IPSP M. Baer
Internet-Draft Sparta, Inc.
Expires: July 19, 2004 R. Charlet
Self
W. Hardaker
Sparta, Inc.
R. Story
Revelstone Software
C. Wang
SmartPipes, Inc.
January 19, 2004
IPsec Security Policy IPsec Action MIB
draft-ietf-ipsp-ipsecaction-mib-00.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 19, 2004.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document defines a SMIv2 Management Information Base (MIB)
module for configuring IPsec actions for the security policy database
(SPD) of a device that uses the IPsec Security Policy Database
Configuration MIB for configuring the IPSec protocol actions on that
device. The IPSP IPsec Action MIB integrates directly with the IPsec
Baer, et al. Expires July 19, 2004 [Page 1]
Internet-Draft IPSP IPsec Action MIB January 2004
Security Policy Database Configuration MIB and it is meant to work
within the framework of an action referenced by that MIB.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Internet-Standard Management Framework . . . . . . . . . . 3
3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 3
5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 38
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.2 Protecting against in-authentic access . . . . . . . . . . . . 40
6.3 Protecting against involuntary disclosure . . . . . . . . . . 40
6.4 Bootstrapping your configuration . . . . . . . . . . . . . . . 40
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40
Normative References . . . . . . . . . . . . . . . . . . . . . 41
Informative References . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 42
Intellectual Property and Copyright Statements . . . . . . . . 44
1. Introduction
This document defines a MIB module for configuration of an IPsec
action within the IPsec security policy database (SPD). This module
works within the framework of the IPsec Security Policy Database
Configuration MIB (IPSP-SPD-MIB). It can be referenced as an action
by the IPSP-SPD-MIB and is used to configure IPsec SA's that can be
created for network traffic between devices.
The companion document [RFCXXXX] documents the IPsec Security Policy
Database Configuration MIB. For information surrounding the
configuration of IKE and its parameters, see the companion document
[RFCYYYY] which documents the IPsec Security Policy IKE Action MIB.
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Relationship to the DMTF Policy Model
The Distributed Management Task Force has created an object oriented
model of IPsec policy information known as the IPsec Policy Model
White Paper [IPPMWP]. The contents of this document are also
reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
This MIB module is a task specific derivation of the IPsec actions
portions of the IPCP for use with SNMPv3. This includes the necessary
transform, negotiation, and IPsec action information required to
create an IPsec SA within the IPsec Policy framework.
4. MIB Module Overview
The MIB module describes the necessary information to implement IPsec
actions and their associated Security Associations referred to by the
IPsec Security Policy Database Configuration MIB. A basic
understanding of IPsec processing, of the IPsec Configuration Policy
Model and of how actions fit in to the framework of the IPSP-SPD-MIB
are required to use this MIB properly.
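As an added illustration (not code from the draft or from any SNMP agent), the following Python models the rules that the MIB definition in section 5 attaches to a preconfigured action row: a zero-length transform name means that protocol is not used, the SA lifetime is the lesser of the action's value and the referenced transform's maximum, 0 means "no limit" on the action but "use the 8-hour default" on the transform's seconds value, and the replay window is assumed to be a power of two. The kilobyte rule for transforms (0 = no limit), the dataclass names and the sample rows are assumptions.

```python
"""Lifetime and reference-resolution rules of IPSEC-IPSECACTION-MIB rows.

Added illustration, not code from the draft or from any SNMP agent.
Field names mirror the MIB objects; the kilobyte rule for transforms
(0 = no limit) is an assumption, since the draft defines 0 only for the
action's ipsaSaPreActActionLifetimeKB.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_LIFETIME_SEC = 28800  # DEFVAL of ipsaSaPreActActionLifetimeSec: 8 hours


@dataclass
class Transform:
    """Row of ipsaAhTransformTable or ipsaEspTransformTable."""
    name: str                 # ipsa*TranName
    max_lifetime_sec: int     # ipsa*TranMaxLifetimeSec, 0 = default 8 hours
    max_lifetime_kb: int      # ipsa*TranMaxLifetimeKB, 0 = no limit (assumed)
    replay_protection: bool   # ipsa*TranReplayProtection
    replay_window_size: int   # ipsa*TranReplayWindowSize, in bits


@dataclass
class PreconfiguredAction:
    """Row of ipsaSaPreconfiguredActionTable (only the objects used here)."""
    name: str                                   # ipsaSaPreActActionName
    lifetime_sec: int = DEFAULT_LIFETIME_SEC    # ipsaSaPreActActionLifetimeSec, 0 = no limit
    lifetime_kb: int = 0                        # ipsaSaPreActActionLifetimeKB, 0 = no limit
    ah_transform_name: str = ""                 # ipsaSaPreActAHTransformName, "" = unused
    esp_transform_name: str = ""                # ipsaSaPreActESPTransformName, "" = unused


def resolve_transform(name: str, table: Dict[str, Transform]) -> Optional[Transform]:
    """A zero-length name means no transform of this type; a non-empty name
    must resolve to a row, otherwise the action row is inconsistent."""
    if name == "":
        return None
    if name not in table:
        raise LookupError(f"transform {name!r} is not in the transform table")
    return table[name]


def effective_lifetime_sec(action: PreconfiguredAction, tran: Transform) -> int:
    """Lesser of the action lifetime and the transform MaxLifetimeSec.
    The transform's 0 means 8 hours, so a time cap always exists even when
    the action itself sets 0 (no limit)."""
    cap = tran.max_lifetime_sec or DEFAULT_LIFETIME_SEC
    return cap if action.lifetime_sec == 0 else min(action.lifetime_sec, cap)


def effective_lifetime_kb(action: PreconfiguredAction, tran: Transform) -> Optional[int]:
    """Lesser of the two kilobyte limits; None when neither side sets one."""
    limits = [v for v in (action.lifetime_kb, tran.max_lifetime_kb) if v != 0]
    return min(limits) if limits else None


def validate_transform(tran: Transform) -> List[str]:
    """Problems a manager should reject before setting the RowStatus active."""
    problems = []
    if tran.replay_protection:
        w = tran.replay_window_size
        if w <= 0 or (w & (w - 1)) != 0:
            problems.append(f"{tran.name}: replay window {w} is not a power of two")
    return problems


def plan_sa(action: PreconfiguredAction, ah_table: Dict[str, Transform],
            esp_table: Dict[str, Transform]) -> dict:
    """Resolve both transform references and compute the limits the
    resulting preconfigured SAs would actually run with."""
    plan = {}
    for proto, name, table in (("ah", action.ah_transform_name, ah_table),
                               ("esp", action.esp_transform_name, esp_table)):
        tran = resolve_transform(name, table)
        if tran is None:
            continue  # zero-length name: no SA of this type
        plan[proto] = {
            "transform": tran.name,
            "lifetime_sec": effective_lifetime_sec(action, tran),
            "lifetime_kb": effective_lifetime_kb(action, tran),
            "problems": validate_transform(tran),
        }
    return plan


# Constructed sample rows (not taken from the draft).
ESP_TABLE = {
    "esp-aes-sha": Transform("esp-aes-sha", 0, 500000, True, 64),
    "esp-3des-md5": Transform("esp-3des-md5", 3600, 0, True, 100),  # bad window
}
AH_TABLE = {"ah-sha": Transform("ah-sha", 7200, 0, False, 0)}

SAMPLE_ACTION = PreconfiguredAction("branch-vpn", lifetime_sec=0, lifetime_kb=200000,
                                    ah_transform_name="", esp_transform_name="esp-aes-sha")

if __name__ == "__main__":
    print(plan_sa(SAMPLE_ACTION, AH_TABLE, ESP_TABLE))
```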
5. MIB definition
IPSEC-IPSECACTION-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Integer32,
Unsigned32
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp,
StorageType
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
SnmpAdminString FROM SNMP-FRAMEWORK-MIB
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
spdActions, SpdIPPacketLogging, SpdAdminStatus
FROM IPSEC-SPD-MIB;
--
-- module identity
--
ipsaMIB MODULE-IDENTITY
LAST-UPDATED "200212100000Z" -- 12 December 2002
ORGANIZATION "IETF IP Security Policy Working Group"
CONTACT-INFO "Michael Baer
Sparta, Inc.
Phone: +1 530 902 3131
Email: baerm@tislabs.com
Ricky Charlet
Email: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
Phone: +1 530 792 1913
Email: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
Phone: +1 770 617 3722
Email: ipsp-mib@revelstone.com
Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: cliffwang2000@yahoo.com"
DESCRIPTION
"The MIB module defines IPsec actions for managing IPsec
Security Policy.
Copyright (C) The Internet Society (2003). This version of
this MIB module is part of RFC XXXX, see the RFC itself for
full legal notices."
-- Revision History
REVISION "200301070000Z" -- 7 January 2004
DESCRIPTION "Initial version, published as RFC xxxx."
-- RFC-editor assigns xxxx
::= { spdActions 1 }
--
-- groups of related objects
--
ipsaConfigObjects OBJECT IDENTIFIER
::= { ipsaMIB 1 }
ipsaNotificationObjects OBJECT IDENTIFIER
::= { ipsaMIB 2 }
ipsaConformanceObjects OBJECT IDENTIFIER
::= { ipsaMIB 3 }
--
-- Textual Conventions
--
IpsaSADirection ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The IpsaSADirection operator is used to specify whether
a row should apply to outgoing or incoming SAs."
SYNTAX INTEGER { outgoing(1), incoming(2) }
IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "The Encapsulation Mode used as an IPsec DOI
SA Attributes definition in the Transform Payload
of a Phase II IKE negotiation. This set of
values defines encapsulation modes used for AH,
ESP, and IPCOMP when the associated Proposal Payload
has a Protocol-ID of 3 (ESP).
Unused values <= 61439 are reserved to IANA.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
tunnel(1),
transport(2)
Values 61440-65535 are for private use."
SYNTAX Unsigned32 (0..65535)
IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "The IPsec DOI IPCOMP Transform Identifier is an
8-bit value which identifies a particular algorithm
to be used to provide IP-level compression before
ESP. It is used in the Transform-ID field of an ISAKMP
Transform Payload for the IPsec DOI, when the
Protocol-Id of the associated Proposal Payload is 4
(IPCOMP).
The values 1-47 are reserved for algorithms for which
an RFC has been approved for publication.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
ipcompOui(1), -- proprietary compression
-- transform
ipcompDeflate(2), -- 'zlib' deflate algorithm
ipcompLzs(3), -- Stac Electronics LZS
ipcompLzjh(4) -- ITU-T V.44 packet method
The values 48-63 are reserved for private use amongst
cooperating systems.
The values 64-255 are reserved for future expansion."
REFERENCE "RFC 2407 sections 4.4.5 and 6.6,
RFC 3051"
SYNTAX Unsigned32 (0..255)
IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "The ESP Authentication Algorithm used in the IPsec
DOI as a SA Attributes definition in the Transform
Payload of Phase II of an IKE negotiation. This
set of values defines the AH authentication
algorithm, when the associated Proposal Payload has
a Protocol-ID of 2 (AH). This set of values
defines the ESP authentication algorithm, when the
associated Proposal Payload has a Protocol-ID
of 3 (ESP).
Unused values <= 61439 are reserved to IANA.
Currently assigned values at the time of this
writing:
none(0), -- reserved in DOI, used
-- in MIBs to reflect no
-- authentication used
hmacMd5(1), -- hashed MAC using MD5
hmacSha(2), -- hashed MAC using SHA-1
desMac(3), -- DES MAC
kpdk(4), -- RFC 1826
-- Key/Pad/Data/Key
hmacSha256(5), -- hashed MAC using SHA-256
hmacSha384(6), -- hashed MAC using SHA-384
hmacSha512(7), -- hashed MAC using SHA-512
hmacRipemd(8) -- hashed MAC using
-- RIPEMD-160-96
Values 61440-65535 are for private use.
In a MIB, a value of 0 indicates that ESP
has been negotiated without authentication."
REFERENCE "RFC 2407 section 4.5, RFC 2407 section 4.4.3.1,
RFC 1826, IANA, RFC 2857"
SYNTAX Unsigned32 (0..65535)
IpsecDoiEspTransform ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "The values of the IPsec DOI ESP Transform Identifier
which identify a particular algorithm to be used to
provide secrecy protection for ESP. It is used in
the Transform-ID field of an ISAKMP Transform Payload
for the IPsec DOI, when the Protocol-Id of the
associated Proposal Payload is 2 (AH), 3 (ESP),
and 4 (IPCOMP).
Currently assigned values at the time of this
writing:
none(0), -- reserved in DOI, used
-- in MIBs to reflect no
-- encryption used
espDesIv64(1), -- DES-CBC transform defined
-- in RFC 1827 and RFC 1829
-- using a 64-bit IV
espDes(2), -- generic DES transform
-- using DES-CBC
esp3Des(3), -- generic triple-DES
-- transform
espRc5(4), -- RC5 transform
espIdea(5), -- IDEA transform
espCast(6), -- CAST transform
espBlowfish(7), -- BLOWFISH transform
esp3Idea(8), -- reserved for triple-IDEA
espDesIv32(9), -- DES-CBC transform defined
-- in RFC 1827 and RFC 1829
-- using a 32-bit IV
espRc4(10), -- reserved for RC4
espNull(11), -- no confidentiality
-- provided by ESP
espAes(12) -- NIST AES transform
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.4 and 6.5,
IANA"
SYNTAX Unsigned32 (0..255)
IpsecDoiIdentType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "The IPsec DOI Identification Type is an 8-bit value
which is used in the ID Type field as a discriminant
for interpretation of the variable-length
Identification Payload.
Currently assigned values at the time of this
writing:
reserved(0), -- reserved in DOI
idIpv4Addr(1), -- a single four (4) octet
-- IPv4 address
idFqdn(2), -- fully-qualified domain
-- name string
idUserFqdn(3), -- fully-qualified username
-- string
idIpv4AddrSubnet(4),
-- a range of IPv4 addresses,
-- represented by two
-- four (4) octet values,
-- where the first is an
-- address and the second
-- is a mask
idIpv6Addr(5), -- a single sixteen (16)
-- octet IPv6 address
idIpv6AddrSubnet(6),
-- a range of IPv6 addresses,
-- represented by two
-- sixteen (16) octet values,
-- where the first is an
-- address and the second
-- is a mask
idIpv4AddrRange(7), -- a range of IPv4 addresses,
-- represented by two
-- four (4) octet values,
-- where the first is the
-- beginning IPv4 address
-- and the second is the
-- ending IPv4 address
idIpv6AddrRange(8), -- a range of IPv6 addresses,
-- represented by two
-- sixteen (16) octet values,
-- where the first is the
-- beginning IPv6 address
-- and the second is the
-- ending IPv6 address
idDerAsn1Dn(9), -- the binary DER encoding of
-- ASN1 X.500
-- DistinguishedName
idDerAsn1Gn(10), -- the binary DER encoding of
-- ASN1 X.500 GeneralName
idKeyId(11) -- opaque byte stream which
-- may be used to pass
-- vendor-specific
-- information
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9"
SYNTAX Unsigned32 (0..255)
IpsaCredentialType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"IpsaCredentialType identifies the type of credential
contained in a corresponding IpsaIdentityFilter object."
SYNTAX INTEGER { reserved(0),
unknown(1),
sharedSecret(2),
x509(3),
kerberos(4) }
IpsaIdentityFilter ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"IpsaIdentityFilter contains a string encoded Identity Type
value to be used in comparisons against an IKE Identity
payload. Wherever this TC is used, there should be an
accompanying column which uses the IpsecDoiIdentType TC to
specify the type of data in this object.
See the IpsecDoiIdentType TC for the supported identity
types available. Note that the IpsecDoiIdentType TC
specifies how to encode binary values, while this object
will contain human readable string versions."
SYNTAX OCTET STRING (SIZE(1..256))
--
-- Preconfigured Action Table
--
ipsaSaPreconfiguredActionTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaSaPreconfiguredActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is a list of non-negotiated IPsec actions (SAs)
that can be performed and contains or indicates the data
necessary to create such an SA."
::= { ipsaConfigObjects 1 }
ipsaSaPreconfiguredActionEntry OBJECT-TYPE
SYNTAX IpsaSaPreconfiguredActionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"One entry in the ipsaSaPreconfiguredActionTable."
INDEX { ipsaSaPreActActionName, ipsaSaPreActSADirection }
::= { ipsaSaPreconfiguredActionTable 1 }
IpsaSaPreconfiguredActionEntry ::= SEQUENCE {
ipsaSaPreActActionName SnmpAdminString,
ipsaSaPreActSADirection IpsaSADirection,
ipsaSaPreActActionDescription SnmpAdminString,
ipsaSaPreActActionLifetimeSec Unsigned32,
ipsaSaPreActActionLifetimeKB Unsigned32,
ipsaSaPreActDoActionLogging TruthValue,
ipsaSaPreActDoPacketLogging SpdIPPacketLogging,
ipsaSaPreActDFHandling INTEGER,
ipsaSaPreActActionType IpsecDoiEncapsulationMode,
ipsaSaPreActAHSPI Integer32,
ipsaSaPreActAHTransformName SnmpAdminString,
ipsaSaPreActAHSharedSecretName SnmpAdminString,
ipsaSaPreActESPSPI Integer32,
ipsaSaPreActESPTransformName SnmpAdminString,
ipsaSaPreActESPEncSecretName SnmpAdminString,
ipsaSaPreActESPAuthSecretName SnmpAdminString,
ipsaSaPreActIPCompSPI Integer32,
ipsaSaPreActIPCompTransformName SnmpAdminString,
ipsaSaPreActPeerGatewayIdName SnmpAdminString,
ipsaSaPreActLastChanged TimeStamp,
ipsaSaPreActStorageType StorageType,
ipsaSaPreActRowStatus RowStatus
}
ipsaSaPreActActionName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this
SaPreconfiguredActionEntry."
::= { ipsaSaPreconfiguredActionEntry 1 }
ipsaSaPreActSADirection OBJECT-TYPE
SYNTAX IpsaSADirection
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object indicates whether a row should apply to outgoing
or incoming SAs."
::= { ipsaSaPreconfiguredActionEntry 2 }
ipsaSaPreActActionDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An administratively assigned string which may be used
to describe what the action does."
DEFVAL { "" }
::= { ipsaSaPreconfiguredActionEntry 3 }
ipsaSaPreActActionLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActActionLifetimeSec specifies how long in seconds
the security association derived from this action should be
used. The default lifetime is 8 hours.
Note: the actual lifetime of the preconfigured SA will be
the lesser of the value of this object and of the value of
the MaxLifetimeSecs property of the associated transform.
A value of 0 indicates no time limit on the lifetime
of the SA."
DEFVAL { 28800 }
::= { ipsaSaPreconfiguredActionEntry 4 }
ipsaSaPreActActionLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActActionLifetimeKB specifies how long the
security association derived from this action should be
used. After this value in KiloBytes has passed through the
security association, it should no longer be used.
Note: the actual lifetime of the preconfigured SA will be
the lesser of the value of this object and of the value of
the MaxLifetimeKB property of the associated transform.
The default value, '0', indicates no kilobyte limit."
DEFVAL { 0 }
::= { ipsaSaPreconfiguredActionEntry 5 }
ipsaSaPreActDoActionLogging OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActDoActionLogging specifies whether or not an
audit message should be logged when a preconfigured SA is
created."
DEFVAL { false }
::= { ipsaSaPreconfiguredActionEntry 6 }
ipsaSaPreActDoPacketLogging OBJECT-TYPE
SYNTAX SpdIPPacketLogging
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaSaPreActDoPacketLogging specifies whether or not an
audit message should be logged and if there is logging, how
many bytes of the packet to place in the notification."
DEFVAL { -1 }
::= { ipsaSaPreconfiguredActionEntry 7 }
ipsaSaPreActDFHandling OBJECT-TYPE
SYNTAX INTEGER {
reserved(0), -- reserved
copy(1), -- indicates copy the DF bit from the
-- internal to external IP header.
set(2), -- set the DF bit in the external IP
-- header to 1.
clear(3) -- clear the DF bit in the external IP
-- header to 0.
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies how to process the DF bit in packets
sent through the preconfigured SA. This object is not used
for transport SAs."
DEFVAL { copy }
::= { ipsaSaPreconfiguredActionEntry 8 }
ipsaSaPreActActionType OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the encapsulation mode to use for the
preconfigured SA: tunnel or transport mode."
DEFVAL { 1 }
::= { ipsaSaPreconfiguredActionEntry 9 }
ipsaSaPreActAHSPI OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the SPI value for the AH SA."
::= { ipsaSaPreconfiguredActionEntry 10 }
ipsaSaPreActAHTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is the name of the AH transform to use as an
index into the ipsaAhTransformTable. A zero length value
indicates no transform of this type is used."
::= { ipsaSaPreconfiguredActionEntry 11 }
ipsaSaPreActAHSharedSecretName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a name value to be used as an index
into the ipsaCredentialTable which holds the pertinent
keying information for the AH SA."
::= { ipsaSaPreconfiguredActionEntry 12 }
ipsaSaPreActESPSPI OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the SPI value for the ESP SA."
::= { ipsaSaPreconfiguredActionEntry 13 }
ipsaSaPreActESPTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is the name of the ESP transform to use as an
index into the ipsaEspTransformTable. A zero length value
indicates no transform of this type is used."
::= { ipsaSaPreconfiguredActionEntry 14 }
ipsaSaPreActESPEncSecretName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a name value to be used as an index
into the ipsaCredentialTable which holds the pertinent
keying information for the encryption algorithm of the ESP
SA."
::= { ipsaSaPreconfiguredActionEntry 15 }
ipsaSaPreActESPAuthSecretName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a name value to be used as an index
into the ipsaCredentialTable which holds the pertinent
keying information for the authentication algorithm of the
ESP SA."
::= { ipsaSaPreconfiguredActionEntry 16 }
ipsaSaPreActIPCompSPI OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the SPI value for the IPComp SA."
::= { ipsaSaPreconfiguredActionEntry 17 }
ipsaSaPreActIPCompTransformName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is the name of the IPComp transform to use as
an index into the ipsaIpcompTransformTable. A zero length
value indicates no transform of this type is used."
::= { ipsaSaPreconfiguredActionEntry 18 }
ipsaSaPreActPeerGatewayIdName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the peer id name of the peer
gateway. This object can be used to look up the peer
gateway address in the ipsaPeerIdentityTable.
This object is only used when initiating a tunnel SA, and
is not used for transport SAs. If ipsaSaPreActActionType
specifies tunnel mode and this object is empty, the peer
gateway should be determined from the source or destination
of the packet."
DEFVAL { "" }
::= { ipsaSaPreconfiguredActionEntry 19 }
ipsaSaPreActLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipsaSaPreconfiguredActionEntry 20 }
ipsaSaPreActStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipsaSaPreconfiguredActionEntry 21 }
ipsaSaPreActRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaSaPreconfiguredActionEntry 22 }
--
-- AH transform definition table
--
ipsaAhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaAhTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the AH transforms which can be used to
build IPsec proposals."
::= { ipsaConfigObjects 2 }
ipsaAhTransformEntry OBJECT-TYPE
SYNTAX IpsaAhTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry contains the attributes of one AH transform."
INDEX { ipsaAhTranName }
::= { ipsaAhTransformTable 1 }
IpsaAhTransformEntry ::= SEQUENCE {
ipsaAhTranName SnmpAdminString,
ipsaAhTranMaxLifetimeSec Unsigned32,
ipsaAhTranMaxLifetimeKB Unsigned32,
ipsaAhTranAlgorithm IpsecDoiAuthAlgorithm,
ipsaAhTranReplayProtection TruthValue,
ipsaAhTranReplayWindowSize Unsigned32,
ipsaAhTranLastChanged TimeStamp,
ipsaAhTranStorageType StorageType,
ipsaAhTranRowStatus RowStatus
}
ipsaAhTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object contains the name of this AH transform. This
row will be referred to by an ipsaIpsecTransformsEntry."
::= { ipsaAhTransformEntry 1 }
ipsaAhTranMaxLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranMaxLifetimeSec specifies how long in seconds the
security association derived from this transform should be
used.
A value of 0 indicates that the default lifetime of
8 hours should be used."
::= { ipsaAhTransformEntry 2 }
ipsaAhTranMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranMaxLifetimeKB specifies how long in kilobytes the
security association derived from this transform should be
used."
::= { ipsaAhTransformEntry 3 }
ipsaAhTranAlgorithm OBJECT-TYPE
SYNTAX IpsecDoiAuthAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the AH algorithm for this transform."
::= { ipsaAhTransformEntry 4 }
ipsaAhTranReplayProtection OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranReplayProtection indicates whether or not
anti-replay service is to be provided by this SA."
::= { ipsaAhTransformEntry 5 }
ipsaAhTranReplayWindowSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaAhTranReplayWindowSize indicates the size, in bits, of
the replay window to use if replay protection is true for
this transform. The window size is assumed to be a power
of two. If Replay Protection is false, this value can be
ignored."
::= { ipsaAhTransformEntry 6 }
ipsaAhTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipsaAhTransformEntry 7 }
ipsaAhTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipsaAhTransformEntry 8 }
ipsaAhTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaAhTransformEntry 9 }
--
-- ESP transform definition table
--
ipsaEspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaEspTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the ESP transforms which can be used
to build IPsec proposals."
::= { ipsaConfigObjects 3 }
ipsaEspTransformEntry OBJECT-TYPE
SYNTAX IpsaEspTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry contains the attributes of one ESP transform."
INDEX { ipsaEspTranName }
::= { ipsaEspTransformTable 1 }
IpsaEspTransformEntry ::= SEQUENCE {
ipsaEspTranName SnmpAdminString,
ipsaEspTranMaxLifetimeSec Unsigned32,
ipsaEspTranMaxLifetimeKB Unsigned32,
ipsaEspTranCipherTransformId IpsecDoiEspTransform,
ipsaEspTranCipherKeyLength Unsigned32,
ipsaEspTranCipherKeyRounds Unsigned32,
ipsaEspTranIntegrityAlgorithmId IpsecDoiAuthAlgorithm,
ipsaEspTranReplayPrevention TruthValue,
ipsaEspTranReplayWindowSize Unsigned32,
ipsaEspTranLastChanged TimeStamp,
ipsaEspTranStorageType StorageType,
ipsaEspTranRowStatus RowStatus
}
ipsaEspTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of this particular ESP transform. This row will
be referred to by an ipsaIpsecTransformsEntry."
::= { ipsaEspTransformEntry 1 }
ipsaEspTranMaxLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranMaxLifetimeSec specifies how long in seconds the
security association derived from this transform should be
used.
A value of 0 indicates that the default lifetime of
8 hours should be used."
::= { ipsaEspTransformEntry 2 }
ipsaEspTranMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranMaxLifetimeKB specifies how long in kilobytes
the security association derived from this transform should
be used."
::= { ipsaEspTransformEntry 3 }
ipsaEspTranCipherTransformId OBJECT-TYPE
SYNTAX IpsecDoiEspTransform
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the transform ID of the ESP cipher
algorithm."
::= { ipsaEspTransformEntry 4 }
ipsaEspTranCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies, in bits, the key length for
the ESP cipher algorithm."
::= { ipsaEspTransformEntry 5 }
ipsaEspTranCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the number of key rounds for
the ESP cipher algorithm."
::= { ipsaEspTransformEntry 6 }
ipsaEspTranIntegrityAlgorithmId OBJECT-TYPE
SYNTAX IpsecDoiAuthAlgorithm
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the ESP integrity algorithm ID."
::= { ipsaEspTransformEntry 7 }
ipsaEspTranReplayPrevention OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranReplayPrevention indicates whether or not
anti-replay service is to be provided by this SA."
::= { ipsaEspTransformEntry 8 }
ipsaEspTranReplayWindowSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaEspTranReplayWindowSize indicates the size, in bits, of
the replay window to use if replay protection is true for
this transform. The window size is assumed to be a power
of two. If Replay Protection is false, this value can be
ignored."
::= { ipsaEspTransformEntry 9 }
ipsaEspTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipsaEspTransformEntry 10 }
ipsaEspTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipsaEspTransformEntry 11 }
ipsaEspTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaEspTransformEntry 12 }
--
-- IP compression transform definition table
--
ipsaIpcompTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaIpcompTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists all the IP compression transforms which
can be used to build IPsec proposals during negotiation of
a phase 2 SA."
::= { ipsaConfigObjects 4 }
ipsaIpcompTransformEntry OBJECT-TYPE
SYNTAX IpsaIpcompTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry contains the attributes of one IP compression
transform."
INDEX { ipsaIpcompTranName }
::= { ipsaIpcompTransformTable 1 }
IpsaIpcompTransformEntry ::= SEQUENCE {
ipsaIpcompTranName SnmpAdminString,
ipsaIpcompTranMaxLifetimeSec Unsigned32,
ipsaIpcompTranMaxLifetimeKB Unsigned32,
ipsaIpcompTranAlgorithm IpsecDoiIpcompTransform,
ipsaIpcompTranDictionarySize Unsigned32,
ipsaIpcompTranPrivateAlgorithm Unsigned32,
ipsaIpcompTranLastChanged TimeStamp,
ipsaIpcompTranStorageType StorageType,
ipsaIpcompTranRowStatus RowStatus
}
ipsaIpcompTranName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of this ipsaIpcompTransformEntry."
::= { ipsaIpcompTransformEntry 1 }
ipsaIpcompTranMaxLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaIpcompTranMaxLifetimeSec specifies how long in seconds
the security association derived from this transform should
be used.
A value of 0 indicates that the default lifetime of
8 hours should be used."
::= { ipsaIpcompTransformEntry 2 }
ipsaIpcompTranMaxLifetimeKB OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaIpcompTranMaxLifetimeKB specifies how long in kilobytes
the security association derived from this transform should
be used."
::= { ipsaIpcompTransformEntry 3 }
ipsaIpcompTranAlgorithm OBJECT-TYPE
SYNTAX IpsecDoiIpcompTransform
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaIpcompTranAlgorithm specifies the transform ID of the
IP compression algorithm."
::= { ipsaIpcompTransformEntry 4 }
ipsaIpcompTranDictionarySize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If the algorithm in ipsaIpcompTranAlgorithm requires a
dictionary size configuration parameter, then this is the
place to put it. This object specifies the log2 maximum
size of the dictionary for the compression algorithm."
::= { ipsaIpcompTransformEntry 5 }
ipsaIpcompTranPrivateAlgorithm OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If ipsaIpcompTranPrivateAlgorithm has a value other than zero,
then it is up to the vendor's implementation to determine
the meaning of this field and substitute a data compression
algorithm in place of ipsaIpcompTranAlgorithm."
::= { ipsaIpcompTransformEntry 6 }
ipsaIpcompTranLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipsaIpcompTransformEntry 7 }
ipsaIpcompTranStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipsaIpcompTransformEntry 8 }
ipsaIpcompTranRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaIpcompTransformEntry 9 }
--
-- Credential Table
--
ipsaCredentialTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaCredentialEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of credential values. Example of Credentials are
shared secrets, certificates or kerberos tickets."
::= { ipsaConfigObjects 5 }
ipsaCredentialEntry OBJECT-TYPE
SYNTAX IpsaCredentialEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipsaCredentialTable."
INDEX { ipsaCredName }
::= { ipsaCredentialTable 1 }
IpsaCredentialEntry ::= SEQUENCE {
ipsaCredName SnmpAdminString,
ipsaCredType IpsaCredentialType,
ipsaCredCredential OCTET STRING,
ipsaCredSize Integer32,
ipsaCredMngName SnmpAdminString,
ipsaCredRemoteID OCTET STRING,
ipsaCredAdminStatus SpdAdminStatus,
ipsaCredLastChanged TimeStamp,
ipsaCredStorageType StorageType,
ipsaCredRowStatus RowStatus
}
ipsaCredName OBJECT-TYPE
SYNTAX SnmpAdminString(SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the name for an entry in this table."
::= { ipsaCredentialEntry 1 }
ipsaCredType OBJECT-TYPE
SYNTAX IpsaCredentialType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the type of the credential for this
row."
::= { ipsaCredentialEntry 2 }
ipsaCredCredential OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the credential value.
If the size of the credential is greater than 1024, the
credential must be configured via the ipsaCredentialSegmentTable.
For credential types where the disclosure of the credential
would compromise the credential (e.g. shared secrets), when
this object is accessed for reading, it MUST return a null
length (0 length) string and MUST NOT return the configured
credential."
::= { ipsaCredentialEntry 3 }
ipsaCredSize OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value represents the size of the credential.
If this value is greater than 1024, the ipsaCredCredential
column will return an empty (0 length) string. In this case,
the value of the credential must be retrieved from the
ipsaCredentialSegmentTable.
For credential types where the disclosure of the credential
would compromise the credential (e.g. shared secrets), when
this object is accessed for reading, it MUST return a value
of 0 and MUST NOT return the size of the credential."
::= { ipsaCredentialEntry 4 }
ipsaCredMngName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the
ipsaIpsecCredMngServiceTable. For IDs that have no
credential management service, this value is left blank."
::= { ipsaCredentialEntry 5 }
ipsaCredRemoteID OBJECT-TYPE
SYNTAX OCTET STRING(SIZE(0..256))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the Identification (e.g. user name)
of the user of the key information on the remote site. If
there is no ID associated with this credential, the value
of this object should be the null string."
::= { ipsaCredentialEntry 6 }
ipsaCredAdminStatus OBJECT-TYPE
SYNTAX SpdAdminStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates whether this credential should be considered
active. Rows with a disabled status must not be used for
any purpose, including IKE or IPSEC processing.
For credentials whose size does not exceed the maximum
size for the ipsaCredCredential, it may be set to enabled
during row creation. For larger credentials, it should be
left as disabled until all rows have been uploaded to the
ipsaCredentialSegmentTable."
DEFVAL { disabled }
::= { ipsaCredentialEntry 7 }
ipsaCredLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipsaCredentialEntry 8 }
ipsaCredStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipsaCredentialEntry 9 }
ipsaCredRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaCredentialEntry 10 }
--
-- Credential Segment Value Table
--
ipsaCredentialSegmentTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaCredentialSegmentEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of credential segments. This table is used for
credentials which are larger than the maximum size allowed
for ipsaCredCredential."
::= { ipsaConfigObjects 6 }
ipsaCredentialSegmentEntry OBJECT-TYPE
SYNTAX IpsaCredentialSegmentEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row in the ipsaCredentialSegmentTable."
INDEX { ipsaCredName, ipsaCredSegIndex }
::= { ipsaCredentialSegmentTable 1 }
IpsaCredentialSegmentEntry ::= SEQUENCE {
ipsaCredSegIndex Integer32,
ipsaCredSegValue OCTET STRING,
ipsaCredSegLastChanged TimeStamp,
ipsaCredSegStorageType StorageType,
ipsaCredSegRowStatus RowStatus
}
ipsaCredSegIndex OBJECT-TYPE
SYNTAX Integer32 (1..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the segment number for this segment.
By default, each segment will be 1024 octets. However, when
this table is accessed using a context of 'ipsa4096',
'ipsa8192' or 'ipsa16384' a segment size of 4096, 8192 or
16384 (respectively) will be used instead.
The number of rows which need to be retrieved or set can be
calculated by obtaining the value of the ipsaCredSize
column from the corresponding ipsaCredentialTable row and
dividing it by the segment size."
::= { ipsaCredentialSegmentEntry 1 }
ipsaCredSegValue OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents one segment of the credential.
By default, each complete segment will be 1024 octets. (The
last row for a given credential might be smaller, if the
credential size is not a multiple of the segment size).
An implementation may optionally support segment sizes of
256, 4096, 8192 or the full object size when this table is
accessed using a context of 'ipsaCred256',
'ipsaCred4096', 'ipsaCred8192' or 'ipsaCredFull'
(respectively).
The number of rows which need to be retrieved or set can be
calculated by obtaining the value of the ipsaCredSize
column from the corresponding ipsaCredentialTable row and
dividing it by the segment size."
::= { ipsaCredentialSegmentEntry 2 }
ipsaCredSegLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this credential was last
modified or created either through SNMP SETs or by some
other external means. Note that the last changed time will
be the same for all segments of the credential."
::= { ipsaCredentialSegmentEntry 3 }
ipsaCredSegStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The storage type for this row. This object is
read-only. Rows in this table have the same value as the
ipsaCredStorageType for the corresponding row in the
ipsaCredentialTable."
DEFVAL { nonVolatile }
::= { ipsaCredentialSegmentEntry 4 }
ipsaCredSegRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaCredentialSegmentEntry 5 }
--
-- Peer Identity Table
--
ipsaPeerIdentityTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsaPeerIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"PeerIdentity is used to represent the identities that may
be used for peers to identify themselves in IKE phase I/II
negotiations. PeerIdentityTable aggregates the table
entries that provide mappings between identities and their
addresses."
::= { ipsaConfigObjects 7 }
ipsaPeerIdentityEntry OBJECT-TYPE
SYNTAX IpsaPeerIdentityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"peerIdentity matches a peer's identity to its address."
INDEX { ipsaPeerIdName, ipsaPeerIdPriority }
::= { ipsaPeerIdentityTable 1 }
IpsaPeerIdentityEntry ::= SEQUENCE {
ipsaPeerIdName SnmpAdminString,
ipsaPeerIdPriority Integer32,
ipsaPeerIdType IpsecDoiIdentType,
ipsaPeerIdValue IpsaIdentityFilter,
ipsaPeerIdAddressType InetAddressType,
ipsaPeerIdAddress InetAddress,
ipsaPeerIdCredentialName SnmpAdminString,
ipsaPeerIdLastChanged TimeStamp,
ipsaPeerIdStorageType StorageType,
ipsaPeerIdRowStatus RowStatus
}
ipsaPeerIdName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is an administratively assigned value that, together
with ipsaPeerIdPriority, uniquely identifies an entry in
this table."
::= { ipsaPeerIdentityEntry 1 }
ipsaPeerIdPriority OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object, along with ipsaPeerIdName, uniquely identifies
an entry in this table. The priority also indicates the
order of peer gateways to initiate or accept SAs from
(i.e. try until success)."
::= { ipsaPeerIdentityEntry 2 }
ipsaPeerIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaPeerIdType is an enumeration identifying the type of the
Identity value."
::= { ipsaPeerIdentityEntry 3 }
ipsaPeerIdValue OBJECT-TYPE
SYNTAX IpsaIdentityFilter
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"ipsaPeerIdValue contains an Identity filter to be used to
match against the identity payload in an IKE request, or
blank otherwise. If this value matches the value in the
identity payload, the credential for the peer can be found
using the ipsaPeerIdCredentialName as an index into the
credential table."
::= { ipsaPeerIdentityEntry 4 }
ipsaPeerIdAddressType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property ipsaPeerIdAddressType specifies the format of
the ipsaPeerIdAddress property value."
::= { ipsaPeerIdentityEntry 5 }
ipsaPeerIdAddress OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The property PeerAddress specifies the IP address of the
peer. The format is specified by the
ipsaPeerIdAddressType.
Values of unknown, ipv4z, ipv6z and dns are not legal
values for this object."
::= { ipsaPeerIdentityEntry 6 }
ipsaPeerIdCredentialName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value is used as an index into the ipsaCredentialTable
to look up the actual credential value and other credential
information. For peer IDs that have no associated
credential information, this value is left blank."
::= { ipsaPeerIdentityEntry 7 }
ipsaPeerIdLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when this row was last modified or
created either through SNMP SETs or by some other external
means."
::= { ipsaPeerIdentityEntry 8 }
ipsaPeerIdStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this row. Rows in this table which
were created through an external process may have a storage
type of readOnly or permanent."
DEFVAL { nonVolatile }
::= { ipsaPeerIdentityEntry 9 }
ipsaPeerIdRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates the conceptual status of this row.
The value of this object has no effect on whether other
objects in this conceptual row can be modified.
If active, this object must remain active if it is
referenced by a row in another table."
::= { ipsaPeerIdentityEntry 10 }
--
--
-- Notification objects information
--
--
ipsaNotificationVariables OBJECT IDENTIFIER ::=
{ ipsaNotificationObjects 1 }
ipsaNotifications OBJECT IDENTIFIER ::=
{ ipsaNotificationObjects 0 }
--
--
-- Conformance information
--
--
ipsaCompliances OBJECT IDENTIFIER
::= { ipsaConformanceObjects 1 }
ipsaGroups OBJECT IDENTIFIER
::= { ipsaConformanceObjects 2 }
--
-- Compliance statements
--
--
ipsaIPsecCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that include an
IPsec MIB implementation and supports IPsec actions."
MODULE -- This Module
MANDATORY-GROUPS { ipsaPreconfiguredGroup, ipsaSharedGroup }
OBJECT ipsaSaPreActRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaSaPreActLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaAhTranRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaAhTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaEspTranRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaEspTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaIpcompTranRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaIpcompTranLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaPeerIdRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaPeerIdLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaCredRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaCredLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
OBJECT ipsaCredSegRowStatus
SYNTAX RowStatus {
active(1), createAndGo(4), destroy(6)
}
DESCRIPTION
"Support of the values notInService(2), notReady(3),
and createAndWait(5) is not required."
OBJECT ipsaCredSegLastChanged
MIN-ACCESS not-accessible
DESCRIPTION
"This object is optional so as not to impose an undue
burden on resource-constrained devices."
::= { ipsaCompliances 1 }
--
--
-- Compliance Groups Definitions
--
ipsaPreconfiguredGroup OBJECT-GROUP
OBJECTS {
ipsaSaPreActActionDescription,
ipsaSaPreActActionLifetimeSec, ipsaSaPreActActionLifetimeKB,
ipsaSaPreActDoActionLogging, ipsaSaPreActDoPacketLogging,
ipsaSaPreActDFHandling, ipsaSaPreActActionType,
ipsaSaPreActAHSPI, ipsaSaPreActAHTransformName,
ipsaSaPreActAHSharedSecretName, ipsaSaPreActESPSPI,
ipsaSaPreActESPTransformName, ipsaSaPreActESPEncSecretName,
ipsaSaPreActESPAuthSecretName, ipsaSaPreActIPCompSPI,
ipsaSaPreActIPCompTransformName,
ipsaSaPreActPeerGatewayIdName, ipsaSaPreActLastChanged,
ipsaSaPreActStorageType, ipsaSaPreActRowStatus
}
STATUS current
DESCRIPTION
"This group is the set of objects that support preconfigured
IPsec actions. These objects are from The Preconfigured
Action Table. This group also includes objects from the
shared tables: Peer Identity Table, Credential Table,
Credential Management Service Table and the AH, ESP, and
IPComp Transform Tables."
::= { ipsaGroups 1 }
ipsaSharedGroup OBJECT-GROUP
OBJECTS {
ipsaAhTranMaxLifetimeSec, ipsaAhTranMaxLifetimeKB,
ipsaAhTranAlgorithm, ipsaAhTranReplayProtection,
ipsaAhTranReplayWindowSize, ipsaAhTranLastChanged,
ipsaAhTranStorageType, ipsaAhTranRowStatus,
ipsaEspTranMaxLifetimeSec, ipsaEspTranMaxLifetimeKB,
ipsaEspTranCipherTransformId, ipsaEspTranCipherKeyLength,
ipsaEspTranCipherKeyRounds, ipsaEspTranIntegrityAlgorithmId,
ipsaEspTranReplayPrevention, ipsaEspTranReplayWindowSize,
ipsaEspTranLastChanged, ipsaEspTranStorageType,
ipsaEspTranRowStatus,
ipsaIpcompTranDictionarySize, ipsaIpcompTranAlgorithm,
ipsaIpcompTranMaxLifetimeSec, ipsaIpcompTranMaxLifetimeKB,
ipsaIpcompTranPrivateAlgorithm, ipsaIpcompTranLastChanged,
ipsaIpcompTranStorageType, ipsaIpcompTranRowStatus,
ipsaCredType, ipsaCredCredential, ipsaCredMngName,
ipsaCredSize, ipsaCredRemoteID, ipsaCredAdminStatus,
ipsaCredLastChanged, ipsaCredStorageType, ipsaCredRowStatus,
ipsaCredSegValue, ipsaCredSegLastChanged,
ipsaCredSegStorageType, ipsaCredSegRowStatus,
ipsaPeerIdValue, ipsaPeerIdType, ipsaPeerIdAddress,
ipsaPeerIdAddressType, ipsaPeerIdCredentialName,
ipsaPeerIdLastChanged, ipsaPeerIdStorageType,
ipsaPeerIdRowStatus
}
STATUS current
DESCRIPTION
"This group includes objects from tables expected
to be shared by other modules: Peer Identity Table,
Credential Table, Credential Management Service Table and
the AH, ESP, and IPComp Transform Tables."
::= { ipsaGroups 2 }
END
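The ipsaCredentialTable and ipsaCredentialSegmentTable descriptions above spell out three rules an agent has to apply: credentials of a secret type read back as an empty string with ipsaCredSize 0, credentials larger than 1024 octets are transferred as segments whose size depends on the SNMPv3 context used, and ipsaCredAdminStatus should stay disabled until every segment row is present. The following Python model is an added example, not code from the draft; the credential type names and the choice to apply the non-disclosure rule to the segment table as well are assumptions.

```python
"""Model of the ipsaCredentialTable / ipsaCredentialSegmentTable rules.

Added example, not part of the draft. Credential type names ('sharedSecret',
'privateKey', 'certificate') are assumed; the IpsaCredentialType enumeration
is defined elsewhere in the MIB module.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_INLINE = 1024  # SIZE(0..1024) limit of ipsaCredCredential

# Segment size selected by the SNMPv3 context used to access the segment
# table (from the ipsaCredSegValue description). 'ipsaCredFull' is handled
# separately because its segment size is the credential size itself.
CONTEXT_SEGMENT_SIZE = {
    "": 1024,            # default context
    "ipsaCred256": 256,
    "ipsaCred4096": 4096,
    "ipsaCred8192": 8192,
}

# Types whose disclosure would compromise the credential: a GET MUST return
# a zero-length ipsaCredCredential and an ipsaCredSize of 0.
SECRET_TYPES = {"sharedSecret", "privateKey"}


@dataclass
class CredentialRow:
    name: str          # ipsaCredName
    cred_type: str     # ipsaCredType
    value: bytes       # the configured credential held by the agent


def segment_size(context: str, cred_size: int) -> int:
    """Octets per segment for the given access context."""
    if context == "ipsaCredFull":
        return max(cred_size, 1)          # one row carries the whole value
    return CONTEXT_SEGMENT_SIZE[context]  # unknown context raises KeyError


def segment_count(cred_size: int, seg_size: int) -> int:
    """Rows needed in ipsaCredentialSegmentTable. The draft says to divide
    ipsaCredSize by the segment size; that division must round up, because
    the last row may be shorter than a full segment."""
    return (cred_size + seg_size - 1) // seg_size


def read_credential(row: CredentialRow) -> Tuple[bytes, int]:
    """GET of (ipsaCredCredential, ipsaCredSize) for a row."""
    if row.cred_type in SECRET_TYPES:
        return b"", 0                     # never disclose secrets or their size
    if len(row.value) > MAX_INLINE:
        return b"", len(row.value)        # too large: use the segment table
    return row.value, len(row.value)


def read_segments(row: CredentialRow, context: str = "") -> Dict[int, bytes]:
    """Rows of ipsaCredentialSegmentTable keyed by ipsaCredSegIndex (1-based)."""
    if row.cred_type in SECRET_TYPES:
        return {}                         # assumption: same rule as the inline column
    seg = segment_size(context, len(row.value))
    n = segment_count(len(row.value), seg)
    return {i + 1: row.value[i * seg:(i + 1) * seg] for i in range(n)}


def assemble(segments: Dict[int, bytes], cred_size: int,
             context: str = "") -> Optional[bytes]:
    """Rebuild a credential from uploaded segment rows. Returns None when a
    row is missing or the reassembled length disagrees with ipsaCredSize."""
    seg = segment_size(context, cred_size)
    n = segment_count(cred_size, seg)
    if set(segments) != set(range(1, n + 1)):
        return None
    data = b"".join(segments[i] for i in range(1, n + 1))
    return data if len(data) == cred_size else None


def may_enable(cred_size: int, segments: Dict[int, bytes],
               context: str = "") -> bool:
    """ipsaCredAdminStatus may be set to enabled at row creation only for
    credentials that fit in ipsaCredCredential; larger ones must stay
    disabled until every segment row has been uploaded."""
    if cred_size <= MAX_INLINE:
        return True
    return assemble(segments, cred_size, context) is not None
```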
6. Security Considerations
6.1 Introduction
This document defines a MIB module used to configure IPsec policy
services. Since IPsec provides security services it is important
that the IPsec configuration data be at least as protected as the
IPsec provided security service. There are two threats you need to
thwart when configuring IPsec devices.
1. To make sure that only the official administrators are allowed to
configure a device, only authenticated administrators should be
allowed to do device configuration. The support for SET
operations in a non-secure environment without proper protection
can have a negative effect on network operations.
2. Unfriendly parties should not be able to read configuration data
while the data is in network transit. Any knowledge about a
device's IPsec policy configuration could help an unfriendly
party compromise that device and/or a network it protects. It is
thus important to control even GET access to these objects and
possibly to even encrypt the values of these objects when sending
them over the network via SNMP.
SNMP versions prior to SNMPv3 did not include adequate security. Even
if the network itself is secure (for example by using IPsec), there is
still no control over who on the secure network is allowed to access
and GET/SET (read/change/create/delete) the objects in this MIB
module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module, is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
SNMP version 3. The rest of this discussion assumes the use of
SNMPv3. This is a real strength, because it allows administrators
the ability to load new IPsec configuration on a device and keep the
conversation private and authenticated under the protection of SNMPv3
before any IPsec protections are available. Once initial
establishment of IPsec configuration on a device has been achieved,
it would be possible to set up IPsec SAs to then also provide
security and integrity services to the configuration conversation.
This may seem redundant at first, but will be shown to have a use for
added privacy protection below.
6.2 Protecting against in-authentic access
The current SNMPv3 User Security Model provides for key based user
authentication. Typically, keys are derived from passwords (but are
not required to be), and the keys are then used in HMAC algorithms
(currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
data. Each SNMP device keeps a (configured) list of users and keys.
Under SNMPv3 user keys may be updated as often as an administrator
cares to have users enter new passwords. But Perfect Forward Secrecy
for user keys is not yet provided by standards track documents,
although RFC2786 defines an experimental method of doing so.
6.3 Protecting against involuntary disclosure
While sending IPsec configuration data to a PEP, there are a few
critical parameters which MUST NOT be observed by third parties.
These include IKE Pre-Shared Keys and possibly the private key of a
public/private key pair for use in a PKI. Were either of those
parameters to be known to a third party, they could then impersonate
your device to other IKE peers. Aside from those critical parameters,
policy administrators have an interest in not divulging any of their
policy configuration. Any knowledge about a device's configuration
could help an unfriendly party compromise that device. SNMPv3 offers
privacy security services, but at the time this document was written,
the only standardized encryption algorithm supported by SNMPv3 is the
DES encryption algorithm. Support for other (stronger) cryptographic
algorithms was in the works and may be done as you read this. Policy
administrators SHOULD use a privacy security service to configure
their IPsec policy which is at least as strong as the desired IPsec
policy. For example, it is unwise to configure IPsec parameters
implementing 3DES algorithms while only protecting that conversation
with single DES.
6.4 Bootstrapping your configuration
Hopefully vendors will not ship new products with a default SNMPv3
user/password pair, but it is possible. Most SNMPv3 distributions
should hopefully require an out-of-band initialization over a trusted
medium, such as a local console connection.
7. Acknowledgments
Many other people contributed thoughts and ideas that influenced this
MIB module. Some special thanks are in order to the following people:
Lindy Foster (Sparta, Inc.)
John Gillis (ADC)
Jamie Jason (Intel Corporation)
Roger Hartmuller (Sparta, Inc.)
David Partain (Ericsson)
Lee Rafalow (IBM)
Jon Saperia (JDS Consulting)
John Shriver (Internap Network Services Corporation)
Eric Vyncke (Cisco Systems)
Normative References
[RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy Database Configuration MIB",
January 2004.
[RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
Wang, "IPsec Security Policy IKE Action MIB", January
2004.
[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
"Introduction and Applicability Statements for
Internet-Standard Management Framework", RFC 3410,
December 2002.
[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R. and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412, December
2002.
[RFC3413] Levi, D., Meyer, P. and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, RFC
3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415, December
2002.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April
1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Textual Conventions for
SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D. and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3585] Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
Policy Information Model", RFC 3585, August 2003.
Informative References
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper",
November 2000.
Authors' Addresses
Michael Baer
Sparta, Inc.
7075 Samuel Morse Drive
Columbia, MD 21046
US
EMail: baerm@tislabs.com
Ricky Charlet
Self
EMail: rcharlet@alumni.calpoly.edu
Wes Hardaker
Sparta, Inc.
P.O. Box 382
Davis, CA 95617
US
Phone: +1 530 792 1913
EMail: hardaker@tislabs.com
Robert Story
Revelstone Software
PO Box 1812
Tucker, GA 30085
US
EMail: rs-snmp@revelstone.com
Cliff Wang
SmartPipes, Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
US
EMail: cliffwang2000@yahoo.com
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.