-- Copyright 1995 by 3Com Corporation.  All rights reserved.
-- MIB file name: a3Com-ipso
-- available in these 3Com devices: NETBuilder bridge/routers
-- For support or more info, check 3Com's web page at http://www.3com.com

A3Com-IPSO-r1-MIB DEFINITIONS ::= BEGIN

IMPORTS
    enterprises
        FROM RFC1155-SMI
    OBJECT-TYPE
        FROM RFC-1212;

--
-- This MIB is for 3Com systems that support IP security options
--

a3Com       OBJECT IDENTIFIER ::= { enterprises 43 }
brouterMIB  OBJECT IDENTIFIER ::= { a3Com 2 }
a3ComIPSO   OBJECT IDENTIFIER ::= { brouterMIB 12 }

RowStatus ::= INTEGER {
    -- the following two values are states
    -- these values can be read or written
    active(1),
    notInService(2),

    -- the following value is a state:
    -- this value may be read, but not written
    notReady(3),

    -- the following three values are actions
    -- these values can be written, but are never read
    createAndGo(4),
    createAndWait(5),
    destroy(6)
}

-- This data type, which has the same semantics as the RowStatus
-- textual convention used in SNMPv2, is used to add and
-- delete entries from a table.
--
-- The tables in this MIB allow a subset of the functionality
-- provided by the RowStatus textual convention.  In particular,
-- row creation is allowed using only the createAndGo method.
--
-- That is, when adding entries to a table, this object
-- must be set to createAndGo(4).  The instance identifier
-- for this object will define the values of the columns
-- that make up the index.
--
-- In the same PDU, the appropriate remaining columns
-- of that row must be set as well.  The agent
-- will immediately set the value of this object to
-- active(1) if the row is correct.  If not, the agent
-- will refuse the SET request and return an
-- error code.
--
-- To modify an existing entry, it must be removed
-- and another entry with the desired changes added.
--
-- To remove an entry, set the value of this object
-- to destroy(6).

a3IPsecureCtl OBJECT-TYPE
    SYNTAX  INTEGER {
        security1108 (1),
        security1038 (2),
        noSecurity (3)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This object determines whether this system checks for IP
        security options.  If this object has the value
        security1108 (1), then the system checks for IP security
        options (per rfc1108) in each received IP packet and handles
        them accordingly.  If this object has the value
        security1038 (2), then the system checks and acts on IP
        security options per rfc1038.  If this object has the value
        noSecurity (3), the system does not check for IP security
        options."
    DEFVAL  { noSecurity }
    ::= { a3ComIPSO 1 }

a3IPsecureFileServer OBJECT-TYPE
    SYNTAX  INTEGER {
        yes (1),
        no (2)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This determines whether security options are processed when
        talking to the host identified by the UI parameter
        FileServerAddr.  If set to yes (1), the File Server is treated
        like any other host on the network.  If set to no (2), the
        File Server is treated specially.  Any security options
        received from this IP address are ignored.  Also, all basic
        security options are stripped before sending a packet to the
        File Server."
    DEFVAL  { no }
    ::= { a3ComIPSO 2 }

--
-- This next table contains port specific IP security parameters
--

a3IPsecureParamTable OBJECT-TYPE
    SYNTAX  SEQUENCE OF A3IPsecureParamEntry
    ACCESS  not-accessible
    STATUS  mandatory
    DESCRIPTION
        "This table contains a set of parameters relating to the
        configuration of IP security options."
    REFERENCE
        "RFC 1108, Security Options for the Internet Protocol."
    ::= { a3ComIPSO 3 }

a3IPsecureParamEntry OBJECT-TYPE
    SYNTAX  A3IPsecureParamEntry
    ACCESS  not-accessible
    STATUS  mandatory
    DESCRIPTION
        "Each entry in this table contains a set of IP security
        parameters specific to a particular port."
    INDEX   { a3IPsecureParamPortIndex }
    ::= { a3IPsecureParamTable 1 }

A3IPsecureParamEntry ::= SEQUENCE {
    a3IPsecureParamPortIndex        INTEGER,
    a3IPsecureParamCtl              INTEGER,
    a3IPsecureLabelDefaultLevel     INTEGER,
    a3IPsecureLabelDefaultAuth      INTEGER,
    a3IPsecureLabelSysLevel         INTEGER,
    a3IPsecureLabelSysAuth          INTEGER,
    a3IPsecureMinLevel              INTEGER,
    a3IPsecureMaxLevel              INTEGER
}

a3IPsecureParamPortIndex OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
        "This identifies the IP port to which the security parameters
        in this entry apply."
    ::= { a3IPsecureParamEntry 1 }

a3IPsecureParamCtl OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This object controls a number of parameters associated with
        IP security.  Each parameter is represented by a specific bit.
        If the bit is set, the parameter is turned on.  If the bit is
        not set, the parameter is turned off.  The state of all the
        parameters is represented by a sum of all the bits, the value
        of each bit being multiplied by 2 raised to the power of the
        position of the bit in the integer.  With bit 0 being the
        least significant bit, the table below defines the mapping of
        security parameters to bits.

            bit #   Parameter
              0     Extended
              1     BasicFirst
              2     LabelAdd
              3     LabelStrip

        If bit 0 is set, the Extended parameter is turned on.  This
        allows datagrams with extended security options to be received
        and/or transmitted from this port.

        If bit 1 is set, the BasicFirst parameter is turned on.  This
        indicates that the basic security option is always transmitted
        as the first option in the datagram, even if the packet has to
        be rearranged.  If this bit is not set, the datagram options
        are sent as is.

        If bit 2 is set, the LabelAdd parameter is turned on.  This
        ensures that all datagrams leaving this port have a label
        attached to them.  If an outgoing datagram does not have a
        label, the default label, computed for the datagram on
        receipt, is attached to it before transmission.  If this
        parameter is turned off, then datagrams without labels are
        allowed to be transmitted, and the default label is not
        attached to the datagram.

        If bit 3 is set, the LabelStrip parameter is turned on.  In
        this case, any basic security option present in the datagram
        is stripped before transmission through this port.  The
        stripping is done after all the security processing has been
        done.  If this parameter is turned off, the label is
        transmitted as is."
    DEFVAL  { 0 }
    ::= { a3IPsecureParamEntry 2 }

a3IPsecureLabelDefaultLevel OBJECT-TYPE
    SYNTAX  INTEGER {
        none (1),
        topSecret (2),
        secret (3),
        confidential (4),
        unclassified (5)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This parameter applies to packets received over this port
        that have no classification level or authority flags.  When
        such packets are received, the value of this parameter
        determines the IP security level that is attached to the
        packet before any processing is done.

        If this is set to none (1), any packet that is received
        without a security level defined in the IP header options is
        discarded.

        If this is set to any other value, any packet received without
        a security level defined in the IP header options will have
        one added according to the value of this object.  A Protection
        Authority field will also be added to these packets.  The
        contents of the field are determined by the value of
        a3IPsecureLabelDefaultAuth.

        Note, this does not imply that the label will be automatically
        attached to the packet on transmission.  This is controlled by
        the value of a3IPsecureParamCtl -- specifically, the value of
        the LabelAdd bit."
    DEFVAL  { none }
    ::= { a3IPsecureParamEntry 3 }

a3IPsecureLabelDefaultAuth OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "Like a3IPsecureLabelDefaultLevel, this parameter applies only
        to packets received over this port that have no classification
        level or authority flags.  When such packets are received, the
        value of this parameter determines the Protection Authority
        flag field that is attached to the packet before any
        processing is done.

        The individual Protection Authority flags that are included
        are determined by the individual bits that are set in the
        value of this object, with the two least significant bytes
        being of interest.  Starting from bit 7 of the INTEGER (with
        the least significant bit being numbered 0), the mapping of
        bits to Protection Authority flags is as follows (note:
        rfc1108 labels the most significant bit '0', the next most
        significant bit '1', etc),

            bit#    Prot. Auth. Flag
              7     GENSER
              6     SIOP
              5     SCI
              4     NSA
              3     DOE

        While only bits 7 through 3 have specific Protection Authority
        flags assigned to them, any 2 byte combination of bits may be
        set as long as that combination is allowed by rfc1108.

        The same 1 or 2 byte pattern of bits identified by the value
        of this object will be placed in the Protection Authority
        field of received packets with no IP security options present.
        (note: this is conditioned on a3IPsecureLabelDefaultLevel for
        this port having a value other than none (1).)

        If this object has the value 0, then no Protection Authority
        field will be added to any received packets, regardless of the
        value of a3IPsecureLabelDefaultLevel."
    DEFVAL  { 0 }
    ::= { a3IPsecureParamEntry 4 }

a3IPsecureLabelSysLevel OBJECT-TYPE
    SYNTAX  INTEGER {
        none (1),
        topSecret (2),
        secret (3),
        confidential (4),
        unclassified (5)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This parameter applies to packets originated by this system
        and sent over this port.  When such packets are sent, the
        value of this parameter determines the IP security level that
        is attached to the packet before any processing is done.

        If this is set to none (1), no IP security information is
        added to these packets.

        If this is set to any other value, any packet originated by
        this system and sent over this port will have an IP security
        level added according to the value of this object.  A
        Protection Authority field will also be added to these
        packets.  The contents of the field are determined by the
        value of a3IPsecureLabelSysAuth.

        The security level and Protection Authority flag field must
        form a label which is legal for transmission on this port.
        The range of legal values for the security level is defined by
        a3IPsecureMaxLevel and a3IPsecureMinLevel.  The set of legal
        Protection Authority flags is determined by the entries in
        a3IPsecureAuthOutTable."
    DEFVAL  { unclassified }
    ::= { a3IPsecureParamEntry 5 }

a3IPsecureLabelSysAuth OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "Like a3IPsecureLabelSysLevel, this parameter applies only to
        packets originated by this system and sent over this port.
        When such packets are sent, the value of this parameter
        determines the Protection Authority flag field that is
        attached to the packet before any processing is done.  Note,
        this is assuming a3IPsecureLabelSysLevel has a value other
        than none (1).

        The individual Protection Authority flags that are included
        are determined by the individual bits that are set in the
        value of this object, with the two least significant bytes
        being of interest.  Starting from bit 7 of the INTEGER (with
        the least significant bit being numbered 0), the mapping of
        bits to Protection Authority flags is as follows (note:
        rfc1108 labels the most significant bit '0', the next most
        significant bit '1', etc),

            bit#    Prot. Auth. Flag
              7     GENSER
              6     SIOP
              5     SCI
              4     NSA
              3     DOE

        While only bits 7 through 3 have specific Protection Authority
        flags assigned to them, any 2 byte combination of bits may be
        set as long as that combination is allowed by rfc1108.

        The same 1 or 2 byte pattern of bits identified by the value
        of this object will be placed in the Protection Authority
        field of received packets with no IP security options present.
        (note: this is conditioned on a3IPsecureLabelDefaultLevel for
        this port having a value other than none (1).)

        If this object has the value 0, then no Protection Authority
        field will be added to any received packets, regardless of the
        value of a3IPsecureLabelDefaultLevel."
    DEFVAL  { 128 }
    ::= { a3IPsecureParamEntry 6 }

a3IPsecureMinLevel OBJECT-TYPE
    SYNTAX  INTEGER {
        topSecret (1),
        secret (2),
        confidential (3),
        unclassified (4)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This defines the minimum classification level which is
        acceptable by this port.  This applies to any packet which is
        entering or leaving this port.  If the classification level is
        outside the range defined by the value of this object and the
        value of a3IPsecureMaxLevel, the packet is discarded.

        If a3IPsecureMaxLevel is set to a level less than the level
        indicated by this object, the value of this object will be
        shifted so it is equal to a3IPsecureMaxLevel.  This will
        ensure that the range of security levels identified by these
        two objects makes sense."
    DEFVAL  { unclassified }
    ::= { a3IPsecureParamEntry 7 }

a3IPsecureMaxLevel OBJECT-TYPE
    SYNTAX  INTEGER {
        topSecret (1),
        secret (2),
        confidential (3),
        unclassified (4)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This defines the maximum classification level which is
        acceptable by this port.  This applies to any packet which is
        entering or leaving this port.  If the classification level is
        outside the range defined by the value of this object and the
        value of a3IPsecureMinLevel, the packet is discarded.

        If a3IPsecureMinLevel is set to a level greater than the level
        identified by this object, the value of this object will be
        shifted so it is equal to a3IPsecureMinLevel."
    DEFVAL  { unclassified }
    ::= { a3IPsecureParamEntry 8 }

--
-- This next table defines all combinations of Protection Authority flags which
-- are allowed to be present in any packet received by a particular port.
--

a3IPsecureAuthInTable OBJECT-TYPE
    SYNTAX  SEQUENCE OF A3IPsecureAuthInEntry
    ACCESS  not-accessible
    STATUS  mandatory
    DESCRIPTION
        "This table enumerates all the combinations of Protection
        Authority flags that may be present in packets received over
        any of this system's ports."
    ::= { a3ComIPSO 4 }

a3IPsecureAuthInEntry OBJECT-TYPE
    SYNTAX  A3IPsecureAuthInEntry
    ACCESS  not-accessible
    STATUS  mandatory
    DESCRIPTION
        "Each entry in this table contains a specific combination of
        Protection Authority flags that are acceptable in packets
        received over a specific port."
    INDEX   { a3IPsecureAuthInPort, a3IPsecureAuthInFlags }
    ::= { a3IPsecureAuthInTable 1 }

A3IPsecureAuthInEntry ::= SEQUENCE {
    a3IPsecureAuthInPort        INTEGER,
    a3IPsecureAuthInFlags       INTEGER,
    a3IPsecureAuthInMatch       INTEGER,
    a3IPsecureAuthInStatus      RowStatus
}

a3IPsecureAuthInPort OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
        "This identifies the port to which this entry applies."
    ::= { a3IPsecureAuthInEntry 1 }

a3IPsecureAuthInFlags OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
        "This identifies one combination of Protection Authority flags
        that is allowed to be present in any packet received by this
        port.

        The combination of Protection Authority flags that is allowed
        is determined by the individual bits that are set in the value
        of this object, with the two least significant bytes being of
        interest.  Starting from bit 7 of the INTEGER (with the least
        significant bit being numbered 0), the mapping of bits to
        Protection Authority flags is as follows (note: rfc1108 labels
        the most significant bit '0', the next most significant bit
        '1', etc),

            bit#    Prot. Auth. Flag
              7     GENSER
              6     SIOP
              5     SCI
              4     NSA
              3     DOE

        While only bits 7 through 3 have specific Protection Authority
        flags assigned to them, any 2 byte combination of bits may be
        set as long as that combination is allowed by rfc1108.

        The same 1 or 2 byte pattern of bits identified by the value
        of this object must be present in any received IP packet.

        If the value of this object is zero, packets with no
        Protection Authority flags are accepted by this port."
    ::= { a3IPsecureAuthInEntry 2 }

a3IPsecureAuthInMatch OBJECT-TYPE
    SYNTAX  INTEGER {
        exact (1),
        any (2)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "The value of this object determines whether the Protection
        Authority flags in a received packet must match the flags
        identified by the corresponding instance of
        a3IPsecureAuthInFlags exactly, or if they only have to match a
        subset of those flags.

        If the value of this object is exact (1), the match must be
        exact.  If this object has the value any (2), only a subset of
        the flags has to match."
    DEFVAL  { any }
    ::= { a3IPsecureAuthInEntry 3 }

a3IPsecureAuthInStatus OBJECT-TYPE
    SYNTAX  RowStatus
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This object is used to add and delete entries in this table.
        See the notes describing RowStatus at the beginning of this
        MIB."
    ::= { a3IPsecureAuthInEntry 4 }

--
-- This next table defines all combinations of Protection Authority flags which
-- are allowed to be present in any packet sent by a particular port.
--

a3IPsecureAuthOutTable OBJECT-TYPE
    SYNTAX  SEQUENCE OF A3IPsecureAuthOutEntry
    ACCESS  not-accessible
    STATUS  mandatory
    DESCRIPTION
        "This table enumerates all the combinations of Protection
        Authority flags that are allowed to be present in packets
        transmitted over any of this system's ports.  This does not
        apply to packets generated by this system."
    ::= { a3ComIPSO 5 }

a3IPsecureAuthOutEntry OBJECT-TYPE
    SYNTAX  A3IPsecureAuthOutEntry
    ACCESS  not-accessible
    STATUS  mandatory
    DESCRIPTION
        "Each entry in this table contains a specific combination of
        Protection Authority flags that are acceptable in packets
        transmitted over a specific port."
    INDEX   { a3IPsecureAuthOutPort, a3IPsecureAuthOutFlags }
    ::= { a3IPsecureAuthOutTable 1 }

A3IPsecureAuthOutEntry ::= SEQUENCE {
    a3IPsecureAuthOutPort       INTEGER,
    a3IPsecureAuthOutFlags      INTEGER,
    a3IPsecureAuthOutMatch      INTEGER,
    a3IPsecureAuthOutStatus     RowStatus
}

a3IPsecureAuthOutPort OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
        "This identifies the port to which this entry applies."
    ::= { a3IPsecureAuthOutEntry 1 }

a3IPsecureAuthOutFlags OBJECT-TYPE
    SYNTAX  INTEGER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
        "This identifies one combination of Protection Authority flags
        that is allowed to be present in any packet transmitted by
        this port.

        The combination of Protection Authority flags that is allowed
        is determined by the individual bits that are set in the value
        of this object, with the two least significant bytes being of
        interest.  Starting from bit 7 of the INTEGER (with the least
        significant bit being numbered 0), the mapping of bits to
        Protection Authority flags is as follows (note: rfc1108 labels
        the most significant bit '0', the next most significant bit
        '1', etc),

            bit#    Prot. Auth. Flag
              7     GENSER
              6     SIOP
              5     SCI
              4     NSA
              3     DOE

        While only bits 7 through 3 have specific Protection Authority
        flags assigned to them, any 2 byte combination of bits may be
        set as long as that combination is allowed by rfc1108.

        The same 1 or 2 byte pattern of bits identified by the value
        of this object is allowed to be present in any transmitted IP
        packet.

        If the value of this object is zero, packets with no
        Protection Authority flags are allowed to be transmitted by
        this port."
    ::= { a3IPsecureAuthOutEntry 2 }

a3IPsecureAuthOutMatch OBJECT-TYPE
    SYNTAX  INTEGER {
        exact (1),
        any (2)
    }
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "The value of this object determines whether the Protection
        Authority flags in a received packet must match the flags
        identified by the corresponding instance of
        a3IPsecureAuthOutFlags exactly, or if they only have to match
        a subset of those flags.

        If the value of this object is exact (1), the match must be
        exact.  If this object has the value any (2), only a subset of
        the flags has to match."
    DEFVAL  { any }
    ::= { a3IPsecureAuthOutEntry 3 }

a3IPsecureAuthOutStatus OBJECT-TYPE
    SYNTAX  RowStatus
    ACCESS  read-write
    STATUS  mandatory
    DESCRIPTION
        "This object is used to add and delete entries in this table.
        See the notes describing RowStatus at the beginning of this
        MIB."
    ::= { a3IPsecureAuthOutEntry 4 }

END
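The per-port objects above (a3IPsecureParamCtl, the Default level/auth pair, a3IPsecureMinLevel/MaxLevel and a3IPsecureAuthInTable) together define how a NETBuilder port decides whether an inbound datagram is accepted. The following Python model is an added example, not code from 3Com or from the MIB: it takes only the object semantics stated in the MIB and turns them into one receive-side decision so the interactions can be checked against sample values. The PortPolicy record, the function names and the sample packets are constructed for illustration. Two readings are this example's own assumptions and are marked as such in the code: any(2) is read as "the packet's flags must be a subset of the row's flags", and the default label assigned to an unlabelled packet is then checked like any other label.

```python
"""Added example, not part of the 3Com MIB: a Python model of the per-port
inbound IP Security Option policy that the a3Com-ipso objects describe.
Object semantics come from the MIB text; the PortPolicy record, the
function names and the sample values are constructed for illustration."""
from dataclasses import dataclass, field

# a3IPsecureParamCtl: bit position -> parameter (bit 0 is least significant).
PARAM_CTL_BITS = {0: "Extended", 1: "BasicFirst", 2: "LabelAdd", 3: "LabelStrip"}

# Protection Authority flags: bit position in the INTEGER -> flag name.
# The MIB numbers bits from the LSB while rfc1108 numbers them from the
# MSB, so MIB bit 7 is the first (most significant) authority bit, GENSER.
PA_FLAG_BITS = {7: "GENSER", 6: "SIOP", 5: "SCI", 4: "NSA", 3: "DOE"}

# Classification levels.  a3IPsecureMinLevel/MaxLevel use
# topSecret(1)..unclassified(4); the Default/Sys level objects use
# none(1), topSecret(2)..unclassified(5).  In both enumerations a
# numerically SMALLER value is a HIGHER classification.
NONE = 1
EXACT, ANY = 1, 2   # a3IPsecureAuthInMatch values


def decode_bits(value, table):
    """Names of the parameters or flags whose bit is set in value."""
    return {name for bit, name in table.items() if value & (1 << bit)}


def encode_bits(names, table):
    """Inverse of decode_bits: the INTEGER a manager would SET."""
    by_name = {name: bit for bit, name in table.items()}
    return sum(1 << by_name[n] for n in names)


def default_to_minmax(level):
    """Map a none/topSecret..unclassified value onto the Min/Max enumeration."""
    if level == NONE:
        raise ValueError("none(1) has no Min/Max equivalent")
    return level - 1


def clamp_after_set(min_level, max_level, changed):
    """The MIB's consistency rule: if the 'minimum' is a higher classification
    than the 'maximum' (numerically min < max), the object that was NOT just
    written ('min' or 'max') is shifted to equal the one that was."""
    if min_level < max_level:
        if changed == "max":
            min_level = max_level
        else:
            max_level = min_level
    return min_level, max_level


@dataclass
class PortPolicy:
    """One a3IPsecureParamEntry row plus that port's a3IPsecureAuthInTable
    rows (constructed record).  Field defaults are the MIB DEFVALs."""
    param_ctl: int = 0          # a3IPsecureParamCtl
    default_level: int = NONE   # a3IPsecureLabelDefaultLevel
    default_auth: int = 0       # a3IPsecureLabelDefaultAuth
    min_level: int = 4          # a3IPsecureMinLevel (unclassified)
    max_level: int = 4          # a3IPsecureMaxLevel (unclassified)
    auth_in: list = field(default_factory=list)  # [(flags, match)] rows


def level_in_range(level, policy):
    """Min/Max numbering: max (highest allowed) <= level <= min (lowest)."""
    return policy.max_level <= level <= policy.min_level


def auth_in_permitted(auth, policy):
    """exact(1): flags equal the row's flags.  any(2): read here as 'the
    packet's flags are a subset of the row's flags' (this example's
    interpretation).  No matching row, including an empty table, means
    discard (fail closed)."""
    for allowed, match in policy.auth_in:
        if match == EXACT and auth == allowed:
            return True
        if match == ANY and auth & ~allowed == 0:
            return True
    return False


def receive(level, auth, policy):
    """Decide on an inbound packet.  level/auth are the packet's basic
    security option in Min/Max numbering, or None when the packet carries
    no label.  Returns ('accept', (level, auth)) or ('discard', reason).
    Assumption: the default label is attached first and then checked like
    any other label."""
    if level is None:
        if policy.default_level == NONE:
            return ("discard", "unlabelled and a3IPsecureLabelDefaultLevel is none")
        level = default_to_minmax(policy.default_level)
        auth = policy.default_auth   # 0 means no Protection Authority field
    if not level_in_range(level, policy):
        return ("discard", "classification outside a3IPsecureMin/MaxLevel")
    if not auth_in_permitted(auth, policy):
        return ("discard", "flags not permitted by a3IPsecureAuthInTable")
    return ("accept", (level, auth))


if __name__ == "__main__":
    # Constructed port: default label unclassified/GENSER, accepts
    # secret..unclassified, GENSER-or-fewer flags via an any(2) row and
    # flag-less labels via an exact(1) row.
    port = PortPolicy(param_ctl=encode_bits({"LabelAdd"}, PARAM_CTL_BITS),
                      default_level=5, default_auth=128, min_level=4,
                      max_level=2, auth_in=[(128, ANY), (0, EXACT)])
    print(decode_bits(port.param_ctl, PARAM_CTL_BITS))
    print(receive(None, None, port))   # ('accept', (4, 128))
    print(receive(1, 128, port))       # discarded: topSecret above MaxLevel
    print(receive(3, 192, port))       # discarded: GENSER+SIOP not in table
```

Two points worth noticing when running it: the enumeration for a3IPsecureMinLevel/MaxLevel is inverted relative to intuition (topSecret is 1), so a "sane" configuration has the Min object numerically greater than or equal to the Max object, and clamp_after_set shows why the MIB shifts whichever object was not just written; and a3IPsecureLabelDefaultAuth of 0 combined with no (0, exact) row in a3IPsecureAuthInTable silently discards every unlabelled packet under the fail-closed reading used here.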
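The RowStatus notes at the top of the MIB restrict row handling to createAndGo(4) with the remaining columns in the same PDU, destroy(6) for removal, and no in-place modification. As an added example (not 3Com's agent code and not part of the MIB), the Python class below models that agent-side behaviour for a3IPsecureAuthInTable, whose instance identifier is (a3IPsecureAuthInPort, a3IPsecureAuthInFlags) and whose only other writable column is a3IPsecureAuthInMatch. The class, its method names, the varbinds dict shape and the use of SNMPv1 error names (noError, badValue) are this example's constructions; requiring a3IPsecureAuthInMatch in the createAndGo PDU follows the header's "remaining columns must be set" sentence rather than relying on its DEFVAL, which is an assumption.

```python
"""Added example, not from the 3Com MIB: an agent-side model of the
restricted RowStatus behaviour the MIB header describes, applied to
a3IPsecureAuthInTable.  The class, method names, varbinds dict shape and
SNMPv1 error names are constructed for illustration."""

ACTIVE, NOT_IN_SERVICE, NOT_READY, CREATE_AND_GO, CREATE_AND_WAIT, DESTROY = range(1, 7)
EXACT, ANY = 1, 2
STATUS_COL = "a3IPsecureAuthInStatus"
MATCH_COL = "a3IPsecureAuthInMatch"


class AuthInTable:
    """Rows keyed by the instance identifier (port, flags).  The only other
    column is a3IPsecureAuthInMatch, so that is what a createAndGo PDU must
    carry (assumption: the DEFVAL is not applied on creation)."""

    def __init__(self):
        self.rows = {}

    def status(self, port, flags):
        """What a GET of a3IPsecureAuthInStatus returns; None = no such row."""
        row = self.rows.get((port, flags))
        return row[STATUS_COL] if row else None

    def set_pdu(self, port, flags, varbinds):
        """Apply one SET PDU to instance (port, flags).  varbinds maps column
        name -> value.  Returns 'noError' or the SNMPv1 error the agent would
        send; a refused PDU changes nothing."""
        key = (port, flags)
        status = varbinds.get(STATUS_COL)
        if status == CREATE_AND_GO:
            # Creation only via createAndGo; the row must not already exist
            # and the remaining columns must arrive in the same PDU.
            if key in self.rows or MATCH_COL not in varbinds:
                return "badValue"
            if varbinds[MATCH_COL] not in (EXACT, ANY):
                return "badValue"
            # Row is correct: the agent immediately reports it as active(1).
            self.rows[key] = {MATCH_COL: varbinds[MATCH_COL], STATUS_COL: ACTIVE}
            return "noError"
        if status == DESTROY:
            # Removal; destroying an absent row is a no-op, as in the
            # SNMPv2 RowStatus convention the header refers to.
            self.rows.pop(key, None)
            return "noError"
        if status is not None:
            # notReady is read-only, createAndWait is not supported, and this
            # model does not accept writes of active/notInService either.
            return "badValue"
        # A PDU without the status column can only be an attempt to modify a
        # row in place, which the MIB disallows (remove and re-add instead).
        return "badValue" if key in self.rows else "noSuchName"

    def replace(self, port, flags, match):
        """The MIB's way to change a row: destroy it, then createAndGo it again.
        Between the two PDUs the port has no row for these flags."""
        err = self.set_pdu(port, flags, {STATUS_COL: DESTROY})
        if err != "noError":
            return err
        return self.set_pdu(port, flags, {STATUS_COL: CREATE_AND_GO, MATCH_COL: match})


if __name__ == "__main__":
    table = AuthInTable()
    # Constructed manager traffic against port 1, flags 128 (GENSER).
    print(table.set_pdu(1, 128, {STATUS_COL: CREATE_AND_GO, MATCH_COL: ANY}))  # noError
    print(table.set_pdu(1, 128, {MATCH_COL: EXACT}))   # badValue: no in-place modify
    print(table.replace(1, 128, EXACT))                # noError
    print(table.status(1, 128))                        # 1 (active)
```

The replace method makes the operational consequence of the MIB's rule visible: because modification is destroy-then-create, a change to an a3IPsecureAuthInMatch value briefly removes the permitted flag combination from the port, during which matching packets are discarded, so such changes belong in a maintenance window and should appear in the SNMP audit trail as a destroy followed by a createAndGo.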