IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
    Unsigned32, mib-2 FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, RowStatus, TruthValue,
    TimeStamp, StorageType, VariablePointer
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
    diffServMIBMultiFieldClfrGroup, IfDirection,
    diffServMultiFieldClfrNextFree
    InetAddressType, InetAddress
    SnmpAdminString FROM SNMP-FRAMEWORK-MIB

spdMIB MODULE-IDENTITY
    LAST-UPDATED "200702070000Z" -- 7 February 2007
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
        Phone: +1 530 902 3131
        Email: baerm@tislabs.com
        Email: rcharlet@alumni.calpoly.edu
        Phone: +1 530 792 1913
        Email: hardaker@tislabs.com
        Phone: +1 770 617 3722
        Email: rstory@ipsp.revelstone.com
        E-Mail: cliffwangmail@yahoo.com"
        "This MIB module defines configuration objects for managing
        IPsec Security Policies. In general, this MIB can be
        implemented anywhere IPsec security services exist (e.g.,
        bump-in-the-wire, host, gateway, firewall, router, etc.).
        Copyright (C) The IETF Trust (2007). This version of
        this MIB module is part of RFC 4807; see the RFC itself for
    REVISION "200702070000Z" -- 7 February 2007
    DESCRIPTION "Initial version, published as RFC 4807."

-- groups of related objects
spdConfigObjects OBJECT IDENTIFIER
spdNotificationObjects OBJECT IDENTIFIER
spdConformanceObjects OBJECT IDENTIFIER
spdActions OBJECT IDENTIFIER

-- Textual Conventions
SpdBooleanOperator ::= TEXTUAL-CONVENTION
        "The SpdBooleanOperator operator is used to specify
        whether sub-components in a decision-making process are
        ANDed or ORed together to decide if the resulting
        expression is true or false."
    SYNTAX INTEGER { or(1), and(2) }

SpdAdminStatus ::= TEXTUAL-CONVENTION
        "The SpdAdminStatus is used to specify the administrative
        status of an object. Objects that are disabled MUST NOT
        be used by the packet processing engine."
    SYNTAX INTEGER { enabled(1), disabled(2) }

SpdIPPacketLogging ::= TEXTUAL-CONVENTION
        "SpdIPPacketLogging specifies whether an audit message
        SHOULD be logged if a packet is passed through a Security
        Association (SA) and if some of that packet is included in
        the log event. A value of '-1' indicates no logging. A
        value of '0' or greater indicates that logging SHOULD be
        done and indicates the number of bytes starting at the
        beginning of the packet to place in the log. Values greater
        than the size of the packet being processed indicate that
        the entire packet SHOULD be sent.
            '0' log but do not include any of the packet in the log
            '20' log and include the first 20 bytes of the packet
    SYNTAX Integer32 (-1..65535)

SpdTimePeriod ::= TEXTUAL-CONVENTION
        "This property identifies an overall range of calendar dates
        and time. In a boolean context, a value within this time
        range, inclusive, is considered true.
        This information is encoded as an octet string using
        the UTF-8 transformation format described in STD 63,
        It uses the format suggested in RFC 3060. An octet string
        represents a start date and time and an end date and time.
            yyyymmddThhmmss/yyyymmddThhmmss
        Where: yyyy = year mm = month dd = day
               hh = hour mm = minute ss = second
        The first 'yyyymmddThhmmss' sub-string indicates the start
        date and time. The second 'yyyymmddThhmmss' sub-string
        indicates the end date and time. The character 'T' within
        these sub-strings indicates the beginning of the time
        portion of each sub-string. The solidus character '/'
        separates the start from the end date and time. The end
        date and time MUST be subsequent to the start date and
        There are also two allowed substitutes for a
        'yyyymmddThhmmss' sub-string: one for the start date and
        time, and one for the end date and time.
        If the start date and time are replaced with the string
        'THISANDPRIOR', this sub-string would indicate the current
        date and time and the previous dates and time.
        If the end date and time are replaced with the string
        'THISANDFUTURE', this sub-string would indicate the current
        date and time and the subsequent dates and time.
        Any of the following SHOULD be considered a
        - Setting a value with the end date and time earlier than
          or equal to the start date and time.
        - Setting the start date and time to 'THISANDFUTURE'.
        - Setting the end date and time to 'THISANDPRIOR'."
    REFERENCE "RFC 3060, 3269"
    SYNTAX OCTET STRING (SIZE (0..31))
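
A validator for the SpdTimePeriod encoding described above, as an added example that is not part of the RFC 4807 module. It assumes that 'THISANDPRIOR' and 'THISANDFUTURE' act as open bounds, that times are compared as naive values, and that the empty string (allowed by the SIZE clause but given no meaning in this listing) is rejected.

```python
from datetime import datetime

_FMT = "%Y%m%dT%H%M%S"
OPEN_START = "THISANDPRIOR"    # only allowed in place of the start sub-string
OPEN_END = "THISANDFUTURE"     # only allowed in place of the end sub-string


def _parse_point(text):
    """Parse one 'yyyymmddThhmmss' sub-string strictly."""
    # strptime alone tolerates short fields, so pin the length and the 'T'.
    if len(text) != 15 or text[8] != "T":
        raise ValueError(f"bad date-time sub-string: {text!r}")
    digits = text[:8] + text[9:]
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"non-digit in date-time sub-string: {text!r}")
    return datetime.strptime(text, _FMT)   # rejects month 13, hour 25, ...


def parse_time_period(value: bytes):
    """Return (start, end); None marks an open bound."""
    if len(value) > 31:
        raise ValueError("longer than SIZE (0..31)")
    text = value.decode("utf-8")           # UnicodeDecodeError is a ValueError
    if text.count("/") != 1:
        raise ValueError("expected exactly one '/' separator")
    start_s, end_s = text.split("/")
    if start_s == OPEN_END:
        raise ValueError("start must not be THISANDFUTURE")
    if end_s == OPEN_START:
        raise ValueError("end must not be THISANDPRIOR")
    start = None if start_s == OPEN_START else _parse_point(start_s)
    end = None if end_s == OPEN_END else _parse_point(end_s)
    if start is not None and end is not None and end <= start:
        raise ValueError("end is earlier than or equal to start")
    return start, end


def is_valid_time_period(value: bytes) -> bool:
    """True if an agent following the rules above would accept the value."""
    try:
        parse_time_period(value)
        return True
    except ValueError:
        return False


def in_period(value: bytes, now: datetime) -> bool:
    """Boolean-context evaluation: inside the range, bounds inclusive."""
    start, end = parse_time_period(value)
    return (start is None or start <= now) and (end is None or now <= end)
```
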

-- Policy group definitions
spdLocalConfigObjects OBJECT IDENTIFIER
    ::= { spdConfigObjects 1 }

spdIngressPolicyGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-write
        "This object indicates the global system policy group that
        is to be applied on ingress packets (i.e., arriving at an
        interface from a network) when a given endpoint does not
        contain a policy definition in the spdEndpointToGroupTable.
        Its value can be used as an index into the
        spdGroupContentsTable to retrieve a list of policies. A
        zero length string indicates that no system-wide policy exists
        and the default policy of 'drop' SHOULD be executed for
        ingress packets until one is imposed by either this object
        or by the endpoint processing a given packet.
        This object MUST be persistent"
    ::= { spdLocalConfigObjects 1 }

spdEgressPolicyGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-write
        "This object indicates the policy group containing the
        global system policy that is to be applied on egress
        packets (i.e., packets leaving an interface and entering a
        network) when a given endpoint does not contain a policy
        definition in the spdEndpointToGroupTable. Its value can
        be used as an index into the spdGroupContentsTable to
        retrieve a list of policies. A zero length string
        indicates that no system-wide policy exists and the default
        policy of 'drop' SHOULD be executed for egress packets
        until one is imposed by either this object or by the
        endpoint processing a given packet.
        This object MUST be persistent"
    ::= { spdLocalConfigObjects 2 }

spdEndpointToGroupTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
    MAX-ACCESS not-accessible
        "This table maps policies (groupings) onto an endpoint
        (interface). A policy group assigned to an endpoint is then
        used to control access to the network traffic passing
        through that endpoint.
        If an endpoint has been configured with a policy group and
        no rule within that policy group matches that packet, the
        default action in this case SHALL be to drop the packet.
        If no policy group has been assigned to an endpoint, then
        the policy group specified by spdIngressPolicyGroupName MUST
        be used on traffic inbound from the network through that
        endpoint, and the policy group specified by
        spdEgressPolicyGroupName MUST be used for traffic outbound
        to the network through that endpoint."
    ::= { spdConfigObjects 2 }

spdEndpointToGroupEntry OBJECT-TYPE
    SYNTAX SpdEndpointToGroupEntry
    MAX-ACCESS not-accessible
        "A mapping assigning a policy group to an endpoint."
    INDEX { spdEndGroupDirection, spdEndGroupInterface }
    ::= { spdEndpointToGroupTable 1 }

SpdEndpointToGroupEntry ::= SEQUENCE {
    spdEndGroupDirection IfDirection,
    spdEndGroupInterface InterfaceIndex,
    spdEndGroupName SnmpAdminString,
    spdEndGroupLastChanged TimeStamp,
    spdEndGroupStorageType StorageType,
    spdEndGroupRowStatus RowStatus

spdEndGroupDirection OBJECT-TYPE
    MAX-ACCESS not-accessible
        "This object indicates which direction of packets crossing
        the interface are associated with which spdEndGroupName
        object. Ingress packets, or packets into the device match
        when this value is inbound(1). Egress packets or packets
        out of the device match when this value is outbound(2)."
    ::= { spdEndpointToGroupEntry 1 }

spdEndGroupInterface OBJECT-TYPE
    SYNTAX InterfaceIndex
    MAX-ACCESS not-accessible
        "This value matches the IF-MIB's ifTable's ifIndex column
        and indicates the interface associated with a given
        endpoint. This object can be used to uniquely identify an
        endpoint that a set of policy groups are applied to."
    ::= { spdEndpointToGroupEntry 2 }

spdEndGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
        "The policy group name to apply at this endpoint. The
        value of the spdEndGroupName object is then used as an
        index into the spdGroupContentsTable to come up with a list
        of rules that MUST be applied at this endpoint."
    ::= { spdEndpointToGroupEntry 3 }

spdEndGroupLastChanged OBJECT-TYPE
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdEndpointToGroupEntry 4 }

spdEndGroupStorageType OBJECT-TYPE
    MAX-ACCESS read-create
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a storage
        type of readOnly or permanent.
        For a storage type of permanent, none of the columns have
    DEFVAL { nonVolatile }
    ::= { spdEndpointToGroupEntry 5 }

spdEndGroupRowStatus OBJECT-TYPE
    MAX-ACCESS read-create
        "This object indicates the conceptual status of this row.
        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        This object is considered 'notReady' and MUST NOT be set to
        active until one or more active rows exist within the
        spdGroupContentsTable for the group referenced by the
        spdEndGroupName object."
    ::= { spdEndpointToGroupEntry 6 }

-- policy group definition table
spdGroupContentsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdGroupContentsEntry
    MAX-ACCESS not-accessible
        "This table contains a list of rules and/or subgroups
        contained within a given policy group. For a given value
        of spdGroupContName, the set of rows sharing that value
        forms a 'group'. The rows in a group MUST be processed
        according to the value of the spdGroupContPriority object
        in each row. The processing MUST be executed starting with
        the lowest value of spdGroupContPriority and in ascending
        If an action is executed as the result of the processing of
        a row in a group, the processing of further rows in that
        group MUST stop. Iterating to the next policy group row by
        finding the next largest spdGroupContPriority object SHALL
        only be done if no actions were run while processing the
        current row for a given packet."
    ::= { spdConfigObjects 3 }

spdGroupContentsEntry OBJECT-TYPE
    SYNTAX SpdGroupContentsEntry
    MAX-ACCESS not-accessible
        "Defines a given sub-component within a policy group. A
        sub-component is either a rule or another group as
        indicated by spdGroupContComponentType and referenced by
        spdGroupContComponentName."
    INDEX { spdGroupContName, spdGroupContPriority }
    ::= { spdGroupContentsTable 1 }

SpdGroupContentsEntry ::= SEQUENCE {
    spdGroupContName SnmpAdminString,
    spdGroupContPriority Integer32,
    spdGroupContFilter VariablePointer,
    spdGroupContComponentType INTEGER,
    spdGroupContComponentName SnmpAdminString,
    spdGroupContLastChanged TimeStamp,
    spdGroupContStorageType StorageType,
    spdGroupContRowStatus RowStatus

spdGroupContName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
        "The administrative name of the group associated with this
        row. A 'group' is formed by all the rows in this table that
        have the same value of this object."
    ::= { spdGroupContentsEntry 1 }

spdGroupContPriority OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS not-accessible
        "The priority (sequence number) of the sub-component in
        a group that this row represents. This value indicates
        the order that each row of this table MUST be processed
        from low to high. For example, a row with a priority of 0
        is processed before a row with a priority of 1, a 1 before
    ::= { spdGroupContentsEntry 2 }

spdGroupContFilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
        "spdGroupContFilter points to a filter that is evaluated
        to determine whether the spdGroupContComponentName within
        this row is exercised. Managers can use this object to
        classify groups of rules, or subgroups, together in order to
        achieve a greater degree of control and optimization over
        the execution order of the items within the group. If the
        filter evaluates to false, the rule or subgroup will be
        skipped and the next rule or subgroup will be evaluated
        instead. This value can be used to indicate a scalar or
        row in a table. When indicating a row in a table, this
        value MUST point to the first column instance in that row.
        An example usage of this object would be to limit a
        group of rules to executing only when the IP packet
        being processed is designated to be processed by IKE.
        This effectively creates a group of IKE-specific rules.
        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
            diffServMultiFieldClfrTable
            spdIpOffsetFilterTable
            spdCompoundFilterTable
            spdIpsoHeaderFilterTable
        Implementations MAY choose to provide support for other
        filter tables or scalars.
        If this column is set to a VariablePointer value, which
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        If, during packet processing, a row in this table is applied
        to a packet and the value of this column in that row
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    DEFVAL { spdTrueFilterInstance }
    ::= { spdGroupContentsEntry 3 }

spdGroupContComponentType OBJECT-TYPE
    SYNTAX INTEGER { group(1), rule(2) }
    MAX-ACCESS read-create
        "Indicates whether the spdGroupContComponentName object
        is the name of another group defined within the
        spdGroupContentsTable or is the name of a rule defined
        within the spdRuleDefinitionTable."
    ::= { spdGroupContentsEntry 4 }

spdGroupContComponentName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
        "The name of the policy rule or subgroup contained within
        this row, as indicated by the spdGroupContComponentType
    ::= { spdGroupContentsEntry 5 }

spdGroupContLastChanged OBJECT-TYPE
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        If this row has not been modified since the last
        re-initialization of the network management subsystem,
        this object SHOULD have a zero value."
    ::= { spdGroupContentsEntry 6 }

spdGroupContStorageType OBJECT-TYPE
    MAX-ACCESS read-create
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a storage
        type of readOnly or permanent.
        For a storage type of permanent, none of the columns have
    DEFVAL { nonVolatile }
    ::= { spdGroupContentsEntry 7 }

spdGroupContRowStatus OBJECT-TYPE
    MAX-ACCESS read-create
        "This object indicates the conceptual status of this row.
        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        This object MUST NOT be set to active until the row to
        which the spdGroupContComponentName points to exists and is
        If active, this object MUST remain active unless one of the
        following two conditions are met:
        I. No active row in spdEndpointToGroupTable exists that
           references this row's group (i.e., indicate this row's
        II. Or at least one other active row in this table has a
            matching spdGroupContName.
        If neither condition is met, an attempt to set this row to
        something other than active MUST result in an
        inconsistentValue error."
    ::= { spdGroupContentsEntry 8 }

-- policy definition table
spdRuleDefinitionTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdRuleDefinitionEntry
    MAX-ACCESS not-accessible
        "This table defines a rule by associating a filter
        or a set of filters to an action to be executed."
    ::= { spdConfigObjects 4 }

spdRuleDefinitionEntry OBJECT-TYPE
    SYNTAX SpdRuleDefinitionEntry
    MAX-ACCESS not-accessible
        "A row defining a particular rule definition. A rule
        definition binds a filter pointer to an action pointer."
    INDEX { spdRuleDefName }
    ::= { spdRuleDefinitionTable 1 }

SpdRuleDefinitionEntry ::= SEQUENCE {
    spdRuleDefName SnmpAdminString,
    spdRuleDefDescription SnmpAdminString,
    spdRuleDefFilter VariablePointer,
    spdRuleDefFilterNegated TruthValue,
    spdRuleDefAction VariablePointer,
    spdRuleDefAdminStatus SpdAdminStatus,
    spdRuleDefLastChanged TimeStamp,
    spdRuleDefStorageType StorageType,
    spdRuleDefRowStatus RowStatus

spdRuleDefName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
        "spdRuleDefName is the administratively assigned name of
        the rule referred to by the spdGroupContComponentName
    ::= { spdRuleDefinitionEntry 1 }

spdRuleDefDescription OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
        "A user defined string. This field MAY be used for
        administrative tracking purposes."
    ::= { spdRuleDefinitionEntry 2 }

spdRuleDefFilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
        "spdRuleDefFilter points to a filter that is used to
        evaluate whether the action associated with this row is
        executed or not. The action will only execute if the
        filter referenced by this object evaluates to TRUE after
        first applying any negation required by the
        spdRuleDefFilterNegated object.
        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB. Implementations MAY choose to provide support
        for other filter tables or scalars as well:
            diffServMultiFieldClfrTable
            spdIpOffsetFilterTable
            spdCompoundFilterTable
        If this column is set to a VariablePointer value, which
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        If, during packet processing, this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    ::= { spdRuleDefinitionEntry 3 }

spdRuleDefFilterNegated OBJECT-TYPE
    MAX-ACCESS read-create
        "spdRuleDefFilterNegated specifies whether or not the results of
        the filter referenced by the spdRuleDefFilter object is
    ::= { spdRuleDefinitionEntry 4 }

spdRuleDefAction OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
        "This column points to the action to be taken. It MAY,
        but is not limited to, point to a row in one of the
            spdCompoundActionTable
            ipsaSaPreconfiguredActionTable
        It MAY also point to one of the scalar objects beneath
        If this object is set to a pointer to a row in an
        unsupported (or unknown) table, an inconsistentValue
        error MUST be returned.
        If this object is set to point to a non-existent row in an
        otherwise supported table, an inconsistentName error MUST
        If, during packet processing, this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    ::= { spdRuleDefinitionEntry 5 }

spdRuleDefAdminStatus OBJECT-TYPE
    SYNTAX SpdAdminStatus
    MAX-ACCESS read-create
        "Indicates whether the current rule definition is considered
        active. If the value is enabled, the rule MUST be evaluated
        when processing packets. If the value is disabled, the
        packet processing MUST continue as if this rule's filter
        had effectively failed."
    ::= { spdRuleDefinitionEntry 6 }

spdRuleDefLastChanged OBJECT-TYPE
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdRuleDefinitionEntry 7 }

spdRuleDefStorageType OBJECT-TYPE
    MAX-ACCESS read-create
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a
        storage type of readOnly or permanent.
        For a storage type of permanent, none of the columns have
    DEFVAL { nonVolatile }
    ::= { spdRuleDefinitionEntry 8 }

spdRuleDefRowStatus OBJECT-TYPE
    MAX-ACCESS read-create
        "This object indicates the conceptual status of this row.
        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        This object MUST NOT be set to active until the containing
        conditions, filters, and actions have been defined. Once
        active, it MUST remain active until no active
        policyGroupContents entries are referencing it. A failed
        attempt to do so MUST return an inconsistentValue error."
    ::= { spdRuleDefinitionEntry 9 }

-- Policy compound filter definition table
spdCompoundFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdCompoundFilterEntry
    MAX-ACCESS not-accessible
        "A table defining compound filters and their associated
        parameters. A row in this table can be pointed to by a
        spdRuleDefFilter object."
    ::= { spdConfigObjects 5 }

spdCompoundFilterEntry OBJECT-TYPE
    SYNTAX SpdCompoundFilterEntry
    MAX-ACCESS not-accessible
        "An entry in the spdCompoundFilterTable. Each entry in this
        table represents a compound filter. A filter defined by
        this table is considered to have a TRUE return value if and
        spdCompFiltLogicType is AND and all of the sub-filters
        associated with it, as defined in the spdSubfiltersTable,
        are all true themselves (after applying any required
        negation, as defined by the ficFilterIsNegated object).
        spdCompFiltLogicType is OR and at least one of the
        sub-filters associated with it, as defined in the
        spdSubfiltersTable, is true itself (after applying any
        required negation, as defined by the ficFilterIsNegated
    INDEX { spdCompFiltName }
    ::= { spdCompoundFilterTable 1 }

SpdCompoundFilterEntry ::= SEQUENCE {
    spdCompFiltName SnmpAdminString,
    spdCompFiltDescription SnmpAdminString,
    spdCompFiltLogicType SpdBooleanOperator,
    spdCompFiltLastChanged TimeStamp,
    spdCompFiltStorageType StorageType,
    spdCompFiltRowStatus RowStatus

spdCompFiltName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
        "A user definable string. This value is used as an index
    ::= { spdCompoundFilterEntry 1 }

spdCompFiltDescription OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
        "A user definable string. This field MAY be used for
        your administrative tracking purposes."
    ::= { spdCompoundFilterEntry 2 }

spdCompFiltLogicType OBJECT-TYPE
    SYNTAX SpdBooleanOperator
    MAX-ACCESS read-create
        "Indicates whether the sub-component filters of this
        compound filter are functionally ANDed or ORed together."
    ::= { spdCompoundFilterEntry 3 }

spdCompFiltLastChanged OBJECT-TYPE
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdCompoundFilterEntry 4 }

spdCompFiltStorageType OBJECT-TYPE
    MAX-ACCESS read-create
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a
        storage type of readOnly or permanent.
        For a storage type of permanent, none of the columns have
    DEFVAL { nonVolatile }
    ::= { spdCompoundFilterEntry 5 }

spdCompFiltRowStatus OBJECT-TYPE
    MAX-ACCESS read-create
        "This object indicates the conceptual status of this row.
        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        Once active, it MUST NOT have its value changed if any
        active rows in the spdRuleDefinitionTable are currently
        pointing at this row."
    ::= { spdCompoundFilterEntry 6 }

-- Policy filters in a cf table
spdSubfiltersTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdSubfiltersEntry
    MAX-ACCESS not-accessible
        "This table defines a list of filters contained within a
        given compound filter defined in the
        spdCompoundFilterTable."
    ::= { spdConfigObjects 6 }

spdSubfiltersEntry OBJECT-TYPE
    SYNTAX SpdSubfiltersEntry
    MAX-ACCESS not-accessible
        "An entry in the spdSubfiltersTable. There is an entry in
        this table for each sub-filter of all compound filters
        present in the spdCompoundFilterTable."
    INDEX { spdCompFiltName, spdSubFiltPriority }
    ::= { spdSubfiltersTable 1 }

SpdSubfiltersEntry ::= SEQUENCE {
    spdSubFiltPriority Integer32,
    spdSubFiltSubfilter VariablePointer,
    spdSubFiltSubfilterIsNegated TruthValue,
    spdSubFiltLastChanged TimeStamp,
    spdSubFiltStorageType StorageType,
    spdSubFiltRowStatus RowStatus

spdSubFiltPriority OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS not-accessible
        "The priority of a given filter within a compound filter.
        The order of execution is from lowest to highest priority
        value (i.e., priority 0 before priority 1, 1 before 2,
        etc.). Implementations MAY choose to follow this ordering,
        as set by the manager that created the rows. This can allow
        a manager to intelligently construct filter lists such that
        faster filters are evaluated first."
    ::= { spdSubfiltersEntry 1 }

spdSubFiltSubfilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
        "The OID of the contained filter. The value of this
        object is a VariablePointer that references the filter to
        be included in this compound filter.
        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB. Implementations MAY choose to provide support
        for other filter tables or scalars as well:
            diffServMultiFieldClfrTable
            spdIpsoHeaderFilterTable
            spdIpOffsetFilterTable
            spdCompoundFilterTable
        If this column is set to a VariablePointer value that
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        If, during packet processing, this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    REFERENCE "RFC 3289"
    ::= { spdSubfiltersEntry 2 }

spdSubFiltSubfilterIsNegated OBJECT-TYPE
    MAX-ACCESS read-create
        "Indicates whether or not the result of applying this sub-filter
    ::= { spdSubfiltersEntry 3 }

spdSubFiltLastChanged OBJECT-TYPE
    MAX-ACCESS read-only
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdSubfiltersEntry 4 }

spdSubFiltStorageType OBJECT-TYPE
    MAX-ACCESS read-create
        "The storage type for this row. Rows in this table that
        were created through an external process MAY have a
        storage type of readOnly or permanent.
        For a storage type of permanent, none of the columns have
    DEFVAL { nonVolatile }
    ::= { spdSubfiltersEntry 5 }

spdSubFiltRowStatus OBJECT-TYPE
    MAX-ACCESS read-create
        "This object indicates the conceptual status of this row.
        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        This object cannot be made active until a filter
        referenced by the spdSubFiltSubfilter object is both
        defined and active. An attempt to do so MUST result in
        an inconsistentValue error.
        If active, this object MUST remain active unless one of the
        following two conditions are met:
        I. No active row in the SpdCompoundFilterTable exists
           that has a matching spdCompFiltName.
        II. Or, at least one other active row in this table has a
            matching spdCompFiltName.
        If neither condition is met, an attempt to set this row to
        something other than active MUST result in an
        inconsistentValue error."
    ::= { spdSubfiltersEntry 6 }

spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }

spdTrueFilter OBJECT-TYPE
    SYNTAX Integer32 (1)
    MAX-ACCESS read-only
        "This scalar indicates a (automatic) true result for
        a filter. That is, this is a filter that is always
        true; it is useful for adding as a default filter for a
        default action or a set of actions."
    ::= { spdStaticFilters 1 }

spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
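
The packet-processing rules spread across the spdEndpointToGroupTable, spdGroupContentsTable, spdRuleDefinitionTable, spdCompoundFilterTable and spdSubfiltersTable descriptions above, modelled as one decision function. This is an added example, not part of the RFC 4807 module: the dictionary layout, the sample names and the "accept" verdict label are constructed, and dropping on an unknown group or rule name or on a nesting loop is a fail-closed assumption (the listing states the drop requirement only for filter and action pointers).

```python
MAX_DEPTH = 16   # assumption: nesting bound so a group or filter loop fails closed
DROP = "drop"    # default verdict when no policy applies or nothing matches


class Dangling(Exception):
    """A name or pointer that resolves to nothing during packet processing."""


def eval_filter(spd, ref, pkt, depth=0):
    if depth > MAX_DEPTH or ref not in spd["filters"]:
        raise Dangling(ref)
    flt = spd["filters"][ref]
    if callable(flt):                       # leaf filter
        return bool(flt(pkt))
    logic, subs = flt                       # compound: (logic, [(prio, ref, negated)])
    # Resolve every sub-filter (no short-circuit) so a dangling one always drops.
    results = [eval_filter(spd, sub, pkt, depth + 1) != negated
               for _prio, sub, negated in sorted(subs, key=lambda s: s[0])]
    return all(results) if logic == "and" else any(results)


def eval_rule(spd, name, pkt):
    """Return the rule's action verdict, or None if the rule does not fire."""
    if name not in spd["rules"]:
        raise Dangling(name)
    rule = spd["rules"][name]
    if not rule["enabled"]:                 # disabled: as if the filter had failed
        return None
    if eval_filter(spd, rule["filter"], pkt) == rule["negated"]:
        return None
    if rule["action"] not in spd["actions"]:
        raise Dangling(rule["action"])
    return spd["actions"][rule["action"]]


def eval_group(spd, name, pkt, depth=0):
    """Walk a group's rows in ascending priority; stop at the first action run."""
    if depth > MAX_DEPTH or name not in spd["groups"]:
        raise Dangling(name)
    for _prio, filt, ctype, cname in sorted(spd["groups"][name], key=lambda r: r[0]):
        if not eval_filter(spd, filt, pkt):
            continue                        # row filter false: skip this component
        if ctype == "group":
            verdict = eval_group(spd, cname, pkt, depth + 1)
        else:
            verdict = eval_rule(spd, cname, pkt)
        if verdict is not None:
            return verdict
    return None


def decide(spd, direction, if_index, pkt):
    # Endpoint mapping first, then the system-wide group for that direction.
    group = spd["endpoints"].get((direction, if_index)) or spd["defaults"][direction]
    if not group:                           # zero-length name: default policy is drop
        return DROP
    try:
        return eval_group(spd, group, pkt) or DROP   # no rule matched: drop
    except Dangling:
        return DROP


def make_spd():
    """Constructed sample database; all names and verdict labels are made up."""
    return {
        "filters": {
            "true": lambda p: True,         # stands in for spdTrueFilterInstance
            "udp": lambda p: p["proto"] == 17,
            "port500": lambda p: p["dport"] == 500,
            "tcp80": lambda p: p["proto"] == 6 and p["dport"] == 80,
            "ike": ("and", [(0, "udp", False), (1, "port500", False)]),
        },
        "actions": {"accept": "accept"},
        "rules": {
            "permit-ike": {"filter": "true", "negated": False,
                           "action": "accept", "enabled": True},
            "permit-web": {"filter": "tcp80", "negated": False,
                           "action": "accept", "enabled": False},
            "typo": {"filter": "tcp80", "negated": False,
                     "action": "acept", "enabled": True},   # dangling action
        },
        "groups": {
            "edge": [(20, "true", "rule", "permit-web"),
                     (10, "ike", "group", "ike-rules")],
            "ike-rules": [(0, "true", "rule", "permit-ike")],
            "bad": [(0, "true", "rule", "typo")],
        },
        "endpoints": {("inbound", 1): "edge", ("inbound", 3): "bad"},
        "defaults": {"inbound": "", "outbound": ""},
    }


IKE = {"proto": 17, "dport": 500}   # constructed sample packets
WEB = {"proto": 6, "dport": 80}
DNS = {"proto": 17, "dport": 53}
```
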

-- Policy IP Offset filter definition table
spdIpOffsetFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry
    MAX-ACCESS not-accessible
        "This table contains a list of filter definitions to be
        used within the spdRuleDefinitionTable or the
        This type of filter is used to compare an administrator
        specified octet string to the octets at a particular
        location in a packet."
    ::= { spdConfigObjects 8 }

spdIpOffsetFilterEntry OBJECT-TYPE
    SYNTAX SpdIpOffsetFilterEntry
    MAX-ACCESS not-accessible
        "A definition of a particular filter."
    INDEX { spdIpOffFiltName }
    ::= { spdIpOffsetFilterTable 1 }

SpdIpOffsetFilterEntry ::= SEQUENCE {
    spdIpOffFiltName SnmpAdminString,
    spdIpOffFiltOffset Unsigned32,
    spdIpOffFiltType INTEGER,
    spdIpOffFiltValue OCTET STRING,
    spdIpOffFiltLastChanged TimeStamp,
    spdIpOffFiltStorageType StorageType,
    spdIpOffFiltRowStatus RowStatus

spdIpOffFiltName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
        "The administrative name for this filter."
    ::= { spdIpOffsetFilterEntry 1 }

spdIpOffFiltOffset OBJECT-TYPE
    SYNTAX Unsigned32 (0..65535)
    MAX-ACCESS read-create
        "This is the byte offset from the front of the entire IP
        packet where the value or arithmetic comparison is done. A
        value of '0' indicates the first byte of the packet header.
        If this value is greater than the length of the packet, the
        filter represented by this row should be considered to
    ::= { spdIpOffsetFilterEntry 2 }

spdIpOffFiltType OBJECT-TYPE
    SYNTAX INTEGER { equal(1),
                     arithmeticGreaterOrEqual(4),
                     arithmeticGreater(5),
                     arithmeticLessOrEqual(6) }
    MAX-ACCESS read-create
        "This defines the various tests that are used when
        evaluating a given filter.
        The various tests definable in this table are as follows:
        - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
          a value in the packet starting at the given offset in
          the packet and comparing the entire OCTET STRING of
          'spdIpOffFiltValue'. Any values compared this way are
          assumed to be unsigned integer values in network byte
          order of the same length as 'spdIpOffFiltValue'.
        - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
          not match a value in the packet starting at the given
          offset in the packet and comparing to the entire OCTET
          STRING of 'spdIpOffFiltValue'. Any values compared
          this way are assumed to be unsigned integer values in
          network byte order of the same length as
          'spdIpOffFiltValue'.
        - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
          arithmetically less than ('<') the value starting at
          the given offset within the packet. The value in the
          packet is assumed to be an unsigned integer in network
          byte order of the same length as 'spdIpOffFiltValue'.
        arithmeticGreaterOrEqual:
        - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
          arithmetically greater than or equal to ('>=') the
          value starting at the given offset within the packet.
          The value in the packet is assumed to be an unsigned
          integer in network byte order of the same length as
          'spdIpOffFiltValue'.
        - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
          arithmetically greater than ('>') the value starting at
          the given offset within the packet. The value in the
          packet is assumed to be an unsigned integer in network
          byte order of the same length as 'spdIpOffFiltValue'.
        arithmeticLessOrEqual:
        - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
          arithmetically less than or equal to ('<=') the value
          starting at the given offset within the packet. The
          value in the packet is assumed to be an unsigned
          integer in network byte order of the same length as
          'spdIpOffFiltValue'."
    ::= { spdIpOffsetFilterEntry 3 }
1236 spdIpOffFiltValue OBJECT-TYPE
1240 SYNTAX OCTET STRING (SIZE(1..1024))
1241 MAX-ACCESS read-create
1244 "spdIpOffFiltValue is used for match comparisons of a
1245 packet at spdIpOffFiltOffset."
1246 ::= { spdIpOffsetFilterEntry 4 }
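-- Added example (not part of RFC 4807 or of any agent implementation): one
-- way a packet-processing engine could evaluate a row of
-- spdIpOffsetFilterTable. Assumptions: the names IpOffsetFilter, matches and
-- SAMPLE_PACKET are hypothetical; the labels notEqual and arithmeticLess are
-- taken from RFC 4807 because this copy drops those lines; and a comparison
-- that would read past the end of the packet is treated as a non-match for
-- every test type.

```python
from dataclasses import dataclass

# spdIpOffFiltType tests as (configured value, packet field) predicates.
# Per the DESCRIPTION, spdIpOffFiltValue is always the LEFT operand, so
# arithmeticGreater means "configured value > value found in the packet".
TESTS = {
    "equal": lambda value, field: value == field,
    "notEqual": lambda value, field: value != field,
    "arithmeticLess": lambda value, field: value < field,
    "arithmeticGreaterOrEqual": lambda value, field: value >= field,
    "arithmeticGreater": lambda value, field: value > field,
    "arithmeticLessOrEqual": lambda value, field: value <= field,
}


@dataclass(frozen=True)
class IpOffsetFilter:
    name: str      # spdIpOffFiltName, SIZE(1..32)
    offset: int    # spdIpOffFiltOffset, 0..65535, counted from the IP header
    test: str      # spdIpOffFiltType label
    value: bytes   # spdIpOffFiltValue, SIZE(1..1024)

    def __post_init__(self):
        # Enforce the SYNTAX ranges before a row is allowed to go active.
        if not 1 <= len(self.name) <= 32:
            raise ValueError("spdIpOffFiltName must be 1..32 characters")
        if not 0 <= self.offset <= 65535:
            raise ValueError("spdIpOffFiltOffset must be 0..65535")
        if self.test not in TESTS:
            raise ValueError(f"unknown spdIpOffFiltType: {self.test}")
        if not 1 <= len(self.value) <= 1024:
            raise ValueError("spdIpOffFiltValue must be 1..1024 octets")


def matches(filt: IpOffsetFilter, packet: bytes) -> bool:
    """Return True if the packet satisfies the filter row."""
    end = filt.offset + len(filt.value)
    if end > len(packet):
        # Assumption: fail closed. Without this, a notEqual test on a short
        # packet would compare against a truncated slice and report a match.
        return False
    # Both operands are unsigned integers in network byte order, and the
    # packet field has the same length as the configured value.
    field = int.from_bytes(packet[filt.offset:end], "big")
    value = int.from_bytes(filt.value, "big")
    return TESTS[filt.test](value, field)


# Constructed sample: IPv4 header (TTL 64, protocol 6, 192.0.2.1 ->
# 198.51.100.7, checksum left as zero) followed by TCP ports 54321 -> 22.
SAMPLE_PACKET = bytes.fromhex(
    "45000018" "00004000" "40060000" "c0000201" "c6336407" "d4310016"
)
```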
1248 spdIpOffFiltLastChanged OBJECT-TYPE
1250 MAX-ACCESS read-only
1253 "The value of sysUpTime when this row was last modified
1254 or created either through SNMP SETs or by some other
1257 If this row has not been modified since the last
1258 re-initialization of the network management subsystem, this
1259 object SHOULD have a zero value."
1260 ::= { spdIpOffsetFilterEntry 5 }
1263 spdIpOffFiltStorageType OBJECT-TYPE
1265 MAX-ACCESS read-create
1268 "The storage type for this row. Rows in this table that
1269 were created through an external process MAY have a
1270 storage type of readOnly or permanent.
1272 For a storage type of permanent, none of the columns have
1274 DEFVAL { nonVolatile }
1275 ::= { spdIpOffsetFilterEntry 6 }
1277 spdIpOffFiltRowStatus OBJECT-TYPE
1279 MAX-ACCESS read-create
1282 "This object indicates the conceptual status of this row.
1284 The value of this object has no effect on whether other
1285 objects in this conceptual row can be modified.
1287 If active, this object MUST remain active if it is
1291 referenced by an active row in another table. An attempt
1292 to set it to anything other than active while it is
1293 referenced by an active row in another table MUST result in
1294 an inconsistentValue error."
1295 ::= { spdIpOffsetFilterEntry 7 }
1299 -- Time/scheduling filter table
1302 spdTimeFilterTable OBJECT-TYPE
1303 SYNTAX SEQUENCE OF SpdTimeFilterEntry
1304 MAX-ACCESS not-accessible
1307 "Defines a table of filters that can be used to
1308 effectively enable or disable policies based on a valid
1310 ::= { spdConfigObjects 9 }
1312 spdTimeFilterEntry OBJECT-TYPE
1313 SYNTAX SpdTimeFilterEntry
1314 MAX-ACCESS not-accessible
1317 "A row describing a given time frame for which a policy
1318 is filtered on to activate or deactivate the rule.
1320 If all the column objects in a row are true for the current
1321 time, the row evaluates as 'true'. More explicitly, the
1322 time matching column objects in a row MUST be logically
1323 ANDed together to form the boolean true/false for the row."
1324 INDEX { spdTimeFiltName }
1325 ::= { spdTimeFilterTable 1 }
1327 SpdTimeFilterEntry ::= SEQUENCE {
1328 spdTimeFiltName SnmpAdminString,
1329 spdTimeFiltPeriod SpdTimePeriod,
1330 spdTimeFiltMonthOfYearMask BITS,
1331 spdTimeFiltDayOfMonthMask OCTET STRING,
1332 spdTimeFiltDayOfWeekMask BITS,
1333 spdTimeFiltTimeOfDayMask SpdTimePeriod,
1334 spdTimeFiltLastChanged TimeStamp,
1335 spdTimeFiltStorageType StorageType,
1336 spdTimeFiltRowStatus RowStatus
1342 spdTimeFiltName OBJECT-TYPE
1343 SYNTAX SnmpAdminString (SIZE(1..32))
1344 MAX-ACCESS not-accessible
1347 "An administratively assigned name for this filter."
1348 ::= { spdTimeFilterEntry 1 }
1351 spdTimeFiltPeriod OBJECT-TYPE
1352 SYNTAX SpdTimePeriod
1353 MAX-ACCESS read-create
1356 "The valid time period for this filter. This column is
1357 considered 'true' if the current time is within the range of
1359 DEFVAL { "THISANDPRIOR/THISANDFUTURE" }
1360 ::= { spdTimeFilterEntry 2 }
1363 spdTimeFiltMonthOfYearMask OBJECT-TYPE
1364 SYNTAX BITS { january(0), february(1), march(2),
1365 april(3), may(4), june(5), july(6),
1366 august(7), september(8), october(9),
1367 november(10), december(11) }
1368 MAX-ACCESS read-create
1371 "A bit mask that indicates acceptable months of the year.
1372 This column evaluates to 'true' if the current month's bit
1374 DEFVAL { { january, february, march, april, may, june, july,
1375 august, september, october, november, december } }
1376 ::= { spdTimeFilterEntry 3 }
1378 spdTimeFiltDayOfMonthMask OBJECT-TYPE
1379 SYNTAX OCTET STRING (SIZE(8))
1380 MAX-ACCESS read-create
1383 "Defines which days of the month the current time is
1384 valid for. It is a sequence of 64 BITS, where each BIT
1385 represents a corresponding day of the month in forward or
1386 reverse order. Starting from the left-most bit, the first
1387 31 bits identify the day of the month, counting from the
1388 beginning of the month. The following 31 bits (bits 32-62)
1389 indicate the day of the month, counting from the end of the
1393 month. For months with fewer than 31 days, the bits that
1394 correspond to the non-existent days of that month are
1395 ignored (e.g., for non-leap year Februarys, bits 29-31 and
1398 This column evaluates to 'true' if the current day of the
1401 For example, a value of 0X'80 00 00 01 00 00 00 00'
1402 indicates that this column evaluates to true on the first
1403 and last days of the month.
1405 The last two bits in the string MUST be zero."
1406 DEFVAL { 'fffffffffffffffe'H }
1407 ::= { spdTimeFilterEntry 4 }
1409 spdTimeFiltDayOfWeekMask OBJECT-TYPE
1410 SYNTAX BITS { sunday(0), monday(1), tuesday(2),
1411 wednesday(3), thursday(4), friday(5),
1413 MAX-ACCESS read-create
1416 "A bit mask that defines which days of the week the current
1417 time is valid for. This column evaluates to 'true' if the
1418 current day of the week's bit is set."
1419 DEFVAL { { monday, tuesday, wednesday, thursday, friday,
1420 saturday, sunday } }
1421 ::= { spdTimeFilterEntry 5 }
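-- Added example (not part of RFC 4807 or of any agent implementation):
-- decoding spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask and
-- spdTimeFiltDayOfWeekMask and ANDing them as the row DESCRIPTION requires.
-- Assumptions: all function and constant names are hypothetical,
-- spdTimeFiltPeriod and spdTimeFiltTimeOfDayMask are left out, and
-- saturday(6) is inferred from the DEFVAL list.

```python
import calendar
from datetime import date


def bit_set(mask: bytes, bit: int) -> bool:
    """Left-to-right numbering: bit 0 is the high-order bit of octet 0."""
    octet, shift = divmod(bit, 8)
    return octet < len(mask) and bool(mask[octet] & (0x80 >> shift))


def reserved_bits_clear(dom_mask: bytes) -> bool:
    """Check the 'last two bits in the string MUST be zero' requirement."""
    return len(dom_mask) == 8 and (dom_mask[7] & 0x03) == 0


def day_of_month_matches(dom_mask: bytes, day: date) -> bool:
    """True if the day's forward bit or its count-from-end bit is set."""
    if len(dom_mask) != 8:
        raise ValueError("spdTimeFiltDayOfMonthMask is SIZE(8)")
    days_in_month = calendar.monthrange(day.year, day.month)[1]
    # The page counts bits from 1; these indexes are 0-based.
    forward = day.day - 1                     # bits 0..30: day 1..31
    reverse = 31 + (days_in_month - day.day)  # bits 31..61: last day first
    # Bits for days a month does not have are never looked up, which is how
    # "ignored" falls out for short months.
    return bit_set(dom_mask, forward) or bit_set(dom_mask, reverse)


def row_matches(month_mask: bytes, dom_mask: bytes, dow_mask: bytes,
                day: date) -> bool:
    """AND the three mask columns for the given calendar day."""
    return (
        bit_set(month_mask, day.month - 1)            # january(0)
        and day_of_month_matches(dom_mask, day)
        and bit_set(dow_mask, day.isoweekday() % 7)   # sunday(0)
    )


# The value the page walks through: first and last day of the month.
PAGE_EXAMPLE = bytes.fromhex("8000000100000000")
# The DEFVAL printed on the page. Its final octet is 0xfe, so the bit before
# the last one is set and a strict reserved-bit check flags it.
PAGE_DEFVAL = bytes.fromhex("fffffffffffffffe")
# Constructed BITS values: all twelve months, and monday(1)..friday(5).
ALL_MONTHS = bytes([0xFF, 0xF0])
JANUARY_ONLY = bytes([0x80, 0x00])
WEEKDAYS = bytes([0x7C])
```

An agent that enforces the reserved-bit rule on SET needs a decision for rows created with the default value, since the default as printed does not pass that check.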
1423 spdTimeFiltTimeOfDayMask OBJECT-TYPE
1424 SYNTAX SpdTimePeriod
1425 MAX-ACCESS read-create
1428 "Indicates the start and end time of the day for which this
1429 filter evaluates to true. The date portions of the
1430 spdTimePeriod TC are ignored for purposes of evaluating this
1431 mask, and only the time-specific portions are used.
1433 This column evaluates to 'true' if the current time of day
1434 is within the range of the start and end times of the day
1435 indicated by this object."
1436 DEFVAL { "00000000T000000/00000000T240000" }
1437 ::= { spdTimeFilterEntry 6 }
1439 spdTimeFiltLastChanged OBJECT-TYPE
1444 MAX-ACCESS read-only
1447 "The value of sysUpTime when this row was last modified
1448 or created either through SNMP SETs or by some other
1451 If this row has not been modified since the last
1452 re-initialization of the network management subsystem, this
1453 object SHOULD have a zero value."
1454 ::= { spdTimeFilterEntry 7 }
1456 spdTimeFiltStorageType OBJECT-TYPE
1458 MAX-ACCESS read-create
1461 "The storage type for this row. Rows in this table that
1462 were created through an external process MAY have a storage
1463 type of readOnly or permanent.
1465 For a storage type of permanent, none of the columns have
1467 DEFVAL { nonVolatile }
1468 ::= { spdTimeFilterEntry 8 }
1470 spdTimeFiltRowStatus OBJECT-TYPE
1472 MAX-ACCESS read-create
1475 "This object indicates the conceptual status of this
1478 The value of this object has no effect on whether other
1479 objects in this conceptual row can be modified.
1481 If active, this object MUST remain active if it is
1482 referenced by an active row in another table. An attempt
1483 to set it to anything other than active while it is
1484 referenced by an active row in another table MUST result in
1485 an inconsistentValue error."
1486 ::= { spdTimeFilterEntry 9 }
1489 -- IPSO protection authority filtering
1495 spdIpsoHeaderFilterTable OBJECT-TYPE
1496 SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry
1497 MAX-ACCESS not-accessible
1500 "This table contains a list of IPSO header filter
1501 definitions to be used within the spdRuleDefinitionTable or
1502 the spdSubfiltersTable. IPSO headers and their values are
1503 described in RFC 1108."
1504 REFERENCE "RFC 1108"
1505 ::= { spdConfigObjects 10 }
1507 spdIpsoHeaderFilterEntry OBJECT-TYPE
1508 SYNTAX SpdIpsoHeaderFilterEntry
1509 MAX-ACCESS not-accessible
1512 "A definition of a particular filter."
1513 INDEX { spdIpsoHeadFiltName }
1514 ::= { spdIpsoHeaderFilterTable 1 }
1516 SpdIpsoHeaderFilterEntry ::= SEQUENCE {
1517 spdIpsoHeadFiltName SnmpAdminString,
1518 spdIpsoHeadFiltType BITS,
1519 spdIpsoHeadFiltClassification INTEGER,
1520 spdIpsoHeadFiltProtectionAuth INTEGER,
1521 spdIpsoHeadFiltLastChanged TimeStamp,
1522 spdIpsoHeadFiltStorageType StorageType,
1523 spdIpsoHeadFiltRowStatus RowStatus
1526 spdIpsoHeadFiltName OBJECT-TYPE
1527 SYNTAX SnmpAdminString (SIZE(1..32))
1528 MAX-ACCESS not-accessible
1531 "The administrative name for this filter."
1532 ::= { spdIpsoHeaderFilterEntry 1 }
1534 spdIpsoHeadFiltType OBJECT-TYPE
1535 SYNTAX BITS { classificationLevel(0),
1536 protectionAuthority(1) }
1537 MAX-ACCESS read-create
1540 "This object indicates which of the IPSO header fields a
1541 packet is filtered on for this row. If this object is set
1542 to classification(0), the spdIpsoHeadFiltClassification
1546 object indicates how the packet is filtered. If this object
1547 is set to protectionAuthority(1), the
1548 spdIpsoHeadFiltProtectionAuth object indicates how the
1549 packet is filtered."
1550 ::= { spdIpsoHeaderFilterEntry 2 }
1552 spdIpsoHeadFiltClassification OBJECT-TYPE
1553 SYNTAX INTEGER { topSecret(61), secret(90),
1554 confidential(150), unclassified(171) }
1555 MAX-ACCESS read-create
1558 "This object indicates the IPSO classification header field
1559 value that the packet MUST have for this row to evaluate to
1562 The values of these enumerations are defined by RFC 1108."
1563 REFERENCE "RFC 1108"
1564 ::= { spdIpsoHeaderFilterEntry 3 }
1566 spdIpsoHeadFiltProtectionAuth OBJECT-TYPE
1567 SYNTAX INTEGER { genser(0), siopesi(1), sci(2),
1569 MAX-ACCESS read-create
1572 "This object indicates the IPSO protection authority header
1573 field value that the packet MUST have for this row to
1576 The values of these enumerations are defined by RFC 1108.
1577 Hence the reason the SMIv2 convention of not using 0 in
1578 enumerated lists is violated here."
1579 REFERENCE "RFC 1108"
1580 ::= { spdIpsoHeaderFilterEntry 4 }
1582 spdIpsoHeadFiltLastChanged OBJECT-TYPE
1584 MAX-ACCESS read-only
1587 "The value of sysUpTime when this row was last modified
1588 or created either through SNMP SETs or by some other
1591 If this row has not been modified since the last
1592 re-initialization of the network management subsystem, this
1593 object SHOULD have a zero value."
1597 ::= { spdIpsoHeaderFilterEntry 5 }
1599 spdIpsoHeadFiltStorageType OBJECT-TYPE
1601 MAX-ACCESS read-create
1604 "The storage type for this row. Rows in this table that
1605 were created through an external process MAY have a storage
1606 type of readOnly or permanent.
1608 For a storage type of permanent, none of the columns have
1610 DEFVAL { nonVolatile }
1611 ::= { spdIpsoHeaderFilterEntry 6 }
1613 spdIpsoHeadFiltRowStatus OBJECT-TYPE
1615 MAX-ACCESS read-create
1618 "This object indicates the conceptual status of this row.
1620 The value of this object has no effect on whether other
1621 objects in this conceptual row can be modified.
1623 However, this object MUST NOT be set to active if the
1624 requirements of the spdIpsoHeadFiltType object are not met.
1625 Specifically, if the spdIpsoHeadFiltType bit for
1626 classification(0) is set, the spdIpsoHeadFiltClassification
1627 column MUST have a valid value for the row status to be set
1628 to active. If the spdIpsoHeadFiltType bit for
1629 protectionAuthority(1) is set, the
1630 spdIpsoHeadFiltProtectionAuth column MUST have a valid
1631 value for the row status to be set to active.
1633 If active, this object MUST remain active if it is
1634 referenced by an active row in another table. An attempt
1635 to set it to anything other than active while it is
1636 referenced by an active row in another table MUST result in
1637 an inconsistentValue error."
1638 ::= { spdIpsoHeaderFilterEntry 7 }
1641 -- compound actions table
1644 spdCompoundActionTable OBJECT-TYPE
1648 SYNTAX SEQUENCE OF SpdCompoundActionEntry
1649 MAX-ACCESS not-accessible
1652 "Table used to allow multiple actions to be associated
1653 with a rule. It uses the spdSubactionsTable to do this.
1654 The rows from spdSubactionsTable that are partially indexed
1655 by spdCompActName form the set of compound actions to be
1656 performed. The spdCompActExecutionStrategy column in this
1657 table indicates how those actions are processed."
1658 ::= { spdConfigObjects 11 }
1660 spdCompoundActionEntry OBJECT-TYPE
1661 SYNTAX SpdCompoundActionEntry
1662 MAX-ACCESS not-accessible
1665 "A row in the spdCompoundActionTable."
1666 INDEX { spdCompActName }
1667 ::= { spdCompoundActionTable 1 }
1669 SpdCompoundActionEntry ::= SEQUENCE {
1670 spdCompActName SnmpAdminString,
1671 spdCompActExecutionStrategy INTEGER,
1672 spdCompActLastChanged TimeStamp,
1673 spdCompActStorageType StorageType,
1674 spdCompActRowStatus RowStatus
1677 spdCompActName OBJECT-TYPE
1678 SYNTAX SnmpAdminString (SIZE(1..32))
1679 MAX-ACCESS not-accessible
1682 "This is an administratively assigned name of this
1684 ::= { spdCompoundActionEntry 1 }
1686 spdCompActExecutionStrategy OBJECT-TYPE
1687 SYNTAX INTEGER { doAll(1),
1690 MAX-ACCESS read-create
1693 "This object indicates how the sub-actions are executed
1694 based on the success of the actions as they finish
1699 doAll - run each sub-action regardless of the
1700 exit status of the previous action.
1701 This parent action is always
1702 considered to have acted successfully.
1704 doUntilSuccess - run each sub-action until one succeeds,
1705 at which point stop processing the
1706 sub-actions within this parent
1707 compound action. If one of the
1708 sub-actions did execute successfully,
1709 this parent action is also considered
1710 to have executed successfully.
1712 doUntilFailure - run each sub-action until one fails,
1713 at which point stop processing the
1714 sub-actions within this compound
1715 action. If any sub-action fails, the
1716 result of this parent action is
1717 considered to have failed."
1718 DEFVAL { doUntilSuccess }
1719 ::= { spdCompoundActionEntry 2 }
1721 spdCompActLastChanged OBJECT-TYPE
1723 MAX-ACCESS read-only
1726 "The value of sysUpTime when this row was last modified
1727 or created either through SNMP SETs or by some other
1730 If this row has not been modified since the last
1731 re-initialization of the network management subsystem, this
1732 object SHOULD have a zero value."
1733 ::= { spdCompoundActionEntry 3 }
1735 spdCompActStorageType OBJECT-TYPE
1737 MAX-ACCESS read-create
1740 "The storage type for this row. Rows in this table that
1741 were created through an external process MAY have a storage
1742 type of readOnly or permanent.
1744 For a storage type of permanent, none of the columns have
1746 DEFVAL { nonVolatile }
1750 ::= { spdCompoundActionEntry 4 }
1752 spdCompActRowStatus OBJECT-TYPE
1754 MAX-ACCESS read-create
1757 "This object indicates the conceptual status of this row.
1759 The value of this object has no effect on whether other
1760 objects in this conceptual row can be modified.
1762 Once a row in the spdCompoundActionTable has been made
1763 active, this object MUST NOT be set to destroy without
1764 first destroying all the contained rows listed in the
1765 spdSubactionsTable."
1766 ::= { spdCompoundActionEntry 5 }
1770 -- actions contained within a compound action
1773 spdSubactionsTable OBJECT-TYPE
1774 SYNTAX SEQUENCE OF SpdSubactionsEntry
1775 MAX-ACCESS not-accessible
1778 "This table contains a list of the sub-actions within a
1779 given compound action. Compound actions executing these
1780 actions MUST execute them in series based on the
1781 spdSubActPriority value, with the lowest value executing
1783 ::= { spdConfigObjects 12 }
1785 spdSubactionsEntry OBJECT-TYPE
1786 SYNTAX SpdSubactionsEntry
1787 MAX-ACCESS not-accessible
1790 "A row containing a reference to a given compound-action
1792 INDEX { spdCompActName, spdSubActPriority }
1793 ::= { spdSubactionsTable 1 }
1795 SpdSubactionsEntry ::= SEQUENCE {
1796 spdSubActPriority Integer32,
1797 spdSubActSubActionName VariablePointer,
1801 spdSubActLastChanged TimeStamp,
1802 spdSubActStorageType StorageType,
1803 spdSubActRowStatus RowStatus
1806 spdSubActPriority OBJECT-TYPE
1807 SYNTAX Integer32 (0..65535)
1808 MAX-ACCESS not-accessible
1811 "The priority of a given sub-action within a compound
1812 action. The order in which sub-actions MUST be executed
1813 is based on the value from this column, with the lowest
1814 numeric value executing first (i.e., priority 0 before
1815 priority 1, 1 before 2, etc.)."
1816 ::= { spdSubactionsEntry 1 }
1818 spdSubActSubActionName OBJECT-TYPE
1819 SYNTAX VariablePointer
1820 MAX-ACCESS read-create
1823 "This column points to the action to be taken. It MAY,
1824 but is not limited to, point to a row in one of the
1827 spdCompoundActionTable - Allowing recursion
1828 ipsaSaPreconfiguredActionTable
1830 ipiaIpsecActionTable
1832 It MAY also point to one of the scalar objects beneath
1835 If this object is set to a pointer to a row in an
1836 unsupported (or unknown) table, an inconsistentValue
1837 error MUST be returned.
1839 If this object is set to point to a non-existent row in
1840 an otherwise supported table, an inconsistentName error
1843 If, during packet processing, this column has a value that
1844 references a non-existent or non-supported object, the
1845 packet MUST be dropped."
1846 ::= { spdSubactionsEntry 2 }
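-- Added example (not part of RFC 4807 or of any agent implementation): how
-- spdCompActExecutionStrategy and spdSubActPriority combine when a compound
-- action is run, including nested compound actions. Assumptions: string names
-- stand in for VariablePointer values and every table entry is constructed;
-- doUntilSuccess with no successful sub-action counts as failure,
-- doUntilFailure with no failing sub-action counts as success, and a
-- reference cycle is handled like an unresolvable reference (packet dropped).

```python
class DropPacket(Exception):
    """A sub-action reference could not be resolved; the packet is dropped."""


STRATEGY_LABELS = {"doAll", "doUntilSuccess", "doUntilFailure"}

# Constructed stand-ins for spdCompoundActionTable (name -> strategy).
STRATEGIES = {
    "protect": "doUntilSuccess",
    "audit-all": "doAll",
    "strict": "doUntilFailure",
    "outer": "doUntilFailure",
    "loop-a": "doAll",
    "loop-b": "doAll",
    "dangling": "doAll",
}
# Constructed stand-ins for spdSubactionsTable rows, indexed by
# spdCompActName: (spdSubActPriority, name of the action pointed to).
SUBACTIONS = {
    "protect": [(20, "ipsec-backup"), (10, "ipsec-primary"), (30, "log-only")],
    "audit-all": [(1, "ipsec-primary"), (2, "log-only")],
    "strict": [(1, "log-only"), (2, "ipsec-primary"), (3, "ipsec-backup")],
    "outer": [(1, "protect"), (2, "log-only")],
    "loop-a": [(1, "loop-b")],
    "loop-b": [(1, "loop-a")],
    "dangling": [(1, "no-such-row")],
}
# Hypothetical leaf actions with fixed outcomes (True = executed successfully).
LEAVES = {
    "ipsec-primary": lambda: False,
    "ipsec-backup": lambda: True,
    "log-only": lambda: True,
}


def run_compound(name, strategies, subactions, leaves, trace,
                 active=frozenset()):
    """Run one compound action; return True if it is considered successful."""
    if name in active:
        raise DropPacket(f"reference cycle through {name}")
    strategy = strategies[name]
    if strategy not in STRATEGY_LABELS:
        raise ValueError(f"unknown execution strategy: {strategy}")
    # Lowest spdSubActPriority value executes first.
    for _priority, target in sorted(subactions.get(name, []),
                                    key=lambda row: row[0]):
        if target in strategies:        # pointer to another compound action
            ok = run_compound(target, strategies, subactions, leaves, trace,
                              active | {name})
        elif target in leaves:
            trace.append(target)
            ok = leaves[target]()
        else:                           # non-existent or unsupported object
            raise DropPacket(f"{name}: cannot resolve {target}")
        if strategy == "doUntilSuccess" and ok:
            return True
        if strategy == "doUntilFailure" and not ok:
            return False
    # doAll always succeeds; the other two fall back to the assumed outcome.
    return strategy != "doUntilSuccess"


def apply_action(name):
    """Return (verdict, leaf actions executed in order) for a rule action."""
    trace = []
    try:
        ok = run_compound(name, STRATEGIES, SUBACTIONS, LEAVES, trace)
    except DropPacket:
        return "drop", trace
    return ("success" if ok else "failure"), trace
```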
1848 spdSubActLastChanged OBJECT-TYPE
1853 MAX-ACCESS read-only
1856 "The value of sysUpTime when this row was last modified
1857 or created either through SNMP SETs or by some other
1860 If this row has not been modified since the last
1861 re-initialization of the network management subsystem, this
1862 object SHOULD have a zero value."
1863 ::= { spdSubactionsEntry 3 }
1865 spdSubActStorageType OBJECT-TYPE
1867 MAX-ACCESS read-create
1870 "The storage type for this row. Rows in this table that
1871 were created through an external process MAY have a storage
1872 type of readOnly or permanent.
1874 For a storage type of permanent, none of the columns have
1876 DEFVAL { nonVolatile }
1877 ::= { spdSubactionsEntry 4 }
1879 spdSubActRowStatus OBJECT-TYPE
1881 MAX-ACCESS read-create
1884 "This object indicates the conceptual status of this row.
1886 The value of this object has no effect on whether other
1887 objects in this conceptual row can be modified.
1889 If active, this object MUST remain active unless one of the
1890 following two conditions is met. An attempt to set it to
1891 anything other than active while the following conditions
1892 are not met MUST result in an inconsistentValue error. The
1895 I. No active row in the spdCompoundActionTable exists
1896 which has a matching spdCompActName.
1898 II. Or, at least one other active row in this table has a
1899 matching spdCompActName."
1903 ::= { spdSubactionsEntry 5 }
1909 -- these are static actions that can be pointed to by the
1910 -- spdRuleDefAction or the spdSubActSubActionName objects to
1911 -- drop, accept, or reject packets.
1913 spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
1915 spdDropAction OBJECT-TYPE
1916 SYNTAX Integer32 (1)
1917 MAX-ACCESS read-only
1920 "This scalar indicates that a packet MUST be dropped
1921 and SHOULD NOT have action/packet logging."
1922 ::= { spdStaticActions 1 }
1924 spdDropActionLog OBJECT-TYPE
1925 SYNTAX Integer32 (1)
1926 MAX-ACCESS read-only
1929 "This scalar indicates that a packet MUST be dropped
1930 and SHOULD have action/packet logging."
1931 ::= { spdStaticActions 2 }
1933 spdAcceptAction OBJECT-TYPE
1934 SYNTAX Integer32 (1)
1935 MAX-ACCESS read-only
1938 "This scalar indicates that a packet MUST be accepted
1939 (pass-through) and SHOULD NOT have action/packet logging."
1940 ::= { spdStaticActions 3 }
1942 spdAcceptActionLog OBJECT-TYPE
1943 SYNTAX Integer32 (1)
1944 MAX-ACCESS read-only
1947 "This scalar indicates that a packet MUST be accepted
1948 (pass-through) and SHOULD have action/packet logging."
1949 ::= { spdStaticActions 4 }
1956 -- Notification objects information
1960 spdNotificationVariables OBJECT IDENTIFIER ::=
1961 { spdNotificationObjects 1 }
1963 spdNotifications OBJECT IDENTIFIER ::=
1964 { spdNotificationObjects 0 }
1966 spdActionExecuted OBJECT-TYPE
1967 SYNTAX VariablePointer
1968 MAX-ACCESS accessible-for-notify
1971 "Points to the action instance that was executed that
1972 resulted in the notification being sent."
1973 ::= { spdNotificationVariables 1 }
1975 spdIPEndpointAddType OBJECT-TYPE
1976 SYNTAX InetAddressType
1977 MAX-ACCESS accessible-for-notify
1980 "Contains the address type for the interface that the
1981 notification triggering packet is passing through."
1982 ::= { spdNotificationVariables 2 }
1984 spdIPEndpointAddress OBJECT-TYPE
1986 MAX-ACCESS accessible-for-notify
1989 "Contains the interface address for the interface that the
1990 notification triggering packet is passing through.
1992 The format of this object is specified by the
1993 spdIPEndpointAddType object."
1994 ::= { spdNotificationVariables 3 }
1996 spdIPSourceType OBJECT-TYPE
1997 SYNTAX InetAddressType
1998 MAX-ACCESS accessible-for-notify
2001 "Contains the source address type of the packet that
2005 triggered the notification."
2006 ::= { spdNotificationVariables 4 }
2008 spdIPSourceAddress OBJECT-TYPE
2010 MAX-ACCESS accessible-for-notify
2013 "Contains the source address of the packet that
2014 triggered the notification.
2016 The format of this object is specified by the
2017 spdIPSourceType object."
2018 ::= { spdNotificationVariables 5 }
2020 spdIPDestinationType OBJECT-TYPE
2021 SYNTAX InetAddressType
2022 MAX-ACCESS accessible-for-notify
2025 "Contains the destination address type of the packet
2026 that triggered the notification."
2027 ::= { spdNotificationVariables 6 }
2029 spdIPDestinationAddress OBJECT-TYPE
2031 MAX-ACCESS accessible-for-notify
2034 "Contains the destination address of the packet that
2035 triggered the notification.
2037 The format of this object is specified by the
2038 spdIPDestinationType object."
2039 ::= { spdNotificationVariables 7 }
2041 spdPacketDirection OBJECT-TYPE
2043 MAX-ACCESS accessible-for-notify
2046 "Indicates if the packet that triggered the action in
2047 question was ingress (inbound) or egress (outbound)."
2048 ::= { spdNotificationVariables 8 }
2050 spdPacketPart OBJECT-TYPE
2051 SYNTAX OCTET STRING (SIZE (0..65535))
2052 MAX-ACCESS accessible-for-notify
2058 "spdPacketPart is the front part of the full IP packet that
2059 triggered this notification. The initial size limit is
2060 determined by the smaller of the size, indicated by:
2062 I. The value of the object with the TC syntax
2063 'SpdIPPacketLogging' that indicated the packet SHOULD be
2066 II. The size of the triggering packet.
2068 The final limit is determined by the SNMP packet size when
2069 sending the notification. The maximum size that can be
2070 included will be the smaller of the initial size, given the
2071 above, and the length that will fit in a single SNMP
2072 notification packet after the rest of the notification's
2073 objects and any other necessary packet data (headers encoding,
2074 etc.) have been included in the packet."
2075 ::= { spdNotificationVariables 9 }
2077 spdActionNotification NOTIFICATION-TYPE
2078 OBJECTS { spdActionExecuted, spdIPEndpointAddType,
2079 spdIPEndpointAddress,
2080 spdIPSourceType, spdIPSourceAddress,
2081 spdIPDestinationType,
2082 spdIPDestinationAddress,
2083 spdPacketDirection }
2086 "Notification that an action was executed by a rule.
2087 Only actions with logging enabled will result in this
2088 notification getting sent. The object includes the
2089 spdActionExecuted object, which will indicate which action
2090 was executed within the scope of the rule. Additionally,
2091 the spdIPSourceType, spdIPSourceAddress,
2092 spdIPDestinationType, and spdIPDestinationAddress objects
2093 are included to indicate the packet source and destination
2094 of the packet that triggered the action. Finally, the
2095 spdIPEndpointAddType, spdIPEndpointAddress, and
2096 spdPacketDirection objects indicate which interface the
2097 executed action was associated with, and if the packet was
2098 ingress or egress through the endpoint.
2100 A spdActionNotification SHOULD be limited to a maximum of
2101 one notification sent per minute for any action
2102 notifications that do not have any other configuration
2103 controlling their send rate.
2107 Note that compound actions with multiple executed
2108 sub-actions may result in multiple notifications being sent
2109 from a single rule execution."
2110 ::= { spdNotifications 1 }
2112 spdPacketNotification NOTIFICATION-TYPE
2113 OBJECTS { spdActionExecuted, spdIPEndpointAddType,
2114 spdIPEndpointAddress,
2115 spdIPSourceType, spdIPSourceAddress,
2116 spdIPDestinationType,
2117 spdIPDestinationAddress,
2122 "Notification that a packet passed through a Security
2123 Association (SA). Only SAs created by actions with packet
2124 logging enabled will result in this notification getting
2125 sent. The objects sent MUST include the spdActionExecuted,
2126 which will indicate which action was executed within the
2127 scope of the rule. Additionally, the spdIPSourceType,
2128 spdIPSourceAddress, spdIPDestinationType, and
2129 spdIPDestinationAddress objects MUST be included to
2130 indicate the packet source and destination of the packet
2131 that triggered the action. The spdIPEndpointAddType,
2132 spdIPEndpointAddress, and spdPacketDirection objects are
2133 included to indicate which endpoint the packet was
2134 associated with. Finally, spdPacketPart is included to
2135 enable sending a variable sized part of the front of the
2136 packet with the size dependent on the value of the object of
2137 TC syntax 'SpdIPPacketLogging', which indicated that logging
2140 A spdPacketNotification SHOULD be limited to a maximum of
2141 one notification sent per minute for any action
2142 notifications that do not have any other configuration
2143 controlling their send rate.
2145 An action notification SHOULD be limited to a maximum of
2146 one notification sent per minute for any action
2147 notifications that do not have any other configuration
2148 controlling their send rate."
2149 ::= { spdNotifications 2 }
2154 -- Conformance information
2161 spdCompliances OBJECT IDENTIFIER
2162 ::= { spdConformanceObjects 1 }
2163 spdGroups OBJECT IDENTIFIER
2164 ::= { spdConformanceObjects 2 }
2167 -- Compliance statements
2170 spdRuleFilterFullCompliance MODULE-COMPLIANCE
2173 "The compliance statement for SNMP entities that include
2174 an IPsec MIB implementation with Endpoint, Rules, and
2177 When this MIB is implemented with support for read-create,
2178 then such an implementation can claim full compliance. Such
2179 devices can then be both monitored and configured with this
2182 MODULE -- This Module
2183 MANDATORY-GROUPS { spdEndpointGroup,
2184 spdGroupContentsGroup,
2185 spdRuleDefinitionGroup,
2186 spdStaticFilterGroup,
2187 spdStaticActionGroup,
2188 diffServMIBMultiFieldClfrGroup }
2190 GROUP spdIpsecSystemPolicyNameGroup
2192 "This group is mandatory for IPsec Policy
2193 implementations that support a system policy group
2196 GROUP spdCompoundFilterGroup
2198 "This group is mandatory for IPsec Policy
2199 implementations that support compound filters."
2201 GROUP spdIPOffsetFilterGroup
2203 "This group is mandatory for IPsec Policy
2204 implementations that support IP Offset filters. In
2205 general, this SHOULD be supported by a compliant IPsec
2209 Policy implementation."
2211 GROUP spdTimeFilterGroup
2213 "This group is mandatory for IPsec Policy
2214 implementations that support time filters."
2216 GROUP spdIpsoHeaderFilterGroup
2218 "This group is mandatory for IPsec Policy
2219 implementations that support IPSO Header filters."
2221 GROUP spdCompoundActionGroup
2223 "This group is mandatory for IPsec Policy
2224 implementations that support compound actions."
2226 OBJECT spdEndGroupLastChanged
2227 MIN-ACCESS not-accessible
2229 "This object is not required for compliance."
2231 OBJECT spdGroupContComponentType
2236 "Support of the value group(1) is only required for
2237 implementations that support Policy Groups within
2240 OBJECT spdGroupContLastChanged
2241 MIN-ACCESS not-accessible
2243 "This object is not required for compliance."
2245 OBJECT spdRuleDefLastChanged
2246 MIN-ACCESS not-accessible
2248 "This object is not required for compliance."
2250 OBJECT spdCompFiltLastChanged
2251 MIN-ACCESS not-accessible
2253 "This object is not required for compliance."
2255 OBJECT spdSubFiltLastChanged
2256 MIN-ACCESS not-accessible
2261 "This object is not required for compliance."
2263 OBJECT spdIpOffFiltLastChanged
2264 MIN-ACCESS not-accessible
2266 "This object is not required for compliance."
2268 OBJECT spdTimeFiltLastChanged
2269 MIN-ACCESS not-accessible
2271 "This object is not required for compliance."
2273 OBJECT spdIpsoHeadFiltLastChanged
2274 MIN-ACCESS not-accessible
2276 "This object is not required for compliance."
2278 OBJECT spdCompActLastChanged
2279 MIN-ACCESS not-accessible
2281 "This object is not required for compliance."
2283 OBJECT spdSubActLastChanged
2284 MIN-ACCESS not-accessible
2286 "This object is not required for compliance."
2288 OBJECT diffServMultiFieldClfrNextFree
2289 MIN-ACCESS not-accessible
2291 "This object is not required for compliance."
2293 ::= { spdCompliances 1 }
2296 spdLoggingCompliance MODULE-COMPLIANCE
2299 "The compliance statement for SNMP entities that support
2300 sending notifications when actions are invoked."
2301 MODULE -- This Module
2302 MANDATORY-GROUPS { spdActionLoggingObjectGroup,
2303 spdActionNotificationGroup }
2305 ::= { spdCompliances 2 }
-- ReadOnly Compliances
spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE
"The compliance statement for SNMP entities that include
an IPsec MIB implementation with Endpoint, Rules, and
If this MIB is implemented without support for read-create
(i.e., in read-only), it is not in full compliance, but it
can claim read-only compliance. Such a device can then be
monitored, but cannot be configured with this MIB."
MODULE -- This Module
MANDATORY-GROUPS { spdEndpointGroup,
spdGroupContentsGroup,
spdRuleDefinitionGroup,
spdStaticFilterGroup,
spdStaticActionGroup,
diffServMIBMultiFieldClfrGroup }
GROUP spdIpsecSystemPolicyNameGroup
"This group is mandatory for IPsec Policy
implementations that support a system policy group
GROUP spdCompoundFilterGroup
"This group is mandatory for IPsec Policy
implementations that support compound filters."
GROUP spdIPOffsetFilterGroup
"This group is mandatory for IPsec Policy
implementations that support IP Offset filters. In
general, this SHOULD be supported by a compliant IPsec
Policy implementation."
GROUP spdTimeFilterGroup
"This group is mandatory for IPsec Policy
implementations that support time filters."
GROUP spdIpsoHeaderFilterGroup
"This group is mandatory for IPsec Policy
implementations that support IPSO Header filters."
GROUP spdCompoundActionGroup
"This group is mandatory for IPsec Policy
implementations that support compound actions."
OBJECT spdCompActExecutionStrategy
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdCompActLastChanged
"This object is not required for compliance."
OBJECT spdCompActRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdCompActStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdCompFiltDescription
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdCompFiltLastChanged
"This object is not required for compliance."
OBJECT spdCompFiltLogicType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdCompFiltRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdCompFiltStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdEgressPolicyGroupName
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdEndGroupLastChanged
"This object is not required for compliance."
OBJECT spdEndGroupName
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdEndGroupRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdEndGroupStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdGroupContComponentName
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdGroupContComponentType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdGroupContFilter
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdGroupContLastChanged
"This object is not required for compliance."
OBJECT spdGroupContRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdGroupContStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIngressPolicyGroupName
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpOffFiltLastChanged
"This object is not required for compliance."
OBJECT spdIpOffFiltOffset
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpOffFiltRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpOffFiltStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpOffFiltType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpOffFiltValue
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpsoHeadFiltClassification
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpsoHeadFiltLastChanged
"This object is not required for compliance."
OBJECT spdIpsoHeadFiltProtectionAuth
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpsoHeadFiltRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpsoHeadFiltStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdIpsoHeadFiltType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefAction
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefAdminStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefDescription
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefFilter
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefFilterNegated
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefLastChanged
"This object is not required for compliance."
OBJECT spdRuleDefRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdRuleDefStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubActLastChanged
"This object is not required for compliance."
OBJECT spdSubActRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubActStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubActSubActionName
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubFiltLastChanged
"This object is not required for compliance."
OBJECT spdSubFiltRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubFiltStorageType
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubFiltSubfilter
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdSubFiltSubfilterIsNegated
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltDayOfMonthMask
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltDayOfWeekMask
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltLastChanged
"This object is not required for compliance."
OBJECT spdTimeFiltMonthOfYearMask
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltPeriod
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltRowStatus
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltTimeOfDayMask
MIN-ACCESS read-only
"Write access is not required."
OBJECT spdTimeFiltStorageType
MIN-ACCESS read-only
"Write access is not required."
::= { spdCompliances 3 }
-- Compliance Groups Definitions
-- Endpoint, Rule, Filter Compliance Groups
spdEndpointGroup OBJECT-GROUP
spdEndGroupName, spdEndGroupLastChanged,
spdEndGroupStorageType, spdEndGroupRowStatus
"This group is made up of objects from the IPsec Policy
spdGroupContentsGroup OBJECT-GROUP
spdGroupContComponentType, spdGroupContFilter,
spdGroupContComponentName, spdGroupContLastChanged,
spdGroupContStorageType, spdGroupContRowStatus
"This group is made up of objects from the IPsec Policy
Group Contents Table."
spdIpsecSystemPolicyNameGroup OBJECT-GROUP
spdIngressPolicyGroupName,
spdEgressPolicyGroupName
"This group is made up of objects that represent the System
Policy Group Names."
spdRuleDefinitionGroup OBJECT-GROUP
spdRuleDefDescription, spdRuleDefFilter,
spdRuleDefFilterNegated, spdRuleDefAction,
spdRuleDefAdminStatus, spdRuleDefLastChanged,
spdRuleDefStorageType, spdRuleDefRowStatus
"This group is made up of objects from the IPsec Policy Rule
spdCompoundFilterGroup OBJECT-GROUP
spdCompFiltDescription, spdCompFiltLogicType,
spdCompFiltLastChanged, spdCompFiltStorageType,
spdCompFiltRowStatus, spdSubFiltSubfilter,
spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
spdSubFiltStorageType, spdSubFiltRowStatus
"This group is made up of objects from the IPsec Policy
Compound Filter Table and Sub-Filter Table Group."
spdStaticFilterGroup OBJECT-GROUP
OBJECTS { spdTrueFilter }
"The static filter group. Currently this is just a true
spdIPOffsetFilterGroup OBJECT-GROUP
spdIpOffFiltOffset, spdIpOffFiltType,
spdIpOffFiltValue, spdIpOffFiltLastChanged,
spdIpOffFiltStorageType, spdIpOffFiltRowStatus
"This group is made up of objects from the IPsec Policy IP
Offset Filter Table."
spdTimeFilterGroup OBJECT-GROUP
spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMask,
spdTimeFiltLastChanged,
spdTimeFiltStorageType, spdTimeFiltRowStatus
"This group is made up of objects from the IPsec Policy Time
spdIpsoHeaderFilterGroup OBJECT-GROUP
spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
"This group is made up of objects from the IPsec Policy IPSO
Header Filter Table."
-- action compliance groups
spdStaticActionGroup OBJECT-GROUP
spdDropAction, spdAcceptAction,
spdDropActionLog, spdAcceptActionLog
"This group is made up of objects from the IPsec Policy
::= { spdGroups 10 }
spdCompoundActionGroup OBJECT-GROUP
spdCompActExecutionStrategy, spdCompActLastChanged,
spdCompActStorageType,
spdCompActRowStatus, spdSubActSubActionName,
spdSubActLastChanged, spdSubActStorageType,
"The IPsec Policy Compound Action Table and Actions In
Compound Action Table Group."
::= { spdGroups 11 }
spdActionLoggingObjectGroup OBJECT-GROUP
spdIPEndpointAddType, spdIPEndpointAddress,
spdIPSourceType, spdIPSourceAddress,
spdIPDestinationType, spdIPDestinationAddress,
spdPacketDirection, spdPacketPart
"This group is made up of all the Notification objects for
::= { spdGroups 12 }
spdActionNotificationGroup NOTIFICATION-GROUP
spdActionNotification,
spdPacketNotification
"This group is made up of all the Notifications for this MIB."
::= { spdGroups 13 }