INTERNET DRAFT                                                    Man Li
IPSP working group                                         David Arneson
Expires January 2001                                               Nokia
Standards Track                                               Avri Doria
                                                         Nortel Networks
                                                             Jamie Jason
                                                                   Intel


                     IPSec Policy Information Base


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document specifies a set of policy rule classes (PRC) for
   configuring IPSec services. Instances of these classes reside in a
   virtual information store called IPSec Policy Information Base
   (PIB). The COPS protocol [COPS] with the extensions for provisioning
   [COPS-PR] may be used to transmit this IPSec policy information to
   IPSec-enabled devices (e.g., gateways) in order to configure VPN
   services.

Li,Arneson,Doria,Jason                                          [Page 1]

Internet Draft          IPSec Policy Information Base          July 2000

   The PRCs defined in this IPSec PIB are intended for use by the
   COPS-PR IPSec client type. They complement the PRCs defined in the
   Framework PIB [FR-PIB].

1. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for IKE phase one and phase two negotiations. The IPSec
   PIB, when downloaded to IPSec-enabled devices, will enable them to
   construct a Security Policy Database (SPD). The PRCs described in
   this document are based on [IPSEC-IM], [IKE], [ESP], [AH], [DOI],
   [IPCOMP] and [SPPI].
   Please refer to [ARCH] for a description of the IPSec architecture
   and to [PCIM] and [FR-PIB] for information about applying the
   concepts of role and role combination to policy management.

   Following the policy framework convention, the management entity
   that downloads policy to IPSec-enabled devices will be called a
   Policy Decision Point (PDP) and the IPSec-enabled devices will be
   called Policy Execution Points (PEP). On boot up, a PEP reports to a
   PDP, among other things, its role or role combinations. The PDP then
   determines the IPSec PIB that should be downloaded to the PEP
   according to the role description. Later on, if the role of the PEP
   changes, the PEP notifies the PDP of its new role and the PDP sends
   a new PIB to the PEP. In addition, if the policy associated with a
   particular role changes, the PDP downloads a new PIB to all the PEPs
   that have registered with that role.

   There is an ongoing effort to define an IPSec configuration policy
   model [IPSEC-IM]. The PIB defined in this document is not completely
   aligned with that information model. As work goes on, they should be
   aligned in the near future.

2. Descriptions of the IPSec PIB

2.1 ipSecSelectorTable

   This table specifies IPSec selectors. The selectors form an ordered
   list and the ipSecSelectorOrder attribute defines the position of a
   selector within the list. Each selector is associated with an IPSec
   action. An IP packet is compared with the ordered selector list and
   the first match is selected. The action associated with that
   selector is then applied to the packet.

   Multiple selectors may be associated with the same action and, if
   IPSec protection is required, the same IKE phase 1 and 2 negotiation
   parameters. These selectors are grouped together and are given the
   same selector group number, as indicated by the ipSecSelectorGroupId
   attribute.
   In some situations, either the source or the destination address of
   a selector needs to be a wild card. Remote access is an example. A
   remote terminal is dynamically assigned an IP address by its ISP.
   That address cannot be known beforehand and hence needs to be
   specified as a wild-carded address in the IPSec policy. A
   wild-carded IP address is specified with the combination of an all
   zero IP address (e.g., IPv4 0.0.0.0) and an all zero address mask
   (e.g., IPv4 0.0.0.0).

   Another type of wild-carded address is a so-called semi-wild-carded
   address. It indicates "all the addresses protected by the PEP
   gateway". For a VPN that has a well defined topology (e.g., fully
   meshed), a selector stating "tcp traffic from all the addresses
   protected by the PEP to network Z" can be downloaded to all the VPN
   gateways without spelling out the different protected IP addresses
   for the different gateways. This simplifies PIB construction and
   network management. A semi-wild-carded IP address is specified with
   the combination of an all zero IP address and an all ones address
   mask (e.g., IPv4 255.255.255.255).

2.2 ipSecActionTable

   This table specifies the service to be provided to an IP packet.
   Actions include Bypass, Discard, Transport and Tunnel. When Tunnel
   is specified, the IP address of the remote gateway to which the
   tunnel is to be established should also be specified. If Transport
   or Tunnel is specified, references to the
   ipSecSecurityAssociationTable and the ipSecIkeActionTable should
   also be specified. These two tables provide details of IKE and IPSec
   associations.

2.3 ipSecRuleTable

   This table ties role combinations, selector groups and IPSec actions
   together. It specifies the individual rules within a security policy
   database. Each rule has references to a selector group and to an
   IPSec action. Effectively, it says that if a packet matches a
   selector in the referenced selector group, it should be provided
   with the service specified by the action.
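   The selector, action and rule tables described above, evaluated in
   an added Python example that is not part of this draft. It assumes
   IPv4 addresses only, represents the ipSecRuleTable as a mapping from
   selector group id to action (roles and direction omitted), and
   treats a port min/max of 0/0 as "any port", which the draft leaves
   unspecified; the sample policy and packets are constructed.

```python
# Added example (not from the draft): evaluating the ipSecSelectorTable /
# ipSecRuleTable / ipSecActionTable model of sections 2.1-2.3 for IPv4.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional

ZERO = IPv4Address("0.0.0.0")
ALL_ONES = IPv4Address("255.255.255.255")

@dataclass(frozen=True)
class Selector:
    """One ipSecSelectorTable row (names shortened; IPv4 addresses only)."""
    order: int                  # ipSecSelectorOrder: lower value is tried first
    group_id: int               # ipSecSelectorGroupId
    src_addr: IPv4Address
    src_mask: IPv4Address
    dst_addr: IPv4Address
    dst_mask: IPv4Address
    protocol: int = 0           # ipSecSelectorProtocol: 0 matches all
    src_port_min: int = 0
    src_port_max: int = 0       # 0 means no range: match src_port_min exactly
    dst_port_min: int = 0
    dst_port_max: int = 0

@dataclass(frozen=True)
class Action:
    """One ipSecActionTable row."""
    kind: str                                   # byPass, discard, transport, tunnel
    remote_gateway: Optional[IPv4Address] = None
    sa_id: int = 0                              # ipSecActionIpSecSecurityAssociationId
    ike_action_id: int = 0                      # ipSecActionIPSecIkeActionId

    def __post_init__(self):
        # Consistency rules stated in the ipSecActionTable descriptions.
        if self.kind == "tunnel" and self.remote_gateway is None:
            raise ValueError("tunnel requires a remote gateway address")
        if self.kind in ("byPass", "discard") and (self.sa_id or self.ike_action_id):
            raise ValueError("byPass/discard must carry zero SA and IKE references")
        if self.kind in ("transport", "tunnel") and not (self.sa_id and self.ike_action_id):
            raise ValueError("transport/tunnel need non-zero SA and IKE references")

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protocol: int
    src_port: int
    dst_port: int

def addr_matches(pkt_addr: IPv4Address, sel_addr: IPv4Address, mask: IPv4Address,
                 protected: IPv4Network) -> bool:
    """Apply the draft's address/mask conventions to one address."""
    if sel_addr == ZERO and mask == ZERO:
        return True                      # wild card: every address matches
    if sel_addr == ZERO and mask == ALL_ONES:
        return pkt_addr in protected     # semi-wild card: addresses protected by this PEP
    m = int(mask)                        # a zero mask bit always matches
    return (int(pkt_addr) & m) == (int(sel_addr) & m)

def port_matches(port: int, lo: int, hi: int) -> bool:
    if lo == 0 and hi == 0:
        return True                      # assumption: min 0 / max 0 means any port
    if hi == 0:
        return port == lo                # no range: exact match on the min value
    return lo <= port <= hi

def selector_matches(sel: Selector, pkt: Packet, protected: IPv4Network) -> bool:
    return (addr_matches(pkt.src, sel.src_addr, sel.src_mask, protected)
            and addr_matches(pkt.dst, sel.dst_addr, sel.dst_mask, protected)
            and sel.protocol in (0, pkt.protocol)
            and port_matches(pkt.src_port, sel.src_port_min, sel.src_port_max)
            and port_matches(pkt.dst_port, sel.dst_port_min, sel.dst_port_max))

def decide(pkt: Packet, selectors: Iterable[Selector], rules: Dict[int, Action],
           protected: IPv4Network) -> Optional[Action]:
    """First match in ipSecSelectorOrder wins; its group id selects the rule's action."""
    for sel in sorted(selectors, key=lambda s: s.order):
        if selector_matches(sel, pkt, protected):
            return rules.get(sel.group_id)
    return None    # nothing matched; the draft defines no default action

# Constructed sample policy for a PEP that protects 10.1.0.0/16.
PROTECTED = IPv4Network("10.1.0.0/16")
SELECTORS = [
    # "tcp/443 from all addresses protected by the PEP to 192.168.5.0/24" -> group 1
    Selector(10, 1, ZERO, ALL_ONES, IPv4Address("192.168.5.0"),
             IPv4Address("255.255.255.0"), protocol=6, dst_port_min=443),
    Selector(20, 2, ZERO, ZERO, ZERO, ZERO),   # catch-all: both ends wild-carded
]
RULES = {   # selector group id -> action (ipSecRuleTable; roles and direction omitted)
    1: Action("tunnel", IPv4Address("203.0.113.1"), sa_id=1, ike_action_id=1),
    2: Action("discard"),
}

def classify(src: str, dst: str, proto: int, sport: int, dport: int) -> Optional[str]:
    pkt = Packet(IPv4Address(src), IPv4Address(dst), proto, sport, dport)
    act = decide(pkt, SELECTORS, RULES, PROTECTED)
    return None if act is None else act.kind
```

   A packet from an address outside the PEP's protected range fails the
   semi-wild-carded source selector and falls through to the catch-all,
   which is what makes the ordering of the selector list matter.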
   This table also references the ipSecPolicyTimePeriodGroupTable to
   specify the time periods during which a policy is valid.

2.4 ipSecIkeActionTable

   This table specifies attributes associated with IKE associations. It
   also references a row in the ipSecIkeProposalGroupTable to specify
   the proposals the PEP should propose when establishing an IKE
   association.

2.5 ipSecIkeProposalGroupTable

   This table specifies multiple IKE proposal groups. Within a group,
   proposals are ORed with preference.

2.6 ipSecIkeProposalTable

   This table specifies attributes associated with IKE proposals.

2.7 ipSecSecurityAssociationTable

   This table specifies attributes associated with IPSec associations.
   It also references a row in the ipSecProposalGroupTable to specify
   the proposals the PEP should propose when establishing an IPSec
   association.

2.8 ipSecProposalGroupTable

   This table specifies multiple proposal groups. Within a group,
   proposals are ORed with preference.

2.9 ipSecProposalTable

   This table specifies IPSec proposals. It references the
   ipSecEspTransformGroupTable, ipSecAhTransformGroupTable and
   ipSecCompTransformGroupTable to specify the transforms within each
   proposal. Within a proposal, the different transform types are
   ANDed.

2.10 ipSecEspTransformGroupTable

   This table specifies multiple ESP transform groups. Within a
   transform group, the choices are ORed with preference order.

2.11 ipSecEspTransformTable

   This table specifies attributes associated with ESP transforms.

2.12 ipSecAhTransformGroupTable

   This table specifies multiple AH transform groups. Within a
   transform group, the choices are ORed with preference order.

2.13 ipSecAhTransformTable

   This table specifies attributes associated with AH transforms.
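   How the proposal group, proposal and transform group tables of
   sections 2.5 through 2.13 combine into the ordered list of offers a
   PEP presents, as an added Python example that is not part of this
   draft; it also applies the lifetime attributes of section 2.7, and
   the same expansion applies to the IKE proposal groups of 2.5. Assumed,
   not stated by the draft: a transform group id of 0 means the proposal
   carries no transform of that type, and the transform names and tables
   are constructed.

```python
# Added example (not from the draft): expanding the proposal-group /
# proposal / transform-group structure of sections 2.5-2.13 into the
# ordered list of concrete offers, plus the lifetime checks of 2.7.
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_LIFETIME_SECONDS = 8 * 3600   # ipSecProposalLifetimeSeconds of 0 means 8 hours

# transform group id -> [(order, transform name)]; choices are ORed with preference.
TransformGroups = Dict[int, List[Tuple[int, str]]]

@dataclass(frozen=True)
class Proposal:
    """One ipSecProposalTable row. Assumption: a transform group id of 0 means
    the proposal carries no transform of that type (the draft does not say)."""
    lifetime_kilobytes: int      # 0: no kilobyte lifetime
    lifetime_seconds: int        # 0: defaults to 8 hours
    esp_group_id: int
    ah_group_id: int
    comp_group_id: int

def ordered_choices(groups: TransformGroups, group_id: int) -> List[Optional[str]]:
    """Transforms of one group in ipSec*TransformGroup preference order."""
    if group_id == 0:
        return [None]
    return [name for _, name in sorted(groups[group_id])]

def expand_proposal(p: Proposal, esp: TransformGroups, ah: TransformGroups,
                    comp: TransformGroups) -> List[dict]:
    """Within a proposal the transform types are ANDed, so every ESP x AH x IPComp
    combination is an offer; product() keeps higher-preference choices first."""
    return [{"esp": e, "ah": a, "ipcomp": c,
             "lifetime_seconds": p.lifetime_seconds or DEFAULT_LIFETIME_SECONDS,
             "lifetime_kilobytes": p.lifetime_kilobytes}
            for e, a, c in product(ordered_choices(esp, p.esp_group_id),
                                   ordered_choices(ah, p.ah_group_id),
                                   ordered_choices(comp, p.comp_group_id))]

def expand_group(group_rows: Iterable[Tuple[int, int]], proposals: Dict[int, Proposal],
                 esp: TransformGroups, ah: TransformGroups,
                 comp: TransformGroups) -> List[dict]:
    """ipSecProposalGroupTable rows are (ipSecProposalGroupOrder, proposal id);
    proposals are ORed with preference, so lower order is offered first."""
    offers: List[dict] = []
    for _, proposal_id in sorted(group_rows):
        offers.extend(expand_proposal(proposals[proposal_id], esp, ah, comp))
    return offers

def select_offer(offers: List[dict], peer_accepts) -> Optional[dict]:
    """Highest-preference offer the peer accepts (peer_accepts is a set of
    (esp, ah, ipcomp) triples the peer is willing to use)."""
    for offer in offers:
        if (offer["esp"], offer["ah"], offer["ipcomp"]) in peer_accepts:
            return offer
    return None

def lifetime_acceptable(peer_seconds: int, peer_kilobytes: int,
                        min_seconds: int, min_kilobytes: int) -> bool:
    """ipSecSecurityAssociationMinLifetime*: a minimum of 0 means none enforced."""
    if min_seconds and peer_seconds < min_seconds:
        return False
    if min_kilobytes and peer_kilobytes < min_kilobytes:
        return False
    return True

def renegotiate_at(lifetime: int, refresh_threshold_percent: int) -> int:
    """ipSecSecurityAssociationRefreshThreshold*: point (seconds or kilobytes)
    at which re-negotiation starts; 100 means only after expiry."""
    if not 1 <= refresh_threshold_percent <= 100:
        raise ValueError("refresh threshold is a percentage in 1..100")
    return lifetime * refresh_threshold_percent // 100

# Constructed sample tables (transform names are illustrative strings).
ESP_GROUPS: TransformGroups = {1: [(2, "esp-3des-md5"), (1, "esp-3des-sha1")]}
AH_GROUPS: TransformGroups = {1: [(1, "ah-sha1")]}
COMP_GROUPS: TransformGroups = {1: [(1, "deflate")]}
PROPOSALS = {
    1: Proposal(0, 0, esp_group_id=1, ah_group_id=0, comp_group_id=1),
    2: Proposal(0, 3600, esp_group_id=1, ah_group_id=1, comp_group_id=0),
}
PROPOSAL_GROUP_1 = [(2, 2), (1, 1)]   # (order, proposal id): proposal 1 first

def sample_offers() -> List[dict]:
    return expand_group(PROPOSAL_GROUP_1, PROPOSALS, ESP_GROUPS, AH_GROUPS, COMP_GROUPS)
```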
2.14 ipSecCompTransformGroupTable

   This table specifies multiple IPComp transform groups. Within a
   transform group, the choices are ORed with preference order.

2.15 ipSecCompTransformTable

   This table specifies attributes associated with IPComp transforms.

2.16 ipSecPolicyTimePeriodTable

   A policy may be valid only for some given time periods. [FR-PIB]
   describes a method for pre-provisioning a policy so that a PDP may
   later activate it with a single decision message. In large networks,
   it may be desirable to include the policy's valid periods in the
   policy itself. It is then the responsibility of the PEPs to activate
   and de-activate the policy according to the time periods specified.
   This table, together with the ipSecPolicyTimePeriodGroupTable,
   provides a way to specify policy valid periods. The attributes and
   their formats are the same as those of the PolicyTimePeriodCondition
   class in [PCIM]. This consistency should help in constructing the
   PIB from the information model or schema.

2.17 ipSecPolicyTimePeriodGroupTable

   The ipSecPolicyTimePeriodTable is able to specify a single time
   period over multiple days (e.g., 8:00-10:00 am every Friday). This
   table allows one to specify multiple time periods over multiple days
   (e.g., 8:00-10:00 am and 2:00-5:00 pm every Friday) by putting
   multiple rows of the ipSecPolicyTimePeriodTable into one group.

3. The IPSec PIB

IPSEC-BASE-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32, MODULE-IDENTITY, OBJECT-TYPE,
    PolicyInstanceId, PolicyReferenceId
        FROM COPS-PR-SPPI
    OBJECT-IDENTITY
        FROM SNMPv2-SMI
    TruthValue, TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    RoleCombination
        FROM POLICY-FRAMEWORK-PIB;

ipSecPolicyPib MODULE-IDENTITY
    CLIENT-TYPE { tbd -- IPSec Client Type }
    LAST-UPDATED "200007101800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
                  Man Li
                  Nokia
                  5 Wayside Road, Burlington, MA 01803
                  Phone: +1 781 993 3923
                  Email: man.m.li@nokia.com

                  Avri Doria
                  Nortel Networks
                  600 Technology Park Drive
                  Billerica, MA 01821
                  Phone: +1 401 663 5024
                  Email: avri@nortelnetworks.com

                  Jamie Jason
                  Intel Corporation
                  MS JF3-206
                  2111 NE 25th Ave.
                  Hillsboro, OR 97124
                  Phone: +1 503 264 9531
                  Fax:   +1 503 264 9428
                  E-Mail: jamie.jason@intel.com"
    DESCRIPTION
            "This PIB module contains a set of policy rule classes
            that describe IPSec policies."
    ::= { tbd }

ipSecBase OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies the basics of IPSec policy.
            "
    ::= { ipSecPolicyPib 1 }

ipSecSecurityAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies attributes related to IPSec
            Security Associations"
    ::= { ipSecPolicyPib 2 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies attributes related to IKE
            Security Associations"
    ::= { ipSecPolicyPib 3 }

ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies attributes related to ESP Transform"
    ::= { ipSecPolicyPib 4 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies attributes related to AH Transform"
    ::= { ipSecPolicyPib 5 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies attributes related to IPComp Transform"
    ::= { ipSecPolicyPib 6 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
            "This group specifies the time periods during which a
            policy rule is valid.
            "
    ::= { ipSecPolicyPib 7 }

--
-- The ipSecSelectorTable
--

ipSecSelectorTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpSecSelectorEntry
    POLICY-ACCESS  install
    STATUS         current
    DESCRIPTION
            "Specifies the IPSec address selector table"
    INDEX { ipSecSelectorPrid }
    UNIQUENESS { SrcAddressType, DstAddressType, DstAddrMask,
                 SrcAddrMask, DestAddrMin, DestAddrMax, SrcAddrMin,
                 SrcAddrMax, Protocol, SrcPortMin, SrcPortMax,
                 DstPortMin, DstPortMax }
    ::= { ipSecBase 1 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX         IpSecSelectorEntry
    STATUS         current
    DESCRIPTION
            "Specifies an instance of this class"
    ::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
        ipSecSelectorPrid              PolicyInstanceId,
        ipSecSelectorSrcAddressType    INTEGER,
        ipSecSelectorDstAddressType    INTEGER,
        ipSecSelectorDstAddrMask       OCTET STRING,
        ipSecSelectorSrcAddrMask       OCTET STRING,
        ipSecSelectorDestAddrMin       OCTET STRING,
        ipSecSelectorDestAddrMax       OCTET STRING,
        ipSecSelectorSrcAddrMin        OCTET STRING,
        ipSecSelectorSrcAddrMax        OCTET STRING,
        ipSecSelectorProtocol          INTEGER,
        ipSecSelectorSrcPortMin        INTEGER,
        ipSecSelectorSrcPortMax        INTEGER,
        ipSecSelectorDstPortMin        INTEGER,
        ipSecSelectorDstPortMax        INTEGER,
        ipSecSelectorOrder             Unsigned32,
        ipSecSelectorGroupId           Unsigned32
}

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX         PolicyInstanceId
    STATUS         current
    DESCRIPTION
            "An integer index to uniquely identify an instance of
            this class"
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressType OBJECT-TYPE
    SYNTAX         INTEGER { ipV4(1), ipV6(2), fqdn(3) }
    STATUS         current
    DESCRIPTION
            "Specifies the source address type. This also controls
            the length of the OCTET STRING for the source address
            objects. A value of IPv4 specifies an IPv4 address and
            an octet string of length 4. A value of IPv6 specifies
            an IPv6 address and an octet string of length 16. A
            value of FQDN specifies a fully qualified domain name
            and an octet string of variable length."
    ::= { ipSecSelectorEntry 2 }

ipSecSelectorDstAddressType OBJECT-TYPE
    SYNTAX         INTEGER { ipV4(1), ipV6(2), fqdn(3) }
    STATUS         current
    DESCRIPTION
            "Specifies the destination address type. This also
            controls the length of the OCTET STRING for the
            destination address objects. A value of IPv4 specifies
            an IPv4 address and an octet string of length 4. A value
            of IPv6 specifies an IPv6 address and an octet string of
            length 16. A value of FQDN specifies a fully qualified
            domain name and an octet string of variable length."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddrMask OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "A mask for the matching of the destination IP address.
            A zero bit in the mask means that the corresponding bit
            in the address always matches. The type of this address
            is based on ipSecSelectorDstAddressType."
    ::= { ipSecSelectorEntry 4 }

ipSecSelectorSrcAddrMask OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "A mask for the matching of the source IP address. A
            zero bit in the mask means that the corresponding bit in
            the address always matches. The type of this address is
            based on ipSecSelectorSrcAddressType."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorDestAddrMin OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "Specifies the destination end point address or fully
            qualified domain name. The length of the string is
            based upon the address type. A value of all zero (e.g.,
            IPv4 0.0.0.0) accompanied by an ipSecSelectorDstAddrMask
            of all zero means a wild-carded address, i.e., all
            addresses match. A value of all zero accompanied by an
            ipSecSelectorDstAddrMask of all ones (e.g., IPv4
            255.255.255.255) means all addresses protected by the
            gateway.
            "
    ::= { ipSecSelectorEntry 6 }

ipSecSelectorDestAddrMax OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "If a range of addresses is being used then this
            specifies the ending destination address. The type of
            this address must be the same as that of
            ipSecSelectorDestAddrMin. If no range is specified or a
            fully qualified domain name is used then this object
            must be a 0 length octet string."
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorSrcAddrMin OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "Specifies the source address or fully qualified domain
            name. The length of the string is based upon the address
            type. A value of all zero (e.g., IPv4 0.0.0.0)
            accompanied by an ipSecSelectorSrcAddrMask of all zero
            means a wild-carded address, i.e., all addresses match.
            A value of all zero accompanied by an
            ipSecSelectorSrcAddrMask of all ones (e.g., IPv4
            255.255.255.255) means all addresses protected by the
            gateway.
            "
    ::= { ipSecSelectorEntry 8 }

ipSecSelectorSrcAddrMax OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "If a range of addresses is being used then this
            specifies the ending source address. The type of this
            address must be the same as that of
            ipSecSelectorSrcAddrMin. If no range is specified or a
            fully qualified domain name is used then this object
            must be a 0 length octet string."
    ::= { ipSecSelectorEntry 9 }

ipSecSelectorProtocol OBJECT-TYPE
    SYNTAX         INTEGER (0..255)
    STATUS         current
    DESCRIPTION
            "The IP protocol to match against the packet's protocol.
            A value of zero means match all."
    ::= { ipSecSelectorEntry 10 }

ipSecSelectorSrcPortMin OBJECT-TYPE
    SYNTAX         INTEGER (0..65535)
    STATUS         current
    DESCRIPTION
            "Specifies the first layer 4 source port number of a
            range of ports."
    ::= { ipSecSelectorEntry 11 }

ipSecSelectorSrcPortMax OBJECT-TYPE
    SYNTAX         INTEGER (0..65535)
    STATUS         current
    DESCRIPTION
            "Specifies the last layer 4 source port in the range. If
            a range of ports is not being used then this object must
            have a value of 0. Otherwise, this value should be
            greater than that specified by ipSecSelectorSrcPortMin."
    ::= { ipSecSelectorEntry 12 }

ipSecSelectorDstPortMin OBJECT-TYPE
    SYNTAX         INTEGER (0..65535)
    STATUS         current
    DESCRIPTION
            "Specifies the first layer 4 destination port number of
            a range of ports."
    ::= { ipSecSelectorEntry 13 }

ipSecSelectorDstPortMax OBJECT-TYPE
    SYNTAX         INTEGER (0..65535)
    STATUS         current
    DESCRIPTION
            "Specifies the last layer 4 destination port in the
            range. If a range of ports is not being used then this
            object must have a value of 0. Otherwise, this value
            should be greater than that specified by
            ipSecSelectorDstPortMin."
    ::= { ipSecSelectorEntry 14 }

ipSecSelectorOrder OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "An integer that specifies the precedence order of this
            selector within the ipSecSelectorTable. A given
            precedence order is positioned before one with a
            higher-valued precedence order."
    ::= { ipSecSelectorEntry 15 }

ipSecSelectorGroupId OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "Specifies the IPSec selector group this selector belongs
            to. Selectors in the same group are provided with the
            same service."
    ::= { ipSecSelectorEntry 16 }

--
-- The ipSecActionTable
--

ipSecActionTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpSecActionEntry
    POLICY-ACCESS  install
    STATUS         current
    DESCRIPTION
            "Specifies IPSec actions. It ties an IPSec action to an
            IPSec security association and an IKE association."
    INDEX { ipSecActionPrid }
    UNIQUENESS { Action, RemoteGatewayAddressType,
                 RemoteGatewayAddress, IpSecSecurityAssociationId,
                 IPSecIkeActionId }
    ::= { ipSecBase 2 }

ipSecActionEntry OBJECT-TYPE
    SYNTAX         IpSecActionEntry
    STATUS         current
    DESCRIPTION
            "Specifies an instance of this class"
    ::= { ipSecActionTable 1 }

IpSecActionEntry ::= SEQUENCE {
        ipSecActionPrid                          PolicyInstanceId,
        ipSecActionAction                        INTEGER,
        ipSecActionRemoteGatewayAddressType      INTEGER,
        ipSecActionRemoteGatewayAddress          OCTET STRING,
        ipSecActionIpSecSecurityAssociationId    PolicyReferenceId,
        ipSecActionIPSecIkeActionId              PolicyReferenceId
}

ipSecActionPrid OBJECT-TYPE
    SYNTAX         PolicyInstanceId
    STATUS         current
    DESCRIPTION
            "An integer index to uniquely identify an instance of
            this class"
    ::= { ipSecActionEntry 1 }

ipSecActionAction OBJECT-TYPE
    SYNTAX         INTEGER { byPass(1), discard(2), transport(3),
                             tunnel(4) }
    STATUS         current
    DESCRIPTION
            "Specifies the IPSec action to be applied to the
            traffic. ByPass (1) means that the packet should pass in
            clear. Discard (2) means that the packet should be
            denied. Transport (3) means that the packet should be
            protected with a security association in transport
            mode. Tunnel (4) means that the packet should be
            protected with a security association in tunnel mode.
            If Tunnel (4) is specified,
            ipSecActionRemoteGatewayAddressType and
            ipSecActionRemoteGatewayAddress must also be specified"
    ::= { ipSecActionEntry 2 }

ipSecActionRemoteGatewayAddressType OBJECT-TYPE
    SYNTAX         INTEGER { ipV4(1), ipV6(2), fqdn(3) }
    STATUS         current
    DESCRIPTION
            "When ipSecActionAction specifies Tunnel (4), this
            attribute specifies the remote gateway address type.
            This also controls the length of the OCTET STRING for
            the ipSecActionRemoteGatewayAddress attribute.
            A value of IPv4 specifies an IPv4 address and an octet
            string of length 4. A value of IPv6 specifies an IPv6
            address and an octet string of length 16. A value of
            FQDN specifies a fully qualified domain name and an
            octet string of variable length. If ipSecActionAction
            does NOT specify Tunnel (4), this object must be a 0
            length integer."
    ::= { ipSecActionEntry 3 }

ipSecActionRemoteGatewayAddress OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
            "When ipSecActionAction specifies Tunnel (4), this
            attribute specifies the address of the point where the
            tunnel terminates on the remote gateway. The length of
            the string is based upon the address type specified in
            ipSecActionRemoteGatewayAddressType. If
            ipSecActionAction does NOT specify Tunnel (4), this
            attribute must be a 0 length octet string."
    ::= { ipSecActionEntry 4 }

ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "An integer that identifies an IPSec association,
            specified in ipSecSecurityAssociationTable, that is
            associated with this action. When the ipSecActionAction
            attribute specifies Bypass (1) or Discard (2), this
            attribute must have a value of zero. Otherwise, its
            value must be greater than zero."
    ::= { ipSecActionEntry 5 }

ipSecActionIPSecIkeActionId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "An integer that identifies an IKE action, specified in
            ipSecIkeActionTable, that is associated with this
            action. When the ipSecActionAction attribute specifies
            Bypass (1) or Discard (2), this attribute must have a
            value of zero. Otherwise, its value must be greater than
            zero."
    ::= { ipSecActionEntry 6 }

--
-- The ipSecRuleTable
--

ipSecRuleTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpSecRuleEntry
    POLICY-ACCESS  install
    STATUS         current
    DESCRIPTION
            "Specifies IPSec rules. This is the table that ties
            selectors and IPSec actions together."
    INDEX { ipSecRulePrid }
    UNIQUENESS { Roles, Direction, IpSecSelectorGroupId,
                 IpSecActionId, IPSecRuleTimePeriodGroupId }
    ::= { ipSecBase 3 }

ipSecRuleEntry OBJECT-TYPE
    SYNTAX         IpSecRuleEntry
    STATUS         current
    DESCRIPTION
            "Specifies an instance of this class"
    ::= { ipSecRuleTable 1 }

IpSecRuleEntry ::= SEQUENCE {
        ipSecRulePrid                          PolicyInstanceId,
        ipSecRuleRoles                         RoleCombination,
        ipSecRuleDirection                     INTEGER,
        ipSecRuleIpSecSelectorGroupId          PolicyReferenceId,
        ipSecRuleIpSecActionId                 PolicyReferenceId,
        ipSecRuleIPSecRuleTimePeriodGroupId    PolicyReferenceId
}

ipSecRulePrid OBJECT-TYPE
    SYNTAX         PolicyInstanceId
    STATUS         current
    DESCRIPTION
            "An integer index to uniquely identify an instance of
            this class"
    ::= { ipSecRuleEntry 1 }

ipSecRuleRoles OBJECT-TYPE
    SYNTAX         RoleCombination
    STATUS         current
    DESCRIPTION
            "Specifies the role combinations of the interface to
            which this IPSec rule should apply."
    ::= { ipSecRuleEntry 2 }

ipSecRuleDirection OBJECT-TYPE
    SYNTAX         INTEGER { in(1), out(2), bi-directional(3) }
    STATUS         current
    DESCRIPTION
            "Specifies the direction of traffic to which this rule
            should apply."
    ::= { ipSecRuleEntry 3 }

ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "This attribute identifies the IPSec selector group,
            defined in ipSecSelectorTable, that is associated with
            this rule. This value must match an ipSecSelectorGroupId
            attribute in the ipSecSelectorTable.
            "
    ::= { ipSecRuleEntry 4 }

ipSecRuleIpSecActionId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "This attribute identifies the IPSec action, defined in
            ipSecActionTable, that is associated with this rule."
    ::= { ipSecRuleEntry 5 }

ipSecRuleIPSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "This attribute identifies an IPSec rule time period
            group, specified in ipSecPolicyTimePeriodGroupTable,
            that is associated with this rule. A value of zero
            indicates that this IPSec rule is always valid until
            being deleted."
    ::= { ipSecRuleEntry 6 }

--
-- The ipSecSecurityAssociationTable
--

ipSecSecurityAssociationTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpSecSecurityAssociationEntry
    POLICY-ACCESS  install
    STATUS         current
    DESCRIPTION
            "Specifies attributes associated with IPSec associations"
    INDEX { ipSecSecurityAssociationPrid }
    UNIQUENESS { RefreshThresholdSeconds, RefreshThresholdKilobytes,
                 MinLifetimeSeconds, MinLifetimeKilobytes,
                 TrafficIdleTime, UsePfs, UseIkeGroup, DhGroup,
                 Granularity, ProposalGroupId }
    ::= { ipSecSecurityAssociation 1 }

ipSecSecurityAssociationEntry OBJECT-TYPE
    SYNTAX         IpSecSecurityAssociationEntry
    STATUS         current
    DESCRIPTION
            "Specifies an instance of this class"
    ::= { ipSecSecurityAssociationTable 1 }

IpSecSecurityAssociationEntry ::= SEQUENCE {
        ipSecSecurityAssociationPrid                      PolicyInstanceId,
        ipSecSecurityAssociationRefreshThresholdSeconds   INTEGER,
        ipSecSecurityAssociationRefreshThresholdKilobytes INTEGER,
        ipSecSecurityAssociationMinLifetimeSeconds        Unsigned32,
        ipSecSecurityAssociationMinLifetimeKilobytes      Unsigned32,
        ipSecSecurityAssociationTrafficIdleTime           Unsigned32,
        ipSecSecurityAssociationUsePfs                    TruthValue,
        ipSecSecurityAssociationUseIkeGroup               TruthValue,
        ipSecSecurityAssociationDhGroup
                                                          Unsigned32,
        ipSecSecurityAssociationGranularity               INTEGER,
        ipSecSecurityAssociationProposalGroupId           PolicyReferenceId
}

ipSecSecurityAssociationPrid OBJECT-TYPE
    SYNTAX         PolicyInstanceId
    STATUS         current
    DESCRIPTION
            "An integer index to uniquely identify an instance of
            this class"
    ::= { ipSecSecurityAssociationEntry 1 }

ipSecSecurityAssociationRefreshThresholdSeconds OBJECT-TYPE
    SYNTAX         INTEGER (1..100)
    STATUS         current
    DESCRIPTION
            "Specifies the percentage of expiration (in other words,
            the refresh threshold) of an established SA's seconds
            lifetime at which to begin re-negotiation of the SA. A
            value of 100 means that re-negotiation does not occur
            until the seconds lifetime value has expired."
    ::= { ipSecSecurityAssociationEntry 2 }

ipSecSecurityAssociationRefreshThresholdKilobytes OBJECT-TYPE
    SYNTAX         INTEGER (1..100)
    STATUS         current
    DESCRIPTION
            "Specifies the percentage of expiration of an
            established SA's kilobyte lifetime at which to begin
            re-negotiation of the SA. A value of 100 means that
            re-negotiation does not occur until the kilobyte
            lifetime value has expired.
            "
    ::= { ipSecSecurityAssociationEntry 3 }

ipSecSecurityAssociationMinLifetimeSeconds OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "Specifies the minimum SA seconds lifetime that will be
            accepted from a peer while negotiating an SA based upon
            this action. A value of zero indicates that there is no
            minimum lifetime enforced."
    ::= { ipSecSecurityAssociationEntry 4 }

ipSecSecurityAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "Specifies the minimum kilobyte lifetime that will be
            accepted from a negotiating peer while negotiating an SA
            based upon this action. A value of zero indicates that
            there is no minimum lifetime enforced."
    ::= { ipSecSecurityAssociationEntry 5 }

ipSecSecurityAssociationTrafficIdleTime OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "Specifies the amount of time in seconds an SA may
            remain idle (in other words, no traffic protected by the
            SA) before it is deleted. A value of zero indicates that
            there is no idle time detection. The expiration of the
            SA is determined by the expiration of one of the
            lifetime values."
    ::= { ipSecSecurityAssociationEntry 6 }

ipSecSecurityAssociationUsePfs OBJECT-TYPE
    SYNTAX         TruthValue
    STATUS         current
    DESCRIPTION
            "If true, PFS should be used when negotiating the phase
            two IPSec SA.
            "
    ::= { ipSecSecurityAssociationEntry 7 }

ipSecSecurityAssociationUseIkeGroup OBJECT-TYPE
    SYNTAX         TruthValue
    STATUS         current
    DESCRIPTION
            "If true, the phase two DH group number should be the
            same as that of phase 1. Otherwise, the group number
            specified by the ipSecSecurityAssociationDhGroup
            attribute should be used. This attribute is ignored if
            ipSecSecurityAssociationUsePfs is false."
    ::= { ipSecSecurityAssociationEntry 8 }

ipSecSecurityAssociationDhGroup OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "If PFS should be used during IKE phase two and
            ipSecSecurityAssociationUseIkeGroup is false, this
            attribute specifies the Diffie-Hellman group to use.
            This attribute is ignored if
            ipSecSecurityAssociationUsePfs is false."
    ::= { ipSecSecurityAssociationEntry 9 }

ipSecSecurityAssociationGranularity OBJECT-TYPE
    SYNTAX         INTEGER { wide(1), narrow(2) }
    STATUS         current
    DESCRIPTION
            "Specifies how this security association may be used. A
            value of 1 (Wide) indicates that this security
            association may be used by all packets that match the
            same selector that is matched by the packet triggering
            the establishment of this association.
            A value of 2 (Narrow) indicates that this security
            association can be used only by packets that have
            exactly the same selector attribute values as that of
            the packet triggering the establishment of this
            association.
            "
    ::= { ipSecSecurityAssociationEntry 10 }

ipSecSecurityAssociationProposalGroupId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "An integer that identifies the IPSec proposal group,
            specified in ipSecProposalGroupTable, that is associated
            with this action."
    ::= { ipSecSecurityAssociationEntry 11 }

--
-- The ipSecProposalGroupTable
--

ipSecProposalGroupTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpSecProposalGroupEntry
    POLICY-ACCESS  install
    STATUS         current
    DESCRIPTION
            "Specifies IPSec proposal groups. Proposals within a
            group are ORed with preference order."
    INDEX { ipSecProposalGroupPrid }
    UNIQUENESS { ProposalGroupId, ProposalId }
    ::= { ipSecSecurityAssociation 2 }

ipSecProposalGroupEntry OBJECT-TYPE
    SYNTAX         IpSecProposalGroupEntry
    STATUS         current
    DESCRIPTION
            "Specifies an instance of this class"
    ::= { ipSecProposalGroupTable 1 }

IpSecProposalGroupEntry ::= SEQUENCE {
        ipSecProposalGroupPrid               PolicyInstanceId,
        ipSecProposalGroupProposalGroupId    Unsigned32,
        ipSecProposalGroupProposalId         PolicyReferenceId,
        ipSecProposalGroupOrder              Unsigned32
}

ipSecProposalGroupPrid OBJECT-TYPE
    SYNTAX         PolicyInstanceId
    STATUS         current
    DESCRIPTION
            "An integer index to uniquely identify an instance of
            this class"
    ::= { ipSecProposalGroupEntry 1 }

ipSecProposalGroupProposalGroupId OBJECT-TYPE
    SYNTAX         Unsigned32
    STATUS         current
    DESCRIPTION
            "An integer that specifies an IPSec proposal group"
    ::= { ipSecProposalGroupEntry 2 }

ipSecProposalGroupProposalId OBJECT-TYPE
    SYNTAX         PolicyReferenceId
    STATUS         current
    DESCRIPTION
            "An integer that identifies an IPSec
Proposal, specified by ipSecProposalTable, that is included in this group." ::= { ipSecProposalGroupEntry 3 } ipSecProposalGroupOrder OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "An integer that specifies the precedence order, within the ProposalGroup, of the proposal identified by ipSecProposalGroupProposalId. Proposals within a group are ORed with preference order. A given precedence order is positioned before one with a higher-valued precedence order." ::= { ipSecProposalGroupEntry 4 } -- -- -- The ipSecProposalTable -- ipSecProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecProposalEntry POLICY-ACCESS install STATUS current DESCRIPTION "Specifies an IPSec proposal. It has references to ESP, AH and IPComp Transform groups. Within a proposal, different types of transforms are ANDed. Within one type of transforms, the choices are ORed with preference order." INDEX { ipSecProposalPrid } UNIQUENESS { LifetimeKilobytes, LifetimeSeconds, EspTransformGroupId, AhTransformGroupId, CompTransformGroupId } ::= { ipSecSecurityAssociation 3 } Li,Arneson,Doria,Jason Expires January 2001 [Page 26] Internet Draft IPSec Policy Information Base July 2000 ipSecProposalEntry OBJECT-TYPE SYNTAX IpSecProposalEntry STATUS current DESCRIPTION "Specifies an instance of this class" ::= { ipSecProposalTable 1 } IpSecProposalEntry ::= SEQUENCE { ipSecProposalPrid PolicyInstanceId, ipSecProposalLifetimeKilobytes Unsigned32, ipSecProposalLifetimeSeconds Unsigned32, ipSecProposalEspTransformGroupId PolicyReferenceId, ipSecProposalAhTransformGroupId PolicyReferenceId, ipSecProposalCompTransformGroupId PolicyReferenceId } ipSecProposalPrid OBJECT-TYPE SYNTAX PolicyInstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecProposalEntry 1 } ipSecProposalLifetimeKilobytes OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the kilobyte lifetime for this particular proposal. 
A value of zero indicates that there is no kilobyte lifetime. " ::= { ipSecProposalEntry 2 } ipSecProposalLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the seconds lifetime for this particular proposal. A value of zero indicates that the lifetime value defaults to 8 hours. " ::= { ipSecProposalEntry 3 } Li,Arneson,Doria,Jason Expires January 2001 [Page 27] Internet Draft IPSec Policy Information Base July 2000 ipSecProposalEspTransformGroupId OBJECT-TYPE SYNTAX PolicyReferenceId STATUS current DESCRIPTION "An integer that identifies the ESP transform group, specified in ipSecEspTransformGroupTable, that is associated with this proposal." ::= { ipSecProposalEntry 4 } ipSecProposalAhTransformGroupId OBJECT-TYPE SYNTAX PolicyReferenceId STATUS current DESCRIPTION "An integer that identifies the AH transform group, specified in ipSecAhTransformGroupTable, that is associated with this proposal." ::= { ipSecProposalEntry 5 } ipSecProposalCompTransformGroupId OBJECT-TYPE SYNTAX PolicyReferenceId STATUS current DESCRIPTION "An integer that identifies the IPComp transform group, specified in ipSecCompTransformGroupTable, that is associated with this proposal." 
    ::= { ipSecProposalEntry 6 }

--
-- The ipSecIkeActionTable
--

ipSecIkeActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecIkeActionEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies attributes related to IKE action"
    INDEX { ipSecIkeActionPrid }
    UNIQUENESS { RefreshThresholdSeconds, RefreshThresholdKilobytes,
                 MinLiftetimeSeconds, MinLifetimeKilobytes,
                 TrafficIdleTime, ExchangeMode,
                 RefreshThresholdDerivedKeys, UseIkeIdentityType,
                 IKEProposalGroupId }
    ::= { ipSecIkeAssociation 1 }

ipSecIkeActionEntry OBJECT-TYPE
    SYNTAX      IpSecIkeActionEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecIkeActionTable 1 }

IpSecIkeActionEntry ::= SEQUENCE {
    ipSecIkeActionPrid                          PolicyInstanceId,
    ipSecIkeActionRefreshThresholdSeconds       INTEGER,
    ipSecIkeActionRefreshThresholdKilobytes     INTEGER,
    ipSecIkeActionMinLiftetimeSeconds           Unsigned32,
    ipSecIkeActionMinLifetimeKilobytes          Unsigned32,
    ipSecIkeActionTrafficIdleTime               Unsigned32,
    ipSecIkeActionExchangeMode                  INTEGER,
    ipSecIkeActionRefreshThresholdDerivedKeys   INTEGER,
    ipSecIkeActionUseIkeIdentityType            INTEGER,
    ipSecIkeActionIKEProposalGroupId            PolicyReferenceId
}

ipSecIkeActionPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecIkeActionEntry 1 }

ipSecIkeActionRefreshThresholdSeconds OBJECT-TYPE
    SYNTAX      INTEGER (1..100)
    STATUS      current
    DESCRIPTION
        "Specifies the percentage of expiration (in other words, the
        refresh threshold) of an established SA's seconds lifetime at
        which to begin re-negotiation of the SA. A value of 100 means
        that re-negotiation does not occur until the seconds lifetime
        value has expired."
    ::= { ipSecIkeActionEntry 2 }

ipSecIkeActionRefreshThresholdKilobytes OBJECT-TYPE
    SYNTAX      INTEGER (1..100)
    STATUS      current
    DESCRIPTION
        "Specifies the percentage of expiration of an established
        SA's kilobyte lifetime at which to begin re-negotiation of the
        SA. A value of 100 means that re-negotiation does not occur
        until the kilobyte lifetime value has expired."
    ::= { ipSecIkeActionEntry 3 }

ipSecIkeActionMinLiftetimeSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be
        accepted from a peer while negotiating an SA based upon this
        action. A value of zero indicates that there is no minimum
        lifetime enforced."
    ::= { ipSecIkeActionEntry 4 }

ipSecIkeActionMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be
        accepted from a negotiating peer while negotiating an SA
        based upon this action. A value of zero indicates that there
        is no minimum lifetime enforced."
    ::= { ipSecIkeActionEntry 5 }

ipSecIkeActionTrafficIdleTime OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the amount of time in seconds an SA may remain
        idle (in other words, no traffic protected by the SA) before
        it is deleted. A value of zero indicates that there is no
        idle time detection. The expiration of the SA is determined
        by the expiration of one of the lifetime values."
    ::= { ipSecIkeActionEntry 6 }

ipSecIkeActionExchangeMode OBJECT-TYPE
    SYNTAX      INTEGER {
                    baseMode(1),
                    mainMode(2),
                    aggressiveMode(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the negotiation mode that the IKE server will use
        for phase one."
    ::= { ipSecIkeActionEntry 7 }

ipSecIkeActionRefreshThresholdDerivedKeys OBJECT-TYPE
    SYNTAX      INTEGER (1..100)
    STATUS      current
    DESCRIPTION
        "Specifies the percentage of expiration of an established IKE
        SA's derived keys lifetime at which to begin re-negotiation
        of the SA. A value of 100 means that re-negotiation does not
        occur until the derived key lifetime value has expired."
    ::= { ipSecIkeActionEntry 8 }

ipSecIkeActionUseIkeIdentityType OBJECT-TYPE
    SYNTAX      INTEGER {
                    ipV4-Address(1),
                    fqdn(2),
                    user-Fqdn(3),
                    ipV4-Subnet(4),
                    ipV6-Address(5),
                    ipV6-Subnet(6),
                    ipV4-Address-Range(7),
                    ipV6-Address-Range(8),
                    der-Asn1-DN(9),
                    der-Asn1-GN(10),
                    key-Id(11)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the IKE identity to use during negotiation."
    ::= { ipSecIkeActionEntry 9 }

ipSecIkeActionIKEProposalGroupId OBJECT-TYPE
    SYNTAX      PolicyReferenceId
    STATUS      current
    DESCRIPTION
        "An integer that identifies the IKE proposal group, specified
        in ipSecIkeProposalGroupTable, that is associated with this
        action."
    ::= { ipSecIkeActionEntry 10 }

--
-- The ipSecIkeProposalGroupTable
--

ipSecIkeProposalGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecIkeProposalGroupEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies IKE proposal groups. Proposals within a group are
        ORed with preference order."
    INDEX { ipSecIkeProposalGroupPrid }
    UNIQUENESS { ProposalGroupId, ProposalId }
    ::= { ipSecIkeAssociation 2 }

ipSecIkeProposalGroupEntry OBJECT-TYPE
    SYNTAX      IpSecIkeProposalGroupEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecIkeProposalGroupTable 1 }

IpSecIkeProposalGroupEntry ::= SEQUENCE {
    ipSecIkeProposalGroupPrid               PolicyInstanceId,
    ipSecIkeProposalGroupProposalGroupId    Unsigned32,
    ipSecIkeProposalGroupProposalId         PolicyReferenceId,
    ipSecIkeProposalGroupOrder              Unsigned32
}

ipSecIkeProposalGroupPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecIkeProposalGroupEntry 1 }

ipSecIkeProposalGroupProposalGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that uniquely identifies an IKE proposal group."
    ::= { ipSecIkeProposalGroupEntry 2 }

ipSecIkeProposalGroupProposalId OBJECT-TYPE
    SYNTAX      PolicyReferenceId
    STATUS      current
    DESCRIPTION
        "An integer that identifies an IKE proposal, specified by the
        ipSecIkeProposalTable, that is included in this group."
    ::= { ipSecIkeProposalGroupEntry 3 }

ipSecIkeProposalGroupOrder OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order, within the
        ProposalGroup, of the proposal identified by
        ipSecIkeProposalGroupProposalId. Proposals within a group are
        ORed with preference order. A given precedence order is
        positioned before one with a higher-valued precedence order."
    ::= { ipSecIkeProposalGroupEntry 4 }

--
-- The ipSecIkeProposalTable
--

ipSecIkeProposalTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecIkeProposalEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies attributes associated with an IKE proposal."
    INDEX { ipSecIkeProposalPrid }
    UNIQUENESS { LifetimeSeconds, LifetimeKilobytes, CipherAlgorithm,
                 HashAlgorithm, AuthenticationMethod,
                 LifetimeDerivedKeys, PrfAlgorithm, IkeDhGroup }
    ::= { ipSecIkeAssociation 3 }

ipSecIkeProposalEntry OBJECT-TYPE
    SYNTAX      IpSecIkeProposalEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecIkeProposalTable 1 }

IpSecIkeProposalEntry ::= SEQUENCE {
    ipSecIkeProposalPrid                    PolicyInstanceId,
    ipSecIkeProposalLifetimeSeconds         Unsigned32,
    ipSecIkeProposalLifetimeKilobytes       Unsigned32,
    ipSecIkeProposalCipherAlgorithm         INTEGER,
    ipSecIkeProposalHashAlgorithm           INTEGER,
    ipSecIkeProposalAuthenticationMethod    INTEGER,
    ipSecIkeProposalLifetimeDerivedKeys     Unsigned32,
    ipSecIkeProposalPrfAlgorithm            Unsigned32,
    ipSecIkeProposalIkeDhGroup              Unsigned32
}

ipSecIkeProposalPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecIkeProposalEntry 1 }

ipSecIkeProposalLifetimeSeconds OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the seconds lifetime for this particular proposal.
        A value of zero indicates that the lifetime value defaults to
        8 hours."
    ::= { ipSecIkeProposalEntry 2 }

ipSecIkeProposalLifetimeKilobytes OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the kilobyte lifetime for this particular
        proposal. A value of zero indicates that there is no kilobyte
        lifetime."
    ::= { ipSecIkeProposalEntry 3 }

ipSecIkeProposalCipherAlgorithm OBJECT-TYPE
    SYNTAX      INTEGER {
                    des-CBC(1),
                    idea-CBC(2),
                    blowfish-CBC(3),
                    rc5-R16-B64-CBC(4),
                    tripleDes-CBC(5),
                    cast-CBC(6)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the encryption algorithm to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 4 }

ipSecIkeProposalHashAlgorithm OBJECT-TYPE
    SYNTAX      INTEGER {
                    md5(1),
                    sha-1(2),
                    tiger(3)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the hash algorithm to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 5 }

ipSecIkeProposalAuthenticationMethod OBJECT-TYPE
    SYNTAX      INTEGER {
                    presharedKey(1),
                    dssSignatures(2),
                    rsaSignatures(3),
                    rsaEncryption(4),
                    revisedRsaEncryption(5),
                    kerberos(6)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the authentication method to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 6 }

ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the number of times the IKE phase one key may be
        used to derive an IKE phase two key. A value of zero
        indicates that the number of times an IKE phase one key may
        be used to derive an IKE phase two key is limited by the
        seconds and/or kilobyte lifetimes."
    ::= { ipSecIkeProposalEntry 7 }

ipSecIkeProposalPrfAlgorithm OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the Pseudo-Random Function (PRF) to propose for
        the IKE association."
    ::= { ipSecIkeProposalEntry 8 }

ipSecIkeProposalIkeDhGroup OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the Diffie-Hellman group to propose for the IKE
        association."
    ::= { ipSecIkeProposalEntry 9 }

--
-- The ipSecEspTransformGroupTable
--

ipSecEspTransformGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecEspTransformGroupEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies an ESP transform group. Within a transform group,
        the choices are ORed with preference order."
    INDEX { ipSecEspTransformGroupPrid }
    UNIQUENESS { TransformGroupId, TransformId }
    ::= { ipSecEspTransform 1 }

ipSecEspTransformGroupEntry OBJECT-TYPE
    SYNTAX      IpSecEspTransformGroupEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecEspTransformGroupTable 1 }

IpSecEspTransformGroupEntry ::= SEQUENCE {
    ipSecEspTransformGroupPrid                PolicyInstanceId,
    ipSecEspTransformGroupTransformGroupId    Unsigned32,
    ipSecEspTransformGroupTransformId         PolicyReferenceId,
    ipSecEspTransformGroupOrder               Unsigned32
}

ipSecEspTransformGroupPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecEspTransformGroupEntry 1 }

ipSecEspTransformGroupTransformGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that identifies a group of ESP transforms"
    ::= { ipSecEspTransformGroupEntry 2 }

ipSecEspTransformGroupTransformId OBJECT-TYPE
    SYNTAX      PolicyReferenceId
    STATUS      current
    DESCRIPTION
        "An integer that identifies an ESP transform, specified by
        ipSecEspTransformTable, that is included in this group."
    ::= { ipSecEspTransformGroupEntry 3 }

ipSecEspTransformGroupOrder OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order, within the
        ipSecEspTransformGroup, of the transform identified by
        ipSecEspTransformGroupTransformId. Transforms within a group
        are ORed with preference order. A given precedence order is
        positioned before one with a higher-valued precedence order."
    ::= { ipSecEspTransformGroupEntry 4 }

--
-- The ipSecEspTransformTable
--

ipSecEspTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecEspTransformEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies an ESP transform."
    INDEX { ipSecEspTransformPrid }
    UNIQUENESS { IntegrityTransformId, CipherTransformId,
                 CipherKeyRounds, CipherKeyLength }
    ::= { ipSecEspTransform 2 }

ipSecEspTransformEntry OBJECT-TYPE
    SYNTAX      IpSecEspTransformEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecEspTransformTable 1 }

IpSecEspTransformEntry ::= SEQUENCE {
    ipSecEspTransformPrid                    PolicyInstanceId,
    ipSecEspTransformIntegrityTransformId    INTEGER,
    ipSecEspTransformCipherTransformId       INTEGER,
    ipSecEspTransformCipherKeyRounds         Unsigned32,
    ipSecEspTransformCipherKeyLength         Unsigned32
}

ipSecEspTransformPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecEspTransformEntry 1 }

ipSecEspTransformIntegrityTransformId OBJECT-TYPE
    SYNTAX      INTEGER {
                    none(0),
                    hmacMd5(1),
                    hmacSha(2),
                    desMac(3),
                    kpdk(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the ESP integrity algorithm to propose."
    ::= { ipSecEspTransformEntry 2 }

ipSecEspTransformCipherTransformId OBJECT-TYPE
    SYNTAX      INTEGER {
                    desIV64(1),
                    des(2),
                    tripleDES(3),
                    rc5(4),
                    idea(5),
                    cast(6),
                    blowfish(7),
                    tripleIDEA(8),
                    desIV32(9),
                    rc4(10),
                    null(11)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the ESP cipher/encryption algorithm to propose."
    ::= { ipSecEspTransformEntry 3 }

ipSecEspTransformCipherKeyRounds OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the number of key rounds for the ESP cipher
        algorithm specified by the attribute
        ipSecEspTransformCipherTransformId."
    ::= { ipSecEspTransformEntry 4 }

ipSecEspTransformCipherKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the length of the ESP cipher key in bits.
        "
    ::= { ipSecEspTransformEntry 5 }

--
-- The ipSecAhTransformGroupTable
--

ipSecAhTransformGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecAhTransformGroupEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies an AH transform group. Within a transform group,
        the choices are ORed with preference order."
    INDEX { ipSecAhTransformGroupPrid }
    UNIQUENESS { TransformGroupId, TransformId }
    ::= { ipSecAhTransform 1 }

ipSecAhTransformGroupEntry OBJECT-TYPE
    SYNTAX      IpSecAhTransformGroupEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAhTransformGroupTable 1 }

IpSecAhTransformGroupEntry ::= SEQUENCE {
    ipSecAhTransformGroupPrid                PolicyInstanceId,
    ipSecAhTransformGroupTransformGroupId    Unsigned32,
    ipSecAhTransformGroupTransformId         PolicyReferenceId,
    ipSecAhTransformGroupOrder               Unsigned32
}

ipSecAhTransformGroupPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecAhTransformGroupEntry 1 }

ipSecAhTransformGroupTransformGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that identifies an AH transform group."
    ::= { ipSecAhTransformGroupEntry 2 }

ipSecAhTransformGroupTransformId OBJECT-TYPE
    SYNTAX      PolicyReferenceId
    STATUS      current
    DESCRIPTION
        "An integer that identifies an AH transform, as specified in
        ipSecAhTransformTable, that is included in this group."
    ::= { ipSecAhTransformGroupEntry 3 }

ipSecAhTransformGroupOrder OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order, within the
        ipSecAhTransformGroup, of the transform identified by
        ipSecAhTransformGroupTransformId. Transforms within a group
        are ORed with preference order. A given precedence order is
        positioned before one with a higher-valued precedence order."
    ::= { ipSecAhTransformGroupEntry 4 }

--
-- The ipSecAhTransformTable
--

ipSecAhTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecAhTransformEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies an AH transform"
    INDEX { ipSecAhTransformPrid }
    UNIQUENESS { TransformId }
    ::= { ipSecAhTransform 2 }

ipSecAhTransformEntry OBJECT-TYPE
    SYNTAX      IpSecAhTransformEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAhTransformTable 1 }

IpSecAhTransformEntry ::= SEQUENCE {
    ipSecAhTransformPrid           PolicyInstanceId,
    ipSecAhTransformTransformId    INTEGER
}

ipSecAhTransformPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecAhTransformEntry 1 }

ipSecAhTransformTransformId OBJECT-TYPE
    SYNTAX      INTEGER {
                    md5(2),
                    sha-1(3),
                    des(4)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the AH hash algorithm to propose"
    ::= { ipSecAhTransformEntry 2 }

--
-- The ipSecCompTransformGroupTable
--

ipSecCompTransformGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecCompTransformGroupEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies an IPComp transform group. Within a transform
        group, the choices are ORed with preference order."
    INDEX { ipSecCompTransformGroupPrid }
    UNIQUENESS { TransformGroupId, TransformId }
    ::= { ipSecCompTransform 1 }

ipSecCompTransformGroupEntry OBJECT-TYPE
    SYNTAX      IpSecCompTransformGroupEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecCompTransformGroupTable 1 }

IpSecCompTransformGroupEntry ::= SEQUENCE {
    ipSecCompTransformGroupPrid                PolicyInstanceId,
    ipSecCompTransformGroupTransformGroupId    Unsigned32,
    ipSecCompTransformGroupTransformId         PolicyReferenceId,
    ipSecCompTransformGroupOrder               Unsigned32
}

ipSecCompTransformGroupPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecCompTransformGroupEntry 1 }

ipSecCompTransformGroupTransformGroupId OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that identifies an IPComp transform group"
    ::= { ipSecCompTransformGroupEntry 2 }

ipSecCompTransformGroupTransformId OBJECT-TYPE
    SYNTAX      PolicyReferenceId
    STATUS      current
    DESCRIPTION
        "An integer that identifies an IPComp transform, specified by
        ipSecCompTransformTable, that is included in this group."
    ::= { ipSecCompTransformGroupEntry 3 }

ipSecCompTransformGroupOrder OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "An integer that specifies the precedence order, within the
        ipSecCompTransformGroup, of the transform identified by
        ipSecCompTransformGroupTransformId. Transforms within a group
        are ORed with preference order. A given precedence order is
        positioned before one with a higher-valued precedence order."
    ::= { ipSecCompTransformGroupEntry 4 }

--
-- The ipSecCompTransformTable
--

ipSecCompTransformTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecCompTransformEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies an IPComp transform."
    INDEX { ipSecCompTransformPrid }
    UNIQUENESS { Algorithm, DictionarySize, PrivateAlgorithm }
    ::= { ipSecCompTransform 2 }

ipSecCompTransformEntry OBJECT-TYPE
    SYNTAX      IpSecCompTransformEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecCompTransformTable 1 }

IpSecCompTransformEntry ::= SEQUENCE {
    ipSecCompTransformPrid                PolicyInstanceId,
    ipSecCompTransformAlgorithm           INTEGER,
    ipSecCompTransformDictionarySize      Unsigned32,
    ipSecCompTransformPrivateAlgorithm    Unsigned32
}

ipSecCompTransformPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecCompTransformEntry 1 }

ipSecCompTransformAlgorithm OBJECT-TYPE
    SYNTAX      INTEGER {
                    oui(1),
                    deflate(2),
                    lzs(3)
                }
    STATUS      current
    DESCRIPTION
        "Specifies the IPComp compression algorithm to propose."
    ::= { ipSecCompTransformEntry 2 }

ipSecCompTransformDictionarySize OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies the log2 maximum size of the dictionary."
    ::= { ipSecCompTransformEntry 3 }

ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "Specifies a specific vendor algorithm that will be used.
        "
    ::= { ipSecCompTransformEntry 4 }

--
-- The ipSecRuleTimePeriodTable
--

ipSecRuleTimePeriodTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecRuleTimePeriodEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies the time periods during which a policy rule is
        valid. The values of the second through sixth attributes in
        a row are ANDed together to determine the validity
        period(s). If any of the five attributes is not present, it
        is treated as having the value always enabled."
    INDEX { ipSecRuleTimePeriodPrid }
    UNIQUENESS { TimePeriod, MonthOfYearMask, DayOfMonthMask,
                 DayOfWeekMask, TimeOfDayMask, LocalOrUtcTime }
    ::= { ipSecPolicyTimePeriod 1 }

ipSecRuleTimePeriodEntry OBJECT-TYPE
    SYNTAX      IpSecRuleTimePeriodEntry
    STATUS      current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecRuleTimePeriodTable 1 }

IpSecRuleTimePeriodEntry ::= SEQUENCE {
    ipSecRuleTimePeriodPrid               PolicyInstanceId,
    ipSecRuleTimePeriodTimePeriod         OCTET STRING,
    ipSecRuleTimePeriodMonthOfYearMask    OCTET STRING,
    ipSecRuleTimePeriodDayOfMonthMask     OCTET STRING,
    ipSecRuleTimePeriodDayOfWeekMask      OCTET STRING,
    ipSecRuleTimePeriodTimeOfDayMask      OCTET STRING,
    ipSecRuleTimePeriodLocalOrUtcTime     INTEGER
}

ipSecRuleTimePeriodPrid OBJECT-TYPE
    SYNTAX      PolicyInstanceId
    STATUS      current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecRuleTimePeriodEntry 1 }

ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that identifies an overall range of calendar
        dates and times over which a policy rule is valid. It reuses
        the format for an explicit time period defined in RFC 2445
        [ICALENDAR]: a string representing a starting date and time,
        in which the character 'T' indicates the beginning of the
        time portion, followed by the character '/', followed by a
        similar string representing an end date and time. The first
        date indicates the beginning of the range, while the second
        date indicates the end. Thus, the second date and time must
        be later than the first. Date/times are expressed as
        sub-strings of the form yyyymmddThhmmss.

        There are also two special cases:

        - If the first date/time is replaced with the string
          THISANDPRIOR, then the property indicates that a policy
          rule is valid [from now] until the date/time that appears
          after the '/'.

        - If the second date/time is replaced with the string
          THISANDFUTURE, then the property indicates that a policy
          rule becomes valid on the date/time that appears before
          the '/', and remains valid from that point on."
    ::= { ipSecRuleTimePeriodEntry 2 }

ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies which months the policy is
        valid for. The octet string is structured as follows:

        - a 4-octet length field, indicating the length of the
          entire octet string; this field is always set to
          0x00000006 for this property;

        - a 2-octet field consisting of 12 bits identifying the 12
          months of the year, beginning with January and ending with
          December, followed by 4 bits that are always set to '0'.
          For each month, the value '1' indicates that the policy is
          valid for that month, and the value '0' indicates that it
          is not valid.

        If this property is omitted, then the policy rule is treated
        as valid for all twelve months."
    ::= { ipSecRuleTimePeriodEntry 3 }

ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies which days of the month the
        policy is valid for. The octet string is structured as
        follows:

        - a 4-octet length field, indicating the length of the
          entire octet string; this field is always set to
          0x0000000C for this property;

        - an 8-octet field consisting of 31 bits identifying the
          days of the month counting from the beginning, followed by
          31 more bits identifying the days of the month counting
          from the end, followed by 2 bits that are always set to
          '0'. For each day, the value '1' indicates that the policy
          is valid for that day, and the value '0' indicates that it
          is not valid.

        For months with fewer than 31 days, the digits corresponding
        to days that the months do not have (counting in both
        directions) are ignored."
    ::= { ipSecRuleTimePeriodEntry 4 }

ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies which days of the week the
        policy is valid for. The octet string is structured as
        follows:

        - a 4-octet length field, indicating the length of the
          entire octet string; this field is always set to
          0x00000005 for this property;

        - a 1-octet field consisting of 7 bits identifying the 7
          days of the week, beginning with Sunday and ending with
          Saturday, followed by 1 bit that is always set to '0'. For
          each day of the week, the value '1' indicates that the
          policy is valid for that day, and the value '0' indicates
          that it is not valid."
    ::= { ipSecRuleTimePeriodEntry 5 }

ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "An octet string that specifies a range of times in a day
        the policy is valid for. It is formatted as follows: a time
        string beginning with the character 'T', followed by the
        character '/', followed by a second time string. The first
        time indicates the beginning of the range, while the second
        time indicates the end. Times are expressed as sub-strings
        of the form Thhmmss.

        The second sub-string always identifies a later time than
        the first sub-string. To allow for ranges that span midnight,
        however, the value of the second string may be smaller than
        the value of the first sub-string. Thus, T080000/T210000
        identifies the range from 0800 until 2100, while
        T210000/T080000 identifies the range from 2100 until 0800 of
        the following day."
    ::= { ipSecRuleTimePeriodEntry 6 }

ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
    SYNTAX      INTEGER {
                    localTime(1),
                    utcTime(2)
                }
    STATUS      current
    DESCRIPTION
        "This property indicates whether the times represented in
        this table represent local times or UTC times. There is no
        provision for mixing of local times and UTC times: the value
        of this property applies to all of the other time-related
        properties."
    ::= { ipSecRuleTimePeriodEntry 7 }

--
-- The ipSecRuleTimePeriodGroupTable
--

ipSecRuleTimePeriodGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpSecRuleTimePeriodGroupEntry
    POLICY-ACCESS  install
    STATUS      current
    DESCRIPTION
        "Specifies multiple time periods. The
        ipSecRuleTimePeriodTable is able to specify a single time
        period over multiple days (e.g., 8:00-10:00 am every
        Friday). This table allows one to specify multiple time
        periods over multiple days (e.g., 8:00-10:00 am and
        2:00-5:00 pm every Friday) by grouping them into one group."
INDEX { ipSecRuleTimePeriodGroupPrid } UNIQUENESS { RuleTimePeriodGroupId, RuleTimePeriodId } ::= { ipSecPolicyTimePeriod 2 } ipSecRuleTimePeriodGroupEntry OBJECT-TYPE SYNTAX IpSecRuleTimePeriodGroupEntry STATUS current DESCRIPTION "Specifies an instance of this class" ::= { ipSecRuleTimePeriodGroupTable 1 } Li,Arneson,Doria,Jason Expires January 2001 [Page 53] Internet Draft IPSec Policy Information Base July 2000 IpSecRuleTimePeriodGroupEntry ::= SEQUENCE { ipSecRuleTimePeriodGroupPrid PolicyInstanceId, ipSecRuleTimePeriodGroupRuleTimePeriodGroupId Unsigned32, ipSecRuleTimePeriodGroupRuleTimePeriodId PolicyReferenceId } ipSecRuleTimePeriodGroupPrid OBJECT-TYPE SYNTAX PolicyInstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecRuleTimePeriodGroupEntry 1 } ipSecRuleTimePeriodGroupRuleTimePeriodGroupId OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "An integer that uniquely identifies an ipSecRuleTimePeriod group. " ::= { ipSecRuleTimePeriodGroupEntry 2 } ipSecRuleTimePeriodGroupRuleTimePeriodId OBJECT-TYPE SYNTAX PolicyReferenceId STATUS current DESCRIPTION "An integer that identifies an ipSecRuleTimePeriod, specified by the ipSecRuleTimePeriodTable, that is included in this group." ::= { ipSecRuleTimePeriodGroupEntry 3 } END 4. Security Consideration Since COPS is used to carry the PIB defined in this document, the security and protection of the information can be provided by either COPS or a combination of COPS and IPSec. 5. 
5. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; neither does it represent
   that it has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found
   in BCP-11. Copies of claims of rights made available for
   publication and any assurances of licenses to be made available,
   or the result of an attempt made to obtain a general license or
   permission for the use of such proprietary rights by implementers
   or users of this specification can be obtained from the IETF
   Secretariat.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights which may cover technology that may be
   required to practice this standard. Please address the
   information to the IETF Executive Director.

6. References

   [AH]        S. Kent, R. Atkinson, "IP Authentication Header",
               RFC 2402, November 1998.

   [ARCH]      S. Kent, R. Atkinson, "Security Architecture for the
               Internet Protocol", RFC 2401, November 1998.

   [ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and
               Scheduling Core Object Specification (iCalendar)",
               RFC 2445, November 1998.

   [COPS]      J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan,
               A. Sastry, "The COPS (Common Open Policy Service)
               Protocol", RFC 2748, January 2000.

   [COPS-PR]   K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie,
               F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar,
               "COPS Usage for Policy Provisioning",
               draft-ietf-rap-cops-pr-02.txt, March 2000.

   [DOI]       D. Piper, "The Internet IP Security Domain of
               Interpretation for ISAKMP", RFC 2407, November 1998.

   [ESP]       S. Kent, R. Atkinson, "IP Encapsulating Security
               Payload (ESP)", RFC 2406, November 1998.

   [FR-PIB]    M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn,
               A. Smith, F. Reichmeyer, "Framework Policy Information
               Base", Internet Draft, March 2000.

   [IKE]       D. Harkins, D. Carrel, "The Internet Key Exchange
               (IKE)", RFC 2409, November 1998.

   [IPCOMP]    A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP
               Payload Compression Protocol (IPComp)", RFC 2393,
               August 1998.

   [IPSEC-IM]  J. Jason, "IPSec Configuration Policy Model",
               draft-ietf-ipsp-config-policy-model-00.txt, March 2000.

   [PCIM]      B. Moore, E. Ellesson, J. Strassner, "Policy Core
               Information Model -- Version 1 Specification",
               draft-ietf-policy-core-info-model-06.txt, May 2000.

   [SPPI]      K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Chan,
               A. Smith, F. Reichmeyer, "Structure of Policy
               Provisioning Information", draft-ietf-rap-sppi-00.txt,
               March 2000.

7. Authors' Addresses

   Man Li
   Nokia
   5 Wayside Road, Burlington, MA 01803
   Phone: +1 781 993 3923
   Email: man.m.li@nokia.com

   David Arneson
   Nokia
   5 Wayside Road, Burlington, MA 01803
   Phone: +1 781 993 3925
   Email: david.arneson@nokia.com

   Avri Doria
   Nortel Networks
   600 Technology Park Drive
   Billerica, MA 01821
   Phone: +1 401 663 5024
   Email: avri@nortelnetworks.com

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   Phone: +1 503 264 9531
   Fax: +1 503 264 9428
   Email: jamie.jason@intel.com
