Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 4807

IPsec Security Policy Database Configuration MIB

Pages: 71
Proposed Standard
Errata
Part 3 of 3 – Pages 38 to 71
First   Prev   None

Top   ToC   RFC4807 - Page 38   prevText
spdIpsoHeaderFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdIpsoHeaderFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IPSO header filter
         definitions to be used within the spdRuleDefinitionTable or
         the spdSubfiltersTable.  IPSO headers and their values are
         described in RFC 1108."
    REFERENCE "RFC 1108"
    ::= { spdConfigObjects 10 }

spdIpsoHeaderFilterEntry OBJECT-TYPE
    SYNTAX      SpdIpsoHeaderFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A definition of a particular filter."
    INDEX       {  spdIpsoHeadFiltName }
    ::= { spdIpsoHeaderFilterTable 1 }

SpdIpsoHeaderFilterEntry ::= SEQUENCE {
    spdIpsoHeadFiltName                     SnmpAdminString,
    spdIpsoHeadFiltType                     BITS,
    spdIpsoHeadFiltClassification           INTEGER,
    spdIpsoHeadFiltProtectionAuth           INTEGER,
    spdIpsoHeadFiltLastChanged              TimeStamp,
    spdIpsoHeadFiltStorageType              StorageType,
    spdIpsoHeadFiltRowStatus                RowStatus
}

spdIpsoHeadFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name for this filter."
    ::= { spdIpsoHeaderFilterEntry 1 }

spdIpsoHeadFiltType OBJECT-TYPE
    SYNTAX      BITS { classificationLevel(0),
                       protectionAuthority(1) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates which of the IPSO header field a
         packet is filtered on for this row.  If this object is set
         to classification(0), the spdIpsoHeadFiltClassification
Top   ToC   RFC4807 - Page 39
         object indicates how the packet is filtered.  If this object
         is set to protectionAuthority(1), the
         spdIpsoHeadFiltProtectionAuth object indicates how the
         packet is filtered."
    ::= { spdIpsoHeaderFilterEntry 2 }

spdIpsoHeadFiltClassification OBJECT-TYPE
    SYNTAX      INTEGER { topSecret(61), secret(90),
                          confidential(150), unclassified(171) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the IPSO classification header field
         value that the packet MUST have for this row to evaluate to
         'true'.

         The values of these enumerations are defined by RFC 1108."
    REFERENCE "RFC 1108"
    ::= { spdIpsoHeaderFilterEntry 3 }

spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
    SYNTAX      INTEGER { genser(0), siopesi(1), sci(2),
                          nsa(3), doe(4) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the IPSO protection authority header
         field value that the packet MUST have for this row to
         evaluate to 'true'.

         The values of these enumerations are defined by RFC 1108.
         Hence the reason the SMIv2 convention of not using 0 in
         enumerated lists is violated here."
    REFERENCE "RFC 1108"
    ::= { spdIpsoHeaderFilterEntry 4 }

spdIpsoHeadFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
         or created either through SNMP SETs or by some other
         external means.

         If this row has not been modified since the last
         re-initialization of the network management subsystem, this
         object SHOULD have a zero value."
Top   ToC   RFC4807 - Page 40
    ::= { spdIpsoHeaderFilterEntry 5 }

spdIpsoHeadFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table that
         were created through an external process MAY have a storage
         type of readOnly or permanent.

         For a storage type of permanent, none of the columns have
         to be writable."
    DEFVAL { nonVolatile }
    ::= { spdIpsoHeaderFilterEntry 6 }

spdIpsoHeadFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         However, this object MUST NOT be set to active if the
         requirements of the spdIpsoHeadFiltType object are not met.
         Specifically, if the spdIpsoHeadFiltType bit for
         classification(0) is set, the spdIpsoHeadFiltClassification
         column MUST have a valid value for the row status to be set
         to active.  If the spdIpsoHeadFiltType bit for
         protectionAuthority(1) is set, the
         spdIpsoHeadFiltProtectionAuth column MUST have a valid
         value for the row status to be set to active.

         If active, this object MUST remain active if it is
         referenced by an active row in another table.  An attempt
         to set it to anything other than active while it is
         referenced by an active row in another table MUST result in
         an inconsistentValue error."
    ::= { spdIpsoHeaderFilterEntry 7 }

--
-- compound actions table
--

spdCompoundActionTable OBJECT-TYPE
Top   ToC   RFC4807 - Page 41
    SYNTAX      SEQUENCE OF SpdCompoundActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table used to allow multiple actions to be associated
         with a rule.  It uses the spdSubactionsTable to do this.
         The rows from spdSubactionsTable that are partially indexed
         by spdCompActName form the set of compound actions to be
         performed.  The spdCompActExecutionStrategy column in this
         table indicates how those actions are processed."
    ::= { spdConfigObjects 11 }

spdCompoundActionEntry OBJECT-TYPE
    SYNTAX      SpdCompoundActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the spdCompoundActionTable."
    INDEX   { spdCompActName }
    ::= { spdCompoundActionTable 1 }

SpdCompoundActionEntry ::= SEQUENCE {
    spdCompActName                      SnmpAdminString,
    spdCompActExecutionStrategy         INTEGER,
    spdCompActLastChanged               TimeStamp,
    spdCompActStorageType               StorageType,
    spdCompActRowStatus                 RowStatus
}

spdCompActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned name of this
         compound action."
    ::= { spdCompoundActionEntry 1 }

spdCompActExecutionStrategy OBJECT-TYPE
    SYNTAX      INTEGER { doAll(1),
                          doUntilSuccess(2),
                          doUntilFailure(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates how the sub-actions are executed
         based on the success of the actions as they finish
         executing.
Top   ToC   RFC4807 - Page 42
         doAll           - run each sub-action regardless of the
                           exit status of the previous action.
                           This parent action is always
                           considered to have acted successfully.

         doUntilSuccess  - run each sub-action until one succeeds,
                           at which point stop processing the
                           sub-actions within this parent
                           compound action.  If one of the
                           sub-actions did execute successfully,
                           this parent action is also considered
                           to have executed successfully.

         doUntilFailure  - run each sub-action until one fails,
                           at which point stop processing the
                           sub-actions within this compound
                           action.  If any sub-action fails, the
                           result of this parent action is
                           considered to have failed."
    DEFVAL { doUntilSuccess }
    ::= { spdCompoundActionEntry 2 }

spdCompActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
         or created either through SNMP SETs or by some other
         external means.

         If this row has not been modified since the last
         re-initialization of the network management subsystem, this
         object SHOULD have a zero value."
    ::= { spdCompoundActionEntry 3 }

spdCompActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table that
         were created through an external process MAY have a storage
         type of readOnly or permanent.

         For a storage type of permanent, none of the columns have
         to be writable."
    DEFVAL { nonVolatile }
Top   ToC   RFC4807 - Page 43
    ::= { spdCompoundActionEntry 4 }

spdCompActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         Once a row in the spdCompoundActionTable has been made
         active, this object MUST NOT be set to destroy without
         first destroying all the contained rows listed in the
         spdSubactionsTable."
    ::= { spdCompoundActionEntry 5 }


--
-- actions contained within a compound action
--

spdSubactionsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdSubactionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of the sub-actions within a
         given compound action.  Compound actions executing these
         actions MUST execute them in series based on the
         spdSubActPriority value, with the lowest value executing
         first."
    ::= { spdConfigObjects 12 }

spdSubactionsEntry OBJECT-TYPE
    SYNTAX      SpdSubactionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing a reference to a given compound-action
         sub-action."
    INDEX   { spdCompActName, spdSubActPriority }
    ::= { spdSubactionsTable 1 }

SpdSubactionsEntry ::= SEQUENCE {
    spdSubActPriority                          Integer32,
    spdSubActSubActionName                     VariablePointer,
Top   ToC   RFC4807 - Page 44
    spdSubActLastChanged                       TimeStamp,
    spdSubActStorageType                       StorageType,
    spdSubActRowStatus                         RowStatus
}

spdSubActPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of a given sub-action within a compound
         action.  The order in which sub-actions MUST be executed
         are based on the value from this column, with the lowest
         numeric value executing first (i.e., priority 0 before
         priority 1, 1 before 2, etc.)."
    ::= { spdSubactionsEntry 1 }

spdSubActSubActionName OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column points to the action to be taken.  It MAY,
         but is not limited to, point to a row in one of the
         following tables:

            spdCompoundActionTable         - Allowing recursion
            ipsaSaPreconfiguredActionTable
            ipiaIkeActionTable
            ipiaIpsecActionTable

         It MAY also point to one of the scalar objects beneath
         spdStaticActions.

         If this object is set to a pointer to a row in an
         unsupported (or unknown) table, an inconsistentValue
         error MUST be returned.

         If this object is set to point to a non-existent row in
         an otherwise supported table, an inconsistentName error
         MUST be returned.

         If, during packet processing, this column has a value that
         references a non-existent or non-supported object, the
         packet MUST be dropped."
    ::= { spdSubactionsEntry 2 }

spdSubActLastChanged OBJECT-TYPE
Top   ToC   RFC4807 - Page 45
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
         or created either through SNMP SETs or by some other
         external means.

         If this row has not been modified since the last
         re-initialization of the network management subsystem, this
         object SHOULD have a zero value."
    ::= { spdSubactionsEntry 3 }

spdSubActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table that
         were created through an external process MAY have a storage
         type of readOnly or permanent.

         For a storage type of permanent, none of the columns have
         to be writable."
    DEFVAL { nonVolatile }
    ::= { spdSubactionsEntry 4 }

spdSubActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object MUST remain active unless one of the
         following two conditions are met.  An attempt to set it to
         anything other than active while the following conditions
         are not met MUST result in an inconsistentValue error.  The
         two conditions are:

         I.  No active row in the spdCompoundActionTable exists
             which has a matching spdCompActName.

         II. Or, at least one other active row in this table has a
             matching spdCompActName."
Top   ToC   RFC4807 - Page 46
    ::= { spdSubactionsEntry 5 }

--
-- Static Actions
--

-- these are static actions that can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept, or reject packets.

spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }

spdDropAction    OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be dropped
         and SHOULD NOT have action/packet logging."
    ::= { spdStaticActions 1 }

spdDropActionLog OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be dropped
         and SHOULD have action/packet logging."
    ::= { spdStaticActions 2 }

spdAcceptAction OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This Scalar indicates that a packet MUST be accepted
         (pass-through) and SHOULD NOT have action/packet logging."
    ::= { spdStaticActions 3 }

spdAcceptActionLog OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be accepted
         (pass-through) and SHOULD have action/packet logging."
    ::= { spdStaticActions 4 }
Top   ToC   RFC4807 - Page 47
--
--
-- Notification objects information
--
--

spdNotificationVariables OBJECT IDENTIFIER ::=
   { spdNotificationObjects 1 }

spdNotifications OBJECT IDENTIFIER ::=
   { spdNotificationObjects 0 }

spdActionExecuted OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Points to the action instance that was executed that
         resulted in the notification being sent."
    ::= { spdNotificationVariables 1 }

spdIPEndpointAddType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the address type for the interface that the
         notification triggering packet is passing through."
    ::= { spdNotificationVariables 2 }

spdIPEndpointAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the interface address for the interface that the
         notification triggering packet is passing through.

         The format of this object is specified by the
         spdIPEndpointAddType object."
    ::= { spdNotificationVariables 3 }

spdIPSourceType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the source address type of the packet that
Top   ToC   RFC4807 - Page 48
         triggered the notification."
    ::= { spdNotificationVariables 4 }

spdIPSourceAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the source address of the packet that
         triggered the notification.

         The format of this object is specified by the
         spdIPSourceType object."
    ::= { spdNotificationVariables 5 }

spdIPDestinationType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the destination address type of the packet
         that triggered the notification."
    ::= { spdNotificationVariables 6 }

spdIPDestinationAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the destination address of the packet that
         triggered the notification.

         The format of this object is specified by the
         spdIPDestinationType object."
    ::= { spdNotificationVariables 7 }

spdPacketDirection OBJECT-TYPE
    SYNTAX      IfDirection
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Indicates if the packet that triggered the action in
         questions was ingress (inbound) or egress (outbound)."
    ::= { spdNotificationVariables 8 }

spdPacketPart OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..65535))
    MAX-ACCESS  accessible-for-notify
Top   ToC   RFC4807 - Page 49
    STATUS      current
    DESCRIPTION
        "spdPacketPart is the front part of the full IP packet that
         triggered this notification.  The initial size limit is
         determined by the smaller of the size, indicated by:

         I.  The value of the object with the TC syntax
             'SpdIPPacketLogging' that indicated the packet SHOULD be
             logged and

         II. The size of the triggering packet.

         The final limit is determined by the SNMP packet size when
         sending the notification.  The maximum size that can be
         included will be the smaller of the initial size, given the
         above, and the length that will fit in a single SNMP
         notification packet after the rest of the notification's
         objects and any other necessary packet data (headers encoding,
         etc.) have been included in the packet."
    ::= { spdNotificationVariables 9 }

spdActionNotification NOTIFICATION-TYPE
    OBJECTS { spdActionExecuted, spdIPEndpointAddType,
              spdIPEndpointAddress,
              spdIPSourceType, spdIPSourceAddress,
              spdIPDestinationType,
              spdIPDestinationAddress,
              spdPacketDirection }
    STATUS  current
    DESCRIPTION
        "Notification that an action was executed by a rule.
         Only actions with logging enabled will result in this
         notification getting sent.  The object includes the
         spdActionExecuted object, which will indicate which action
         was executed within the scope of the rule.  Additionally,
         the spdIPSourceType, spdIPSourceAddress,
         spdIPDestinationType, and spdIPDestinationAddress objects
         are included to indicate the packet source and destination
         of the packet that triggered the action.  Finally, the
         spdIPEndpointAddType, spdIPEndpointAddress, and
         spdPacketDirection objects indicate which interface the
         executed action was associated with, and if the packet was
         ingress or egress through the endpoint.

         A spdActionNotification SHOULD be limited to a maximum of
         one notification sent per minute for any action
         notifications that do not have any other configuration
         controlling their send rate.
Top   ToC   RFC4807 - Page 50
         Note that compound actions with multiple executed
         sub-actions may result in multiple notifications being sent
         from a single rule execution."
    ::= { spdNotifications 1 }

spdPacketNotification NOTIFICATION-TYPE
    OBJECTS { spdActionExecuted, spdIPEndpointAddType,
              spdIPEndpointAddress,
              spdIPSourceType, spdIPSourceAddress,
              spdIPDestinationType,
              spdIPDestinationAddress,
              spdPacketDirection,
              spdPacketPart }
    STATUS  current
    DESCRIPTION
        "Notification that a packet passed through a Security
         Association (SA).  Only SAs created by actions with packet
         logging enabled will result in this notification getting
         sent.  The objects sent MUST include the spdActionExecuted,
         which will indicate which action was executed within the
         scope of the rule.  Additionally, the spdIPSourceType,
         spdIPSourceAddress, spdIPDestinationType, and
         spdIPDestinationAddress objects MUST be included to
         indicate the packet source and destination of the packet
         that triggered the action.  The spdIPEndpointAddType,
         spdIPEndpointAddress, and spdPacketDirection objects are
         included to indicate which endpoint the packet was
         associated with.  Finally, spdPacketPart is included to
         enable sending a variable sized part of the front of the
         packet with the size dependent on the value of the object of
         TC syntax 'SpdIPPacketLogging', which indicated that logging
         should be done.

         A spdPacketNotification SHOULD be limited to a maximum of
         one notification sent per minute for any action
         notifications that do not have any other configuration
         controlling their send rate.

         An action notification SHOULD be limited to a maximum of
         one notification sent per minute for any action
         notifications that do not have any other configuration
         controlling their send rate."
    ::= { spdNotifications 2 }


--
--
-- Conformance information
Top   ToC   RFC4807 - Page 51
--
--

spdCompliances OBJECT IDENTIFIER
    ::= { spdConformanceObjects 1 }
spdGroups OBJECT IDENTIFIER
    ::= { spdConformanceObjects 2 }

--
-- Compliance statements
--
--
spdRuleFilterFullCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities that include
         an IPsec MIB implementation with Endpoint, Rules, and
         filters support.

         When this MIB is implemented with support for read-create,
         then such an implementation can claim full compliance.  Such
         devices can then be both monitored and configured with this
         MIB."

    MODULE -- This Module
        MANDATORY-GROUPS { spdEndpointGroup,
                           spdGroupContentsGroup,
                           spdRuleDefinitionGroup,
                           spdStaticFilterGroup,
                           spdStaticActionGroup ,
                           diffServMIBMultiFieldClfrGroup }

        GROUP spdIpsecSystemPolicyNameGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support a system policy group
             name."

        GROUP spdCompoundFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support compound filters."

        GROUP spdIPOffsetFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support IP Offset filters.  In
             general, this SHOULD be supported by a compliant IPsec
Top   ToC   RFC4807 - Page 52
             Policy implementation."

        GROUP spdTimeFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support time filters."

        GROUP spdIpsoHeaderFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support IPSO Header filters."

        GROUP  spdCompoundActionGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support compound actions."

        OBJECT      spdEndGroupLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdGroupContComponentType
        SYNTAX      INTEGER {
                rule(2)
        }
        DESCRIPTION
            "Support of the value group(1) is only required for
             implementations that support Policy Groups within
             Policy Groups."

        OBJECT      spdGroupContLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdRuleDefLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdCompFiltLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdSubFiltLastChanged
        MIN-ACCESS  not-accessible
Top   ToC   RFC4807 - Page 53
        DESCRIPTION
             "This object not required for compliance."

        OBJECT      spdIpOffFiltLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdTimeFiltLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdIpsoHeadFiltLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdCompActLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      spdSubActLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object not required for compliance."

        OBJECT      diffServMultiFieldClfrNextFree
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is not required for compliance."

    ::= { spdCompliances 1 }


spdLoggingCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities that support
         sending notifications when actions are invoked."
    MODULE -- This Module
        MANDATORY-GROUPS { spdActionLoggingObjectGroup,
                           spdActionNotificationGroup }

    ::= { spdCompliances 2 }

--
Top   ToC   RFC4807 - Page 54
-- ReadOnly Compliances
--
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities that include
         an IPsec MIB implementation with Endpoint, Rules, and
         filters support.

         If this MIB is implemented without support for read-create
         (i.e., in read-only), it is not in full compliance, but it
         can claim read-only compliance.  Such a device can then be
         monitored, but cannot be configured with this MIB."

    MODULE -- This Module
        MANDATORY-GROUPS { spdEndpointGroup,
                           spdGroupContentsGroup,
                           spdRuleDefinitionGroup,
                           spdStaticFilterGroup,
                           spdStaticActionGroup ,
                           diffServMIBMultiFieldClfrGroup }

        GROUP spdIpsecSystemPolicyNameGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support a system policy group
             name."

        GROUP spdCompoundFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support compound filters."

        GROUP spdIPOffsetFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support IP Offset filters.  In
             general, this SHOULD be supported by a compliant IPsec
             Policy implementation."

        GROUP spdTimeFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support time filters."

        GROUP spdIpsoHeaderFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
Top   ToC   RFC4807 - Page 55
             implementations that support IPSO Header filters."

        GROUP  spdCompoundActionGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations that support compound actions."

        OBJECT       spdCompActExecutionStrategy
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdCompActLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdCompActRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdCompActStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdCompFiltDescription
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdCompFiltLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdCompFiltLogicType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdCompFiltRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdCompFiltStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
Top   ToC   RFC4807 - Page 56
            "Write access is not required."

        OBJECT       spdEgressPolicyGroupName
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdEndGroupLastChanged
        DESCRIPTION
           "This object is not required for compliance."

        OBJECT       spdEndGroupName
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdEndGroupRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdEndGroupStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdGroupContComponentName
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdGroupContComponentType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdGroupContFilter
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdGroupContLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdGroupContRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
Top   ToC   RFC4807 - Page 57
            "Write access is not required."

        OBJECT       spdGroupContStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIngressPolicyGroupName
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpOffFiltLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdIpOffFiltOffset
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpOffFiltRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpOffFiltStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpOffFiltType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpOffFiltValue
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpsoHeadFiltClassification
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpsoHeadFiltLastChanged
        DESCRIPTION
Top   ToC   RFC4807 - Page 58
            "This object is not required for compliance."

        OBJECT       spdIpsoHeadFiltProtectionAuth
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpsoHeadFiltRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpsoHeadFiltStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdIpsoHeadFiltType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefAction
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefAdminStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefDescription
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefFilter
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefFilterNegated
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefLastChanged
Top   ToC   RFC4807 - Page 59
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdRuleDefRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdRuleDefStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubActLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdSubActRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubActStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubActSubActionName
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubFiltLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdSubFiltRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubFiltStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubFiltSubfilter
        MIN-ACCESS   read-only
Top   ToC   RFC4807 - Page 60
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdSubFiltSubfilterIsNegated
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltDayOfMonthMask
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltDayOfWeekMask
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltLastChanged
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT       spdTimeFiltMonthOfYearMask
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltPeriod
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltRowStatus
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltTimeOfDayMask
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT       spdTimeFiltStorageType
        MIN-ACCESS   read-only
        DESCRIPTION
            "Write access is not required."

    ::= { spdCompliances 3 }
Top   ToC   RFC4807 - Page 61
--
--
-- Compliance Groups Definitions
--

--
-- Endpoint, Rule, Filter Compliance Groups
--

spdEndpointGroup OBJECT-GROUP
    OBJECTS {
        spdEndGroupName, spdEndGroupLastChanged,
        spdEndGroupStorageType, spdEndGroupRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
         Endpoint Table."
    ::= { spdGroups 1 }

spdGroupContentsGroup OBJECT-GROUP
    OBJECTS {
        spdGroupContComponentType, spdGroupContFilter,
        spdGroupContComponentName, spdGroupContLastChanged,
        spdGroupContStorageType, spdGroupContRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
         Group Contents Table."
    ::= { spdGroups 2 }

spdIpsecSystemPolicyNameGroup OBJECT-GROUP
    OBJECTS {
        spdIngressPolicyGroupName,
        spdEgressPolicyGroupName
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects represent the System
         Policy Group Names."
    ::= { spdGroups 3}

spdRuleDefinitionGroup OBJECT-GROUP
    OBJECTS {
        spdRuleDefDescription, spdRuleDefFilter,
        spdRuleDefFilterNegated, spdRuleDefAction,
        spdRuleDefAdminStatus, spdRuleDefLastChanged,
Top   ToC   RFC4807 - Page 62
        spdRuleDefStorageType, spdRuleDefRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy Rule
        Definition Table."
    ::= { spdGroups 4 }

spdCompoundFilterGroup OBJECT-GROUP
    OBJECTS {
        spdCompFiltDescription, spdCompFiltLogicType,
        spdCompFiltLastChanged, spdCompFiltStorageType,
        spdCompFiltRowStatus, spdSubFiltSubfilter,
        spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
        spdSubFiltStorageType, spdSubFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
         Compound Filter Table and Sub-Filter Table Group."
    ::= { spdGroups 5 }

spdStaticFilterGroup OBJECT-GROUP
        OBJECTS { spdTrueFilter }
     STATUS current
     DESCRIPTION
         "The static filter group.  Currently this is just a true
          filter."
    ::= { spdGroups 6 }

spdIPOffsetFilterGroup OBJECT-GROUP
    OBJECTS {
        spdIpOffFiltOffset, spdIpOffFiltType,
        spdIpOffFiltValue, spdIpOffFiltLastChanged,
        spdIpOffFiltStorageType, spdIpOffFiltRowStatus
    }

    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy IP
         Offset Filter Table."
    ::= { spdGroups 7 }

spdTimeFilterGroup OBJECT-GROUP
    OBJECTS {
        spdTimeFiltPeriod,
        spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
        spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMask,
Top   ToC   RFC4807 - Page 63
        spdTimeFiltLastChanged,
        spdTimeFiltStorageType, spdTimeFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy Time
         Filter Table."
    ::= { spdGroups 8 }

spdIpsoHeaderFilterGroup OBJECT-GROUP
    OBJECTS {
        spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
        spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
        spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy IPSO
         Header Filter Table."
    ::= { spdGroups 9 }

--
-- action compliance groups
--

spdStaticActionGroup OBJECT-GROUP
    OBJECTS {
        spdDropAction, spdAcceptAction,
        spdDropActionLog, spdAcceptActionLog
    }
    STATUS current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
         Static Actions."
    ::= { spdGroups 10 }

spdCompoundActionGroup OBJECT-GROUP
    OBJECTS {
        spdCompActExecutionStrategy, spdCompActLastChanged,
        spdCompActStorageType,

        spdCompActRowStatus, spdSubActSubActionName,
        spdSubActLastChanged, spdSubActStorageType,
        spdSubActRowStatus
    }
    STATUS current
    DESCRIPTION
        "The IPsec Policy Compound Action Table and Actions In
Top   ToC   RFC4807 - Page 64
         Compound Action Table Group."
    ::= { spdGroups 11 }

spdActionLoggingObjectGroup OBJECT-GROUP
    OBJECTS {
        spdActionExecuted,
        spdIPEndpointAddType,   spdIPEndpointAddress,
        spdIPSourceType,        spdIPSourceAddress,
        spdIPDestinationType,   spdIPDestinationAddress,
        spdPacketDirection,     spdPacketPart
    }
    STATUS current
    DESCRIPTION
        "This group is made up of all the Notification objects for
        this MIB."
    ::= { spdGroups 12 }

spdActionNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        spdActionNotification,
        spdPacketNotification
    }
    STATUS current
    DESCRIPTION
        "This group is made up of all the Notifications for this MIB."
    ::= { spdGroups 13 }


END
Top   ToC   RFC4807 - Page 65

7. Security Considerations

7.1. Introduction

This document defines a MIB module used to configure IPsec policy services. Since IPsec provides network security services, all of its configuration data (e.g., this entire MIB) SHOULD be as secure or more secure than any of the security services IPsec provides. There are two main threats you need to protect against when configuring IPsec devices. 1. Malicious Configuration: This MIB configures network security services. If an attacker has SET access to any part of this MIB, the network security services configured by this MIB SHOULD be considered broken. The network data sent through the associated gateway should no longer be considered as protected by IPsec (i.e., it is no longer confidential or authenticated). Therefore, only the official administrators SHOULD be allowed to configure a device. In other words, administrators' identities SHOULD be authenticated and their access rights checked before they are allowed to do device configuration. The support for SET operations to the SPD MIB in a non-secure environment, without proper protection, will invalidate the security of the network traffic affected by the SPD MIB. 2. Disclosure of Configuration: In general, malicious parties SHOULD NOT be able to read security configuration data while the data is in network transit. An attacker reading the configuration data may be able to find misconfigurations in the MIB that enable attacks to the network or to the configured node. Since this entire MIB is used for security configuration, it is highly RECOMMENDED that only authorized administrators are allowed to view data in this MIB. In particular, malicious users SHOULD be prevented from reading SNMP packets containing this MIB's data. SNMP GET data SHOULD be encrypted when sent across the network. Also, only authorized administrators SHOULD be allowed SNMP GET access to any of the MIB objects. SNMP versions prior to SNMPv3 do not include adequate security. Even if the network itself is secure (e.g., by using IPsec), earlier versions of SNMP have virtually no control as to who on the secure network is allowed to access (i.e., read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers use the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).
Top   ToC   RFC4807 - Page 66
   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
   SNMP version 3.  The rest of this discussion assumes the use of
   SNMPv3.  This is a real strength, because it allows administrators
   the ability to load new IPsec configuration on a device and keep the
   conversation private and authenticated under the protection of SNMPv3
   before any IPsec protections are available.  Once initial
   establishment of IPsec configuration on a device has been achieved,
   it would be possible to set up IPsec SAs to then also provide
   security and integrity services to the configuration conversation.
   This may seem redundant at first, but will be shown to have a use for
   added privacy protection below.

7.2. Protecting against Unauthenticated Access

The current SNMPv3 User Security Model provides for key-based user authentication. Typically, keys are derived from passwords (but are not required to be), and the keys are then used in Hashed Message Authentication Code (HMAC) algorithms (currently, MD5 and SHA-1 HMACs are defined) to authenticate all SNMP data. Each SNMP device keeps a (configured) list of users and keys. Under SNMPv3 user keys may be updated as often as an administrator cares to have users enter new passwords. But Perfect Forward Secrecy for user keys in SNMPv3 is not yet provided by standards track documents, although RFC2786 defines an experimental method of doing so.

7.3. Protecting against Involuntary Disclosure

While sending IPsec configuration data to a Policy Enforcement Point (PEP), there are a few critical parameters that MUST NOT be observed by third parties. Specifically, except for public keys, keying information MUST NOT be allowed to be observed by third parties. This includes IKE Pre-Shared Keys and possibly the private key of a public/private key pair for use in a PKI. Were either of those parameters to be known to a third party, they could then impersonate the device to other IKE peers. Aside from those critical parameters, policy administrators have an interest in not divulging any of their policy configuration. Any knowledge about a device's configuration could help an unfriendly party compromise that device. SNMPv3 offers privacy security services, but at the time this document was written, the only standardized encryption algorithm supported by SNMPv3 is the
Top   ToC   RFC4807 - Page 67
   DES encryption algorithm.  Support for other (stronger) cryptographic
   algorithms is in the works and may be completed by the time you read
   this.  As of October 2006, there is a stronger standards track
   algorithm: AES [RFC3826].  When configuring the IPsec policy using
   this MIB, policy administrators SHOULD use a privacy security service
   that is at least as strong as the desired IPsec policy, e.g., If an
   administrator were to use this MIB to configure an IPsec connection
   that utilizes a AES algorithms, the SNMP communication configuring
   the connection SHOULD be protected by an algorithm as strong or
   stronger than the AES algorithm.

7.4. Bootstrapping Your Configuration

Most vendors will not ship new products with a default SNMPv3 user/ password pair, but it is possible. If a device does ship with a default user/password pair, policy administrators SHOULD either change the password or configure a new user, deleting the default user (or, at a minimum, restrict the access of the default user). Most SNMPv3 distributions should, hopefully, require an out-of-band initialization over a trusted medium, such as a local console connection.

8. IANA Considerations

Only two IANA considerations exist for this document. The first is just the node number allocation of the IPSEC-SPD-MIB itself within the MIB-2 tree. This is listed in the MIB definition in Section 6. The IPSEC-SPD-MIB also allows for extension action MIBs. Although additional actions are not required to use it, the node spdActions is allocated as a subtree under which IANA can assign additional actions. The second IANA consideration is that IANA would be responsible for creating a new subregistry for and assigning nodes under the spdActions subtree. This tree should have a prefix of iso.org.dod.internet.mgmt.mib-2.spdMIB.spdActions and be listed similar to the following: Decimal Name Description References ------- ---- ----------- ---------- A documented specification is required in order to assign a number. The action and it's meaning can be specified in an RFC or in another publicly available reference. The specification should have sufficient detail that interoperability between independent implementations is possible. The product of the IETF or of another standards body is acceptable or an assignment can be accepted under
Top   ToC   RFC4807 - Page 68
   the advice of a "designated expert". (contact IANA for the current
   expert)

9. Acknowledgments

Many people contributed thoughts and ideas that influenced this MIB module. Some special thanks are in order to the following people: Lindy Foster (Sparta, Inc.) John Gillis (ADC) Roger Hartmuller (Sparta, Inc.) Harrie Hazewinkel Jamie Jason (Intel Corporation) David Partain (Ericsson) Lee Rafalow (IBM) Jon Saperia (JDS Consulting) Eric Vyncke (Cisco Systems)

10. References

10.1. Normative References

[RFC1108] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.
Top   ToC   RFC4807 - Page 69
   [RFC3060]       Moore, B., Ellesson, E., Strassner, J., and A.
                   Westerinen, "Policy Core Information Model -- Version
                   1 Specification", RFC 3060, February 2001.

   [RFC3289]       Baker, F., Chan, K., and A. Smith, "Management
                   Information Base for the Differentiated Services
                   Architecture", RFC 3289, May 2002.

   [RFC3411]       Harrington, D., Presuhn, R., and B. Wijnen, "An
                   Architecture for Describing Simple Network Management
                   Protocol (SNMP) Management Frameworks", STD 62,
                   RFC 3411, December 2002.

   [RFC3585]       Jason, J., Rafalow, L., and E. Vyncke, "IPsec
                   Configuration Policy Information Model", RFC 3585,
                   August 2003.

   [RFC3629]       Yergeau, F., "UTF-8, a transformation format of ISO
                   10646", STD 63, RFC 3629, November 2003.

   [RFC4001]       Daniele, M., Haberman, B., Routhier, S., and J.
                   Schoenwaelder, "Textual Conventions for Internet
                   Network Addresses", RFC 4001, February 2005.

   [RFC4301]       Kent, S. and K. Seo, "Security Architecture for the
                   Internet Protocol", RFC 4301, December 2005.

10.2. Informative References

[IPsec-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IPsec Action MIB", Work in Progress, October 2006. [IKE-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IKE Action MIB", Work in Progress, October 2006. [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper", November 2000. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.
Top   ToC   RFC4807 - Page 70
   [RFC3826]       Blumenthal, U., Maino, F., and K. McCloghrie, "The
                   Advanced Encryption Standard (AES) Cipher Algorithm
                   in the SNMP User-based Security Model", RFC 3826,
                   June 2004.

Authors' Addresses

Michael Baer Sparta, Inc. P.O. Box 72682 Davis, CA 95617 US EMail: baerm@tislabs.com Ricky Charlet Self EMail: rcharlet@alumni.calpoly.edu Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 US Phone: +1 530 792 1913 EMail: hardaker@tislabs.com Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 US EMail: rstory@ipsp.revelstone.com Cliff Wang ARO 4300 S. Miami Blvd Durham, NC 27703 US EMail: cliffwangmail@yahoo.com
Top   ToC   RFC4807 - Page 71
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.