IPsec Security Policy Database Configuration MIB
RFC 4807
Document | Type |
RFC - Proposed Standard
(March 2007; Errata)
Was draft-ietf-ipsp-spd-mib (individual in sec area)
|
|
---|---|---|---|
Last updated | 2013-03-02 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Reviews | |||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4807 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Russ Housley | ||
Send notices to | (None) |
Network Working Group M. Baer Request for Comments: 4807 Sparta, Inc. Category: Standards Track R. Charlet Self W. Hardaker Sparta, Inc. R. Story Revelstone Software C. Wang ARO March 2007 IPsec Security Policy Database Configuration MIB Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document defines a Structure of Management Information Version 2 (SMIv2) Management Information Base (MIB) module for configuring the security policy database of a device implementing the IPsec protocol. The policy-based packet filtering and the corresponding execution of actions described in this document are of a more general nature than for IPsec configuration alone, such as for configuration of a firewall. This MIB module is designed to be extensible with other enterprise or standards-based defined packet filters and actions. Baer, et al. Standards Track [Page 1] RFC 4807 IPsec SPD configuration MIB March 2007 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3 4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 5.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 6 5.1.1. Notational Conventions . . . . . . . . . . . . . . . . 6 5.1.2. Implementing an Example SPD Policy . . . . . . . . . . 7 6. MIB Definition . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 65 7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 65 7.2. Protecting against Unauthenticated Access . . . . . . . . 66 7.3. Protecting against Involuntary Disclosure . . . . . . . . 66 7.4. Bootstrapping Your Configuration . . . . . . . . . . . . . 67 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 68 10.1. Normative References . . . . . . . . . . . . . . . . . . . 68 10.2. Informative References . . . . . . . . . . . . . . . . . . 69 Baer, et al. Standards Track [Page 2] RFC 4807 IPsec SPD configuration MIB March 2007 1. Introduction This document defines a MIB module for configuration of an IPsec security policy database (SPD). The IPsec model this MIB is designed to configure is based on the "IPsec Configuration Policy Model" (IPCP) [RFC3585]. The IPCP's IPsec model is, in turn, derived from the Distributed Management Task Force's (DMTF) IPsec model (see below) and from the IPsec model specified in RFC 2401 [RFC2401]. Note: RFC 2401 has been updated by RFC 4301 [RFC4301], but this implementation is based on RFC 2401. The policy-based packet filtering and the corresponding execution of actions configured by this MIB is of a more general nature than for IPsec configuration only, such as for configuration of a firewall. It is possible to extend this MIB module and add other packet-transforming actions that are performed conditionally on an interface's network traffic. The IPsec- and IKE-specific actions are as documented in [IPsec-ACTION] and [IKE-ACTION], respectively, and are not documented in this document. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. The Internet-Standard Management Framework For a detailed overview of the documents that describe the currentShow full document text