IPSP M. Baer Internet-Draft Sparta, Inc. Expires: April 20, 2005 R. Charlet Self W. Hardaker Sparta, Inc. R. Story Revelstone Software C. Wang SmartPipes, Inc. October 20, 2004 IPsec Security Policy IPsec Action MIB draft-ietf-ipsp-ipsecaction-mib-01.txt Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 20, 2005. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document defines a SMIv2 Management Information Base (MIB) module for configuring IPsec actions for the security policy database Baer, et al. Expires April 20, 2005 [Page 1] Internet-Draft IPSP IPsec Action MIB October 2004 (SPD) of a device that uses the IPsec Security Policy Database Configuration MIB for configuring the IPSec protocol actions on that device. The IPSP IPsec Action MIB integrates directly with the IPsec Security Policy Database Configuration MIB and it is meant to work within the framework of an action referenced by that MIB. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The Internet-Standard Management Framework . . . . . . . . . . 3 3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 3 5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Security Considerations . . . . . . . . . . . . . . . . . . . 38 6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . 39 6.2 Protecting against in-authentic access . . . . . . . . . . 40 6.3 Protecting against involuntary disclosure . . . . . . . . 40 6.4 Bootstrapping your configuration . . . . . . . . . . . . . 40 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 41 8.2 Informative References . . . . . . . . . . . . . . . . . . . 42 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 42 Intellectual Property and Copyright Statements . . . . . . . . 44 Baer, et al. Expires April 20, 2005 [Page 2] Internet-Draft IPSP IPsec Action MIB October 2004 1. Introduction This document defines a MIB module for configuration of an IPsec action within the IPsec security policy database (SPD). This module works within the framework of the IPsec Security Policy Database Configuration MIB (IPSP-SPD-MIB). It can be referenced as an action by the IPSP-SPD-MIB and is used to configure IPsec SA's that can be created for network traffic between devices. The companion document [RFCXXXX], documents the IPsec Security Policy Database Configuration MIB. For information surrounding the configuration of IKE and its parameters, see the companion document [RFCYYYY] which documents the IPsec Security Policy IKE Action MIB. 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410] Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580]. 3. Relationship to the DMTF Policy Model The Distributed Management Task Force has created an object oriented model of IPsec policy information known as the IPsec Policy Model White Paper [IPPMWP]. The contents of this document are also reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585]. This MIB module is a task specific derivation of the IPsec actions portions of the IPCP for use with SNMPv3. This includes the necessary transform, negotiation, and IPsec action information required to create an IPsec SA within the IPsec Policy framework. 4. MIB Module Overview The MIB module describes the necessary information to implement IPsec actions and there associated Security Associations referred to by the IPsec Security Policy Database Configuration MIB. A basic understanding of IPsec processing, of the IPsec Configuration Policy Model and of how actions fit in to the framework of the IPSP-SPD-MIB are required to use this MIB properly. Baer, et al. Expires April 20, 2005 [Page 3] Internet-Draft IPSP IPsec Action MIB October 2004 5. MIB definition IPSEC-IPSECACTION-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32 FROM SNMPv2-SMI TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddressType, InetAddress FROM INET-ADDRESS-MIB spdActions, SpdIPPacketLogging, SpdAdminStatus FROM IPSEC-SPD-MIB; -- -- module identity -- ipsaMIB MODULE-IDENTITY LAST-UPDATED "200212100000Z" -- 12 December 2002 ORGANIZATION "IETF IP Security Policy Working Group" CONTACT-INFO "Michael Baer Sparta, Inc. Phone: +1 530 902 3131 Email: baerm@tislabs.com Ricky Charlet Email: rcharlet@alumni.calpoly.edu Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 Phone: +1 530 792 1913 Email: hardaker@tislabs.com Baer, et al. Expires April 20, 2005 [Page 4] Internet-Draft IPSP IPsec Action MIB October 2004 Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 Phone: +1 770 617 3722 Email: ipsp-mib@revelstone.com Cliff Wang SmartPipes Inc. Suite 300, 565 Metro Place South Dublin, OH 43017 Phone: +1 614 923 6241 E-Mail: cliffwang2000@yahoo.com" DESCRIPTION "The MIB module defines IPsec actions for managing IPsec Security Policy. Copyright (C) The Internet Society (2003). This version of this MIB module is part of RFC XXXX, see the RFC itself for full legal notices." -- Revision History REVISION "200301070000Z" -- 7 January 2004 DESCRIPTION "Initial version, published as RFC xxxx." -- RFC-editor assigns xxxx ::= { spdActions 1 } -- -- groups of related objects -- ipsaConfigObjects OBJECT IDENTIFIER ::= { ipsaMIB 1 } ipsaNotificationObjects OBJECT IDENTIFIER ::= { ipsaMIB 2 } ipsaConformanceObjects OBJECT IDENTIFIER ::= { ipsaMIB 3 } -- -- Textual Conventions -- IpsaSADirection ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpspSADirection operator is used to specify whether Baer, et al. Expires April 20, 2005 [Page 5] Internet-Draft IPSP IPsec Action MIB October 2004 or not a row should apply to outgoing or incoming SAs." SYNTAX INTEGER { outgoing(1), incoming(2) } IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The Encapsulation Mode used as an IPsec DOI SA Attributes definition in the Transform Payload of a Phase II IKE negotiation. This set of values defines encapsulation modes used for AH, ESP, and IPCOMP when the associated Proposal Payload has a Protocol-ID of 3 (ESP). Unused values <= 61439 are reserved to IANA. Currently assigned values at the time of this writing: reserved(0), -- reserved in DOI tunnel(1), transport(2) Values 61440-65535 are for private use." SYNTAX Unsigned32 (0..65535) IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IPsec DOI IPCOMP Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide IP-level compression before ESP. It is used in the Tranform-ID field of a ISAKMP Transform Payload for the IPsec DOI, when the Protocol-Id of the associated Proposal Payload is 4 (IPCOMP). The values 1-47 are reserved for algorithms for which an RFC has been approved for publication. Currently assigned values at the time of this writing: reserved(0), -- reserved in DOI ipcompOui(1), -- proprietary compression -- transform ipcompDeflate(2), -- 'zlib' deflate algorithm ipcompLzs(3), -- Stac Electronics LZS ipcompLzjh(4) -- ITU-T V.44 packet method The values 48-63 are reserved for private use amongst cooperating systems. Baer, et al. Expires April 20, 2005 [Page 6] Internet-Draft IPSP IPsec Action MIB October 2004 The values 64-255 are reserved for future expansion." REFERENCE "RFC 2407 sections 4.4.5 and 6.6, RFC 3051" SYNTAX Unsigned32 (0..255) IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The ESP Authentication Algorithm used in the IPsec DOI as a SA Attributes definition in the Transform Payload of Phase II of an IKE negotiation. This set of values defines the AH authentication algorithm, when the associated Proposal Payload has a Protocol-ID of 2 (AH). This set of values defines the ESP authentication algorithm, when the associated Proposal Payload has a Protocol-ID of 3 (ESP). Unused values <= 61439 are reserved to IANA. Currently assigned values at the time of this writing: none(0), -- reserved in DOI, used -- in MIBs to reflect no -- encryption used hmacMd5(1), -- hashed MAC using MD5 hmacSha(2), -- hashed MAC using SHA-1 desMac(3), -- DES MAC kpdk(4), -- RFC 1826 -- Key/Pad/Data/Key hmacSha256(5), -- hashed MAC using SHA-256 hmacSha384(6), -- hashed MAC using SHA-384 hmacSha512(7), -- hashed MAC using SHA-512 hamcRipemd(8) -- hashed MAC using -- RIPEMD-160-96 Values 61440-65535 are for private use. In a MIB, a value of 0 indicates that ESP has been negotiated without authentication." REFERENCE "RFC 2407 section 4.5, RFC 2407 section 4.4.3.1, RFC 1826, IANA, RFC 2857" SYNTAX Unsigned32 (0..65535) IpsecDoiEspTransform ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The values of the IPsec DOI ESP Transform Identifier which identify a particular algorithm to be used to Baer, et al. Expires April 20, 2005 [Page 7] Internet-Draft IPSP IPsec Action MIB October 2004 provide secrecy protection for ESP. It is used in the Tranform-ID field of a ISAKMP Transform Payload for the IPsec DOI, when the Protocol-Id of the associated Proposal Payload is 2 (AH), 3 (ESP), and 4 (IPCOMP). Currently assigned values at the time of this writing: none(0), -- reserved in DOI, used -- in MIBs to reflect no -- encryption used espDesIv64(1), -- DES-CBC transform defined -- in RFC 1827 and RFC 1829 -- using a 64-bit IV espDes(2), -- generic DES transform -- using DES-CBC esp3Des(3), -- generic triple-DES -- transform espRc5(4), -- RC5 transform espIdea(5), -- IDEA transform espCast(6), -- CAST transform espBlowfish(7), -- BLOWFISH transform esp3Idea(8), -- reserved for triple-IDEA espDesIv32(9), -- DES-CBC transform defined -- in RFC 1827 and RFC 1829 -- using a 32-bit IV espRc4(10), -- reserved for RC4 espNull(11), -- no confidentiality -- provided by ESP espAes(12) -- NIST AES transform The values 249-255 are reserved for private use amongst cooperating systems." REFERENCE "RFC 2407 sections 4.4.4 and 6.5, IANA" SYNTAX Unsigned32 (0..255) IpsecDoiIdentType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IPsec DOI Identification Type is an 8-bit value which is used in the ID Type field as a discriminant for interpretation of the variable-length Identification Payload. Currently assigned values at the time of this writing: Baer, et al. Expires April 20, 2005 [Page 8] Internet-Draft IPSP IPsec Action MIB October 2004 reserved(0), -- reserved in DOI idIpv4Addr(1), -- a single four (4) octet -- IPv4 address idFqdn(2), -- fully-qualified domain -- name string idUserFqdn(3), -- fully-qualified username -- string idIpv4AddrSubnet(4), -- a range of IPv4 addresses, -- represented by two -- four (4) octet values, -- where the first is an -- address and the second -- is a mask idIpv6Addr(5), -- a single sixteen (16) -- octet IPv6 address idIpv6AddrSubnet(6), -- a range of IPv6 addresses, -- represented by two -- sixteen (16) octet values, -- where the first is an -- address and the second -- is a mask idIpv4AddrRange(7), -- a range of IPv4 addresses, -- represented by two -- four (4) octet values, -- where the first is the -- beginning IPv4 address -- and the second is the -- ending IPv4 address idIpv6AddrRange(8), -- a range of IPv6 addresses, -- represented by two -- sixteen (16) octet values, -- where the first is the -- beginning IPv6 address -- and the second is the -- ending IPv6 address idDerAsn1Dn(9), -- the binary DER encoding of -- ASN1 X.500 -- DistinguishedName idDerAsn1Gn(10), -- the binary DER encoding of -- ASN1 X.500 GeneralName idKeyId(11) -- opaque byte stream which -- may be used to pass -- vendor-specific -- information The values 249-255 are reserved for private use Baer, et al. Expires April 20, 2005 [Page 9] Internet-Draft IPSP IPsec Action MIB October 2004 amongst cooperating systems." REFERENCE "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9" SYNTAX Unsigned32 (0..255) IpsaCredentialType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "IpsaCredentialType identifies the type of credential contained in a corresponding IpsaIdentityFilter object." SYNTAX INTEGER { reserved(0), unknown(1), sharedSecret(2), x509(3), kerberos(4) } IpsaIdentityFilter ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "IpsaIdentityFilter contains a string encoded Identity Type value to be used in comparisons against an IKE Identity payload. Wherever this TC is used, there should be an accompanying column which uses the IpsecDoiIdentType TC to specify the type of data in this object. See the IpsecDoiIdentType TC for the supported identity types available. Note that the IpsecDoiIdentType TC sepcifies how to encode binary values, while this object will contain human readable string versions." SYNTAX OCTET STRING (SIZE(1..256)) -- -- Preconfigured Action Table -- ipsaSaPreconfiguredActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsaSaPreconfiguredActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is a list of non-negotiated IPsec actions (SAs) that can be performed and contains or indicates the data necessary to create such an SA." ::= { ipsaConfigObjects 1 } ipsaSaPreconfiguredActionEntry OBJECT-TYPE SYNTAX IpsaSaPreconfiguredActionEntry MAX-ACCESS not-accessible STATUS current Baer, et al. Expires April 20, 2005 [Page 10] Internet-Draft IPSP IPsec Action MIB October 2004 DESCRIPTION "One entry in the ipsaSaPreconfiguredActionTable." INDEX { ipsaSaPreActActionName, ipsaSaPreActSADirection } ::= { ipsaSaPreconfiguredActionTable 1 } IpsaSaPreconfiguredActionEntry ::= SEQUENCE { ipsaSaPreActActionName SnmpAdminString, ipsaSaPreActSADirection IpsaSADirection, ipsaSaPreActActionDescription SnmpAdminString, ipsaSaPreActActionLifetimeSec Unsigned32, ipsaSaPreActActionLifetimeKB Unsigned32, ipsaSaPreActDoActionLogging TruthValue, ipsaSaPreActDoPacketLogging SpdIPPacketLogging, ipsaSaPreActDFHandling INTEGER, ipsaSaPreActActionType IpsecDoiEncapsulationMode, ipsaSaPreActAHSPI Integer32, ipsaSaPreActAHTransformName SnmpAdminString, ipsaSaPreActAHSharedSecretName SnmpAdminString, ipsaSaPreActESPSPI Integer32, ipsaSaPreActESPTransformName SnmpAdminString, ipsaSaPreActESPEncSecretName SnmpAdminString, ipsaSaPreActESPAuthSecretName SnmpAdminString, ipsaSaPreActIPCompSPI Integer32, ipsaSaPreActIPCompTransformName SnmpAdminString, ipsaSaPreActPeerGatewayIdName SnmpAdminString, ipsaSaPreActLastChanged TimeStamp, ipsaSaPreActStorageType StorageType, ipsaSaPreActRowStatus RowStatus } ipsaSaPreActActionName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this SaPreconfiguredActionEntry." ::= { ipsaSaPreconfiguredActionEntry 1 } ipsaSaPreActSADirection OBJECT-TYPE SYNTAX IpsaSADirection MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object indicates whether a row should apply to outgoing or incoming SAs" ::= { ipsaSaPreconfiguredActionEntry 2 } Baer, et al. Expires April 20, 2005 [Page 11] Internet-Draft IPSP IPsec Action MIB October 2004 ipsaSaPreActActionDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "An administratively assigned string which may be used to describe what the action does." DEFVAL { "" } ::= { ipsaSaPreconfiguredActionEntry 3 } ipsaSaPreActActionLifetimeSec OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaSaPreActActionLifetimeSec specifies how long in seconds the security association derived from this action should be used. The default lifetime is 8 hours. Note: the actual lifetime of the preconfigured SA will be the lesser of the value of this object and of the value of the MaxLifetimeSecs property of the associated transform. A value of 0 indicates no time limit on the lifetime of the SA." DEFVAL { 28800 } ::= { ipsaSaPreconfiguredActionEntry 4 } ipsaSaPreActActionLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaSaPreActActionLifetimeKB specifies how long the security association derived from this action should be used. After this value in KiloBytes has passed through the security association, it should no longer be used. Note: the actual lifetime of the preconfigured SA will be the lesser of the value of this object and of the value of the MaxLifetimeKB property of the associated transform. The default value, '0', indicates no kilobyte limit." DEFVAL { 0 } ::= { ipsaSaPreconfiguredActionEntry 5 } ipsaSaPreActDoActionLogging OBJECT-TYPE SYNTAX TruthValue Baer, et al. Expires April 20, 2005 [Page 12] Internet-Draft IPSP IPsec Action MIB October 2004 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaSaPreActDoActionLogging specifies whether or not an audit message should be logged when a preconfigured SA is created." DEFVAL { false } ::= { ipsaSaPreconfiguredActionEntry 6 } ipsaSaPreActDoPacketLogging OBJECT-TYPE SYNTAX SpdIPPacketLogging MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaSaPreActDoPacketLogging specifies whether or not an audit message should be logged and if there is logging, how many bytes of the packet to place in the notification." DEFVAL { -1 } ::= { ipsaSaPreconfiguredActionEntry 7 } ipsaSaPreActDFHandling OBJECT-TYPE SYNTAX INTEGER { reserved(0), -- reserved copy(1), -- indicates copy the DF bit from the -- internal to external IP header. set(2), -- set the DF bit in the external IP -- header to 1. clear(3) -- clear the DF bit in the external IP -- header to 0. } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies how to process the DF bit in packets sent through the preconfigured SA. This object is not used for transport SAs." DEFVAL { copy } ::= { ipsaSaPreconfiguredActionEntry 8 } ipsaSaPreActActionType OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the encapsulation mode to use for the preconfigured SA: tunnel or transport mode." DEFVAL { 1 } ::= { ipsaSaPreconfiguredActionEntry 9 } Baer, et al. Expires April 20, 2005 [Page 13] Internet-Draft IPSP IPsec Action MIB October 2004 ipsaSaPreActAHSPI OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the SPI value for the AH SA." ::= { ipsaSaPreconfiguredActionEntry 10 } ipsaSaPreActAHTransformName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is the name of the AH transform to use as an index into the AHTransformTable. A zero length value indicates no transform of this type is used." ::= { ipsaSaPreconfiguredActionEntry 11 } ipsaSaPreActAHSharedSecretName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains a name value to be used as an index into the ipsaCredentialTable which holds the pertinent keying information for the AH SA." ::= { ipsaSaPreconfiguredActionEntry 12 } ipsaSaPreActESPSPI OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the SPI value for the ESP SA." ::= { ipsaSaPreconfiguredActionEntry 13 } ipsaSaPreActESPTransformName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is the name of the ESP transform to use as an index into the ESPTransformTable. A zero length value indicates no transform of this type is used." ::= { ipsaSaPreconfiguredActionEntry 14 } ipsaSaPreActESPEncSecretName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) Baer, et al. Expires April 20, 2005 [Page 14] Internet-Draft IPSP IPsec Action MIB October 2004 MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains a name value to be used as an index into the ipsaCredentialTable which holds the pertinent keying information for the encryption algorithm of the ESP SA." ::= { ipsaSaPreconfiguredActionEntry 15 } ipsaSaPreActESPAuthSecretName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains a name value to be used as an index into the ipsaCredentialTable which holds the pertinent keying information for the authentication algorithm of the ESP SA." ::= { ipsaSaPreconfiguredActionEntry 16 } ipsaSaPreActIPCompSPI OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the SPI value for the IPComp SA." ::= { ipsaSaPreconfiguredActionEntry 17 } ipsaSaPreActIPCompTransformName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is the name of the IPComp transform to use as an index into the IPCompTransformTable. A zero length value indicates no transform of this type is used." ::= { ipsaSaPreconfiguredActionEntry 18 } ipsaSaPreActPeerGatewayIdName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the peer id name of the peer gateway. This object can be used to look up the peer gateway address in the ipsaPeerIdentityTable. This object is only used when initiating a tunnel SA, and Baer, et al. Expires April 20, 2005 [Page 15] Internet-Draft IPSP IPsec Action MIB October 2004 is not used for transport SAs. If ipsaSaPreActActionType specifies tunnel mode and this object is empty, the peer gateway should be determined from the source or destination of the packet." DEFVAL { "" } ::= { ipsaSaPreconfiguredActionEntry 19 } ipsaSaPreActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsaSaPreconfiguredActionEntry 20 } ipsaSaPreActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipsaSaPreconfiguredActionEntry 21 } ipsaSaPreActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaSaPreconfiguredActionEntry 22 } -- -- AH transform definition table -- ipsaAhTransformTable OBJECT-TYPE Baer, et al. Expires April 20, 2005 [Page 16] Internet-Draft IPSP IPsec Action MIB October 2004 SYNTAX SEQUENCE OF IpsaAhTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the AH transforms which can be used to build IPsec proposals." ::= { ipsaConfigObjects 2 } ipsaAhTransformEntry OBJECT-TYPE SYNTAX IpsaAhTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This entry contains the attributes of one AH transform." INDEX { ipsaAhTranName } ::= { ipsaAhTransformTable 1 } IpsaAhTransformEntry ::= SEQUENCE { ipsaAhTranName SnmpAdminString, ipsaAhTranMaxLifetimeSec Unsigned32, ipsaAhTranMaxLifetimeKB Unsigned32, ipsaAhTranAlgorithm IpsecDoiAuthAlgorithm, ipsaAhTranReplayProtection TruthValue, ipsaAhTranReplayWindowSize Unsigned32, ipsaAhTranLastChanged TimeStamp, ipsaAhTranStorageType StorageType, ipsaAhTranRowStatus RowStatus } ipsaAhTranName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this AH transform. This row will be referred to by an ipsaIpsecTransformsEntry." ::= { ipsaAhTransformEntry 1 } ipsaAhTranMaxLifetimeSec OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaAhTranMaxLifetimeSec specifies how long in seconds the security association derived from this transform should be used. Baer, et al. Expires April 20, 2005 [Page 17] Internet-Draft IPSP IPsec Action MIB October 2004 A value of 0 indicates that the default lifetime of 8 hours should be used." ::= { ipsaAhTransformEntry 2 } ipsaAhTranMaxLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaAhTranMaxLifetimeKB specifies how long in kilobytes the security association derived from this transform should be used." ::= { ipsaAhTransformEntry 3 } ipsaAhTranAlgorithm OBJECT-TYPE SYNTAX IpsecDoiAuthAlgorithm MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the AH algorithm for this transform." ::= { ipsaAhTransformEntry 4 } ipsaAhTranReplayProtection OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaAhTranReplayProtection indicates whether or not anti replay service is to be provided by this SA." ::= { ipsaAhTransformEntry 5 } ipsaAhTranReplayWindowSize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaAhTranReplayWindowSize indicates the size, in bits, of the replay window to use if replay protection is true for this transform. The window size is assumed to be a power of two. If Replay Protection is false, this value can be ignored." ::= { ipsaAhTransformEntry 6 } ipsaAhTranLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION Baer, et al. Expires April 20, 2005 [Page 18] Internet-Draft IPSP IPsec Action MIB October 2004 "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsaAhTransformEntry 7 } ipsaAhTranStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipsaAhTransformEntry 8 } ipsaAhTranRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaAhTransformEntry 9 } -- -- ESP transform definition table -- ipsaEspTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsaEspTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the ESP transforms which can be used to build IPsec proposals" ::= { ipsaConfigObjects 3 } ipsaEspTransformEntry OBJECT-TYPE SYNTAX IpsaEspTransformEntry MAX-ACCESS not-accessible Baer, et al. Expires April 20, 2005 [Page 19] Internet-Draft IPSP IPsec Action MIB October 2004 STATUS current DESCRIPTION "This entry contains the attributes of one ESP transform." INDEX { ipsaEspTranName } ::= { ipsaEspTransformTable 1 } IpsaEspTransformEntry ::= SEQUENCE { ipsaEspTranName SnmpAdminString, ipsaEspTranMaxLifetimeSec Unsigned32, ipsaEspTranMaxLifetimeKB Unsigned32, ipsaEspTranCipherTransformId IpsecDoiEspTransform, ipsaEspTranCipherKeyLength Unsigned32, ipsaEspTranCipherKeyRounds Unsigned32, ipsaEspTranIntegrityAlgorithmId IpsecDoiAuthAlgorithm, ipsaEspTranReplayPrevention TruthValue, ipsaEspTranReplayWindowSize Unsigned32, ipsaEspTranLastChanged TimeStamp, ipsaEspTranStorageType StorageType, ipsaEspTranRowStatus RowStatus } ipsaEspTranName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The name of this particular espTransform be referred to by an ipsaIpsecTransformsEntry." ::= { ipsaEspTransformEntry 1 } ipsaEspTranMaxLifetimeSec OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaEspTranMaxLifetimeSec specifies how long in seconds the security association derived from this transform should be used. A value of 0 indicates that the default lifetime of 8 hours should be used." ::= { ipsaEspTransformEntry 2 } ipsaEspTranMaxLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION Baer, et al. Expires April 20, 2005 [Page 20] Internet-Draft IPSP IPsec Action MIB October 2004 "ipsaEspTranMaxLifetimeKB specifies how long in kilobytes the security association derived from this transform should be used." ::= { ipsaEspTransformEntry 3 } ipsaEspTranCipherTransformId OBJECT-TYPE SYNTAX IpsecDoiEspTransform MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the transform ID of the ESP cipher algorithm." ::= { ipsaEspTransformEntry 4 } ipsaEspTranCipherKeyLength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies, in bits, the key length for the ESP cipher algorithm." ::= { ipsaEspTransformEntry 5 } ipsaEspTranCipherKeyRounds OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the number of key rounds for the ESP cipher algorithm." ::= { ipsaEspTransformEntry 6 } ipsaEspTranIntegrityAlgorithmId OBJECT-TYPE SYNTAX IpsecDoiAuthAlgorithm MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the ESP integrity algorithm ID." ::= { ipsaEspTransformEntry 7 } ipsaEspTranReplayPrevention OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaEspTranReplayPrevention indicates whether or not anti-replay service is to be provided by this SA." Baer, et al. Expires April 20, 2005 [Page 21] Internet-Draft IPSP IPsec Action MIB October 2004 ::= { ipsaEspTransformEntry 8 } ipsaEspTranReplayWindowSize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaEspTranReplayWindowSize indicates the size, in bits, of the replay window to use if replay protection is true for this transform. The window size is assumed to be a power of two. If Replay Protection is false, this value can be ignored." ::= { ipsaEspTransformEntry 9 } ipsaEspTranLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsaEspTransformEntry 10 } ipsaEspTranStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipsaEspTransformEntry 11 } ipsaEspTranRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaEspTransformEntry 12 } Baer, et al. Expires April 20, 2005 [Page 22] Internet-Draft IPSP IPsec Action MIB October 2004 -- -- IP compression transform definition table -- ipsaIpcompTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsaIpcompTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the IP compression transforms which can be used to build IPsec proposals during negotiation of a phase 2 SA." ::= { ipsaConfigObjects 4 } ipsaIpcompTransformEntry OBJECT-TYPE SYNTAX IpsaIpcompTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This entry contains the attributes of one IP compression transform." INDEX { ipsaIpcompTranName } ::= { ipsaIpcompTransformTable 1 } IpsaIpcompTransformEntry ::= SEQUENCE { ipsaIpcompTranName SnmpAdminString, ipsaIpcompTranMaxLifetimeSec Unsigned32, ipsaIpcompTranMaxLifetimeKB Unsigned32, ipsaIpcompTranAlgorithm IpsecDoiIpcompTransform, ipsaIpcompTranDictionarySize Unsigned32, ipsaIpcompTranPrivateAlgorithm Unsigned32, ipsaIpcompTranLastChanged TimeStamp, ipsaIpcompTranStorageType StorageType, ipsaIpcompTranRowStatus RowStatus } ipsaIpcompTranName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The name of this ipsaIpcompTransformEntry." ::= { ipsaIpcompTransformEntry 1 } ipsaIpcompTranMaxLifetimeSec OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current Baer, et al. Expires April 20, 2005 [Page 23] Internet-Draft IPSP IPsec Action MIB October 2004 DESCRIPTION "ipsaIpcompTranMaxLifetimeSec specifies how long in seconds the security association derived from this transform should be used. A value of 0 indicates that the default lifetime of 8 hours should be used." ::= { ipsaIpcompTransformEntry 2 } ipsaIpcompTranMaxLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaIpcompTranMaxLifetimeKB specifies how long in kilobytes the security association derived from this transform should be used." ::= { ipsaIpcompTransformEntry 3 } ipsaIpcompTranAlgorithm OBJECT-TYPE SYNTAX IpsecDoiIpcompTransform MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaIpcompTranAlgorithm specifies the transform ID of the IP compression algorithm." ::= { ipsaIpcompTransformEntry 4 } ipsaIpcompTranDictionarySize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "If the algorithm in ipsaIpcompTranAlgorithm requires a dictionary size configuration parameter, then this is the place to put it. This object specifies the log2 maximum size of the dictionary for the compression algorithm." ::= { ipsaIpcompTransformEntry 5 } ipsaIpcompTranPrivateAlgorithm OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "If ipsaIpcompTranPrivateAlgorithm has a value other zero, then it is up to the vendors implementation to determine the meaning of this field and substitute a data compression algorithm in place of ipsaIpcompTranAlgorithm." Baer, et al. Expires April 20, 2005 [Page 24] Internet-Draft IPSP IPsec Action MIB October 2004 ::= { ipsaIpcompTransformEntry 6 } ipsaIpcompTranLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsaIpcompTransformEntry 7 } ipsaIpcompTranStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipsaIpcompTransformEntry 8 } ipsaIpcompTranRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaIpcompTransformEntry 9 } -- -- Credential Table -- ipsaCredentialTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsaCredentialEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of credential values. Example of Credentials are shared secrets, certificates or kerberos tickets." Baer, et al. Expires April 20, 2005 [Page 25] Internet-Draft IPSP IPsec Action MIB October 2004 ::= { ipsaConfigObjects 5 } ipsaCredentialEntry OBJECT-TYPE SYNTAX IpsaCredentialEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the ipsaCredentialTable." INDEX { ipsaCredName } ::= { ipsaCredentialTable 1 } IpsaCredentialEntry ::= SEQUENCE { ipsaCredName SnmpAdminString, ipsaCredType IpsaCredentialType, ipsaCredCredential OCTET STRING, ipsaCredSize Integer32, ipsaCredMngName SnmpAdminString, ipsaCredRemoteID OCTET STRING, ipsaCredAdminStatus SpdAdminStatus, ipsaCredLastChanged TimeStamp, ipsaCredStorageType StorageType, ipsaCredRowStatus RowStatus } ipsaCredName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object represents the name for an entry in this table." ::= { ipsaCredentialEntry 1 } ipsaCredType OBJECT-TYPE SYNTAX IpsaCredentialType MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the type of the credential for this row." ::= { ipsaCredentialEntry 2 } ipsaCredCredential OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the credential value. Baer, et al. Expires April 20, 2005 [Page 26] Internet-Draft IPSP IPsec Action MIB October 2004 If the size of the credential is greater than 1024, the credential must be configured via the ipsaCredSegmentTable. For credential type where the disclosure of the credential would compromise the credential (e.g. shared secrets), when this object is accessed for reading, it MUST return a null length (0 length) string and MUST NOT return the configured credential." ::= { ipsaCredentialEntry 3 } ipsaCredSize OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This value represents the size of the credential. If this value is greater than 1024, the ipsaCreCredential column will return an empty (0 length) string. In this case, the value of the credential must be retrived from the ipsaCredSegmentTable. For credential type where the disclosure of the credential would compromise the credential (e.g. shared secrets), when this object is accessed for reading, it MUST return a value of 0 and MUST NOT return the size credential." ::= { ipsaCredentialEntry 4 } ipsaCredMngName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is used as an index into the ipsaIpsecCredMngServiceTable. For IDs that have no credential management service, this value is left blank." ::= { ipsaCredentialEntry 5 } ipsaCredRemoteID OBJECT-TYPE SYNTAX OCTET STRING(SIZE(0..256)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the Identification (e.g. user name) of the user of the key information on the remote site. If there is no ID associated with this credential, the value of this object should be the null string." ::= { ipsaCredentialEntry 6 } Baer, et al. Expires April 20, 2005 [Page 27] Internet-Draft IPSP IPsec Action MIB October 2004 ipsaCredAdminStatus OBJECT-TYPE SYNTAX SpdAdminStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether this credential should be considered active. Rows with a disabled status must not be used for any purpose, including IKE or IPSEC processing. For credentials whose size does not execeed the maximum size for the ipsaCredCredential, it may be set to enabled during row creation. For larger credentials, it should be left as disabled until all rows have been uploaded to the ipsaCredSegmentTable." DEFVAL { disabled } ::= { ipsaCredentialEntry 7 } ipsaCredLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsaCredentialEntry 8 } ipsaCredStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipsaCredentialEntry 9 } ipsaCredRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. Baer, et al. Expires April 20, 2005 [Page 28] Internet-Draft IPSP IPsec Action MIB October 2004 If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaCredentialEntry 10 } -- -- Credential Segement Value Table -- ipsaCredentialSegmentTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsaCredentialSegmentEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of credential segments. This table is used for credentials which are larger than the maximum size allowed for ipsaCredCredential." ::= { ipsaConfigObjects 6 } ipsaCredentialSegmentEntry OBJECT-TYPE SYNTAX IpsaCredentialSegmentEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the ipsaCredentialSegmentTable." INDEX { ipsaCredName, ipsaCredSegIndex } ::= { ipsaCredentialSegmentTable 1 } IpsaCredentialSegmentEntry ::= SEQUENCE { ipsaCredSegIndex Integer32, ipsaCredSegValue OCTET STRING, ipsaCredSegLastChanged TimeStamp, ipsaCredSegStorageType StorageType, ipsaCredSegRowStatus RowStatus } ipsaCredSegIndex OBJECT-TYPE SYNTAX Integer32 (1..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object represents the segment number for this segment. By default, each segment will be 1024 octets. However, when this table is accessed using a context of 'ipsa4096', 'ipsa8192' or 'ipsa16384' a segment size of 4096, 8192 or 16384 (respectively) will be used instead. Baer, et al. Expires April 20, 2005 [Page 29] Internet-Draft IPSP IPsec Action MIB October 2004 The number of rows which need to be retrieved or set can be calculated by obtaining the value of the ipsaCredSize column from the corresponding ipsaCredentialTable row and dividing it by the segment size." ::= { ipsaCredentialSegmentEntry 1 } ipsaCredSegValue OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents one segment of the credential. By default, each complete segment will be 1024 octets. (The last row for a given credential might be smaller, if the credential size is not a multiple of the segment size). An implementation may optionally support segment sizes of 256, 4096, 8192 or the full object size when this table is is accessed using a context of 'ipsaCred256', 'ipsaCred4096', 'ipsaCred8192' or 'ipsaCredFull' (respectively). The number of rows which need to be retrieved or set can be calculated by obtaining the value of the ipsaCredSize column from the corresponding ipsaCredentialTable row and dividing it by the segment size." ::= { ipsaCredentialSegmentEntry 2 } ipsaCredSegLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this credential was last modified or created either through SNMP SETs or by some other external means. Note that the last changed type will be the same for all segemnts of the credential." ::= { ipsaCredentialSegmentEntry 3 } ipsaCredSegStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-only STATUS current DESCRIPTION "The storage type for this row. This object is read-only. Rows in this table have the same value as the ipsaCredStorageType for the corresponding row in the Baer, et al. Expires April 20, 2005 [Page 30] Internet-Draft IPSP IPsec Action MIB October 2004 ipsaCredentialTable." DEFVAL { nonVolatile } ::= { ipsaCredentialSegmentEntry 4 } ipsaCredSegRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The segment of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaCredentialSegmentEntry 5 } -- -- Peer Identity Table -- ipsaPeerIdentityTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsaPeerIdentityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "PeerIdentity is used to represent the identities that may be used for peers to identify themselves in IKE phase I/II negotiations. PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses." ::= { ipsaConfigObjects 7 } ipsaPeerIdentityEntry OBJECT-TYPE SYNTAX IpsaPeerIdentityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "peerIdentity matches a peer's identity to its address." INDEX { ipsaPeerIdName, ipsaPeerIdPriority } ::= { ipsaPeerIdentityTable 1 } IpsaPeerIdentityEntry ::= SEQUENCE { ipsaPeerIdName SnmpAdminString, ipsaPeerIdPriority Integer32, ipsaPeerIdType IpsecDoiIdentType, ipsaPeerIdValue IpsaIdentityFilter, Baer, et al. Expires April 20, 2005 [Page 31] Internet-Draft IPSP IPsec Action MIB October 2004 ipsaPeerIdAddressType InetAddressType, ipsaPeerIdAddress InetAddress, ipsaPeerIdCredentialName SnmpAdminString, ipsaPeerIdLastChanged TimeStamp, ipsaPeerIdStorageType StorageType, ipsaPeerIdRowStatus RowStatus } ipsaPeerIdName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is an administratively assigned value that, together with ipsaPeerIdPriority, uniquely identifies an entry in this table." ::= { ipsaPeerIdentityEntry 1 } ipsaPeerIdPriority OBJECT-TYPE SYNTAX Integer32 (0..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object, along with ipsaPeerIdName, uniquely identifies an entry in this table. The priority also indicates the order of peer gateways to initiate or accept SAs from (i.e. try until success)." ::= { ipsaPeerIdentityEntry 2 } ipsaPeerIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaPeerIdType is an enumeration identifying the type of the Identity value." ::= { ipsaPeerIdentityEntry 3 } ipsaPeerIdValue OBJECT-TYPE SYNTAX IpsaIdentityFilter MAX-ACCESS read-create STATUS current DESCRIPTION "ipsaPeerIdValue contains an Identity filter to be used to match against the identity payload in an IKE request, or blank otherwise. If this value matches the value in the identity payload, the credential for the peer can be found using the ipsaPeerIdCredentialName as an index into the Baer, et al. Expires April 20, 2005 [Page 32] Internet-Draft IPSP IPsec Action MIB October 2004 credential table." ::= { ipsaPeerIdentityEntry 4 } ipsaPeerIdAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "The property ipsaPeerIdAddressType specifies the format of the ipsaPeerIdAddress property value." ::= { ipsaPeerIdentityEntry 5 } ipsaPeerIdAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The property PeerAddress specifies the IP address of the peer. The format is specified by the ipsaPeerIdAddressType. Values of unknown, ipv4z, ipv6z and dns are not legal values for this object." ::= { ipsaPeerIdentityEntry 6 } ipsaPeerIdCredentialName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is used as an index into the ipsaCredentialTable to look up the actual credential value and other credential information. For peer IDs that have no associated credential information, this value is left blank." ::= { ipsaPeerIdentityEntry 7 } ipsaPeerIdLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsaPeerIdentityEntry 8 } ipsaPeerIdStorageType OBJECT-TYPE SYNTAX StorageType Baer, et al. Expires April 20, 2005 [Page 33] Internet-Draft IPSP IPsec Action MIB October 2004 MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipsaPeerIdentityEntry 9 } ipsaPeerIdRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipsaPeerIdentityEntry 10 } -- -- -- Notification objects information -- -- ipsaNotificationVariables OBJECT IDENTIFIER ::= { ipsaNotificationObjects 1 } ipsaNotifications OBJECT IDENTIFIER ::= { ipsaNotificationObjects 0 } -- -- -- Conformance information -- -- ipsaCompliances OBJECT IDENTIFIER ::= { ipsaConformanceObjects 1 } ipsaGroups OBJECT IDENTIFIER ::= { ipsaConformanceObjects 2 } -- Baer, et al. Expires April 20, 2005 [Page 34] Internet-Draft IPSP IPsec Action MIB October 2004 -- Compliance statements -- -- ipsaIPsecCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that include an IPsec MIB implementation and supports IPsec actions." MODULE -- This Module MANDATORY-GROUPS { ipsaPreconfiguredGroup, ipsaSharedGroup } OBJECT ipsaSaPreActRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." OBJECT ipsaSaPreActLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." OBJECT ipsaAhTranRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." OBJECT ipsaAhTranLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." OBJECT ipsaEspTranRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." Baer, et al. Expires April 20, 2005 [Page 35] Internet-Draft IPSP IPsec Action MIB October 2004 OBJECT ipsaEspTranLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." OBJECT ipsaIpcompTranRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." OBJECT ipsaIpcompTranLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." OBJECT ipsaPeerIdRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." OBJECT ipsaPeerIdLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." OBJECT ipsaCredRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." OBJECT ipsaCredLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." Baer, et al. Expires April 20, 2005 [Page 36] Internet-Draft IPSP IPsec Action MIB October 2004 OBJECT ipsaCredSegRowStatus SYNTAX RowStatus { active(1), createAndGo(4), destroy(6) } DESCRIPTION "Support of the values notInService(2), notReady(3), and createAndWait(5) is not required." OBJECT ipsaCredSegLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object is optional so as not to impose an undue burden on resource-constrained devices." ::= { ipsaCompliances 1 } -- -- -- Compliance Groups Definitions -- ipsaPreconfiguredGroup OBJECT-GROUP OBJECTS { ipsaSaPreActActionDescription, ipsaSaPreActActionLifetimeSec, ipsaSaPreActActionLifetimeKB, ipsaSaPreActDoActionLogging, ipsaSaPreActDoPacketLogging, ipsaSaPreActDFHandling, ipsaSaPreActActionType, ipsaSaPreActAHSPI, ipsaSaPreActAHTransformName, ipsaSaPreActAHSharedSecretName, ipsaSaPreActESPSPI, ipsaSaPreActESPTransformName, ipsaSaPreActESPEncSecretName, ipsaSaPreActESPAuthSecretName, ipsaSaPreActIPCompSPI, ipsaSaPreActIPCompTransformName, ipsaSaPreActPeerGatewayIdName, ipsaSaPreActLastChanged, ipsaSaPreActStorageType, ipsaSaPreActRowStatus } STATUS current DESCRIPTION "This group is the set of objects that support preconfigured IPsec actions. These objects are from The Preconfigured Action Table. This group also includes objects from the shared tables: Peer Identity Table, Credential Table, Credential Management Service Table and the AH, ESP, and IPComp Transform Tables." ::= { ipsaGroups 1 } ipsaSharedGroup OBJECT-GROUP Baer, et al. Expires April 20, 2005 [Page 37] Internet-Draft IPSP IPsec Action MIB October 2004 OBJECTS { ipsaAhTranMaxLifetimeSec, ipsaAhTranMaxLifetimeKB, ipsaAhTranAlgorithm, ipsaAhTranReplayProtection, ipsaAhTranReplayWindowSize, ipsaAhTranLastChanged, ipsaAhTranStorageType, ipsaAhTranRowStatus, ipsaEspTranMaxLifetimeSec, ipsaEspTranMaxLifetimeKB, ipsaEspTranCipherTransformId, ipsaEspTranCipherKeyLength, ipsaEspTranCipherKeyRounds, ipsaEspTranIntegrityAlgorithmId, ipsaEspTranReplayPrevention, ipsaEspTranReplayWindowSize, ipsaEspTranLastChanged, ipsaEspTranStorageType, ipsaEspTranRowStatus, ipsaIpcompTranDictionarySize, ipsaIpcompTranAlgorithm, ipsaIpcompTranMaxLifetimeSec, ipsaIpcompTranMaxLifetimeKB, ipsaIpcompTranPrivateAlgorithm, ipsaIpcompTranLastChanged, ipsaIpcompTranStorageType, ipsaIpcompTranRowStatus, ipsaCredType, ipsaCredCredential, ipsaCredMngName, ipsaCredSize, ipsaCredRemoteID, ipsaCredAdminStatus, ipsaCredLastChanged, ipsaCredStorageType, ipsaCredRowStatus, ipsaCredSegValue, ipsaCredSegLastChanged, ipsaCredSegStorageType, ipsaCredSegRowStatus, ipsaPeerIdValue, ipsaPeerIdType, ipsaPeerIdAddress, ipsaPeerIdAddressType, ipsaPeerIdCredentialName, ipsaPeerIdLastChanged, ipsaPeerIdStorageType, ipsaPeerIdRowStatus } STATUS current DESCRIPTION "This group includes objects from tables expected to be shared by other modules: Peer Identity Table, Credential Table, Credential Management Service Table and the AH, ESP, and IPComp Transform Tables." ::= { ipsaGroups 2 } END 6. Security Considerations Baer, et al. Expires April 20, 2005 [Page 38] Internet-Draft IPSP IPsec Action MIB October 2004 6.1 Introduction This document defines a MIB module used to configure IPsec policy services. Since IPsec provides security services it is important that the IPsec configuration data be at least as protected as the IPsec provided security service. There are two threats you need to thwart when configuring IPsec devices. 1. To make sure that only the official administrators are allowed to configure a device, only authenticated administrators should be allowed to do device configuration. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. 2. Unfriendly parties should not be able to read configuration data while the data is in network transit. Any knowledge about a device's IPsec policy configuration could help an unfriendly party compromise that device and/or a network it protects. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module, is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use SNMP version 3. The rest of this discussion assumes the use of SNMPv3. This is a real strength, because it allows administrators the ability to load new IPsec configuration on a device and keep the conversation private and authenticated under the protection of SNMPv3 before any IPsec protections are available. Once initial establishment of IPsec configuration on a device has been achieved, Baer, et al. Expires April 20, 2005 [Page 39] Internet-Draft IPSP IPsec Action MIB October 2004 it would be possible to set up IPsec SAs to then also provide security and integrity services to the configuration conversation. This may seem redundant at first, but will be shown to have a use for added privacy protection below. 6.2 Protecting against in-authentic access The current SNMPv3 User Security Model provides for key based user authentication. Typically, keys are derived from passwords (but are not required to be), and the keys are then used in HMAC algorithms (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP data. Each SNMP device keeps a (configured) list of users and keys. Under SNMPv3 user keys may be updated as often as an administrator cares to have users enter new passwords. But Perfect Forward Secrecy for user keys is not yet provided by standards track documents, although RFC2786 defines an experimental method of doing so. 6.3 Protecting against involuntary disclosure While sending IPsec configuration data to a PEP, there are a few critical parameters which MUST NOT be observed by third parties. These include IKE Pre-Shared Keys and possibly the private key of a public/private key pair for use in a PKI. Were either of those parameters to be known to a third party, they could then impersonate your device to other IKE peers. Aside from those critical parameters, policy administrators have an interest in not divulging any of their policy configuration. Any knowledge about a device's configuration could help an unfriendly party compromise that device. SNMPv3 offers privacy security services, but at the time this document was written, the only standardized encryption algorithm supported by SNMPv3 is the DES encryption algorithm. Support for other (stronger) cryptographic algorithms was in the works and may be done as you read this. Policy administrators SHOULD use a privacy security service to configure their IPsec policy which is at least as strong as the desired IPsec policy. E.G., it is unwise to configure IPsec parameters implementing 3DES algorithms while only protecting that conversation with single DES. 6.4 Bootstrapping your configuration Hopefully vendors will not ship new products with a default SNMPv3 user/password pair, but it is possible. Most SNMPv3 distributions should hopefully require an out-of-band initialization over a trusted medium, such as a local console connection. 7. Acknowledgments Many other people contributed thoughts and ideas that influenced this Baer, et al. Expires April 20, 2005 [Page 40] Internet-Draft IPSP IPsec Action MIB October 2004 MIB module. Some special thanks are in order the following people: Lindy Foster (Sparta, Inc.) John Gillis (ADC) Jamie Jason (Intel Corporation) Roger Hartmuller (Sparta, Inc.) David Partain (Ericsson) Lee Rafalow (IBM) Jon Saperia (JDS Consulting) John Shriver (Internap Network Services Corporation) Eric Vyncke (Cisco Systems) 8. References 8.1 Normative References [RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R. and C. Wang, "IPsec Security Policy Database Configuration MIB", January 2004. [RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R. and C. Wang, "IPsec Security Policy IKE Action MIB", January 2004. [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002. [RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC3412] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, December 2002. [RFC3413] Levi, D., Meyer, P. and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002. [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. Baer, et al. Expires April 20, 2005 [Page 41] Internet-Draft IPSP IPsec Action MIB October 2004 [RFC3415] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002. [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC3585] Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration Policy Information Model", RFC 3585, August 2003. 8.2 Informative References [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper", November 2000. Authors' Addresses Michael Baer Sparta, Inc. 7075 Samuel Morse Drive Columbia, MD 21046 US EMail: baerm@tislabs.com Ricky Charlet Self EMail: rcharlet@alumni.calpoly.edu Baer, et al. Expires April 20, 2005 [Page 42] Internet-Draft IPSP IPsec Action MIB October 2004 Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 US Phone: +1 530 792 1913 EMail: hardaker@tislabs.com Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 US EMail: ipsp-mib@revelstone.com Cliff Wang SmartPipes, Inc. Suite 300, 565 Metro Place South Dublin, OH, OH 43017 US EMail: cliffwang2000@yahoo.com Baer, et al. Expires April 20, 2005 [Page 43] Internet-Draft IPSP IPsec Action MIB October 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Baer, et al. Expires April 20, 2005 [Page 44]