IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Intended status: Informational                                R. Charlet
Expires: April 22, 2007                                             Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                ARO/North Carolina State
                                                              University
                                                        October 19, 2006


                  IPsec Security Policy IKE Action MIB
                  draft-ietf-ipsp-ikeaction-mib-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 22, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).






Baer, et al.             Expires April 22, 2007                 [Page 1]


Internet-Draft            IPsec IKE Action MIB              October 2006


Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring Internet Key Exchange (IKE) actions for the
   security policy database (SPD) of a device that uses the IPsec
   Security Policy Database Configuration MIB for configuring the IKE
   protocol actions on that device.  The IPsec IKE Action MIB integrates
   directly with the IPsec Security Policy Database Configuration MIB
   and it is meant to work within the framework of an action referenced
   by that MIB.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  The Internet-Standard Management Framework . . . . . . . . . .  3
   4.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
   5.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
   6.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  4
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 61
     7.1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . 61
     7.2.  Protecting against unauthenticated access  . . . . . . . . 63
     7.3.  Protecting against involuntary disclosure  . . . . . . . . 63
     7.4.  Bootstrapping your configuration . . . . . . . . . . . . . 63
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 64
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 64
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 64
     10.2. Informative References . . . . . . . . . . . . . . . . . . 65
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 65
   Intellectual Property and Copyright Statements . . . . . . . . . . 67


1.  Introduction

   This document defines a MIB module for configuration of an Internet
   Key Exchange (IKE) [RFC2409] action within the IPsec security policy
   database (SPD).  This module works within the framework of the IPsec
   Security Policy Database Configuration MIB (IPSEC-SPD-MIB) [RFCZZZZ].
   It can be referenced as an action by the IPSEC-SPD-MIB and is used to
   configure IKE negotiations between network devices.

   The companion document [RFCZZZZ] specifies the IPsec Security Policy
   Database Configuration MIB.  The companion document [RFCYYYY]
   specifies the IPsec Security Policy IPsec Action MIB for
   configuration of static IPsec SAs.


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].


4.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The contents of this document are also
   reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
   This MIB module is a task specific derivation (i.e. an SMIv2
   instantiation) of the IKE actions portions of the IPCP's IPsec
   configuration model for use with SNMPv3.  This includes the necessary
   filter, negotiation, identity and IKE action information required to
   enable IKE negotiation within the IPsec Policy framework.


5.  MIB Module Overview

   The MIB module describes the information necessary to implement IKE
   actions and their associated negotiations, as referred to by the
   IPsec Security Policy Database Configuration MIB.  A basic
   understanding of IKE, of IPsec processing, of the IPsec Configuration
   Policy Model and of how actions fit into the overall framework of the
   IPSEC-SPD-MIB is required to use this MIB properly.  When an action
   in this MIB is referenced from the IPSEC-SPD-MIB, the filters within
   the IPSEC-SPD-MIB that are associated with the action are limited to
   those that are supported by IKE [RFC2409] and this MIB.
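   The wildcard semantics that the ipiaPeerIdFiltIdentityValue
   DESCRIPTION in the module below requires, worked through as an added
   Python example (not part of the draft): a matcher for the five cases
   the description lists, plus a lookup over ipiaPeerIdentityFilterTable
   rows.  The identity-type labels, the RFC 2253 string form assumed for
   a decoded DER DN, case-insensitive comparison for every type, and the
   IPv6 handling are assumptions that go beyond the draft's text.

```python
import ipaddress
import re

# Identity-type labels: assumed names for the IpsecDoiIdentType values the
# module imports from IPSEC-IPSECACTION-MIB.  The draft's examples cover
# userFqdn, fqdn, DER DN and IPv4; IPv6 is handled here as an extension.
USER_FQDN = "userFqdn"
FQDN = "fqdn"
DER_DN = "derDn"
IPV4_ADDR = "ipv4Addr"
IPV6_ADDR = "ipv6Addr"


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Only '*' is a wildcard (zero or more of any character).  Everything
    else is literal, so the '.' in 'example.com' must not become the regex
    'any character', and a '?' or '[' inside a DN value is not special."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.DOTALL)


def glob_match(pattern: str, value: str) -> bool:
    """Whole-string match.  Comparison is case-insensitive for every type
    (assumption; the draft's own example matches '*@example.com' against
    'JDOE@EXAMPLE.COM')."""
    return _glob_to_regex(pattern.lower()).fullmatch(value.lower()) is not None


def peer_id_filter_matches(id_type: str, filter_value: str, payload: str) -> bool:
    """Evaluate one ipiaPeerIdentityFilterTable row (ipiaPeerIdFiltIdentityType,
    ipiaPeerIdFiltIdentityValue) against the identity from a peer's IKE ID
    payload, already decoded to text.  A DER DN is assumed to be rendered as
    an RFC 2253 string such as 'cn=John Doe,ou=engineering,o=company,c=us'."""
    if id_type in (USER_FQDN, FQDN, DER_DN):
        return glob_match(filter_value, payload)
    if id_type in (IPV4_ADDR, IPV6_ADDR):
        try:
            addr = ipaddress.ip_address(payload)
        except ValueError:
            return False  # a malformed address payload never matches
        if "/" in filter_value:
            # CIDR form: '192.0.2.0/24' contains 192.0.2.10.  strict=False
            # tolerates host bits in the configured prefix ('192.0.2.1/24').
            try:
                net = ipaddress.ip_network(filter_value, strict=False)
            except ValueError:
                return False  # misconfigured row: fail closed
            return addr.version == net.version and addr in net
        # Textual form with '*': '192.0.2.*' also matches 192.0.2.10.  The
        # payload is canonicalised first (str(addr)), so IPv6 zero-compression
        # differences between payload and filter do not defeat the match.
        return glob_match(filter_value, str(addr))
    raise ValueError(f"unsupported identity type {id_type!r}")


def first_matching_filter(rows, id_type: str, payload: str):
    """rows: (ipiaPeerIdFiltName, ipiaPeerIdFiltIdentityType,
    ipiaPeerIdFiltIdentityValue) tuples as a manager would populate the
    table.  Returns the name of the first matching row, or None.  A row whose
    identity type differs from the payload's is skipped, never compared
    textually, so a fqdn filter can never be satisfied by a DN payload."""
    for name, row_type, row_value in rows:
        if row_type == id_type and peer_id_filter_matches(row_type, row_value, payload):
            return name
    return None


# Constructed cases: the five examples from the ipiaPeerIdFiltIdentityValue
# DESCRIPTION, followed by inputs a correct matcher must reject.
DRAFT_EXAMPLES = [
    (USER_FQDN, "*@example.com", "JDOE@EXAMPLE.COM", True),
    (FQDN, "*.example.com", "WWW.EXAMPLE.COM", True),
    (DER_DN, "cn=*,ou=engineering,o=company,c=us",
     "cn=John Doe,ou=engineering,o=company,c=us", True),
    (IPV4_ADDR, "192.0.2.0/24", "192.0.2.10", True),
    (IPV4_ADDR, "192.0.2.*", "192.0.2.10", True),
    (FQDN, "*.example.com", "www.example.org", False),              # other domain
    (FQDN, "*.example.com", "www.example.com.example.net", False),  # not a suffix
    (DER_DN, "cn=*,ou=engineering,o=company,c=us",
     "cn=Jane Roe,ou=sales,o=company,c=us", False),                  # other OU
    (IPV4_ADDR, "192.0.2.0/24", "192.0.3.10", False),                # outside /24
    (IPV4_ADDR, "192.0.2.*", "not-an-address", False),               # malformed
]


def check_draft_examples() -> bool:
    """True when every constructed case evaluates to its expected result."""
    return all(peer_id_filter_matches(t, f, p) == expected
               for t, f, p, expected in DRAFT_EXAMPLES)


if __name__ == "__main__":
    for t, f, p, expected in DRAFT_EXAMPLES:
        got = peer_id_filter_matches(t, f, p)
        print(f"{t:9} {f!r:40} {p!r:44} -> {got} (expected {expected})")
    print("all cases as expected:", check_draft_examples())
```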


6.  MIB definition

   The following MIB Module imports from: [RFC2578], [RFC2579],
   [RFC2580], [RFC3411], [RFC4001].


   IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN


   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
                                           FROM SNMPv2-SMI
                                                -- [rfc2578]

       TEXTUAL-CONVENTION, RowStatus, TruthValue,
       TimeStamp, StorageType, VariablePointer
                                           FROM SNMPv2-TC
                                                -- [rfc2579]

       MODULE-COMPLIANCE, OBJECT-GROUP
                                           FROM SNMPv2-CONF
                                                -- [rfc2580]

       SnmpAdminString
                                           FROM SNMP-FRAMEWORK-MIB
                                                -- [rfc3411]

       InetAddressType, InetAddress, InetPortNumber
                                           FROM INET-ADDRESS-MIB
                                                -- [rfc4001]

       spdActions, SpdIPPacketLogging, spdEndGroupInterface
                                           FROM IPSEC-SPD-MIB
                                                -- [rfcZZZZ]

       IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
       ipsaSharedGroup
                                           FROM IPSEC-IPSECACTION-MIB
                                                -- [rfcXXXX]
       ;

   --
   -- module identity
   --

   ipiaMIB MODULE-IDENTITY
       LAST-UPDATED "200609050000Z"    -- 05 September 2006
       ORGANIZATION "IETF IP Security Policy Working Group"
       CONTACT-INFO "Michael Baer
                     P.O. Box 72682
                     Davis, CA 95617
                     Phone: +1 530 902 3131
                     Email: baerm@tislabs.com

                     Ricky Charlet
                     Email: rcharlet@alumni.calpoly.edu

                     Wes Hardaker
                     Sparta, Inc.
                     P.O. Box 382
                     Davis, CA  95617
                     Phone: +1 530 792 1913
                     Email: hardaker@tislabs.com

                     Robert Story
                     Revelstone Software
                     PO Box 1812
                     Tucker, GA 30085
                     Phone: +1 770 617 3722
                     Email: rstory@sparta.com

                     Cliff Wang
                     ARO/North Carolina State University
                     4300 S. Miami Blvd.
                     RTP, NC 27709
                     E-Mail: cliffwangmail@yahoo.com"

       DESCRIPTION
        "The MIB module for defining IKE actions for managing IPsec
         Security Policy.

         Copyright (C) The Internet Society (2006). This version of
         this MIB module is part of RFC YYYY, see the RFC itself for
         full legal notices."

   -- Revision History

       REVISION     "200609050000Z"    -- 05 September 2006
       DESCRIPTION  "Initial version, published as RFC YYYY."
       -- RFC-editor assigns YYYY

       ::= { spdActions 2 }

   --
   -- groups of related objects
   --

   ipiaConfigObjects         OBJECT IDENTIFIER
        ::= { ipiaMIB 1 }
   ipiaNotificationObjects   OBJECT IDENTIFIER
        ::= { ipiaMIB 2 }
   ipiaConformanceObjects    OBJECT IDENTIFIER
        ::= { ipiaMIB 3 }

   --
   -- Textual Conventions
   --

   IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION "Values for encryption algorithms negotiated
                   for the ISAKMP SA by IKE in Phase I.  These are
                    values for SA Attribute type Encryption
                   Algorithm (1).

                   Unused values <= 65000 are reserved to IANA.
                   Currently assigned values at the time of this
                   writing:

                       reserved(0),        -- reserved in IKE
                       desCbc(1),          -- RFC 2405
                       ideaCbc(2),
                       blowfishCbc(3),
                       rc5R16B64Cbc(4),    -- RC5 R16 B64 CBC
                       tripleDesCbc(5),    -- 3DES CBC
                       castCbc(6),
                       aesCbc(7)

                   Values 65001-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IkeAuthMethod ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION "Values for authentication methods negotiated
                   for the ISAKMP SA by IKE in Phase I.  These are
                    values for SA Attribute type Authentication
                   Method (3).

                   Unused values <= 65000 are reserved to IANA.

                       reserved(0),        -- reserved in IKE
                       preSharedKey(1),
                       dssSignatures(2),
                       rsaSignatures(3),
                       encryptionWithRsa(4),
                       revisedEncryptionWithRsa(5),
                       reservedDontUse6(6), -- not to be used
                       reservedDontUse7(7), -- not to be used
                       ecdsaSignatures(8)

                   Values 65001-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IkeHashAlgorithm ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION "Values for hash algorithms negotiated
                   for the ISAKMP SA by IKE in Phase I.  These are
                    values for SA Attribute type Hash Algorithm (2).

                   Unused values <= 65000 are reserved to IANA.
                   Currently assigned values at the time of this
                   writing:

                       reserved(0),        -- reserved in IKE
                       md5(1),             -- RFC 1321
                       sha(2),             -- FIPS 180-1
                       tiger(3),
                       sha256(4),
                       sha384(5),
                       sha512(6)

                   Values 65001-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IkeGroupDescription ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION "Values for Oakley key computation groups for
                   Diffie-Hellman exchange negotiated for the ISAKMP
                   SA by IKE in Phase I.  They are also used in Phase II
                   when perfect forward secrecy is in use.  These are
                    values for SA Attribute type Group Description (4).

                   Unused values <= 32767 are reserved to IANA.
                   Currently assigned values at the time of this
                   writing:

                       none(0),            -- reserved in IKE, used
                                           -- in MIBs to reflect that
                                           -- none of the predefined
                                           -- groups are used
                       modp768(1),         -- default 768-bit MODP group
                       modp1024(2),        -- alternate 1024-bit MODP
                                           -- group
                       ec2nGF155(3),       -- EC2N group on Galois
                                           -- Field GF[2^155]
                       ec2nGF185(4),       -- EC2N group on Galois
                                           -- Field GF[2^185]
                       ec2nGF163Random(6), -- EC2N group on Galois
                                           -- Field GF[2^163],
                                           -- random seed
                       ec2nGF163Koblitz(7),
                                           -- EC2N group on Galois
                                           -- Field GF[2^163],
                                           -- Koblitz curve
                       ec2nGF283Random(8), -- EC2N group on Galois
                                           -- Field GF[2^283],
                                           -- random seed
                       ec2nGF283Koblitz(9),
                                           -- EC2N group on Galois
                                           -- Field GF[2^283],
                                           -- Koblitz curve
                       ec2nGF409Random(10),
                                           -- EC2N group on Galois
                                           -- Field GF[2^409],
                                           -- random seed
                       ec2nGF409Koblitz(11),
                                           -- EC2N group on Galois
                                           -- Field GF[2^409],
                                           -- Koblitz curve
                       ec2nGF571Random(12),
                                           -- EC2N group on Galois
                                           -- Field GF[2^571],
                                           -- random seed
                       ec2nGF571Koblitz(13)
                                           -- EC2N group on Galois
                                           -- Field GF[2^571],
                                           -- Koblitz curve

                   Values 32768-65535 are for private use among
                   mutually consenting parties."
       REFERENCE   "RFC 2409 appendix A,
                   IANA"
       SYNTAX      Unsigned32 (0..65535)

   IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS      current
       DESCRIPTION "These are the IPsec DOI values for the Protocol-Id
                   field in an ISAKMP Proposal Payload, and in all
                   Notification Payloads.

                   They are also used as the Protocol-ID In the
                   Notification Payload and the Delete Payload.

                   Currently assigned values at the time of this
                   writing:

                       reserved(0),        -- reserved in DOI
                       protoIsakmp(1),     -- message protection
                                           -- required during Phase I
                                           -- of the IKE protocol
                       protoIpsecAh(2),    -- IP packet authentication
                                           -- via Authentication Header
                       protoIpsecEsp(3),   -- IP packet confidentiality
                                           -- via Encapsulating
                                           -- Security Payload
                       protoIpcomp(4)      -- IP payload compression

                   The values 249-255 are reserved for private use
                   amongst cooperating systems."
       REFERENCE   "RFC 2407 section 4.4.1"
       SYNTAX      Unsigned32 (0..255)

   --
   -- Policy group definitions
   --

   ipiaLocalConfigObjects OBJECT IDENTIFIER
        ::= { ipiaConfigObjects 1 }


   --
   -- Static Filters
   --

   ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }

   ipiaIkePhase1Filter OBJECT-TYPE
           SYNTAX      Integer32
           MAX-ACCESS  read-only
           STATUS      current
           DESCRIPTION
               "This static filter can be used to test if a packet is
                part of an IKE phase-1 negotiation."
           ::= { ipiaStaticFilters 1 }

   ipiaIkePhase2Filter OBJECT-TYPE
           SYNTAX      Integer32
           MAX-ACCESS  read-only
           STATUS      current
           DESCRIPTION
               "This static filter can be used to test if a packet is
                part of an IKE phase-2 negotiation."
           ::= { ipiaStaticFilters 2 }


   --
   -- credential filter table
   --

   ipiaCredentialFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaCredentialFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to provide credentials for IKE
            identities.

             It can be used for filters that are matched against the
             credentials of IKE peers, where the credentials in question
             have been obtained from an IKE phase 1 exchange.  They MAY
             be X.509 certificates, Kerberos tickets, etc.

            It can also be used to provide credentials for local IKE
            identities."
       ::= { ipiaConfigObjects 3 }

   ipiaCredentialFilterEntry OBJECT-TYPE
       SYNTAX      IpiaCredentialFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row defining a particular credential filter"
       INDEX   { ipiaCredFiltName }
       ::= { ipiaCredentialFilterTable 1 }

   IpiaCredentialFilterEntry ::= SEQUENCE {
       ipiaCredFiltName                      SnmpAdminString,
       ipiaCredFiltCredentialType            IpsaCredentialType,
       ipiaCredFiltMatchFieldName            OCTET STRING,
       ipiaCredFiltMatchFieldValue           OCTET STRING,
       ipiaCredFiltAcceptCredFrom            OCTET STRING,
       ipiaCredFiltLastChanged               TimeStamp,
       ipiaCredFiltStorageType               StorageType,
       ipiaCredFiltRowStatus                 RowStatus
   }

   ipiaCredFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name of this filter."
       ::= { ipiaCredentialFilterEntry 1 }

   ipiaCredFiltCredentialType OBJECT-TYPE
       SYNTAX      IpsaCredentialType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The credential type that is expected for this filter to
            succeed."
       DEFVAL { x509 }
       ::= { ipiaCredentialFilterEntry 2 }

   ipiaCredFiltMatchFieldName OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..256))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The piece of the credential to match against.  Examples:
            serialNumber, signatureAlgorithm, issuerName or
            subjectName.

            For credential types without fields (e.g. shared secret),
            this field SHOULD be left empty, and the entire credential
            will be matched against the ipiaCredFiltMatchFieldValue."
       ::= { ipiaCredentialFilterEntry 3 }

   ipiaCredFiltMatchFieldValue OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(1..4096))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value that the field indicated by the
            ipiaCredFiltMatchFieldName MUST match against for the
            filter to be considered TRUE."
       ::= { ipiaCredentialFilterEntry 4 }

   ipiaCredFiltAcceptCredFrom OBJECT-TYPE
       SYNTAX      OCTET STRING(SIZE(1..117))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is used to look up a row in the
            ipiaIpsecCredMngServiceTable for the Certificate Authority
            (CA) Information.  This value is empty if there is no CA
            used for this filter."
       ::= { ipiaCredentialFilterEntry 5 }

   ipiaCredFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaCredentialFilterEntry 6 }

   ipiaCredFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaCredentialFilterEntry 7 }

   ipiaCredFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaCredentialFilterEntry 8 }


   --
   -- Peer Identity Filter Table
   --

   ipiaPeerIdentityFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaPeerIdentityFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table defines filters which can be used to match
            credentials of IKE peers, where the credentials in question
            have been obtained from an IKE phase 1 exchange.  They MAY
            be X.509 certificates, Kerberos tickets, etc..."
       ::= { ipiaConfigObjects 4 }

   ipiaPeerIdentityFilterEntry OBJECT-TYPE
       SYNTAX      IpiaPeerIdentityFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row defining a particular peer identity filter."
       INDEX   { ipiaPeerIdFiltName }
       ::= { ipiaPeerIdentityFilterTable 1 }

   IpiaPeerIdentityFilterEntry ::= SEQUENCE {
       ipiaPeerIdFiltName                      SnmpAdminString,
       ipiaPeerIdFiltIdentityType              IpsecDoiIdentType,
       ipiaPeerIdFiltIdentityValue             IpsaIdentityFilter,
       ipiaPeerIdFiltLastChanged               TimeStamp,
       ipiaPeerIdFiltStorageType               StorageType,
       ipiaPeerIdFiltRowStatus                 RowStatus
   }

   ipiaPeerIdFiltName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The administrative name of this filter."
       ::= { ipiaPeerIdentityFilterEntry 1 }

   ipiaPeerIdFiltIdentityType OBJECT-TYPE
       SYNTAX      IpsecDoiIdentType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of identity field in the peer ID payload to match
            against."
       ::= { ipiaPeerIdentityFilterEntry 2 }

   ipiaPeerIdFiltIdentityValue OBJECT-TYPE
       SYNTAX      IpsaIdentityFilter
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The string representation of the value that the peer ID
            payload value MUST match against. Wildcard mechanisms MUST
            be supported such that:

            - a ipiaPeerIdFiltIdentityValue of '*@example.com' will
              match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'

            - a ipiaPeerIdFiltIdentityValue of '*.example.com' will
              match a fqdn ID payload of 'WWW.EXAMPLE.COM'

            - a ipiaPeerIdFiltIdentityValue of:
                 'cn=*,ou=engineering,o=company,c=us'
              will match a DER DN ID payload of
                 'cn=John Doe,ou=engineering,o=company,c=us'

            - a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will
              match an IPv4 address ID payload of 192.0.2.10

            - a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also
              match an IPv4 address ID payload of 192.0.2.10.

             The character '*' matches zero or more instances of any
             character."
       ::= { ipiaPeerIdentityFilterEntry 3 }

   ipiaPeerIdFiltLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaPeerIdentityFilterEntry 4 }

   ipiaPeerIdFiltStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaPeerIdentityFilterEntry 5 }

   ipiaPeerIdFiltRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

             This object cannot be considered active unless the
             ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
             column values are defined.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaPeerIdentityFilterEntry 6 }


   --
   -- Static Actions
   --

   -- these are static actions which can be pointed to by the
   -- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
   -- accept or reject packets.

   ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }

   ipiaRejectIKEAction OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet SHOULD be rejected
            WITHOUT action/packet logging.  This object returns a value
            of 1 for IPsec policy implementations that support the
            reject static action."
       ::= { ipiaStaticActions 1 }

   ipiaRejectIKEActionLog OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This scalar indicates that a packet SHOULD be rejected
            WITH action/packet logging.  This object returns a value of
            1 for IPsec policy implementations that support the reject
            static action with logging."
       ::= { ipiaStaticActions 2 }


   --
   -- ipiaIkeActionTable
   --

   ipiaIkeActionTable OBJECT-TYPE
       SYNTAX          SEQUENCE OF IpiaIkeActionEntry
       MAX-ACCESS  not-accessible
       STATUS          current
       DESCRIPTION
           "The ipiaIkeActionTable contains a list of the parameters
            used for an IKE phase 1 SA DOI negotiation.  See the
            corresponding table ipiaIkeActionProposalsTable for a list
            of proposals contained within a given IKE Action."
       ::= { ipiaConfigObjects 6 }

   ipiaIkeActionEntry OBJECT-TYPE
       SYNTAX          IpiaIkeActionEntry
       MAX-ACCESS  not-accessible
       STATUS          current
       DESCRIPTION
           "The ipiaIkeActionEntry lists the IKE negotiation
            attributes."
       INDEX       { ipiaIkeActName }
       ::= { ipiaIkeActionTable 1 }

   IpiaIkeActionEntry ::= SEQUENCE {
       ipiaIkeActName                              SnmpAdminString,
       ipiaIkeActParametersName                    SnmpAdminString,
       ipiaIkeActThresholdDerivedKeys              Integer32,
       ipiaIkeActExchangeMode                      INTEGER,
       ipiaIkeActAgressiveModeGroupId              IkeGroupDescription,
       ipiaIkeActIdentityType                      IpsecDoiIdentType,
       ipiaIkeActIdentityContext                   SnmpAdminString,
       ipiaIkeActPeerName                          SnmpAdminString,
       ipiaIkeActDoActionLogging                   TruthValue,
       ipiaIkeActDoPacketLogging                   SpdIPPacketLogging,
       ipiaIkeActVendorId                          OCTET STRING,
       ipiaIkeActLastChanged                       TimeStamp,
       ipiaIkeActStorageType                       StorageType,
       ipiaIkeActRowStatus                         RowStatus
   }

   ipiaIkeActName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       not-accessible
       STATUS           current
       DESCRIPTION
           "This object contains the name of this ikeAction entry."
       ::= { ipiaIkeActionEntry 1 }

   ipiaIkeActParametersName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object is administratively assigned to reference a row
            in the ipiaSaNegotiationParametersTable where additional
            parameters affecting this action can be found.

            An attempt to set this object to a value that does not
            exist in the ipiaSaNegotiationParametersTable MUST result
            in an inconsistentValue error."
       ::= { ipiaIkeActionEntry 2 }

   ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
       SYNTAX           Integer32 (0..100)
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "ipiaIkeActThresholdDerivedKeys specifies what percentage
            of the derived key limit (see the LifetimeDerivedKeys
            property of IKEProposal) can expire before IKE SHOULD
            attempt to renegotiate the IKE phase 1 security
            association."
       DEFVAL           { 100 }
       ::= { ipiaIkeActionEntry 3 }

   ipiaIkeActExchangeMode OBJECT-TYPE
       SYNTAX           INTEGER { main(1), agressive(2) }
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "ipiaIkeActExchangeMode specifies the IKE Phase 1
            negotiation mode."
       DEFVAL { main }
       ::= { ipiaIkeActionEntry 4 }

   ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
       SYNTAX           IkeGroupDescription
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The Diffie-Hellman group to be used for the phase 1 key
            exchange."
       ::= { ipiaIkeActionEntry 5 }

   ipiaIkeActIdentityType OBJECT-TYPE
       SYNTAX      IpsecDoiIdentType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This column along with ipiaIkeActIdentityContext and
            endpoint information, is used to refer to an
            ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
       ::= { ipiaIkeActionEntry 6 }

   ipiaIkeActIdentityContext   OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This column, along with ipiaIkeActIdentityType and endpoint
            information, is used to refer to an ipiaIkeIdentityEntry in
            the ipiaIkeIdentityTable."
       ::= { ipiaIkeActionEntry 7 }

   ipiaIkeActPeerName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the peer id name of the IKE peer.
            This object can be used to look up the peer id value,
            address, credentials and other values in the
            ipiaPeerIdentityTable."
       ::= { ipiaIkeActionEntry 8 }

   ipiaIkeActDoActionLogging OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkeActDoActionLogging specifies whether or not an audit
            message SHOULD be logged when this IKE SA is created."
       DEFVAL { false }
       ::= { ipiaIkeActionEntry 9 }

   ipiaIkeActDoPacketLogging OBJECT-TYPE
       SYNTAX      SpdIPPacketLogging
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkeActDoPacketLogging specifies whether or not an audit
            message SHOULD be logged and, if there is logging, how many
            bytes of the packet to place in the notification."
       DEFVAL { -1 }
       ::= { ipiaIkeActionEntry 10 }

   ipiaIkeActVendorId    OBJECT-TYPE
       SYNTAX           OCTET STRING (SIZE(0..65535))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "Vendor ID Payload.  A value of NULL means that Vendor ID
            payload will be neither generated nor accepted.  A non-NULL
            value means that a Vendor ID payload will be generated
            (when acting as an initiator) or is expected (when acting
            as a responder)."
       DEFVAL { "" }
       ::= { ipiaIkeActionEntry 11 }

   ipiaIkeActLastChanged OBJECT-TYPE
       SYNTAX           TimeStamp
       MAX-ACCESS       read-only
       STATUS           current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeActionEntry 12 }

   ipiaIkeActStorageType OBJECT-TYPE
       SYNTAX           StorageType
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeActionEntry 13 }

   ipiaIkeActRowStatus OBJECT-TYPE
       SYNTAX           RowStatus
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object MUST NOT be set to destroy if referred to by
            other rows in other action tables.  An attempt to set it to
            anything other than active while it is referenced by an
            active row in another table MUST result in an
            inconsistentValue error."
       ::= { ipiaIkeActionEntry 14 }


   --
   -- IPsec action definition table
   --


   ipiaIpsecActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The ipiaIpsecActionTable contains a list of the parameters
            used for an IKE phase 2 IPsec DOI negotiation."
       ::= { ipiaConfigObjects 7 }

   ipiaIpsecActionEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The ipiaIpsecActionEntry lists the IPsec negotiation
            attributes."
       INDEX       { ipiaIpsecActName }
       ::= { ipiaIpsecActionTable 1 }

   IpiaIpsecActionEntry ::= SEQUENCE {
       ipiaIpsecActName                          SnmpAdminString,
       ipiaIpsecActParametersName                SnmpAdminString,
       ipiaIpsecActProposalsName                 SnmpAdminString,
       ipiaIpsecActUsePfs                        TruthValue,
       ipiaIpsecActVendorId                      OCTET STRING,
       ipiaIpsecActGroupId                       IkeGroupDescription,
       ipiaIpsecActPeerGatewayIdName             OCTET STRING,
       ipiaIpsecActUseIkeGroup                   TruthValue,
       ipiaIpsecActGranularity                   INTEGER,
       ipiaIpsecActMode                          INTEGER,
       ipiaIpsecActDFHandling                    INTEGER,
       ipiaIpsecActDoActionLogging               TruthValue,
       ipiaIpsecActDoPacketLogging               SpdIPPacketLogging,
       ipiaIpsecActLastChanged                   TimeStamp,
       ipiaIpsecActStorageType                   StorageType,
       ipiaIpsecActRowStatus                     RowStatus
   }

   ipiaIpsecActName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "ipiaIpsecActName is the name of the ipsecAction entry."
       ::= { ipiaIpsecActionEntry 1 }


   ipiaIpsecActParametersName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object is used to reference a row in the
            ipiaSaNegotiationParametersTable where additional
            parameters affecting this action can be found.

            An attempt to set this column to a value that does not
            exist in the ipiaSaNegotiationParametersTable MUST result
            in an inconsistentValue error."
       ::= { ipiaIpsecActionEntry 2 }

   ipiaIpsecActProposalsName OBJECT-TYPE
       SYNTAX           SnmpAdminString (SIZE(1..32))
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object is used to reference one or more rows in the
            ipiaIpsecProposalsTable where an ordered list of proposals
            affecting this action can be found.

            An attempt to set this column to a value that does not
            exist in the ipiaIpsecProposalsTable MUST result in an
            inconsistentValue error."
       ::= { ipiaIpsecActionEntry 3 }

   ipiaIpsecActUsePfs OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This MIB object specifies whether or not perfect forward
            secrecy is used when refreshing keys.  A value of true
            indicates that PFS SHOULD be used."
       ::= { ipiaIpsecActionEntry 4 }

   ipiaIpsecActVendorId OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..255))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The VendorID property is used to identify vendor-defined
            key exchange GroupIDs."
       ::= { ipiaIpsecActionEntry 5 }

   ipiaIpsecActGroupId OBJECT-TYPE
       SYNTAX      IkeGroupDescription
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the Diffie-Hellman group to use for
            phase 2 when the object ipiaIpsecActUsePfs is true and the
            object ipiaIpsecActUseIkeGroup is false.  If the GroupID
            number is from the vendor-specific range (32768-65535), the
            VendorID qualifies the group number."
       ::= { ipiaIpsecActionEntry 6 }

   ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..116))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the peer id name of the peer
            gateway.  This object can be used to look up the peer id
            value, address and other values in the
            ipiaPeerIdentityTable.  This object is used when initiating
            a tunnel SA.  This object is not used for transport SAs.
            If no value is set and ipiaIpsecActMode is tunnel, the peer
            gateway is determined from the source or destination
            address of the packet."
       ::= { ipiaIpsecActionEntry 7 }

   ipiaIpsecActUseIkeGroup OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies whether or not to use the same
            GroupId for phase 2 as was used in phase 1.  If UsePFS is
            false, this entry SHOULD be ignored."
       ::= { ipiaIpsecActionEntry 8 }
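   The phase 2 group-selection rules spread over ipiaIpsecActUsePfs,
   ipiaIpsecActGroupId, ipiaIpsecActUseIkeGroup and ipiaIpsecActVendorId,
   collected into one decision function.  This is an added example
   written for this edit, not code from the draft or from any IPsec
   implementation; the IpsecAction class, phase2_dh_group, the
   phase1_group argument and the sample values are this example's own.
   It goes slightly beyond the text by turning the vendor-range caveat
   (32768-65535 must be qualified by a VendorID) into an explicit check.

```python
# Added example (not part of the draft): resolve the Diffie-Hellman group to
# propose for an IKE phase 2 (IPsec SA) negotiation from the columns of one
# ipiaIpsecActionEntry row.  Field names mirror the MIB columns; the class,
# function and argument names are this example's own.
from dataclasses import dataclass
from typing import Optional, Tuple

VENDOR_GROUP_MIN = 32768   # vendor-specific IkeGroupDescription range, as
VENDOR_GROUP_MAX = 65535   # given in the ipiaIpsecActGroupId DESCRIPTION


@dataclass
class IpsecAction:
    use_pfs: bool            # ipiaIpsecActUsePfs
    use_ike_group: bool      # ipiaIpsecActUseIkeGroup
    group_id: int            # ipiaIpsecActGroupId (IkeGroupDescription)
    vendor_id: bytes = b""   # ipiaIpsecActVendorId


def phase2_dh_group(action: IpsecAction,
                    phase1_group: int) -> Optional[Tuple[int, bytes]]:
    """Return (group_id, vendor_id) to propose for phase 2, or None when no
    fresh Diffie-Hellman exchange is performed (PFS off).

    - UsePfs false: no phase 2 group; UseIkeGroup and GroupId are ignored.
    - UsePfs true, UseIkeGroup true: reuse the group negotiated in phase 1.
    - UsePfs true, UseIkeGroup false: use GroupId; a number from the
      vendor-specific range is only meaningful together with a VendorID.
    """
    if not action.use_pfs:
        return None
    if action.use_ike_group:
        return (phase1_group, b"")
    gid = action.group_id
    if VENDOR_GROUP_MIN <= gid <= VENDOR_GROUP_MAX:
        if not action.vendor_id:
            raise ValueError("vendor-specific GroupId requires a VendorID")
        return (gid, action.vendor_id)
    return (gid, b"")


def vendor_group_rejected(action: IpsecAction) -> bool:
    """True if the row is refused because a vendor-range group lacks a VendorID."""
    try:
        phase2_dh_group(action, phase1_group=2)
    except ValueError:
        return True
    return False
```

   Group numbers are the IkeGroupDescription values; the phase 1 group is
   passed in because it lives in the IKE proposal, not in this table.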

   ipiaIpsecActGranularity OBJECT-TYPE
       SYNTAX      INTEGER { subnet(1), address(2), protocol(3),
                             port(4) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies how the proposed selector for the
            security association will be created.  The selector is
            created by using the FilterList information.  The selector
            can be subnet, address, protocol, or port."
       ::= { ipiaIpsecActionEntry 9 }

   ipiaIpsecActMode OBJECT-TYPE
       SYNTAX      INTEGER { tunnel(1), transport(2) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the encapsulation of the IPsec SA
            to be negotiated."
       DEFVAL { tunnel }
       ::= { ipiaIpsecActionEntry 10 }

   ipiaIpsecActDFHandling OBJECT-TYPE
       SYNTAX      INTEGER { copy(1), set(2), clear(3) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the processing of DF bit by the
            negotiated IPsec tunnel.
            1 - DF bit is copied.
            2 - DF bit is set.
            3 - DF bit is cleared."
       DEFVAL { copy }
       ::= { ipiaIpsecActionEntry 11 }

   ipiaIpsecActDoActionLogging OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIpsecActDoActionLogging specifies whether or not an
            audit message SHOULD be logged when this IPsec SA is
            created."
       DEFVAL { false }
       ::= { ipiaIpsecActionEntry 12 }

   ipiaIpsecActDoPacketLogging OBJECT-TYPE
       SYNTAX      SpdIPPacketLogging
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIpsecActDoPacketLogging specifies whether or not an
            audit message SHOULD be logged and, if there is logging, how
            many bytes of the packet to place in the notification."
       DEFVAL { -1 }
       ::= { ipiaIpsecActionEntry 13 }

   ipiaIpsecActLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecActionEntry 14 }

   ipiaIpsecActStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecActionEntry 15 }

   ipiaIpsecActRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaIpsecActionEntry 16 }

   --
   -- ipiaSaNegotiationParametersTable
   --

   --   PROPERTIES   MinLifetimeSeconds
   --                MinLifetimeKilobytes
   --                RefreshThresholdSeconds
   --                RefreshThresholdKilobytes
   --                IdleDurationSeconds

   ipiaSaNegotiationParametersTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaSaNegotiationParametersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains reusable parameters that can be pointed
            to by the ipiaIkeActionTable and ipiaIpsecActionTable.
            These parameters are reusable since it is likely an
            administrator will want to make global policy changes to
            lifetime parameters that apply to multiple actions.  This
            table allows multiple rows in the other actions tables to
            reuse global lifetime parameters in this table by
            repeatedly pointing to a row contained within this table."
       ::= { ipiaConfigObjects 8 }

   ipiaSaNegotiationParametersEntry OBJECT-TYPE
       SYNTAX      IpiaSaNegotiationParametersEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Contains the attributes of one row in the
            ipiaSaNegotiationParametersTable."
       INDEX       { ipiaSaNegParamName }
       ::= { ipiaSaNegotiationParametersTable 1 }

   IpiaSaNegotiationParametersEntry ::= SEQUENCE {
       ipiaSaNegParamName                  SnmpAdminString,
       ipiaSaNegParamMinLifetimeSecs       Unsigned32,
       ipiaSaNegParamMinLifetimeKB         Unsigned32,
       ipiaSaNegParamRefreshThreshSecs     Unsigned32,
       ipiaSaNegParamRefreshThresholdKB    Unsigned32,
       ipiaSaNegParamIdleDurationSecs      Unsigned32,
       ipiaSaNegParamLastChanged           TimeStamp,
       ipiaSaNegParamStorageType           StorageType,
       ipiaSaNegParamRowStatus             RowStatus
   }

   ipiaSaNegParamName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object contains the administrative name of this
            SaNegotiationParametersEntry.  This row can be referred
            to by this name in other policy action tables."
       ::= { ipiaSaNegotiationParametersEntry 1 }

   ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
       SYNTAX      Unsigned32
       UNITS       "seconds"
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
            lifetime that will be accepted from the peer."
       ::= { ipiaSaNegotiationParametersEntry 2 }

   ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
            lifetime that will be accepted from the peer."
       ::= { ipiaSaNegotiationParametersEntry 3 }

   ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
       SYNTAX      Unsigned32 (1..100)
       UNITS       "percent"
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamRefreshThreshSecs specifies what percentage
            of the seconds lifetime can expire before IKE SHOULD
            attempt to renegotiate the IPsec security association.  The
            value is a percentage between 1 and 100.  A value of 100
            indicates that the IPsec security association SHOULD not be
            renegotiated until the seconds lifetime has been completely
            reached."
       ::= { ipiaSaNegotiationParametersEntry 4 }

   ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
       SYNTAX      Unsigned32 (1..100)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamRefreshThresholdKB specifies what percentage
            of the kilobyte lifetime can expire before IKE SHOULD
            attempt to renegotiate the IPsec security association.  The
            value is a percentage between 1 and 100.  A value of 100
            indicates that the IPsec security association SHOULD not be
            renegotiated until the kilobyte lifetime has been reached."
       ::= { ipiaSaNegotiationParametersEntry 5 }

   ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
       SYNTAX      Unsigned32
       UNITS       "seconds"
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaSaNegParamIdleDurationSecs specifies how many seconds a
            security association MAY remain idle (i.e., no traffic
            protected using the security association) before it is
            deleted.  A value of zero indicates that idle detection
            SHOULD NOT be used for the security association.  Any
            non-zero value indicates the number of seconds the security
            association can remain unused."
       ::= { ipiaSaNegotiationParametersEntry 6 }
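   The lifetime rules of this table (minimum lifetimes accepted from the
   peer, the two refresh-threshold percentages, and idle detection with
   zero meaning "off"), together with the derived-key threshold of
   ipiaIkeActThresholdDerivedKeys against LifetimeDerivedKeys, worked
   through as decision functions an IKE daemon would evaluate per SA.
   This is an added example written for this edit and is not code from
   the draft; the SaNegParams and SaUsage classes, the function names and
   the constructed sample values are this example's own assumptions.

```python
# Added example (not part of the draft): rekey and teardown decisions driven
# by one ipiaSaNegotiationParametersEntry row and the negotiated lifetimes.
# Field names mirror the MIB columns; classes and functions are this example's own.
from dataclasses import dataclass


@dataclass
class SaNegParams:
    """Fields of one ipiaSaNegotiationParametersEntry row."""
    min_lifetime_secs: int          # ipiaSaNegParamMinLifetimeSecs
    min_lifetime_kb: int            # ipiaSaNegParamMinLifetimeKB
    refresh_thresh_secs_pct: int    # ipiaSaNegParamRefreshThreshSecs (1..100)
    refresh_thresh_kb_pct: int      # ipiaSaNegParamRefreshThresholdKB (1..100)
    idle_duration_secs: int         # ipiaSaNegParamIdleDurationSecs (0 = off)


@dataclass
class SaUsage:
    """Runtime counters for one established SA (this example's own)."""
    age_secs: int      # seconds since the SA was established
    kbytes: int        # kilobytes protected so far
    idle_secs: int     # seconds since the SA last carried traffic


def accept_peer_lifetime(params: SaNegParams, secs: int, kbytes: int) -> bool:
    """Lifetimes offered by the peer are accepted only at or above the minimums."""
    return secs >= params.min_lifetime_secs and kbytes >= params.min_lifetime_kb


def _pct_point(limit: int, pct: int, lo: int = 1) -> int:
    """Amount of `limit` consumed once pct% of it has expired (integer math)."""
    if not lo <= pct <= 100:
        raise ValueError(f"percentage must be in {lo}..100")
    return limit * pct // 100


def should_rekey(params: SaNegParams, usage: SaUsage,
                 lifetime_secs: int, lifetime_kb: int) -> bool:
    """True once either negotiated lifetime has reached its refresh threshold.
    A threshold of 100 lets the SA run to the full lifetime before rekeying."""
    return (usage.age_secs >= _pct_point(lifetime_secs, params.refresh_thresh_secs_pct)
            or usage.kbytes >= _pct_point(lifetime_kb, params.refresh_thresh_kb_pct))


def should_delete_idle(params: SaNegParams, usage: SaUsage) -> bool:
    """Idle detection: zero disables it; otherwise delete after that many idle seconds."""
    if params.idle_duration_secs == 0:
        return False
    return usage.idle_secs >= params.idle_duration_secs


def phase1_needs_rekey(keys_derived: int, lifetime_derived_keys: int,
                       threshold_pct: int) -> bool:
    """ipiaIkeActThresholdDerivedKeys (0..100): renegotiate the phase 1 SA once
    that percentage of ipiaIkePropLifetimeDerivedKeys has been consumed."""
    return keys_derived >= _pct_point(lifetime_derived_keys, threshold_pct, lo=0)
```

   Rekeying early (a threshold below 100) is what keeps the replacement SA
   ready before the old one expires; the functions use integer arithmetic so
   that the threshold is reproducible on every evaluation.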

   ipiaSaNegParamLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaSaNegotiationParametersEntry 7 }

   ipiaSaNegParamStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaSaNegotiationParametersEntry 8 }

   ipiaSaNegParamRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaSaNegotiationParametersEntry 9 }

   --
   -- ipiaIkeActionProposalsTable proposals contained within a ikeAction
   --

   ipiaIkeActionProposalsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIkeActionProposalsEntry
       MAX-ACCESS   not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of all IKE proposal names found
            within a given IKE Action."
       ::= { ipiaConfigObjects 9 }

   ipiaIkeActionProposalsEntry OBJECT-TYPE
       SYNTAX      IpiaIkeActionProposalsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row containing one IKE proposal reference."
       INDEX   { ipiaIkeActName, ipiaIkeActPropPriority }
       ::= { ipiaIkeActionProposalsTable 1 }

   IpiaIkeActionProposalsEntry ::= SEQUENCE {
       ipiaIkeActPropPriority                   Integer32,
       ipiaIkeActPropName                       SnmpAdminString,
       ipiaIkeActPropLastChanged                TimeStamp,
       ipiaIkeActPropStorageType                StorageType,
       ipiaIkeActPropRowStatus                  RowStatus
   }

   ipiaIkeActPropPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The numeric priority of a given contained proposal inside
            an IKE Action.  This index SHOULD be used to order the
            proposals in an IKE Phase 1 negotiation, lowest value first
            (i.e., 0 first, then 1, 2, etc.)."
       ::= { ipiaIkeActionProposalsEntry 1 }

   ipiaIkeActPropName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The administratively assigned name that can be used to
            reference a set of values contained within the
            ipiaIkeProposalTable.

            An attempt to set this object to a value that doesn't exist
            in the ipiaIkeProposalTable MUST result in an
            inconsistentValue error."
       ::= { ipiaIkeActionProposalsEntry 2 }

   ipiaIkeActPropLastChanged OBJECT-TYPE
       SYNTAX           TimeStamp
       MAX-ACCESS       read-only
       STATUS           current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeActionProposalsEntry 3 }

   ipiaIkeActPropStorageType OBJECT-TYPE
       SYNTAX           StorageType
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeActionProposalsEntry 4 }

   ipiaIkeActPropRowStatus OBJECT-TYPE
       SYNTAX           RowStatus
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active unless one of the
            following two conditions is met.  An attempt to set it to
            anything other than active while neither condition is met
            MUST result in an inconsistentValue error.  The two
            conditions are:

            I.  No active row in the ipiaIkeActionTable exists
                which has a matching ipiaIkeActName.

            II. At least one other active row in this table has a
                matching ipiaIkeActName."
       ::= { ipiaIkeActionProposalsEntry 5 }
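   The referential-integrity rules stated in the RowStatus and name
   columns above (ipiaIkeActRowStatus may not leave active while another
   table's active row refers to it; ipiaIkeActPropName must name an
   existing ipiaIkeProposalTable row; ipiaIkeActPropRowStatus may leave
   active only under conditions I or II), plus the priority ordering of
   ipiaIkeActPropPriority, modelled as the checks an agent runs on a SET.
   This is an added example written for this edit, not code from the
   draft or from any SNMP agent.  The classes, InconsistentValue (standing
   in for the SNMP inconsistentValue error-status), the rejects helper,
   the action_referrers field (an assumption standing for rows in other
   tables, such as rules whose ipiaRuleDefAction points at the action)
   and all sample names are this example's own.

```python
# Added example (not part of the draft): agent-side RowStatus and reference
# checks for ipiaIkeActionTable, ipiaIkeActionProposalsTable and
# ipiaIkeProposalTable.  Table and column names mirror the MIB; the classes,
# the action_referrers field and the sample data are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List, Set

ACTIVE = "active"
NOT_IN_SERVICE = "notInService"
DESTROY = "destroy"


class InconsistentValue(Exception):
    """Stands in for the SNMP inconsistentValue error-status."""


@dataclass
class IkeActionProposalsRow:
    """One row of ipiaIkeActionProposalsTable."""
    ike_act_name: str         # ipiaIkeActName (index)
    priority: int             # ipiaIkeActPropPriority (index)
    prop_name: str            # ipiaIkeActPropName
    row_status: str = ACTIVE  # ipiaIkeActPropRowStatus


@dataclass
class IkeActionMib:
    # ipiaIkeProposalTable, keyed by ipiaIkeActPropName (proposal columns elided)
    ike_proposals: Set[str] = field(default_factory=set)
    # ipiaIkeActionTable: ipiaIkeActName -> ipiaIkeActRowStatus
    ike_actions: Dict[str, str] = field(default_factory=dict)
    # ipiaIkeActionProposalsTable
    act_proposals: List[IkeActionProposalsRow] = field(default_factory=list)
    # Assumption: identifiers of active rows in other tables that refer to an
    # IKE action (e.g. a rule's ipiaRuleDefAction), keyed by action name.
    action_referrers: Dict[str, Set[str]] = field(default_factory=dict)

    def set_prop_name(self, row: IkeActionProposalsRow, name: str) -> None:
        """ipiaIkeActPropName MUST name a row of ipiaIkeProposalTable."""
        if name not in self.ike_proposals:
            raise InconsistentValue(f"no ipiaIkeProposalEntry named {name!r}")
        row.prop_name = name

    def set_ike_act_row_status(self, act_name: str, status: str) -> None:
        """ipiaIkeActRowStatus: an active action that is referenced by an
        active row in another table may only be written as 'active'."""
        if (self.ike_actions.get(act_name) == ACTIVE and status != ACTIVE
                and self.action_referrers.get(act_name)):
            raise InconsistentValue(f"{act_name!r} is referenced by an active row")
        self.ike_actions[act_name] = status

    def set_act_prop_row_status(self, row: IkeActionProposalsRow, status: str) -> None:
        """ipiaIkeActPropRowStatus may leave 'active' only if (I) no active
        ipiaIkeActionTable row has this ipiaIkeActName, or (II) at least one
        other active row of this table has the same ipiaIkeActName."""
        if row.row_status == ACTIVE and status != ACTIVE:
            cond_i = self.ike_actions.get(row.ike_act_name) != ACTIVE
            cond_ii = any(r is not row and r.ike_act_name == row.ike_act_name
                          and r.row_status == ACTIVE for r in self.act_proposals)
            if not (cond_i or cond_ii):
                raise InconsistentValue(
                    f"last active proposal of active action {row.ike_act_name!r}")
        row.row_status = status

    def ordered_proposals(self, act_name: str) -> List[str]:
        """Active proposal names for an action, lowest ipiaIkeActPropPriority
        first, which is the order they are offered in the Phase 1 negotiation."""
        rows = [r for r in self.act_proposals
                if r.ike_act_name == act_name and r.row_status == ACTIVE]
        return [r.prop_name for r in sorted(rows, key=lambda r: r.priority)]


def rejects(fn, *args) -> bool:
    """True if the SET modelled by fn(*args) is refused with inconsistentValue."""
    try:
        fn(*args)
    except InconsistentValue:
        return True
    return False


def build_sample() -> IkeActionMib:
    """Constructed sample configuration; every name here is invented."""
    mib = IkeActionMib()
    mib.ike_proposals = {"prop-strong", "prop-fallback"}
    mib.ike_actions = {"ike-act-1": ACTIVE}
    mib.act_proposals = [
        IkeActionProposalsRow("ike-act-1", 1, "prop-fallback"),
        IkeActionProposalsRow("ike-act-1", 0, "prop-strong"),
    ]
    mib.action_referrers = {"ike-act-1": {"rule-1"}}
    return mib
```

   The checks are evaluated at SET time, so a manager that wants to retire
   an action must first clear the rows that refer to it; the sample walks
   that order: deactivate a spare proposal row, drop the referrer, move the
   action out of active, and only then destroy the last proposal row.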


   --
   -- IKE proposal definition table
   --

   ipiaIkeProposalTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIkeProposalEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table contains a list of IKE proposals which are used
            in an IKE negotiation."
       ::= { ipiaConfigObjects 10 }

   ipiaIkeProposalEntry OBJECT-TYPE
       SYNTAX      IpiaIkeProposalEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "One IKE proposal entry."
       INDEX       { ipiaIkeActPropName }
       ::= { ipiaIkeProposalTable 1 }

   IpiaIkeProposalEntry ::= SEQUENCE {
       ipiaIkePropLifetimeDerivedKeys     Unsigned32,
       ipiaIkePropCipherAlgorithm         IkeEncryptionAlgorithm,
       ipiaIkePropCipherKeyLength         Unsigned32,
       ipiaIkePropCipherKeyRounds         Unsigned32,
       ipiaIkePropHashAlgorithm           IkeHashAlgorithm,
       ipiaIkePropPrfAlgorithm            INTEGER,
       ipiaIkePropVendorId                OCTET STRING,
       ipiaIkePropDhGroup                 IkeGroupDescription,
       ipiaIkePropAuthenticationMethod    IkeAuthMethod,
       ipiaIkePropMaxLifetimeSecs         Unsigned32,
       ipiaIkePropMaxLifetimeKB           Unsigned32,
       ipiaIkePropLastChanged             TimeStamp,
       ipiaIkePropStorageType             StorageType,
       ipiaIkePropRowStatus               RowStatus
   }

   ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropLifetimeDerivedKeys specifies the number of
            times that a phase 1 key will be used to derive a phase 2
            key before the phase 1 security association needs to be
            renegotiated."
       ::= { ipiaIkeProposalEntry 1 }

   ipiaIkePropCipherAlgorithm OBJECT-TYPE
       SYNTAX      IkeEncryptionAlgorithm
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropCipherAlgorithm specifies the proposed phase 1
            security association encryption algorithm."
       ::= { ipiaIkeProposalEntry 2 }

   ipiaIkePropCipherKeyLength OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies, in bits, the key length for
            the cipher algorithm used in IKE Phase 1 negotiation."
       ::= { ipiaIkeProposalEntry 3 }

   ipiaIkePropCipherKeyRounds OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the number of key rounds for
            the cipher algorithm used in IKE Phase 1 negotiation."
       ::= { ipiaIkeProposalEntry 4 }

   ipiaIkePropHashAlgorithm OBJECT-TYPE
       SYNTAX      IkeHashAlgorithm
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropHashAlgorithm specifies the proposed phase 1
            security association hash algorithm."
       ::= { ipiaIkeProposalEntry 5 }

   ipiaIkePropPrfAlgorithm OBJECT-TYPE
       SYNTAX      INTEGER { reserved(0) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropPrfAlgorithm specifies the proposed phase 1
            security association pseudo-random function.

            Note: currently no PRF algorithms are defined."
       ::= { ipiaIkeProposalEntry 6 }

   ipiaIkePropVendorId OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..255))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The VendorID property is used to identify vendor-defined
            key exchange GroupIDs."
       ::= { ipiaIkeProposalEntry 7 }

   ipiaIkePropDhGroup OBJECT-TYPE
       SYNTAX      IkeGroupDescription
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the proposed phase 1 security
            association Diffie-Hellman group."
       ::= { ipiaIkeProposalEntry 8 }

   ipiaIkePropAuthenticationMethod OBJECT-TYPE
       SYNTAX      IkeAuthMethod
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies the proposed authentication
            method for the phase 1 security association."
       ::= { ipiaIkeProposalEntry 9 }

   ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropMaxLifetimeSecs specifies the maximum time, in
            seconds, for which the proposed security association is to
            remain valid.

            A value of 0 indicates that the default lifetime of
            8 hours SHOULD be used."
       ::= { ipiaIkeProposalEntry 10 }

   ipiaIkePropMaxLifetimeKB OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaIkePropMaxLifetimeKB specifies the maximum amount of
            traffic, in kilobytes, for which the proposed security
            association is to remain valid."
       ::= { ipiaIkeProposalEntry 11 }

   ipiaIkePropLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeProposalEntry 12 }

   ipiaIkePropStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeProposalEntry 13 }

   ipiaIkePropRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaIkeProposalEntry 14 }


   --
   -- ipiaIpsecProposalsTable
   --


   ipiaIpsecProposalsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecProposalsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists one or more IPsec proposals for
            IPsec actions."
       ::= { ipiaConfigObjects 11 }

   ipiaIpsecProposalsEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecProposalsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing (possibly a portion of) a proposal."
       INDEX       { ipiaIpsecPropName, ipiaIpsecPropPriority,
                     ipiaIpsecPropProtocolId }
       ::= { ipiaIpsecProposalsTable 1 }

   IpiaIpsecProposalsEntry ::= SEQUENCE {
       ipiaIpsecPropName                   SnmpAdminString,
       ipiaIpsecPropPriority               Integer32,
       ipiaIpsecPropProtocolId             IpsecDoiSecProtocolId,
       ipiaIpsecPropTransformsName         SnmpAdminString,
       ipiaIpsecPropLastChanged            TimeStamp,
       ipiaIpsecPropStorageType            StorageType,
       ipiaIpsecPropRowStatus              RowStatus
   }

   ipiaIpsecPropName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name of this proposal."
       ::= { ipiaIpsecProposalsEntry 1 }

   ipiaIpsecPropPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority level (AKA sequence level) of this proposal.
            A lower number indicates a higher precedence (0 before 1,
            etc.)."
       ::= { ipiaIpsecProposalsEntry 2 }

   ipiaIpsecPropProtocolId OBJECT-TYPE
       SYNTAX      IpsecDoiSecProtocolId
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The protocol Id for the transforms for this proposal.  The
            protoIsakmp(1) value is not valid for this object.  This
            object, along with the ipiaIpsecPropTransformsName, is the
            index into the ipiaIpsecTransformsTable."
       ::= { ipiaIpsecProposalsEntry 3 }

   ipiaIpsecPropTransformsName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name of the transform or group of transforms for this
            protocol.  This object, along with the
            ipiaIpsecPropProtocolId, is the index into the
            ipiaIpsecTransformsTable.

            An attempt to set this object to a value that does not
            exist in the ipiaIpsecTransformsTable MUST result in an
            inconsistentValue error."
       ::= { ipiaIpsecProposalsEntry 4 }

   ipiaIpsecPropLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecProposalsEntry 5 }

   ipiaIpsecPropStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecProposalsEntry 6 }

   ipiaIpsecPropRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This row MUST NOT be set to active until the corresponding
            row(s) in the ipiaIpsecTransformsTable exists and is
            active.

            If active, this object MUST remain active unless one of the
            following two conditions is met.  An attempt to set it to
            anything other than active while neither condition is met
            MUST result in an inconsistentValue error.  The two
            conditions are:

            I.  No active row in the ipiaIkeActionProposalsTable exists
                which has a matching ipiaIpsecPropName.

            II. At least one other active row in this table has a
                matching ipiaIpsecPropName."
       ::= { ipiaIpsecProposalsEntry 7 }

   --
   -- ipiaIpsecTransformsTable
   --


   ipiaIpsecTransformsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecTransformsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists the IPsec proposals contained within a
            given IPsec action and the transforms within each of those
            proposals.  These proposals and transforms can then be used
            to create phase 2 negotiation proposals."
       ::= { ipiaConfigObjects 12 }

   ipiaIpsecTransformsEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecTransformsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry containing the information on an IPsec transform."
       INDEX       { ipiaIpsecTranType, ipiaIpsecTranName,
                     ipiaIpsecTranPriority }
       ::= { ipiaIpsecTransformsTable 1 }

   IpiaIpsecTransformsEntry ::= SEQUENCE {
       ipiaIpsecTranType                        IpsecDoiSecProtocolId,
       ipiaIpsecTranName                        SnmpAdminString,
       ipiaIpsecTranPriority                    Integer32,
       ipiaIpsecTranTransformName               SnmpAdminString,
       ipiaIpsecTranLastChanged                 TimeStamp,
       ipiaIpsecTranStorageType                 StorageType,
       ipiaIpsecTranRowStatus                   RowStatus
   }

   ipiaIpsecTranType OBJECT-TYPE
       SYNTAX      IpsecDoiSecProtocolId
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The protocol type for this transform.  The protoIsakmp(1)
            value is not valid for this object."
       ::= { ipiaIpsecTransformsEntry 1 }

   ipiaIpsecTranName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name for this transform or group of transforms."
       ::= { ipiaIpsecTransformsEntry 2 }

   ipiaIpsecTranPriority OBJECT-TYPE
       SYNTAX      Integer32 (0..65535)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The priority level (AKA sequence level) of this transform
            within the group of transforms (0 before 1, etc.).  This
            indicates the order of preference in which algorithms are
            requested when the list of transforms is sent to the remote
            host.  A lower number indicates a higher precedence."
       ::= { ipiaIpsecTransformsEntry 3 }

   ipiaIpsecTranTransformName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name for the given transform.  Depending on the value
            of ipiaIpsecTranType, this value is used to lookup the
            transform's specific parameters in the
            ipiaAhTransformTable, the ipiaEspTransformTable or the
            ipiaIpcompTransformTable."
       ::= { ipiaIpsecTransformsEntry 4 }

   ipiaIpsecTranLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecTransformsEntry 5 }

   ipiaIpsecTranStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecTransformsEntry 6 }

   ipiaIpsecTranRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This row MUST NOT be set to active until the corresponding
            row in the ipiaAhTransformTable, ipiaEspTransformTable or
            the ipiaIpcompTransformTable exists.

            If active, this object MUST remain active unless one of the
            following two conditions is met.  An attempt to set it to
            anything other than active while neither condition is met
            MUST result in an inconsistentValue error.  The two
            conditions are:

            I.  No active row in the ipiaIpsecProposalsTable exists
                whose ipiaIpsecPropTransformsName matches this row's
                ipiaIpsecTranName.

            II. At least one other active row in this table has a
                matching ipiaIpsecTranName."
       ::= { ipiaIpsecTransformsEntry 7 }
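   The RowStatus clauses above (and the identical rule on
   ipiaIkePropRowStatus) express a referential-integrity constraint: a
   row that an active row in another table points at cannot leave the
   active state, and a row cannot become active before what it points
   at exists.  The following Python model is an added illustration,
   not part of this draft or of any agent implementation.  It encodes
   the ipiaIpsecProposalsTable/ipiaIpsecTransformsTable rules using
   the draft's object names; the row classes, the defined_transforms
   stand-in for the AH/ESP/IPcomp transform tables, and the rows built
   in scenario() are constructed for the example.

```python
"""Added example (not the draft's text or any SNMP agent's code): an in-memory
model of the RowStatus rules the ipiaIpsecProposalsTable and
ipiaIpsecTransformsTable descriptions impose on each other.  Table, column and
protocol names are the draft's; the classes, the 'defined_transforms' stand-in
for the ipiaAh/Esp/IpcompTransformTables and the rows in scenario() are made up."""
from dataclasses import dataclass, field

ACTIVE, NOT_IN_SERVICE, NOT_READY = "active", "notInService", "notReady"
PROTO_ISAKMP, PROTO_IPSEC_ESP = 1, 3   # IpsecDoiSecProtocolId values (IPsec DOI, RFC 2407)


class InconsistentValue(Exception):
    """Stands in for the SNMP inconsistentValue error the draft mandates."""


@dataclass
class ProposalRow:            # one ipiaIpsecProposalsEntry
    name: str                 # ipiaIpsecPropName           (index)
    priority: int             # ipiaIpsecPropPriority       (index)
    protocol_id: int          # ipiaIpsecPropProtocolId     (index)
    transforms_name: str      # ipiaIpsecPropTransformsName -> ipiaIpsecTransformsTable
    row_status: str = NOT_READY


@dataclass
class TransformRow:           # one ipiaIpsecTransformsEntry
    tran_type: int            # ipiaIpsecTranType           (index)
    name: str                 # ipiaIpsecTranName           (index)
    priority: int             # ipiaIpsecTranPriority       (index)
    transform_name: str       # ipiaIpsecTranTransformName  -> AH/ESP/IPcomp transform table
    row_status: str = NOT_READY


@dataclass
class Agent:
    proposals: list = field(default_factory=list)
    transforms: list = field(default_factory=list)
    defined_transforms: set = field(default_factory=set)   # (type, transform name) rows

    def active_group(self, tran_type, name):
        """Active ipiaIpsecTransformsTable rows sharing one (type, name) group."""
        return [t for t in self.transforms
                if t.row_status == ACTIVE and (t.tran_type, t.name) == (tran_type, name)]

    def set_transform_status(self, row, new_status):
        if new_status == ACTIVE:
            if row.tran_type == PROTO_ISAKMP:
                raise InconsistentValue("protoIsakmp(1) is not valid for ipiaIpsecTranType")
            if (row.tran_type, row.transform_name) not in self.defined_transforms:
                raise InconsistentValue("named AH/ESP/IPcomp transform row does not exist")
        elif row.row_status == ACTIVE:
            # Leaving 'active' needs (I) no active proposal referencing the group, or
            # (II) another active member of the group left behind.
            referenced = any(p.row_status == ACTIVE and p.protocol_id == row.tran_type
                             and p.transforms_name == row.name for p in self.proposals)
            others = [t for t in self.active_group(row.tran_type, row.name) if t is not row]
            if referenced and not others:
                raise InconsistentValue("group still referenced by an active proposal")
        row.row_status = new_status

    def set_proposal_status(self, row, new_status):
        if new_status == ACTIVE:
            if row.protocol_id == PROTO_ISAKMP:
                raise InconsistentValue("protoIsakmp(1) is not valid for ipiaIpsecPropProtocolId")
            if not self.active_group(row.protocol_id, row.transforms_name):
                raise InconsistentValue("no active ipiaIpsecTransformsTable row for proposal")
        # The symmetric check against the ipiaIkeActionProposalsTable is not modelled here.
        row.row_status = new_status


def attempt(setter, row, new_status):
    """True if the SET is accepted, False if the agent would answer inconsistentValue."""
    try:
        setter(row, new_status)
        return True
    except InconsistentValue:
        return False


def scenario():
    """Create, activate and retire a two-member ESP transform group and its proposal."""
    agent = Agent(defined_transforms={(PROTO_IPSEC_ESP, "esp-aes-sha1"),
                                      (PROTO_IPSEC_ESP, "esp-3des-sha1")})
    strong = TransformRow(PROTO_IPSEC_ESP, "esp-group", 0, "esp-aes-sha1")
    fallback = TransformRow(PROTO_IPSEC_ESP, "esp-group", 1, "esp-3des-sha1")
    undefined = TransformRow(PROTO_IPSEC_ESP, "esp-group", 2, "esp-not-defined")
    prop = ProposalRow("site-to-site", 0, PROTO_IPSEC_ESP, "esp-group")
    agent.transforms += [strong, fallback, undefined]
    agent.proposals.append(prop)
    out = {}
    out["proposal_before_transforms"] = attempt(agent.set_proposal_status, prop, ACTIVE)
    out["activate_strong"] = attempt(agent.set_transform_status, strong, ACTIVE)
    out["activate_fallback"] = attempt(agent.set_transform_status, fallback, ACTIVE)
    out["activate_undefined"] = attempt(agent.set_transform_status, undefined, ACTIVE)
    out["proposal_after_transforms"] = attempt(agent.set_proposal_status, prop, ACTIVE)
    out["retire_fallback"] = attempt(agent.set_transform_status, fallback, NOT_IN_SERVICE)
    out["retire_last_member"] = attempt(agent.set_transform_status, strong, NOT_IN_SERVICE)
    out["retire_proposal"] = attempt(agent.set_proposal_status, prop, NOT_IN_SERVICE)
    out["retire_unreferenced"] = attempt(agent.set_transform_status, strong, NOT_IN_SERVICE)
    return out
```

   scenario() returns one Boolean per SET.  Three of them are
   refusals: activating the proposal before any member of its transform
   group is active, activating a transform whose AH/ESP/IPcomp row does
   not exist, and retiring the last active member of a group that an
   active proposal still names.  Retiring a member while another stays
   active (condition II) and retiring the last member once the
   proposal itself is no longer active (condition I) both succeed.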


   --
   -- IKE identity definition table
   --

   ipiaIkeIdentityTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIkeIdentityEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "IKEIdentity is used to represent the identities that are
            used for an IPProtocolEndpoint (or collection of
            IPProtocolEndpoints) to identify itself in IKE phase 1
            negotiations.  The columns ipiaIkeActIdentityType and
            ipiaIkeActIdentityContext in an ipiaIkeActionEntry together
            with the spdEndGroupInterface in the
            spdEndpointToGroupTable specify the unique identity to
            use in a negotiation exchange."
       ::= { ipiaConfigObjects 13 }

   ipiaIkeIdentityEntry OBJECT-TYPE
       SYNTAX      IpiaIkeIdentityEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An ipiaIkeIdentityEntry lists the attributes of one IKE
            identity."
       INDEX { spdEndGroupInterface, ipiaIkeActIdentityType,
               ipiaIkeActIdentityContext }
       ::= { ipiaIkeIdentityTable 1 }

   IpiaIkeIdentityEntry ::= SEQUENCE {
       ipiaIkeIdCredentialName                 SnmpAdminString,
       ipiaIkeIdLastChanged                    TimeStamp,
       ipiaIkeIdStorageType                    StorageType,
       ipiaIkeIdRowStatus                      RowStatus
   }

   ipiaIkeIdCredentialName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is used as an index into the
            ipiaCredentialFilterTable to look up the actual credential
            value and other credential information.

            For IDs without associated credential information, this
            value is left blank.

            For IDs that are address types, this value MAY be left
            blank, in which case the associated IPProtocolEndpoint or
            the appropriate member of the collection of endpoints is
            used."
       ::= { ipiaIkeIdentityEntry 1 }

   ipiaIkeIdLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIkeIdentityEntry 2 }

   ipiaIkeIdStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIkeIdentityEntry 3 }

   ipiaIkeIdRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaIkeIdentityEntry 4 }


   --
   -- autostart IKE Table

   ipiaAutostartIkeTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaAutostartIkeEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The parameters in the autostart IKE table are used to
            automatically initiate IKE phase 1 and phase 2 (i.e. IPsec)
            negotiations on startup.  They also cause the IKE phase 1
            and phase 2 negotiations for a row to be initiated at the
            time of that row's creation."
       ::= { ipiaConfigObjects 14 }

   ipiaAutostartIkeEntry OBJECT-TYPE
       SYNTAX      IpiaAutostartIkeEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An ipiaAutostartIkeEntry provides the set of parameters
            used to automatically establish IKE and IPsec SAs."
       INDEX { ipiaAutoIkePriority }
       ::= { ipiaAutostartIkeTable 1 }

   IpiaAutostartIkeEntry ::= SEQUENCE {
       ipiaAutoIkePriority                     Integer32,
       ipiaAutoIkeAction                       VariablePointer,
       ipiaAutoIkeAddressType                  InetAddressType,
       ipiaAutoIkeSourceAddress                InetAddress,
       ipiaAutoIkeSourcePort                   InetPortNumber,
       ipiaAutoIkeDestAddress                  InetAddress,
       ipiaAutoIkeDestPort                     InetPortNumber,
       ipiaAutoIkeProtocol                     Unsigned32,
       ipiaAutoIkeLastChanged                  TimeStamp,
       ipiaAutoIkeStorageType                  StorageType,
       ipiaAutoIkeRowStatus                    RowStatus
   }

   ipiaAutoIkePriority  OBJECT-TYPE
       SYNTAX       Integer32 (0..65535)
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
           "ipiaAutoIkePriority is the index into the
            ipiaAutostartIkeTable and can be used to order the autostart
            IKE actions (0 before 1, etc.)."
       ::= { ipiaAutostartIkeEntry 1 }

   ipiaAutoIkeAction   OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This pointer is used to point to the action or compound
            action that is initiated by this row.  This value
            can be used to indicate a scalar or a row in a table.  When
            indicating a row in a table, this value MUST point to the
            first column instance in that row.

            If this column is set to a VariablePointer value which
            references a non-existent row in an otherwise supported
            table or if the table or scalar pointed to by the
            VariablePointer is not supported at all, the
            inconsistentValue exception MUST be returned.

            If during packet processing this column has a value that
            references a non-existent or non-supported object, the
            packet MUST be dropped."
       ::= { ipiaAutostartIkeEntry 2 }

   ipiaAutoIkeAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaAutoIkeAddressType specifies the format of the
            ipiaAutoIkeSourceAddress and ipiaAutoIkeDestAddress values."
       ::= { ipiaAutostartIkeEntry 3 }

   ipiaAutoIkeSourceAddress OBJECT-TYPE
       SYNTAX           InetAddress
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "ipiaAutoIkeSourceAddress specifies the source IP address
            for autostarted IKE SAs, formatted according to the
            convention indicated by ipiaAutoIkeAddressType."
       ::= { ipiaAutostartIkeEntry 4 }

   ipiaAutoIkeSourcePort OBJECT-TYPE
       SYNTAX        InetPortNumber
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "ipiaAutoIkeSourcePort specifies the source port number for
            autostarted IKE SAs.

            The value of 0 for this object is illegal."
       ::= { ipiaAutostartIkeEntry 5 }

   ipiaAutoIkeDestAddress OBJECT-TYPE
       SYNTAX           InetAddress
       MAX-ACCESS       read-create
       STATUS           current
       DESCRIPTION
           "ipiaAutoIkeDestAddress specifies the destination IP
            address for autostarted IKE SAs, formatted according to the
            convention indicated by ipiaAutoIkeAddressType."
       ::= { ipiaAutostartIkeEntry 6 }

   ipiaAutoIkeDestPort OBJECT-TYPE
       SYNTAX        InetPortNumber
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "ipiaAutoIkeDestPort specifies the destination port number
            for autostarted IKE SAs.

            The value of 0 for this object is illegal."
       ::= { ipiaAutostartIkeEntry 7 }

   ipiaAutoIkeProtocol OBJECT-TYPE
       SYNTAX      Unsigned32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "ipiaAutoIkeProtocol specifies the IP protocol number that
            is compared against policy filter entries and used in any
            phase 2 negotiations."
       ::= { ipiaAutostartIkeEntry 8 }

   ipiaAutoIkeLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaAutostartIkeEntry 9 }

   ipiaAutoIkeStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaAutostartIkeEntry 10 }

   ipiaAutoIkeRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            This object MUST NOT be set to active until the object to
            which ipiaAutoIkeAction points exists and is active.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaAutostartIkeEntry 11 }
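   Because an active row in this table makes the agent initiate IKE on
   its own, the constraints stated in the column descriptions (a
   resolvable ipiaAutoIkeAction pointer, non-zero ports, a protocol
   number in 0..255, and addresses whose length matches
   ipiaAutoIkeAddressType) are worth enforcing before a row is allowed
   to become active.  The following Python is an added example, not
   part of this draft or of any implementation: the object names are
   the draft's, the InetAddressType codes are those of RFC 4001, and
   the known_actions set, the action names and the sample rows are
   constructed.

```python
"""Added example (not the draft's text or any agent's code): the checks an agent
would run on an ipiaAutostartIkeTable row before letting ipiaAutoIkeRowStatus
become active, and the order in which the surviving rows are started.  Column
names are the draft's; InetAddressType codes are RFC 4001's; the 'known_actions'
set standing in for the rows an ipiaAutoIkeAction pointer may name, and the
sample rows, are made up."""
from dataclasses import dataclass

IPV4, IPV6 = 1, 2                   # InetAddressType ipv4(1) and ipv6(2), RFC 4001
ADDR_LEN = {IPV4: 4, IPV6: 16}      # octets in an InetAddress of that type


@dataclass
class AutostartRow:                 # one ipiaAutostartIkeEntry
    priority: int                   # ipiaAutoIkePriority (index): 0 runs before 1
    action: str                     # ipiaAutoIkeAction: first column instance of an action row
    address_type: int               # ipiaAutoIkeAddressType
    source_address: bytes           # ipiaAutoIkeSourceAddress
    source_port: int                # ipiaAutoIkeSourcePort (0 illegal)
    dest_address: bytes             # ipiaAutoIkeDestAddress
    dest_port: int                  # ipiaAutoIkeDestPort (0 illegal)
    protocol: int                   # ipiaAutoIkeProtocol (0..255)


def validate_autostart_row(row, known_actions):
    """Reasons the row must be refused with inconsistentValue; empty means it may go active."""
    problems = []
    if not 0 <= row.priority <= 65535:
        problems.append("ipiaAutoIkePriority out of range")
    if row.action not in known_actions:
        problems.append("ipiaAutoIkeAction points to a non-existent or unsupported object")
    want = ADDR_LEN.get(row.address_type)
    if want is None:
        problems.append("ipiaAutoIkeAddressType not supported")
    else:
        for col, addr in (("ipiaAutoIkeSourceAddress", row.source_address),
                          ("ipiaAutoIkeDestAddress", row.dest_address)):
            if len(addr) != want:
                problems.append(f"{col} has {len(addr)} octets, address type needs {want}")
    for col, port in (("ipiaAutoIkeSourcePort", row.source_port),
                      ("ipiaAutoIkeDestPort", row.dest_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{col} value {port} is illegal")
    if not 0 <= row.protocol <= 255:
        problems.append("ipiaAutoIkeProtocol out of range")
    return problems


def startup_order(rows, known_actions):
    """Priorities of the rows that pass validation, in the order they would be initiated."""
    good = [r for r in rows if not validate_autostart_row(r, known_actions)]
    return [r.priority for r in sorted(good, key=lambda r: r.priority)]


# Constructed sample data.  The action names stand for the OIDs of ipiaIkeActionTable rows.
KNOWN_ACTIONS = {"ipiaIkeActionTable.hq-tunnel", "ipiaIkeActionTable.branch-tunnel"}
SAMPLE_ROWS = [
    AutostartRow(10, "ipiaIkeActionTable.branch-tunnel", IPV4,
                 bytes([10, 0, 1, 1]), 40000, bytes([192, 0, 2, 10]), 443, 6),
    AutostartRow(0, "ipiaIkeActionTable.hq-tunnel", IPV4,
                 bytes([10, 0, 1, 1]), 40000, bytes([198, 51, 100, 7]), 443, 6),
    AutostartRow(5, "ipiaIkeActionTable.retired", IPV4,          # dangling pointer, port 0
                 bytes([10, 0, 1, 1]), 0, bytes([198, 51, 100, 9]), 443, 6),
    AutostartRow(7, "ipiaIkeActionTable.hq-tunnel", IPV6,        # 4-octet addresses typed ipv6
                 bytes([10, 0, 1, 1]), 40000, bytes([192, 0, 2, 10]), 443, 6),
]
```

   Of the four constructed rows only the first two pass; the third is
   refused for its dangling ipiaAutoIkeAction pointer and zero source
   port, the fourth because both 4-octet addresses contradict an
   ipiaAutoIkeAddressType of ipv6.  startup_order() then yields the
   surviving rows by ascending ipiaAutoIkePriority, which is the order
   the table description implies for automatic initiation.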


   --
   -- CA Table
   --

   ipiaIpsecCredMngServiceTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaIpsecCredMngServiceEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of Credential Management Service values.  This
            table is usually used for credential/certificate values
            that are used with a management service (e.g. Certificate
            Authorities)."
       ::= { ipiaConfigObjects 15 }

   ipiaIpsecCredMngServiceEntry OBJECT-TYPE
       SYNTAX      IpiaIpsecCredMngServiceEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the ipiaIpsecCredMngServiceTable."
       INDEX   { ipiaIcmsName }
       ::= { ipiaIpsecCredMngServiceTable 1 }

   IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
           ipiaIcmsName                SnmpAdminString,
           ipiaIcmsDistinguishedName   OCTET STRING,
           ipiaIcmsPolicyStatement     OCTET STRING,
           ipiaIcmsMaxChainLength      Integer32,
           ipiaIcmsCredentialName      SnmpAdminString,
           ipiaIcmsLastChanged         TimeStamp,
           ipiaIcmsStorageType         StorageType,
           ipiaIcmsRowStatus           RowStatus
   }

   ipiaIcmsName OBJECT-TYPE
       SYNTAX      SnmpAdminString(SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is an administratively assigned string used to index
            this table."
       ::= { ipiaIpsecCredMngServiceEntry 1 }

   ipiaIcmsDistinguishedName OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(1..256))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value represents the Distinguished Name of the
            Credential Management Service."
       ::= { ipiaIpsecCredMngServiceEntry 2 }

   ipiaIcmsPolicyStatement OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..1024))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value represents the Credential Management Service
            Policy Statement, or a reference describing how to obtain
            it (e.g., a URL).  If one doesn't exist, this value can be
            left blank."
       ::= { ipiaIpsecCredMngServiceEntry 3 }

   ipiaIcmsMaxChainLength OBJECT-TYPE
       SYNTAX      Integer32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the maximum length of the chain allowable
            from the Credential Management Service to the credential in
            question."
       DEFVAL     { 0 }
       ::= { ipiaIpsecCredMngServiceEntry 4}

   ipiaIcmsCredentialName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is used as an index into the
            ipiaCredentialFilterTable to look up the actual credential
            value."
       ::= { ipiaIpsecCredMngServiceEntry 5 }

   ipiaIcmsLastChanged  OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaIpsecCredMngServiceEntry 6 }

   ipiaIcmsStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaIpsecCredMngServiceEntry 7 }

   ipiaIcmsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaIpsecCredMngServiceEntry 8 }


   --
   -- CRL Table
   --

   ipiaCredMngCRLTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaCredMngCRLEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of the Credential Revocation Lists (CRL) for
            credential management services."
       ::= { ipiaConfigObjects 16 }

   ipiaCredMngCRLEntry OBJECT-TYPE
       SYNTAX      IpiaCredMngCRLEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the ipiaCredMngCRLTable."
       INDEX   { ipiaIcmsName , ipiaCmcCRLName }
       ::= { ipiaCredMngCRLTable 1 }

   IpiaCredMngCRLEntry ::= SEQUENCE {
           ipiaCmcCRLName             SnmpAdminString,
           ipiaCmcDistributionPoint   OCTET STRING,
           ipiaCmcThisUpdate          OCTET STRING,
           ipiaCmcNextUpdate          OCTET STRING,
           ipiaCmcLastChanged         TimeStamp,
           ipiaCmcStorageType         StorageType,
           ipiaCmcRowStatus           RowStatus
   }

   ipiaCmcCRLName OBJECT-TYPE
       SYNTAX      SnmpAdminString(SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is an administratively assigned string used to index
            this table. It represents a CRL for a given CA from a given
            distribution point."
       ::= { ipiaCredMngCRLEntry 1 }

   ipiaCmcDistributionPoint OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..256))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This Value represents a Distribution Point for a Credential
            Revocation List. It can be relative to the Credential
            Management Service or a full name (URL, e-mail, etc...)."
       ::= { ipiaCredMngCRLEntry 2 }

   ipiaCmcThisUpdate OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the issue date of this CRL. This
            SHOULD be in utctime or generalizedtime."
       ::= { ipiaCredMngCRLEntry 3 }

   ipiaCmcNextUpdate OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value indicates the date the next version of this CRL
            will be issued. This SHOULD be in utctime or
            generalizedtime."
       ::= { ipiaCredMngCRLEntry 4 }

   ipiaCmcLastChanged  OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaCredMngCRLEntry 5 }

   ipiaCmcStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaCredMngCRLEntry 6 }

   ipiaCmcRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaCredMngCRLEntry 7 }


   --
   -- Revoked Certificate Table
   --

   ipiaRevokedCertificateTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpiaRevokedCertificateEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of Credentials revoked by credential management
            services.  That is, this table is a table of Certificates
            that are on CRLs (Credential Revocation Lists)."
       ::= { ipiaConfigObjects 17 }

   ipiaRevokedCertificateEntry OBJECT-TYPE
       SYNTAX      IpiaRevokedCertificateEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A row in the ipiaRevokedCertificateTable."
       INDEX   { ipiaCmcCRLName, ipiaRctCertSerialNumber}
       ::= { ipiaRevokedCertificateTable 1 }

   IpiaRevokedCertificateEntry ::= SEQUENCE {
           ipiaRctCertSerialNumber    Unsigned32,
           ipiaRctRevokedDate         OCTET STRING,
           ipiaRctRevokedReason       INTEGER,
           ipiaRctLastChanged         TimeStamp,
           ipiaRctStorageType         StorageType,
           ipiaRctRowStatus           RowStatus
   }

   ipiaRctCertSerialNumber OBJECT-TYPE
       SYNTAX      Unsigned32 (0..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This value is the serial number of the revoked
            certificate."
       ::= { ipiaRevokedCertificateEntry 1 }

   ipiaRctRevokedDate OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the revocation date of the certificate. This
            SHOULD be in utctime or generalizedtime."
       ::= { ipiaRevokedCertificateEntry 2 }

   ipiaRctRevokedReason OBJECT-TYPE
       SYNTAX INTEGER { unspecified(1), keyCompromise(2),
                        cACompromise(3), affiliationChanged(4),
                        superseded(5), cessationOfOperation(6),
                        certificateHold(7), removeFromCRL(8) }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This value is the reason this certificate was revoked."
       DEFVAL      { unspecified }
       ::= { ipiaRevokedCertificateEntry 3 }

   ipiaRctLastChanged  OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified or
            created either through SNMP SETs or by some other external
            means."
       ::= { ipiaRevokedCertificateEntry 4 }

   ipiaRctStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
            were created through an external process MAY have a storage
            type of readOnly or permanent.

            For a storage type of permanent, none of the columns have
            to be writable."
       DEFVAL { nonVolatile }
       ::= { ipiaRevokedCertificateEntry 5 }

   ipiaRctRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

            The value of this object has no effect on whether other
            objects in this conceptual row can be modified.

            If active, this object MUST remain active if it is
            referenced by an active row in another table.  An attempt
            to set it to anything other than active while it is
            referenced by an active row in another table MUST result in
            an inconsistentValue error."
       ::= { ipiaRevokedCertificateEntry 6 }
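   An added example (not code from the draft or from any implementation
   of it) that models the ipiaCredMngCRLTable and
   ipiaRevokedCertificateTable defined above in Python: it decodes the
   UTCTime/GeneralizedTime strings the update and revocation-date
   columns call for, enforces the ipiaCmcRowStatus rule that a CRL row
   referenced by an active revoked-certificate row cannot leave the
   active state, and answers revocation queries without trusting a
   stale CRL.  All names, serial numbers, URLs and dates in it are
   constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Tuple

ACTIVE, NOT_IN_SERVICE = 1, 2          # RowStatus values (RFC 2579) used here

REASONS = {1: "unspecified", 2: "keyCompromise", 3: "cACompromise",
           4: "affiliationChanged", 5: "superseded",         # ipiaRctRevokedReason
           6: "cessationOfOperation", 7: "certificateHold", 8: "removeFromCRL"}


def parse_asn1_time(value: str) -> datetime:
    """Decode ipiaCmcThisUpdate / ipiaCmcNextUpdate / ipiaRctRevokedDate.  The
    draft says these SHOULD be UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime
    (YYYYMMDDHHMMSSZ); only Zulu forms are accepted, 2-digit years per X.509."""
    if not value.endswith("Z"):
        raise ValueError(f"time must be in Zulu form: {value!r}")
    if len(value) == 13:                              # UTCTime
        year = int(value[:2])
        year += 1900 if year >= 50 else 2000          # 50..99 -> 19xx, 00..49 -> 20xx
        rest = value[2:-1]
    elif len(value) == 15:                            # GeneralizedTime
        year, rest = int(value[:4]), value[4:-1]
    else:
        raise ValueError(f"not UTCTime or GeneralizedTime: {value!r}")
    mon, day, hh, mm, ss = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mon, day, hh, mm, ss, tzinfo=timezone.utc)  # range-checked


@dataclass
class CrlRow:                  # ipiaCredMngCRLEntry, index columns omitted
    distribution_point: str    # ipiaCmcDistributionPoint
    this_update: str           # ipiaCmcThisUpdate
    next_update: str           # ipiaCmcNextUpdate
    row_status: int = ACTIVE   # ipiaCmcRowStatus


@dataclass
class RevokedRow:              # ipiaRevokedCertificateEntry, index columns omitted
    revoked_date: str          # ipiaRctRevokedDate
    revoked_reason: int        # ipiaRctRevokedReason
    row_status: int = ACTIVE   # ipiaRctRowStatus


class CredMngTables:
    def __init__(self) -> None:
        # ipiaCredMngCRLTable: INDEX { ipiaIcmsName, ipiaCmcCRLName }
        self.crls: Dict[Tuple[str, str], CrlRow] = {}
        # ipiaRevokedCertificateTable: INDEX { ipiaCmcCRLName, ipiaRctCertSerialNumber }
        self.revoked: Dict[Tuple[str, int], RevokedRow] = {}

    def add_crl(self, icms_name: str, crl_name: str, row: CrlRow) -> None:
        if not 1 <= len(crl_name) <= 32:              # SnmpAdminString (SIZE(1..32))
            raise ValueError("ipiaCmcCRLName must be 1..32 characters")
        self.crls[(icms_name, crl_name)] = row

    def add_revoked(self, crl_name: str, serial: int, row: RevokedRow) -> None:
        if not 0 <= serial <= 4294967295:             # Unsigned32
            raise ValueError("ipiaRctCertSerialNumber out of range")
        if row.revoked_reason not in REASONS:
            raise ValueError("unknown ipiaRctRevokedReason")
        self.revoked[(crl_name, serial)] = row

    def set_crl_row_status(self, icms_name: str, crl_name: str, new: int) -> str:
        """SET on ipiaCmcRowStatus: an active CRL row that is still referenced by
        an active revoked-certificate row MUST stay active (inconsistentValue)."""
        row = self.crls[(icms_name, crl_name)]
        if row.row_status == ACTIVE and new != ACTIVE and any(
                name == crl_name and r.row_status == ACTIVE
                for (name, _), r in self.revoked.items()):
            return "inconsistentValue"
        row.row_status = new
        return "noError"

    def revocation_status(self, icms_name: str, crl_name: str,
                          serial: int, now: datetime) -> str:
        """'revoked:<reason>', 'good' or 'unknown'.  A stale or inactive CRL is
        never taken as evidence that a certificate is still good."""
        crl = self.crls[(icms_name, crl_name)]
        if not (crl.row_status == ACTIVE and parse_asn1_time(crl.this_update)
                <= now < parse_asn1_time(crl.next_update)):
            return "unknown"
        rev = self.revoked.get((crl_name, serial))
        # removeFromCRL(8) appears only in delta CRLs and means the certificate
        # is no longer revoked (RFC 5280), so it is reported as good.
        if rev is None or rev.row_status != ACTIVE or rev.revoked_reason == 8:
            return "good"
        return "revoked:" + REASONS[rev.revoked_reason]


def demo(now: datetime = datetime(2006, 10, 20, tzinfo=timezone.utc)) -> Tuple[str, str, str]:
    """Constructed rows: a CRL valid through October 2006, one key-compromise entry."""
    t = CredMngTables()
    t.add_crl("corp-ca", "corp-ca-crl", CrlRow("http://crl.example.net/corp.crl",
                                              "061001000000Z", "061101000000Z"))
    t.add_revoked("corp-ca-crl", 4711, RevokedRow("061015120000Z", 2))
    return (t.revocation_status("corp-ca", "corp-ca-crl", 4711, now),
            t.revocation_status("corp-ca", "corp-ca-crl", 4712, now),
            t.set_crl_row_status("corp-ca", "corp-ca-crl", NOT_IN_SERVICE))
```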

   --
   --
   -- Notification objects information
   --
   --

   ipiaNotificationVariables OBJECT IDENTIFIER ::=
      { ipiaNotificationObjects 1 }

   ipiaNotifications OBJECT IDENTIFIER ::=
      { ipiaNotificationObjects 0 }


   --
   --
   -- Conformance information
   --
   --

   ipiaCompliances OBJECT IDENTIFIER
       ::= { ipiaConformanceObjects 1 }
   ipiaGroups OBJECT IDENTIFIER
       ::= { ipiaConformanceObjects 2 }


   --
   -- Compliance statements
   --
   --

   ipiaIKECompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include an
            IPsec MIB implementation and supports IKE actions.

            -- OBJECT ipiaAutoIkeAddressType
            -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --
            -- OBJECT ipiaAutoIkeSourceAddress
            -- SYNTAX InetAddress (SIZE(4|16))
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --
            -- OBJECT ipiaAutoIkeDestAddress
            -- SYNTAX InetAddress (SIZE(4|16))
            -- DESCRIPTION
            -- Only support for global IPv4 and IPv6 address
            -- types is required.
            --"
       MODULE -- This Module
           MANDATORY-GROUPS { ipiaIpsecGroup, ipiaIkeGroup,
                              ipiaStaticActionGroup, ipsaSharedGroup }

           OBJECT      ipiaIkeActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIkeActPropLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is optional so as not to impose an undue
                  burden on resource-constrained devices."

           OBJECT      ipiaIkePropLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIpsecActLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIpsecPropLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIpsecTranLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaSaNegParamLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaIkeIdLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaAutoIkeLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                "This object is optional so as not to impose an undue
                 burden on resource-constrained devices."

           OBJECT      ipiaCmcDistributionPoint
           MIN-ACCESS  read-only
           DESCRIPTION
                 "Only read-only access is required for compliance."

           OBJECT      ipiaCmcThisUpdate
           MIN-ACCESS  read-only
           DESCRIPTION
                "Only read-only access is required for compliance."

           OBJECT      ipiaCmcNextUpdate
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaCmcLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."

           OBJECT      ipiaCmcStorageType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaRctRevokedDate
           MIN-ACCESS  read-only
           DESCRIPTION
              "Only read-only access is required for compliance."

           OBJECT      ipiaRctRevokedReason
           MIN-ACCESS  read-only
           DESCRIPTION
              "Only read-only access is required for compliance."

           OBJECT      ipiaRctLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."

           OBJECT      ipiaRctStorageType
           MIN-ACCESS  read-only
           DESCRIPTION
              "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsDistinguishedName
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsPolicyStatement
           MIN-ACCESS  read-only
           DESCRIPTION
                "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsMaxChainLength
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsCredentialName
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

           OBJECT      ipiaIcmsLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."

           OBJECT      ipiaIcmsStorageType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Only read-only access is required for compliance."

       ::= { ipiaCompliances 1 }


   ipiaRuleFilterCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities that include an
            IKEACTION MIB implementation with IKE filters support."
       MODULE -- This Module
           MANDATORY-GROUPS { ipiaStaticFilterGroup }

           GROUP ipiaPeerIdFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                implementations which support Peer Identity filters."

           OBJECT      ipiaPeerIdFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."

           GROUP ipiaCredentialFilterGroup
           DESCRIPTION
               "This group is mandatory for IPsec Policy
                 implementations which support IKE Credential filters."

           OBJECT      ipiaCredFiltLastChanged
           MIN-ACCESS  not-accessible
           DESCRIPTION
                 "This object is not required for compliance."

       ::= { ipiaCompliances 2 }

   --
   --
   -- Compliance Groups Definitions
   --

   --
   -- Compliance Groups
   --

   ipiaStaticFilterGroup OBJECT-GROUP
       OBJECTS { ipiaIkePhase1Filter,
                 ipiaIkePhase2Filter }
       STATUS current
       DESCRIPTION
           "The static filter group.  Currently this is just a true
            filter."
       ::= { ipiaGroups 1 }

   ipiaCredentialFilterGroup OBJECT-GROUP
       OBJECTS {
           ipiaCredFiltCredentialType, ipiaCredFiltMatchFieldName,
           ipiaCredFiltMatchFieldValue, ipiaCredFiltAcceptCredFrom,
           ipiaCredFiltLastChanged, ipiaCredFiltStorageType,
           ipiaCredFiltRowStatus,

           ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
           ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
           ipiaCmcRowStatus,

           ipiaRctRevokedDate, ipiaRctRevokedReason,
           ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,

           ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
           ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
           ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy
           Credential Filter Table."
       ::= { ipiaGroups 2 }

   ipiaPeerIdFilterGroup OBJECT-GROUP
       OBJECTS {
           ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue,
           ipiaPeerIdFiltLastChanged, ipiaPeerIdFiltStorageType,
           ipiaPeerIdFiltRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is made up of objects from the IPsec Policy Peer
           Identity Filter Table."
       ::= { ipiaGroups 3 }

   --
   -- action compliance groups
   --

   ipiaStaticActionGroup OBJECT-GROUP
       OBJECTS {
           ipiaRejectIKEAction,
           ipiaRejectIKEActionLog
       }
       STATUS current
       DESCRIPTION
           "This group is made up of IPsec Policy Static Actions
           objects."
       ::= { ipiaGroups 4 }

   ipiaIkeGroup OBJECT-GROUP
       OBJECTS {
           ipiaIkeActParametersName, ipiaIkeActThresholdDerivedKeys,
           ipiaIkeActExchangeMode, ipiaIkeActAgressiveModeGroupId,
           ipiaIkeActIdentityType, ipiaIkeActIdentityContext,
           ipiaIkeActPeerName, ipiaIkeActVendorId, ipiaIkeActPropName,
           ipiaIkeActDoActionLogging, ipiaIkeActDoPacketLogging,
           ipiaIkeActLastChanged, ipiaIkeActStorageType,
           ipiaIkeActRowStatus,

           ipiaIkeActPropLastChanged, ipiaIkeActPropStorageType,
           ipiaIkeActPropRowStatus,

           ipiaIkePropLifetimeDerivedKeys, ipiaIkePropCipherAlgorithm,
           ipiaIkePropCipherKeyLength, ipiaIkePropCipherKeyRounds,
           ipiaIkePropHashAlgorithm, ipiaIkePropPrfAlgorithm,
           ipiaIkePropVendorId, ipiaIkePropDhGroup,
           ipiaIkePropAuthenticationMethod, ipiaIkePropMaxLifetimeSecs,
           ipiaIkePropMaxLifetimeKB, ipiaIkePropLastChanged,
           ipiaIkePropStorageType,
           ipiaIkePropRowStatus,

           ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
           ipiaSaNegParamRefreshThreshSecs,
           ipiaSaNegParamRefreshThresholdKB,
           ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
           ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus,

           ipiaIkeIdCredentialName, ipiaIkeIdLastChanged,
           ipiaIkeIdStorageType, ipiaIkeIdRowStatus,

           ipiaAutoIkeAction, ipiaAutoIkeAddressType,
           ipiaAutoIkeSourceAddress, ipiaAutoIkeSourcePort,
           ipiaAutoIkeDestAddress, ipiaAutoIkeDestPort,
           ipiaAutoIkeProtocol, ipiaAutoIkeLastChanged,
           ipiaAutoIkeStorageType, ipiaAutoIkeRowStatus,

           ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
           ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
           ipiaCmcRowStatus,

           ipiaRctRevokedDate, ipiaRctRevokedReason,
           ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,

           ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
           ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
           ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is the set of objects that support IKE
            actions.  These objects are from The IPsec Policy IKE
            Action Table, The IKE Action Proposals Table, The IKE
            Proposal Table, The autostart IKE Table, The IKE
            Identity Table, The Peer Identity Table, The Credential
            Management Service Table, and the shared table Negotiation
            Parameters Table (from the IPSEC-IPSECACTION-MIB)."
       ::= { ipiaGroups 5 }

   ipiaIpsecGroup OBJECT-GROUP
       OBJECTS {
           ipiaIpsecActParametersName, ipiaIpsecActProposalsName,
           ipiaIpsecActUsePfs, ipiaIpsecActVendorId,
           ipiaIpsecActGroupId, ipiaIpsecActPeerGatewayIdName,
           ipiaIpsecActUseIkeGroup, ipiaIpsecActGranularity,
           ipiaIpsecActMode, ipiaIpsecActDFHandling,
           ipiaIpsecActDoActionLogging, ipiaIpsecActDoPacketLogging,
           ipiaIpsecActLastChanged, ipiaIpsecActStorageType,
           ipiaIpsecActRowStatus,

           ipiaIpsecPropTransformsName, ipiaIpsecPropLastChanged,
           ipiaIpsecPropStorageType, ipiaIpsecPropRowStatus,

           ipiaIpsecTranTransformName, ipiaIpsecTranLastChanged,
           ipiaIpsecTranStorageType, ipiaIpsecTranRowStatus,

           ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
           ipiaSaNegParamRefreshThreshSecs,
           ipiaSaNegParamRefreshThresholdKB,
           ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
           ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus
       }
       STATUS current
       DESCRIPTION
           "This group is the set of objects that support IPsec
            actions.  These objects are from The IPsec Policy IPsec
            Actions Table, The IPsec Proposal Table, and The IPsec
            Transform Table.  This group also includes objects from the
            shared tables: Peer Identity Table, Credential Table,
            Negotiation Parameters Table, Credential Management Service
            Table and the AH, ESP, and IPComp Transform Table."
       ::= { ipiaGroups 6 }

   END



7.  Security Considerations

7.1.  Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IKE negotiates keys for IPsec and IPsec provides
   security services, it is important that the IKE configuration data
   SHOULD be at least as protected as the IPsec provided security
   service.  There are two main threats you need to thwart when
   configuring IPsec devices.

   1.  Malicious Configuration: This MIB configures network security
       services.  If an attacker has SET access to any part of this MIB,
       the network security services configured by this MIB SHOULD be
       considered broken.  The network data sent through the associated
       gateway should no longer be considered as protected by IPsec
       (i.e., it is no longer confidential or authenticated).
       Therefore, only the official administrators SHOULD be allowed to
       configure a device.  In other words, administrators' identities
       SHOULD be authenticated and their access rights checked before
       they are allowed to do device configuration.  The support for SET
       operations to the IPSEC-IKEACTION-MIB in a non-secure
       environment, without proper protection, will invalidate the
       security of the network traffic affected by the IPSEC-IKEACTION-
       MIB.

   2.  Disclosure of Configuration: In general, malicious parties SHOULD
       NOT be able to read security configuration data while the data is
       in network transit.  An attacker reading the configuration data
       may be able to find misconfigurations in the MIB that enable
       attacks on the network or on the configured node.  Since this
       entire MIB is used for security configuration, it is highly
       RECOMMENDED that only authorized administrators are allowed to
       view data in this MIB.  In particular, malicious users SHOULD be
       prevented from reading SNMP packets containing this MIB's data.
       SNMP GET data SHOULD be encrypted when sent across the network.
       Also, only authorized administrators SHOULD be allowed SNMP GET
       access to any of the MIB objects.

   SNMP versions prior to SNMPv3 do not include adequate security.  Even
   if the network itself is secure (e.g. by using IPsec), earlier
   versions of SNMP have virtually no control as to who on the secure
   network is allowed to access (i.e. read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you
   SHOULD use SNMP version 3.  The rest of this discussion assumes the
   use of SNMPv3.  This is a real strength, because it allows
   administrators to load new IPsec configuration on a device and keep
   the conversation private and authenticated under the protection of
   SNMPv3 before any IPsec protections are available.
   Once initial establishment of IPsec configuration on a device has
   been achieved, it would be possible to set up IPsec SAs to then also
   provide security and integrity services to the configuration
   conversation.  This may seem redundant at first, but will be shown to
   have a use for added privacy protection below.

7.2.  Protecting against unauthenticated access

   The current SNMPv3 User Security Model provides for key-based user
   authentication.  Typically, keys are derived from passwords (but are
   not required to be), and the keys are then used in HMAC algorithms
   (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
   data.  Each SNMP device keeps a (configured) list of users and keys.
   Under SNMPv3 user keys may be updated as often as an administrator
   cares to have users enter new passwords.  But Perfect Forward Secrecy
   for user keys is not yet provided by standards track documents,
   although RFC2786 defines an experimental method of doing so.

7.3.  Protecting against involuntary disclosure

   While sending IPsec configuration data to a Policy Enforcement Point
   (PEP), there are a few critical parameters which MUST NOT be observed
   by third parties.  Specifically, except for public keys, keying
   information MUST NOT be allowed to be observed by third parties.
   These include IKE Pre-Shared Keys and possibly the private key of a
   public/private key pair for use in a PKI.  Were either of those
   parameters to be known to a third party, they could then impersonate
   the device to other IKE peers.  Aside from those critical parameters,
   policy administrators have an interest in not divulging any of their
   policy configuration.  Any knowledge about a device's configuration
   could help an unfriendly party compromise that device.  SNMPv3 offers
   privacy security services, but at the time this document was written,
   the only standardized encryption algorithm supported by SNMPv3 is the
   DES encryption algorithm.  Support for other (stronger) cryptographic
   algorithms is in the works and may be done as you read this (e.g.
   AES [RFC3826]).  When configuring IPsec policy using this MIB, policy
   administrators SHOULD use a privacy security service that is at least
   as strong as the desired IPsec policy.  For example, if an
   administrator were to use this MIB to configure an IPsec connection
   that utilizes the 3DES algorithm, the SNMP communication configuring
   the connection SHOULD be protected by an algorithm as strong or
   stronger than the 3DES algorithm.

7.4.  Bootstrapping your configuration

   Most vendors will not ship new products with a default SNMPv3 user/
   password pair, but it is possible.  If a device does ship with a
   default user/password pair, policy administrators SHOULD either
   change the password or configure a new user, deleting the default
   user (or at a minimum, restrict the access of the default user).
   Most SNMPv3 distributions should, hopefully, require an out-of-band
   initialization over a trusted medium, such as a local console
   connection.  If a product does install with default user/password
   information, these values should be changed before connecting to a
   network.


8.  IANA Considerations

   Only one IANA consideration exists for this document.  The
   consideration is the node number allocation of the IPSEC-IKEACTION-
   MIB under the spdActions node of the IPSEC-SPD-MIB.


9.  Acknowledgments

   Many other people contributed thoughts and ideas that influenced this
   MIB module.  Some special thanks are in order for the following
   people:

         Lindy Foster     (Sparta, Inc.)
         John Gillis      (ADC)
         Jamie Jason      (Intel Corporation)
         Roger Hartmuller (Sparta, Inc.)
         David Partain    (Ericsson)
         Lee Rafalow      (IBM)
         Jon Saperia      (JDS Consulting)
         John Shriver     (Internap Network Services Corporation)
         Eric Vyncke      (Cisco Systems)


10.  References

10.1.  Normative References

   [RFCZZZZ]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy Database Configuration MIB",
              January 2004.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy IPsec Action MIB",
              January 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3585]  Jason, J., Rafalow, L., and E. Vyncke, "IPsec
              Configuration Policy Information Model", RFC 3585,
              August 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2.  Informative References

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
              Paper", More Info http://www.dmtf.org/specs/cim.html,
              November 2000.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.


Authors' Addresses

   Michael Baer
   Sparta, Inc.
   P.O. Box 72682
   Davis, CA  95617
   US

   Email: baerm@tislabs.com


   Ricky Charlet
   Self

   Email: rcharlet@alumni.calpoly.edu


   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA  95617
   US

   Phone: +1 530 792 1913
   Email: hardaker@tislabs.com


   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA  30085
   US

   Email: rstory@sparta.com


   Cliff Wang
   ARO/North Carolina State University
   4300 S. Miami Blvd
   RTP, NC  27709
   US

   Email: cliffwangmail@yahoo.com


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).