| TOC |
|
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular this document describes a high-level Management Information Base for Group Domain of Interpretation (GDOI), which is used for secure group communication in Ipsec-based networks. This draft describes managed objects used for implementations of the GDOI protocol.].
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 31, 2010.
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.
1.
Introduction
2.
The Internet-Standard Management Framework
3.
Conventions
4.
Overview
5.
Structure of the MIB Module
5.1.
Textual Conventions
5.2.
The GDOI MIB Module Subtree
5.3.
The Notifications Subtree
5.4.
The Table Structures
6.
Relationship to Other MIB Modules
6.1.
Relationship to Other MIB
6.2.
MIB modules required for IMPORTS
7.
Definitions
8.
Security Considerations
9.
IANA Considerations
10.
Contributors
11.
References
11.1.
Normative References
11.2.
Informative References
| TOC |
This memo defines the Management Information Base (MIB) for use with network management protocols. In particular it defines objects for managing the Group Domain of Interpretation (GDOI) protocol, defined by RFC3547[RFC3547] (Baugher, M., Weis, B., Hardjono, T., and H. Harney, “The Group Domain of Interpretation,” July 2003.)used for secure group communication.
| TOC |
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410] (Case, J., Mundy, R., Partain, D., and B. Stewart, “Introduction and Applicability Statements for Internet-Standard Management Framework,” December 2002.).
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Structure of Management Information Version 2 (SMIv2),” April 1999.), STD 58, RFC 2579 [RFC2579] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Textual Conventions for SMIv2,” April 1999.) and STD 58, RFC 2580 [RFC2580] (McCloghrie, K., Perkins, D., and J. Schoenwaelder, “Conformance Statements for SMIv2,” April 1999.).
| TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
| TOC |
To support the management needs of IPsec-based networks, we have defined the GDOI MIB (module GDOI-MIB). The MIB defines a number of objects with enumeration syntax which refer to the numbers assigned by IANA to denote specific elements. The SNMP Management Framework presently consists of five major components:
The GDOI MIB module defined in this draft is used to manage network devices running a group-based key management protocol based on the GDOI standard. The MIB module supports management of two network entities, group member and key server. A GDOI group spans multiple devices in the network, and this GDOI MIB module can be used to model all the network entities that make up the GDOI group.
| TOC |
This section provides a view of the overall architecture, and describes the major MIB groups and table definitions.
| TOC |
The following new textual conventions are introduced: GdoiIdentificationType, GdoiIdentificationValue, GdoiKekSPI, GdoiIpProtocolId, GdoiKeyManagementAlgorithm, GdoiEncryptionAlgorithm, GdoiPseudoRandomFunction, GdoiIntegrityAlgorithm, GdoiSignatureMethod, GdoiDiffieHellmanGroup, GdoiEncapsulationMode, GdoiSecurityProtocol, GdoiTekSPI, GdoiKekStatus, GdoiTekStatus.
| TOC |
The following figure shows the organization of the GDOI MIB module and the dependencies among various objects. The objects at the bottom of the figure depend on the objects above them. Figure 1 shows which object of the GDOI MIB will be available for query by a network manager if only the group member resides on a networks box. Figure 2 shows the object that can be queried by the SNMP manager if only the key server is available on a box. Finally, Figure 3 shows the scenario in which both a group member and a key server reside on a box, and the MIB objects that can be queried.
--------------
| GDOI Group |
--------------
|
|
|
--------------
| Local GM |
--------------
|
| |
| |
| |
------------ ------------
| KEK SA | | TEK SA |
------------ ------------
Figure 1: GDOI MIB objects that are used when a group member
is on a box
--------------
| GDOI Group |
--------------
|
|
|
--------------
| Local KS |
--------------
|
| |
| |
| |
------------ ------------
| KEK SA | | TEK SA |
------------ ------------
Figure 2: GDOI MIB objects that are used when a key server is
on a box
--------------
| GDOI Group |
--------------
|
| |
| |
| |
| |
-------------- --------------
| Local KS | | Local GM |
-------------- --------------
| |
| | | |
| | | |
| | | |
------------ ------------ ------------ ------------
| KEK SA | | TEK SA | | KEK SA | | TEK SA |
------------ ------------ ------------ ------------
Figure 3: GDOI MIB objects that are used when a key server and a group
member ore n a box
The GDOI MIB module object definitions will be covered in Section 6.
| TOC |
Notifications are defined to inform the management station about changes that happen on the Group Member (GM) or the Key Server (KS). The gdoiKeyServerNotifs defines the KS notifications, which are sent when the following events happens on the KS:
The gdoiGmNotifs defines the GM notifications, which are sent after the occurrence of the following events:
| TOC |
The GDOI MIB module has the following tables:
| TOC |
This GDOI MIB module does not depend on any other MIB modules.
| TOC |
NA
| TOC |
The GDOI-STD-MIB module IMPORTS objects from SNMPv2-SMI [RFC2579] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Textual Conventions for SMIv2,” April 1999.), SNMPv2-TC [RFC2578] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Structure of Management Information Version 2 (SMIv2),” April 1999.), SNMPv2-CONF [RFC2580] (McCloghrie, K., Perkins, D., and J. Schoenwaelder, “Conformance Statements for SMIv2,” April 1999.).
| TOC |
-- *********************************************************************
--
-- GDOI-STD-MIB: MIB for Group Domain of Interpretation (GDOI)
--
-- March 2010 - Mike Hamada, Preethi Sundaradevan, Tanya Roosta
--
-- *********************************************************************
GDOI-STD-MIB DEFINITIONS ::= BEGIN
-- ------------------------------------------------------------------ --
-- GDOI MIB Imports & Decependencies
-- ------------------------------------------------------------------ --
IMPORTS
MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
FROM SNMPv2-CONF
MODULE-IDENTITY, NOTIFICATION-TYPE, OBJECT-TYPE, Counter32,
Unsigned32, mib-2
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, DisplayString
FROM SNMPv2-TC;
-- ------------------------------------------------------------------ --
-- GDOI MIB Module Identity
-- ------------------------------------------------------------------ --
gdoiStdMIB MODULE-IDENTITY
LAST-UPDATED "201002250545Z" -- February 25, 2010
ORGANIZATION "cisco Systems, Inc."
CONTACT-INFO
"Mike Hamada
cisco Systems, Inc.
Mail: 510 McCarthy Blvd.
SJC24/2/1
Milpitas, CA 95035
USA
Phone: +1 408 525 7473
Email: michamad@cisco.com
Preethi Sundaradevan
cisco Systems, Inc.
Mail: 510 McCarthy Blvd.
SJC24/2/1
Milpitas, CA 95035
USA
Phone: +1 408 424 4713
Email: prsundar@cisco.com
Tanya Roosta
cisco Systems, Inc.
Mail: 510 McCarthy Blvd.
SJC24/2/1
Milpitas, CA 95035
USA
Phone: +1 408 424 3051
Email: roosta@cisco.com"
DESCRIPTION
"This MIB module defines objects for managing the GDOI protocol.
Copyright (c) The IETF Trust (2010). This version of this MIB
module is part of RFC ????; see the RFC itself for full legal
notices."
REVISION "201002250545Z" -- February 25, 2010
DESCRIPTION "Initial version, published as RFC ????"
::= { mib-2 ??? }
-- ------------------------------------------------------------------ --
-- GDOI MIB Textual Conventions
-- ------------------------------------------------------------------ --
GdoiIdentificationType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the type of value used to
identify a GDOI entity (i.e. Group, Key Server, or Group
Member).
Following are the Identification Type Values:
ID Type Value
------- -----
RESERVED 0 -- Not Used
ID_IPV4_ADDR 1 -- ipv4Address
ID_FQDN 2 -- domainName
ID_RFC822_ADDR 3 -- userName
(ID_USER_FQDN)
ID_IPV4_ADDR_SUBNET 4 -- ipv4Subnet - Not in RFC 4306
ID_IPV6_ADDR 5 -- ipv6Address
ID_IPV6_ADDR_SUBNET 6 -- ipv6Subnet - Not in RFC 4306
ID_IPV4_ADDR_RANGE 7 -- ipv4Range - Not in RFC 4306
ID_IPV6_ADDR_RANGE 8 -- ipv6Range - Not in RFC 4306
ID_DER_ASN1_DN 9 -- caDistinguishedName
ID_DER_ASN1_GN 10 -- caGeneralName
ID_KEY_ID 11 -- groupNumber
Following are the mappings to the type values above:
'ipv4Address' : a single four (4) octet IPv4 address.
'domainName' : a fully-qualified domain name string. An
example is, 'example.com'. The string MUST not
contain any terminators (e.g., NULL, CR, etc.).
'userName' : a fully-qualified RFC 822 username or email
address string. An example is, 'jsmith@example.com'.
The string MUST not contain any terminators.
'ipv4Subnet' : a range of IPv4 addresses, represented by
two four (4) octet values concatenated together. The
first value is an IPv4 address. The second is an
IPv4 network mask. Note that ones (1s) in the network
mask indicate that the corresponding bit in the address
is fixed, while zeros (0s) indicate a 'wildcard' bit.
'ipv6Address' : a single sixteen (16) octet IPv6 address.
'ipv6Subnet' : a range of IPv6 addresses, represented by
two sixteen (16) octet values concatenated together.
The first value is an IPv6 address. The second is an
IPv network mask. Note that ones (1s) in the network
mask indicate that the corresponding bit in the address
is fixed, while zeros (0s) indicate a 'wildcard' bit.
'ipv4Range' : a range of IPv4 addresses, represented by
two four (4) octet values. The first value is the
beginning IPv4 address (inclusive) and the second
value is the ending IPv4 address (inclusive). All
addresses falling between the two specified addresses
are considered to be within the list.
'ipv6Range' : a range of IPv6 addresses, represented by
two sixteen (16) octet values. The first value is the
beginning IPv6 address (inclusive) and the second
value is the ending IPv6 address (inclusive). All
addresses falling between the two specified addresses
are considered to be within the list.
'caDistinguishedName' : the binary DER encoding of an ASN.1
X.500 Distinguished Name [X.501].
'caGeneralName' : the binary DER encoding of an ASN.1
X.500 GeneralName [X.509].
'groupNumber' : a four (4) octet group identifier."
REFERENCE
"IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol
Section: IPSEC Identification Type
http://www.iana.org/assignments/isakmp-registry
RFC 4306 - Section: 3.5. Identification Payloads"
SYNTAX INTEGER {
ipv4Address(1),
domainName(2),
userName(3),
ipv4Subnet(4),
ipv6Address(5),
ipv6Subnet(6),
ipv4Range(7),
ipv6Range(8),
caDistinguishedName(9),
caGeneralName(10),
groupNumber(11)
}
GdoiIdentificationValue ::= TEXTUAL-CONVENTION
DISPLAY-HINT "255d"
STATUS current
DESCRIPTION
"A textual convention indicating the actual value of used to
identify a GDOI entity (i.e. Group, Key Server, or Group
Member). The value of the GdoiIdentificationValue object can
be parsed based on the value of the associated
GdoiIdentificationType object.
The following GdoiIdentificationType values indicate that the
GdoiIdentificationValue object should be parsed as a binary
string of octets with the given lengths if a length is not
associated with the object:
ipv4Address(1) -- 4 octets
ipv4Subnet(4) -- 8 octets
ipv6Address(5) -- 16 octets
ipv6Subnet(6) -- 32 octets
ipv4Range(7) -- 8 octets
ipv6Range(8) -- 32 octets
groupNumber(11) -- 4 octets
The following GdoiIdentificationType values indicate that the
GdoiIdentificationValue object should be parsed as an ascii
string of characters. Note that a length MUST be associated
associated with the object in these cases:
domainName(2)
userName(3)
caDistinguishedName(9)
caGeneralName(10)
Note that the length of 48 octets was chosen because the
gdoiKsKekEntry, gdoiGmKekEntry, gdoiKsTekEntry, &
gdoiGmTekEntry will exceed the OID size limit of 255 octets
if this size is any larger than 48 octets."
REFERENCE
"IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol
Section: IPSEC Identification Type
http://www.iana.org/assignments/isakmp-registry
RFC 4306 - Section: 3.5. Identification Payloads"
SYNTAX OCTET STRING (SIZE (0..48))
GdoiKekSPI ::= TEXTUAL-CONVENTION
DISPLAY-HINT "16x"
STATUS current
DESCRIPTION
"A textual convention indicating a SPI (Security Parameter
Index) of sixteen (16) octets for a KEK. The SPI must be the
ISAKMP Header cookie pair where the first 8 octets become the
'Initiator Cookie' field of the GROUPKEY-PUSH message ISAKMP
HDR, and the second 8 octets become the 'Responder Cookie' in
the same HDR. These cookies are assigned by the Key Server."
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK Payload"
SYNTAX OCTET STRING (SIZE (16))
GdoiIpProtocolId ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the IP
Protocol being used for the rekey datagram. Some possible
values are:
ID Value ID Type
-------- -------
06 TCP -- ipProtocolTCP
17 UDP -- ipProtocolUDP"
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK Payload"
SYNTAX INTEGER {
ipProtocolUnknown(0),
ipProtocolTCP(1),
ipProtocolUDP(2)
}
GdoiKeyManagementAlgorithm ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the key/KEK
management algorithm being used to provide forward or
backward access control (i.e. used to exclude group
members).
Following are the possible KEK management algorithm values &
GdoiKeyManagementAlgorithm mappings:
KEK Management Type Value
------------------- -----
LKH 1 -- keyMgmtLkh"
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK Payload"
SYNTAX INTEGER {
keyMgmtNone(0),
keyMgmtLkh(1)
}
GdoiEncryptionAlgorithm ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
encryption algorithm being used.
Following are the possible updated encryption algorithm
values & GdoiEncryptionAlgorithm mappings after RFC 4306:
Encryption Algorithm Type Value
--------------------------------- -----
ENCR_DES_IV64 1 -- encrAlgDes64
ENCR_DES 2 -- encrAlgDes
ENCR_3DES 3 -- encrAlg3Des
ENCR_RC5 4 -- encrAlgRc5
ENCR_IDEA 5 -- encrAlgIdea
ENCR_CAST 6 -- encrAlgCast
ENCR_BLOWFISH 7 -- encrAlgBlowfish
ENCR_3IDEA 8 -- encrAlg3Idea
ENCR_DES_IV32 9 -- encrAlgDes32
ENCR_NULL 11 -- encrAlgNull
ENCR_AES_CBC 12 -- encrAlgAesCbc
ENCR_AES_CTR 13 -- encrAlgAesCtr
ENCR_AES-CCM_8 14 -- encrAlgAesCcm8
ENCR_AES-CCM_12 15 -- encrAlgAesCcm12
ENCR_AES-CCM_16 16 -- encrAlgAesCcm16
AES-GCM (8-octet ICV) 18 -- encrAlgAesGcm8
AES-GCM (12-octet ICV) 19 -- encrAlgAesGcm12
AES-GCM (16-octet ICV) 20 -- encrAlgAesGcm16
ENCR_NULL_AUTH_AES_GMAC 21
-- encrAlgNullAuthAesGmac
ENCR_CAMELLIA_CBC 23
-- encrAlgCamelliaCbc
ENCR_CAMELLIA_CTR 24
-- encrAlgCamelliaCtr
ENCR_CAMELLIA_CCM (8-octet ICV) 25
-- encrAlgCamelliaCcm8
ENCR_CAMELLIA_CCM (12-octet ICV) 26
-- encrAlgCamelliaCcm12
ENCR_CAMELLIA_CCM (16-octet ICV) 27
-- encrAlgCamelliaCcm16
Following are the possible ESP transform identifiers &
GdoiEncryptionAlgorithm mappings from RFC 2407:
IPsec ESP Transform ID Value
------------------------ -----
ESP_DES_IV64 1 -- encrAlgDes64
ESP_DES 2 -- encrAlgDes
ESP_3DES 3 -- encrAlg3Des
ESP_RC5 4 -- encrAlgRc5
ESP_IDEA 5 -- encrAlgIdea
ESP_CAST 6 -- encrAlgCast
ESP_BLOWFISH 7 -- encrAlgBlowfish
ESP_3IDEA 8 -- encrAlg3Idea
ESP_DES_IV32 9 -- encrAlgDes32
ESP_RC4 10 -- encrAlgRc4
ESP_NULL 11 -- encrAlgNull
ESP_AES-CBC 12 -- encrAlgAesCbc
ESP_AES-CTR 13 -- encrAlgAesCtr
ESP_AES-CCM_8 14 -- encrAlgAesCcm8
ESP_AES-CCM_12 15 -- encrAlgAesCcm12
ESP_AES-CCM_16 16 -- encrAlgAesCcm16
ESP_AES-GCM_8 18 -- encrAlgAesGcm8
ESP_AES-GCM_12 19 -- encrAlgAesGcm12
ESP_AES-GCM_16 20 -- encrAlgAesGcm16
ESP_SEED_CBC 21 -- encrAlgSeedCbc
ESP_CAMELLIA 22
-- encrAlgCamelliaCbc, Ctr, Ccm8, Ccm12, Ccm16
ESP_NULL_AUTH_AES-GMAC 23
-- encrAlgNullAuthAesGmac
Following are the possible KEK_ALGORITHM values specifying
the encyption algorithm used with a KEK &
GdoiEncryptionAlgorithm mappings from the GDOI RFC 3547:
Algorithm Type Value
-------------- -----
KEK_ALG_DES 1 -- encrAlgDes
KEK_ALG_3DES 2 -- encrAlg3Des
KEK_ALG_AES 3 -- encrAlgAesCbc"
REFERENCE
"IANA IKEv2 Parameters
Section: Encryption Algorithm Transform IDs
http://www.iana.org/assignments/ikev2-parameters
IANA 'Magic Numbers' for ISAMP Protocol
Section: IPSEC ESP Transform Identifiers
http://www.iana.org/assignments/isakmp-registry
RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
RFC 3547 - Section: 5.3.3. KEK_ALGORITHM
RFC 4306 - Section: 3.3.2. Transform Substructure
RFC 4106, 4309, 4543, 5282, 5529"
SYNTAX INTEGER {
encrAlgNone(0),
encrAlgDes64(1),
encrAlgDes(2),
encrAlg3Des(3),
encrAlgRc5(4),
encrAlgIdea(5),
encrAlgCast(6),
encrAlgBlowfish(7),
encrAlg3Idea(8),
encrAlgDes32(9),
encrAlgRc4(10),
encrAlgNull(11),
encrAlgAesCbc(12),
encrAlgAesCtr(13),
encrAlgAesCcm8(14),
encrAlgAesCcm12(15),
encrAlgAesCcm16(16),
encrAlgAesGcm8(18),
encrAlgAesGcm12(19),
encrAlgAesGcm16(20),
encrAlgNullAuthAesGmac(21),
encrAlgCamelliaCbc(23),
encrAlgCamelliaCtr(24),
encrAlgCamelliaCcm8(25),
encrAlgCamelliaCcm12(26),
encrAlgCamelliaCcm1(27),
encrAlgSeedCbc(28)
}
GdoiPseudoRandomFunction ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
pseudo-random function (PRF) being used.
Following are the possible updated PRF values &
GdoiPseudoRandomFunction mappings after RFC 4306:
Pseudo-Random Function Type Value
--------------------------------- -----
PRF_HMAC_MD5 1 -- prfMd5Hmac
PRF_HMAC_SHA1 2 -- prfSha1Hmac
PRF_HMAC_TIGER 3 -- prfTigerHmac
PRF_AES128_XCBC 4 -- prfAes128Xcbc
PRF_HMAC_SHA2_256 5 -- prfSha2Hmac256
PRF_HMAC_SHA2_384 6 -- prfSha2Hmac384
PRF_HMAC_SHA2_512 7 -- prfSha2Hmac512
PRF_AES128_CMAC 8 -- prfAes128Cmac
Following are the possible SIG_HASH_ALGORITHM values &
GdoiPseudoRandomFunction mappings from the GDOI RFC 3547:
Algorithm Type Value
-------------- -----
SIG_HASH_MD5 1 -- prfMd5Hmac
SIG_HASH_SHA1 2 -- prfSha1Hmac"
REFERENCE
"IANA IKEv2 Parameters
Section: Pseudo-random Function Transform IDs
http://www.iana.org/assignments/ikev2-parameters
RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM
RFC 4306 - Section: 3.3.2. Transform Substructure
RFC 4615, 4868"
SYNTAX INTEGER {
prfNone(0),
prfMd5Hmac(1),
prfSha1Hmac(2),
prfTigerHmac(3),
prfAes128Xcbc(4),
prfSha2Hmac256(5),
prfSha2Hmac384(6),
prfSha2Hmac512(7),
prfAes128Cmac(8)
}
GdoiIntegrityAlgorithm ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
integirty algorithm being used.
Following are the possible updated integrity algorithm
values & GdoiAuthenticationAlgorithm mappings after RFC 4306:
Integrity Algorithm Type Value
------------------------ -----
AUTH_HMAC_MD5_96 1 -- authAlgMd5Hmac96
AUTH_HMAC_SHA1_96 2 -- authAlgSha1Hmac96
AUTH_DES_MAC 3 -- authAlgDesMac
AUTH_KPDK_MD5 4 -- authAlgMd5Kpdk
AUTH_AES_XCBC_96 5 -- authAlgAesXcbc96
AUTH_HMAC_MD5_128 6 -- authAlgMd5Hmac128
AUTH_HMAC_SHA1_160 7 -- authAlgSha1Hmac160
AUTH_AES_CMAC_96 8 -- authAlgAesCmac96
AUTH_AES_128_GMAC 9 -- authAlgAes128Gmac
AUTH_AES_192_GMAC 10 -- authAlgAes192Gmac
AUTH_AES_256_GMAC 11 -- authAlgAes256Gmac
AUTH_HMAC_SHA2_256_128 12 -- authAlgSha2Hmac256to128
AUTH_HMAC_SHA2_384_192 13 -- authAlgSha2Hmac384to192
AUTH_HMAC_SHA2_512_256 14 -- authAlgSha2Hmac512to256
Following are the possible legacy authentication algorithm
values & GdoiAuthenticationAlgorithm mappings from RFC 2407:
Algorithm Type Value
-------------- -----
HMAC-MD5 1 -- authAlgMd5Hmac96
HMAC-SHA 2 -- authAlgSha1Hmac96
DES-MAC 3 -- authAlgDesMac
KPDK 4 -- authAlgMd5Kpdk"
REFERENCE
"IANA IKEv2 Parameters
Section: Integrity Algorithm Transform IDs
http://www.iana.org/assignments/ikev2-parameters
RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM
RFC 4306 - Section: 3.3.2. Transform Substructure
RFC 4494, 4543, 4595, 4868"
SYNTAX INTEGER {
authAlgNone(0),
authAlgMd5Hmac96(1),
authAlgSha1Hmac96(2),
authAlgDesMac(3),
authAlgMd5Kpdk(4),
authAlgAesXcbc96(5),
authAlgMd5Hmac128(6),
authAlgSha1Hmac160(7),
authAlgAesCmac96(8),
authAlgAes128Gmac(9),
authAlgAes192Gmac(10),
authAlgAes256Gmac(11),
authAlgSha2Hmac256to128(12),
authAlgSha2Hmac384to192(13),
authAlgSha2Hmac512to256(14)
}
GdoiSignatureMethod ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
integirty algorithm being used.
Following are the possible updated authentication method
values & GdoiSignatureMethod mappings after RFC 4306:
Authentication Method Value
----------------------------------- -----
RSA Digital Signature 1 -- sigRsa
Shared Key Message Integrity Code 2 -- sigSharedKey
DSS Digital Signature 3 -- sigDss
ECDSA w/ SHA-256 (P-256 curve) 9 -- sigEcdsa256
ECDSA w/ SHA-384 (P-384 curve) 10 -- sigEcdsa384
ECDSA w/ SHA-512 (P-521 curve) 11 -- sigEcdsa512
Following are the possible legacy IPsec authentication method
values & GdoiSignatureMethod mappings from RFC 2409:
Authentication Method Value
-------------------------------- -----
Pre-Shared Key 1 -- sigSharedKey
DSS Signature 2 -- sigDss
RSA Signature 3 -- sigRsa
Encryption w/ RSA 4 -- sigEncryptRsa
Revised Encryption w/ RSA 5 -- sigRevEncryptRsa
ECDSA w/ SHA-256 (P-256 curve) 9 -- sigEcdsa256
ECDSA w/ SHA-384 (P-384 curve) 10 -- sigEcdsa384
ECDSA w/ SHA-512 (P-521 curve) 11 -- sigEcdsa512
Following are the possible POP algorithm values &
GdoiSignatureMethod mappings from the GDOI RFC 3547:
Algorithm Type Value
-------------- -----
POP_ALG_RSA 1 -- sigRsa
POP_ALG_DSS 2 -- sigDss
POP_ALG_ECDSS 3 -- sigEcdsa256, 384, 512
Following are the possible SIG_ALGORITHM values &
GdoiSignatureMethod mappings from the GDOI RFC 3547:
Algorithm Type Value
-------------- -----
SIG_ALG_RSA 1 -- sigRsa
SIG_ALG_DSS 2 -- sigDss
SIG_ALG_ECDSS 3 -- sigEcdsa256, 384, 512"
REFERENCE
"IANA IKEv2 Parameters
Section: Integrity Algorithm Transform IDs
http://www.iana.org/assignments/ikev2-parameters
RFC 2409 - Section: Appendix A. Authentication Method
RFC 3547 - Sections: 5.3. SA KEK payload
5.3.7. SIG_ALGORITHM
RFC 4306 - Section: 3.8. Authentication Payload
RFC 4754"
SYNTAX INTEGER {
sigNone(0),
sigRsa(1),
sigSharedKey(2),
sigDss(3),
sigEncryptRsa(4),
sigRevEncryptRsa(5),
sigEcdsa256(9),
sigEcdsa384(10),
sigEcdsa512(11)
}
GdoiDiffieHellmanGroup ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
Diffie-Hellman Group being used.
Following are the possible updated Diffie-Hellman Group
values & GdoiDiffieHellmanGroup mappings after RFC 4306:
Diffie-Hellman Group Type Value
------------------------- -----
NONE 0 -- dhNone
Group 1 - 768 Bit MODP 1 -- dhGroup1
Group 2 - 1024 Bit MODP 2 -- dhGroup2
1536-bit MODP Group 5 -- dh1536Modp
2048-bit MODP Group 14 -- dh2048Modp
3072-bit MODP Group 15 -- dh3072Modp
4096-bit MODP Group 16 -- dh4096Modp
6144-bit MODP Group 17 -- dh6144Modp
8192-bit MODP Group 18 -- dh8192Modp
256-bit random ECP group 19 -- dhEcp256
84-bit random ECP group 20 -- dhEcp84
521-bit random ECP group 21 -- dhEcp521
1024-bit MODP w/ 160-bit 22 -- dh1024Modp160
Prime Order Subgroup
2048-bit MODP w/ 224-bit 23 -- dh2048Modp224
Prime Order Subgroup
2048-bit MODP w/ 256-bit 24 -- dh2048Modp256
Prime Order Subgroup
192-bit Random ECP Group 25 -- dhEcp192
224-bit Random ECP Group 26 -- dhEcp224
Following are the possible legacy Diffie-Hellman Group
values & GdoiDiffieHellmanGroup mappings from RFC 2409:
Diffie-Hellman Group Type Value
------------------------- -----
Group 1 - 768 Bit MODP 1 -- dhGroup1
Group 2 - 1024 Bit MODP 2 -- dhGroup2
EC2N group on GP[2^155] 3 -- dhEc2nGp155
EC2N group on GP[2^185] 4 -- dhEc2nGp185"
REFERENCE
"IANA IKEv2 Parameters
Section: Diffie-Hellman Group Transform IDs
http://www.iana.org/assignments/ikev2-parameters
RFC 2409 - Sections: 6.1. First Oakley Default Group
6.2. Second Oakley Default Group
6.3. Third Oakley Default Group
6.4. Fourth Oakley Default Group"
SYNTAX INTEGER {
dhNone(0),
dhGroup1(1),
dhGroup2(2),
dhEc2nGp155(3),
dhEc2nGp185(4),
dh1536Modp(5),
dh2048Modp(14),
dh3072Modp(15),
dh4096Modp(16),
dh6144Modp(17),
dh8192Modp(18),
dhEcp256(19),
dhEcp84(20),
dhEcp521(21),
dh1024Modp160(22),
dh2048Modp224(23),
dh2048Modp256(24),
dhEcp192(25),
dhEcp224(26)
}
GdoiEncapsulationMode ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
Encapsulation Mode being used.
Following are the possible Encapsulation Mode
values & GdoiEncapsulationMode mappings from RFC 2407:
Encapsulation Mode Value
---------------------------- -----
Tunnel 1 -- encapTunnel
Transport 2 -- encapTransport
UDP-Encapsulated-Tunnel 3 -- encapUdpTunnel
UDP-Encapsulated-Transport 4 -- encapUdpTransport"
REFERENCE
"IANA 'Magic Numbers' for ISAKMP Protocol
Section: Encapsulation Mode
http://www.iana.org/assignments/isakmp-registry
RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
RFC 3947"
SYNTAX INTEGER {
encapUnknown(0),
encapTunnel(1),
encapTransport(2),
encapUdpTunnel(3),
encapUdpTransport(4)
}
GdoiSecurityProtocol ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the identifier of the
Security Protocol being used.
Following are the possible Security Protocol ID
values & GdoiSecurityProtocol mappings from the
GDOI RFC 3547:
Security Protocol ID Value
---------------------- -----
GDOI_PROTO_IPSEC_ESP 1 -- secProtocolIpsecEsp"
REFERENCE
"RFC 3547 - Section: 5.4. SA TEK Payload"
SYNTAX INTEGER {
secProtocolUnknown(0),
secProtocolIpsecEsp(1)
}
GdoiTekSPI ::= TEXTUAL-CONVENTION
DISPLAY-HINT "4x"
STATUS current
DESCRIPTION
"A textual convention indicating a SPI (Security Parameter
Index) of four (4) octets for a TEK using ESP."
REFERENCE
"RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
SYNTAX OCTET STRING (SIZE (16))
GdoiKekStatus ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the status of a GDOI KEK and
its corresponding Security Association (SA).
'inUse' : KEK currently being used to encrypt new KEK/TEKs
'new' : KEK currently being sent to all peers
'old' : KEK that has expired and is no longer being used"
SYNTAX INTEGER {
inUse(1),
new(2),
old(3)
}
GdoiTekStatus ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A textual convention indicating the status of a GDOI TEK and
its corresponding Security Association (SA).
'inbound' : TEK is being used as inbound (receive) SA
'outbound' : TEK is being used as outbound (transmit) SA
'notInUse' : TEK is no longer being used"
SYNTAX INTEGER {
inbound(1),
outbound(2),
notInUse(3)
}
Unsigned16 ::= TEXTUAL-CONVENTION
DISPLAY-HINT "2d"
STATUS current
DESCRIPTION
"A textual convention indicating a 16-bit unsigned integer
value."
SYNTAX OCTET STRING (SIZE (2))
-- ------------------------------------------------------------------ --
-- GDOI MIB Groups
-- ------------------------------------------------------------------ --
gdoiMIBNotifications OBJECT IDENTIFIER ::= { gdoiStdMIB 0 }
gdoiMIBObjects OBJECT IDENTIFIER ::= { gdoiStdMIB 1 }
gdoiMIBConformance OBJECT IDENTIFIER ::= { gdoiStdMIB 2 }
-- ------------------------------------------------------------------ --
-- GDOI MIB Notifications
-- ------------------------------------------------------------------ --
-- *---------------------------------------------------------------- --
-- * GDOI Key Server (KS) Notifications
-- *---------------------------------------------------------------- --
gdoiKeyServerNewRegistration NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A notification from a Key Server sent when a new Group
Member registers to a GDOI Group. This is equivalent to a
Key Server receiving the first message of a GROUPKEY-PULL
exchange from a Group Member."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3. GROUPKEY-PULL Exchange
3.4. Receiver Operations"
::= { gdoiMIBNotifications 1 }
gdoiKeyServerRegistrationComplete NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A notification from a Key Server sent when a Group Member
has successfully registered to itself. This is equivalent
to a Key Server sending the last message of a GROUPKEY-PULL
exchange to the Group Member currently registering
containing KEKs, TEKs, and their associated policies."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3. GROUPKEY-PULL Exchange
3.4. Receiver Operations"
::= { gdoiMIBNotifications 2 }
gdoiKeyServerRekeyPushed NOTIFICATION-TYPE
OBJECTS {
gdoiKeyServerRekeysPushed
}
STATUS current
DESCRIPTION
"A notification from a Key Srver sent when a GROUPKEY-PUSH
message is sent to refresh KEK(s) and or TEK(s). A rekey
is sent periodically by a Key Server based on a configured
time to the Group Members registered to its GDOI Group."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
4. GROUPKEY-PUSH Message
4.7. GCKS Operations"
::= { gdoiMIBNotifications 3 }
gdoiKeyServerNoRsaKeys NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An error notification from a Key Server sent when an RSA key
is not setup. Each Key Server and Group Member needs to have
an RSA key established. The Key Server signs the TEK rekeys
using this RSA key, also called a Key Encryption Key (KEK).
The Group Member verifies the authenticity of the TEK rekey
using this RSA key."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
4.7. GCKS Operations"
::= { gdoiMIBNotifications 4 }
-- *---------------------------------------------------------------- --
-- * GDOI Group Member (GM) Notifications
-- *---------------------------------------------------------------- --
gdoiGmRegister NOTIFICATION-TYPE
OBJECTS {
gdoiGmRegKeyServerIdType,
gdoiGmRegKeyServerIdValue
}
STATUS current
DESCRIPTION
"A notification from a Group Member when it is starting to
register with its GDOI Group's Key Server. Registration
includes downloading keying & security assosiation material.
This is equivalent to a Group Member or Initiator sending the
first message of a GROUPKEY-PULL exchange to its Group's Key
Server."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3. GROUPKEY-PULL Exchange
3.3. Initiator Operations"
::= { gdoiMIBNotifications 5 }
gdoiGmRegistrationComplete NOTIFICATION-TYPE
OBJECTS {
gdoiGmRegKeyServerIdType,
gdoiGmRegKeyServerIdValue
}
STATUS current
DESCRIPTION
"A notification from a Group Member when it has successfully
registered with a Key Server in its GDOI Group. This is
equivalent to a Group Member receiving the last message of
a GROUPKEY-PULL exchange from the Key Server containing
KEKs, TEKs, and their associated policies."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3. GROUPKEY-PULL Exchange
3.3. Initiator Operations"
::= { gdoiMIBNotifications 6 }
gdoiGmReRegister NOTIFICATION-TYPE
OBJECTS {
gdoiGmRegKeyServerIdType,
gdoiGmRegKeyServerIdValue
}
STATUS current
DESCRIPTION
"A notification from a Group Member when it is starting to
re-register with a Key Server in its GDOI Group. A Group
Member needs to re-register to the key server if its keying &
security association material has expired and it has not
received a rekey from the key server to refresh the material.
This is equivalent to a Group Member sending the first
message of a GROUPKEY-PULL exchange to the Key Server of a
Group it is already registered with."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3. GROUPKEY-PULL Exchange
3.3. Initiator Operations"
::= { gdoiMIBNotifications 7 }
gdoiGmRekeyReceived NOTIFICATION-TYPE
OBJECTS {
gdoiGmRegKeyServerIdType,
gdoiGmRegKeyServerIdValue,
gdoiGmRekeysReceived
}
STATUS current
DESCRIPTION
"A notification from a Group Member when it has successfully
received and processed a rekey from a Key Server in its GDOI
Group. Periodically the key server sends a rekey to refresh
the keying & security association material. This is
equivalent to a Group Member receiving a GROUPKEY-PUSH
message from the Key Server of the Group it is already
registered with."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
4. GROUPKEY-PUSH Message
4.8. Group Member Operations"
::= { gdoiMIBNotifications 8 }
gdoiGmIncompleteCfg NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An error notification from a Group Member when there is
necessary information missing from the policy/configuration
of a Group Member on an interface when it tries to register
with a Key Server in its GDOI Group. If the GDOI Group
configuration is not complete on a Group Member, it will not
be able to register to the Key Server."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3. GROUPKEY-PULL Exchange
3.3. Initiator Operations"
::= { gdoiMIBNotifications 9 }
gdoiGmNoIpSecFlows NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An error notification from a Group Member when no more
security associations can be installed after receiving its
keying & security association material. When the Group
Member receives the security association materials, it has
to install the cryptographic keys and policies. If there
is not enough memory to install these materials, there will
be an error thrown."
::= { gdoiMIBNotifications 10 }
gdoiGmRekeyFailure NOTIFICATION-TYPE
OBJECTS {
gdoiGmRegKeyServerIdType,
gdoiGmRegKeyServerIdValue,
gdoiGmRekeysReceived
}
STATUS current
DESCRIPTION
"An error notification from a Group Member when it is unable
to successfully process and install a rekey (GROUPKEY-PUSH
message) sent by the Key Server in its Group that it is
registered with."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
4. GROUPKEY-PUSH Message
4.8. Group Member Operations"
::= { gdoiMIBNotifications 11 }
-- ------------------------------------------------------------------ --
-- GDOI MIB Management Objects
-- ------------------------------------------------------------------ --
--
-- *---------------------------------------------------------------- --
-- * The GDOI "Group" Table
-- *---------------------------------------------------------------- --
gdoiGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information regarding GDOI Groups in use on
the network device being queried."
::= { gdoiMIBObjects 1 }
gdoiGroupEntry OBJECT-TYPE
SYNTAX GdoiGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing GDOI Group information, uniquely
identified by the GDOI Group ID."
REFERENCE
"RFC 3547 - Sections: 5.1.1. Identification Type Values
5.1.1.1. ID_KEY_ID
RFC 4306 - Section: 3.5. Identification Payloads"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue
}
::= { gdoiGroupTable 1 }
GdoiGroupEntry ::= SEQUENCE {
gdoiGroupIdType GdoiIdentificationType,
gdoiGroupIdLength Unsigned32,
gdoiGroupIdValue GdoiIdentificationValue,
gdoiGroupName DisplayString
}
gdoiGroupIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The Identification Type Value used to parse a GDOI Group ID.
The GDOI RFC 3547 defines the types that can be used as a
GDOI Group ID, and RFC 4306 defines all valid types that can
be used as an identifier. This Group ID type is sent as the
'ID Type' field of the Identification Payload for a GDOI
GROUPKEY-PULL exchange."
REFERENCE
"RFC 3547 - Sections: 5.1.1. Identification Type Values
5.1.1.1. ID_KEY_ID
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGroupEntry 1 }
gdoiGroupIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of a Group ID. If no
length is given (i.e. it has a value of 0), the default
length of its gdoiGroupIdType should be used as long as it
is not reprsented by an ASCII string. If the value has a
type that is represented by an ASCII string, a length MUST
be included. If the length given is not 0, it should match
the 'Payload Length' (subtracting the generic header length)
of the Identification Payload for a GDOI GROUPKEY-PULL
exchange."
REFERENCE
"RFC 3547 - Sections: 5.1.1. Identification Type Values
5.1.1.1. ID_KEY_ID
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGroupEntry 2 }
gdoiGroupIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of a Group ID with its type indicated by the
gdoiGroupIdType. Use the gdoiGroupIdType to parse the Group
ID correctly. This Group ID value is sent as the
'Identification Data' field of the Identification Payload
for a GDOI GROUPKEY-PULL exchange."
REFERENCE
"RFC 3547 - Sections: 5.1.1. Identification Type Values
5.1.1.1. ID_KEY_ID
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGroupEntry 3 }
gdoiGroupName OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The string-readable name configured for or given to a GDOI
Group."
::= { gdoiGroupEntry 4 }
-- *---------------------------------------------------------------- --
-- * GDOI MIB Management Object Groups
-- *---------------------------------------------------------------- --
gdoiPeers OBJECT IDENTIFIER ::= { gdoiMIBObjects 2 }
gdoiSecAssociations OBJECT IDENTIFIER ::= { gdoiMIBObjects 3 }
-- *---------------------------------------------------------------- --
-- * The GDOI "Peers" Group
-- *---------------------------------------------------------------- --
--
-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS)" Table
-- #-------------------------------------------------------------- --
gdoiKeyServerTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiKeyServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information for the GDOI group from the perspective
of the Key Servers (GCKSs) on the network device being
queried."
::= { gdoiPeers 1 }
gdoiKeyServerEntry OBJECT-TYPE
SYNTAX GdoiKeyServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing GDOI Key Server (KS) information,
uniquely identified by the Group & Key Server IDs."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3.4. Receiver Operations
4.7. GCKS Operations"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue,
gdoiKeyServerIdType,
gdoiKeyServerIdValue
}
::= { gdoiKeyServerTable 1 }
GdoiKeyServerEntry ::= SEQUENCE {
gdoiKeyServerIdType GdoiIdentificationType,
gdoiKeyServerIdLength Unsigned32,
gdoiKeyServerIdValue GdoiIdentificationValue,
gdoiKeyServerActiveKEK GdoiKekSPI,
gdoiKeyServerRekeysPushed Counter32
}
gdoiKeyServerIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for a Key Server. RFC 4306 defines all valid
types that can be used as an identifier. These
identification types are sent as the 'SRC ID Type' and 'DST
ID Type' of the KEK and TEK payloads for GDOI GROUPKEY-PULL
and GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiKeyServerEntry 1 }
gdoiKeyServerIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of a Key Server ID. If no
length is given (i.e. it has a value of 0), the default
length of its gdoiKeyServerIdType should be used as long as
it is not reprsented by an ASCII string. If the value has a
type that is represented by an ASCII string, a length MUST
be included. If the length given is not 0, it should match
the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in
the KEK and TEK payloads for GDOI GROUPKEY-PULL and
GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKeyServerEntry 2 }
gdoiKeyServerIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of the identity information for a Key Server with
its type indicated by the gdoiKeyServerIdType. Use the
gdoiKeyServerIdType to parse the Key Server ID correctly.
This Key Server ID value is sent as the 'SRC
Identification Data' and 'DST Identification Data' of the
KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKeyServerEntry 3 }
gdoiKeyServerActiveKEK OBJECT-TYPE
SYNTAX GdoiKekSPI
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The SPI of the Key Encryption Key (KEK) that is currently
being used by the Key Server to encrypt the GROUPKEY-PUSH
keying & security association material sent to the Key
Server's registered Group Members."
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK payload"
::= { gdoiKeyServerEntry 4 }
gdoiKeyServerRekeysPushed OBJECT-TYPE
SYNTAX Counter32
UNITS "GROUPKEY-PUSH Messages"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The sequence number of the last rekey sent from the Key
Server to its registered Group Members for this GDOI group."
REFERENCE
"RFC 3547 - Sections: 3.2. Messages
3.4. Receiver Operations
4. GROUPKEY-PUSH Message
4.7. GCKS Operations
5.6. Sequence Number Payload"
::= { gdoiKeyServerEntry 5 }
-- #-------------------------------------------------------------- --
-- # The GDOI "Group Members" Table
-- #-------------------------------------------------------------- --
gdoiGmTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiGmEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information regarding GDOI Group Members (GMs)
locally configured on the network device being queried. Note
that Local Group Members may or may not be registered to a
Key Server in its GDOI Group on the same network device being
queried."
::= { gdoiPeers 2 }
gdoiGmEntry OBJECT-TYPE
SYNTAX GdoiGmEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing Local GDOI Group Member information,
uniquely identified by Group & GM IDs. Because the Group
Member is Local to the network device being queried, TEKs
installed for this Group Member can be queried as well."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3.3. Initiator Operations
4.8. Group Member Operations"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue,
gdoiGmIdType,
gdoiGmIdValue
}
::= { gdoiGmTable 1 }
GdoiGmEntry ::= SEQUENCE {
gdoiGmIdType GdoiIdentificationType,
gdoiGmIdLength Unsigned32,
gdoiGmIdValue GdoiIdentificationValue,
gdoiGmRegKeyServerIdType GdoiIdentificationType,
gdoiGmRegKeyServerIdLength Unsigned32,
gdoiGmRegKeyServerIdValue GdoiIdentificationValue,
gdoiGmActiveKEK GdoiKekSPI,
gdoiGmRekeysReceived Counter32
}
gdoiGmIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for a Initiator or Group Member. RFC 4306
defines all valid types that can be used as an identifier.
These identification types are sent as the 'SRC ID Type' and
'DST ID Type' of the KEK and TEK payloads for GDOI
GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGmEntry 1 }
gdoiGmIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of a Group Member ID. If
no length is given (i.e. it has a value of 0), the default
length of its gdoiGmIdType should be used as long as
it is not reprsented by an ASCII string. If the value has a
type that is represented by an ASCII string, a length MUST
be included. If the length given is not 0, it should match
the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in
the KEK and TEK payloads for GDOI GROUPKEY-PULL and
GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmEntry 2 }
gdoiGmIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of the identity information for a Group Member with
its type indicated by the gdoiGmIdType. Use the
gdoiGmIdType to parse the Group Member ID correctly.
This Group Member ID value is sent as the 'SRC
Identification Data' and 'DST Identification Data' of the
KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmEntry 3 }
gdoiGmRegKeyServerIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information of this Group Member's registered Key Server.
RFC 4306 defines all valid types that can be used as an
identifier. These identification types are sent as the 'SRC
ID Type' and 'DST ID Type' of the KEK and TEK payloads for
GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGmEntry 4 }
gdoiGmRegKeyServerIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the registered Key
Server's ID. If no length is given (i.e. it has a value
of 0), the default length of its gdoiGmRegKeyServerIdType
should be used as long as it is not reprsented by an ASCII
string. If the value has a type that is represented by an
ASCII string, a length MUST be included. If the length given
is not 0, it should match the 'SRC ID Data Len' and 'DST ID
Data Len' fields sent in the KEK and TEK payloads for GDOI
GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmEntry 5 }
gdoiGmRegKeyServerIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for this Group Member's
registered Key Server with its type indicated by the
gdoiGmRegKeyServerIdType. Use the
gdoiGmRegKeyServerIdType to parse the registered Key
Server's ID correctly. This Key Server ID value is sent as
the 'SRC Identification Data' and 'DST Identification Data'
of the KEK and TEK payloads for GDOI GROUPKEY-PULL and
GROUPKEY-PUSH exchanges."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmEntry 6 }
gdoiGmActiveKEK OBJECT-TYPE
SYNTAX GdoiKekSPI
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The SPI of the Key Encryption Key (KEK) that is currently
being used by the Group Member to authenticate & decrypt a
rekey from a GROUPKEY-PUSH message."
::= { gdoiGmEntry 7 }
gdoiGmRekeysReceived OBJECT-TYPE
SYNTAX Counter32
UNITS "GROUPKEY-PUSH Messages"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The sequence number of the last rekey successfully received
from this Group Member's registered Key Server."
REFERENCE
"RFC 3547 - Sections: 3.2. Messages
3.3. Initiator Operations
4. GROUPKEY-PUSH Message
4.8. Group Member Operations
5.6. Sequence Number Payload"
::= { gdoiGmEntry 8 }
-- *---------------------------------------------------------------- --
-- * The GDOI "Security Associations (SA)" Group
-- *---------------------------------------------------------------- --
--
-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS) KEK Policy/SA" Table
-- #-------------------------------------------------------------- --
gdoiKsKekTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiKsKekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information regarding GDOI Key Encryption Key
(KEK) Policies & Security Associations (SAs) currently
configured/installed for GDOI entities acting as Key Servers
on the network device being queried. There is one entry in
this table for each KEK Policy/SA that has been
configured/installed. Each KEK Policy/SA is uniquely
identified by a SPI at any given time."
::= { gdoiSecAssociations 1 }
gdoiKsKekEntry OBJECT-TYPE
SYNTAX GdoiKsKekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the attributes associated with a GDOI KEK
Policy/SA, uniquely identified by the Group ID, Key Server
ID, & SPI value assigned by the given Key Server to the KEK.
There will be at least one KEK Policy/SA entry for each Key
Server & two KEK Policy/SA entries for a given Key Server
only during a KEK rekey when a new KEK is created/installed.
The KEK SPI is unique for every KEK for a given Key Server."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3.2. Messages
4. GROUPKEY-PUSH Message
5.3. SA KEK Payload
5.3.1. KEK Attributes
5.5. Key Download Payload"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue,
gdoiKeyServerIdType,
gdoiKeyServerIdValue,
gdoiKsKekSPI
}
::= { gdoiKsKekTable 1 }
GdoiKsKekEntry ::= SEQUENCE {
gdoiKsKekSPI GdoiKekSPI,
gdoiKsKekSrcIdType GdoiIdentificationType,
gdoiKsKekSrcIdLength Unsigned32,
gdoiKsKekSrcIdValue GdoiIdentificationValue,
gdoiKsKekSrcIdPort Unsigned16,
gdoiKsKekDstIdType GdoiIdentificationType,
gdoiKsKekDstIdLength Unsigned32,
gdoiKsKekDstIdValue GdoiIdentificationValue,
gdoiKsKekDstIdPort Unsigned16,
gdoiKsKekRekeyIdType GdoiIdentificationType,
gdoiKsKekRekeyIdLength Unsigned32,
gdoiKsKekRekeyIdValue GdoiIdentificationValue,
gdoiKsKekIpProtocol GdoiIpProtocolId,
gdoiKsKekPopAlg GdoiSignatureMethod,
gdoiKsKekPopKeyLength Unsigned32,
gdoiKsKekMgmtAlg GdoiKeyManagementAlgorithm,
gdoiKsKekEncryptAlg GdoiEncryptionAlgorithm,
gdoiKsKekEncryptKeyLength Unsigned32,
gdoiKsKekSigHashAlg GdoiPseudoRandomFunction,
gdoiKsKekSigAlg GdoiSignatureMethod,
gdoiKsKekSigKeyLength Unsigned32,
gdoiKsKekOakleyGroup GdoiDiffieHellmanGroup,
gdoiKsKekOriginalLifetime Unsigned32,
gdoiKsKekRemainingLifetime Unsigned32,
gdoiKsKekStatus GdoiKekStatus
}
gdoiKsKekSPI OBJECT-TYPE
SYNTAX GdoiKekSPI
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of the Security Parameter Index (SPI) of a KEK
Policy/SA. The SPI must be the ISAKMP Header cookie pair
where the first 8 octets become the 'Initiator Cookie' field
of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8
octets become the 'Responder Cookie' in the same HDR. As
described above, these cookies are assigned by the GCKS."
::= { gdoiKsKekEntry 1 }
gdoiKsKekSrcIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the source of a KEK Policy/SA. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'SRC ID Type' of
the KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiKsKekEntry 2 }
gdoiKsKekSrcIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the source ID of
a KEK Policy/SA. If no length is given (i.e. it has a value
of 0), the default length of its gdoiKsKekSrcIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'SRC ID Data Len' field sent in the KEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 3 }
gdoiKsKekSrcIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the source of
a KEK Policy/SA with its type indicated by the
gdoiKsKekSrcIdType. Use the gdoiKsKekSrcIdType to parse the
KEK Source ID correctly. This ID value is sent as the 'SRC
Identification Data' of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 4 }
gdoiKsKekSrcIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the source ID of
a KEK Policy/SA. A value of zero means that the port should
be ignored. This port value is sent as the `SRC ID Port`
field of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 5 }
gdoiKsKekDstIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the dest. of a KEK Policy/SA. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'DST ID Type' of
the KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiKsKekEntry 6 }
gdoiKsKekDstIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the destination ID of
a KEK Policy/SA. If no length is given (i.e. it has a value
of 0), the default length of its gdoiKsKekDstIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'DST ID Data Len' field sent in the KEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 7 }
gdoiKsKekDstIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the destination of
a KEK Policy/SA with its type indicated by the
gdoiKsKekDstIdType. Use the gdoiKsKekDstIdType to parse the
KEK Dest. ID correctly. This ID value is sent as the 'DST
Identification Data' of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 8 }
gdoiKsKekDstIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the dest. ID of
a KEK Policy/SA. A value of zero means that the port should
be ignored. This port value is sent as the `DST ID Port`
field of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 9 }
gdoiKsKekRekeyIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the multicast rekey address for this KEK and
associated subsequent KEKs/TEKs. RFC 4306
defines all valid types that can be used as an identifier."
REFERENCE
"RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
::= { gdoiKsKekEntry 10 }
gdoiKsKekRekeyIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the multicast rekey
address for this KEK and associated subsequent KEKs/TEKs.
If no length is given (i.e. it has a value of 0), the default
length of its gdoiKsKekRekeyIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included."
REFERENCE
"RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
::= { gdoiKsKekEntry 11 }
gdoiKsKekRekeyIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the multicast rekey
address of this KEK and associated subsequent KEKs/TEKs.
Use the gdoiKsKekRekeyIdType to parse the multicast rekey
address correctly."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 12 }
gdoiKsKekIpProtocol OBJECT-TYPE
SYNTAX GdoiIpProtocolId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the IP protocol ID (e.g. UDP/TCP) being used
for the rekey datagram."
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 13 }
gdoiKsKekPopAlg OBJECT-TYPE
SYNTAX GdoiSignatureMethod
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Proof of Posession (POP) payload algorithm,
which is an authentication signature method. If no POP
algorithm is defined by the KEK Policy/SA, the value must be
zero (0). The POP payload demonstrates that the member or
GCKS has used the very secret that authenticates it.
Following are the POP payload algorithm values defined in the
GDOI RFC 3547, however the GdoiSignatureMethod TC defines all
possible values.
Algorithm Type Value
--------------- -----
RESERVED 0
POP_ALG_RSA 1
POP_ALG_DSS 2
POP_ALG_ECDSS 3
RESERVED 4-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Sections: 3.2. Messages
5.3. SA KEK payload
5.7. Proof of Possession"
::= { gdoiKsKekEntry 14 }
gdoiKsKekPopKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the length of the POP payload key. If no POP
algorithm is defined in the KEK Policy/SA, the value must
be zero (0)."
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK payload"
::= { gdoiKsKekEntry 15 }
gdoiKsKekMgmtAlg OBJECT-TYPE
SYNTAX GdoiKeyManagementAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_MANAGEMENT_ALGORITHM which specifies
the group KEK management algorithm used to provide forward
or backward access control (i.e. used to exclude group
members).
KEK Management Type Value
------------------- -----
RESERVED 0
LKH 1
RESERVED 2-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM"
::= { gdoiKsKekEntry 16 }
gdoiKsKekEncryptAlg OBJECT-TYPE
SYNTAX GdoiEncryptionAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_ALGORITHM which specifies the
encryption algorithm used with the KEK Policy/SA. A GDOI
implementaiton must support KEK_ALG_3DES.
Following are the KEK encryption algoritm values defined in
the GDOI RFC 3547, however the GdoiEncryptionAlgorithm TC
defines all possible values.
Algorithm Type Value
-------------- -----
RESERVED 0
KEK_ALG_DES 1
KEK_ALG_3DES 2
KEK_ALG_AES 3
RESERVED 4-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section 5.3.3. KEK_ALGORITHM"
::= { gdoiKsKekEntry 17 }
gdoiKsKekEncryptKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_KEY_LENGTH which specifies the KEK
Algorithm key length (in bits)."
REFERENCE
"RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH"
::= { gdoiKsKekEntry 18 }
gdoiKsKekSigHashAlg OBJECT-TYPE
SYNTAX GdoiPseudoRandomFunction
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SIG_HASH_ALGORITHM which specifies the SIG
payload hash algorithm. This is not required (i.e. could
have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or
SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a
value of zero or SIG_HASH_SHA1).
Following are the Signature Hash Algorithm values defined in
the GDOI RFC 3547, however the GdoiPseudoRandomFunction TC
defines all possible values.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_HASH_MD5 1
SIG_HASH_SHA1 2
RESERVED 3-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM"
::= { gdoiKsKekEntry 19 }
gdoiKsKekSigAlg OBJECT-TYPE
SYNTAX GdoiSignatureMethod
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SIG_ALGORITHM which specifies the SIG
payload signature algorithm. A GDOI implementation must
support SIG_ALG_RSA.
Following are the Signature Algorithm values defined in
the GDOI RFC 3547, however the GdoiSignatureMethod TC
defines all possible values.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_ALG_RSA 1
SIG_ALG_DSS 2
SIG_ALG_ECDSS 3
RESERVED 4-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.3.7. SIG_ALGORITHM"
::= { gdoiKsKekEntry 20 }
gdoiKsKekSigKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SIG_KEY_LENGTH which specifies the length
of the SIG payload key."
REFERENCE
"RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH"
::= { gdoiKsKekEntry 21 }
gdoiKsKekOakleyGroup OBJECT-TYPE
SYNTAX GdoiDiffieHellmanGroup
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KE_OAKLEY_GROUP which specifies the OAKLEY
or Diffie-Hellman Group used to compute the PFS secret in the
optional KE payload of the GDOI GROUPKEY-PULL exchange."
REFERENCE
"RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP"
::= { gdoiKsKekEntry 22 }
gdoiKsKekOriginalLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_KEY_LIFETIME which specifies the maximum
time for which a KEK is valid. The GCKS may refresh the KEK
at any time before the end of the valid period. The value is
a four (4) octet (32-bit) number defining a valid time period
in seconds."
REFERENCE
"RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
::= { gdoiKsKekEntry 23 }
gdoiKsKekRemainingLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the remaining time for which a KEK is valid.
The value is a four (4) octet (32-bit) number which begins at
the value of gdoiKsKekOriginalLifetime when the KEK is sent
and counts down to zero in seconds. If the lifetime has
already expired, this value should remain at zero (0) until
the Key Server refreshes the KEK."
REFERENCE
"RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
::= { gdoiKsKekEntry 24 }
gdoiKsKekStatus OBJECT-TYPE
SYNTAX GdoiKekStatus
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the KEK Policy/SA. When this status value is
queried, one of the following is returned:
inUse(1), new(2), old(3)."
::= { gdoiKsKekEntry 25 }
-- #-------------------------------------------------------------- --
-- # The GDOI "Group Member (GM) KEK SA" Table
-- #-------------------------------------------------------------- --
gdoiGmKekTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiGmKekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information regarding GDOI Key Encryption Key
(KEK) Security Associations (SAs) currently installed for
GDOI entities acting as Group Members on the network device
being queried. There is one entry in this table for each
KEK SA that has been installed and not yet deleted. Each
KEK SA is uniquely identified by a SPI at any given time."
::= { gdoiSecAssociations 2 }
gdoiGmKekEntry OBJECT-TYPE
SYNTAX GdoiGmKekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the attributes associated with a GDOI KEK
SA, uniquely identified by the Group ID, Group Member (GM)
ID, & SPI value assigned by the GM's registered Key Server to
the KEK. There will be at least one KEK SA entry for each GM
& two KEK SA entries for a given GM only during a KEK rekey
when a new KEK is received & installed. The KEK SPI is
unique for every KEK for a given Group Member."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3.2. Messages
4. GROUPKEY-PUSH Message
5.3. SA KEK Payload
5.3.1. KEK Attributes
5.5. Key Download Payload"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue,
gdoiGmIdType,
gdoiGmIdValue,
gdoiGmKekSPI
}
::= { gdoiGmKekTable 1 }
GdoiGmKekEntry ::= SEQUENCE {
gdoiGmKekSPI GdoiKekSPI,
gdoiGmKekSrcIdType GdoiIdentificationType,
gdoiGmKekSrcIdLength Unsigned32,
gdoiGmKekSrcIdValue GdoiIdentificationValue,
gdoiGmKekSrcIdPort Unsigned16,
gdoiGmKekDstIdType GdoiIdentificationType,
gdoiGmKekDstIdLength Unsigned32,
gdoiGmKekDstIdValue GdoiIdentificationValue,
gdoiGmKekDstIdPort Unsigned16,
gdoiGmKekRekeyIdType GdoiIdentificationType,
gdoiGmKekRekeyIdLength Unsigned32,
gdoiGmKekRekeyIdValue GdoiIdentificationValue,
gdoiGmKekIpProtocol GdoiIpProtocolId,
gdoiGmKekPopAlg GdoiSignatureMethod,
gdoiGmKekPopKeyLength Unsigned32,
gdoiGmKekMgmtAlg GdoiKeyManagementAlgorithm,
gdoiGmKekEncryptAlg GdoiEncryptionAlgorithm,
gdoiGmKekEncryptKeyLength Unsigned32,
gdoiGmKekSigHashAlg GdoiPseudoRandomFunction,
gdoiGmKekSigAlg GdoiSignatureMethod,
gdoiGmKekSigKeyLength Unsigned32,
gdoiGmKekOakleyGroup GdoiDiffieHellmanGroup,
gdoiGmKekOriginalLifetime Unsigned32,
gdoiGmKekRemainingLifetime Unsigned32,
gdoiGmKekStatus GdoiKekStatus
}
gdoiGmKekSPI OBJECT-TYPE
SYNTAX GdoiKekSPI
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of the Security Parameter Index (SPI) of a KEK
SA. The SPI must be the ISAKMP Header cookie pair
where the first 8 octets become the 'Initiator Cookie' field
of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8
octets become the 'Responder Cookie' in the same HDR. As
described above, these cookies are assigned by the GCKS."
::= { gdoiGmKekEntry 1 }
gdoiGmKekSrcIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the source of a KEK SA. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'SRC ID Type' of
the KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGmKekEntry 2 }
gdoiGmKekSrcIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the source ID of
a KEK SA. If no length is given (i.e. it has a value
of 0), the default length of its gdoiGmKekSrcIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'SRC ID Data Len' field sent in the KEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 3 }
gdoiGmKekSrcIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the source of
a KEK SA with its type indicated by the
gdoiGmKekSrcIdType. Use the gdoiGmKekSrcIdType to parse the
KEK Source ID correctly. This ID value is sent as the 'SRC
Identification Data' of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 4 }
gdoiGmKekSrcIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the source ID of
a KEK SA. A value of zero means that the port should
be ignored. This port value is sent as the `SRC ID Port`
field of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 5 }
gdoiGmKekDstIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the dest. of a KEK SA. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'DST ID Type' of
the KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGmKekEntry 6 }
gdoiGmKekDstIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the destination ID of
a KEK SA. If no length is given (i.e. it has a value
of 0), the default length of its gdoiGmKekDstIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'DST ID Data Len' field sent in the KEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 7 }
gdoiGmKekDstIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the destination of
a KEK SA with its type indicated by the
gdoiGmKekDstIdType. Use the gdoiGmKekDstIdType to parse the
KEK Dest. ID correctly. This ID value is sent as the 'DST
Identification Data' of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 8 }
gdoiGmKekDstIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the dest. ID of
a KEK SA. A value of zero means that the port should
be ignored. This port value is sent as the `DST ID Port`
field of a KEK payload."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 9 }
gdoiGmKekRekeyIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the multicast rekey address for this KEK and
associated subsequent KEK(s)/TEK(s). RFC 4306
defines all valid types that can be used as an identifier."
REFERENCE
"RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
::= { gdoiGmKekEntry 10 }
gdoiGmKekRekeyIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the multicast rekey
address for this KEK and associated subsequent KEK(s)/TEK(s).
If no length is given (i.e. it has a value of 0), the default
length of its gdoiGmKekRekeyIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included."
REFERENCE
"RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
::= { gdoiGmKekEntry 11 }
gdoiGmKekRekeyIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the multicast rekey
address of this KEK and associated subsequent KEK(s)/TEK(s).
Use the gdoiGmKekRekeyIdType to parse the multicast rekey
address correctly."
REFERENCE
"RFC 3547 - Sections: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 12 }
gdoiGmKekIpProtocol OBJECT-TYPE
SYNTAX GdoiIpProtocolId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the IP protocol ID (e.g. UDP/TCP) being used
for the rekey datagram."
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 13 }
gdoiGmKekPopAlg OBJECT-TYPE
SYNTAX GdoiSignatureMethod
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Proof of Posession (POP) payload algorithm,
which is an authentication signature method. If no POP
algorithm is defined by the KEK SA, this field must be
zero (0). The POP payload demonstrates that the member or
GCKS has used the very secret that authenticates it.
Following are the POP payload algorithm values defined in the
GDOI RFC 3547, however the GdoiSignatureMethod TC defines all
possible values.
Algorithm Type Value
--------------- -----
RESERVED 0
POP_ALG_RSA 1
POP_ALG_DSS 2
POP_ALG_ECDSS 3
RESERVED 4-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Sections: 3.2. Messages
5.3. SA KEK payload
5.7. Proof of Possession"
::= { gdoiGmKekEntry 14 }
gdoiGmKekPopKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the length of the POP payload key. If no POP
algorithm is defined in the KEK SA, this field must
be zero (0)."
REFERENCE
"RFC 3547 - Section: 5.3. SA KEK payload"
::= { gdoiGmKekEntry 15 }
gdoiGmKekMgmtAlg OBJECT-TYPE
SYNTAX GdoiKeyManagementAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_MANAGEMENT_ALGORITHM which specifies
the group KEK management algorithm used to provide forward
or backward access control (i.e. used to exclude group
members).
KEK Management Type Value
------------------- -----
RESERVED 0
LKH 1
RESERVED 2-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM"
::= { gdoiGmKekEntry 16 }
gdoiGmKekEncryptAlg OBJECT-TYPE
SYNTAX GdoiEncryptionAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_ALGORITHM which specifies the
encryption algorithm used with the KEK SA. A GDOI
implementaiton must support KEK_ALG_3DES.
Following are the KEK encryption algoritm values defined in
the GDOI RFC 3547, however the GdoiEncryptionAlgorithm TC
defines all possible values.
Algorithm Type Value
-------------- -----
RESERVED 0
KEK_ALG_DES 1
KEK_ALG_3DES 2
KEK_ALG_AES 3
RESERVED 4-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section 5.3.3. KEK_ALGORITHM"
::= { gdoiGmKekEntry 17 }
gdoiGmKekEncryptKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_KEY_LENGTH which specifies the KEK
Algorithm key length (in bits)."
REFERENCE
"RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH"
::= { gdoiGmKekEntry 18 }
gdoiGmKekSigHashAlg OBJECT-TYPE
SYNTAX GdoiPseudoRandomFunction
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SIG_HASH_ALGORITHM which specifies the SIG
payload hash algorithm. This is not required (i.e. could
have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or
SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a
value of zero or SIG_HASH_SHA1).
Following are the Signature Hash Algorithm values defined in
the GDOI RFC 3547, however the GdoiPseudoRandomFunction TC
defines all possible values.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_HASH_MD5 1
SIG_HASH_SHA1 2
RESERVED 3-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM"
::= { gdoiGmKekEntry 19 }
gdoiGmKekSigAlg OBJECT-TYPE
SYNTAX GdoiSignatureMethod
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SIG_ALGORITHM which specifies the SIG
payload signature algorithm. A GDOI implementation must
support SIG_ALG_RSA.
Following are the Signature Algorithm values defined in
the GDOI RFC 3547, however the GdoiSignatureMethod TC
defines all possible values.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_ALG_RSA 1
SIG_ALG_DSS 2
SIG_ALG_ECDSS 3
RESERVED 4-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.3.7. SIG_ALGORITHM"
::= { gdoiGmKekEntry 20 }
gdoiGmKekSigKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SIG_KEY_LENGTH which specifies the length
of the SIG payload key."
REFERENCE
"RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH"
::= { gdoiGmKekEntry 21 }
gdoiGmKekOakleyGroup OBJECT-TYPE
SYNTAX GdoiDiffieHellmanGroup
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KE_OAKLEY_GROUP which specifies the OAKLEY
or Diffie-Hellman Group used to compute the PFS secret in the
optional KE payload of the GDOI GROUPKEY-PULL exchange."
REFERENCE
"RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP"
::= { gdoiGmKekEntry 22 }
gdoiGmKekOriginalLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the KEK_KEY_LIFETIME which specifies the maximum
time for which a KEK is valid. The GCKS may refresh the KEK
at any time before the end of the valid period. The value is
a four (4) octet (32-bit) number defining a valid time period
in seconds."
REFERENCE
"RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
::= { gdoiGmKekEntry 23 }
gdoiGmKekRemainingLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the remaining time for which a KEK is valid.
The value is a four (4) octet (32-bit) number which begins at
the value of gdoiGmKekOriginalLifetime and counts down to zero
in seconds. If the lifetime has already expired, this value
should remain at zero (0) until the GCKS refreshes the KEK."
REFERENCE
"RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
::= { gdoiGmKekEntry 24 }
gdoiGmKekStatus OBJECT-TYPE
SYNTAX GdoiKekStatus
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the KEK SA. When this status value is
queried, one of the following is returned:
inUse(1), new(2), old(3)."
::= { gdoiGmKekEntry 25 }
-- #-------------------------------------------------------------- --
-- # The GDOI "Key Server (KS) TEK Policy" Table
-- #-------------------------------------------------------------- --
gdoiKsTekTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiKsTekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information regarding GDOI Traffic Encryption Key
(TEK) Policies currently configured/pushed for GDOI entities
acting as Key Servers on the network device being queried.
There is one entry in this table for each TEK that has been
configured & pushed to Group Members registered to the given
Key Server."
::= { gdoiSecAssociations 3 }
gdoiKsTekEntry OBJECT-TYPE
SYNTAX GdoiKsTekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the attributes associated with a GDOI TEK
Policy, uniquely identified by the Group ID, Key Server ID,
Source/Destination IDs & Ports, and TEK SPI. There will be
one or more TEK entries for each TEK Policy sent by the given
Key Server to its registered Group Members, each with
a unique <SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> 5-tuple.
However, due to the 255-octet constraint placed on an OID,
the <SRC-ID, SRC-PORT, DST-ID, DST-PORT> 4-tuple cannot be
used to INDEX a TEK entry for a given Group ID & Key Server
ID. Therefore, the TEK SPI for a given Group ID & Key
Server ID MUST be unique unless another indexing scheme is
used."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3.2. Messages
4. GROUPKEY-PUSH Message
5.4. SA TEK Payload"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue,
gdoiKeyServerIdType,
gdoiKeyServerIdValue,
gdoiKsTekSPI
}
::= { gdoiKsTekTable 1 }
GdoiKsTekEntry ::= SEQUENCE {
gdoiKsTekSPI GdoiTekSPI,
gdoiKsTekSrcIdType GdoiIdentificationType,
gdoiKsTekSrcIdLength Unsigned32,
gdoiKsTekSrcIdValue GdoiIdentificationValue,
gdoiKsTekSrcIdPort Unsigned16,
gdoiKsTekDstIdType GdoiIdentificationType,
gdoiKsTekDstIdLength Unsigned32,
gdoiKsTekDstIdValue GdoiIdentificationValue,
gdoiKsTekDstIdPort Unsigned16,
gdoiKsTekSecurityProtocol GdoiSecurityProtocol,
gdoiKsTekEncapsulationMode GdoiEncapsulationMode,
gdoiKsTekEncryptionAlgorithm GdoiEncryptionAlgorithm,
gdoiKsTekEncryptionKeyLength Unsigned32,
gdoiKsTekIntegrityAlgorithm GdoiIntegrityAlgorithm,
gdoiKsTekIntegrityKeyLength Unsigned32,
gdoiKsTekWindowSize Unsigned32,
gdoiKsTekOriginalLifetime Unsigned32,
gdoiKsTekRemainingLifetime Unsigned32,
gdoiKsTekStatus GdoiTekStatus
}
gdoiKsTekSPI OBJECT-TYPE
SYNTAX GdoiTekSPI
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of the Security Parameter Index (SPI) of a TEK
Policy. The SPI must be the SPI for ESP."
REFERENCE
"RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 1 }
gdoiKsTekSrcIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the source of a TEK Policy. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'SRC ID Type' of
the TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiKsTekEntry 2 }
gdoiKsTekSrcIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the source ID of
a TEK Policy. If no length is given (i.e. it has a value
of 0), the default length of its gdoiKsTekSrcIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'SRC ID Data Len' field sent in the TEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 3 }
gdoiKsTekSrcIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the source of
a TEK Policy with its type indicated by the
gdoiKsTekSrcIdType. Use the gdoiKsTekSrcIdType to parse the
TEK Source ID correctly. This ID value is sent as the 'SRC
Identification Data' of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 4 }
gdoiKsTekSrcIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the source ID of
a TEK Policy. A value of zero means that the port should
be ignored. This port value is sent as the `SRC ID Port`
field of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 5 }
gdoiKsTekDstIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the dest. of a TEK Policy. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'DST ID Type' of
the TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiKsTekEntry 6 }
gdoiKsTekDstIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the destination ID of
a TEK Policy. If no length is given (i.e. it has a value
of 0), the default length of its gdoiKsTekDstIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'DST ID Data Len' field sent in the TEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 7 }
gdoiKsTekDstIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the destination of
a TEK Policy with its type indicated by the
gdoiKsTekDstIdType. Use the gdoiKsTekDstIdType to parse the
TEK Dest. ID correctly. This ID value is sent as the 'DST
Identification Data' of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 8 }
gdoiKsTekDstIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the dest. ID of
a TEK Policy. A value of zero means that the port should
be ignored. This port value is sent as the `DST ID Port`
field of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 9 }
gdoiKsTekSecurityProtocol OBJECT-TYPE
SYNTAX GdoiSecurityProtocol
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Protocol-ID field of a SA TEK (SAT) payload
which specifies the Security Protocol for a TEK.
Following are the Security Protocol values defined in
the GDOI RFC 3547, however the GdoiSecurityProtocol TC
defines all possible values.
Protocol ID Value
---------------------- -----
RESERVED 0
GDOI_PROTO_IPSEC_ESP 1
RESERVED 2-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.4. SA TEK Payload"
::= { gdoiKsTekEntry 10 }
gdoiKsTekEncapsulationMode OBJECT-TYPE
SYNTAX GdoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Encapsulation Mode of a TEK (IPsec SA).
Following are the Encapsulation Mode values defined in
RFC 2407, however the GdoiEncapsulationMode TC defines all
possible values.
Encapsulation Mode Value
------------------ -----
RESERVED 0
Tunnel 1
Transport 2"
REFERENCE
"RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 11 }
gdoiKsTekEncryptionAlgorithm OBJECT-TYPE
SYNTAX GdoiEncryptionAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Transform ID field of a PROTO_IPSEC_ESP
payload which specifies the ESP transform to be used. If
no encryption is used, this value will be zero (0).
Following are the ESP Transform values defined in RFC 2407,
however the GdoiEncryptionAlgorithm TC defines all possible
values.
IPsec ESP Transform ID Value
------------------------ -----
RESERVED 0
ESP_DES_IV64 1
ESP_DES 2
ESP_3DES 3
ESP_RC5 4
ESP_IDEA 5
ESP_CAST 6
ESP_BLOWFISH 7
ESP_3IDEA 8
ESP_DES_IV32 9
ESP_RC4 10
ESP_NULL 11"
REFERENCE
"RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 12 }
gdoiKsTekEncryptionKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the key used for encryption in a TEK
(in bits)."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 13 }
gdoiKsTekIntegrityAlgorithm OBJECT-TYPE
SYNTAX GdoiIntegrityAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Authentication Algorithm for a TEK IPsec
ESP SA. If no authentication is used, this value will be
zero (0).
Following are the Authentication Algorithm values defined in
RFC 2407, however the GdoiEncryptionAlgorithm TC defines all
possible values.
Algorithm Type Value
-------------- -----
HMAC-MD5 1
HMAC-SHA 2
DES-MAC 3
KPDK 4"
REFERENCE
"RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 14 }
gdoiKsTekIntegrityKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the key used for integrity/authentication in a
TEK (in bits)."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 15 }
gdoiKsTekWindowSize OBJECT-TYPE
SYNTAX Unsigned32
UNITS "GROUPKEY-PUSH Messages"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The size of the Time Based Anti-Replay (TBAR) window used by
this TEK Policy."
REFERENCE
"RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS
RFC 3547 - Section: 6.3.4. Replay/Reflection Attack
Protection"
::= { gdoiKsTekEntry 16 }
gdoiKsTekOriginalLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SA Life Type defined in RFC 2407 which
specifies the maximum time for which a TEK IPsec SA is valid.
The GCKS may refresh the TEK at any time before the end of
the valid period. The value is a four (4) octet (32-bit)
number defining a valid time period in seconds."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 17 }
gdoiKsTekRemainingLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the remaining time for which a TEK is valid.
The value is a four (4) octet (32-bit) number which begins at
the value of gdoiKsTekOriginalLifetime when the TEK is sent
and counts down to zero in seconds. If the lifetime has
already expired, this value should remain at zero (0) until
the Key Server refreshes the TEK."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiKsTekEntry 18 }
gdoiKsTekStatus OBJECT-TYPE
SYNTAX GdoiTekStatus
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the TEK Policy. When this status value is
queried, one of the following is returned:
inbound(1), outbound(2), notInUse(3)."
::= { gdoiKsTekEntry 19 }
-- #-------------------------------------------------------------- --
-- # The GDOI "Group Member (GM) TEK SA" Table
-- #-------------------------------------------------------------- --
gdoiGmTekTable OBJECT-TYPE
SYNTAX SEQUENCE OF GdoiGmTekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of information regarding GDOI Traffic Encryption Key
(TEK) Security Associations (SAs/Policies) received by a
Key Server & installed for GDOI entities acting as Group
Members (GMs) on the network device being queried. There is
one entry in this table for each TEK SA that has been
installed or TEK SA/Policy that exists and has not yet been
installed/deleted."
::= { gdoiSecAssociations 4 }
gdoiGmTekEntry OBJECT-TYPE
SYNTAX GdoiGmTekEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the attributes associated with a GDOI TEK
Policy/SA, uniquely identified by the Group ID, Group Member
ID, Source/Destination IDs & Ports, and TEK SPI. There will
be one or more TEK entries for each TEK Policy/SA received
and installed by the given Group Member from its registered
Key Server, each with a unique
<SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> 5-tuple.
However, due to the 255-octet constraint placed on an OID,
the <SRC-ID, SRC-PORT, DST-ID, DST-PORT> 4-tuple cannot be
used to INDEX a TEK entry for a given Group ID & Group
Member ID. Therefore, the TEK SPI for a given Group ID &
Group Member ID MUST be unique unless another indexing
scheme is used."
REFERENCE
"RFC 3547 - Sections: 1. Introduction
3.2. Messages
4. GROUPKEY-PUSH Message
5.4. SA TEK Payload"
INDEX {
gdoiGroupIdType,
gdoiGroupIdValue,
gdoiGmIdType,
gdoiGmIdValue,
gdoiGmTekSPI
}
::= { gdoiGmTekTable 1 }
GdoiGmTekEntry ::= SEQUENCE {
gdoiGmTekSPI GdoiTekSPI,
gdoiGmTekSrcIdType GdoiIdentificationType,
gdoiGmTekSrcIdLength Unsigned32,
gdoiGmTekSrcIdValue GdoiIdentificationValue,
gdoiGmTekSrcIdPort Unsigned16,
gdoiGmTekDstIdType GdoiIdentificationType,
gdoiGmTekDstIdLength Unsigned32,
gdoiGmTekDstIdValue GdoiIdentificationValue,
gdoiGmTekDstIdPort Unsigned16,
gdoiGmTekSecurityProtocol GdoiSecurityProtocol,
gdoiGmTekEncapsulationMode GdoiEncapsulationMode,
gdoiGmTekEncryptionAlgorithm GdoiEncryptionAlgorithm,
gdoiGmTekEncryptionKeyLength Unsigned32,
gdoiGmTekIntegrityAlgorithm GdoiIntegrityAlgorithm,
gdoiGmTekIntegrityKeyLength Unsigned32,
gdoiGmTekWindowSize Unsigned32,
gdoiGmTekOriginalLifetime Unsigned32,
gdoiGmTekRemainingLifetime Unsigned32,
gdoiGmTekStatus GdoiTekStatus
}
gdoiGmTekSPI OBJECT-TYPE
SYNTAX GdoiTekSPI
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The value of the Security Parameter Index (SPI) of a TEK
Policy/SA. The SPI must be the SPI for ESP."
REFERENCE
"RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 1 }
gdoiGmTekSrcIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the source of a TEK Policy/SA. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'SRC ID Type' of
the TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGmTekEntry 2 }
gdoiGmTekSrcIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the source ID of
a TEK Policy/SA. If no length is given (i.e. it has a value
of 0), the default length of its gdoiGmTekSrcIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'SRC ID Data Len' field sent in the TEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 3 }
gdoiGmTekSrcIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the source of
a TEK Policy/SA with its type indicated by the
gdoiGmTekSrcIdType. Use the gdoiGmTekSrcIdType to parse the
TEK Source ID correctly. This ID value is sent as the 'SRC
Identification Data' of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 4 }
gdoiGmTekSrcIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the source ID of
a TEK Policy/SA. A value of zero means that the port should
be ignored. This port value is sent as the `SRC ID Port`
field of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 5 }
gdoiGmTekDstIdType OBJECT-TYPE
SYNTAX GdoiIdentificationType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Identification Type Value used to parse the identity
information for the dest. of a TEK Policy/SA. RFC 4306
defines all valid types that can be used as an identifier.
This identification type is sent as the 'DST ID Type' of
the TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
RFC 4306 - Section: 3.5. Identification Payloads"
::= { gdoiGmTekEntry 6 }
gdoiGmTekDstIdLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length (i.e. number of octets) of the destination ID of
a TEK Policy/SA. If no length is given (i.e. it has a value
of 0), the default length of its gdoiGmTekDstIdType should be
used as long as it is not reprsented by an ASCII string. If
the value has a type that is represented by an ASCII string,
a length MUST be included. If the length given is not 0, it
should match the 'DST ID Data Len' field sent in the TEK
payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 7 }
gdoiGmTekDstIdValue OBJECT-TYPE
SYNTAX GdoiIdentificationValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the identity information for the destination of
a TEK Policy/SA with its type indicated by the
gdoiGmTekDstIdType. Use the gdoiGmTekDstIdType to parse the
TEK Dest. ID correctly. This ID value is sent as the 'DST
Identification Data' of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 8 }
gdoiGmTekDstIdPort OBJECT-TYPE
SYNTAX Unsigned16
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value specifying a port associated with the dest. ID of
a TEK Policy/SA. A value of zero means that the port should
be ignored. This port value is sent as the `DST ID Port`
field of a TEK payload."
REFERENCE
"RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 9 }
gdoiGmTekSecurityProtocol OBJECT-TYPE
SYNTAX GdoiSecurityProtocol
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Protocol-ID field of a SA TEK (SAT) payload
which specifies the Security Protocol for a TEK.
Following are the Security Protocol values defined in
the GDOI RFC 3547, however the GdoiSecurityProtocol TC
defines all possible values.
Protocol ID Value
---------------------- -----
RESERVED 0
GDOI_PROTO_IPSEC_ESP 1
RESERVED 2-127
Private Use 128-255"
REFERENCE
"RFC 3547 - Section: 5.4. SA TEK Payload"
::= { gdoiGmTekEntry 10 }
gdoiGmTekEncapsulationMode OBJECT-TYPE
SYNTAX GdoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Encapsulation Mode of a TEK (IPsec SA).
Following are the Encapsulation Mode values defined in
RFC 2407, however the GdoiEncapsulationMode TC defines all
possible values.
Encapsulation Mode Value
------------------ -----
RESERVED 0
Tunnel 1
Transport 2"
REFERENCE
"RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 11 }
gdoiGmTekEncryptionAlgorithm OBJECT-TYPE
SYNTAX GdoiEncryptionAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Transform ID field of a PROTO_IPSEC_ESP
payload which specifies the ESP transform to be used. If
no encryption is used, this value will be zero (0).
Following are the ESP Transform values defined in RFC 2407,
however the GdoiEncryptionAlgorithm TC defines all possible
values.
IPsec ESP Transform ID Value
------------------------ -----
RESERVED 0
ESP_DES_IV64 1
ESP_DES 2
ESP_3DES 3
ESP_RC5 4
ESP_IDEA 5
ESP_CAST 6
ESP_BLOWFISH 7
ESP_3IDEA 8
ESP_DES_IV32 9
ESP_RC4 10
ESP_NULL 11"
REFERENCE
"RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 12 }
gdoiGmTekEncryptionKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the key used for encryption in a TEK
(in bits)."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 13 }
gdoiGmTekIntegrityAlgorithm OBJECT-TYPE
SYNTAX GdoiIntegrityAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the Authentication Algorithm for a TEK IPsec
ESP SA. If no authentication is used, this value will be
zero (0).
Following are the Authentication Algorithm values defined in
RFC 2407, however the GdoiEncryptionAlgorithm TC defines all
possible values.
Algorithm Type Value
-------------- -----
HMAC-MD5 1
HMAC-SHA 2
DES-MAC 3
KPDK 4"
REFERENCE
"RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 14 }
gdoiGmTekIntegrityKeyLength OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the key used for integrity/authentication in a
TEK (in bits)."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 15 }
gdoiGmTekWindowSize OBJECT-TYPE
SYNTAX Unsigned32
UNITS "GROUPKEY-PUSH Messages"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The size of the Time Based Anti-Replay (TBAR) window used by
this TEK Policy/SA."
REFERENCE
"RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS
RFC 3547 - Section: 6.3.4. Replay/Reflection Attack
Protection"
::= { gdoiGmTekEntry 16 }
gdoiGmTekOriginalLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SA Life Type defined in RFC 2407 which
specifies the maximum time for which a TEK IPsec SA is valid.
The GCKS may refresh the TEK at any time before the end of
the valid period. The value is a four (4) octet (32-bit)
number defining a valid time period in seconds."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 17 }
gdoiGmTekRemainingLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "Seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the remaining time for which a TEK is valid.
The value is a four (4) octet (32-bit) number which begins at
the value of gdoiGmTekOriginalLifetime and counts down to zero
in seconds. If the lifetime has already expired, this value
should remain at zero (0) until the GCKS refreshes the TEK."
REFERENCE
"RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes
RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
::= { gdoiGmTekEntry 18 }
gdoiGmTekStatus OBJECT-TYPE
SYNTAX GdoiTekStatus
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the TEK Policy/SA. When this status value is
queried, one of the following is returned:
inbound(1), outbound(2), notInUse(3)."
::= { gdoiGmTekEntry 19 }
-- ------------------------------------------------------------------ --
-- GDOI MIB Conformance & Compliance Information
-- ------------------------------------------------------------------ --
--
-- *---------------------------------------------------------------- --
-- * GDOI MIB Conformance Information
-- *---------------------------------------------------------------- --
gdoiMIBGroups OBJECT IDENTIFIER ::= { gdoiMIBConformance 1 }
gdoiMIBCompliances OBJECT IDENTIFIER ::= { gdoiMIBConformance 2 }
-- #-------------------------------------------------------------- --
-- # GDOI MIB Units/Groups of Conformance
-- #-------------------------------------------------------------- --
gdoiGroupIdGroup OBJECT-GROUP
OBJECTS {
gdoiGroupIdLength,
gdoiGroupName
}
STATUS current
DESCRIPTION
"This group consists of:
1) GDOI Group Table"
::= { gdoiMIBGroups 1 }
gdoiKeyServerGroup OBJECT-GROUP
OBJECTS {
gdoiKeyServerIdLength,
gdoiKeyServerActiveKEK,
gdoiKeyServerRekeysPushed
}
STATUS current
DESCRIPTION
"This group consists of:
1) GDOI Key Server Table"
::= { gdoiMIBGroups 2 }
gdoiGmGroup OBJECT-GROUP
OBJECTS {
gdoiGmIdLength,
gdoiGmRegKeyServerIdType,
gdoiGmRegKeyServerIdLength,
gdoiGmRegKeyServerIdValue,
gdoiGmActiveKEK,
gdoiGmRekeysReceived
}
STATUS current
DESCRIPTION
"This group consists of:
1) GDOI GM Table"
::= { gdoiMIBGroups 3 }
gdoiKsSecurityAssociationsGroup OBJECT-GROUP
OBJECTS {
gdoiKsKekSrcIdType,
gdoiKsKekSrcIdLength,
gdoiKsKekSrcIdValue,
gdoiKsKekSrcIdPort,
gdoiKsKekDstIdType,
gdoiKsKekDstIdLength,
gdoiKsKekDstIdValue,
gdoiKsKekDstIdPort,
gdoiKsKekRekeyIdType,
gdoiKsKekRekeyIdLength,
gdoiKsKekRekeyIdValue,
gdoiKsKekIpProtocol,
gdoiKsKekPopAlg,
gdoiKsKekPopKeyLength,
gdoiKsKekMgmtAlg,
gdoiKsKekEncryptAlg,
gdoiKsKekEncryptKeyLength,
gdoiKsKekSigHashAlg,
gdoiKsKekSigAlg,
gdoiKsKekSigKeyLength,
gdoiKsKekOakleyGroup,
gdoiKsKekOriginalLifetime,
gdoiKsKekRemainingLifetime,
gdoiKsKekStatus,
gdoiKsTekSrcIdType,
gdoiKsTekSrcIdLength,
gdoiKsTekSrcIdValue,
gdoiKsTekSrcIdPort,
gdoiKsTekDstIdType,
gdoiKsTekDstIdLength,
gdoiKsTekDstIdValue,
gdoiKsTekDstIdPort,
gdoiKsTekSecurityProtocol,
gdoiKsTekEncapsulationMode,
gdoiKsTekEncryptionAlgorithm,
gdoiKsTekEncryptionKeyLength,
gdoiKsTekIntegrityAlgorithm,
gdoiKsTekIntegrityKeyLength,
gdoiKsTekWindowSize,
gdoiKsTekOriginalLifetime,
gdoiKsTekRemainingLifetime,
gdoiKsTekStatus
}
STATUS current
DESCRIPTION
"This group consists of:
1) GDOI Key Server KEK Policy/SA Table
2) GDOI Key Server TEK Policy Table"
::= { gdoiMIBGroups 4 }
gdoiGmSecurityAssociationsGroup OBJECT-GROUP
OBJECTS {
gdoiGmKekSrcIdType,
gdoiGmKekSrcIdLength,
gdoiGmKekSrcIdValue,
gdoiGmKekSrcIdPort,
gdoiGmKekDstIdType,
gdoiGmKekDstIdLength,
gdoiGmKekDstIdValue,
gdoiGmKekDstIdPort,
gdoiGmKekRekeyIdType,
gdoiGmKekRekeyIdLength,
gdoiGmKekRekeyIdValue,
gdoiGmKekIpProtocol,
gdoiGmKekPopAlg,
gdoiGmKekPopKeyLength,
gdoiGmKekMgmtAlg,
gdoiGmKekEncryptAlg,
gdoiGmKekEncryptKeyLength,
gdoiGmKekSigHashAlg,
gdoiGmKekSigAlg,
gdoiGmKekSigKeyLength,
gdoiGmKekOakleyGroup,
gdoiGmKekOriginalLifetime,
gdoiGmKekRemainingLifetime,
gdoiGmKekStatus,
gdoiGmTekSrcIdType,
gdoiGmTekSrcIdLength,
gdoiGmTekSrcIdValue,
gdoiGmTekSrcIdPort,
gdoiGmTekDstIdType,
gdoiGmTekDstIdLength,
gdoiGmTekDstIdValue,
gdoiGmTekDstIdPort,
gdoiGmTekSecurityProtocol,
gdoiGmTekEncapsulationMode,
gdoiGmTekEncryptionAlgorithm,
gdoiGmTekEncryptionKeyLength,
gdoiGmTekIntegrityAlgorithm,
gdoiGmTekIntegrityKeyLength,
gdoiGmTekWindowSize,
gdoiGmTekOriginalLifetime,
gdoiGmTekRemainingLifetime,
gdoiGmTekStatus
}
STATUS current
DESCRIPTION
"This group consists of:
1) GDOI Group Member KEK Policy/SA Table
2) GDOI Group Member TEK Policy/SA Table"
::= { gdoiMIBGroups 5 }
gdoiKeyServerNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
gdoiKeyServerNewRegistration,
gdoiKeyServerRegistrationComplete,
gdoiKeyServerRekeyPushed
}
STATUS current
DESCRIPTION
"This group contains the Key Server (GCKS) notifications
for the GDOI MIB."
::= { gdoiMIBGroups 6 }
gdoiKeyServerErrorNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
gdoiKeyServerNoRsaKeys
}
STATUS current
DESCRIPTION
"This group contains the Key Server (GCKS) error notifications
for the GDOI MIB."
::= { gdoiMIBGroups 7 }
gdoiGmNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
gdoiGmRegister,
gdoiGmRegistrationComplete,
gdoiGmReRegister,
gdoiGmRekeyReceived
}
STATUS current
DESCRIPTION
"This group contains the Group Member (GM) notifications
for the GDOI MIB."
::= { gdoiMIBGroups 8 }
gdoiGmErrorNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
gdoiGmIncompleteCfg,
gdoiGmNoIpSecFlows,
gdoiGmRekeyFailure
}
STATUS current
DESCRIPTION
"This group contains the Group Member (GM) error notifications
for the GDOI MIB."
::= { gdoiMIBGroups 9 }
-- #-------------------------------------------------------------- --
-- # GDOI MIB Compliance Statements
-- #-------------------------------------------------------------- --
gdoiMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"At minimum, only GDOI Group Member functionality is required
so only objects associated with and needed by Group Members
are mandatory to implement. If Key Server functionality is
also implemented, all other objects will need to be
implemented as well."
MODULE -- this module
MANDATORY-GROUPS {
gdoiGroupIdGroup,
gdoiGmSecurityAssociationsGroup,
gdoiGmGroup
}
GROUP gdoiKeyServerGroup
DESCRIPTION
"Implementation of this group is for any network device
that supports being the Group Controller Key Server (GCKS)."
GROUP gdoiKsSecurityAssociationsGroup
DESCRIPTION
"Implementation of this group is for any network device
that supports being the Group Controller Key Server (GCKS)."
GROUP gdoiKeyServerNotificationGroup
DESCRIPTION
"Implementation of this group is for any network device
that supports the sending of notifications & being the GCKS."
GROUP gdoiKeyServerErrorNotificationGroup
DESCRIPTION
"Implementation of this group is for any network device
that supports the sending of notifications & being the GCKS."
GROUP gdoiGmNotificationGroup
DESCRIPTION
"Implementation of this group is for any network device
that supports the sending of notifications."
GROUP gdoiGmErrorNotificationGroup
DESCRIPTION
"Implementation of this group is for any network device
that supports the sending of notifications."
::= { gdoiMIBCompliances 1 }
END
| TOC |
There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations.
Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. The GDOI MIB deals with a security protocol and is not a general MIB, all information reported by any of the GDOI MIB queries should be considered sensitive. However, the most sensitive information dealing directly with security associations and algorithms are:
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410] (Case, J., Mundy, R., Partain, D., and B. Stewart, “Introduction and Applicability Statements for Internet-Standard Management Framework,” December 2002.), section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
| TOC |
IANA is requested to assign OID (marked xxx) under mib-2 for GDOI-STD-MIB.
| TOC |
| TOC |
| TOC |
| TOC |
| [RFC3410] | Case, J., Mundy, R., Partain, D., and B. Stewart, “Introduction and Applicability Statements for Internet-Standard Management Framework,” RFC 3410, December 2002 (TXT). |
| [RFC2629] | Rose, M., “Writing I-Ds and RFCs using XML,” RFC 2629, June 1999 (TXT, HTML, XML). |
| [RFC4181] | Heard, C., “Guidelines for Authors and Reviewers of MIB Documents,” BCP 111, RFC 4181, September 2005 (TXT). |
| TOC |
| Tanya Roosa (editor) | |
| Cisco Systems | |
| 510 McCarthy Blvd. | |
| Milpitas | |
| USA | |
| Phone: | 510-220-0047 |
| EMail: | roosta@cisco.com |
| Sheela Rowles | |
| Cisco Systems | |
| 510 McCarthy Blvd | |
| Milpitas, CA | |
| USA | |
| Phone: | 408-527-7677 |
| Fax: | |
| EMail: | sheela@cisco.com |
| URI: | |
| Mike Hamada | |
| Cisco Systems | |
| 510 McCarthy Blvd | |
| Milpitas, CA | |
| USA | |
| Phone: | 408-525-7473 |
| Fax: | |
| EMail: | michamad@cisco.com |
| URI: | |
| Kavitha Kamarthy (editor) | |
| Cisco Systems | |
| 510 McCarthy Blvd | |
| Milpitas, CA | |
| USA | |
| Phone: | 408-525-1209 |
| Fax: | |
| EMail: | kavithac@cisco.com |
| URI: | |
| Preethi Sundaradevan | |
| Cisco Systems | |
| 510 McCarthy Blvd | |
| Milpitas, CA | |
| USA | |
| Phone: | 408-424-4713 |
| Fax: | |
| EMail: | prsundar@cisco.com |
| URI: |