Network Working Group M. Baer
Request for Comments: 4807 Sparta, Inc.
Category: Standards Track R. Charlet
Self
W. Hardaker
Sparta, Inc.
R. Story
Revelstone Software
C. Wang
ARO
March 2007
IPsec Security Policy Database Configuration MIB
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document defines a Structure of Management Information Version 2
(SMIv2) Management Information Base (MIB) module for configuring the
security policy database of a device implementing the IPsec protocol.
The policy-based packet filtering and the corresponding execution of
actions described in this document are of a more general nature than
for IPsec configuration alone, such as for configuration of a
firewall. This MIB module is designed to be extensible with other
enterprise or standards-based defined packet filters and actions.
Baer, et al. Standards Track [Page 1]
RFC 4807 IPsec SPD configuration MIB March 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The Internet-Standard Management Framework . . . . . . . . . . 3
4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
5.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 6
5.1.1. Notational Conventions . . . . . . . . . . . . . . . . 6
5.1.2. Implementing an Example SPD Policy . . . . . . . . . . 7
6. MIB Definition . . . . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 65
7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 65
7.2. Protecting against Unauthenticated Access . . . . . . . . 66
7.3. Protecting against Involuntary Disclosure . . . . . . . . 66
7.4. Bootstrapping Your Configuration . . . . . . . . . . . . . 67
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 68
10.1. Normative References . . . . . . . . . . . . . . . . . . . 68
10.2. Informative References . . . . . . . . . . . . . . . . . . 69
1. Introduction
This document defines a MIB module for configuration of an IPsec
security policy database (SPD). The IPsec model this MIB is designed
to configure is based on the "IPsec Configuration Policy Model"
(IPCP) [RFC3585]. The IPCP's IPsec model is, in turn, derived from
the Distributed Management Task Force's (DMTF) IPsec model (see
below) and from the IPsec model specified in RFC 2401 [RFC2401].
Note: RFC 2401 has been updated by RFC 4301 [RFC4301], but this
implementation is based on RFC 2401. The policy-based packet
filtering and the corresponding execution of actions configured by
this MIB are of a more general nature than for IPsec configuration
only, such as for configuration of a firewall. It is possible to
extend this MIB module and add other packet-transforming actions that
are performed conditionally on an interface's network traffic.
The IPsec- and IKE-specific actions are as documented in
[IPsec-ACTION] and [IKE-ACTION], respectively, and are not documented
in this document.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",