INTERNET DRAFT                                                    Man Li
IPSP working group                                         David Arneson
Expires January 2001                                               Nokia
Standards Track
                                                              Avri Doria
                                                         Nortel Networks

                                                             Jamie Jason
                                                                   Intel


                         IPSec Policy Information Base

                       <draft-ietf-ipsp-ipsecpib-00.txt>



Status of this Memo

     This document is an Internet-Draft and is in full conformance with
     all provisions of Section 10 of RFC2026.

     Internet-Drafts are working documents of the Internet Engineering
     Task Force (IETF), its areas, and its working groups.  Note that
     other groups may also distribute working documents as Internet-
     Drafts.

     Internet-Drafts are draft documents valid for a maximum of six
     months and may be updated, replaced, or obsoleted by other
     documents at any time.  It is inappropriate to use Internet-
     Drafts as reference material or to cite them other than as "work
     in progress."

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.


Abstract

This document specifies a set of policy rule classes (PRC) for
configuring IPSec services. Instances of these classes reside in a
virtual information store called IPSec Policy Information Base (PIB).

The COPS protocol [COPS] with the extensions for provisioning
[COPS-PR] may be used to transmit this IPSec policy information to
IPSec-enabled devices (e.g., gateways) in order to configure VPN
services. The PRCs defined in this IPSec PIB are intended for use by
the COPS-PR IPSec client type. They complement the PRCs defined in
the Framework PIB [FR-PIB].


Li,Arneson,Doria,Jason                                        [Page 1]


Internet Draft     IPSec Policy Information Base            July 2000


1. Introduction

The policy rule classes (PRC) defined in this document contain
parameters for IKE phase one and phase two negotiations. The IPSec
PIB, when downloaded to IPSec-enabled devices, enables them to
construct a Security Policy Database (SPD). The PRCs described in
this document are based on [IPSEC-IM], [IKE], [ESP], [AH], [DOI],
[IPCOMP] and [SPPI]. Please refer to [ARCH] for a description of the
IPSec architecture and to [PCIM] and [FR-PIB] for information about
applying the concepts of role and role combination to policy
management.

Following the policy framework convention, the management entity that
downloads policy to IPSec-enabled devices is called a Policy Decision
Point (PDP) and the IPSec-enabled devices are called Policy
Enforcement Points (PEP). On boot up, a PEP reports to a PDP, among
other things, its role or role combination. The PDP then determines
the IPSec PIB that should be downloaded to the PEP according to that
role description. Later on, if the role of the PEP changes, the PEP
notifies the PDP of its new role and the PDP sends a new PIB to the
PEP. In addition, if the policy associated with a particular role
changes, the PDP downloads the new PIB to all PEPs that have
registered with that role.

There is an ongoing effort to define an IPSec configuration policy
model [IPSEC-IM]. The PIB defined in this document is not completely
aligned with that information model; as work progresses, the two
should be aligned in the near future.


2. Descriptions of the IPSec PIB

2.1 ipSecSelectorTable

This table specifies IPSec selectors. The selectors form an ordered
list and the ipSecSelectorOrder attribute defines the position of a
selector within the list. Each selector is associated with an IPSec
action. An IP packet is compared with the ordered selector list and
the first match is selected. The action associated with that selector
is then applied to the packet.

Multiple selectors may be associated with the same action and, if
IPSec protection is required, with the same IKE phase 1 and phase 2
negotiation parameters. Such selectors are grouped together and are
given the same selector group number, as indicated by the
ipSecSelectorGroupId attribute.

In some situations, either the source or the destination address of a
selector needs to be a wild card. Remote access is an example: a
remote terminal is dynamically assigned an IP address by its ISP.
That address cannot be known beforehand and hence needs to be
specified as a wild-carded address in the IPSec policy. A wild-carded
IP address is specified by the combination of an all-zero IP address
(e.g., IPv4 0.0.0.0) and an all-zero address mask (e.g., IPv4
0.0.0.0).

Another type of wild-carded address is the so-called semi-wild-carded
address. It denotes "all the addresses protected by the PEP
gateway", and it is the PEP that expands it to its own set of
protected addresses. For a VPN with a well-defined topology (e.g.,
fully meshed), a selector stating "TCP traffic from all the addresses
protected by the PEP to network Z" can be downloaded to all the VPN
gateways without spelling out the different protected IP addresses
for each gateway. This simplifies PIB construction and network
management. A semi-wild-carded IP address is specified by the
combination of an all-zero IP address and an all-ones address mask
(e.g., IPv4 255.255.255.255).

2.2 ipSecActionTable

This table specifies the service to be provided to an IP packet.
Actions include Bypass, Discard, Transport and Tunnel. When Tunnel is
specified, the address of the remote gateway to which the tunnel is
to be established must also be specified.

If Transport or Tunnel is specified, references to the
ipSecSecurityAssociationTable and the ipSecIkeActionTable must also
be specified. These two tables provide the details of the IPSec and
IKE associations.

2.3 ipSecRuleTable

This table ties role combinations, selector groups and IPSec actions
together. Each row specifies an individual rule of a security policy
database: it references a selector group and an IPSec action, and
effectively says that if a packet matches a selector in the
referenced selector group, it should be provided with the service
specified by the action. The rule also carries the traffic direction
to which it applies.

This table also references the ipSecPolicyTimePeriodGroupTable to
specify the time periods during which a rule is valid.
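
The lookup that sections 2.1 to 2.3 describe, as an added example that
is not part of this draft: an ordered walk of the selector list with
first-match semantics, the wild-card and semi-wild-card address
conventions, and the rule that binds a selector group and a direction
to an action. The gateway's protected prefix, the sample policy and the
packets are constructed; roles, FQDN selectors and Min/Max address
ranges are left out, and treating a 0/0 port pair as "any port" is an
assumption the draft does not state.

```python
"""SPD lookup over the ipSecSelectorTable, ipSecActionTable and ipSecRuleTable
model. Added example, not part of the draft; sample policy and packets are
constructed. Roles, FQDN selectors and address ranges (Min/Max) are omitted."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:                 # one ipSecSelectorTable row
    prid: int
    order: int                  # ipSecSelectorOrder: lower value is checked first
    group_id: int               # ipSecSelectorGroupId
    src_addr: str
    src_mask: str
    dst_addr: str
    dst_mask: str
    protocol: int = 0           # ipSecSelectorProtocol: 0 matches any protocol
    src_port_min: int = 0
    src_port_max: int = 0       # 0 means no range: match src_port_min exactly
    dst_port_min: int = 0
    dst_port_max: int = 0


# ipSecActionTable row (SA and IKE references omitted); gateway is tunnel only
Action = namedtuple("Action", "prid action remote_gateway", defaults=("",))
# ipSecRuleTable row (roles and time period group omitted)
Rule = namedtuple("Rule", "prid direction selector_group_id action_id")
Packet = namedtuple("Packet", "src dst protocol src_port dst_port direction")


def addr_matches(sel_addr: str, sel_mask: str, pkt_addr: str,
                 protected: tuple) -> bool:
    """Section 2.1 address semantics: all-zero address with all-zero mask is a
    wild card; all-zero address with all-ones mask is the semi-wild-card, which
    the PEP expands to its own protected networks; otherwise a masked compare."""
    a, m, p = ip_address(sel_addr), ip_address(sel_mask), ip_address(pkt_addr)
    if a.version != p.version:  # an IPv4 selector never matches an IPv6 packet
        return False
    all_ones = (1 << a.max_prefixlen) - 1
    if int(a) == 0 and int(m) == 0:
        return True
    if int(a) == 0 and int(m) == all_ones:
        return any(p in ip_network(net) for net in protected)
    return (int(p) & int(m)) == (int(a) & int(m))


def port_matches(lo: int, hi: int, port: int) -> bool:
    # Assumption: lo == hi == 0 means "any port". The draft only defines hi == 0
    # as "no range"; it does not say what a single port of 0 means.
    if hi == 0:
        return lo == 0 or port == lo
    return lo <= port <= hi


def selector_matches(sel: Selector, pkt: Packet, protected: tuple) -> bool:
    return (addr_matches(sel.src_addr, sel.src_mask, pkt.src, protected)
            and addr_matches(sel.dst_addr, sel.dst_mask, pkt.dst, protected)
            and sel.protocol in (0, pkt.protocol)
            and port_matches(sel.src_port_min, sel.src_port_max, pkt.src_port)
            and port_matches(sel.dst_port_min, sel.dst_port_max, pkt.dst_port))


def lookup(pkt: Packet, selectors: list, rules: list, actions: list,
           protected: tuple) -> Optional[Action]:
    """Walk the selectors in ipSecSelectorOrder and stop at the first match; the
    rule that references its group and covers the packet's direction supplies
    the action. A match with no such rule falls through (local choice)."""
    by_id = {a.prid: a for a in actions}
    for sel in sorted(selectors, key=lambda s: s.order):
        if not selector_matches(sel, pkt, protected):
            continue
        for rule in rules:
            if (rule.selector_group_id == sel.group_id
                    and rule.direction in (pkt.direction, "bi-directional")):
                return by_id[rule.action_id]
    return None                 # the draft defines no default for "no match"


# Constructed sample policy for a gateway that protects 10.1.0.0/16.
PROTECTED = ("10.1.0.0/16",)
SELECTORS = [
    # protected hosts -> site 10.2.0.0/16 over TCP: tunnel (semi-wild-carded src)
    Selector(1, 10, 1, "0.0.0.0", "255.255.255.255", "10.2.0.0", "255.255.0.0", 6),
    # any remote host -> protected hosts: transport (wild-carded src, remote access)
    Selector(2, 20, 2, "0.0.0.0", "0.0.0.0", "10.1.0.0", "255.255.0.0"),
    Selector(3, 30, 3, "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0"),  # else discard
]
ACTIONS = [Action(1, "tunnel", "192.0.2.2"), Action(2, "transport"),
           Action(3, "discard")]
RULES = [Rule(1, "out", 1, 1), Rule(2, "in", 2, 2), Rule(3, "bi-directional", 3, 3)]


def classify(pkt: Packet) -> str:
    act = lookup(pkt, SELECTORS, RULES, ACTIONS, PROTECTED)
    return act.action if act else "no-match"
```

Because the walk is first-match, the position of the catch-all discard
selector decides everything: with ipSecSelectorOrder 30 it only catches
traffic the two specific selectors reject, while the same row at order
5 would discard every packet, which is why a PDP must assign orders
deliberately rather than rely on row insertion order.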

2.4 ipSecIkeActionTable

This table specifies attributes associated with IKE Associations. It
also references a row in the ipSecIkeProposalGroupTable to specify
proposals the PEP should propose when establishing an IKE
association.

2.5 ipSecIkeProposalGroupTable

This table specifies multiple IKE proposal groups. Within a group,
proposals are ORed, in order of preference.

2.6 ipSecIkeProposalTable

This table specifies attributes associated with IKE proposals.

2.7 ipSecSecurityAssociationTable

This table specifies attributes associated with IPSec Associations.
It also references a row in the ipSecProposalGroupTable to specify
proposals the PEP should propose when establishing an IPSec
association.

2.8 ipSecProposalGroupTable

This table specifies multiple IPSec proposal groups. Within a group,
proposals are ORed, in order of preference.

2.9 ipSecProposalTable

This table specifies IPSec proposals. It references the
ipSecEspTransformGroupTable, ipSecAhTransformGroupTable and
ipSecCompTransformGroupTable to specify transforms within each
proposal. Within a proposal, different transforms are ANDed.

2.10 ipSecEspTransformGroupTable

This table specifies multiple ESP transform groups. Within a
transform group, the choices are ORed with preference order.

2.11 ipSecEspTransformTable

This table specifies attributes associated with ESP transforms.

2.12 ipSecAhTransformGroupTable

This table specifies multiple AH transform groups. Within a transform
group, the choices are ORed with preference order.

2.13 ipSecAhTransformTable

This table specifies attributes associated with AH transforms.

2.14 ipSecCompTransformGroupTable

This table specifies multiple IPComp transform groups. Within a
transform group, the choices are ORed with preference order.

2.15 ipSecCompTransformTable

This table specifies attributes associated with IPComp transforms.
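
The OR-with-preference and AND semantics of sections 2.8 through 2.15,
as an added example that is not part of this draft (the IKE proposal
groups of 2.5 and 2.6 follow the same OR-with-preference rule, so this
one block serves both): a responder walks its own proposal group in
preference order, requires every transform group named by a proposal to
be satisfied at once, and, when several peer offers satisfy the same
proposal, picks the one its own transform lists rank highest rather
than the one the peer listed first. Transform labels and the local
policy are constructed.

```python
"""Proposal selection modelled on the ipSecProposalGroupTable,
ipSecProposalTable and ipSec{Esp,Ah,Comp}TransformGroupTable structure:
proposals in a group are ORed in preference order, the transforms named by
one proposal are ANDed, and each transform group is itself an ORed preference
list. Added example, not from the draft; transform labels are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Proposal:          # one ipSecProposalTable row plus its transform groups
    name: str
    esp: Tuple[str, ...] = ()    # empty group: ESP must NOT appear in the offer
    ah: Tuple[str, ...] = ()
    comp: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Offer:             # one proposal received from the peer
    esp: Optional[str] = None
    ah: Optional[str] = None
    comp: Optional[str] = None


def rank(choices: Tuple[str, ...], offered: Optional[str]) -> Optional[int]:
    """Preference index of the offered transform within an ORed transform
    group, or None if the group is not satisfied. An empty group requires the
    protocol to be absent (rank 0); a non-empty group requires a member."""
    if not choices:
        return 0 if offered is None else None
    if offered is None or offered not in choices:
        return None
    return choices.index(offered)


def match(local: Proposal, offer: Offer) -> Optional[Tuple[int, int, int]]:
    """AND of the three transform groups: all of them must be satisfied."""
    ranks = (rank(local.esp, offer.esp), rank(local.ah, offer.ah),
             rank(local.comp, offer.comp))
    return None if None in ranks else ranks


def select(group: list, offers: list) -> Optional[Tuple[str, Offer]]:
    """Walk our proposal group in preference order and return the first
    proposal that any offer satisfies, together with the offer whose
    transforms rank best in our own lists (not in the peer's order)."""
    for prop in group:
        best = None
        for off in offers:
            r = match(prop, off)
            if r is not None and (best is None or r < best[0]):
                best = (r, off)
        if best is not None:
            return prop.name, best[1]
    return None


# Constructed local policy: prefer ESP+IPComp, then ESP alone, then AH alone.
LOCAL_GROUP = [
    Proposal("esp-aes-comp", esp=("ESP-AES-128-HMAC-SHA1",),
             comp=("IPCOMP-DEFLATE",)),
    Proposal("esp-only", esp=("ESP-AES-128-HMAC-SHA1", "ESP-3DES-HMAC-SHA1")),
    Proposal("ah-only", ah=("AH-HMAC-SHA1",)),
]
```

The AND rule is what rejects a bundle the peer pads with an extra
protocol: an offer of ESP plus AH satisfies none of the three local
proposals, because each of them leaves one of those groups empty, and an
empty group means "must be absent" rather than "don't care".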

2.16 ipSecPolicyTimePeriodTable

A policy may be valid only for some given time periods. [FR-PIB]
describes a method for pre-provisioning policy that a PDP can later
activate with a single decision message.

In large networks, it may be desirable to include the validity
periods in the policy itself. It is then the responsibility of the
PEPs to activate and de-activate the policy according to the time
periods specified. This table, together with the
ipSecPolicyTimePeriodGroupTable, provides a way to specify policy
validity periods.

The attributes and their formats are the same as those of the
PolicyTimePeriodCondition class in [PCIM]. This consistency should
help in constructing the PIB from the information model or schema.

2.17 ipSecPolicyTimePeriodGroupTable

The ipSecPolicyTimePeriodTable is able to specify a single time
period over multiple days (e.g., 8:00-10:00 am every Friday). This
table allows one to specify multiple time periods over multiple days
(e.g., 8:00-10:00 am and 2:00-5:00 pm every Friday) by putting
multiple rows of the ipSecPolicyTimePeriodTable into one group.
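
How a PEP would evaluate a time period group, as an added example that
is taken neither from this draft nor from [PCIM]: rows in a group are
ORed, a group reference of zero means the rule is always valid, and a
window that crosses midnight is handled explicitly because the PEP,
not the PDP, is the one that has to switch the rule on and off. The row
encoding (a weekday set plus a start and end time) is a simplified
stand-in for the PolicyTimePeriodCondition attributes, and the sample
groups are constructed.

```python
"""Evaluation of an ipSecPolicyTimePeriodGroup on the PEP: a rule is active
when the current time falls inside any one of the group's rows (rows are
ORed), and a group reference of zero means always valid. Added example, not
from the draft; the row encoding is a simplified stand-in for PCIM's
PolicyTimePeriodCondition."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List


@dataclass(frozen=True)
class TimePeriod:               # simplified ipSecPolicyTimePeriodTable row
    days: FrozenSet[int]        # datetime.weekday() values, Monday=0 .. Sunday=6
    start: time                 # inclusive
    end: time                   # exclusive; end <= start: window crosses midnight

    def contains(self, when: datetime) -> bool:
        t = when.time()
        if self.start < self.end:
            return when.weekday() in self.days and self.start <= t < self.end
        # Crosses midnight: the part after 'start' belongs to a listed day, the
        # part before 'end' belongs to the morning after a listed day.
        if when.weekday() in self.days and t >= self.start:
            return True
        return (when.weekday() - 1) % 7 in self.days and t < self.end


def rule_active(group: List[TimePeriod], when: datetime) -> bool:
    if not group:               # time period group id 0: valid until deleted
        return True
    return any(p.contains(when) for p in group)


def at(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute)


WEEKDAYS = frozenset(range(5))
# Constructed groups: the section's "8:00-10:00 and 14:00-17:00 every Friday",
# and an overnight window the PEP must keep active across the day boundary.
FRIDAY_OFFICE_HOURS = [TimePeriod(frozenset({4}), time(8, 0), time(10, 0)),
                       TimePeriod(frozenset({4}), time(14, 0), time(17, 0))]
WEEKNIGHT_BATCH = [TimePeriod(WEEKDAYS, time(22, 0), time(2, 0))]
```

The overnight case is the one a naive "start <= now < end on a listed
day" check gets wrong: Saturday 01:00 must still be inside a Friday
22:00-02:00 window, and Monday 01:00 must not be, because Sunday is not
a listed day.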


3. The IPSec PIB

IPSEC-BASE-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS

  Unsigned32, MODULE-IDENTITY, OBJECT-TYPE,
  PolicyInstanceId, PolicyReferenceId
       FROM COPS-PR-SPPI
  OBJECT-IDENTITY
       FROM SNMPv2-SMI
  TruthValue, TEXTUAL-CONVENTION
       FROM SNMPv2-TC
  RoleCombination
       FROM POLICY-FRAMEWORK-PIB;

ipSecPolicyPib MODULE-IDENTITY
  CLIENT-TYPE { tbd -- IPSec Client Type }
  LAST-UPDATED "200007101800Z"
  ORGANIZATION "IETF ipsp WG"
  CONTACT-INFO "
                 Man Li
                 Nokia
                 5 Wayside Road,
                 Burlington, MA 01803
                 Phone: +1 781 993 3923
                 Email: man.m.li@nokia.com


                 Avri Doria
                 Nortel Networks
                 600 Technology Park Drive
                 Billerica, MA 01821
                 Phone: +1 401 663 5024
                 Email: avri@nortelnetworks.com


                 Jamie Jason
                 Intel Corporation
                 MS JF3-206
                 2111 NE 25th Ave.
                 Hillsboro, OR 97124
                 Phone: +1 503 264 9531
                 Fax: +1 503 264 9428
                 E-Mail: jamie.jason@intel.com


    DESCRIPTION

       "This PIB module contains a set of policy rule classes that
       describe IPSec policies."

       ::= { tbd }

   ipSecBase OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies the basics of IPSec policy.  "
    ::= { ipSecPolicyPib 1 }

   ipSecSecurityAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies attributes related to IPSec Security
  Associations"
    ::= { ipSecPolicyPib 2 }

   ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies attributes related to IKE Security
  Associations"
    ::= { ipSecPolicyPib 3 }

   ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies attributes related to ESP Transform"
    ::= { ipSecPolicyPib 4 }

   ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies attributes related to AH Transform"
    ::= { ipSecPolicyPib 5 }

   ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies attributes related to IPSecComp Transform"
    ::= { ipSecPolicyPib 6 }

  ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
  "This group specifies the time periods during which a policy rule
  is valid.  "
    ::= { ipSecPolicyPib 7 }


  --
  --
  -- The ipSecSelectorTable
  --


  ipSecSelectorTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSelectorEntry
    POLICY-ACCESS install
    STATUS current
    DESCRIPTION
  "Specifies IPSec address selector table"
    INDEX { ipSecSelectorPrid }
    UNIQUENESS {
      SrcAddressType,
      DstAddressType,
      DstAddrMask,
      SrcAddrMask,
      DestAddrMin,
      DestAddrMax,
      SrcAddrMin,
      SrcAddrMax,
      Protocol,
      SrcPortMin,
      SrcPortMax,
      DstPortMin,
      DstPortMax
      }
    ::= { ipSecBase  1 }

   ipSecSelectorEntry OBJECT-TYPE
    SYNTAX IpSecSelectorEntry
    STATUS current
    DESCRIPTION
  "Specifies an instance of this class"
    ::= { ipSecSelectorTable 1 }

  IpSecSelectorEntry ::= SEQUENCE {
    ipSecSelectorPrid              PolicyInstanceId,
    ipSecSelectorSrcAddressType    INTEGER,
    ipSecSelectorDstAddressType    INTEGER,
    ipSecSelectorDstAddrMask       OCTET STRING,
    ipSecSelectorSrcAddrMask       OCTET STRING,
    ipSecSelectorDestAddrMin       OCTET STRING,
    ipSecSelectorDestAddrMax       OCTET STRING,
    ipSecSelectorSrcAddrMin        OCTET STRING,
    ipSecSelectorSrcAddrMax        OCTET STRING,
    ipSecSelectorProtocol          INTEGER,
    ipSecSelectorSrcPortMin        INTEGER,
    ipSecSelectorSrcPortMax        INTEGER,
    ipSecSelectorDstPortMin        INTEGER,
    ipSecSelectorDstPortMax        INTEGER,
    ipSecSelectorOrder             Unsigned32,
    ipSecSelectorGroupId           Unsigned32
  }


  ipSecSelectorPrid OBJECT-TYPE
    SYNTAX PolicyInstanceId
    STATUS current
    DESCRIPTION
  "An integer index to uniquely identify an instance of this class"
    ::= { ipSecSelectorEntry  1 }

   ipSecSelectorSrcAddressType OBJECT-TYPE
    SYNTAX INTEGER {
      ipV4(1),
      ipV6(2),
      fqdn(3)
      }
    STATUS current
    DESCRIPTION
  "Specifies the source address type. This also controls the length
  of the OCTET STRING for the source address objects.
  A value of IPv4 specifies an IPv4 address and an octet string of
  length 4.
  A value of IPv6 specifies an IPv6 address and an octet string of
  length 16.
  A value of FQDN specifies a fully qualified domain name and an
  octet string of variable length."
    ::= { ipSecSelectorEntry  2 }

   ipSecSelectorDstAddressType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4(1),
       ipV6(2),
       fqdn(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the destination address type. This also controls the
   length of the OCTET STRING for the destination address objects.
   A value of IPv4 specifies an IPv4 address and an octet string of
   length 4.
   A value of IPv6 specifies an IPv6 address and an octet string of
   length 16.
   A value of FQDN specifies a fully qualified domain name and an
   octet string of variable length."
     ::= { ipSecSelectorEntry  3 }

    ipSecSelectorDstAddrMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "A mask for the matching of the destination IP address. A zero
   bit in the mask means that the corresponding bit in the address
   always matches. The type and length of this mask are based on
   ipSecSelectorDstAddressType."
     ::= { ipSecSelectorEntry  4 }

    ipSecSelectorSrcAddrMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "A mask for the matching of the source IP address. A zero bit in
   the mask means that the corresponding bit in the address always
   matches. The type and length of this mask are based on
   ipSecSelectorSrcAddressType."
     ::= { ipSecSelectorEntry  5 }

   ipSecSelectorDestAddrMin OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the destination end point address or fully qualified
   domain name.
    The length of the string is based upon the address type.
    A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
   ipSecSelectorDstAddrMask of all zero means a wild-carded address,
   i.e., all addresses match.
    A value of all zero accompanied by the ipSecSelectorDstAddrMask
   of all one (e.g., IPv4 255.255.255.255) means all addresses
   protected by the gateway. "
     ::= { ipSecSelectorEntry  6 }

    ipSecSelectorDestAddrMax OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "If a range of addresses is being used then this specifies the
   ending destination address. The type of this address must be the
   same as that of ipSecSelectorDestAddrMin.
    If no range is specified or a fully qualified domain name is used
   then this object must be a 0 length octet string."
     ::= { ipSecSelectorEntry  7 }

   ipSecSelectorSrcAddrMin OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "Specifies the source address or fully qualified domain name.
    The length of the string is based upon the address type.
    A value of all zero (e.g., IPv4 0.0.0.0) accompanied by the
   ipSecSelectorSrcAddrMask of all zero means a wild-carded address,
   i.e., all addresses match.
    A value of all zero accompanied by the ipSecSelectorSrcAddrMask
   of all one (e.g., IPv4 255.255.255.255) means all addresses
   protected by the gateway. "
     ::= { ipSecSelectorEntry  8 }

    ipSecSelectorSrcAddrMax OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "If a range of addresses are being used then this specifies the
   ending source address. The type of this address must be the same
   as the ipSecSelectorSrcAddrMin.
    If no range is specified or a fully qualified domain name is used
   then this object must be a 0 length octet string."
     ::= { ipSecSelectorEntry  9 }

    ipSecSelectorProtocol OBJECT-TYPE
     SYNTAX INTEGER (0..255)
     STATUS current
     DESCRIPTION
   "The IP protocol to match against the packet's protocol. A value
   of zero means match all."
     ::= { ipSecSelectorEntry  10 }

    ipSecSelectorSrcPortMin OBJECT-TYPE
     SYNTAX INTEGER (0..65535)
     STATUS current
     DESCRIPTION
   "Specifies the first layer 4 source port number of a range of
   ports."
     ::= { ipSecSelectorEntry  11 }

   ipSecSelectorSrcPortMax OBJECT-TYPE
     SYNTAX INTEGER (0..65535)
     STATUS current
     DESCRIPTION
   "Specifies the last layer 4 source port in the range.  If a range
   of ports is not being used then this object must have a value of
   0. Otherwise, this value should be greater than that specified by
   ipSecSelectorSrcPortMin."
     ::= { ipSecSelectorEntry  12 }

    ipSecSelectorDstPortMin OBJECT-TYPE
     SYNTAX INTEGER (0..65535)
     STATUS current
     DESCRIPTION
   "Specifies the first layer 4 destination port number of a range
   of ports"
     ::= { ipSecSelectorEntry  13 }

    ipSecSelectorDstPortMax OBJECT-TYPE
     SYNTAX INTEGER (0..65535)
     STATUS current
     DESCRIPTION
   "Specifies the last layer 4 destination port in the range. If a
   range of ports is not being used then this object must have a
   value of 0. Otherwise, this value should be greater than that
   specified by ipSecSelectorDstPortMin."
     ::= { ipSecSelectorEntry  14 }

    ipSecSelectorOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order of this selector,
   within the ipSecSelectorTable. A given precedence order is
   positioned before one with a higher-valued precedence order. "
     ::= { ipSecSelectorEntry  15 }

   ipSecSelectorGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the IPSec selector group this selector belongs to.
   Selectors in the same group are provided with the same service."
     ::= { ipSecSelectorEntry  16 }

  --
  --
  -- The ipSecActionTable
  --


   ipSecActionTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecActionEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPSec action. It ties IPSec action with IPSec security
   association and IKE association."
     INDEX { ipSecActionPrid }
     UNIQUENESS {
       Action,
       RemoteGatewayAddressType,
       RemoteGatewayAddress,
       IpSecSecurityAssociationId,
       IPSecIkeActionId
       }
     ::= { ipSecBase  2 }

    ipSecActionEntry OBJECT-TYPE
     SYNTAX IpSecActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecActionTable 1 }

   IpSecActionEntry ::= SEQUENCE {
     ipSecActionPrid                          PolicyInstanceId,
     ipSecActionAction                        INTEGER,
     ipSecActionRemoteGatewayAddressType      INTEGER,
     ipSecActionRemoteGatewayAddress          OCTET STRING,
     ipSecActionIpSecSecurityAssociationId    PolicyReferenceId,
     ipSecActionIPSecIkeActionId              PolicyReferenceId
   }


   ipSecActionPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecActionEntry  1 }

    ipSecActionAction OBJECT-TYPE
     SYNTAX INTEGER {
       byPass(1),
       discard(2),
       transport(3),
       tunnel(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPSec action to be applied to the traffic.
   ByPass(1) means that the packet should pass in clear. Discard (2)
   means that the packet should be denied. Transport (3) means that
   the packet should be protected with a security association in
   transport mode. Tunnel (4) means that the packet should be
   protected with a security association in tunnel mode. If Tunnel
   (4) is specified, ipSecActionRemoteGatewayAddressType and
   ipSecActionRemoteGatewayAddress must also be specified."
     ::= { ipSecActionEntry  2 }

   ipSecActionRemoteGatewayAddressType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4(1),
       ipV6(2),
       fqdn(3)
       }
     STATUS current
     DESCRIPTION
   "When ipSecActionAction specifies Tunnel (4), this attribute
   specifies the remote gateway address type. This also controls the
   length of the OCTET STRING for the
   ipSecActionRemoteGatewayAddress attribute.
   A value of IPv4 specifies an IPv4 address and an octet string of
   length 4.
   A value of IPv6 specifies an IPv6 address and an octet string of
   length 16.
   A value of FQDN specifies a fully qualified domain name and an
   octet string of variable length.
    If ipSecActionAction does NOT specify Tunnel (4), this object
   must be a 0 length integer."
     ::= { ipSecActionEntry  3 }

    ipSecActionRemoteGatewayAddress OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "When ipSecActionAction specifies Tunnel (4), this attribute
   specifies the address of the point where the tunnel terminates on
   the remote gateway. The length of the string is based upon the
   address type specified in ipSecActionRemoteGatewayAddressType.
    If ipSecActionAction does NOT specify Tunnel (4), this attribute
   must be a 0 length octet string."
     ::= { ipSecActionEntry  4 }

   ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPSec association, specified in
   ipSecSecurityAssociationTable, that is associated with this
   action.
   When ipSecActionAction attribute specifies Bypass (1) or Discard
   (2), this attribute must have a value of zero. Otherwise, its
   value must be greater than zero."
     ::= { ipSecActionEntry  5 }

    ipSecActionIPSecIkeActionId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IKE action, specified in
   ipSecIkeActionTable, that is associated with this action.
   When the ipSecActionAction attribute specifies Bypass (1) or
   Discard (2), this attribute must have a value of zero. Otherwise,
   its value must be greater than zero."
     ::= { ipSecActionEntry  6 }

  --
  --
  -- The ipSecRuleTable
  --

   ipSecRuleTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPSec rules. This is the table that ties selectors and
   IPSec actions together."
     INDEX { ipSecRulePrid }
     UNIQUENESS {
       Roles,
       Direction,
       IpSecSelectorGroupId,
       IpSecActionId,
       IPSecRuleTimePeriodGroupId
       }
     ::= { ipSecBase  3 }

    ipSecRuleEntry OBJECT-TYPE
     SYNTAX IpSecRuleEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecRuleTable 1 }

    IpSecRuleEntry ::= SEQUENCE {
     ipSecRulePrid                          PolicyInstanceId,
     ipSecRuleRoles                         RoleCombination,
     ipSecRuleDirection                     INTEGER,
     ipSecRuleIpSecSelectorGroupId          PolicyReferenceId,
     ipSecRuleIpSecActionId                 PolicyReferenceId,
     ipSecRuleIPSecRuleTimePeriodGroupId    PolicyReferenceId
    }


   ipSecRulePrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleEntry  1 }

   ipSecRuleRoles OBJECT-TYPE
     SYNTAX RoleCombination
     STATUS current
     DESCRIPTION
   "Specifies the role combinations of the interface to which this
   IPSec rule should apply."
     ::= { ipSecRuleEntry  2 }

    ipSecRuleDirection OBJECT-TYPE
     SYNTAX INTEGER {
       in(1),
       out(2),
       bi-directional(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the direction of traffic to which this rule should
   apply."
     ::= { ipSecRuleEntry  3 }

    ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "This attribute identifies the IPSec selector group, defined in
   ipSecSelectorTable, that is associated with this rule. This value
   must match an ipSecSelectorGroupId attribute in the
   ipSecSelectorTable. "
     ::= { ipSecRuleEntry  4 }

    ipSecRuleIpSecActionId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "This attribute identifies the IPSec action, defined in
   ipSecActionTable, that is associated with this rule."
     ::= { ipSecRuleEntry  5 }

   ipSecRuleIPSecRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "This attribute identifies an IPSec rule time period group,
   specified in ipSecPolicyTimePeriodGroupTable, that is associated
   with this rule.
    A value of zero indicates that this IPSec rule is always valid
   until being deleted."
     ::= { ipSecRuleEntry  6 }

  --
  --
  -- The ipSecSecurityAssociationTable
  --


   ipSecSecurityAssociationTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecSecurityAssociationEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes associated with IPSec associations"
     INDEX { ipSecSecurityAssociationPrid }
     UNIQUENESS {
       RefreshThresholdSeconds,
       RefreshThresholdKilobytes,
       MinLifetimeSeconds,
       MinLifetimeKilobytes,
       TrafficIdleTime,
       UsePfs,
       UseIkeGroup,
       DhGroup,
       Granularity,
       ProposalGroupId
       }
     ::= { ipSecSecurityAssociation  1 }

   ipSecSecurityAssociationEntry OBJECT-TYPE
     SYNTAX IpSecSecurityAssociationEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecSecurityAssociationTable 1 }

    IpSecSecurityAssociationEntry ::= SEQUENCE {
     ipSecSecurityAssociationPrid                        PolicyInstanceId,
     ipSecSecurityAssociationRefreshThresholdSeconds     INTEGER,
     ipSecSecurityAssociationRefreshThresholdKilobytes   INTEGER,
     ipSecSecurityAssociationMinLifetimeSeconds          Unsigned32,
     ipSecSecurityAssociationMinLifetimeKilobytes        Unsigned32,
     ipSecSecurityAssociationTrafficIdleTime             Unsigned32,
     ipSecSecurityAssociationUsePfs                      TruthValue,
     ipSecSecurityAssociationUseIkeGroup                 TruthValue,
     ipSecSecurityAssociationDhGroup                     Unsigned32,
     ipSecSecurityAssociationGranularity                 INTEGER,
     ipSecSecurityAssociationProposalGroupId             PolicyReferenceId
    }


   ipSecSecurityAssociationPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecSecurityAssociationEntry  1 }

    ipSecSecurityAssociationRefreshThresholdSeconds OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration (in other words, the
   refresh threshold) of an established SA's seconds lifetime at
   which to begin re-negotiation of the SA.
   A value of 100 means that re-negotiation does not occur until the
   seconds lifetime value has expired."
     ::= { ipSecSecurityAssociationEntry  2 }

   ipSecSecurityAssociationRefreshThresholdKilobytes OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration of an established SA's
   kilobyte lifetime at which to begin re-negotiation of the SA.
   A value of 100 means that re-negotiation does not occur until the
   kilobyte lifetime value has expired."
     ::= { ipSecSecurityAssociationEntry  3 }

    ipSecSecurityAssociationMinLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be accepted
   from a peer while negotiating an SA based upon this action.
   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecSecurityAssociationEntry  4 }

    ipSecSecurityAssociationMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a negotiating peer while negotiating an SA based upon this
   action.
   A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecSecurityAssociationEntry  5 }

    ipSecSecurityAssociationTrafficIdleTime OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the amount of time in seconds an SA may remain idle
   (in other words, no traffic protected by the SA) before it is
   deleted.
   A value of zero indicates that there is no idle time detection.
   The expiration of the SA is determined by the expiration of one
   of the lifetime values."
     ::= { ipSecSecurityAssociationEntry  6 }

   ipSecSecurityAssociationUsePfs OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If true, PFS should be used when negotiating the phase two IPSec
   SA."
     ::= { ipSecSecurityAssociationEntry  7 }

    ipSecSecurityAssociationUseIkeGroup OBJECT-TYPE
     SYNTAX TruthValue
     STATUS current
     DESCRIPTION
   "If true, the phase two DH group number should be the same as
   that of phase 1. Otherwise, the group number specified by the
   ipSecSecurityAssociationDhGroup attribute should be used.
   This attribute is ignored if ipSecSecurityAssociationUsePfs is
   false."
     ::= { ipSecSecurityAssociationEntry  8 }

    ipSecSecurityAssociationDhGroup OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "If PFS should be used during IKE phase two and
   ipSecSecurityAssociationUseIkeGroup is false, this attribute
   specifies the Diffie-Hellman group to use.
   This attribute is ignored if ipSecSecurityAssociationUsePfs is
   false."
     ::= { ipSecSecurityAssociationEntry  9 }

   ipSecSecurityAssociationGranularity OBJECT-TYPE
     SYNTAX INTEGER {
       wide(1),
       narrow(2)
       }
     STATUS current
     DESCRIPTION
   "Specifies how this security association may be used.
   A value of 1 (Wide) indicates that this security association may
   be used by all packets that match the same selector that is
   matched by the packet triggering the establishment of this
   association.
   A value of 2  (Narrow) indicates that this security association
   can be used only by packets that have exactly the same selector
   attribute values as that of the packet triggering the
   establishment of this association."
     ::= { ipSecSecurityAssociationEntry  10 }

    ipSecSecurityAssociationProposalGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies the IPSec proposal group, specified
   in ipSecProposalGroupTable, that is associated with this action."
     ::= { ipSecSecurityAssociationEntry  11 }
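The DESCRIPTION clauses of ipSecSecurityAssociationTable as executable checks, an added example that is not part of the draft: the dataclass, function names, sample row and selector rule are constructed here; the semantics (refresh thresholds as a percentage of the negotiated lifetime, zero meaning "not enforced" or "no idle detection", UseIkeGroup and DhGroup ignored unless UsePfs is true, wide versus narrow granularity) follow the attribute descriptions above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Selector = Tuple[str, str, int, int, int]   # (src, dst, proto, sport, dport)


@dataclass
class IpSecSecurityAssociationEntry:
    """One row of ipSecSecurityAssociationTable (attribute names as in the PRC)."""
    prid: int
    refresh_threshold_seconds: int     # INTEGER (1..100): percent of seconds lifetime
    refresh_threshold_kilobytes: int   # INTEGER (1..100): percent of kilobyte lifetime
    min_lifetime_seconds: int          # 0 = no minimum enforced
    min_lifetime_kilobytes: int        # 0 = no minimum enforced
    traffic_idle_time: int             # seconds; 0 = no idle-time detection
    use_pfs: bool
    use_ike_group: bool
    dh_group: int
    granularity: int                   # wide(1) or narrow(2)
    proposal_group_id: int

    def __post_init__(self) -> None:
        # Reject values outside the SYNTAX ranges given in the PRC.
        for pct in (self.refresh_threshold_seconds, self.refresh_threshold_kilobytes):
            if not 1 <= pct <= 100:
                raise ValueError("refresh thresholds are INTEGER (1..100)")
        if self.granularity not in (1, 2):
            raise ValueError("granularity must be wide(1) or narrow(2)")


def renegotiation_points(action, lifetime_seconds, lifetime_kilobytes):
    """Seconds and kilobytes of use at which re-keying of the SA begins.

    A threshold of 100 means no early re-negotiation: re-keying waits for
    the lifetime itself to expire.  None for a lifetime of 0 (no lifetime
    of that kind was negotiated, so there is no percentage to take).
    """
    def point(threshold: int, lifetime: int) -> Optional[int]:
        return None if lifetime == 0 else lifetime * threshold // 100
    return (point(action.refresh_threshold_seconds, lifetime_seconds),
            point(action.refresh_threshold_kilobytes, lifetime_kilobytes))


def peer_lifetime_acceptable(action, offered_seconds, offered_kilobytes):
    """MinLifetime* check on a peer's offer; a minimum of 0 is not enforced."""
    if action.min_lifetime_seconds and offered_seconds < action.min_lifetime_seconds:
        return False
    if action.min_lifetime_kilobytes and offered_kilobytes < action.min_lifetime_kilobytes:
        return False
    return True


def phase2_dh_group(action, phase1_dh_group):
    """DH group for the phase two exchange, or None when PFS is not used.

    UseIkeGroup and DhGroup are ignored when UsePfs is false.
    """
    if not action.use_pfs:
        return None
    return phase1_dh_group if action.use_ike_group else action.dh_group


def sa_idle_expired(action, seconds_since_last_protected_packet):
    """TrafficIdleTime of 0 disables idle detection; only lifetimes expire the SA then."""
    if action.traffic_idle_time == 0:
        return False
    return seconds_since_last_protected_packet >= action.traffic_idle_time


def sa_covers_packet(action, trigger, packet, rule_matches):
    """Granularity: may an SA established for `trigger` protect `packet`?

    wide(1): any packet matching the same policy selector as the trigger.
    narrow(2): only packets whose selector values equal the trigger's exactly.
    """
    if action.granularity == 1:
        return rule_matches(packet)
    return packet == trigger


# Constructed sample row (values are illustrative, not taken from the draft).
SAMPLE_ACTION = IpSecSecurityAssociationEntry(
    prid=1, refresh_threshold_seconds=80, refresh_threshold_kilobytes=100,
    min_lifetime_seconds=600, min_lifetime_kilobytes=0, traffic_idle_time=300,
    use_pfs=True, use_ike_group=False, dh_group=5, granularity=2,
    proposal_group_id=7)


def SAMPLE_RULE(pkt: Selector) -> bool:
    """Constructed policy selector: TCP between two /24 networks."""
    return pkt[0].startswith("10.1.1.") and pkt[1].startswith("10.2.2.") and pkt[2] == 6


if __name__ == "__main__":
    trigger = ("10.1.1.5", "10.2.2.9", 6, 40000, 443)
    other = ("10.1.1.6", "10.2.2.9", 6, 40001, 443)
    print(renegotiation_points(SAMPLE_ACTION, 3600, 100000))            # (2880, 100000)
    print(sa_covers_packet(SAMPLE_ACTION, trigger, other, SAMPLE_RULE))  # False (narrow)
```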

   --
   --
   -- The ipSecProposalGroupTable
   --

   ipSecProposalGroupTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalGroupEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IPSec proposal groups. Proposals within a group are
   ORed with preference order."
     INDEX { ipSecProposalGroupPrid }
     UNIQUENESS {
       ProposalGroupId,
       ProposalId
       }
     ::= { ipSecSecurityAssociation  2 }

    ipSecProposalGroupEntry OBJECT-TYPE
     SYNTAX IpSecProposalGroupEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecProposalGroupTable 1 }

    IpSecProposalGroupEntry ::= SEQUENCE {
    ipSecProposalGroupPrid
                               PolicyInstanceId,
    ipSecProposalGroupProposalGroupId
                                            Unsigned32,
    ipSecProposalGroupProposalId
                                     PolicyReferenceId,
    ipSecProposalGroupOrder
                                 Unsigned32
   }


   ipSecProposalGroupPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecProposalGroupEntry  1 }

    ipSecProposalGroupProposalGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies an IPSec proposal group"
     ::= { ipSecProposalGroupEntry  2 }

   ipSecProposalGroupProposalId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPSec Proposal, specified by
   ipSecProposalTable, that is included in this group."
     ::= { ipSecProposalGroupEntry  3 }

    ipSecProposalGroupOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order, within the
   ProposalGroup, of the proposal identified by
   ipSecProposalGroupProposalId. Proposals within a group are ORed
   with preference order. A given precedence order is positioned
   before one with a higher-valued precedence order."
     ::= { ipSecProposalGroupEntry  4 }


   --
   --
   -- The ipSecProposalTable
   --

   ipSecProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecProposalEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an IPSec proposal. It has references to ESP, AH and
   IPComp Transform groups. Within a proposal, different types of
   transforms are ANDed. Within one type of transforms, the choices
   are ORed with preference order."
     INDEX { ipSecProposalPrid }
     UNIQUENESS {
       LifetimeKilobytes,
       LifetimeSeconds,
       EspTransformGroupId,
       AhTransformGroupId,
       CompTransformGroupId
       }
     ::= { ipSecSecurityAssociation  3 }

   ipSecProposalEntry OBJECT-TYPE
     SYNTAX IpSecProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecProposalTable 1 }

    IpSecProposalEntry ::= SEQUENCE {
    ipSecProposalPrid
                           PolicyInstanceId,
    ipSecProposalLifetimeKilobytes
                                       Unsigned32,
    ipSecProposalLifetimeSeconds
                                      Unsigned32,
    ipSecProposalEspTransformGroupId
                                          PolicyReferenceId,
    ipSecProposalAhTransformGroupId
                                          PolicyReferenceId,
    ipSecProposalCompTransformGroupId
                                           PolicyReferenceId
   }


   ipSecProposalPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecProposalEntry  1 }

    ipSecProposalLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the kilobyte lifetime for this particular proposal.
   A value of zero indicates that there is no kilobyte lifetime."
     ::= { ipSecProposalEntry  2 }

    ipSecProposalLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the seconds lifetime for this particular proposal.
   A value of zero indicates that the lifetime value defaults to 8
   hours."
     ::= { ipSecProposalEntry  3 }

   ipSecProposalEspTransformGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies the ESP transform group, specified in
   ipSecEspTransformGroupTable, that is associated with this
   proposal."
     ::= { ipSecProposalEntry  4 }

    ipSecProposalAhTransformGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies the AH transform group, specified in
   ipSecAhTransformGroupTable, that is associated with this
   proposal."
     ::= { ipSecProposalEntry  5 }

    ipSecProposalCompTransformGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies the IPComp transform group, specified
   in ipSecCompTransformGroupTable, that is associated with this
   proposal."
     ::= { ipSecProposalEntry  6 }
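The ORed and ANDed semantics of proposal groups, proposals and transform groups, as an added example (not code from the draft): tables are modelled as dicts keyed by the PRC attribute names with the class prefix dropped, all rows are constructed, the convention that a transform group reference of 0 means "none" is an assumption the draft does not state, and the name ipSecCompTransformTable is assumed by analogy with the ESP and AH tables.

```python
DEFAULT_LIFETIME_SECONDS = 8 * 3600   # draft: LifetimeSeconds of 0 defaults to 8 hours
NO_GROUP = 0                          # assumed: a PolicyReferenceId of 0 means "no group"

# (proposal attribute, *GroupTable, *Table) per protocol.  The IPComp transform
# table name is assumed by analogy; that table lies outside this part of the draft.
TRANSFORM_KINDS = (
    ("EspTransformGroupId", "ipSecEspTransformGroupTable", "ipSecEspTransformTable"),
    ("AhTransformGroupId", "ipSecAhTransformGroupTable", "ipSecAhTransformTable"),
    ("CompTransformGroupId", "ipSecCompTransformGroupTable", "ipSecCompTransformTable"),
)


def ordered_members(rows, group_key, group_id, member_key):
    """Members of one group in a *GroupTable, lowest Order first (ORed choices)."""
    members = [r for r in rows if r[group_key] == group_id]
    if not members:
        raise LookupError(f"{group_key} {group_id} has no rows")   # dangling reference
    return [r[member_key] for r in sorted(members, key=lambda r: r["Order"])]


def expand_proposal_group(pib, proposal_group_id):
    """Offers of one proposal group, in preference order.

    Each offer is one proposal: its lifetimes plus, for every protocol it
    uses, the ordered transform ids.  Transforms of one protocol are ORed;
    the protocols inside one proposal are ANDed (all must be agreed).
    """
    offers = []
    for pid in ordered_members(pib["ipSecProposalGroupTable"], "ProposalGroupId",
                               proposal_group_id, "ProposalId"):
        proposal = pib["ipSecProposalTable"][pid]      # KeyError = dangling ProposalId
        offer = {
            "ProposalId": pid,
            "LifetimeSeconds": proposal["LifetimeSeconds"] or DEFAULT_LIFETIME_SECONDS,
            "LifetimeKilobytes": proposal["LifetimeKilobytes"],   # 0 = no kilobyte lifetime
        }
        for attr, group_table, transform_table in TRANSFORM_KINDS:
            gid = proposal[attr]
            if gid == NO_GROUP:
                continue
            tids = ordered_members(pib[group_table], "TransformGroupId", gid, "TransformId")
            missing = [t for t in tids if t not in pib[transform_table]]
            if missing:
                raise LookupError(f"{transform_table} lacks TransformId {missing}")
            offer[attr.replace("GroupId", "Ids")] = tids       # e.g. "EspTransformIds"
        offers.append(offer)
    return offers


# Constructed sample PIB contents (not from the draft).  Order values are
# deliberately out of row order to show that Order, not position, decides.
SAMPLE_PIB = {
    "ipSecProposalGroupTable": [
        {"ProposalGroupId": 7, "ProposalId": 2, "Order": 20},
        {"ProposalGroupId": 7, "ProposalId": 1, "Order": 10},
    ],
    "ipSecProposalTable": {
        1: {"LifetimeSeconds": 0, "LifetimeKilobytes": 0,          # ESP only
            "EspTransformGroupId": 10, "AhTransformGroupId": NO_GROUP,
            "CompTransformGroupId": NO_GROUP},
        2: {"LifetimeSeconds": 3600, "LifetimeKilobytes": 500000,  # ESP and AH and IPComp
            "EspTransformGroupId": 10, "AhTransformGroupId": 20,
            "CompTransformGroupId": 30},
    },
    "ipSecEspTransformGroupTable": [
        {"TransformGroupId": 10, "TransformId": 101, "Order": 2},
        {"TransformGroupId": 10, "TransformId": 100, "Order": 1},
    ],
    "ipSecAhTransformGroupTable": [
        {"TransformGroupId": 20, "TransformId": 200, "Order": 1},
    ],
    "ipSecCompTransformGroupTable": [
        {"TransformGroupId": 30, "TransformId": 300, "Order": 1},
    ],
    # Transform rows use the draft's enumerations: tripleDES(3)+hmacSha(2) and
    # des(2)+hmacMd5(1) for ESP; sha-1(3) for AH.
    "ipSecEspTransformTable": {
        100: {"CipherTransformId": 3, "IntegrityTransformId": 2, "CipherKeyLength": 192},
        101: {"CipherTransformId": 2, "IntegrityTransformId": 1, "CipherKeyLength": 56},
    },
    "ipSecAhTransformTable": {200: {"TransformId": 3}},
    "ipSecCompTransformTable": {300: {}},
}

if __name__ == "__main__":
    for offer in expand_proposal_group(SAMPLE_PIB, 7):
        print(offer)
```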

   --
   --
   -- The ipSecIkeActionTable
   --

   ipSecIkeActionTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeActionEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes related to IKE action"
     INDEX { ipSecIkeActionPrid }
     UNIQUENESS {
       RefreshThresholdSeconds,
       RefreshThresholdKilobytes,
       MinLiftetimeSeconds,
       MinLifetimeKilobytes,
       TrafficIdleTime,
       ExchangeMode,
       RefreshThresholdDerivedKeys,
       UseIkeIdentityType,
       IKEProposalGroupId
       }
     ::= { ipSecIkeAssociation  1 }

    ipSecIkeActionEntry OBJECT-TYPE
     SYNTAX IpSecIkeActionEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecIkeActionTable 1 }

    IpSecIkeActionEntry ::= SEQUENCE {
    ipSecIkeActionPrid
                            PolicyInstanceId,
    ipSecIkeActionRefreshThresholdSeconds
                                                 INTEGER,
    ipSecIkeActionRefreshThresholdKilobytes
                                                  INTEGER,
    ipSecIkeActionMinLiftetimeSeconds
                                           Unsigned32,
    ipSecIkeActionMinLifetimeKilobytes
                                            Unsigned32,
    ipSecIkeActionTrafficIdleTime
                                        Unsigned32,
    ipSecIkeActionExchangeMode
                                    INTEGER,
    ipSecIkeActionRefreshThresholdDerivedKeys
                                                    INTEGER,
    ipSecIkeActionUseIkeIdentityType
                                           INTEGER,
    ipSecIkeActionIKEProposalGroupId
                                           PolicyReferenceId
   }

   ipSecIkeActionPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeActionEntry  1 }

    ipSecIkeActionRefreshThresholdSeconds OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration (in other words, the
   refresh threshold) of an established SA's seconds lifetime at
   which to begin re-negotiation of the SA.
   A value of 100 means that re-negotiation does not occur until the
   seconds lifetime value has expired."
     ::= { ipSecIkeActionEntry  2 }

    ipSecIkeActionRefreshThresholdKilobytes OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration of an established SA's
   kilobyte lifetime at which to begin re-negotiation of the SA.
   A value of 100 means that re-negotiation does not occur until the
   kilobyte lifetime value has expired."
     ::= { ipSecIkeActionEntry  3 }

    ipSecIkeActionMinLiftetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum SA seconds lifetime that will be
   accepted from a peer while negotiating an SA based upon this
   action.
    A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecIkeActionEntry  4 }

   ipSecIkeActionMinLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the minimum kilobyte lifetime that will be accepted
   from a negotiating peer while negotiating an SA based upon this
   action.
    A value of zero indicates that there is no minimum lifetime
   enforced."
     ::= { ipSecIkeActionEntry  5 }

    ipSecIkeActionTrafficIdleTime OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the amount of time in seconds an SA may remain idle
   (in other words, no traffic protected by the SA) before it is
   deleted.
   A value of zero indicates that there is no idle time detection.
   The expiration of the SA is determined by the expiration of one
   of the lifetime values."
     ::= { ipSecIkeActionEntry  6 }

   ipSecIkeActionExchangeMode OBJECT-TYPE
     SYNTAX INTEGER {
       baseMode(1),
       mainMode(2),
       aggressiveMode(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the negotiation mode that the IKE server will use for
   phase one."
     ::= { ipSecIkeActionEntry  7 }

    ipSecIkeActionRefreshThresholdDerivedKeys OBJECT-TYPE
     SYNTAX INTEGER (1..100)
     STATUS current
     DESCRIPTION
   "Specifies the percentage of expiration of an established IKE
   SA's derived keys lifetime at which to begin re-negotiation of
   the SA.
   A value of 100 means that re-negotiation does not occur until the
   derived key lifetime value has expired."
     ::= { ipSecIkeActionEntry  8 }

    ipSecIkeActionUseIkeIdentityType OBJECT-TYPE
     SYNTAX INTEGER {
       ipV4-Address(1),
       fqdn(2),
       user-Fqdn(3),
       ipV4-Subnet(4),
       ipV6-Address(5),
       ipV6-Subnet(6),
       ipV4-Address-Range(7),
       ipV6-Address-Range(8),
       der-Asn1-DN(9),
       der-Asn1-GN(10),
       key-Id(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IKE identity to use during negotiation."
     ::= { ipSecIkeActionEntry  9 }

   ipSecIkeActionIKEProposalGroupId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies the IKE proposal group, specified in
   ipSecIkeProposalGroupTable, that is associated with this action."
     ::= { ipSecIkeActionEntry  10 }

   --
   --
   -- The ipSecIkeProposalGroupTable
   --


   ipSecIkeProposalGroupTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalGroupEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies IKE proposal groups. Proposals within a group are ORed
   with preference order."
     INDEX { ipSecIkeProposalGroupPrid }
     UNIQUENESS {
       ProposalGroupId,
       ProposalId
       }
     ::= { ipSecIkeAssociation  2 }

    ipSecIkeProposalGroupEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalGroupEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecIkeProposalGroupTable 1 }

    IpSecIkeProposalGroupEntry ::= SEQUENCE {
    ipSecIkeProposalGroupPrid
                                  PolicyInstanceId,
    ipSecIkeProposalGroupProposalGroupId
                                               Unsigned32,
    ipSecIkeProposalGroupProposalId
                                         PolicyReferenceId,
    ipSecIkeProposalGroupOrder
                                  Unsigned32
   }

   ipSecIkeProposalGroupPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeProposalGroupEntry  1 }

    ipSecIkeProposalGroupProposalGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that uniquely identifies an IKE proposal group."
     ::= { ipSecIkeProposalGroupEntry  2 }

    ipSecIkeProposalGroupProposalId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IKE proposal, specified by the
   ipSecIkeProposalTable, that is included in this group."
     ::= { ipSecIkeProposalGroupEntry  3 }

    ipSecIkeProposalGroupOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order, within the
   ProposalGroup, of the proposal identified by
   ipSecIkeProposalGroupProposalId. Proposals within a group are
   ORed with preference order. A given precedence order is
   positioned before one with a higher-valued precedence order."
     ::= { ipSecIkeProposalGroupEntry  4 }

   --
   --
   -- The ipSecIkeProposalTable
   --

   ipSecIkeProposalTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecIkeProposalEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies attributes associated with an IKE proposal."
     INDEX { ipSecIkeProposalPrid }
     UNIQUENESS {
       LifetimeSeconds,
       LifetimeKilobytes,
       CipherAlgorithm,
       HashAlgorithm,
       AuthenticationMethod,
       LifetimeDerivedKeys,
       PrfAlgorithm,
       IkeDhGroup
       }
     ::= { ipSecIkeAssociation  3 }

    ipSecIkeProposalEntry OBJECT-TYPE
     SYNTAX IpSecIkeProposalEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecIkeProposalTable 1 }

    IpSecIkeProposalEntry ::= SEQUENCE {
    ipSecIkeProposalPrid
                              PolicyInstanceId,
    ipSecIkeProposalLifetimeSeconds
                                          Unsigned32,
    ipSecIkeProposalLifetimeKilobytes
                                           Unsigned32,
    ipSecIkeProposalCipherAlgorithm
                                          INTEGER,
    ipSecIkeProposalHashAlgorithm
                                      INTEGER,
    ipSecIkeProposalAuthenticationMethod
                                              INTEGER,
    ipSecIkeProposalLifetimeDerivedKeys
                                             Unsigned32,
    ipSecIkeProposalPrfAlgorithm
                                      Unsigned32,
    ipSecIkeProposalIkeDhGroup
                                   Unsigned32
   }

   ipSecIkeProposalPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecIkeProposalEntry  1 }

    ipSecIkeProposalLifetimeSeconds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the seconds lifetime for this particular proposal.
   A value of zero indicates that the lifetime value defaults to 8
   hours."
     ::= { ipSecIkeProposalEntry  2 }

    ipSecIkeProposalLifetimeKilobytes OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the kilobyte lifetime for this particular proposal.
   A value of zero indicates that there is no kilobyte lifetime."
     ::= { ipSecIkeProposalEntry  3 }

    ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       des-CBC(1),
       idea-CBC(2),
       blowfish-CBC(3),
       rc5-R16-B64-CBC(4),
       tripleDes-CBC(5),
       cast-CBC(6)
       }
     STATUS current
     DESCRIPTION
   "Specifies the encryption algorithm to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  4 }

   ipSecIkeProposalHashAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       md5(1),
       sha-1(2),
       tiger(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the hash algorithm to propose for the IKE association."
     ::= { ipSecIkeProposalEntry  5 }

    ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
     SYNTAX INTEGER {
       presharedKey(1),
       dssSignatures(2),
       rsaSignatures(3),
       rsaEncryption(4),
       revisedRsaEncryption(5),
       kerberos(6)
       }
     STATUS current
     DESCRIPTION
   "Specifies the authentication method to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  6 }

    ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the number of times the IKE phase one key may be used
   to derive an IKE phase two key. A value of zero indicates that
   the number of times an IKE phase one key may be used to derive an
   IKE phase two key is limited by the seconds and/or kilobyte
   lifetimes."
     ::= { ipSecIkeProposalEntry  7 }

   ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the Pseudo-Random Function (PRF) to propose for the
   IKE association."
     ::= { ipSecIkeProposalEntry  8 }

    ipSecIkeProposalIkeDhGroup OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the Diffie-Hellman group to propose for the IKE
   association."
     ::= { ipSecIkeProposalEntry  9 }

   --
   --
   -- The ipSecEspTransformGroupTable
   --


   ipSecEspTransformGroupTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformGroupEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an ESP transform group. Within a transform group, the
   choices are ORed with preference order."
     INDEX { ipSecEspTransformGroupPrid }
     UNIQUENESS {
       TransformGroupId,
       TransformId
       }
     ::= { ipSecEspTransform  1 }

    ipSecEspTransformGroupEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformGroupEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecEspTransformGroupTable 1 }

   IpSecEspTransformGroupEntry ::= SEQUENCE {
    ipSecEspTransformGroupPrid
                                  PolicyInstanceId,
    ipSecEspTransformGroupTransformGroupId
                                                Unsigned32,
    ipSecEspTransformGroupTransformId
                                        PolicyReferenceId,
    ipSecEspTransformGroupOrder
                                  Unsigned32
   }


   ipSecEspTransformGroupPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecEspTransformGroupEntry  1 }

    ipSecEspTransformGroupTransformGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that identifies a group of ESP transforms"
     ::= { ipSecEspTransformGroupEntry  2 }

    ipSecEspTransformGroupTransformId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an ESP transform, specified by
   ipSecEspTransformTable, that is included in this group."
     ::= { ipSecEspTransformGroupEntry  3 }

    ipSecEspTransformGroupOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order, within the
   ipSecEspTransformGroup, of the transform identified by
   ipSecEspTransformGroupTransformId. Transforms within a group
   are ORed with preference order. A given precedence order is
   positioned before one with a higher-valued precedence order."
     ::= { ipSecEspTransformGroupEntry  4 }

   --
   --
   -- The ipSecEspTransformTable
   --


   ipSecEspTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecEspTransformEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an ESP transform."
     INDEX { ipSecEspTransformPrid }
     UNIQUENESS {
       IntegrityTransformId,
       CipherTransformId,
       CipherKeyRounds,
       CipherKeyLength
       }
     ::= { ipSecEspTransform  2 }

    ipSecEspTransformEntry OBJECT-TYPE
     SYNTAX IpSecEspTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecEspTransformTable 1 }

    IpSecEspTransformEntry ::= SEQUENCE {
    ipSecEspTransformPrid
                               PolicyInstanceId,
    ipSecEspTransformIntegrityTransformId
                                               INTEGER,
    ipSecEspTransformCipherTransformId
                                            INTEGER,
    ipSecEspTransformCipherKeyRounds
                                           Unsigned32,
    ipSecEspTransformCipherKeyLength
                                           Unsigned32
   }


   ipSecEspTransformPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecEspTransformEntry  1 }

   ipSecEspTransformIntegrityTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       none(0),
       hmacMd5(1),
       hmacSha(2),
       desMac(3),
       kpdk(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the ESP integrity algorithm to propose."
     ::= { ipSecEspTransformEntry  2 }

    ipSecEspTransformCipherTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       desIV64(1),
       des(2),
       tripleDES(3),
       rc5(4),
       idea(5),
       cast(6),
       blowfish(7),
       tripleIDEA(8),
       desIV32(9),
       rc4(10),
       null(11)
       }
     STATUS current
     DESCRIPTION
   "Specifies the ESP cipher/encryption algorithm to propose."
     ::= { ipSecEspTransformEntry  3 }

    ipSecEspTransformCipherKeyRounds OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the number of key rounds for the ESP cipher
   algorithm specified by the attribute
   ipSecEspTransformCipherTransformId."
     ::= { ipSecEspTransformEntry  4 }

   ipSecEspTransformCipherKeyLength OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the length of the ESP cipher key in bits."
     ::= { ipSecEspTransformEntry  5 }

   --
   --
   -- The ipSecAhTransformGroupTable
   --


   ipSecAhTransformGroupTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformGroupEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an AH transform group. Within a transform group, the
   choices are ORed with preference order."
     INDEX { ipSecAhTransformGroupPrid }
     UNIQUENESS {
       TransformGroupId,
       TransformId
       }
     ::= { ipSecAhTransform  1 }

    ipSecAhTransformGroupEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformGroupEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecAhTransformGroupTable 1 }

    IpSecAhTransformGroupEntry ::= SEQUENCE {
    ipSecAhTransformGroupPrid
                                PolicyInstanceId,
    ipSecAhTransformGroupTransformGroupId
                                               Unsigned32,
    ipSecAhTransformGroupTransformId
                                         PolicyReferenceId,
    ipSecAhTransformGroupOrder
                                 Unsigned32
   }

   ipSecAhTransformGroupPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecAhTransformGroupEntry  1 }

    ipSecAhTransformGroupTransformGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that identifies an AH transform group."
     ::= { ipSecAhTransformGroupEntry  2 }

    ipSecAhTransformGroupTransformId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an AH transform, as specified in
   ipSecAhTransformTable, that is included in this group."
     ::= { ipSecAhTransformGroupEntry  3 }

   ipSecAhTransformGroupOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order, within the
   ipSecAhTransformGroup, of the transform identified by
   ipSecAhTransformGroupTransformId. Transforms within a group are
   ORed with preference order: a transform with a lower Order value is
   proposed before one with a higher Order value."
     ::= { ipSecAhTransformGroupEntry  4 }

   --
   --
   -- The ipSecAhTransformTable
   --

   ipSecAhTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecAhTransformEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an AH transform"
     INDEX { ipSecAhTransformPrid }
     UNIQUENESS {
       TransformId
       }
     ::= { ipSecAhTransform  2 }

    ipSecAhTransformEntry OBJECT-TYPE
     SYNTAX IpSecAhTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecAhTransformTable 1 }

    IpSecAhTransformEntry ::= SEQUENCE {
    ipSecAhTransformPrid
                           PolicyInstanceId,
    ipSecAhTransformTransformId
                                     INTEGER
   }


   ipSecAhTransformPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecAhTransformEntry  1 }

   ipSecAhTransformTransformId OBJECT-TYPE
     SYNTAX INTEGER {
       md5(2),
       sha-1(3),
       des(4)
       }
     STATUS current
     DESCRIPTION
   "Specifies the AH authentication transform to propose. The
   enumerated values are the IPSEC AH Transform Identifiers of [DOI]:
   AH_MD5 (2), AH_SHA (3) and AH_DES (4)."
     ::= { ipSecAhTransformEntry  2 }

   --
   --
   -- The ipSecCompTransformGroupTable
   --


   ipSecCompTransformGroupTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformGroupEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an IPComp transform group. Within a transform group,
   the choices are ORed with preference order."
     INDEX { ipSecCompTransformGroupPrid }
     UNIQUENESS {
       TransformGroupId,
       TransformId
       }
     ::= { ipSecCompTransform  1 }

    ipSecCompTransformGroupEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformGroupEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecCompTransformGroupTable 1 }

    IpSecCompTransformGroupEntry ::= SEQUENCE {
    ipSecCompTransformGroupPrid
                                  PolicyInstanceId,
    ipSecCompTransformGroupTransformGroupId
                                                 Unsigned32,
    ipSecCompTransformGroupTransformId
                                           PolicyReferenceId,
    ipSecCompTransformGroupOrder
                                   Unsigned32
   }


   ipSecCompTransformGroupPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecCompTransformGroupEntry  1 }

   ipSecCompTransformGroupTransformGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPComp transform group"
     ::= { ipSecCompTransformGroupEntry  2 }

    ipSecCompTransformGroupTransformId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an IPComp Transform, specified by
   ipSecCompTransformTable, that is included in this group."
     ::= { ipSecCompTransformGroupEntry  3 }

   ipSecCompTransformGroupOrder OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that specifies the precedence order, within the
   ipSecCompTransformGroup, of the transform identified by
   ipSecCompTransformGroupTransformId. Transforms within a group are
   ORed with preference order: a transform with a lower Order value is
   proposed before one with a higher Order value."
     ::= { ipSecCompTransformGroupEntry  4 }

   --
   --
   -- The ipSecCompTransformTable
   --

   ipSecCompTransformTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecCompTransformEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies an IPComp transform."
     INDEX { ipSecCompTransformPrid }
     UNIQUENESS {
       Algorithm,
       DictionarySize,
       PrivateAlgorithm
       }
     ::= { ipSecCompTransform  2 }

    ipSecCompTransformEntry OBJECT-TYPE
     SYNTAX IpSecCompTransformEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecCompTransformTable 1 }

    IpSecCompTransformEntry ::= SEQUENCE {
    ipSecCompTransformPrid
                               PolicyInstanceId,
    ipSecCompTransformAlgorithm
                                   INTEGER,
    ipSecCompTransformDictionarySize
                                          Unsigned32,
    ipSecCompTransformPrivateAlgorithm
                                            Unsigned32
   }


   ipSecCompTransformPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecCompTransformEntry  1 }

   ipSecCompTransformAlgorithm OBJECT-TYPE
     SYNTAX INTEGER {
       oui(1),
       deflate(2),
       lzs(3)
       }
     STATUS current
     DESCRIPTION
   "Specifies the IPComp compression algorithm to propose. The
   enumerated values are the IPCOMP Transform Identifiers of [DOI]:
   IPCOMP_OUI (1), IPCOMP_DEFLATE (2) and IPCOMP_LZS (3). The value
   oui(1) denotes a vendor-specific algorithm, which is identified by
   ipSecCompTransformPrivateAlgorithm."
     ::= { ipSecCompTransformEntry  2 }

   ipSecCompTransformDictionarySize OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the base-2 logarithm of the maximum size of the
   compression dictionary."
     ::= { ipSecCompTransformEntry  3 }

   ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "Specifies the vendor-specific compression algorithm to use; it is
   meaningful when ipSecCompTransformAlgorithm is oui(1)."
     ::= { ipSecCompTransformEntry  4 }
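   The two transform-group tables above, ipSecAhTransformGroupTable and
   ipSecCompTransformGroupTable, share one shape: a group row names a
   group, points at one row of the matching transform table through a
   PolicyReferenceId, and carries an Order that ranks it against the
   other members. The following Python is an added example, not part
   of this draft or of any implementation of it, showing how a PEP
   could turn such rows into the ordered proposal list it hands to IKE
   while enforcing the tables' UNIQUENESS clauses and refusing groups
   with dangling references or tied Order values. Rows are dicts keyed
   by the attribute name without its table prefix (an assumed
   encoding), and the sample rows are constructed for the example.

```python
# Added example, not part of the draft: resolve an AH or IPComp transform group
# into the ordered list of transforms a PEP would propose. Rows are dicts keyed
# by the PIB attribute name without its table prefix (assumed encoding), e.g.
# ipSecAhTransformGroupOrder -> "Order".

# Enumerations of ipSecAhTransformTransformId and ipSecCompTransformAlgorithm.
AH_TRANSFORM_NAMES = {2: "md5", 3: "sha-1", 4: "des"}
IPCOMP_ALGORITHM_NAMES = {1: "oui", 2: "deflate", 3: "lzs"}


class PibError(ValueError):
    """Raised when installed rows violate the PIB's own constraints."""


def check_uniqueness(rows, attrs):
    """Enforce a UNIQUENESS clause: no two rows may carry the same tuple of attrs."""
    seen = {}
    for row in rows:
        key = tuple(row[a] for a in attrs)
        if key in seen:
            raise PibError("rows %d and %d share %s=%r" % (seen[key], row["Prid"], attrs, key))
        seen[key] = row["Prid"]


def resolve_group(group_rows, transform_rows, transform_unique, group_id):
    """Return the transform rows of one group, most preferred first.

    group_rows       instances of ipSec{Ah,Comp}TransformGroupTable
    transform_rows   instances of the matching ipSec{Ah,Comp}TransformTable
    transform_unique the transform table's UNIQUENESS attributes
    Within a group the transforms are ORed with preference order: the member
    with the lowest Order value is proposed first.
    """
    check_uniqueness(group_rows, ("TransformGroupId", "TransformId"))
    check_uniqueness(transform_rows, transform_unique)
    by_prid = {t["Prid"]: t for t in transform_rows}
    members = sorted((g for g in group_rows if g["TransformGroupId"] == group_id),
                     key=lambda g: g["Order"])
    if not members:
        raise PibError("transform group %d has no members" % group_id)
    orders = [g["Order"] for g in members]
    if len(set(orders)) != len(orders):
        raise PibError("group %d has ties in Order: %r" % (group_id, orders))
    resolved = []
    for g in members:
        # TransformId is a PolicyReferenceId; a dangling reference means the PDP
        # installed an incoherent policy and the group must not be used.
        ref = g["TransformId"]
        if ref not in by_prid:
            raise PibError("group %d references missing transform prid %d" % (group_id, ref))
        resolved.append(by_prid[ref])
    return resolved


def install_ok(group_rows, transform_rows, transform_unique, group_id):
    """What a PEP's install-time check reduces to: True if the group resolves."""
    try:
        resolve_group(group_rows, transform_rows, transform_unique, group_id)
        return True
    except PibError:
        return False


# Constructed sample rows (not from the draft).
AH_UNIQUE = ("TransformId",)
IPCOMP_UNIQUE = ("Algorithm", "DictionarySize", "PrivateAlgorithm")
AH_TRANSFORMS = [
    {"Prid": 1, "TransformId": 3},  # sha-1
    {"Prid": 2, "TransformId": 2},  # md5
]
AH_GROUP = [
    {"Prid": 10, "TransformGroupId": 7, "TransformId": 2, "Order": 20},  # md5, second choice
    {"Prid": 11, "TransformGroupId": 7, "TransformId": 1, "Order": 10},  # sha-1, first choice
]
IPCOMP_TRANSFORMS = [
    {"Prid": 1, "Algorithm": 2, "DictionarySize": 15, "PrivateAlgorithm": 0},  # deflate
    {"Prid": 2, "Algorithm": 3, "DictionarySize": 11, "PrivateAlgorithm": 0},  # lzs
]
IPCOMP_GROUP = [
    {"Prid": 20, "TransformGroupId": 1, "TransformId": 2, "Order": 2},
    {"Prid": 21, "TransformGroupId": 1, "TransformId": 1, "Order": 1},
]


def ah_proposal(group_id=7):
    """Names of the AH transforms proposed for a group, most preferred first."""
    rows = resolve_group(AH_GROUP, AH_TRANSFORMS, AH_UNIQUE, group_id)
    return [AH_TRANSFORM_NAMES[r["TransformId"]] for r in rows]


def ipcomp_proposal(group_id=1):
    """Names of the IPComp algorithms proposed for a group, most preferred first."""
    rows = resolve_group(IPCOMP_GROUP, IPCOMP_TRANSFORMS, IPCOMP_UNIQUE, group_id)
    return [IPCOMP_ALGORITHM_NAMES[r["Algorithm"]] for r in rows]


if __name__ == "__main__":
    print(ah_proposal())      # ['sha-1', 'md5']
    print(ipcomp_proposal())  # ['deflate', 'lzs']
```

   The members come out ranked by Order, not by the order in which
   the PDP installed them, which is why the sha-1 row (Order 10) is
   proposed before the md5 row (Order 20) although it was installed
   second.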

   --
   --
   -- The ipSecRuleTimePeriodTable
   --

   ipSecRuleTimePeriodTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies the time periods during which a policy rule is valid.
   The values of the second through sixth attributes of a row are
   ANDed together to determine the validity period(s). If any of
   these five attributes is not present, it is treated as always
   enabled."
     INDEX { ipSecRuleTimePeriodPrid }
     UNIQUENESS {
       TimePeriod,
       MonthOfYearMask,
       DayOfMonthMask,
       DayOfWeekMask,
       TimeOfDayMask,
       LocalOrUtcTime
       }
     ::= { ipSecPolicyTimePeriod  1 }

    ipSecRuleTimePeriodEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecRuleTimePeriodTable 1 }

    IpSecRuleTimePeriodEntry ::= SEQUENCE {
    ipSecRuleTimePeriodPrid
                                 PolicyInstanceId,
     ipSecRuleTimePeriodTimePeriod OCTET STRING,
     ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
     ipSecRuleTimePeriodDayOfMonthMask OCTET STRING,
     ipSecRuleTimePeriodDayOfWeekMask OCTET STRING,
     ipSecRuleTimePeriodTimeOfDayMask OCTET STRING,
    ipSecRuleTimePeriodLocalOrUtcTime
                                           INTEGER
   }


   ipSecRuleTimePeriodPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodEntry  1 }

   ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that identifies an overall range of calendar
   dates and times over which a policy rule is valid.  It reuses the
   format for an explicit time period defined in RFC 2445
   [ICALENDAR]: a string representing a starting date and time, in
   which the character 'T' indicates the beginning of the time
   portion, followed by the character '/', followed by a similar
   string representing an end date and time.  The first date
   indicates the beginning of the range, while the second date
   indicates the end.  Thus, the second date and time must be later
   than the first.  Date/times are expressed as sub-strings of the
   form yyyymmddThhmmss.
    There are also two special cases:
    -  If the first date/time is replaced with the string
   THISANDPRIOR, then the property indicates that a policy rule is
   valid [from now] until the date/time that appears after the '/'.
    - If the second date/time is replaced with the string
   THISANDFUTURE, then the property indicates that a policy rule
   becomes valid on the date/time that appears before the '/', and
   remains valid from that point on.
   "
     ::= { ipSecRuleTimePeriodEntry  2 }

   ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which months the policy is valid
   for.  The octet string is structured as follows:
    - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000006 for this
   property;
    - a 2-octet field consisting of 12 bits identifying the 12 months
   of the year, beginning with January and ending with December,
   followed by 4 bits that are always set to '0'.  For each month,
   the value '1' indicates that the policy is valid for that month,
   and the value '0' indicates that it is not valid.
     If this property is omitted, then the policy rule is treated as
   valid for all twelve months."
     ::= { ipSecRuleTimePeriodEntry  3 }

    ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which days of the month the
   policy is valid for. The octet string is structured as follows:
    -a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x0000000C for this
   property;
    -an 8-octet field consisting of 31 bits identifying the days of
   the month counting from the beginning, followed by 31 more bits
   identifying the days of the month counting from the end, followed
   by 2 bits that are always set to '0'.  For each day, the value
   '1' indicates that the policy is valid for that day, and the
   value '0' indicates that it is not valid.
    For months with fewer than 31 days, the digits corresponding to
   days that the months do not have (counting in both directions)
   are ignored.
   "
     ::= { ipSecRuleTimePeriodEntry  4 }

   ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies which days of the week the policy
   is valid for. The octet string is structured as follows:
    - a 4-octet length field, indicating the length of the entire
   octet string; this field is always set to 0x00000005 for this
   property;
    - a 1-octet field consisting of 7 bits identifying the 7 days of
   the week, beginning with Sunday and ending with Saturday,
   followed by 1 bit that is always set to '0'.  For each day of the
   week, the value '1' indicates that the policy is valid for that
   day, and the value '0' indicates that it is not valid.
   "
     ::= { ipSecRuleTimePeriodEntry  5 }

    ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
     SYNTAX OCTET STRING
     STATUS current
     DESCRIPTION
   "An octet string that specifies a range of times in a day the
   policy is valid for. It is formatted as follows:
   A time string beginning with the character 'T', followed by the
   character '/', followed by a second time string.  The first time
   indicates the beginning of the range, while the second time
   indicates the end.  Times are expressed as sub-strings of the
   form Thhmmss.
    The second sub-string always identifies a later time than the
   first sub-string.  To allow for ranges that span midnight,
   however, the value of the second string may be smaller than the
   value of the first sub-string.  Thus, T080000/T210000 identifies
   the range from 0800 until 2100, while T210000/T080000 identifies
   the range from 2100 until 0800 of the following day.
   "
     ::= { ipSecRuleTimePeriodEntry  6 }

   ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
     SYNTAX INTEGER {
       localTime(1),
       utcTime(2)
       }
     STATUS current
     DESCRIPTION
   "This property indicates whether the times represented in this
   table represent local times or UTC times.  There is no provision
   for mixing of local times and UTC times: the value of this
   property applies to all of the other time-related properties.
   "
     ::= { ipSecRuleTimePeriodEntry  7 }

   --
   --
   -- The ipSecRuleTimePeriodGroupTable
   --


   ipSecRuleTimePeriodGroupTable OBJECT-TYPE
     SYNTAX SEQUENCE OF IpSecRuleTimePeriodGroupEntry
     POLICY-ACCESS install
     STATUS current
     DESCRIPTION
   "Specifies multiple time periods. A single row of the
   ipSecRuleTimePeriodTable can express one time period over multiple
   days (e.g., 8:00-10:00 am every Friday). This table allows several
   such periods (e.g., 8:00-10:00 am and 2:00-5:00 pm every Friday) to
   be combined into one group; the rule is valid whenever any period
   in the group is valid."
     INDEX { ipSecRuleTimePeriodGroupPrid }
     UNIQUENESS {
       RuleTimePeriodGroupId,
       RuleTimePeriodId
       }
     ::= { ipSecPolicyTimePeriod  2 }

    ipSecRuleTimePeriodGroupEntry OBJECT-TYPE
     SYNTAX IpSecRuleTimePeriodGroupEntry
     STATUS current
     DESCRIPTION
   "Specifies an instance of this class"
     ::= { ipSecRuleTimePeriodGroupTable 1 }

   IpSecRuleTimePeriodGroupEntry ::= SEQUENCE {
    ipSecRuleTimePeriodGroupPrid
                                  PolicyInstanceId,
    ipSecRuleTimePeriodGroupRuleTimePeriodGroupId
                                                      Unsigned32,
    ipSecRuleTimePeriodGroupRuleTimePeriodId
                                                  PolicyReferenceId
   }


   ipSecRuleTimePeriodGroupPrid OBJECT-TYPE
     SYNTAX PolicyInstanceId
     STATUS current
     DESCRIPTION
   "An integer index to uniquely identify an instance of this class"
     ::= { ipSecRuleTimePeriodGroupEntry  1 }

    ipSecRuleTimePeriodGroupRuleTimePeriodGroupId OBJECT-TYPE
     SYNTAX Unsigned32
     STATUS current
     DESCRIPTION
   "An integer that uniquely identifies an ipSecRuleTimePeriod
   group. "
     ::= { ipSecRuleTimePeriodGroupEntry  2 }

    ipSecRuleTimePeriodGroupRuleTimePeriodId OBJECT-TYPE
     SYNTAX PolicyReferenceId
     STATUS current
     DESCRIPTION
   "An integer that identifies an ipSecRuleTimePeriod, specified by
   the ipSecRuleTimePeriodTable, that is included in this group."
     ::= { ipSecRuleTimePeriodGroupEntry  3 }
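   The following Python is an added example, not part of this draft
   or of any implementation of it, that evaluates
   ipSecRuleTimePeriodTable rows and ipSecRuleTimePeriodGroupTable
   groups: it encodes and decodes the three length-prefixed masks with
   the layouts given above, parses the TimePeriod and TimeOfDayMask
   strings including THISANDPRIOR, THISANDFUTURE and ranges that span
   midnight, ANDs the attributes present in a row and ORs the rows of
   a group. Rows are dicts keyed by the attribute name without the
   ipSecRuleTimePeriod prefix (an assumed encoding); how the two halves
   of DayOfMonthMask combine and the default for a missing
   LocalOrUtcTime are assumptions marked in the code; the sample rows
   are constructed for the example.

```python
# Added example, not part of the draft: decide whether a rule whose validity is
# described by ipSecRuleTimePeriodTable rows is in force at a given instant.
# A row is a dict keyed by the attribute name without the ipSecRuleTimePeriod
# prefix (assumed encoding); absent attributes are "always valid".
import calendar
from datetime import datetime, timezone

STAMP = "%Y%m%dT%H%M%S"   # yyyymmddThhmmss, as used by TimePeriod
CLOCK = "T%H%M%S"         # Thhmmss, as used by TimeOfDayMask


class TimePeriodError(ValueError):
    """Raised for a mask whose total length or length prefix is wrong."""


def _bits(shifts):
    b = 0
    for s in shifts:
        b |= 1 << s
    return b


# Encoders for the three octet-string masks: 4-octet length prefix + payload.
def month_of_year_mask(months):
    """months: 1..12 with January = 1, the most significant payload bit."""
    return (6).to_bytes(4, "big") + _bits(16 - m for m in months).to_bytes(2, "big")


def day_of_month_mask(from_start=(), from_end=()):
    """from_start: days 1..31 from the 1st; from_end: 1..31 from the last day."""
    bits = _bits([64 - d for d in from_start] + [33 - d for d in from_end])
    return (12).to_bytes(4, "big") + bits.to_bytes(8, "big")


def day_of_week_mask(days):
    """days: 0..6 with Sunday = 0, the bit order used by the PIB."""
    return (5).to_bytes(4, "big") + bytes([_bits(7 - d for d in days)])


def _payload(octets, total_len):
    """Check total length and length prefix; return the payload as an int."""
    if len(octets) != total_len or int.from_bytes(octets[:4], "big") != total_len:
        raise TimePeriodError("mask %r is not %d octets with that prefix" % (octets, total_len))
    return int.from_bytes(octets[4:], "big")


def utc(y, mo, d, h=0, mi=0, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def in_time_period(row, now):
    """True if the aware datetime `now` lies in the row's period (attributes ANDed)."""
    # LocalOrUtcTime governs every time-valued attribute; a row that omits it is
    # read as localTime(1) (assumption, the draft states no default).
    zone = timezone.utc if row.get("LocalOrUtcTime", 1) == 2 else None
    now = now.astimezone(zone).replace(tzinfo=None)
    tp = row.get("TimePeriod")
    if tp is not None:
        start, end = tp.split("/")
        if start != "THISANDPRIOR" and now < datetime.strptime(start, STAMP):
            return False
        if end != "THISANDFUTURE" and now > datetime.strptime(end, STAMP):
            return False
    mask = row.get("MonthOfYearMask")
    if mask is not None and not ((_payload(mask, 6) >> (16 - now.month)) & 1):
        return False
    mask = row.get("DayOfMonthMask")
    if mask is not None:
        bits = _payload(mask, 12)
        k = calendar.monthrange(now.year, now.month)[1] - now.day + 1  # 1 = last day
        # Assumption: a day is valid if selected counting from either end; bits for
        # days the month does not have are never consulted.
        if not ((bits >> (64 - now.day)) & 1 or (bits >> (33 - k)) & 1):
            return False
    mask = row.get("DayOfWeekMask")
    if mask is not None:
        sunday_first = (now.weekday() + 1) % 7  # Python: Monday = 0; PIB: Sunday first
        if not ((_payload(mask, 5) >> (7 - sunday_first)) & 1):
            return False
    tod = row.get("TimeOfDayMask")
    if tod is not None:
        start, end = (datetime.strptime(x, CLOCK).time() for x in tod.split("/"))
        t = now.time()
        if start <= end:
            if not start <= t <= end:
                return False
        elif not (t >= start or t <= end):  # range spans midnight
            return False
    return True


def in_time_period_group(rows, now):
    """ipSecRuleTimePeriodGroupTable: valid when any grouped period is valid."""
    return any(in_time_period(r, now) for r in rows)


# Constructed sample rows (not from the draft): the group table's own example,
# Fridays 8:00-10:00 and 14:00-17:00, restricted to the year 2000, in UTC.
FRIDAY_MORNING = {
    "TimePeriod": "20000101T000000/20001231T235959",
    "DayOfWeekMask": day_of_week_mask([5]),  # Friday
    "TimeOfDayMask": "T080000/T100000",
    "LocalOrUtcTime": 2,
}
FRIDAY_AFTERNOON = dict(FRIDAY_MORNING, TimeOfDayMask="T140000/T170000")
FRIDAYS = [FRIDAY_MORNING, FRIDAY_AFTERNOON]
```

   Two points worth checking in any real PEP are visible here: the
   length prefix of each mask is verified before a bit is read, so a
   truncated or oversized octet string is rejected rather than
   silently misread, and the instant being tested is converted to the
   reference named by LocalOrUtcTime before any attribute is compared,
   so a rule expressed in UTC is not shifted by the PEP's local zone.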

    END

4. Security Considerations

   Since COPS is used to carry the PIB defined in this document, the
   security and protection of the information can be provided by
   either COPS [COPS] or a combination of COPS and IPSec [ARCH]. Note
   that the instances carried in this PIB decide which traffic a PEP
   protects, with which transforms, and during which time periods; an
   attacker able to modify them in transit, or to install instances in
   a PEP, can therefore weaken or remove that protection. The channel
   between PDP and PEP needs to be authenticated and integrity
   protected, and a PEP should accept policy only from an authorized
   PDP.


5. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; neither does it represent
   that it has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found
   in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights which may cover technology that may be required
   to practice this standard. Please address the information to the
   IETF Executive Director.


6. References

[AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998.

[ARCH] S. Kent, R. Atkinson, "Security Architecture for the Internet
Protocol", RFC 2401, November 1998.

[ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
Scheduling Core Object Specification (iCalendar)", RFC 2445, November
1998.

[COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry,
"The COPS (Common Open Policy Service) Protocol" RFC 2748, January
2000.

[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F.
Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning," draft-ietf-rap-cops-pr-02.txt, March 2000.

[DOI] D. Piper, "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.

[ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.

[FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A.
Smith, F. Reichmeyer, "Framework Policy Information Base", Internet
Draft, March 2000.

[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC
2409, November 1998.

[IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload
Compression Protocol (IPComp)", RFC 2393, August 1998.

[IPSEC-IM] J. Jason, "IPSec Configuration Policy Model," draft-ietf-
ipsp-config-policy-model-00.txt, March 2000.

[PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
Model -- Version 1 Specification", draft-ietf-policy-core-info-model-
06.txt, May 2000.

[SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan, A.
Smith, F. Reichmeyer, "Structure of Policy Provisioning Information,"
draft-ietf-rap-sppi-00.txt, March 2000.

7. Authors' Addresses

     Man Li
     Nokia
     5 Wayside Road,
     Burlington, MA 01803
     Phone: +1 781 993 3923
     Email: man.m.li@nokia.com

     David Arneson
     Nokia
     5 Wayside Road,
     Burlington, MA 01803
     Phone: +1 781 993 3925
     Email: david.arneson@nokia.com

     Avri Doria
     Nortel Networks
     600 Technology Park Drive
     Billerica, MA 01821
     Phone: +1 401 663 5024
     Email: avri@nortelnetworks.com

     Jamie Jason
     Intel Corporation
     MS JF3-206
     2111 NE 25th Ave.
     Hillsboro, OR 97124
     Phone: +1 503 264 9531
     Fax: +1 503 264 9428
     E-Mail: jamie.jason@intel.com
