IPsec Security Policy IKE Action MIB
draft-ietf-ipsp-ikeaction-mib-02

IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: July 19, 2004                                        R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                        SmartPipes, Inc.
                                                        January 19, 2004


                  IPsec Security Policy IKE Action MIB
                  draft-ietf-ipsp-ikeaction-mib-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 19, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring IKE actions in the security policy database
   (SPD) of a device that is managed through the IPsec Security Policy
   Database Configuration MIB.  The IPSP IKE Action MIB integrates
   directly with the IPsec



Baer, et al.             Expires July 19, 2004                  [Page 1]


Internet-Draft            IPSP IKE Action MIB               January 2004


   Security Policy Database Configuration MIB and it is meant to work
   within the framework of an action referenced by that MIB.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Internet-Standard Management Framework . . . . . . . . . .  3
   3.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   4.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  3
   5.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  4
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 59
   6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 59
   6.2 Protecting against in-authentic access . . . . . . . . . . . . 60
   6.3 Protecting against involuntary disclosure  . . . . . . . . . . 60
   6.4 Bootstrapping your configuration . . . . . . . . . . . . . . . 61
   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 61
       Normative References . . . . . . . . . . . . . . . . . . . . . 61
       Informative References . . . . . . . . . . . . . . . . . . . . 62
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 63
       Intellectual Property and Copyright Statements . . . . . . . . 64

1. Introduction

   This document defines a MIB module for configuration of an IKE action
   within the IPsec security policy database (SPD). This module works
   within the framework of the IPsec Security Policy Database
   Configuration MIB (IPSP-SPD-MIB). It can be referenced as an action
   by the IPSP-SPD-MIB and is used to configure IKE negotiations between
   network devices.

   The companion document [RFCXXXX] defines the IPsec Security Policy
   Database Configuration MIB.  The companion document [RFCYYYY]
   defines the IPsec Security Policy IPsec Action MIB, used for the
   configuration of static IPsec SAs.

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].
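   The following Python example is added by the editor; it is not code
   from this draft, from the IETF, or from any IPsec product.  It shows
   how a manager addresses one conceptual row of the
   ipiaPeerIdentityFilterTable defined in Section 5 over SNMP: the
   SnmpAdminString index ipiaPeerIdFiltName is encoded into OID
   sub-identifiers as a length followed by one sub-identifier per octet
   (RFC 2578, section 7.7), and the columns the row needs before it can
   become active are set in the same PDU as RowStatus createAndGo(4).
   The value of spdActions comes from IPSEC-SPD-MIB and is not given in
   this document, so a placeholder is used; the identity type 2
   (ID_FQDN) is the IPsec DOI value from RFC 2407, since the labels of
   IpsecDoiIdentType are not shown here either.  Both are assumptions.

```python
"""Addressing rows of ipiaPeerIdentityFilterTable over SNMP.

Editor-added example; not code from the draft or from any product.
"""
from typing import List, Tuple

OID = Tuple[int, ...]

# ASSUMPTION: spdActions is defined in IPSEC-SPD-MIB, not on this page.
# This placeholder must be replaced by its real value.
SPD_ACTIONS: OID = (1, 3, 6, 1, 2, 1, 0)            # hypothetical
# From the module: ipiaMIB = { spdActions 2 }, ipiaConfigObjects = { ipiaMIB 1 },
# ipiaPeerIdentityFilterTable = { ipiaConfigObjects 4 }, entry = { table 1 }.
PEER_ID_FILTER_ENTRY: OID = SPD_ACTIONS + (2, 1, 4, 1)

# Column numbers of IpiaPeerIdentityFilterEntry.
COL_IDENTITY_TYPE = 2      # ipiaPeerIdFiltIdentityType
COL_IDENTITY_VALUE = 3     # ipiaPeerIdFiltIdentityValue
COL_STORAGE_TYPE = 5       # ipiaPeerIdFiltStorageType
COL_ROW_STATUS = 6         # ipiaPeerIdFiltRowStatus

ID_FQDN = 2                # IPsec DOI identity type (RFC 2407 4.6.2.1)
STORAGE_NONVOLATILE = 3    # StorageType nonVolatile(3), RFC 2579
ROWSTATUS_CREATE_AND_GO = 4
ROWSTATUS_DESTROY = 6      # RowStatus values, RFC 2579


def encode_string_index(name: str) -> OID:
    """Encode a non-IMPLIED variable-length string index (RFC 2578 7.7):
    the octet count, followed by one sub-identifier per octet."""
    octets = name.encode("utf-8")
    if not 1 <= len(octets) <= 32:          # ipiaPeerIdFiltName SIZE(1..32)
        raise ValueError("index must be 1..32 octets")
    return (len(octets),) + tuple(octets)


def instance_oid(column: int, name: str) -> OID:
    """OID of one column instance of the row named `name`."""
    return PEER_ID_FILTER_ENTRY + (column,) + encode_string_index(name)


def decode_string_index(suffix: OID) -> str:
    """Inverse of encode_string_index, e.g. when walking the table."""
    n = suffix[0]
    if len(suffix) != n + 1:
        raise ValueError("index length does not match sub-identifier count")
    return bytes(suffix[1:]).decode("utf-8")


def row_create_varbinds(name: str, ident_type: int,
                        ident_value: str) -> List[Tuple[OID, object]]:
    """Varbinds for a single SET that creates an active row.

    ipiaPeerIdFiltRowStatus states the row cannot be active unless
    IdentityType and IdentityValue are defined, so they travel in the
    same PDU as createAndGo(4); the agent then applies all or nothing."""
    return [
        (instance_oid(COL_IDENTITY_TYPE, name), ident_type),
        (instance_oid(COL_IDENTITY_VALUE, name), ident_value),
        (instance_oid(COL_STORAGE_TYPE, name), STORAGE_NONVOLATILE),
        (instance_oid(COL_ROW_STATUS, name), ROWSTATUS_CREATE_AND_GO),
    ]


def row_destroy_varbind(name: str) -> Tuple[OID, int]:
    """Varbind that removes the row again (RowStatus destroy(6))."""
    return (instance_oid(COL_ROW_STATUS, name), ROWSTATUS_DESTROY)


def oid_text(oid: OID) -> str:
    return ".".join(str(x) for x in oid)


if __name__ == "__main__":
    for oid, value in row_create_varbinds("hq-gw", ID_FQDN, "*.example.com"):
        print(oid_text(oid), "=", value)
```

   Creating the row with createAndWait(5) and filling the columns in
   later SETs is equally valid, but the row then sits in notReady(3)
   until both identity columns have been written, so the single-PDU
   form above is the one to prefer from an automated manager.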

3. Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The contents of this document are also
   reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
   This MIB module is a task-specific derivation of the IKE action
   portions of the IPCP for use with SNMPv3.  It includes the filters,
   negotiation, identity and IKE action information required to enable
   IKE negotiation within the IPsec Policy framework.

4. MIB Module Overview

   The MIB module describes the information needed to implement IKE
   actions and their associated negotiations, as referred to by the
   IPsec Security Policy Database Configuration MIB.  A basic
   understanding of IKE, of IPsec processing, of the IPsec
   Configuration Policy Model and of how actions fit into the overall
   framework of the IPSP-SPD-MIB is required to use this MIB properly.
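   The Python example below is added by the editor and is not code from
   this draft or from any implementation.  It evaluates the two filter
   tables of Section 5 against a peer: match_identity implements the
   wildcard rules the module gives for ipiaPeerIdFiltIdentityValue ('*'
   matches zero or more characters, FQDN and user-FQDN comparison is
   case-insensitive, an IPv4 filter may be a prefix such as
   192.0.2.0/24), and match_credential implements the
   ipiaCredFiltMatchFieldName / ipiaCredFiltMatchFieldValue rule that an
   empty field name compares the whole credential.  Distinguished names
   are matched RDN by RDN, so a '*' cannot swallow a comma and match an
   extra RDN; that is a deliberate tightening of the literal '*' rule,
   not something the module specifies.  Identity type codes are the
   IPsec DOI values from RFC 2407, used because the labels of
   IpsecDoiIdentType are not shown in this document; all peer identities
   and credentials in the code are constructed test data.

```python
"""Evaluating IPSEC-IKEACTION-MIB identity and credential filters.

Editor-added example; not code from the draft or from any product.
"""
import hmac
import ipaddress
import re
from typing import Dict, Union

# IPsec DOI identity types, RFC 2407 section 4.6.2.1 (assumed here
# because the IpsecDoiIdentType labels are not shown in this document).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3
ID_IPV6_ADDR, ID_DER_ASN1_DN = 5, 9


def _glob_regex(pattern: str) -> str:
    # Only '*' is special; the MIB defines no other metacharacter.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(_glob_regex(pattern), value, flags) is not None


def _match_dn(pattern: str, dn: str) -> bool:
    """Match a string-form DN RDN by RDN.  Attribute types must agree
    (case-insensitively); values are globbed but case-sensitive.
    Escaped commas inside values are not handled."""
    want = [rdn.strip() for rdn in pattern.split(",")]
    have = [rdn.strip() for rdn in dn.split(",")]
    if len(want) != len(have):
        return False          # a '*' may not stand for additional RDNs
    for w, h in zip(want, have):
        wt, _, wv = w.partition("=")
        ht, _, hv = h.partition("=")
        if wt.strip().lower() != ht.strip().lower():
            return False
        if not _glob(wv.strip(), hv.strip(), ignore_case=False):
            return False
    return True


def match_identity(filt_type: int, filt_value: str,
                   peer_type: int, peer_value: str) -> bool:
    """Does one (ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue)
    row match the identity the peer asserted in its ID payload?"""
    if filt_type != peer_type:
        return False          # never compare across identity types
    if peer_type in (ID_IPV4_ADDR, ID_IPV6_ADDR) and "/" in filt_value:
        try:
            net = ipaddress.ip_network(filt_value, strict=False)
            addr = ipaddress.ip_address(peer_value)
        except ValueError:
            return False
        return addr.version == net.version and addr in net
    if peer_type == ID_DER_ASN1_DN:
        return _match_dn(filt_value, peer_value)
    return _glob(filt_value, peer_value,
                 ignore_case=peer_type in (ID_FQDN, ID_USER_FQDN))


# A credential is either an opaque secret (no fields) or a parsed
# structured credential such as an X.509 certificate, as field -> bytes.
Credential = Union[bytes, Dict[str, bytes]]


def match_credential(field_name: str, field_value: bytes,
                     cred: Credential) -> bool:
    """ipiaCredFilt semantics: an empty ipiaCredFiltMatchFieldName means
    the whole credential is compared with ipiaCredFiltMatchFieldValue;
    otherwise the named field is.  Constant-time comparison keeps a
    shared secret from being guessed byte by byte through timing."""
    if field_name == "":
        return isinstance(cred, bytes) and hmac.compare_digest(field_value, cred)
    if not isinstance(cred, dict) or field_name not in cred:
        return False
    return hmac.compare_digest(field_value, cred[field_name])


if __name__ == "__main__":
    # Constructed peer identities, following the examples in the module.
    print(match_identity(ID_USER_FQDN, "*@example.com",
                         ID_USER_FQDN, "JDOE@EXAMPLE.COM"))
    print(match_identity(ID_IPV4_ADDR, "192.0.2.0/24",
                         ID_IPV4_ADDR, "192.0.2.10"))
```

   Note that an identity filter alone only constrains what the peer
   claims; binding that claim to a verified credential is the job of the
   credential filter, so both should be applied before a peer is
   accepted.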




5. MIB definition


   IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN


   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
                                           FROM SNMPv2-SMI

       TEXTUAL-CONVENTION, RowStatus, TruthValue,
       TimeStamp, StorageType, VariablePointer
                                           FROM SNMPv2-TC

       MODULE-COMPLIANCE, OBJECT-GROUP
                                           FROM SNMPv2-CONF

       SnmpAdminString
                                           FROM SNMP-FRAMEWORK-MIB

       InetAddressType, InetAddress, InetPortNumber
                                           FROM INET-ADDRESS-MIB

       spdActions, SpdIPPacketLogging, spdEndGroupIdentType,
       spdEndGroupAddress
                                        FROM IPSEC-SPD-MIB

       IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
       ipsaSharedGroup
                                        FROM IPSEC-IPSECACTION-MIB
       ;

   --
   -- module identity
   --

   ipiaMIB MODULE-IDENTITY
       LAST-UPDATED "200212100000Z"            -- 10 December 2002
       ORGANIZATION "IETF IP Security Policy Working Group"
       CONTACT-INFO "Michael Baer
                     Sparta, Inc.
                     Phone: +1 530 902 3131
                     Email: baerm@tislabs.com

                     Ricky Charlet
                     Email: rcharlet@alumni.calpoly.edu

                     Wes Hardaker
                     Sparta, Inc.
                     P.O. Box 382
                     Davis, CA  95617
                     Phone: +1 530 792 1913
                     Email: hardaker@tislabs.com

                     Robert Story
                     Revelstone Software
                     PO Box 1812
                     Tucker, GA 30085
                     Phone: +1 770 617 3722
                     Email: ipsp-mib@revelstone.com

                     Cliff Wang
                     SmartPipes Inc.
                     Suite 300, 565 Metro Place South
                     Dublin, OH 43017
                     Phone: +1 614 923 6241
                     E-Mail: cliffwang2000@yahoo.com"
       DESCRIPTION
        "The MIB module for defining IKE actions for managing IPsec
         Security Policy.

         Copyright (C) The Internet Society (2003). This version of
         this MIB module is part of RFC XXXX, see the RFC itself for
         full legal notices."

   -- Revision History

       REVISION     "200301070000Z"            -- 7 January 2003
       DESCRIPTION  "Initial version, published as RFC xxxx."
       -- RFC-editor assigns xxxx

       ::= { spdActions 2 }

   --
   -- groups of related objects
   --

   ipiaConfigObjects         OBJECT IDENTIFIER
        ::= { ipiaMIB 1 }
   ipiaNotificationObjects   OBJECT IDENTIFIER
        ::= { ipiaMIB 2 }
   ipiaConformanceObjects    OBJECT IDENTIFIER
        ::= { ipiaMIB 3 }

   --
   -- Textual Conventions
   --

   IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION "Values for encryption algorithms negotiated
                   for the ISAKMP SA by IKE in Phase I.  These are
                    values for SA Attribute type Encryption
                    Algorithm (1).

                   Unused values <= 65000 are reserved to IANA.
                   Currently assigned values at the time of this
                   writing:

                       reserved(0),        -- reserved in IKE
                       desCbc(1),          -- RFC 2405
                       ideaCbc(2),
                       blowfishCbc(3),
                       rc5R16B64Cbc(4),    -- RC5 R16 B64 CBC
                       tripleDesCbc(5),    -- 3DES CBC
                       castCbc(6),
                       aesCbc(7)

                   Values 65001-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IkeAuthMethod ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION "Values for authentication methods negotiated
                   for the ISAKMP SA by IKE in Phase I.  These are
                    values for SA Attribute type Authentication
                    Method (3).

                   Unused values <= 65000 are reserved to IANA.

                       reserved(0),        -- reserved in IKE
                       preSharedKey(1),
                       dssSignatures(2),
                       rsaSignatures(3),
                       encryptionWithRsa(4),
                       revisedEncryptionWithRsa(5),
                       reservedDontUse6(6), -- not to be used
                       reservedDontUse7(7), -- not to be used
                       ecdsaSignatures(8)

                    Values 65001-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IkeHashAlgorithm ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION "Values for hash algorithms negotiated
                   for the ISAKMP SA by IKE in Phase I.  These are
                    values for SA Attribute type Hash Algorithm (2).

                   Unused values <= 65000 are reserved to IANA.
                   Currently assigned values at the time of this
                   writing:

                       reserved(0),        -- reserved in IKE
                       md5(1),             -- RFC 1321
                       sha(2),             -- FIPS 180-1
                       tiger(3),
                       sha256(4),
                       sha384(5),
                       sha512(6)

                   Values 65001-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IkeGroupDescription ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION "Values for Oakley key computation groups for
                   Diffie-Hellman exchange negotiated for the ISAKMP
                   SA by IKE in Phase I.  They are also used in Phase II
                   when perfect forward secrecy is in use.  These are
                    values for SA Attribute type Group Description (4).

                   Unused values <= 32767 are reserved to IANA.
                   Currently assigned values at the time of this
                   writing:

                       none(0),            -- reserved in IKE, used
                                           -- in MIBs to reflect that
                                           -- none of the predefined
                                           -- groups are used
                       modp768(1),         -- default 768-bit MODP group
                       modp1024(2),        -- alternate 1024-bit MODP
                                            -- group
                       ec2nGF155(3),       -- EC2N group on Galois
                                           -- Field GF[2^155]
                        ec2nGF185(4),       -- EC2N group on Galois
                                            -- Field GF[2^185]
                        modp1536(5),        -- 1536-bit MODP group,
                                            -- RFC 3526
                       ec2nGF163Random(6), -- EC2N group on Galois
                                           -- Field GF[2^163],
                                           -- random seed
                       ec2nGF163Koblitz(7),
                                           -- EC2N group on Galois
                                           -- Field GF[2^163],
                                           -- Koblitz curve
                       ec2nGF283Random(8), -- EC2N group on Galois
                                           -- Field GF[2^283],
                                           -- random seed
                       ec2nGF283Koblitz(9),
                                           -- EC2N group on Galois
                                           -- Field GF[2^283],
                                           -- Koblitz curve
                       ec2nGF409Random(10),
                                           -- EC2N group on Galois
                                           -- Field GF[2^409],
                                           -- random seed
                       ec2nGF409Koblitz(11),
                                           -- EC2N group on Galois
                                           -- Field GF[2^409],
                                           -- Koblitz curve
                       ec2nGF571Random(12),
                                           -- EC2N group on Galois
                                           -- Field GF[2^571],
                                           -- random seed
                        ec2nGF571Koblitz(13),
                                            -- EC2N group on Galois
                                            -- Field GF[2^571],
                                            -- Koblitz curve
                        modp2048(14),       -- 2048-bit MODP group
                        modp3072(15),       -- 3072-bit MODP group
                        modp4096(16),       -- 4096-bit MODP group
                        modp6144(17),       -- 6144-bit MODP group
                        modp8192(18)        -- 8192-bit MODP group;
                                            -- 14-18 from RFC 3526

                    Values 32768-65535 are for private use among
                    mutually consenting parties."
        REFERENCE   "RFC 2409 appendix A, RFC 3526,
                    IANA"
       SYNTAX      Unsigned32 (0..65535)

   IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION "These are the IPsec DOI values for the Protocol-Id
                   field in an ISAKMP Proposal Payload, and in all
                   Notification Payloads.

                    They are also used as the Protocol-ID in the
                   Notification Payload and the Delete Payload.

                   Currently assigned values at the time of this
                   writing:

                       reserved(0),        -- reserved in DOI
                       protoIsakmp(1),     -- message protection
                                           -- required during Phase I
                                           -- of the IKE protocol
                       protoIpsecAh(2),    -- IP packet authentication
                                           -- via Authentication Header
                       protoIpsecEsp(3),   -- IP packet confidentiality
                                           -- via Encapsulating
                                           -- Security Payload
                       protoIpcomp(4)      -- IP payload compression

                   The values 249-255 are reserved for private use
                   amongst cooperating systems."
       REFERENCE   "RFC 2407 section 4.4.1"
       SYNTAX      Unsigned32 (0..255)

   --
   -- Policy group definitions
   --

   ipiaLocalConfigObjects OBJECT IDENTIFIER
        ::= { ipiaConfigObjects 1 }


   --
   -- Static Filters
   --

   ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }

   ipiaIkePhase1Filter OBJECT-TYPE
           SYNTAX      Integer32
           MAX-ACCESS  read-only
           STATUS      current
           DESCRIPTION
               "This static filter can be used to test if a packet is
                part of an IKE phase-1 negotiation."
           ::= { ipiaStaticFilters 1 }

   ipiaIkePhase2Filter OBJECT-TYPE
           SYNTAX      Integer32
           MAX-ACCESS  read-only
           STATUS      current
           DESCRIPTION
               "This static filter can be used to test if a packet is
                part of an IKE phase-2 negotiation."
           ::= { ipiaStaticFilters 2 }


   --
   -- credential filter table
   --

   ipiaCredentialFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaCredentialFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table defines filters which can be used to match
            credentials of IKE peers, where the credentials in question
            have been obtained from an IKE phase 1 exchange.  They may
            be X.509 certificates, Kerberos tickets, etc..."
       ::= { ipiaConfigObjects 3 }

   ipiaCredentialFilterEntry OBJECT-TYPE
       SYNTAX      IpiaCredentialFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row defining a particular credential filter"
       INDEX   { ipiaCredFiltName }
       ::= { ipiaCredentialFilterTable 1 }

   IpiaCredentialFilterEntry ::= SEQUENCE {
       ipiaCredFiltName                      SnmpAdminString,
       ipiaCredFiltCredentialType            IpsaCredentialType,
       ipiaCredFiltMatchFieldName            OCTET STRING,
       ipiaCredFiltMatchFieldValue           OCTET STRING,
       ipiaCredFiltAcceptCredFrom            OCTET STRING,
       ipiaCredFiltLastChanged               TimeStamp,
       ipiaCredFiltStorageType               StorageType,
       ipiaCredFiltRowStatus                 RowStatus
   }

   ipiaCredFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name of this filter."
        ::= { ipiaCredentialFilterEntry 1 }

   ipiaCredFiltCredentialType OBJECT-TYPE
       SYNTAX      IpsaCredentialType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The credential type that is expected for this filter to
            succeed."
       DEFVAL { x509 }
       ::= { ipiaCredentialFilterEntry 2 }

   ipiaCredFiltMatchFieldName OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..256))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The piece of the credential to match against.  Examples:
            serialNumber, signatureAlgorithm, issuerName or
            subjectName.

             For credential types without fields (e.g. a shared secret),
             this field should be left empty, and the entire credential
             will be matched against the ipiaCredFiltMatchFieldValue."
       ::= { ipiaCredentialFilterEntry 3 }

   ipiaCredFiltMatchFieldValue OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(1..4096))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value that the field indicated by the
            ipiaCredFiltMatchFieldName must match against for the
            filter to be considered TRUE."
       ::= { ipiaCredentialFilterEntry 4 }

    ipiaCredFiltAcceptCredFrom OBJECT-TYPE
        SYNTAX      OCTET STRING(SIZE(0..117))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "This value is used to look up a row in the
             ipiaIpsecCredMngServiceTable for the Certificate Authority
             (CA) information.  This value is empty (zero length) if no
             CA is used for this filter."
        ::= { ipiaCredentialFilterEntry 5 }

   ipiaCredFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
        MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaCredentialFilterEntry 6 }

   ipiaCredFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaCredentialFilterEntry 7 }

   ipiaCredFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row."
       ::= { ipiaCredentialFilterEntry 8 }


   --
   -- Peer Identity Filter Table
   --

   ipiaPeerIdentityFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaPeerIdentityFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
            "This table defines filters which can be used to match the
             identities asserted by IKE peers in the ID payload of an
             IKE phase 1 exchange, for example an FQDN, a user FQDN, an
             IP address or prefix, or a distinguished name."
       ::= { ipiaConfigObjects 4 }

   ipiaPeerIdentityFilterEntry OBJECT-TYPE
       SYNTAX      IpiaPeerIdentityFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
            "A row defining a particular peer identity filter."
       INDEX   { ipiaPeerIdFiltName }
       ::= { ipiaPeerIdentityFilterTable 1 }

   IpiaPeerIdentityFilterEntry ::= SEQUENCE {
       ipiaPeerIdFiltName                      SnmpAdminString,
       ipiaPeerIdFiltIdentityType              IpsecDoiIdentType,
       ipiaPeerIdFiltIdentityValue             IpsaIdentityFilter,
       ipiaPeerIdFiltLastChanged               TimeStamp,
       ipiaPeerIdFiltStorageType               StorageType,
       ipiaPeerIdFiltRowStatus                 RowStatus
   }

   ipiaPeerIdFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name of this filter."
       ::= { ipiaPeerIdentityFilterEntry 1 }

   ipiaPeerIdFiltIdentityType OBJECT-TYPE
       SYNTAX      IpsecDoiIdentType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of identity field in the peer ID payload to match
            against."
       ::= { ipiaPeerIdentityFilterEntry 2 }

   ipiaPeerIdFiltIdentityValue OBJECT-TYPE
       SYNTAX      IpsaIdentityFilter
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The string representation of the value that the peer ID
            payload value must match against. Wildcard mechanisms MUST
            be supported such that:

            - a ipiaPeerIdFiltIdentityValue of '*@example.com' will
              match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'

            - a ipiaPeerIdFiltIdentityValue of '*.example.com' will
              match a fqdn ID payload of 'WWW.EXAMPLE.COM'

            - a ipiaPeerIdFiltIdentityValue of:
                 'cn=*,ou=engineering,o=company,c=us'
              will match a DER DN ID payload of
                  'cn=John Doe,ou=engineering,o=company,c=us'

            - a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will
              match an IPv4 address ID payload of 192.0.2.10

            - a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also
              match an IPv4 address ID payload of 192.0.2.10.

             The character '*' matches zero or more instances of any
             character."
       ::= { ipiaPeerIdentityFilterEntry 3 }

   ipiaPeerIdFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaPeerIdentityFilterEntry 4 }

   ipiaPeerIdFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaPeerIdentityFilterEntry 5 }

   ipiaPeerIdFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.
            This object can not be considered active unless the
            ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
            column values are defined."
       ::= { ipiaPeerIdentityFilterEntry 6 }


   --
   -- Static Actions
   --

   -- these are static actions which can be pointed to by the
   -- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
   -- accept or reject packets.

   ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }

   ipiaRejectIKEAction OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be rejected
            WITHOUT action/packet logging.  This object returns a value
            of 1 for IPsec policy implementations that support the
            reject static action."
       ::= { ipiaStaticActions 1 }

   ipiaRejectIKEActionLog OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet should be rejected
            WITH action/packet logging.  This object returns a value of
            1 for IPsec policy implementations that support the reject
            static action with logging."
       ::= { ipiaStaticActions 2 }


   --
   -- ipiaIkeActionTable
   --

   ipiaIkeActionTable OBJECT-TYPE
       SYNTAX          SEQUENCE OF IpiaIkeActionEntry
       MAX-ACCESS  not-accessible
       STATUS          current
       DESCRIPTION
           "The ipiaIkeActionTable contains a list of the parameters
            used for an IKE phase 1 SA DOI negotiation.  See the
            corresponding table ipiaIkeActionProposalsTable for a list
            of proposals contained within a given IKE Action."
       ::= { ipiaConfigObjects 6 }

   ipiaIkeActionEntry OBJECT-TYPE
       SYNTAX          IpiaIkeActionEntry
       MAX-ACCESS  not-accessible
       STATUS          current
        DESCRIPTION
           "The ipiaIkeActionEntry lists the IKE negotiation
            attributes."
       INDEX       { ipiaIkeActName }
       ::= { ipiaIkeActionTable 1 }

   IpiaIkeActionEntry ::= SEQUENCE {
       ipiaIkeActName                              SnmpAdminString,
       ipiaIkeActParametersName                    SnmpAdminString,
       ipiaIkeActThresholdDerivedKeys              Integer32,
       ipiaIkeActExchangeMode                      INTEGER,
       ipiaIkeActAgressiveModeGroupId              IkeGroupDescription,
       ipiaIkeActIdentityType                      IpsecDoiIdentType,
       ipiaIkeActIdentityContext                   SnmpAdminString,
       ipiaIkeActPeerName                          SnmpAdminString,
       ipiaIkeActDoActionLogging                   TruthValue,
       ipiaIkeActDoPacketLogging                   SpdIPPacketLogging,
       ipiaIkeActVendorId                          OCTET STRING,
       ipiaIkeActLastChanged                       TimeStamp,
       ipiaIkeActStorageType                       StorageType,
       ipiaIkeActRowStatus                         RowStatus
   }

   ipiaIkeActName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       not-accessible
       STATUS           current
       DESCRIPTION
           "This object contains the name of this ikeAction entry."
       ::= { ipiaIkeActionEntry 1 }

   ipiaIkeActParametersName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object is administratively assigned to reference a row
            in the ipiaSaNegotiationParametersTable where additional
            parameters affecting this action may be found."
       ::= { ipiaIkeActionEntry 2 }

   ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
       SYNTAX           Integer32 (0..100)
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "ipiaIkeActThresholdDerivedKeys specifies what percentage
            of the derived key limit (see the LifetimeDerivedKeys
            property of IKEProposal) can expire before IKE should
            attempt to renegotiate the IKE phase 1 security
            association."
       DEFVAL           { 100 }
       ::= { ipiaIkeActionEntry 3 }

   ipiaIkeActExchangeMode OBJECT-TYPE
       SYNTAX           INTEGER { main(1), agressive(2) }
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "ipiaIkeActExchangeMode specifies the IKE Phase 1
            negotiation mode."
       DEFVAL { main }
       ::= { ipiaIkeActionEntry 4 }

   ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
       SYNTAX           IkeGroupDescription
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The values to be used for Diffie-Hellman exchange."
       ::= { ipiaIkeActionEntry 5 }

   ipiaIkeActIdentityType OBJECT-TYPE
       SYNTAX      IpsecDoiIdentType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This column, along with ipiaIkeActIdentityContext and
            endpoint information, is used to refer to an
            ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
       ::= { ipiaIkeActionEntry 6 }

   ipiaIkeActIdentityContext   OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This column, along with ipiaIkeActIdentityType and endpoint
            information, is used to refer to an ipiaIkeIdentityEntry in
            the ipiaIkeIdentityTable."
       ::= { ipiaIkeActionEntry 7 }

   ipiaIkeActPeerName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the peer id name of the IKE peer.
            This object can be used to look up the peer id value,
            address, credentials and other values in the
            ipiaPeerIdentityTable."
       ::= { ipiaIkeActionEntry 8 }


   ipiaIkeActDoActionLogging OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkeActDoActionLogging specifies whether or not an audit
            message should be logged when this IKE SA is created."
        DEFVAL { false }
       ::= { ipiaIkeActionEntry 9 }

   ipiaIkeActDoPacketLogging OBJECT-TYPE
       SYNTAX      SpdIPPacketLogging
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkeActDoPacketLogging specifies whether or not an audit
            message should be logged and, if there is logging, how many
            bytes of the packet to place in the notification."
        DEFVAL { -1 }
       ::= { ipiaIkeActionEntry 10 }

   ipiaIkeActVendorId    OBJECT-TYPE
       SYNTAX           OCTET STRING (SIZE(0..65535))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "Vendor ID Payload.  A value of NULL means that Vendor ID
            payload will be neither generated nor accepted.  A non-NULL
            value means that a Vendor ID payload will be generated
            (when acting as an initiator) or is expected (when acting
            as a responder)."
       DEFVAL { "" }
       ::= { ipiaIkeActionEntry 11 }

   ipiaIkeActLastChanged OBJECT-TYPE
       SYNTAX           TimeStamp
       MAX-ACCESS       read-only
       STATUS           current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeActionEntry 12 }

   ipiaIkeActStorageType OBJECT-TYPE
       SYNTAX           StorageType
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeActionEntry 13 }

   ipiaIkeActRowStatus OBJECT-TYPE
       SYNTAX           RowStatus
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object may not be set to destroy if referred to by
            other rows in other action tables."
       ::= { ipiaIkeActionEntry 14 }


   --
   -- IPsec action definition table
   --


   ipiaIpsecActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The ipiaIpsecActionTable contains a list of the parameters
            used for an IKE phase 2 IPsec DOI negotiation."
       ::= { ipiaConfigObjects 7 }

   ipiaIpsecActionEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The ipiaIpsecActionEntry lists the IPsec negotiation
            attributes."
       INDEX       { ipiaIpsecActName }
       ::= { ipiaIpsecActionTable 1 }

   IpiaIpsecActionEntry ::= SEQUENCE {
       ipiaIpsecActName                          SnmpAdminString,
       ipiaIpsecActParametersName                SnmpAdminString,
       ipiaIpsecActProposalsName                 SnmpAdminString,
       ipiaIpsecActUsePfs                        TruthValue,
       ipiaIpsecActVendorId                      OCTET STRING,
       ipiaIpsecActGroupId                       IkeGroupDescription,
       ipiaIpsecActPeerGatewayIdName             OCTET STRING,
       ipiaIpsecActUseIkeGroup                   TruthValue,
       ipiaIpsecActGranularity                   INTEGER,
       ipiaIpsecActMode                          INTEGER,
       ipiaIpsecActDFHandling                    INTEGER,
       ipiaIpsecActDoActionLogging               TruthValue,
       ipiaIpsecActDoPacketLogging               SpdIPPacketLogging,
       ipiaIpsecActLastChanged                   TimeStamp,
       ipiaIpsecActStorageType                   StorageType,
       ipiaIpsecActRowStatus                     RowStatus
   }

   ipiaIpsecActName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
            "ipiaIpsecActName is the name of the ipsecAction entry."
       ::= { ipiaIpsecActionEntry 1 }


   ipiaIpsecActParametersName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object is used to reference a row in the
            ipiaSaNegotiationParametersTable where additional
            parameters affecting this action may be found."
       ::= { ipiaIpsecActionEntry 2 }

   ipiaIpsecActProposalsName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object is used to reference one or more rows in the
            ipiaIpsecProposalsTable where an ordered list of proposals
            affecting this action may be found."
       ::= { ipiaIpsecActionEntry 3 }

   ipiaIpsecActUsePfs OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This MIB object specifies whether or not perfect forward
            secrecy should be used when refreshing keys.
            A value of true indicates that PFS should be used."
       ::= { ipiaIpsecActionEntry 4 }

   ipiaIpsecActVendorId OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..255))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The VendorID property is used to identify vendor-defined
            key exchange GroupIDs."
       ::= { ipiaIpsecActionEntry 5 }

   ipiaIpsecActGroupId OBJECT-TYPE
       SYNTAX      IkeGroupDescription
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the Diffie-Hellman group to use for
            phase 2 when the object ipiaIpsecActUsePfs is true and the
            object ipiaIpsecActUseIkeGroup is false.  If the GroupID
            number is from the vendor-specific range (32768-65535), the
            VendorID qualifies the group number."
       ::= { ipiaIpsecActionEntry 6 }

   ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..116))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the peer id name of the peer
            gateway.  This object can be used to look up the peer id
            value, address and other values in the
            ipiaPeerIdentityTable.  This object is used when initiating
            a tunnel SA.  This object is not used for transport SAs.
            If no value is set and ipiaIpsecActMode is tunnel, the peer
            gateway should be determined from the source or destination
            address of the packet."
       ::= { ipiaIpsecActionEntry 7 }

   ipiaIpsecActUseIkeGroup OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies whether or not to use the same
            GroupId for phase 2 as was used in phase 1.  If UsePFS is
            false, this entry should be ignored."
       ::= { ipiaIpsecActionEntry 8 }
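   The four columns above (ipiaIpsecActUsePfs, ipiaIpsecActGroupId,
   ipiaIpsecActVendorId and ipiaIpsecActUseIkeGroup) together decide which
   Diffie-Hellman group, if any, a phase 2 negotiation proposes.  The
   following Python is an added example, not code from this draft or from
   any implementation of it; the class, function and field names are the
   example's own, and only the vendor-specific range 32768-65535 comes from
   the MIB text.  It resolves the group in the order the descriptions state
   the rules and flags the one inconsistent configuration they imply (a
   vendor-range group with an empty VendorID).

```python
# Added example, not code from the draft: deriving the phase 2 Diffie-Hellman
# group from an ipiaIpsecActionTable row as the ipiaIpsecActUsePfs,
# ipiaIpsecActUseIkeGroup, ipiaIpsecActGroupId and ipiaIpsecActVendorId
# descriptions specify.  The dataclass and function names are this example's
# own; the vendor-specific range 32768-65535 is the one the MIB text gives.
from dataclasses import dataclass
from typing import List, Optional

VENDOR_GROUP_MIN, VENDOR_GROUP_MAX = 32768, 65535


@dataclass(frozen=True)
class IpsecActionRow:
    """The columns of an ipiaIpsecActionEntry that decide the phase 2 group."""
    name: str             # ipiaIpsecActName
    use_pfs: bool         # ipiaIpsecActUsePfs
    use_ike_group: bool   # ipiaIpsecActUseIkeGroup
    group_id: int         # ipiaIpsecActGroupId (IkeGroupDescription)
    vendor_id: bytes      # ipiaIpsecActVendorId (OCTET STRING, b"" = none)


@dataclass(frozen=True)
class Phase2Group:
    """Selected group; group_id None means no phase 2 DH exchange (no PFS)."""
    group_id: Optional[int]
    vendor_id: bytes = b""


def is_vendor_group(group_id: int) -> bool:
    """True when the group number lies in the vendor-specific range."""
    return VENDOR_GROUP_MIN <= group_id <= VENDOR_GROUP_MAX


def configuration_problems(row: IpsecActionRow) -> List[str]:
    """Consistency checks worth running before the row goes active(1)."""
    problems = []
    if (row.use_pfs and not row.use_ike_group
            and is_vendor_group(row.group_id) and not row.vendor_id):
        problems.append(f"{row.name}: vendor-specific ipiaIpsecActGroupId "
                        f"{row.group_id} needs a non-empty ipiaIpsecActVendorId")
    return problems


def select_phase2_group(row: IpsecActionRow, phase1_group: int) -> Phase2Group:
    """Group to propose in phase 2, applying the rules in the MIB's order:

    * UsePfs false: no phase 2 DH exchange, UseIkeGroup is ignored.
    * UsePfs true, UseIkeGroup true: reuse the phase 1 group.
    * UsePfs true, UseIkeGroup false: use ipiaIpsecActGroupId; a value in the
      vendor-specific range is qualified by the VendorID, which must be present.
    """
    if not row.use_pfs:
        return Phase2Group(group_id=None)
    if row.use_ike_group:
        return Phase2Group(group_id=phase1_group)
    if is_vendor_group(row.group_id):
        problems = configuration_problems(row)
        if problems:
            raise ValueError("; ".join(problems))
        return Phase2Group(group_id=row.group_id, vendor_id=row.vendor_id)
    return Phase2Group(group_id=row.group_id)
```

   An agent that runs configuration_problems() when a row transitions to
   active(1) can return inconsistentValue instead of leaving a row that
   can never produce a valid phase 2 proposal.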

   ipiaIpsecActGranularity OBJECT-TYPE
       SYNTAX      INTEGER { subnet(1), address(2), protocol(3),
                             port(4) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies how the proposed selector for the
            security association will be created.  The selector is
            created by using the FilterList information.  The selector
            can be subnet, address, protocol, or port."
       ::= { ipiaIpsecActionEntry 9 }

   ipiaIpsecActMode OBJECT-TYPE
       SYNTAX      INTEGER { tunnel(1), transport(2) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the encapsulation of the IPsec SA
            to be negotiated."
       DEFVAL { tunnel }
       ::= { ipiaIpsecActionEntry 10 }

   ipiaIpsecActDFHandling OBJECT-TYPE
       SYNTAX      INTEGER { copy(1), set(2), clear(3) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the processing of DF bit by the
            negotiated IPsec tunnel.
            1 - DF bit is copied.
            2 - DF bit is set.
            3 - DF bit is cleared."
       DEFVAL { copy }
       ::= { ipiaIpsecActionEntry 11 }

   ipiaIpsecActDoActionLogging OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIpsecActDoActionLogging specifies whether or not an
            audit message should be logged when this ipsec SA is
            created."
        DEFVAL { false }
       ::= { ipiaIpsecActionEntry 12 }

   ipiaIpsecActDoPacketLogging OBJECT-TYPE
       SYNTAX      SpdIPPacketLogging
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIpsecActDoPacketLogging specifies whether or not an
            audit message should be logged and if there is logging, how
            many bytes of the packet to place in the notification."
        DEFVAL { -1 }
       ::= { ipiaIpsecActionEntry 13 }

   ipiaIpsecActLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecActionEntry 14 }

   ipiaIpsecActStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecActionEntry 15 }

   ipiaIpsecActRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active if it is
            referenced by a row in another table."
       ::= { ipiaIpsecActionEntry 16 }

   --
   -- ipiaSaNegotiationParametersTable
   --

   --   PROPERTIES   MinLifetimeSeconds
   --                MinLifetimeKilobytes
   --                RefreshThresholdSeconds
   --                RefreshThresholdKilobytes
   --                IdleDurationSeconds

   ipiaSaNegotiationParametersTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaSaNegotiationParametersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains reusable parameters that can be pointed
            to by the ipiaIkeActionTable and ipiaIpsecActionTable.
            These parameters are reusable since it is likely an
            administrator will want to make global policy changes to
            lifetime parameters that apply to multiple actions.  This
            table allows multiple rows in the other actions tables to
            reuse global lifetime parameters in this table by
            repeatedly pointing to a row contained within this table."
       ::= { ipiaConfigObjects 8 }

   ipiaSaNegotiationParametersEntry OBJECT-TYPE
       SYNTAX      IpiaSaNegotiationParametersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Contains the attributes of one row in the
            ipiaSaNegotiationParametersTable."
       INDEX       { ipiaSaNegParamName }
       ::= { ipiaSaNegotiationParametersTable 1 }

   IpiaSaNegotiationParametersEntry ::= SEQUENCE {
       ipiaSaNegParamName                  SnmpAdminString,
       ipiaSaNegParamMinLifetimeSecs       Unsigned32,
       ipiaSaNegParamMinLifetimeKB         Unsigned32,
       ipiaSaNegParamRefreshThreshSecs     Unsigned32,
       ipiaSaNegParamRefreshThresholdKB    Unsigned32,
       ipiaSaNegParamIdleDurationSecs      Unsigned32,
       ipiaSaNegParamLastChanged           TimeStamp,
       ipiaSaNegParamStorageType           StorageType,
       ipiaSaNegParamRowStatus             RowStatus
   }

   ipiaSaNegParamName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object contains the administrative name of this
            SaNegotiationParametersEntry.  This row can be referred
            to by this name in other policy action tables."
       ::= { ipiaSaNegotiationParametersEntry 1 }

   ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
            lifetime that will be accepted from the peer."
       ::= { ipiaSaNegotiationParametersEntry 2 }

   ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
            lifetime that will be accepted from the peer."
       ::= { ipiaSaNegotiationParametersEntry 3 }

   ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
       SYNTAX      Unsigned32 (1..100)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamRefreshThreshSecs specifies what percentage
            of the seconds lifetime can expire before IKE should
            attempt to renegotiate the IPsec security association.  A
            value between 1 and 100 representing a percentage.  A value
            of 100 indicates that the IPsec security association should
            not be renegotiated until the seconds lifetime has been
            completely reached."
       ::= { ipiaSaNegotiationParametersEntry 4 }

   ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
       SYNTAX      Unsigned32 (1..100)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamRefreshThresholdKB specifies what percentage
            of the kilobyte lifetime can expire before IKE should
            attempt to renegotiate the IPsec security association.  A
            value between 1 and 100 representing a percentage.  A value
            of 100 indicates that the IPsec security association should
            not be renegotiated until the kilobyte lifetime has been
            reached."
       ::= { ipiaSaNegotiationParametersEntry 5 }

   ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamIdleDurationSecs specifies how many seconds a
            security association may remain idle (i.e., no traffic
            protected using the security association) before it is
            deleted.  A value of zero indicates that idle detection
            should not be used for the security association.  Any
            non-zero value indicates the number of seconds the security
            association may remain unused."
       ::= { ipiaSaNegotiationParametersEntry 6 }

   ipiaSaNegParamLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaSaNegotiationParametersEntry 7 }

   ipiaSaNegParamStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaSaNegotiationParametersEntry 8 }

   ipiaSaNegParamRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object may not be set to destroy if referred to by
            other rows in other action tables."
       ::= { ipiaSaNegotiationParametersEntry 9 }
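   Both ipiaIkeActRowStatus and ipiaSaNegParamRowStatus forbid destroying a
   row that other action tables still refer to, and ipiaIpsecActRowStatus
   requires a referenced active row to stay active.  The Python below is an
   added example, not code from this draft or from any agent implementing
   it, of the referential-integrity check an agent would apply before
   honouring such a SET.  The in-memory tables, their keys and the sample
   rows are constructed for illustration; only the MIB object names in the
   comments come from the draft.

```python
# Added example, not code from the draft: refusing RowStatus destroy(6) on
# ipiaSaNegotiationParametersTable and ipiaIkeActionTable rows while other
# rows still reference them.  The PolicyStore model and its sample contents
# are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# RowStatus values from SNMPv2-TC.
ACTIVE, NOT_IN_SERVICE, DESTROY = 1, 2, 6


@dataclass
class PolicyStore:
    # ipiaSaNegotiationParametersTable: ipiaSaNegParamName -> row
    sa_neg_params: Dict[str, dict] = field(default_factory=dict)
    # ipiaIkeActionTable: ipiaIkeActName -> row
    ike_actions: Dict[str, dict] = field(default_factory=dict)
    # ipiaIpsecActionTable: ipiaIpsecActName -> row
    ipsec_actions: Dict[str, dict] = field(default_factory=dict)
    # ipiaIkeActionProposalsTable: (ipiaIkeActName, ipiaIkeActPropPriority) -> row
    ike_action_proposals: Dict[Tuple[str, int], dict] = field(default_factory=dict)

    def referrers_of_sa_neg_param(self, name: str) -> List[str]:
        """Action rows whose ParametersName column points at this row."""
        refs = [f"ipiaIkeActionTable/{k}" for k, r in self.ike_actions.items()
                if r.get("ipiaIkeActParametersName") == name]
        refs += [f"ipiaIpsecActionTable/{k}" for k, r in self.ipsec_actions.items()
                 if r.get("ipiaIpsecActParametersName") == name]
        return refs

    def referrers_of_ike_action(self, name: str) -> List[str]:
        """Proposal rows whose first index component is this IKE action."""
        return [f"ipiaIkeActionProposalsTable/{k[0]}.{k[1]}"
                for k in self.ike_action_proposals if k[0] == name]

    def set_row_status(self, table: str, key: str, value: int) -> bool:
        """Apply a RowStatus SET; False means the agent should answer
        inconsistentValue and leave the row untouched."""
        if table == "ipiaSaNegotiationParametersTable":
            rows, refs = self.sa_neg_params, self.referrers_of_sa_neg_param(key)
        elif table == "ipiaIkeActionTable":
            rows, refs = self.ike_actions, self.referrers_of_ike_action(key)
        else:
            raise KeyError(table)
        if key not in rows:
            return False
        if value == DESTROY:
            if refs:                      # still referenced: refuse the SET
                return False
            del rows[key]
            return True
        rows[key]["RowStatus"] = value
        return True


def build_sample_store() -> PolicyStore:
    """Constructed sample data, not taken from the draft."""
    s = PolicyStore()
    s.sa_neg_params["default-lifetimes"] = {"RowStatus": ACTIVE}
    s.sa_neg_params["short-lived"] = {"RowStatus": ACTIVE}
    s.ike_actions["ike-main-psk"] = {"ipiaIkeActParametersName": "default-lifetimes",
                                     "RowStatus": ACTIVE}
    s.ipsec_actions["esp-tunnel"] = {"ipiaIpsecActParametersName": "default-lifetimes",
                                     "RowStatus": ACTIVE}
    s.ike_action_proposals[("ike-main-psk", 10)] = {"ipiaIkeActPropName": "prop-1",
                                                    "RowStatus": ACTIVE}
    return s
```

   The check matters operationally: a destroyed lifetime row that an
   active action still names would leave that action without negotiation
   parameters, so the agent refuses the SET rather than silently breaking
   the policy.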

   --
   -- ipiaIkeActionProposalsTable proposals contained within a ikeAction
   --

   ipiaIkeActionProposalsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIkeActionProposalsEntry
       MAX-ACCESS   not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of all ike proposal names found
            within a given IKE Action."
       ::= { ipiaConfigObjects 9 }

   ipiaIkeActionProposalsEntry OBJECT-TYPE
       SYNTAX      IpiaIkeActionProposalsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row containing one IKE proposal reference."
       INDEX   { ipiaIkeActName, ipiaIkeActPropPriority }
       ::= { ipiaIkeActionProposalsTable 1 }

   IpiaIkeActionProposalsEntry ::= SEQUENCE {
       ipiaIkeActPropPriority                   Integer32,
       ipiaIkeActPropName                       SnmpAdminString,
       ipiaIkeActPropLastChanged                TimeStamp,
       ipiaIkeActPropStorageType                StorageType,
       ipiaIkeActPropRowStatus                  RowStatus
   }

   ipiaIkeActPropPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The numeric priority of a given contained proposal inside
            an ike Action.  This index should be used to order the
            proposals in an IKE Phase I negotiation, lowest value
            first."
       ::= { ipiaIkeActionProposalsEntry 1 }

   ipiaIkeActPropName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The administratively assigned name that can be used to
            reference a set of values contained within the
            ipiaIkeProposalTable."
       ::= { ipiaIkeActionProposalsEntry 2 }


   ipiaIkeActPropLastChanged OBJECT-TYPE
       SYNTAX           TimeStamp
       MAX-ACCESS       read-only
       STATUS           current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeActionProposalsEntry 3 }

   ipiaIkeActPropStorageType OBJECT-TYPE
       SYNTAX           StorageType
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeActionProposalsEntry 4 }

   ipiaIkeActPropRowStatus OBJECT-TYPE
       SYNTAX           RowStatus
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified."
       ::= { ipiaIkeActionProposalsEntry 5 }


   --
   -- IKE proposal definition table
   --

   ipiaIkeProposalTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIkeProposalEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of IKE proposals which are used
            in an IKE negotiation."
       ::= { ipiaConfigObjects 10 }

   ipiaIkeProposalEntry OBJECT-TYPE
       SYNTAX      IpiaIkeProposalEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "One IKE proposal entry."
       INDEX       { ipiaIkeActPropName }
       ::= { ipiaIkeProposalTable 1 }

   IpiaIkeProposalEntry ::= SEQUENCE {
       ipiaIkePropLifetimeDerivedKeys     Unsigned32,
       ipiaIkePropCipherAlgorithm         IkeEncryptionAlgorithm,
       ipiaIkePropCipherKeyLength         Unsigned32,
       ipiaIkePropCipherKeyRounds         Unsigned32,
       ipiaIkePropHashAlgorithm           IkeHashAlgorithm,
       ipiaIkePropPrfAlgorithm            INTEGER,
       ipiaIkePropVendorId                OCTET STRING,
       ipiaIkePropDhGroup                 IkeGroupDescription,
       ipiaIkePropAuthenticationMethod    IkeAuthMethod,
       ipiaIkePropMaxLifetimeSecs         Unsigned32,
       ipiaIkePropMaxLifetimeKB           Unsigned32,
       ipiaIkePropLastChanged             TimeStamp,
       ipiaIkePropStorageType             StorageType,
       ipiaIkePropRowStatus               RowStatus
   }

   ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropLifetimeDerivedKeys specifies the number of
            times that a phase 1 key will be used to derive a phase 2
            key before the phase 1 security association needs to be
            renegotiated."
       ::= { ipiaIkeProposalEntry 1 }
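   The lifetime policy is spread over several objects: the minimum peer
   lifetimes, refresh thresholds and idle timeout in the
   ipiaSaNegotiationParametersTable, the derived-key limit just defined
   (ipiaIkePropLifetimeDerivedKeys) scaled by ipiaIkeActThresholdDerivedKeys
   in the IKE action, and the 8-hour default that ipiaIkePropMaxLifetimeSecs
   falls back to.  The Python below is an added example, not code from this
   draft or from any implementation of it, that evaluates these together
   against an SA's counters.  The class, function and field names are the
   example's own; the percentage ranges and the 8-hour default are the
   values the MIB descriptions state, and the row values and counters used
   with it are constructed.

```python
# Added example, not code from the draft: the lifetime and rekey policy the
# MIB spreads over ipiaIkeActThresholdDerivedKeys, the
# ipiaSaNegotiationParametersTable columns, ipiaIkePropLifetimeDerivedKeys
# and ipiaIkePropMaxLifetimeSecs, evaluated against an SA's counters.  Names
# are this example's own; the 8-hour default and percentage ranges are the
# ones the MIB descriptions give.
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_PHASE1_LIFETIME_SECS = 8 * 3600   # used when ipiaIkePropMaxLifetimeSecs == 0


@dataclass(frozen=True)
class SaNegParams:
    """One ipiaSaNegotiationParametersEntry."""
    min_lifetime_secs: int        # ipiaSaNegParamMinLifetimeSecs
    min_lifetime_kb: int          # ipiaSaNegParamMinLifetimeKB
    refresh_thresh_secs_pct: int  # ipiaSaNegParamRefreshThreshSecs (1..100)
    refresh_thresh_kb_pct: int    # ipiaSaNegParamRefreshThresholdKB (1..100)
    idle_duration_secs: int       # ipiaSaNegParamIdleDurationSecs (0 = off)

    def __post_init__(self) -> None:
        for pct in (self.refresh_thresh_secs_pct, self.refresh_thresh_kb_pct):
            if not 1 <= pct <= 100:
                raise ValueError("refresh thresholds are percentages in 1..100")


def peer_lifetime_acceptable(p: SaNegParams, peer_secs: int, peer_kb: int) -> bool:
    """Refuse a peer whose offered lifetimes fall below the configured
    minimums, so the peer cannot negotiate an SA shorter-lived than policy."""
    return peer_secs >= p.min_lifetime_secs and peer_kb >= p.min_lifetime_kb


def refresh_points(p: SaNegParams, lifetime_secs: int, lifetime_kb: int) -> Tuple[int, int]:
    """Age (seconds) and traffic (KB) at which IKE should start renegotiating.
    A threshold of 100 means only once the lifetime is completely reached."""
    return (lifetime_secs * p.refresh_thresh_secs_pct // 100,
            lifetime_kb * p.refresh_thresh_kb_pct // 100)


def phase1_effective_lifetime_secs(max_lifetime_secs: int) -> int:
    """ipiaIkePropMaxLifetimeSecs, with 0 meaning the 8-hour default."""
    return max_lifetime_secs or DEFAULT_PHASE1_LIFETIME_SECS


def derived_key_refresh_point(lifetime_derived_keys: int, threshold_pct: int) -> int:
    """Phase 2 derivations after which phase 1 should be renegotiated:
    ipiaIkePropLifetimeDerivedKeys scaled by ipiaIkeActThresholdDerivedKeys."""
    if not 0 <= threshold_pct <= 100:
        raise ValueError("ipiaIkeActThresholdDerivedKeys is 0..100")
    return lifetime_derived_keys * threshold_pct // 100


def sa_actions(p: SaNegParams, lifetime_secs: int, lifetime_kb: int,
               age_secs: int, kb_used: int, idle_secs: int) -> List[str]:
    """What an SA with the given (constructed) counters needs right now."""
    actions = []
    secs_point, kb_point = refresh_points(p, lifetime_secs, lifetime_kb)
    if age_secs >= secs_point:
        actions.append("rekey:seconds")
    if kb_used >= kb_point:
        actions.append("rekey:kilobytes")
    if p.idle_duration_secs and idle_secs >= p.idle_duration_secs:
        actions.append("delete:idle")
    return actions
```

   Integer percentages are applied with floor division here; an
   implementation that rounds differently still honours the MIB as long as
   a threshold of 100 triggers only at the full lifetime.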

   ipiaIkePropCipherAlgorithm OBJECT-TYPE
       SYNTAX      IkeEncryptionAlgorithm
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropCipherAlgorithm specifies the proposed phase 1
            security association encryption algorithm."
       ::= { ipiaIkeProposalEntry 2 }

   ipiaIkePropCipherKeyLength OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies, in bits, the key length for
            the cipher algorithm used in IKE Phase 1 negotiation."
       ::= { ipiaIkeProposalEntry 3 }

   ipiaIkePropCipherKeyRounds OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the number of key rounds for
            the cipher algorithm used in IKE Phase 1 negotiation."
       ::= { ipiaIkeProposalEntry 4 }

   ipiaIkePropHashAlgorithm OBJECT-TYPE
       SYNTAX      IkeHashAlgorithm
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropHashAlgorithm specifies the proposed phase 1
            security association hash algorithm."
       ::= { ipiaIkeProposalEntry 5 }

   ipiaIkePropPrfAlgorithm OBJECT-TYPE
       SYNTAX      INTEGER { reserved(0) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropPrfAlgorithm specifies the proposed phase 1 security
            association pseudo-random function.

            Note: currently no prf algorithms are defined."
       ::= { ipiaIkeProposalEntry 6 }

   ipiaIkePropVendorId OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..255))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The VendorID property is used to identify vendor-defined
            key exchange GroupIDs."
       ::= { ipiaIkeProposalEntry 7 }

   ipiaIkePropDhGroup OBJECT-TYPE
       SYNTAX      IkeGroupDescription
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the proposed phase 1 security
            association Diffie-Hellman group."
       ::= { ipiaIkeProposalEntry 8 }

   ipiaIkePropAuthenticationMethod OBJECT-TYPE
       SYNTAX      IkeAuthMethod
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the proposed authentication
            method for the phase 1 security association."
       ::= { ipiaIkeProposalEntry 9 }

   ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropMaxLifetimeSecs specifies the maximum amount of
            time to propose a security association remain valid.

            A value of 0 indicates that the default lifetime of
            8 hours should be used."
       ::= { ipiaIkeProposalEntry 10 }

   ipiaIkePropMaxLifetimeKB OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropMaxLifetimeKB specifies the maximum kilobyte
            lifetime to propose a security association remain valid."
       ::= { ipiaIkeProposalEntry 11 }

   ipiaIkePropLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeProposalEntry 12 }

   ipiaIkePropStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeProposalEntry 13 }

   ipiaIkePropRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified."
       ::= { ipiaIkeProposalEntry 14 }


   --
   -- ipiaIpsecProposalsTable
   --


   ipiaIpsecProposalsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecProposalsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists one or more IPsec proposals for
            IPsec actions."
       ::= { ipiaConfigObjects 11 }

   ipiaIpsecProposalsEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecProposalsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing (possibly a portion of) a proposal."
       INDEX       { ipiaIpsecPropName, ipiaIpsecPropPriority,
                     ipiaIpsecPropProtocolId }
       ::= { ipiaIpsecProposalsTable 1 }

   IpiaIpsecProposalsEntry ::= SEQUENCE {
       ipiaIpsecPropName                   SnmpAdminString,
       ipiaIpsecPropPriority               Integer32,
       ipiaIpsecPropProtocolId             IpsecDoiSecProtocolId,
       ipiaIpsecPropTransformsName         SnmpAdminString,
       ipiaIpsecPropLastChanged            TimeStamp,
       ipiaIpsecPropStorageType            StorageType,
       ipiaIpsecPropRowStatus              RowStatus
   }

   ipiaIpsecPropName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name of this proposal."
       ::= { ipiaIpsecProposalsEntry 1 }

   ipiaIpsecPropPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority level (AKA sequence level) of this proposal.
            A lower number indicates a higher precedence."
       ::= { ipiaIpsecProposalsEntry 2 }

   ipiaIpsecPropProtocolId OBJECT-TYPE
       SYNTAX      IpsecDoiSecProtocolId
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The protocol Id for the transforms for this proposal.  The
            protoIsakmp(1) value is not valid for this object.  This
            object, along with the ipiaIpsecPropTransformsName, is the
            index into the ipiaIpsecTransformsTable."
       ::= { ipiaIpsecProposalsEntry 3 }

   ipiaIpsecPropTransformsName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name of the transform or group of transforms for this
            protocol.  This object, along with the
            ipiaIpsecPropProtocolId, is the index into the
            ipiaIpsecTransformsTable."
       ::= { ipiaIpsecProposalsEntry 4 }

   ipiaIpsecPropLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecProposalsEntry 5 }

   ipiaIpsecPropStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecProposalsEntry 6 }

   ipiaIpsecPropRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This row may not be set to active until the corresponding
            row in the ipiaIpsecTransformsTable exists and is active."
       ::= { ipiaIpsecProposalsEntry 7 }

   --
   -- ipiaIpsecTransformsTable
   --


   ipiaIpsecTransformsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecTransformsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists the IPsec proposals contained within a
            given IPsec action and the transforms within each of those
            proposals.  These proposals and transforms can then be used
            to create phase 2 negotiation proposals."
       ::= { ipiaConfigObjects 12 }

   ipiaIpsecTransformsEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecTransformsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the information on an IPsec transform."
       INDEX       { ipiaIpsecTranType, ipiaIpsecTranName,
                     ipiaIpsecTranPriority }
       ::= { ipiaIpsecTransformsTable 1 }

   IpiaIpsecTransformsEntry ::= SEQUENCE {
       ipiaIpsecTranType                        IpsecDoiSecProtocolId,
       ipiaIpsecTranName                        SnmpAdminString,
       ipiaIpsecTranPriority                    Integer32,
       ipiaIpsecTranTransformName               SnmpAdminString,
       ipiaIpsecTranLastChanged                 TimeStamp,
       ipiaIpsecTranStorageType                 StorageType,
       ipiaIpsecTranRowStatus                   RowStatus
   }

   ipiaIpsecTranType OBJECT-TYPE
       SYNTAX      IpsecDoiSecProtocolId
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The protocol type for this transform.  The protoIsakmp(1)
            value is not valid for this object."
       ::= { ipiaIpsecTransformsEntry 1 }

   ipiaIpsecTranName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name for this transform or group of transforms."
       ::= { ipiaIpsecTransformsEntry 2 }

   ipiaIpsecTranPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority level (AKA sequence level) of this transform
            within the group of transforms.  This indicates the
            preference for which algorithms are requested when the list
            of transforms is sent to the remote host.  A lower number
            indicates a higher precedence."
       ::= { ipiaIpsecTransformsEntry 3 }

   ipiaIpsecTranTransformName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name for the given transform.  Depending on the value
            of ipiaIpsecTranType, this value should be used to lookup
            the transform's specific parameters in the
            ipiaAhTransformTable, the ipiaEspTransformTable or the
            ipiaIpcompTransformTable."
       ::= { ipiaIpsecTransformsEntry 4 }

   ipiaIpsecTranLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecTransformsEntry 5 }

   ipiaIpsecTranStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecTransformsEntry 6 }

   ipiaIpsecTranRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This row may not be set to active until the corresponding
            row in the ipiaAhTransformTable, ipiaEspTransformTable or
            the ipiaIpcompTransformTable exists."
       ::= { ipiaIpsecTransformsEntry 7 }
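
   The two RowStatus clauses above impose an ordering on row creation:
   an ipiaIpsecTransformsTable row may go active only once the AH, ESP
   or IPcomp transform row it names exists, and an
   ipiaIpsecProposalsTable row only once a transforms row with the
   matching (protocol, name) index exists and is itself active.  The
   Python below is an added illustration of that check; it is not code
   from this draft or from any agent implementation.  It models the
   tables as dictionaries keyed by their INDEX objects, uses the
   IpsecDoiSecProtocolId numbering from RFC 2407 section 4.4.1 (ISAKMP
   1, AH 2, ESP 3, IPCOMP 4), and returns the SNMPv2 error-status name
   an agent would answer with; all row contents and transform names are
   constructed for the example.

```python
"""Added example: the RowStatus activation order between ipiaIpsecProposalsTable,
ipiaIpsecTransformsTable and the per-protocol transform tables.  Not part of the
draft; every row below is constructed for the illustration."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ACTIVE, NOT_READY = 1, 3                                         # RowStatus (RFC 2579)
PROTO_ISAKMP, PROTO_AH, PROTO_ESP, PROTO_IPCOMP = 1, 2, 3, 4     # RFC 2407 section 4.4.1

# (ipiaIpsecPropName, ipiaIpsecPropPriority, ipiaIpsecPropProtocolId)
ProposalIndex = Tuple[str, int, int]
# (ipiaIpsecTranType, ipiaIpsecTranName, ipiaIpsecTranPriority)
TransformIndex = Tuple[int, str, int]


@dataclass
class Tables:
    proposals: Dict[ProposalIndex, dict] = field(default_factory=dict)
    transforms: Dict[TransformIndex, dict] = field(default_factory=dict)
    ah: Set[str] = field(default_factory=set)       # names in ipiaAhTransformTable
    esp: Set[str] = field(default_factory=set)      # names in ipiaEspTransformTable
    ipcomp: Set[str] = field(default_factory=set)   # names in ipiaIpcompTransformTable


def transform_can_activate(t: Tables, idx: TransformIndex) -> Tuple[bool, str]:
    """ipiaIpsecTranRowStatus: the AH/ESP/IPcomp row named by ipiaIpsecTranTransformName
    must exist (the draft does not require it to be active).  protoIsakmp(1) is never
    a valid ipiaIpsecTranType."""
    proto = idx[0]
    per_proto = {PROTO_AH: ("ipiaAhTransformTable", t.ah),
                 PROTO_ESP: ("ipiaEspTransformTable", t.esp),
                 PROTO_IPCOMP: ("ipiaIpcompTransformTable", t.ipcomp)}
    if proto not in per_proto:
        return False, "ipiaIpsecTranType %d is not an IPsec protocol" % proto
    table_name, names = per_proto[proto]
    name = t.transforms[idx]["transformName"]
    if name not in names:
        return False, "no row named %r in %s" % (name, table_name)
    return True, "ok"


def proposal_can_activate(t: Tables, idx: ProposalIndex) -> Tuple[bool, str]:
    """ipiaIpsecPropRowStatus: some ipiaIpsecTransformsTable row indexed by this row's
    (ipiaIpsecPropProtocolId, ipiaIpsecPropTransformsName) must exist and be active."""
    proto = idx[2]
    if proto == PROTO_ISAKMP:
        return False, "protoIsakmp(1) is not valid for ipiaIpsecPropProtocolId"
    group = t.proposals[idx]["transformsName"]
    matching = [r for (tp, nm, _), r in t.transforms.items() if (tp, nm) == (proto, group)]
    if not matching:
        return False, "no ipiaIpsecTransformsTable row for (%d, %r)" % (proto, group)
    if not any(r["rowStatus"] == ACTIVE for r in matching):
        return False, "transforms rows for %r exist but none is active" % group
    return True, "ok"


def set_active(t: Tables, table: str, idx) -> str:
    """Emulate an SNMP SET of RowStatus = active(1) on one row and return the error
    status an agent would answer with.  RFC 2579 prescribes inconsistentValue when the
    row does not exist or is not ready; the row changes state only on noError."""
    rows, check = {"proposal": (t.proposals, proposal_can_activate),
                   "transform": (t.transforms, transform_can_activate)}[table]
    if idx not in rows:
        return "inconsistentValue"
    ok, _reason = check(t, idx)
    if not ok:
        return "inconsistentValue"
    rows[idx]["rowStatus"] = ACTIVE
    return "noError"


def sample_tables() -> Tables:
    """Constructed rows: one ESP proposal whose transform group has two members, only
    one of which has a backing ipiaEspTransformTable row."""
    t = Tables()
    t.proposals[("esp-only", 1, PROTO_ESP)] = {"transformsName": "esp-group", "rowStatus": NOT_READY}
    t.transforms[(PROTO_ESP, "esp-group", 1)] = {"transformName": "esp-aes-sha1", "rowStatus": NOT_READY}
    t.transforms[(PROTO_ESP, "esp-group", 2)] = {"transformName": "esp-3des-md5", "rowStatus": NOT_READY}
    t.esp.add("esp-aes-sha1")        # esp-3des-md5 deliberately has no ESP transform row
    return t


if __name__ == "__main__":
    t = sample_tables()
    # Bottom-up order succeeds; activating the proposal first does not.
    print(set_active(t, "proposal", ("esp-only", 1, PROTO_ESP)))       # inconsistentValue
    print(set_active(t, "transform", (PROTO_ESP, "esp-group", 1)))    # noError
    print(set_active(t, "transform", (PROTO_ESP, "esp-group", 2)))    # inconsistentValue
    print(set_active(t, "proposal", ("esp-only", 1, PROTO_ESP)))       # noError
```

   A manager that creates rows top-down (proposal first) will see
   inconsistentValue until the underlying transform rows are in place,
   so configuration scripts should create the per-protocol transform
   row, then the ipiaIpsecTransformsTable row, then the proposal, and
   activate in that order.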


   --
   -- IKE identity definition table
   --

   ipiaIkeIdentityTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIkeIdentityEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IKEIdentity is used to represent the identities that may be
            used for an IPProtocolEndpoint (or collection of
            IPProtocolEndpoints) to identify itself in IKE phase 1
            negotiations.  The column ikeIdentityName in an
            ipiaIkeActionEntry together with the spdEndGroupIdentType
            and the spdEndGroupAddress in the
            PolicyEndpointToGroupTable specifies the unique identity to
            use in a negotiation exchange."
       ::= { ipiaConfigObjects 13 }

   ipiaIkeIdentityEntry OBJECT-TYPE
       SYNTAX      IpiaIkeIdentityEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "ikeIdentity lists the attributes of an IKE identity."
       INDEX { spdEndGroupIdentType, spdEndGroupAddress,
                ipiaIkeActIdentityType, ipiaIkeActIdentityContext }
       ::= { ipiaIkeIdentityTable 1 }

   IpiaIkeIdentityEntry ::= SEQUENCE {
       ipiaIkeIdCredentialName                 SnmpAdminString,
       ipiaIkeIdLastChanged                    TimeStamp,
       ipiaIkeIdStorageType                    StorageType,
       ipiaIkeIdRowStatus                      RowStatus
   }

   ipiaIkeIdCredentialName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is used as an index into the ipiaCredentialTable
            to look up the actual credential value and other credential
            information.

            For IDs without associated credential information, this
            value is left blank.

            For IDs that are address types, this value may be left
            blank, in which case the associated IPProtocolEndpoint or
            the appropriate member of the collection of endpoints is
            used."
       ::= { ipiaIkeIdentityEntry 1 }

   ipiaIkeIdLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeIdentityEntry 2 }

   ipiaIkeIdStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeIdentityEntry 3 }

   ipiaIkeIdRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active if it is
            referenced by a row in another table."
       ::= { ipiaIkeIdentityEntry 4 }


   --
   -- autostart IKE Table
   --

   ipiaAutostartIkeTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaAutostartIkeEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The parameters in the autostart IKE table are used to
            automatically initiate IKE phase I and phase II (i.e.,
            IPsec) negotiations on startup.  They will also initiate
            IKE phase I and II negotiations for a row at the time of
            that row's creation."
       ::= { ipiaConfigObjects 14 }

   ipiaAutostartIkeEntry OBJECT-TYPE
       SYNTAX      IpiaAutostartIkeEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An autostart IKE entry provides the set of parameters
            needed to automatically start IKE and IPsec SAs."
       INDEX { ipiaAutoIkePriority }
       ::= { ipiaAutostartIkeTable 1 }

   IpiaAutostartIkeEntry ::= SEQUENCE {
       ipiaAutoIkePriority                     Integer32,
       ipiaAutoIkeAction                       VariablePointer,
       ipiaAutoIkeAddressType                  InetAddressType,
       ipiaAutoIkeSourceAddress                InetAddress,
       ipiaAutoIkeSourcePort                   InetPortNumber,
       ipiaAutoIkeDestAddress                  InetAddress,
       ipiaAutoIkeDestPort                     InetPortNumber,
       ipiaAutoIkeProtocol                     Unsigned32,
       ipiaAutoIkeLastChanged                  TimeStamp,
       ipiaAutoIkeStorageType                  StorageType,
       ipiaAutoIkeRowStatus                    RowStatus
   }

   ipiaAutoIkePriority  OBJECT-TYPE
       SYNTAX       Integer32 (0..65535)
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
           "ipiaAutoIkePriority is the index into the
            ipiaAutostartIkeTable and can be used to order the
            autostart IKE actions."
       ::= { ipiaAutostartIkeEntry 1 }

   ipiaAutoIkeAction   OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This pointer is used to point to the action or compound
            action that should be initiated by this row."
       ::= { ipiaAutostartIkeEntry 2 }

   ipiaAutoIkeAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The property ipiaAutoIkeAddressType specifies the format of
            the ipiaAutoIkeSourceAddress and ipiaAutoIkeDestAddress
            values.

            Values of unknown, ipv4z, ipv6z and dns are not legal
            values for this object."
       ::= { ipiaAutostartIkeEntry 3 }

   ipiaAutoIkeSourceAddress OBJECT-TYPE
       SYNTAX           InetAddress
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The property ipiaAutoIkeSourceAddress specifies the source
            IP address for autostarting IKE SAs, formatted according to
            the convention defined by the ipiaAutoIkeAddressType
            property."
       ::= { ipiaAutostartIkeEntry 4 }

   ipiaAutoIkeSourcePort OBJECT-TYPE
       SYNTAX        InetPortNumber
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "The property ipiaAutoIkeSourcePort specifies the port
            number for the source port for autostarting IKE SAs.

            The value of 0 for this object is illegal."
       ::= { ipiaAutostartIkeEntry 5 }

   ipiaAutoIkeDestAddress OBJECT-TYPE
       SYNTAX           InetAddress
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The property ipiaAutoIkeDestAddress specifies the
            Destination IP address for autostarting IKE SA's, formatted
            according to the appropriate convention as defined in the
            ipiaAutoIkeAddressType property."
       ::= { ipiaAutostartIkeEntry 6 }

   ipiaAutoIkeDestPort OBJECT-TYPE
       SYNTAX        InetPortNumber
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "The property ipiaAutoIkeDestPort specifies the port number
            for the destination port for autostarting IKE SAs.

            The value of 0 for this object is illegal."
       ::= { ipiaAutostartIkeEntry 7 }

   ipiaAutoIkeProtocol OBJECT-TYPE
       SYNTAX      Unsigned32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The property ipiaAutoIkeProtocol specifies the IP protocol
            number used when comparing against policy filter entries
            and in any phase 2 negotiations."
       ::= { ipiaAutostartIkeEntry 8 }

   ipiaAutoIkeLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaAutostartIkeEntry 9 }

   ipiaAutoIkeStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaAutostartIkeEntry 10 }

   ipiaAutoIkeRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified."

       ::= { ipiaAutostartIkeEntry 11 }


   --
   -- CA Table
   --

   ipiaIpsecCredMngServiceTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecCredMngServiceEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of Credential Management Service values.  This table
            is usually used for credential/certificate values that are
            used with a management service (e.g. Certificate
            Authorities)."
       ::= { ipiaConfigObjects 15 }

   ipiaIpsecCredMngServiceEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecCredMngServiceEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the ipiaIpsecCredMngServiceTable."
       INDEX   { ipiaIcmsName }
       ::= { ipiaIpsecCredMngServiceTable 1 }

   IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
           ipiaIcmsName                SnmpAdminString,
           ipiaIcmsDistinguishedName   OCTET STRING,
           ipiaIcmsPolicyStatement     OCTET STRING,
           ipiaIcmsMaxChainLength      Integer32,
           ipiaIcmsCredentialName      SnmpAdminString,
           ipiaIcmsLastChanged         TimeStamp,
           ipiaIcmsStorageType         StorageType,
           ipiaIcmsRowStatus           RowStatus
   }

   ipiaIcmsName OBJECT-TYPE
       SYNTAX      SnmpAdminString(SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is an administratively assigned string used to index
            this table."
       ::= { ipiaIpsecCredMngServiceEntry 1 }

   ipiaIcmsDistinguishedName OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(1..256))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value represents the Distinguished Name of the
            Credential Management Service."
       ::= { ipiaIpsecCredMngServiceEntry 2 }

   ipiaIcmsPolicyStatement OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..1024))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value represents the Credential Management Service
            Policy Statement, or a reference describing how to obtain
            it (e.g., a URL).  If one doesn't exist, this value can be
            left blank."
       ::= { ipiaIpsecCredMngServiceEntry 3 }

   ipiaIcmsMaxChainLength OBJECT-TYPE
       SYNTAX      Integer32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the maximum length of the chain allowable
            from the Credential Management Service to the credential in
            question."
       DEFVAL     { 0 }
       ::= { ipiaIpsecCredMngServiceEntry 4}

   ipiaIcmsCredentialName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is used as an index into the ipiaCredentialTable
            to look up the actual credential value."
       ::= { ipiaIpsecCredMngServiceEntry 5 }

   ipiaIcmsLastChanged  OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecCredMngServiceEntry 6 }

   ipiaIcmsStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecCredMngServiceEntry 7 }

   ipiaIcmsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active if it is
             referenced by a row in another table."
       ::= { ipiaIpsecCredMngServiceEntry 8 }


   --
   -- CRL Table
   --

   ipiaCredMngCRLTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaCredMngCRLEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of the Credential Revocation Lists (CRLs) for
            credential management services."
       ::= { ipiaConfigObjects 16 }

   ipiaCredMngCRLEntry OBJECT-TYPE
       SYNTAX      IpiaCredMngCRLEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the ipiaCredMngCRLTable."
       INDEX   { ipiaIcmsName , ipiaCmcCRLName }
       ::= { ipiaCredMngCRLTable 1 }

   IpiaCredMngCRLEntry ::= SEQUENCE {
           ipiaCmcCRLName             SnmpAdminString,
           ipiaCmcDistributionPoint   OCTET STRING,
           ipiaCmcThisUpdate          OCTET STRING,
           ipiaCmcNextUpdate          OCTET STRING,
           ipiaCmcLastChanged         TimeStamp,
           ipiaCmcStorageType         StorageType,
           ipiaCmcRowStatus           RowStatus
   }

   ipiaCmcCRLName OBJECT-TYPE
       SYNTAX      SnmpAdminString(SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is an administratively assigned string used to index
            this table. It represents a CRL for a given CA from a given
            distribution point."
       ::= { ipiaCredMngCRLEntry 1 }

   ipiaCmcDistributionPoint OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..256))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value represents a distribution point for a Credential
            Revocation List.  It can be relative to the Credential
            Management Service or a full name (URL, e-mail, etc.)."
       ::= { ipiaCredMngCRLEntry 2 }

   ipiaCmcThisUpdate OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the issue date of this CRL. This
            should be in utctime or generalizedtime."
       ::= { ipiaCredMngCRLEntry 3 }

   ipiaCmcNextUpdate OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value indicates the date the next version of this CRL
            will be issued.  This should be in utctime or
            generalizedtime."
       ::= { ipiaCredMngCRLEntry 4 }

   ipiaCmcLastChanged  OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaCredMngCRLEntry 5 }

   ipiaCmcStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaCredMngCRLEntry 6 }

   ipiaCmcRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active if it is
            referenced by a row in another table."
       ::= { ipiaCredMngCRLEntry 7 }


   --
   -- Revoked Certificate Table
   --

   ipiaRevokedCertificateTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaRevokedCertificateEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of credentials revoked by credential management
            services.  That is, this table lists the certificates that
            appear on Credential Revocation Lists (CRLs)."
       ::= { ipiaConfigObjects 17 }

   ipiaRevokedCertificateEntry OBJECT-TYPE
       SYNTAX      IpiaRevokedCertificateEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the ipiaRevokedCertificateTable."
       INDEX   { ipiaCmcCRLName, ipiaRctCertSerialNumber}
       ::= { ipiaRevokedCertificateTable 1 }

   IpiaRevokedCertificateEntry ::= SEQUENCE {
           ipiaRctCertSerialNumber    Unsigned32,
           ipiaRctRevokedDate         OCTET STRING,
           ipiaRctRevokedReason       INTEGER,
           ipiaRctLastChanged         TimeStamp,
           ipiaRctStorageType         StorageType,
           ipiaRctRowStatus           RowStatus
   }

   ipiaRctCertSerialNumber OBJECT-TYPE
       SYNTAX      Unsigned32 (0..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This value is the serial number of the revoked
            certificate."
       ::= { ipiaRevokedCertificateEntry 1 }

   ipiaRctRevokedDate OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the revocation date of the certificate.  This
            should be in utctime or generalizedtime."
       ::= { ipiaRevokedCertificateEntry 2 }

   ipiaRctRevokedReason OBJECT-TYPE
       SYNTAX INTEGER { reserved(0), unspecified(1), keyCompromise(2),
                        cACompromise(3), affiliationChanged(4),
                        superseded(5), cessationOfOperation(6),
                        certificateHold(7), removeFromCRL(8) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the reason this certificate was revoked."
       DEFVAL   { unspecified }
       ::= { ipiaRevokedCertificateEntry 3 }

   ipiaRctLastChanged  OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaRevokedCertificateEntry 4 }

   ipiaRctStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process may have a storage
            type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipiaRevokedCertificateEntry 5 }

   ipiaRctRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object must remain active if it is
            referenced by a row in another table."
       ::= { ipiaRevokedCertificateEntry 6 }
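
   The CRL and revoked-certificate tables above carry what a relying
   party needs to decide whether a peer's certificate is still usable:
   the issue and next-update times of each CRL (ipiaCmcThisUpdate,
   ipiaCmcNextUpdate) and, per CRL, the revoked serial numbers and
   reasons.  The Python below is an added illustration of working with
   those rows; it is not code from this draft or from any agent.  It
   parses the UTCTime/GeneralizedTime strings the draft asks for,
   treats a CRL past its nextUpdate as giving no answer rather than a
   clean result, maps X.509 CRLReason codes (RFC 3280 section 5.3.1)
   onto the ipiaRctRevokedReason enumeration by name, since the two
   numberings differ, and refuses serial numbers wider than the
   Unsigned32 index object can hold.  The CA name, CRL name, dates and
   serials are constructed for the example.

```python
"""Added example: freshness check and revocation lookup over ipiaCredMngCRLTable and
ipiaRevokedCertificateTable rows.  Not part of the draft; all rows are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# ipiaRctRevokedReason named numbers, as enumerated in the draft
MIB_REASON = {"reserved": 0, "unspecified": 1, "keyCompromise": 2, "cACompromise": 3,
              "affiliationChanged": 4, "superseded": 5, "cessationOfOperation": 6,
              "certificateHold": 7, "removeFromCRL": 8}
# X.509 CRLReason (RFC 3280 section 5.3.1); value 7 is unused there
X509_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}


def x509_reason_to_mib(code: int) -> int:
    """Translate by name, not by arithmetic: the MIB shifts codes 0..6 up by one but
    keeps removeFromCRL at 8.  Reasons the MIB has no value for map to unspecified(1)."""
    if code not in X509_REASON:
        raise ValueError("unknown CRLReason %d" % code)
    return MIB_REASON.get(X509_REASON[code], MIB_REASON["unspecified"])


def parse_asn1_time(text: str) -> datetime:
    """Accept the UTCTime (YYMMDDhhmmssZ) and GeneralizedTime (YYYYMMDDhhmmssZ) forms
    the draft asks for in ipiaCmcThisUpdate, ipiaCmcNextUpdate and ipiaRctRevokedDate.
    Only the Zulu forms RFC 3280 requires in CRLs are accepted."""
    if not text.endswith("Z"):
        raise ValueError("time must end in Z: %r" % text)
    body = text[:-1]
    if len(body) == 12:                       # UTCTime: RFC 3280 pivots two-digit years at 50
        yy = int(body[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), body[2:]
    elif len(body) == 14:                     # GeneralizedTime
        year, rest = int(body[:4]), body[4:]
    else:
        raise ValueError("malformed time: %r" % text)
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def check_serial(serial: int) -> int:
    """ipiaRctCertSerialNumber is Unsigned32; X.509 serials may be up to 20 octets
    (RFC 3280 section 4.1.2.2), so wider serials cannot be stored in this table."""
    if not 0 <= serial <= 0xFFFFFFFF:
        raise ValueError("serial %d does not fit Unsigned32" % serial)
    return serial


@dataclass
class CrlRow:        # one ipiaCredMngCRLEntry; index is (ipiaIcmsName, ipiaCmcCRLName)
    icms_name: str
    crl_name: str
    this_update: str
    next_update: str
    active: bool = True   # ipiaCmcRowStatus == active(1)


@dataclass
class RevokedRow:    # one ipiaRevokedCertificateEntry; index is (ipiaCmcCRLName, serial)
    crl_name: str
    serial: int
    revoked_date: str
    reason: int           # ipiaRctRevokedReason


def crl_is_fresh(row: CrlRow, now: datetime) -> bool:
    return parse_asn1_time(row.this_update) <= now < parse_asn1_time(row.next_update)


def revocation_status(crls: List[CrlRow], revoked: List[RevokedRow],
                      icms_name: str, crl_name: str, serial: int, now: datetime) -> str:
    """'revoked', 'good' or 'unknown'.  A CRL that is missing, not active or past its
    nextUpdate proves nothing, so the answer is 'unknown' rather than 'good'."""
    check_serial(serial)
    crl = next((c for c in crls if (c.icms_name, c.crl_name) == (icms_name, crl_name)), None)
    if crl is None or not crl.active or not crl_is_fresh(crl, now):
        return "unknown"
    # certificateHold(7) is only a suspension, but the certificate is unusable right now
    if any(r.crl_name == crl_name and r.serial == serial for r in revoked):
        return "revoked"
    return "good"


# Constructed sample rows (CA name, CRL name, dates and serials invented for the example)
SAMPLE_CRLS = [CrlRow("exampleCA", "crl1", "040101000000Z", "20040201000000Z")]
SAMPLE_REVOKED = [RevokedRow("crl1", 1001, "040115120000Z", x509_reason_to_mib(1))]
NOW = datetime(2004, 1, 19, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(revocation_status(SAMPLE_CRLS, SAMPLE_REVOKED, "exampleCA", "crl1", 1001, NOW))  # revoked
```

   Note that ipiaRevokedCertificateTable is indexed by ipiaCmcCRLName
   and the serial number only, without ipiaIcmsName, so the lookup
   assumes CRL names are unique across credential management services;
   two services that reuse a CRL name would have their revoked entries
   collide in that table.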

   --
   --
   -- Notification objects information
   --
   --

   ipiaNotificationVariables OBJECT IDENTIFIER ::=
      { ipiaNotificationObjects 1 }

   ipiaNotifications OBJECT IDENTIFIER ::=
      { ipiaNotificationObjects 0 }


   --
   --
   -- Conformance information
   --
   --

   ipiaCompliances OBJECT IDENTIFIER
       ::= { ipiaConformanceObjects 1 }
   ipiaGroups OBJECT IDENTIFIER
       ::= { ipiaConformanceObjects 2 }


   --
   -- Compliance statements
   --
   --

   ipiaIKECompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include an
            IPsec MIB implementation and supports IKE actions."
       MODULE -- This Module
           MANDATORY-GROUPS { ipiaIpsecGroup, ipiaIkeGroup,
                           ipiaStaticActionGroup, ipsaSharedGroup }

           OBJECT      ipiaIkeActRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIkeActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIkeActPropRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIkeActPropLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIkePropRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIkePropLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIpsecActRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIpsecActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIpsecPropRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIpsecPropLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIpsecTranRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIpsecTranLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaSaNegParamRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                 and createAndWait(5) is not required."

           OBJECT      ipiaSaNegParamLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIkeIdRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaIkeIdLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaAutoIkeAddressType
           SYNTAX      InetAddressType {
                   ipv4(1), ipv6(2)
           }
           DESCRIPTION
               "Only the ipv4 and ipv6 values make sense for this
                object."

           OBJECT      ipiaAutoIkeRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaAutoIkeLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaCmcDistributionPoint
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaCmcThisUpdate
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaCmcNextUpdate
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaCmcLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
               "This object is not required for compliance."

           OBJECT      ipiaCmcStorageType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaCmcRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required.  Only read-only
                access is required for compliance."

           OBJECT      ipiaRctRevokedDate
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaRctRevokedReason
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaRctLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
               "This object is not required for compliance."

           OBJECT      ipiaRctStorageType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaRctRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required. Only read-only
                access is required for compliance."

           OBJECT      ipiaIcmsDistinguishedName
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsPolicyStatement
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsMaxChainLength
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsCredentialName
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
               "This object is not required for compliance."

           OBJECT      ipiaIcmsStorageType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required.  Only read-only
                access is required for compliance."

           OBJECT      ipiaPeerIdFiltRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaPeerIdFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."


           OBJECT      ipiaCredFiltRowStatus
           SYNTAX      RowStatus {
                   active(1), createAndGo(4), destroy(6)
           }
           DESCRIPTION
               "Support of the values notInService(2), notReady(3),
                and createAndWait(5) is not required."

           OBJECT      ipiaCredFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."


       ::= { ipiaCompliances 1 }

   ipiaRuleFilterCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include an
            IKEACTION MIB implementation with IKE filters support."
       MODULE -- This Module
           MANDATORY-GROUPS { ipiaStaticFilterGroup }

           GROUP ipiaPeerIdFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support Peer Identity filters."

           GROUP ipiaCredentialFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support IKE Credential filters."

       ::= { ipiaCompliances 2 }

   --
   --
   -- Compliance Groups Definitions
   --

   --
   -- Compliance Groups
   --

   ipiaStaticFilterGroup OBJECT-GROUP
       OBJECTS { ipiaIkePhase1Filter,
                 ipiaIkePhase2Filter }
       STATUS current
       DESCRIPTION
           "The static filter group.  Currently this is just a true
            filter."
       ::= { ipiaGroups 1 }

   ipiaCredentialFilterGroup OBJECT-GROUP
       OBJECTS {
           ipiaCredFiltCredentialType, ipiaCredFiltMatchFieldName,
           ipiaCredFiltMatchFieldValue, ipiaCredFiltAcceptCredFrom,
           ipiaCredFiltLastChanged, ipiaCredFiltStorageType,
           ipiaCredFiltRowStatus,

           ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
           ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
           ipiaCmcRowStatus,

           ipiaRctRevokedDate, ipiaRctRevokedReason,
           ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,

           ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
           ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
           ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
       }
       STATUS current
       DESCRIPTION
           "The IPsec Policy Credential Filter Table Group."
       ::= { ipiaGroups 2 }

   ipiaPeerIdFilterGroup OBJECT-GROUP
       OBJECTS {
           ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue,
           ipiaPeerIdFiltLastChanged, ipiaPeerIdFiltStorageType,
           ipiaPeerIdFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "The IPsec Policy Peer Identity Filter Table Group."
       ::= { ipiaGroups 3 }

   --
   -- action compliance groups
   --

   ipiaStaticActionGroup OBJECT-GROUP
       OBJECTS {
           ipiaRejectIKEAction,
           ipiaRejectIKEActionLog
       }
       STATUS current
       DESCRIPTION
           "The IPsec Policy Static Actions Group."
       ::= { ipiaGroups 4 }

   ipiaIkeGroup OBJECT-GROUP
       OBJECTS {
           ipiaIkeActParametersName, ipiaIkeActThresholdDerivedKeys,
           ipiaIkeActExchangeMode, ipiaIkeActAgressiveModeGroupId,
           ipiaIkeActIdentityType, ipiaIkeActIdentityContext,
           ipiaIkeActPeerName, ipiaIkeActVendorId, ipiaIkeActPropName,
           ipiaIkeActDoActionLogging, ipiaIkeActDoPacketLogging,
           ipiaIkeActLastChanged, ipiaIkeActStorageType,
           ipiaIkeActRowStatus,

           ipiaIkeActPropLastChanged, ipiaIkeActPropStorageType,
           ipiaIkeActPropRowStatus,

           ipiaIkePropLifetimeDerivedKeys, ipiaIkePropCipherAlgorithm,
           ipiaIkePropCipherKeyLength, ipiaIkePropCipherKeyRounds,
           ipiaIkePropHashAlgorithm, ipiaIkePropPrfAlgorithm,
           ipiaIkePropVendorId, ipiaIkePropDhGroup,
           ipiaIkePropAuthenticationMethod, ipiaIkePropMaxLifetimeSecs,
           ipiaIkePropMaxLifetimeKB, ipiaIkePropLastChanged,
           ipiaIkePropStorageType,
           ipiaIkePropRowStatus,

           ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
           ipiaSaNegParamRefreshThreshSecs,
           ipiaSaNegParamRefreshThresholdKB,
           ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
           ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus,

           ipiaIkeIdCredentialName, ipiaIkeIdLastChanged,
           ipiaIkeIdStorageType, ipiaIkeIdRowStatus,

           ipiaAutoIkeAction, ipiaAutoIkeAddressType,
           ipiaAutoIkeSourceAddress, ipiaAutoIkeSourcePort,
           ipiaAutoIkeDestAddress, ipiaAutoIkeDestPort,
           ipiaAutoIkeProtocol, ipiaAutoIkeLastChanged,
           ipiaAutoIkeStorageType, ipiaAutoIkeRowStatus,

           ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
           ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
           ipiaCmcRowStatus,

           ipiaRctRevokedDate, ipiaRctRevokedReason,
           ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,

           ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
           ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
           ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is the set of objects that support IKE
            actions.  These objects are from the IPsec Policy IKE
            Action Table, the IKE Action Proposals Table, the IKE
            Proposal Table, the Autostart IKE Table, the IKE Identity
            Table, the Credential Management Service Table, the
            Revoked Certificate Table, and the shared Negotiation
            Parameters Table (from the IPSEC-IPSECACTION-MIB)."
       ::= { ipiaGroups 5 }

   ipiaIpsecGroup OBJECT-GROUP
       OBJECTS {
           ipiaIpsecActParametersName, ipiaIpsecActProposalsName,
           ipiaIpsecActUsePfs, ipiaIpsecActVendorId,
           ipiaIpsecActGroupId, ipiaIpsecActPeerGatewayIdName,
           ipiaIpsecActUseIkeGroup, ipiaIpsecActGranularity,
           ipiaIpsecActMode, ipiaIpsecActDFHandling,
           ipiaIpsecActDoActionLogging, ipiaIpsecActDoPacketLogging,
           ipiaIpsecActLastChanged, ipiaIpsecActStorageType,
           ipiaIpsecActRowStatus,

           ipiaIpsecPropTransformsName, ipiaIpsecPropLastChanged,
           ipiaIpsecPropStorageType, ipiaIpsecPropRowStatus,

           ipiaIpsecTranTransformName, ipiaIpsecTranLastChanged,
           ipiaIpsecTranStorageType, ipiaIpsecTranRowStatus,

           ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
           ipiaSaNegParamRefreshThreshSecs,
           ipiaSaNegParamRefreshThresholdKB,
           ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
           ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is the set of objects that support IPsec
            actions.  These objects are from the IPsec Policy IPsec
            Actions Table, the IPsec Proposal Table, and the IPsec
            Transform Table.  This group also includes the objects of
            the shared Negotiation Parameters Table."
       ::= { ipiaGroups 6 }

   END




6. Security Considerations

6.1 Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IKE negotiates keys for IPsec and IPsec provides
   security services, the IKE configuration data must be protected at
   least as well as the security service that IPsec provides.  There
   are two threats to thwart when configuring IPsec devices.

   1.  Only authenticated, authorized administrators should be allowed
       to configure a device.  Supporting SET operations in a
       non-secure environment, without proper protection, can have a
       negative effect on network operations.

   2.  Unfriendly parties should not be able to read configuration data
       while it is in transit on the network.  Any knowledge about a
       device's IKE policy configuration could help an unfriendly party
       compromise that device and/or a network it protects.  It is thus
       important to control even GET access to these objects, and
       possibly to encrypt the values of these objects when sending
       them over the network via SNMP.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control over who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module, is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you
   SHOULD use SNMP version 3.  The rest of this discussion assumes the
   use of SNMPv3.  This is a real strength, because it allows
   administrators to load new IPsec configuration onto a device while
   keeping the conversation private and authenticated under the
   protection of SNMPv3, before any IPsec protections are available.
   Once the initial IPsec configuration has been established on a
   device, IPsec SAs could then be set up to provide security and
   integrity services to the configuration conversation as well.  This
   may seem redundant at first, but it has a use for added privacy
   protection, as discussed below.

6.2 Protecting against unauthenticated access

   The current SNMPv3 User-based Security Model provides for key-based
   user authentication.  Typically, keys are derived from passwords
   (but are not required to be), and the keys are then used in HMAC
   algorithms (currently MD5 and SHA-1 HMACs are defined) to
   authenticate all SNMP data.  Each SNMP device keeps a (configured)
   list of users and keys.  Under SNMPv3, user keys may be updated as
   often as an administrator cares to have users enter new passwords.
   But Perfect Forward Secrecy for user keys is not yet provided by
   standards-track documents, although RFC2786 defines an experimental
   method of doing so.
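   The password-to-key derivation, key localization, HMAC
   authentication and key update described above, as an added example
   that is not part of this draft and not code from any SNMP agent.  It
   follows RFC 3414 (USM) and checks itself against that RFC's own
   "maplesyrup" test vectors; the message bytes and the new key are
   constructed for illustration, and the KeyChange functions are written
   for the single-iteration case in which the key is exactly one digest
   long (the HMAC-MD5-96 and HMAC-SHA-96 authentication keys), which is
   an assumption of the example, not a limit of the protocol.

```python
# RFC 3414 USM key handling: password -> Ku -> localized Kul, HMAC-96
# authentication, and the KeyChange encoding used to roll a user's key.
# Added illustration; not code from the draft or from any SNMP agent.
import hashlib
import hmac
import os
from typing import Optional

HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated out to exactly 1 MiB)."""
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    return HASHES[algo](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).  Binding the key to
    the engine ID means a key lifted from one agent is useless at another,
    even when both agents were provisioned from the same password."""
    return HASHES[algo](ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 octets of the HMAC over the whole
    SNMPv3 message (with msgAuthenticationParameters zero-filled)."""
    return hmac.new(kul, whole_msg, HASHES[algo]).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, received: bytes,
           algo: str = "sha1") -> bool:
    """Constant-time check of a received msgAuthenticationParameters."""
    return hmac.compare_digest(auth_params(kul, whole_msg, algo), received)


def key_change_encode(old_key: bytes, new_key: bytes, algo: str = "sha1",
                      rnd: Optional[bytes] = None) -> bytes:
    """RFC 3414 2.6 KeyChange value: random || (new XOR H(old || random)).
    Single-iteration form: valid only when len(key) == digest size, which
    is an assumption of this example."""
    size = HASHES[algo]().digest_size
    if len(old_key) != size or len(new_key) != size:
        raise ValueError("example handles keys of digest length only")
    rnd = os.urandom(size) if rnd is None else rnd
    temp = HASHES[algo](old_key + rnd).digest()
    delta = bytes(a ^ b for a, b in zip(temp, new_key))
    return rnd + delta


def key_change_decode(old_key: bytes, key_change: bytes,
                      algo: str = "sha1") -> bytes:
    """Recover the new key from a KeyChange value.  Anyone holding old_key
    who observes key_change on the wire can do the same, which is why USM
    key updates provide no perfect forward secrecy."""
    size = HASHES[algo]().digest_size
    rnd, delta = key_change[:size], key_change[size:]
    temp = HASHES[algo](old_key + rnd).digest()
    return bytes(a ^ b for a, b in zip(temp, delta))


def demo() -> dict:
    """Walk the RFC 3414 A.3 'maplesyrup' vectors, then authenticate a
    constructed message and roll the key; returns the values for review."""
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3
    ku = password_to_key(b"maplesyrup", "sha1")
    kul = localize_key(ku, engine_id, "sha1")
    msg = b"<constructed SNMPv3 wholeMsg, auth field zero-filled>"
    tag = auth_params(kul, msg, "sha1")
    new_key = bytes(range(20))                            # constructed
    kc = key_change_encode(kul, new_key, "sha1")
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "auth_ok": verify(kul, msg, tag, "sha1"),
        "tampered_ok": verify(kul, msg + b"\x00", tag, "sha1"),
        "old_key_recovers_new": key_change_decode(kul, kc, "sha1") == new_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

   The last entry of demo() is the point of the PFS remark above: an
   eavesdropper who already holds a user's current key and records the
   usmUserAuthKeyChange SET learns the next key as well, so a compromised
   key is not healed by a password change alone; the device's
   configured user list has to be re-initialized out of band.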

6.3 Protecting against involuntary disclosure

   While sending IKE configuration data to a PEP, there are a few
   critical parameters which MUST NOT be observed by third parties.
   These include IKE pre-shared keys and possibly the private key of a
   public/private key pair for use in a PKI.  Were either of those
   parameters known to a third party, it could then impersonate your
   device to other IKE peers.  Aside from those critical parameters,
   policy administrators have an interest in not divulging any of their
   policy configuration.  Any knowledge about a device's configuration
   could help an unfriendly party compromise that device.  SNMPv3
   offers privacy security services, but at the time this document was
   written, the only standardized encryption algorithm supported by
   SNMPv3 is the DES encryption algorithm.  Support for other
   (stronger) cryptographic algorithms was in the works and may be done
   as you read this.  Policy administrators SHOULD use a privacy
   security service to configure their IPsec policy which is at least
   as strong as the desired IPsec policy.  For example, it is unwise to
   configure IPsec parameters implementing 3DES algorithms while only
   protecting that conversation with single DES.

6.4 Bootstrapping your configuration

   Hopefully, vendors will not ship new products with a default SNMPv3
   user/password pair, but it is possible.  Most SNMPv3 distributions
   should instead require an out-of-band initialization over a trusted
   medium, such as a local console connection.

7. Acknowledgments

   Many other people contributed thoughts and ideas that influenced this
   MIB module.  Some special thanks are in order to the following people:

         Lindy Foster     (Sparta, Inc.)
         John Gillis      (ADC)
         Jamie Jason      (Intel Corporation)
         Roger Hartmuller (Sparta, Inc.)
         David Partain    (Ericsson)
         Lee Rafalow      (IBM)
         Jon Saperia      (JDS Consulting)
         John Shriver     (Internap Network Services Corporation)
         Eric Vyncke      (Cisco Systems)

Normative References

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy Database Configuration MIB",
              January 2004.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy IPsec Action MIB", January
              2004.

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

   [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R. and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412, December
              2002.

   [RFC3413]  Levi, D., Meyer, P. and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62, RFC
              3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415, December
              2002.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
              Management Information Version 2 (SMIv2)", STD 58, RFC
              2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
              Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D. and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3585]  Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
              Policy Information Model", RFC 3585, August 2003.

Informative References

   [IPPMWP]  Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper",
             November 2000.

Authors' Addresses

   Michael Baer
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD  21046
   US

   EMail: baerm@tislabs.com


   Ricky Charlet
   Self

   EMail: rcharlet@alumni.calpoly.edu


   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA  95617
   US

   Phone: +1 530 792 1913
   EMail: hardaker@tislabs.com


   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA  30085
   US

   EMail: rs-snmp@revelstone.com


   Cliff Wang
   SmartPipes, Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH  43017
   US

   EMail: cliffwang2000@yahoo.com


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION