IPSP                                                            M. Baer
Internet-Draft                                             Sparta, Inc.
Intended status: Informational                               R. Charlet
Expires: April 22, 2007                                            Self
                                                            W. Hardaker
                                                           Sparta, Inc.
                                                               R. Story
                                                    Revelstone Software
                                                                C. Wang
                                   ARO/North Carolina State University
                                                       October 19, 2006


                  IPsec Security Policy IPsec Action MIB
                   draft-ietf-ipsp-ipsecaction-mib-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 22, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Baer, et al.             Expires April 22, 2007                 [Page 1]

Internet-Draft            IPsec IPsec Action MIB            October 2006

Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring IPsec actions for the security policy database
   (SPD) of a device that uses the IPsec Security Policy Database
   Configuration MIB for configuring the IPsec protocol actions on that
   device.  The IPsec Action MIB integrates directly with the IPsec
   Security Policy Database Configuration MIB and it is meant to work
   within the framework of an action referenced by that MIB.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The Internet-Standard Management Framework
   4.  Relationship to the DMTF Policy Model
   5.  MIB Module Overview
   6.  MIB definition
   7.  Security Considerations
       7.1.  Introduction
       7.2.  Protecting against unauthenticated access
       7.3.  Protecting against involuntary disclosure
       7.4.  Bootstrapping your configuration
   8.  IANA Considerations
   9.  Acknowledgments
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   action within the IPsec security policy database (SPD).  This module
   works within the framework of the IPsec Security Policy Database
   Configuration MIB (IPSEC-SPD-MIB) [RFCZZZZ].  It can be referenced as
   an action by the IPSEC-SPD-MIB and is used to configure the IPsec SAs
   [RFC2401] that are created for network traffic between devices.

   The companion document [RFCZZZZ] documents the IPsec Security Policy
   Database Configuration MIB (IPSEC-SPD-MIB).  For information
   surrounding the configuration of IKE and its parameters, see the
   companion document [RFCYYYY], which documents the IPsec Security
   Policy IKE Action MIB.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force has created an object oriented
   model of IPsec policy information known as the IPsec Policy Model
   White Paper [IPPMWP].  The "IPsec Configuration Policy Model" (IPCP)
   [RFC3585] is based in large part on the DMTF's IPsec policy model.
   The IPCP document describes a model for configuring IPsec.  This MIB
   module is a task-specific derivation (i.e. an SMIv2 instantiation) of
   the IPCP's IPsec configuration model for use over SNMPv3.  This MIB
   includes the necessary transform, negotiation, and IPsec action
   information required to create an IPsec SA within the IPsec Policy
   framework.

5.  MIB Module Overview

   The MIB module describes the necessary information to implement IPsec
   actions and their associated Security Associations referred to by the
   IPsec Security Policy Database Configuration MIB.
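   The following Python is an added example, not part of this draft or of
   any implementation of it.  It models one row of the
   ipsaSaPreconfiguredActionTable defined in Section 6 together with the
   transform and credential rows the row names, and applies the rules the
   object descriptions state: the effective SA lifetime as the lesser of
   the action and transform values, tunnel-only columns, dangling name
   references, and the RowStatus rule that a referenced transform must
   stay active.  The in-memory layout, helper names and sample values are
   assumptions made here; the spdActions OID prefix comes from the
   IPSEC-SPD-MIB and is left for the caller to supply.

```python
"""Added example, not part of the draft or of any implementation of it: one
row of the ipsaSaPreconfiguredActionTable of Section 6, the transform and
credential rows it names, and the rules the object DESCRIPTIONs state.
All layouts, helper names and sample values here are constructed."""
from dataclasses import dataclass

LIFETIME_DEFAULT_SEC = 28800   # DEFVAL of ipsaSaPreActActionLifetimeSec (8 hours)
TUNNEL, TRANSPORT = 1, 2       # IpsecDoiEncapsulationMode: tunnel(1), transport(2)
INBOUND, OUTBOUND = 1, 2       # IfDirection (DIFFSERV-MIB): inbound(1), outbound(2)
ACTIVE = 1                     # RowStatus active(1)


@dataclass
class Transform:               # row of ipsaAh/Esp/IpcompTransformTable
    name: str
    max_lifetime_sec: int = 0  # ipsa*TranMaxLifetimeSec: 0 = use the 8-hour default
    max_lifetime_kb: int = 0   # ipsa*TranMaxLifetimeKB; assumed here: 0 = no limit
    row_status: int = ACTIVE


@dataclass
class PreconfiguredAction:     # row of ipsaSaPreconfiguredActionTable
    name: str                  # ipsaSaPreActActionName (index, SIZE(1..32))
    direction: int             # ipsaSaPreActSADirection (index)
    action_type: int = TUNNEL  # ipsaSaPreActActionType, DEFVAL 1
    lifetime_sec: int = LIFETIME_DEFAULT_SEC  # 0 = no time limit
    lifetime_kb: int = 0       # DEFVAL 0 = no kilobyte limit
    ah_transform: str = ""     # "" = no transform of this type
    ah_secret: str = ""        # ipsaSaPreActAHSharedSecretName -> ipsaCredentialTable
    esp_transform: str = ""
    esp_enc_secret: str = ""
    esp_auth_secret: str = ""
    ipcomp_transform: str = ""
    peer_gateway: str = ""     # ipsaSaPreActPeerGatewayIdName, tunnel SAs only
    row_status: int = ACTIVE


def references(action, db):
    """(protocol, transform name, its table, secret names) per transform slot."""
    return [("AH", action.ah_transform, db["ah"], [action.ah_secret]),
            ("ESP", action.esp_transform, db["esp"], [action.esp_enc_secret, action.esp_auth_secret]),
            ("IPComp", action.ipcomp_transform, db["ipcomp"], [])]


def effective_lifetime(action, db):
    """Lesser of the action value and the referenced transform's maximum; 0 on
    the action = no limit, 0 on a transform's seconds = the 8-hour default.  Taking
    the minimum over all named transforms is this example's generalization.
    Returns (seconds, kilobytes), 0 meaning unlimited."""
    secs = [action.lifetime_sec] if action.lifetime_sec else []
    kbs = [action.lifetime_kb] if action.lifetime_kb else []
    for _, name, table, _ in references(action, db):
        if name in table:
            secs.append(table[name].max_lifetime_sec or LIFETIME_DEFAULT_SEC)
            kbs += [table[name].max_lifetime_kb] if table[name].max_lifetime_kb else []
    return (min(secs) if secs else 0, min(kbs) if kbs else 0)


def validate(action, db):
    """Problems that should keep the row from going active; [] if consistent."""
    problems = []
    for proto, name, table, secrets in references(action, db):
        if not name:
            continue   # zero-length name: this protocol is not used by the SA
        if name not in table or table[name].row_status != ACTIVE:
            problems.append(f"{proto} transform '{name}' is missing or not active")
        problems += [f"{proto} secret '{s}' not in ipsaCredentialTable"
                     for s in secrets if s not in db["credentials"]]
    if action.action_type == TRANSPORT and action.peer_gateway:
        problems.append("ipsaSaPreActPeerGatewayIdName is not used for transport SAs")
    return problems


def transform_may_leave_active(kind, name, db):
    """RowStatus rule of the transform tables: a transform referenced by an
    active action row MUST stay active (the SET would get inconsistentValue)."""
    col = {"ah": "ah_transform", "esp": "esp_transform", "ipcomp": "ipcomp_transform"}[kind]
    return not any(a.row_status == ACTIVE and getattr(a, col) == name
                   for a in db["actions"].values())


def instance_oid(column, action, spd_actions=()):
    """Sub-identifiers of column N of this row below spdActions (IPSEC-SPD-MIB
    prefix supplied by the caller): ipsaMIB(1).ipsaConfigObjects(1).table(1)
    .entry(1).column, then the INDEX: length-prefixed name octets, then direction."""
    octets = action.name.encode("utf-8")
    return (tuple(spd_actions) + (1, 1, 1, 1, column, len(octets))
            + tuple(octets) + (action.direction,))


# Constructed sample tables and rows.
DB = {"ah": {"ah-sha1": Transform("ah-sha1", max_lifetime_sec=3600)},
      "esp": {"esp-aes": Transform("esp-aes", max_lifetime_kb=500000)}, "ipcomp": {},
      "credentials": {"ah-key-1", "esp-enc-1", "esp-auth-1"}, "actions": {}}
GOOD = PreconfiguredAction("mgmt-in", INBOUND, lifetime_sec=0,
                           ah_transform="ah-sha1", ah_secret="ah-key-1", esp_transform="esp-aes",
                           esp_enc_secret="esp-enc-1", esp_auth_secret="esp-auth-1")
DB["actions"][(GOOD.name, GOOD.direction)] = GOOD
BAD = PreconfiguredAction("bad", OUTBOUND, action_type=TRANSPORT,
                          esp_transform="esp-3des", esp_enc_secret="esp-enc-1",
                          esp_auth_secret="nope", peer_gateway="gw-a")
```

   For GOOD the effective lifetime is (3600, 500000): the action's 0 seconds
   means no limit, so the AH transform's 3600 seconds wins, and only the ESP
   transform carries a kilobyte maximum.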
   A basic understanding of IPsec processing, of the IPsec Configuration
   Policy Model and of how actions fit into the framework of the
   IPSEC-SPD-MIB is required to use this MIB properly.  When referring
   to an action in this MIB from the IPSEC-SPD-MIB, the filters within
   the IPSEC-SPD-MIB that are associated to the action are limited to
   those that are supported by IPsec [RFC2401] and this MIB.

6.  MIB definition

   The following MIB Module imports from: [RFC2578], [RFC2579],
   [RFC2580], [RFC3289], [RFC3411], [RFC4001].

IPSEC-IPSECACTION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
        FROM SNMPv2-SMI                               -- [rfc2578]
    TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType
        FROM SNMPv2-TC                                -- [rfc2579]
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF                              -- [rfc2580]
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB                       -- [rfc3411]
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB                         -- [rfc4001]
    spdActions, SpdIPPacketLogging, SpdAdminStatus
        FROM IPSEC-SPD-MIB                            -- [rfcZZZZ]
    IfDirection
        FROM DIFFSERV-MIB                             -- [rfc3289]
    ;

--
-- module identity
--

ipsaMIB MODULE-IDENTITY
    LAST-UPDATED "200610170000Z"             -- 17 October 2006
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
                  P.O. Box 72682
                  Davis, CA 95617
                  Phone: +1 530 902 3131
                  Email: baerm@tislabs.com

                  Ricky Charlet
                  Email: rcharlet@alumni.calpoly.edu

                  Wes Hardaker
                  Sparta, Inc.
                  P.O. Box 382
                  Davis, CA 95617
                  Phone: +1 530 792 1913
                  Email: hardaker@tislabs.com

                  Robert Story
                  Revelstone Software
                  PO Box 1812
                  Tucker, GA 30085
                  Phone: +1 770 617 3722
                  Email: rstory@sparta.com

                  Cliff Wang
                  ARO/North Carolina State University
                  4300 S. Miami Blvd.
                  RTP, NC 27709
                  E-Mail: cliffwangmail@yahoo.com"
    DESCRIPTION
        "The MIB module defines IPsec actions for managing IPsec
         Security Policy.
         Copyright (C) The Internet Society (2006).  This version of
         this MIB module is part of RFC XXXX, see the RFC itself for
         full legal notices."

    -- Revision History

    REVISION     "200610170000Z"             -- 17 October 2006
    DESCRIPTION  "Initial version, published as RFC XXXX."
                 -- RFC-editor assigns XXXX
    ::= { spdActions 1 }

--
-- groups of related objects
--

ipsaConfigObjects        OBJECT IDENTIFIER ::= { ipsaMIB 1 }
ipsaNotificationObjects  OBJECT IDENTIFIER ::= { ipsaMIB 2 }
ipsaConformanceObjects   OBJECT IDENTIFIER ::= { ipsaMIB 3 }

--
-- Textual Conventions
--

IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The Encapsulation Mode used as an IPsec DOI SA Attributes
         definition in the Transform Payload of a Phase II IKE
         negotiation.

         This set of values defines encapsulation modes used for AH,
         ESP, and IPCOMP when the associated Proposal Payload has a
         Protocol-ID of 3 (ESP).

         Unused values <= 61439 are reserved to IANA.

         Currently assigned values at the time of this writing:

             reserved(0),      -- reserved in DOI
             tunnel(1),
             transport(2)

         Values 61440-65535 are for private use."
    SYNTAX       Unsigned32 (0..65535)

IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPsec DOI IPCOMP Transform Identifier is an 8-bit value
         which identifies a particular algorithm to be used to provide
         IP-level compression before ESP.  It is used in the
         Transform-ID field of an ISAKMP Transform Payload for the
         IPsec DOI, when the Protocol-Id of the associated Proposal
         Payload is 4 (IPCOMP).

         The values 1-47 are reserved for algorithms for which an RFC
         has been approved for publication.
         Currently assigned values at the time of this writing:

             reserved(0),       -- reserved in DOI
             ipcompOui(1),      -- proprietary compression
                                -- transform
             ipcompDeflate(2),  -- 'zlib' deflate algorithm
             ipcompLzs(3),      -- Stac Electronics LZS
             ipcompLzjh(4)      -- ITU-T V.44 packet method

         The values 48-63 are reserved for private use amongst
         cooperating systems.

         The values 64-255 are reserved for future expansion."
    REFERENCE    "RFC 2407 sections 4.4.5 and 6.6, RFC 3051"
    SYNTAX       Unsigned32 (0..255)

IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The ESP Authentication Algorithm used in the IPsec DOI as a SA
         Attributes definition in the Transform Payload of Phase II of
         an IKE negotiation.

         This set of values defines the AH authentication algorithm,
         when the associated Proposal Payload has a Protocol-ID of 2
         (AH).

         This set of values defines the ESP authentication algorithm,
         when the associated Proposal Payload has a Protocol-ID of 3
         (ESP).

         Unused values <= 61439 are reserved to IANA.

         Currently assigned values at the time of this writing:

             none(0),           -- reserved in DOI, used
                                -- in MIBs to reflect no
                                -- encryption used
             hmacMd5(1),        -- hashed MAC using MD5
             hmacSha(2),        -- hashed MAC using SHA-1
             desMac(3),         -- DES MAC
             kpdk(4),           -- RFC 1826
                                -- Key/Pad/Data/Key
             hmacSha256(5),     -- hashed MAC using SHA-256
             hmacSha384(6),     -- hashed MAC using SHA-384
             hmacSha512(7),     -- hashed MAC using SHA-512
             hmacRipemd(8)      -- hashed MAC using
                                -- RIPEMD-160-96

         Values 61440-65535 are for private use.

         In a MIB, a value of 0 indicates that ESP has been negotiated
         without authentication."
    REFERENCE    "RFC 2407 section 4.5, RFC 2407 section 4.4.3.1,
                  RFC 1826, IANA, RFC 2857"
    SYNTAX       Unsigned32 (0..65535)

IpsecDoiEspTransform ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The values of the IPsec DOI ESP Transform Identifier which
         identify a particular algorithm to be used to provide secrecy
         protection for ESP.  It is used in the Transform-ID field of
         an ISAKMP Transform Payload for the IPsec DOI, when the
         Protocol-Id of the associated Proposal Payload is 2 (AH), 3
         (ESP), and 4 (IPCOMP).

         Currently assigned values at the time of this writing:

             none(0),           -- reserved in DOI, used
                                -- in MIBs to reflect no
                                -- encryption used
             espDesIv64(1),     -- DES-CBC transform defined
                                -- in RFC 1827 and RFC 1829
                                -- using a 64-bit IV
             espDes(2),         -- generic DES transform
                                -- using DES-CBC
             esp3Des(3),        -- generic triple-DES
                                -- transform
             espRc5(4),         -- RC5 transform
             espIdea(5),        -- IDEA transform
             espCast(6),        -- CAST transform
             espBlowfish(7),    -- BLOWFISH transform
             esp3Idea(8),       -- reserved for triple-IDEA
             espDesIv32(9),     -- DES-CBC transform defined
                                -- in RFC 1827 and RFC 1829
                                -- using a 32-bit IV
             espRc4(10),        -- reserved for RC4
             espNull(11),       -- no confidentiality
                                -- provided by ESP
             espAes(12)         -- NIST AES transform

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE    "RFC 2407 sections 4.4.4 and 6.5, IANA"
    SYNTAX       Unsigned32 (0..255)

IpsecDoiIdentType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPsec DOI Identification Type is an 8-bit value which is
         used in the ID Type field as a discriminant for interpretation
         of the variable-length Identification Payload.
         Currently assigned values at the time of this writing:

             reserved(0),           -- reserved in DOI
             idIpv4Addr(1),         -- a single four (4) octet
                                    -- IPv4 address
             idFqdn(2),             -- fully-qualified domain
                                    -- name string
             idUserFqdn(3),         -- fully-qualified username
                                    -- string
             idIpv4AddrSubnet(4),   -- a range of IPv4 addresses,
                                    -- represented by two
                                    -- four (4) octet values,
                                    -- where the first is an
                                    -- address and the second
                                    -- is a mask
             idIpv6Addr(5),         -- a single sixteen (16)
                                    -- octet IPv6 address
             idIpv6AddrSubnet(6),   -- a range of IPv6 addresses,
                                    -- represented by two
                                    -- sixteen (16) octet values,
                                    -- where the first is an
                                    -- address and the second
                                    -- is a mask
             idIpv4AddrRange(7),    -- a range of IPv4 addresses,
                                    -- represented by two
                                    -- four (4) octet values,
                                    -- where the first is the
                                    -- beginning IPv4 address
                                    -- and the second is the
                                    -- ending IPv4 address
             idIpv6AddrRange(8),    -- a range of IPv6 addresses,
                                    -- represented by two
                                    -- sixteen (16) octet values,
                                    -- where the first is the
                                    -- beginning IPv6 address
                                    -- and the second is the
                                    -- ending IPv6 address
             idDerAsn1Dn(9),        -- the binary DER encoding of
                                    -- ASN1 X.500
                                    -- DistinguishedName
             idDerAsn1Gn(10),       -- the binary DER encoding of
                                    -- ASN1 X.500 GeneralName
             idKeyId(11)            -- opaque byte stream which
                                    -- may be used to pass
                                    -- vendor-specific
                                    -- information

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE    "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9"
    SYNTAX       Unsigned32 (0..255)

IpsaCredentialType ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "IpsaCredentialType identifies the type of credential contained
         in a corresponding IpsaIdentityFilter object."
    SYNTAX       INTEGER { reserved(0), unknown(1), sharedSecret(2),
                           x509(3), kerberos(4) }

IpsaIdentityFilter ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "IpsaIdentityFilter contains a string encoded Identity Type
         value to be used in comparisons against an IKE Identity
         payload.  Wherever this TC is used, there SHOULD be an
         accompanying column which uses the IpsecDoiIdentType TC to
         specify the type of data in this object.  See the
         IpsecDoiIdentType TC for the supported identity types
         available.  Note that the IpsecDoiIdentType TC specifies how
         to encode binary values, while this object will contain human
         readable string versions."
    SYNTAX       OCTET STRING (SIZE(1..256))

--
-- Preconfigured Action Table
--

ipsaSaPreconfiguredActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaSaPreconfiguredActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is a list of non-negotiated IPsec actions (SAs)
         that can be performed and contains or indicates the data
         necessary to create such an SA."
    ::= { ipsaConfigObjects 1 }

ipsaSaPreconfiguredActionEntry OBJECT-TYPE
    SYNTAX      IpsaSaPreconfiguredActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "One entry in the ipsaSaPreconfiguredActionTable."
    INDEX { ipsaSaPreActActionName, ipsaSaPreActSADirection }
    ::= { ipsaSaPreconfiguredActionTable 1 }

IpsaSaPreconfiguredActionEntry ::= SEQUENCE {
    ipsaSaPreActActionName            SnmpAdminString,
    ipsaSaPreActSADirection           IfDirection,
    ipsaSaPreActActionDescription     SnmpAdminString,
    ipsaSaPreActActionLifetimeSec     Unsigned32,
    ipsaSaPreActActionLifetimeKB      Unsigned32,
    ipsaSaPreActDoActionLogging       TruthValue,
    ipsaSaPreActDoPacketLogging       SpdIPPacketLogging,
    ipsaSaPreActDFHandling            INTEGER,
    ipsaSaPreActActionType            IpsecDoiEncapsulationMode,
    ipsaSaPreActAHSPI                 Integer32,
    ipsaSaPreActAHTransformName       SnmpAdminString,
    ipsaSaPreActAHSharedSecretName    SnmpAdminString,
    ipsaSaPreActESPSPI                Integer32,
    ipsaSaPreActESPTransformName      SnmpAdminString,
    ipsaSaPreActESPEncSecretName      SnmpAdminString,
    ipsaSaPreActESPAuthSecretName     SnmpAdminString,
    ipsaSaPreActIPCompSPI             Integer32,
    ipsaSaPreActIPCompTransformName   SnmpAdminString,
    ipsaSaPreActPeerGatewayIdName     SnmpAdminString,
    ipsaSaPreActLastChanged           TimeStamp,
    ipsaSaPreActStorageType           StorageType,
    ipsaSaPreActRowStatus             RowStatus
}

ipsaSaPreActActionName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the name of this
         SaPreconfiguredActionEntry."
    ::= { ipsaSaPreconfiguredActionEntry 1 }

ipsaSaPreActSADirection OBJECT-TYPE
    SYNTAX      IfDirection
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object indicates whether a row applies to egress or
         ingress SAs."
    ::= { ipsaSaPreconfiguredActionEntry 2 }

ipsaSaPreActActionDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An administratively assigned string which can be used to
         describe what the action does."
    DEFVAL { "" }
    ::= { ipsaSaPreconfiguredActionEntry 3 }

ipsaSaPreActActionLifetimeSec OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaSaPreActActionLifetimeSec specifies how long in seconds
         the security association derived from this action is used.
         The default lifetime is 8 hours.

         Note: the actual lifetime of the preconfigured SA will be the
         lesser of the value of this object and of the value of the
         MaxLifetimeSecs property of the associated transform.

         A value of 0 indicates no time limit on the lifetime of the
         SA."
    DEFVAL { 28800 }
    ::= { ipsaSaPreconfiguredActionEntry 4 }

ipsaSaPreActActionLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaSaPreActActionLifetimeKB specifies how long the security
         association derived from this action is used.  After this
         value in KiloBytes has passed through the security
         association, this SA SHOULD be destroyed.

         Note: the actual lifetime of the preconfigured SA will be the
         lesser of the value of this object and of the value of the
         MaxLifetimeKB property of the associated transform.

         The default value, '0', indicates no kilobyte limit."
    DEFVAL { 0 }
    ::= { ipsaSaPreconfiguredActionEntry 5 }

ipsaSaPreActDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaSaPreActDoActionLogging specifies whether or not an audit
         message SHOULD be logged when a preconfigured SA is created."
    DEFVAL { false }
    ::= { ipsaSaPreconfiguredActionEntry 6 }

ipsaSaPreActDoPacketLogging OBJECT-TYPE
    SYNTAX      SpdIPPacketLogging
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaSaPreActDoPacketLogging specifies whether or not an audit
         message SHOULD be logged and if there is logging, how many
         bytes of the packet to place in the notification."
    DEFVAL { -1 }
    ::= { ipsaSaPreconfiguredActionEntry 7 }

ipsaSaPreActDFHandling OBJECT-TYPE
    SYNTAX      INTEGER {
                    copy(1),   -- indicates copy the DF bit from the
                               -- internal to external IP header.
                    set(2),    -- set the DF bit in the external IP
                               -- header to 1.
                    clear(3)   -- clear the DF bit in the external IP
                               -- header to 0.
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies how to process the DF bit in packets
         sent through the preconfigured SA.  This object is not used
         for transport SAs."
    DEFVAL { copy }
    ::= { ipsaSaPreconfiguredActionEntry 8 }

ipsaSaPreActActionType OBJECT-TYPE
    SYNTAX      IpsecDoiEncapsulationMode
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the encapsulation mode to use for the
         preconfigured SA: tunnel or transport mode."
    DEFVAL { 1 }
    ::= { ipsaSaPreconfiguredActionEntry 9 }

ipsaSaPreActAHSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the SPI value for the AH SA."
    ::= { ipsaSaPreconfiguredActionEntry 10 }

ipsaSaPreActAHTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the name of the AH transform to use as an
         index into the AHTransformTable.  A zero length value
         indicates no transform of this type is used."
    ::= { ipsaSaPreconfiguredActionEntry 11 }

ipsaSaPreActAHSharedSecretName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains a name value to be used as an index into
         the ipsaCredentialTable which holds the pertinent keying
         information for the AH SA."
    ::= { ipsaSaPreconfiguredActionEntry 12 }

ipsaSaPreActESPSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the SPI value for the ESP SA."
    ::= { ipsaSaPreconfiguredActionEntry 13 }

ipsaSaPreActESPTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the name of the ESP transform to use as an
         index into the ESPTransformTable.  A zero length value
         indicates no transform of this type is used."
    ::= { ipsaSaPreconfiguredActionEntry 14 }

ipsaSaPreActESPEncSecretName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains a name value to be used as an index into
         the ipsaCredentialTable which holds the pertinent keying
         information for the encryption algorithm of the ESP SA."
    ::= { ipsaSaPreconfiguredActionEntry 15 }

ipsaSaPreActESPAuthSecretName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains a name value to be used as an index into
         the ipsaCredentialTable which holds the pertinent keying
         information for the authentication algorithm of the ESP SA."
    ::= { ipsaSaPreconfiguredActionEntry 16 }

ipsaSaPreActIPCompSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the SPI value for the IPComp SA."
    ::= { ipsaSaPreconfiguredActionEntry 17 }

ipsaSaPreActIPCompTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the name of the IPComp transform to use as an
         index into the IPCompTransformTable.  A zero length value
         indicates no transform of this type is used."
    ::= { ipsaSaPreconfiguredActionEntry 18 }

ipsaSaPreActPeerGatewayIdName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the peer gateway.
         This object can be used to look up the peer gateway address in
         the ipsaPeerIdentityTable.  This object is only used when
         initiating a tunnel SA, and is not used for transport SAs.  If
         ipsaSaPreActActionType specifies tunnel mode and this object
         is empty, the peer gateway is determined from the source or
         destination of the packet."
    DEFVAL { "" }
    ::= { ipsaSaPreconfiguredActionEntry 19 }

ipsaSaPreActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means.

         If this row has not been modified since the last
         re-initialization of the network management subsystem, this
         object SHOULD have a zero value."
    ::= { ipsaSaPreconfiguredActionEntry 20 }

ipsaSaPreActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
         created through an external process MAY have a storage type
         of readOnly or permanent.

         For a storage type of permanent, none of the columns have to
         be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaSaPreconfiguredActionEntry 21 }

ipsaSaPreActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object MUST remain active if it is referenced
         by an active row in another table.  An attempt to set it to
         anything other than active while it is referenced by an
         active row in another table MUST result in an
         inconsistentValue error."
    ::= { ipsaSaPreconfiguredActionEntry 22 }

--
-- AH transform definition table
--

ipsaAhTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaAhTransformEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists all the AH transforms which can be used to
         build IPsec proposals."
    ::= { ipsaConfigObjects 2 }
ipsaAhTransformEntry OBJECT-TYPE
    SYNTAX      IpsaAhTransformEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This entry contains the attributes of one AH transform."
    INDEX { ipsaAhTranName }
    ::= { ipsaAhTransformTable 1 }

IpsaAhTransformEntry ::= SEQUENCE {
    ipsaAhTranName               SnmpAdminString,
    ipsaAhTranMaxLifetimeSec     Unsigned32,
    ipsaAhTranMaxLifetimeKB      Unsigned32,
    ipsaAhTranAlgorithm          IpsecDoiAuthAlgorithm,
    ipsaAhTranReplayProtection   TruthValue,
    ipsaAhTranReplayWindowSize   Unsigned32,
    ipsaAhTranLastChanged        TimeStamp,
    ipsaAhTranStorageType        StorageType,
    ipsaAhTranRowStatus          RowStatus
}

ipsaAhTranName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the name of this AH transform.  This row
         will be referred to by an ipsaIpsecTransformsEntry."
    ::= { ipsaAhTransformEntry 1 }

ipsaAhTranMaxLifetimeSec OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaAhTranMaxLifetimeSec specifies how long in seconds the
         security association derived from this transform SHOULD be
         used.  A value of 0 indicates that the default lifetime of 8
         hours SHOULD be used."
    ::= { ipsaAhTransformEntry 2 }

ipsaAhTranMaxLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaAhTranMaxLifetimeKB specifies how long in kilobytes the
         security association derived from this transform SHOULD be
         used."
    ::= { ipsaAhTransformEntry 3 }

ipsaAhTranAlgorithm OBJECT-TYPE
    SYNTAX      IpsecDoiAuthAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the AH algorithm for this transform."
    ::= { ipsaAhTransformEntry 4 }

ipsaAhTranReplayProtection OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaAhTranReplayProtection indicates whether or not
         anti-replay service is to be provided by this SA."
    ::= { ipsaAhTransformEntry 5 }

ipsaAhTranReplayWindowSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaAhTranReplayWindowSize indicates the size, in bits, of the
         replay window to use if replay protection is true for this
         transform.  The window size is assumed to be a power of two.
         If Replay Protection is false, this value can be ignored."
    ::= { ipsaAhTransformEntry 6 }

ipsaAhTranLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means.

         If this row has not been modified since the last
         re-initialization of the network management subsystem, this
         object SHOULD have a zero value."
    ::= { ipsaAhTransformEntry 7 }

ipsaAhTranStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
         created through an external process MAY have a storage type
         of readOnly or permanent.

         For a storage type of permanent, none of the columns have to
         be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaAhTransformEntry 8 }

ipsaAhTranRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object MUST remain active if it is referenced
         by an active row in another table.
         An attempt to set it to anything other than active while it
         is referenced by an active row in another table MUST result
         in an inconsistentValue error."
    ::= { ipsaAhTransformEntry 9 }

--
-- ESP transform definition table
--

ipsaEspTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaEspTransformEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists all the ESP transforms which can be used to
         build IPsec proposals."
    ::= { ipsaConfigObjects 3 }

ipsaEspTransformEntry OBJECT-TYPE
    SYNTAX      IpsaEspTransformEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This entry contains the attributes of one ESP transform."
    INDEX { ipsaEspTranName }
    ::= { ipsaEspTransformTable 1 }

IpsaEspTransformEntry ::= SEQUENCE {
    ipsaEspTranName                   SnmpAdminString,
    ipsaEspTranMaxLifetimeSec         Unsigned32,
    ipsaEspTranMaxLifetimeKB          Unsigned32,
    ipsaEspTranCipherTransformId      IpsecDoiEspTransform,
    ipsaEspTranCipherKeyLength        Unsigned32,
    ipsaEspTranCipherKeyRounds        Unsigned32,
    ipsaEspTranIntegrityAlgorithmId   IpsecDoiAuthAlgorithm,
    ipsaEspTranReplayPrevention       TruthValue,
    ipsaEspTranReplayWindowSize       Unsigned32,
    ipsaEspTranLastChanged            TimeStamp,
    ipsaEspTranStorageType            StorageType,
    ipsaEspTranRowStatus              RowStatus
}

ipsaEspTranName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name of this particular ESP transform.  This row will be
         referred to by an ipsaIpsecTransformsEntry."
    ::= { ipsaEspTransformEntry 1 }

ipsaEspTranMaxLifetimeSec OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaEspTranMaxLifetimeSec specifies how long in seconds the
         security association derived from this transform SHOULD be
         used.  A value of 0 indicates that the default lifetime of 8
         hours SHOULD be used."
    ::= { ipsaEspTransformEntry 2 }

ipsaEspTranMaxLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaEspTranMaxLifetimeKB specifies how long in kilobytes the
         security association derived from this transform is used."
    ::= { ipsaEspTransformEntry 3 }

ipsaEspTranCipherTransformId OBJECT-TYPE
    SYNTAX      IpsecDoiEspTransform
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the transform ID of the ESP cipher
         algorithm."
    ::= { ipsaEspTransformEntry 4 }

ipsaEspTranCipherKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies, in bits, the key length for the ESP
         cipher algorithm."
    ::= { ipsaEspTransformEntry 5 }

ipsaEspTranCipherKeyRounds OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the number of key rounds for the ESP
         cipher algorithm."
    ::= { ipsaEspTransformEntry 6 }

ipsaEspTranIntegrityAlgorithmId OBJECT-TYPE
    SYNTAX      IpsecDoiAuthAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the ESP integrity algorithm ID."
    ::= { ipsaEspTransformEntry 7 }

ipsaEspTranReplayPrevention OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaEspTranReplayPrevention indicates whether or not
         anti-replay service is to be provided by this SA."
    ::= { ipsaEspTransformEntry 8 }

ipsaEspTranReplayWindowSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipsaEspTranReplayWindowSize indicates the size, in bits, of
         the replay window to use if replay protection is true for
         this transform.  The window size is assumed to be a power of
         two.  If Replay Protection is false, this value can be
         ignored."
    ::= { ipsaEspTransformEntry 9 }

ipsaEspTranLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "The value of sysUpTime when this row was last modified or
      created either through SNMP SETs or by some other external
      means.

      If this row has not been modified since the last
      re-initialization of the network management subsystem, this
      object SHOULD have a zero value."
    ::= { ipsaEspTransformEntry 10 }

ipsaEspTranStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "The storage type for this row.  Rows in this table which
      were created through an external process MAY have a storage
      type of readOnly or permanent.

      For a storage type of permanent, none of the columns have to
      be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaEspTransformEntry 11 }

ipsaEspTranRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object indicates the conceptual status of this row.

      The value of this object has no effect on whether other
      objects in this conceptual row can be modified.

      If active, this object MUST remain active if it is referenced
      by an active row in another table.  An attempt to set it to
      anything other than active while it is referenced by an
      active row in another table MUST result in an
      inconsistentValue error."
    ::= { ipsaEspTransformEntry 12 }

--
-- IP compression transform definition table
--

ipsaIpcompTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaIpcompTransformEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "This table lists all the IP compression transforms which can
      be used to build IPsec proposals during negotiation of a
      phase 2 SA."
    ::= { ipsaConfigObjects 4 }

ipsaIpcompTransformEntry OBJECT-TYPE
    SYNTAX      IpsaIpcompTransformEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "This entry contains the attributes of one IP compression
      transform."
    INDEX { ipsaIpcompTranName }
    ::= { ipsaIpcompTransformTable 1 }

IpsaIpcompTransformEntry ::= SEQUENCE {
    ipsaIpcompTranName              SnmpAdminString,
    ipsaIpcompTranMaxLifetimeSec    Unsigned32,
    ipsaIpcompTranMaxLifetimeKB     Unsigned32,
    ipsaIpcompTranAlgorithm         IpsecDoiIpcompTransform,
    ipsaIpcompTranDictionarySize    Unsigned32,
    ipsaIpcompTranPrivateAlgorithm  Unsigned32,
    ipsaIpcompTranLastChanged       TimeStamp,
    ipsaIpcompTranStorageType       StorageType,
    ipsaIpcompTranRowStatus         RowStatus
}

ipsaIpcompTranName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "The name of this ipsaIpcompTransformEntry."
    ::= { ipsaIpcompTransformEntry 1 }

ipsaIpcompTranMaxLifetimeSec OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "ipsaIpcompTranMaxLifetimeSec specifies how long in seconds
      the security association derived from this transform SHOULD
      be used.  A value of 0 indicates that the default lifetime of
      8 hours SHOULD be used."
    ::= { ipsaIpcompTransformEntry 2 }

ipsaIpcompTranMaxLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "ipsaIpcompTranMaxLifetimeKB specifies how long in kilobytes
      the security association derived from this transform SHOULD
      be used."
    ::= { ipsaIpcompTransformEntry 3 }

ipsaIpcompTranAlgorithm OBJECT-TYPE
    SYNTAX      IpsecDoiIpcompTransform
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "ipsaIpcompTranAlgorithm specifies the transform ID of the IP
      compression algorithm."
    ::= { ipsaIpcompTransformEntry 4 }

ipsaIpcompTranDictionarySize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "If the algorithm in ipsaIpcompTranAlgorithm requires a
      dictionary size configuration parameter, then this is the
      place to put it.
      This object specifies the log2 maximum size of the dictionary
      for the compression algorithm."
    ::= { ipsaIpcompTransformEntry 5 }

ipsaIpcompTranPrivateAlgorithm OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "If ipsaIpcompTranPrivateAlgorithm has a value other than
      zero, then it is up to the vendor's implementation to
      determine the meaning of this field and substitute a data
      compression algorithm in place of ipsaIpcompTranAlgorithm."
    ::= { ipsaIpcompTransformEntry 6 }

ipsaIpcompTranLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "The value of sysUpTime when this row was last modified or
      created either through SNMP SETs or by some other external
      means.

      If this row has not been modified since the last
      re-initialization of the network management subsystem, this
      object SHOULD have a zero value."
    ::= { ipsaIpcompTransformEntry 7 }

ipsaIpcompTranStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "The storage type for this row.  Rows in this table which
      were created through an external process MAY have a storage
      type of readOnly or permanent.

      For a storage type of permanent, none of the columns have to
      be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaIpcompTransformEntry 8 }

ipsaIpcompTranRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object indicates the conceptual status of this row.

      The value of this object has no effect on whether other
      objects in this conceptual row can be modified.

      If active, this object MUST remain active if it is referenced
      by an active row in another table.  An attempt to set it to
      anything other than active while it is referenced by an
      active row in another table MUST result in an
      inconsistentValue error."
    ::= { ipsaIpcompTransformEntry 9 }

--
-- Credential Table
--

ipsaCredentialTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaCredentialEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "A table of credential values.  Examples of credentials are
      shared secrets, certificates or Kerberos tickets."
    ::= { ipsaConfigObjects 5 }

ipsaCredentialEntry OBJECT-TYPE
    SYNTAX      IpsaCredentialEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "A row in the ipsaCredentialTable."
    INDEX { ipsaCredName }
    ::= { ipsaCredentialTable 1 }

IpsaCredentialEntry ::= SEQUENCE {
    ipsaCredName            SnmpAdminString,
    ipsaCredType            IpsaCredentialType,
    ipsaCredCredential      OCTET STRING,
    ipsaCredSize            Integer32,
    ipsaCredMngName         SnmpAdminString,
    ipsaCredRemoteID        OCTET STRING,
    ipsaCredAdminStatus     SpdAdminStatus,
    ipsaCredLastChanged     TimeStamp,
    ipsaCredStorageType     StorageType,
    ipsaCredRowStatus       RowStatus
}

ipsaCredName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "This object represents the name for an entry in this table."
    ::= { ipsaCredentialEntry 1 }

ipsaCredType OBJECT-TYPE
    SYNTAX      IpsaCredentialType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object represents the type of the credential for this
      row."
    ::= { ipsaCredentialEntry 2 }

ipsaCredCredential OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..1024))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object represents the credential value.  If the size of
      the credential is greater than 1024, the credential MUST be
      configured via the ipsaCredSegmentTable.

      For credential types where the disclosure of the credential
      would compromise the credential (e.g. shared secrets), when
      this object is accessed for reading, it MUST return a null
      length (0 length) string and MUST NOT return the configured
      credential."
    ::= { ipsaCredentialEntry 3 }

ipsaCredSize OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "This value represents the size of the credential.  If this
      value is greater than 1024, the ipsaCredCredential column
      will return an empty (0 length) string.  In this case, the
      value of the credential is retrieved from the
      ipsaCredSegmentTable.

      For credential types where the disclosure of the credential
      would compromise the credential (e.g. shared secrets), when
      this object is accessed for reading, it MUST return a value
      of 0 and MUST NOT return the size of the credential."
    ::= { ipsaCredentialEntry 4 }

ipsaCredMngName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This value is used as an index into the
      ipsaIpsecCredMngServiceTable.  For IDs that have no
      credential management service, this value is left blank."
    ::= { ipsaCredentialEntry 5 }

ipsaCredRemoteID OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object represents the identification (e.g. user name)
      of the user of the key information on the remote site.  If
      there is no ID associated with this credential, the value of
      this object SHOULD be the null string."
    ::= { ipsaCredentialEntry 6 }

ipsaCredAdminStatus OBJECT-TYPE
    SYNTAX      SpdAdminStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "Indicates whether this credential is considered active.
      Rows with a disabled status MUST NOT be used for any purpose,
      including IKE or IPsec processing.

      For credentials whose size does not exceed the maximum size
      of ipsaCredCredential, it MAY be set to enabled during row
      creation.  For larger credentials, it SHOULD be left as
      disabled until all rows have been uploaded to the
      ipsaCredSegmentTable."
    DEFVAL { disabled }
    ::= { ipsaCredentialEntry 7 }

ipsaCredLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "The value of sysUpTime when this row was last modified or
      created either through SNMP SETs or by some other external
      means.

      If this row has not been modified since the last
      re-initialization of the network management subsystem, this
      object SHOULD have a zero value."
    ::= { ipsaCredentialEntry 8 }

ipsaCredStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "The storage type for this row.  Rows in this table which
      were created through an external process MAY have a storage
      type of readOnly or permanent.

      For a storage type of permanent, none of the columns have to
      be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaCredentialEntry 9 }

ipsaCredRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object indicates the conceptual status of this row.

      The value of this object has no effect on whether other
      objects in this conceptual row can be modified.

      If active, this object MUST remain active if it is referenced
      by an active row in another table.  An attempt to set it to
      anything other than active while it is referenced by an
      active row in another table MUST result in an
      inconsistentValue error."
    ::= { ipsaCredentialEntry 10 }

--
-- Credential Segment Value Table
--

ipsaCredentialSegmentTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaCredentialSegmentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "A table of credential segments.  This table is used for
      credentials which are larger than the maximum size allowed
      for ipsaCredCredential."
    ::= { ipsaConfigObjects 6 }

ipsaCredentialSegmentEntry OBJECT-TYPE
    SYNTAX      IpsaCredentialSegmentEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "A row in the ipsaCredentialSegmentTable."
    INDEX { ipsaCredName, ipsaCredSegIndex }
    ::= { ipsaCredentialSegmentTable 1 }

IpsaCredentialSegmentEntry ::= SEQUENCE {
    ipsaCredSegIndex        Integer32,
    ipsaCredSegValue        OCTET STRING,
    ipsaCredSegLastChanged  TimeStamp,
    ipsaCredSegStorageType  StorageType,
    ipsaCredSegRowStatus    RowStatus
}

ipsaCredSegIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "This object represents the segment number for this segment.
      By default, each segment will be 1024 octets.  However, when
      this table is accessed using a context of 'ipsa4096',
      'ipsa8192' or 'ipsa16384' a segment size of 4096, 8192 or
      16384 (respectively) will be used instead.

      The number of rows which need to be retrieved or set can be
      calculated by obtaining the value of the ipsaCredSize column
      from the corresponding ipsaCredentialTable row, dividing it
      by the segment size and rounding up."
    ::= { ipsaCredentialSegmentEntry 1 }

ipsaCredSegValue OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object represents one segment of the credential.  By
      default, each complete segment will be 1024 octets.  (The
      last row for a given credential might be smaller, if the
      credential size is not a multiple of the segment size).

      An implementation MAY optionally support segment sizes of
      256, 4096, 8192 or the full object size when this table is
      accessed using a context of 'ipsaCred256', 'ipsaCred4096',
      'ipsaCred8192' or 'ipsaCredFull' (respectively).

      The number of rows which need to be retrieved or set can be
      calculated by obtaining the value of the ipsaCredSize column
      from the corresponding ipsaCredentialTable row, dividing it
      by the segment size and rounding up."
    ::= { ipsaCredentialSegmentEntry 2 }

ipsaCredSegLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "The value of sysUpTime when this credential was last
      modified or created either through SNMP SETs or by some other
      external means.  Note that the last changed time will be the
      same for all segments of the credential.

      If this row has not been modified since the last
      re-initialization of the network management subsystem, this
      object SHOULD have a zero value."
    ::= { ipsaCredentialSegmentEntry 3 }

ipsaCredSegStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "The storage type for this row.  This object is read-only.
      Rows in this table have the same value as the
      ipsaCredStorageType for the corresponding row in the
      ipsaCredentialTable.

      For a storage type of permanent, none of the columns have to
      be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaCredentialSegmentEntry 4 }

ipsaCredSegRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object indicates the conceptual status of this row.

      The value of this object has no effect on whether other
      objects in this conceptual row can be modified.

      If active, this object MUST remain active if it is referenced
      by an active row in another table.  An attempt to set it to
      anything other than active while it is referenced by an
      active row in another table MUST result in an
      inconsistentValue error."
    ::= { ipsaCredentialSegmentEntry 5 }

--
-- Peer Identity Table
--

ipsaPeerIdentityTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsaPeerIdentityEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "PeerIdentity is used to represent the identities that peers
      use to identify themselves in IKE phase I/II negotiations.
      PeerIdentityTable aggregates the table entries that provide
      mappings between identities and their addresses."
    ::= { ipsaConfigObjects 7 }

ipsaPeerIdentityEntry OBJECT-TYPE
    SYNTAX      IpsaPeerIdentityEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "peerIdentity matches a peer's identity to its address."
    INDEX { ipsaPeerIdName, ipsaPeerIdPriority }
    ::= { ipsaPeerIdentityTable 1 }

IpsaPeerIdentityEntry ::= SEQUENCE {
    ipsaPeerIdName              SnmpAdminString,
    ipsaPeerIdPriority          Integer32,
    ipsaPeerIdType              IpsecDoiIdentType,
    ipsaPeerIdValue             IpsaIdentityFilter,
    ipsaPeerIdAddressType       InetAddressType,
    ipsaPeerIdAddress           InetAddress,
    ipsaPeerIdCredentialName    SnmpAdminString,
    ipsaPeerIdLastChanged       TimeStamp,
    ipsaPeerIdStorageType       StorageType,
    ipsaPeerIdRowStatus         RowStatus
}

ipsaPeerIdName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "This is an administratively assigned value that, together
      with ipsaPeerIdPriority, uniquely identifies an entry in this
      table."
    ::= { ipsaPeerIdentityEntry 1 }

ipsaPeerIdPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
      "This object, along with ipsaPeerIdName, uniquely identifies
      an entry in this table.  The priority also indicates the
      ordering of peer gateways from which to initiate or accept
      SAs.  The priority value is ordered from low to high.  For
      example, a row with a priority of 0 is used before a row with
      a priority of 1, a 1 before a 2, and so on."
    ::= { ipsaPeerIdentityEntry 2 }

ipsaPeerIdType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "ipsaPeerIdType is an enumeration identifying the type of the
      Identity value."
    ::= { ipsaPeerIdentityEntry 3 }

ipsaPeerIdValue OBJECT-TYPE
    SYNTAX      IpsaIdentityFilter
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "ipsaPeerIdValue contains an Identity filter to be used to
      match against the identity payload in an IKE request, or
      blank otherwise.
      If this value matches the value in the identity payload, the
      credential for the peer can be found using the
      ipsaPeerIdCredentialName as an index into the credential
      table."
    ::= { ipsaPeerIdentityEntry 4 }

ipsaPeerIdAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "The property ipsaPeerIdAddressType specifies the format of
      the ipsaPeerIdAddress property value."
    ::= { ipsaPeerIdentityEntry 5 }

ipsaPeerIdAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "The property ipsaPeerIdAddress specifies the IP address of
      the peer.  The format is specified by the
      ipsaPeerIdAddressType."
    ::= { ipsaPeerIdentityEntry 6 }

ipsaPeerIdCredentialName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This value is used as an index into the ipsaCredentialTable
      to look up the actual credential value and other credential
      information.  For peer IDs that have no associated credential
      information, this value is left blank."
    ::= { ipsaPeerIdentityEntry 7 }

ipsaPeerIdLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "The value of sysUpTime when this row was last modified or
      created either through SNMP SETs or by some other external
      means.

      If this row has not been modified since the last
      re-initialization of the network management subsystem, this
      object SHOULD have a zero value."
    ::= { ipsaPeerIdentityEntry 8 }

ipsaPeerIdStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "The storage type for this row.  Rows in this table which
      were created through an external process MAY have a storage
      type of readOnly or permanent.

      For a storage type of permanent, none of the columns have to
      be writable."
    DEFVAL { nonVolatile }
    ::= { ipsaPeerIdentityEntry 9 }

ipsaPeerIdRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
      "This object indicates the conceptual status of this row.

      The value of this object has no effect on whether other
      objects in this conceptual row can be modified.

      If active, this object MUST remain active if it is referenced
      by an active row in another table.  An attempt to set it to
      anything other than active while it is referenced by an
      active row in another table MUST result in an
      inconsistentValue error."
    ::= { ipsaPeerIdentityEntry 10 }

--
--
-- Notification objects information
--
--

ipsaNotificationVariables OBJECT IDENTIFIER
    ::= { ipsaNotificationObjects 1 }

ipsaNotifications OBJECT IDENTIFIER
    ::= { ipsaNotificationObjects 0 }

--
--
-- Conformance information
--
--

ipsaCompliances OBJECT IDENTIFIER
    ::= { ipsaConformanceObjects 1 }

ipsaGroups OBJECT IDENTIFIER
    ::= { ipsaConformanceObjects 2 }

--
-- Compliance statements
--
--

ipsaIPsecCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
      "The compliance statement for SNMP entities that include an
      IPsec MIB implementation and support IPsec actions.

      There are a number of INDEX objects that cannot be
      represented in the form of OBJECT clauses in SMIv2, but for
      which we have the following compliance requirements,
      expressed in OBJECT clause form in this description clause:

      -- OBJECT      ipsaPeerIdAddressType
      -- SYNTAX      InetAddressType { ipv4(1), ipv6(2) }
      -- DESCRIPTION
      --   Only support for global IPv4 and IPv6 address
      --   types is required.
      --
      -- OBJECT      ipsaPeerIdAddress
      -- SYNTAX      InetAddress (SIZE(4|16))
      -- DESCRIPTION
      --   Only support for global IPv4 and IPv6 address
      --   types is required.
      --"
    MODULE  -- This Module
        MANDATORY-GROUPS { ipsaPreconfiguredGroup, ipsaSharedGroup }

        OBJECT      ipsaSaPreActLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

        OBJECT      ipsaAhTranLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

        OBJECT      ipsaEspTranLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

        OBJECT      ipsaIpcompTranLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

        OBJECT      ipsaPeerIdLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

        OBJECT      ipsaCredLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

        OBJECT      ipsaCredSegLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
          "This object is optional so as not to impose an undue
          burden on resource-constrained devices."

    ::= { ipsaCompliances 1 }

--
--
-- Compliance Groups Definitions
--

ipsaPreconfiguredGroup OBJECT-GROUP
    OBJECTS {
        ipsaSaPreActActionDescription,
        ipsaSaPreActActionLifetimeSec,
        ipsaSaPreActActionLifetimeKB,
        ipsaSaPreActDoActionLogging,
        ipsaSaPreActDoPacketLogging,
        ipsaSaPreActDFHandling,
        ipsaSaPreActActionType,
        ipsaSaPreActAHSPI,
        ipsaSaPreActAHTransformName,
        ipsaSaPreActAHSharedSecretName,
        ipsaSaPreActESPSPI,
        ipsaSaPreActESPTransformName,
        ipsaSaPreActESPEncSecretName,
        ipsaSaPreActESPAuthSecretName,
        ipsaSaPreActIPCompSPI,
        ipsaSaPreActIPCompTransformName,
        ipsaSaPreActPeerGatewayIdName,
        ipsaSaPreActLastChanged,
        ipsaSaPreActStorageType,
        ipsaSaPreActRowStatus
    }
    STATUS      current
    DESCRIPTION
      "This group is the set of objects that support preconfigured
      IPsec actions.  These objects are from the Preconfigured
      Action Table.  They depend on rows in the shared tables (Peer
      Identity Table, Credential Table, Credential Management
      Service Table and the AH, ESP, and IPComp Transform Tables),
      whose objects are in ipsaSharedGroup."
    ::= { ipsaGroups 1 }

ipsaSharedGroup OBJECT-GROUP
    OBJECTS {
        ipsaAhTranMaxLifetimeSec,
        ipsaAhTranMaxLifetimeKB,
        ipsaAhTranAlgorithm,
        ipsaAhTranReplayProtection,
        ipsaAhTranReplayWindowSize,
        ipsaAhTranLastChanged,
        ipsaAhTranStorageType,
        ipsaAhTranRowStatus,
        ipsaEspTranMaxLifetimeSec,
        ipsaEspTranMaxLifetimeKB,
        ipsaEspTranCipherTransformId,
        ipsaEspTranCipherKeyLength,
        ipsaEspTranCipherKeyRounds,
        ipsaEspTranIntegrityAlgorithmId,
        ipsaEspTranReplayPrevention,
        ipsaEspTranReplayWindowSize,
        ipsaEspTranLastChanged,
        ipsaEspTranStorageType,
        ipsaEspTranRowStatus,
        ipsaIpcompTranDictionarySize,
        ipsaIpcompTranAlgorithm,
        ipsaIpcompTranMaxLifetimeSec,
        ipsaIpcompTranMaxLifetimeKB,
        ipsaIpcompTranPrivateAlgorithm,
        ipsaIpcompTranLastChanged,
        ipsaIpcompTranStorageType,
        ipsaIpcompTranRowStatus,
        ipsaCredType,
        ipsaCredCredential,
        ipsaCredMngName,
        ipsaCredSize,
        ipsaCredRemoteID,
        ipsaCredAdminStatus,
        ipsaCredLastChanged,
        ipsaCredStorageType,
        ipsaCredRowStatus,
        ipsaCredSegValue,
        ipsaCredSegLastChanged,
        ipsaCredSegStorageType,
        ipsaCredSegRowStatus,
        ipsaPeerIdValue,
        ipsaPeerIdType,
        ipsaPeerIdAddress,
        ipsaPeerIdAddressType,
        ipsaPeerIdCredentialName,
        ipsaPeerIdLastChanged,
        ipsaPeerIdStorageType,
        ipsaPeerIdRowStatus
    }
    STATUS      current
    DESCRIPTION
      "This group includes objects from tables expected to be
      shared by other modules: Peer Identity Table, Credential
      Table, Credential Management Service Table and the AH, ESP,
      and IPComp Transform Tables."
    ::= { ipsaGroups 2 }

END

7.  Security Considerations

7.1.  Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IPsec provides network security services, all of
   its configuration data (i.e. this entire MIB) SHOULD be protected at
   least as strongly as any of the security services IPsec provides.

   There are two main threats to protect against when configuring IPsec
   devices.

   1.  Malicious Configuration: This MIB configures network security
       services.  If an attacker has SET access to any part of this
       MIB, the network security services configured by this MIB
       SHOULD be considered broken: network data sent through the
       associated gateway is no longer protected by IPsec (i.e., it is
       neither confidential nor authenticated).  Therefore, only the
       official administrators SHOULD be allowed to configure a device.
       In other words, administrators' identities SHOULD be
       authenticated and their access rights checked before they are
       allowed to do device configuration.  Supporting SET operations
       on the IPSEC-IPSECACTION-MIB in a non-secure environment,
       without proper protection, will invalidate the security of the
       network traffic affected by the IPSEC-IPSECACTION-MIB.

   2.  Disclosure of Configuration: In general, malicious parties
       SHOULD NOT be able to read security configuration data while
       the data is in network transit.  An attacker reading the
       configuration data may be able to find misconfigurations in the
       MIB that enable attacks on the network or on the configured
       node.
       Since this entire MIB is used for security configuration, it is
       highly RECOMMENDED that only authorized administrators are
       allowed to view data in this MIB.  In particular, malicious
       users SHOULD be prevented from reading SNMP packets containing
       this MIB's data.  SNMP GET data SHOULD be encrypted when sent
       across the network.  Also, only authorized administrators
       SHOULD be allowed SNMP GET access to any of the MIB objects.

   SNMP versions prior to SNMPv3 do not include adequate security.
   Even if the network itself is secure (e.g. by using IPsec), earlier
   versions of SNMP have virtually no control as to who on the secure
   network is allowed to access (i.e. read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-IPSECACTION-MIB, SNMP
   version 3 SHOULD be used.  The rest of this discussion assumes the
   use of SNMPv3.  This is a real strength, because it allows
   administrators to load new IPsec configuration on a device and keep
   the conversation private and authenticated under the protection of
   SNMPv3 before any IPsec protections are available.
   Once initial establishment of IPsec configuration on a device has
   been achieved, it would be possible to set up IPsec SAs to then also
   provide security and integrity services to the configuration
   conversation.  This may seem redundant at first, but it has a use
   for added privacy protection, as described below.

7.2.  Protecting against unauthenticated access

   The current SNMPv3 User-based Security Model provides key-based
   user authentication.  Typically, keys are derived from passwords
   (but are not required to be), and the keys are then used in HMAC
   algorithms (currently MD5 and SHA-1 HMACs are defined) to
   authenticate all SNMP data.  Each SNMP device keeps a (configured)
   list of users and keys.  Under SNMPv3 user keys may be updated as
   often as an administrator cares to have users enter new passwords.
   But Perfect Forward Secrecy for user keys in SNMPv3 is not yet
   provided by standards track documents, although RFC 2786 defines an
   experimental method of doing so.

7.3.  Protecting against involuntary disclosure

   While sending IPsec configuration data to a Policy Enforcement Point
   (PEP), there are a few critical parameters which MUST NOT be
   observed by third parties.  Specifically, except for public keys,
   keying information MUST NOT be allowed to be observed by third
   parties.  This includes IKE pre-shared keys and possibly the private
   key of a public/private key pair for use in a PKI.  Were either of
   those parameters to be known to a third party, they could then
   impersonate the device to other IKE peers.

   Aside from those critical parameters, policy administrators have an
   interest in not divulging any of their policy configuration.  Any
   knowledge about a device's configuration could help an unfriendly
   party compromise that device.
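   The MIB's own defence against disclosure of keying material is
   agent-side: the ipsaCredentialTable says that a GET of
   ipsaCredCredential or ipsaCredSize for a credential whose disclosure
   would compromise it (a shared secret) MUST return an empty string
   and 0, large credentials are uploaded through ipsaCredSegmentTable
   in segments with the row count being the size divided by the
   segment size rounded up, ipsaCredAdminStatus defaults to disabled
   until the upload is complete, and ipsaCredRowStatus MUST refuse to
   leave 'active' with inconsistentValue while an active
   ipsaPeerIdentity row still references the credential.  The following
   Python model of those rules is an added example, not code from the
   draft or from any agent implementation.  The class and exception
   names, the two credential-type labels, and the sample credentials
   are constructed for the example; masking the ipsaCredSegValue rows
   of a secret credential is this model's assumption, since the draft
   states the masking rule for ipsaCredCredential only.

```python
"""Agent-side model of ipsaCredentialTable / ipsaCredentialSegmentTable.
Added example; not part of the draft.  Object names are the draft's,
everything else (classes, labels, sample data) is assumed."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Optional, Tuple

INLINE_MAX = 1024      # ipsaCredCredential is OCTET STRING (SIZE(0..1024))
SEGMENT_SIZE = 1024    # default ipsaCredSegValue segment size

# Credential types (assumed labels; IpsaCredentialType is defined elsewhere)
SHARED_SECRET, CERTIFICATE = "sharedSecret", "certificate"
# RowStatus and SpdAdminStatus values used by the model
ACTIVE, NOT_IN_SERVICE, DESTROY = "active", "notInService", "destroy"
ENABLED, DISABLED = "enabled", "disabled"


class InconsistentValue(Exception):
    """Stands in for the SNMP inconsistentValue error status."""


@dataclass
class CredentialRow:
    cred_type: str
    value: bytes
    admin_status: str = DISABLED      # DEFVAL { disabled }
    row_status: str = ACTIVE

    @property
    def is_secret(self) -> bool:
        # Disclosure of a shared secret would compromise it, so the
        # agent must never return it (or its size) on a GET.
        return self.cred_type == SHARED_SECRET


class CredentialAgent:
    def __init__(self) -> None:
        self.creds: Dict[str, CredentialRow] = {}
        # ipsaPeerIdentity rows: (ipsaPeerIdName, ipsaPeerIdPriority)
        #   -> (ipsaPeerIdCredentialName, ipsaPeerIdRowStatus)
        self.peer_ids: Dict[Tuple[str, int], Tuple[str, str]] = {}

    # ---- manager SETs ------------------------------------------------
    def create_credential(self, name: str, cred_type: str, value: bytes) -> int:
        """Create a row.  Returns how many ipsaCredSegValue rows the manager
        still has to upload (0 when the value fits in ipsaCredCredential)."""
        row = CredentialRow(cred_type, value)
        if len(value) <= INLINE_MAX:
            row.admin_status = ENABLED    # MAY be enabled at creation
        self.creds[name] = row            # else stays disabled until uploaded
        return self.segment_count(name)

    def add_peer_identity(self, peer: str, prio: int, cred_name: str) -> None:
        if cred_name not in self.creds:
            raise InconsistentValue("ipsaPeerIdCredentialName has no row")
        self.peer_ids[(peer, prio)] = (cred_name, ACTIVE)

    def set_row_status(self, name: str, status: str) -> str:
        """ipsaCredRowStatus: leaving 'active' while an active peer-identity
        row references this credential MUST fail with inconsistentValue."""
        row = self.creds[name]
        referenced = any(c == name and s == ACTIVE for c, s in self.peer_ids.values())
        if row.row_status == ACTIVE and status != ACTIVE and referenced:
            raise InconsistentValue(f"{name} is referenced by an active peer identity")
        if status == DESTROY:
            del self.creds[name]
        else:
            row.row_status = status
        return status

    # ---- manager GETs ------------------------------------------------
    def segment_count(self, name: str, seg: int = SEGMENT_SIZE) -> int:
        """Rows in ipsaCredentialSegmentTable: size divided by segment size,
        rounded up because the last segment may be short."""
        size = len(self.creds[name].value)
        return 0 if size <= INLINE_MAX else ceil(size / seg)

    def get_credential(self, name: str) -> bytes:
        """ipsaCredCredential: empty for secrets and for oversized values."""
        row = self.creds[name]
        if row.is_secret or len(row.value) > INLINE_MAX:
            return b""
        return row.value

    def get_size(self, name: str) -> int:
        """ipsaCredSize: MUST be 0 for credentials that are secret."""
        row = self.creds[name]
        return 0 if row.is_secret else len(row.value)

    def get_segment(self, name: str, index: int, seg: int = SEGMENT_SIZE) -> Optional[bytes]:
        """ipsaCredSegValue for the 1-based ipsaCredSegIndex; None when no
        such row exists.  Masking secrets here is this model's assumption."""
        row = self.creds[name]
        if not 1 <= index <= self.segment_count(name, seg):
            return None
        if row.is_secret:
            return b""
        return row.value[(index - 1) * seg: index * seg]


if __name__ == "__main__":
    agent = CredentialAgent()
    # Constructed sample inputs, not real keying material.
    agent.create_credential("psk-branch1", SHARED_SECRET, b"constructed-psk-" * 2)
    agent.create_credential("cert-hq", CERTIFICATE, bytes(range(256)) * 10)
    agent.add_peer_identity("branch1", 0, "psk-branch1")
    print(agent.get_credential("psk-branch1"), agent.get_size("psk-branch1"))
    print(agent.segment_count("cert-hq"), len(agent.get_segment("cert-hq", 3)))
    try:
        agent.set_row_status("psk-branch1", NOT_IN_SERVICE)
    except InconsistentValue as err:
        print("inconsistentValue:", err)
```

   The point of the model is that the masking is done by the agent, not
   by the transport: even with SNMPv3 privacy enabled, a GET of a
   shared secret yields nothing, whereas a certificate (whose disclosure
   does not compromise it) is returned in full, segment by segment once
   it exceeds 1024 octets.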
   SNMPv3 offers a privacy security service.  At the time this document
   was written, DES was the only encryption algorithm the SNMPv3
   User-based Security Model required; AES [RFC3826] is standardized as
   an alternative and SHOULD be used where the agent and the manager
   support it.  When configuring IPsec policy using this MIB, policy
   administrators SHOULD use a privacy security service that is at
   least as strong as the desired IPsec policy.  For example, if an
   administrator were to use this MIB to configure an IPsec connection
   that utilizes the 3DES algorithm, the SNMP communication configuring
   the connection SHOULD be protected by an algorithm as strong as or
   stronger than 3DES; single-DES privacy does not meet that bar.

7.4.  Bootstrapping your configuration

   Most vendors will not ship new products with a default SNMPv3 user/
   password pair, but it is possible.  If a device does ship with a
   default user/password pair, policy administrators SHOULD either
   change the password or configure a new user and delete the default
   user (or, at a minimum, restrict the access of the default user).
   Ideally, an SNMPv3 implementation requires an out-of-band
   initialization over a trusted medium, such as a local console
   connection.

8.  IANA Considerations

   Only one IANA consideration exists for this document: the node
   number allocation of the IPSEC-IPSECACTION-MIB under the
   IPSEC-SPD-MIB's spdActions node.

9.  Acknowledgments

   Many other people contributed thoughts and ideas that influenced
   this MIB module.  Some special thanks are in order for the following
   people:

      Lindy Foster (Sparta, Inc.)
      John Gillis (ADC)
      Jamie Jason (Intel Corporation)
      Roger Hartmuller (Sparta, Inc.)
      David Partain (Ericsson)
      Lee Rafalow (IBM)
      Jon Saperia (JDS Consulting)
      John Shriver (Internap Network Services Corporation)
      Eric Vyncke (Cisco Systems)

10.  References

10.1.
Normative References [RFCZZZZ] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy Database Configuration MIB", January 2004. [RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IKE Action MIB", January 2004. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. Baer, et al. Expires April 22, 2007 [Page 43] Internet-Draft IPsec IPsec Action MIB October 2006 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002. [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec Configuration Policy Information Model", RFC 3585, August 2003. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. 10.2. Informative References [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper", More Info http://www.dmtf.org/specs/cim.html, November 2000. 
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, June 2004. Authors' Addresses Michael Baer Sparta, Inc. P.O. Box 72682 Davis, CA 95617 US Email: baerm@tislabs.com Ricky Charlet Self Email: rcharlet@alumni.calpoly.edu Baer, et al. Expires April 22, 2007 [Page 44] Internet-Draft IPsec IPsec Action MIB October 2006 Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 US Phone: +1 530 792 1913 Email: hardaker@tislabs.com Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 US Email: rstory@sparta.com Cliff Wang ARO/North Carolina State University 4300 S. Miami Blvd RTP, NC 27709 US Email: cliffwangmail@yahoo.com Baer, et al. Expires April 22, 2007 [Page 45] Internet-Draft IPsec IPsec Action MIB October 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. 
Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgment

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).