Diffstat (limited to 'doc/rfc/rfc5324.txt')
-rw-r--r-- doc/rfc/rfc5324.txt 12099
1 files changed, 12099 insertions, 0 deletions
diff --git a/doc/rfc/rfc5324.txt b/doc/rfc/rfc5324.txt
new file mode 100644
index 0000000..09d4155
--- /dev/null
+++ b/doc/rfc/rfc5324.txt
@@ -0,0 +1,12099 @@
+
+
+
+
+
+
+Network Working Group C. DeSanti
+Request for Comments: 5324 F. Maino
+Category: Standards Track K. McCloghrie
+ Cisco Systems
+ September 2008
+
+
+ MIB for Fibre-Channel Security Protocols (FC-SP)
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes managed objects for information related
+ to FC-SP, the Security Protocols defined for Fibre Channel.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. The Internet-Standard Management Framework ......................3
+ 3. Overview of Fibre Channel .......................................3
+ 3.1. Introduction ...............................................3
+ 3.2. Zoning .....................................................4
+ 3.3. Virtual Fabrics ............................................5
+ 3.4. Security ...................................................5
+ 3.4.1. Authentication ......................................5
+ 3.4.2. Security Associations ...............................6
+ 3.4.3. Fabric Security Policies ............................7
+ 3.4.4. Policy Model ........................................8
+ 3.4.5. Policy Objects ......................................9
+ 3.4.5.1. Policy Object Names .......................10
+ 3.4.6. Three Kinds of Switches ............................10
+ 3.4.7. Security Policy Management .........................11
+ 3.4.8. FC-SP Zoning .......................................11
+ 4. Document Overview ..............................................12
+ 4.1. Fibre Channel Management Instance .........................12
+ 4.2. Entity Name ...............................................12
+ 4.3. Fabric Index ..............................................13
+ 4.4. Interface Index ...........................................13
+ 4.5. Syntax for Policy Object Names ............................14
+
+
+
+De Santi, et al. Standards Track [Page 1]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ 4.6. Certificates, CAs, and CRLs ...............................14
+ 4.7. Traffic Selectors .........................................15
+ 4.8. The MIB Modules ...........................................16
+ 4.8.1. The T11-FC-SP-TC-MIB Module ........................16
+ 4.8.2. The T11-FC-SP-AUTHENTICATION-MIB Module ............16
+ 4.8.3. The T11-FC-SP-ZONING-MIB Module ....................16
+ 4.8.4. The T11-FC-SP-POLICY-MIB Module ....................17
+ 4.8.5. The T11-FC-SP-SA-MIB Module ........................17
+ 4.9. Rate Control for Notifications ............................18
+ 5. Relationship to Other MIB Modules ..............................19
+ 6. MIB Module Definitions .........................................20
+ 6.1. The T11-FC-SP-TC-MIB Module ...............................20
+ 6.2. The T11-FC-SP-AUTHENTICATION-MIB Module ...................33
+ 6.3. The T11-FC-SP-ZONING-MIB Module ...........................52
+ 6.4. The T11-FC-SP-POLICY-MIB Module ...........................64
+ 6.5. The T11-FC-SP-SA-MIB Module ..............................152
+ 7. IANA Considerations ...........................................204
+ 8. Security Considerations .......................................204
+ 8.1. Information Not Defined in This Document .................204
+ 8.2. The T11-FC-SP-TC-MIB Module ..............................204
+ 8.3. The T11-FC-SP-AUTHENTICATION-MIB Module ..................205
+ 8.4. The T11-FC-SP-ZONING-MIB Module ..........................206
+ 8.5. The T11-FC-SP-POLICY-MIB Module ..........................207
+ 8.6. The T11-FC-SP-SA-MIB Module ..............................209
+ 8.7. Recommendations Common to All MIB Modules ................211
+ 9. Normative References ..........................................212
+ 10. Informative References .......................................213
+ 11. Acknowledgements .............................................215
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 2]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes managed objects for information
+ concerning the Fibre Channel Security Protocols (FC-SP), as specified
+ in [FC-SP]. The FC-SP standard includes the definition of protocols
+ to authenticate Fibre Channel entities, protocols to set up session
+ keys, protocols to negotiate the parameters required to ensure frame-
+ by-frame integrity and confidentiality, and protocols to establish
+ and distribute policies across a Fibre Channel Fabric.
+
+ This memo was initially developed by the INCITS T11 committee
+ (http://www.t11.org), which subsequently approved it for forwarding
+ to the IETF.
+
+ This memo uses one of the following terms:
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
+
+2. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base, or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
+ [RFC2580].
+
+3. Overview of Fibre Channel
+
+3.1. Introduction
+
+ Fibre Channel (FC) is logically a bidirectional point-to-point serial
+ data channel, structured for high performance. Fibre Channel
+ provides a general transport vehicle for higher-level protocols such
+ as Small Computer System Interface (SCSI) command sets, the High-
+ Performance Parallel Interface (HIPPI) data framing, IP (Internet
+ Protocol), IEEE 802.2, and others.
+
+
+
+De Santi, et al. Standards Track [Page 3]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Physically, Fibre Channel is an interconnection of multiple
+ communication points, called N_Ports, interconnected either by a
+ switching network, called a Fabric, or by a point-to-point link. A
+ Fibre Channel "Node" consists of one or more N_Ports. A Fabric may
+ consist of multiple Interconnect Elements, some of which are
+ Switches. An N_Port connects to the Fabric via a port on a Switch
+ called an F_Port. When multiple FC Nodes are connected to a single
+ port on a Switch via an "Arbitrated Loop" topology, the Switch port
+ is called an FL_Port, and the Nodes' ports are called NL_Ports. The
+ term Nx_Port is used to refer to either an N_Port or an NL_Port. The
+ term Fx_Port is used to refer to either an F_Port or an FL_Port. A
+ Switch port, which is interconnected to another Switch port via an
+ Inter-Switch Link (ISL), is called an E_Port. A B_Port connects a
+ bridge device with an E_Port on a Switch; a B_Port provides a subset
+ of E_Port functionality.
+
+ Many Fibre Channel components, including the Fabric, each Node, and
+ most ports, have globally unique names. These globally unique names
+ are typically formatted as World Wide Names (WWNs). More information
+ on WWNs can be found in [FC-FS-2]. WWNs are expected to be
+ persistent across agent and unit resets.
+
+ Fibre Channel frames contain 24-bit address identifiers that identify
+ the frame's source and destination ports. Each FC port has both an
+ address identifier and a WWN. When a Fabric is in use, the FC
+ address identifiers are dynamic and are assigned by a Switch. Each
+ octet of a 24-bit address represents a level in an address hierarchy,
+ with a Domain_ID being the highest level of the hierarchy.
+
+3.2. Zoning
+
+ Zones within a Fabric provide a mechanism to control frame delivery
+ between Nx_Ports ("Hard Zoning") or to expose selected views of Name
+ Server information ("Soft Zoning").
+
+ Communication is only possible when the communicating endpoints are
+ members of a common zone. This technique is similar to virtual
+ private networks in that the Fabric has the ability to group devices
+ into Zones.
+
+ Hard zoning and soft zoning are two different means of realizing
+ this. Hard zoning is enforced in the Fabric (i.e., Switches),
+ whereas soft zoning is enforced at the endpoints (e.g., Host Bus
+ Adapters) by relying on the endpoints to not send traffic to an
+ N_Port_ID not obtained from the Name Server with a few exceptions for
+ well known Addresses (e.g., the Name Server).
+
+
+
+
+
+De Santi, et al. Standards Track [Page 4]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Administrators create Zones to increase network security, and prevent
+ data loss or corruption, by controlling access between devices or
+ user groups.
+
+3.3. Virtual Fabrics
+
+ The standard for an interconnecting Fabric containing multiple Fabric
+ Switch elements is [FC-SW-4]. [FC-SW-4] carries forward the earlier
+ specification for the operation of a single Fabric in a physical
+ infrastructure, and augments it with the definition of Virtual
+ Fabrics and with the specification of how multiple Virtual Fabrics
+ can operate within one or more physical infrastructures. The use of
+ Virtual Fabrics provides for each frame to be tagged in its header to
+ indicate which one of several Virtual Fabrics that frame is being
+ transmitted on. All frames entering a particular "Core Switch"
+ [FC-SW-4] (i.e., a physical Switch) on the same Virtual Fabric are
+ processed by the same "Virtual Switch" within that Core Switch.
+
+3.4. Security
+
+ The Fibre Channel Security Protocols (FC-SP) standard [FC-SP]
+ describes the protocols used to implement security in a Fibre Channel
+ Fabric, including the definition of:
+
+ - protocols to authenticate Fibre Channel entities,
+
+ - protocols to set up session keys,
+
+ - protocols to negotiate the parameters required to ensure frame-
+ by-frame integrity and confidentiality, and
+
+ - protocols to establish and distribute (security) policies across
+ a Fibre Channel Fabric.
+
+3.4.1. Authentication
+
+ Two entities may negotiate whether authentication is required and
+ which Authentication Protocol is to be used. Authentication can be
+ used in Switch-to-Switch, Node-to-Switch, and Node-to-Node
+ communication. The defined Authentication Protocols are able to
+ perform mutual authentication with optional shared key establishment.
+ The shared key computed at the end of an Authentication Transaction
+ may be used to establish Security Associations.
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 5]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The Fabric security architecture is defined for several
+ authentication infrastructures. Secret-based, certificate-based, and
+ password-based authentication infrastructures are accommodated.
+ Specific authentication protocols that directly leverage these three
+ authentication infrastructures are defined.
+
+ With a secret-based infrastructure, entities within the Fabric
+ environment that establish a security relationship share a common
+ secret or centralize the secret administration in an external (e.g.,
+ RADIUS [RFC2865], Diameter [RFC3588], or Terminal Access Controller
+ Access Control System (TACACS) [RFC1492]) server. Entities may
+ mutually authenticate with other entities by using the Diffie-Hellman
+ Challenge Handshake Authentication Protocol (DH-CHAP) [FC-SP].
+ Security Associations may be set up using the session key computed at
+ the end of the DH-CHAP transaction.
+
+ With a certificate-based infrastructure, entities within the Fabric
+ environment are certified by a trusted Certificate Authority (CA).
+ The resulting certificates bind each entity to a public-private key
+ pair that may be used to mutually authenticate with other certified
+ entities via the Fibre Channel Certificate Authentication Protocol
+ (FCAP) [FC-SP]. Security Associations may be set up by using these
+ entity certificates and associated keys or by using the session key
+ computed at the end of the FCAP transaction.
+
+ With a password-based infrastructure, entities within the Fabric
+ environment that establish a security relationship have knowledge of
+ the password-based credential material of other entities. Entities
+ may use this credential material to mutually authenticate with other
+ entities using the Fibre Channel Password Authentication Protocol
+ (FCPAP) [FC-SP]. Security Associations may be set up using the
+ session key computed at the end of the FCPAP transaction.
+
+ In addition to DH-CHAP, FCAP, and FCPAP, one other Authentication
+ Protocol is defined: Internet Key Exchange Protocol version 2-AUTH
+ (IKEv2-AUTH), which refers to the use of an SA Management Transaction
+ of the Security Association Management Protocol (see below) to
+ perform two functions: not only SA management but also
+ authentication. The credentials used in an IKEv2-AUTH transaction
+ are either strong shared secrets or certificates.
+
+3.4.2. Security Associations
+
+ A subset of the IKEv2 protocol [RFC4306] suitable for Fibre Channel
+ is defined as the (Fibre Channel) Security Association Management
+ protocol [RFC4595]. This protocol -- which is *not* IPsec --
+ provides the means to establish Security Associations (SAs) between
+ Fibre Channel entities. Traffic Selectors are defined to specify
+
+
+
+De Santi, et al. Standards Track [Page 6]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ which type of traffic has to be protected by which SA, and what the
+ characteristics of the protection are. Two mechanisms are available
+ to protect specific classes of traffic:
+
+ - ESP_Header is used to protect FC-2 frames (see [FC-FS-2] and the
+ conceptually similar mechanisms in [RFC4303]), and
+
+ - CT_Authentication is used to protect CT_IUs (Common Transport
+ Information Units) [FC-GS-5].
+
+ An entity protecting specific classes of traffic maintains an
+ internal Security Association Database (SADB) that contains the
+ currently active Security Associations and Traffic Selectors.
+
+ Each active SA has a Security Association entry in the SADB. Each SA
+ entry includes the SA's SPI (the Security Parameters Index, which is
+ included in frames transmitted on the SA), a Sequence Number counter,
+ and the parameters for the selected transforms (e.g., encryption
+ algorithm, integrity algorithm, mode of operation of the algorithms,
+ keys).
+
+ Each active Traffic Selector has an entry in the SADB that indicates
+ whether it is used for ingress traffic or for egress traffic. These
+ Traffic Selector entries are ordered such that they are searched
+ (when checking for a match) in the given order. Two types of Traffic
+ Selector entries may be present:
+
+ - Traffic Selector entries identifying FC-2 frames or CT_IUs to be
+ bypassed or discarded; and
+
+ - Traffic Selector entries identifying FC-2 frames or CT_IUs to be
+ protected or verified. These entries point to the corresponding
+ SA entry defining the parameters and the security processing to
+ be performed.
+
+ SAs are unidirectional, but they always exist as an SA pair of the
+ same type, one in each direction.
+
+3.4.3. Fabric Security Policies
+
+ Two separate approaches to defining Policies are adopted in FC-SP,
+ but both approaches follow the same general concept for their Policy
+ model. One is the definition of a Policy Model for Fabric Policies
+ that focus on Security. These Security Policies specify the
+ membership and connectivity allowed within a Fabric, and also which
+ IP hosts are allowed to manage a Fabric.
+
+
+
+
+
+De Santi, et al. Standards Track [Page 7]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The other approach is to define a variant of the Enhanced Zoning
+ model defined in [FC-SW-4] and [FC-GS-5], such that the variant
+ specifies extensions for use in a secure environment. This variant
+ of Zoning, denoted as "FC-SP Zoning", follows the same general
+ concepts of the Policy model for Security Policies, but keeps Zoning
+ management and enforcement completely independent from the management
+ and enforcement of other policies.
+
+3.4.4. Policy Model
+
+ Figure 25 of [FC-SP] depicts FC-SP's policy management model like
+ this:
+
+ ***** ************************
+ * * * Policy * *********************
+ * M * Add, * Configuration * * Policy *
+ * A * Get, * Entity * * Enforcement *
+ * N * Remove * * * Entity *
+ * A * Policy * +----------------+ * * *
+ * G * Objects * | Non-Active | * * +-------------+ *
+ * I *<-------->* | Policy Objects |==*====*=>| Active | *
+ * N * * +----------------+ * * | Policy | *
+ * G * ************************ * | Objects | *
+ * * * +-------------+ *
+ * * Activate Policy Summary * *
+ * E *=====================================>* +-------------+ *
+ * N * Deactivate Policy Summary * | Policy | *
+ * T *=====================================>* | Summary | *
+ * I * * | Object | *
+ * T * Get Policy Summary * +-------------+ *
+ * Y *<-------------------------------------* *
+ * * Get Policy Objects * *
+ * *<-------------------------------------* *
+ ***** *********************
+
+ Note that the arrows in the picture above are used to indicate the
+ movement of "data", rather than the direction of "messages", e.g.,
+ for a "Get" (with no data) in one direction which invokes a
+ "Response" (typically with data) in the reverse direction, the
+ diagram has arrows only for the "with data" direction.
+
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 8]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+3.4.5. Policy Objects
+
+ The Policies to be enforced by a Fabric are specified in a set of
+ Policy Objects. The various types of Policy Objects are:
+
+ - The Policy Summary Object is a list of pointers to other Policy
+ Objects, one pointer per each other active Policy Object. Each
+ pointer in a Policy Summary Object is paired with a
+ cryptographic hash of the referenced Policy Object.
+
+ - The Switch Membership List Object is a Fabric-wide Policy Object
+ that defines which Switches are allowed to be part of a Fabric.
+
+ - The Node Membership List Object is a Fabric-wide Policy Object
+ that defines which Nodes are allowed to be connected to a
+ Fabric.
+
+ - The IP Management List Object is a Fabric-wide Policy Object
+ that describes which IP hosts are allowed to manage a Fabric.
+
+ - A Switch Connectivity Object is a per-Switch Policy Object that
+ describes the topology restrictions for a specific Switch; it
+ specifies the other Switches or Nodes to which the particular
+ Switch may be connected at the Node level and/or at the Port
+ level.
+
+ - Attribute Objects are Fabric-wide Policy Objects that define
+ optional attributes to be associated with Switches or Nodes.
+ They allow the extension of this policy model by defining new
+ attributes as required.
+
+ Note that the administratively specified name for a Fabric is
+ contained in the Switch Membership List Object (not in the Policy
+ Summary Object).
+
+ When FC-SP is in use, each Fabric has a set of active Policy Objects:
+
+ - one Policy Summary Object,
+
+ - one Switch Membership List Object,
+
+ - one Node Membership List Object,
+
+ - one IP Management List Object,
+
+ - zero or more Switch Connectivity Objects, and
+
+ - zero or more Attribute Objects.
+
+
+
+De Santi, et al. Standards Track [Page 9]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The active Policy Objects specify the Policies currently being
+ enforced. In addition, policies not currently being enforced are
+ contained in non-active Policy Objects. To change the active Policy
+ Objects, the non-active Policy Objects are edited as necessary and a
+ new Policy Summary Object that includes/references the changed Policy
+ Objects is activated.
+
+3.4.5.1. Policy Object Names
+
+ Every Policy Object has a name. In a Fabric's database of Policy
+ Objects, a Policy Object Name is specified as a type/length/value
+ (see section 7.2 of [FC-SP]). The possible types are:
+
+ - Node_Name
+
+ - Restricted Node_Name
+
+ - Port_Name
+
+ - Restricted Port_Name
+
+ - Wildcard
+
+ - Negated Wildcard
+
+ - Alphanumeric Name
+
+ - IPv6 Address Range
+
+ - IPv4 Address Range
+
+3.4.6. Three Kinds of Switches
+
+ For a Fabric composed of n Switches and m Nodes, the potential
+ complexity of Switch Connectivity Objects is O(n**2) to describe
+ Switch to Switch connections, and O(n*m) for Switch to Node
+ connections. To provide better scaling, the Switch Connectivity
+ Objects are not Fabric-wide information, but are distributed only to
+ where they are needed. To support this, the policy model supports
+ three kinds of Switches in a Fabric:
+
+ - Server Switches, which maintain the Fabric-wide Policy Objects,
+ all the Switch Connectivity Objects, and a full copy of the FC-
+ SP Zoning Database;
+
+ - Autonomous Switches, which maintain the Fabric-wide Policy
+ Objects, their own Switch Connectivity Object, and a full copy
+ of the FC-SP Zoning Database; and
+
+
+
+De Santi, et al. Standards Track [Page 10]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ - Client Switches, which maintain the Fabric-wide Policy Objects,
+ their own Switch Connectivity Object, and a subset of the FC-SP
+ Active Zone Set (which is the configurations of zones currently
+ being enforced by a Fabric, see section 10.4.3.3 of [FC-SW-4]).
+
+3.4.7. Security Policy Management
+
+ Security Policy can be changed in a server session [FC-GS-5] with a
+ Security Policy Server. All write access to a Security Policy Server
+ occurs within a server session. While read access to a Security
+ Policy Server may occur at any time, the consistency of the returned
+ data is guaranteed only inside a server session.
+
+ The Enhanced Commit Service [FC-SW-4] is used to perform Fabric
+ operations as and when necessary (see table 144 of [FC-SP]). Many of
+ these operations are named as if they were acronyms, e.g., SSB for
+ Server Session Begin; SSE for Server Session End; SW_ILS for Switch
+ Fabric Internal Link Services; EACA for Enhanced Acquire Change
+ Authorization; ERCA for Enhanced Release Change Authorization; SFC
+ for Stage Fabric Configuration.
+
+ Each server session begins and ends, with a SSB request and a SSE
+ request respectively, sent to a Security Policy Server. In the
+ Fabric, the SSB requests a lock of the Fabric via an EACA SW_ILS,
+ while the SSE requests a release of the lock via the ERCA SW_ILS
+ [FC-SW-4]. Active and non-active Policy Objects are persistent in
+ that they survive after the end of a server session.
+
+3.4.8. FC-SP Zoning
+
+ To preserve backward compatibility with existing Zoning definitions
+ and implementations, FC-SP Zoning is defined as a variant of the
+ Enhanced Zoning model defined in [FC-SW-4] and [FC-GS-5] that follows
+ the general concepts of the Policy model for Security Policy
+ Management, but keeps Zoning management and enforcement completely
+ independent.
+
+ FC-SP Zoning allows for some Switches to retain less than a complete
+ replicated copy of the Zoning Database, as follows:
+
+ - Server Switches maintain the policies data structures for all
+ Switches in the Fabric plus a replica of the Zoning data
+ structures;
+
+ - Autonomous Switches maintain only the subset of policies data
+ structures relevant for their operations plus a replica of the
+ Zoning Database; and
+
+
+
+
+De Santi, et al. Standards Track [Page 11]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ - Client Switches maintain only the subset of policies data
+ structures and the subset of the Active Zone Set relevant for
+ their operations.
+
+ When Client Switches are deployed in a Fabric, at least one Server
+ Switch must also be deployed in the same Fabric. A client-server
+ protocol allows Client Switches to dynamically retrieve the Zoning
+ information they may require from the Server Switches.
+
+ A management application manages the Fabric Zoning configuration
+ through the Fabric Zone Server, while other policies are managed
+ through the Security Policy Server. A new Zoning Check Protocol
+ replaces the Zone Merge Protocol [FC-SW-4], and new command codes are
+ defined for the SFC SW_ILS to distribute the FC-SP Zoning
+ configuration on a Fabric. The Zoning definitions are ordered to
+ allow for the computation of a hash of the Active Zone Set and a hash
+ of the Zone Set Database, plus other optional security data (e.g.,
+ for integrity protection of Zoning information).
+
+4. Document Overview
+
+ This document defines five MIB modules that together provide the
+ means for monitoring the operation of, and configuring some
+ parameters of, one or more instances of the FC-SP protocols.
+
+4.1. Fibre Channel Management Instance
+
+ A Fibre Channel management instance is defined in [RFC4044] as a
+ separable managed instance of Fibre Channel functionality. Fibre
+ Channel functionality may be grouped into Fibre Channel management
+ instances in whatever way is most convenient for the
+ implementation(s). For example, one such grouping accommodates a
+ single SNMP agent having multiple AgentX [RFC2741] sub-agents, with
+ each sub-agent implementing a different Fibre Channel management
+ instance.
+
+ The object, fcmInstanceIndex, is IMPORTed from the FC-MGMT-MIB
+ [RFC4044] as the index value to uniquely identify each Fibre Channel
+ management instance, for example, within the same SNMP context
+ ([RFC3411] section 3.3.1).
+
+4.2. Entity Name
+
+ A central capability of FC-SP is the use of an Authentication
+ Protocol. The purpose of each of the possible Authentication
+ Protocols is to allow a Fibre Channel entity to be assured of the
+ identity of each entity with which it is communicating. Examples of
+ such entities are Fibre Channel Switches and Fibre Channel Nx_Ports.
+
+
+
+De Santi, et al. Standards Track [Page 12]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Each entity is identified by a name. The FC-MGMT-MIB [RFC4044]
+ defines MIB objects for such names:
+
+ - for entities that are Fibre Channel Switches, the definition of
+ a Fibre Channel management instance allows multiple Switches to
+ be managed by the same Fibre Channel management instance. In
+ this case, each entity is a Switch and has the name given by the
+ MIB object, fcmSwitchWWN.
+
+ - for entities other than Fibre Channel Switches, a Fibre Channel
+ management instance can manage only one entity, and the name of
+ the entity is given by the MIB object, fcmInstanceWwn.
+
+4.3. Fabric Index
+
+ With multiple Fabrics, each Fabric has its own instances of the
+ Fabric-related management instrumentation. Thus, these MIB modules
+ define all Fabric-related information in tables that are INDEX-ed by
+ an arbitrary integer, named a "Fabric Index". The syntax of a Fabric
+ Index is T11FabricIndex, imported from T11-TC-MIB [RFC4439]. When a
+ device is connected to a single physical Fabric, without use of any
+ virtual Fabrics, the value of this Fabric Index will always be 1. In
+ an environment of multiple virtual and/or physical Fabrics, this
+ index provides a means to distinguish one Fabric from another.
+
+4.4. Interface Index
+
+ Several of the MIB modules defined in this document use the
+ InterfaceIndexOrZero syntax in order to allow information to be
+ specified/instantiated on a per-port/interface basis, e.g., for:
+ statistics, Traffic Selectors, Security Associations, etc. This
+ allows the same object to be used either when there is a separate row
+ for each of multiple ports/interfaces, or when multiple interfaces
+ are represented by a single row. The use of a zero value supports
+ the simpler cases of: a) when there is only one port/interface, b)
+ where the implementation chooses to aggregate the information for
+ multiple ports/interfaces. The minimum (for compliance) requirement
+ is to implement any one of the above cases.
+
+ When a Fabric Index and an object with the InterfaceIndexOrZero
+ syntax are used together in a single INDEX clause, the
+ InterfaceIndexOrZero object is listed before the Fabric Index in
+ order to simplify management queries that retrieve information
+ concerning multiple Fabrics connected to the same port/interface.
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 13]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+4.5. Syntax for Policy Object Names
+
+ T11FcSpPolicyNameType and T11FcSpPolicyName are two Textual
+ Conventions defined in this document (in the T11-FC-SP-TC-MIB module)
+ to represent the types and values of Policy Object Names (see section
+ 3.4.5.1 above). However, two of the nine possible types are IPv4
+ Address Range and IPv6 Address Range. It is standard practice in MIB
+ modules to represent all IP addresses using the standard Textual
+ Conventions defined in [RFC4001] for IP addresses: specifically,
+ InetAddressType and InetAddress. This document adheres to such
+ standard practice to the following extent:
+
+ - for MIB objects representing a Policy Object Name that can
+ *only* be an IPv4 Address Range or an IPv6 Address Range, then
+ those MIB objects are defined as a 3-tuple: (InetAddressType,
+ InetAddress, InetAddress), in which the first address is the low
+ end of the range, the second address is the high end of the
+ range, and both addresses are of the type given by
+ InetAddressType.
+
+ - for MIB objects representing a Policy Object Name that is
+ (possibly) of a different type, i.e., it is not (necessarily) an
+ IPv4 or IPv6 Address Range, then those MIB objects are defined
+ as a 2-tuple: (T11FcSpPolicyNameType, T11FcSpPolicyName), in
+ which the first object represents the type of Policy Object Name
+ and the second object represents the value of the Policy Object
+ Name. For MIB objects defined in this manner, if and when they
+ represent a range of IP addresses: a) the value of
+ T11FcSpPolicyNameType differentiates between an IPv4 Address
+ Range and an IPv6 Address Range; and b) the value of
+ T11FcSpPolicyName is one string containing the concatenation of
+ the two addresses that are the low and high addresses of the
+ range. This is the same format as used within FC-SP Policy
+ Objects [FC-SP].
+
+4.6. Certificates, CAs, and CRLs
+
+ In order to authenticate with the FCAP protocol, each entity,
+ identified by a unique Name, is provided with: a digital certificate
+ associated with that Name, the private/public key pair that
+ corresponds to the certificate, and with the Root Certificate (the
+ certificate of the signing Certification Authority). To authenticate
+ another entity, an entity is required to be provided with the
+ certificate of the associated Certification Authority.
+
+ FCAP requires entities to support at least four Root Certificates
+ against which received corresponding certificates can be validated.
+ Support for certificate chains and verification of certificate chains
+
+
+
+De Santi, et al. Standards Track [Page 14]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ containing more than one certificate is optional. Entities need to
+ be able to access a Certificate Revocation List (CRL) for each
+ configured Root Certificate, if one is available from the CA.
+ Certificates on the CRL are considered invalid.
+
+ The management of certificates, Certification Authorities, and
+ Certificate Revocation Lists is the same in Fibre Channel networks as
+ it is in other networks. Therefore, this document does not define
+ any MIB objects for such management.
+
+4.7. Traffic Selectors
+
+ When Traffic Selectors are compared against an ingress or egress
+ frame in order to determine the security processing to be applied to
+ that frame, there are circumstances in which multiple Traffic
+ Selectors, specifying different actions, can match with the frame.
+ Specifically, when matching against an egress frame to decide which
+ active Security Association to transmit on, or, against an ingress
+ frame unprotected by FC-SP, i.e., without an SPI value in it, to
+ decide which action ('drop' or 'bypass') to apply. For these cases,
+ the MIB includes a unique precedence value for each Traffic Selector
+ such that the one with the numerically lowest precedence value is
+ determined to be the one that matches. In contrast, ingress frames
+ on active Security Associations (i.e., protected by FC-SP) are
+ compared against the set of traffic selectors negotiated when the
+ Security Association was set up and identified by the SPI value
+ contained in the frame; the action taken depends on whether any
+ Traffic Selector matches, but not on which one.
+
+ This difference between ingress and egress Traffic Selectors on
+ active Security Associations is reflected in having separate MIB
+ tables defined for them: the table for Traffic Selectors on egress
+ SAs, t11FcSpSaTSelNegOutTable, has a precedence value in its INDEX
+ clause; whereas the table for Traffic Selectors on ingress SAs,
+ t11FcSpSaTSelNegInTable, has an arbitrary integer value in its INDEX
+ clause. For 'drop' and 'bypass' Traffic Selectors, one table,
+ t11FcSpSaTSelDrByTable, having a precedence value in its INDEX
+ clause, is sufficient for both ingress and egress traffic.
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 15]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+4.8. The MIB Modules
+
+4.8.1. The T11-FC-SP-TC-MIB Module
+
+ This MIB module defines Textual Conventions that are being, or have
+ the potential to be, used in more than one MIB module. The module
+ also defines Object Identifiers to identify the Cryptographic
+ Algorithms listed in [FC-SP] so that they can be used as the value of
+ various MIB objects that specify the algorithms being/to be used by
+ an FC-SP implementation.
+
+4.8.2. The T11-FC-SP-AUTHENTICATION-MIB Module
+
+ This MIB module specifies the management information required to
+ manage FC-SP Authentication Protocols. It defines three tables:
+
+ - t11FcSpAuEntityTable -- a table of Fibre Channel entities that
+ can be authenticated using FC-SP's Authentication Protocols,
+ including the names, capabilities, and basic configuration
+ parameters of the entities.
+
+ - t11FcSpAuIfStatTable -- this table has two purposes: to be a
+ list of the mappings of a FC-SP Authentication entity onto an
+ interface and to contain Authentication Protocol per-interface
+ statistics.
+
+ - t11FcSpAuRejectTable -- a table of FC-SP Authentication Protocol
+ transactions that were recently rejected.
+
+ It also defines two notifications: one for sending a reject in
+ response to an AUTH message and another for receiving a reject in
+ response to an AUTH message.
+
+4.8.3. The T11-FC-SP-ZONING-MIB Module
+
+ This MIB module specifies the extensions to the T11-FC-ZONE-SERVER-
+ MIB module [RFC4936] for the management of FC-SP Zoning Servers.
+ Specifically, it augments three tables defined in T11-FC-ZONE-SERVER-
+ MIB:
+
+ - t11FcSpZsServerTable -- to this table, it adds FC-SP Zoning
+ information defined for Zone Servers.
+
+ - t11ZsStatsTable -- to this table, it adds FC-SP Zoning
+ statistics for Zone Servers.
+
+ - t11ZsNotifyControlTable -- to this table, it adds control
+ information for FC-SP Zoning notifications.
+
+
+
+De Santi, et al. Standards Track [Page 16]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ It also defines two FC-SP Zoning notifications: one for success and
+ one for failure in the joining of two Fabrics.
+
+4.8.4. The T11-FC-SP-POLICY-MIB Module
+
+ This MIB module specifies management information that is used to
+ manage FC-SP policies. The MIB module has five parts:
+
+ - Active Policy Objects - read-only MIB objects representing the
+ set of active Policy Objects for each Fabric;
+
+ - Activate/Deactivate Operations - read-write MIB objects for
+ invoking operations, either 1) to activate policies that are
+ specified as a set of non-active Policy Objects, or 2) to
+ deactivate the currently active policies; also included are
+ objects giving the status of invoked operations;
+
+ - Non-Active Policy Objects - read-create MIB objects to create
+ and modify non-active Policy Objects;
+
+ - Statistics for FC-SP Security Policy Servers;
+
+ - The definition and control of notifications for the success or
+ failure of the activation or deactivation of FC-SP policies.
+
+4.8.5. The T11-FC-SP-SA-MIB Module
+
+ This MIB module specifies the management information required to
+ manage Security Associations established via FC-SP. All of the
+ tables in this MIB module are INDEX-ed by t11FcSpSaIfIndex, with
+ syntax InterfaceIndexOrZero, which is either non-zero for a specific
+ interface or zero for all (of the management instance's) interfaces
+ to the particular Fabric.
+
+ The MIB module consists of six parts:
+
+ - a per-Fabric table, t11FcSpSaIfTable, of capabilities,
+ parameters, status information, and counters; the counters
+ include non-transient aggregates of per-SA transient counters;
+
+ - three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable, and
+ t11FcSpSaTransTable, specifying the proposals for an FC-SP
+ entity acting as an SA_Initiator to present to the SA_Responder
+ during the negotiation of Security Associations. The same
+ information is also used by an FC-SP entity acting as an
+ SA_Responder to decide what to accept during the negotiation of
+
+
+
+
+
+De Santi, et al. Standards Track [Page 17]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Security Associations. One of these tables,
+ t11FcSpSaTransTable, is used not only for information about
+ security transforms to propose and to accept, but also as agreed
+ upon during the negotiation of Security Associations;
+
+ - a table, t11FcSpSaTSelDrByTable, of Traffic Selectors having the
+ security action of 'drop' or 'bypass' to be applied either to
+ ingress traffic, which is unprotected by FC-SP, or to all egress
+ traffic;
+
+ - four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable,
+ t11FcSpSaTSelNegOutTable, and t11FcSpSaTSelSpiTable, containing
+ information about active bidirectional pairs of Security
+ Associations; in particular, t11FcSpSaPairTable has one row per
+ active bidirectional SA pair, t11FcSpSaTSelNegInTable and
+ t11FcSpSaTSelNegOutTable contain information on the Traffic
+ Selectors negotiated on the SAs, and the t11FcSpSaTSelSpiTable
+ is an alternate lookup table such that the Traffic Selector(s)
+ in use on a particular Security Association can be quickly
+ determined based on its (ingress) SPI value;
+
+ - a table, t11FcSpSaControlTable, of control and other information
+ concerning the generation of notifications for events related to
+ FC-SP Security Associations;
+
+ - one notification, t11FcSpSaNotifyAuthFailure, generated on the
+ occurrence of an Authentication failure for a received FC-2 or
+ CT_IU frame.
+
+4.9. Rate Control for Notifications
+
+ All but one of the notifications defined in the five MIB modules in
+ this document are notifications that are generated based on events
+ occurring in the "control plane", e.g., notifications that are
+ generated at the frequency of operator-initiated activities. The one
+ exception is t11FcSpSaNotifyAuthFailure, which is generated based on
+ an event occurring in the "data plane", and could (in a worst case
+ scenario) occur for every received ingress frame. Therefore, a
+ method of rate controlling the generation of notifications is needed
+ for t11FcSpSaNotifyAuthFailure, but not for any of the other
+ notifications.
+
+ For t11FcSpSaNotifyAuthFailure, rate control is achieved by
+ specifying that a) after the first occurrence of an Authentication
+ failure on any particular Security Association, the SNMP
+ notifications for second and subsequent failures are suppressed for
+ the duration of a time window and b) that even the notification for
+ the first occurrence is suppressed after it is sent in the same time
+
+
+
+De Santi, et al. Standards Track [Page 18]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ window for a configured (in t11FcSpSaControlMaxNotifs) number of
+ Security Associations within a Fabric. Note that while these
+ suppressions prevent the network from being flooded with
+ notifications, the Authentication Failures themselves must still be
+ detected and counted.
+
+ The length of the time window is given by t11FcSpSaControlWindow, a
+ read-write object in the t11FcSpSaControlTable. If and when the time
+ since the last generation of the notification is less than the value
+ of sysUpTime (e.g., if one or more notifications have occurred since
+ the last re-initialization of the management system), then
+ t11FcSpSaControlElapsed and t11FcSpSaControlSuppressed contain the
+ elapsed time since the last notification and the number of
+ notifications suppressed in the window after sending the last one,
+ respectively. Otherwise, t11FcSpSaControlElapsed contains the value
+ of sysUpTime and t11FcSpSaControlSuppressed has the value zero.
+
+5. Relationship to Other MIB Modules
+
+ The first standardized MIB module for Fibre Channel [RFC2837] was
+ focused on Fibre Channel Switches. It was obsoleted by the more
+ generic Fibre Channel Management MIB [RFC4044], which defines basic
+ information for Fibre Channel Nodes and Switches, including
+ extensions to the standard IF-MIB [RFC2863] for Fibre Channel
+ interfaces. Several other MIB modules have since been defined to
+ extend [RFC4044] for various specific Fibre Channel functionality,
+ (e.g., [RFC4438], [RFC4439], [RFC4625], [RFC4626], [RFC4747],
+ [RFC4936], [RFC4935], and [RFC4983]).
+
+ The MIB modules defined in this memo further extend [RFC4044] to
+ cover the operation of Fibre Channel Security Protocols, as specified
+ in [FC-SP].
+
+ One part of the FC-SP specification is "FC-SP Zoning", which is an
+ extension/variant of the Fibre Channel Zoning defined in [FC-GS-5].
+ Management information for the latter is defined in the T11-FC-ZONE-
+ SERVER-MIB module [RFC4936]. Consequently, the T11-FC-SP-ZONING-MIB
+ module defined in this document defines the extensions to the T11-FC-
+ ZONE-SERVER-MIB module that are needed to manage FC-SP Zoning.
+
+ The MIB modules in this memo import some common Textual Conventions
+ from T11-TC-MIB, defined in [RFC4439], and from INET-ADDRESS-MIB,
+ defined in [RFC4001].
+
+ If the RADIUS protocol is used for access to an external server,
+ information about RADIUS Servers is likely to be available from the
+ RADIUS-AUTH-CLIENT-MIB [RFC4668].
+
+
+
+
+De Santi, et al. Standards Track [Page 19]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+6. MIB Module Definitions
+
+6.1. The T11-FC-SP-TC-MIB Module
+
+T11-FC-SP-TC-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-IDENTITY, mib-2,
+ Unsigned32 FROM SNMPv2-SMI -- [RFC2578]
+ TEXTUAL-CONVENTION FROM SNMPv2-TC; -- [RFC2579]
+
+t11FcTcMIB MODULE-IDENTITY
+ LAST-UPDATED "200808200000Z"
+ ORGANIZATION "This MIB module was developed through the
+ coordinated effort of two organizations:
+ T11 began the development and the IETF (in
+ the IMSS Working Group) finished it."
+ CONTACT-INFO
+ " Claudio DeSanti
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ EMail: cds@cisco.com
+
+ Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Email: kzm@cisco.com"
+ DESCRIPTION
+ "This MIB module defines Textual Conventions for use in
+ the multiple MIB modules, which together define the
+ instrumentation for an implementation of the Fibre Channel
+ Security Protocols (FC-SP) specification.
+
+ This MIB module also defines Object Identities (for use as
+ possible values of MIB objects with syntax AutonomousType),
+ including OIDs for the Cryptographic Algorithms defined
+ in FC-SP.
+
+ Copyright (C) The IETF Trust (2008). This version
+ of this MIB module is part of RFC 5324; see the RFC
+ itself for full legal notices."
+ REVISION "200808200000Z"
+ DESCRIPTION
+ "Initial version of this MIB module, published as RFC 5324."
+ ::= { mib-2 175 }
+
+
+
+
+De Santi, et al. Standards Track [Page 20]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpIdentities OBJECT IDENTIFIER ::= { t11FcTcMIB 1 }
+t11FcSpAlgorithms OBJECT IDENTIFIER ::= { t11FcSpIdentities 1 }
+
+--
+-- Textual Conventions
+--
+
+T11FcSpPolicyHashFormat ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Identifies a cryptographic hash function used to create
+ a hash value that summarizes an FC-SP Policy Object.
+
+ Each definition of an object with this TC as its syntax
+ must be accompanied by a corresponding definition of an
+ object with T11FcSpPolicyHashValue as its syntax, and
+ containing the hash value.
+
+ The first two cryptographic hash functions are:
+
+ Hash Type Hash Tag Hash Length (Bytes)
+ SHA-1 '00000001'h 20
+ SHA-256 '00000002'h 32
+ "
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3.1 and table 106.
+ - FIPS PUB 180-2."
+ SYNTAX OCTET STRING (SIZE (4))
+
+T11FcSpPolicyHashValue ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Represents the value of the cryptographic hash function
+ of an FC-SP Policy Object.
+
+ Each definition of an object with this TC as its syntax
+ must be accompanied by a corresponding definition of an
+ object with T11FcSpPolicyHashFormat as its syntax.
+ The corresponding object identifies the cryptographic
+ hash function used to create the hash value."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3.1 and table 106."
+ SYNTAX OCTET STRING (SIZE (0..64))
+
+
+
+
+De Santi, et al. Standards Track [Page 21]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+T11FcSpHashCalculationStatus ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "When some kind of 'database' is defined in a set of
+ read-write MIB objects, it is common that multiple changes
+ in the data need to be made at the same time. So, if hash
+ values are maintained for that data, those hash values are
+ only correct if and when they are re-calculated after every
+ change. In such circumstances, the use of an object with
+ this syntax allows the re-calculation of the hash values to
+ be deferred until all changes have been made, and therefore
+ the calculation need only be done once after all changes,
+ rather than repeatedly/after each individual change.
+
+ The definition of an object defined using this TC is
+ required to specify which one or more instances of which
+ MIB objects contain the hash values operated upon (or
+ whose status is given) by the value of this TC.
+
+ When read, the value of an object with this syntax is
+ either:
+
+ correct -- the identified MIB object instance(s)
+ contain the correct hash values; or
+ stale -- the identified MIB object instance(s)
+ contain stale (possibly incorrect) values.
+
+ Writing a value of 'calculate' is a request to re-calculate
+ and update the values of the corresponding instances of the
+ identified MIB objects. Writing a value of 'correct' or
+ 'stale' to this object is an error (e.g., 'wrongValue')."
+ SYNTAX INTEGER {
+ calculate(1),
+ correct(2),
+ stale(3)
+ }
+
+T11FcSpAuthRejectReasonCode ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A reason code contained in an AUTH_Reject message, or
+ in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT
+ (rejecting an AUTH-ELS)."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 17, 48, 52."
+ SYNTAX INTEGER {
+
+
+
+De Santi, et al. Standards Track [Page 22]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ authFailure(1),
+ logicalError(2),
+ logicalBusy(3),
+ authILSNotSupported(4),
+ authELSNotSupported(5),
+ notLoggedIn(6)
+ }
+
+T11FcSpAuthRejReasonCodeExp ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A reason code explanation contained in an AUTH_Reject
+ message, or in an SW_RJT (rejecting an AUTH_ILS), or in
+ an LS_RJT (rejecting an AUTH-ELS)."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Tables 18, 48, 52."
+ SYNTAX INTEGER {
+ authMechanismNotUsable(1),
+ dhGroupNotUsable(2),
+ hashFunctionNotUsable(3),
+ authTransactionAlreadyStarted(4),
+ authenticationFailed(5),
+ incorrectPayload(6),
+ incorrectAuthProtocolMessage(7),
+ restartAuthProtocol(8),
+ authConcatNotSupported(9),
+ unsupportedProtocolVersion(10),
+ logicalBusy(11),
+ authILSNotSupported(12),
+ authELSNotSupported(13),
+ notLoggedIn(14)
+ }
+
+T11FcSpHashFunctions ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A set of zero, one, or more hash functions defined for
+ use in FC-SP."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 14."
+ SYNTAX BITS {
+ md5(0),
+ sha1(1)
+ }
+
+
+
+De Santi, et al. Standards Track [Page 23]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+T11FcSpSignFunctions ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A set of zero, one, or more signature functions defined
+ for signing certificates for use with FCAP in FC-SP."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, tables 38 & 39."
+ SYNTAX BITS {
+ rsaSha1(0)
+ }
+
+T11FcSpDhGroups ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A set of zero, one, or more DH Groups defined for use
+ in FC-SP."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 15."
+ SYNTAX BITS {
+ null(0),
+ group1024(1),
+ group1280(2),
+ group1536(3),
+ group2048(4),
+ group3072(5),
+ group4096(6),
+ group6144(7),
+ group8192(8)
+ }
+
+T11FcSpPolicyObjectType ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A value that identifies the type of an FC-SP Policy
+ Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 102."
+ SYNTAX INTEGER {
+ summary(1),
+ switchMemberList(2),
+ nodeMemberList(3),
+ switchConnectivity(4),
+
+
+
+De Santi, et al. Standards Track [Page 24]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ipMgmtList(5),
+ attribute(6)
+ }
+
+T11FcSpPolicyNameType ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The format and usage of a companion object having
+ T11FcSpPolicyName as its syntax.
+
+ Six of the values indicate the same format, i.e., they
+ differ only in semantics. That common format is a Fibre
+ Channel 'Name_Identifier', i.e., the same syntax as
+ 'FcNameIdOrZero (SIZE(8))'.
+
+ These six are three pairs of one restricted and one
+ unrestricted. Each usage of this syntax must specify
+ what the meaning of 'restricted' is for that usage and
+ how the characteristics and behavior of restricted
+ names differ from unrestricted names.
+
+ The six are:
+
+ 'nodeName' - a Node_Name, which is the
+ Name_Identifier associated
+ with a Fibre Channel Node.
+
+ 'restrictedNodeName' - a Restricted Node_Name.
+
+ 'portName' - the Name_Identifier associated
+ with a Fibre Channel Port.
+
+ 'restrictedPortName' - a Restricted Port_Name.
+
+ 'wildcard' - a Wildcard value that is used to
+ identify 'all others' (typically,
+ all other members of a Policy
+ Object, not all other Policy
+ Objects).
+
+ 'restrictedWildcard' - a Restricted Wildcard value.
+
+ Other possible values are:
+
+ 'alphaNumericName' - the value begins with an ASCII
+ letter (upper or lower case) followed by (0 ... 63)
+ characters from the set: lower case letters, upper case
+ letters, digits, and the four symbols: dollar-sign ($),
+
+
+
+De Santi, et al. Standards Track [Page 25]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ dash (-), caret (^), and underscore (_).
+
+ 'ipv6AddressRange' - two IPv6 addresses in network
+ byte order, the numerically smallest first and the
+ numerically largest second; total length is 32 bytes.
+
+ 'ipv4AddressRange' - two IPv4 addresses in network
+ byte order, the numerically smallest first and the
+ numerically largest second; total length is 8 bytes."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 103."
+ SYNTAX INTEGER {
+ nodeName(1),
+ restrictedNodeName(2),
+ portName(3),
+ restrictedPortName(4),
+ wildcard(5),
+ restrictedWildcard(6),
+ alphaNumericName(7),
+ ipv6AddressRange(8),
+ ipv4AddressRange(9)
+ }
+
+T11FcSpPolicyName ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A syntax used, when defining Policy Objects, for the
+ name of something.
+
+ An object that uses this syntax always identifies a
+ companion object with syntax T11FcSpPolicyNameType
+ such that the companion object specifies the format
+ and usage of the object with this syntax.
+
+ When the companion object has the value 'wildcard' or
+ 'restrictedWildcard', the value of the T11FcSpPolicyName
+ object is: '0000000000000000'h."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 103."
+ SYNTAX OCTET STRING (SIZE (1..64))
+
+T11FcSpAlphaNumName ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 26]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "A syntax used when defining Policy Objects for the
+ name of something, where the name is always in the format
+ specified by:
+
+ T11FcSpPolicyNameType = 'alphaNumericName'
+ "
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 103."
+ SYNTAX OCTET STRING (SIZE (1..64))
+
+T11FcSpAlphaNumNameOrAbsent ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "An extension of the T11FcSpAlphaNumName TC with
+ one additional possible value: the zero-length string
+ to indicate the absence of a name."
+ SYNTAX OCTET STRING (SIZE (0..64))
+
+T11FcSaDirection ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The direction of frame transmission on a Security
+ Association. Note that Security Associations are
+ unidirectional, but they always exist as part of an
+ SA pair of the same type in opposite directions."
+ SYNTAX INTEGER { ingress(1), egress(2) }
+
+T11FcSpiIndex ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "An SPI (Security Parameter Index) value is carried in the
+ SPI field of a frame protected by the ESP_Header. An SPI
+ is also carried in the SAID field of a Common Transport
+ Information Unit (CT_IU) protected by CT_Authentication.
+ An SPI value identifies the Security Association on which
+ the frame is being transmitted."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 4.7.2 and 4.7.3."
+ SYNTAX Unsigned32 (0..4294967295) -- the default range!!
+
+T11FcSpPrecedence ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 27]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "The precedence of a Traffic Selector. If a frame
+ matches with two or more Traffic Selectors, then the match
+ that takes precedence is the one with the Traffic Selector
+ having the numerically smallest precedence value. Note that
+ precedence values are not necessarily contiguous."
+ SYNTAX Unsigned32 (0..4294967295) -- the default range!!
+
+T11FcRoutingControl ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "1x"
+ STATUS current
+ DESCRIPTION
+ "A value stored in the R_CTL (Routing Control) 8-bit field
+ of an FC-2 frame containing routing and information bits to
+ categorize the frame function.
+
+ For FC-2 frames, an R_CTL value typically distinguishes
+ between control versus data frames and/or solicited versus
+ unsolicited frames, and in combination with the TYPE field
+ (see T11FcSpType), identifies a particular link-layer
+ service/protocol using FC-2.
+
+ For CT_Authentication, the information field in the R_CTL
+ field contains '02'h for Request CT_IUs and '03'h for
+ Response CT_IUs.
+
+ The comparison of two values having this syntax is done
+ by treating each string as an 8-bit numeric value."
+ REFERENCE
+ "- Fibre Channel - Framing and Signaling-2 (FC-FS-2),
+ ANSI INCITS 424-2007, Project T11/1619-D,
+ February 2007, section 9.3.
+ - Fibre Channel - Generic Services-5 (FC-GS-5),
+ ANSI INCITS 427-2006, sections 4.5.2.4.2, 4.5.2.4.3
+ and table 12."
+ SYNTAX OCTET STRING (SIZE(1))
+
+T11FcSpType ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2x"
+ STATUS current
+ DESCRIPTION
+ "A value, or combination of values, contained in a frame
+ header used in identifying the link layer service/protocol
+ of a frame. The value is always two octets:
+
+ - for FC-2 frames, the first octet is zero and the second
+ octet contains the Data structure type (TYPE) value
+ defined by FC-FS-2. The TYPE value is used in
+ combination with T11FcRoutingControl to identify a link
+
+
+
+De Santi, et al. Standards Track [Page 28]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ layer service/protocol.
+
+ - for Common Transport Information Units (CT_IUs), the
+ first octet contains a GS_Type value and the second
+ octet contains a GS_Subtype value, defined by FC-GS-5.
+
+ The comparison of two values having this syntax is done
+ by treating each string as the numeric value obtained by
+ numerically combining the individual octet's value as
+ follows:
+
+ (256 * 1st-octet) + 2nd-octet
+ "
+ REFERENCE
+ "- Fibre Channel - Framing and Signaling-2 (FC-FS-2),
+ ANSI INCITS 424-2007, Project T11/1619-D,
+ February 2007, section 9.6.
+ - Fibre Channel - Generic Services-5 (FC-GS-5),
+ ANSI INCITS 427-2006, sections 4.3.2.4 and 4.3.2.5."
+ SYNTAX OCTET STRING (SIZE(2))
+
+T11FcSpTransforms ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A list of the standardized transforms that are defined
+ by FC-SP for use with ESP_Header, CT_Authentication, and/or
+ IKEv2 Support."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ Appendix A.3.1, tables A.23, A.24, A.25, A.26."
+ SYNTAX BITS {
+ encrNull(0),
+ encrAesCbc(1),
+ encrAesCtr(2),
+ encrAesGcm(3),
+ encr3Des(4),
+ prfHmacMd5(5),
+ prfHmacSha1(6),
+ prfAesCbc(7),
+ authHmacMd5L96(8),
+ authHmacSha1L96(9),
+ authHmacMd5L128(10),
+ authHmacSha1L160(11),
+ encrNullAuthAesGmac(12),
+ dhGroups1024bit(13),
+ dhGroups2048bit(14)
+ }
+
+
+
+De Santi, et al. Standards Track [Page 29]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+T11FcSpSecurityProtocolId ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A Security Protocol identifier to identify
+ the protocol by which traffic is to be protected,
+ e.g., ESP_Header or CT_Authentication."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.3.2.2 and table 67."
+ SYNTAX INTEGER { espHeader(1), ctAuth(2) }
+
+T11FcSpLifetimeLeft ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "This TC is used for one object of an associated pair
+ of objects. The object with this syntax specifies a
+ remaining lifetime of something, e.g., of an SA, where
+ the lifetime is given in the units specified by the other
+ object of the pair which has T11FcSpLifetimeLeftUnits
+ as its syntax."
+ SYNTAX Unsigned32
+
+T11FcSpLifetimeLeftUnits ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "An object, defined using T11FcSpLifetimeLeft TC as
+ its syntax, is required to be one of an associated
+ pair of objects such that the other object of the pair
+ is defined with this T11FcSpLifetimeLeftUnits TC as
+ its syntax and with its value specifying the
+ units of the remaining lifetime given by the
+ value of the T11FcSpLifetimeLeft object."
+ SYNTAX INTEGER {
+ seconds(1), -- seconds
+ kiloBytes(2), -- 10^^3 bytes
+ megaBytes(3), -- 10^^6 bytes
+ gigaBytes(4), -- 10^^9 bytes
+ teraBytes(5), -- 10^^12 bytes
+ petaBytes(6), -- 10^^15 bytes
+ exaBytes(7), -- 10^^18 bytes
+ zettaBytes(8), -- 10^^21 bytes
+ yottaBytes(9) -- 10^^24 bytes
+ }
+
+--
+-- Object Identities to identify the Cryptographic Algorithms
+-- listed in FC-SP.
+
+
+
+De Santi, et al. Standards Track [Page 30]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+
+t11FcSpEncryptAlgorithms
+ OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 1 }
+
+t11FcSpEncrNull OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The ENCR_NULL algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 70."
+ ::= { t11FcSpEncryptAlgorithms 1 }
+
+t11FcSpEncrAesCbc OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The ENCR_AES_CBC algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 70."
+ ::= { t11FcSpEncryptAlgorithms 2 }
+
+t11FcSpEncrAesCtr OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The ENCR_AES_CTR algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 70."
+ ::= { t11FcSpEncryptAlgorithms 3 }
+
+t11FcSpEncrAesGcm OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The ENCR_AES_GCM algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 70."
+ ::= { t11FcSpEncryptAlgorithms 4 }
+
+t11FcSpEncr3Des OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The ENCR_3DES algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 70."
+
+
+
+De Santi, et al. Standards Track [Page 31]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpEncryptAlgorithms 5 }
+
+t11FcSpAuthAlgorithms
+ OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 2 }
+
+t11FcSpAuthNull OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The AUTH_NONE algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 72."
+ ::= { t11FcSpAuthAlgorithms 1 }
+
+t11FcSpAuthHmacMd5L96 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The AUTH_HMAC_MD5_96 algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 72."
+ ::= { t11FcSpAuthAlgorithms 2 }
+
+t11FcSpAuthHmacSha1L96 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The AUTH_HMAC_SHA1_96 algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 72."
+ ::= { t11FcSpAuthAlgorithms 3 }
+
+t11FcSpAuthHmacMd5L128 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The AUTH_HMAC_MD5_128 algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 72."
+ ::= { t11FcSpAuthAlgorithms 4 }
+
+t11FcSpAuthHmacSha1L160 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The AUTH_HMAC_SHA1_160 algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 72."
+
+
+
+De Santi, et al. Standards Track [Page 32]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpAuthAlgorithms 5 }
+
+t11FcSpEncrNullAuthAesGmac OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "The ENCR_NULL_AUTH_AES_GMAC algorithm."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 70."
+ ::= { t11FcSpEncryptAlgorithms 6 }
+
+END
+
+6.2. The T11-FC-SP-AUTHENTICATION-MIB Module
+
+--********************************************************************
+-- FC-SP Authentication Protocols
+--
+
+T11-FC-SP-AUTHENTICATION-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ NOTIFICATION-TYPE,
+ mib-2, Counter32, Unsigned32
+ FROM SNMPv2-SMI -- [RFC2578]
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP
+ FROM SNMPv2-CONF -- [RFC2580]
+ StorageType, AutonomousType,
+ TruthValue, TimeStamp FROM SNMPv2-TC -- [RFC2579]
+ InterfaceIndex FROM IF-MIB -- [RFC2863]
+ fcmInstanceIndex,
+ FcNameIdOrZero FROM FC-MGMT-MIB -- [RFC4044]
+ t11FamLocalSwitchWwn
+ FROM T11-FC-FABRIC-ADDR-MGR-MIB -- [RFC4439]
+ T11FabricIndex FROM T11-TC-MIB -- [RFC4439]
+ T11FcSpDhGroups,
+ T11FcSpHashFunctions,
+ T11FcSpSignFunctions,
+ T11FcSpLifetimeLeft,
+ T11FcSpLifetimeLeftUnits,
+ T11FcSpAuthRejectReasonCode,
+ T11FcSpAuthRejReasonCodeExp FROM T11-FC-SP-TC-MIB;
+
+t11FcSpAuthenticationMIB MODULE-IDENTITY
+ LAST-UPDATED "200808200000Z"
+ ORGANIZATION "This MIB module was developed through the
+
+
+
+De Santi, et al. Standards Track [Page 33]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ coordinated effort of two organizations:
+ T11 began the development and the IETF (in
+ the IMSS Working Group) finished it."
+ CONTACT-INFO
+ " Claudio DeSanti
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ EMail: cds@cisco.com
+
+ Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Email: kzm@cisco.com"
+ DESCRIPTION
+ "This MIB module specifies the management information
+ required to manage the Authentication Protocols defined by
+ Fibre Channel's FC-SP specification.
+
+ This MIB module defines three tables:
+
+ - t11FcSpAuEntityTable is a table of Fibre Channel
+ entities that can be authenticated using FC-SP's
+ Authentication Protocols.
+
+ - t11FcSpAuIfStatTable is a table with one row for each
+ mapping of an Authentication entity onto an interface,
+ containing statistics information.
+
+ - t11FcSpAuRejectTable is a table of volatile information
+ about FC-SP Authentication Protocol transactions
+ that were most recently rejected.
+
+ Copyright (C) The IETF Trust (2008). This version
+ of this MIB module is part of RFC 5324; see the RFC
+ itself for full legal notices."
+ REVISION "200808200000Z"
+ DESCRIPTION
+ "Initial version of this MIB module, published as RFC 5324."
+ ::= { mib-2 176 }
+
+t11FcSpAuMIBNotifications
+ OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 0 }
+t11FcSpAuMIBObjects
+ OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 1 }
+t11FcSpAuMIBConformance
+ OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 2 }
+
+
+
+De Santi, et al. Standards Track [Page 34]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpAuMIBIdentities
+ OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 3 }
+
+--
+-- OIDs defined for use as values of t11FcSpAuServerProtocol
+--
+
+t11FcSpAuServerProtocolRadius OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "This OID identifies RADIUS as the protocol used
+ to communicate with an External Server as part of
+ the process by which identities are verified.
+ In this case, information about the RADIUS Servers
+ is likely to be provided in radiusAuthServerExtTable
+ defined in the RADIUS-AUTH-CLIENT-MIB."
+ REFERENCE
+ "radiusAuthServerExtTable in 'RADIUS Authentication
+ Client MIB', RFC 4668, August 2006."
+ ::= { t11FcSpAuMIBIdentities 1 }
+
+t11FcSpAuServerProtocolDiameter OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "This OID identifies Diameter as the protocol used
+ to communicate with an External Server as part of
+ the process by which identities are verified."
+ REFERENCE
+ "RFC 3588, September 2003."
+ ::= { t11FcSpAuMIBIdentities 2 }
+
+t11FcSpAuServerProtocolTacacs OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "This OID identifies TACACS as the protocol used
+ to communicate with an External Server as part of
+ the process by which identities are verified."
+ REFERENCE
+ "RFC 1492, July 1993."
+ ::= { t11FcSpAuMIBIdentities 3 }
+
+--
+-- Configuration for the Authentication Protocols
+--
+
+t11FcSpAuEntityTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpAuEntityEntry
+ MAX-ACCESS not-accessible
+
+
+
+De Santi, et al. Standards Track [Page 35]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "A table of Fibre Channel entities that can be authenticated
+ using FC-SP's Authentication Protocols.
+
+ The purpose of an FC-SP Authentication Protocol is to verify
+ that a claimed name is associated with the claiming entity.
+ The Authentication Protocols can be used to authenticate
+ Nx_Ports, B_Ports, or Switches."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 3.2.25."
+ ::= { t11FcSpAuMIBObjects 1 }
+
+t11FcSpAuEntityEntry OBJECT-TYPE
+ SYNTAX T11FcSpAuEntityEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about the configuration and capabilities of an
+ FC-SP entity (which is managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex) on a
+ particular Fabric with respect to FC-SP's Authentication
+ Protocols."
+ INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
+ t11FcSpAuFabricIndex }
+ ::= { t11FcSpAuEntityTable 1 }
+
+T11FcSpAuEntityEntry ::= SEQUENCE {
+ t11FcSpAuEntityName FcNameIdOrZero,
+ t11FcSpAuFabricIndex T11FabricIndex,
+ t11FcSpAuServerProtocol AutonomousType,
+ -- Config parameters
+ t11FcSpAuStorageType StorageType,
+ t11FcSpAuSendRejNotifyEnable TruthValue,
+ t11FcSpAuRcvRejNotifyEnable TruthValue,
+ t11FcSpAuDefaultLifetime T11FcSpLifetimeLeft,
+ t11FcSpAuDefaultLifetimeUnits T11FcSpLifetimeLeftUnits,
+ t11FcSpAuRejectMaxRows Unsigned32,
+ -- Capabilities
+ t11FcSpAuDhChapHashFunctions T11FcSpHashFunctions,
+ t11FcSpAuDhChapDhGroups T11FcSpDhGroups,
+ t11FcSpAuFcapHashFunctions T11FcSpHashFunctions,
+ t11FcSpAuFcapCertsSignFunctions T11FcSpSignFunctions,
+ t11FcSpAuFcapDhGroups T11FcSpDhGroups,
+ t11FcSpAuFcpapHashFunctions T11FcSpHashFunctions,
+ t11FcSpAuFcpapDhGroups T11FcSpDhGroups
+
+
+
+De Santi, et al. Standards Track [Page 36]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+}
+
+t11FcSpAuEntityName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name used to identify the FC-SP entity.
+
+ For entities that are Fibre Channel Switches, this value
+ corresponds to the Switch's value of fcmSwitchWWN. For
+ entities other than Fibre Channel Switches, this value
+ corresponds to the value of fcmInstanceWwn for the
+ corresponding Fibre Channel management instance."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.3.
+ - fcmInstanceWwn & fcmSwitchWWN,
+ 'Fibre Channel Management MIB', RFC 4044, May 2005."
+ ::= { t11FcSpAuEntityEntry 1 }
+
+t11FcSpAuFabricIndex OBJECT-TYPE
+ SYNTAX T11FabricIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a
+ particular Fabric to which the entity is attached."
+ ::= { t11FcSpAuEntityEntry 2 }
+
+t11FcSpAuServerProtocol OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The protocol, if any, used by the entity to communicate
+ with a third party (i.e., an External Server) as part of
+ the process by which it verifies DH-CHAP responses. For
+ example, if the entity is using an external RADIUS server
+ to verify DH-CHAP responses, then this object will have
+ the value t11FcSpAuServerProtocolRadius.
+
+ The value, zeroDotZero, is used to indicate that no
+ protocol is being used to communicate with a third
+ party to verify DH-CHAP responses.
+
+ When no protocol is being used, or if the third party is
+
+
+
+De Santi, et al. Standards Track [Page 37]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ unreachable via the specified protocol, then locally
+ configured information (if any) may be used instead."
+ ::= { t11FcSpAuEntityEntry 3 }
+
+t11FcSpAuStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies the memory realization of
+ configuration information related to an FC-SP
+ Entity on a particular Fabric: specifically, for
+ MIB objects in the row containing this object.
+
+ Even if an instance of this object has the value
+ 'permanent(4)', none of the information in the
+ corresponding row of this table needs to be writable."
+ ::= { t11FcSpAuEntityEntry 4 }
+
+t11FcSpAuSendRejNotifyEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "An indication of whether or not the entity should issue
+ t11FcSpAuRejectSentNotify notifications when sending
+ AUTH_Reject/SW_RJT/LS_RJT to reject an AUTH message.
+
+ If the value of the object is 'true', then this type of
+ notification is generated. If the value is 'false',
+ this type of notification is not generated."
+ DEFVAL { false }
+ ::= { t11FcSpAuEntityEntry 5 }
+
+t11FcSpAuRcvRejNotifyEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "An indication of whether or not the entity should issue
+ t11FcSpAuRejectReceivedNotify notifications on the receipt
+ of AUTH_Reject/SW_RJT/LS_RJT messages.
+
+ If the value of the object is 'true', then this type of
+ notification is generated. If the value is 'false',
+ this type of notification is not generated."
+ DEFVAL { false }
+ ::= { t11FcSpAuEntityEntry 6 }
+
+
+
+De Santi, et al. Standards Track [Page 38]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpAuDefaultLifetime OBJECT-TYPE
+ SYNTAX T11FcSpLifetimeLeft
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "When the value of this object is non-zero, it specifies the
+ default value of a lifetime, specified in units given by
+ the corresponding instance of t11FcSpAuDefaultLifetimeUnits.
+ This default lifetime is to be used for any Security
+ Association that has no explicitly specified value for its
+ lifetime.
+
+ An SA's lifetime is either the time interval or the number
+ of passed bytes, after which the SA has to be terminated and
+ (if necessary) replaced with a new SA.
+
+ If this object is zero, then there is no default value for
+ lifetime."
+ DEFVAL { 28800 } -- 8 hours (in units of seconds)
+ ::= { t11FcSpAuEntityEntry 7 }
+
+t11FcSpAuDefaultLifetimeUnits OBJECT-TYPE
+ SYNTAX T11FcSpLifetimeLeftUnits
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The units in which the value of the corresponding
+ instance of t11FcSpAuDefaultLifetime specifies a
+ default lifetime for a Security Association that has
+ no explicitly-specified value for its lifetime."
+ DEFVAL { seconds }
+ ::= { t11FcSpAuEntityEntry 8 }
+
+t11FcSpAuRejectMaxRows OBJECT-TYPE
+ SYNTAX Unsigned32 (0..1000)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The maximum number of rows in the t11FcSpAuRejectTable for
+ this entity on this Fabric. If and when an AUTH message is
+ rejected, and the t11FcSpAuRejectTable already contains this
+ maximum number of rows for the specific entity and Fabric,
+ the row containing the oldest information is discarded and
+ replaced by a row containing information about the new
+ rejection.
+
+ There will be less than this maximum number of rows in
+ the t11FcSpAuRejectTable in exceptional circumstances,
+
+
+
+De Santi, et al. Standards Track [Page 39]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ e.g., after an agent restart.
+
+ In an implementation that does not support the
+ t11FcSpAuRejectTable, this object will always be zero."
+ ::= { t11FcSpAuEntityEntry 9 }
+
+t11FcSpAuDhChapHashFunctions OBJECT-TYPE
+ SYNTAX T11FcSpHashFunctions
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The hash functions that the entity supports when using
+ the DH-CHAP algorithm."
+ ::= { t11FcSpAuEntityEntry 10 }
+
+t11FcSpAuDhChapDhGroups OBJECT-TYPE
+ SYNTAX T11FcSpDhGroups
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The DH Groups that the entity supports when using the
+ DH-CHAP algorithm in FC-SP."
+ ::= { t11FcSpAuEntityEntry 11 }
+
+t11FcSpAuFcapHashFunctions OBJECT-TYPE
+ SYNTAX T11FcSpHashFunctions
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The hash functions that the entity supports when
+ specified as Protocol Parameters in the AUTH_Negotiate
+ message for FCAP in FC-SP."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.5.2.1 and table 28."
+ ::= { t11FcSpAuEntityEntry 12 }
+
+t11FcSpAuFcapCertsSignFunctions OBJECT-TYPE
+ SYNTAX T11FcSpSignFunctions
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The signature functions used within certificates that
+ the entity supports when using FCAP in FC-SP."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+
+
+
+De Santi, et al. Standards Track [Page 40]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ February 2007, section 5.5.4.2 and tables 38 & 39."
+ ::= { t11FcSpAuEntityEntry 13 }
+
+t11FcSpAuFcapDhGroups OBJECT-TYPE
+ SYNTAX T11FcSpDhGroups
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The DH Groups that the entity supports when using the
+ FCAP algorithm in FC-SP."
+ ::= { t11FcSpAuEntityEntry 14 }
+
+t11FcSpAuFcpapHashFunctions OBJECT-TYPE
+ SYNTAX T11FcSpHashFunctions
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The hash functions that the entity supports when using
+ the FCPAP algorithm in FC-SP."
+ ::= { t11FcSpAuEntityEntry 15 }
+
+t11FcSpAuFcpapDhGroups OBJECT-TYPE
+ SYNTAX T11FcSpDhGroups
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The DH Groups that the entity supports when using the
+ FCPAP algorithm in FC-SP."
+ ::= { t11FcSpAuEntityEntry 16 }
+
+--
+-- The Mapping of Authentication Entities onto Interfaces
+-- and Statistics
+--
+
+t11FcSpAuIfStatTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpAuIfStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each FC-SP Authentication entity can operate on one or more
+ interfaces, but at most one of them can operate on each
+ interface. A row in this table exists for each interface
+ to each Fabric on which each Authentication entity operates.
+
+ The objects within this table contain statistics information
+ related to FC-SP's Authentication Protocols."
+ ::= { t11FcSpAuMIBObjects 2 }
+
+
+
+De Santi, et al. Standards Track [Page 41]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpAuIfStatEntry OBJECT-TYPE
+ SYNTAX T11FcSpAuIfStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A set of Authentication Protocols statistics for an FC-SP
+ Authentication entity (identified by t11FcSpAuEntityName) on
+ one of its interfaces to a particular Fabric, which is
+ managed within the Fibre Channel management instance
+ identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
+ t11FcSpAuIfStatInterfaceIndex,
+ t11FcSpAuIfStatFabricIndex }
+ ::= { t11FcSpAuIfStatTable 1 }
+
+T11FcSpAuIfStatEntry ::= SEQUENCE {
+ t11FcSpAuIfStatInterfaceIndex InterfaceIndex,
+ t11FcSpAuIfStatFabricIndex T11FabricIndex,
+ t11FcSpAuIfStatTimeouts Counter32,
+ t11FcSpAuIfStatInAcceptedMsgs Counter32,
+ t11FcSpAuIfStatInLsSwRejectedMsgs Counter32,
+ t11FcSpAuIfStatInAuthRejectedMsgs Counter32,
+ t11FcSpAuIfStatOutAcceptedMsgs Counter32,
+ t11FcSpAuIfStatOutLsSwRejectedMsgs Counter32,
+ t11FcSpAuIfStatOutAuthRejectedMsgs Counter32
+}
+
+t11FcSpAuIfStatInterfaceIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The interface on which the FC-SP Authentication entity
+ operates and for which the statistics are collected."
+ ::= { t11FcSpAuIfStatEntry 1 }
+
+t11FcSpAuIfStatFabricIndex OBJECT-TYPE
+ SYNTAX T11FabricIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value identifying the particular Fabric for
+ which the statistics are collected."
+ ::= { t11FcSpAuIfStatEntry 2 }
+
+t11FcSpAuIfStatTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+
+
+
+De Santi, et al. Standards Track [Page 42]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages sent
+ by the particular entity on the particular Fabric on the
+ particular interface, for which no response was received
+ within a timeout period.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.11."
+ ::= { t11FcSpAuIfStatEntry 3 }
+
+t11FcSpAuIfStatInAcceptedMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages
+ received and accepted by the particular entity on the
+ particular Fabric on the particular interface.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.1."
+ ::= { t11FcSpAuIfStatEntry 4 }
+
+t11FcSpAuIfStatInLsSwRejectedMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages
+ received by the particular entity on the particular Fabric
+ on the particular interface, and rejected by a lower-level
+ (SW_RJT or LS_RJT) reject.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.1."
+
+
+
+De Santi, et al. Standards Track [Page 43]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpAuIfStatEntry 5 }
+
+t11FcSpAuIfStatInAuthRejectedMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages
+ received by the particular entity on the particular Fabric
+ on the particular interface, and rejected by an AUTH_Reject
+ message.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.1."
+ ::= { t11FcSpAuIfStatEntry 6 }
+
+t11FcSpAuIfStatOutAcceptedMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages sent
+ by the particular entity on the particular Fabric on the
+ particular interface, which were accepted by the
+ neighboring entity, i.e., not rejected by an AUTH_Reject
+ message, nor by a lower-level (SW_RJT or LS_RJT) reject.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.1."
+ ::= { t11FcSpAuIfStatEntry 7 }
+
+t11FcSpAuIfStatOutLsSwRejectedMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages sent
+ by the particular entity on the particular Fabric on the
+ particular interface, which were rejected by a lower-level
+ (SW_RJT or LS_RJT) reject.
+
+
+
+De Santi, et al. Standards Track [Page 44]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.1."
+ ::= { t11FcSpAuIfStatEntry 8 }
+
+t11FcSpAuIfStatOutAuthRejectedMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Authentication Protocol messages sent
+ by the particular entity on the particular Fabric on the
+ particular interface, which were rejected by an
+ AUTH_Reject message.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.1."
+ ::= { t11FcSpAuIfStatEntry 9 }
+
+--
+-- Information about Authentication Protocol Transactions
+-- which were recently rejected
+--
+
+t11FcSpAuRejectTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpAuRejectEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of volatile information about FC-SP Authentication
+ Protocol transactions that were recently rejected with
+ an AUTH_Reject message, or with an SW_RJT/LS_RJT.
+
+ The maximum number of rows in this table for a specific
+ entity on a specific Fabric is given by the value of the
+ corresponding instance of t11FcSpAuRejectMaxRows.
+
+ The syntax of t11FcSpAuRejTimestamp is TimeStamp, and thus
+ its value rolls over to zero after approximately 497 days.
+ To avoid any confusion due to such a rollover, rows should
+ be deleted from this table before they are 497 days old.
+
+
+
+De Santi, et al. Standards Track [Page 45]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ This table will be empty if no AUTH_Reject messages,
+ nor any SW_RJT/LS_RJT's rejecting an AUTH message,
+ have been sent or received since the last
+ re-initialization of the agent."
+ ::= { t11FcSpAuMIBObjects 3 }
+
+t11FcSpAuRejectEntry OBJECT-TYPE
+ SYNTAX T11FcSpAuRejectEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about one AUTH message (either an
+ AUTH_ELS or an AUTH_ILS) that was rejected with an
+ AUTH_Reject, SW_RJT or LS_RJT message, sent/received by
+ the entity identified by values of fcmInstanceIndex and
+ t11FcSpAuEntityName, on an interface to a particular
+ Fabric."
+ INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
+ t11FcSpAuRejInterfaceIndex, t11FcSpAuRejFabricIndex,
+ t11FcSpAuRejTimestamp }
+ ::= { t11FcSpAuRejectTable 1 }
+
+T11FcSpAuRejectEntry ::= SEQUENCE {
+ t11FcSpAuRejInterfaceIndex InterfaceIndex,
+ t11FcSpAuRejFabricIndex T11FabricIndex,
+ t11FcSpAuRejTimestamp TimeStamp,
+ t11FcSpAuRejDirection INTEGER,
+ t11FcSpAuRejType INTEGER,
+ t11FcSpAuRejAuthMsgString OCTET STRING,
+ t11FcSpAuRejReasonCode T11FcSpAuthRejectReasonCode,
+ t11FcSpAuRejReasonCodeExp T11FcSpAuthRejReasonCodeExp
+}
+
+t11FcSpAuRejInterfaceIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The interface on which the rejected AUTH message was
+ sent or received."
+ ::= { t11FcSpAuRejectEntry 1 }
+
+t11FcSpAuRejFabricIndex OBJECT-TYPE
+ SYNTAX T11FabricIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value identifying the particular Fabric on
+
+
+
+De Santi, et al. Standards Track [Page 46]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ which the rejected AUTH message was sent or received."
+ ::= { t11FcSpAuRejectEntry 2 }
+
+t11FcSpAuRejTimestamp OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The time at which the AUTH message was rejected. If two
+ rows have the same value of this object for the same
+ entity on the same interface and Fabric, the value of
+ this object for the later one is incremented by one."
+ ::= { t11FcSpAuRejectEntry 3 }
+
+t11FcSpAuRejDirection OBJECT-TYPE
+ SYNTAX INTEGER { sent(1), received(2) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of whether the rejection was sent or
+ received by the identified entity.
+
+ The value 'sent(1)' corresponds to a notification of
+ type t11FcSpAuRejectSentNotify; the value 'received(2)'
+ corresponds to t11FcSpAuRejectReceivedNotify."
+ ::= { t11FcSpAuRejectEntry 4 }
+
+t11FcSpAuRejType OBJECT-TYPE
+ SYNTAX INTEGER {
+ authReject(1),
+ swRjt(2),
+ lsRjt(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of whether the rejection was an
+ AUTH_Reject, an SW_RJT or an LS_RJT."
+ ::= { t11FcSpAuRejectEntry 5 }
+
+t11FcSpAuRejAuthMsgString OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..255))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The binary content of the AUTH message that was
+ rejected, formatted as an octet string (in network
+ byte order) containing the content of the message.
+
+
+
+De Santi, et al. Standards Track [Page 47]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ If the binary content is unavailable, then the
+ length is zero. Otherwise, the first octet of the
+ message identifies the type of message:
+
+ '90'h - an AUTH_ELS, see Table 6 in FC-SP,
+ '40'h - an AUTH_ILS, see Table 3 in FC-SP, or
+ '41'h - an B_AUTH_ILS, see Table 5 in FC-SP.
+
+ and the remainder of the message may be truncated."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Tables 3, 5 and 6."
+ ::= { t11FcSpAuRejectEntry 6 }
+
+t11FcSpAuRejReasonCode OBJECT-TYPE
+ SYNTAX T11FcSpAuthRejectReasonCode
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The reason code with which this AUTH message was
+ rejected."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 17, 48, 52."
+ ::= { t11FcSpAuRejectEntry 7 }
+
+t11FcSpAuRejReasonCodeExp OBJECT-TYPE
+ SYNTAX T11FcSpAuthRejReasonCodeExp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The reason code explanation with which this AUTH
+ message was rejected."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 17, 48, 52."
+ ::= { t11FcSpAuRejectEntry 8 }
+
+--
+-- Notifications
+--
+
+t11FcSpAuRejectSentNotify NOTIFICATION-TYPE
+ OBJECTS { t11FamLocalSwitchWwn,
+ t11FcSpAuRejAuthMsgString,
+
+
+
+De Santi, et al. Standards Track [Page 48]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpAuRejType,
+ t11FcSpAuRejReasonCode,
+ t11FcSpAuRejReasonCodeExp }
+ STATUS current
+ DESCRIPTION
+ "This notification indicates that a Switch (identified
+ by the value of t11FamLocalSwitchWwn) has sent a reject
+ message of the type indicated by t11FcSpAuRejType in
+ response to an AUTH message.
+
+ The content of the rejected AUTH message is given by the
+ value of t11FcSpAuRejAuthMsgString. The values of the
+ Reason Code and Reason Code Explanation in the
+ AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of
+ t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp."
+ ::= { t11FcSpAuMIBNotifications 1 }
+
+t11FcSpAuRejectReceivedNotify NOTIFICATION-TYPE
+ OBJECTS { t11FamLocalSwitchWwn,
+ t11FcSpAuRejAuthMsgString,
+ t11FcSpAuRejType,
+ t11FcSpAuRejReasonCode,
+ t11FcSpAuRejReasonCodeExp }
+ STATUS current
+ DESCRIPTION
+ "This notification indicates that a Switch (identified
+ by the value of t11FamLocalSwitchWwn) has received a
+ reject message of the type indicated by t11FcSpAuRejType
+ in response to an AUTH message.
+
+ The content of the rejected AUTH message is given by the
+ value of t11FcSpAuRejAuthMsgString. The values of the
+ Reason Code and Reason Code Explanation in the
+ AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of
+ t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp."
+ ::= { t11FcSpAuMIBNotifications 2 }
+
+--
+-- Conformance
+--
+
+t11FcSpAuMIBCompliances
+ OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 1 }
+t11FcSpAuMIBGroups
+ OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 2 }
+
+t11FcSpAuMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+
+
+
+De Santi, et al. Standards Track [Page 49]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DESCRIPTION
+ "The compliance statement for entities that
+ implement one or more of the Authentication Protocols
+ defined in FC-SP."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { t11FcSpAuGeneralGroup,
+ t11FcSpAuRejectedGroup,
+ t11FcSpAuNotificationGroup }
+
+ GROUP t11FcSpAuIfStatsGroup
+ DESCRIPTION
+ "These counters, of particular FC-SP messages and
+ events, are mandatory only for those systems that
+ count such messages/events."
+
+-- Write access is not required for any objects in this MIB module:
+
+ OBJECT t11FcSpAuStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpAuSendRejNotifyEnable
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpAuRcvRejNotifyEnable
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpAuDefaultLifetime
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpAuDefaultLifetimeUnits
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpAuRejectMaxRows
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+
+
+
+De Santi, et al. Standards Track [Page 50]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpAuMIBCompliances 1 }
+
+-- Units of Conformance
+
+t11FcSpAuGeneralGroup OBJECT-GROUP
+ OBJECTS { t11FcSpAuServerProtocol,
+ t11FcSpAuStorageType,
+ t11FcSpAuSendRejNotifyEnable,
+ t11FcSpAuRcvRejNotifyEnable,
+ t11FcSpAuDefaultLifetime,
+ t11FcSpAuDefaultLifetimeUnits,
+ t11FcSpAuRejectMaxRows,
+ t11FcSpAuDhChapHashFunctions,
+ t11FcSpAuDhChapDhGroups,
+ t11FcSpAuFcapHashFunctions,
+ t11FcSpAuFcapCertsSignFunctions,
+ t11FcSpAuFcapDhGroups,
+ t11FcSpAuFcpapHashFunctions,
+ t11FcSpAuFcpapDhGroups,
+ t11FcSpAuIfStatTimeouts }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for the capabilities and
+ configuration parameters of FC-SP's Authentication
+ Protocols. The inclusion of t11FcSpAuIfStatTimeouts
+ in this group provides information on mappings of
+ Authentication entities onto interfaces."
+ ::= { t11FcSpAuMIBGroups 1 }
+
+t11FcSpAuIfStatsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpAuIfStatInAcceptedMsgs,
+ t11FcSpAuIfStatInLsSwRejectedMsgs,
+ t11FcSpAuIfStatInAuthRejectedMsgs,
+ t11FcSpAuIfStatOutAcceptedMsgs,
+ t11FcSpAuIfStatOutLsSwRejectedMsgs,
+ t11FcSpAuIfStatOutAuthRejectedMsgs }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for monitoring the
+ operations of FC-SP's Authentication Protocols."
+ ::= { t11FcSpAuMIBGroups 2 }
+
+t11FcSpAuRejectedGroup OBJECT-GROUP
+ OBJECTS { t11FcSpAuRejDirection,
+ t11FcSpAuRejType,
+ t11FcSpAuRejAuthMsgString,
+ t11FcSpAuRejReasonCode,
+ t11FcSpAuRejReasonCodeExp }
+
+
+
+De Santi, et al. Standards Track [Page 51]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "A collection of objects holding information concerning
+ FC-SP Authentication Protocol transactions that were
+ recently rejected with an AUTH_Reject, with an SW_RJT,
+ or with an LS_RJT."
+ ::= { t11FcSpAuMIBGroups 3 }
+
+t11FcSpAuNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { t11FcSpAuRejectSentNotify,
+ t11FcSpAuRejectReceivedNotify }
+ STATUS current
+ DESCRIPTION
+ "A collection of notifications for use in the management
+ of FC-SP's Authentication Protocols."
+ ::= { t11FcSpAuMIBGroups 4 }
+
+END
+
+6.3. The T11-FC-SP-ZONING-MIB Module
+
+--*******************************************************************
+-- FC-SP Zoning
+--
+
+T11-FC-SP-ZONING-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ NOTIFICATION-TYPE, mib-2,
+ Counter32
+ FROM SNMPv2-SMI -- [RFC2578]
+ TruthValue FROM SNMPv2-TC -- [RFC2579]
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP
+ FROM SNMPv2-CONF -- [RFC2580]
+ ifIndex FROM IF-MIB -- [RFC2863]
+ t11ZsServerEntry,
+ t11ZsStatsEntry,
+ t11ZsNotifyControlEntry,
+ t11ZsFabricIndex FROM T11-FC-ZONE-SERVER-MIB -- [RFC4936]
+ T11FcSpPolicyHashValue,
+ T11FcSpPolicyHashFormat,
+ T11FcSpHashCalculationStatus
+ FROM T11-FC-SP-TC-MIB;
+
+t11FcSpZoningMIB MODULE-IDENTITY
+ LAST-UPDATED "200808200000Z"
+
+
+
+De Santi, et al. Standards Track [Page 52]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ORGANIZATION "This MIB module was developed through the
+ coordinated effort of two organizations:
+ T11 began the development and the IETF (in
+ the IMSS Working Group) finished it."
+ CONTACT-INFO
+ " Claudio DeSanti
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ EMail: cds@cisco.com
+
+ Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Email: kzm@cisco.com"
+ DESCRIPTION
+ "This MIB module specifies the extensions to the
+ T11-FC-ZONE-SERVER-MIB module that are necessary for the
+ management of Fibre Channel's FC-SP Zoning Servers, as
+ defined in the FC-SP specification.
+
+ The persistence of values written to these MIB objects is
+ the same as the persistence of the objects they extend,
+ i.e., it is given by the value of the relevant instance of
+ t11ZsServerDatabaseStorageType (defined in the
+ T11-FC-ZONE-SERVER-MIB module).
+
+ Copyright (C) The IETF Trust (2008). This version
+ of this MIB module is part of RFC 5324; see the RFC
+ itself for full legal notices."
+ REVISION "200808200000Z"
+ DESCRIPTION
+ "Initial version of this MIB module, published as RFC 5324."
+ ::= { mib-2 177 }
+
+t11FcSpZsMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 0 }
+t11FcSpZsMIBObjects OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 1 }
+t11FcSpZsMIBConformance OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 2 }
+t11FcSpZsConfiguration OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 1 }
+t11FcSpZsStatistics OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 2 }
+
+--
+-- Augmenting the table of Zone Servers
+--
+
+t11FcSpZsServerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpZsServerEntry
+
+
+
+De Santi, et al. Standards Track [Page 53]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table which provides FC-SP-specific information about
+ the Zone Servers on each Fabric in one or more Switches."
+ ::= { t11FcSpZsConfiguration 1 }
+
+t11FcSpZsServerEntry OBJECT-TYPE
+ SYNTAX T11FcSpZsServerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information relevant to FC-SP
+ for a particular Zone Server for a particular Fabric
+ on a particular Switch. The Fabric and Switch are
+ identified in the same manner as in t11ZsServerEntry."
+ AUGMENTS { t11ZsServerEntry }
+ ::= { t11FcSpZsServerTable 1 }
+
+T11FcSpZsServerEntry ::= SEQUENCE {
+ t11FcSpZsServerCapabilityObject BITS,
+ t11FcSpZsServerEnabled TruthValue,
+ t11FcSpZoneSetHashStatus T11FcSpHashCalculationStatus,
+ t11FcSpActiveZoneSetHashType T11FcSpPolicyHashFormat,
+ t11FcSpActiveZoneSetHash T11FcSpPolicyHashValue,
+ t11FcSpZoneSetDatabaseHashType T11FcSpPolicyHashFormat,
+ t11FcSpZoneSetDatabaseHash T11FcSpPolicyHashValue
+}
+
+t11FcSpZsServerCapabilityObject OBJECT-TYPE
+ SYNTAX BITS {
+ fcSpZoning(0)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Capabilities of the Zone Server for the particular Fabric
+ on the particular Switch, with respect to FC-SP Zoning:
+
+ fcSpZoning -- set to 1 to indicate the Switch is
+ capable of supporting FC-SP Zoning.
+ "
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 184."
+ ::= { t11FcSpZsServerEntry 1 }
+
+
+
+
+De Santi, et al. Standards Track [Page 54]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpZsServerEnabled OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object indicates whether the Zone Server for the
+ particular Fabric on the particular Switch, is operating in
+ FC-SP Zoning mode."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 185."
+ ::= { t11FcSpZsServerEntry 2 }
+
+t11FcSpZoneSetHashStatus OBJECT-TYPE
+ SYNTAX T11FcSpHashCalculationStatus
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "When read, the value of this object is either:
+
+ correct -- the corresponding instances of both
+ t11FcSpActiveZoneSetHash and
+ t11FcSpZoneSetDatabaseHash contain
+ the correct hash values; or
+ stale -- the corresponding instances of
+ t11FcSpActiveZoneSetHash and
+ t11FcSpZoneSetDatabaseHash contain
+ stale (possibly incorrect) values;
+
+ Writing a value of 'calculate' is a request to re-calculate
+ and update the values of the corresponding instances of both
+ t11FcSpActiveZoneSetHash and t11FcSpZoneSetDatabaseHash.
+ Writing a value of 'correct' or 'stale' to this object
+ is an error (e.g., 'wrongValue').
+
+ When the Active Zone Set and/or the Zone Set Database are
+ updated, it is common that multiple changes need to be made
+ at the same time. In such circumstances, the use of this
+ object allows the hash values to be updated only once after
+ all changes, rather than repeatedly/after each individual
+ change.
+
+ If and when the corresponding instance of
+ t11ZsServerDatabaseStorageType has the value 'permanent(4)',
+ then if write access is supported to any instance of a
+ read-write object in any row of any table governed by the
+ 'permanent' value of t11ZsServerDatabaseStorageType, then
+
+
+
+De Santi, et al. Standards Track [Page 55]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ write access to the corresponding instance of this object
+ must also be supported."
+ REFERENCE
+ "t11ZsServerDatabaseStorageType in
+ 'Fibre Channel Zone Server MIB', RFC 4936, August 2007."
+ DEFVAL { stale }
+ ::= { t11FcSpZsServerEntry 3 }
+
+t11FcSpActiveZoneSetHashType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashFormat
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The format used for the hash value contained in the
+ corresponding instance of t11FcSpActiveZoneSetHash."
+ ::= { t11FcSpZsServerEntry 4 }
+
+t11FcSpActiveZoneSetHash OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of the hash for the current Active Zone Set.
+ The format of this value is given by the corresponding
+ instance of t11FcSpActiveZoneSetHashType."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 187."
+ ::= { t11FcSpZsServerEntry 5 }
+
+t11FcSpZoneSetDatabaseHashType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashFormat
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The format used for the hash value contained in the
+ corresponding instance of t11FcSpZoneSetDatabaseHash."
+ ::= { t11FcSpZsServerEntry 6 }
+
+t11FcSpZoneSetDatabaseHash OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of the hash for the current Zone Set Database.
+ The format of this value is given by the corresponding
+ instance of t11FcSpZoneSetDatabaseHashType."
+
+
+
+De Santi, et al. Standards Track [Page 56]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Table 187."
+ ::= { t11FcSpZsServerEntry 7 }
+
+--
+-- Additional Statistics for FC-SP Zoning
+--
+
+t11FcSpZsStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpZsStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of statistics specific to FC-SP that are
+ maintained by Zone Servers."
+ ::= { t11FcSpZsStatistics 1 }
+
+t11FcSpZsStatsEntry OBJECT-TYPE
+ SYNTAX T11FcSpZsStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A set of statistics specific to FC-SP for a particular
+ Zone Server for a particular Fabric on a particular Switch.
+ The Fabric and Switch are identified in the same manner as
+ in t11ZsStatsEntry."
+ AUGMENTS { t11ZsStatsEntry }
+ ::= { t11FcSpZsStatsTable 1 }
+
+T11FcSpZsStatsEntry ::= SEQUENCE {
+ t11FcSpZsSPCMITrequestsSent Counter32,
+ t11FcSpZsSPCMITrequestsAccepted Counter32,
+ t11FcSpZsSPCMITrequestsRejected Counter32,
+ t11FcSpZsZcpRequestsSent Counter32,
+ t11FcSpZsZcpRequestsAccepted Counter32,
+ t11FcSpZsZcpRequestsRejected Counter32,
+ t11FcSpZsZirRequestsAccepted Counter32,
+ t11FcSpZsZirRequestsRejected Counter32
+}
+
+t11FcSpZsSPCMITrequestsSent OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of SP Commit Zone Changes (SPCMIT) operation
+
+
+
+De Santi, et al. Standards Track [Page 57]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ requests sent by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 1 }
+
+t11FcSpZsSPCMITrequestsAccepted OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of SP Commit Zone Changes (SPCMIT) operation
+ requests received and accepted by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 2 }
+
+t11FcSpZsSPCMITrequestsRejected OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of SP Commit Zone Changes (SPCMIT) operation
+ requests received but rejected by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 3 }
+
+t11FcSpZsZcpRequestsSent OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Zoning Check Protocol (ZCP) requests sent
+ by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 4 }
+
+t11FcSpZsZcpRequestsAccepted OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Zoning Check Protocol (ZCP) requests received
+
+
+
+De Santi, et al. Standards Track [Page 58]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ and accepted by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 5 }
+
+t11FcSpZsZcpRequestsRejected OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Zoning Check Protocol (ZCP) requests received
+ but rejected by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 6 }
+
+t11FcSpZsZirRequestsAccepted OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Zoning Information Request (ZIR) requests
+ received and accepted by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 7 }
+
+t11FcSpZsZirRequestsRejected OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Zoning Information Request (ZIR) requests
+ received but rejected by the Zone Server.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ ::= { t11FcSpZsStatsEntry 8 }
+
+--
+-- Enable/Disable for Notifications
+--
+
+t11FcSpZsNotifyControlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpZsNotifyControlEntry
+
+
+
+De Santi, et al. Standards Track [Page 59]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of control information for notifications
+ generated due to Zone Server events related to
+ FC-SP Zoning."
+ ::= { t11FcSpZsConfiguration 2 }
+
+t11FcSpZsNotifyControlEntry OBJECT-TYPE
+ SYNTAX T11FcSpZsNotifyControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry is an augmentation of the notification control
+ information for a Zone Server for a particular Fabric on a
+ particular Switch. The Fabric and Switch are identified in
+ the same manner as in t11ZsNotifyControlEntry."
+ AUGMENTS { t11ZsNotifyControlEntry }
+ ::= { t11FcSpZsNotifyControlTable 1 }
+
+T11FcSpZsNotifyControlEntry ::= SEQUENCE {
+ t11FcSpZsNotifyJoinSuccessEnable TruthValue,
+ t11FcSpZsNotifyJoinFailureEnable TruthValue
+}
+
+t11FcSpZsNotifyJoinSuccessEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether
+ t11FcSpZsFabricJoinFailureNotify notifications should be
+ generated by the Zone Server for this Fabric."
+ ::= { t11FcSpZsNotifyControlEntry 1 }
+
+t11FcSpZsNotifyJoinFailureEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether
+ t11FcSpZsFabricJoinSuccessNotify notifications should be
+ generated by the Zone Server for this Fabric."
+ ::= { t11FcSpZsNotifyControlEntry 2 }
+
+--
+-- Notifications
+--
+
+
+
+De Santi, et al. Standards Track [Page 60]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpZsFabricJoinSuccessNotify NOTIFICATION-TYPE
+ OBJECTS { ifIndex, t11ZsFabricIndex }
+ STATUS current
+ DESCRIPTION
+ "This notification indicates that a Switch that is part
+ of one Fabric (indicated by the value of t11ZsFabricIndex)
+ has successfully joined (on the interface indicated by the
+ value of ifIndex) with a Switch that is part of another
+ Fabric.
+
+ If multiple Virtual Fabrics are configured on an interface,
+ and all are successfully joined at the same time, and if
+ the agent so chooses, then it can generate just one
+ notification in which t11ZsFabricIndex has the value 4096."
+ ::= { t11FcSpZsMIBNotifications 1 }
+
+t11FcSpZsFabricJoinFailureNotify NOTIFICATION-TYPE
+ OBJECTS { ifIndex, t11ZsFabricIndex }
+ STATUS current
+ DESCRIPTION
+ "This notification indicates that an E_Port on the local
+ Switch has entered the Isolated state because a join
+ between two Fabrics failed. The failure occurred on the
+ local Fabric indicated by the value of t11ZsFabricIndex,
+ on the interface indicated by the value of ifIndex.
+
+ If multiple Virtual Fabrics are configured on an interface,
+ and all have a failure to join at the same time, and if the
+ agent so chooses, then it can generate just one notification
+ in which t11ZsFabricIndex has the value 4096."
+ ::= { t11FcSpZsMIBNotifications 2 }
+
+--
+-- Conformance
+--
+
+t11FcSpZsMIBCompliances
+ OBJECT IDENTIFIER ::= { t11FcSpZsMIBConformance 1 }
+t11FcSpZsMIBGroups OBJECT IDENTIFIER ::= { t11FcSpZsMIBConformance 2 }
+
+t11FcSpZsMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities that
+ implement the extensions specified in FC-SP for
+ Fibre Channel's Zone Server."
+
+ MODULE -- this module
+
+
+
+De Santi, et al. Standards Track [Page 61]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MANDATORY-GROUPS { t11FcSpZsObjectsGroup,
+ t11FcSpZsNotificationControlGroup,
+ t11FcSpZsNotificationGroup }
+
+ GROUP t11FcSpZsStatisticsGroup
+ DESCRIPTION
+ "These counters, containing Zone Server statistics,
+ are mandatory only for those systems that count
+ such events."
+
+-- Write access is not required for any objects in this MIB module:
+
+ OBJECT t11FcSpZsServerEnabled
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpZoneSetHashStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpZsNotifyJoinSuccessEnable
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpZsNotifyJoinFailureEnable
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ ::= { t11FcSpZsMIBCompliances 1 }
+
+-- Units of Conformance
+
+t11FcSpZsObjectsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpZsServerCapabilityObject,
+ t11FcSpZsServerEnabled,
+ t11FcSpZoneSetHashStatus,
+ t11FcSpActiveZoneSetHashType,
+ t11FcSpActiveZoneSetHash,
+ t11FcSpZoneSetDatabaseHashType,
+ t11FcSpZoneSetDatabaseHash
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for Zone configuration
+
+
+
+De Santi, et al. Standards Track [Page 62]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ information of a Zone Server capable of
+ operating in FC-SP Zoning mode."
+ ::= { t11FcSpZsMIBGroups 1 }
+
+t11FcSpZsNotificationControlGroup OBJECT-GROUP
+ OBJECTS { t11FcSpZsNotifyJoinSuccessEnable,
+ t11FcSpZsNotifyJoinFailureEnable
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of notification control objects for
+ monitoring Zone Server failures specific to FC-SP."
+ ::= { t11FcSpZsMIBGroups 2 }
+
+t11FcSpZsStatisticsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpZsSPCMITrequestsSent,
+ t11FcSpZsSPCMITrequestsAccepted,
+ t11FcSpZsSPCMITrequestsRejected,
+ t11FcSpZsZcpRequestsSent,
+ t11FcSpZsZcpRequestsAccepted,
+ t11FcSpZsZcpRequestsRejected,
+ t11FcSpZsZirRequestsAccepted,
+ t11FcSpZsZirRequestsRejected
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for collecting Zone Server
+ statistics which are specific to FC-SP."
+ ::= { t11FcSpZsMIBGroups 3 }
+
+t11FcSpZsNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { t11FcSpZsFabricJoinSuccessNotify,
+ t11FcSpZsFabricJoinFailureNotify
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of notification(s) for monitoring
+ Zone Server events that are specific to FC-SP."
+ ::= { t11FcSpZsMIBGroups 4 }
+
+END
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 63]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+6.4. The T11-FC-SP-POLICY-MIB Module
+
+--*******************************************************************
+-- FC-SP Policy
+--
+
+T11-FC-SP-POLICY-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, mib-2,
+ Counter32, Unsigned32
+ FROM SNMPv2-SMI -- [RFC2578]
+ RowStatus, StorageType, TimeStamp,
+ TruthValue FROM SNMPv2-TC -- [RFC2579]
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP
+ FROM SNMPv2-CONF -- [RFC2580]
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
+ InetAddress, InetPortNumber,
+ InetAddressType FROM INET-ADDRESS-MIB -- [RFC4001]
+ fcmInstanceIndex,
+ FcNameIdOrZero,
+ FcDomainIdOrZero FROM FC-MGMT-MIB -- [RFC4044]
+ T11NsGs4RejectReasonCode
+ FROM T11-FC-NAME-SERVER-MIB -- [RFC4438]
+ T11FabricIndex FROM T11-TC-MIB -- [RFC4439]
+ T11FcSpAlphaNumName,
+ T11FcSpAlphaNumNameOrAbsent,
+ T11FcSpPolicyName,
+ T11FcSpPolicyNameType,
+ T11FcSpPolicyObjectType,
+ T11FcSpPolicyHashFormat,
+ T11FcSpPolicyHashValue,
+ T11FcSpHashCalculationStatus FROM T11-FC-SP-TC-MIB;
+
+t11FcSpPolicyMIB MODULE-IDENTITY
+ LAST-UPDATED "200808200000Z"
+ ORGANIZATION "This MIB module was developed through the
+ coordinated effort of two organizations:
+ T11 began the development and the IETF (in
+ the IMSS Working Group) finished it."
+ CONTACT-INFO
+ " Claudio DeSanti
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ EMail: cds@cisco.com
+
+
+
+
+De Santi, et al. Standards Track [Page 64]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Email: kzm@cisco.com"
+ DESCRIPTION
+ "This MIB module specifies the management information
+ required to manage Fabric Policies as defined by Fibre
+ Channel's FC-SP specification.
+
+ FC-SP uses the term 'Policy Objects', sometimes abbreviated
+ to just 'Objects', to refer to containers used to hold the
+ data by which Fabric Policies are specified/stored. This
+ obviously has the potential to cause confusion between
+ 'Policy Objects' and 'MIB objects'. The DESCRIPTIONs in
+ this MIB module attempt to avoid such confusion by the use
+ of different adjectives and capitalization, even though such
+ mechanisms are less effective when used in descriptors.
+
+ Some types of Policy Objects contain multiple items of
+ information, each of which are held in the same format
+ within the Policy Object. In such cases, FC-SP uses the
+ term 'Entry' to describe each instance of the common format.
+ For example, FC-SP defines an Attribute Policy Object as
+ containing one or more 'Attribute Entries'. Again, this MIB
+ module attempts to avoid confusion by the use of adjectives
+ and capitalization to distinguish an Entry within a Policy
+ Object from an entry within a MIB table.
+
+ A Fabric's database of Policy Objects consists of a set of
+ active Objects that are to be enforced by that Fabric, as
+ well as non-active Objects that are not enforced.
+ Operations defined (in FC-SP) for Policy Management are:
+
+ - Add/Get/Remove operations on individual non-active
+ Policy Objects,
+ - Activate/Deactivate operations on a Policy Summary
+ Object, and
+ - Get operations on the active Policy Summary Object
+ and/or on individual active Policy Objects.
+
+ This MIB module has five parts:
+
+ 1) Active Policy Objects - read-only MIB objects
+ representing the set of active Policy Objects for
+ each Fabric,
+
+ 2) Activate/Deactivate Operations
+
+
+
+De Santi, et al. Standards Track [Page 65]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ - a read-write MIB object to invoke an Activate
+ operation of the policies specified via a non-active
+ Policy Summary Object, and
+ - a read-write MIB object to invoke a Deactivate
+ operation.
+
+ 3) Non-active Policy Objects
+ - read-create MIB objects to allow the creation of
+ non-active Policy Summary Objects (which reference
+ non-active Policy Objects), and
+ - read-create MIB objects representing non-active
+ Policy Objects.
+
+ 4) Statistics
+
+ 5) Control information and Notifications
+
+ Copyright (C) The IETF Trust (2008). This version
+ of this MIB module is part of RFC 5324; see the RFC
+ itself for full legal notices."
+ REVISION "200808200000Z"
+ DESCRIPTION
+ "Initial version of this MIB module, published as RFC 5324."
+ ::= { mib-2 178 }
+
+t11FcSpPoMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpPolicyMIB 0 }
+t11FcSpPoMIBObjects OBJECT IDENTIFIER ::= { t11FcSpPolicyMIB 1 }
+t11FcSpPoMIBConformance OBJECT IDENTIFIER ::= { t11FcSpPolicyMIB 2 }
+t11FcSpPoActive OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 1 }
+t11FcSpPoOperations OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 2 }
+t11FcSpPoNonActive OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 3 }
+t11FcSpPoStatistics OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 4 }
+t11FcSpPoControl OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 5 }
+
+--
+-- Part 1 - Active Policy Objects
+--
+
+t11FcSpPoTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing top-level information about active
+ FC-SP policies on various Fabrics."
+ ::= { t11FcSpPoActive 1 }
+
+t11FcSpPoEntry OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 66]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSpPoEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about active FC-SP policies
+ for a particular Fabric, managed as part of the Fibre
+ Channel management instance identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex }
+ ::= { t11FcSpPoTable 1 }
+
+T11FcSpPoEntry ::= SEQUENCE {
+ t11FcSpPoFabricIndex T11FabricIndex,
+ t11FcSpPoPolicySummaryObjName T11FcSpAlphaNumName,
+ t11FcSpPoAdminFabricName FcNameIdOrZero,
+ t11FcSpPoActivatedTimeStamp TimeStamp
+}
+
+t11FcSpPoFabricIndex OBJECT-TYPE
+ SYNTAX T11FabricIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Fabric."
+ ::= { t11FcSpPoEntry 1 }
+
+t11FcSpPoPolicySummaryObjName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of this Fabric's (active) Policy Summary Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3 and table 104."
+ ::= { t11FcSpPoEntry 2 }
+
+t11FcSpPoAdminFabricName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The administratively-specified name for this Fabric, as
+ specified in the active Switch Membership List Object.
+ This value is meaningful only when Static Domain_IDs are
+ in use in a Fabric (see FC-SW-4). Static Domain_IDs are
+ administratively enabled by a setting of the Switch Flags
+
+
+
+De Santi, et al. Standards Track [Page 67]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ in each Switch Entry in the Switch Membership List Object.
+ If Static Domain_IDs are not in use, this value might be
+ '0000000000000000'h.
+
+ The t11FamEnable, t11FamFabricName, and
+ t11FamConfigDomainIdType objects defined in the
+ T11-FC-FABRIC-ADDR-MGR-MIB module are also concerned with
+ the use of an administratively-specified name for a Fabric
+ and Static Domain_IDs. When FC-SP Policy is in use in a
+ Fabric, the values of t11FamEnable, t11FamFabricName, and
+ t11FamConfigDomainIdType must be read-only and reflect the
+ active Policy Objects. For example, the value of
+ t11FamFabricName must reflect the value of
+ t11FcSpPoAdminFabricName."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 108.
+ - Fibre Channel - Switch Fabric-4 (FC-SW-4),
+ ANSI INCITS 418-2006, April 2006, section 7.1.
+ - Fibre Channel Fabric Address Manager MIB', RFC 4439,
+ March 2006."
+ ::= { t11FcSpPoEntry 3 }
+
+t11FcSpPoActivatedTimeStamp OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at which this Fabric's Policy
+ Summary Object was last activated, or zero if the same
+ Policy Summary Object has been active since the last
+ restart of the management system."
+ ::= { t11FcSpPoEntry 4 }
+
+--
+-- The table of Policy Summary Objects
+--
+
+t11FcSpPoSummaryTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoSummaryEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of information about active Policy Objects listed
+ within FC-SP Policy Summary Objects."
+ ::= { t11FcSpPoActive 2 }
+
+
+
+
+De Santi, et al. Standards Track [Page 68]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpPoSummaryEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoSummaryEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one of the active
+ Policy Objects listed within the Policy Summary Object for
+ the Fabric identified by t11FcSpPoFabricIndex and managed
+ within the Fibre Channel management instance identified by
+ fcmInstanceIndex.
+
+ How many Policy Objects of a given type can be active at
+ any one time for a given Fabric depends on the type, as
+ specified in FC-SP. For some types, it is one per Fabric;
+ for other types, more than one can be active per Fabric.
+ In both of these cases, the absence of any entries in this
+ table for a particular type is equivalent to there being one
+ Policy Object of that type that is empty, e.g., a Switch
+ Membership List Object that identifies zero Switches."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3 and table 104."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoSummaryPolicyNameType,
+ t11FcSpPoSummaryPolicyName }
+ ::= { t11FcSpPoSummaryTable 1 }
+
+T11FcSpPoSummaryEntry ::= SEQUENCE {
+ t11FcSpPoSummaryPolicyNameType T11FcSpPolicyNameType,
+ t11FcSpPoSummaryPolicyName T11FcSpPolicyName,
+ t11FcSpPoSummaryPolicyType T11FcSpPolicyObjectType,
+ t11FcSpPoSummaryHashFormat T11FcSpPolicyHashFormat,
+ t11FcSpPoSummaryHashValue T11FcSpPolicyHashValue
+}
+
+t11FcSpPoSummaryPolicyNameType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ alphaNumericName(7)
+ }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The combination of t11FcSpPoSummaryPolicyNameType and
+ t11FcSpPoSummaryPolicyName specify the name of the Policy
+ Object contained in the Policy Summary Object.
+
+
+
+
+De Santi, et al. Standards Track [Page 69]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The type of name is 'nodeName' if the value of the
+ corresponding instance of t11FcSpPoSummaryPolicyType is
+ 'switchConnectivity', or 'alphaNumericName' otherwise."
+ ::= { t11FcSpPoSummaryEntry 1 }
+
+t11FcSpPoSummaryPolicyName OBJECT-TYPE
+ SYNTAX T11FcSpPolicyName
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The combination of t11FcSpPoSummaryPolicyNameType and
+ t11FcSpPoSummaryPolicyName specify the name of the Policy
+ Object contained in the Policy Summary Object."
+ ::= { t11FcSpPoSummaryEntry 2 }
+
+t11FcSpPoSummaryPolicyType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyObjectType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 'Identifier' that specifies the type of this
+ Policy Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3.1 and table 104."
+ ::= { t11FcSpPoSummaryEntry 3 }
+
+t11FcSpPoSummaryHashFormat OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashFormat
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The format of this Policy Object's hash value as
+ contained in the corresponding instance of the
+ t11FcSpPoSummaryHashValue object."
+ ::= { t11FcSpPoSummaryEntry 4 }
+
+t11FcSpPoSummaryHashValue OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The hash value of this Policy Object, in the format
+ identified by the corresponding instance of the
+ t11FcSpPoSummaryHashFormat object."
+ ::= { t11FcSpPoSummaryEntry 5 }
+
+
+
+
+De Santi, et al. Standards Track [Page 70]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+-- Switch Entries in Active Switch Membership List Objects
+--
+
+t11FcSpPoSwMembTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoSwMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Switch Entries in active Switch Membership List
+ Objects.
+
+ One Switch Membership List Object is represented by all
+ of the rows of this table that have the same values
+ of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoActive 3 }
+
+t11FcSpPoSwMembEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoSwMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Switch Entry
+ within the active Switch Membership List Object for the
+ Fabric identified by t11FcSpPoFabricIndex and managed
+ within the Fibre Channel management instance identified
+ by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoSwMembSwitchNameType, t11FcSpPoSwMembSwitchName }
+ ::= { t11FcSpPoSwMembTable 1 }
+
+T11FcSpPoSwMembEntry ::= SEQUENCE {
+ t11FcSpPoSwMembSwitchNameType T11FcSpPolicyNameType,
+ t11FcSpPoSwMembSwitchName FcNameIdOrZero,
+ t11FcSpPoSwMembSwitchFlags BITS,
+ t11FcSpPoSwMembDomainID FcDomainIdOrZero,
+ t11FcSpPoSwMembPolicyDataRole INTEGER,
+ t11FcSpPoSwMembAuthBehaviour BITS,
+ t11FcSpPoSwMembAttribute T11FcSpAlphaNumNameOrAbsent
+}
+
+t11FcSpPoSwMembSwitchNameType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+
+
+
+De Santi, et al. Standards Track [Page 71]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ restrictedNodeName(2),
+ wildcard(5),
+ restrictedWildcard(6)
+ }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is 'nodeName' or
+ 'restrictedNodeName', then the combination of
+ this object and t11FcSpPoSwMembSwitchName specify the
+ Switch Name of this Switch Entry.
+
+ The membership is restricted or unrestricted based on the
+ name type. Restricted membership means that the Switch is
+ not allowed to be part of the Fabric unless allowed by a
+ specific Switch Connectivity Object. Unrestricted
+ membership means that the Switch is allowed to be part of
+ the Fabric unless disallowed by a specific Switch
+ Connectivity Object.
+
+ The values of 'wildcard' and 'restrictedWildcard' provide
+ the means to specify whether to allow/deny membership for
+ Switches not explicitly named in the Switch Membership
+ List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoSwMembEntry 1 }
+
+t11FcSpPoSwMembSwitchName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "When the value of t11FcSpPoSwMembSwitchNameType is
+ 'wildcard' or 'restrictedWildcard', this object has the
+ value '0000000000000000'h.
+
+ Otherwise, the combination of t11FcSpPoSwMembSwitchNameType
+ and this object specify the Switch Name of this Switch
+ Entry."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoSwMembEntry 2 }
+
+
+
+
+De Santi, et al. Standards Track [Page 72]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpPoSwMembSwitchFlags OBJECT-TYPE
+ SYNTAX BITS {
+ staticDomainID(0),
+ insistentDomainID(1),
+ serialPortsAccess(2),
+ physicalPortsAccess(3),
+ managerRole(4)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Configurable options in respect to the administration
+ of Policy Objects at this Switch:
+
+ 'staticDomainID' - if this bit is set, the Switch
+ uses the 'Static Domain_IDs behavior' (as defined in
+ FC-SW-4). This bit needs to have the same setting for all
+ Switches in a Fabric's Switch Membership List Object, or
+ else the Fabric will partition. If this bit is set, the
+ Domain_ID for the Switch is given by the corresponding
+ instance of t11FcSpPoSwMembDomainID.
+
+ 'insistentDomainID' - if this bit is set, the
+ Switch uses the 'Insistent Domain_ID behavior' (see
+ t11FamConfigDomainId of T11-FC-FABRIC-ADDR-MGR-MIB), the
+ Domain_ID for the Switch is given by the corresponding
+ instance of t11FcSpPoSwMembDomainID.
+
+ 'serialPortsAccess' - the Switch allows management
+ through serial ports when and only when this bit is set.
+
+ 'physicalPortsAccess' - the Switch allows management
+ through the physical panel when and only when this bit
+ is set.
+
+ 'managerRole' - the Switch is allowed to change
+ the Fabric Policy configuration (on receipt of any of the
+ EACA, Enhanced Stage Fabric Configuration (ESFC), Enhanced
+ Update Fabric Configuration (EUFC), ACA, SFC, or UFC
+ SW_ILSs) if and only if this bit is set.
+
+ Whenever a Fabric has Active Policy Objects, the value of
+ the t11FamConfigDomainIdType object defined in the
+ T11-FC-FABRIC-ADDR-MGR-MIB module must be read-only and
+ reflect the values of the 'staticDomainID' and
+ 'insistentDomainID' bits of this object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+
+
+
+De Santi, et al. Standards Track [Page 73]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 112.
+ - Fibre Channel - Switch Fabric-4 (FC-SW-4),
+ ANSI INCITS 418-2006, April 2006, section 7.1.
+ - t11FamConfigDomainIdType, T11-FC-FABRIC-ADDR-MGR-MIB,
+ Fibre Channel Fabric Address Manager MIB, RFC 4439."
+ ::= { t11FcSpPoSwMembEntry 3 }
+
+t11FcSpPoSwMembDomainID OBJECT-TYPE
+ SYNTAX FcDomainIdOrZero
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The specified Domain_ID value when either of the
+ 'staticDomainID' or 'insistentDomainID' bits are set in
+ the corresponding instance of t11FcSpPoSwMembSwitchFlags.
+
+ Whenever a Fabric has Active Policy Objects, the value
+ of the t11FamConfigDomainId object defined in the
+ T11-FC-FABRIC-ADDR-MGR-MIB module must be read-only and
+ reflect the value of this object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and tables 111 and 112.
+ - t11FamConfigDomainId, T11-FC-FABRIC-ADDR-MGR-MIB,
+ Fibre Channel Fabric Address Manager MIB, RFC 4439."
+ ::= { t11FcSpPoSwMembEntry 4 }
+
+t11FcSpPoSwMembPolicyDataRole OBJECT-TYPE
+ SYNTAX INTEGER {
+ client(1),
+ autonomous(2),
+ server(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The role of the Switch in terms of which Policy data
+ it retains/maintains:
+
+ 'client' - the Switch operates as a Client Switch.
+ A Client Switch maintains its own Switch Connectivity
+ Object and all Fabric-wide List Objects. If FC-SP
+ Zoning is used, a Client Switch maintains only the
+ subset of the Active Zone Set that it requires to
+ enforce the current Fabric Zoning configuration.
+
+
+
+
+De Santi, et al. Standards Track [Page 74]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ 'autonomous' - the Switch operates as an Autonomous
+ Switch. An Autonomous Switch maintains its own Switch
+ Connectivity Object and all Fabric-wide List Objects.
+ This is the same as 'client' except that if FC-SP Zoning
+ is used, an Autonomous Switch maintains a complete copy
+ of the Fabric Zoning Database.
+
+ 'server' - the Switch operates as a Server Switch.
+ A Server Switch maintains all Fabric-wide List Objects
+ and the Switch Connectivity Objects of each Switch in
+ the Fabric. If FC-SP Zoning is used, a Server Switch
+ maintains a complete copy of the Fabric Zoning Database."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 113."
+ ::= { t11FcSpPoSwMembEntry 5 }
+
+t11FcSpPoSwMembAuthBehaviour OBJECT-TYPE
+ SYNTAX BITS {
+ mustAuthenticate(0),
+ rejectIsFailure(1)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The authentication behaviour of the Switch:
+
+ 'mustAuthenticate' - if this bit is set, all connections
+ between this Switch and neighbor Switches must be
+ authenticated.
+
+ 'rejectIsFailure' - if this bit is set, the rejection of
+ an AUTH_Negotiate message must be considered as an
+ authentication failure by this Switch."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 114."
+ ::= { t11FcSpPoSwMembEntry 6 }
+
+t11FcSpPoSwMembAttribute OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumNameOrAbsent
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of an active Attribute Policy Object that is
+ defined for this Switch, or the zero-length string. The
+
+
+
+De Santi, et al. Standards Track [Page 75]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ zero-length string indicates that no Attribute Policy
+ Object is defined for this Switch."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoSwMembEntry 7 }
+
+--
+-- Node Entries in Active Node Membership List Objects
+--
+
+t11FcSpPoNoMembTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNoMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Node Entries in active Node Membership List
+ Objects.
+
+ One Node Membership List Object is represented by all
+ of the rows of this table that have the same values
+ of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ ::= { t11FcSpPoActive 4 }
+
+t11FcSpPoNoMembEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNoMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Node Entry
+ within the active Node Membership List Object for the
+ Fabric identified by t11FcSpPoFabricIndex and managed
+ within the Fibre Channel management instance identified
+ by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNoMembNodeNameType, t11FcSpPoNoMembNodeName }
+ ::= { t11FcSpPoNoMembTable 1 }
+
+T11FcSpPoNoMembEntry ::= SEQUENCE {
+ t11FcSpPoNoMembNodeNameType T11FcSpPolicyNameType,
+ t11FcSpPoNoMembNodeName FcNameIdOrZero,
+ t11FcSpPoNoMembFlags BITS,
+ t11FcSpPoNoMembCtAccessIndex Unsigned32,
+ t11FcSpPoNoMembAttribute T11FcSpAlphaNumNameOrAbsent
+}
+
+t11FcSpPoNoMembNodeNameType OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 76]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ restrictedNodeName(2),
+ portName(3),
+ restrictedPortName(4),
+ wildcard(5),
+ restrictedWildcard(6)
+ }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is 'wildcard' or
+ 'restrictedWildcard', this Node Entry applies to Nodes not
+ explicitly named in the Node Membership List Object.
+
+ Otherwise, the combination of this object and
+ t11FcSpPoNoMembNodeName specify the name of this Node Entry
+ in the active Node Membership List Object. A Node is
+ identified by its Node Name or by one or more of its Port
+ Names.
+
+ Restricted membership means that a Node is not allowed to be
+ connected to the Fabric unless allowed by a specific Switch
+ Connectivity Object. Unrestricted membership means that a
+ Node is allowed to be connected to the Fabric unless
+ disallowed by a specific Switch Connectivity Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+ ::= { t11FcSpPoNoMembEntry 1 }
+
+t11FcSpPoNoMembNodeName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of t11FcSpPoNoMembNodeNameType is
+ 'wildcard' or 'restrictedWildcard', this object has the
+ value '0000000000000000'h.
+
+ Otherwise, the combination of t11FcSpPoNoMembNodeNameType
+ and this object specify the name of this Node Entry is the
+ active Node Membership List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+
+
+
+De Santi, et al. Standards Track [Page 77]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpPoNoMembEntry 2 }
+
+t11FcSpPoNoMembFlags OBJECT-TYPE
+ SYNTAX BITS {
+ scsiEnclosureAccess(0),
+ authenticationRequired(1)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Configurable options in respect to the administration
+ of Policy Objects at this Node:
+
+ 'scsiEnclosureAccess' - the Node is allowed to
+ control any Switch through SCSI Enclosure Services if this
+ bit is set. If a Switch does not support SCSI Enclosure
+ Services, this bit is ignored.
+
+ 'authenticationRequired' - the Node is required to
+ authenticate itself to any Switch to which it is connected
+ if and only if this bit is set."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 118."
+ ::= { t11FcSpPoNoMembEntry 3 }
+
+t11FcSpPoNoMembCtAccessIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (0..4294967295)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is zero, then access by this
+ Node to Generic Services is not limited by a Common
+ Transport Access Specifier.
+
+ Otherwise, the limits are specified by the set of Common
+ Transport Access Descriptors contained in those rows of
+ the t11FcSpPoCtDescrTable for the same Fabric and for which
+ the value of t11FcSpPoCtDescrSpecifierIndex is the same as
+ the value of this object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.4.1 and tables 118/119/120/121."
+ ::= { t11FcSpPoNoMembEntry 4 }
+
+t11FcSpPoNoMembAttribute OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 78]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSpAlphaNumNameOrAbsent
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of an active Attribute Policy Object that is
+ defined for this Node, or the zero-length string. The
+ zero-length string indicates that no Attribute Policy
+ Object is defined for this Node."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+ ::= { t11FcSpPoNoMembEntry 5 }
+
+--
+--
+-- Common Transport Access Descriptors
+--
+
+t11FcSpPoCtDescrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoCtDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Common Transport Access Descriptors being used
+ within active Policy Objects.
+
+ A Common Transport Access Specifier is a list of Common
+ Transport Access Descriptors that specify whether a Node
+ is allowed to access a Generic Service or Sub-Server.
+
+ An active Common Transport Access Specifier is represented
+ by all rows of this table that have the same values of
+ fcmInstanceIndex, t11FcSpPoFabricIndex, and
+ t11FcSpPoCtDescrSpecifierIndex."
+ ::= { t11FcSpPoActive 5 }
+
+t11FcSpPoCtDescrEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoCtDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Common
+ Transport Access Descriptor of an active Common Transport
+ Access Specifier used within the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+
+
+
+De Santi, et al. Standards Track [Page 79]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoCtDescrSpecifierIndex, t11FcSpPoCtDescrIndex }
+ ::= { t11FcSpPoCtDescrTable 1 }
+
+T11FcSpPoCtDescrEntry ::= SEQUENCE {
+ t11FcSpPoCtDescrSpecifierIndex Unsigned32,
+ t11FcSpPoCtDescrIndex Unsigned32,
+ t11FcSpPoCtDescrFlags BITS,
+ t11FcSpPoCtDescrGsType OCTET STRING,
+ t11FcSpPoCtDescrGsSubType OCTET STRING
+}
+
+t11FcSpPoCtDescrSpecifierIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Common Transport Access Specifier within a Fabric."
+ ::= { t11FcSpPoCtDescrEntry 1 }
+
+t11FcSpPoCtDescrIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Common Transport Access Descriptor within a Common Transport
+ Access Specifier."
+ ::= { t11FcSpPoCtDescrEntry 2 }
+
+t11FcSpPoCtDescrFlags OBJECT-TYPE
+ SYNTAX BITS {
+ allow(0),
+ gsTypeWildcard(1),
+ gsSubTypeWildcard(2),
+ readOnly(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The flag bits that specify how access is to be limited by
+ this Common Transport Access Descriptor:
+
+ - allow -- access to the specified Generic Service and
+ Server is allowed if this bit is set, and is to be denied
+ if this bit is not set.
+
+ - gsTypeWildcard -- if this bit is set, the Generic Service
+
+
+
+De Santi, et al. Standards Track [Page 80]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ to be allowed/denied is specified by the value of
+ t11FcSpPoCtDescrGsType. If this bit is set, then the
+ gsSubTypeWildcard bit must not be set.
+
+ - gsSubTypeWildcard -- if this bit is set, the Generic
+ Service to be allowed/denied is specified by the value of
+ t11FcSpPoCtDescrGsSubType. If this bit is set, then the
+ gsTypeWildcard bit must not be set.
+
+ - readOnly -- if this bit is set, then access is to be
+ granted only for reading."
+ ::= { t11FcSpPoCtDescrEntry 3 }
+
+t11FcSpPoCtDescrGsType OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The GS_Type of the Generic Service (e.g., the FC-GS-5
+ Management Service) that is subject to access control.
+ This value is ignored if the gsTypeWildcard bit is not set
+ in the corresponding value of t11FcSpPoCtDescrFlags."
+ REFERENCE
+ "- Fibre Channel - Generic Services-5 (FC-GS-5),
+ ANSI INCITS 427-2006, section 4.3.2.4."
+ ::= { t11FcSpPoCtDescrEntry 4 }
+
+t11FcSpPoCtDescrGsSubType OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The GS_Subtype of the Generic Server (e.g., the Fabric Zone
+ Server) that is subject to access control. This value is
+ ignored if the gsSubTypeWildcard bit is not set in the
+ corresponding value of t11FcSpPoCtDescrFlags."
+ REFERENCE
+ "- Fibre Channel - Generic Services-5 (FC-GS-5),
+ ANSI INCITS 427-2006, section 4.3.2.5."
+ ::= { t11FcSpPoCtDescrEntry 5 }
+
+--
+--
+-- Switches/Nodes in Active Switch Connectivity Objects
+--
+
+t11FcSpPoSwConnTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoSwConnEntry
+
+
+
+De Santi, et al. Standards Track [Page 81]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of active Switch Connectivity Objects.
+
+ A Switch Connectivity Object defines to which other
+ Switches or Nodes a particular Switch may/may not be
+ connected at the Node level and/or at the Port level."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1, tables 123/124."
+ ::= { t11FcSpPoActive 6 }
+
+t11FcSpPoSwConnEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoSwConnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains the name of either a Switch or a Node
+ with which any port of a particular Switch, or a particular
+ port of that Switch, is allowed or not allowed to be
+ connected.
+
+ The particular Switch is on the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoSwConnSwitchName, t11FcSpPoSwConnAllowedType,
+ t11FcSpPoSwConnPortNameOrAll,
+ t11FcSpPoSwConnAllowedIndex }
+ ::= { t11FcSpPoSwConnTable 1 }
+
+T11FcSpPoSwConnEntry ::= SEQUENCE {
+ t11FcSpPoSwConnSwitchName FcNameIdOrZero,
+ t11FcSpPoSwConnAllowedType INTEGER,
+ t11FcSpPoSwConnPortNameOrAll FcNameIdOrZero,
+ t11FcSpPoSwConnAllowedIndex Unsigned32,
+ t11FcSpPoSwConnAllowedNameType T11FcSpPolicyNameType,
+ t11FcSpPoSwConnAllowedName T11FcSpPolicyName
+}
+
+t11FcSpPoSwConnSwitchName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the particular Switch for which this Switch
+
+
+
+De Santi, et al. Standards Track [Page 82]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Connectivity Object specifies topology restrictions."
+ ::= { t11FcSpPoSwConnEntry 1 }
+
+t11FcSpPoSwConnAllowedType OBJECT-TYPE
+ SYNTAX INTEGER { switch(1), node(2) }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether this row refers to
+ Switch-to-Switch or Switch-to-Node connectivity, i.e.,
+ whether the corresponding instance of
+ t11FcSpPoSwConnAllowedName specifies the name of a Switch
+ or the name of a Node."
+ ::= { t11FcSpPoSwConnEntry 2 }
+
+t11FcSpPoSwConnPortNameOrAll OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE(0 | 8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object specifies either the particular port to which
+ this topology restriction applies, or if the value is the
+ zero-length string, that the topology restriction applies
+ to all ports on the particular Switch.
+
+ In the FC-SP Policy Database, restrictions for a particular
+ port are formatted within a Port Connectivity Entry of a
+ Switch Connectivity Object, whereas restrictions for all
+ ports on the Switch are specified in the main part of a
+ Switch Connectivity Object, i.e., not in a Port Connectivity
+ Entry."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1, tables 123/124."
+ ::= { t11FcSpPoSwConnEntry 3 }
+
+t11FcSpPoSwConnAllowedIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "When multiple rows in this table apply to the same
+ port(s) in the same Switch's Switch Connectivity Object,
+ this object provides a unique index value to distinguish
+ between such rows."
+ ::= { t11FcSpPoSwConnEntry 4 }
+
+
+
+
+De Santi, et al. Standards Track [Page 83]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpPoSwConnAllowedNameType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ restrictedNodeName(2),
+ portName(3),
+ restrictedPortName(4),
+ wildcard(5),
+ restrictedWildcard(6)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is 'wildcard' or
+ 'restrictedWildcard', this row specifies whether
+ connectivity is allowed/not allowed with entities not
+ explicitly named by other rows.
+
+ Otherwise, the combination of t11FcSpPoSwConnAllowedNameType
+ and t11FcSpPoSwConnAllowedName specify the name of:
+
+ - a Switch (if t11FcSpPoSwConnAllowedType = 'switch'), or
+ - a Node (if t11FcSpPoSwConnAllowedType = 'node')
+
+ to which connectivity is:
+
+ - allowed by 'nodeName' and 'portName',
+ - not allowed by 'restrictedNodeName' and
+ 'restrictedPortName'."
+ ::= { t11FcSpPoSwConnEntry 5 }
+
+t11FcSpPoSwConnAllowedName OBJECT-TYPE
+ SYNTAX T11FcSpPolicyName (SIZE (8))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the value of t11FcSpPoSwConnAllowedNameType is
+ 'wildcard' or 'restrictedWildcard', this object has the
+ value '0000000000000000'h.
+
+ Otherwise, the combination of t11FcSpPoSwConnAllowedNameType
+ and t11FcSpPoSwConnAllowedName specify the name of:
+
+ - a Switch (if t11FcSpPoSwConnAllowedType = 'switch'), or
+ - a Node (if t11FcSpPoSwConnAllowedType = 'node')
+
+ to which connectivity is allowed/restricted."
+ ::= { t11FcSpPoSwConnEntry 6 }
+
+
+
+
+De Santi, et al. Standards Track [Page 84]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+-- IP Management Entries in Active IP Management List Objects
+--
+
+t11FcSpPoIpMgmtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoIpMgmtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of IP Management Entries in active IP Management
+ List Objects. An IP Management List Object is a
+ Fabric-wide Policy Object that describes which IP hosts
+ are allowed to manage a Fabric.
+
+ One IP Management List Object is represented by all
+ of the rows of this table that have the same values
+ of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7"
+ ::= { t11FcSpPoActive 7 }
+
+t11FcSpPoIpMgmtEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoIpMgmtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one IP Management
+ Entry within the active IP Management List Object for the
+ Fabric identified by t11FcSpPoFabricIndex and managed
+ within the Fibre Channel management instance identified
+ by fcmInstanceIndex.
+
+ The Policy Object Name of an IP Management Entry Policy
+ Object is either an IPv6 Address Range or an IPv4 Address
+ Range, where in each case, the range is specified as two
+ addresses: the low and high ends of the range. In
+ particular, since the Policy Object Name in this situation
+ can only be an IPv6 Address Range or an IPv4 Address Range,
+ it is represented here by three MIB objects defined as a
+ (InetAddressType, InetAddress, InetAddress) tuple, in which
+ the first address is the low end of the range, the second
+ address is the high end of the range, and both addresses are
+ of the type designated by InetAddressType.
+
+ In theory, the use of t11FcSpPoIpMgmtEntryNameLow and
+ t11FcSpPoIpMgmtEntryNameHigh (which both have the syntax
+
+
+
+De Santi, et al. Standards Track [Page 85]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ of InetAddress) in the INDEX could cause the need for
+ excessively long OIDs. In practice, this can't happen
+ because FC-SP doesn't allow these objects to be specified
+ as DNS names."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoIpMgmtEntryNameType,
+ t11FcSpPoIpMgmtEntryNameLow,
+ t11FcSpPoIpMgmtEntryNameHigh }
+ ::= { t11FcSpPoIpMgmtTable 1 }
+
+T11FcSpPoIpMgmtEntry ::= SEQUENCE {
+ t11FcSpPoIpMgmtEntryNameType InetAddressType,
+ t11FcSpPoIpMgmtEntryNameLow InetAddress,
+ t11FcSpPoIpMgmtEntryNameHigh InetAddress,
+ t11FcSpPoIpMgmtWkpIndex Unsigned32,
+ t11FcSpPoIpMgmtAttribute T11FcSpAlphaNumNameOrAbsent
+}
+
+t11FcSpPoIpMgmtEntryNameType OBJECT-TYPE
+ SYNTAX InetAddressType
+ -- INTEGER { ipv4(1), ipv6(2) }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The combination of t11FcSpPoIpMgmtNameType,
+ t11FcSpPoIpMgmtNameLow, and t11FcSpPoIpMgmtNameHigh
+ specify the Internet address range of this IP Management
+ Entry in the IP Management List Object.
+
+ The FC-SP specification does not allow the use of a
+ DNS domain name to specify the address at the lower end
+ or at the higher end of the Internet address range, nor does
+ it allow the specification of a zone index. Therefore, the
+ type of address must be one of: 'ipv4', or 'ipv6'."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ sections 7.1.7.1 & 7.1.2, tables 103/126."
+ ::= { t11FcSpPoIpMgmtEntry 1 }
+
+t11FcSpPoIpMgmtEntryNameLow OBJECT-TYPE
+ SYNTAX InetAddress (SIZE(4 | 16))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The lower end of an Internet address range. The type
+ of this address is given by the corresponding instance
+ of t11FcSpPoIpMgmtEntryNameType.
+
+
+
+De Santi, et al. Standards Track [Page 86]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The combination of t11FcSpPoIpMgmtNameType,
+ t11FcSpPoIpMgmtNameLow, and t11FcSpPoIpMgmtNameHigh
+ specify the Internet address range of this IP Management
+ Entry in the IP Management List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ sections 7.1.7.1 & 7.1.2, tables 103/126."
+ ::= { t11FcSpPoIpMgmtEntry 2 }
+
+t11FcSpPoIpMgmtEntryNameHigh OBJECT-TYPE
+ SYNTAX InetAddress (SIZE(4 | 16))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The higher end of an Internet address range. The type
+ of this address is given by the corresponding instance
+ of t11FcSpPoIpMgmtEntryNameType.
+
+ The combination of t11FcSpPoIpMgmtNameType,
+ t11FcSpPoIpMgmtNameLow, and t11FcSpPoIpMgmtNameHigh
+ specify the Internet address range of this IP Management
+ Entry in the IP Management List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 7.1.7.1 & 7.1.2, tables 103/126."
+ ::= { t11FcSpPoIpMgmtEntry 3 }
+
+t11FcSpPoIpMgmtWkpIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (0..4294967295)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object identifies the restrictions for IP management
+ access by IP hosts in this range of IP addresses, specified
+ as the set of Well-Known Protocols Access Descriptors
+ contained in those rows of the t11FcSpPoWkpDescrTable for
+ which the value of t11FcSpPoWkpDescrSpecifierIndex is the
+ same as the value of this object. A value of zero indicates
+ that this IP Management Entry does not identify a Well-Known
+ Protocols Access Specifier."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and tables 127/129."
+ ::= { t11FcSpPoIpMgmtEntry 4 }
+
+
+
+
+De Santi, et al. Standards Track [Page 87]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpPoIpMgmtAttribute OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumNameOrAbsent
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of an active Attribute Policy Object that is
+ defined for this IP Management entry or the zero-length
+ string. The zero-length string indicates that no Attribute
+ Policy Object is defined for this IP Management entry."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 128."
+ ::= { t11FcSpPoIpMgmtEntry 5 }
+
+--
+-- Well-Known Protocol Access Descriptors
+--
+
+t11FcSpPoWkpDescrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoWkpDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of the Well-Known Protocol Access Descriptors
+ being used within active Policy Objects.
+
+ A Well-Known Protocol Access Specifier is a list of
+ Well-Known Protocol Access Descriptors each of which
+ specifies a protocol number, a port number, and/or various
+ flags specifying how IP management access is restricted.
+
+ A Well-Known Protocol Transport Access Specifier is
+ represented by all rows of this table that have the
+ same values of fcmInstanceIndex, t11FcSpPoFabricIndex,
+ and t11FcSpPoWkpDescrSpecifierIndex."
+ ::= { t11FcSpPoActive 8 }
+
+t11FcSpPoWkpDescrEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoWkpDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Well-Known
+ Protocol Access Descriptor of a Well-Known Protocol
+ Access Specifier used within the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex."
+
+
+
+De Santi, et al. Standards Track [Page 88]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoWkpDescrSpecifierIndex, t11FcSpPoWkpDescrIndex }
+ ::= { t11FcSpPoWkpDescrTable 1 }
+
+T11FcSpPoWkpDescrEntry ::= SEQUENCE {
+ t11FcSpPoWkpDescrSpecifierIndex Unsigned32,
+ t11FcSpPoWkpDescrIndex Unsigned32,
+ t11FcSpPoWkpDescrFlags BITS,
+ t11FcSpPoWkpDescrWkpNumber Unsigned32,
+ t11FcSpPoWkpDescrDestPort InetPortNumber
+}
+
+t11FcSpPoWkpDescrSpecifierIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Well-Known Protocol Access Specifier within a Fabric."
+ ::= { t11FcSpPoWkpDescrEntry 1 }
+
+t11FcSpPoWkpDescrIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Well-Known Protocol Access Descriptor within a Well-Known
+ Protocol Access Specifier."
+ ::= { t11FcSpPoWkpDescrEntry 2 }
+
+t11FcSpPoWkpDescrFlags OBJECT-TYPE
+ SYNTAX BITS {
+ allow(0),
+ wkpWildcard(1),
+ destPortWildcard(2),
+ readOnly(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The flag bits that specify how access is to be limited by
+ this Well-Known Protocol Access Descriptor:
+
+ - allow -- IP management access using this protocol/port
+ is allowed if this bit is set, and to be denied if this
+ bit is not set.
+
+
+
+
+De Santi, et al. Standards Track [Page 89]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ - wkpWildcard -- if this bit is set, the IP Protocol number
+ of the Well-Known Protocol to be allowed/denied is
+ specified by the value of t11FcSpPoWkpDescrWkpNumber.
+
+ - destPortWildcard -- if this bit is set, the Destination
+ (TCP/UDP) Port number of the Well-Known Protocol to be
+ allowed/denied is specified by the value of
+ t11FcSpPoWkpDescrDestPort.
+
+ - readOnly -- if this bit is set, then access is to be
+ granted only for reading."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 131."
+ ::= { t11FcSpPoWkpDescrEntry 3 }
+
+t11FcSpPoWkpDescrWkpNumber OBJECT-TYPE
+ SYNTAX Unsigned32 (0..255)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When the 'wkpWildcard' bit is set in the corresponding
+ instance of t11FcSpPoWkpDescrFlags, this object specifies
+ the IP protocol number of the Well-Known Protocol."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 131.
+ - http://www.iana.org/assignments/protocol-numbers."
+ ::= { t11FcSpPoWkpDescrEntry 4 }
+
+t11FcSpPoWkpDescrDestPort OBJECT-TYPE
+ SYNTAX InetPortNumber
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When the 'destPortWildcard' bit is set in the corresponding
+ instance of t11FcSpPoWkpDescrFlags, this object specifies
+ the Destination (TCP/UDP) Port number of the Well-Known
+ Protocol. When the 'destPortWildcard' bit is reset, this
+ object is ignored (and can have the value zero)."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 131.
+ - http://www.iana.org/assignments/port-numbers."
+ ::= { t11FcSpPoWkpDescrEntry 5 }
+
+
+
+De Santi, et al. Standards Track [Page 90]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+-- Attribute Entries in Active Attribute Policy Objects
+--
+
+t11FcSpPoAttribTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoAttribEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of the Attribute Policy Objects being used within
+ active Policy Objects. In the FC-SP Policy Database, each
+ Attribute Policy Object consists of an Attribute Object Name
+ and a set of Attribute Entries.
+
+ An active Attribute Policy Object is represented by all the
+ Attribute Entries in this table that have the same value
+ of t11FcSpPoAttribName."
+ ::= { t11FcSpPoActive 9 }
+
+t11FcSpPoAttribEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoAttribEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each row contains information specific to an Attribute
+ Entry contained within an Attribute Policy Object that is
+ active within the Fabric identified by t11FcSpPoFabricIndex
+ and managed within the Fibre Channel management instance
+ identified by fcmInstanceIndex.
+
+ For some types of Attribute Policy Objects, it is valuable
+ to break out some semantically significant parts of the
+ Policy Object's value into their own individual MIB
+ objects; for example, to extract the one or more individual
+ Authentication Protocol Identifiers and associated
+ Authentication Protocol Parameters out of an Attribute
+ Object containing a 'AUTH_Negotiate Message Payload'.
+ For such types, another MIB table is defined to hold the
+ extracted values in MIB objects specific to the Attribute
+ Policy Object's type. In such cases, the
+ t11FcSpPoAttribExtension object in this table points to the
+ other MIB table.
+
+ If the value of one Attribute Entry is too large (more than
+ 256 bytes) to be contained within the value of one instance
+ of t11FcSpPoAttribValue, then one row in this table contains
+ the first 256 bytes, and one (or more) other row(s) in this
+ table contain the rest of the value."
+
+
+
+De Santi, et al. Standards Track [Page 91]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoAttribName, t11FcSpPoAttribEntryIndex,
+ t11FcSpPoAttribPartIndex }
+ ::= { t11FcSpPoAttribTable 1 }
+
+T11FcSpPoAttribEntry ::= SEQUENCE {
+ t11FcSpPoAttribName T11FcSpAlphaNumName,
+ t11FcSpPoAttribEntryIndex Unsigned32,
+ t11FcSpPoAttribPartIndex Unsigned32,
+ t11FcSpPoAttribType Unsigned32,
+ t11FcSpPoAttribValue OCTET STRING,
+ t11FcSpPoAttribExtension OBJECT IDENTIFIER
+}
+
+t11FcSpPoAttribName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the Attribute Policy Object containing one
+ or more Attribute Entries."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.8.1 and table 133."
+ ::= { t11FcSpPoAttribEntry 1 }
+
+t11FcSpPoAttribEntryIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A unique value to distinguish this Attribute Entry
+ from other Attribute Entries contained in the same
+ Attribute Policy Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.8.1, tables 133/134."
+ ::= { t11FcSpPoAttribEntry 2 }
+
+t11FcSpPoAttribPartIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "When the value of an Attribute Entry is shorter than 257
+ bytes, the whole value is contained in one instance of
+
+
+
+De Santi, et al. Standards Track [Page 92]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoAttribValue, and the value of this object is 1.
+
+ If the value of an Attribute Entry is longer than 256 bytes,
+ then that value is divided up on 256-byte boundaries such
+ that all parts are 256 bytes long except the last part, which
+ is shorter if necessary, with each such part contained in
+ a separate row of this table, and the value of this object
+ is set to the part number. That is, this object has the
+ value of 1 for bytes 0-255, the value of 2 for bytes
+ 256-511, etc."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.8.1, tables 134/135."
+ ::= { t11FcSpPoAttribEntry 3 }
+
+t11FcSpPoAttribType OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of attribute. The first type to be defined is:
+
+ t11FcSpPoAttribType t11FcSpPoAttribValue
+ =================== ====================
+ '00000001'h The AUTH_Negotiate Message Payload
+ "
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.8.1, tables 134/135 and table 10."
+ ::= { t11FcSpPoAttribEntry 4 }
+
+t11FcSpPoAttribValue OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..256))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of an Attribute Entry is divided up on 256-byte
+ boundaries such that all parts are 256 bytes long except the
+ last part, which is shorter if necessary, and each such part
+ is contained in a separate instance of this object.
+
+ The value of this object is independent of whether some
+ parts of its value are broken out into separate MIB objects
+ pointed to by the corresponding instance of
+ t11FcSpPoAttribExtension."
+ REFERENCE
+
+
+
+De Santi, et al. Standards Track [Page 93]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.8.1, tables 134/135 and table 10."
+ ::= { t11FcSpPoAttribEntry 5 }
+
+t11FcSpPoAttribExtension OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For some types of Attribute Policy Object, the value of
+ this MIB object points to type-specific MIB objects that
+ contain individual/broken-out parts of the Attribute Policy
+ Object's value. If this object doesn't point to such
+ type-specific MIB objects, then it contains the value:
+ zeroDotZero.
+
+ In particular, when the value of t11FcSpPoAttribType
+ indicates 'AUTH_Negotiate Message Payload', one or more
+ Authentication Protocol Identifiers and their associated
+ Authentication Protocol Parameters are embedded within the
+ value of the corresponding instance of t11FcSpPoAttribValue;
+ MIB objects to contain these individual values are defined
+ in the t11FcSpPoAuthProtTable. Thus, for an 'AUTH_Negotiate
+ Message Payload' Attribute, the value of this object
+ contains an OID within the t11FcSpPoAuthProtTable, e.g.,
+ of the whole table, of an individual row, or of an individual
+ instance within the table."
+ ::= { t11FcSpPoAttribEntry 6 }
+
+--
+-- Auth. Protocol Parameters in Active Attribute Policy Objects
+--
+
+t11FcSpPoAuthProtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoAuthProtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Authentication Protocol Identifier and
+ Authentication Protocol Parameters that are embedded in
+ Attribute Policy Objects being used within active Policy
+ Objects.
+
+ This table is used for Attribute Entries of Attribute Policy
+ Objects for which the value of t11FcSpPoAttribType indicates
+ 'AUTH_Negotiate Message Payload' and the value of
+ t11FcSpPoAttribExtension contains the OID of this table."
+
+
+
+De Santi, et al. Standards Track [Page 94]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ sections 5.3.2 & 7.1.8.1, tables 134/135 and tables
+ 10/11."
+ ::= { t11FcSpPoActive 10 }
+
+t11FcSpPoAuthProtEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoAuthProtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about an Authentication
+ Protocol that is extracted out of the Attribute Entry
+ (identified by t11FcSpPoAttribEntryIndex) of the Policy
+ Attribute Object (identified by t11FcSpPoAttribName), which
+ is active within the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+ If the value of one Attribute Protocol Parameters string is
+ too large (more than 256 bytes) to be contained within the
+ value of one instance of t11FcSpPoAuthProtParams, then one
+ row in this table contains the first 256 bytes, and one (or
+ more) other row(s) in this table contain the rest of the
+ value."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoAttribName, t11FcSpPoAttribEntryIndex,
+ t11FcSpPoAuthProtIdentifier,
+ t11FcSpPoAuthProtPartIndex }
+ ::= { t11FcSpPoAuthProtTable 1 }
+
+T11FcSpPoAuthProtEntry ::= SEQUENCE {
+ t11FcSpPoAuthProtIdentifier Unsigned32,
+ t11FcSpPoAuthProtPartIndex Unsigned32,
+ t11FcSpPoAuthProtParams OCTET STRING
+}
+
+t11FcSpPoAuthProtIdentifier OBJECT-TYPE
+ SYNTAX Unsigned32 (0..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The Authentication Protocol Identifier:
+
+ 1 = DH-CHAP
+ 2 = FCAP
+ 3 = FCPAP
+
+
+
+De Santi, et al. Standards Track [Page 95]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ 4 = IKEv2
+ 5 = IKEv2-AUTH
+ 240 thru 255 = Vendor Specific Protocols
+
+ all other values are 'Reserved' (by T11)."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.2, table 11."
+ ::= { t11FcSpPoAuthProtEntry 1 }
+
+t11FcSpPoAuthProtPartIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "When the value of an Attribute Protocol Parameters string
+ is shorter than 257 bytes, the whole value is contained in
+ one instance of t11FcSpPoAuthProtParams, and the value of
+ this object is 1. (This includes the case when the Attribute
+ Protocol Parameters string is zero bytes in length.)
+
+ If the value of an Authentication Protocol Parameters string
+ is longer than 256 bytes, then that value is divided up on
+ 256-byte boundaries such that all parts are 256 bytes long
+ except the last part, which is shorter if necessary, with
+ each such part contained in a separate row of this table,
+ and the value of this object is set to the part number.
+ That is, this object has the value of 1 for bytes 0-255,
+ the value of 2 for bytes 256-511, etc."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.2, table 10."
+ ::= { t11FcSpPoAuthProtEntry 2 }
+
+t11FcSpPoAuthProtParams OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..256))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of an Authentication Protocol Parameters string
+ is divided up on 256-byte boundaries such that all parts
+ are 256 bytes long except the last part, which is shorter
+ if necessary, and each such part is contained in a
+ separate instance of this object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+
+
+
+De Santi, et al. Standards Track [Page 96]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.2, table 10."
+ ::= { t11FcSpPoAuthProtEntry 3 }
+
+--
+-- Part 2 - Activate/De-Activate Operations
+--
+
+--
+-- Objects to Invoke Activate/De-Activate Operations
+--
+
+t11FcSpPoOperTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoOperEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table that allows Activate and Deactivate operations
+ to be invoked for FC-SP Policies on various Fabrics.
+
+ Activating a new policy configuration is a two-step
+ process:
+
+ 1) create a single Policy Summary Object as a set of rows
+ in the t11FcSpPoNaSummaryTable specifying a set of
+ Policy Objects that describe the new configuration; and
+ 2) activate that Policy Summary Object using the
+ t11FcSpPoOperActivate object defined in this table.
+
+ Deactivating the current policy configuration is a one-step
+ process: the current Policy Summary Object is deactivated
+ using the t11FcSpPoOperDeActivate object."
+ ::= { t11FcSpPoOperations 1 }
+
+t11FcSpPoOperEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoOperEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry allows an Activate and/or Deactivate operation
+ to be invoked on a particular Fabric, which is managed as
+ part of the Fibre Channel management instance identified
+ by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex }
+ ::= { t11FcSpPoOperTable 1 }
+
+T11FcSpPoOperEntry ::= SEQUENCE {
+ t11FcSpPoOperActivate T11FcSpAlphaNumName,
+
+
+
+De Santi, et al. Standards Track [Page 97]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoOperDeActivate T11FcSpAlphaNumName,
+ t11FcSpPoOperResult INTEGER,
+ t11FcSpPoOperFailCause SnmpAdminString
+}
+
+t11FcSpPoOperActivate OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Writing the name of a Policy Summary Object into this
+ object is a request to activate the policy configuration
+ described by the combination of all rows in
+ t11FcSpPoNaSummaryTable that have that name as their
+ value of t11FcSpPoNaSummaryName and are for the same
+ Fabric.
+
+ Before issuing such a request, the relevant rows in the
+ t11FcSpPoNaSummaryTable must exist and represent a complete
+ and consistent Policy Summary Object. If they do not, the
+ request will fail, with t11FcSpPoOperResult having the
+ 'badSummaryObject' value.
+
+ When read, the value of this object is always the zero-
+ length string.
+
+ Writing to this object does not delete (or in any way
+ affect) any rows in the MIB tables for non-active
+ Policy Objects."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.2"
+ ::= { t11FcSpPoOperEntry 1 }
+
+t11FcSpPoOperDeActivate OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Writing the current value of t11FcSpPoPolicySummaryObjName
+ into this object (for a particular Fabric) is a request
+ to deactivate that Fabric's current policy configuration.
+ Writing any other value into this object is an error
+ (e.g., 'wrongValue').
+
+ When read, the value of this object is always the zero-
+ length string."
+
+
+
+De Santi, et al. Standards Track [Page 98]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.3"
+ ::= { t11FcSpPoOperEntry 2 }
+
+t11FcSpPoOperResult OBJECT-TYPE
+ SYNTAX INTEGER {
+ activateSuccess(1),
+ badSummaryObject(2),
+ activateFailure(3),
+ deactivateSuccess(4),
+ deactivateFailure(5),
+ inProgress(6),
+ none(7)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object indicates the status/result of the last
+ activation/deactivation that was invoked via the
+ corresponding instance of t11FcSpPoOperActivate or
+ t11FcSpPoOperDeActivate.
+
+ When the value of this object is 'inProgress', the
+ values of the corresponding instances of
+ t11FcSpPoOperActivate and t11FcSpPoOperDeActivate
+ cannot be modified.
+
+ The value 'badSummaryObject' indicates an activation
+ request that did not name a complete and consistent
+ Policy Summary Object.
+
+ The value 'none' indicates activation/deactivation
+ has not been attempted since the last restart of
+ the management system."
+ ::= { t11FcSpPoOperEntry 3 }
+
+t11FcSpPoOperFailCause OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..64))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual message indicating the reason for the
+ most recent activation/deactivation failure, or the
+ zero-length string if no information is available
+ (e.g., because the corresponding instance of
+ t11FcSpPoOperResult has the value 'none').
+
+
+
+De Santi, et al. Standards Track [Page 99]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ When the corresponding instance of
+ t11FcSpPoOperResult is either 'activateFailure'
+ or 'deactivateFailure', the value of this object
+ indicates the reason for that failure."
+ ::= { t11FcSpPoOperEntry 4 }
+
+--
+-- Part 3 - Non-Active Policy Objects
+--
+
+--
+-- Non-Active Policy Summary Objects Available for Activation
+--
+
+t11FcSpPoNaSummaryTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaSummaryEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of non-active Policy Summary Objects available
+ to be activated.
+
+ The functionality of this table deviates slightly from FC-SP
+ in that FC-SP specifies that the only Policy Summary Object
+ is the Active one, i.e., FC-SP does not store non-active
+ Policy Summary Objects in the Policy Database. Instead,
+ FC-SP requires a new Policy Summary Object to be created
+ for, and embedded within, every Activate (APS) request.
+ Thus, the newly created Policy Summary Object outlasts the
+ APS request only as the new active Policy Summary Object and
+ only if the APS succeeds. In contrast, the Activate
+ operation provided by this MIB module consists of two steps:
+
+ 1) create a non-active Policy Summary Object as a set of
+ entries in this table describing a new configuration;
+ 2) activate a Policy Summary Object (stored as a set of
+ entries in this table) using t11FcSpPoOperActivate.
+
+ These two steps are only loosely connected, i.e., the result
+ of the first operation is a non-active Policy Summary Object
+ that is retained (in this table) even if it isn't
+ immediately activated. Even after an attempt to activate
+ it succeeds or fails, a non-active Policy Summary Object
+ is not deleted, but is retained and still available for
+ subsequent modification/re-use."
+ ::= { t11FcSpPoNonActive 1 }
+
+t11FcSpPoNaSummaryEntry OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 100]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSpPoNaSummaryEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one non-active
+ Policy Object within a non-active Policy Summary Object
+ defined for potential use on the Fabric identified by
+ t11FcSpPoFabricIndex, and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+ A non-active Policy Summary Object is described by a set
+ of entries in this table that have the same value of
+ t11FcSpPoNaSummaryName.
+
+ As and when a Policy Summary Object is activated using the
+ t11FcSpPoOperActivate object, if the activation is
+ successful, existing rows (if any) in MIB tables for active
+ Policy Objects are deleted and replaced by the appropriate
+ new set of rows. Existing rows in this table and/or in
+ other tables for non-active Policy Objects are not
+ affected by the activate operation.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3 and table 104."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaSummaryName, t11FcSpPoNaSummaryPolicyType,
+ t11FcSpPoNaSummaryPolicyIndex }
+ ::= { t11FcSpPoNaSummaryTable 1 }
+
+T11FcSpPoNaSummaryEntry ::= SEQUENCE {
+ t11FcSpPoNaSummaryName T11FcSpAlphaNumName,
+ t11FcSpPoNaSummaryPolicyType T11FcSpPolicyObjectType,
+ t11FcSpPoNaSummaryPolicyIndex Unsigned32,
+ t11FcSpPoNaSummaryPolicyNameType T11FcSpPolicyNameType,
+ t11FcSpPoNaSummaryPolicyName T11FcSpPolicyName,
+ t11FcSpPoNaSummaryHashStatus T11FcSpHashCalculationStatus,
+ t11FcSpPoNaSummaryHashFormat T11FcSpPolicyHashFormat,
+ t11FcSpPoNaSummaryHashValue T11FcSpPolicyHashValue,
+ t11FcSpPoNaSummaryRowStatus RowStatus
+}
+
+t11FcSpPoNaSummaryName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+
+
+
+De Santi, et al. Standards Track [Page 101]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the non-active Policy Summary Object that
+ contains this Policy Object."
+ ::= { t11FcSpPoNaSummaryEntry 1 }
+
+t11FcSpPoNaSummaryPolicyType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyObjectType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The 'Identifier' (i.e., the type) of this Policy Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.3.1 and table 104."
+ ::= { t11FcSpPoNaSummaryEntry 2 }
+
+t11FcSpPoNaSummaryPolicyIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A unique integer value to distinguish this Policy Object
+ from any others that have the same type and that are
+ contained in the same Policy Summary Object."
+ ::= { t11FcSpPoNaSummaryEntry 3 }
+
+t11FcSpPoNaSummaryPolicyNameType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ alphaNumericName(7)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The combination of t11FcSpPoNaSummaryPolicyNameType and
+ t11FcSpPoNaSummaryPolicyName specify the name of the
+ non-active Policy Object identified by this row.
+
+ The type of name must be 'nodeName' if the value of the
+ corresponding instance of t11FcSpPoNaSummaryPolicyType is
+ 'switchConnectivity', or 'alphaNumericName' otherwise."
+ ::= { t11FcSpPoNaSummaryEntry 4 }
+
+t11FcSpPoNaSummaryPolicyName OBJECT-TYPE
+ SYNTAX T11FcSpPolicyName
+
+
+
+De Santi, et al. Standards Track [Page 102]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The combination of t11FcSpPoNaSummaryPolicyNameType and
+ t11FcSpPoNaSummaryPolicyName specify the name of the
+ non-active Policy Object identified by this row."
+ ::= { t11FcSpPoNaSummaryEntry 5 }
+
+t11FcSpPoNaSummaryHashStatus OBJECT-TYPE
+ SYNTAX T11FcSpHashCalculationStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "When read, the value of this object is either:
+
+ correct -- the corresponding instance of
+ t11FcSpPoNaSummaryHashValue contains
+ the correct value; or
+ stale -- the corresponding instance of
+ t11FcSpPoNaSummaryHashValue contains
+ a stale (possibly incorrect) value;
+
+ Writing a value of 'calculate' is a request to re-calculate
+ and update the value of the corresponding instance of
+ t11FcSpPoNaSummaryHashValue. Writing a value of 'correct'
+ or 'stale' to this object is an error (e.g., 'wrongValue')."
+ DEFVAL { stale }
+ ::= { t11FcSpPoNaSummaryEntry 6 }
+
+t11FcSpPoNaSummaryHashFormat OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashFormat
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The format of this Policy Object's hash value as
+ contained in the corresponding instance of the
+ t11FcSpPoNaSummaryHashValue object."
+ DEFVAL { '00000001'h }
+ ::= { t11FcSpPoNaSummaryEntry 7 }
+
+t11FcSpPoNaSummaryHashValue OBJECT-TYPE
+ SYNTAX T11FcSpPolicyHashValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The hash value of this Policy Object, in the format
+ identified by the corresponding instance of the
+ t11FcSpPoNaSummaryHashFormat object."
+
+
+
+De Santi, et al. Standards Track [Page 103]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DEFVAL { "" }
+ ::= { t11FcSpPoNaSummaryEntry 8 }
+
+t11FcSpPoNaSummaryRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row.
+
+ Before a row in this table can have 'active' status,
+ a non-Active Policy Object must already be represented
+ in the table corresponding to the value of
+ t11FcSpPoNaSummaryPolicyType with the name given by the
+ combination of t11FcSpPoNaSummaryPolicyNameType and
+ t11FcSpPoNaSummaryPolicyName. If such a Policy Object gets
+ deleted from the relevant table, the row in this table must
+ also get deleted.
+
+ When a row has 'active' status, the only write-able MIB
+ objects in this table are t11FcSpPoNaSummaryHashStatus and
+ t11FcSpPoNaSummaryRowStatus."
+ ::= { t11FcSpPoNaSummaryEntry 9 }
+
+--
+-- Non-Active Switch Membership List Objects
+--
+
+t11FcSpPoNaSwListTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaSwListEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of non-active Switch Membership List Objects."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 108."
+ ::= { t11FcSpPoNonActive 2 }
+
+t11FcSpPoNaSwListEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaSwListEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one non-active
+ Switch Membership List Object for the Fabric identified
+ by t11FcSpPoFabricIndex and managed within the Fibre
+
+
+
+De Santi, et al. Standards Track [Page 104]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Channel management instance identified by
+ fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaSwListName }
+ ::= { t11FcSpPoNaSwListTable 1 }
+
+T11FcSpPoNaSwListEntry ::= SEQUENCE {
+ t11FcSpPoNaSwListName T11FcSpAlphaNumName,
+ t11FcSpPoNaSwListFabricName FcNameIdOrZero,
+ t11FcSpPoNaSwListRowStatus RowStatus
+}
+
+t11FcSpPoNaSwListName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the Switch Membership List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 108."
+ ::= { t11FcSpPoNaSwListEntry 1 }
+
+t11FcSpPoNaSwListFabricName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The administratively specified Fabric_Name. This value
+ is meaningful only when static Domain_IDs are used in a
+ Fabric. If Static Domain_IDs are not used, the Fabric_Name
+ is dynamically determined, in which case the value of this
+ object can be '0000000000000000'h or the zero-length
+ string."
+ REFERENCE
+ "- t11FamConfigDomainId, T11-FC-FABRIC-ADDR-MGR-MIB,
+ Fibre Channel Fabric Address Manager MIB, RFC 4439;
+ - ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, table 108."
+ ::= { t11FcSpPoNaSwListEntry 2 }
+
+t11FcSpPoNaSwListRowStatus OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 105]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time.
+
+ If a row in this table is deleted, any row in the
+ t11FcSpPoNaSwMembTable for the same Switch Membership
+ List Object will also get deleted."
+ ::= { t11FcSpPoNaSwListEntry 3 }
+
+--
+-- Switch Entries in Non-Active Switch Membership List Objects
+--
+
+t11FcSpPoNaSwMembTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaSwMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Switch Entries in non-active Switch Membership
+ List Objects."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoNonActive 3 }
+
+t11FcSpPoNaSwMembEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaSwMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Switch that
+ is listed in a Switch Entry of a non-active Switch Membership
+ List Object for the Fabric identified by t11FcSpPoFabricIndex
+ and managed within the Fibre Channel management instance
+ identified by fcmInstanceIndex.
+
+ A row cannot exist unless there is a row in
+ t11FcSpPoNaSwListTable for the given Switch Membership List
+ Object, i.e., the row in t11FcSpPoNaSwListTable for a
+ Switch Membership List Object must be created before (or
+ simultaneously with) a row in this table for a Switch
+ Entry in that Switch Membership List Object, and when a
+ row in t11FcSpPoNaSwListTable is deleted, all rows in this
+ table for Switch Entries in that Switch Membership List
+
+
+
+De Santi, et al. Standards Track [Page 106]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Object also get deleted.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaSwListName,
+ t11FcSpPoNaSwMembSwitchNameType,
+ t11FcSpPoNaSwMembSwitchName }
+ ::= { t11FcSpPoNaSwMembTable 1 }
+
+T11FcSpPoNaSwMembEntry ::= SEQUENCE {
+ t11FcSpPoNaSwMembSwitchNameType T11FcSpPolicyNameType,
+ t11FcSpPoNaSwMembSwitchName FcNameIdOrZero,
+ t11FcSpPoNaSwMembFlags BITS,
+ t11FcSpPoNaSwMembDomainID FcDomainIdOrZero,
+ t11FcSpPoNaSwMembPolicyDataRole INTEGER,
+ t11FcSpPoNaSwMembAuthBehaviour BITS,
+ t11FcSpPoNaSwMembAttribute T11FcSpAlphaNumNameOrAbsent,
+ t11FcSpPoNaSwMembRowStatus RowStatus
+}
+
+t11FcSpPoNaSwMembSwitchNameType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ restrictedNodeName(2),
+ wildcard(5),
+ restrictedWildcard(6)
+ }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is 'nodeName' or
+ 'restrictedNodeName', then the combination of
+ this object and t11FcSpPoNaSwMembSwitchName specify the
+ Switch Name of this Switch Entry.
+
+ The membership is restricted or unrestricted based on the
+ name type. Restricted membership means that the Switch is
+ not allowed to be part of the Fabric unless allowed by a
+ specific Switch Connectivity Object. Unrestricted
+ membership means that the Switch is allowed to be part of
+ the Fabric unless disallowed by a specific Switch
+ Connectivity Object.
+
+ The values of 'wildcard' and 'restrictedWildcard' provide
+ the means to specify whether to allow/deny membership for
+ Switches not explicitly named in the Switch Membership
+
+
+
+De Santi, et al. Standards Track [Page 107]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoNaSwMembEntry 1 }
+
+t11FcSpPoNaSwMembSwitchName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of t11FcSpPoSwMembSwitchNameType is
+ 'wildcard' or 'restrictedWildcard', this object has the
+ value '0000000000000000'h.
+
+ Otherwise, the combination of
+ t11FcSpPoNaSwMembSwitchNameType and this object specify the
+ Switch Name of this Switch Entry."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoNaSwMembEntry 2 }
+
+t11FcSpPoNaSwMembFlags OBJECT-TYPE
+ SYNTAX BITS {
+ staticDomainID(0),
+ insistentDomainID(1),
+ serialPortsAccess(2),
+ physicalPortsAccess(3),
+ managerRole(4)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Configurable options in respect to the administration
+ of Policy Objects at this Switch:
+
+ 'staticDomainID' - the Switch uses the 'Static
+ Domain_IDs behavior' (as defined in FC-SW-4) when this bit
+ is set. This bit should have the same setting for all
+ Switches in a Fabric's Switch Membership List Object, or
+ else the Fabric will partition. If this bit is set,
+ the 'insistentDomainID' bit must not be set.
+
+ 'insistentDomainID' - if this bit is set, the Switch
+ uses the 'Insistent Domain_IDs behavior' (as defined in
+
+
+
+De Santi, et al. Standards Track [Page 108]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ FC-SW-4), and the 'staticDomainID' bit must not be set.
+
+ 'serialPortsAccess' - the Switch allows management
+ through serial ports when and only when this bit is set.
+
+ 'physicalPortsAccess' - the Switch allows management
+ through the physical panel when and only when this bit
+ is set.
+
+ 'managerRole' - the Switch is allowed to change
+ the Fabric Policy configuration (on receipt of any of the
+ EACA, ESFC, EUFC, ACA, SFC, or UFC SW_ILSs) if this bit is
+ set."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 112."
+ ::= { t11FcSpPoNaSwMembEntry 3 }
+
+t11FcSpPoNaSwMembDomainID OBJECT-TYPE
+ SYNTAX FcDomainIdOrZero
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Domain_ID to be used when either the 'staticDomainID'
+ bit or the 'insistentDomainID' bit is set in the
+ corresponding value of t11FcSpPoNaSwMembFlags."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and tables 111 and 112."
+ ::= { t11FcSpPoNaSwMembEntry 4 }
+
+t11FcSpPoNaSwMembPolicyDataRole OBJECT-TYPE
+ SYNTAX INTEGER {
+ client(1),
+ autonomous(2),
+ server(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The role of the Switch in terms of which Policy data
+ it retains/maintains:
+
+ 'client' - the Switch operates as a Client Switch.
+ A Client Switch maintains its own Switch Connectivity
+ Object and all Fabric-wide List Objects. If FC-SP
+
+
+
+De Santi, et al. Standards Track [Page 109]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Zoning is used, a Client Switch maintains only the
+ subset of the Active Zone Set that it requires to
+ enforce the current Fabric Zoning configuration.
+
+ 'autonomous' - the Switch operates as an Autonomous
+ Switch. An Autonomous Switch maintains its own Switch
+ Connectivity Object and all Fabric-wide List Objects.
+ This is the same as 'client' except that if FC-SP Zoning
+ is used, an Autonomous Switch maintains a complete copy
+ of the Fabric Zoning Database.
+
+ 'server' - the Switch operates as a Server Switch.
+ A Server Switch maintains all Fabric-wide List Objects
+ and the Switch Connectivity Objects of each Switch in
+ the Fabric. If FC-SP Zoning is used, a Server Switch
+ maintains a complete copy of the Fabric Zoning Database."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 113."
+ ::= { t11FcSpPoNaSwMembEntry 5 }
+
+t11FcSpPoNaSwMembAuthBehaviour OBJECT-TYPE
+ SYNTAX BITS {
+ mustAuthenticate(0),
+ rejectIsFailure(1)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The authentication behaviour of the Switch:
+
+ 'mustAuthenticate' - if this bit is set, all connections
+ between this Switch and neighbor Switches must be
+ authenticated.
+
+ 'rejectIsFailure' - if this bit is set, the rejection of
+ an AUTH_Negotiate message must be considered as an
+ authentication failure by this Switch."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 114."
+ ::= { t11FcSpPoNaSwMembEntry 6 }
+
+t11FcSpPoNaSwMembAttribute OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumNameOrAbsent
+ MAX-ACCESS read-create
+
+
+
+De Santi, et al. Standards Track [Page 110]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "The name of a non-active Attribute Policy Object that
+ is defined for this Switch. The zero-length string
+ indicates that no non-active Attribute Policy Object is
+ defined for this Switch.
+
+ The effect of having no rows in the t11FcSpPoNaAttribTable
+ for which the value of t11FcSpPoNaAttribName is the
+ same as the value of this object, is the same as
+ this object's value being the zero-length string."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 110."
+ ::= { t11FcSpPoNaSwMembEntry 7 }
+
+t11FcSpPoNaSwMembRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time.
+
+ A row cannot exist unless there is a row in the
+ t11FcSpPoNaSwListTable for the Switch Membership List
+ Object containing the Switch Entry for this Switch, i.e.,
+ the row in t11FcSpPoNaSwListTable for a Switch Membership
+ List Object must be created before (or simultaneously)
+ with a row in this table for a Switch Entry in that
+ Switch Membership List Object; and when a row in
+ t11FcSpPoNaSwListTable is deleted, any row in this
+ table for a Switch Entry in that Switch Membership
+ List Object also gets deleted."
+ ::= { t11FcSpPoNaSwMembEntry 8 }
+
+--
+-- Node Entries in Non-Active Node Membership List Objects
+--
+
+t11FcSpPoNaNoMembTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaNoMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Node Entries in non-active Node Membership List
+ Objects.
+
+
+
+De Santi, et al. Standards Track [Page 111]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ One Node Membership List Object is represented by all
+ the rows in this table that have the same value of
+ t11FcSpPoNaNoMembListName."
+ ::= { t11FcSpPoNonActive 4 }
+
+t11FcSpPoNaNoMembEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaNoMembEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Node Entry of
+ a non-active Node Membership List Object for the Fabric
+ identified by t11FcSpPoFabricIndex and managed within
+ the Fibre Channel management instance identified by
+ fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaNoMembListName,
+ t11FcSpPoNaNoMembNodeNameType,
+ t11FcSpPoNaNoMembNodeName }
+ ::= { t11FcSpPoNaNoMembTable 1 }
+
+T11FcSpPoNaNoMembEntry ::= SEQUENCE {
+ t11FcSpPoNaNoMembListName T11FcSpAlphaNumName,
+ t11FcSpPoNaNoMembNodeNameType T11FcSpPolicyNameType,
+ t11FcSpPoNaNoMembNodeName FcNameIdOrZero,
+ t11FcSpPoNaNoMembFlags BITS,
+ t11FcSpPoNaNoMembCtAccessIndex Unsigned32,
+ t11FcSpPoNaNoMembAttribute T11FcSpAlphaNumNameOrAbsent,
+ t11FcSpPoNaNoMembRowStatus RowStatus
+}
+
+t11FcSpPoNaNoMembListName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the non-active Node Membership List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+ ::= { t11FcSpPoNaNoMembEntry 1 }
+
+t11FcSpPoNaNoMembNodeNameType OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 112]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ restrictedNodeName(2),
+ portName(3),
+ restrictedPortName(4),
+ wildcard(5),
+ restrictedWildcard(6)
+ }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is 'wildcard' or
+ 'restrictedWildcard', this Node Entry applies to Nodes not
+ explicitly named in the Node Membership List Object.
+
+ Otherwise, the combination of this object and
+ t11FcSpPoNaNoMembNodeName specify the name of this Node Entry
+ in the active Node Membership List Object. A Node is
+ identified by its Node Name or by one or more of its Port
+ Names.
+
+ Restricted membership means that a Node is not allowed to be
+ connected to the Fabric unless allowed by a specific Switch
+ Connectivity Object. Unrestricted membership means that a
+ Node is allowed to be connected to the Fabric unless
+ disallowed by a specific Switch Connectivity Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+ ::= { t11FcSpPoNaNoMembEntry 2 }
+
+t11FcSpPoNaNoMembNodeName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "If the value of t11FcSpPoNaNoMembNodeNameType is
+ 'wildcard' or 'restrictedWildcard', this object has the
+ value '0000000000000000'h.
+
+ Otherwise, the combination of t11FcSpPoNaNoMembNodeNameType
+ and this object specify the name of this Node Entry is the
+ active Node Membership List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+
+
+
+De Santi, et al. Standards Track [Page 113]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpPoNaNoMembEntry 3 }
+
+t11FcSpPoNaNoMembFlags OBJECT-TYPE
+ SYNTAX BITS {
+ scsiEnclosureAccess(0),
+ authenticationRequired(1)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Configurable options in respect to the administration
+ of Policy Objects at this Node:
+
+ 'scsiEnclosureAccess' - the Node is allowed to
+ control any Switch through SCSI Enclosure Services if this
+ bit is set. If a Switch does not support SCSI Enclosure
+ Services, this bit is ignored.
+
+ 'authenticationRequired' - the Node is required to
+ authenticate itself to any Switch to which it is connected
+ if and only if this bit is set."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 118."
+ ::= { t11FcSpPoNaNoMembEntry 4 }
+
+t11FcSpPoNaNoMembCtAccessIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (0..4294967295)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is zero, then access by this
+ Node to Generic Services is not limited by a Common
+ Transport Access Specifier.
+
+ Otherwise, the limits are specified by the set of Common
+ Transport Access Descriptors contained in those rows of
+ the t11FcSpPoNaCtDescrTable for which the value of
+ t11FcSpPoNaCtDescrSpecifierIndex is the same as the value
+ of this object. No such rows in t11FcSpPoNaCtDescrTable
+ have the same effect as this object's value being zero."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.4.1 and tables 118/119/120/121."
+ ::= { t11FcSpPoNaNoMembEntry 5 }
+
+
+
+
+De Santi, et al. Standards Track [Page 114]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpPoNaNoMembAttribute OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumNameOrAbsent
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The name of a non-active Attribute Policy Object that
+ is defined for this Node. The zero-length string indicates
+ that no non-active Attribute Policy Object is defined for
+ this Node.
+
+ The effect of having no rows in the t11FcSpPoNaAttribTable
+ for which the value of t11FcSpPoNaAttribName is the
+ same as the value of this object, is the same as
+ this object's value being the zero-length string."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.4.1 and table 116."
+ ::= { t11FcSpPoNaNoMembEntry 6 }
+
+t11FcSpPoNaNoMembRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaNoMembEntry 7 }
+
+--
+--
+-- Non-Active Common Transport Access Descriptors
+--
+
+t11FcSpPoNaCtDescrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaCtDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Common Transport Access Descriptors referenced
+ by non-active Policy Objects.
+
+ A Common Transport Access Specifier is a list of Common
+ Transport Access Descriptors that specify whether a Node
+ is allowed to access a Generic Service or Sub-Server.
+
+ A non-active Common Transport Access Specifier is
+ represented by all rows of this table that have the same
+
+
+
+De Santi, et al. Standards Track [Page 115]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ values of fcmInstanceIndex, t11FcSpPoFabricIndex, and
+ t11FcSpPoNaCtDescrSpecifierIndex."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.5"
+ ::= { t11FcSpPoNonActive 5 }
+
+t11FcSpPoNaCtDescrEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaCtDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Common Transport
+ Access Descriptor of an non-active Common Transport Access
+ Specifier used within the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaCtDescrSpecifierIndex, t11FcSpPoNaCtDescrIndex }
+ ::= { t11FcSpPoNaCtDescrTable 1 }
+
+T11FcSpPoNaCtDescrEntry ::= SEQUENCE {
+ t11FcSpPoNaCtDescrSpecifierIndex Unsigned32,
+ t11FcSpPoNaCtDescrIndex Unsigned32,
+ t11FcSpPoNaCtDescrFlags BITS,
+ t11FcSpPoNaCtDescrGsType OCTET STRING,
+ t11FcSpPoNaCtDescrGsSubType OCTET STRING,
+ t11FcSpPoNaCtDescrRowStatus RowStatus
+}
+
+t11FcSpPoNaCtDescrSpecifierIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Common Transport Access Specifier within a Fabric."
+ ::= { t11FcSpPoNaCtDescrEntry 1 }
+
+t11FcSpPoNaCtDescrIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+
+
+
+De Santi, et al. Standards Track [Page 116]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Common Transport Access Descriptor within a Common Transport
+ Access Specifier."
+ ::= { t11FcSpPoNaCtDescrEntry 2 }
+
+t11FcSpPoNaCtDescrFlags OBJECT-TYPE
+ SYNTAX BITS {
+ allow(0),
+ gsTypeWildcard(1),
+ gsSubTypeWildcard(2),
+ readOnly(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The flag bits that specify how access is to be limited by
+ this Common Transport Access Descriptor:
+
+ - allow -- access to the specified Generic Service and
+ Server is allowed if this bit is set, and is to be denied
+ if this bit is not set.
+
+ - gsTypeWildcard -- if this bit is set, the Generic Service
+ to be allowed/denied is specified by the value of
+ t11FcSpPoNaCtDescrGsType, and the gsSubTypeWildcard bit
+ must not also be set.
+
+ - gsSubTypeWildcard -- if this bit is set, the Generic
+ Service to be allowed/denied is specified by the value of
+ t11FcSpPoNaCtDescrGsSubType, and the gsTypeWildcard bit
+ must not also be set.
+
+ - readOnly -- if this bit is set, then access is to be
+ granted only for reading."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.5.1, and tables 117, 118, and 120."
+ ::= { t11FcSpPoNaCtDescrEntry 3 }
+
+t11FcSpPoNaCtDescrGsType OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The GS_Type of the Generic Service (e.g., the FC-GS-5
+ Management Service) that is subject to access control.
+
+
+
+De Santi, et al. Standards Track [Page 117]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ This value is ignored if the gsTypeWildcard bit is not set
+ in the corresponding value of t11FcSpPoNaCtDescrFlags."
+ REFERENCE
+ "- ANSI INCITS 427-2006,
+ Fibre Channel - Generic Services-5 (FC-GS-5),
+ section 4.3.2.4.
+ - ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.5.1 and table 120."
+ ::= { t11FcSpPoNaCtDescrEntry 4 }
+
+t11FcSpPoNaCtDescrGsSubType OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The GS_Subtype of the Generic Server (e.g., the Fabric Zone
+ Server) that is subject to access control. This value is
+ ignored if the gsSubTypeWildcard bit is not set in the
+ corresponding value of t11FcSpPoNaCtDescrFlags."
+ REFERENCE
+ "- ANSI INCITS 427-2006,
+ Fibre Channel - Generic Services-5 (FC-GS-5),
+ section 4.3.2.5.
+ - ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.5.1 and table 120."
+ ::= { t11FcSpPoNaCtDescrEntry 5 }
+
+t11FcSpPoNaCtDescrRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaCtDescrEntry 6 }
+
+--
+-- Switches/Nodes in Non-Active Switch Connectivity Objects
+--
+
+t11FcSpPoNaSwConnTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaSwConnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of non-active Switch Connectivity Objects.
+
+
+
+De Santi, et al. Standards Track [Page 118]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ A Switch Connectivity Object defines to which other
+ Switches or Nodes a particular Switch may/may not be
+ connected at the Node level and/or at the Port level."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6."
+ ::= { t11FcSpPoNonActive 6 }
+
+t11FcSpPoNaSwConnEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaSwConnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains the name of a Switch/Node with which
+ any port of a particular Switch on a particular Fabric, or
+ a particular port on that Switch, is allowed or not allowed
+ to be connected.
+
+ The particular Fabric is identified by t11FcSpPoFabricIndex
+ and managed within the Fibre Channel management instance
+ identified by fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaSwConnSwitchName,
+ t11FcSpPoNaSwConnAllowedType,
+ t11FcSpPoNaSwConnPortNameOrAll,
+ t11FcSpPoNaSwConnAllowedIndex }
+ ::= { t11FcSpPoNaSwConnTable 1 }
+
+T11FcSpPoNaSwConnEntry ::= SEQUENCE {
+ t11FcSpPoNaSwConnSwitchName FcNameIdOrZero,
+ t11FcSpPoNaSwConnAllowedType INTEGER,
+ t11FcSpPoNaSwConnPortNameOrAll FcNameIdOrZero,
+ t11FcSpPoNaSwConnAllowedIndex Unsigned32,
+ t11FcSpPoNaSwConnAllowedNameType T11FcSpPolicyNameType,
+ t11FcSpPoNaSwConnAllowedName FcNameIdOrZero,
+ t11FcSpPoNaSwConnRowStatus RowStatus
+}
+
+t11FcSpPoNaSwConnSwitchName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 119]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "The name of the Switch for which this Switch Connectivity
+ Object specifies topology restrictions."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1 and table 123."
+ ::= { t11FcSpPoNaSwConnEntry 1 }
+
+t11FcSpPoNaSwConnAllowedType OBJECT-TYPE
+ SYNTAX INTEGER { switch(1), node(2) }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether this row refers to an
+ 'Allowed Switch' that concerns Switch-to-Switch
+ connectivity or an 'Allowed Node' that concerns
+ Switch-to-Node connectivity. Consequently, this object's
+ value indicates whether the corresponding instance of
+ t11FcSpPoNaSwConnAllowedName specifies the name of a Switch
+ or the name of a Node."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1 and table 123."
+ ::= { t11FcSpPoNaSwConnEntry 2 }
+
+t11FcSpPoNaSwConnPortNameOrAll OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE(0 | 8))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object specifies either the particular port on which
+ this topology restriction applies, or if the value is the
+ zero-length string, that the topology restriction applies
+ to all ports of the Switch.
+
+ In other words, if this object's value contains the name of
+ a port, then this row represents a 'Port Connectivity Entry'
+ (as described in FC-SP) within a Switch Connectivity Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1 and tables 123/124."
+ ::= { t11FcSpPoNaSwConnEntry 3 }
+
+t11FcSpPoNaSwConnAllowedIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+
+
+
+De Santi, et al. Standards Track [Page 120]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "When multiple rows in this table refer to different
+ 'Allowed Switches' or to different 'Allowed Nodes' for the
+ same port(s) in the same Switch Connectivity Object, this
+ object provides a unique index value to distinguish between
+ such rows."
+ ::= { t11FcSpPoNaSwConnEntry 4 }
+
+t11FcSpPoNaSwConnAllowedNameType OBJECT-TYPE
+ SYNTAX T11FcSpPolicyNameType {
+ nodeName(1),
+ restrictedNodeName(2),
+ portName(3),
+ restrictedPortName(4),
+ wildcard(5),
+ restrictedWildcard(6)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "If the value of this object is 'wildcard' or
+ 'restrictedWildcard', this row specifies whether
+ connectivity is allowed/not allowed with entities not
+ explicitly named by other rows.
+
+ Otherwise, the combination of
+ t11FcSpPoNaSwConnAllowedNameType and
+ t11FcSpPoNaSwConnAllowedName specify the name of:
+
+ - a Switch (if t11FcSpPoNaSwConnAllowedType = 'switch'), or
+ - a Node (if t11FcSpPoNaSwConnAllowedType = 'node')
+
+ to which connectivity is allowed/not allowed."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1 and tables 123/124."
+ ::= { t11FcSpPoNaSwConnEntry 5 }
+
+t11FcSpPoNaSwConnAllowedName OBJECT-TYPE
+ SYNTAX FcNameIdOrZero (SIZE (8))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "If t11FcSpPoNaSwConnAllowedNameType has the value
+ 'wildcard' or 'restrictedWildcard', this object has the
+ value '0000000000000000'h.
+
+
+
+De Santi, et al. Standards Track [Page 121]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Otherwise, the combination of
+ t11FcSpPoNaSwConnAllowedNameType and
+ t11FcSpPoNaSwConnAllowedName specify the name of:
+
+ - a Switch (if t11FcSpPoNaSwConnAllowedType = 'switch'), or
+ - a Node (if t11FcSpPoNaSwConnAllowedType = 'node')
+
+ to which connectivity is allowed/not allowed."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.6.1 and tables 123/124."
+ ::= { t11FcSpPoNaSwConnEntry 6 }
+
+t11FcSpPoNaSwConnRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaSwConnEntry 7 }
+
+--
+-- IP Management Entries in Non-Active IP Management List Objects
+--
+
+t11FcSpPoNaIpMgmtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaIpMgmtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of IP Management Entries in non-active IP
+ Management List Objects. The IP Management List Object is a
+ Fabric-wide Policy Object that describes which IP hosts are
+ allowed to manage a Fabric.
+
+ One non-active IP Management List Object is represented by
+ all rows of this table that have the same values of
+ fcmInstanceIndex and t11FcSpPoFabricIndex."
+ ::= { t11FcSpPoNonActive 7 }
+
+t11FcSpPoNaIpMgmtEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaIpMgmtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one IP Management
+
+
+
+De Santi, et al. Standards Track [Page 122]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ entry within a non-active IP Management List Object for the
+ Fabric identified by t11FcSpPoFabricIndex and managed
+ within the Fibre Channel management instance identified
+ by fcmInstanceIndex.
+
+ The Policy Object Name of an IP Management Entry Policy
+ Object is either an IPv6 Address Range or an IPv4 Address
+ Range. In a Fabric's database of Policy Objects, every
+ Policy Object Name, including these Internet address ranges,
+ is represented as a (T11FcSpPolicyNameType,
+ T11FcSpPolicyName) tuple. In contrast, this MIB module
+ uses the conventional MIB syntax for IP addresses, and
+ therefore represents the Policy Object Name of an IP
+ Management Entry Policy Object as a (InetAddressType,
+ InetAddress, InetAddress) tuple.
+
+ In theory, the use of t11FcSpPoNaIpMgmtEntryNameLow and
+ t11FcSpPoNaIpMgmtEntryNameHigh, which have the syntax of
+ InetAddress, in the INDEX could cause the need for
+ excessively long OIDs. In practice, this can't happen
+ because FC-SP doesn't allow these objects to be specified
+ as DNS names.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaIpMgmtListName,
+ t11FcSpPoNaIpMgmtEntryNameType,
+ t11FcSpPoNaIpMgmtEntryNameLow,
+ t11FcSpPoNaIpMgmtEntryNameHigh }
+ ::= { t11FcSpPoNaIpMgmtTable 1 }
+
+T11FcSpPoNaIpMgmtEntry ::= SEQUENCE {
+ t11FcSpPoNaIpMgmtListName T11FcSpAlphaNumName,
+ t11FcSpPoNaIpMgmtEntryNameType InetAddressType,
+ t11FcSpPoNaIpMgmtEntryNameLow InetAddress,
+ t11FcSpPoNaIpMgmtEntryNameHigh InetAddress,
+ t11FcSpPoNaIpMgmtWkpIndex Unsigned32,
+ t11FcSpPoNaIpMgmtAttribute T11FcSpAlphaNumNameOrAbsent,
+ t11FcSpPoNaIpMgmtRowStatus RowStatus
+}
+
+t11FcSpPoNaIpMgmtListName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 123]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "The name of a non-active Node Membership List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 125."
+ ::= { t11FcSpPoNaIpMgmtEntry 1 }
+
+t11FcSpPoNaIpMgmtEntryNameType OBJECT-TYPE
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The combination of t11FcSpPoNaIpMgmtEntryNameType,
+ t11FcSpPoNaIpMgmtNameLow, and t11FcSpPoNaIpMgmtNameHigh
+ specify the Internet address range of this IP Management
+ Entry in the IP Management List Object.
+
+ The FC-SP specification does not allow this address to
+ be specified using a DNS domain name, nor does it allow
+ the specification of zone indexes. Therefore, the
+ type of address must be one of: 'ipv4' or 'ipv6'."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 7.1.7.1 and table 126."
+ ::= { t11FcSpPoNaIpMgmtEntry 2 }
+
+t11FcSpPoNaIpMgmtEntryNameLow OBJECT-TYPE
+ SYNTAX InetAddress (SIZE(4 | 16))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The lower end of an Internet address range. The type
+ of this address is given by the corresponding instance
+ of t11FcSpPoNaIpMgmtEntryNameType.
+
+ The combination of t11FcSpPoNaIpMgmtEntryNameType,
+ t11FcSpPoNaIpMgmtNameLow, and t11FcSpPoIpMgmtNameHigh
+ specify the Internet address range of this IP Management
+ Entry in the IP Management List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 7.1.7.1 and table 126."
+ ::= { t11FcSpPoNaIpMgmtEntry 3 }
+
+t11FcSpPoNaIpMgmtEntryNameHigh OBJECT-TYPE
+ SYNTAX InetAddress (SIZE(4 | 16))
+
+
+
+De Santi, et al. Standards Track [Page 124]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The higher end of an Internet address range. The type
+ of this address is given by the corresponding instance
+ of t11FcSpPoNaIpMgmtEntryNameType.
+
+ The combination of t11FcSpPoNaIpMgmtEntryNameType,
+ t11FcSpPoNaIpMgmtNameLow, and t11FcSpPoNaIpMgmtNameHigh
+ specify the Internet address range of this IP Management
+ Entry in the IP Management List Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 7.1.7.1 and table 126."
+ ::= { t11FcSpPoNaIpMgmtEntry 4 }
+
+t11FcSpPoNaIpMgmtWkpIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (0..4294967295)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object identifies the restrictions for IP management
+ access by IP hosts in this range of IP addresses.
+
+ The restrictions are specified as the set of Well-Known
+ Protocols Access Descriptors contained in those rows of the
+ t11FcSpPoNaWkpDescrTable for which the value of
+ t11FcSpPoNaWkpDescrSpecifierIndx is the same as the value
+ of this object. If there are no such rows or if the value
+ of this object is zero, then this IP Management Entry does
+ not identify any Well-Known Protocols Access restrictions."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and tables 127/129."
+ ::= { t11FcSpPoNaIpMgmtEntry 5 }
+
+t11FcSpPoNaIpMgmtAttribute OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumNameOrAbsent
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The name of a non-active Attribute Policy Object that
+ is defined for this IP Management entry. The zero-length
+ string indicates that no non-active Attribute Policy Object
+ is defined for it.
+
+
+
+
+De Santi, et al. Standards Track [Page 125]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The effect of having no rows in the t11FcSpPoNaAttribTable
+ for which the value of t11FcSpPoNaAttribName is the same
+ as the value of this object, is the same as this object's
+ value being the zero-length string."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 128."
+ ::= { t11FcSpPoNaIpMgmtEntry 6 }
+
+t11FcSpPoNaIpMgmtRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaIpMgmtEntry 7 }
+
+--
+-- Non-Active Well-Known Protocol Access Descriptors
+--
+
+t11FcSpPoNaWkpDescrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaWkpDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of the Well-Known Protocol Access Descriptors
+ referenced from non-active Policy Objects.
+
+ A Well-Known Protocol Access Specifier is a list of
+ Well-Known Protocol Access Descriptors each of which
+ specifies a protocol number, a port number, and/or various
+ flags specifying how IP management access is restricted.
+
+ A non-active Well-Known Protocol Transport Access Specifier
+ is represented by all rows of this table that have the same
+ values of fcmInstanceIndex, t11FcSpPoFabricIndex, and
+ t11FcSpPoNaWkpDescrSpecifierIndx."
+ ::= { t11FcSpPoNonActive 8 }
+
+t11FcSpPoNaWkpDescrEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaWkpDescrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Well-Known
+
+
+
+De Santi, et al. Standards Track [Page 126]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Protocol Access Descriptor of a non-active Well-Known
+ Protocol Access Specifier used within the Fabric identified
+ by t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaWkpDescrSpecifierIndx,
+ t11FcSpPoNaWkpDescrIndex }
+ ::= { t11FcSpPoNaWkpDescrTable 1 }
+
+T11FcSpPoNaWkpDescrEntry ::= SEQUENCE {
+ t11FcSpPoNaWkpDescrSpecifierIndx Unsigned32,
+ t11FcSpPoNaWkpDescrIndex Unsigned32,
+ t11FcSpPoNaWkpDescrFlags BITS,
+ t11FcSpPoNaWkpDescrWkpNumber Unsigned32,
+ t11FcSpPoNaWkpDescrDestPort InetPortNumber,
+ t11FcSpPoNaWkpDescrRowStatus RowStatus
+}
+
+t11FcSpPoNaWkpDescrSpecifierIndx OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ non-active Well-Known Protocol Access Specifier within
+ a Fabric."
+ ::= { t11FcSpPoNaWkpDescrEntry 1 }
+
+t11FcSpPoNaWkpDescrIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Well-Known Protocol Access Descriptor within a
+ non-active Well-Known Protocol Access Specifier."
+ ::= { t11FcSpPoNaWkpDescrEntry 2 }
+
+t11FcSpPoNaWkpDescrFlags OBJECT-TYPE
+ SYNTAX BITS {
+ allow(0),
+ wkpWildcard(1),
+ destPortWildcard(2),
+ readOnly(3)
+
+
+
+De Santi, et al. Standards Track [Page 127]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The flag bits that specify how access is to be limited by
+ this Well-Known Protocol Access Descriptor:
+
+ - allow -- IP management access using this protocol/port
+ is allowed if this bit is set, and to be denied if this
+ bit is not set.
+
+ - wkpWildcard -- if this bit is set, the IP Protocol number
+ of the Well-Known Protocol to be allowed/denied is
+ specified by the value of t11FcSpPoNaWkpDescrWkpNumber.
+
+ - destPortWildcard -- if this bit is set, the Destination
+ (TCP/UDP) Port number of the Well-Known Protocol to be
+ allowed/denied is specified by the value of
+ t11FcSpPoNaWkpDescrDestPort.
+
+ - readOnly -- if this bit is set, then access is to be
+ granted only for reading."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 131."
+ ::= { t11FcSpPoNaWkpDescrEntry 3 }
+
+t11FcSpPoNaWkpDescrWkpNumber OBJECT-TYPE
+ SYNTAX Unsigned32 (0..255)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "When the 'wkpWildcard' bit is set in the corresponding
+ instance of t11FcSpPoNaWkpDescrFlags, this object specifies
+ the IP protocol number of the Well-Known Protocol."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 131.
+ - http://www.iana.org/assignments/protocol-numbers."
+ ::= { t11FcSpPoNaWkpDescrEntry 4 }
+
+t11FcSpPoNaWkpDescrDestPort OBJECT-TYPE
+ SYNTAX InetPortNumber
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 128]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "When the 'destPortWildcard' bit is set in the corresponding
+ instance of t11FcSpPoNaWkpDescrFlags, this object specifies
+ the Destination (TCP/UDP) Port number of the Well-Known
+ Protocol. When the 'destPortWildcard' bit is reset, this
+ object is ignored (and can have the value zero)."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.7.1 and table 131.
+ - http://www.iana.org/assignments/port-numbers."
+ ::= { t11FcSpPoNaWkpDescrEntry 5 }
+
+t11FcSpPoNaWkpDescrRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaWkpDescrEntry 6 }
+
+--
+-- Attribute Entries in Non-Active Attribute Policy Objects
+--
+
+t11FcSpPoNaAttribTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaAttribEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of the Attribute Policy Objects being used within
+ non-active Policy Objects.
+
+ A non-active Attribute Policy Object is represented by all
+ the Attribute Entries in this table that have the same
+ value of t11FcSpPoNaAttribName."
+ ::= { t11FcSpPoNonActive 9 }
+
+t11FcSpPoNaAttribEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaAttribEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Attribute
+ Entry contained within an Attribute Policy Object
+ that is non-active within the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+
+
+De Santi, et al. Standards Track [Page 129]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ For some types of Attribute Policy Objects, it is valuable
+ to break out some semantically significant parts of the
+ Policy Object's value into their own individual MIB
+ objects; for example, to extract the one or more individual
+ Authentication Protocol Identifiers and associated
+
+ Authentication Protocol Parameters out of an Attribute
+ containing a 'AUTH_Negotiate Message Payload'. For such
+ types, another MIB table is defined to hold the extracted
+ values in MIB objects specific to the Attribute Policy
+ Object's type. In such cases, the
+ t11FcSpPoNaAttribExtension object in this table points to
+ the other MIB table.
+
+ If the value of one Attribute Entry is too large (more than
+ 256 bytes) to be contained within the value of one instance
+ of t11FcSpPoNaAttribValue, then one row in this table
+ contains the first 256 bytes, and one (or more) other row(s)
+ in this table contain the rest of the value.
+
+ The StorageType of a row in this table is specified by the
+ instance of t11FcSpPoStorageType that is INDEX-ed by the
+ same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaAttribName, t11FcSpPoNaAttribEntryIndex,
+ t11FcSpPoNaAttribPartIndex }
+ ::= { t11FcSpPoNaAttribTable 1 }
+
+T11FcSpPoNaAttribEntry ::= SEQUENCE {
+ t11FcSpPoNaAttribName T11FcSpAlphaNumName,
+ t11FcSpPoNaAttribEntryIndex Unsigned32,
+ t11FcSpPoNaAttribPartIndex Unsigned32,
+ t11FcSpPoNaAttribType Unsigned32,
+ t11FcSpPoNaAttribValue OCTET STRING,
+ t11FcSpPoNaAttribExtension OBJECT IDENTIFIER,
+ t11FcSpPoNaAttribRowStatus RowStatus
+}
+
+t11FcSpPoNaAttribName OBJECT-TYPE
+ SYNTAX T11FcSpAlphaNumName
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the Attribute Policy Object containing one
+ or more Attribute Entries."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+
+
+
+De Santi, et al. Standards Track [Page 130]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ February 2007, section 7.1.8.1 and table 133."
+ ::= { t11FcSpPoNaAttribEntry 1 }
+
+t11FcSpPoNaAttribEntryIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A unique value to distinguish this Attribute Entry
+ from other Attribute Entries contained in the same
+ Attribute Policy Object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.8.1, tables 133/134."
+ ::= { t11FcSpPoNaAttribEntry 2 }
+
+t11FcSpPoNaAttribPartIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "When the value of an Attribute Entry is shorter than 257
+ bytes, the whole value is contained in one instance of
+ t11FcSpPoNaAttribValue, and the value of this object is 1.
+
+ If the value of an Attribute Entry is longer than 256 bytes,
+ then that value is divided up on 256-byte boundaries such
+ that all parts are 256 bytes long except the last part which
+ is shorter if necessary, with each such part contained in
+ a separate row of this table, and the value of this object
+ is set to the part number. That is, this object has the
+ value of 1 for bytes 0-255, the value of 2 for bytes
+ 256-511, etc."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.1.8.1, tables 134/135."
+ ::= { t11FcSpPoNaAttribEntry 3 }
+
+t11FcSpPoNaAttribType OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of attribute. The first type to be defined is:
+
+ t11FcSpPoNaAttribType t11FcSpPoNaAttribValue
+
+
+
+De Santi, et al. Standards Track [Page 131]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ===================== ======================
+ '00000001'h The AUTH_Negotiate Message Payload
+ "
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.8.1, tables 134/135 and table 10."
+ ::= { t11FcSpPoNaAttribEntry 4 }
+
+t11FcSpPoNaAttribValue OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..256))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of an Attribute Entry is divided up on 256-byte
+ boundaries such that all parts are 256 bytes long except the
+ last part, which is shorter if necessary, and each such part
+ is contained in a separate instance of this object.
+
+ When the value of the corresponding instance of
+ t11FcSpPoNaAttribExtension is not zeroDotZero, then the same
+ underlying management data has its value contained both in
+ this object and in the individual/broken-out parts pointed
+ to by t11FcSpPoNaAttribExtension. Thus, after any
+ modification of the underlying management data, e.g., after
+ a Set operation to the value of either MIB representation,
+ then that modification is reflected in the values of both
+ MIB representations."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP), February 2007,
+ section 7.1.8.1, tables 134/135 and table 10."
+ ::= { t11FcSpPoNaAttribEntry 5 }
+
+t11FcSpPoNaAttribExtension OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For some types of Attribute Policy Object, the value of
+ this MIB object points to type-specific MIB objects that
+ contain individual/broken-out parts of the Attribute Policy
+ Object's value. If this object doesn't point to such
+ type-specific MIB objects, then it contains the value:
+ zeroDotZero.
+
+ In particular, when the value of t11FcSpPoNaAttribType
+ indicates 'AUTH_Negotiate Message Payload', one or more
+
+
+
+De Santi, et al. Standards Track [Page 132]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Authentication Protocol Identifiers and their associated
+ Authentication Protocol Parameters are embedded within
+ the value of the corresponding instance of
+ t11FcSpPoNaAttribValue; MIB objects to contain these
+ individual values are defined in the
+ t11FcSpPoAuthProtTable. Thus, for an 'AUTH_Negotiate
+ Message Payload' Attribute, the value of this object would
+ contain the OID of t11FcSpPoNaAuthProtTable.
+
+ When the value of this object is not zeroDotZero, then the
+ same underlying management data has its value contained in
+ both the individual/broken-out parts pointed to by this
+ object and in the corresponding instance of
+ t11FcSpPoNaAttribValue. Thus, after any modification of the
+ underlying management data, e.g., after a Set operation to
+ the value of either MIB representation, then that
+ modification is reflected in the values of both MIB
+ representations."
+ ::= { t11FcSpPoNaAttribEntry 6 }
+
+t11FcSpPoNaAttribRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaAttribEntry 7 }
+
+--
+-- Auth. Protocol Parameters in Non-Active Attribute Policy Objects
+--
+
+t11FcSpPoNaAuthProtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoNaAuthProtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of Authentication Protocol Identifier and
+ Authentication Protocol Parameters that are embedded in
+ Attribute Policy Objects being used within non-active
+ Policy Objects.
+
+ This table is used for Attribute Entries of Attribute Policy
+ Objects for which the value of t11FcSpPoNaAttribType
+ indicates 'AUTH_Negotiate Message Payload' and the value of
+ t11FcSpPoNaAttribExtension contains the OID of this table."
+ REFERENCE
+
+
+
+De Santi, et al. Standards Track [Page 133]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 5.3.2 & 7.1.8.1,
+ tables 134/135 and tables 10/11."
+ ::= { t11FcSpPoNonActive 10 }
+
+t11FcSpPoNaAuthProtEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoNaAuthProtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each row contains information about an Authentication
+ Protocol that is extracted out of the Attribute Entry
+ (identified by t11FcSpPoNaAttribEntryIndex) of the
+ non-active Policy Attribute Object (identified by
+ t11FcSpPoNaAttribName) for the Fabric identified by
+ t11FcSpPoFabricIndex and managed within the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+ If the value of one Attribute Protocol Parameters string is
+ too large (more than 256 bytes) to be contained within the
+ value of one instance of t11FcSpPoNaAuthProtParams, then
+ one row in this table contains the first 256 bytes, and
+ one (or more) other row(s) in this table contain the rest
+ of the value.
+
+ The same underlying management data that is represented in
+ rows of this table is also represented by the corresponding
+ instances of t11FcSpPoNaAttribValue. Thus, after any
+ modification of the underlying management data, e.g., after
+ a Set operation to the value of either MIB representation,
+ then that modification is reflected in the values of both
+ MIB representations."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
+ t11FcSpPoNaAttribName, t11FcSpPoNaAttribEntryIndex,
+ t11FcSpPoNaAuthProtIdentifier,
+ t11FcSpPoNaAuthProtPartIndex }
+ ::= { t11FcSpPoNaAuthProtTable 1 }
+
+T11FcSpPoNaAuthProtEntry ::= SEQUENCE {
+ t11FcSpPoNaAuthProtIdentifier Unsigned32,
+ t11FcSpPoNaAuthProtPartIndex Unsigned32,
+ t11FcSpPoNaAuthProtParams OCTET STRING,
+ t11FcSpPoNaAuthProtRowStatus RowStatus
+}
+
+t11FcSpPoNaAuthProtIdentifier OBJECT-TYPE
+ SYNTAX Unsigned32 (0..4294967295)
+
+
+
+De Santi, et al. Standards Track [Page 134]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The Authentication Protocol Identifier:
+
+ 1 = DH-CHAP
+ 3 = FCPAP
+ 4 = IKEv2
+ 5 = IKEv2-AUTH
+ 240 thru 255 = Vendor Specific Protocols
+
+ all other values are 'Reserved' (by T11)."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.2, table 11."
+ ::= { t11FcSpPoNaAuthProtEntry 1 }
+
+t11FcSpPoNaAuthProtPartIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "When the value of an Attribute Protocol Parameters string
+ is shorter than 257 bytes, the whole value is contained in
+ one instance of t11FcSpPoNaAuthProtParams, and the value of
+ this object is 1. (This includes the case when the Attribute
+ Protocol Parameters string is zero bytes in length.)
+
+ If the value of an Authentication Protocol Parameters string
+ is longer than 256 bytes, then that value is divided up on
+ 256-byte boundaries such that all parts are 256 bytes long
+ except the last part, which is shorter if necessary, with
+ each such part contained in a separate row of this table,
+ and the value of this object is set to the part number.
+ That is, this object has the value of 1 for bytes 0-255,
+ the value of 2 for bytes 256-511, etc."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.2, table 10."
+ ::= { t11FcSpPoNaAuthProtEntry 2 }
+
+t11FcSpPoNaAuthProtParams OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..256))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 135]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "The value of an Authentication Protocol Parameters string
+ is divided up on 256-byte boundaries such that all parts
+ are 256 bytes long except the last part, which is shorter
+ if necessary, and each such part is contained in a
+ separate instance of this object."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 5.3.2, table 10."
+ ::= { t11FcSpPoNaAuthProtEntry 3 }
+
+t11FcSpPoNaAuthProtRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpPoNaAuthProtEntry 4 }
+
+--
+-- Part 4 - Statistics
+--
+
+t11FcSpPoStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of statistics maintained by FC-SP Security
+ Policy Servers."
+ ::= { t11FcSpPoStatistics 1 }
+
+t11FcSpPoStatsEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A set of statistics for the FC-SP Security Policy Server on
+ the Fabric identified by the value of t11FcSpPoFabricIndex,
+ and managed within the Fibre Channel management instance
+ identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex }
+ ::= { t11FcSpPoStatsTable 1 }
+
+T11FcSpPoStatsEntry ::= SEQUENCE {
+ t11FcSpPoInRequests Counter32,
+ t11FcSpPoInAccepts Counter32,
+
+
+
+De Santi, et al. Standards Track [Page 136]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoInRejects Counter32
+}
+
+t11FcSpPoInRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of FC-SP Policy Management Requests
+ (e.g., GPS, APS, etc.) received by this FC-SP
+ Security Policy Server on this Fabric.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3."
+ ::= { t11FcSpPoStatsEntry 1 }
+
+t11FcSpPoInAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that this FC-SP Security Policy Server
+ sent an Accept CT_IU on this Fabric in response to a
+ received FC-SP Policy Management Request (e.g., GPS, APS,
+ etc.).
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3."
+ ::= { t11FcSpPoStatsEntry 2 }
+
+t11FcSpPoInRejects OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that this FC-SP Security Policy Server
+ sent a Reject CT_IU on this Fabric in response to a
+ received FC-SP Policy Management Request (e.g., GPS, APS,
+ etc.).
+
+
+
+
+De Santi, et al. Standards Track [Page 137]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3."
+ ::= { t11FcSpPoStatsEntry 3 }
+
+--
+-- Part 5 - Control Information & Notifications
+--
+
+--
+-- Control Information
+--
+
+t11FcSpPoServerAddress OBJECT-TYPE
+ SYNTAX FcNameIdOrZero
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The WWN of the FC-SP Security Policy Server that
+ received a request that is referenced in a
+ notification."
+ ::= { t11FcSpPoControl 1 }
+
+
+t11FcSpPoControlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpPoControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of control information, including the memory
+ realization of FC-SP Policy Databases, and concerning
+ the generation of notifications due to FC-SP
+ Policy-related events."
+ ::= { t11FcSpPoControl 2 }
+
+t11FcSpPoControlEntry OBJECT-TYPE
+ SYNTAX T11FcSpPoControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains control information specific to FC-SP
+ Policy and Policy-related events for the Fabric identified
+ by the value of t11FcSpPoFabricIndex, and managed within
+ the Fibre Channel management instance identified by
+ fcmInstanceIndex."
+
+
+
+De Santi, et al. Standards Track [Page 138]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex }
+ ::= { t11FcSpPoControlTable 1 }
+
+T11FcSpPoControlEntry ::= SEQUENCE {
+ t11FcSpPoStorageType StorageType,
+ t11FcSpPoNotificationEnable TruthValue,
+ t11FcSpPoLastNotifyType INTEGER,
+ t11FcSpPoRequestSource FcNameIdOrZero,
+ t11FcSpPoReasonCode T11NsGs4RejectReasonCode,
+ t11FcSpPoCtCommandString OCTET STRING,
+ t11FcSpPoReasonCodeExp Unsigned32,
+ t11FcSpPoReasonVendorCode OCTET STRING
+}
+
+t11FcSpPoStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies the memory realization of FC-SP
+ Policy Objects and related information for a particular
+ Fabric; specifically, for:
+
+ - rows created and/or modified for the particular
+ Fabric in these tables:
+
+ t11FcSpPoNaSummaryTable
+ t11FcSpPoNaSwListTable
+ t11FcSpPoNaSwMembTable
+ t11FcSpPoNaNoMembTable
+ t11FcSpPoNaCtDescrTable
+ t11FcSpPoNaSwConnTable
+ t11FcSpPoNaIpMgmtTable
+ t11FcSpPoNaWkpDescrTable
+ t11FcSpPoNaAttribTable
+
+ - the activate and deactivate actions invoked through
+ the t11FcSpPoOperActivate and t11FcSpPoOperDeActivate
+ objects for the particular Fabric; and
+
+ - modified information contained in the same row
+ as an instance of this object.
+
+ Even if an instance of this object has the value
+ 'permanent(4)', none of the information defined in
+ this MIB module for the given Fabric needs to be
+ writable."
+ ::= { t11FcSpPoControlEntry 1 }
+
+
+
+De Santi, et al. Standards Track [Page 139]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpPoNotificationEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether the following types of
+ notifications:
+
+ t11FcSpPoNotifyActivation,
+ t11FcSpPoNotifyActivateFail,
+ t11FcSpPoNotifyDeactivation and
+ t11FcSpPoNotifyDeactivateFail
+
+ should be generated for this Fabric."
+ ::= { t11FcSpPoControlEntry 2 }
+
+t11FcSpPoLastNotifyType OBJECT-TYPE
+ SYNTAX INTEGER {
+ none(1),
+ activation(2),
+ activateFail(3),
+ deactivation(4),
+ deactivateFail(5)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of which of the following types of
+ notification is currently being/was most recently
+ generated for the Fabric:
+
+ 'activation' -- t11FcSpPoNotifyActivation
+ 'activateFail' -- t11FcSpPoNotifyActivateFail
+ 'deactivation' -- t11FcSpPoNotifyDeactivation
+ 'deactivateFail' -- t11FcSpPoNotifyDeactivateFail
+
+ The value 'none' indicates that none of these types of
+ notifications have been generated since the last restart
+ of the network management system, and therefore that the
+ corresponding instances of: t11FcSpPoRequestSource,
+ t11FcSpPoReasonCode, t11FcSpPoCtCommandString,
+ t11FcSpPoReasonCodeExp, and
+ t11FcSpPoReasonVendorCode are irrelevant."
+ ::= { t11FcSpPoControlEntry 3 }
+
+t11FcSpPoRequestSource OBJECT-TYPE
+ SYNTAX FcNameIdOrZero
+ MAX-ACCESS read-only
+
+
+
+De Santi, et al. Standards Track [Page 140]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "The WWN of the source of the (Activate Policy Summary
+ or Deactivate Policy Summary) request for which the
+ current/most recent notification of the type indicated by
+ the corresponding instance of t11FcSpPoLastNotifyType
+ is being/was generated.
+
+ If no source is available, the value of this object is
+ the zero-length string."
+ DEFVAL { "" }
+ ::= { t11FcSpPoControlEntry 4 }
+
+t11FcSpPoReasonCode OBJECT-TYPE
+ SYNTAX T11NsGs4RejectReasonCode
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The reason code associated with the failure that is
+ indicated when the value of the corresponding instance
+ of t11FcSpPoLastNotifyType is 'activateFail' or
+ 'deactivateFail'.
+
+ For other values of t11FcSpPoLastNotifyType, the value
+ of this object is 'none(1)'."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.2 & 7.3.6.3"
+ ::= { t11FcSpPoControlEntry 5 }
+
+t11FcSpPoCtCommandString OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..255))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The binary content of the failed request that is
+ indicated when the value of the corresponding instance of
+ t11FcSpPoLastNotifyType is 'activateFail' or
+ 'deactivateFail'. The content of the request is formatted
+ as an octet string (in network byte order) containing the
+ CT_IU, as described in Table 2 of [FC-GS-5] (including the
+ preamble).
+
+ For other values of t11FcSpPoLastNotifyType, or if the
+ CT_IU's content is unavailable, the value of this object
+ is the zero-length string.
+
+
+
+
+De Santi, et al. Standards Track [Page 141]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ When the length of this object is 255 octets, it
+ contains the first 255 octets of the CT_IU (in
+ network-byte order)."
+ ::= { t11FcSpPoControlEntry 6 }
+
+t11FcSpPoReasonCodeExp OBJECT-TYPE
+ SYNTAX Unsigned32 (0..255)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The reason code explanation associated with the failure
+ that is indicated when the value of the corresponding
+ instance of t11FcSpPoLastNotifyType is 'activateFail' or
+ 'deactivateFail'.
+
+ For other values of t11FcSpPoLastNotifyType, the value
+ of this object is zero."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.2 & 7.3.6.3"
+ ::= { t11FcSpPoControlEntry 7 }
+
+t11FcSpPoReasonVendorCode OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0 | 1))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The vendor-specific reason code associated with the failure
+ that is indicated when the value of the corresponding
+ instance of t11FcSpPoLastNotifyType is 'activateFail' or
+ 'deactivateFail'.
+
+ For other values of t11FcSpPoLastNotifyType, or if no
+ vendor-specific reason code is available, the value
+ of this object is the zero-length string."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.2 & 7.3.6.3"
+ ::= { t11FcSpPoControlEntry 8 }
+
+--
+-- Notification definitions
+--
+
+t11FcSpPoNotifyActivation NOTIFICATION-TYPE
+ OBJECTS { t11FcSpPoServerAddress,
+
+
+
+De Santi, et al. Standards Track [Page 142]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoPolicySummaryObjName,
+ t11FcSpPoRequestSource }
+ STATUS current
+ DESCRIPTION
+ "This notification is generated whenever a Security
+ Policy Server (indicated by the value of
+ t11FcSpPoServerAddress) successfully completes the
+ execution of an Activate Policy Summary request.
+ The value of t11FcSpPoRequestSource indicates
+ the source of the APS request. The value of
+ t11FcSpPoPolicySummaryObjName indicates the name of
+ the activated Policy Summary Object."
+ ::= { t11FcSpPoMIBNotifications 1 }
+
+t11FcSpPoNotifyActivateFail NOTIFICATION-TYPE
+ OBJECTS { t11FcSpPoServerAddress,
+ t11FcSpPoRequestSource,
+ t11FcSpPoCtCommandString,
+ t11FcSpPoReasonCode,
+ t11FcSpPoReasonCodeExp,
+ t11FcSpPoReasonVendorCode }
+ STATUS current
+ DESCRIPTION
+ "This notification is generated whenever a Security Policy
+ Server (indicated by the value of t11FcSpPoServerAddress)
+ fails to complete the execution of an Activate Policy
+ Summary request.
+
+ The value of t11FcSpPoCtCommandString indicates the
+ rejected request, and the values of t11FcSpPoReasonCode,
+ t11FcSpPoReasonCodeExp, and t11FcSpPoReasonVendorCode
+ indicate the reason for the rejection. The value of
+ t11FcSpPoRequestSource indicates the source of the
+ request."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.2."
+ ::= { t11FcSpPoMIBNotifications 2 }
+
+t11FcSpPoNotifyDeactivation NOTIFICATION-TYPE
+ OBJECTS { t11FcSpPoServerAddress,
+ t11FcSpPoRequestSource }
+ STATUS current
+ DESCRIPTION
+ "This notification is generated whenever a Security
+ Policy Server (indicated by the value of
+ t11FcSpPoServerAddress) successfully completes the
+
+
+
+De Santi, et al. Standards Track [Page 143]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ execution of a Deactivate Policy Summary request.
+ The value of t11FcSpPoRequestSource indicates
+ the source of the DPS request."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 7.3.6.3."
+ ::= { t11FcSpPoMIBNotifications 3 }
+
+t11FcSpPoNotifyDeactivateFail NOTIFICATION-TYPE
+ OBJECTS { t11FcSpPoServerAddress,
+ t11FcSpPoRequestSource,
+ t11FcSpPoCtCommandString,
+ t11FcSpPoReasonCode,
+ t11FcSpPoReasonCodeExp,
+ t11FcSpPoReasonVendorCode }
+ STATUS current
+ DESCRIPTION
+ "This notification is generated whenever a Security Policy
+ Server (indicated by the value of t11FcSpPoServerAddress)
+ fails to complete the execution of a Deactivate Policy
+ Summary request.
+
+ The value of t11FcSpPoCtCommandString indicates the
+ rejected request, and the values of t11FcSpPoReasonCode,
+ t11FcSpPoReasonCodeExp, and t11FcSpPoReasonVendorCode
+ indicate the reason for the rejection. The value of
+ t11FcSpPoRequestSource indicates the source of the
+ request."
+ ::= { t11FcSpPoMIBNotifications 4 }
+
+--
+-- Conformance
+--
+
+t11FcSpPoMIBCompliances
+ OBJECT IDENTIFIER ::= { t11FcSpPoMIBConformance 1 }
+t11FcSpPoMIBGroups OBJECT IDENTIFIER ::= { t11FcSpPoMIBConformance 2 }
+
+t11FcSpPoMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities that
+ support the Fabric Policies defined in FC-SP,"
+
+ MODULE -- this module
+ MANDATORY-GROUPS { t11FcSpPoActiveObjectsGroup }
+
+
+
+
+De Santi, et al. Standards Track [Page 144]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ GROUP t11FcSpPoNonActiveObjectsGroup
+ DESCRIPTION
+ "These objects are mandatory for FC-SP Security Policy
+ Servers."
+
+ GROUP t11FcSpPoNotifyObjectsGroup
+ DESCRIPTION
+ "These objects are mandatory for FC-SP Security Policy
+ Servers."
+
+ GROUP t11FcSpPoNotificationGroup
+ DESCRIPTION
+ "These notifications are mandatory for FC-SP Security
+ Policy Servers."
+
+ GROUP t11FcSpPoOperationsObjectsGroup
+ DESCRIPTION
+ "These objects are mandatory only for FC-SP Security
+ Policy Servers that support the activation/deactivation
+ of policies via SNMP."
+
+ GROUP t11FcSpPoStatsObjectsGroup
+ DESCRIPTION
+ "These objects are optional."
+
+-- Write access is not required for any objects in this MIB module:
+
+ OBJECT t11FcSpPoOperActivate
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoOperDeActivate
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNotificationEnable
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSummaryPolicyNameType
+
+
+
+De Santi, et al. Standards Track [Page 145]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSummaryPolicyName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSummaryHashStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSummaryRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwListFabricName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwListRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwMembFlags
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwMembDomainID
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwMembPolicyDataRole
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwMembAuthBehaviour
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+
+
+De Santi, et al. Standards Track [Page 146]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ OBJECT t11FcSpPoNaSwMembAttribute
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwMembRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaNoMembFlags
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaNoMembCtAccessIndex
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaNoMembAttribute
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaNoMembRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaCtDescrFlags
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaCtDescrGsType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaCtDescrGsSubType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaCtDescrRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 147]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwConnAllowedNameType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwConnAllowedName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaSwConnRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaIpMgmtWkpIndex
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaIpMgmtAttribute
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaIpMgmtRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaWkpDescrFlags
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaWkpDescrWkpNumber
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaWkpDescrDestPort
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaWkpDescrRowStatus
+
+
+
+De Santi, et al. Standards Track [Page 148]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaAttribType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaAttribValue
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaAttribRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaAuthProtParams
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT t11FcSpPoNaAuthProtRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ ::= { t11FcSpPoMIBCompliances 1 }
+
+-- Units of Conformance
+
+t11FcSpPoActiveObjectsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpPoPolicySummaryObjName,
+ t11FcSpPoAdminFabricName,
+ t11FcSpPoActivatedTimeStamp,
+ t11FcSpPoSummaryPolicyType,
+ t11FcSpPoSummaryHashFormat,
+ t11FcSpPoSummaryHashValue,
+ t11FcSpPoSwMembSwitchFlags,
+ t11FcSpPoSwMembDomainID,
+ t11FcSpPoSwMembPolicyDataRole,
+ t11FcSpPoSwMembAuthBehaviour,
+ t11FcSpPoSwMembAttribute,
+ t11FcSpPoNoMembFlags,
+ t11FcSpPoNoMembCtAccessIndex,
+ t11FcSpPoNoMembAttribute,
+
+
+
+De Santi, et al. Standards Track [Page 149]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoCtDescrFlags,
+ t11FcSpPoCtDescrGsType,
+ t11FcSpPoCtDescrGsSubType,
+ t11FcSpPoSwConnAllowedNameType,
+ t11FcSpPoSwConnAllowedName,
+ t11FcSpPoIpMgmtWkpIndex,
+ t11FcSpPoIpMgmtAttribute,
+ t11FcSpPoWkpDescrFlags,
+ t11FcSpPoWkpDescrWkpNumber,
+ t11FcSpPoWkpDescrDestPort,
+ t11FcSpPoAttribType,
+ t11FcSpPoAttribValue,
+ t11FcSpPoAttribExtension,
+ t11FcSpPoAuthProtParams
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of MIB objects that contain information
+ about active Policy Objects that express Fibre Channel
+ Security (FC-SP) policy."
+ ::= { t11FcSpPoMIBGroups 1 }
+
+t11FcSpPoOperationsObjectsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpPoOperActivate,
+ t11FcSpPoOperDeActivate,
+ t11FcSpPoOperResult,
+ t11FcSpPoOperFailCause
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of MIB objects that allow a new set of
+ Fibre Channel Security (FC-SP) policies to be activated
+ or an existing set to be deactivated."
+ ::= { t11FcSpPoMIBGroups 2 }
+
+t11FcSpPoNonActiveObjectsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpPoStorageType,
+ t11FcSpPoNaSummaryPolicyNameType,
+ t11FcSpPoNaSummaryPolicyName,
+ t11FcSpPoNaSummaryHashStatus,
+ t11FcSpPoNaSummaryHashFormat,
+ t11FcSpPoNaSummaryHashValue,
+ t11FcSpPoNaSummaryRowStatus,
+ t11FcSpPoNaSwListFabricName,
+ t11FcSpPoNaSwListRowStatus,
+ t11FcSpPoNaSwMembFlags,
+ t11FcSpPoNaSwMembDomainID,
+ t11FcSpPoNaSwMembPolicyDataRole,
+
+
+
+De Santi, et al. Standards Track [Page 150]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoNaSwMembAuthBehaviour,
+ t11FcSpPoNaSwMembAttribute,
+ t11FcSpPoNaSwMembRowStatus,
+ t11FcSpPoNaNoMembFlags,
+ t11FcSpPoNaNoMembCtAccessIndex,
+ t11FcSpPoNaNoMembAttribute,
+ t11FcSpPoNaNoMembRowStatus,
+ t11FcSpPoNaCtDescrFlags,
+ t11FcSpPoNaCtDescrGsType,
+ t11FcSpPoNaCtDescrGsSubType,
+ t11FcSpPoNaCtDescrRowStatus,
+ t11FcSpPoNaSwConnAllowedNameType,
+ t11FcSpPoNaSwConnAllowedName,
+ t11FcSpPoNaSwConnRowStatus,
+ t11FcSpPoNaIpMgmtWkpIndex,
+ t11FcSpPoNaIpMgmtAttribute,
+ t11FcSpPoNaIpMgmtRowStatus,
+ t11FcSpPoNaWkpDescrFlags,
+ t11FcSpPoNaWkpDescrWkpNumber,
+ t11FcSpPoNaWkpDescrDestPort,
+ t11FcSpPoNaWkpDescrRowStatus,
+ t11FcSpPoNaAttribType,
+ t11FcSpPoNaAttribValue,
+ t11FcSpPoNaAttribExtension,
+ t11FcSpPoNaAttribRowStatus,
+ t11FcSpPoNaAuthProtParams,
+ t11FcSpPoNaAuthProtRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of MIB objects that contain information
+ about non-active Policy Objects available for activation
+ in order to change Fibre Channel Security (FC-SP) policy."
+ ::= { t11FcSpPoMIBGroups 3 }
+
+t11FcSpPoStatsObjectsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpPoInRequests,
+ t11FcSpPoInAccepts,
+ t11FcSpPoInRejects
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of MIB objects that contain statistics
+ that can be maintained by FC-SP Security Policy Servers."
+ ::= { t11FcSpPoMIBGroups 4 }
+
+t11FcSpPoNotifyObjectsGroup OBJECT-GROUP
+ OBJECTS { t11FcSpPoNotificationEnable,
+
+
+
+De Santi, et al. Standards Track [Page 151]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoServerAddress,
+ t11FcSpPoLastNotifyType,
+ t11FcSpPoRequestSource,
+ t11FcSpPoReasonCode,
+ t11FcSpPoCtCommandString,
+ t11FcSpPoReasonCodeExp,
+ t11FcSpPoReasonVendorCode
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of MIB objects to control the generation of
+ notifications concerning Fibre Channel Security (FC-SP)
+ policy, and to hold information contained in such
+ notifications."
+ ::= { t11FcSpPoMIBGroups 5 }
+
+t11FcSpPoNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { t11FcSpPoNotifyActivation,
+ t11FcSpPoNotifyActivateFail,
+ t11FcSpPoNotifyDeactivation,
+ t11FcSpPoNotifyDeactivateFail
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of notifications of events concerning
+ Fibre Channel Security (FC-SP) policy."
+ ::= { t11FcSpPoMIBGroups 6 }
+
+END
+
+6.5. The T11-FC-SP-SA-MIB Module
+
+--*******************************************************************
+-- FC-SP Security Associations
+--
+
+T11-FC-SP-SA-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
+ Unsigned32, Counter32, Counter64, TimeTicks, Gauge32,
+ mib-2 FROM SNMPv2-SMI -- [RFC2578]
+ RowStatus, StorageType, AutonomousType, TimeStamp,
+ TruthValue FROM SNMPv2-TC -- [RFC2579]
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP
+ FROM SNMPv2-CONF -- [RFC2580]
+ InterfaceIndex,
+
+
+
+De Santi, et al. Standards Track [Page 152]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ InterfaceIndexOrZero FROM IF-MIB -- [RFC2863]
+ fcmInstanceIndex,
+ FcAddressIdOrZero FROM FC-MGMT-MIB -- [RFC4044]
+ T11FabricIndex FROM T11-TC-MIB -- [RFC4439]
+ T11FcSpType,
+ T11FcSpiIndex,
+ T11FcSpLifetimeLeft,
+ T11FcSpLifetimeLeftUnits,
+ T11FcSpSecurityProtocolId,
+ T11FcRoutingControl,
+ T11FcSaDirection,
+ T11FcSpPrecedence,
+ T11FcSpTransforms FROM T11-FC-SP-TC-MIB;
+
+t11FcSpSaMIB MODULE-IDENTITY
+ LAST-UPDATED "200808200000Z"
+ ORGANIZATION "This MIB module was developed through the
+ coordinated effort of two organizations:
+ T11 began the development and the IETF (in
+ the IMSS Working Group) finished it."
+ CONTACT-INFO
+ " Claudio DeSanti
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ EMail: cds@cisco.com
+
+ Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Email: kzm@cisco.com"
+ DESCRIPTION
+ "This MIB module specifies the management information
+ required to manage Security Associations established via
+ Fibre Channel's FC-SP specification.
+
+ The MIB module consists of six parts:
+
+ - a per-Fabric table, t11FcSpSaIfTable, of capabilities,
+ parameters, status information, and counters; the counters
+ include non-transient aggregates of per-SA transient
+ counters;
+
+ - three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable,
+ and t11FcSpSaTransTable, specifying the proposals for an
+ FC-SP entity acting as an SA_Initiator to present to the
+ SA_Responder during the negotiation of Security
+
+
+
+De Santi, et al. Standards Track [Page 153]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ Associations. The same information is also used by an
+ FC-SP entity acting as an SA_Responder to decide what to
+ accept during the negotiation of Security Associations.
+ One of these tables, t11FcSpSaTransTable, is used not only
+ for information about security transforms to propose and
+ to accept, but also as agreed upon during the negotiation
+ of Security Associations;
+
+ - a table, t11FcSpSaTSelDrByTable, of Traffic Selectors
+ having the security action of 'drop' or 'bypass' to be
+ applied either to ingress traffic that is unprotected by
+ FC-SP, or to all egress traffic;
+
+ - four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable,
+ t11FcSpSaTSelNegOutTable, and t11FcSpSaTSelSpiTable,
+ containing information about active bidirectional pairs of
+ Security Associations; in particular, t11FcSpSaPairTable
+ has one row per active bidirectional SA pair,
+ t11FcSpSaTSelNegInTable and t11FcSpSaTSelNegOutTable
+ contain information on the Traffic Selectors negotiated on
+ the SAs, and the t11FcSpSaTSelSpiTable is an alternate
+ lookup table such that the Traffic Selector(s) in use on a
+ particular Security Association can be quickly determined
+ based on the (ingress) SPI value;
+
+ - a table, t11FcSpSaControlTable, of control and other
+ information concerning the generation of notifications for
+ events related to FC-SP Security Associations;
+
+ - one notification, t11FcSpSaNotifyAuthFailure, generated on
+ the occurrence of an Authentication failure for a received
+ FC-2 or CT_IU frame.
+
+ Copyright (C) The IETF Trust (2008). This version
+ of this MIB module is part of RFC 5324; see the RFC
+ itself for full legal notices."
+ REVISION "200808200000Z"
+ DESCRIPTION
+ "Initial version of this MIB module, published as RFC 5324."
+ ::= { mib-2 179 }
+
+t11FcSpSaMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpSaMIB 0 }
+t11FcSpSaMIBObjects OBJECT IDENTIFIER ::= { t11FcSpSaMIB 1 }
+t11FcSpSaMIBConformance OBJECT IDENTIFIER ::= { t11FcSpSaMIB 2 }
+t11FcSpSaBase OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 1 }
+t11FcSpSaConfig OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 2 }
+t11FcSpSaActive OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 3 }
+t11FcSpSaControl OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 4 }
+
+
+
+De Santi, et al. Standards Track [Page 154]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+-- Base-level Per-Fabric Information
+--
+
+t11FcSpSaIfTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing per-Fabric information related to
+ FC-SP Security Associations."
+ ::= { t11FcSpSaBase 1 }
+
+t11FcSpSaIfEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information related to Security
+ Associations on a particular Fabric, and managed as part
+ of the Fibre Channel management instance identified by
+ fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaIfIndex,
+ t11FcSpSaIfFabricIndex }
+ ::= { t11FcSpSaIfTable 1 }
+
+T11FcSpSaIfEntry ::= SEQUENCE {
+ t11FcSpSaIfIndex InterfaceIndexOrZero,
+ t11FcSpSaIfFabricIndex T11FabricIndex,
+ -- capabilities
+ t11FcSpSaIfEspHeaderCapab T11FcSpTransforms,
+ t11FcSpSaIfCTAuthCapab T11FcSpTransforms,
+ t11FcSpSaIfIKEv2Capab T11FcSpTransforms,
+ t11FcSpSaIfIkev2AuthCapab TruthValue,
+ -- parameters and status
+ t11FcSpSaIfStorageType StorageType,
+ t11FcSpSaIfReplayPrevention TruthValue,
+ t11FcSpSaIfReplayWindowSize Unsigned32,
+ t11FcSpSaIfDeadPeerDetections Counter32,
+ t11FcSpSaIfTerminateAllSas INTEGER,
+ -- summary frame counters
+ t11FcSpSaIfOutDrops Counter64,
+ t11FcSpSaIfOutBypasses Counter64,
+ t11FcSpSaIfOutProcesses Counter64,
+ t11FcSpSaIfOutUnMatcheds Counter64,
+ t11FcSpSaIfInUnprotUnmtchDrops Counter64,
+ -- aggregates of per-SA transient counters
+ t11FcSpSaIfInDetReplays Counter64,
+
+
+
+De Santi, et al. Standards Track [Page 155]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpSaIfInUnprotMtchDrops Counter64,
+ t11FcSpSaIfInBadXforms Counter64,
+ t11FcSpSaIfInGoodXforms Counter64,
+ t11FcSpSaIfInProtUnmtchs Counter64
+}
+
+t11FcSpSaIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndexOrZero
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object has a non-zero value to identify a particular
+ interface, or the value zero to indicate that the
+ information in this row applies to all (of the management
+ instance's) interfaces to the particular Fabric.
+
+ If any row has a non-zero value of t11FcSpSaIfIndex, then
+ all rows for the same Fibre Channel management instance must
+ also have a non-zero value of t11FcSpSaIfIndex and thereby
+ be specific to a particular interface.
+
+ As and when zero values of t11FcSpSaIfIndex are used in
+ this table, then they must also be used in each other
+ table that has t11FcSpSaIfIndex in its INDEX clause."
+ ::= { t11FcSpSaIfEntry 1 }
+
+t11FcSpSaIfFabricIndex OBJECT-TYPE
+ SYNTAX T11FabricIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ Fabric."
+ ::= { t11FcSpSaIfEntry 2 }
+
+t11FcSpSaIfEspHeaderCapab OBJECT-TYPE
+ SYNTAX T11FcSpTransforms
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A list of the standardized transforms supported by this
+ entity on this interface for ESP_Header protection."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Appendix A.3.1, tables A.23, A.25."
+ ::= { t11FcSpSaIfEntry 3 }
+
+
+
+
+De Santi, et al. Standards Track [Page 156]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpSaIfCTAuthCapab OBJECT-TYPE
+ SYNTAX T11FcSpTransforms
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A list of the standardized transforms supported by this
+ entity on this interface for CT_Authentication protection."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Appendix A.3.1, tables A.23, A.25."
+ ::= { t11FcSpSaIfEntry 4 }
+
+t11FcSpSaIfIKEv2Capab OBJECT-TYPE
+ SYNTAX T11FcSpTransforms
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A list of the standardized transforms supported by this
+ entity on this interface with IKEv2 protection."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, Appendix A.3.1, tables A.23, A.24,
+ A.25, A.26."
+ ::= { t11FcSpSaIfEntry 5 }
+
+t11FcSpSaIfIkev2AuthCapab OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of whether the entity is capable of
+ supporting the IKEv2-AUTH protocol on this interface, i.e.,
+ concatenation of Authentication and SA Management
+ Transactions, such that an SA Management Transaction is
+ used to perform both the authentication function and
+ SA management."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.7.2, and table A.27."
+ ::= { t11FcSpSaIfEntry 6 }
+
+t11FcSpSaIfStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-write
+ STATUS current
+
+
+
+De Santi, et al. Standards Track [Page 157]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DESCRIPTION
+ "This object specifies the memory realization of
+ information related to FC-SP Security Associations
+ for interface(s) to a particular Fabric; specifically,
+ for rows created and/or modified in these tables:
+
+ t11FcSpSaPropTable
+ t11FcSpSaTSelDrByTable
+ t11FcSpSaControlTable
+
+ and, for modified information contained in the same
+ row as an instance of this object.
+
+ Even if an instance of this object has the value
+ 'permanent(4)', none of the information defined in
+ this MIB module for interface(s) to the given Fabric
+ need to be writable."
+ ::= { t11FcSpSaIfEntry 7 }
+
+t11FcSpSaIfReplayPrevention OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object indicates whether anti-replay protection is
+ enabled for frame reception on this interface.
+
+ Note that the replay-protection mechanism in FC-SP is
+ conceptually similar to the corresponding mechanism in
+ IPsec ESP."
+ REFERENCE
+ "- IP Encapsulating Security Payload (ESP),
+ RFC 4303, December 2005, section 3.3.3."
+ ::= { t11FcSpSaIfEntry 8 }
+
+t11FcSpSaIfReplayWindowSize OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The size of the replay window to be used when
+ anti-replay protection is enabled for frame reception
+ on this interface.
+
+ Note that the replay-protection mechanism in FC-SP is
+ conceptually similar to the corresponding mechanism in
+ IPsec ESP."
+ REFERENCE
+
+
+
+De Santi, et al. Standards Track [Page 158]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "- IP Encapsulating Security Payload (ESP),
+ RFC 4303, December 2005, section 3.4.3."
+ ::= { t11FcSpSaIfEntry 9 }
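Review bot: t11FcSpSaIfReplayWindowSize is declared as a bare `SYNTAX Unsigned32` with `MAX-ACCESS read-write` and has no range, UNITS or DEFVAL clause, and its DESCRIPTION never says what the size is counted in or whether zero is a legal value while t11FcSpSaIfReplayPrevention is true. This object decides which received frames fall 'behind' the window and are counted by t11FcSpSaIfInDetReplays, so the unit and the accepted bounds should be stated, in the way t11FcSpSaPropIndex spells out `Unsigned32 (1..4294967295)`. If the text has to stay identical to the published RFC, record the bounds wherever the handling of this object is documented instead.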
+
+t11FcSpSaIfDeadPeerDetections OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a dead peer condition has been
+ detected on this interface.
+
+ This counter has no discontinuities other than those
+ that all Counter32's have when sysUpTime=0."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 8.5.3.3."
+ ::= { t11FcSpSaIfEntry 10 }
+
+t11FcSpSaIfTerminateAllSas OBJECT-TYPE
+ SYNTAX INTEGER { noop(1), terminate(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Setting this object to 'terminate' is a request to
+ terminate all outstanding Security Associations on this
+ interface.
+
+ When read, the value of this object is always 'noop'.
+ Setting this object to 'noop' has no effect."
+ ::= { t11FcSpSaIfEntry 11 }
+
+t11FcSpSaIfOutDrops OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output frames that were dropped, instead
+ of being transmitted on this interface, because they matched
+ an active (at that time) Traffic Selector with an action of
+ 'Drop'.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 12 }
+
+t11FcSpSaIfOutBypasses OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 159]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output frames that were transmitted
+ unchanged by FC-SP on this interface because they matched
+ an active (at that time) Traffic Selector with an action
+ of 'Bypass'.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 13 }
+
+t11FcSpSaIfOutProcesses OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output frames that were protected by FC-SP
+ before being transmitted on this interface because they
+ matched an active (at that time) Traffic Selector with an
+ action of 'Process'.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 14 }
+
+t11FcSpSaIfOutUnMatcheds OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames that were transmitted unchanged by
+ FC-SP on this interface because they did not match any
+ Traffic Selector active at that time.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 15 }
+
+t11FcSpSaIfInUnprotUnmtchDrops OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames received on this interface that
+ were dropped because they were unprotected and did not
+ match any Traffic Selector active at that time.
+
+
+
+De Santi, et al. Standards Track [Page 160]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 16 }
+
+t11FcSpSaIfInDetReplays OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a replay has been detected on
+ a Security Association that is currently active or was
+ previously active on this interface. Note that a frame
+ that is discarded because it is 'behind' the window,
+ i.e., too old, is counted as a replay.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 17 }
+
+t11FcSpSaIfInUnprotMtchDrops OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a frame received on this
+ interface was dropped because it matched with a Traffic
+ Selector for a Security Association that was active at
+ the time of receipt but the frame was not protected as
+ negotiated for that Security Association.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 18 }
+
+t11FcSpSaIfInBadXforms OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a frame received on this
+ interface was dropped because of a failure of one of the
+ transforms negotiated for the Security Association on
+ which it was received.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 19 }
+
+
+
+
+De Santi, et al. Standards Track [Page 161]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpSaIfInGoodXforms OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames received on this interface on a
+ Security Association for which the transforms negotiated
+ for that Security Association were successfully applied,
+ and that matched a Traffic Selector for that Security
+ Association.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 20 }
+
+t11FcSpSaIfInProtUnmtchs OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames received on this interface that
+ were dropped because they did not match any of the Traffic
+ Selectors negotiated for the Security Association on which
+ they were received, even though the Security Association's
+ transforms were successfully applied.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaIfEntry 21 }
+
+--
+-- Proposals to present in Security Association negotiation
+--
+
+t11FcSpSaPropTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaPropEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of proposals for an FC-SP entity acting as an
+ SA_Initiator to present to the SA_Responder during the
+ negotiation of Security Associations. This information
+ is also used by an FC-SP entity acting as an SA_Responder
+ to decide what to accept during the negotiation of
+ Security Associations."
+ ::= { t11FcSpSaConfig 1 }
+
+t11FcSpSaPropEntry OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 162]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSpSaPropEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one proposal for
+ the FC-SP entity to present, or what to accept, during
+ the negotiation of Security Associations on one or more
+ interfaces (identified by t11FcSpSaIfIndex) to a
+ particular Fabric (identified by t11FcSpSaIfFabricIndex),
+ and managed as part of the Fibre Channel management
+ instance identified by fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by
+ the instance of t11FcSpSaIfStorageType that is INDEX-ed
+ by the same values of fcmInstanceIndex, t11FcSpSaIfIndex
+ and t11FcSpSaIfFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaIfIndex,
+ t11FcSpSaIfFabricIndex,
+ t11FcSpSaPropIndex }
+ ::= { t11FcSpSaPropTable 1 }
+
+T11FcSpSaPropEntry ::= SEQUENCE {
+ t11FcSpSaPropIndex Unsigned32,
+ t11FcSpSaPropSecurityProt T11FcSpSecurityProtocolId,
+ t11FcSpSaPropTSelListIndex Unsigned32,
+ t11FcSpSaPropTransListIndex Unsigned32,
+ t11FcSpSaPropAcceptAlgorithm INTEGER,
+ t11FcSpSaPropOutMatchSucceeds Counter64,
+ t11FcSpSaPropRowStatus RowStatus
+}
+
+t11FcSpSaPropIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ proposal for use on one or more interfaces to a Fabric."
+ ::= { t11FcSpSaPropEntry 1 }
+
+t11FcSpSaPropSecurityProt OBJECT-TYPE
+ SYNTAX T11FcSpSecurityProtocolId
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Security Protocol identifier for this proposal, i.e.,
+ whether the proposal is for traffic to be protected using
+ ESP_Header or CT_Authentication."
+
+
+
+De Santi, et al. Standards Track [Page 163]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.3.2.2 and table 67."
+ ::= { t11FcSpSaPropEntry 2 }
+
+t11FcSpSaPropTSelListIndex OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "When the value of this object is non-zero, it points
+ to the proposal's list of Traffic Selectors. The value
+ must be non-zero in an active row of this table.
+
+ The identified list is represented by all rows in the
+ t11FcSpSaTSelPropTable for which t11FcSpSaTSelPropListIndex
+ has the same value as this object (and with corresponding
+ values of t11FcSpSaIfIndex and fcmInstanceIndex)."
+ ::= { t11FcSpSaPropEntry 3 }
+
+t11FcSpSaPropTransListIndex OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "When the value of this object is non-zero, it points to
+ the proposal's list of Transforms. The value must be
+ non-zero in an active row of this table.
+
+ The identified list is represented by all rows in the
+ t11FcSpSaTransTable for which t11FcSpSaTransListIndex
+ has the same value as this object (and with corresponding
+ values of t11FcSpSaIfIndex and fcmInstanceIndex)."
+ ::= { t11FcSpSaPropEntry 4 }
+
+t11FcSpSaPropAcceptAlgorithm OBJECT-TYPE
+ SYNTAX INTEGER {
+ intersection(1),
+ union(2),
+ other(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The algorithm by which an SA_Responder in an SA negotiation
+ decides on which Traffic Selectors to specify in a response
+ to an IKE_Create_Child_SA request. This algorithm is used
+
+
+
+De Santi, et al. Standards Track [Page 164]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ when the Traffic Selectors specified by an SA_Initiator in
+ an IKE_Create_Child_SA request overlap with this proposal's
+ list of Traffic Selectors:
+
+ intersection(1) - the SA_Responder specifies the largest
+ subset of what the SA_Initiator proposed,
+ which is also a subset of this proposal's
+ Traffic Selectors.
+
+ union(2) - the SA_Responder specifies the smallest
+ superset of what the SA_Initiator proposed,
+ which is also a superset of this proposal's
+ Traffic Selectors.
+
+ other(3) - the SA_Responder uses some other algorithm.
+ "
+ ::= { t11FcSpSaPropEntry 5 }
+
+t11FcSpSaPropOutMatchSucceeds OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of egress frames that have matched a Traffic
+ Selector that was negotiated to select traffic for an
+ SA based on this proposal being accepted.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaPropEntry 6 }
+
+t11FcSpSaPropRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of a row. Values of object instances
+ within an active row can be modified at any time.
+
+ The status cannot be set to 'active' unless and
+ until the instances of t11FcSpSaPropTSelListIndex
+ and t11FcSpSaPropTransListIndex in the row have
+ been set to point to active rows in the
+ t11FcSpSaTSelPropTable and t11FcSpSaTransTable
+ tables, respectively. A row in this table is
+ deleted if the active rows it points to are deleted."
+ ::= { t11FcSpSaPropEntry 7 }
+
+
+
+
+De Santi, et al. Standards Track [Page 165]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+-- Traffic Selector Proposals
+--
+
+t11FcSpSaTSelPropTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaTSelPropEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about Traffic Selectors
+ to propose and/or to accept during the negotiation of
+ Security Associations."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5.
+ - Use of IKEv2 in FC-SP, RFC 4595,
+ July 2006, section 4.4."
+ ::= { t11FcSpSaConfig 2 }
+
+t11FcSpSaTSelPropEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaTSelPropEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one Traffic
+ Selector within a list of Traffic Selectors to propose,
+ or for use in determining what to accept during Security
+ Association negotiation.
+
+ One such list is configured for use on a Fabric by
+ configuring the list's value of t11FcSpSaTSelPropListIndex
+ as the value of an instance of t11FcSpSaPropTSelListIndex,
+ for corresponding values of t11FcSpSaIfIndex and
+ fcmInstanceIndex. Further, the proposing and accepting
+ of Traffic Selectors is only done as a part of a proposal
+ specified by a row of the t11FcSpSaPropTable, i.e.,
+ in combination with the proposing and accepting of security
+ transforms as specified by the combination of
+ t11FcSpSaPropTSelListIndex and t11FcSpSaPropTransListIndex
+ in one row of the t11FcSpSaPropTable.
+
+ The StorageType of a row in this table is specified by
+ the instance of t11FcSpSaTSelPropStorageType in that row."
+ INDEX { fcmInstanceIndex, t11FcSpSaIfIndex,
+ t11FcSpSaTSelPropListIndex, t11FcSpSaTSelPropPrecedence }
+ ::= { t11FcSpSaTSelPropTable 1 }
+
+
+
+
+De Santi, et al. Standards Track [Page 166]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+T11FcSpSaTSelPropEntry ::= SEQUENCE {
+ t11FcSpSaTSelPropListIndex Unsigned32,
+ t11FcSpSaTSelPropPrecedence T11FcSpPrecedence,
+ t11FcSpSaTSelPropDirection T11FcSaDirection,
+ t11FcSpSaTSelPropStartSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelPropEndSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelPropStartDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelPropEndDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelPropStartRCtl T11FcRoutingControl,
+ t11FcSpSaTSelPropEndRCtl T11FcRoutingControl,
+ t11FcSpSaTSelPropStartType T11FcSpType,
+ t11FcSpSaTSelPropEndType T11FcSpType,
+ t11FcSpSaTSelPropStorageType StorageType,
+ t11FcSpSaTSelPropRowStatus RowStatus
+}
+
+t11FcSpSaTSelPropListIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that identifies a particular list of
+ Traffic Selectors."
+ ::= { t11FcSpSaTSelPropEntry 1 }
+
+t11FcSpSaTSelPropPrecedence OBJECT-TYPE
+ SYNTAX T11FcSpPrecedence
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The precedence of this Traffic Selector. Each
+ Traffic Selector within a particular list of
+ Traffic Selectors must have a different precedence.
+
+ If an egress frame matches multiple Traffic Selectors,
+ it should be transmitted on the SA associated with the
+ Traffic Selector having the numerically smallest
+ precedence value."
+ ::= { t11FcSpSaTSelPropEntry 2 }
+
+t11FcSpSaTSelPropDirection OBJECT-TYPE
+ SYNTAX T11FcSaDirection
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An indication of whether this Traffic Selector is
+ to be proposed for ingress or egress traffic."
+ DEFVAL { egress }
+
+
+
+De Santi, et al. Standards Track [Page 167]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpSaTSelPropEntry 3 }
+
+t11FcSpSaTSelPropStartSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { '000000'h }
+ ::= { t11FcSpSaTSelPropEntry 4 }
+
+t11FcSpSaTSelPropEndSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { 'FFFFFF'h }
+ ::= { t11FcSpSaTSelPropEntry 5 }
+
+t11FcSpSaTSelPropStartDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { '000000'h }
+ ::= { t11FcSpSaTSelPropEntry 6 }
+
+t11FcSpSaTSelPropEndDstAddr OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 168]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { 'FFFFFF'h }
+ ::= { t11FcSpSaTSelPropEntry 7 }
+
+t11FcSpSaTSelPropStartRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { '00'h }
+ ::= { t11FcSpSaTSelPropEntry 8 }
+
+t11FcSpSaTSelPropEndRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { 'FF'h }
+ ::= { t11FcSpSaTSelPropEntry 9 }
+
+t11FcSpSaTSelPropStartType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-create
+ STATUS current
+
+
+
+De Santi, et al. Standards Track [Page 169]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DESCRIPTION
+ "The numerically smallest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { '0000'h }
+ ::= { t11FcSpSaTSelPropEntry 10 }
+
+t11FcSpSaTSelPropEndType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.4.5."
+ DEFVAL { 'FFFF'h }
+ ::= { t11FcSpSaTSelPropEntry 11 }
+
+t11FcSpSaTSelPropStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object specifies the memory realization of
+ the information in this row.
+
+ Even if an instance of this object has the value
+ 'permanent(4)', none of the information in its row
+ needs to be writable."
+ ::= { t11FcSpSaTSelPropEntry 12 }
+
+t11FcSpSaTSelPropRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpSaTSelPropEntry 13 }
+
+
+
+
+De Santi, et al. Standards Track [Page 170]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+--
+-- Transform Proposals
+--
+
+t11FcSpSaTransTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaTransEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about security transforms
+ to propose, to accept and/or agreed upon during the
+ negotiation of Security Associations."
+ ::= { t11FcSpSaConfig 3 }
+
+t11FcSpSaTransEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaTransEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one proposal within a
+ list of security transforms to be proposed, to be accepted,
+ or already agreed upon, for use on a pair of Security
+ Associations on one or more interfaces (identified by
+ t11FcSpSaIfIndex), managed as part of the Fibre Channel
+ management instance identified by fcmInstanceIndex.
+
+ One such list is configured to be proposed or accepted for
+ use on a Fabric, by having the list's value of
+ t11FcSpSaTransListIndex be the value of an instance of
+ t11FcSpSaPropTransListIndex for that Fabric. Further,
+ the proposing and accepting of security transforms is only
+ done as a part of a proposal specified by a row of the
+ t11FcSpSaPropTable, i.e., in combination with the proposing
+ and accepting of Traffic Selectors as specified by the
+ combination of t11FcSpSaPropTSelListIndex and
+ t11FcSpSaPropTransListIndex in one row of the
+ t11FcSpSaPropTable.
+
+ The security (encryption and integrity) transform in use on
+ an SA pair is indicated by having the pair's values of
+ t11FcSpSaPairTransListIndex and t11FcSpSaPairTransIndex
+ contain the values of t11FcSpSaTransListIndex and
+ t11FcSpSaTransIndex for the transform's row in this table.
+
+ The StorageType of a row in this table is specified by
+ the instance of t11FcSpSaTransStorageType in that row."
+ INDEX { fcmInstanceIndex, t11FcSpSaIfIndex,
+ t11FcSpSaTransListIndex, t11FcSpSaTransIndex }
+
+
+
+De Santi, et al. Standards Track [Page 171]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpSaTransTable 1 }
+
+T11FcSpSaTransEntry ::= SEQUENCE {
+ t11FcSpSaTransListIndex Unsigned32,
+ t11FcSpSaTransIndex Unsigned32,
+ t11FcSpSaTransSecurityProt T11FcSpSecurityProtocolId,
+ t11FcSpSaTransEncryptAlg AutonomousType,
+ t11FcSpSaTransEncryptKeyLen Unsigned32,
+ t11FcSpSaTransIntegrityAlg AutonomousType,
+ t11FcSpSaTransStorageType StorageType,
+ t11FcSpSaTransRowStatus RowStatus
+}
+
+t11FcSpSaTransListIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies a particular
+ list of security transforms to be proposed, to be accepted,
+ or already agreed upon."
+ ::= { t11FcSpSaTransEntry 1 }
+
+t11FcSpSaTransIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that uniquely identifies one security
+ transform within a list identified by
+ t11FcSpSaTransListIndex."
+ ::= { t11FcSpSaTransEntry 2 }
+
+t11FcSpSaTransSecurityProt OBJECT-TYPE
+ SYNTAX T11FcSpSecurityProtocolId
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Security Protocol identifier that indicates
+ whether this transform is for traffic to be protected
+ using ESP_Header or using CT_Authentication."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.3.2.2 and table 67."
+ ::= { t11FcSpSaTransEntry 3 }
+
+t11FcSpSaTransEncryptAlg OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 172]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX AutonomousType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Encryption Algorithm for this transform."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.3.2.3 and tables 69 & 70."
+ ::= { t11FcSpSaTransEntry 4 }
+
+t11FcSpSaTransEncryptKeyLen OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The key length in bits to be used with an encryption
+ algorithm that has a variable length key. This object
+ is ignored when the corresponding instance of
+ t11FcSpSaTransEncryptAlg specifies an algorithm with a
+ fixed length key."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.3.2.5 and table 77."
+ ::= { t11FcSpSaTransEntry 5 }
+
+t11FcSpSaTransIntegrityAlg OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Integrity Algorithm for this transform."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, section 6.3.2.3 and tables 69 & 72."
+ ::= { t11FcSpSaTransEntry 6 }
+
+t11FcSpSaTransStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object specifies the memory realization of
+ the information in this row.
+
+ Even if an instance of this object has the value
+
+
+
+De Santi, et al. Standards Track [Page 173]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ 'permanent(4)', none of the information in its row
+ needs to be writable."
+ ::= { t11FcSpSaTransEntry 7 }
+
+t11FcSpSaTransRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row.
+
+ When an instance of t11FcSpSaPairTransListIndex points to
+ a row in this table, values of object instances in the row
+ cannot be modified nor can the row be deleted. Otherwise,
+ a row can be modified or deleted at any time."
+ ::= { t11FcSpSaTransEntry 8 }
+
+--
+-- Traffic Selectors for Drop & Bypass
+--
+
+t11FcSpSaTSelDrByTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaTSelDrByEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing Traffic Selectors to select which
+ traffic is to be dropped or is to bypass further
+ security processing."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 4.6, 4.7, and 6.4.5.
+ - Use of IKEv2 in FC-SP, RFC 4595,
+ July 2006, section 4.4."
+ ::= { t11FcSpSaConfig 4 }
+
+t11FcSpSaTSelDrByEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaTSelDrByEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry represents one Traffic Selector having the
+ security action of 'drop' or 'bypass', which is applied
+ based on a precedence value, either to ingress traffic
+ that is unprotected by FC-SP, or to all egress
+ traffic on one or more interfaces (identified by
+ t11FcSpSaIfIndex) to a particular Fabric (identified
+
+
+
+De Santi, et al. Standards Track [Page 174]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ by t11FcSpSaIfFabricIndex), and managed as part of the Fibre
+ Channel management instance identified by fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by
+ the instance of t11FcSpSaIfStorageType that is INDEX-ed
+ by the same values of fcmInstanceIndex, t11FcSpSaIfIndex
+ and t11FcSpSaIfFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, t11FcSpSaIfFabricIndex,
+ t11FcSpSaTSelDrByDirection, t11FcSpSaTSelDrByPrecedence }
+ ::= { t11FcSpSaTSelDrByTable 1 }
+
+T11FcSpSaTSelDrByEntry ::= SEQUENCE {
+ t11FcSpSaTSelDrByDirection T11FcSaDirection,
+ t11FcSpSaTSelDrByPrecedence T11FcSpPrecedence,
+ t11FcSpSaTSelDrByAction INTEGER,
+ t11FcSpSaTSelDrByStartSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelDrByEndSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelDrByStartDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelDrByEndDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelDrByStartRCtl T11FcRoutingControl,
+ t11FcSpSaTSelDrByEndRCtl T11FcRoutingControl,
+ t11FcSpSaTSelDrByStartType T11FcSpType,
+ t11FcSpSaTSelDrByEndType T11FcSpType,
+ t11FcSpSaTSelDrByMatches Counter64,
+ t11FcSpSaTSelDrByRowStatus RowStatus
+}
+
+t11FcSpSaTSelDrByDirection OBJECT-TYPE
+ SYNTAX T11FcSaDirection
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An indication of whether this Traffic Selector is
+ for ingress or egress traffic."
+ ::= { t11FcSpSaTSelDrByEntry 1 }
+
+t11FcSpSaTSelDrByPrecedence OBJECT-TYPE
+ SYNTAX T11FcSpPrecedence
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The precedence of this Traffic Selector. If and when a
+ frame is compared against multiple Traffic Selectors, and
+ multiple of them have a match with the frame, the security
+ action to be taken for the frame is that specified for the
+ matching Traffic Selector having the numerically smallest
+ precedence value."
+ ::= { t11FcSpSaTSelDrByEntry 2 }
+
+
+
+De Santi, et al. Standards Track [Page 175]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpSaTSelDrByAction OBJECT-TYPE
+ SYNTAX INTEGER { drop(1), bypass(2) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The security action to be taken for a frame that
+ matches this Traffic Selector."
+ DEFVAL { drop }
+ ::= { t11FcSpSaTSelDrByEntry 3 }
+
+t11FcSpSaTSelDrByStartSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ DEFVAL { '000000'h }
+ ::= { t11FcSpSaTSelDrByEntry 4 }
+
+t11FcSpSaTSelDrByEndSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ DEFVAL { 'FFFFFF'h }
+ ::= { t11FcSpSaTSelDrByEntry 5 }
+
+t11FcSpSaTSelDrByStartDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ DEFVAL { '000000'h }
+ ::= { t11FcSpSaTSelDrByEntry 6 }
+
+t11FcSpSaTSelDrByEndDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 176]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "The numerically largest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ DEFVAL { 'FFFFFF'h }
+ ::= { t11FcSpSaTSelDrByEntry 7 }
+
+t11FcSpSaTSelDrByStartRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ DEFVAL { '00'h }
+ ::= { t11FcSpSaTSelDrByEntry 8 }
+
+t11FcSpSaTSelDrByEndRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ DEFVAL { 'FF'h }
+ ::= { t11FcSpSaTSelDrByEntry 9 }
+
+t11FcSpSaTSelDrByStartType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ DEFVAL { '0000'h }
+ ::= { t11FcSpSaTSelDrByEntry 10 }
+
+t11FcSpSaTSelDrByEndType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The numerically largest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ DEFVAL { 'FFFF'h }
+
+
+
+De Santi, et al. Standards Track [Page 177]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ ::= { t11FcSpSaTSelDrByEntry 11 }
+
+t11FcSpSaTSelDrByMatches OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames for which the action specified by
+ the corresponding instance of t11FcSpSaTSelDrByAction was
+ taken because of a match with this Traffic Selector.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaTSelDrByEntry 12 }
+
+t11FcSpSaTSelDrByRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this row. Values of object instances
+ within the row can be modified at any time."
+ ::= { t11FcSpSaTSelDrByEntry 13 }
+
+--
+-- Active Security Associations
+--
+
+t11FcSpSaPairTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaPairEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about active
+ bidirectional pairs of Security Associations."
+ ::= { t11FcSpSaActive 1 }
+
+t11FcSpSaPairEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaPairEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one active
+ bidirectional pair of Security Associations on an
+ interface to a particular Fabric (identified by
+ t11FcSpSaIfFabricIndex), managed as part of the Fibre
+ Channel management instance identified by
+ fcmInstanceIndex."
+
+
+
+De Santi, et al. Standards Track [Page 178]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex,
+ t11FcSpSaIfFabricIndex, t11FcSpSaPairInboundSpi }
+ ::= { t11FcSpSaPairTable 1 }
+
+T11FcSpSaPairEntry ::= SEQUENCE {
+ t11FcSpSaPairIfIndex InterfaceIndex,
+ t11FcSpSaPairInboundSpi T11FcSpiIndex,
+ t11FcSpSaPairSecurityProt T11FcSpSecurityProtocolId,
+ t11FcSpSaPairTransListIndex Unsigned32,
+ t11FcSpSaPairTransIndex Unsigned32,
+ t11FcSpSaPairLifetimeLeft T11FcSpLifetimeLeft,
+ t11FcSpSaPairLifetimeLeftUnits T11FcSpLifetimeLeftUnits,
+ t11FcSpSaPairTerminate INTEGER,
+ t11FcSpSaPairInProtUnMatchs Counter64,
+ t11FcSpSaPairInDetReplays Counter64,
+ t11FcSpSaPairInBadXforms Counter64,
+ t11FcSpSaPairInGoodXforms Counter64
+}
+
+t11FcSpSaPairIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This object identifies the interface to the particular
+ Fabric on which this SA pair is active."
+ ::= { t11FcSpSaPairEntry 1 }
+
+t11FcSpSaPairInboundSpi OBJECT-TYPE
+ SYNTAX T11FcSpiIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The SPI value that is used to indicate that an incoming
+ frame was received on the ingress SA of this SA pair."
+ ::= { t11FcSpSaPairEntry 2 }
+
+t11FcSpSaPairSecurityProt OBJECT-TYPE
+ SYNTAX T11FcSpSecurityProtocolId
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The object indicates whether this SA uses ESP_Header to
+ protect FC-2 frames, or CT_Authentication to protect Common
+ Transport Information Units (CT_IUs)."
+ ::= { t11FcSpSaPairEntry 3 }
+
+t11FcSpSaPairTransListIndex OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 179]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The combination of this value and the value of the
+ corresponding instance of t11FcSpSaPairTransIndex
+ identify the row in the t11FcSpSaTransTable that
+ contains the transforms that are in use on this SA pair."
+ ::= { t11FcSpSaPairEntry 4 }
+
+t11FcSpSaPairTransIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The combination of this value and the value of the
+ corresponding instance of t11FcSpSaPairTransListIndex
+ identify the row in the t11FcSpSaTransTable that
+ contains the transforms that are in use on this SA pair."
+ ::= { t11FcSpSaPairEntry 5 }
+
+t11FcSpSaPairLifetimeLeft OBJECT-TYPE
+ SYNTAX T11FcSpLifetimeLeft
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The remaining lifetime of this SA pair, given in the
+ units specified by the value of the corresponding
+ instance of t11FcSpSaPairLifetimeLeft."
+ ::= { t11FcSpSaPairEntry 6 }
+
+t11FcSpSaPairLifetimeLeftUnits OBJECT-TYPE
+ SYNTAX T11FcSpLifetimeLeftUnits
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The units in which the value of the corresponding
+ instance of t11FcSpSaPairLifetimeLeft specifies the
+ remaining lifetime of this SA pair."
+ ::= { t11FcSpSaPairEntry 7 }
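Review bot: the DESCRIPTION of t11FcSpSaPairLifetimeLeft refers to itself for its units ("given in the units specified by the value of the corresponding instance of t11FcSpSaPairLifetimeLeft"), where the object that carries the units is t11FcSpSaPairLifetimeLeftUnits, defined immediately after it. The clause as written is circular, so a reader or a generated poller that follows it literally has no way to tell what unit the remaining lifetime is expressed in. Anything that alarms on SA pairs nearing expiry should read both columns of the same t11FcSpSaPairEntry row together. Because doc/rfc/rfc5324.txt is imported as a copy of the published RFC, it is reasonable to leave the text as it is here and record the intended reading (t11FcSpSaPairLifetimeLeftUnits) in the commit message or next to the code that consumes this MIB.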
+
+t11FcSpSaPairTerminate OBJECT-TYPE
+ SYNTAX INTEGER { noop(1), terminate(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Setting this object to 'terminate' is a request
+ to terminate this pair of Security Associations.
+
+
+
+De Santi, et al. Standards Track [Page 180]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ When read, the value of this object is always 'noop'.
+ Setting this object to 'noop' has no effect."
+ ::= { t11FcSpSaPairEntry 8 }
+
+t11FcSpSaPairInProtUnMatchs OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames received on this SA for which the
+ SA's transforms were successfully applied to the frame,
+ but the frame was still dropped because it did not match
+ any of the SA's ingress Traffic Selectors.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaPairEntry 9 }
+
+t11FcSpSaPairInDetReplays OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a replay has been detected on
+ this Security Association. Note that a frame that is
+ discarded because it is 'behind' the window, i.e., too old,
+ is counted as a replay.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaPairEntry 10 }
+
+t11FcSpSaPairInBadXforms OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a received frame was dropped
+ because one of the transforms negotiated for this Security
+ Association failed.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaPairEntry 11 }
+
+t11FcSpSaPairInGoodXforms OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+
+
+
+De Santi, et al. Standards Track [Page 181]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "The number of received frames for which the transforms
+ negotiated for this Security Association, were
+ successfully applied.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaPairEntry 12 }
+
+--
+-- Negotiated Ingress Traffic Selectors
+--
+
+t11FcSpSaTSelNegInTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaTSelNegInEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about ingress Traffic
+ Selectors that are in use on active Security
+ Associations."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 4.6, 4.7, and 6.4.5.
+ - Use of IKEv2 in FC-SP, RFC 4595,
+ July 2006, section 4.4."
+ ::= { t11FcSpSaActive 2 }
+
+t11FcSpSaTSelNegInEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaTSelNegInEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one ingress Traffic
+ Selector that is in use on an active Security Association
+ on an interface (identified by t11FcSpSaPairIfIndex) to
+ a particular Fabric (identified by t11FcSpSaIfFabricIndex),
+ managed as part of the Fibre Channel management instance
+ identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex,
+ t11FcSpSaIfFabricIndex, t11FcSpSaTSelNegInIndex }
+ ::= { t11FcSpSaTSelNegInTable 1 }
+
+T11FcSpSaTSelNegInEntry ::= SEQUENCE {
+ t11FcSpSaTSelNegInIndex Unsigned32,
+ t11FcSpSaTSelNegInInboundSpi T11FcSpiIndex,
+
+
+
+De Santi, et al. Standards Track [Page 182]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpSaTSelNegInStartSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegInEndSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegInStartDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegInEndDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegInStartRCtl T11FcRoutingControl,
+ t11FcSpSaTSelNegInEndRCtl T11FcRoutingControl,
+ t11FcSpSaTSelNegInStartType T11FcSpType,
+ t11FcSpSaTSelNegInEndType T11FcSpType,
+ t11FcSpSaTSelNegInUnpMtchDrops Counter64
+}
+
+t11FcSpSaTSelNegInIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value to distinguish an ingress Traffic Selector
+ from all others currently in use by Security Associations
+ on the same interface to a particular Fabric."
+ ::= { t11FcSpSaTSelNegInEntry 1 }
+
+t11FcSpSaTSelNegInInboundSpi OBJECT-TYPE
+ SYNTAX T11FcSpiIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The SPI of the ingress SA on which this Traffic Selector
+ is in use.
+
+ This value can be used to find the SA pair's row in the
+ t11FcSpSaPairTable."
+ ::= { t11FcSpSaTSelNegInEntry 2 }
+
+t11FcSpSaTSelNegInStartSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegInEntry 3 }
+
+t11FcSpSaTSelNegInEndSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+
+
+
+De Santi, et al. Standards Track [Page 183]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ "The numerically largest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegInEntry 4 }
+
+t11FcSpSaTSelNegInStartDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ ::= { t11FcSpSaTSelNegInEntry 5 }
+
+t11FcSpSaTSelNegInEndDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ ::= { t11FcSpSaTSelNegInEntry 6 }
+
+t11FcSpSaTSelNegInStartRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ ::= { t11FcSpSaTSelNegInEntry 7 }
+
+t11FcSpSaTSelNegInEndRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ ::= { t11FcSpSaTSelNegInEntry 8 }
+
+t11FcSpSaTSelNegInStartType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-only
+
+
+
+De Santi, et al. Standards Track [Page 184]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegInEntry 9 }
+
+t11FcSpSaTSelNegInEndType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegInEntry 10 }
+
+t11FcSpSaTSelNegInUnpMtchDrops OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that a received frame was dropped
+ because it matched with this Traffic Selector but the
+ frame was not protected as negotiated for the Security
+ Association identified by t11FcSpSaTSelNegInInboundSpi.
+
+ This counter has no discontinuities other than those
+ that all Counter64's have when sysUpTime=0."
+ ::= { t11FcSpSaTSelNegInEntry 11 }
+
+--
+-- Negotiated Egress Traffic Selectors
+--
+
+t11FcSpSaTSelNegOutTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaTSelNegOutEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about egress Traffic
+ Selectors that are in use on active Security
+ Associations."
+ REFERENCE
+ "- ANSI INCITS 426-2007, T11/Project 1570-D,
+ Fibre Channel - Security Protocols (FC-SP),
+ February 2007, sections 4.6, 4.7, and 6.4.5.
+ - Use of IKEv2 in FC-SP, RFC 4595,
+
+
+
+De Santi, et al. Standards Track [Page 185]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ July 2006, section 4.4."
+ ::= { t11FcSpSaActive 3 }
+
+t11FcSpSaTSelNegOutEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaTSelNegOutEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about one egress Traffic
+ Selector that is in use on an active Security Association
+ on an interface (identified by t11FcSpSaPairIfIndex) to
+ a particular Fabric (identified by t11FcSpSaIfFabricIndex),
+ managed as part of the Fibre Channel management instance
+ identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex,
+ t11FcSpSaIfFabricIndex, t11FcSpSaTSelNegOutPrecedence }
+ ::= { t11FcSpSaTSelNegOutTable 1 }
+
+T11FcSpSaTSelNegOutEntry ::= SEQUENCE {
+ t11FcSpSaTSelNegOutPrecedence T11FcSpPrecedence,
+ t11FcSpSaTSelNegOutInboundSpi T11FcSpiIndex,
+ t11FcSpSaTSelNegOutStartSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegOutEndSrcAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegOutStartDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegOutEndDstAddr FcAddressIdOrZero,
+ t11FcSpSaTSelNegOutStartRCtl T11FcRoutingControl,
+ t11FcSpSaTSelNegOutEndRCtl T11FcRoutingControl,
+ t11FcSpSaTSelNegOutStartType T11FcSpType,
+ t11FcSpSaTSelNegOutEndType T11FcSpType
+}
+
+t11FcSpSaTSelNegOutPrecedence OBJECT-TYPE
+ SYNTAX T11FcSpPrecedence
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The precedence of this Traffic Selector. If and when a
+ frame is compared against multiple Traffic Selectors, and
+ multiple of them have a match with the frame, the security
+ action to be taken for the frame is that specified for the
+ matching Traffic Selector having the numerically smallest
+ precedence value."
+ ::= { t11FcSpSaTSelNegOutEntry 1 }
+
+t11FcSpSaTSelNegOutInboundSpi OBJECT-TYPE
+ SYNTAX T11FcSpiIndex
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+De Santi, et al. Standards Track [Page 186]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DESCRIPTION
+ "The SPI of the ingress SA of the SA pair for which this
+ Traffic Selector is in use on the egress SA.
+
+ This value can be used to find the SA pair's row in the
+ t11FcSpSaPairTable."
+ ::= { t11FcSpSaTSelNegOutEntry 2 }
+
+t11FcSpSaTSelNegOutStartSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 3 }
+
+t11FcSpSaTSelNegOutEndSrcAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 24-bit value of a source address
+ (S_ID) of a frame that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 4 }
+
+t11FcSpSaTSelNegOutStartDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 5 }
+
+t11FcSpSaTSelNegOutEndDstAddr OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero (SIZE (3))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 24-bit value of a destination
+ address (D_ID) of a frame that will match with this
+ Traffic Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 6 }
+
+
+
+
+De Santi, et al. Standards Track [Page 187]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpSaTSelNegOutStartRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 7 }
+
+t11FcSpSaTSelNegOutEndRCtl OBJECT-TYPE
+ SYNTAX T11FcRoutingControl
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest 8-bit value contained within a
+ Routing Control (R_CTL) field of a frame that will match
+ with this Traffic Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 8 }
+
+t11FcSpSaTSelNegOutStartType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically smallest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 9 }
+
+t11FcSpSaTSelNegOutEndType OBJECT-TYPE
+ SYNTAX T11FcSpType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The numerically largest of a range of possible 'type'
+ values of frames that will match with this Traffic
+ Selector."
+ ::= { t11FcSpSaTSelNegOutEntry 10 }
+
+--
+-- Traffic Selectors index-ed by SPI
+--
+
+t11FcSpSaTSelSpiTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaTSelSpiEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+
+
+
+De Santi, et al. Standards Track [Page 188]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ DESCRIPTION
+ "A table identifying the Traffic Selectors in use on
+ particular Security Associations, INDEX-ed by their
+ (ingress) SPI values."
+ ::= { t11FcSpSaActive 4 }
+
+t11FcSpSaTSelSpiEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaTSelSpiEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry identifies one Traffic Selector in use on an SA
+ pair on the interface (identified by t11FcSpSaPairIfIndex)
+ to a particular Fabric (identified by
+ t11FcSpSaIfFabricIndex), and managed as part of the Fibre
+ Channel management instance identified by fcmInstanceIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex,
+ t11FcSpSaIfFabricIndex,
+ t11FcSpSaTSelSpiInboundSpi, t11FcSpSaTSelSpiTrafSelIndex }
+ ::= { t11FcSpSaTSelSpiTable 1 }
+
+T11FcSpSaTSelSpiEntry ::= SEQUENCE {
+ t11FcSpSaTSelSpiInboundSpi T11FcSpiIndex,
+ t11FcSpSaTSelSpiTrafSelIndex Unsigned32,
+ t11FcSpSaTSelSpiDirection T11FcSaDirection,
+ t11FcSpSaTSelSpiTrafSelPtr Unsigned32
+}
+
+t11FcSpSaTSelSpiInboundSpi OBJECT-TYPE
+ SYNTAX T11FcSpiIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An SPI value that identifies the ingress Security
+ Association of a particular SA pair."
+ ::= { t11FcSpSaTSelSpiEntry 1 }
+
+t11FcSpSaTSelSpiTrafSelIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index value that distinguishes between the
+ (potentially multiple) Traffic Selectors in use on
+ this Security Association pair."
+ ::= { t11FcSpSaTSelSpiEntry 2 }
+
+t11FcSpSaTSelSpiDirection OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 189]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX T11FcSaDirection
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object indicates whether this Traffic Selector
+ is being used for ingress or for egress traffic."
+ ::= { t11FcSpSaTSelSpiEntry 3 }
+
+t11FcSpSaTSelSpiTrafSelPtr OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object contains a pointer into another table that
+ can be used to obtain more information about this Traffic
+ Selector.
+
+ If the corresponding instance of t11FcSpSaTSelSpiDirection
+ has the value 'egress', then this object contains the
+ value of t11FcSpSaTSelNegOutPrecedence in the row of
+ t11FcSpSaTSelNegOutTable, which contains more information.
+
+ If the corresponding instance of t11FcSpSaTSelSpiDirection
+ has the value 'ingress', then this object contains the
+ value of t11FcSpSaTSelNegInIndex that identifies the row
+ in t11FcSpSaTSelNegInTable containing more information."
+ ::= { t11FcSpSaTSelSpiEntry 4 }
+
+--
+-- Notification information & control
+--
+
+t11FcSpSaControlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF T11FcSpSaControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of control and other information concerning
+ the generation of notifications for events related
+ to FC-SP Security Associations."
+ ::= { t11FcSpSaControl 1 }
+
+t11FcSpSaControlEntry OBJECT-TYPE
+ SYNTAX T11FcSpSaControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry identifies information for the one or more
+
+
+
+De Santi, et al. Standards Track [Page 190]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ interfaces (identified by t11FcSpSaIfIndex) to a
+ particular Fabric (identified by t11FcSpSaIfFabricIndex),
+ and managed as part of the Fibre Channel management
+ instance identified by fcmInstanceIndex.
+
+ The StorageType of a row in this table is specified by
+ the instance of t11FcSpSaIfStorageType that is INDEX-ed
+ by the same values of fcmInstanceIndex, t11FcSpSaIfIndex,
+ and t11FcSpSaIfFabricIndex."
+ INDEX { fcmInstanceIndex, t11FcSpSaIfIndex,
+ t11FcSpSaIfFabricIndex }
+ ::= { t11FcSpSaControlTable 1 }
+
+T11FcSpSaControlEntry ::= SEQUENCE {
+ t11FcSpSaControlAuthFailEnable TruthValue,
+ t11FcSpSaControlInboundSpi T11FcSpiIndex,
+ t11FcSpSaControlSource FcAddressIdOrZero,
+ t11FcSpSaControlDestination FcAddressIdOrZero,
+ t11FcSpSaControlFrame OCTET STRING,
+ t11FcSpSaControlElapsed TimeTicks,
+ t11FcSpSaControlSuppressed Gauge32,
+ t11FcSpSaControlWindow Unsigned32,
+ t11FcSpSaControlMaxNotifs Unsigned32,
+ t11FcSpSaControlLifeExcdEnable TruthValue,
+ t11FcSpSaControlLifeExcdSpi T11FcSpiIndex,
+ t11FcSpSaControlLifeExcdDir T11FcSaDirection,
+ t11FcSpSaControlLifeExcdTime TimeStamp
+}
+
+t11FcSpSaControlAuthFailEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether a t11FcSpSaNotifyAuthFailure
+ notification should be generated for the first occurrence
+ of an Authentication failure within a time window for this
+ Fabric."
+ ::= { t11FcSpSaControlEntry 1 }
+
+t11FcSpSaControlInboundSpi OBJECT-TYPE
+ SYNTAX T11FcSpiIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The SPI value of the ingress Security Association on
+ which was received the last frame for which a
+ t11FcSpSaNotifyAuthFailure was generated.
+
+
+
+De Santi, et al. Standards Track [Page 191]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ If no t11FcSpSaNotifyAuthFailure notifications have
+ been generated, the value of this object is zero."
+ ::= { t11FcSpSaControlEntry 2 }
+
+t11FcSpSaControlSource OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The S_ID contained in the last frame for which a
+ t11FcSpSaNotifyAuthFailure was generated.
+
+ If no t11FcSpSaNotifyAuthFailure notifications have
+ been generated, the value of this object is the
+ zero-length string."
+ ::= { t11FcSpSaControlEntry 3 }
+
+t11FcSpSaControlDestination OBJECT-TYPE
+ SYNTAX FcAddressIdOrZero
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The D_ID contained in the last frame for which a
+ t11FcSpSaNotifyAuthFailure was generated.
+
+ If no t11FcSpSaNotifyAuthFailure notifications have
+ been generated, the value of this object is the
+ zero-length string."
+ ::= { t11FcSpSaControlEntry 4 }
+
+t11FcSpSaControlFrame OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..256))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The binary content of the last frame for which a
+ t11FcSpSaNotifyAuthFailure was generated. If more than
+ 256 bytes of the frame are available, then this object
+ contains the first 256 bytes. If less than 256 bytes of
+ the frame are available, then this object contains the
+ first N bytes, where N is greater or equal to zero.
+
+ If no t11FcSpSaNotifyAuthFailure notifications have
+ been generated, the value of this object is the
+ zero-length string."
+ ::= { t11FcSpSaControlEntry 5 }
+
+t11FcSpSaControlElapsed OBJECT-TYPE
+
+
+
+De Santi, et al. Standards Track [Page 192]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The elapsed time since the last generation of a
+ t11FcSpSaNotifyAuthFailure notification on the same
+ Fabric, or the value of sysUpTime if no
+ t11FcSpSaNotifyAuthFailure notifications have been
+ generated since the last restart."
+ ::= { t11FcSpSaControlEntry 6 }
+
+t11FcSpSaControlSuppressed OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of occurrences of an Authentication failure
+ on a Fabric that were suppressed because they occurred
+ on the same Fabric within the same time window as a
+ previous Authentication failure for which a
+ t11FcSpSaNotifyAuthFailure notification was generated.
+
+ The value of this object is reset to zero on a restart
+ of the network management subsystem, and whenever a
+ t11FcSpSaNotifyAuthFailure notification is generated.
+ In the event that the value of this object reaches its
+ maximum value, it remains at that value until it is
+ reset on the generation of the next
+ t11FcSpSaNotifyAuthFailure notification."
+ ::= { t11FcSpSaControlEntry 7 }
+
+t11FcSpSaControlWindow OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ UNITS "seconds"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The length of a time window that begins when a
+ t11FcSpSaNotifyAuthFailure notification is generated for
+ any Security Association on a particular Fabric. For the
+ duration of the time window, further Authentication failures
+ occurring for the same Security Association are counted but
+ no t11FcSpSaNotifyAuthFailure notification is generated.
+
+ When this object is modified before the end of a time
+ window, that time window is immediately terminated, i.e.,
+ the next Authentication failure on the relevant Fabric
+ after the modification will cause a new time window to
+
+
+
+De Santi, et al. Standards Track [Page 193]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ begin with the new length."
+ DEFVAL { 300 }
+ ::= { t11FcSpSaControlEntry 8 }
+
+t11FcSpSaControlMaxNotifs OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The maximum number of t11FcSpSaNotifyAuthFailure
+ notifications to be generated per Fabric within a
+ t11FcSpSaControlWindow time window. Subsequent
+ Authentication failures occurring on the same Fabric
+ in the same time window are counted, but no
+ t11FcSpSaNotifyAuthFailure notification is generated.
+
+ When this object is modified before the end of a time
+ window, that time window is immediately terminated, i.e.,
+ the next Authentication failure on the relevant Fabric
+ after the modification will cause a new time window to
+ begin with the new length."
+ DEFVAL { 16 }
+ ::= { t11FcSpSaControlEntry 9 }
+
+t11FcSpSaControlLifeExcdEnable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object specifies whether t11FcSpSaNotifyLifeExceeded
+ notifications should be generated for this Fabric."
+ DEFVAL { true }
+ ::= { t11FcSpSaControlEntry 10 }
+
+t11FcSpSaControlLifeExcdSpi OBJECT-TYPE
+ SYNTAX T11FcSpiIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The SPI of the SA that was most recently terminated
+ because its lifetime (in seconds or in passed bytes)
+ was exceeded. Such terminations include those due to
+ a failed attempt to renew an SA after its lifetime was
+ exceeded."
+ ::= { t11FcSpSaControlEntry 11 }
+
+t11FcSpSaControlLifeExcdDir OBJECT-TYPE
+ SYNTAX T11FcSaDirection
+
+
+
+De Santi, et al. Standards Track [Page 194]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The direction of frame transmission on the SA that was
+ most recently terminated because its lifetime (in seconds
+ or in passed bytes) was exceeded."
+ ::= { t11FcSpSaControlEntry 12 }
+
+t11FcSpSaControlLifeExcdTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time of the most recent termination of an SA
+ due to its lifetime (in seconds or in passed bytes)
+ being exceeded. Such terminations include those
+ due to a failed attempt to renew an SA after its
+ lifetime was exceeded."
+ ::= { t11FcSpSaControlEntry 13 }
+
+--
+-- Notification definitions
+--
+
+t11FcSpSaNotifyAuthFailure NOTIFICATION-TYPE
+ OBJECTS { t11FcSpSaControlInboundSpi,
+ t11FcSpSaControlSource,
+ t11FcSpSaControlDestination,
+ t11FcSpSaControlFrame,
+ t11FcSpSaControlElapsed,
+ t11FcSpSaControlSuppressed }
+ STATUS current
+ DESCRIPTION
+ "When this notification is generated, it indicates the
+ occurrence of an Authentication failure for a received
+ FC-2 or CT_IU frame. The t11FcSpSaControlInboundSpi,
+ t11FcSpSaControlSource, and t11FcSpSaControlDestination
+ objects in the varbindlist are the frame's SPI, source and
+ destination addresses, respectively. t11FcSpSaControlFrame
+ provides the (beginning of the) frame's content if such is
+ available.
+
+ This notification is generated only for the first
+ occurrence of an Authentication failure on a Fabric within
+ a time window. Subsequent occurrences of an Authentication
+ Failure on the same Fabric within the same time window
+ are counted but suppressed.
+
+
+
+
+De Santi, et al. Standards Track [Page 195]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ The value of t11FcSpSaControlElapsed contains (a lower bound
+ on) the elapsed time since the last generation of this
+ notification for the same Fabric. The value of
+ t11FcSpSaControlSuppressed contains the number of
+ generations which were suppressed in the time window after
+ that last generation, or zero if unknown."
+ ::= { t11FcSpSaMIBNotifications 1 }
+
+t11FcSpSaNotifyLifeExceeded NOTIFICATION-TYPE
+ OBJECTS { t11FcSpSaControlLifeExcdSpi,
+ t11FcSpSaControlLifeExcdDir }
+ STATUS current
+ DESCRIPTION
+ "This notification is generated when the lifetime (in
+ seconds or in passed bytes) of an SA is exceeded, and the
+ SA is either immediately terminated or is terminated
+ because an attempt to renew the SA fails. The values of
+ t11FcSpSaControlLifeExcdSpi and t11FcSpSaControlLifeExcdDir
+ contain the SPI and direction of the terminated SA."
+ ::= { t11FcSpSaMIBNotifications 2 }
+
+--
+-- Conformance
+--
+
+t11FcSpSaMIBCompliances
+ OBJECT IDENTIFIER ::= { t11FcSpSaMIBConformance 1 }
+t11FcSpSaMIBGroups OBJECT IDENTIFIER ::= { t11FcSpSaMIBConformance 2 }
+
+t11FcSpSaMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities that implement
+ FC-SP Security Associations."
+
+ MODULE -- this module
+ MANDATORY-GROUPS
+ { t11FcSpSaCapabilityGroup,
+ t11FcSpSaParamStatusGroup,
+ t11FcSpSaSummaryCountGroup,
+ t11FcSpSaProposalGroup,
+ t11FcSpSaDropBypassGroup,
+ t11FcSpSaActiveGroup,
+ t11FcSpSaNotifInfoGroup,
+ t11FcSpSaNotificationGroup
+ }
+
+ -- The following is an auxiliary (listed in an INDEX clause)
+
+
+
+De Santi, et al. Standards Track [Page 196]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ -- object for which the SMIv2 does not allow an OBJECT clause
+ -- to be specified, but for which this MIB has the following
+ -- compliance requirement:
+ -- OBJECT t11FcSpSaIfIndex
+ -- DESCRIPTION
+ -- Compliance requires support for either one of:
+ -- - individual interfaces using ifIndex values, or
+ -- - the use of the zero value.
+
+-- Write access is not required for any objects in this MIB module:
+
+ OBJECT t11FcSpSaIfStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTransStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaIfReplayPrevention
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaIfReplayWindowSize
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaIfTerminateAllSas
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaPropSecurityProt
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaPropTSelListIndex
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaPropTransListIndex
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaPropAcceptAlgorithm
+
+
+
+De Santi, et al. Standards Track [Page 197]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaPropRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropDirection
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropStartSrcAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropEndSrcAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropStartDstAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropEndDstAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropStartRCtl
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropEndRCtl
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropStartType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropEndType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelPropRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTransSecurityProt
+
+
+
+De Santi, et al. Standards Track [Page 198]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTransEncryptAlg
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTransEncryptKeyLen
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTransIntegrityAlg
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTransRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByAction
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByStartSrcAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByEndSrcAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByStartDstAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByEndDstAddr
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByStartRCtl
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByEndRCtl
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByStartType
+
+
+
+De Santi, et al. Standards Track [Page 199]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByEndType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaTSelDrByRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaPairTerminate
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaControlAuthFailEnable
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaControlWindow
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaControlMaxNotifs
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT t11FcSpSaControlLifeExcdEnable
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ ::= { t11FcSpSaMIBCompliances 1 }
+
+-- Units of Conformance
+
+t11FcSpSaCapabilityGroup OBJECT-GROUP
+ OBJECTS { t11FcSpSaIfEspHeaderCapab,
+ t11FcSpSaIfCTAuthCapab,
+ t11FcSpSaIfIKEv2Capab,
+ t11FcSpSaIfIkev2AuthCapab
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing information
+ related to capabilities of FC-SP entities."
+ ::= { t11FcSpSaMIBGroups 1 }
+
+t11FcSpSaParamStatusGroup OBJECT-GROUP
+
+
+
+De Santi, et al. Standards Track [Page 200]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ OBJECTS { t11FcSpSaIfStorageType,
+ t11FcSpSaIfReplayPrevention,
+ t11FcSpSaIfReplayWindowSize,
+ t11FcSpSaIfDeadPeerDetections,
+ t11FcSpSaIfTerminateAllSas
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing parameters
+ and status information related to FC-SP entities."
+ ::= { t11FcSpSaMIBGroups 2 }
+
+t11FcSpSaSummaryCountGroup OBJECT-GROUP
+ OBJECTS { t11FcSpSaIfOutDrops,
+ t11FcSpSaIfOutBypasses,
+ t11FcSpSaIfOutProcesses,
+ t11FcSpSaIfOutUnMatcheds,
+ t11FcSpSaIfInUnprotUnmtchDrops,
+ t11FcSpSaIfInDetReplays,
+ t11FcSpSaIfInUnprotMtchDrops,
+ t11FcSpSaIfInBadXforms,
+ t11FcSpSaIfInGoodXforms,
+ t11FcSpSaIfInProtUnmtchs
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing summary
+ counters for FC-SP Security Associations."
+ ::= { t11FcSpSaMIBGroups 3 }
+
+t11FcSpSaProposalGroup OBJECT-GROUP
+ OBJECTS { t11FcSpSaPropSecurityProt,
+ t11FcSpSaPropTSelListIndex,
+ t11FcSpSaPropTransListIndex,
+ t11FcSpSaPropAcceptAlgorithm,
+ t11FcSpSaPropOutMatchSucceeds,
+ t11FcSpSaPropRowStatus,
+ t11FcSpSaTSelPropDirection,
+ t11FcSpSaTSelPropStartSrcAddr,
+ t11FcSpSaTSelPropEndSrcAddr,
+ t11FcSpSaTSelPropStartDstAddr,
+ t11FcSpSaTSelPropEndDstAddr,
+ t11FcSpSaTSelPropStartRCtl,
+ t11FcSpSaTSelPropEndRCtl,
+ t11FcSpSaTSelPropStartType,
+ t11FcSpSaTSelPropEndType,
+ t11FcSpSaTSelPropStorageType,
+ t11FcSpSaTSelPropRowStatus
+
+
+
+De Santi, et al. Standards Track [Page 201]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing information
+ related to making and accepting proposals for
+ FC-SP Security Associations."
+ ::= { t11FcSpSaMIBGroups 4 }
+
+t11FcSpSaDropBypassGroup OBJECT-GROUP
+ OBJECTS { t11FcSpSaTSelDrByAction,
+ t11FcSpSaTSelDrByStartSrcAddr,
+ t11FcSpSaTSelDrByEndSrcAddr,
+ t11FcSpSaTSelDrByStartDstAddr,
+ t11FcSpSaTSelDrByEndDstAddr,
+ t11FcSpSaTSelDrByStartRCtl,
+ t11FcSpSaTSelDrByEndRCtl,
+ t11FcSpSaTSelDrByStartType,
+ t11FcSpSaTSelDrByEndType,
+ t11FcSpSaTSelDrByMatches,
+ t11FcSpSaTSelDrByRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing information
+ about Traffic Selectors of traffic to drop or bypass
+ for FC-SP Security."
+ ::= { t11FcSpSaMIBGroups 5 }
+
+t11FcSpSaActiveGroup OBJECT-GROUP
+ OBJECTS { t11FcSpSaPairSecurityProt,
+ t11FcSpSaPairTransListIndex,
+ t11FcSpSaPairTransIndex,
+ t11FcSpSaPairLifetimeLeft,
+ t11FcSpSaPairLifetimeLeftUnits,
+ t11FcSpSaPairTerminate,
+ t11FcSpSaPairInProtUnMatchs,
+ t11FcSpSaPairInDetReplays,
+ t11FcSpSaPairInBadXforms,
+ t11FcSpSaPairInGoodXforms,
+ t11FcSpSaTransSecurityProt,
+ t11FcSpSaTransEncryptAlg,
+ t11FcSpSaTransEncryptKeyLen,
+ t11FcSpSaTransIntegrityAlg,
+ t11FcSpSaTransStorageType,
+ t11FcSpSaTransRowStatus,
+ t11FcSpSaTSelNegInInboundSpi,
+ t11FcSpSaTSelNegInStartSrcAddr,
+ t11FcSpSaTSelNegInEndSrcAddr,
+
+
+
+De Santi, et al. Standards Track [Page 202]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpSaTSelNegInStartDstAddr,
+ t11FcSpSaTSelNegInEndDstAddr,
+ t11FcSpSaTSelNegInStartRCtl,
+ t11FcSpSaTSelNegInEndRCtl,
+ t11FcSpSaTSelNegInStartType,
+ t11FcSpSaTSelNegInEndType,
+ t11FcSpSaTSelNegInUnpMtchDrops,
+ t11FcSpSaTSelNegOutInboundSpi,
+ t11FcSpSaTSelNegOutStartSrcAddr,
+ t11FcSpSaTSelNegOutEndSrcAddr,
+ t11FcSpSaTSelNegOutStartDstAddr,
+ t11FcSpSaTSelNegOutEndDstAddr,
+ t11FcSpSaTSelNegOutStartRCtl,
+ t11FcSpSaTSelNegOutEndRCtl,
+ t11FcSpSaTSelNegOutStartType,
+ t11FcSpSaTSelNegOutEndType,
+ t11FcSpSaTSelSpiDirection,
+ t11FcSpSaTSelSpiTrafSelPtr
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing information related
+ to currently active FC-SP Security Associations."
+ ::= { t11FcSpSaMIBGroups 6 }
+
+t11FcSpSaNotifInfoGroup OBJECT-GROUP
+ OBJECTS { t11FcSpSaControlAuthFailEnable,
+ t11FcSpSaControlInboundSpi,
+ t11FcSpSaControlSource,
+ t11FcSpSaControlDestination,
+ t11FcSpSaControlFrame,
+ t11FcSpSaControlElapsed,
+ t11FcSpSaControlSuppressed,
+ t11FcSpSaControlWindow,
+ t11FcSpSaControlMaxNotifs,
+ t11FcSpSaControlLifeExcdEnable,
+ t11FcSpSaControlLifeExcdSpi,
+ t11FcSpSaControlLifeExcdDir,
+ t11FcSpSaControlLifeExcdTime
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects containing information
+ related to notifications of events concerning
+ FC-SP Security Associations."
+ ::= { t11FcSpSaMIBGroups 7 }
+
+
+
+
+
+De Santi, et al. Standards Track [Page 203]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+t11FcSpSaNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { t11FcSpSaNotifyAuthFailure,
+ t11FcSpSaNotifyLifeExceeded
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of notifications of events concerning
+ FC-SP Security Associations."
+ ::= { t11FcSpSaMIBGroups 8 }
+
+END
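Review bot: The t11FcSpSaControlWindow, t11FcSpSaControlMaxNotifs and t11FcSpSaNotifyAuthFailure descriptions in the module that ends here state the notification rate limit in ways that do not agree, so any agent or trap receiver built from this text should document which reading it implements. t11FcSpSaControlWindow says failures "for the same Security Association" are counted during the window, while t11FcSpSaControlSuppressed and the notification's own DESCRIPTION scope suppression to the same Fabric. t11FcSpSaControlMaxNotifs (DEFVAL { 16 }) permits several notifications per window, while the notification text says only the first occurrence in a window is reported, and the MaxNotifs DESCRIPTION ends with "begin with the new length", wording that fits a window length but not a count. Because this file is the RFC text added under doc/rfc/, keep it identical to the published document and record the chosen interpretation next to the implementation instead of editing it here. Monitoring that depends on these traps should also read t11FcSpSaControlSuppressed, since failures inside the window are counted but produce no notification.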
+
+7. IANA Considerations
+
+ IANA has made one MIB OID assignment, under the appropriate subtree,
+ for each of the five MIB modules defined in this document.
+
+8. Security Considerations
+
+ In this section, the first sub-section explains why this document
+ does not define MIB objects for particular items of (management)
+ information. This is followed by one sub-section for each of the MIB
+ modules defined in section 6, listing their individual Security
+ Considerations. The section concludes with Security Considerations
+ common to all of these MIB modules.
+
+ The key word "RECOMMENDED" contained in this section is to be
+ interpreted as described in BCP 14 [RFC2119].
+
+8.1. Information Not Defined in This Document
+
+ This document doesn't define any MIB objects for the secrets that
+ need to be known/determined by FC-SP entities in order to use DH-CHAP
+ to authenticate each other. Such secrets are "highly sensitive" and
+ need to be "strong secrets" (e.g., randomly generated and/or from an
+ external source, see section 5.4.8 of [FC-SP]) rather than just
+ passwords. Thus, such secrets need to be managed by mechanisms other
+ than the MIB modules defined here.
+
+8.2. The T11-FC-SP-TC-MIB Module
+
+ This MIB module defines some data types and assigns some Object
+ Identifiers, for use as the syntax and as values of MIB objects,
+ respectively, but it itself defines no MIB objects. Thus, there is
+ no direct read or write access via a management protocol, such as
+ SNMP, to these definitions. Nevertheless, it does include the
+ assignment of enumerations and OIDs to represent cryptographic
+ algorithms/transforms, and it is appropriate for such assignments to
+
+
+
+De Santi, et al. Standards Track [Page 204]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ be augmented with new assignments as and when new
+ algorithms/transforms are available.
+
+8.3. The T11-FC-SP-AUTHENTICATION-MIB Module
+
+ There are several management objects defined in this MIB module with
+ a MAX-ACCESS clause of read-write. Such objects may be considered
+ sensitive or vulnerable in some network environments. The support
+ for SET operations in a non-secure environment without proper
+ protection can have a negative effect on network operations. These
+ objects and their sensitivity/vulnerability are:
+
+ t11FcSpAuStorageType
+ - could cause changes in the configuration to be retained or
+ not retained over restarts, against the wishes of management.
+
+ t11FcSpAuSendRejNotifyEnable
+ t11FcSpAuRcvRejNotifyEnable
+ - could cause the suppression of SNMP notifications (e.g., of
+ authentication failures or protocol failures), or the
+ disruption of network operations due to the generation of
+ unwanted notifications.
+
+ t11FcSpAuDefaultLifetime
+ t11FcSpAuDefaultLifetimeUnits
+ - could cause the lifetimes of Security Associations to be
+ extended longer than might be secure, or shortened to cause
+ an increase in the overhead of using security.
+
+ t11FcSpAuRejectMaxRows
+ - could cause a smaller audit trail of Authentication rejects,
+ thereby hiding the tracks of an attacker, or a larger audit
+ trail of Authentication rejects causing resources to be
+ wasted.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and objects and their
+ sensitivity/vulnerability:
+
+ t11FcSpAuEntityTable
+ - the capabilities of FC-SP Authentication entities in terms of
+ what cryptographic algorithms they support, and various
+ configuration parameters of FC-SP Authentication entities.
+
+
+
+
+De Santi, et al. Standards Track [Page 205]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpAuIfStatTable
+ - the mapping of which FC-SP Authentication entities operate on
+ which interfaces.
+
+ t11FcSpAuRejectTable
+ - an audit trail of authentication failures and other
+ Authentication Protocol failures.
+
+8.4. The T11-FC-SP-ZONING-MIB Module
+
+ There are several management objects defined in this MIB module with
+ a MAX-ACCESS clause of read-write and/or read-create. Such objects
+ may be considered sensitive or vulnerable in some network
+ environments. The support for SET operations in a non-secure
+ environment without proper protection can have a negative effect on
+ network operations. These objects and their
+ sensitivity/vulnerability are:
+
+ t11FcSpZsServerEnabled
+ - could cause FC-SP Zoning mode to be enabled or not enabled,
+ against the wishes of management.
+
+ t11FcSpZoneSetHashStatus
+ - could cause an FC-SP implementation to recalculate the values
+ of the Active Zone Set Hash and the Zone Set Database Hash
+ more frequently than is required by management.
+
+ t11FcSpZsNotifyJoinSuccessEnable
+ t11FcSpZsNotifyJoinFailureEnable
+ - could cause the suppression of SNMP notifications that a
+ Switch in one Fabric has successfully joined/failed to join
+ with a Switch in another Fabric, or the disruption of network
+ operations due to the generation of unwanted notifications.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the objects and their
+ sensitivity/vulnerability:
+
+ t11FcSpZsServerCapabilityObject
+ t11FcSpZsServerEnabled
+ - the FC-SP Zoning capabilities and status of the FC-SP
+ implementation.
+
+
+
+
+
+De Santi, et al. Standards Track [Page 206]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpZoneSetHashStatus
+ t11FcSpActiveZoneSetHashType
+ t11FcSpActiveZoneSetHash
+ t11FcSpZoneSetDatabaseHashType
+ t11FcSpZoneSetDatabaseHash
+ - the current values of the Active Zone Set Hash and the Zone
+ Set Database Hash.
+
+8.5. The T11-FC-SP-POLICY-MIB Module
+
+ There are many management objects defined in this MIB module with a
+ MAX-ACCESS clause of read-write and/or read-create. Such objects may
+ be considered sensitive or vulnerable in some network environments.
+ The support for SET operations in a non-secure environment without
+ proper protection can have a negative effect on network operations.
+ The objects and tables and their sensitivity/vulnerability are:
+
+ t11FcSpPoNaSummaryTable
+ t11FcSpPoNaSwListTable
+ t11FcSpPoNaSwMembTable
+ t11FcSpPoNaNoMembTable
+ t11FcSpPoNaCtDescrTable
+ t11FcSpPoNaSwConnTable
+ t11FcSpPoNaIpMgmtTable
+ - could change the currently inactive FC-SP Fabric Policies, so
+ as to allow unauthorized connectivity of Switches and/or
+ Nodes to the network, or between Switches in the network, or,
+ to prohibit such connectivity even when authorized.
+
+ t11FcSpPoNaIpMgmtTable
+ t11FcSpPoNaWkpDescrTable
+ - could change the currently inactive FC-SP Fabric Policies, so
+ as to allow unauthorized management access to Switches, or
+ prohibit authorized management access to Switches.
+
+ t11FcSpPoNaSummaryTable
+ t11FcSpPoNaSwMembTable
+ t11FcSpPoNaNoMembTable
+ t11FcSpPoNaAttribTable
+ t11FcSpPoNaAuthProtTable
+ - could change the currently inactive FC-SP Fabric Policies, so
+ as to allow Security Associations with reduced security or
+ require Security Associations that are unnecessarily secure.
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 207]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpPoOperActivate
+ t11FcSpPoOperDeActivate
+ - could cause the currently active FC-SP Fabric Policies to be
+ de-activated and currently inactive FC-SP Fabric Policies
+ (e.g., those modified as above) to be activated instead.
+
+ t11FcSpPoStorageType
+ - could cause changes in the configuration and/or in FC-SP
+ Fabric Policies to be retained or not retained over restarts,
+ against the wishes of management.
+
+ t11FcSpPoNotificationEnable
+ - could cause the suppression of SNMP notifications on the
+ successful/unsuccessful activation/deactivation of Fabric
+ Policies, and thereby hide successful/failed attempts to make
+ unauthorized changes, or cause the disruption of network
+ operations due to the generation of unwanted notifications.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and their
+ sensitivity/vulnerability:
+
+ t11FcSpPoTable
+ t11FcSpPoSummaryTable
+ t11FcSpPoSwMembTable
+ t11FcSpPoNoMembTable
+ t11FcSpPoCtDescrTable
+ t11FcSpPoSwConnTable
+ t11FcSpPoIpMgmtTable
+ t11FcSpPoWkpDescrTable
+ t11FcSpPoAttribTable
+ t11FcSpPoAuthProtTable
+ - the currently active FC-SP Fabric Policies that can be
+ examined by an attacker looking for possible security
+ vulnerabilities in the active policies.
+
+
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 208]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+8.6. The T11-FC-SP-SA-MIB Module
+
+ There are several management objects defined in this MIB module with
+ a MAX-ACCESS clause of read-write and/or read-create. Such objects
+ may be considered sensitive or vulnerable in some network
+ environments. The support for SET operations in a non-secure
+ environment without proper protection can have a negative effect on
+ network operations. These objects and their
+ sensitivity/vulnerability are:
+
+ t11FcSpSaIfStorageType
+ t11FcSpSaTSelPropStorageType
+ t11FcSpSaTransStorageType
+ - could cause changes in configuration information related to
+ FC-SP Security Associations to be retained or not retained
+ over restarts, against the wishes of management.
+
+ t11FcSpSaIfReplayPrevention
+ t11FcSpSaIfReplayWindowSize
+ - could cause changes in the operation of anti-replay
+ protection, thereby permitting an attacker to conduct replay
+ attacks, or requiring FC-SP implementations to engage in
+ unnecessary protection against replay.
+
+ t11FcSpSaIfTerminateAllSas
+ t11FcSpSaPairTerminate
+ - could cause FC-SP Security Associations to be aborted
+ unnecessarily.
+
+ t11FcSpSaControlAuthFailEnable
+ - could cause the suppression of SNMP notifications on the
+ occurrence of Authentication failures for received FC-2 or
+ CT_IU frames, thereby hiding attempts to subvert security
+ measures, or cause the disruption of network operations due
+ to the generation of unwanted notifications.
+
+ t11FcSpSaControlLifeExcdEnable
+ - could cause the suppression of SNMP notifications on the
+ occurrence of an FC-SP Security Association exceeding its
+ lifetime, thereby possibly causing disruption to network
+ usage due to a delay in determining the problem and/or re-
+ establishing the Security Association.
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 209]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpSaControlWindow
+ - could cause the suppression of second and subsequent SNMP
+ notifications on the occurrence of Authentication failures
+ for received FC-2 or CT_IU frames, thereby masking repeated
+ attempts to subvert security measures, or cause the
+ disruption of network operations due to the generation of
+ unwanted notifications.
+
+ t11FcSpSaControlMaxNotifs
+ - could cause the suppression of all SNMP notifications on the
+ occurrence of Authentication failures for received FC-2 or
+ CT_IU frames, thereby masking attempts to subvert security
+ measures, or cause the disruption of network operations due
+ to the generation of unwanted notifications.
+
+ t11FcSpSaPropTable
+ t11FcSpSaTSelPropTable
+ t11FcSpSaTransTable
+ - could cause an FC-SP entity to propose the setup of Security
+ Associations that apply to a different selection of traffic
+ and/or using different security transforms, such that some
+ traffic has a reduced level of security that might improve an
+ attacker's chance of subverting security, or an increased
+ level of security that would involve unnecessary security
+ processing, or cause the negotiation of Security Associations
+ to fail to find commonly acceptable parameters such that no
+ Security Associations can be established.
+
+ t11FcSpSaTSelDrByTable
+ - could cause an FC-SP entity to select different sets of
+ traffic which are: a) to be sent/received without being
+ protected by FC-SP security, thereby providing an attacker
+ with access to read authentic traffic or the ability to
+ introduce unauthentic traffic; or b) to be dropped instead of
+ being sent/after being received, thereby causing disruption
+ to network usage.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and objects and their
+ sensitivity/vulnerability:
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 210]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ t11FcSpSaIfTable
+ - information concerning the capabilities, parameters and
+ status of an FC-SP entity's support for Security
+ Associations.
+
+ t11FcSpSaPropTable
+ t11FcSpSaTSelPropTable
+ t11FcSpSaTransTable
+ - information on the proposals that will be used by an FC-SP
+ entity to negotiate Security Associations.
+
+ t11FcSpSaTSelDrByTable
+ - information on which subsets of traffic an FC-SP entity will
+ send or receive without being protected by FC-SP security, or
+ will drop before sending/after receiving.
+
+ t11FcSpSaPairTable
+ t11FcSpSaTSelNegInTable
+ t11FcSpSaTSelNegOutTable
+ t11FcSpSaTSelSpiTable
+ - information on which Security Associations are currently
+ active, what subsets of traffic they are carrying, and what
+ security protection is being given to them.
+
+8.7. Recommendations Common to All MIB Modules
+
+ SNMP versions prior to SNMPv3 did not include adequate security.
+ Even if the network itself is secure (for example by using IPsec),
+ even then, there is no control as to who on the secure network is
+ allowed to access and GET/SET (read/change/create/delete) the objects
+ in this MIB module.
+
+ It is RECOMMENDED that implementors consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+ Because the two algorithms currently specified for
+ T11FcSpPolicyHashFormat are SHA-1 and SHA-256, the definition of
+ T11FcSpHashCalculationStatus expresses a concern in regard to not
+
+
+
+De Santi, et al. Standards Track [Page 211]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ incrementally recomputing the hashes after each change when a series
+ of multiple related changes are being made. This method of reducing
+ computation is intended as a responsiveness measure (i.e.,
+ cooperating SNMP managers and agents can get things done faster), not
+ as a Denial-of-Service (DoS) countermeasure. Nevertheless,
+ implementations should also consider the DoS possibilities in these
+ scenarios; potential countermeasures include: requiring
+ authentication for SETs and the rate-limiting of SET operations if
+ they can cause significant computation.
+
+9. Normative References
+
+ [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+ Rose, M. and S. Waldbusser, "Structure of Management
+ Information Version 2 (SMIv2)", STD 58, RFC 2578, April
+ 1999.
+
+ [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+ Rose, M. and S. Waldbusser, "Textual Conventions for
+ SMIv2", STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+ Rose, M. and S. Waldbusser, "Conformance Statements for
+ SMIv2", STD 58, RFC 2580, April 1999.
+
+ [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
+ MIB", RFC 2863, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+ [RFC4044] McCloghrie, K., "Fibre Channel Management MIB", RFC 4044,
+ May 2005.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
+ 4303, December 2005.
+
+ [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
+ Protocol", RFC 4306, December 2005.
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 212]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ [RFC4438] DeSanti, C., Gaonkar, V., Vivek, H., McCloghrie, K., and
+ S. Gai, "Fibre-Channel Name Server MIB", RFC 4438, April
+ 2006.
+
+ [RFC4439] DeSanti, C., Gaonkar, V., McCloghrie, K., and S. Gai,
+ "Fibre Channel Fabric Address Manager MIB", RFC 4439,
+ March 2006.
+
+ [RFC4936] DeSanti, C., Vivek, H., McCloghrie, K., and S. Gai, "Fibre
+ Channel Zone Server MIB", RFC 4936, August 2007.
+
+ [FC-FS-2] "Fibre Channel - Framing and Signaling-2 (FC-FS-2)",
+ ANSI INCITS 424-2007, February 2007.
+
+ [FC-GS-5] "Fibre Channel - Generic Services-5 (FC-GS-5)",
+ ANSI INCITS 427-2006, December 2006.
+
+ [FC-SP] "Fibre Channel - Security Protocols (FC-SP)",
+ ANSI INCITS 426-2007, T11/Project 1570-D, February 2007.
+
+ [FC-SW-4] "Fibre Channel - Switch Fabric-4 (FC-SW-4)",
+ ANSI INCITS 418-2006, April 2006.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+10. Informative References
+
+ [RFC1492] Finseth, C., "An Access Control Protocol, Sometimes Called
+ TACACS", RFC 1492, July 1993.
+
+ [RFC2741] Daniele, M., Wijnen, B., Ellison, M., and D. Francisco,
+ "Agent Extensibility (AgentX) Protocol Version 1", RFC
+ 2741, January 2000.
+
+ [RFC2837] Teow, K., "Definitions of Managed Objects for the Fabric
+ Element in Fibre Channel Standard", RFC 2837, May 2000.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)", RFC
+ 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
+ Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
+
+
+
+De Santi, et al. Standards Track [Page 213]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+ [RFC4595] Maino, F. and D. Black, "Use of IKEv2 in the Fibre Channel
+ Security Association Management Protocol", RFC 4595, July
+ 2006.
+
+ [RFC4625] DeSanti, C., McCloghrie, K., Kode, S., and S. Gai, "Fibre
+ Channel Routing Information MIB", RFC 4625, September
+ 2006.
+
+ [RFC4626] DeSanti, C., Gaonkar, V., McCloghrie, K., and S. Gai, "MIB
+ for Fibre Channel's Fabric Shortest Path First (FSPF)
+ Protocol", RFC 4626, September 2006.
+
+ [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6",
+ RFC 4668, August 2006.
+
+ [RFC4747] Kipp, S., Ramkumar, G., and K. McCloghrie, "The Virtual
+ Fabrics MIB", RFC 4747, November 2006.
+
+ [RFC4935] DeSanti, C., Vivek, H., McCloghrie, K., and S. Gai, "Fibre
+ Channel Fabric Configuration Server MIB", RFC 4935, August
+ 2007.
+
+ [RFC4983] DeSanti, C., Vivek, H., McCloghrie, K., and S. Gai, "Fibre
+ Channel Registered State Change Notification (RSCN) MIB",
+ RFC 4983, August 2007.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 214]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+11. Acknowledgements
+
+ This document was initially developed and approved by the INCITS Task
+ Group T11.5 (http://www.t11.org) as the SM-FSM project. We wish to
+ acknowledge the contributions and comments from the INCITS Technical
+ Committee T11, including the following:
+
+ T11 Chair: Robert Snively, Brocade
+ T11 Vice Chair: Claudio DeSanti, Cisco Systems
+ T11.5 Chair: Roger Cummings, Symantec
+ T11.5 members:
+ David Black, EMC
+ Don Fraser, HP
+ Larry Hofer, Brocade
+ Scott Kipp, Brocade
+ Ralph Weber, ENDL
+
+ The document was subsequently a work item of the IMSS Working Group
+ (of the IETF), chaired by David Black (EMC Corporation). Bert Wijnen
+ (Alcatel-Lucent) deserves many thanks for his thorough review of all
+ five MIB modules in this (large!) document. We also wish to
+ acknowledge Dan Romascanu (Avaya), the IETF Area Director, for his
+ comments and assistance.
+
+Authors' Addresses
+
+ Claudio DeSanti
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Phone: +1 408 853-9172
+ EMail: cds@cisco.com
+
+ Fabio Maino
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ Phone: +1 408 853-7530
+ EMail: fmaino@cisco.com
+
+ Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA USA 95134
+ Phone: +1 408-526-5260
+ EMail: kzm@cisco.com
+
+
+
+
+
+De Santi, et al. Standards Track [Page 215]
+
+RFC 5324 MIB for FC-SP September 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+De Santi, et al. Standards Track [Page 216]
+
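Review bot: the end of the added file carries the RFC's own "Full Copyright Statement" (Copyright (C) The IETF Trust (2008), rights subject to BCP 78) and the "Intellectual Property" notice, so the terms under which doc/rfc/rfc5324.txt is redistributed in this tree should be stated in the commit message or in the tree's licence documentation. The file is also imported with its print layout intact: the repeated "De Santi, et al. Standards Track [Page N]" footers, the "RFC 5324 MIB for FC-SP September 2008" running headers, long runs of blank lines (for example the padding before page 214) and a blank last line. If the intent is a verbatim copy of the published RFC, say so in the commit message, so that a later whitespace cleanup does not make this copy diverge from the original. If the file is meant as an implementation reference, a short note in doc/rfc/ pointing at section 8 would help, since that section lists the read-write objects (such as t11FcSpSaControlAuthFailEnable, t11FcSpSaControlWindow and t11FcSpSaControlMaxNotifs) whose modification can suppress authentication-failure notifications, and section 8.7 recommends SNMPv3 with cryptographic security for access to them.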