IPSP M. Baer
Internet-Draft Sparta, Inc.
Expires: July 19, 2004 R. Charlet
Self
W. Hardaker
Sparta, Inc.
R. Story
Revelstone Software
C. Wang
SmartPipes, Inc.
January 19, 2004
IPsec Security Policy IKE Action MIB
draft-ietf-ipsp-ikeaction-mib-00.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 19, 2004.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document defines a SMIv2 Management Information Base (MIB)
module for configuring IKE actions for the security policy database
(SPD) of a device that uses the IPsec Security Policy Database
Configuration MIB for configuring the IKE protocol actions on that
device. The IPSP IKE Action MIB integrates directly with the IPsec
Baer, et al. Expires July 19, 2004 [Page 1]
Internet-Draft IPSP IKE Action MIB January 2004
Security Policy Database Configuration MIB and it is meant to work
within the framework of an action referenced by that MIB.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 3
5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 59
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2 Protecting against in-authentic access . . . . . . . . . . . . 60
6.3 Protecting against involuntary disclosure . . . . . . . . . . 60
6.4 Bootstrapping your configuration . . . . . . . . . . . . . . . 61
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 61
Normative References . . . . . . . . . . . . . . . . . . . . . 61
Informative References . . . . . . . . . . . . . . . . . . . . 62
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 63
Intellectual Property and Copyright Statements . . . . . . . . 64
1. Introduction
This document defines a MIB module for configuration of an IKE action
within the IPsec security policy database (SPD). This module works
within the framework of the IPsec Security Policy Database
Configuration MIB (IPSP-SPD-MIB). It can be referenced as an action
by the IPSP-SPD-MIB and is used to configure IKE negotiations between
network devices.
The companion document [RFCXXXX] documents the IPsec Security Policy
Database Configuration MIB. The companion document [RFCYYYY] documents
the IPsec Security Policy IPsec Action MIB, which configures static
IPsec SAs.
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Relationship to the DMTF Policy Model
The Distributed Management Task Force (DMTF) has created an object
oriented model of IPsec policy information known as the IPsec Policy
Model White Paper [IPPMWP]. The contents of this document are also
reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
This MIB module is a task specific derivation of the IKE actions
portions of the IPCP for use with SNMPv3. This includes the necessary
filters, negotiation, identity and IKE action information required to
enable IKE negotiation within the IPsec Policy framework.
4. MIB Module Overview
The MIB module describes the necessary information to implement IKE
actions and their associated negotiations referred to by the IPsec
Security Policy Database Configuration MIB. A basic understanding of
IKE, of IPsec processing, of the IPsec Configuration Policy Model and
of how actions fit into the overall framework of the IPSP-SPD-MIB
is required to use this MIB properly.
5. MIB definition
IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, TruthValue,
TimeStamp, StorageType, VariablePointer
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
InetAddressType, InetAddress, InetPortNumber
FROM INET-ADDRESS-MIB
spdActions, SpdIPPacketLogging, spdEndGroupIdentType,
spdEndGroupAddress
FROM IPSEC-SPD-MIB
IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
ipsaSharedGroup
FROM IPSEC-IPSECACTION-MIB
;
--
-- module identity
--
ipiaMIB MODULE-IDENTITY
LAST-UPDATED "200301070000Z" -- 7 January 2003 (matches the REVISION below)
ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer
Sparta, Inc.
Phone: +1 530 902 3131
Email: baerm@tislabs.com
Ricky Charlet
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
Phone: +1 770 617 3722
Email: ipsp-mib@revelstone.com
Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: cliffwang2000@yahoo.com"
DESCRIPTION
"The MIB module for defining IKE actions for managing IPsec
Security Policy.
Copyright (C) The Internet Society (2003). This version of
this MIB module is part of RFC XXXX, see the RFC itself for
full legal notices."
-- Revision History
REVISION "200301070000Z" -- 7 January 2003
DESCRIPTION "Initial version, published as RFC xxxx."
-- RFC-editor assigns xxxx
::= { spdActions 2 }
--
-- groups of related objects
--
ipiaConfigObjects OBJECT IDENTIFIER
::= { ipiaMIB 1 }
ipiaNotificationObjects OBJECT IDENTIFIER
::= { ipiaMIB 2 }
ipiaConformanceObjects OBJECT IDENTIFIER
::= { ipiaMIB 3 }
--
-- Textual Conventions
--
IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "Values for encryption algorithms negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attribute type Encryption
Algorithm (1).
Unused values <= 65000 are reserved to IANA.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in IKE
desCbc(1), -- RFC 2405
ideaCbc(2),
blowfishCbc(3),
rc5R16B64Cbc(4), -- RC5 R16 B64 CBC
tripleDesCbc(5), -- 3DES CBC
castCbc(6),
aesCbc(7)
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IkeAuthMethod ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "Values for authentication methods negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attribute type Authentication
Method (3).
Unused values <= 65000 are reserved to IANA.
reserved(0), -- reserved in IKE
preSharedKey(1),
dssSignatures(2),
rsaSignatures(3),
encryptionWithRsa(4),
revisedEncryptionWithRsa(5),
reservedDontUse6(6), -- not to be used
reservedDontUse7(7), -- not to be used
ecdsaSignatures(8)
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IkeHashAlgorithm ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "Values for hash algorithms negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attribute type Hash Algorithm (2).
Unused values <= 65000 are reserved to IANA.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in IKE
md5(1), -- RFC 1321
sha(2), -- FIPS 180-1
tiger(3),
sha256(4),
sha384(5),
sha512(6)
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IkeGroupDescription ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "Values for Oakley key computation groups for
Diffie-Hellman exchange negotiated for the ISAKMP
SA by IKE in Phase I. They are also used in Phase II
when perfect forward secrecy is in use. These are
values for SA Attribute type Group Description (4).
Unused values <= 32767 are reserved to IANA.
Currently assigned values at the time of this
writing:
none(0), -- reserved in IKE, used
-- in MIBs to reflect that
-- none of the predefined
-- groups are used
modp768(1), -- default 768-bit MODP group
modp1024(2), -- alternate 1024-bit MODP
-- group
ec2nGF155(3), -- EC2N group on Galois
-- Field GF[2^155]
ec2nGF185(4), -- EC2N group on Galois
-- Field GF[2^185]
ec2nGF163Random(6), -- EC2N group on Galois
-- Field GF[2^163],
-- random seed
ec2nGF163Koblitz(7),
-- EC2N group on Galois
-- Field GF[2^163],
-- Koblitz curve
ec2nGF283Random(8), -- EC2N group on Galois
-- Field GF[2^283],
-- random seed
ec2nGF283Koblitz(9),
-- EC2N group on Galois
-- Field GF[2^283],
-- Koblitz curve
ec2nGF409Random(10),
-- EC2N group on Galois
-- Field GF[2^409],
-- random seed
ec2nGF409Koblitz(11),
-- EC2N group on Galois
-- Field GF[2^409],
-- Koblitz curve
ec2nGF571Random(12),
-- EC2N group on Galois
-- Field GF[2^571],
-- random seed
ec2nGF571Koblitz(13)
-- EC2N group on Galois
-- Field GF[2^571],
-- Koblitz curve
Values 32768-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
IANA"
SYNTAX Unsigned32 (0..65535)
IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "These are the IPsec DOI values for the Protocol-Id
field in an ISAKMP Proposal Payload, and in all
Notification Payloads.
They are also used as the Protocol-ID In the
Notification Payload and the Delete Payload.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
protoIsakmp(1), -- message protection
-- required during Phase I
-- of the IKE protocol
protoIpsecAh(2), -- IP packet authentication
-- via Authentication Header
protoIpsecEsp(3), -- IP packet confidentiality
-- via Encapsulating
-- Security Payload
protoIpcomp(4) -- IP payload compression
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 section 4.4.1"
SYNTAX Unsigned32 (0..255)
--
-- Policy group definitions
--
ipiaLocalConfigObjects OBJECT IDENTIFIER
::= { ipiaConfigObjects 1 }
--
-- Static Filters
--
ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }
ipiaIkePhase1Filter OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This static filter can be used to test if a packet is
part of an IKE phase-1 negotiation."
::= { ipiaStaticFilters 1 }
ipiaIkePhase2Filter OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This static filter can be used to test if a packet is
part of an IKE phase-2 negotiation."
::= { ipiaStaticFilters 2 }
--
-- credential filter table
--
ipiaCredentialFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaCredentialFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines filters which can be used to match
credentials of IKE peers, where the credentials in question
have been obtained from an IKE phase 1 exchange. They may
be X.509 certificates, Kerberos tickets, etc..."
::= { ipiaConfigObjects 3 }
ipiaCredentialFilterEntry OBJECT-TYPE
SYNTAX IpiaCredentialFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row defining a particular credential filter"
INDEX { ipiaCredFiltName }
::= { ipiaCredentialFilterTable 1 }
IpiaCredentialFilterEntry ::= SEQUENCE {
ipiaCredFiltName SnmpAdminString,
ipiaCredFiltCredentialType IpsaCredentialType,
ipiaCredFiltMatchFieldName OCTET STRING,
ipiaCredFiltMatchFieldValue OCTET STRING,
ipiaCredFiltAcceptCredFrom OCTET STRING,
ipiaCredFiltLastChanged TimeStamp,
ipiaCredFiltStorageType StorageType,
ipiaCredFiltRowStatus RowStatus
}
ipiaCredFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name of this filter."
::= { ipiaCredentialFilterEntry 1 }
ipiaCredFiltCredentialType OBJECT-TYPE
SYNTAX IpsaCredentialType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The credential type that is expected for this filter to
succeed."
DEFVAL { x509 }
::= { ipiaCredentialFilterEntry 2 }
ipiaCredFiltMatchFieldName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The piece of the credential to match against. Examples:
serialNumber, signatureAlgorithm, issuerName or
subjectName.
For credential types without fields (e.g. shared secret),
this field should be left empty, and the entire credential
will be matched against the ipiaCredFiltMatchFieldValue."
::= { ipiaCredentialFilterEntry 3 }
ipiaCredFiltMatchFieldValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..4096))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The value that the field indicated by the
ipiaCredFiltMatchFieldName must match against for the
filter to be considered TRUE."
::= { ipiaCredentialFilterEntry 4 }
ipiaCredFiltAcceptCredFrom OBJECT-TYPE
SYNTAX OCTET STRING(SIZE(1..117))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used to look up a row in the
ipiaIpsecCredMngServiceTable for the Certificate Authority
(CA) Information. This value is empty if there is no CA
used for this filter."
::= { ipiaCredentialFilterEntry 5 }
ipiaCredFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaCredentialFilterEntry 6 }
ipiaCredFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaCredentialFilterEntry 7 }
ipiaCredFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row."
::= { ipiaCredentialFilterEntry 8 }
--
-- Peer Identity Filter Table
--
ipiaPeerIdentityFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaPeerIdentityFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines filters which can be used to match the
identity that an IKE peer presents in its ID payload during an
IKE phase 1 exchange. The identity may be an IP address, a
fully qualified domain name, a user FQDN, a distinguished
name, etc. Filters on the credentials that back such an
identity (X.509 certificates, Kerberos tickets, etc.) are
defined in the ipiaCredentialFilterTable."
::= { ipiaConfigObjects 4 }
ipiaPeerIdentityFilterEntry OBJECT-TYPE
SYNTAX IpiaPeerIdentityFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row defining a particular peer identity filter."
INDEX { ipiaPeerIdFiltName }
::= { ipiaPeerIdentityFilterTable 1 }
IpiaPeerIdentityFilterEntry ::= SEQUENCE {
ipiaPeerIdFiltName SnmpAdminString,
ipiaPeerIdFiltIdentityType IpsecDoiIdentType,
ipiaPeerIdFiltIdentityValue IpsaIdentityFilter,
ipiaPeerIdFiltLastChanged TimeStamp,
ipiaPeerIdFiltStorageType StorageType,
ipiaPeerIdFiltRowStatus RowStatus
}
ipiaPeerIdFiltName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name of this filter."
::= { ipiaPeerIdentityFilterEntry 1 }
ipiaPeerIdFiltIdentityType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The type of identity field in the peer ID payload to match
against."
::= { ipiaPeerIdentityFilterEntry 2 }
ipiaPeerIdFiltIdentityValue OBJECT-TYPE
SYNTAX IpsaIdentityFilter
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The string representation of the value that the peer ID
payload value must match against. Wildcard mechanisms MUST
be supported such that:
- a ipiaPeerIdFiltIdentityValue of '*@example.com' will
match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'
- a ipiaPeerIdFiltIdentityValue of '*.example.com' will
match a fqdn ID payload of 'WWW.EXAMPLE.COM'
- a ipiaPeerIdFiltIdentityValue of:
'cn=*,ou=engineering,o=company,c=us'
will match a DER DN ID payload of
'cn=John Doe,ou=engineering,o=company,c=us'
- a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will
match an IPv4 address ID payload of 192.0.2.10
- a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also
match an IPv4 address ID payload of 192.0.2.10.
The character '*' replaces 0 or multiple instances of any
character."
::= { ipiaPeerIdentityFilterEntry 3 }
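The wildcard rules above are easy to get subtly wrong, so here is an added example (it is not part of the draft and not any vendor's implementation) of a matcher that applies them for the identity types the description names. It assumes the received ID payload has already been decoded to text (an IPv4 address in dotted form, an FQDN or user FQDN, or a DN rendered as comma-separated RDNs), and the id_type constants are placeholder names, since the IpsecDoiIdentType values are not listed on this page. The DN comparison goes beyond the text: it matches RDN by RDN instead of treating the whole DN as one string, so that a leading 'cn=*' cannot absorb extra RDNs that a peer inserts into its subject name.

```python
import ipaddress
import re

# Placeholder names for the IpsecDoiIdentType values used by the examples in
# the ipiaPeerIdFiltIdentityValue description (the numeric values are not on
# this page, so symbolic names are used instead).
ID_IPV4_ADDR = "ipv4Addr"
ID_FQDN = "fqdn"
ID_USER_FQDN = "userFqdn"
ID_DER_ASN1_DN = "derAsn1Dn"


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the MIB wildcard syntax into an anchored regex.

    '*' is the only metacharacter and matches zero or more characters;
    everything else is literal. Matching is case-insensitive so that
    '*@example.com' matches 'JDOE@EXAMPLE.COM', as the description requires.
    """
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$",
                      re.IGNORECASE | re.DOTALL)


def _split_dn(dn: str) -> list:
    """Split a string-form DN into RDNs (escaped commas are not handled here)."""
    return [rdn.strip() for rdn in dn.split(",")]


def peer_id_matches(id_type: str, filter_value: str, peer_id_value: str) -> bool:
    """Evaluate one ipiaPeerIdentityFilterEntry against a decoded ID payload.

    filter_value is ipiaPeerIdFiltIdentityValue, id_type is
    ipiaPeerIdFiltIdentityType and peer_id_value is the identity the peer
    sent, already decoded to text.
    """
    if id_type == ID_IPV4_ADDR:
        try:
            addr = ipaddress.IPv4Address(peer_id_value)
        except ValueError:
            return False                       # malformed ID payload never matches
        if "/" in filter_value:
            # CIDR form: '192.0.2.0/24' matches 192.0.2.10 by containment
            return addr in ipaddress.IPv4Network(filter_value, strict=False)
        # Wildcard form: '192.0.2.*' also matches 192.0.2.10
        return _glob_to_regex(filter_value).match(peer_id_value) is not None

    if id_type == ID_DER_ASN1_DN:
        # Compare RDN by RDN so 'cn=*' cannot absorb additional RDNs that a
        # peer smuggles into its subject name.
        wanted = _split_dn(filter_value)
        received = _split_dn(peer_id_value)
        if len(wanted) != len(received):
            return False
        return all(_glob_to_regex(w).match(r) is not None
                   for w, r in zip(wanted, received))

    if id_type in (ID_FQDN, ID_USER_FQDN):
        return _glob_to_regex(filter_value).match(peer_id_value) is not None

    return False                               # unknown identity type: fail closed
```

The CIDR form is tested by network containment rather than by string comparison, so '192.0.2.0/24' is never confused with a literal string, and an identity type the filter does not know is treated as a non-match rather than a match.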
ipiaPeerIdFiltLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaPeerIdentityFilterEntry 4 }
ipiaPeerIdFiltStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaPeerIdentityFilterEntry 5 }
ipiaPeerIdFiltRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
This object cannot be set to active unless the
ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
column values have been set."
::= { ipiaPeerIdentityFilterEntry 6 }
--
-- Static Actions
--
-- these are static actions which can be pointed to by the
-- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
-- accept or reject packets.
ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }
ipiaRejectIKEAction OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet should be rejected
WITHOUT action/packet logging. This object returns a value
of 1 for IPsec policy implementations that support the
reject static action."
::= { ipiaStaticActions 1 }
ipiaRejectIKEActionLog OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This scalar indicates that a packet should be rejected
WITH action/packet logging. This object returns a value of
1 for IPsec policy implementations that support the reject
static action with logging."
::= { ipiaStaticActions 2 }
--
-- ipiaIkeActionTable
--
ipiaIkeActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIkeActionTable contains a list of the parameters
used for an IKE phase 1 SA DOI negotiation. See the
corresponding table ipiaIkeActionProposalsTable for a list
of proposals contained within a given IKE Action."
::= { ipiaConfigObjects 6 }
ipiaIkeActionEntry OBJECT-TYPE
SYNTAX IpiaIkeActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIkeActionEntry lists the IKE negotiation
attributes."
INDEX { ipiaIkeActName }
::= { ipiaIkeActionTable 1 }
IpiaIkeActionEntry ::= SEQUENCE {
ipiaIkeActName SnmpAdminString,
ipiaIkeActParametersName SnmpAdminString,
ipiaIkeActThresholdDerivedKeys Integer32,
ipiaIkeActExchangeMode INTEGER,
ipiaIkeActAgressiveModeGroupId IkeGroupDescription,
ipiaIkeActIdentityType IpsecDoiIdentType,
ipiaIkeActIdentityContext SnmpAdminString,
ipiaIkeActPeerName SnmpAdminString,
ipiaIkeActDoActionLogging TruthValue,
ipiaIkeActDoPacketLogging SpdIPPacketLogging,
ipiaIkeActVendorId OCTET STRING,
ipiaIkeActLastChanged TimeStamp,
ipiaIkeActStorageType StorageType,
ipiaIkeActRowStatus RowStatus
}
ipiaIkeActName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this ikeAction entry."
::= { ipiaIkeActionEntry 1 }
ipiaIkeActParametersName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is administratively assigned to reference a row
in the ipiaSaNegotiationParametersTable where additional
parameters affecting this action may be found."
::= { ipiaIkeActionEntry 2 }
ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
SYNTAX Integer32 (0..100)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkeActThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys
property of IKEProposal) can expire before IKE should
attempt to renegotiate the IKE phase 1 security
association."
DEFVAL { 100 }
::= { ipiaIkeActionEntry 3 }
ipiaIkeActExchangeMode OBJECT-TYPE
SYNTAX INTEGER { main(1), agressive(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkeActExchangeMode specifies the IKE Phase 1
negotiation mode."
DEFVAL { main }
::= { ipiaIkeActionEntry 4 }
ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
SYNTAX IkeGroupDescription
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The Diffie-Hellman group to be used for the Phase 1 exchange
when ipiaIkeActExchangeMode is agressive(2). In aggressive
mode the group cannot be negotiated, because the initiator's
key exchange payload is sent in the first message, so it
must be configured in advance."
::= { ipiaIkeActionEntry 5 }
ipiaIkeActIdentityType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This column along with ipiaIkeActIdentityContext and
endpoint information is used to refer an
ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
::= { ipiaIkeActionEntry 6 }
ipiaIkeActIdentityContext OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This column, along with ipiaIkeActIdentityType and endpoint
information, is used to refer to an ipiaIkeIdentityEntry in
the ipiaIkeIdentityTable."
::= { ipiaIkeActionEntry 7 }
ipiaIkeActPeerName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the peer id name of the IKE peer.
This object can be used to look up the peer id value,
address, credentials and other values in the
ipiaPeerIdentityTable."
::= { ipiaIkeActionEntry 8 }
ipiaIkeActDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkeActDoActionLogging specifies whether or not an audit
message should be logged when this IKE SA is created."
DEFVAL { false }
::= { ipiaIkeActionEntry 9 }
ipiaIkeActDoPacketLogging OBJECT-TYPE
SYNTAX SpdIPPacketLogging
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkeActDoPacketLogging specifies whether or not an audit
message should be logged and, if there is logging, how many
bytes of the packet to place in the notification."
DEFVAL { -1 }
::= { ipiaIkeActionEntry 10 }
ipiaIkeActVendorId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..65535))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Vendor ID Payload. A zero-length value means that a Vendor
ID payload will be neither generated nor accepted. A
non-zero-length value means that a Vendor ID payload will be
generated (when acting as an initiator) or is expected (when
acting as a responder)."
DEFVAL { "" }
::= { ipiaIkeActionEntry 11 }
ipiaIkeActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeActionEntry 12 }
ipiaIkeActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIkeActionEntry 13 }
ipiaIkeActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object may not be set to destroy if referred to by
other rows in other action tables."
::= { ipiaIkeActionEntry 14 }
--
-- IPsec action definition table
--
ipiaIpsecActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIpsecActionTable contains a list of the parameters
used for an IKE phase 2 IPsec DOI negotiation."
::= { ipiaConfigObjects 7 }
ipiaIpsecActionEntry OBJECT-TYPE
SYNTAX IpiaIpsecActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ipiaIpsecActionEntry lists the IPsec negotiation
attributes."
INDEX { ipiaIpsecActName }
::= { ipiaIpsecActionTable 1 }
IpiaIpsecActionEntry ::= SEQUENCE {
ipiaIpsecActName SnmpAdminString,
ipiaIpsecActParametersName SnmpAdminString,
ipiaIpsecActProposalsName SnmpAdminString,
ipiaIpsecActUsePfs TruthValue,
ipiaIpsecActVendorId OCTET STRING,
ipiaIpsecActGroupId IkeGroupDescription,
ipiaIpsecActPeerGatewayIdName OCTET STRING,
ipiaIpsecActUseIkeGroup TruthValue,
ipiaIpsecActGranularity INTEGER,
ipiaIpsecActMode INTEGER,
ipiaIpsecActDFHandling INTEGER,
ipiaIpsecActDoActionLogging TruthValue,
ipiaIpsecActDoPacketLogging SpdIPPacketLogging,
ipiaIpsecActLastChanged TimeStamp,
ipiaIpsecActStorageType StorageType,
ipiaIpsecActRowStatus RowStatus
}
ipiaIpsecActName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"ipiaIpsecActName is the name of the ipsecAction entry."
::= { ipiaIpsecActionEntry 1 }
ipiaIpsecActParametersName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to reference a row in the
ipiaSaNegotiationParametersTable where additional
parameters affecting this action may be found."
::= { ipiaIpsecActionEntry 2 }
ipiaIpsecActProposalsName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to reference one or more rows in the
ipiaIpsecProposalsTable where an ordered list of proposals
affecting this action may be found."
::= { ipiaIpsecActionEntry 3 }
ipiaIpsecActUsePfs OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This MIB object specifies whether or not perfect forward
secrecy should be used when refreshing keys.
A value of true indicates that PFS should be used."
::= { ipiaIpsecActionEntry 4 }
ipiaIpsecActVendorId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The VendorID property is used to identify vendor-defined
key exchange GroupIDs."
::= { ipiaIpsecActionEntry 5 }
ipiaIpsecActGroupId OBJECT-TYPE
SYNTAX IkeGroupDescription
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the Diffie-Hellman group to use for
phase 2 when the object ipiaIpsecActUsePfs is true and the
object ipiaIpsecActUseIkeGroup is false. If the GroupID
number is from the vendor-specific range (32768-65535), the
VendorID qualifies the group number."
::= { ipiaIpsecActionEntry 6 }
ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..116))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the peer id name of the peer
gateway. This object can be used to look up the peer id
value, address and other values in the
ipiaPeerIdentityTable. This object is used when initiating
a tunnel SA. This object is not used for transport SAs.
If no value is set and ipiaIpsecActMode is tunnel, the peer
gateway should be determined from the source or destination
address of the packet."
::= { ipiaIpsecActionEntry 7 }
ipiaIpsecActUseIkeGroup OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies whether or not to use the same
Diffie-Hellman group for phase 2 as was used in phase 1. If
ipiaIpsecActUsePfs is false, this object is ignored."
::= { ipiaIpsecActionEntry 8 }
ipiaIpsecActGranularity OBJECT-TYPE
SYNTAX INTEGER { subnet(1), address(2), protocol(3),
port(4) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies how the proposed selector for the
security association will be created. The selector is
created by using the FilterList information. The selector
can be subnet, address, protocol, or port."
::= { ipiaIpsecActionEntry 9 }
ipiaIpsecActMode OBJECT-TYPE
SYNTAX INTEGER { tunnel(1), transport(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the encapsulation of the IPsec SA
to be negotiated."
DEFVAL { tunnel }
::= { ipiaIpsecActionEntry 10 }
ipiaIpsecActDFHandling OBJECT-TYPE
SYNTAX INTEGER { copy(1), set(2), clear(3) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the processing of DF bit by the
negotiated IPsec tunnel.
1 - DF bit is copied.
2 - DF bit is set.
3 - DF bit is cleared."
DEFVAL { copy }
::= { ipiaIpsecActionEntry 11 }
ipiaIpsecActDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIpsecActDoActionLogging specifies whether or not an
audit message should be logged when this ipsec SA is
created."
DEFVAL { false }
::= { ipiaIpsecActionEntry 12 }
ipiaIpsecActDoPacketLogging OBJECT-TYPE
SYNTAX SpdIPPacketLogging
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIpsecActDoPacketLogging specifies whether or not an
audit message should be logged and if there is logging, how
many bytes of the packet to place in the notification."
DEFVAL { -1 }
::= { ipiaIpsecActionEntry 13 }
ipiaIpsecActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecActionEntry 14 }
ipiaIpsecActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIpsecActionEntry 15 }
ipiaIpsecActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipiaIpsecActionEntry 16 }
--
-- ipiaSaNegotiationParametersTable
--
-- PROPERTIES MinLifetimeSeconds
-- MinLifetimeKilobytes
-- RefreshThresholdSeconds
-- RefreshThresholdKilobytes
-- IdleDurationSeconds
ipiaSaNegotiationParametersTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaSaNegotiationParametersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains reusable parameters that can be pointed
to by the ipiaIkeActionTable and ipiaIpsecActionTable.
These parameters are reusable since it is likely an
administrator will want to make global policy changes to
lifetime parameters that apply to multiple actions. This
table allows multiple rows in the other actions tables to
reuse global lifetime parameters in this table by
repeatedly pointing to a row contained within this table."
::= { ipiaConfigObjects 8 }
ipiaSaNegotiationParametersEntry OBJECT-TYPE
SYNTAX IpiaSaNegotiationParametersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains the attributes of one row in the
ipiaSaNegotiationParametersTable."
INDEX { ipiaSaNegParamName }
::= { ipiaSaNegotiationParametersTable 1 }
IpiaSaNegotiationParametersEntry ::= SEQUENCE {
ipiaSaNegParamName SnmpAdminString,
ipiaSaNegParamMinLifetimeSecs Unsigned32,
ipiaSaNegParamMinLifetimeKB Unsigned32,
ipiaSaNegParamRefreshThreshSecs Unsigned32,
ipiaSaNegParamRefreshThresholdKB Unsigned32,
ipiaSaNegParamIdleDurationSecs Unsigned32,
ipiaSaNegParamLastChanged TimeStamp,
ipiaSaNegParamStorageType StorageType,
ipiaSaNegParamRowStatus RowStatus
}
ipiaSaNegParamName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the administrative name of this
SaNegotiationParametersEntry. This row can be referred
to by this name in other policy action tables."
::= { ipiaSaNegotiationParametersEntry 1 }
ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
lifetime that will be accepted from the peer."
::= { ipiaSaNegotiationParametersEntry 2 }
ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
lifetime that will be accepted from the peer."
::= { ipiaSaNegotiationParametersEntry 3 }
ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
SYNTAX Unsigned32 (1..100)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamRefreshThreshSecs specifies what percentage
of the seconds lifetime can expire before IKE should
attempt to renegotiate the IPsec security association. A
value between 1 and 100 representing a percentage. A value
of 100 indicates that the IPsec security association should
not be renegotiated until the seconds lifetime has been
completely reached."
::= { ipiaSaNegotiationParametersEntry 4 }
ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
SYNTAX Unsigned32 (1..100)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamRefreshThresholdKB specifies what percentage
of the kilobyte lifetime can expire before IKE should
attempt to renegotiate the IPsec security association. A
value between 1 and 100 representing a percentage. A value
of 100 indicates that the IPsec security association should
not be renegotiated until the kilobyte lifetime has been
reached."
::= { ipiaSaNegotiationParametersEntry 5 }
ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaSaNegParamIdleDurationSecs specifies how many seconds a
security association may remain idle (i.e., no traffic
protected using the security association) before it is
deleted. A value of zero indicates that idle detection
should not be used for the security association. Any
non-zero value indicates the number of seconds the security
association may remain unused."
::= { ipiaSaNegotiationParametersEntry 6 }
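The following Python is an added illustration, not part of the draft, of how the columns of one ipiaSaNegotiationParametersTable row interact: it checks a peer's offered lifetimes against the minima, turns the two refresh thresholds into rekey points, and replays constructed traffic samples to report whether the seconds threshold, the kilobyte threshold or idle detection fires first. The row class, the replay logic and all sample values are assumptions of this example; only the column names come from the MIB.

```python
"""Lifetime and rekey semantics of one ipiaSaNegotiationParametersTable row.

Added example, not part of the draft: the row class, the event replay and the
sample traffic are constructed here; only the column names come from the MIB.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SaNegotiationParams:
    """One ipiaSaNegotiationParametersEntry (columns named as in the MIB)."""
    name: str                 # ipiaSaNegParamName, SnmpAdminString (SIZE(1..32))
    min_lifetime_secs: int    # ipiaSaNegParamMinLifetimeSecs
    min_lifetime_kb: int      # ipiaSaNegParamMinLifetimeKB
    refresh_thresh_secs: int  # ipiaSaNegParamRefreshThreshSecs, Unsigned32 (1..100)
    refresh_thresh_kb: int    # ipiaSaNegParamRefreshThresholdKB, Unsigned32 (1..100)
    idle_duration_secs: int   # ipiaSaNegParamIdleDurationSecs, 0 = no idle detection

    def __post_init__(self) -> None:
        # The SYNTAX constraints an agent would reject a SET with.
        if not 1 <= len(self.name) <= 32:
            raise ValueError("ipiaSaNegParamName must be 1..32 characters")
        for label, pct in (("RefreshThreshSecs", self.refresh_thresh_secs),
                           ("RefreshThresholdKB", self.refresh_thresh_kb)):
            if not 1 <= pct <= 100:
                raise ValueError(f"ipiaSaNegParam{label} must be 1..100")
        for label, val in (("MinLifetimeSecs", self.min_lifetime_secs),
                           ("MinLifetimeKB", self.min_lifetime_kb),
                           ("IdleDurationSecs", self.idle_duration_secs)):
            if val < 0:
                raise ValueError(f"ipiaSaNegParam{label} is Unsigned32")


def accept_peer_lifetime(params: SaNegotiationParams,
                         offered_secs: int, offered_kb: int) -> bool:
    """A peer's proposed lifetimes are acceptable only if both meet the minima."""
    return (offered_secs >= params.min_lifetime_secs
            and offered_kb >= params.min_lifetime_kb)


def rekey_thresholds(params: SaNegotiationParams,
                     lifetime_secs: int, lifetime_kb: int) -> Tuple[int, int]:
    """Elapsed seconds and transferred kilobytes at which IKE renegotiates.

    A threshold of 100 means "use the whole lifetime"; smaller values start the
    replacement SA early so traffic never waits for a fresh negotiation.
    """
    return (lifetime_secs * params.refresh_thresh_secs // 100,
            lifetime_kb * params.refresh_thresh_kb // 100)


def first_sa_event(params: SaNegotiationParams, lifetime_secs: int,
                   lifetime_kb: int,
                   traffic: List[Tuple[int, int]]) -> Tuple[str, int]:
    """Replay traffic samples and report the first event on a fresh SA.

    traffic: (seconds since SA creation, kilobytes protected at that moment),
    ascending in time. Returns (event, time) with event one of
    'rekey-secs', 'rekey-kb' or 'idle-delete'.
    """
    rekey_secs, rekey_kb = rekey_thresholds(params, lifetime_secs, lifetime_kb)
    transferred = 0
    last_seen = 0  # SA creation counts as activity for idle detection

    def next_timer() -> Tuple[str, int]:
        # Earliest timer-driven event given the activity seen so far.
        candidates = [("rekey-secs", rekey_secs)]
        if params.idle_duration_secs:  # zero disables idle detection
            candidates.append(("idle-delete",
                               last_seen + params.idle_duration_secs))
        return min(candidates, key=lambda c: c[1])

    for now, kb in traffic:
        event, when = next_timer()
        if when <= now:  # a timer fired before this packet arrived
            return event, when
        transferred += kb
        last_seen = now
        if transferred >= rekey_kb:
            return "rekey-kb", now
    # No further traffic: the SA sits idle until a timer fires.
    return next_timer()
```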
ipiaSaNegParamLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaSaNegotiationParametersEntry 7 }
ipiaSaNegParamStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaSaNegotiationParametersEntry 8 }
ipiaSaNegParamRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This object may not be set to destroy if referred to by
other rows in other action tables."
::= { ipiaSaNegotiationParametersEntry 9 }
--
-- ipiaIkeActionProposalsTable proposals contained within a ikeAction
--
ipiaIkeActionProposalsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeActionProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of all ike proposal names found
within a given IKE Action."
::= { ipiaConfigObjects 9 }
ipiaIkeActionProposalsEntry OBJECT-TYPE
SYNTAX IpiaIkeActionProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing one IKE proposal reference."
INDEX { ipiaIkeActName, ipiaIkeActPropPriority }
::= { ipiaIkeActionProposalsTable 1 }
IpiaIkeActionProposalsEntry ::= SEQUENCE {
ipiaIkeActPropPriority Integer32,
ipiaIkeActPropName SnmpAdminString,
ipiaIkeActPropLastChanged TimeStamp,
ipiaIkeActPropStorageType StorageType,
ipiaIkeActPropRowStatus RowStatus
}
ipiaIkeActPropPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The numeric priority of a given contained proposal inside
an ike Action. This index should be used to order the
proposals in an IKE Phase I negotiation, lowest value
first."
::= { ipiaIkeActionProposalsEntry 1 }
ipiaIkeActPropName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The administratively assigned name that can be used to
reference a set of values contained within the
ipiaIkeProposalTable."
::= { ipiaIkeActionProposalsEntry 2 }
ipiaIkeActPropLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeActionProposalsEntry 3 }
ipiaIkeActPropStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIkeActionProposalsEntry 4 }
ipiaIkeActPropRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified."
::= { ipiaIkeActionProposalsEntry 5 }
--
-- IKE proposal definition table
--
ipiaIkeProposalTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains a list of IKE proposals which are used
in an IKE negotiation."
::= { ipiaConfigObjects 10 }
ipiaIkeProposalEntry OBJECT-TYPE
SYNTAX IpiaIkeProposalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"One IKE proposal entry."
INDEX { ipiaIkeActPropName }
::= { ipiaIkeProposalTable 1 }
IpiaIkeProposalEntry ::= SEQUENCE {
ipiaIkePropLifetimeDerivedKeys Unsigned32,
ipiaIkePropCipherAlgorithm IkeEncryptionAlgorithm,
ipiaIkePropCipherKeyLength Unsigned32,
ipiaIkePropCipherKeyRounds Unsigned32,
ipiaIkePropHashAlgorithm IkeHashAlgorithm,
ipiaIkePropPrfAlgorithm INTEGER,
ipiaIkePropVendorId OCTET STRING,
ipiaIkePropDhGroup IkeGroupDescription,
ipiaIkePropAuthenticationMethod IkeAuthMethod,
ipiaIkePropMaxLifetimeSecs Unsigned32,
ipiaIkePropMaxLifetimeKB Unsigned32,
ipiaIkePropLastChanged TimeStamp,
ipiaIkePropStorageType StorageType,
ipiaIkePropRowStatus RowStatus
}
ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropLifetimeDerivedKeys specifies the number of
times that a phase 1 key will be used to derive a phase 2
key before the phase 1 security association needs to be
renegotiated."
::= { ipiaIkeProposalEntry 1 }
ipiaIkePropCipherAlgorithm OBJECT-TYPE
SYNTAX IkeEncryptionAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropCipherAlgorithm specifies the proposed phase 1
security association encryption algorithm."
::= { ipiaIkeProposalEntry 2 }
ipiaIkePropCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies, in bits, the key length for
the cipher algorithm used in IKE Phase 1 negotiation."
::= { ipiaIkeProposalEntry 3 }
ipiaIkePropCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the number of key rounds for
the cipher algorithm used in IKE Phase 1 negotiation."
::= { ipiaIkeProposalEntry 4 }
ipiaIkePropHashAlgorithm OBJECT-TYPE
SYNTAX IkeHashAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropHashAlgorithm specifies the proposed phase 1
security association hash algorithm."
::= { ipiaIkeProposalEntry 5 }
ipiaIkePropPrfAlgorithm OBJECT-TYPE
SYNTAX INTEGER { reserved(0) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropPrfAlgorithm specifies the proposed phase 1 security
association pseudo-random function.
Note: currently no prf algorithms are defined."
::= { ipiaIkeProposalEntry 6 }
ipiaIkePropVendorId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The VendorID property is used to identify vendor-defined
key exchange GroupIDs."
::= { ipiaIkeProposalEntry 7 }
ipiaIkePropDhGroup OBJECT-TYPE
SYNTAX IkeGroupDescription
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the proposed phase 1 security
association Diffie-Hellman group."
::= { ipiaIkeProposalEntry 8 }
ipiaIkePropAuthenticationMethod OBJECT-TYPE
SYNTAX IkeAuthMethod
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the proposed authentication
method for the phase 1 security association."
::= { ipiaIkeProposalEntry 9 }
ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropMaxLifetimeSecs specifies the maximum amount of
time to propose a security association remain valid.
A value of 0 indicates that the default lifetime of
8 hours should be used."
::= { ipiaIkeProposalEntry 10 }
ipiaIkePropMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipiaIkePropMaxLifetimeKB specifies the maximum kilobyte
lifetime to propose a security association remain valid."
::= { ipiaIkeProposalEntry 11 }
ipiaIkePropLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeProposalEntry 12 }
ipiaIkePropStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIkeProposalEntry 13 }
ipiaIkePropRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified."
::= { ipiaIkeProposalEntry 14 }
--
-- ipiaIpsecProposalsTable
--
ipiaIpsecProposalsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists one or more IPsec proposals for
IPsec actions."
::= { ipiaConfigObjects 11 }
ipiaIpsecProposalsEntry OBJECT-TYPE
SYNTAX IpiaIpsecProposalsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing (possibly a portion of) a proposal."
INDEX { ipiaIpsecPropName, ipiaIpsecPropPriority,
ipiaIpsecPropProtocolId }
::= { ipiaIpsecProposalsTable 1 }
IpiaIpsecProposalsEntry ::= SEQUENCE {
ipiaIpsecPropName SnmpAdminString,
ipiaIpsecPropPriority Integer32,
ipiaIpsecPropProtocolId IpsecDoiSecProtocolId,
ipiaIpsecPropTransformsName SnmpAdminString,
ipiaIpsecPropLastChanged TimeStamp,
ipiaIpsecPropStorageType StorageType,
ipiaIpsecPropRowStatus RowStatus
}
ipiaIpsecPropName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of this proposal."
::= { ipiaIpsecProposalsEntry 1 }
ipiaIpsecPropPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The priority level (AKA sequence level) of this proposal.
A lower number indicates a higher precedence."
::= { ipiaIpsecProposalsEntry 2 }
ipiaIpsecPropProtocolId OBJECT-TYPE
SYNTAX IpsecDoiSecProtocolId
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The protocol Id for the transforms for this proposal. The
protoIsakmp(1) value is not valid for this object. This
object, along with the ipiaIpsecPropTransformsName, is the
index into the ipiaIpsecTransformsTable."
::= { ipiaIpsecProposalsEntry 3 }
ipiaIpsecPropTransformsName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name of the transform or group of transforms for this
protocol. This object, along with the
ipiaIpsecPropProtocolId, is the index into the
ipiaIpsecTransformsTable."
::= { ipiaIpsecProposalsEntry 4 }
ipiaIpsecPropLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecProposalsEntry 5 }
ipiaIpsecPropStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIpsecProposalsEntry 6 }
ipiaIpsecPropRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This row may not be set to active until the corresponding
row in the ipiaIpsecTransformsTable exists and is active."
::= { ipiaIpsecProposalsEntry 7 }
--
-- ipiaIpsecTransformsTable
--
ipiaIpsecTransformsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecTransformsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists the IPsec proposals contained within a
given IPsec action and the transforms within each of those
proposals. These proposals and transforms can then be used
to create phase 2 negotiation proposals."
::= { ipiaConfigObjects 12 }
ipiaIpsecTransformsEntry OBJECT-TYPE
SYNTAX IpiaIpsecTransformsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the information on an IPsec transform."
INDEX { ipiaIpsecTranType, ipiaIpsecTranName,
ipiaIpsecTranPriority }
::= { ipiaIpsecTransformsTable 1 }
IpiaIpsecTransformsEntry ::= SEQUENCE {
ipiaIpsecTranType IpsecDoiSecProtocolId,
ipiaIpsecTranName SnmpAdminString,
ipiaIpsecTranPriority Integer32,
ipiaIpsecTranTransformName SnmpAdminString,
ipiaIpsecTranLastChanged TimeStamp,
ipiaIpsecTranStorageType StorageType,
ipiaIpsecTranRowStatus RowStatus
}
ipiaIpsecTranType OBJECT-TYPE
SYNTAX IpsecDoiSecProtocolId
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The protocol type for this transform. The protoIsakmp(1)
value is not valid for this object."
::= { ipiaIpsecTransformsEntry 1 }
ipiaIpsecTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name for this transform or group of transforms."
::= { ipiaIpsecTransformsEntry 2 }
ipiaIpsecTranPriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The priority level (AKA sequence level) of this
transform within the group of transforms. This indicates
the preference for which algorithms are requested when the
list of transforms are sent to the remote host. A lower
number indicates a higher precedence."
::= { ipiaIpsecTransformsEntry 3 }
ipiaIpsecTranTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name for the given transform. Depending on the value
of ipiaIpsecTranType, this value should be used to lookup
the transform's specific parameters in the
ipiaAhTransformTable, the ipiaEspTransformTable or the
ipiaIpcompTransformTable."
::= { ipiaIpsecTransformsEntry 4 }
ipiaIpsecTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecTransformsEntry 5 }
ipiaIpsecTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIpsecTransformsEntry 6 }
ipiaIpsecTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
This row may not be set to active until the corresponding
row in the ipiaAhTransformTable, ipiaEspTransformTable or
the ipiaIpcompTransformTable exists."
::= { ipiaIpsecTransformsEntry 7 }
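To show how the ipiaIpsecProposalsTable and ipiaIpsecTransformsTable rows defined above fit together, here is an added Python example that is not code from the draft: it expands a proposal name into the priority-ordered transform lists that phase 2 would offer, and enforces the two RowStatus rules stated above (a proposal row may only go active once a matching active transforms row exists, and a transforms row only once its name exists in the per-protocol AH, ESP or IPcomp transform table). The store class, the row dataclasses and the sample rows are constructed for this example; the numeric AH, ESP and IPcomp values of IpsecDoiSecProtocolId are taken from the IPsec DOI assignments, since the draft itself only names protoIsakmp(1).

```python
"""Phase 2 proposal expansion over ipiaIpsecProposalsTable and
ipiaIpsecTransformsTable. Added example, not code from the draft: the
classes and sample rows are constructed; only the column names are the MIB's."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# IpsecDoiSecProtocolId values as assigned in the IPsec DOI; the draft itself
# only says protoIsakmp(1) is not valid in these two tables.
PROTO_ISAKMP, PROTO_AH, PROTO_ESP, PROTO_IPCOMP = 1, 2, 3, 4


@dataclass
class ProposalRow:              # one ipiaIpsecProposalsEntry
    name: str                   # ipiaIpsecPropName (index)
    priority: int               # ipiaIpsecPropPriority (index; lower wins)
    protocol_id: int            # ipiaIpsecPropProtocolId (index)
    transforms_name: str        # ipiaIpsecPropTransformsName
    row_status: str = "notReady"


@dataclass
class TransformsRow:            # one ipiaIpsecTransformsEntry
    tran_type: int              # ipiaIpsecTranType (index)
    tran_name: str              # ipiaIpsecTranName (index)
    priority: int               # ipiaIpsecTranPriority (index; lower wins)
    transform_name: str         # ipiaIpsecTranTransformName
    row_status: str = "notReady"


class IpsecProposalStore:
    """Both tables plus the names present in ipiaAhTransformTable,
    ipiaEspTransformTable and ipiaIpcompTransformTable (all the checks need)."""

    def __init__(self) -> None:
        self.proposals: Dict[Tuple[str, int, int], ProposalRow] = {}
        self.transforms: Dict[Tuple[int, str, int], TransformsRow] = {}
        self.protocol_transforms: Dict[int, Set[str]] = {
            PROTO_AH: set(), PROTO_ESP: set(), PROTO_IPCOMP: set()}

    def add_transforms_row(self, row: TransformsRow) -> None:
        if row.tran_type not in self.protocol_transforms:  # rejects protoIsakmp(1)
            raise ValueError("ipiaIpsecTranType must be AH, ESP or IPcomp")
        self.transforms[(row.tran_type, row.tran_name, row.priority)] = row

    def add_proposal_row(self, row: ProposalRow) -> None:
        if row.protocol_id not in self.protocol_transforms:  # rejects protoIsakmp(1)
            raise ValueError("ipiaIpsecPropProtocolId must be AH, ESP or IPcomp")
        self.proposals[(row.name, row.priority, row.protocol_id)] = row

    def activate_transforms_row(self, key: Tuple[int, str, int]) -> bool:
        """ipiaIpsecTranRowStatus -> active needs the named row to exist in the
        protocol's own transform table."""
        row = self.transforms[key]
        if row.transform_name not in self.protocol_transforms[row.tran_type]:
            return False
        row.row_status = "active"
        return True

    def activate_proposal_row(self, key: Tuple[str, int, int]) -> bool:
        """ipiaIpsecPropRowStatus -> active needs an existing, active
        ipiaIpsecTransformsTable row with the same (protocol id, name)."""
        row = self.proposals[key]
        if not self._active_group(row.protocol_id, row.transforms_name):
            return False
        row.row_status = "active"
        return True

    def _active_group(self, protocol_id: int, name: str) -> List[str]:
        """Active transform names of one group, in ipiaIpsecTranPriority order."""
        rows = [r for (t, n, _), r in self.transforms.items()
                if t == protocol_id and n == name and r.row_status == "active"]
        return [r.transform_name for r in sorted(rows, key=lambda r: r.priority)]

    def phase2_proposals(self, proposal_name: str
                         ) -> List[Tuple[int, Dict[int, List[str]]]]:
        """[(priority, {protocol id: [transform names]}), ...], best first.
        Non-active rows are skipped so a half-configured row never reaches IKE."""
        by_priority: Dict[int, Dict[int, List[str]]] = {}
        for (name, prio, proto), row in self.proposals.items():
            if name == proposal_name and row.row_status == "active":
                by_priority.setdefault(prio, {})[proto] = \
                    self._active_group(proto, row.transforms_name)
        return sorted(by_priority.items())


def sample_store() -> IpsecProposalStore:
    """Constructed sample: ESP+IPcomp at priority 1, plain ESP at priority 2."""
    store = IpsecProposalStore()
    store.protocol_transforms[PROTO_ESP] |= {"aes-sha1", "3des-sha1", "3des-md5"}
    store.protocol_transforms[PROTO_IPCOMP].add("deflate")
    for t in (TransformsRow(PROTO_ESP, "esp-strong", 1, "aes-sha1"),
              TransformsRow(PROTO_ESP, "esp-strong", 2, "3des-sha1"),
              TransformsRow(PROTO_ESP, "esp-legacy", 1, "3des-md5"),
              TransformsRow(PROTO_IPCOMP, "compress", 1, "deflate")):
        store.add_transforms_row(t)
        store.activate_transforms_row((t.tran_type, t.tran_name, t.priority))
    for p in (ProposalRow("site-to-site", 1, PROTO_ESP, "esp-strong"),
              ProposalRow("site-to-site", 1, PROTO_IPCOMP, "compress"),
              ProposalRow("site-to-site", 2, PROTO_ESP, "esp-legacy")):
        store.add_proposal_row(p)
        store.activate_proposal_row((p.name, p.priority, p.protocol_id))
    return store
```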
--
-- IKE identity definition table
--
ipiaIkeIdentityTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIkeIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IKEIdentity is used to represent the identities that may be
used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify itself in IKE phase 1
negotiations. The column ikeIdentityName in an
ipiaIkeActionEntry together with the spdEndGroupIdentType
and the spdEndGroupAddress in the
PolicyEndpointToGroupTable specifies the unique identity to
use in a negotiation exchange."
::= { ipiaConfigObjects 13 }
ipiaIkeIdentityEntry OBJECT-TYPE
SYNTAX IpiaIkeIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"ikeIdentity lists the attributes of an IKE identity."
INDEX { spdEndGroupIdentType, spdEndGroupAddress,
ipiaIkeActIdentityType, ipiaIkeActIdentityContext }
::= { ipiaIkeIdentityTable 1 }
IpiaIkeIdentityEntry ::= SEQUENCE {
ipiaIkeIdCredentialName SnmpAdminString,
ipiaIkeIdLastChanged TimeStamp,
ipiaIkeIdStorageType StorageType,
ipiaIkeIdRowStatus RowStatus
}
ipiaIkeIdCredentialName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the ipiaCredentialTable
to look up the actual credential value and other credential
information.
For ID's without associated credential information, this
value is left blank.
For ID's that are address types, this value may be left
blank and the associated IPProtocolEndpoint or appropriate
member of the Collection of endpoints is used."
::= { ipiaIkeIdentityEntry 1 }
ipiaIkeIdLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIkeIdentityEntry 2 }
ipiaIkeIdStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIkeIdentityEntry 3 }
ipiaIkeIdRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipiaIkeIdentityEntry 4 }
--
-- autostart IKE Table
ipiaAutostartIkeTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaAutostartIkeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The parameters in the autostart IKE Table are used to
automatically initiate IKE phases I and II (i.e., IPsec)
negotiations on startup. It also will initiate IKE phase I
and II negotiations for a row at the time of that row's
creation."
::= { ipiaConfigObjects 14 }
ipiaAutostartIkeEntry OBJECT-TYPE
SYNTAX IpiaAutostartIkeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"autostart ike provides the set of parameters to
automatically start IKE and IPsec SA's."
INDEX { ipiaAutoIkePriority }
::= { ipiaAutostartIkeTable 1 }
IpiaAutostartIkeEntry ::= SEQUENCE {
ipiaAutoIkePriority Integer32,
ipiaAutoIkeAction VariablePointer,
ipiaAutoIkeAddressType InetAddressType,
ipiaAutoIkeSourceAddress InetAddress,
ipiaAutoIkeSourcePort InetPortNumber,
ipiaAutoIkeDestAddress InetAddress,
ipiaAutoIkeDestPort InetPortNumber,
ipiaAutoIkeProtocol Unsigned32,
ipiaAutoIkeLastChanged TimeStamp,
ipiaAutoIkeStorageType StorageType,
ipiaAutoIkeRowStatus RowStatus
}
ipiaAutoIkePriority OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"ipiaAutoIkePriority is an index into the autostartIkeAction
table and can be used to order the autostart IKE actions."
::= { ipiaAutostartIkeEntry 1 }
ipiaAutoIkeAction OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This pointer is used to point to the action or compound
action that should be initiated by this row."
::= { ipiaAutostartIkeEntry 2 }
ipiaAutoIkeAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeAddressType specifies the format of
the autoIke source and destination Address values.
Values of unknown, ipv4z, ipv6z and dns are not legal
values for this object."
::= { ipiaAutostartIkeEntry 3 }
ipiaAutoIkeSourceAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeSourceAddress specifies the Source IP
address for autostarting IKE SA's, formatted according to
the appropriate convention as defined in the
ipiaAutoIkeAddressType property."
::= { ipiaAutostartIkeEntry 4 }
ipiaAutoIkeSourcePort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeSourcePort specifies the port
number for the source port for autostarting IKE SA's.
The value of 0 for this object is illegal."
::= { ipiaAutostartIkeEntry 5 }
ipiaAutoIkeDestAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeDestAddress specifies the
Destination IP address for autostarting IKE SA's, formatted
according to the appropriate convention as defined in the
ipiaAutoIkeAddressType property."
::= { ipiaAutostartIkeEntry 6 }
ipiaAutoIkeDestPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipiaAutoIkeDestPort specifies the port number
for the destination port for autostarting IKE SA's.
The value of 0 for this object is illegal."
::= { ipiaAutostartIkeEntry 7 }
ipiaAutoIkeProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property Protocol specifies the protocol number used in
comparing with policy filter entries and used in any phase
2 negotiations."
::= { ipiaAutostartIkeEntry 8 }
ipiaAutoIkeLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaAutostartIkeEntry 9 }
ipiaAutoIkeStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaAutostartIkeEntry 10 }
ipiaAutoIkeRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified."
::= { ipiaAutostartIkeEntry 11 }
--
-- CA Table
--
ipiaIpsecCredMngServiceTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaIpsecCredMngServiceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of Credential Management Service values. This table
is usually used for credential/certificate values that are
used with a management service (e.g. Certificate
Authorities)."
::= { ipiaConfigObjects 15 }
ipiaIpsecCredMngServiceEntry OBJECT-TYPE
SYNTAX IpiaIpsecCredMngServiceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipiaIpsecCredMngServiceTable."
INDEX { ipiaIcmsName }
::= { ipiaIpsecCredMngServiceTable 1 }
IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
ipiaIcmsName SnmpAdminString,
ipiaIcmsDistinguishedName OCTET STRING,
ipiaIcmsPolicyStatement OCTET STRING,
ipiaIcmsMaxChainLength Integer32,
ipiaIcmsCredentialName SnmpAdminString,
ipiaIcmsLastChanged TimeStamp,
ipiaIcmsStorageType StorageType,
ipiaIcmsRowStatus RowStatus
}
ipiaIcmsName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned string used to index
this table."
::= { ipiaIpsecCredMngServiceEntry 1 }
ipiaIcmsDistinguishedName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value represents the Distinguished Name of the
Credential Management Service."
::= { ipiaIpsecCredMngServiceEntry 2 }
ipiaIcmsPolicyStatement OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This Value represents the Credential Management Service
Policy Statement, or a reference describing how to obtain
it (e.g., a URL). If one doesn't exist, this value can be
left blank."
::= { ipiaIpsecCredMngServiceEntry 3 }
ipiaIcmsMaxChainLength OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the maximum length of the chain allowable from
the Credential Management Service to the credential in
question."
DEFVAL { 0 }
::= { ipiaIpsecCredMngServiceEntry 4 }
ipiaIcmsCredentialName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the ipiaCredentialTable
to look up the actual credential value."
::= { ipiaIpsecCredMngServiceEntry 5 }
ipiaIcmsLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaIpsecCredMngServiceEntry 6 }
ipiaIcmsStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaIpsecCredMngServiceEntry 7 }
ipiaIcmsRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipiaIpsecCredMngServiceEntry 8 }
--
-- CRL Table
--
ipiaCredMngCRLTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaCredMngCRLEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of the Credential Revocation Lists (CRL) for
credential management services."
::= { ipiaConfigObjects 16 }
ipiaCredMngCRLEntry OBJECT-TYPE
SYNTAX IpiaCredMngCRLEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipiaCredMngCRLTable."
INDEX { ipiaIcmsName , ipiaCmcCRLName }
::= { ipiaCredMngCRLTable 1 }
IpiaCredMngCRLEntry ::= SEQUENCE {
ipiaCmcCRLName SnmpAdminString,
ipiaCmcDistributionPoint OCTET STRING,
ipiaCmcThisUpdate OCTET STRING,
ipiaCmcNextUpdate OCTET STRING,
ipiaCmcLastChanged TimeStamp,
ipiaCmcStorageType StorageType,
ipiaCmcRowStatus RowStatus
}
ipiaCmcCRLName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned string used to index
this table. It represents a CRL for a given CA from a given
distribution point."
::= { ipiaCredMngCRLEntry 1 }
ipiaCmcDistributionPoint OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value represents a Distribution Point for a Credential
Revocation List. It can be relative to the Credential
Management Service or a full name (URL, e-mail, etc...)."
::= { ipiaCredMngCRLEntry 2 }
ipiaCmcThisUpdate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the issue date of this CRL. This
should be in utctime or generalizedtime."
::= { ipiaCredMngCRLEntry 3 }
ipiaCmcNextUpdate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value indicates the date the next version of this CRL
will be issued. This should be in utctime or
generalizedtime."
::= { ipiaCredMngCRLEntry 4 }
ipiaCmcLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaCredMngCRLEntry 5 }
ipiaCmcStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaCredMngCRLEntry 6 }
ipiaCmcRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipiaCredMngCRLEntry 7 }
--
-- Revoked Certificate Table
--
ipiaRevokedCertificateTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpiaRevokedCertificateEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of Credentials revoked by credential management
services. That is, this table is a table of Certificates
that are on CRLs, Credential Revocation Lists."
::= { ipiaConfigObjects 17 }
ipiaRevokedCertificateEntry OBJECT-TYPE
SYNTAX IpiaRevokedCertificateEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipiaRevokedCertificateTable."
INDEX { ipiaCmcCRLName, ipiaRctCertSerialNumber}
::= { ipiaRevokedCertificateTable 1 }
IpiaRevokedCertificateEntry ::= SEQUENCE {
ipiaRctCertSerialNumber Unsigned32,
ipiaRctRevokedDate OCTET STRING,
ipiaRctRevokedReason INTEGER,
ipiaRctLastChanged TimeStamp,
ipiaRctStorageType StorageType,
ipiaRctRowStatus RowStatus
}
ipiaRctCertSerialNumber OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This value is the serial number of the revoked
certificate."
::= { ipiaRevokedCertificateEntry 1 }
ipiaRctRevokedDate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the revocation date of the certificate. This
should be in utctime or generalizedtime."
::= { ipiaRevokedCertificateEntry 2 }
ipiaRctRevokedReason OBJECT-TYPE
SYNTAX INTEGER { reserved(0), unspecified(1), keyCompromise(2),
cACompromise(3), affiliationChanged(4),
superseded(5), cessationOfOperation(6),
certificateHold(7), removeFromCRL(8) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is the reason this certificate was revoked."
DEFVAL { unspecified }
::= { ipiaRevokedCertificateEntry 3 }
ipiaRctLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipiaRevokedCertificateEntry 4 }
ipiaRctStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipiaRevokedCertificateEntry 5 }
ipiaRctRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipiaRevokedCertificateEntry 6 }
--
--
-- Notification objects information
--
--
ipiaNotificationVariables OBJECT IDENTIFIER ::=
{ ipiaNotificationObjects 1 }
ipiaNotifications OBJECT IDENTIFIER ::=
{ ipiaNotificationObjects 0 }
--
--
-- Conformance information
--
--
ipiaCompliances OBJECT IDENTIFIER
::= { ipiaConformanceObjects 1 }
ipiaGroups OBJECT IDENTIFIER
::= { ipiaConformanceObjects 2 }
--
-- Compliance statements
--
--
ipiaIKECompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IPsec MIB implementation and supports IKE actions."
MODULE -- This Module
MANDATORY-GROUPS { ipiaIpsecGroup, ipiaIkeGroup,
ipiaStaticActionGroup, ipsaSharedGroup }
OBJECT ipiaIkeActRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIkeActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIkeActPropRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIkeActPropLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIkePropRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIkePropLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIpsecActRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIpsecActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIpsecPropRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIpsecPropLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIpsecTranRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIpsecTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaSaNegParamRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaSaNegParamLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaIkeIdRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaIkeIdLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaAutoIkeAddressType
SYNTAX InetAddressType {
ipv4(1), ipv6(2)
}
DESCRIPTION
"Only the ipv4 and ipv6 values make sense for this
object."
OBJECT ipiaAutoIkeRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaAutoIkeLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipiaCmcDistributionPoint
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaCmcThisUpdate
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaCmcNextUpdate
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaCmcLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
OBJECT ipiaCmcStorageType
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaCmcRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
MIN-ACCESS read-only
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required. Only read-only
access is required for compliance."
OBJECT ipiaRctRevokedDate
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaRctRevokedReason
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaRctLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
OBJECT ipiaRctStorageType
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaRctRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
MIN-ACCESS read-only
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required. Only read-only
access is required for compliance."
OBJECT ipiaIcmsDistinguishedName
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsPolicyStatement
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsMaxChainLength
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsCredentialName
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
OBJECT ipiaIcmsStorageType
MIN-ACCESS read-only
DESCRIPTION
"Only read-only access is required for compliance."
OBJECT ipiaIcmsRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
MIN-ACCESS read-only
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required. Only read-only
access is required for compliance."
OBJECT ipiaPeerIdFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaPeerIdFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
OBJECT ipiaCredFiltRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipiaCredFiltLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is not required for compliance."
::= { ipiaCompliances 1 }
ipiaRuleFilterCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IKEACTION MIB implementation with IKE filters support."
MODULE -- This Module
MANDATORY-GROUPS { ipiaStaticFilterGroup }
GROUP ipiaPeerIdFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support Peer Identity filters."
GROUP ipiaCredentialFilterGroup
DESCRIPTION
"This group is mandatory for IPsec Policy
implementations which support IKE Credential filters."
::= { ipiaCompliances 2 }
--
--
-- Compliance Groups Definitions
--
--
-- Compliance Groups
--
ipiaStaticFilterGroup OBJECT-GROUP
OBJECTS { ipiaIkePhase1Filter,
ipiaIkePhase2Filter }
STATUS current
DESCRIPTION
"The static filter group. Currently this is just a true
filter."
::= { ipiaGroups 1 }
ipiaCredentialFilterGroup OBJECT-GROUP
OBJECTS {
ipiaCredFiltCredentialType, ipiaCredFiltMatchFieldName,
ipiaCredFiltMatchFieldValue, ipiaCredFiltAcceptCredFrom,
ipiaCredFiltLastChanged, ipiaCredFiltStorageType,
ipiaCredFiltRowStatus,
ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
ipiaCmcRowStatus,
ipiaRctRevokedDate, ipiaRctRevokedReason,
ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,
ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
}
STATUS current
DESCRIPTION
"The IPsec Policy Credential Filter Table Group."
::= { ipiaGroups 2 }
ipiaPeerIdFilterGroup OBJECT-GROUP
OBJECTS {
ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue,
ipiaPeerIdFiltLastChanged, ipiaPeerIdFiltStorageType,
ipiaPeerIdFiltRowStatus
}
STATUS current
DESCRIPTION
"The IPsec Policy Peer Identity Filter Table Group."
::= { ipiaGroups 3 }
--
-- action compliance groups
--
ipiaStaticActionGroup OBJECT-GROUP
OBJECTS {
ipiaRejectIKEAction,
ipiaRejectIKEActionLog
}
STATUS current
DESCRIPTION
"The IPsec Policy Static Actions Group."
::= { ipiaGroups 4 }
ipiaIkeGroup OBJECT-GROUP
OBJECTS {
ipiaIkeActParametersName, ipiaIkeActThresholdDerivedKeys,
ipiaIkeActExchangeMode, ipiaIkeActAgressiveModeGroupId,
ipiaIkeActIdentityType, ipiaIkeActIdentityContext,
ipiaIkeActPeerName, ipiaIkeActVendorId, ipiaIkeActPropName,
ipiaIkeActDoActionLogging, ipiaIkeActDoPacketLogging,
ipiaIkeActLastChanged, ipiaIkeActStorageType,
ipiaIkeActRowStatus,
ipiaIkeActPropLastChanged, ipiaIkeActPropStorageType,
ipiaIkeActPropRowStatus,
ipiaIkePropLifetimeDerivedKeys, ipiaIkePropCipherAlgorithm,
ipiaIkePropCipherKeyLength, ipiaIkePropCipherKeyRounds,
ipiaIkePropHashAlgorithm, ipiaIkePropPrfAlgorithm,
ipiaIkePropVendorId, ipiaIkePropDhGroup,
ipiaIkePropAuthenticationMethod, ipiaIkePropMaxLifetimeSecs,
ipiaIkePropMaxLifetimeKB, ipiaIkePropLastChanged,
ipiaIkePropStorageType,
ipiaIkePropRowStatus,
ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
ipiaSaNegParamRefreshThreshSecs,
ipiaSaNegParamRefreshThresholdKB,
ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus,
ipiaIkeIdCredentialName, ipiaIkeIdLastChanged,
ipiaIkeIdStorageType, ipiaIkeIdRowStatus,
ipiaAutoIkeAction, ipiaAutoIkeAddressType,
ipiaAutoIkeSourceAddress, ipiaAutoIkeSourcePort,
ipiaAutoIkeDestAddress, ipiaAutoIkeDestPort,
ipiaAutoIkeProtocol, ipiaAutoIkeLastChanged,
ipiaAutoIkeStorageType, ipiaAutoIkeRowStatus,
ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
ipiaCmcRowStatus,
ipiaRctRevokedDate, ipiaRctRevokedReason,
ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,
ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
}
STATUS current
DESCRIPTION
"This group is the set of objects that support IKE
actions. These objects are from The IPsec Policy IKE
Action Table, The IKE Action Proposals Table, The IKE
Proposal Table, The autostart IKE Table and The IKE
Identity Table, The Peer Identity Table, The Credential
Management Service Table, and the shared table Negotiation
Parameters Table (from the IPSEC-IPSECACTION-MIB)."
::= { ipiaGroups 5 }
ipiaIpsecGroup OBJECT-GROUP
OBJECTS {
ipiaIpsecActParametersName, ipiaIpsecActProposalsName,
ipiaIpsecActUsePfs, ipiaIpsecActVendorId,
ipiaIpsecActGroupId, ipiaIpsecActPeerGatewayIdName,
ipiaIpsecActUseIkeGroup, ipiaIpsecActGranularity,
ipiaIpsecActMode, ipiaIpsecActDFHandling,
ipiaIpsecActDoActionLogging, ipiaIpsecActDoPacketLogging,
ipiaIpsecActLastChanged, ipiaIpsecActStorageType,
ipiaIpsecActRowStatus,
ipiaIpsecPropTransformsName, ipiaIpsecPropLastChanged,
ipiaIpsecPropStorageType, ipiaIpsecPropRowStatus,
ipiaIpsecTranTransformName, ipiaIpsecTranLastChanged,
ipiaIpsecTranStorageType, ipiaIpsecTranRowStatus,
ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
ipiaSaNegParamRefreshThreshSecs,
ipiaSaNegParamRefreshThresholdKB,
ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus
}
STATUS current
DESCRIPTION
"This group is the set of objects that support IPsec
actions. These objects are from The IPsec Policy IPsec
Actions Table, The IPsec Proposal Table, and The IPsec
Transform Table. This group also includes objects from the
shared tables: Peer Identity Table, Credential Table,
Negotiation Parameters Table, Credential Management Service
Table and the AH, ESP, and IPComp Transform Table."
::= { ipiaGroups 6 }
END
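The CRL and revoked-certificate tables above define a schema, but an agent accepting SETs, or a manager reading the rows back, still has to enforce the SIZE and range constraints, interpret the "utctime or generalizedtime" strings, and decide whether a CRL is still current and whether a given serial is on it. The following Python is an added example, not part of the draft or of any implementation of it: it models one row of ipiaCredMngCRLTable and one of ipiaRevokedCertificateTable with their index columns, validates the constraints the MIB states, and parses both time formats. The service name "corp-ca", the CRL name "corp-ca-crl", the distribution-point URL and the serial 4242 are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# ipiaRctRevokedReason, exactly as enumerated in the MIB above.
REVOKED_REASON = {
    0: "reserved", 1: "unspecified", 2: "keyCompromise", 3: "cACompromise",
    4: "affiliationChanged", 5: "superseded", 6: "cessationOfOperation",
    7: "certificateHold", 8: "removeFromCRL",
}

UNSIGNED32_MAX = 4294967295  # range of ipiaRctCertSerialNumber


def parse_asn1_time(value: str) -> datetime:
    """Parse the 'utctime or generalizedtime' strings the MIB keeps in its
    OCTET STRING date objects. UTCTime is YYMMDDHHMMSSZ with a two-digit
    year (RFC 5280 pivot: 50-99 -> 19xx, 00-49 -> 20xx); GeneralizedTime
    is YYYYMMDDHHMMSSZ. Only the Zulu (UTC) forms are accepted."""
    if not value.endswith("Z"):
        raise ValueError(f"not a Zulu-time string: {value!r}")
    body = value[:-1]
    if len(body) == 12:  # UTCTime: expand the two-digit year first
        yy = int(body[:2])
        body = f"{(1900 if yy >= 50 else 2000) + yy:04d}{body[2:]}"
    elif len(body) != 14:  # GeneralizedTime is exactly 14 digits
        raise ValueError(f"unrecognised time string: {value!r}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class CrlRow:
    """One ipiaCredMngCRLEntry; indexed by (ipiaIcmsName, ipiaCmcCRLName)."""
    icms_name: str           # ipiaIcmsName (credential management service)
    crl_name: str            # ipiaCmcCRLName, SnmpAdminString SIZE(1..32)
    distribution_point: str  # ipiaCmcDistributionPoint, SIZE(0..256)
    this_update: str         # ipiaCmcThisUpdate
    next_update: str         # ipiaCmcNextUpdate


@dataclass(frozen=True)
class RevokedRow:
    """One ipiaRevokedCertificateEntry; indexed by
    (ipiaCmcCRLName, ipiaRctCertSerialNumber)."""
    crl_name: str
    serial: int              # ipiaRctCertSerialNumber, Unsigned32
    revoked_date: str        # ipiaRctRevokedDate
    revoked_reason: int      # ipiaRctRevokedReason


def validate_crl_row(row: CrlRow) -> List[str]:
    """SMI constraint violations for which an agent should refuse the SET."""
    problems = []
    if not 1 <= len(row.crl_name.encode()) <= 32:
        problems.append("ipiaCmcCRLName outside SIZE(1..32)")
    if len(row.distribution_point.encode()) > 256:
        problems.append("ipiaCmcDistributionPoint exceeds SIZE(0..256)")
    try:
        if parse_asn1_time(row.next_update) <= parse_asn1_time(row.this_update):
            problems.append("ipiaCmcNextUpdate is not after ipiaCmcThisUpdate")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def validate_revoked_row(row: RevokedRow) -> List[str]:
    problems = []
    if not 0 <= row.serial <= UNSIGNED32_MAX:
        problems.append("ipiaRctCertSerialNumber outside Unsigned32 range")
    if row.revoked_reason not in REVOKED_REASON:
        problems.append("ipiaRctRevokedReason not in the enumeration")
    try:
        parse_asn1_time(row.revoked_date)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def crl_is_current(row: CrlRow, now: datetime) -> bool:
    """A CRL is usable from ThisUpdate up to NextUpdate. Relying on a stale
    CRL means a certificate revoked since then may still be accepted."""
    return parse_asn1_time(row.this_update) <= now < parse_asn1_time(row.next_update)


def revocation_status(revoked: Dict[Tuple[str, int], RevokedRow],
                      crl_name: str, serial: int) -> Optional[str]:
    """Look a serial up under its CRL's index; None means 'not on this CRL'."""
    row = revoked.get((crl_name, serial))
    return REVOKED_REASON[row.revoked_reason] if row else None


# Constructed sample rows; none of these values come from the draft.
SAMPLE_CRL = CrlRow("corp-ca", "corp-ca-crl", "http://pki.example.net/corp.crl",
                    "040119120000Z", "040126120000Z")
SAMPLE_REVOKED = {
    ("corp-ca-crl", 4242): RevokedRow("corp-ca-crl", 4242, "040115083000Z", 2),
}
```

Two practical points fall out of the model. The index of ipiaRevokedCertificateTable is (ipiaCmcCRLName, ipiaRctCertSerialNumber) only, so a serial is meaningful only together with the CRL it was read from; the lookup takes both. And because ipiaRctCertSerialNumber is Unsigned32 while X.509 serial numbers may be up to 20 octets long (RFC 5280), an agent cannot represent every real certificate in this table without some mapping, which is why validate_revoked_row rejects out-of-range values rather than silently truncating them.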
6. Security Considerations
6.1 Introduction
This document defines a MIB module used to configure IPsec policy
services. Since IKE negotiates keys for IPsec and IPsec provides
security services, it is important that the IKE configuration data be
at least as protected as the IPsec provided security service. There
are two threats you need to thwart when configuring IPsec devices.
1. Only authenticated administrators should be allowed to configure
a device, so that configuration is restricted to the official
administrators. Support for SET operations in a non-secure
environment without proper protection can have a negative effect
on network operations.
2. Unfriendly parties should not be able to read configuration data
while the data is in network transit. Any knowledge about a
device's IKE policy configuration could help an unfriendly party
compromise that device and/or a network it protects. It is thus
important to control even GET access to these objects and
possibly to even encrypt the values of these objects when sending
them over the network via SNMP.
SNMP versions prior to SNMPv3 did not include adequate security. Even
if the network itself is secure (for example by using IPsec), there is
still no control over who on that secure network is allowed to access
and GET/SET (read/change/create/delete) the objects in this MIB
module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module, is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you
SHOULD use SNMP version 3. The rest of this discussion assumes the
use of SNMPv3. This is a real strength, because it gives
administrators the ability to load new IPsec configuration onto a
device and keep the conversation private and authenticated under the
protection of SNMPv3 before any IPsec protections are available.
Once initial establishment of IPsec configuration on a device has
been achieved, it would be possible to set up IPsec SAs to then also
provide security and integrity services to the configuration
conversation. This may seem redundant at first, but will be shown to
have a use for added privacy protection below.
6.2 Protecting against inauthentic access
The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys is not yet provided by standards track documents,
although RFC2786 defines an experimental method of doing so.
6.3 Protecting against involuntary disclosure
While sending IKE configuration data to a PEP, there are a few
critical parameters which MUST NOT be observed by third parties.
These include IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate
your device to other IKE peers. Aside from those critical
parameters, policy administrators have an interest in not divulging
any of their policy configuration. Any knowledge about a device's
configuration could help an unfriendly party compromise that device.
SNMPv3 offers privacy security services, but at the time this
document was written, the only standardized encryption algorithm
supported by SNMPv3 is the DES encryption algorithm. Support for
other (stronger) cryptographic algorithms was in the works and may be
done as you read this. Policy administrators SHOULD use a privacy
security service to configure their IPsec policy which is at least as
strong as the desired IPsec policy. For example, it is unwise to
configure IPsec parameters implementing 3DES algorithms while only
protecting that conversation with single DES.
6.4 Bootstrapping your configuration
Hopefully vendors will not ship new products with a default SNMPv3
user/password pair, but it is possible. Most SNMPv3 distributions
should hopefully require an out-of-band initialization over a trusted
medium, such as a local console connection.
7. Acknowledgments
Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order to the following people:
Lindy Foster (Sparta, Inc.)
John Gillis (ADC)
Jamie Jason (Intel Corporation)
Roger Hartmuller (Sparta, Inc.)
David Partain (Ericsson)
Lee Rafalow (IBM)
Jon Saperia (JDS Consulting)
John Shriver (Internap Network Services Corporation)
Eric Vyncke (Cisco Systems)
Normative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy Database Configuration MIB",
January 2004.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy IPsec Action MIB", January
2004.
[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
"Introduction and Applicability Statements for
Internet-Standard Management Framework", RFC 3410,
December 2002.
[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R. and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412, December
2002.
[RFC3413] Levi, D., Meyer, P. and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, RFC
3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415, December
2002.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
Management Information Version 2 (SMIv2)", STD 58, RFC
2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
Conventions for SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D. and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3585] Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
Policy Information Model", RFC 3585, August 2003.
Informative References
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper",
November 2000.
Authors' Addresses
Michael Baer
Sparta, Inc.
7075 Samuel Morse Drive
Columbia, MD 21046
US
EMail: baerm@tislabs.com
Ricky Charlet
Self
EMail: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
US
Phone: +1 530 792 1913
EMail: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
US
EMail: rs-snmp@revelstone.com
Cliff Wang
SmartPipes, Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
US
EMail: cliffwang2000@yahoo.com
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION