabled must not
be used by the packet processing engine."
SYNTAX INTEGER { enabled(1), disabled(2) }
SpdIPPacketLogging ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"SpdIPPacketLogging specifies whether or not an audit
message should be logged when a packet is passed through a
Security Association (SA) and if some of that packet should
be included in the log event. A value of '-1' indicates no
logging. A value of '0' or greater indicates that logging
should be done and how many bytes of the beginning of the
packet to place in the log. Values greater than the size of
the packet being processed indicate that the entire packet
should be sent.
Examples:
'-1' no logging
'0' log but do not include any of the packet in the log
'20' log and include the first 20 bytes of the packet
in the log."
SYNTAX Integer32 (-1..65535)
Baer, et al. Expires August 21, 2005 [Page 10]
Internet-Draft IPsec SPD configuration MIB February 2005
--
-- Policy group definitions
--
spdLocalConfigObjects OBJECT IDENTIFIER
::= { spdConfigObjects 1 }
spdIngressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object indicates the policy group containing the
global system policy that is to be applied on ingress
packets (I.E., arriving at a interface) when a given
endpoint does not contain a policy definition in the
spdEndpointToGroupTable. Its value can be used as an index
into the spdGroupContentsTable to retrieve a list of
policies. A zero length string indicates no system wide
policy exits and the default policy of 'drop' should be
executed for ingress packets until one is imposed by either
this object or by the endpoint processing a given packet."
::= { spdLocalConfigObjects 1 }
spdEgressPolicyGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object indicates the policy group containing the
global system policy that is to be applied on egress
packets (I.E., leaving an interface) when a given endpoint
does not contain a policy definition in the
spdEndpointToGroupTable. Its value can be used as an index
into the spdGroupContentsTable to retrieve a list of
policies. A zero length string indicates no system wide
policy exits and the default policy of 'drop' should be
executed for egress packets until one is imposed by either
this object or by the endpoint processing a given packet."
::= { spdLocalConfigObjects 2 }
spdEndpointToGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is used to map policy (groupings) onto an
Baer, et al. Expires August 21, 2005 [Page 11]
Internet-Draft IPsec SPD configuration MIB February 2005
endpoint where traffic is to pass by. Any policy group
assigned to an endpoint is then used to control access
to the traffic passing by it.
If an endpoint has been configured with a policy group
and no contained rule matches the ingress packet, the
default action in this case shall be to drop the packet.
If no policy group has been assigned to an endpoint,
then the policy group specified by
spdSystemPolicyGroupName should be used for the
endpoint."
::= { spdConfigObjects 2 }
spdEndpointToGroupEntry OBJECT-TYPE
SYNTAX SpdEndpointToGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A mapping assigning a policy group to an endpoint."
INDEX { spdEndGroupDirection, spdEndGroupIdentType,
spdEndGroupAddress }
::= { spdEndpointToGroupTable 1 }
SpdEndpointToGroupEntry ::= SEQUENCE {
spdEndGroupDirection IfDirection,
spdEndGroupIdentType InetAddressType,
spdEndGroupAddress InetAddress,
spdEndGroupName SnmpAdminString,
spdEndGroupLastChanged TimeStamp,
spdEndGroupStorageType StorageType,
spdEndGroupRowStatus RowStatus
}
spdEndGroupDirection OBJECT-TYPE
SYNTAX IfDirection
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object indicates which direction of packets crossing
the interface should be associated with which
spdEndGroupName object. Ingress packets, or packets into
the device match when this value is inbound(1). Egress
packets or packets out of the device match when this value
is outbound(2)."
::= { spdEndpointToGroupEntry 1 }
spdEndGroupIdentType OBJECT-TYPE
Baer, et al. Expires August 21, 2005 [Page 12]
Internet-Draft IPsec SPD configuration MIB February 2005
SYNTAX InetAddressType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The Internet Protocol version of the address associated
with a given endpoint. All addresses are represented as an
array of octets in network byte order. When combined with
the spdEndGroupAddress these objects can be used to
uniquely identify an endpoint that a set of policy groups
should be applied to. Devices supporting IPv4 MUST support
the ipv4 value, and devices supporting IPv6 MUST support
the ipv6 value.
Values of unknown, ipv4z, ipv6z and dns are not legal
values for this object."
::= { spdEndpointToGroupEntry 2 }
spdEndGroupAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The address of a given endpoint, the format of which is
specified by the spdEndGroupIdentType object.
Note: Since spdEndGroupIdentType currently only allows IPv4
and IPv6 address this value should be either 4 or 16 octets
long. But Implementors should be aware that if the size of
spdEndGroupAddress ever exceeds 115 octets, column instance
OIDs in this table will have more than 128 sub-identifiers
and will be unaccessible using SNMPv1, SNMPv2c, or SNMPv3."
::= { spdEndpointToGroupEntry 3 }
spdEndGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The policy group name to apply to this endpoint. The
value of the spdEndGroupName object should then be used
as an index into the spdGroupContentsTable to come up
with a list of rules that MUST be applied to this
endpoint."
::= { spdEndpointToGroupEntry 4 }
spdEndGroupLastChanged OBJECT-TYPE
SYNTAX TimeStamp
Baer, et al. Expires August 21, 2005 [Page 13]
Internet-Draft IPsec SPD configuration MIB February 2005
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdEndpointToGroupEntry 5 }
spdEndGroupStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdEndpointToGroupEntry 6 }
spdEndGroupRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object is considered 'notReady' and may not be set to
active until one or more active rows exist within the
spdGroupContentsTable for the group referenced by the
spdEndGroupName object."
::= { spdEndpointToGroupEntry 7 }
--
-- policy group definition table
--
spdGroupContentsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdGroupContentsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of rules and/or subgroups
Baer, et al. Expires August 21, 2005 [Page 14]
Internet-Draft IPsec SPD configuration MIB February 2005
contained within a given policy group. The entries are
sorted by the spdGroupContPriority object and MUST be
executed in order according to this value, starting with
the lowest value. Once a group item has been processed,
the processor MUST stop processing this packet if an action
was executed as a result of the processing of a given
group. Iterating into the next policy group item by
finding the next largest spdGroupContPriority object shall
only be done if no actions were run when processing the
last item for a given packet."
::= { spdConfigObjects 3 }
spdGroupContentsEntry OBJECT-TYPE
SYNTAX SpdGroupContentsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Defines a given sub-component within a policy group. A
sub-component is either a rule or another group as
indicated by spdGroupContCompontentType and referenced by
spdGroupContCompontentName."
INDEX { spdGroupContName, spdGroupContPriority }
::= { spdGroupContentsTable 1 }
SpdGroupContentsEntry ::= SEQUENCE {
spdGroupContName SnmpAdminString,
spdGroupContPriority Integer32,
spdGroupContFilter VariablePointer,
spdGroupContComponentType INTEGER,
spdGroupContComponentName SnmpAdminString,
spdGroupContLastChanged TimeStamp,
spdGroupContStorageType StorageType,
spdGroupContRowStatus RowStatus
}
spdGroupContName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name of this group."
::= { spdGroupContentsEntry 1 }
spdGroupContPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
Baer, et al. Expires August 21, 2005 [Page 15]
Internet-Draft IPsec SPD configuration MIB February 2005
"The priority (sequence number) of the sub-component in
this group."
::= { spdGroupContentsEntry 2 }
spdGroupContFilter OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"spdGroupContFilter points to a filter which is evaluated
to determine whether the spdGroupContComponentName within
this row should be exercised. Managers can use this object
to classify groups of rules or subgroups together in order
to achieve a greater degree of control and optimization
over the execution order of the items within the group. If
the filter evaluates to false, the rule or subgroup will be
skipped and the next rule or subgroup will be evaluated
instead.
An example usage of this object would be to limit a
group of rules to executing only when the IP packet
being process is designated to be processed by IKE.
This effectively creates a group of IKE specific rules.
This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may
choose to provide support for other filter tables or
scalars as well:
diffServMultiFieldClfrTable
spdIpOffsetFilterTable
spdTimeFilterTable
spdCompoundFilterTable
spdTrueFilter
If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported
table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an
inconsistentValue exception should be returned."
DEFVAL { spdTrueFilterInstance }
::= { spdGroupContentsEntry 3 }
spdGroupContComponentType OBJECT-TYPE
SYNTAX INTEGER { group(1), rule(2) }
MAX-ACCESS read-create
STATUS current
Baer, et al. Expires August 21, 2005 [Page 16]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"Indicates whether the spdGroupContComponentName object
is the name of another group defined within the
spdGroupContentsTable or is the name of a rule defined
within the spdRuleDefinitionTable."
DEFVAL { rule }
::= { spdGroupContentsEntry 4 }
spdGroupContComponentName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name of the policy rule or subgroup contained within
this group, as indicated by the spdGroupContComponentType
object."
::= { spdGroupContentsEntry 5 }
spdGroupContLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdGroupContentsEntry 6 }
spdGroupContStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdGroupContentsEntry 7 }
spdGroupContRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
Baer, et al. Expires August 21, 2005 [Page 17]
Internet-Draft IPsec SPD configuration MIB February 2005
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object may not be set to active until the row to
which the spdGroupContComponentName points to exists."
::= { spdGroupContentsEntry 8 }
--
-- policy definition table
--
spdRuleDefinitionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdRuleDefinitionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines a policy rule by associating a filter
or a set of filters to an action to be executed."
::= { spdConfigObjects 4 }
spdRuleDefinitionEntry OBJECT-TYPE
SYNTAX SpdRuleDefinitionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row defining a particular policy definition. A rule
definition binds a filter pointer to an action pointer."
INDEX { spdRuleDefName }
::= { spdRuleDefinitionTable 1 }
SpdRuleDefinitionEntry ::= SEQUENCE {
spdRuleDefName SnmpAdminString,
spdRuleDefDescription SnmpAdminString,
spdRuleDefFilter VariablePointer,
spdRuleDefFilterNegated TruthValue,
spdRuleDefAction VariablePointer,
spdRuleDefAdminStatus SpdAdminStatus,
spdRuleDefLastChanged TimeStamp,
spdRuleDefStorageType StorageType,
spdRuleDefRowStatus RowStatus
}
spdRuleDefName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
Baer, et al. Expires August 21, 2005 [Page 18]
Internet-Draft IPsec SPD configuration MIB February 2005
"spdRuleDefName is the administratively assigned name of
the rule referred to by the spdGroupContComponentName
object."
::= { spdRuleDefinitionEntry 1 }
spdRuleDefDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A user defined string. This field may be used for
administrative tracking purposes."
DEFVAL { "" }
::= { spdRuleDefinitionEntry 2 }
spdRuleDefFilter OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"spdRuleDefFilter points to a filter which is used to
evaluate whether the action associated with this row should
be fired or not. The action will only fire if the filter
referenced by this object evaluates to TRUE after first
applying any negation required by the
spdRuleDefFilterNegated object.
This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may
choose to provide support for other filter tables or
scalars as well:
diffServMultiFieldClfrTable
spdIpOffsetFilterTable
spdTimeFilterTable
spdCompoundFilterTable
spdTrueFilter
If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported
table, the inconsistentName exception should be returned.
If the table or scalar pointed to by the VariablePointer is
not supported at all, then an inconsistentValue exception
should be returned."
::= { spdRuleDefinitionEntry 3 }
spdRuleDefFilterNegated OBJECT-TYPE
SYNTAX TruthValue
Baer, et al. Expires August 21, 2005 [Page 19]
Internet-Draft IPsec SPD configuration MIB February 2005
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"spdRuleDefFilterNegated specifies whether the filter
referenced by the spdRuleDefFilter object should be
negated or not."
DEFVAL { false }
::= { spdRuleDefinitionEntry 4 }
spdRuleDefAction OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This column points to the action to be taken. It may,
but is not limited to, point to a row in one of the
following tables:
spdCompoundActionTable
ipsaSaPreconfiguredActionTable
ipiaIkeActionTable
ipiaIpsecActionTable
It may also point to one of the scalar objects beneath
spdStaticActions.
If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue
error should be returned.
If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error
should be returned."
::= { spdRuleDefinitionEntry 5 }
spdRuleDefAdminStatus OBJECT-TYPE
SYNTAX SpdAdminStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates whether the current rule definition should be
considered active. If enabled, it should be evaluated
when processing packets. If disabled, packets should
continue to be processed by the rest of the rules
defined in the spdGroupContentsTable as if this rule's
filters had effectively failed."
DEFVAL { enabled }
::= { spdRuleDefinitionEntry 6 }
Baer, et al. Expires August 21, 2005 [Page 20]
Internet-Draft IPsec SPD configuration MIB February 2005
spdRuleDefLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdRuleDefinitionEntry 7 }
spdRuleDefStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdRuleDefinitionEntry 8 }
spdRuleDefRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object may not be set to active until the
containing contitions, filters and actions have been
defined. Once active, it must remain active until no
policyGroupContents entries are referencing it."
::= { spdRuleDefinitionEntry 9 }
--
-- Policy compound filter definition table
--
spdCompoundFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundFilterEntry
MAX-ACCESS not-accessible
STATUS current
Baer, et al. Expires August 21, 2005 [Page 21]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"A table defining a compound set of filters and their
associated parameters. A row in this table can either
be pointed to by a spdRuleDefFilter object or by a
ficSubFilter object."
::= { spdConfigObjects 5 }
spdCompoundFilterEntry OBJECT-TYPE
SYNTAX SpdCompoundFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the spdCompoundFilterTable. A filter
defined by this table is considered to have a TRUE
return value if and only if:
spdCompFiltLogicType is AND and all of the sub-filters
associated with it, as defined in the spdSubfiltersTable,
are all true themselves (after applying any required
negation as defined by the ficFilterIsNegated object).
spdCompFiltLogicType is OR and at least one of the
sub-filters associated with it, as defined in the
spdSubfiltersTable, is true itself (after applying any
required negation as defined by the ficFilterIsNegated
object."
INDEX { spdCompFiltName }
::= { spdCompoundFilterTable 1 }
SpdCompoundFilterEntry ::= SEQUENCE {
spdCompFiltName SnmpAdminString,
spdCompFiltDescription SnmpAdminString,
spdCompFiltLogicType SpdBooleanOperator,
spdCompFiltLastChanged TimeStamp,
spdCompFiltStorageType StorageType,
spdCompFiltRowStatus RowStatus
}
spdCompFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A user definable string. You may use this field for
your administrative tracking purposes."
::= { spdCompoundFilterEntry 1 }
spdCompFiltDescription OBJECT-TYPE
Baer, et al. Expires August 21, 2005 [Page 22]
Internet-Draft IPsec SPD configuration MIB February 2005
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A user definable string. You may use this field for
your administrative tracking purposes."
DEFVAL { "" }
::= { spdCompoundFilterEntry 2 }
spdCompFiltLogicType OBJECT-TYPE
SYNTAX SpdBooleanOperator
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates whether the filters contained within this
filter are functionally ANDed or ORed together."
DEFVAL { and }
::= { spdCompoundFilterEntry 3 }
spdCompFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdCompoundFilterEntry 4 }
spdCompFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdCompoundFilterEntry 5 }
spdCompFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
Baer, et al. Expires August 21, 2005 [Page 23]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
Once active, it may not have its value changed if any
active rows in the spdRuleDefinitionTable are currently
pointing at this row."
::= { spdCompoundFilterEntry 6 }
--
-- Policy filters in a cf table
--
spdSubfiltersTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdSubfiltersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines a list of filters contained within a
given compound filter set defined in the
spdCompoundFilterTable."
::= { spdConfigObjects 6 }
spdSubfiltersEntry OBJECT-TYPE
SYNTAX SpdSubfiltersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry into the list of filters for a given compound
filter."
INDEX { spdCompFiltName, spdSubFiltPriority }
::= { spdSubfiltersTable 1 }
SpdSubfiltersEntry ::= SEQUENCE {
spdSubFiltPriority Integer32,
spdSubFiltSubfilter VariablePointer,
spdSubFiltSubfilterIsNegated TruthValue,
spdSubFiltLastChanged TimeStamp,
spdSubFiltStorageType StorageType,
spdSubFiltRowStatus RowStatus
}
spdSubFiltPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
Baer, et al. Expires August 21, 2005 [Page 24]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"The priority of a given filter within a condition.
Implementations MAY choose to follow the ordering
indicated by the manager that created the rows in order
to allow the manager to intelligently construct filter
lists such that faster filters are evaluated first."
::= { spdSubfiltersEntry 1 }
spdSubFiltSubfilter OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The location of the contained filter. The value of this
column should be a VariablePointer which references the
properties for the filter to be included in this compound
filter.
This MIB defines the following tables and scalars which
may be pointed to by this column. Implementations may
choose to provide support for other filter tables or
scalars as well:
diffServMultiFieldClfrTable
spdIpsoHeaderFilterTable
spdIpOffsetFilterTable
spdTimeFilterTable
spdCompoundFilterTable
spdTrueFilter
If this column is set to a VariablePointer value which
references a non-existent row in an otherwise supported
table, the inconsistentName exception should be
returned. If the table or scalar pointed to by the
VariablePointer is not supported at all, then an
inconsistentValue exception should be returned."
::= { spdSubfiltersEntry 2 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates whether the result of applying this subfilter
should be negated or not."
DEFVAL { false }
::= { spdSubfiltersEntry 3 }
Baer, et al. Expires August 21, 2005 [Page 25]
Internet-Draft IPsec SPD configuration MIB February 2005
spdSubFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdSubfiltersEntry 4 }
spdSubFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdSubfiltersEntry 5 }
spdSubFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object can not be made active until the filter
referenced by the ficSubFilter object is both defined
and is active. An attempt to do so will result in an
inconsistentValue error.
If active, this object must remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met will result in an inconsistentValue error. The
two conditions are:
I. No active row in the SpdCompoundFilterTable exists
which has a matching spdCompFiltName.
II. Or at least one other active row in this table has a
Baer, et al. Expires August 21, 2005 [Page 26]
Internet-Draft IPsec SPD configuration MIB February 2005
matching spdCompFiltName."
::= { spdSubfiltersEntry 6 }
--
-- Static Filters
--
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates a (automatic) true result for
a filter. I.e. this is a filter that is always
true, useful for adding as a default filter for a
default action or a set of actions."
::= { spdStaticFilters 1 }
spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
--
-- Policy IP Offset filter definition table
--
spdIpOffsetFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of filter definitions to be
used within the spdRuleDefinitionTable or the
spdSubfiltersTable."
::= { spdConfigObjects 8 }
spdIpOffsetFilterEntry OBJECT-TYPE
SYNTAX SpdIpOffsetFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A definition of a particular filter."
INDEX { spdIpOffFiltName }
::= { spdIpOffsetFilterTable 1 }
SpdIpOffsetFilterEntry ::= SEQUENCE {
Baer, et al. Expires August 21, 2005 [Page 27]
Internet-Draft IPsec SPD configuration MIB February 2005
spdIpOffFiltName SnmpAdminString,
spdIpOffFiltOffset Integer32,
spdIpOffFiltType INTEGER,
spdIpOffFiltValue OCTET STRING,
spdIpOffFiltLastChanged TimeStamp,
spdIpOffFiltStorageType StorageType,
spdIpOffFiltRowStatus RowStatus
}
spdIpOffFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name for this filter."
::= { spdIpOffsetFilterEntry 1 }
spdIpOffFiltOffset OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This is the byte offset from the front of the IP packet
where the value or arithmetic comparison is done. A
value of '0' indicates the first byte in the packet."
::= { spdIpOffsetFilterEntry 2 }
spdIpOffFiltType OBJECT-TYPE
SYNTAX INTEGER { equal(1),
notEqual(2),
arithmeticLess(3),
arithmeticGreaterOrEqual(4),
arithmeticGreater(5),
arithmeticLessOrEqual(6) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This defines the various tests that are used when
evaluating a given filter.
Once a row is 'active', this object's value may not be
changed unless the column, spdIpOffFiltValue, has been
appropriately configured.
The various tests definable in this table are as follows:
equal:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
Baer, et al. Expires August 21, 2005 [Page 28]
Internet-Draft IPsec SPD configuration MIB February 2005
a value in the packet starting at the given offset in
the packet and comparing the entire OCTET STRING of
'spdIpOffFiltValue'. Any numeric values compared this
way are assumed to be unsigned integer values in
network byte order of the same length as
'spdIpOffFiltValue'.
notEqual:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', does
not match a value in the packet starting at the given
offset in the packet and comparing to the entire OCTET
STRING of 'spdIpOffFiltValue'. Any numeric values
compared this way are assumed to be unsigned integer
values in network byte order of the same length as
'spdIpOffFiltValue'.
arithmeticLess:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', is
arithmetically less than ('<') the value starting at
the given offset within the packet. The value in the
packet is assumed to be an unsigned integer in network
byte order of the same length as 'spdIpOffFiltValue'.
arithmeticGreaterOrEqual:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', is
arithmetically greater than or equal to ('>=') the
value starting at the given offset within the packet.
The value in the packet is assumed to be an unsigned
integer in network byte order of the same length as
'spdIpOffFiltValue'.
arithmeticGreater:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', is
arithmetically greater than ('>') the value starting at
the given offset within the packet. The value in the
packet is assumed to be an unsigned integer in network
byte order of the same length as 'spdIpOffFiltValue'.
arithmeticLessOrEqual:
- Tests if the OCTET STRING, 'spdIpOffFiltValue', is
arithmetically less than or equal to ('<=') the value
starting at the given offset within the packet. The
value in the packet is assumed to be an unsigned
integer in network byte order of the same length as
'spdIpOffFiltValue'."
::= { spdIpOffsetFilterEntry 3 }
Baer, et al. Expires August 21, 2005 [Page 29]
Internet-Draft IPsec SPD configuration MIB February 2005
spdIpOffFiltValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"spdIpOffFiltValue is used for match comparisons of a
packet at spdIpOffFiltOffset. This object is only used
if one of the match types is chosen in
spdIpOffFiltType."
::= { spdIpOffsetFilterEntry 4 }
spdIpOffFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdIpOffsetFilterEntry 5 }
spdIpOffFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
This object may not be set to active if the requirements
of the spdIpOffFiltType object are not met. In other
words, if the associated value columns needed by a
particular test have not been set, then attempting to
change this row to an active state will result in an
Baer, et al. Expires August 21, 2005 [Page 30]
Internet-Draft IPsec SPD configuration MIB February 2005
inconsistentValue error. See the spdIpOffFiltType
object description for further details.
If active, this object must remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table will result in
an inconsistentValue error."
::= { spdIpOffsetFilterEntry 7 }
--
-- Time/scheduling filter table
--
spdTimeFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdTimeFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Defines a table of filters which can be used to
effectively enable or disable policies based on a valid
time range."
::= { spdConfigObjects 9 }
spdTimeFilterEntry OBJECT-TYPE
SYNTAX SpdTimeFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row describing a given time frame for which a policy
may be filtered on to place the rule active or
inactive."
INDEX { spdTimeFiltName }
::= { spdTimeFilterTable 1 }
SpdTimeFilterEntry ::= SEQUENCE {
spdTimeFiltName SnmpAdminString,
spdTimeFiltPeriodStart DateAndTime,
spdTimeFiltPeriodEnd DateAndTime,
spdTimeFiltMonthOfYearMask BITS,
spdTimeFiltDayOfMonthMask OCTET STRING,
spdTimeFiltDayOfWeekMask BITS,
spdTimeFiltStartTimeOfDayMask DateAndTime,
spdTimeFiltStopTimeOfDayMask DateAndTime,
spdTimeFiltLastChanged TimeStamp,
spdTimeFiltStorageType StorageType,
spdTimeFiltRowStatus RowStatus
Baer, et al. Expires August 21, 2005 [Page 31]
Internet-Draft IPsec SPD configuration MIB February 2005
}
spdTimeFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An administratively assigned name for this filter."
::= { spdTimeFilterEntry 1 }
spdTimeFiltPeriodStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The starting time period for this filter. In addition
to a normal DateAndTime string, this object may be set
to the OCTET STRING value THISANDPRIOR which indicates
that the filter is valid from any time before now up
until (at least) now."
DEFVAL { '00000101000000002b0000'H }
::= { spdTimeFilterEntry 2 }
spdTimeFiltPeriodEnd OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The ending time period for this filter. In addition to
a normal DateAndTime string, this object may be set to
the OCTET STRING value THISANDFUTURE which indicates
that the filter is valid without an ending date and/or
time."
DEFVAL { '99991231235959092b0000'H }
::= { spdTimeFilterEntry 3 }
spdTimeFiltMonthOfYearMask OBJECT-TYPE
SYNTAX BITS { january(0), february(1), march(2),
april(3), may(4), june(5), july(6),
august(7), september(8), october(9),
november(10), december(11) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A bit mask which overlays the spdTimeFiltPeriodStart to
spdTimeFiltPeriodEnd date range to further restrict the
Baer, et al. Expires August 21, 2005 [Page 32]
Internet-Draft IPsec SPD configuration MIB February 2005
time period to a restricted set of months of the year."
DEFVAL { { january, february, march, april, may, june, july,
august, september, october, november, december } }
::= { spdTimeFilterEntry 4 }
spdTimeFiltDayOfMonthMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(4))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Defines which days of the month this time period is
valid for. It is a sequence of 32 BITS, where each BIT
represents a corresponding day of the month starting
from the left most bit being equal to the first day of
the month. The last bit in the string MUST be zero."
DEFVAL { 'fffffffe'H }
::= { spdTimeFilterEntry 5 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE
SYNTAX BITS { monday(0), tuesday(1), wednesday(2),
thursday(3), friday(4), saturday(5),
sunday(6) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A bit mask which overlays the spdTimeFiltPeriodStart to
spdTimeFiltPeriodEnd date range to further restrict the
time period to a restricted set of days within a given
week."
DEFVAL { { monday, tuesday, wednesday, thursday, friday,
saturday, sunday } }
::= { spdTimeFilterEntry 6 }
spdTimeFiltStartTimeOfDayMask OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates the starting time of day for which this filter
evaluates to true. The date portions of the DateAndTime
TC are ignored for purposes of evaluating this mask and
only the time specific portions are used."
DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 7 }
spdTimeFiltStopTimeOfDayMask OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
Baer, et al. Expires August 21, 2005 [Page 33]
Internet-Draft IPsec SPD configuration MIB February 2005
STATUS current
DESCRIPTION
"Indicates the ending time of day for which this filter
evaluates to true. The date portions of the DateAndTime TC
are ignored for purposes of evaluating this mask and only
the time specific portions are used. If this starting and
ending time values indicated by the
spdTimeFiltStartTimeOfDayMask and
spdTimeFiltStopTimeOfDayMask objects are equal, the filter
is expected to be evaluated over the entire 24 hour
period."
DEFVAL { '00000000000000002b0000'H }
::= { spdTimeFilterEntry 8 }
spdTimeFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdTimeFilterEntry 9 }
spdTimeFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdTimeFilterEntry 10 }
spdTimeFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this
row.
If active, this object must remain active if it is
referenced by an active row in another table. An attempt
Baer, et al. Expires August 21, 2005 [Page 34]
Internet-Draft IPsec SPD configuration MIB February 2005
to set it to anything other than active while it is
referenced by an active row in another table will result in
an inconsistentValue error."
::= { spdTimeFilterEntry 11 }
--
-- IPSO protection authority filtering
--
spdIpsoHeaderFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of IPSO header filter
definitions to be used within the spdRuleDefinitionTable or
the spdSubfiltersTable. IPSO headers and their values are
described in RFC1108."
::= { spdConfigObjects 10 }
spdIpsoHeaderFilterEntry OBJECT-TYPE
SYNTAX SpdIpsoHeaderFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A definition of a particular filter."
INDEX { spdIpsoHeadFiltName }
::= { spdIpsoHeaderFilterTable 1 }
SpdIpsoHeaderFilterEntry ::= SEQUENCE {
spdIpsoHeadFiltName SnmpAdminString,
spdIpsoHeadFiltType BITS,
spdIpsoHeadFiltClassification INTEGER,
spdIpsoHeadFiltProtectionAuth INTEGER,
spdIpsoHeadFiltLastChanged TimeStamp,
spdIpsoHeadFiltStorageType StorageType,
spdIpsoHeadFiltRowStatus RowStatus
}
spdIpsoHeadFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name for this filter."
::= { spdIpsoHeaderFilterEntry 1 }
spdIpsoHeadFiltType OBJECT-TYPE
Baer, et al. Expires August 21, 2005 [Page 35]
Internet-Draft IPsec SPD configuration MIB February 2005
SYNTAX BITS { classificationLevel(0),
protectionAuthority(1) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The IPSO header fields to match the value against."
::= { spdIpsoHeaderFilterEntry 2 }
spdIpsoHeadFiltClassification OBJECT-TYPE
SYNTAX INTEGER { topSecret(61), secret(90),
confidential(150), unclassified(171) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The IPSO classification header field value must match
the value in this column if the classificationLevel bit
is set in the spdIpsoHeadFiltType field.
The values of these enumerations are defined by
RFC1108."
::= { spdIpsoHeaderFilterEntry 3 }
spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
SYNTAX INTEGER { genser(0), siopesi(1), sci(2),
nsa(3), doe(4) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The IPSO protection authority header field value must
match the value in this column if the protection authority
bit is set in the spdIpsoHeadFiltType field.
The values of these enumerations are defined by RFC1108.
Hence the reason the SMIv2 convention of not using 0 in
enum lists is violated here."
::= { spdIpsoHeaderFilterEntry 4 }
spdIpsoHeadFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdIpsoHeaderFilterEntry 5 }
spdIpsoHeadFiltStorageType OBJECT-TYPE
Baer, et al. Expires August 21, 2005 [Page 36]
Internet-Draft IPsec SPD configuration MIB February 2005
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
This object may not be set to active if the requirements of
the spdIpsoHeadFiltType object are not met. In other
words, if the associated value columns needed by a
particular test have not been set, then attempting to
change this row to an active state will result in an
inconsistentValue error. See the spdIpsoHeadFiltType
object description for further details.
If active, this object must remain active if it is
referenced by an active row in another table. An attempt
to set it to anything other than active while it is
referenced by an active row in another table will result in
an inconsistentValue error."
::= { spdIpsoHeaderFilterEntry 7 }
--
-- compound actions table
--
spdCompoundActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdCompoundActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table used to allow multiple actions to be associated
with a rule. It uses the spdSubactionsTable to do
this."
::= { spdConfigObjects 11 }
Baer, et al. Expires August 21, 2005 [Page 37]
Internet-Draft IPsec SPD configuration MIB February 2005
spdCompoundActionEntry OBJECT-TYPE
SYNTAX SpdCompoundActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the spdCompoundActionTable."
INDEX { spdCompActName }
::= { spdCompoundActionTable 1 }
SpdCompoundActionEntry ::= SEQUENCE {
spdCompActName SnmpAdminString,
spdCompActExecutionStrategy INTEGER,
spdCompActLastChanged TimeStamp,
spdCompActStorageType StorageType,
spdCompActRowStatus RowStatus
}
spdCompActName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned name of this
compound action."
::= { spdCompoundActionEntry 1 }
spdCompActExecutionStrategy OBJECT-TYPE
SYNTAX INTEGER { doAll(1),
doUntilSuccess(2),
doUntilFailure(3) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates how the sub-actions are executed
based on the success of the actions as they finish
executing.
doAll - run each sub-action regardless of the
exit status of the previous action.
This parent action is always
considered to have acted successfully.
doUntilSuccess - run each sub-action until one succeeds,
at which point stop processing the
sub-actions within this parent
compound action. If one of the
sub-actions did execute successfully,
this parent action is also considered
Baer, et al. Expires August 21, 2005 [Page 38]
Internet-Draft IPsec SPD configuration MIB February 2005
to have executed sucessfully.
doUntilFailure - run each sub-action until one fails,
at which point stop processing the
sub-actions within this compound
action. If any sub-action fails, the
result of this parent action is
considered to have failed."
DEFVAL { doUntilSuccess }
::= { spdCompoundActionEntry 2 }
spdCompActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdCompoundActionEntry 3 }
spdCompActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
::= { spdCompoundActionEntry 4 }
spdCompActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
Once a row in the spdCompoundActionTable has been made
active, this object may not be set to destroy without
first destroying all the contained rows listed in the
Baer, et al. Expires August 21, 2005 [Page 39]
Internet-Draft IPsec SPD configuration MIB February 2005
spdSubactionsTable."
::= { spdCompoundActionEntry 5 }
--
-- actions contained within a compound action
--
spdSubactionsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SpdSubactionsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of the sub-actions within a
given compound action. Compound actions executing these
actions MUST execute them in series based on the
spdSubActPriority value, with the lowest value executing
first."
::= { spdConfigObjects 12 }
spdSubactionsEntry OBJECT-TYPE
SYNTAX SpdSubactionsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing a reference to a given compound-action
sub-action."
INDEX { spdCompActName, spdSubActPriority }
::= { spdSubactionsTable 1 }
SpdSubactionsEntry ::= SEQUENCE {
spdSubActPriority Integer32,
spdSubActSubActionName VariablePointer,
spdSubActLastChanged TimeStamp,
spdSubActStorageType StorageType,
spdSubActRowStatus RowStatus
}
spdSubActPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The priority of a given sub-action within a compound
action. The order in which sub-actions should be
executed are based on the value from this column, with
the lowest numeric value executing first."
::= { spdSubactionsEntry 1 }
Baer, et al. Expires August 21, 2005 [Page 40]
Internet-Draft IPsec SPD configuration MIB February 2005
spdSubActSubActionName OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This column points to the action to be taken. It may,
but is not limited to, point to a row in one of the
following tables:
spdCompoundActionTable - Allowing recursion
ipsaSaPreconfiguredActionTable
ipiaIkeActionTable
ipiaIpsecActionTable
It may also point to one of the scalar objects beneath
spdStaticActions.
If this object is set to a pointer to a row in an
unsupported (or unknown) table, an inconsistentValue
error should be returned.
If this object is set to point to a non-existent row in
an otherwise supported table, an inconsistentName error
should be returned."
::= { spdSubactionsEntry 2 }
spdSubActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified
or created either through SNMP SETs or by some other
external means."
::= { spdSubactionsEntry 3 }
spdSubActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a
storage type of readOnly or permanent.
For a storage type of permanent, none of the columns have
to be writable."
DEFVAL { nonVolatile }
Baer, et al. Expires August 21, 2005 [Page 41]
Internet-Draft IPsec SPD configuration MIB February 2005
::= { spdSubactionsEntry 4 }
spdSubActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active unless one of the
following two conditions are met. An attempt to set it to
anything other than active while the following conditions
are not met will result in an inconsistentValue error. The
two conditions are:
I. No active row in the spdCompoundActionTable exists
which has a matching spdCompActName.
II. Or at least one other active row in this table has a
matching spdCompActName."
::= { spdSubactionsEntry 5 }
--
-- Static Actions
--
-- these are static actions which can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet should be dropped
WITHOUT action/packet logging. This object returns a
value of 1 for IPsec policy implementations that support
the drop static action."
::= { spdStaticActions 1 }
spdDropActionLog OBJECT-TYPE
SYNTAX Integer32
Baer, et al. Expires August 21, 2005 [Page 42]
Internet-Draft IPsec SPD configuration MIB February 2005
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet should be dropped
WITH action/packet logging. This object returns a value
of 1 for IPsec policy implementations that support the
drop static action with logging."
::= { spdStaticActions 2 }
spdAcceptAction OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This Scalar indicates that a packet should be accepted
(pass-through) WITHOUT action/packet logging. This
object returns a value of 1 for IPsec policy
implementations that support the accept static action."
::= { spdStaticActions 3 }
spdAcceptActionLog OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet should be accepted
(pass-through) WITH action/packet logging. This object
returns a value of 1 for IPsec policy implementations
that support the accept static action with logging."
::= { spdStaticActions 4 }
--
--
-- Notification objects information
--
--
spdNotificationVariables OBJECT IDENTIFIER ::=
{ spdNotificationObjects 1 }
spdNotifications OBJECT IDENTIFIER ::=
{ spdNotificationObjects 0 }
spdActionExecuted OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
Baer, et al. Expires August 21, 2005 [Page 43]
Internet-Draft IPsec SPD configuration MIB February 2005
"Points to the action instance that was executed that
resulted in the notification being sent."
::= { spdNotificationVariables 1 }
spdIPEndpointAddType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Contains the interface type for the interface that the
packet which triggered the notification is passing
through."
::= { spdNotificationVariables 2 }
spdIPEndpointAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Contains the interface address for the interface that
the packet which triggered the notification is passing
through."
::= { spdNotificationVariables 3 }
spdIPSourceType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Contains the source address type of the packet which
triggered the notification."
::= { spdNotificationVariables 4 }
spdIPSourceAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Contains the source address of the packet which
triggered the notification."
::= { spdNotificationVariables 5 }
spdIPDestinationType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Contains the destination address type of the packet
Baer, et al. Expires August 21, 2005 [Page 44]
Internet-Draft IPsec SPD configuration MIB February 2005
which triggered the notification."
::= { spdNotificationVariables 6 }
spdIPDestinationAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Contains the destination address of the packet which
triggered the notification."
::= { spdNotificationVariables 7 }
spdPacketDirection OBJECT-TYPE
SYNTAX IfDirection
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Indicates if the packet which triggered the action in
questions was ingress (inbound) our egress (outbound)."
::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"Is the front part of the packet that triggered this
notification. The initial size limit is determined by the
smaller of the size indicated by 'SpdIPPacketLogging' and
the size of the triggering packet.
The final limit is determined by the SNMP packet size when
sending the notification. The maximum size that can be
included will be the smaller of the initial size given
above and the length that will fit in a single SNMP
notification packet after the rest of the notification's
objects and any other necessary packet data (headers
encoding, etc...) has been included in the packet."
::= { spdNotificationVariables 9 }
spdActionNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType,
spdIPDestinationAddress,
spdPacketDirection }
STATUS current
Baer, et al. Expires August 21, 2005 [Page 45]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"Notification that an action was executed by a rule.
Only actions with logging enabled will result in this
notification getting sent. The objects sent must include
the spdActionExecuted object which will indicate which
action was executed within the scope of the rule.
Additionally the spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, and spdIPDestinationAddress objects
must be included to indicate the packet source and
destination of the packet that triggered the action.
Finally the spdIPEndpointAddType, spdIPEndpointAddress,
and spdPacketDirection objects are included to indicate
which interface the action was executed in association with
and if the packet was ingress or egress through the
endpoint.
Note that compound actions with multiple executed
subactions may result in multiple notifications being sent
from a single rule execution."
::= { spdNotifications 1 }
spdPacketNotification NOTIFICATION-TYPE
OBJECTS { spdActionExecuted, spdIPEndpointAddType,
spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType,
spdIPDestinationAddress,
spdPacketDirection,
spdPacketPart }
STATUS current
DESCRIPTION
"Notification that a packet passed through an SA. Only
SA's created by actions with packet logging enabled will
result in this notification getting sent. The objects
sent must include the spdActionExecuted which will
indicate which action was executed within the scope of
the rule. Additionally, the spdIPSourceType,
spdIPSourceAddress, spdIPDestinationType, and
spdIPDestinationAddress, objects must be included to
indicate the packet source and destination of the packet
that triggered the action. The spdIPEndpointAddType,
spdIPEndpointAddress, and spdPacketDirection objects
are included to indicate which endpoint the packet was
associated with. Finally, spdPacketPart is including
for sending a variable sized part of the front of the
packet depending on the value of SpdIPPacketLogging."
::= { spdNotifications 2 }
Baer, et al. Expires August 21, 2005 [Page 46]
Internet-Draft IPsec SPD configuration MIB February 2005
--
--
-- Conformance information
--
--
spdCompliances OBJECT IDENTIFIER
::= { spdConformanceObjects 1 }
spdGroups OBJECT IDENTIFIER
::= { spdConformanceObjects 2 }
--
-- Compliance statements
--
--
spdRuleFilterCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and
filters support."
MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup,
spdRuleDefinitionGroup,
spdStaticFilterGroup,
spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support a system policy group
name."
GROUP spdCompoundFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support compound filters."
GROUP spdIPOffsetFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In
general, this SHOULD be supported by a compliant
IPsec Policy implementation."
GROUP spdTimeFilterGroup
Baer, et al. Expires August 21, 2005 [Page 47]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support time filters."
GROUP spdIpsoHeaderFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IPSO Header filters."
GROUP spdCompoundActionGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support compound actions."
OBJECT spdEndGroupLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdGroupContComponentType
SYNTAX INTEGER {
rule(2)
}
DESCRIPTION
"Support of the value group(1) is only required for
implementations which support Policy Groups within
Policy Groups."
OBJECT spdGroupContLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdRuleDefLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdCompFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdSubFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
Baer, et al. Expires August 21, 2005 [Page 48]
Internet-Draft IPsec SPD configuration MIB February 2005
OBJECT spdIpOffFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdTimeFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdIpsoHeadFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdCompActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT spdSubActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object not required for compliance."
OBJECT diffServMultiFieldClfrNextFree
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
::= { spdCompliances 1 }
spdLoggingCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that support
sending notifications when actions are invoked."
MODULE -- This Module
MANDATORY-GROUPS { spdActionLoggingObjectGroup,
spdActionNotificationGroup }
::= { spdCompliances 2 }
--
-- ReadOnly Compliances
--
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
Baer, et al. Expires August 21, 2005 [Page 49]
Internet-Draft IPsec SPD configuration MIB February 2005
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and
filters support.
If this MIB is implemented without support for read-create
(i.e. in read-only), it is not in full compliance but it
can claim read-only compliance. Such a device can then be
monitored but can not be configured with this MIB."
MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup,
spdRuleDefinitionGroup,
spdStaticFilterGroup,
spdStaticActionGroup ,
diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support a system policy group
name."
GROUP spdCompoundFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support compound filters."
GROUP spdIPOffsetFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IP Offset filters. In
general, this SHOULD be supported by a compliant
IPsec Policy implementation."
GROUP spdTimeFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support time filters."
GROUP spdIpsoHeaderFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IPSO Header filters."
GROUP spdCompoundActionGroup
DESCRIPTION
Baer, et al. Expires August 21, 2005 [Page 50]
Internet-Draft IPsec SPD configuration MIB February 2005
"This group is mandatory for IPsec Policy
implementations which support compound actions."
OBJECT spdAcceptAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdAcceptActionLog
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActExecutionStrategy
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdCompActRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompActStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltDescription
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdCompFiltLogicType
MIN-ACCESS read-only
DESCRIPTION
Baer, et al. Expires August 21, 2005 [Page 51]
Internet-Draft IPsec SPD configuration MIB February 2005
"Write access is not required."
OBJECT spdCompFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdCompFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdDropAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdDropActionLog
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEgressPolicyGroupName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEndGroupLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdEndGroupName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEndGroupRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdEndGroupStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
Baer, et al. Expires August 21, 2005 [Page 52]
Internet-Draft IPsec SPD configuration MIB February 2005
OBJECT spdGroupContComponentName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContComponentType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdGroupContRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdGroupContStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIngressPolicyGroupName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdIpOffFiltOffset
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltRowStatus
Baer, et al. Expires August 21, 2005 [Page 53]
Internet-Draft IPsec SPD configuration MIB February 2005
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpOffFiltValue
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltClassification
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdIpsoHeadFiltProtectionAuth
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdIpsoHeadFiltType
MIN-ACCESS read-only
DESCRIPTION
Baer, et al. Expires August 21, 2005 [Page 54]
Internet-Draft IPsec SPD configuration MIB February 2005
"Write access is not required."
OBJECT spdRuleDefAction
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefAdminStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefDescription
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefFilterNegated
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdRuleDefRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdRuleDefStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubActLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
Baer, et al. Expires August 21, 2005 [Page 55]
Internet-Draft IPsec SPD configuration MIB February 2005
OBJECT spdSubActRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubActStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubActSubActionName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdSubFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltSubfilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdSubFiltSubfilterIsNegated
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltDayOfMonthMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltDayOfWeekMask
MIN-ACCESS read-only
Baer, et al. Expires August 21, 2005 [Page 56]
Internet-Draft IPsec SPD configuration MIB February 2005
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltLastChanged
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required. This object is not
required for compliance."
OBJECT spdTimeFiltMonthOfYearMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltPeriodEnd
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltPeriodStart
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltStartTimeOfDayMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltStopTimeOfDayMask
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTimeFiltStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT spdTrueFilter
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
Baer, et al. Expires August 21, 2005 [Page 57]
Internet-Draft IPsec SPD configuration MIB February 2005
::= { spdCompliances 3 }
--
--
-- Compliance Groups Definitions
--
--
-- Endpoint, Rule, Filter Compliance Groups
--
spdEndpointGroup OBJECT-GROUP
OBJECTS {
spdEndGroupName, spdEndGroupLastChanged,
spdEndGroupStorageType, spdEndGroupRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy
Endpoint Table."
::= { spdGroups 1 }
spdGroupContentsGroup OBJECT-GROUP
OBJECTS {
spdGroupContComponentType, spdGroupContFilter,
spdGroupContComponentName, spdGroupContLastChanged,
spdGroupContStorageType, spdGroupContRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy
Group Contents Table."
::= { spdGroups 2 }
spdIpsecSystemPolicyNameGroup OBJECT-GROUP
OBJECTS {
spdIngressPolicyGroupName,
spdEgressPolicyGroupName
}
STATUS current
DESCRIPTION
"This group is made up of objects represent the System
Policy Group Names."
::= { spdGroups 3}
spdRuleDefinitionGroup OBJECT-GROUP
OBJECTS {
Baer, et al. Expires August 21, 2005 [Page 58]
Internet-Draft IPsec SPD configuration MIB February 2005
spdRuleDefDescription, spdRuleDefFilter,
spdRuleDefFilterNegated, spdRuleDefAction,
spdRuleDefAdminStatus, spdRuleDefLastChanged,
spdRuleDefStorageType, spdRuleDefRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy Rule
Definition Table."
::= { spdGroups 4 }
spdCompoundFilterGroup OBJECT-GROUP
OBJECTS {
spdCompFiltDescription, spdCompFiltLogicType,
spdCompFiltLastChanged, spdCompFiltStorageType,
spdCompFiltRowStatus, spdSubFiltSubfilter,
spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
spdSubFiltStorageType, spdSubFiltRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy
Compound Filter Table and Sub-Filter Table Group."
::= { spdGroups 5 }
spdStaticFilterGroup OBJECT-GROUP
OBJECTS { spdTrueFilter }
STATUS current
DESCRIPTION
"The static filter group. Currently this is just a true
filter."
::= { spdGroups 6 }
spdIPOffsetFilterGroup OBJECT-GROUP
OBJECTS {
spdIpOffFiltOffset, spdIpOffFiltType,
spdIpOffFiltValue, spdIpOffFiltLastChanged,
spdIpOffFiltStorageType, spdIpOffFiltRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy IP
Offset Filter Table."
::= { spdGroups 7 }
spdTimeFilterGroup OBJECT-GROUP
OBJECTS {
Baer, et al. Expires August 21, 2005 [Page 59]
Internet-Draft IPsec SPD configuration MIB February 2005
spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd,
spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
spdTimeFiltDayOfWeekMask, spdTimeFiltStartTimeOfDayMask,
spdTimeFiltStopTimeOfDayMask, spdTimeFiltLastChanged,
spdTimeFiltStorageType, spdTimeFiltRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy Time
Filter Table."
::= { spdGroups 8 }
spdIpsoHeaderFilterGroup OBJECT-GROUP
OBJECTS {
spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy IPSO
Header Filter Table."
::= { spdGroups 9 }
--
-- action compliance groups
--
spdStaticActionGroup OBJECT-GROUP
OBJECTS {
spdDropAction, spdAcceptAction,
spdDropActionLog, spdAcceptActionLog
}
STATUS current
DESCRIPTION
"This group is made up of objects from the IPsec Policy
Static Actions."
::= { spdGroups 10 }
spdCompoundActionGroup OBJECT-GROUP
OBJECTS {
spdCompActExecutionStrategy, spdCompActLastChanged,
spdCompActStorageType,
spdCompActRowStatus, spdSubActSubActionName,
spdSubActLastChanged, spdSubActStorageType,
spdSubActRowStatus
}
Baer, et al. Expires August 21, 2005 [Page 60]
Internet-Draft IPsec SPD configuration MIB February 2005
STATUS current
DESCRIPTION
"The IPsec Policy Compound Action Table and Actions In
Compound Action Table Group."
::= { spdGroups 11 }
spdActionLoggingObjectGroup OBJECT-GROUP
OBJECTS {
spdActionExecuted,
spdIPEndpointAddType, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationAddress,
spdPacketDirection, spdPacketPart
}
STATUS current
DESCRIPTION
"This group is made up of all the Notification objects for
this MIB."
::= { spdGroups 12 }
spdActionNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
spdActionNotification,
spdPacketNotification
}
STATUS current
DESCRIPTION
"This group is made up of all the Notifications for this
MIB."
::= { spdGroups 13 }
END
6. Security Considerations
6.1 Introduction
This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides security services it is important
that the IPsec configuration data be at least as protected as the
IPsec provided security service. There are two main threats you need
to thwart when configuring IPsec devices.
1. Malicious Configuration: only the official administrators should
Baer, et al. Expires August 21, 2005 [Page 61]
Internet-Draft IPsec SPD configuration MIB February 2005
be allowed to configure a device. In other words,
administrators' identities should be authenticated and their
access rights checked before they are allowed to do device
configuration. The support for SET operations to the IPSP MIB in
a non-secure environment, without proper protection, can have a
negative effect on the security of the network traffic affected
by the IPSP MIB.
2. Disclosure of Configuration: Malicious parties should not be
able to read configuration data while the data is in network
transit. Any knowledge about a device's IPsec policy
configuration could help an unfriendly party compromise that
device and/or the network(s) it protects. It is thus important
to control even GET access to these objects and possibly to even
encrypt the values of these objects when sending them over the
network via SNMP.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure
network is allowed to access and GET/SET (read/change/create/delete)
the objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to GET or SET (change/create/delete) them.
Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
SNMP version 3. The rest of this discussion assumes the use of
SNMPv3. This is a real strength, because it allows administrators
the ability to load new IPsec configuration on a device and keep the
conversation private and authenticated under the protection of SNMPv3
before any IPsec protections are available. Once initial
establishment of IPsec configuration on a device has been achieved,
it would be possible to set up IPsec SAs to then also provide
security and integrity services to the configuration conversation.
This may seem redundant at first, but will be shown to have a use for
added privacy protection below.
Baer, et al. Expires August 21, 2005 [Page 62]
Internet-Draft IPsec SPD configuration MIB February 2005
6.2 Protecting against in-authentic access
The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys is not yet provided by standards track documents,
although RFC2786 defines an experimental method of doing so.
6.3 Protecting against involuntary disclosure
While sending IPsec configuration data to a Policy Enforcement Point
(PEP), there are a few critical parameters which MUST NOT be observed
by third parties. Specifically, except for public keys, keying
information MUST NOT be allowed to be observed by third parties.
This include IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate
the device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic
algorithms is in the works and may be done as you read this (e.g.
AES [RFC3826]). Policy administrators SHOULD use a privacy security
service to configure their IPsec policy which is at least as strong
as the desired IPsec policy. E.G., it is unwise to configure IPsec
parameters implementing 3DES algorithms while only protecting that
conversation with single DES.
6.4 Bootstrapping your configuration
Most vendors will not ship new products with a default SNMPv3
user/password pair, but it is possible. If a device does ship with a
default user/password pair, policy administrators SHOULD either
change the password or configure a new user, deleting the default
user (or at a minimum, restrict the access of the default user).
Most SNMPv3 distributions should, hopefully, require an out-of-band
initialization over a trusted medium, such as a local console
connection. If a product does install with default user/password
information, these values should be changed before connecting to a
network.
Baer, et al. Expires August 21, 2005 [Page 63]
Internet-Draft IPsec SPD configuration MIB February 2005
7. IANA Considerations
Only two IANA considerations exist for this document. The first is
just the node number allocation of the IPSEC-SPD-MIB itself.
The IPSEC-SPD-MIB also allows for extension action MIB's and
allocates a node, spdActions, for them. IANA would be responsible
for allocating the values under this node.
8. Acknowledgments
Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order for the following
people:
Lindy Foster (Sparta, Inc.)
John Gillis (ADC)
Jamie Jason (Intel Corporation)
Roger Hartmuller (Sparta, Inc.)
David Partain (Ericsson)
Lee Rafalow (IBM)
Jon Saperia (JDS Consulting)
Eric Vyncke (Cisco Systems)
9. References
9.1 Normative References
[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
"Introduction and Applicability Statements for
Internet-Standard Management Framework", RFC 3410,
December 2002.
[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R. and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412, December
2002.
[RFC3413] Levi, D., Meyer, P. and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, RFC
3413, December 2002.
Baer, et al. Expires August 21, 2005 [Page 64]
Internet-Draft IPsec SPD configuration MIB February 2005
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415, December
2002.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
Management Information Version 2 (SMIv2)", STD 58, RFC
2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
Conventions for SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D. and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3585] Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
Policy Information Model", RFC 3585, August 2003.
9.2 Informative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy IPsec Action MIB", December
2002.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy IKE Action MIB", December
2002.
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
Paper", November 2000.
[RFC3826] Blumenthal, U., Maino, F. and K. McCloghrie, "The Advanced
Encryption Standard (AES) Cipher Algorithm in the SNMP
User-based Security Model", RFC 3826, June 2004.
Baer, et al. Expires August 21, 2005 [Page 65]
Internet-Draft IPsec SPD configuration MIB February 2005
Authors' Addresses
Michael Baer
Sparta, Inc.
7075 Samuel Morse Drive
Columbia, MD 21046
US
EMail: baerm@tislabs.com
Ricky Charlet
Self
EMail: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
US
Phone: +1 530 792 1913
EMail: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
US
EMail: ipsp-mib@revelstone.com
Cliff Wang
ARO/North Carolina State University
4300 S. Miami Blvd
RTP, NC 27709
US
EMail: cliffwangmail@yahoo.com
Baer, et al. Expires August 21, 2005 [Page 66]
Internet-Draft IPsec SPD configuration MIB February 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Baer, et al. Expires August 21, 2005 [Page 67]
| PAFTECH AB 2003-2026 | 2026-04-23 04:09:36 |