summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4807.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4807.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4807.txt')
-rw-r--r--doc/rfc/rfc4807.txt3979
1 files changed, 3979 insertions, 0 deletions
diff --git a/doc/rfc/rfc4807.txt b/doc/rfc/rfc4807.txt
new file mode 100644
index 0000000..3ebd671
--- /dev/null
+++ b/doc/rfc/rfc4807.txt
@@ -0,0 +1,3979 @@
+
+
+
+
+
+
+Network Working Group M. Baer
+Request for Comments: 4807 Sparta, Inc.
+Category: Standards Track R. Charlet
+ Self
+ W. Hardaker
+ Sparta, Inc.
+ R. Story
+ Revelstone Software
+ C. Wang
+ ARO
+ March 2007
+
+
+ IPsec Security Policy Database Configuration MIB
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+ This document defines a Structure of Management Information Version 2
+ (SMIv2) Management Information Base (MIB) module for configuring the
+ security policy database of a device implementing the IPsec protocol.
+ The policy-based packet filtering and the corresponding execution of
+ actions described in this document are of a more general nature than
+ for IPsec configuration alone, such as for configuration of a
+ firewall. This MIB module is designed to be extensible with other
+ enterprise or standards-based defined packet filters and actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baer, et al. Standards Track [Page 1]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. The Internet-Standard Management Framework . . . . . . . . . . 3
+ 4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3
+ 5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4
+ 5.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 6
+ 5.1.1. Notational Conventions . . . . . . . . . . . . . . . . 6
+ 5.1.2. Implementing an Example SPD Policy . . . . . . . . . . 7
+ 6. MIB Definition . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 65
+ 7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 65
+ 7.2. Protecting against Unauthenticated Access . . . . . . . . 66
+ 7.3. Protecting against Involuntary Disclosure . . . . . . . . 66
+ 7.4. Bootstrapping Your Configuration . . . . . . . . . . . . . 67
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
+ 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 68
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . . 68
+ 10.2. Informative References . . . . . . . . . . . . . . . . . . 69
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baer, et al. Standards Track [Page 2]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+1. Introduction
+
+ This document defines a MIB module for configuration of an IPsec
+ security policy database (SPD). The IPsec model this MIB is designed
+ to configure is based on the "IPsec Configuration Policy Model"
+ (IPCP) [RFC3585]. The IPCP's IPsec model is, in turn, derived from
+ the Distributed Management Task Force's (DMTF) IPsec model (see
+ below) and from the IPsec model specified in RFC 2401 [RFC2401].
+ Note: RFC 2401 has been updated by RFC 4301 [RFC4301], but this
+ implementation is based on RFC 2401. The policy-based packet
+ filtering and the corresponding execution of actions configured by
+ this MIB is of a more general nature than for IPsec configuration
+ only, such as for configuration of a firewall. It is possible to
+ extend this MIB module and add other packet-transforming actions that
+ are performed conditionally on an interface's network traffic.
+
+ The IPsec- and IKE-specific actions are as documented in
+ [IPsec-ACTION] and [IKE-ACTION], respectively, and are not documented
+ in this document.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410]
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Relationship to the DMTF Policy Model
+
+ The Distributed Management Task Force (DMTF) has created an object
+ oriented model of IPsec policy information known as the IPsec Policy
+ Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model"
+ (IPCP) [RFC3585] is based, in large part, on the DMTF's IPsec policy
+ model and on RFC 2401 [RFC2401]. The IPCP document describes a model
+
+
+
+Baer, et al. Standards Track [Page 3]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ for configuring IPsec. This MIB module is a task-specific derivation
+ (i.e., an SMIv2 instantiation) of the IPCP's IPsec configuration
+ model for use with Simple Network Management Protocol version 3
+ (SNMPv3).
+
+ The high-level areas where this MIB module diverges from the IPCP
+ model are:
+
+ o Policies, Groups, Conditions, and some levels of Actions are
+ generically named. In other words, IPsec-specific prefixes like
+ "SA" (Security Association), or "IPsec", are not used. This
+ naming convention is used because packet classification and the
+ matching of conditions to actions is more general than IPsec. The
+ tables in this document can possibly be reused by other packet-
+ transforming actions, which need to conditionally act on packets
+ matching filters.
+
+ o Filters are implemented in a more generic and scalable manner,
+ rather than enforcing the condition/filtering pairing of the IPCP
+ and its restrictions upon the user. This MIB module offers a
+ compound filter object providing greater flexibility for complex
+ filters than the IPCP.
+
+5. MIB Module Overview
+
+ The MIB module is modularized into several different parts: rules,
+ filters, and actions.
+
+ The rules section associates endpoints and groups of rules, and
+ consists of the spdEndpointToGroupTable, spdGroupContentsTable, and
+ the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable
+ connects a filter to an action. It should also be noted that by
+ referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's
+ filter column can indicate a set of filters to be processed.
+ Likewise, by referencing the spdCompoundActionTable, the
+ spdRuleDefinitionTable's action column can indicate multiple actions
+ to be executed.
+
+ This MIB is structured to allow for reuse through the future creation
+ of extension tables that provide additional filters and/or actions.
+ In fact, the companion documents to this one ([IPsec-ACTION] and
+ [IKE-ACTION]) do just that and define IPsec- and IKE-specific actions
+ to be used within this SPD configuration MIB. Note: it is expected
+ that, in order to function properly, extension action MIBs may impose
+ additional limitations on the objects in this MIB and how they can be
+ used with the extended actions. An extension action may only support
+ a subset of the configuration options available in this MIB.
+
+
+
+
+Baer, et al. Standards Track [Page 4]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ The filter section of the MIB module is composed of the different
+ types of filters in the Policy Model. It is made up of the
+ spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable
+ spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
+ spdIpsoHeaderFilterTable.
+
+ The action section of this MIB module contains only the simple static
+ actions required for the firewall processing that an IPsec SPD
+ implementation requires (e.g., accept, drop, log, etc.). The
+ companion documents of this document define the complex actions
+ necessary for IPsec and IKE negotiations.
+
+ As may have been noticed above, the MIB uses recursion in a similar
+ manner in several different places. In particular, the
+ spdGroupContentsTable, the spdCompoundFilterTable /
+ spdSubfiltersTable combination, and the spdCompoundActionTable /
+ spdSubactionsTable combination can reference themselves.
+
+ In the case of the spdGroupContentsTable, a row can indicate a rule
+ (i.e., a row in the spdRuleDefinitionTable) or a group (i.e., another
+ set of one or more rows in the spdGroupContentsTable). This way, a
+ group can contain a set of rules and sub-groups. Sub-groups are just
+ other groups defined in the spdGroupContentsTable. There is no
+ inherent MIB limit to the depth of nesting of groups.
+
+ The spdCompoundFilterTable / spdSubfiltersTable combination and
+ spdCompoundActionTable / spdSubactionsTable combination are designed
+ almost identically, with one being for filters and the other for
+ actions, respectively. The following descriptions for the compound
+ filter tables can be directly applied to the compound action tables.
+
+ The combination of the tables spdCompoundFilterTable and
+ spdSubfiltersTable allow a user to create a set of filters that can
+ be referenced from any table as a single filter. A row in the
+ spdCompoundFilterTable has the basic configuration information for
+ the compound filter. The index of spdCompoundFilterTable,
+ spdCompFiltname, is also used as a partial index to reference a set
+ of ordered rows in the spdSubfiltersTable. Each row in
+ spdSubfiltersTable points to a row in another filter table. In this
+ way, the set of rows in spdSubFiltersTable with a matching
+ spdCompFiltName, together with the row in spdCompoundFilterTable
+ indexed by spdCompFiltName, create a compound filter. Note that it
+ is possible for a row in the spdSubfiltersTable to point to a row in
+ the spdCompoundFilterTable. This recursion allows the creation of a
+ filter set that includes other filter sets within it. There is no
+ inherent MIB limit to the nesting of compound filters within compound
+ filters.
+
+
+
+
+Baer, et al. Standards Track [Page 5]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+5.1. Usage Tutorial
+
+ In order to use the tables contained in this document, a general
+ understanding of firewall processing is helpful. The processing of
+ the security policy database (SPD) involves applying a set of SPD
+ rules to an interface on a device. The given set of rules to apply
+ to any given interface is defined within the spdEndpointToGroupTable
+ table. This table maps a given interface to a group of rules. In
+ this table, the interface itself is specified using its assigned
+ address. There is also one group of rules per direction (ingress and
+ egress).
+
+5.1.1. Notational Conventions
+
+ Notes about the following example operations:
+
+ 1. All the example operations in the following section make use of
+ default values for all columns not listed. The operations and
+ column values given in the examples are the minimal SNMP Varbinds
+ that must be sent to create a row.
+
+ 2. The example operations are formatted such that a row (i.e., the
+ table's Entry object) is operated on by using the indexes to that
+ row and the column values for that row.
+
+ 3. Below is a generic example of the notation used in the following
+ section's examples of this MIB's usage. This example indicates
+ that the MIB row to be set is the row with the index values of
+ value1 for index1, and value2 for index2. Within this row,
+ column1 is set to column_value1, and column2 is set to
+ column_value2.:
+
+ rowEntry(index1 = value1,
+ index2 = value2)
+ = (column1 = column_value1,
+ column2 = column_value2)
+
+ 4. The below is a specific example of the notation used in the
+ following section's examples of this MIB's usage. This example
+ represents the status column of a row in the IP-
+ MIB::ipAddressTable table being set to deprecated. The index
+ values for this row are IPv4 and 192.0.2.1. The example notation
+ would look like the following:
+
+ ipAddressEntry(ipAddressAddrType = 1, -- ipv4
+ ipAddressAddr = 0xC0000201 ) -- 192.0.2.1
+ = (ipAddressStatus = 2) -- deprecated
+
+
+
+
+Baer, et al. Standards Track [Page 6]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+5.1.2. Implementing an Example SPD Policy
+
+ As an example, let us define the following administrative policy: On
+ the network interface with IP address 192.0.2.1, all traffic from
+ host 192.0.2.6 will be dropped and all other traffic will be
+ accepted.
+
+ This policy is enforced by setting the values in the MIB to do the
+ following:
+
+ o create a filter for 192.0.2.6
+
+ o create a rule that connects the 192.0.2.6 filter to a packet drop
+ action
+
+ o create a rule that always accepts packets
+
+ o group these rules together in the proper order so that the
+ 192.0.2.6 drop rule is checked first.
+
+ o connect this group of rules to the 192.0.2.1 interface
+
+ The first step to do this is creating the filter for the IPv4 address
+ 192.0.2.6:
+
+ SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6")
+ = (spdIpHeadFiltType = 0x80, -- sourceAddress
+ spdIpHeadFiltIPVersion = 1, -- IPv4
+ spdIpHeadFiltSrcAddressBegin = 0xC0000206, -- 192.0.2.6
+ spdIpHeadFiltSrcAddressEnd = 0xC0000206, -- 192.0.2.6
+ spdIpHeadFiltRowStatus = 4) -- createAndGo
+
+ Next, a rule is created to connect the above "192.0.2.6" filter to an
+ action to "drop" the packet, as follows:
+
+ spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6")
+ = (spdRuleDefFilter =
+ spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54,
+ spdRuleDefAction = spdDropAction.0,
+ spdRuleDefRowStatus = 4) -- createAndGo
+
+ Next, a rule is created that accepts all packets:
+
+ spdRuleDefinitionEntry(spdRuleDefName = "accept all")
+ = (spdRuleDefFilter = spdTrueFilter.0,
+ spdRuleDefAction = spdAcceptAction.0,
+ spdRuleDefRowStatus = 4) -- createAndGo
+
+
+
+
+Baer, et al. Standards Track [Page 7]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ Next, these two rules are grouped together. Rule groups attached to
+ an interface are processed one row at a time. The rows are processed
+ from lowest to highest spdGroupContPriority value. Because the row
+ that references the "accept all" rule should be processed last, it is
+ given the higher spdGroupContPriority value.
+
+ SpdGroupContentsEntry(spdGroupContName = "ingress",
+ spdGroupContPriority = 65535)
+ = (spdGroupContComponentName = "accept all",
+ spdGroupContRowStatus = 4) -- createAndGo
+
+ SpdGroupContentsEntry(spdGroupContName = "ingress",
+ spdGroupContPriority = 1000)
+ = (spdGroupContComponentName = "drop from 192.0.2.6",
+ spdGroupContRowStatus = 4) -- createAndGo
+
+ Finally, this group of rules is connected to the 192.0.2.1 interface
+ as follows:
+
+ SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress
+ spdEndGroupIdentType = 4, -- IPv4
+ spdEndGroupAddress = 0xC0000001)
+
+ = (spdEndGroupName = "ingress",
+ spdEndGroupRowStatus = 4) -- createAndGo
+
+ This completes the necessary steps to implement the policy. Once all
+ of these rules have been applied, the policy should take effect.
+
+6. MIB Definition
+
+ The following MIB Module imports from: [RFC2578], [RFC2579],
+ [RFC2580], [RFC2863], [RFC3289], [RFC3411], and [RFC4001]. It also
+ uses definitions from [RFC1108], [RFC3060], and [RFC3629].
+
+
+IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
+ Unsigned32, mib-2 FROM SNMPv2-SMI
+ -- [RFC2578]
+
+ TEXTUAL-CONVENTION, RowStatus, TruthValue,
+ TimeStamp, StorageType, VariablePointer
+ FROM SNMPv2-TC
+ -- [RFC2579]
+
+
+
+
+Baer, et al. Standards Track [Page 8]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
+ FROM SNMPv2-CONF
+ -- [RFC2580]
+
+ InterfaceIndex
+ FROM IF-MIB
+ -- [RFC2863]
+
+ diffServMIBMultiFieldClfrGroup, IfDirection,
+ diffServMultiFieldClfrNextFree
+ FROM DIFFSERV-MIB
+ -- [RFC3289]
+
+ InetAddressType, InetAddress
+ FROM INET-ADDRESS-MIB
+ -- [RFC4001]
+
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ -- [RFC3411]
+
+ ;
+
+--
+-- module identity
+--
+
+spdMIB MODULE-IDENTITY
+ LAST-UPDATED "200702070000Z" -- 7 February 2007
+ ORGANIZATION "IETF IP Security Policy Working Group"
+ CONTACT-INFO "Michael Baer
+ P.O. Box 72682
+ Davis, CA 95617
+ Phone: +1 530 902 3131
+ Email: baerm@tislabs.com
+
+ Ricky Charlet
+ Email: rcharlet@alumni.calpoly.edu
+
+ Wes Hardaker
+ Sparta, Inc.
+ P.O. Box 382
+ Davis, CA 95617
+ Phone: +1 530 792 1913
+ Email: hardaker@tislabs.com
+
+ Robert Story
+ Revelstone Software
+ PO Box 1812
+
+
+
+Baer, et al. Standards Track [Page 9]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ Tucker, GA 30085
+ Phone: +1 770 617 3722
+ Email: rstory@ipsp.revelstone.com
+
+ Cliff Wang
+ ARO
+ 4300 S. Miami Blvd.
+ Durham, NC 27703
+ E-Mail: cliffwangmail@yahoo.com"
+ DESCRIPTION
+ "This MIB module defines configuration objects for managing
+ IPsec Security Policies. In general, this MIB can be
+ implemented anywhere IPsec security services exist (e.g.,
+ bump-in-the-wire, host, gateway, firewall, router, etc.).
+
+ Copyright (C) The IETF Trust (2007). This version of
+ this MIB module is part of RFC 4807; see the RFC itself for
+ full legal notices."
+
+-- Revision History
+
+ REVISION "200702070000Z" -- 7 February 2007
+ DESCRIPTION "Initial version, published as RFC 4807."
+
+ ::= { mib-2 153 }
+
+--
+-- groups of related objects
+--
+
+spdConfigObjects OBJECT IDENTIFIER
+ ::= { spdMIB 1 }
+spdNotificationObjects OBJECT IDENTIFIER
+ ::= { spdMIB 2 }
+spdConformanceObjects OBJECT IDENTIFIER
+ ::= { spdMIB 3 }
+spdActions OBJECT IDENTIFIER
+ ::= { spdMIB 4 }
+
+--
+-- Textual Conventions
+--
+
+SpdBooleanOperator ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The SpdBooleanOperator operator is used to specify
+ whether sub-components in a decision-making process are
+
+
+
+Baer, et al. Standards Track [Page 10]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ ANDed or ORed together to decide if the resulting
+ expression is true or false."
+ SYNTAX INTEGER { or(1), and(2) }
+
+SpdAdminStatus ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The SpdAdminStatus is used to specify the administrative
+ status of an object. Objects that are disabled MUST NOT
+ be used by the packet processing engine."
+ SYNTAX INTEGER { enabled(1), disabled(2) }
+
+SpdIPPacketLogging ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+ "SpdIPPacketLogging specifies whether an audit message
+ SHOULD be logged if a packet is passed through a Security
+ Association (SA) and if some of that packet is included in
+ the log event. A value of '-1' indicates no logging. A
+ value of '0' or greater indicates that logging SHOULD be
+ done and indicates the number of bytes starting at the
+ beginning of the packet to place in the log. Values greater
+ than the size of the packet being processed indicate that
+ the entire packet SHOULD be sent.
+
+ Examples:
+ '-1' no logging
+ '0' log but do not include any of the packet in the log
+ '20' log and include the first 20 bytes of the packet
+ in the log."
+
+ SYNTAX Integer32 (-1..65535)
+
+
+SpdTimePeriod ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "31t"
+ STATUS current
+ DESCRIPTION
+ "This property identifies an overall range of calendar dates
+ and time. In a boolean context, a value within this time
+ range, inclusive, is considered true.
+
+ This information is encoded as an octet string using
+ the UTF-8 transformation format described in STD 63,
+ RFC 3629.
+
+ It uses the format suggested in RFC 3060. An octet string
+
+
+
+Baer, et al. Standards Track [Page 11]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ represents a start date and time and an end date and time.
+ For example:
+
+ yyyymmddThhmmss/yyyymmddThhmmss
+
+ Where: yyyy = year mm = month dd = day
+ hh = hour mm = minute ss = second
+
+ The first 'yyyymmddThhmmss' sub-string indicates the start
+ date and time. The second 'yyyymmddThhmmss' sub-string
+ indicates the end date and time. The character 'T' within
+ these sub-strings indicates the beginning of the time
+ portion of each sub-string. The solidus character '/'
+ separates the start from the end date and time. The end
+ date and time MUST be subsequent to the start date and
+ time.
+
+ There are also two allowed substitutes for a
+ 'yyyymmddThhmmss' sub-string: one for the start date and
+ time, and one for the end date and time.
+
+ If the start date and time are replaced with the string
+ 'THISANDPRIOR', this sub-string would indicate the current
+ date and time and the previous dates and time.
+
+ If the end date and time are replaced with the string
+ 'THISANDFUTURE', this sub-string would indicate the current
+ date and time and the subsequent dates and time.
+
+ Any of the following SHOULD be considered a
+ 'wrongValue' error:
+ - Setting a value with the end date and time earlier than
+ or equal to the start date and time.
+ - Setting the start date and time to 'THISANDFUTURE'.
+ - Setting the end date and time to 'THISANDPRIOR'."
+ REFERENCE "RFC 3060, 3269"
+ SYNTAX OCTET STRING (SIZE (0..31))
+--
+-- Policy group definitions
+--
+
+spdLocalConfigObjects OBJECT IDENTIFIER
+ ::= { spdConfigObjects 1 }
+
+spdIngressPolicyGroupName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS read-write
+ STATUS current
+
+
+
+Baer, et al. Standards Track [Page 12]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ DESCRIPTION
+ "This object indicates the global system policy group that
+ is to be applied on ingress packets (i.e., arriving at an
+ interface from a network) when a given endpoint does not
+ contain a policy definition in the spdEndpointToGroupTable.
+ Its value can be used as an index into the
+ spdGroupContentsTable to retrieve a list of policies. A
+ zero length string indicates that no system-wide policy exists
+ and the default policy of 'drop' SHOULD be executed for
+ ingress packets until one is imposed by either this object
+ or by the endpoint processing a given packet.
+
+ This object MUST be persistent"
+ DEFVAL { "" }
+ ::= { spdLocalConfigObjects 1 }
+
+spdEgressPolicyGroupName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object indicates the policy group containing the
+ global system policy that is to be applied on egress
+ packets (i.e., packets leaving an interface and entering a
+ network) when a given endpoint does not contain a policy
+ definition in the spdEndpointToGroupTable. Its value can
+ be used as an index into the spdGroupContentsTable to
+ retrieve a list of policies. A zero length string
+ indicates that no system-wide policy exists and the default
+ policy of 'drop' SHOULD be executed for egress packets
+ until one is imposed by either this object or by the
+ endpoint processing a given packet.
+
+ This object MUST be persistent"
+ DEFVAL { "" }
+ ::= { spdLocalConfigObjects 2 }
+
+
+spdEndpointToGroupTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table maps policies (groupings) onto an endpoint
+ (interface). A policy group assigned to an endpoint is then
+ used to control access to the network traffic passing
+ through that endpoint.
+
+
+
+
+Baer, et al. Standards Track [Page 13]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ If an endpoint has been configured with a policy group and
+ no rule within that policy group matches that packet, the
+ default action in this case SHALL be to drop the packet.
+
+ If no policy group has been assigned to an endpoint, then
+ the policy group specified by spdIngressPolicyGroupName MUST
+ be used on traffic inbound from the network through that
+ endpoint, and the policy group specified by
+ spdEgressPolicyGroupName MUST be used for traffic outbound
+ to the network through that endpoint."
+ ::= { spdConfigObjects 2 }
+
+spdEndpointToGroupEntry OBJECT-TYPE
+ SYNTAX SpdEndpointToGroupEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A mapping assigning a policy group to an endpoint."
+
+ INDEX { spdEndGroupDirection, spdEndGroupInterface }
+ ::= { spdEndpointToGroupTable 1 }
+
+SpdEndpointToGroupEntry ::= SEQUENCE {
+ spdEndGroupDirection IfDirection,
+ spdEndGroupInterface InterfaceIndex,
+ spdEndGroupName SnmpAdminString,
+ spdEndGroupLastChanged TimeStamp,
+ spdEndGroupStorageType StorageType,
+ spdEndGroupRowStatus RowStatus
+}
+
+spdEndGroupDirection OBJECT-TYPE
+ SYNTAX IfDirection
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object indicates which direction of packets crossing
+ the interface are associated with which spdEndGroupName
+ object. Ingress packets, or packets into the device match
+ when this value is inbound(1). Egress packets or packets
+ out of the device match when this value is outbound(2)."
+ ::= { spdEndpointToGroupEntry 1 }
+
+spdEndGroupInterface OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+
+
+
+Baer, et al. Standards Track [Page 14]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ "This value matches the IF-MIB's ifTable's ifIndex column
+ and indicates the interface associated with a given
+ endpoint. This object can be used to uniquely identify an
+ endpoint that a set of policy groups are applied to."
+ ::= { spdEndpointToGroupEntry 2 }
+
+spdEndGroupName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The policy group name to apply at this endpoint. The
+ value of the spdEndGroupName object is then used as an
+ index into the spdGroupContentsTable to come up with a list
+ of rules that MUST be applied at this endpoint."
+ ::= { spdEndpointToGroupEntry 3 }
+
+spdEndGroupLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdEndpointToGroupEntry 4 }
+
+spdEndGroupStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a storage
+ type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdEndpointToGroupEntry 5 }
+
+spdEndGroupRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+
+
+
+Baer, et al. Standards Track [Page 15]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ This object is considered 'notReady' and MUST NOT be set to
+ active until one or more active rows exist within the
+ spdGroupContentsTable for the group referenced by the
+ spdEndGroupName object."
+ ::= { spdEndpointToGroupEntry 6 }
+
+--
+-- policy group definition table
+--
+
+spdGroupContentsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdGroupContentsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains a list of rules and/or subgroups
+ contained within a given policy group. For a given value
+ of spdGroupContName, the set of rows sharing that value
+ forms a 'group'. The rows in a group MUST be processed
+ according to the value of the spdGroupContPriority object
+ in each row. The processing MUST be executed starting with
+ the lowest value of spdGroupContPriority and in ascending
+ order thereafter.
+
+ If an action is executed as the result of the processing of
+ a row in a group, the processing of further rows in that
+ group MUST stop. Iterating to the next policy group row by
+ finding the next largest spdGroupContPriority object SHALL
+ only be done if no actions were run while processing the
+ current row for a given packet."
+ ::= { spdConfigObjects 3 }
+
+spdGroupContentsEntry OBJECT-TYPE
+ SYNTAX SpdGroupContentsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines a given sub-component within a policy group. A
+ sub-component is either a rule or another group as
+ indicated by spdGroupContComponentType and referenced by
+ spdGroupContComponentName."
+
+
+
+Baer, et al. Standards Track [Page 16]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ INDEX { spdGroupContName, spdGroupContPriority }
+ ::= { spdGroupContentsTable 1 }
+
+SpdGroupContentsEntry ::= SEQUENCE {
+ spdGroupContName SnmpAdminString,
+ spdGroupContPriority Integer32,
+ spdGroupContFilter VariablePointer,
+ spdGroupContComponentType INTEGER,
+ spdGroupContComponentName SnmpAdminString,
+ spdGroupContLastChanged TimeStamp,
+ spdGroupContStorageType StorageType,
+ spdGroupContRowStatus RowStatus
+}
+
+spdGroupContName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The administrative name of the group associated with this
+ row. A 'group' is formed by all the rows in this table that
+ have the same value of this object."
+ ::= { spdGroupContentsEntry 1 }
+
+spdGroupContPriority OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The priority (sequence number) of the sub-component in
+ a group that this row represents. This value indicates
+ the order that each row of this table MUST be processed
+ from low to high. For example, a row with a priority of 0
+ is processed before a row with a priority of 1, a 1 before
+ a 2, etc."
+ ::= { spdGroupContentsEntry 2 }
+
+spdGroupContFilter OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "spdGroupContFilter points to a filter that is evaluated
+ to determine whether the spdGroupContComponentName within
+ this row is exercised. Managers can use this object to
+ classify groups of rules, or subgroups, together in order to
+ achieve a greater degree of control and optimization over
+ the execution order of the items within the group. If the
+
+
+
+Baer, et al. Standards Track [Page 17]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ filter evaluates to false, the rule or subgroup will be
+ skipped and the next rule or subgroup will be evaluated
+ instead. This value can be used to indicate a scalar or
+ row in a table. When indicating a row in a table, this
+ value MUST point to the first column instance in that row.
+
+ An example usage of this object would be to limit a
+ group of rules to executing only when the IP packet
+ being processed is designated to be processed by IKE.
+ This effectively creates a group of IKE-specific rules.
+
+ The following tables and scalars can be pointed to by this
+ column. All but diffServMultiFieldClfrTable are defined in
+ this MIB:
+
+ diffServMultiFieldClfrTable
+ spdIpOffsetFilterTable
+ spdTimeFilterTable
+ spdCompoundFilterTable
+ spdTrueFilter
+ spdIpsoHeaderFilterTable
+
+ Implementations MAY choose to provide support for other
+ filter tables or scalars.
+
+ If this column is set to a VariablePointer value, which
+ references a non-existent row in an otherwise supported
+ table, the inconsistentName exception MUST be returned. If
+ the table or scalar pointed to by the VariablePointer is
+ not supported at all, then an inconsistentValue exception
+ MUST be returned.
+
+ If, during packet processing, a row in this table is applied
+ to a packet and the value of this column in that row
+ references a non-existent or non-supported object, the
+ packet MUST be dropped."
+ REFERENCE "RFC 3289"
+ DEFVAL { spdTrueFilterInstance }
+ ::= { spdGroupContentsEntry 3 }
+
+spdGroupContComponentType OBJECT-TYPE
+ SYNTAX INTEGER { group(1), rule(2) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Indicates whether the spdGroupContComponentName object
+ is the name of another group defined within the
+ spdGroupContentsTable or is the name of a rule defined
+
+
+
+Baer, et al. Standards Track [Page 18]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ within the spdRuleDefinitionTable."
+ DEFVAL { rule }
+ ::= { spdGroupContentsEntry 4 }
+
+spdGroupContComponentName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The name of the policy rule or subgroup contained within
+ this row, as indicated by the spdGroupContComponentType
+ object."
+ ::= { spdGroupContentsEntry 5 }
+
+spdGroupContLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem,
+ this object SHOULD have a zero value."
+ ::= { spdGroupContentsEntry 6 }
+
+spdGroupContStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a storage
+ type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdGroupContentsEntry 7 }
+
+spdGroupContRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+
+
+Baer, et al. Standards Track [Page 19]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ This object MUST NOT be set to active until the row to
+ which the spdGroupContComponentName points to exists and is
+ active.
+
+ If active, this object MUST remain active unless one of the
+ following two conditions are met:
+
+ I. No active row in spdEndpointToGroupTable exists that
+ references this row's group (i.e., indicate this row's
+ spdGroupContName).
+
+ II. Or at least one other active row in this table has a
+ matching spdGroupContName.
+
+ If neither condition is met, an attempt to set this row to
+ something other than active MUST result in an
+ inconsistentValue error."
+ ::= { spdGroupContentsEntry 8 }
+
+
+--
+-- policy definition table
+--
+
+spdRuleDefinitionTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdRuleDefinitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table defines a rule by associating a filter
+ or a set of filters to an action to be executed."
+ ::= { spdConfigObjects 4 }
+
+spdRuleDefinitionEntry OBJECT-TYPE
+ SYNTAX SpdRuleDefinitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A row defining a particular rule definition. A rule
+ definition binds a filter pointer to an action pointer."
+ INDEX { spdRuleDefName }
+ ::= { spdRuleDefinitionTable 1 }
+
+SpdRuleDefinitionEntry ::= SEQUENCE {
+ spdRuleDefName SnmpAdminString,
+
+
+
+Baer, et al. Standards Track [Page 20]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ spdRuleDefDescription SnmpAdminString,
+ spdRuleDefFilter VariablePointer,
+ spdRuleDefFilterNegated TruthValue,
+ spdRuleDefAction VariablePointer,
+ spdRuleDefAdminStatus SpdAdminStatus,
+ spdRuleDefLastChanged TimeStamp,
+ spdRuleDefStorageType StorageType,
+ spdRuleDefRowStatus RowStatus
+}
+
+spdRuleDefName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "spdRuleDefName is the administratively assigned name of
+ the rule referred to by the spdGroupContComponentName
+ object."
+ ::= { spdRuleDefinitionEntry 1 }
+
+spdRuleDefDescription OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A user defined string. This field MAY be used for
+ administrative tracking purposes."
+ DEFVAL { "" }
+ ::= { spdRuleDefinitionEntry 2 }
+
+spdRuleDefFilter OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "spdRuleDefFilter points to a filter that is used to
+ evaluate whether the action associated with this row is
+ executed or not. The action will only execute if the
+ filter referenced by this object evaluates to TRUE after
+ first applying any negation required by the
+ spdRuleDefFilterNegated object.
+
+ The following tables and scalars can be pointed to by this
+ column. All but diffServMultiFieldClfrTable are defined in
+ this MIB. Implementations MAY choose to provide support
+ for other filter tables or scalars as well:
+
+ diffServMultiFieldClfrTable
+
+
+
+Baer, et al. Standards Track [Page 21]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ spdIpOffsetFilterTable
+ spdTimeFilterTable
+ spdCompoundFilterTable
+ spdTrueFilter
+
+ If this column is set to a VariablePointer value, which
+ references a non-existent row in an otherwise supported
+ table, the inconsistentName exception MUST be returned. If
+ the table or scalar pointed to by the VariablePointer is
+ not supported at all, then an inconsistentValue exception
+ MUST be returned.
+
+ If, during packet processing, this column has a value that
+ references a non-existent or non-supported object, the
+ packet MUST be dropped."
+ REFERENCE "RFC 3289"
+ ::= { spdRuleDefinitionEntry 3 }
+
+spdRuleDefFilterNegated OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "spdRuleDefFilterNegated specifies whether or not the results of
+ the filter referenced by the spdRuleDefFilter object is
+ negated."
+ DEFVAL { false }
+ ::= { spdRuleDefinitionEntry 4 }
+
+spdRuleDefAction OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This column points to the action to be taken. It MAY,
+ but is not limited to, point to a row in one of the
+ following tables:
+
+ spdCompoundActionTable
+ ipsaSaPreconfiguredActionTable
+ ipiaIkeActionTable
+ ipiaIpsecActionTable
+
+ It MAY also point to one of the scalar objects beneath
+ spdStaticActions.
+
+ If this object is set to a pointer to a row in an
+ unsupported (or unknown) table, an inconsistentValue
+
+
+
+Baer, et al. Standards Track [Page 22]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ error MUST be returned.
+
+ If this object is set to point to a non-existent row in an
+ otherwise supported table, an inconsistentName error MUST
+ be returned.
+
+ If, during packet processing, this column has a value that
+ references a non-existent or non-supported object, the
+ packet MUST be dropped."
+ ::= { spdRuleDefinitionEntry 5 }
+
+spdRuleDefAdminStatus OBJECT-TYPE
+ SYNTAX SpdAdminStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Indicates whether the current rule definition is considered
+ active. If the value is enabled, the rule MUST be evaluated
+ when processing packets. If the value is disabled, the
+ packet processing MUST continue as if this rule's filter
+ had effectively failed."
+ DEFVAL { enabled }
+ ::= { spdRuleDefinitionEntry 6 }
+
+spdRuleDefLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdRuleDefinitionEntry 7 }
+
+spdRuleDefStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a
+ storage type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+
+
+
+Baer, et al. Standards Track [Page 23]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdRuleDefinitionEntry 8 }
+
+spdRuleDefRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ This object MUST NOT be set to active until the containing
+ conditions, filters, and actions have been defined. Once
+ active, it MUST remain active until no active
+ policyGroupContents entries are referencing it. A failed
+ attempt to do so MUST return an inconsistentValue error."
+ ::= { spdRuleDefinitionEntry 9 }
+
+--
+-- Policy compound filter definition table
+--
+
+spdCompoundFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdCompoundFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table defining compound filters and their associated
+ parameters. A row in this table can be pointed to by a
+ spdRuleDefFilter object."
+ ::= { spdConfigObjects 5 }
+
+spdCompoundFilterEntry OBJECT-TYPE
+ SYNTAX SpdCompoundFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the spdCompoundFilterTable. Each entry in this
+ table represents a compound filter. A filter defined by
+ this table is considered to have a TRUE return value if and
+ only if:
+
+ spdCompFiltLogicType is AND and all of the sub-filters
+ associated with it, as defined in the spdSubfiltersTable,
+ are all true themselves (after applying any required
+
+
+
+Baer, et al. Standards Track [Page 24]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ negation, as defined by the ficFilterIsNegated object).
+
+ spdCompFiltLogicType is OR and at least one of the
+ sub-filters associated with it, as defined in the
+ spdSubfiltersTable, is true itself (after applying any
+ required negation, as defined by the ficFilterIsNegated
+ object."
+ INDEX { spdCompFiltName }
+ ::= { spdCompoundFilterTable 1 }
+
+SpdCompoundFilterEntry ::= SEQUENCE {
+ spdCompFiltName SnmpAdminString,
+ spdCompFiltDescription SnmpAdminString,
+ spdCompFiltLogicType SpdBooleanOperator,
+ spdCompFiltLastChanged TimeStamp,
+ spdCompFiltStorageType StorageType,
+ spdCompFiltRowStatus RowStatus
+}
+
+spdCompFiltName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A user definable string. This value is used as an index
+ into this table."
+ ::= { spdCompoundFilterEntry 1 }
+
+spdCompFiltDescription OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A user definable string. This field MAY be used for
+ your administrative tracking purposes."
+ DEFVAL { "" }
+ ::= { spdCompoundFilterEntry 2 }
+
+spdCompFiltLogicType OBJECT-TYPE
+ SYNTAX SpdBooleanOperator
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Indicates whether the sub-component filters of this
+ compound filter are functionally ANDed or ORed together."
+ DEFVAL { and }
+ ::= { spdCompoundFilterEntry 3 }
+
+
+
+
+Baer, et al. Standards Track [Page 25]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+spdCompFiltLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdCompoundFilterEntry 4 }
+
+spdCompFiltStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a
+ storage type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdCompoundFilterEntry 5 }
+
+spdCompFiltRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ Once active, it MUST NOT have its value changed if any
+ active rows in the spdRuleDefinitionTable are currently
+ pointing at this row."
+ ::= { spdCompoundFilterEntry 6 }
+
+--
+-- Policy filters in a cf table
+--
+
+spdSubfiltersTable OBJECT-TYPE
+
+
+
+Baer, et al. Standards Track [Page 26]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ SYNTAX SEQUENCE OF SpdSubfiltersEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table defines a list of filters contained within a
+ given compound filter defined in the
+ spdCompoundFilterTable."
+ ::= { spdConfigObjects 6 }
+
+spdSubfiltersEntry OBJECT-TYPE
+ SYNTAX SpdSubfiltersEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the spdSubfiltersTable. There is an entry in
+ this table for each sub-filter of all compound filters
+ present in the spdCompoundFilterTable."
+ INDEX { spdCompFiltName, spdSubFiltPriority }
+ ::= { spdSubfiltersTable 1 }
+
+SpdSubfiltersEntry ::= SEQUENCE {
+ spdSubFiltPriority Integer32,
+ spdSubFiltSubfilter VariablePointer,
+ spdSubFiltSubfilterIsNegated TruthValue,
+ spdSubFiltLastChanged TimeStamp,
+ spdSubFiltStorageType StorageType,
+ spdSubFiltRowStatus RowStatus
+}
+
+spdSubFiltPriority OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The priority of a given filter within a compound filter.
+ The order of execution is from lowest to highest priority
+ value (i.e., priority 0 before priority 1, 1 before 2,
+ etc.). Implementations MAY choose to follow this ordering,
+ as set by the manager that created the rows. This can allow
+ a manager to intelligently construct filter lists such that
+ faster filters are evaluated first."
+ ::= { spdSubfiltersEntry 1 }
+
+spdSubFiltSubfilter OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+
+
+
+Baer, et al. Standards Track [Page 27]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ "The OID of the contained filter. The value of this
+ object is a VariablePointer that references the filter to
+ be included in this compound filter.
+
+ The following tables and scalars can be pointed to by this
+ column. All but diffServMultiFieldClfrTable are defined in
+ this MIB. Implementations MAY choose to provide support
+ for other filter tables or scalars as well:
+
+ diffServMultiFieldClfrTable
+ spdIpsoHeaderFilterTable
+ spdIpOffsetFilterTable
+ spdTimeFilterTable
+ spdCompoundFilterTable
+ spdTrueFilter
+
+ If this column is set to a VariablePointer value that
+ references a non-existent row in an otherwise supported
+ table, the inconsistentName exception MUST be returned. If
+ the table or scalar pointed to by the VariablePointer is
+ not supported at all, then an inconsistentValue exception
+ MUST be returned.
+
+ If, during packet processing, this column has a value that
+ references a non-existent or non-supported object, the
+ packet MUST be dropped."
+ REFERENCE "RFC 3289"
+ ::= { spdSubfiltersEntry 2 }
+
+spdSubFiltSubfilterIsNegated OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Indicates whether or not the result of applying this sub-filter
+ is negated."
+ DEFVAL { false }
+ ::= { spdSubfiltersEntry 3 }
+
+spdSubFiltLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+
+
+
+Baer, et al. Standards Track [Page 28]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdSubfiltersEntry 4 }
+
+spdSubFiltStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a
+ storage type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdSubfiltersEntry 5 }
+
+spdSubFiltRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ This object cannot be made active until a filter
+ referenced by the spdSubFiltSubfilter object is both
+ defined and active. An attempt to do so MUST result in
+ an inconsistentValue error.
+
+ If active, this object MUST remain active unless one of the
+ following two conditions are met:
+
+ I. No active row in the SpdCompoundFilterTable exists
+ that has a matching spdCompFiltName.
+
+ II. Or, at least one other active row in this table has a
+ matching spdCompFiltName.
+
+ If neither condition is met, an attempt to set this row to
+ something other than active MUST result in an
+ inconsistentValue error."
+ ::= { spdSubfiltersEntry 6 }
+
+
+
+
+Baer, et al. Standards Track [Page 29]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+--
+-- Static Filters
+--
+
+spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
+
+spdTrueFilter OBJECT-TYPE
+ SYNTAX Integer32 (1)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This scalar indicates a (automatic) true result for
+ a filter. That is, this is a filter that is always
+ true; it is useful for adding as a default filter for a
+ default action or a set of actions."
+ ::= { spdStaticFilters 1 }
+
+
+spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
+
+
+--
+-- Policy IP Offset filter definition table
+--
+
+spdIpOffsetFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains a list of filter definitions to be
+ used within the spdRuleDefinitionTable or the
+ spdSubfiltersTable.
+
+ This type of filter is used to compare an administrator
+ specified octet string to the octets at a particular
+ location in a packet."
+ ::= { spdConfigObjects 8 }
+
+spdIpOffsetFilterEntry OBJECT-TYPE
+ SYNTAX SpdIpOffsetFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A definition of a particular filter."
+ INDEX { spdIpOffFiltName }
+ ::= { spdIpOffsetFilterTable 1 }
+
+
+
+
+Baer, et al. Standards Track [Page 30]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+SpdIpOffsetFilterEntry ::= SEQUENCE {
+ spdIpOffFiltName SnmpAdminString,
+ spdIpOffFiltOffset Unsigned32,
+ spdIpOffFiltType INTEGER,
+ spdIpOffFiltValue OCTET STRING,
+ spdIpOffFiltLastChanged TimeStamp,
+ spdIpOffFiltStorageType StorageType,
+ spdIpOffFiltRowStatus RowStatus
+}
+
+spdIpOffFiltName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The administrative name for this filter."
+ ::= { spdIpOffsetFilterEntry 1 }
+
+spdIpOffFiltOffset OBJECT-TYPE
+ SYNTAX Unsigned32 (0..65535)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This is the byte offset from the front of the entire IP
+ packet where the value or arithmetic comparison is done. A
+ value of '0' indicates the first byte of the packet header.
+ If this value is greater than the length of the packet, the
+ filter represented by this row should be considered to
+ fail."
+ ::= { spdIpOffsetFilterEntry 2 }
+
+spdIpOffFiltType OBJECT-TYPE
+ SYNTAX INTEGER { equal(1),
+ notEqual(2),
+ arithmeticLess(3),
+ arithmeticGreaterOrEqual(4),
+ arithmeticGreater(5),
+ arithmeticLessOrEqual(6) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This defines the various tests that are used when
+ evaluating a given filter.
+
+ The various tests definable in this table are as follows:
+
+ equal:
+ - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
+
+
+
+Baer, et al. Standards Track [Page 31]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ a value in the packet starting at the given offset in
+ the packet and comparing the entire OCTET STRING of
+ 'spdIpOffFiltValue'. Any values compared this way are
+ assumed to be unsigned integer values in network byte
+ order of the same length as 'spdIpOffFiltValue'.
+
+ notEqual:
+ - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
+ not match a value in the packet starting at the given
+ offset in the packet and comparing to the entire OCTET
+ STRING of 'spdIpOffFiltValue'. Any values compared
+ this way are assumed to be unsigned integer values in
+ network byte order of the same length as
+ 'spdIpOffFiltValue'.
+
+ arithmeticLess:
+ - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
+ arithmetically less than ('<') the value starting at
+ the given offset within the packet. The value in the
+ packet is assumed to be an unsigned integer in network
+ byte order of the same length as 'spdIpOffFiltValue'.
+
+ arithmeticGreaterOrEqual:
+ - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
+ arithmetically greater than or equal to ('>=') the
+ value starting at the given offset within the packet.
+ The value in the packet is assumed to be an unsigned
+ integer in network byte order of the same length as
+ 'spdIpOffFiltValue'.
+
+ arithmeticGreater:
+ - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
+ arithmetically greater than ('>') the value starting at
+ the given offset within the packet. The value in the
+ packet is assumed to be an unsigned integer in network
+ byte order of the same length as 'spdIpOffFiltValue'.
+
+ arithmeticLessOrEqual:
+ - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
+ arithmetically less than or equal to ('<=') the value
+ starting at the given offset within the packet. The
+ value in the packet is assumed to be an unsigned
+ integer in network byte order of the same length as
+ 'spdIpOffFiltValue'."
+
+ ::= { spdIpOffsetFilterEntry 3 }
+
+spdIpOffFiltValue OBJECT-TYPE
+
+
+
+Baer, et al. Standards Track [Page 32]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ SYNTAX OCTET STRING (SIZE(1..1024))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "spdIpOffFiltValue is used for match comparisons of a
+ packet at spdIpOffFiltOffset."
+ ::= { spdIpOffsetFilterEntry 4 }
+
+spdIpOffFiltLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdIpOffsetFilterEntry 5 }
+
+
+spdIpOffFiltStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a
+ storage type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdIpOffsetFilterEntry 6 }
+
+spdIpOffFiltRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ If active, this object MUST remain active if it is
+
+
+
+Baer, et al. Standards Track [Page 33]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ referenced by an active row in another table. An attempt
+ to set it to anything other than active while it is
+ referenced by an active row in another table MUST result in
+ an inconsistentValue error."
+ ::= { spdIpOffsetFilterEntry 7 }
+
+
+--
+-- Time/scheduling filter table
+--
+
+spdTimeFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdTimeFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines a table of filters that can be used to
+ effectively enable or disable policies based on a valid
+ time range."
+ ::= { spdConfigObjects 9 }
+
+spdTimeFilterEntry OBJECT-TYPE
+ SYNTAX SpdTimeFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A row describing a given time frame for which a policy
+ is filtered on to activate or deactivate the rule.
+
+ If all the column objects in a row are true for the current
+ time, the row evaluates as 'true'. More explicitly, the
+ time matching column objects in a row MUST be logically
+ ANDed together to form the boolean true/false for the row."
+ INDEX { spdTimeFiltName }
+ ::= { spdTimeFilterTable 1 }
+
+SpdTimeFilterEntry ::= SEQUENCE {
+ spdTimeFiltName SnmpAdminString,
+ spdTimeFiltPeriod SpdTimePeriod,
+ spdTimeFiltMonthOfYearMask BITS,
+ spdTimeFiltDayOfMonthMask OCTET STRING,
+ spdTimeFiltDayOfWeekMask BITS,
+ spdTimeFiltTimeOfDayMask SpdTimePeriod,
+ spdTimeFiltLastChanged TimeStamp,
+ spdTimeFiltStorageType StorageType,
+ spdTimeFiltRowStatus RowStatus
+}
+
+
+
+
+Baer, et al. Standards Track [Page 34]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+spdTimeFiltName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An administratively assigned name for this filter."
+ ::= { spdTimeFilterEntry 1 }
+
+
+spdTimeFiltPeriod OBJECT-TYPE
+ SYNTAX SpdTimePeriod
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The valid time period for this filter. This column is
+ considered 'true' if the current time is within the range of
+ this object."
+ DEFVAL { "THISANDPRIOR/THISANDFUTURE" }
+ ::= { spdTimeFilterEntry 2 }
+
+
+spdTimeFiltMonthOfYearMask OBJECT-TYPE
+ SYNTAX BITS { january(0), february(1), march(2),
+ april(3), may(4), june(5), july(6),
+ august(7), september(8), october(9),
+ november(10), december(11) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A bit mask that indicates acceptable months of the year.
+ This column evaluates to 'true' if the current month's bit
+ is set."
+ DEFVAL { { january, february, march, april, may, june, july,
+ august, september, october, november, december } }
+ ::= { spdTimeFilterEntry 3 }
+
+spdTimeFiltDayOfMonthMask OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(8))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Defines which days of the month the current time is
+ valid for. It is a sequence of 64 BITS, where each BIT
+ represents a corresponding day of the month in forward or
+ reverse order. Starting from the left-most bit, the first
+ 31 bits identify the day of the month, counting from the
+ beginning of the month. The following 31 bits (bits 32-62)
+ indicate the day of the month, counting from the end of the
+
+
+
+Baer, et al. Standards Track [Page 35]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ month. For months with fewer than 31 days, the bits that
+ correspond to the non-existent days of that month are
+ ignored (e.g., for non-leap year Februarys, bits 29-31 and
+ 60-62 are ignored).
+
+ This column evaluates to 'true' if the current day of the
+ month's bit is set.
+
+ For example, a value of 0X'80 00 00 01 00 00 00 00'
+ indicates that this column evaluates to true on the first
+ and last days of the month.
+
+ The last two bits in the string MUST be zero."
+ DEFVAL { 'fffffffffffffffe'H }
+ ::= { spdTimeFilterEntry 4 }
+
+spdTimeFiltDayOfWeekMask OBJECT-TYPE
+ SYNTAX BITS { sunday(0), monday(1), tuesday(2),
+ wednesday(3), thursday(4), friday(5),
+ saturday(6) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A bit mask that defines which days of the week that the current
+ time is valid for. This column evaluates to 'true' if the
+ current day of the week's bit is set."
+ DEFVAL { { monday, tuesday, wednesday, thursday, friday,
+ saturday, sunday } }
+ ::= { spdTimeFilterEntry 5 }
+
+spdTimeFiltTimeOfDayMask OBJECT-TYPE
+ SYNTAX SpdTimePeriod
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Indicates the start and end time of the day for which this
+ filter evaluates to true. The date portions of the
+ spdTimePeriod TC are ignored for purposes of evaluating this
+ mask, and only the time-specific portions are used.
+
+ This column evaluates to 'true' if the current time of day
+ is within the range of the start and end times of the day
+ indicated by this object."
+ DEFVAL { "00000000T000000/00000000T240000" }
+ ::= { spdTimeFilterEntry 6 }
+
+spdTimeFiltLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+
+
+
+Baer, et al. Standards Track [Page 36]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdTimeFilterEntry 7 }
+
+spdTimeFiltStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a storage
+ type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdTimeFilterEntry 8 }
+
+spdTimeFiltRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this
+ row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ If active, this object MUST remain active if it is
+ referenced by an active row in another table. An attempt
+ to set it to anything other than active while it is
+ referenced by an active row in another table MUST result in
+ an inconsistentValue error."
+ ::= { spdTimeFilterEntry 9 }
+
+--
+-- IPSO protection authority filtering
+--
+
+
+
+
+Baer, et al. Standards Track [Page 37]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+spdIpsoHeaderFilterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains a list of IPSO header filter
+ definitions to be used within the spdRuleDefinitionTable or
+ the spdSubfiltersTable. IPSO headers and their values are
+ described in RFC 1108."
+ REFERENCE "RFC 1108"
+ ::= { spdConfigObjects 10 }
+
+spdIpsoHeaderFilterEntry OBJECT-TYPE
+ SYNTAX SpdIpsoHeaderFilterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A definition of a particular filter."
+ INDEX { spdIpsoHeadFiltName }
+ ::= { spdIpsoHeaderFilterTable 1 }
+
+SpdIpsoHeaderFilterEntry ::= SEQUENCE {
+ spdIpsoHeadFiltName SnmpAdminString,
+ spdIpsoHeadFiltType BITS,
+ spdIpsoHeadFiltClassification INTEGER,
+ spdIpsoHeadFiltProtectionAuth INTEGER,
+ spdIpsoHeadFiltLastChanged TimeStamp,
+ spdIpsoHeadFiltStorageType StorageType,
+ spdIpsoHeadFiltRowStatus RowStatus
+}
+
+spdIpsoHeadFiltName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The administrative name for this filter."
+ ::= { spdIpsoHeaderFilterEntry 1 }
+
+spdIpsoHeadFiltType OBJECT-TYPE
+ SYNTAX BITS { classificationLevel(0),
+ protectionAuthority(1) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates which of the IPSO header field a
+ packet is filtered on for this row. If this object is set
+ to classification(0), the spdIpsoHeadFiltClassification
+
+
+
+Baer, et al. Standards Track [Page 38]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ object indicates how the packet is filtered. If this object
+ is set to protectionAuthority(1), the
+ spdIpsoHeadFiltProtectionAuth object indicates how the
+ packet is filtered."
+ ::= { spdIpsoHeaderFilterEntry 2 }
+
+spdIpsoHeadFiltClassification OBJECT-TYPE
+ SYNTAX INTEGER { topSecret(61), secret(90),
+ confidential(150), unclassified(171) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the IPSO classification header field
+ value that the packet MUST have for this row to evaluate to
+ 'true'.
+
+ The values of these enumerations are defined by RFC 1108."
+ REFERENCE "RFC 1108"
+ ::= { spdIpsoHeaderFilterEntry 3 }
+
+spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
+ SYNTAX INTEGER { genser(0), siopesi(1), sci(2),
+ nsa(3), doe(4) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the IPSO protection authority header
+ field value that the packet MUST have for this row to
+ evaluate to 'true'.
+
+ The values of these enumerations are defined by RFC 1108.
+ Hence the reason the SMIv2 convention of not using 0 in
+ enumerated lists is violated here."
+ REFERENCE "RFC 1108"
+ ::= { spdIpsoHeaderFilterEntry 4 }
+
+spdIpsoHeadFiltLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+
+
+
+Baer, et al. Standards Track [Page 39]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ ::= { spdIpsoHeaderFilterEntry 5 }
+
+spdIpsoHeadFiltStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a storage
+ type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdIpsoHeaderFilterEntry 6 }
+
+spdIpsoHeadFiltRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ However, this object MUST NOT be set to active if the
+ requirements of the spdIpsoHeadFiltType object are not met.
+ Specifically, if the spdIpsoHeadFiltType bit for
+ classification(0) is set, the spdIpsoHeadFiltClassification
+ column MUST have a valid value for the row status to be set
+ to active. If the spdIpsoHeadFiltType bit for
+ protectionAuthority(1) is set, the
+ spdIpsoHeadFiltProtectionAuth column MUST have a valid
+ value for the row status to be set to active.
+
+ If active, this object MUST remain active if it is
+ referenced by an active row in another table. An attempt
+ to set it to anything other than active while it is
+ referenced by an active row in another table MUST result in
+ an inconsistentValue error."
+ ::= { spdIpsoHeaderFilterEntry 7 }
+
+--
+-- compound actions table
+--
+
+spdCompoundActionTable OBJECT-TYPE
+
+
+
+Baer, et al. Standards Track [Page 40]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ SYNTAX SEQUENCE OF SpdCompoundActionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Table used to allow multiple actions to be associated
+ with a rule. It uses the spdSubactionsTable to do this.
+ The rows from spdSubactionsTable that are partially indexed
+ by spdCompActName form the set of compound actions to be
+ performed. The spdCompActExecutionStrategy column in this
+ table indicates how those actions are processed."
+ ::= { spdConfigObjects 11 }
+
+spdCompoundActionEntry OBJECT-TYPE
+ SYNTAX SpdCompoundActionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A row in the spdCompoundActionTable."
+ INDEX { spdCompActName }
+ ::= { spdCompoundActionTable 1 }
+
+SpdCompoundActionEntry ::= SEQUENCE {
+ spdCompActName SnmpAdminString,
+ spdCompActExecutionStrategy INTEGER,
+ spdCompActLastChanged TimeStamp,
+ spdCompActStorageType StorageType,
+ spdCompActRowStatus RowStatus
+}
+
+spdCompActName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This is an administratively assigned name of this
+ compound action."
+ ::= { spdCompoundActionEntry 1 }
+
+spdCompActExecutionStrategy OBJECT-TYPE
+ SYNTAX INTEGER { doAll(1),
+ doUntilSuccess(2),
+ doUntilFailure(3) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates how the sub-actions are executed
+ based on the success of the actions as they finish
+ executing.
+
+
+
+Baer, et al. Standards Track [Page 41]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ doAll - run each sub-action regardless of the
+ exit status of the previous action.
+ This parent action is always
+ considered to have acted successfully.
+
+ doUntilSuccess - run each sub-action until one succeeds,
+ at which point stop processing the
+ sub-actions within this parent
+ compound action. If one of the
+ sub-actions did execute successfully,
+ this parent action is also considered
+ to have executed successfully.
+
+ doUntilFailure - run each sub-action until one fails,
+ at which point stop processing the
+ sub-actions within this compound
+ action. If any sub-action fails, the
+ result of this parent action is
+ considered to have failed."
+ DEFVAL { doUntilSuccess }
+ ::= { spdCompoundActionEntry 2 }
+
+spdCompActLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdCompoundActionEntry 3 }
+
+spdCompActStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a storage
+ type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+
+
+
+Baer, et al. Standards Track [Page 42]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ ::= { spdCompoundActionEntry 4 }
+
+spdCompActRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ Once a row in the spdCompoundActionTable has been made
+ active, this object MUST NOT be set to destroy without
+ first destroying all the contained rows listed in the
+ spdSubactionsTable."
+ ::= { spdCompoundActionEntry 5 }
+
+
+--
+-- actions contained within a compound action
+--
+
+spdSubactionsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SpdSubactionsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains a list of the sub-actions within a
+ given compound action. Compound actions executing these
+ actions MUST execute them in series based on the
+ spdSubActPriority value, with the lowest value executing
+ first."
+ ::= { spdConfigObjects 12 }
+
+spdSubactionsEntry OBJECT-TYPE
+ SYNTAX SpdSubactionsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A row containing a reference to a given compound-action
+ sub-action."
+ INDEX { spdCompActName, spdSubActPriority }
+ ::= { spdSubactionsTable 1 }
+
+SpdSubactionsEntry ::= SEQUENCE {
+ spdSubActPriority Integer32,
+ spdSubActSubActionName VariablePointer,
+
+
+
+Baer, et al. Standards Track [Page 43]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ spdSubActLastChanged TimeStamp,
+ spdSubActStorageType StorageType,
+ spdSubActRowStatus RowStatus
+}
+
+spdSubActPriority OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The priority of a given sub-action within a compound
+ action. The order in which sub-actions MUST be executed
+ are based on the value from this column, with the lowest
+ numeric value executing first (i.e., priority 0 before
+ priority 1, 1 before 2, etc.)."
+ ::= { spdSubactionsEntry 1 }
+
+spdSubActSubActionName OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This column points to the action to be taken. It MAY,
+ but is not limited to, point to a row in one of the
+ following tables:
+
+ spdCompoundActionTable - Allowing recursion
+ ipsaSaPreconfiguredActionTable
+ ipiaIkeActionTable
+ ipiaIpsecActionTable
+
+ It MAY also point to one of the scalar objects beneath
+ spdStaticActions.
+
+ If this object is set to a pointer to a row in an
+ unsupported (or unknown) table, an inconsistentValue
+ error MUST be returned.
+
+ If this object is set to point to a non-existent row in
+ an otherwise supported table, an inconsistentName error
+ MUST be returned.
+
+ If, during packet processing, this column has a value that
+ references a non-existent or non-supported object, the
+ packet MUST be dropped."
+ ::= { spdSubactionsEntry 2 }
+
+spdSubActLastChanged OBJECT-TYPE
+
+
+
+Baer, et al. Standards Track [Page 44]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this row was last modified
+ or created either through SNMP SETs or by some other
+ external means.
+
+ If this row has not been modified since the last
+ re-initialization of the network management subsystem, this
+ object SHOULD have a zero value."
+ ::= { spdSubactionsEntry 3 }
+
+spdSubActStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this row. Rows in this table that
+ were created through an external process MAY have a storage
+ type of readOnly or permanent.
+
+ For a storage type of permanent, none of the columns have
+ to be writable."
+ DEFVAL { nonVolatile }
+ ::= { spdSubactionsEntry 4 }
+
+spdSubActRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object indicates the conceptual status of this row.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified.
+
+ If active, this object MUST remain active unless one of the
+ following two conditions are met. An attempt to set it to
+ anything other than active while the following conditions
+ are not met MUST result in an inconsistentValue error. The
+ two conditions are:
+
+ I. No active row in the spdCompoundActionTable exists
+ which has a matching spdCompActName.
+
+ II. Or, at least one other active row in this table has a
+ matching spdCompActName."
+
+
+
+Baer, et al. Standards Track [Page 45]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ ::= { spdSubactionsEntry 5 }
+
+--
+-- Static Actions
+--
+
+-- these are static actions that can be pointed to by the
+-- spdRuleDefAction or the spdSubActSubActionName objects to
+-- drop, accept, or reject packets.
+
+spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
+
+spdDropAction OBJECT-TYPE
+ SYNTAX Integer32 (1)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This scalar indicates that a packet MUST be dropped
+ and SHOULD NOT have action/packet logging."
+ ::= { spdStaticActions 1 }
+
+spdDropActionLog OBJECT-TYPE
+ SYNTAX Integer32 (1)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This scalar indicates that a packet MUST be dropped
+ and SHOULD have action/packet logging."
+ ::= { spdStaticActions 2 }
+
+spdAcceptAction OBJECT-TYPE
+ SYNTAX Integer32 (1)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This Scalar indicates that a packet MUST be accepted
+ (pass-through) and SHOULD NOT have action/packet logging."
+ ::= { spdStaticActions 3 }
+
+spdAcceptActionLog OBJECT-TYPE
+ SYNTAX Integer32 (1)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This scalar indicates that a packet MUST be accepted
+ (pass-through) and SHOULD have action/packet logging."
+ ::= { spdStaticActions 4 }
+
+
+
+
+Baer, et al. Standards Track [Page 46]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+--
+--
+-- Notification objects information
+--
+--
+
+spdNotificationVariables OBJECT IDENTIFIER ::=
+ { spdNotificationObjects 1 }
+
+spdNotifications OBJECT IDENTIFIER ::=
+ { spdNotificationObjects 0 }
+
+spdActionExecuted OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Points to the action instance that was executed that
+ resulted in the notification being sent."
+ ::= { spdNotificationVariables 1 }
+
+spdIPEndpointAddType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Contains the address type for the interface that the
+ notification triggering packet is passing through."
+ ::= { spdNotificationVariables 2 }
+
+spdIPEndpointAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Contains the interface address for the interface that the
+ notification triggering packet is passing through.
+
+ The format of this object is specified by the
+ spdIPEndpointAddType object."
+ ::= { spdNotificationVariables 3 }
+
+spdIPSourceType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Contains the source address type of the packet that
+
+
+
+Baer, et al. Standards Track [Page 47]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ triggered the notification."
+ ::= { spdNotificationVariables 4 }
+
+spdIPSourceAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Contains the source address of the packet that
+ triggered the notification.
+
+ The format of this object is specified by the
+ spdIPSourceType object."
+ ::= { spdNotificationVariables 5 }
+
+spdIPDestinationType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Contains the destination address type of the packet
+ that triggered the notification."
+ ::= { spdNotificationVariables 6 }
+
+spdIPDestinationAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Contains the destination address of the packet that
+ triggered the notification.
+
+ The format of this object is specified by the
+ spdIPDestinationType object."
+ ::= { spdNotificationVariables 7 }
+
+spdPacketDirection OBJECT-TYPE
+ SYNTAX IfDirection
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "Indicates if the packet that triggered the action in
+ questions was ingress (inbound) or egress (outbound)."
+ ::= { spdNotificationVariables 8 }
+
+spdPacketPart OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..65535))
+ MAX-ACCESS accessible-for-notify
+
+
+
+Baer, et al. Standards Track [Page 48]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ STATUS current
+ DESCRIPTION
+ "spdPacketPart is the front part of the full IP packet that
+ triggered this notification. The initial size limit is
+ determined by the smaller of the size, indicated by:
+
+ I. The value of the object with the TC syntax
+ 'SpdIPPacketLogging' that indicated the packet SHOULD be
+ logged and
+
+ II. The size of the triggering packet.
+
+ The final limit is determined by the SNMP packet size when
+ sending the notification. The maximum size that can be
+ included will be the smaller of the initial size, given the
+ above, and the length that will fit in a single SNMP
+ notification packet after the rest of the notification's
+ objects and any other necessary packet data (headers encoding,
+ etc.) have been included in the packet."
+ ::= { spdNotificationVariables 9 }
+
+spdActionNotification NOTIFICATION-TYPE
+ OBJECTS { spdActionExecuted, spdIPEndpointAddType,
+ spdIPEndpointAddress,
+ spdIPSourceType, spdIPSourceAddress,
+ spdIPDestinationType,
+ spdIPDestinationAddress,
+ spdPacketDirection }
+ STATUS current
+ DESCRIPTION
+ "Notification that an action was executed by a rule.
+ Only actions with logging enabled will result in this
+ notification getting sent. The object includes the
+ spdActionExecuted object, which will indicate which action
+ was executed within the scope of the rule. Additionally,
+ the spdIPSourceType, spdIPSourceAddress,
+ spdIPDestinationType, and spdIPDestinationAddress objects
+ are included to indicate the packet source and destination
+ of the packet that triggered the action. Finally, the
+ spdIPEndpointAddType, spdIPEndpointAddress, and
+ spdPacketDirection objects indicate which interface the
+ executed action was associated with, and if the packet was
+ ingress or egress through the endpoint.
+
+ A spdActionNotification SHOULD be limited to a maximum of
+ one notification sent per minute for any action
+ notifications that do not have any other configuration
+ controlling their send rate.
+
+
+
+Baer, et al. Standards Track [Page 49]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ Note that compound actions with multiple executed
+ sub-actions may result in multiple notifications being sent
+ from a single rule execution."
+ ::= { spdNotifications 1 }
+
+spdPacketNotification NOTIFICATION-TYPE
+ OBJECTS { spdActionExecuted, spdIPEndpointAddType,
+ spdIPEndpointAddress,
+ spdIPSourceType, spdIPSourceAddress,
+ spdIPDestinationType,
+ spdIPDestinationAddress,
+ spdPacketDirection,
+ spdPacketPart }
+ STATUS current
+ DESCRIPTION
+ "Notification that a packet passed through a Security
+ Association (SA). Only SAs created by actions with packet
+ logging enabled will result in this notification getting
+ sent. The objects sent MUST include the spdActionExecuted,
+ which will indicate which action was executed within the
+ scope of the rule. Additionally, the spdIPSourceType,
+ spdIPSourceAddress, spdIPDestinationType, and
+ spdIPDestinationAddress objects MUST be included to
+ indicate the packet source and destination of the packet
+ that triggered the action. The spdIPEndpointAddType,
+ spdIPEndpointAddress, and spdPacketDirection objects are
+ included to indicate which endpoint the packet was
+ associated with. Finally, spdPacketPart is included to
+ enable sending a variable sized part of the front of the
+ packet with the size dependent on the value of the object of
+ TC syntax 'SpdIPPacketLogging', which indicated that logging
+ should be done.
+
+ A spdPacketNotification SHOULD be limited to a maximum of
+ one notification sent per minute for any action
+ notifications that do not have any other configuration
+ controlling their send rate.
+
+ An action notification SHOULD be limited to a maximum of
+ one notification sent per minute for any action
+ notifications that do not have any other configuration
+ controlling their send rate."
+ ::= { spdNotifications 2 }
+
+
+--
+--
+-- Conformance information
+
+
+
+Baer, et al. Standards Track [Page 50]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+--
+--
+
+spdCompliances OBJECT IDENTIFIER
+ ::= { spdConformanceObjects 1 }
+spdGroups OBJECT IDENTIFIER
+ ::= { spdConformanceObjects 2 }
+
+--
+-- Compliance statements
+--
+--
+spdRuleFilterFullCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities that include
+ an IPsec MIB implementation with Endpoint, Rules, and
+ filters support.
+
+ When this MIB is implemented with support for read-create,
+ then such an implementation can claim full compliance. Such
+ devices can then be both monitored and configured with this
+ MIB."
+
+ MODULE -- This Module
+ MANDATORY-GROUPS { spdEndpointGroup,
+ spdGroupContentsGroup,
+ spdRuleDefinitionGroup,
+ spdStaticFilterGroup,
+ spdStaticActionGroup ,
+ diffServMIBMultiFieldClfrGroup }
+
+ GROUP spdIpsecSystemPolicyNameGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support a system policy group
+ name."
+
+ GROUP spdCompoundFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support compound filters."
+
+ GROUP spdIPOffsetFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support IP Offset filters. In
+ general, this SHOULD be supported by a compliant IPsec
+
+
+
+Baer, et al. Standards Track [Page 51]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ Policy implementation."
+
+ GROUP spdTimeFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support time filters."
+
+ GROUP spdIpsoHeaderFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support IPSO Header filters."
+
+ GROUP spdCompoundActionGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support compound actions."
+
+ OBJECT spdEndGroupLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdGroupContComponentType
+ SYNTAX INTEGER {
+ rule(2)
+ }
+ DESCRIPTION
+ "Support of the value group(1) is only required for
+ implementations that support Policy Groups within
+ Policy Groups."
+
+ OBJECT spdGroupContLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdRuleDefLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdCompFiltLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdSubFiltLastChanged
+ MIN-ACCESS not-accessible
+
+
+
+Baer, et al. Standards Track [Page 52]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdIpOffFiltLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdTimeFiltLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdIpsoHeadFiltLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdCompActLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT spdSubActLastChanged
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object not required for compliance."
+
+ OBJECT diffServMultiFieldClfrNextFree
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ ::= { spdCompliances 1 }
+
+
+spdLoggingCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities that support
+ sending notifications when actions are invoked."
+ MODULE -- This Module
+ MANDATORY-GROUPS { spdActionLoggingObjectGroup,
+ spdActionNotificationGroup }
+
+ ::= { spdCompliances 2 }
+
+--
+
+
+
+Baer, et al. Standards Track [Page 53]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+-- ReadOnly Compliances
+--
+spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities that include
+ an IPsec MIB implementation with Endpoint, Rules, and
+ filters support.
+
+ If this MIB is implemented without support for read-create
+ (i.e., in read-only), it is not in full compliance, but it
+ can claim read-only compliance. Such a device can then be
+ monitored, but cannot be configured with this MIB."
+
+ MODULE -- This Module
+ MANDATORY-GROUPS { spdEndpointGroup,
+ spdGroupContentsGroup,
+ spdRuleDefinitionGroup,
+ spdStaticFilterGroup,
+ spdStaticActionGroup ,
+ diffServMIBMultiFieldClfrGroup }
+
+ GROUP spdIpsecSystemPolicyNameGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support a system policy group
+ name."
+
+ GROUP spdCompoundFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support compound filters."
+
+ GROUP spdIPOffsetFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support IP Offset filters. In
+ general, this SHOULD be supported by a compliant IPsec
+ Policy implementation."
+
+ GROUP spdTimeFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support time filters."
+
+ GROUP spdIpsoHeaderFilterGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+
+
+
+Baer, et al. Standards Track [Page 54]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ implementations that support IPSO Header filters."
+
+ GROUP spdCompoundActionGroup
+ DESCRIPTION
+ "This group is mandatory for IPsec Policy
+ implementations that support compound actions."
+
+ OBJECT spdCompActExecutionStrategy
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdCompActLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdCompActRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdCompActStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdCompFiltDescription
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdCompFiltLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdCompFiltLogicType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdCompFiltRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdCompFiltStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+
+
+
+Baer, et al. Standards Track [Page 55]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ "Write access is not required."
+
+ OBJECT spdEgressPolicyGroupName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdEndGroupLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdEndGroupName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdEndGroupRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdEndGroupStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdGroupContComponentName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdGroupContComponentType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdGroupContFilter
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdGroupContLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdGroupContRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+
+
+
+Baer, et al. Standards Track [Page 56]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ "Write access is not required."
+
+ OBJECT spdGroupContStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIngressPolicyGroupName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpOffFiltLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdIpOffFiltOffset
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpOffFiltRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpOffFiltStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpOffFiltType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpOffFiltValue
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpsoHeadFiltClassification
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpsoHeadFiltLastChanged
+ DESCRIPTION
+
+
+
+Baer, et al. Standards Track [Page 57]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ "This object is not required for compliance."
+
+ OBJECT spdIpsoHeadFiltProtectionAuth
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpsoHeadFiltRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpsoHeadFiltStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdIpsoHeadFiltType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefAction
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefAdminStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefDescription
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefFilter
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefFilterNegated
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefLastChanged
+
+
+
+Baer, et al. Standards Track [Page 58]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdRuleDefRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdRuleDefStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubActLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdSubActRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubActStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubActSubActionName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubFiltLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdSubFiltRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubFiltStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubFiltSubfilter
+ MIN-ACCESS read-only
+
+
+
+Baer, et al. Standards Track [Page 59]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdSubFiltSubfilterIsNegated
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltDayOfMonthMask
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltDayOfWeekMask
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltLastChanged
+ DESCRIPTION
+ "This object is not required for compliance."
+
+ OBJECT spdTimeFiltMonthOfYearMask
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltPeriod
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltTimeOfDayMask
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT spdTimeFiltStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ ::= { spdCompliances 3 }
+
+
+
+Baer, et al. Standards Track [Page 60]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+--
+--
+-- Compliance Groups Definitions
+--
+
+--
+-- Endpoint, Rule, Filter Compliance Groups
+--
+
+spdEndpointGroup OBJECT-GROUP
+ OBJECTS {
+ spdEndGroupName, spdEndGroupLastChanged,
+ spdEndGroupStorageType, spdEndGroupRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy
+ Endpoint Table."
+ ::= { spdGroups 1 }
+
+spdGroupContentsGroup OBJECT-GROUP
+ OBJECTS {
+ spdGroupContComponentType, spdGroupContFilter,
+ spdGroupContComponentName, spdGroupContLastChanged,
+ spdGroupContStorageType, spdGroupContRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy
+ Group Contents Table."
+ ::= { spdGroups 2 }
+
+spdIpsecSystemPolicyNameGroup OBJECT-GROUP
+ OBJECTS {
+ spdIngressPolicyGroupName,
+ spdEgressPolicyGroupName
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects represent the System
+ Policy Group Names."
+ ::= { spdGroups 3}
+
+spdRuleDefinitionGroup OBJECT-GROUP
+ OBJECTS {
+ spdRuleDefDescription, spdRuleDefFilter,
+ spdRuleDefFilterNegated, spdRuleDefAction,
+ spdRuleDefAdminStatus, spdRuleDefLastChanged,
+
+
+
+Baer, et al. Standards Track [Page 61]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ spdRuleDefStorageType, spdRuleDefRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy Rule
+ Definition Table."
+ ::= { spdGroups 4 }
+
+spdCompoundFilterGroup OBJECT-GROUP
+ OBJECTS {
+ spdCompFiltDescription, spdCompFiltLogicType,
+ spdCompFiltLastChanged, spdCompFiltStorageType,
+ spdCompFiltRowStatus, spdSubFiltSubfilter,
+ spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
+ spdSubFiltStorageType, spdSubFiltRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy
+ Compound Filter Table and Sub-Filter Table Group."
+ ::= { spdGroups 5 }
+
+spdStaticFilterGroup OBJECT-GROUP
+ OBJECTS { spdTrueFilter }
+ STATUS current
+ DESCRIPTION
+ "The static filter group. Currently this is just a true
+ filter."
+ ::= { spdGroups 6 }
+
+spdIPOffsetFilterGroup OBJECT-GROUP
+ OBJECTS {
+ spdIpOffFiltOffset, spdIpOffFiltType,
+ spdIpOffFiltValue, spdIpOffFiltLastChanged,
+ spdIpOffFiltStorageType, spdIpOffFiltRowStatus
+ }
+
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy IP
+ Offset Filter Table."
+ ::= { spdGroups 7 }
+
+spdTimeFilterGroup OBJECT-GROUP
+ OBJECTS {
+ spdTimeFiltPeriod,
+ spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
+ spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMask,
+
+
+
+Baer, et al. Standards Track [Page 62]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ spdTimeFiltLastChanged,
+ spdTimeFiltStorageType, spdTimeFiltRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy Time
+ Filter Table."
+ ::= { spdGroups 8 }
+
+spdIpsoHeaderFilterGroup OBJECT-GROUP
+ OBJECTS {
+ spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
+ spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
+ spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy IPSO
+ Header Filter Table."
+ ::= { spdGroups 9 }
+
+--
+-- action compliance groups
+--
+
+spdStaticActionGroup OBJECT-GROUP
+ OBJECTS {
+ spdDropAction, spdAcceptAction,
+ spdDropActionLog, spdAcceptActionLog
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of objects from the IPsec Policy
+ Static Actions."
+ ::= { spdGroups 10 }
+
+spdCompoundActionGroup OBJECT-GROUP
+ OBJECTS {
+ spdCompActExecutionStrategy, spdCompActLastChanged,
+ spdCompActStorageType,
+
+ spdCompActRowStatus, spdSubActSubActionName,
+ spdSubActLastChanged, spdSubActStorageType,
+ spdSubActRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "The IPsec Policy Compound Action Table and Actions In
+
+
+
+Baer, et al. Standards Track [Page 63]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ Compound Action Table Group."
+ ::= { spdGroups 11 }
+
+spdActionLoggingObjectGroup OBJECT-GROUP
+ OBJECTS {
+ spdActionExecuted,
+ spdIPEndpointAddType, spdIPEndpointAddress,
+ spdIPSourceType, spdIPSourceAddress,
+ spdIPDestinationType, spdIPDestinationAddress,
+ spdPacketDirection, spdPacketPart
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of all the Notification objects for
+ this MIB."
+ ::= { spdGroups 12 }
+
+spdActionNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS {
+ spdActionNotification,
+ spdPacketNotification
+ }
+ STATUS current
+ DESCRIPTION
+ "This group is made up of all the Notifications for this MIB."
+ ::= { spdGroups 13 }
+
+
+END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baer, et al. Standards Track [Page 64]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+7. Security Considerations
+
+7.1. Introduction
+
+ This document defines a MIB module used to configure IPsec policy
+ services. Since IPsec provides network security services, all of its
+ configuration data (e.g., this entire MIB) SHOULD be as secure or
+ more secure than any of the security services IPsec provides. There
+ are two main threats you need to protect against when configuring
+ IPsec devices.
+
+ 1. Malicious Configuration: This MIB configures network security
+ services. If an attacker has SET access to any part of this MIB,
+ the network security services configured by this MIB SHOULD be
+ considered broken. The network data sent through the associated
+ gateway should no longer be considered as protected by IPsec
+ (i.e., it is no longer confidential or authenticated).
+ Therefore, only the official administrators SHOULD be allowed to
+ configure a device. In other words, administrators' identities
+ SHOULD be authenticated and their access rights checked before
+ they are allowed to do device configuration. The support for SET
+ operations to the SPD MIB in a non-secure environment, without
+ proper protection, will invalidate the security of the network
+ traffic affected by the SPD MIB.
+
+ 2. Disclosure of Configuration: In general, malicious parties SHOULD
+ NOT be able to read security configuration data while the data is
+ in network transit. An attacker reading the configuration data
+ may be able to find misconfigurations in the MIB that enable
+ attacks to the network or to the configured node. Since this
+ entire MIB is used for security configuration, it is highly
+ RECOMMENDED that only authorized administrators are allowed to
+ view data in this MIB. In particular, malicious users SHOULD be
+ prevented from reading SNMP packets containing this MIB's data.
+ SNMP GET data SHOULD be encrypted when sent across the network.
+ Also, only authorized administrators SHOULD be allowed SNMP GET
+ access to any of the MIB objects.
+
+ SNMP versions prior to SNMPv3 do not include adequate security. Even
+ if the network itself is secure (e.g., by using IPsec), earlier
+ versions of SNMP have virtually no control as to who on the secure
+ network is allowed to access (i.e., read/change/create/delete) the
+ objects in this MIB module.
+
+ It is RECOMMENDED that implementers use the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+
+
+Baer, et al. Standards Track [Page 65]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to GET or SET (change/create/delete) them.
+
+ Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
+ SNMP version 3. The rest of this discussion assumes the use of
+ SNMPv3. This is a real strength, because it allows administrators
+ the ability to load new IPsec configuration on a device and keep the
+ conversation private and authenticated under the protection of SNMPv3
+ before any IPsec protections are available. Once initial
+ establishment of IPsec configuration on a device has been achieved,
+ it would be possible to set up IPsec SAs to then also provide
+ security and integrity services to the configuration conversation.
+ This may seem redundant at first, but will be shown to have a use for
+ added privacy protection below.
+
+7.2. Protecting against Unauthenticated Access
+
+ The current SNMPv3 User Security Model provides for key-based user
+ authentication. Typically, keys are derived from passwords (but are
+ not required to be), and the keys are then used in Hashed Message
+ Authentication Code (HMAC) algorithms (currently, MD5 and SHA-1 HMACs
+ are defined) to authenticate all SNMP data. Each SNMP device keeps a
+ (configured) list of users and keys. Under SNMPv3 user keys may be
+ updated as often as an administrator cares to have users enter new
+ passwords. But Perfect Forward Secrecy for user keys in SNMPv3 is
+ not yet provided by standards track documents, although RFC2786
+ defines an experimental method of doing so.
+
+7.3. Protecting against Involuntary Disclosure
+
+ While sending IPsec configuration data to a Policy Enforcement Point
+ (PEP), there are a few critical parameters that MUST NOT be observed
+ by third parties. Specifically, except for public keys, keying
+ information MUST NOT be allowed to be observed by third parties.
+ This includes IKE Pre-Shared Keys and possibly the private key of a
+ public/private key pair for use in a PKI. Were either of those
+ parameters to be known to a third party, they could then impersonate
+ the device to other IKE peers. Aside from those critical parameters,
+ policy administrators have an interest in not divulging any of their
+ policy configuration. Any knowledge about a device's configuration
+ could help an unfriendly party compromise that device. SNMPv3 offers
+ privacy security services, but at the time this document was written,
+ the only standardized encryption algorithm supported by SNMPv3 is the
+
+
+
+Baer, et al. Standards Track [Page 66]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ DES encryption algorithm. Support for other (stronger) cryptographic
+ algorithms is in the works and may be completed by the time you read
+ this. As of October 2006, there is a stronger standards track
+ algorithm: AES [RFC3826]. When configuring the IPsec policy using
+ this MIB, policy administrators SHOULD use a privacy security service
+ that is at least as strong as the desired IPsec policy, e.g., If an
+ administrator were to use this MIB to configure an IPsec connection
+ that utilizes a AES algorithms, the SNMP communication configuring
+ the connection SHOULD be protected by an algorithm as strong or
+ stronger than the AES algorithm.
+
+7.4. Bootstrapping Your Configuration
+
+ Most vendors will not ship new products with a default SNMPv3 user/
+ password pair, but it is possible. If a device does ship with a
+ default user/password pair, policy administrators SHOULD either
+ change the password or configure a new user, deleting the default
+ user (or, at a minimum, restrict the access of the default user).
+ Most SNMPv3 distributions should, hopefully, require an out-of-band
+ initialization over a trusted medium, such as a local console
+ connection.
+
+8. IANA Considerations
+
+ Only two IANA considerations exist for this document. The first is
+ just the node number allocation of the IPSEC-SPD-MIB itself within
+ the MIB-2 tree. This is listed in the MIB definition in Section 6.
+
+ The IPSEC-SPD-MIB also allows for extension action MIBs. Although
+ additional actions are not required to use it, the node spdActions is
+ allocated as a subtree under which IANA can assign additional
+ actions.
+
+ The second IANA consideration is that IANA would be responsible for
+ creating a new subregistry for and assigning nodes under the
+ spdActions subtree. This tree should have a prefix of
+ iso.org.dod.internet.mgmt.mib-2.spdMIB.spdActions and be listed
+ similar to the following:
+
+ Decimal Name Description References
+ ------- ---- ----------- ----------
+
+ A documented specification is required in order to assign a number.
+ The action and it's meaning can be specified in an RFC or in another
+ publicly available reference. The specification should have
+ sufficient detail that interoperability between independent
+ implementations is possible. The product of the IETF or of another
+ standards body is acceptable or an assignment can be accepted under
+
+
+
+Baer, et al. Standards Track [Page 67]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ the advice of a "designated expert". (contact IANA for the current
+ expert)
+
+9. Acknowledgments
+
+ Many people contributed thoughts and ideas that influenced this MIB
+ module. Some special thanks are in order to the following people:
+
+ Lindy Foster (Sparta, Inc.)
+ John Gillis (ADC)
+ Roger Hartmuller (Sparta, Inc.)
+ Harrie Hazewinkel
+ Jamie Jason (Intel Corporation)
+ David Partain (Ericsson)
+ Lee Rafalow (IBM)
+ Jon Saperia (JDS Consulting)
+ Eric Vyncke (Cisco Systems)
+
+10. References
+
+10.1. Normative References
+
+ [RFC1108] Kent, S., "U.S. Department of Defense Security
+ Options for the Internet Protocol", RFC 1108,
+ November 1991.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for
+ the Internet Protocol", RFC 2401, November 1998.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management
+ Information Version 2 (SMIv2)", STD 58, RFC 2578,
+ April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces
+ Group MIB", RFC 2863, June 2000.
+
+
+
+
+Baer, et al. Standards Track [Page 68]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ [RFC3060] Moore, B., Ellesson, E., Strassner, J., and A.
+ Westerinen, "Policy Core Information Model -- Version
+ 1 Specification", RFC 3060, February 2001.
+
+ [RFC3289] Baker, F., Chan, K., and A. Smith, "Management
+ Information Base for the Differentiated Services
+ Architecture", RFC 3289, May 2002.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62,
+ RFC 3411, December 2002.
+
+ [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
+ Configuration Policy Information Model", RFC 3585,
+ August 2003.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", STD 63, RFC 3629, November 2003.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet
+ Network Addresses", RFC 4001, February 2005.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+10.2. Informative References
+
+ [IPsec-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and
+ C. Wang, "IPsec Security Policy IPsec Action MIB",
+ Work in Progress, October 2006.
+
+ [IKE-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and
+ C. Wang, "IPsec Security Policy IKE Action MIB", Work
+ in Progress, October 2006.
+
+ [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White
+ Paper", November 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for
+ Internet-Standard Management Framework", RFC 3410,
+ December 2002.
+
+
+
+
+
+
+
+Baer, et al. Standards Track [Page 69]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+ [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
+ Advanced Encryption Standard (AES) Cipher Algorithm
+ in the SNMP User-based Security Model", RFC 3826,
+ June 2004.
+
+Authors' Addresses
+
+ Michael Baer
+ Sparta, Inc.
+ P.O. Box 72682
+ Davis, CA 95617
+ US
+
+ EMail: baerm@tislabs.com
+
+
+ Ricky Charlet
+ Self
+
+ EMail: rcharlet@alumni.calpoly.edu
+
+
+ Wes Hardaker
+ Sparta, Inc.
+ P.O. Box 382
+ Davis, CA 95617
+ US
+
+ Phone: +1 530 792 1913
+ EMail: hardaker@tislabs.com
+
+
+ Robert Story
+ Revelstone Software
+ PO Box 1812
+ Tucker, GA 30085
+ US
+
+ EMail: rstory@ipsp.revelstone.com
+
+
+ Cliff Wang
+ ARO
+ 4300 S. Miami Blvd
+ Durham, NC 27703
+ US
+
+ EMail: cliffwangmail@yahoo.com
+
+
+
+Baer, et al. Standards Track [Page 70]
+
+RFC 4807 IPsec SPD configuration MIB March 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Baer, et al. Standards Track [Page 71]
+