Internet Engineering Task Force T. Roosta, Ed. Internet-Draft S. Rowles Intended status: Standards Track M. Hamada Expires: August 30, 2010 K. Kamarthy, Ed. P. Sundaradevan Cisco Systems February 26, 2010 Management Information Base for the Group Domain of Interpretation draft-kamarthy-gdoi-mib-00 Abstract This memo defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular this document describes a high-level Management Information Base for Group Domain of Interpretation (GDOI), which is used for secure group communication in Ipsec-based networks. This draft describes managed objects used for implementations of the GDOI protocol.]. Status of This Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 30, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the Roosta, et al. Expires August 30, 2010 [Page 1] Internet-Draft GDOI MIB module February 2010 document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The Internet-Standard Management Framework . . . . . . . . . . 3 3. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 5.1. Textual Conventions . . . . . . . . . . . . . . . . . . . 4 5.2. The GDOI MIB Module Subtree . . . . . . . . . . . . . . . 4 5.3. The Notifications Subtree . . . . . . . . . . . . . . . . 6 5.4. The Table Structures . . . . . . . . . . . . . . . . . . . 7 6. Relationship to Other MIB Modules . . . . . . . . . . . . . . 8 6.1. Relationship to Other MIB . . . . . . . . . . . . . . . . 8 6.2. MIB modules required for IMPORTS . . . . . . . . . . . . . 8 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 78 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 79 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 79 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 79 11.1. Normative References . . . . . . . . . . . . . . . . . . . 79 11.2. Informative References . . . . . . . . . . . . . . . . . . 81 Roosta, et al. Expires August 30, 2010 [Page 2] Internet-Draft GDOI MIB module February 2010 1. Introduction This memo defines the Management Information Base (MIB) for use with network management protocols. In particular it defines objects for managing the Group Domain of Interpretation (GDOI) protocol, defined by RFC3547[RFC3547]used for secure group communication. 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580]. 3. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 4. Overview To support the management needs of IPsec-based networks, we have defined the GDOI MIB (module GDOI-MIB). The MIB defines a number of objects with enumeration syntax which refer to the numbers assigned by IANA to denote specific elements. The SNMP Management Framework presently consists of five major components: 1. An overall architecture, described in RFC 2271[RFC2271] 2. Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [RFC1155], RFC 1212 [RFC1212] and RFC 1215 [RFC1212]. The second version, called SMIv2, is described in RFC 1902 [RFC1902],RFC 1903 [RFC1903] and RFC 1904 [RFC1904]. 3. Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [RFC1157]. A second version of the SNMP Roosta, et al. Expires August 30, 2010 [Page 3] Internet-Draft GDOI MIB module February 2010 message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906 [RFC1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2272 [RFC2272] and RFC 2274 [RFC2274]. 4. Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [RFC1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [RFC1905] . 5. A set of fundamental applications described in RFC 2273 [RFC2273] and the view-based access control mechanism described in RFC 2275 [RFC2275]. The GDOI MIB module defined in this draft is used to manage network devices running a group-based key management protocol based on the GDOI standard. The MIB module supports management of two network entities, group member and key server. A GDOI group spans multiple devices in the network, and this GDOI MIB module can be used to model all the network entities that make up the GDOI group. 5. Structure of the MIB Module This section provides a view of the overall architecture, and describes the major MIB groups and table definitions. 5.1. Textual Conventions The following new textual conventions are introduced: GdoiIdentificationType, GdoiIdentificationValue, GdoiKekSPI, GdoiIpProtocolId, GdoiKeyManagementAlgorithm, GdoiEncryptionAlgorithm, GdoiPseudoRandomFunction, GdoiIntegrityAlgorithm, GdoiSignatureMethod, GdoiDiffieHellmanGroup, GdoiEncapsulationMode, GdoiSecurityProtocol, GdoiTekSPI, GdoiKekStatus, GdoiTekStatus. 5.2. The GDOI MIB Module Subtree The following figure shows the organization of the GDOI MIB module and the dependencies among various objects. The objects at the bottom of the figure depend on the objects above them. Figure 1 shows which object of the GDOI MIB will be available for query by a network manager if only the group member resides on a networks box. Figure 2 shows the object that can be queried by the SNMP manager if only the key server is available on a box. Finally, Figure 3 shows the scenario in which both a group member and a key server reside on Roosta, et al. Expires August 30, 2010 [Page 4] Internet-Draft GDOI MIB module February 2010 a box, and the MIB objects that can be queried. -------------- | GDOI Group | -------------- | | | -------------- | Local GM | -------------- | | | | | | | ------------ ------------ | KEK SA | | TEK SA | ------------ ------------ Figure 1: GDOI MIB objects that are used when a group member is on a box -------------- | GDOI Group | -------------- | | | -------------- | Local KS | -------------- | | | | | | | ------------ ------------ | KEK SA | | TEK SA | ------------ ------------ Figure 2: GDOI MIB objects that are used when a key server is on a box -------------- Roosta, et al. Expires August 30, 2010 [Page 5] Internet-Draft GDOI MIB module February 2010 | GDOI Group | -------------- | | | | | | | | | -------------- -------------- | Local KS | | Local GM | -------------- -------------- | | | | | | | | | | | | | | ------------ ------------ ------------ ------------ | KEK SA | | TEK SA | | KEK SA | | TEK SA | ------------ ------------ ------------ ------------ Figure 3: GDOI MIB objects that are used when a key server and a group member ore n a box The GDOI MIB module object definitions will be covered in Section 6. 5.3. The Notifications Subtree Notifications are defined to inform the management station about changes that happen on the Group Member (GM) or the Key Server (KS). The gdoiKeyServerNotifs defines the KS notifications, which are sent when the following events happens on the KS: 1. A new group member registers to a GDOI group, gdoiKeyServerNewRegistration 2. RSA keys were not created or they are missing, gdoiKeyServerNoRsaKeys 3. Send the rekey to the GDOI group, gdoiKeyServerRekeyPushed The gdoiGmNotifs defines the GM notifications, which are sent after the occurrence of the following events: 1. Registration cannot be completed because the GDOI group configuration may be missing the group ID, server ID, or both, gdoiGmIncompleteCfg Roosta, et al. Expires August 30, 2010 [Page 6] Internet-Draft GDOI MIB module February 2010 2. Start the registration to the key server, gdoiGmRegister 3. Hardware limitation for IPsec flow limit reached. Cannot create any more IPsec SAs, gdoiGmNoIpSecFlows 4. Registration to the key server is completed and the SAs are downloaded properly, gdoiGmRegistrationComplete 5. IPsec SA created for one group may have expired or been cleared. The GM needs to reregister to the key server, gdoiGmReRegister 6. During GDOI rekey the payload parsing failed on this group member from the key server, gdoiGmRekeyFailure 7. The GM received the multicast rekey with the sequence number displayed, gdoiGmRekeyReceived 5.4. The Table Structures The GDOI MIB module has the following tables: o gdoiGroupTable: This table is used to store the GDOI group information which are group type, group ID and group name. This is consistent with the GDOI group definition from RFC 3547. The group type can be: integer, Ipv4, Ipv6, CA name, Ipv4 subnet, Ipv6 subnet. o gdoiKeyServerTable: TA table of information for the GDOI group from the perspective of the Key Servers (GCKSs) on the network device being queried. o gdoiKsKekTable: A table of information regarding GDOI Key Encryption Key (KEK) Policies & Security Associations (SAs) currently configured/installed for GDOI entities acting as Key Servers on the network device being queried. There is one entry in this table for each KEK Policy/SA that has been configured/ installed. Each KEK Policy/SA is uniquely identified by a SPI at any given time. o gdoiKsTekTable: A table of information regarding GDOI Traffic Encryption Key (TEK) Policies currently configured/pushed for GDOI entities acting as Key Servers on the network device being queried. There is one entry in this table for each TEK that has been configured & pushed to Group Members registered to the given Key Server. o gdoiGmTable: A table of information regarding GDOI Group Members (GMs) locally configured on the network device being queried. Roosta, et al. Expires August 30, 2010 [Page 7] Internet-Draft GDOI MIB module February 2010 Note that Local Group Members may or may not be registered to a Key Server in its GDOI Group on the same network device being queried. o gdoiGmKekTable: A table of information regarding GDOI Key Encryption Key (KEK) Security Associations (SAs) currently installed for GDOI entities acting as Group Members on the network device being queried. There is one entry in this table for each KEK SA that has been installed and not yet deleted. Each KEK SA is uniquely identified by a SPI at any given time. o gdoiGmTekTable: A table of information regarding GDOI Traffic Encryption Key (TEK) Security Associations (SAs/Policies) received by a Key Server & installed for GDOI entities acting as Group Members (GMs) on the network device being queried. There is one entry in this table for each TEK SA that has been installed or TEK SA/Policy that exists and has not yet been installed/deleted. 6. Relationship to Other MIB Modules This GDOI MIB module does not depend on any other MIB modules. 6.1. Relationship to Other MIB NA 6.2. MIB modules required for IMPORTS The GDOI-STD-MIB module IMPORTS objects from SNMPv2-SMI [RFC2579], SNMPv2-TC [RFC2578], SNMPv2-CONF [RFC2580]. 7. Definitions -- ********************************************************************* -- -- GDOI-STD-MIB: MIB for Group Domain of Interpretation (GDOI) -- -- March 2010 - Mike Hamada, Preethi Sundaradevan, Tanya Roosta -- -- ********************************************************************* GDOI-STD-MIB DEFINITIONS ::= BEGIN -- ------------------------------------------------------------------ -- -- GDOI MIB Imports & Decependencies -- ------------------------------------------------------------------ -- Roosta, et al. Expires August 30, 2010 [Page 8] Internet-Draft GDOI MIB module February 2010 IMPORTS MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP FROM SNMPv2-CONF MODULE-IDENTITY, NOTIFICATION-TYPE, OBJECT-TYPE, Counter32, Unsigned32, mib-2 FROM SNMPv2-SMI TEXTUAL-CONVENTION, DisplayString FROM SNMPv2-TC; -- ------------------------------------------------------------------ -- -- GDOI MIB Module Identity -- ------------------------------------------------------------------ -- gdoiStdMIB MODULE-IDENTITY LAST-UPDATED "201002250545Z" -- February 25, 2010 ORGANIZATION "cisco Systems, Inc." CONTACT-INFO "Mike Hamada cisco Systems, Inc. Mail: 510 McCarthy Blvd. SJC24/2/1 Milpitas, CA 95035 USA Phone: +1 408 525 7473 Email: michamad@cisco.com Preethi Sundaradevan cisco Systems, Inc. Mail: 510 McCarthy Blvd. SJC24/2/1 Milpitas, CA 95035 USA Phone: +1 408 424 4713 Email: prsundar@cisco.com Tanya Roosta cisco Systems, Inc. Mail: 510 McCarthy Blvd. SJC24/2/1 Milpitas, CA 95035 USA Phone: +1 408 424 3051 Email: roosta@cisco.com" DESCRIPTION "This MIB module defines objects for managing the GDOI protocol. Roosta, et al. Expires August 30, 2010 [Page 9] Internet-Draft GDOI MIB module February 2010 Copyright (c) The IETF Trust (2010). This version of this MIB module is part of RFC ????; see the RFC itself for full legal notices." REVISION "201002250545Z" -- February 25, 2010 DESCRIPTION "Initial version, published as RFC ????" ::= { mib-2 ??? } -- ------------------------------------------------------------------ -- -- GDOI MIB Textual Conventions -- ------------------------------------------------------------------ -- GdoiIdentificationType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the type of value used to identify a GDOI entity (i.e. Group, Key Server, or Group Member). Following are the Identification Type Values: ID Type Value ------- ----- RESERVED 0 -- Not Used ID_IPV4_ADDR 1 -- ipv4Address ID_FQDN 2 -- domainName ID_RFC822_ADDR 3 -- userName (ID_USER_FQDN) ID_IPV4_ADDR_SUBNET 4 -- ipv4Subnet - Not in RFC 4306 ID_IPV6_ADDR 5 -- ipv6Address ID_IPV6_ADDR_SUBNET 6 -- ipv6Subnet - Not in RFC 4306 ID_IPV4_ADDR_RANGE 7 -- ipv4Range - Not in RFC 4306 ID_IPV6_ADDR_RANGE 8 -- ipv6Range - Not in RFC 4306 ID_DER_ASN1_DN 9 -- caDistinguishedName ID_DER_ASN1_GN 10 -- caGeneralName ID_KEY_ID 11 -- groupNumber Following are the mappings to the type values above: 'ipv4Address' : a single four (4) octet IPv4 address. 'domainName' : a fully-qualified domain name string. An example is, 'example.com'. The string MUST not contain any terminators (e.g., NULL, CR, etc.). Roosta, et al. Expires August 30, 2010 [Page 10] Internet-Draft GDOI MIB module February 2010 'userName' : a fully-qualified RFC 822 username or email address string. An example is, 'jsmith@example.com'. The string MUST not contain any terminators. 'ipv4Subnet' : a range of IPv4 addresses, represented by two four (4) octet values concatenated together. The first value is an IPv4 address. The second is an IPv4 network mask. Note that ones (1s) in the network mask indicate that the corresponding bit in the address is fixed, while zeros (0s) indicate a 'wildcard' bit. 'ipv6Address' : a single sixteen (16) octet IPv6 address. 'ipv6Subnet' : a range of IPv6 addresses, represented by two sixteen (16) octet values concatenated together. The first value is an IPv6 address. The second is an IPv network mask. Note that ones (1s) in the network mask indicate that the corresponding bit in the address is fixed, while zeros (0s) indicate a 'wildcard' bit. 'ipv4Range' : a range of IPv4 addresses, represented by two four (4) octet values. The first value is the beginning IPv4 address (inclusive) and the second value is the ending IPv4 address (inclusive). All addresses falling between the two specified addresses are considered to be within the list. 'ipv6Range' : a range of IPv6 addresses, represented by two sixteen (16) octet values. The first value is the beginning IPv6 address (inclusive) and the second value is the ending IPv6 address (inclusive). All addresses falling between the two specified addresses are considered to be within the list. 'caDistinguishedName' : the binary DER encoding of an ASN.1 X.500 Distinguished Name [X.501]. 'caGeneralName' : the binary DER encoding of an ASN.1 X.500 GeneralName [X.509]. 'groupNumber' : a four (4) octet group identifier." REFERENCE "IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol Section: IPSEC Identification Type http://www.iana.org/assignments/isakmp-registry RFC 4306 - Section: 3.5. Identification Payloads" SYNTAX INTEGER { Roosta, et al. Expires August 30, 2010 [Page 11] Internet-Draft GDOI MIB module February 2010 ipv4Address(1), domainName(2), userName(3), ipv4Subnet(4), ipv6Address(5), ipv6Subnet(6), ipv4Range(7), ipv6Range(8), caDistinguishedName(9), caGeneralName(10), groupNumber(11) } GdoiIdentificationValue ::= TEXTUAL-CONVENTION DISPLAY-HINT "255d" STATUS current DESCRIPTION "A textual convention indicating the actual value of used to identify a GDOI entity (i.e. Group, Key Server, or Group Member). The value of the GdoiIdentificationValue object can be parsed based on the value of the associated GdoiIdentificationType object. The following GdoiIdentificationType values indicate that the GdoiIdentificationValue object should be parsed as a binary string of octets with the given lengths if a length is not associated with the object: ipv4Address(1) -- 4 octets ipv4Subnet(4) -- 8 octets ipv6Address(5) -- 16 octets ipv6Subnet(6) -- 32 octets ipv4Range(7) -- 8 octets ipv6Range(8) -- 32 octets groupNumber(11) -- 4 octets The following GdoiIdentificationType values indicate that the GdoiIdentificationValue object should be parsed as an ascii string of characters. Note that a length MUST be associated associated with the object in these cases: domainName(2) userName(3) caDistinguishedName(9) caGeneralName(10) Note that the length of 48 octets was chosen because the gdoiKsKekEntry, gdoiGmKekEntry, gdoiKsTekEntry, & Roosta, et al. Expires August 30, 2010 [Page 12] Internet-Draft GDOI MIB module February 2010 gdoiGmTekEntry will exceed the OID size limit of 255 octets if this size is any larger than 48 octets." REFERENCE "IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol Section: IPSEC Identification Type http://www.iana.org/assignments/isakmp-registry RFC 4306 - Section: 3.5. Identification Payloads" SYNTAX OCTET STRING (SIZE (0..48)) GdoiKekSPI ::= TEXTUAL-CONVENTION DISPLAY-HINT "16x" STATUS current DESCRIPTION "A textual convention indicating a SPI (Security Parameter Index) of sixteen (16) octets for a KEK. The SPI must be the ISAKMP Header cookie pair where the first 8 octets become the 'Initiator Cookie' field of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8 octets become the 'Responder Cookie' in the same HDR. These cookies are assigned by the Key Server." REFERENCE "RFC 3547 - Section: 5.3. SA KEK Payload" SYNTAX OCTET STRING (SIZE (16)) GdoiIpProtocolId ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the IP Protocol being used for the rekey datagram. Some possible values are: ID Value ID Type -------- ------- 06 TCP -- ipProtocolTCP 17 UDP -- ipProtocolUDP" REFERENCE "RFC 3547 - Section: 5.3. SA KEK Payload" SYNTAX INTEGER { ipProtocolUnknown(0), ipProtocolTCP(1), ipProtocolUDP(2) } GdoiKeyManagementAlgorithm ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the key/KEK management algorithm being used to provide forward or Roosta, et al. Expires August 30, 2010 [Page 13] Internet-Draft GDOI MIB module February 2010 backward access control (i.e. used to exclude group members). Following are the possible KEK management algorithm values & GdoiKeyManagementAlgorithm mappings: KEK Management Type Value ------------------- ----- LKH 1 -- keyMgmtLkh" REFERENCE "RFC 3547 - Section: 5.3. SA KEK Payload" SYNTAX INTEGER { keyMgmtNone(0), keyMgmtLkh(1) } GdoiEncryptionAlgorithm ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the encryption algorithm being used. Following are the possible updated encryption algorithm values & GdoiEncryptionAlgorithm mappings after RFC 4306: Encryption Algorithm Type Value --------------------------------- ----- ENCR_DES_IV64 1 -- encrAlgDes64 ENCR_DES 2 -- encrAlgDes ENCR_3DES 3 -- encrAlg3Des ENCR_RC5 4 -- encrAlgRc5 ENCR_IDEA 5 -- encrAlgIdea ENCR_CAST 6 -- encrAlgCast ENCR_BLOWFISH 7 -- encrAlgBlowfish ENCR_3IDEA 8 -- encrAlg3Idea ENCR_DES_IV32 9 -- encrAlgDes32 ENCR_NULL 11 -- encrAlgNull ENCR_AES_CBC 12 -- encrAlgAesCbc ENCR_AES_CTR 13 -- encrAlgAesCtr ENCR_AES-CCM_8 14 -- encrAlgAesCcm8 ENCR_AES-CCM_12 15 -- encrAlgAesCcm12 ENCR_AES-CCM_16 16 -- encrAlgAesCcm16 AES-GCM (8-octet ICV) 18 -- encrAlgAesGcm8 AES-GCM (12-octet ICV) 19 -- encrAlgAesGcm12 AES-GCM (16-octet ICV) 20 -- encrAlgAesGcm16 ENCR_NULL_AUTH_AES_GMAC 21 -- encrAlgNullAuthAesGmac ENCR_CAMELLIA_CBC 23 Roosta, et al. Expires August 30, 2010 [Page 14] Internet-Draft GDOI MIB module February 2010 -- encrAlgCamelliaCbc ENCR_CAMELLIA_CTR 24 -- encrAlgCamelliaCtr ENCR_CAMELLIA_CCM (8-octet ICV) 25 -- encrAlgCamelliaCcm8 ENCR_CAMELLIA_CCM (12-octet ICV) 26 -- encrAlgCamelliaCcm12 ENCR_CAMELLIA_CCM (16-octet ICV) 27 -- encrAlgCamelliaCcm16 Following are the possible ESP transform identifiers & GdoiEncryptionAlgorithm mappings from RFC 2407: IPsec ESP Transform ID Value ------------------------ ----- ESP_DES_IV64 1 -- encrAlgDes64 ESP_DES 2 -- encrAlgDes ESP_3DES 3 -- encrAlg3Des ESP_RC5 4 -- encrAlgRc5 ESP_IDEA 5 -- encrAlgIdea ESP_CAST 6 -- encrAlgCast ESP_BLOWFISH 7 -- encrAlgBlowfish ESP_3IDEA 8 -- encrAlg3Idea ESP_DES_IV32 9 -- encrAlgDes32 ESP_RC4 10 -- encrAlgRc4 ESP_NULL 11 -- encrAlgNull ESP_AES-CBC 12 -- encrAlgAesCbc ESP_AES-CTR 13 -- encrAlgAesCtr ESP_AES-CCM_8 14 -- encrAlgAesCcm8 ESP_AES-CCM_12 15 -- encrAlgAesCcm12 ESP_AES-CCM_16 16 -- encrAlgAesCcm16 ESP_AES-GCM_8 18 -- encrAlgAesGcm8 ESP_AES-GCM_12 19 -- encrAlgAesGcm12 ESP_AES-GCM_16 20 -- encrAlgAesGcm16 ESP_SEED_CBC 21 -- encrAlgSeedCbc ESP_CAMELLIA 22 -- encrAlgCamelliaCbc, Ctr, Ccm8, Ccm12, Ccm16 ESP_NULL_AUTH_AES-GMAC 23 -- encrAlgNullAuthAesGmac Following are the possible KEK_ALGORITHM values specifying the encyption algorithm used with a KEK & GdoiEncryptionAlgorithm mappings from the GDOI RFC 3547: Algorithm Type Value -------------- ----- KEK_ALG_DES 1 -- encrAlgDes KEK_ALG_3DES 2 -- encrAlg3Des Roosta, et al. Expires August 30, 2010 [Page 15] Internet-Draft GDOI MIB module February 2010 KEK_ALG_AES 3 -- encrAlgAesCbc" REFERENCE "IANA IKEv2 Parameters Section: Encryption Algorithm Transform IDs http://www.iana.org/assignments/ikev2-parameters IANA 'Magic Numbers' for ISAMP Protocol Section: IPSEC ESP Transform Identifiers http://www.iana.org/assignments/isakmp-registry RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers RFC 3547 - Section: 5.3.3. KEK_ALGORITHM RFC 4306 - Section: 3.3.2. Transform Substructure RFC 4106, 4309, 4543, 5282, 5529" SYNTAX INTEGER { encrAlgNone(0), encrAlgDes64(1), encrAlgDes(2), encrAlg3Des(3), encrAlgRc5(4), encrAlgIdea(5), encrAlgCast(6), encrAlgBlowfish(7), encrAlg3Idea(8), encrAlgDes32(9), encrAlgRc4(10), encrAlgNull(11), encrAlgAesCbc(12), encrAlgAesCtr(13), encrAlgAesCcm8(14), encrAlgAesCcm12(15), encrAlgAesCcm16(16), encrAlgAesGcm8(18), encrAlgAesGcm12(19), encrAlgAesGcm16(20), encrAlgNullAuthAesGmac(21), encrAlgCamelliaCbc(23), encrAlgCamelliaCtr(24), encrAlgCamelliaCcm8(25), encrAlgCamelliaCcm12(26), encrAlgCamelliaCcm1(27), encrAlgSeedCbc(28) } GdoiPseudoRandomFunction ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the Roosta, et al. Expires August 30, 2010 [Page 16] Internet-Draft GDOI MIB module February 2010 pseudo-random function (PRF) being used. Following are the possible updated PRF values & GdoiPseudoRandomFunction mappings after RFC 4306: Pseudo-Random Function Type Value --------------------------------- ----- PRF_HMAC_MD5 1 -- prfMd5Hmac PRF_HMAC_SHA1 2 -- prfSha1Hmac PRF_HMAC_TIGER 3 -- prfTigerHmac PRF_AES128_XCBC 4 -- prfAes128Xcbc PRF_HMAC_SHA2_256 5 -- prfSha2Hmac256 PRF_HMAC_SHA2_384 6 -- prfSha2Hmac384 PRF_HMAC_SHA2_512 7 -- prfSha2Hmac512 PRF_AES128_CMAC 8 -- prfAes128Cmac Following are the possible SIG_HASH_ALGORITHM values & GdoiPseudoRandomFunction mappings from the GDOI RFC 3547: Algorithm Type Value -------------- ----- SIG_HASH_MD5 1 -- prfMd5Hmac SIG_HASH_SHA1 2 -- prfSha1Hmac" REFERENCE "IANA IKEv2 Parameters Section: Pseudo-random Function Transform IDs http://www.iana.org/assignments/ikev2-parameters RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM RFC 4306 - Section: 3.3.2. Transform Substructure RFC 4615, 4868" SYNTAX INTEGER { prfNone(0), prfMd5Hmac(1), prfSha1Hmac(2), prfTigerHmac(3), prfAes128Xcbc(4), prfSha2Hmac256(5), prfSha2Hmac384(6), prfSha2Hmac512(7), prfAes128Cmac(8) } GdoiIntegrityAlgorithm ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the integirty algorithm being used. Roosta, et al. Expires August 30, 2010 [Page 17] Internet-Draft GDOI MIB module February 2010 Following are the possible updated integrity algorithm values & GdoiAuthenticationAlgorithm mappings after RFC 4306: Integrity Algorithm Type Value ------------------------ ----- AUTH_HMAC_MD5_96 1 -- authAlgMd5Hmac96 AUTH_HMAC_SHA1_96 2 -- authAlgSha1Hmac96 AUTH_DES_MAC 3 -- authAlgDesMac AUTH_KPDK_MD5 4 -- authAlgMd5Kpdk AUTH_AES_XCBC_96 5 -- authAlgAesXcbc96 AUTH_HMAC_MD5_128 6 -- authAlgMd5Hmac128 AUTH_HMAC_SHA1_160 7 -- authAlgSha1Hmac160 AUTH_AES_CMAC_96 8 -- authAlgAesCmac96 AUTH_AES_128_GMAC 9 -- authAlgAes128Gmac AUTH_AES_192_GMAC 10 -- authAlgAes192Gmac AUTH_AES_256_GMAC 11 -- authAlgAes256Gmac AUTH_HMAC_SHA2_256_128 12 -- authAlgSha2Hmac256to128 AUTH_HMAC_SHA2_384_192 13 -- authAlgSha2Hmac384to192 AUTH_HMAC_SHA2_512_256 14 -- authAlgSha2Hmac512to256 Following are the possible legacy authentication algorithm values & GdoiAuthenticationAlgorithm mappings from RFC 2407: Algorithm Type Value -------------- ----- HMAC-MD5 1 -- authAlgMd5Hmac96 HMAC-SHA 2 -- authAlgSha1Hmac96 DES-MAC 3 -- authAlgDesMac KPDK 4 -- authAlgMd5Kpdk" REFERENCE "IANA IKEv2 Parameters Section: Integrity Algorithm Transform IDs http://www.iana.org/assignments/ikev2-parameters RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM RFC 4306 - Section: 3.3.2. Transform Substructure RFC 4494, 4543, 4595, 4868" SYNTAX INTEGER { authAlgNone(0), authAlgMd5Hmac96(1), authAlgSha1Hmac96(2), authAlgDesMac(3), authAlgMd5Kpdk(4), authAlgAesXcbc96(5), authAlgMd5Hmac128(6), authAlgSha1Hmac160(7), authAlgAesCmac96(8), Roosta, et al. Expires August 30, 2010 [Page 18] Internet-Draft GDOI MIB module February 2010 authAlgAes128Gmac(9), authAlgAes192Gmac(10), authAlgAes256Gmac(11), authAlgSha2Hmac256to128(12), authAlgSha2Hmac384to192(13), authAlgSha2Hmac512to256(14) } GdoiSignatureMethod ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the integirty algorithm being used. Following are the possible updated authentication method values & GdoiSignatureMethod mappings after RFC 4306: Authentication Method Value ----------------------------------- ----- RSA Digital Signature 1 -- sigRsa Shared Key Message Integrity Code 2 -- sigSharedKey DSS Digital Signature 3 -- sigDss ECDSA w/ SHA-256 (P-256 curve) 9 -- sigEcdsa256 ECDSA w/ SHA-384 (P-384 curve) 10 -- sigEcdsa384 ECDSA w/ SHA-512 (P-521 curve) 11 -- sigEcdsa512 Following are the possible legacy IPsec authentication method values & GdoiSignatureMethod mappings from RFC 2409: Authentication Method Value -------------------------------- ----- Pre-Shared Key 1 -- sigSharedKey DSS Signature 2 -- sigDss RSA Signature 3 -- sigRsa Encryption w/ RSA 4 -- sigEncryptRsa Revised Encryption w/ RSA 5 -- sigRevEncryptRsa ECDSA w/ SHA-256 (P-256 curve) 9 -- sigEcdsa256 ECDSA w/ SHA-384 (P-384 curve) 10 -- sigEcdsa384 ECDSA w/ SHA-512 (P-521 curve) 11 -- sigEcdsa512 Following are the possible POP algorithm values & GdoiSignatureMethod mappings from the GDOI RFC 3547: Algorithm Type Value -------------- ----- POP_ALG_RSA 1 -- sigRsa POP_ALG_DSS 2 -- sigDss POP_ALG_ECDSS 3 -- sigEcdsa256, 384, 512 Roosta, et al. Expires August 30, 2010 [Page 19] Internet-Draft GDOI MIB module February 2010 Following are the possible SIG_ALGORITHM values & GdoiSignatureMethod mappings from the GDOI RFC 3547: Algorithm Type Value -------------- ----- SIG_ALG_RSA 1 -- sigRsa SIG_ALG_DSS 2 -- sigDss SIG_ALG_ECDSS 3 -- sigEcdsa256, 384, 512" REFERENCE "IANA IKEv2 Parameters Section: Integrity Algorithm Transform IDs http://www.iana.org/assignments/ikev2-parameters RFC 2409 - Section: Appendix A. Authentication Method RFC 3547 - Sections: 5.3. SA KEK payload 5.3.7. SIG_ALGORITHM RFC 4306 - Section: 3.8. Authentication Payload RFC 4754" SYNTAX INTEGER { sigNone(0), sigRsa(1), sigSharedKey(2), sigDss(3), sigEncryptRsa(4), sigRevEncryptRsa(5), sigEcdsa256(9), sigEcdsa384(10), sigEcdsa512(11) } GdoiDiffieHellmanGroup ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the Diffie-Hellman Group being used. Following are the possible updated Diffie-Hellman Group values & GdoiDiffieHellmanGroup mappings after RFC 4306: Diffie-Hellman Group Type Value ------------------------- ----- NONE 0 -- dhNone Group 1 - 768 Bit MODP 1 -- dhGroup1 Group 2 - 1024 Bit MODP 2 -- dhGroup2 1536-bit MODP Group 5 -- dh1536Modp 2048-bit MODP Group 14 -- dh2048Modp 3072-bit MODP Group 15 -- dh3072Modp 4096-bit MODP Group 16 -- dh4096Modp Roosta, et al. Expires August 30, 2010 [Page 20] Internet-Draft GDOI MIB module February 2010 6144-bit MODP Group 17 -- dh6144Modp 8192-bit MODP Group 18 -- dh8192Modp 256-bit random ECP group 19 -- dhEcp256 84-bit random ECP group 20 -- dhEcp84 521-bit random ECP group 21 -- dhEcp521 1024-bit MODP w/ 160-bit 22 -- dh1024Modp160 Prime Order Subgroup 2048-bit MODP w/ 224-bit 23 -- dh2048Modp224 Prime Order Subgroup 2048-bit MODP w/ 256-bit 24 -- dh2048Modp256 Prime Order Subgroup 192-bit Random ECP Group 25 -- dhEcp192 224-bit Random ECP Group 26 -- dhEcp224 Following are the possible legacy Diffie-Hellman Group values & GdoiDiffieHellmanGroup mappings from RFC 2409: Diffie-Hellman Group Type Value ------------------------- ----- Group 1 - 768 Bit MODP 1 -- dhGroup1 Group 2 - 1024 Bit MODP 2 -- dhGroup2 EC2N group on GP[2^155] 3 -- dhEc2nGp155 EC2N group on GP[2^185] 4 -- dhEc2nGp185" REFERENCE "IANA IKEv2 Parameters Section: Diffie-Hellman Group Transform IDs http://www.iana.org/assignments/ikev2-parameters RFC 2409 - Sections: 6.1. First Oakley Default Group 6.2. Second Oakley Default Group 6.3. Third Oakley Default Group 6.4. Fourth Oakley Default Group" SYNTAX INTEGER { dhNone(0), dhGroup1(1), dhGroup2(2), dhEc2nGp155(3), dhEc2nGp185(4), dh1536Modp(5), dh2048Modp(14), dh3072Modp(15), dh4096Modp(16), dh6144Modp(17), dh8192Modp(18), dhEcp256(19), dhEcp84(20), dhEcp521(21), dh1024Modp160(22), Roosta, et al. Expires August 30, 2010 [Page 21] Internet-Draft GDOI MIB module February 2010 dh2048Modp224(23), dh2048Modp256(24), dhEcp192(25), dhEcp224(26) } GdoiEncapsulationMode ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the Encapsulation Mode being used. Following are the possible Encapsulation Mode values & GdoiEncapsulationMode mappings from RFC 2407: Encapsulation Mode Value ---------------------------- ----- Tunnel 1 -- encapTunnel Transport 2 -- encapTransport UDP-Encapsulated-Tunnel 3 -- encapUdpTunnel UDP-Encapsulated-Transport 4 -- encapUdpTransport" REFERENCE "IANA 'Magic Numbers' for ISAKMP Protocol Section: Encapsulation Mode http://www.iana.org/assignments/isakmp-registry RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes RFC 3947" SYNTAX INTEGER { encapUnknown(0), encapTunnel(1), encapTransport(2), encapUdpTunnel(3), encapUdpTransport(4) } GdoiSecurityProtocol ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the identifier of the Security Protocol being used. Following are the possible Security Protocol ID values & GdoiSecurityProtocol mappings from the GDOI RFC 3547: Security Protocol ID Value ---------------------- ----- Roosta, et al. Expires August 30, 2010 [Page 22] Internet-Draft GDOI MIB module February 2010 GDOI_PROTO_IPSEC_ESP 1 -- secProtocolIpsecEsp" REFERENCE "RFC 3547 - Section: 5.4. SA TEK Payload" SYNTAX INTEGER { secProtocolUnknown(0), secProtocolIpsecEsp(1) } GdoiTekSPI ::= TEXTUAL-CONVENTION DISPLAY-HINT "4x" STATUS current DESCRIPTION "A textual convention indicating a SPI (Security Parameter Index) of four (4) octets for a TEK using ESP." REFERENCE "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" SYNTAX OCTET STRING (SIZE (16)) GdoiKekStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the status of a GDOI KEK and its corresponding Security Association (SA). 'inUse' : KEK currently being used to encrypt new KEK/TEKs 'new' : KEK currently being sent to all peers 'old' : KEK that has expired and is no longer being used" SYNTAX INTEGER { inUse(1), new(2), old(3) } GdoiTekStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A textual convention indicating the status of a GDOI TEK and its corresponding Security Association (SA). 'inbound' : TEK is being used as inbound (receive) SA 'outbound' : TEK is being used as outbound (transmit) SA 'notInUse' : TEK is no longer being used" SYNTAX INTEGER { inbound(1), outbound(2), notInUse(3) } Roosta, et al. Expires August 30, 2010 [Page 23] Internet-Draft GDOI MIB module February 2010 Unsigned16 ::= TEXTUAL-CONVENTION DISPLAY-HINT "2d" STATUS current DESCRIPTION "A textual convention indicating a 16-bit unsigned integer value." SYNTAX OCTET STRING (SIZE (2)) -- ------------------------------------------------------------------ -- -- GDOI MIB Groups -- ------------------------------------------------------------------ -- gdoiMIBNotifications OBJECT IDENTIFIER ::= { gdoiStdMIB 0 } gdoiMIBObjects OBJECT IDENTIFIER ::= { gdoiStdMIB 1 } gdoiMIBConformance OBJECT IDENTIFIER ::= { gdoiStdMIB 2 } -- ------------------------------------------------------------------ -- -- GDOI MIB Notifications -- ------------------------------------------------------------------ -- -- *---------------------------------------------------------------- -- -- * GDOI Key Server (KS) Notifications -- *---------------------------------------------------------------- -- gdoiKeyServerNewRegistration NOTIFICATION-TYPE STATUS current DESCRIPTION "A notification from a Key Server sent when a new Group Member registers to a GDOI Group. This is equivalent to a Key Server receiving the first message of a GROUPKEY-PULL exchange from a Group Member." REFERENCE "RFC 3547 - Sections: 1. Introduction 3. GROUPKEY-PULL Exchange 3.4. Receiver Operations" ::= { gdoiMIBNotifications 1 } gdoiKeyServerRegistrationComplete NOTIFICATION-TYPE STATUS current DESCRIPTION "A notification from a Key Server sent when a Group Member has successfully registered to itself. This is equivalent to a Key Server sending the last message of a GROUPKEY-PULL exchange to the Group Member currently registering containing KEKs, TEKs, and their associated policies." REFERENCE Roosta, et al. Expires August 30, 2010 [Page 24] Internet-Draft GDOI MIB module February 2010 "RFC 3547 - Sections: 1. Introduction 3. GROUPKEY-PULL Exchange 3.4. Receiver Operations" ::= { gdoiMIBNotifications 2 } gdoiKeyServerRekeyPushed NOTIFICATION-TYPE OBJECTS { gdoiKeyServerRekeysPushed } STATUS current DESCRIPTION "A notification from a Key Srver sent when a GROUPKEY-PUSH message is sent to refresh KEK(s) and or TEK(s). A rekey is sent periodically by a Key Server based on a configured time to the Group Members registered to its GDOI Group." REFERENCE "RFC 3547 - Sections: 1. Introduction 4. GROUPKEY-PUSH Message 4.7. GCKS Operations" ::= { gdoiMIBNotifications 3 } gdoiKeyServerNoRsaKeys NOTIFICATION-TYPE STATUS current DESCRIPTION "An error notification from a Key Server sent when an RSA key is not setup. Each Key Server and Group Member needs to have an RSA key established. The Key Server signs the TEK rekeys using this RSA key, also called a Key Encryption Key (KEK). The Group Member verifies the authenticity of the TEK rekey using this RSA key." REFERENCE "RFC 3547 - Sections: 1. Introduction 4.7. GCKS Operations" ::= { gdoiMIBNotifications 4 } -- *---------------------------------------------------------------- -- -- * GDOI Group Member (GM) Notifications -- *---------------------------------------------------------------- -- gdoiGmRegister NOTIFICATION-TYPE OBJECTS { gdoiGmRegKeyServerIdType, gdoiGmRegKeyServerIdValue } STATUS current DESCRIPTION "A notification from a Group Member when it is starting to register with its GDOI Group's Key Server. Registration Roosta, et al. Expires August 30, 2010 [Page 25] Internet-Draft GDOI MIB module February 2010 includes downloading keying & security assosiation material. This is equivalent to a Group Member or Initiator sending the first message of a GROUPKEY-PULL exchange to its Group's Key Server." REFERENCE "RFC 3547 - Sections: 1. Introduction 3. GROUPKEY-PULL Exchange 3.3. Initiator Operations" ::= { gdoiMIBNotifications 5 } gdoiGmRegistrationComplete NOTIFICATION-TYPE OBJECTS { gdoiGmRegKeyServerIdType, gdoiGmRegKeyServerIdValue } STATUS current DESCRIPTION "A notification from a Group Member when it has successfully registered with a Key Server in its GDOI Group. This is equivalent to a Group Member receiving the last message of a GROUPKEY-PULL exchange from the Key Server containing KEKs, TEKs, and their associated policies." REFERENCE "RFC 3547 - Sections: 1. Introduction 3. GROUPKEY-PULL Exchange 3.3. Initiator Operations" ::= { gdoiMIBNotifications 6 } gdoiGmReRegister NOTIFICATION-TYPE OBJECTS { gdoiGmRegKeyServerIdType, gdoiGmRegKeyServerIdValue } STATUS current DESCRIPTION "A notification from a Group Member when it is starting to re-register with a Key Server in its GDOI Group. A Group Member needs to re-register to the key server if its keying & security association material has expired and it has not received a rekey from the key server to refresh the material. This is equivalent to a Group Member sending the first message of a GROUPKEY-PULL exchange to the Key Server of a Group it is already registered with." REFERENCE "RFC 3547 - Sections: 1. Introduction 3. GROUPKEY-PULL Exchange 3.3. Initiator Operations" ::= { gdoiMIBNotifications 7 } Roosta, et al. Expires August 30, 2010 [Page 26] Internet-Draft GDOI MIB module February 2010 gdoiGmRekeyReceived NOTIFICATION-TYPE OBJECTS { gdoiGmRegKeyServerIdType, gdoiGmRegKeyServerIdValue, gdoiGmRekeysReceived } STATUS current DESCRIPTION "A notification from a Group Member when it has successfully received and processed a rekey from a Key Server in its GDOI Group. Periodically the key server sends a rekey to refresh the keying & security association material. This is equivalent to a Group Member receiving a GROUPKEY-PUSH message from the Key Server of the Group it is already registered with." REFERENCE "RFC 3547 - Sections: 1. Introduction 4. GROUPKEY-PUSH Message 4.8. Group Member Operations" ::= { gdoiMIBNotifications 8 } gdoiGmIncompleteCfg NOTIFICATION-TYPE STATUS current DESCRIPTION "An error notification from a Group Member when there is necessary information missing from the policy/configuration of a Group Member on an interface when it tries to register with a Key Server in its GDOI Group. If the GDOI Group configuration is not complete on a Group Member, it will not be able to register to the Key Server." REFERENCE "RFC 3547 - Sections: 1. Introduction 3. GROUPKEY-PULL Exchange 3.3. Initiator Operations" ::= { gdoiMIBNotifications 9 } gdoiGmNoIpSecFlows NOTIFICATION-TYPE STATUS current DESCRIPTION "An error notification from a Group Member when no more security associations can be installed after receiving its keying & security association material. When the Group Member receives the security association materials, it has to install the cryptographic keys and policies. If there is not enough memory to install these materials, there will be an error thrown." ::= { gdoiMIBNotifications 10 } Roosta, et al. Expires August 30, 2010 [Page 27] Internet-Draft GDOI MIB module February 2010 gdoiGmRekeyFailure NOTIFICATION-TYPE OBJECTS { gdoiGmRegKeyServerIdType, gdoiGmRegKeyServerIdValue, gdoiGmRekeysReceived } STATUS current DESCRIPTION "An error notification from a Group Member when it is unable to successfully process and install a rekey (GROUPKEY-PUSH message) sent by the Key Server in its Group that it is registered with." REFERENCE "RFC 3547 - Sections: 1. Introduction 4. GROUPKEY-PUSH Message 4.8. Group Member Operations" ::= { gdoiMIBNotifications 11 } -- ------------------------------------------------------------------ -- -- GDOI MIB Management Objects -- ------------------------------------------------------------------ -- -- -- *---------------------------------------------------------------- -- -- * The GDOI "Group" Table -- *---------------------------------------------------------------- -- gdoiGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of information regarding GDOI Groups in use on the network device being queried." ::= { gdoiMIBObjects 1 } gdoiGroupEntry OBJECT-TYPE SYNTAX GdoiGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing GDOI Group information, uniquely identified by the GDOI Group ID." REFERENCE "RFC 3547 - Sections: 5.1.1. Identification Type Values 5.1.1.1. ID_KEY_ID RFC 4306 - Section: 3.5. Identification Payloads" INDEX { Roosta, et al. Expires August 30, 2010 [Page 28] Internet-Draft GDOI MIB module February 2010 gdoiGroupIdType, gdoiGroupIdValue } ::= { gdoiGroupTable 1 } GdoiGroupEntry ::= SEQUENCE { gdoiGroupIdType GdoiIdentificationType, gdoiGroupIdLength Unsigned32, gdoiGroupIdValue GdoiIdentificationValue, gdoiGroupName DisplayString } gdoiGroupIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The Identification Type Value used to parse a GDOI Group ID. The GDOI RFC 3547 defines the types that can be used as a GDOI Group ID, and RFC 4306 defines all valid types that can be used as an identifier. This Group ID type is sent as the 'ID Type' field of the Identification Payload for a GDOI GROUPKEY-PULL exchange." REFERENCE "RFC 3547 - Sections: 5.1.1. Identification Type Values 5.1.1.1. ID_KEY_ID RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGroupEntry 1 } gdoiGroupIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of a Group ID. If no length is given (i.e. it has a value of 0), the default length of its gdoiGroupIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'Payload Length' (subtracting the generic header length) of the Identification Payload for a GDOI GROUPKEY-PULL exchange." REFERENCE "RFC 3547 - Sections: 5.1.1. Identification Type Values 5.1.1.1. ID_KEY_ID RFC 4306 - Section: 3.5. Identification Payloads" Roosta, et al. Expires August 30, 2010 [Page 29] Internet-Draft GDOI MIB module February 2010 ::= { gdoiGroupEntry 2 } gdoiGroupIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of a Group ID with its type indicated by the gdoiGroupIdType. Use the gdoiGroupIdType to parse the Group ID correctly. This Group ID value is sent as the 'Identification Data' field of the Identification Payload for a GDOI GROUPKEY-PULL exchange." REFERENCE "RFC 3547 - Sections: 5.1.1. Identification Type Values 5.1.1.1. ID_KEY_ID RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGroupEntry 3 } gdoiGroupName OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS read-only STATUS current DESCRIPTION "The string-readable name configured for or given to a GDOI Group." ::= { gdoiGroupEntry 4 } -- *---------------------------------------------------------------- -- -- * GDOI MIB Management Object Groups -- *---------------------------------------------------------------- -- gdoiPeers OBJECT IDENTIFIER ::= { gdoiMIBObjects 2 } gdoiSecAssociations OBJECT IDENTIFIER ::= { gdoiMIBObjects 3 } -- *---------------------------------------------------------------- -- -- * The GDOI "Peers" Group -- *---------------------------------------------------------------- -- -- -- #-------------------------------------------------------------- -- -- # The GDOI "Key Server (KS)" Table -- #-------------------------------------------------------------- -- gdoiKeyServerTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiKeyServerEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION Roosta, et al. Expires August 30, 2010 [Page 30] Internet-Draft GDOI MIB module February 2010 "A table of information for the GDOI group from the perspective of the Key Servers (GCKSs) on the network device being queried." ::= { gdoiPeers 1 } gdoiKeyServerEntry OBJECT-TYPE SYNTAX GdoiKeyServerEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing GDOI Key Server (KS) information, uniquely identified by the Group & Key Server IDs." REFERENCE "RFC 3547 - Sections: 1. Introduction 3.4. Receiver Operations 4.7. GCKS Operations" INDEX { gdoiGroupIdType, gdoiGroupIdValue, gdoiKeyServerIdType, gdoiKeyServerIdValue } ::= { gdoiKeyServerTable 1 } GdoiKeyServerEntry ::= SEQUENCE { gdoiKeyServerIdType GdoiIdentificationType, gdoiKeyServerIdLength Unsigned32, gdoiKeyServerIdValue GdoiIdentificationValue, gdoiKeyServerActiveKEK GdoiKekSPI, gdoiKeyServerRekeysPushed Counter32 } gdoiKeyServerIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for a Key Server. RFC 4306 defines all valid types that can be used as an identifier. These identification types are sent as the 'SRC ID Type' and 'DST ID Type' of the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiKeyServerEntry 1 } Roosta, et al. Expires August 30, 2010 [Page 31] Internet-Draft GDOI MIB module February 2010 gdoiKeyServerIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of a Key Server ID. If no length is given (i.e. it has a value of 0), the default length of its gdoiKeyServerIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKeyServerEntry 2 } gdoiKeyServerIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of the identity information for a Key Server with its type indicated by the gdoiKeyServerIdType. Use the gdoiKeyServerIdType to parse the Key Server ID correctly. This Key Server ID value is sent as the 'SRC Identification Data' and 'DST Identification Data' of the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKeyServerEntry 3 } gdoiKeyServerActiveKEK OBJECT-TYPE SYNTAX GdoiKekSPI MAX-ACCESS read-only STATUS current DESCRIPTION "The SPI of the Key Encryption Key (KEK) that is currently being used by the Key Server to encrypt the GROUPKEY-PUSH keying & security association material sent to the Key Server's registered Group Members." REFERENCE "RFC 3547 - Section: 5.3. SA KEK payload" Roosta, et al. Expires August 30, 2010 [Page 32] Internet-Draft GDOI MIB module February 2010 ::= { gdoiKeyServerEntry 4 } gdoiKeyServerRekeysPushed OBJECT-TYPE SYNTAX Counter32 UNITS "GROUPKEY-PUSH Messages" MAX-ACCESS read-only STATUS current DESCRIPTION "The sequence number of the last rekey sent from the Key Server to its registered Group Members for this GDOI group." REFERENCE "RFC 3547 - Sections: 3.2. Messages 3.4. Receiver Operations 4. GROUPKEY-PUSH Message 4.7. GCKS Operations 5.6. Sequence Number Payload" ::= { gdoiKeyServerEntry 5 } -- #-------------------------------------------------------------- -- -- # The GDOI "Group Members" Table -- #-------------------------------------------------------------- -- gdoiGmTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiGmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of information regarding GDOI Group Members (GMs) locally configured on the network device being queried. Note that Local Group Members may or may not be registered to a Key Server in its GDOI Group on the same network device being queried." ::= { gdoiPeers 2 } gdoiGmEntry OBJECT-TYPE SYNTAX GdoiGmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing Local GDOI Group Member information, uniquely identified by Group & GM IDs. Because the Group Member is Local to the network device being queried, TEKs installed for this Group Member can be queried as well." REFERENCE "RFC 3547 - Sections: 1. Introduction 3.3. Initiator Operations 4.8. Group Member Operations" INDEX { Roosta, et al. Expires August 30, 2010 [Page 33] Internet-Draft GDOI MIB module February 2010 gdoiGroupIdType, gdoiGroupIdValue, gdoiGmIdType, gdoiGmIdValue } ::= { gdoiGmTable 1 } GdoiGmEntry ::= SEQUENCE { gdoiGmIdType GdoiIdentificationType, gdoiGmIdLength Unsigned32, gdoiGmIdValue GdoiIdentificationValue, gdoiGmRegKeyServerIdType GdoiIdentificationType, gdoiGmRegKeyServerIdLength Unsigned32, gdoiGmRegKeyServerIdValue GdoiIdentificationValue, gdoiGmActiveKEK GdoiKekSPI, gdoiGmRekeysReceived Counter32 } gdoiGmIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for a Initiator or Group Member. RFC 4306 defines all valid types that can be used as an identifier. These identification types are sent as the 'SRC ID Type' and 'DST ID Type' of the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGmEntry 1 } gdoiGmIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of a Group Member ID. If no length is given (i.e. it has a value of 0), the default length of its gdoiGmIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in Roosta, et al. Expires August 30, 2010 [Page 34] Internet-Draft GDOI MIB module February 2010 the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmEntry 2 } gdoiGmIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of the identity information for a Group Member with its type indicated by the gdoiGmIdType. Use the gdoiGmIdType to parse the Group Member ID correctly. This Group Member ID value is sent as the 'SRC Identification Data' and 'DST Identification Data' of the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmEntry 3 } gdoiGmRegKeyServerIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information of this Group Member's registered Key Server. RFC 4306 defines all valid types that can be used as an identifier. These identification types are sent as the 'SRC ID Type' and 'DST ID Type' of the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGmEntry 4 } gdoiGmRegKeyServerIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the registered Key Roosta, et al. Expires August 30, 2010 [Page 35] Internet-Draft GDOI MIB module February 2010 Server's ID. If no length is given (i.e. it has a value of 0), the default length of its gdoiGmRegKeyServerIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmEntry 5 } gdoiGmRegKeyServerIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for this Group Member's registered Key Server with its type indicated by the gdoiGmRegKeyServerIdType. Use the gdoiGmRegKeyServerIdType to parse the registered Key Server's ID correctly. This Key Server ID value is sent as the 'SRC Identification Data' and 'DST Identification Data' of the KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmEntry 6 } gdoiGmActiveKEK OBJECT-TYPE SYNTAX GdoiKekSPI MAX-ACCESS read-only STATUS current DESCRIPTION "The SPI of the Key Encryption Key (KEK) that is currently being used by the Group Member to authenticate & decrypt a rekey from a GROUPKEY-PUSH message." ::= { gdoiGmEntry 7 } gdoiGmRekeysReceived OBJECT-TYPE SYNTAX Counter32 UNITS "GROUPKEY-PUSH Messages" MAX-ACCESS read-only STATUS current DESCRIPTION "The sequence number of the last rekey successfully received Roosta, et al. Expires August 30, 2010 [Page 36] Internet-Draft GDOI MIB module February 2010 from this Group Member's registered Key Server." REFERENCE "RFC 3547 - Sections: 3.2. Messages 3.3. Initiator Operations 4. GROUPKEY-PUSH Message 4.8. Group Member Operations 5.6. Sequence Number Payload" ::= { gdoiGmEntry 8 } -- *---------------------------------------------------------------- -- -- * The GDOI "Security Associations (SA)" Group -- *---------------------------------------------------------------- -- -- -- #-------------------------------------------------------------- -- -- # The GDOI "Key Server (KS) KEK Policy/SA" Table -- #-------------------------------------------------------------- -- gdoiKsKekTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiKsKekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of information regarding GDOI Key Encryption Key (KEK) Policies & Security Associations (SAs) currently configured/installed for GDOI entities acting as Key Servers on the network device being queried. There is one entry in this table for each KEK Policy/SA that has been configured/installed. Each KEK Policy/SA is uniquely identified by a SPI at any given time." ::= { gdoiSecAssociations 1 } gdoiKsKekEntry OBJECT-TYPE SYNTAX GdoiKsKekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the attributes associated with a GDOI KEK Policy/SA, uniquely identified by the Group ID, Key Server ID, & SPI value assigned by the given Key Server to the KEK. There will be at least one KEK Policy/SA entry for each Key Server & two KEK Policy/SA entries for a given Key Server only during a KEK rekey when a new KEK is created/installed. The KEK SPI is unique for every KEK for a given Key Server." REFERENCE "RFC 3547 - Sections: 1. Introduction 3.2. Messages 4. GROUPKEY-PUSH Message 5.3. SA KEK Payload Roosta, et al. Expires August 30, 2010 [Page 37] Internet-Draft GDOI MIB module February 2010 5.3.1. KEK Attributes 5.5. Key Download Payload" INDEX { gdoiGroupIdType, gdoiGroupIdValue, gdoiKeyServerIdType, gdoiKeyServerIdValue, gdoiKsKekSPI } ::= { gdoiKsKekTable 1 } GdoiKsKekEntry ::= SEQUENCE { gdoiKsKekSPI GdoiKekSPI, gdoiKsKekSrcIdType GdoiIdentificationType, gdoiKsKekSrcIdLength Unsigned32, gdoiKsKekSrcIdValue GdoiIdentificationValue, gdoiKsKekSrcIdPort Unsigned16, gdoiKsKekDstIdType GdoiIdentificationType, gdoiKsKekDstIdLength Unsigned32, gdoiKsKekDstIdValue GdoiIdentificationValue, gdoiKsKekDstIdPort Unsigned16, gdoiKsKekRekeyIdType GdoiIdentificationType, gdoiKsKekRekeyIdLength Unsigned32, gdoiKsKekRekeyIdValue GdoiIdentificationValue, gdoiKsKekIpProtocol GdoiIpProtocolId, gdoiKsKekPopAlg GdoiSignatureMethod, gdoiKsKekPopKeyLength Unsigned32, gdoiKsKekMgmtAlg GdoiKeyManagementAlgorithm, gdoiKsKekEncryptAlg GdoiEncryptionAlgorithm, gdoiKsKekEncryptKeyLength Unsigned32, gdoiKsKekSigHashAlg GdoiPseudoRandomFunction, gdoiKsKekSigAlg GdoiSignatureMethod, gdoiKsKekSigKeyLength Unsigned32, gdoiKsKekOakleyGroup GdoiDiffieHellmanGroup, gdoiKsKekOriginalLifetime Unsigned32, gdoiKsKekRemainingLifetime Unsigned32, gdoiKsKekStatus GdoiKekStatus } gdoiKsKekSPI OBJECT-TYPE SYNTAX GdoiKekSPI MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of the Security Parameter Index (SPI) of a KEK Policy/SA. The SPI must be the ISAKMP Header cookie pair where the first 8 octets become the 'Initiator Cookie' field of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8 Roosta, et al. Expires August 30, 2010 [Page 38] Internet-Draft GDOI MIB module February 2010 octets become the 'Responder Cookie' in the same HDR. As described above, these cookies are assigned by the GCKS." ::= { gdoiKsKekEntry 1 } gdoiKsKekSrcIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the source of a KEK Policy/SA. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'SRC ID Type' of the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiKsKekEntry 2 } gdoiKsKekSrcIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the source ID of a KEK Policy/SA. If no length is given (i.e. it has a value of 0), the default length of its gdoiKsKekSrcIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' field sent in the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 3 } gdoiKsKekSrcIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the source of a KEK Policy/SA with its type indicated by the gdoiKsKekSrcIdType. Use the gdoiKsKekSrcIdType to parse the KEK Source ID correctly. This ID value is sent as the 'SRC Identification Data' of a KEK payload." REFERENCE Roosta, et al. Expires August 30, 2010 [Page 39] Internet-Draft GDOI MIB module February 2010 "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 4 } gdoiKsKekSrcIdPort OBJECT-TYPE SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the source ID of a KEK Policy/SA. A value of zero means that the port should be ignored. This port value is sent as the `SRC ID Port` field of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 5 } gdoiKsKekDstIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the dest. of a KEK Policy/SA. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'DST ID Type' of the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiKsKekEntry 6 } gdoiKsKekDstIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the destination ID of a KEK Policy/SA. If no length is given (i.e. it has a value of 0), the default length of its gdoiKsKekDstIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'DST ID Data Len' field sent in the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 7 } Roosta, et al. Expires August 30, 2010 [Page 40] Internet-Draft GDOI MIB module February 2010 gdoiKsKekDstIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the destination of a KEK Policy/SA with its type indicated by the gdoiKsKekDstIdType. Use the gdoiKsKekDstIdType to parse the KEK Dest. ID correctly. This ID value is sent as the 'DST Identification Data' of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 8 } gdoiKsKekDstIdPort OBJECT-TYPE SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the dest. ID of a KEK Policy/SA. A value of zero means that the port should be ignored. This port value is sent as the `DST ID Port` field of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 9 } gdoiKsKekRekeyIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the multicast rekey address for this KEK and associated subsequent KEKs/TEKs. RFC 4306 defines all valid types that can be used as an identifier." REFERENCE "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange" ::= { gdoiKsKekEntry 10 } gdoiKsKekRekeyIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the multicast rekey address for this KEK and associated subsequent KEKs/TEKs. Roosta, et al. Expires August 30, 2010 [Page 41] Internet-Draft GDOI MIB module February 2010 If no length is given (i.e. it has a value of 0), the default length of its gdoiKsKekRekeyIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included." REFERENCE "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange" ::= { gdoiKsKekEntry 11 } gdoiKsKekRekeyIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the multicast rekey address of this KEK and associated subsequent KEKs/TEKs. Use the gdoiKsKekRekeyIdType to parse the multicast rekey address correctly." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 12 } gdoiKsKekIpProtocol OBJECT-TYPE SYNTAX GdoiIpProtocolId MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the IP protocol ID (e.g. UDP/TCP) being used for the rekey datagram." REFERENCE "RFC 3547 - Section: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 13 } gdoiKsKekPopAlg OBJECT-TYPE SYNTAX GdoiSignatureMethod MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Proof of Posession (POP) payload algorithm, which is an authentication signature method. If no POP algorithm is defined by the KEK Policy/SA, the value must be zero (0). The POP payload demonstrates that the member or GCKS has used the very secret that authenticates it. Following are the POP payload algorithm values defined in the GDOI RFC 3547, however the GdoiSignatureMethod TC defines all possible values. Roosta, et al. Expires August 30, 2010 [Page 42] Internet-Draft GDOI MIB module February 2010 Algorithm Type Value --------------- ----- RESERVED 0 POP_ALG_RSA 1 POP_ALG_DSS 2 POP_ALG_ECDSS 3 RESERVED 4-127 Private Use 128-255" REFERENCE "RFC 3547 - Sections: 3.2. Messages 5.3. SA KEK payload 5.7. Proof of Possession" ::= { gdoiKsKekEntry 14 } gdoiKsKekPopKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the length of the POP payload key. If no POP algorithm is defined in the KEK Policy/SA, the value must be zero (0)." REFERENCE "RFC 3547 - Section: 5.3. SA KEK payload" ::= { gdoiKsKekEntry 15 } gdoiKsKekMgmtAlg OBJECT-TYPE SYNTAX GdoiKeyManagementAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_MANAGEMENT_ALGORITHM which specifies the group KEK management algorithm used to provide forward or backward access control (i.e. used to exclude group members). KEK Management Type Value ------------------- ----- RESERVED 0 LKH 1 RESERVED 2-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM" ::= { gdoiKsKekEntry 16 } gdoiKsKekEncryptAlg OBJECT-TYPE Roosta, et al. Expires August 30, 2010 [Page 43] Internet-Draft GDOI MIB module February 2010 SYNTAX GdoiEncryptionAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_ALGORITHM which specifies the encryption algorithm used with the KEK Policy/SA. A GDOI implementaiton must support KEK_ALG_3DES. Following are the KEK encryption algoritm values defined in the GDOI RFC 3547, however the GdoiEncryptionAlgorithm TC defines all possible values. Algorithm Type Value -------------- ----- RESERVED 0 KEK_ALG_DES 1 KEK_ALG_3DES 2 KEK_ALG_AES 3 RESERVED 4-127 Private Use 128-255" REFERENCE "RFC 3547 - Section 5.3.3. KEK_ALGORITHM" ::= { gdoiKsKekEntry 17 } gdoiKsKekEncryptKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_KEY_LENGTH which specifies the KEK Algorithm key length (in bits)." REFERENCE "RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH" ::= { gdoiKsKekEntry 18 } gdoiKsKekSigHashAlg OBJECT-TYPE SYNTAX GdoiPseudoRandomFunction MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SIG_HASH_ALGORITHM which specifies the SIG payload hash algorithm. This is not required (i.e. could have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a value of zero or SIG_HASH_SHA1). Following are the Signature Hash Algorithm values defined in Roosta, et al. Expires August 30, 2010 [Page 44] Internet-Draft GDOI MIB module February 2010 the GDOI RFC 3547, however the GdoiPseudoRandomFunction TC defines all possible values. Algorithm Type Value -------------- ----- RESERVED 0 SIG_HASH_MD5 1 SIG_HASH_SHA1 2 RESERVED 3-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM" ::= { gdoiKsKekEntry 19 } gdoiKsKekSigAlg OBJECT-TYPE SYNTAX GdoiSignatureMethod MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SIG_ALGORITHM which specifies the SIG payload signature algorithm. A GDOI implementation must support SIG_ALG_RSA. Following are the Signature Algorithm values defined in the GDOI RFC 3547, however the GdoiSignatureMethod TC defines all possible values. Algorithm Type Value -------------- ----- RESERVED 0 SIG_ALG_RSA 1 SIG_ALG_DSS 2 SIG_ALG_ECDSS 3 RESERVED 4-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.3.7. SIG_ALGORITHM" ::= { gdoiKsKekEntry 20 } gdoiKsKekSigKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SIG_KEY_LENGTH which specifies the length of the SIG payload key." REFERENCE Roosta, et al. Expires August 30, 2010 [Page 45] Internet-Draft GDOI MIB module February 2010 "RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH" ::= { gdoiKsKekEntry 21 } gdoiKsKekOakleyGroup OBJECT-TYPE SYNTAX GdoiDiffieHellmanGroup MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KE_OAKLEY_GROUP which specifies the OAKLEY or Diffie-Hellman Group used to compute the PFS secret in the optional KE payload of the GDOI GROUPKEY-PULL exchange." REFERENCE "RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP" ::= { gdoiKsKekEntry 22 } gdoiKsKekOriginalLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_KEY_LIFETIME which specifies the maximum time for which a KEK is valid. The GCKS may refresh the KEK at any time before the end of the valid period. The value is a four (4) octet (32-bit) number defining a valid time period in seconds." REFERENCE "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" ::= { gdoiKsKekEntry 23 } gdoiKsKekRemainingLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the remaining time for which a KEK is valid. The value is a four (4) octet (32-bit) number which begins at the value of gdoiKsKekOriginalLifetime when the KEK is sent and counts down to zero in seconds. If the lifetime has already expired, this value should remain at zero (0) until the Key Server refreshes the KEK." REFERENCE "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" ::= { gdoiKsKekEntry 24 } gdoiKsKekStatus OBJECT-TYPE SYNTAX GdoiKekStatus Roosta, et al. Expires August 30, 2010 [Page 46] Internet-Draft GDOI MIB module February 2010 MAX-ACCESS read-only STATUS current DESCRIPTION "The status of the KEK Policy/SA. When this status value is queried, one of the following is returned: inUse(1), new(2), old(3)." ::= { gdoiKsKekEntry 25 } -- #-------------------------------------------------------------- -- -- # The GDOI "Group Member (GM) KEK SA" Table -- #-------------------------------------------------------------- -- gdoiGmKekTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiGmKekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of information regarding GDOI Key Encryption Key (KEK) Security Associations (SAs) currently installed for GDOI entities acting as Group Members on the network device being queried. There is one entry in this table for each KEK SA that has been installed and not yet deleted. Each KEK SA is uniquely identified by a SPI at any given time." ::= { gdoiSecAssociations 2 } gdoiGmKekEntry OBJECT-TYPE SYNTAX GdoiGmKekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the attributes associated with a GDOI KEK SA, uniquely identified by the Group ID, Group Member (GM) ID, & SPI value assigned by the GM's registered Key Server to the KEK. There will be at least one KEK SA entry for each GM & two KEK SA entries for a given GM only during a KEK rekey when a new KEK is received & installed. The KEK SPI is unique for every KEK for a given Group Member." REFERENCE "RFC 3547 - Sections: 1. Introduction 3.2. Messages 4. GROUPKEY-PUSH Message 5.3. SA KEK Payload 5.3.1. KEK Attributes 5.5. Key Download Payload" INDEX { gdoiGroupIdType, gdoiGroupIdValue, gdoiGmIdType, Roosta, et al. Expires August 30, 2010 [Page 47] Internet-Draft GDOI MIB module February 2010 gdoiGmIdValue, gdoiGmKekSPI } ::= { gdoiGmKekTable 1 } GdoiGmKekEntry ::= SEQUENCE { gdoiGmKekSPI GdoiKekSPI, gdoiGmKekSrcIdType GdoiIdentificationType, gdoiGmKekSrcIdLength Unsigned32, gdoiGmKekSrcIdValue GdoiIdentificationValue, gdoiGmKekSrcIdPort Unsigned16, gdoiGmKekDstIdType GdoiIdentificationType, gdoiGmKekDstIdLength Unsigned32, gdoiGmKekDstIdValue GdoiIdentificationValue, gdoiGmKekDstIdPort Unsigned16, gdoiGmKekRekeyIdType GdoiIdentificationType, gdoiGmKekRekeyIdLength Unsigned32, gdoiGmKekRekeyIdValue GdoiIdentificationValue, gdoiGmKekIpProtocol GdoiIpProtocolId, gdoiGmKekPopAlg GdoiSignatureMethod, gdoiGmKekPopKeyLength Unsigned32, gdoiGmKekMgmtAlg GdoiKeyManagementAlgorithm, gdoiGmKekEncryptAlg GdoiEncryptionAlgorithm, gdoiGmKekEncryptKeyLength Unsigned32, gdoiGmKekSigHashAlg GdoiPseudoRandomFunction, gdoiGmKekSigAlg GdoiSignatureMethod, gdoiGmKekSigKeyLength Unsigned32, gdoiGmKekOakleyGroup GdoiDiffieHellmanGroup, gdoiGmKekOriginalLifetime Unsigned32, gdoiGmKekRemainingLifetime Unsigned32, gdoiGmKekStatus GdoiKekStatus } gdoiGmKekSPI OBJECT-TYPE SYNTAX GdoiKekSPI MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of the Security Parameter Index (SPI) of a KEK SA. The SPI must be the ISAKMP Header cookie pair where the first 8 octets become the 'Initiator Cookie' field of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8 octets become the 'Responder Cookie' in the same HDR. As described above, these cookies are assigned by the GCKS." ::= { gdoiGmKekEntry 1 } gdoiGmKekSrcIdType OBJECT-TYPE SYNTAX GdoiIdentificationType Roosta, et al. Expires August 30, 2010 [Page 48] Internet-Draft GDOI MIB module February 2010 MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the source of a KEK SA. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'SRC ID Type' of the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGmKekEntry 2 } gdoiGmKekSrcIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the source ID of a KEK SA. If no length is given (i.e. it has a value of 0), the default length of its gdoiGmKekSrcIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' field sent in the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 3 } gdoiGmKekSrcIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the source of a KEK SA with its type indicated by the gdoiGmKekSrcIdType. Use the gdoiGmKekSrcIdType to parse the KEK Source ID correctly. This ID value is sent as the 'SRC Identification Data' of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 4 } gdoiGmKekSrcIdPort OBJECT-TYPE SYNTAX Unsigned16 MAX-ACCESS read-only Roosta, et al. Expires August 30, 2010 [Page 49] Internet-Draft GDOI MIB module February 2010 STATUS current DESCRIPTION "The value specifying a port associated with the source ID of a KEK SA. A value of zero means that the port should be ignored. This port value is sent as the `SRC ID Port` field of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 5 } gdoiGmKekDstIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the dest. of a KEK SA. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'DST ID Type' of the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGmKekEntry 6 } gdoiGmKekDstIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the destination ID of a KEK SA. If no length is given (i.e. it has a value of 0), the default length of its gdoiGmKekDstIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'DST ID Data Len' field sent in the KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 7 } gdoiGmKekDstIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION Roosta, et al. Expires August 30, 2010 [Page 50] Internet-Draft GDOI MIB module February 2010 "The value of the identity information for the destination of a KEK SA with its type indicated by the gdoiGmKekDstIdType. Use the gdoiGmKekDstIdType to parse the KEK Dest. ID correctly. This ID value is sent as the 'DST Identification Data' of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 8 } gdoiGmKekDstIdPort OBJECT-TYPE SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the dest. ID of a KEK SA. A value of zero means that the port should be ignored. This port value is sent as the `DST ID Port` field of a KEK payload." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 9 } gdoiGmKekRekeyIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the multicast rekey address for this KEK and associated subsequent KEK(s)/TEK(s). RFC 4306 defines all valid types that can be used as an identifier." REFERENCE "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange" ::= { gdoiGmKekEntry 10 } gdoiGmKekRekeyIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the multicast rekey address for this KEK and associated subsequent KEK(s)/TEK(s). If no length is given (i.e. it has a value of 0), the default length of its gdoiGmKekRekeyIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included." Roosta, et al. Expires August 30, 2010 [Page 51] Internet-Draft GDOI MIB module February 2010 REFERENCE "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange" ::= { gdoiGmKekEntry 11 } gdoiGmKekRekeyIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the multicast rekey address of this KEK and associated subsequent KEK(s)/TEK(s). Use the gdoiGmKekRekeyIdType to parse the multicast rekey address correctly." REFERENCE "RFC 3547 - Sections: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 12 } gdoiGmKekIpProtocol OBJECT-TYPE SYNTAX GdoiIpProtocolId MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the IP protocol ID (e.g. UDP/TCP) being used for the rekey datagram." REFERENCE "RFC 3547 - Section: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 13 } gdoiGmKekPopAlg OBJECT-TYPE SYNTAX GdoiSignatureMethod MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Proof of Posession (POP) payload algorithm, which is an authentication signature method. If no POP algorithm is defined by the KEK SA, this field must be zero (0). The POP payload demonstrates that the member or GCKS has used the very secret that authenticates it. Following are the POP payload algorithm values defined in the GDOI RFC 3547, however the GdoiSignatureMethod TC defines all possible values. Algorithm Type Value --------------- ----- RESERVED 0 POP_ALG_RSA 1 Roosta, et al. Expires August 30, 2010 [Page 52] Internet-Draft GDOI MIB module February 2010 POP_ALG_DSS 2 POP_ALG_ECDSS 3 RESERVED 4-127 Private Use 128-255" REFERENCE "RFC 3547 - Sections: 3.2. Messages 5.3. SA KEK payload 5.7. Proof of Possession" ::= { gdoiGmKekEntry 14 } gdoiGmKekPopKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the length of the POP payload key. If no POP algorithm is defined in the KEK SA, this field must be zero (0)." REFERENCE "RFC 3547 - Section: 5.3. SA KEK payload" ::= { gdoiGmKekEntry 15 } gdoiGmKekMgmtAlg OBJECT-TYPE SYNTAX GdoiKeyManagementAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_MANAGEMENT_ALGORITHM which specifies the group KEK management algorithm used to provide forward or backward access control (i.e. used to exclude group members). KEK Management Type Value ------------------- ----- RESERVED 0 LKH 1 RESERVED 2-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM" ::= { gdoiGmKekEntry 16 } gdoiGmKekEncryptAlg OBJECT-TYPE SYNTAX GdoiEncryptionAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION Roosta, et al. Expires August 30, 2010 [Page 53] Internet-Draft GDOI MIB module February 2010 "The value of the KEK_ALGORITHM which specifies the encryption algorithm used with the KEK SA. A GDOI implementaiton must support KEK_ALG_3DES. Following are the KEK encryption algoritm values defined in the GDOI RFC 3547, however the GdoiEncryptionAlgorithm TC defines all possible values. Algorithm Type Value -------------- ----- RESERVED 0 KEK_ALG_DES 1 KEK_ALG_3DES 2 KEK_ALG_AES 3 RESERVED 4-127 Private Use 128-255" REFERENCE "RFC 3547 - Section 5.3.3. KEK_ALGORITHM" ::= { gdoiGmKekEntry 17 } gdoiGmKekEncryptKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_KEY_LENGTH which specifies the KEK Algorithm key length (in bits)." REFERENCE "RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH" ::= { gdoiGmKekEntry 18 } gdoiGmKekSigHashAlg OBJECT-TYPE SYNTAX GdoiPseudoRandomFunction MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SIG_HASH_ALGORITHM which specifies the SIG payload hash algorithm. This is not required (i.e. could have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a value of zero or SIG_HASH_SHA1). Following are the Signature Hash Algorithm values defined in the GDOI RFC 3547, however the GdoiPseudoRandomFunction TC defines all possible values. Algorithm Type Value Roosta, et al. Expires August 30, 2010 [Page 54] Internet-Draft GDOI MIB module February 2010 -------------- ----- RESERVED 0 SIG_HASH_MD5 1 SIG_HASH_SHA1 2 RESERVED 3-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM" ::= { gdoiGmKekEntry 19 } gdoiGmKekSigAlg OBJECT-TYPE SYNTAX GdoiSignatureMethod MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SIG_ALGORITHM which specifies the SIG payload signature algorithm. A GDOI implementation must support SIG_ALG_RSA. Following are the Signature Algorithm values defined in the GDOI RFC 3547, however the GdoiSignatureMethod TC defines all possible values. Algorithm Type Value -------------- ----- RESERVED 0 SIG_ALG_RSA 1 SIG_ALG_DSS 2 SIG_ALG_ECDSS 3 RESERVED 4-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.3.7. SIG_ALGORITHM" ::= { gdoiGmKekEntry 20 } gdoiGmKekSigKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SIG_KEY_LENGTH which specifies the length of the SIG payload key." REFERENCE "RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH" ::= { gdoiGmKekEntry 21 } gdoiGmKekOakleyGroup OBJECT-TYPE Roosta, et al. Expires August 30, 2010 [Page 55] Internet-Draft GDOI MIB module February 2010 SYNTAX GdoiDiffieHellmanGroup MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KE_OAKLEY_GROUP which specifies the OAKLEY or Diffie-Hellman Group used to compute the PFS secret in the optional KE payload of the GDOI GROUPKEY-PULL exchange." REFERENCE "RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP" ::= { gdoiGmKekEntry 22 } gdoiGmKekOriginalLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the KEK_KEY_LIFETIME which specifies the maximum time for which a KEK is valid. The GCKS may refresh the KEK at any time before the end of the valid period. The value is a four (4) octet (32-bit) number defining a valid time period in seconds." REFERENCE "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" ::= { gdoiGmKekEntry 23 } gdoiGmKekRemainingLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the remaining time for which a KEK is valid. The value is a four (4) octet (32-bit) number which begins at the value of gdoiGmKekOriginalLifetime and counts down to zero in seconds. If the lifetime has already expired, this value should remain at zero (0) until the GCKS refreshes the KEK." REFERENCE "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME" ::= { gdoiGmKekEntry 24 } gdoiGmKekStatus OBJECT-TYPE SYNTAX GdoiKekStatus MAX-ACCESS read-only STATUS current DESCRIPTION "The status of the KEK SA. When this status value is queried, one of the following is returned: Roosta, et al. Expires August 30, 2010 [Page 56] Internet-Draft GDOI MIB module February 2010 inUse(1), new(2), old(3)." ::= { gdoiGmKekEntry 25 } -- #-------------------------------------------------------------- -- -- # The GDOI "Key Server (KS) TEK Policy" Table -- #-------------------------------------------------------------- -- gdoiKsTekTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiKsTekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of information regarding GDOI Traffic Encryption Key (TEK) Policies currently configured/pushed for GDOI entities acting as Key Servers on the network device being queried. There is one entry in this table for each TEK that has been configured & pushed to Group Members registered to the given Key Server." ::= { gdoiSecAssociations 3 } gdoiKsTekEntry OBJECT-TYPE SYNTAX GdoiKsTekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the attributes associated with a GDOI TEK Policy, uniquely identified by the Group ID, Key Server ID, Source/Destination IDs & Ports, and TEK SPI. There will be one or more TEK entries for each TEK Policy sent by the given Key Server to its registered Group Members, each with a unique 5-tuple. However, due to the 255-octet constraint placed on an OID, the 4-tuple cannot be used to INDEX a TEK entry for a given Group ID & Key Server ID. Therefore, the TEK SPI for a given Group ID & Key Server ID MUST be unique unless another indexing scheme is used." REFERENCE "RFC 3547 - Sections: 1. Introduction 3.2. Messages 4. GROUPKEY-PUSH Message 5.4. SA TEK Payload" INDEX { gdoiGroupIdType, gdoiGroupIdValue, gdoiKeyServerIdType, gdoiKeyServerIdValue, gdoiKsTekSPI Roosta, et al. Expires August 30, 2010 [Page 57] Internet-Draft GDOI MIB module February 2010 } ::= { gdoiKsTekTable 1 } GdoiKsTekEntry ::= SEQUENCE { gdoiKsTekSPI GdoiTekSPI, gdoiKsTekSrcIdType GdoiIdentificationType, gdoiKsTekSrcIdLength Unsigned32, gdoiKsTekSrcIdValue GdoiIdentificationValue, gdoiKsTekSrcIdPort Unsigned16, gdoiKsTekDstIdType GdoiIdentificationType, gdoiKsTekDstIdLength Unsigned32, gdoiKsTekDstIdValue GdoiIdentificationValue, gdoiKsTekDstIdPort Unsigned16, gdoiKsTekSecurityProtocol GdoiSecurityProtocol, gdoiKsTekEncapsulationMode GdoiEncapsulationMode, gdoiKsTekEncryptionAlgorithm GdoiEncryptionAlgorithm, gdoiKsTekEncryptionKeyLength Unsigned32, gdoiKsTekIntegrityAlgorithm GdoiIntegrityAlgorithm, gdoiKsTekIntegrityKeyLength Unsigned32, gdoiKsTekWindowSize Unsigned32, gdoiKsTekOriginalLifetime Unsigned32, gdoiKsTekRemainingLifetime Unsigned32, gdoiKsTekStatus GdoiTekStatus } gdoiKsTekSPI OBJECT-TYPE SYNTAX GdoiTekSPI MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of the Security Parameter Index (SPI) of a TEK Policy. The SPI must be the SPI for ESP." REFERENCE "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 1 } gdoiKsTekSrcIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the source of a TEK Policy. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'SRC ID Type' of the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP Roosta, et al. Expires August 30, 2010 [Page 58] Internet-Draft GDOI MIB module February 2010 RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiKsTekEntry 2 } gdoiKsTekSrcIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the source ID of a TEK Policy. If no length is given (i.e. it has a value of 0), the default length of its gdoiKsTekSrcIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' field sent in the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 3 } gdoiKsTekSrcIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the source of a TEK Policy with its type indicated by the gdoiKsTekSrcIdType. Use the gdoiKsTekSrcIdType to parse the TEK Source ID correctly. This ID value is sent as the 'SRC Identification Data' of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 4 } gdoiKsTekSrcIdPort OBJECT-TYPE SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the source ID of a TEK Policy. A value of zero means that the port should be ignored. This port value is sent as the `SRC ID Port` field of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 5 } Roosta, et al. Expires August 30, 2010 [Page 59] Internet-Draft GDOI MIB module February 2010 gdoiKsTekDstIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the dest. of a TEK Policy. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'DST ID Type' of the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiKsTekEntry 6 } gdoiKsTekDstIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the destination ID of a TEK Policy. If no length is given (i.e. it has a value of 0), the default length of its gdoiKsTekDstIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'DST ID Data Len' field sent in the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 7 } gdoiKsTekDstIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the destination of a TEK Policy with its type indicated by the gdoiKsTekDstIdType. Use the gdoiKsTekDstIdType to parse the TEK Dest. ID correctly. This ID value is sent as the 'DST Identification Data' of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 8 } gdoiKsTekDstIdPort OBJECT-TYPE Roosta, et al. Expires August 30, 2010 [Page 60] Internet-Draft GDOI MIB module February 2010 SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the dest. ID of a TEK Policy. A value of zero means that the port should be ignored. This port value is sent as the `DST ID Port` field of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 9 } gdoiKsTekSecurityProtocol OBJECT-TYPE SYNTAX GdoiSecurityProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Protocol-ID field of a SA TEK (SAT) payload which specifies the Security Protocol for a TEK. Following are the Security Protocol values defined in the GDOI RFC 3547, however the GdoiSecurityProtocol TC defines all possible values. Protocol ID Value ---------------------- ----- RESERVED 0 GDOI_PROTO_IPSEC_ESP 1 RESERVED 2-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.4. SA TEK Payload" ::= { gdoiKsTekEntry 10 } gdoiKsTekEncapsulationMode OBJECT-TYPE SYNTAX GdoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Encapsulation Mode of a TEK (IPsec SA). Following are the Encapsulation Mode values defined in RFC 2407, however the GdoiEncapsulationMode TC defines all possible values. Encapsulation Mode Value ------------------ ----- RESERVED 0 Roosta, et al. Expires August 30, 2010 [Page 61] Internet-Draft GDOI MIB module February 2010 Tunnel 1 Transport 2" REFERENCE "RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 11 } gdoiKsTekEncryptionAlgorithm OBJECT-TYPE SYNTAX GdoiEncryptionAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Transform ID field of a PROTO_IPSEC_ESP payload which specifies the ESP transform to be used. If no encryption is used, this value will be zero (0). Following are the ESP Transform values defined in RFC 2407, however the GdoiEncryptionAlgorithm TC defines all possible values. IPsec ESP Transform ID Value ------------------------ ----- RESERVED 0 ESP_DES_IV64 1 ESP_DES 2 ESP_3DES 3 ESP_RC5 4 ESP_IDEA 5 ESP_CAST 6 ESP_BLOWFISH 7 ESP_3IDEA 8 ESP_DES_IV32 9 ESP_RC4 10 ESP_NULL 11" REFERENCE "RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 12 } gdoiKsTekEncryptionKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the key used for encryption in a TEK (in bits)." REFERENCE Roosta, et al. Expires August 30, 2010 [Page 62] Internet-Draft GDOI MIB module February 2010 "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 13 } gdoiKsTekIntegrityAlgorithm OBJECT-TYPE SYNTAX GdoiIntegrityAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Authentication Algorithm for a TEK IPsec ESP SA. If no authentication is used, this value will be zero (0). Following are the Authentication Algorithm values defined in RFC 2407, however the GdoiEncryptionAlgorithm TC defines all possible values. Algorithm Type Value -------------- ----- HMAC-MD5 1 HMAC-SHA 2 DES-MAC 3 KPDK 4" REFERENCE "RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 14 } gdoiKsTekIntegrityKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the key used for integrity/authentication in a TEK (in bits)." REFERENCE "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 15 } gdoiKsTekWindowSize OBJECT-TYPE SYNTAX Unsigned32 UNITS "GROUPKEY-PUSH Messages" MAX-ACCESS read-only STATUS current DESCRIPTION "The size of the Time Based Anti-Replay (TBAR) window used by Roosta, et al. Expires August 30, 2010 [Page 63] Internet-Draft GDOI MIB module February 2010 this TEK Policy." REFERENCE "RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS RFC 3547 - Section: 6.3.4. Replay/Reflection Attack Protection" ::= { gdoiKsTekEntry 16 } gdoiKsTekOriginalLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SA Life Type defined in RFC 2407 which specifies the maximum time for which a TEK IPsec SA is valid. The GCKS may refresh the TEK at any time before the end of the valid period. The value is a four (4) octet (32-bit) number defining a valid time period in seconds." REFERENCE "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 17 } gdoiKsTekRemainingLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the remaining time for which a TEK is valid. The value is a four (4) octet (32-bit) number which begins at the value of gdoiKsTekOriginalLifetime when the TEK is sent and counts down to zero in seconds. If the lifetime has already expired, this value should remain at zero (0) until the Key Server refreshes the TEK." REFERENCE "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiKsTekEntry 18 } gdoiKsTekStatus OBJECT-TYPE SYNTAX GdoiTekStatus MAX-ACCESS read-only STATUS current DESCRIPTION "The status of the TEK Policy. When this status value is queried, one of the following is returned: inbound(1), outbound(2), notInUse(3)." Roosta, et al. Expires August 30, 2010 [Page 64] Internet-Draft GDOI MIB module February 2010 ::= { gdoiKsTekEntry 19 } -- #-------------------------------------------------------------- -- -- # The GDOI "Group Member (GM) TEK SA" Table -- #-------------------------------------------------------------- -- gdoiGmTekTable OBJECT-TYPE SYNTAX SEQUENCE OF GdoiGmTekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of information regarding GDOI Traffic Encryption Key (TEK) Security Associations (SAs/Policies) received by a Key Server & installed for GDOI entities acting as Group Members (GMs) on the network device being queried. There is one entry in this table for each TEK SA that has been installed or TEK SA/Policy that exists and has not yet been installed/deleted." ::= { gdoiSecAssociations 4 } gdoiGmTekEntry OBJECT-TYPE SYNTAX GdoiGmTekEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the attributes associated with a GDOI TEK Policy/SA, uniquely identified by the Group ID, Group Member ID, Source/Destination IDs & Ports, and TEK SPI. There will be one or more TEK entries for each TEK Policy/SA received and installed by the given Group Member from its registered Key Server, each with a unique 5-tuple. However, due to the 255-octet constraint placed on an OID, the 4-tuple cannot be used to INDEX a TEK entry for a given Group ID & Group Member ID. Therefore, the TEK SPI for a given Group ID & Group Member ID MUST be unique unless another indexing scheme is used." REFERENCE "RFC 3547 - Sections: 1. Introduction 3.2. Messages 4. GROUPKEY-PUSH Message 5.4. SA TEK Payload" INDEX { gdoiGroupIdType, gdoiGroupIdValue, gdoiGmIdType, gdoiGmIdValue, Roosta, et al. Expires August 30, 2010 [Page 65] Internet-Draft GDOI MIB module February 2010 gdoiGmTekSPI } ::= { gdoiGmTekTable 1 } GdoiGmTekEntry ::= SEQUENCE { gdoiGmTekSPI GdoiTekSPI, gdoiGmTekSrcIdType GdoiIdentificationType, gdoiGmTekSrcIdLength Unsigned32, gdoiGmTekSrcIdValue GdoiIdentificationValue, gdoiGmTekSrcIdPort Unsigned16, gdoiGmTekDstIdType GdoiIdentificationType, gdoiGmTekDstIdLength Unsigned32, gdoiGmTekDstIdValue GdoiIdentificationValue, gdoiGmTekDstIdPort Unsigned16, gdoiGmTekSecurityProtocol GdoiSecurityProtocol, gdoiGmTekEncapsulationMode GdoiEncapsulationMode, gdoiGmTekEncryptionAlgorithm GdoiEncryptionAlgorithm, gdoiGmTekEncryptionKeyLength Unsigned32, gdoiGmTekIntegrityAlgorithm GdoiIntegrityAlgorithm, gdoiGmTekIntegrityKeyLength Unsigned32, gdoiGmTekWindowSize Unsigned32, gdoiGmTekOriginalLifetime Unsigned32, gdoiGmTekRemainingLifetime Unsigned32, gdoiGmTekStatus GdoiTekStatus } gdoiGmTekSPI OBJECT-TYPE SYNTAX GdoiTekSPI MAX-ACCESS not-accessible STATUS current DESCRIPTION "The value of the Security Parameter Index (SPI) of a TEK Policy/SA. The SPI must be the SPI for ESP." REFERENCE "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 1 } gdoiGmTekSrcIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the source of a TEK Policy/SA. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'SRC ID Type' of the TEK payload." REFERENCE Roosta, et al. Expires August 30, 2010 [Page 66] Internet-Draft GDOI MIB module February 2010 "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGmTekEntry 2 } gdoiGmTekSrcIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the source ID of a TEK Policy/SA. If no length is given (i.e. it has a value of 0), the default length of its gdoiGmTekSrcIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'SRC ID Data Len' field sent in the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 3 } gdoiGmTekSrcIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the source of a TEK Policy/SA with its type indicated by the gdoiGmTekSrcIdType. Use the gdoiGmTekSrcIdType to parse the TEK Source ID correctly. This ID value is sent as the 'SRC Identification Data' of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 4 } gdoiGmTekSrcIdPort OBJECT-TYPE SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the source ID of a TEK Policy/SA. A value of zero means that the port should be ignored. This port value is sent as the `SRC ID Port` field of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 5 } Roosta, et al. Expires August 30, 2010 [Page 67] Internet-Draft GDOI MIB module February 2010 gdoiGmTekDstIdType OBJECT-TYPE SYNTAX GdoiIdentificationType MAX-ACCESS read-only STATUS current DESCRIPTION "The Identification Type Value used to parse the identity information for the dest. of a TEK Policy/SA. RFC 4306 defines all valid types that can be used as an identifier. This identification type is sent as the 'DST ID Type' of the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP RFC 4306 - Section: 3.5. Identification Payloads" ::= { gdoiGmTekEntry 6 } gdoiGmTekDstIdLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Octets" MAX-ACCESS read-only STATUS current DESCRIPTION "The length (i.e. number of octets) of the destination ID of a TEK Policy/SA. If no length is given (i.e. it has a value of 0), the default length of its gdoiGmTekDstIdType should be used as long as it is not reprsented by an ASCII string. If the value has a type that is represented by an ASCII string, a length MUST be included. If the length given is not 0, it should match the 'DST ID Data Len' field sent in the TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 7 } gdoiGmTekDstIdValue OBJECT-TYPE SYNTAX GdoiIdentificationValue MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the identity information for the destination of a TEK Policy/SA with its type indicated by the gdoiGmTekDstIdType. Use the gdoiGmTekDstIdType to parse the TEK Dest. ID correctly. This ID value is sent as the 'DST Identification Data' of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 8 } gdoiGmTekDstIdPort OBJECT-TYPE Roosta, et al. Expires August 30, 2010 [Page 68] Internet-Draft GDOI MIB module February 2010 SYNTAX Unsigned16 MAX-ACCESS read-only STATUS current DESCRIPTION "The value specifying a port associated with the dest. ID of a TEK Policy/SA. A value of zero means that the port should be ignored. This port value is sent as the `DST ID Port` field of a TEK payload." REFERENCE "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 9 } gdoiGmTekSecurityProtocol OBJECT-TYPE SYNTAX GdoiSecurityProtocol MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Protocol-ID field of a SA TEK (SAT) payload which specifies the Security Protocol for a TEK. Following are the Security Protocol values defined in the GDOI RFC 3547, however the GdoiSecurityProtocol TC defines all possible values. Protocol ID Value ---------------------- ----- RESERVED 0 GDOI_PROTO_IPSEC_ESP 1 RESERVED 2-127 Private Use 128-255" REFERENCE "RFC 3547 - Section: 5.4. SA TEK Payload" ::= { gdoiGmTekEntry 10 } gdoiGmTekEncapsulationMode OBJECT-TYPE SYNTAX GdoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Encapsulation Mode of a TEK (IPsec SA). Following are the Encapsulation Mode values defined in RFC 2407, however the GdoiEncapsulationMode TC defines all possible values. Encapsulation Mode Value ------------------ ----- RESERVED 0 Roosta, et al. Expires August 30, 2010 [Page 69] Internet-Draft GDOI MIB module February 2010 Tunnel 1 Transport 2" REFERENCE "RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 11 } gdoiGmTekEncryptionAlgorithm OBJECT-TYPE SYNTAX GdoiEncryptionAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Transform ID field of a PROTO_IPSEC_ESP payload which specifies the ESP transform to be used. If no encryption is used, this value will be zero (0). Following are the ESP Transform values defined in RFC 2407, however the GdoiEncryptionAlgorithm TC defines all possible values. IPsec ESP Transform ID Value ------------------------ ----- RESERVED 0 ESP_DES_IV64 1 ESP_DES 2 ESP_3DES 3 ESP_RC5 4 ESP_IDEA 5 ESP_CAST 6 ESP_BLOWFISH 7 ESP_3IDEA 8 ESP_DES_IV32 9 ESP_RC4 10 ESP_NULL 11" REFERENCE "RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 12 } gdoiGmTekEncryptionKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the key used for encryption in a TEK (in bits)." REFERENCE Roosta, et al. Expires August 30, 2010 [Page 70] Internet-Draft GDOI MIB module February 2010 "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 13 } gdoiGmTekIntegrityAlgorithm OBJECT-TYPE SYNTAX GdoiIntegrityAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the Authentication Algorithm for a TEK IPsec ESP SA. If no authentication is used, this value will be zero (0). Following are the Authentication Algorithm values defined in RFC 2407, however the GdoiEncryptionAlgorithm TC defines all possible values. Algorithm Type Value -------------- ----- HMAC-MD5 1 HMAC-SHA 2 DES-MAC 3 KPDK 4" REFERENCE "RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 14 } gdoiGmTekIntegrityKeyLength OBJECT-TYPE SYNTAX Unsigned32 UNITS "Bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the key used for integrity/authentication in a TEK (in bits)." REFERENCE "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 15 } gdoiGmTekWindowSize OBJECT-TYPE SYNTAX Unsigned32 UNITS "GROUPKEY-PUSH Messages" MAX-ACCESS read-only STATUS current DESCRIPTION "The size of the Time Based Anti-Replay (TBAR) window used by Roosta, et al. Expires August 30, 2010 [Page 71] Internet-Draft GDOI MIB module February 2010 this TEK Policy/SA." REFERENCE "RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS RFC 3547 - Section: 6.3.4. Replay/Reflection Attack Protection" ::= { gdoiGmTekEntry 16 } gdoiGmTekOriginalLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the SA Life Type defined in RFC 2407 which specifies the maximum time for which a TEK IPsec SA is valid. The GCKS may refresh the TEK at any time before the end of the valid period. The value is a four (4) octet (32-bit) number defining a valid time period in seconds." REFERENCE "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 17 } gdoiGmTekRemainingLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "Seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The value of the remaining time for which a TEK is valid. The value is a four (4) octet (32-bit) number which begins at the value of gdoiGmTekOriginalLifetime and counts down to zero in seconds. If the lifetime has already expired, this value should remain at zero (0) until the GCKS refreshes the TEK." REFERENCE "RFC 2407 - Section: 4.5 IPSEC Security Assoc. Attributes RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP" ::= { gdoiGmTekEntry 18 } gdoiGmTekStatus OBJECT-TYPE SYNTAX GdoiTekStatus MAX-ACCESS read-only STATUS current DESCRIPTION "The status of the TEK Policy/SA. When this status value is queried, one of the following is returned: inbound(1), outbound(2), notInUse(3)." ::= { gdoiGmTekEntry 19 } Roosta, et al. Expires August 30, 2010 [Page 72] Internet-Draft GDOI MIB module February 2010 -- ------------------------------------------------------------------ -- -- GDOI MIB Conformance & Compliance Information -- ------------------------------------------------------------------ -- -- -- *---------------------------------------------------------------- -- -- * GDOI MIB Conformance Information -- *---------------------------------------------------------------- -- gdoiMIBGroups OBJECT IDENTIFIER ::= { gdoiMIBConformance 1 } gdoiMIBCompliances OBJECT IDENTIFIER ::= { gdoiMIBConformance 2 } -- #-------------------------------------------------------------- -- -- # GDOI MIB Units/Groups of Conformance -- #-------------------------------------------------------------- -- gdoiGroupIdGroup OBJECT-GROUP OBJECTS { gdoiGroupIdLength, gdoiGroupName } STATUS current DESCRIPTION "This group consists of: 1) GDOI Group Table" ::= { gdoiMIBGroups 1 } gdoiKeyServerGroup OBJECT-GROUP OBJECTS { gdoiKeyServerIdLength, gdoiKeyServerActiveKEK, gdoiKeyServerRekeysPushed } STATUS current DESCRIPTION "This group consists of: 1) GDOI Key Server Table" ::= { gdoiMIBGroups 2 } gdoiGmGroup OBJECT-GROUP OBJECTS { gdoiGmIdLength, gdoiGmRegKeyServerIdType, gdoiGmRegKeyServerIdLength, gdoiGmRegKeyServerIdValue, gdoiGmActiveKEK, gdoiGmRekeysReceived } Roosta, et al. Expires August 30, 2010 [Page 73] Internet-Draft GDOI MIB module February 2010 STATUS current DESCRIPTION "This group consists of: 1) GDOI GM Table" ::= { gdoiMIBGroups 3 } gdoiKsSecurityAssociationsGroup OBJECT-GROUP OBJECTS { gdoiKsKekSrcIdType, gdoiKsKekSrcIdLength, gdoiKsKekSrcIdValue, gdoiKsKekSrcIdPort, gdoiKsKekDstIdType, gdoiKsKekDstIdLength, gdoiKsKekDstIdValue, gdoiKsKekDstIdPort, gdoiKsKekRekeyIdType, gdoiKsKekRekeyIdLength, gdoiKsKekRekeyIdValue, gdoiKsKekIpProtocol, gdoiKsKekPopAlg, gdoiKsKekPopKeyLength, gdoiKsKekMgmtAlg, gdoiKsKekEncryptAlg, gdoiKsKekEncryptKeyLength, gdoiKsKekSigHashAlg, gdoiKsKekSigAlg, gdoiKsKekSigKeyLength, gdoiKsKekOakleyGroup, gdoiKsKekOriginalLifetime, gdoiKsKekRemainingLifetime, gdoiKsKekStatus, gdoiKsTekSrcIdType, gdoiKsTekSrcIdLength, gdoiKsTekSrcIdValue, gdoiKsTekSrcIdPort, gdoiKsTekDstIdType, gdoiKsTekDstIdLength, gdoiKsTekDstIdValue, gdoiKsTekDstIdPort, gdoiKsTekSecurityProtocol, gdoiKsTekEncapsulationMode, gdoiKsTekEncryptionAlgorithm, gdoiKsTekEncryptionKeyLength, gdoiKsTekIntegrityAlgorithm, gdoiKsTekIntegrityKeyLength, gdoiKsTekWindowSize, Roosta, et al. Expires August 30, 2010 [Page 74] Internet-Draft GDOI MIB module February 2010 gdoiKsTekOriginalLifetime, gdoiKsTekRemainingLifetime, gdoiKsTekStatus } STATUS current DESCRIPTION "This group consists of: 1) GDOI Key Server KEK Policy/SA Table 2) GDOI Key Server TEK Policy Table" ::= { gdoiMIBGroups 4 } gdoiGmSecurityAssociationsGroup OBJECT-GROUP OBJECTS { gdoiGmKekSrcIdType, gdoiGmKekSrcIdLength, gdoiGmKekSrcIdValue, gdoiGmKekSrcIdPort, gdoiGmKekDstIdType, gdoiGmKekDstIdLength, gdoiGmKekDstIdValue, gdoiGmKekDstIdPort, gdoiGmKekRekeyIdType, gdoiGmKekRekeyIdLength, gdoiGmKekRekeyIdValue, gdoiGmKekIpProtocol, gdoiGmKekPopAlg, gdoiGmKekPopKeyLength, gdoiGmKekMgmtAlg, gdoiGmKekEncryptAlg, gdoiGmKekEncryptKeyLength, gdoiGmKekSigHashAlg, gdoiGmKekSigAlg, gdoiGmKekSigKeyLength, gdoiGmKekOakleyGroup, gdoiGmKekOriginalLifetime, gdoiGmKekRemainingLifetime, gdoiGmKekStatus, gdoiGmTekSrcIdType, gdoiGmTekSrcIdLength, gdoiGmTekSrcIdValue, gdoiGmTekSrcIdPort, gdoiGmTekDstIdType, gdoiGmTekDstIdLength, gdoiGmTekDstIdValue, gdoiGmTekDstIdPort, gdoiGmTekSecurityProtocol, gdoiGmTekEncapsulationMode, gdoiGmTekEncryptionAlgorithm, Roosta, et al. Expires August 30, 2010 [Page 75] Internet-Draft GDOI MIB module February 2010 gdoiGmTekEncryptionKeyLength, gdoiGmTekIntegrityAlgorithm, gdoiGmTekIntegrityKeyLength, gdoiGmTekWindowSize, gdoiGmTekOriginalLifetime, gdoiGmTekRemainingLifetime, gdoiGmTekStatus } STATUS current DESCRIPTION "This group consists of: 1) GDOI Group Member KEK Policy/SA Table 2) GDOI Group Member TEK Policy/SA Table" ::= { gdoiMIBGroups 5 } gdoiKeyServerNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { gdoiKeyServerNewRegistration, gdoiKeyServerRegistrationComplete, gdoiKeyServerRekeyPushed } STATUS current DESCRIPTION "This group contains the Key Server (GCKS) notifications for the GDOI MIB." ::= { gdoiMIBGroups 6 } gdoiKeyServerErrorNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { gdoiKeyServerNoRsaKeys } STATUS current DESCRIPTION "This group contains the Key Server (GCKS) error notifications for the GDOI MIB." ::= { gdoiMIBGroups 7 } gdoiGmNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { gdoiGmRegister, gdoiGmRegistrationComplete, gdoiGmReRegister, gdoiGmRekeyReceived } STATUS current DESCRIPTION "This group contains the Group Member (GM) notifications for the GDOI MIB." Roosta, et al. Expires August 30, 2010 [Page 76] Internet-Draft GDOI MIB module February 2010 ::= { gdoiMIBGroups 8 } gdoiGmErrorNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { gdoiGmIncompleteCfg, gdoiGmNoIpSecFlows, gdoiGmRekeyFailure } STATUS current DESCRIPTION "This group contains the Group Member (GM) error notifications for the GDOI MIB." ::= { gdoiMIBGroups 9 } -- #-------------------------------------------------------------- -- -- # GDOI MIB Compliance Statements -- #-------------------------------------------------------------- -- gdoiMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "At minimum, only GDOI Group Member functionality is required so only objects associated with and needed by Group Members are mandatory to implement. If Key Server functionality is also implemented, all other objects will need to be implemented as well." MODULE -- this module MANDATORY-GROUPS { gdoiGroupIdGroup, gdoiGmSecurityAssociationsGroup, gdoiGmGroup } GROUP gdoiKeyServerGroup DESCRIPTION "Implementation of this group is for any network device that supports being the Group Controller Key Server (GCKS)." GROUP gdoiKsSecurityAssociationsGroup DESCRIPTION "Implementation of this group is for any network device that supports being the Group Controller Key Server (GCKS)." GROUP gdoiKeyServerNotificationGroup DESCRIPTION "Implementation of this group is for any network device that supports the sending of notifications & being the GCKS." Roosta, et al. Expires August 30, 2010 [Page 77] Internet-Draft GDOI MIB module February 2010 GROUP gdoiKeyServerErrorNotificationGroup DESCRIPTION "Implementation of this group is for any network device that supports the sending of notifications & being the GCKS." GROUP gdoiGmNotificationGroup DESCRIPTION "Implementation of this group is for any network device that supports the sending of notifications." GROUP gdoiGmErrorNotificationGroup DESCRIPTION "Implementation of this group is for any network device that supports the sending of notifications." ::= { gdoiMIBCompliances 1 } END 8. Security Considerations There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations. Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. The GDOI MIB deals with a security protocol and is not a general MIB, all information reported by any of the GDOI MIB queries should be considered sensitive. However, the most sensitive information dealing directly with security associations and algorithms are: o gdoiKekTable: this table includes the SPI, and source, destination, port and protocol infromation for a given SA which is sensitive information. o gdoiTekTable: this table includes the SPI for the KEK Roosta, et al. Expires August 30, 2010 [Page 78] Internet-Draft GDOI MIB module February 2010 o Notifications: sequence number for the KEK and TEK sent or received, gdoiKeyServerRegistrationComplete, gdoiKeyServerRekeyPushed, gdoiGmRegistrationComplete, and gdoiGmRekeyReceived. These notifications can give out some sensitive information about the group dynamics. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. 9. IANA Considerations IANA is requested to assign OID (marked xxx) under mib-2 for GDOI- STD-MIB. 10. Contributors 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, Roosta, et al. Expires August 30, 2010 [Page 79] Internet-Draft GDOI MIB module February 2010 "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC2271] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, January 1998. [RFC1155] Rose, M. and K. McCloghrie, "Structure and identification of management information for TCP/IP-based internets", STD 16, RFC 1155, May 1990. [RFC1212] Rose, M. and K. McCloghrie, "Concise MIB definitions", STD 16, RFC 1212, March 1991. [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group Domain of Interpretation", RFC 3547, July 2003. [RFC1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996. [RFC1903] McCloghrie, K., Case, J., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, January 1996. [RFC1904] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, January 1996. [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990. [RFC2272] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, January 1998. [RFC2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, January 1998. [RFC2273] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2273, January 1998. [RFC2274] Blumenthal, U., "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol Roosta, et al. Expires August 30, 2010 [Page 80] Internet-Draft GDOI MIB module February 2010 (SNMPv3)", RFC 2274, January 1998. [RFC1901] Case, J., McCloghrie, K., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996. [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996. [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996. 11.2. Informative References [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999. [RFC4181] Heard, C., "Guidelines for Authors and Reviewers of MIB Documents", BCP 111, RFC 4181, September 2005. Authors' Addresses Tanya Roosa (editor) Cisco Systems 510 McCarthy Blvd. Milpitas USA Phone: 510-220-0047 EMail: roosta@cisco.com Roosta, et al. Expires August 30, 2010 [Page 81] Internet-Draft GDOI MIB module February 2010 Sheela Rowles Cisco Systems 510 McCarthy Blvd Milpitas, CA USA Phone: 408-527-7677 Fax: EMail: sheela@cisco.com URI: Mike Hamada Cisco Systems 510 McCarthy Blvd Milpitas, CA USA Phone: 408-525-7473 Fax: EMail: michamad@cisco.com URI: Kavitha Kamarthy (editor) Cisco Systems 510 McCarthy Blvd Milpitas, CA USA Phone: 408-525-1209 Fax: EMail: kavithac@cisco.com URI: Preethi Sundaradevan Cisco Systems 510 McCarthy Blvd Milpitas, CA USA Phone: 408-424-4713 Fax: EMail: prsundar@cisco.com URI: Roosta, et al. Expires August 30, 2010 [Page 82]