IP Sec Conf MIB so far
Howdy,
The status of the IPsec Configuration MIB development is
'in-progress' (about 20% of the way to a -00 draft). This is pretty
early to publish such an unfinished document, but I said I would at the
IPSP meeting, so I will.
Ricky Charlet
=========================================
Internet Engineering Task Force                            Ricky Charlet
INTERNET DRAFT (well not yet really)            RedCreek Communications
18-November-2000                                   <Other Contributors>
Long Name of this MIB thing for configuring IPsec devices
ShortName
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
Table of Contents
1. Introduction
This memo defines a portion of the Management Information Base (MIB) for
use with network management protocols in the Internet community. In
particular, it defines objects for configuring IPsec devices.
This memo also includes a MIB module. This MIB module extends the list
of managed objects specified in the earlier version of this MIB: RFC 2239
[21].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [20].
IPsec devices need to be configured. This MIB provides one way to deliver
configuration information to IPsec devices. This MIB strives to maintain
strong compliance with draft-ietf-ipsp-config-policy-model-XX.txt. At the
highest level, IPsec configuration must be able to specify parameters
sufficient to handle the generic statement, "If this IP packet meets some
listed condition, then perform the associated action on the packet."
IETF work on representing IP traffic matching conditions is in progress
in the Policy Working Group. This MIB seeks to adhere to their general
architectural layout in terms of its representation of conditions.
This MIB also provides specification for configuring actions. Each
condition references an action or a named set of actions.
IPsec actions may be cryptographic transforms which require
cryptographic keys and trustable identities. To that end, this MIB also
provides the capability to configure a manual keying system, to configure
the Internet Key Exchange protocol, and to richly identify the entities
for which IPsec will provide services.
2. The SNMP Management Framework
<the standard cut-and-paste thing here about how this is standard SMI.
and where that stuff is defined>
<<QUESTION: should we also add some statements here about how this is a
SNMPCONF mib?>>
3. Textual Conventions
This section describes any SNMP Textual Conventions we decide to
introduce.
4. Discussion
<OK, now we're getting down to business. This is where we lay out the
overall architecture of the MIB and describe the major sections. I'll
kick off an incomplete starter proposal here>
This MIB is divided into a Condition Group and an Action Group. The
Condition Group provides capabilities to identify IP packets as they
pass an interface on an IP device. The Action Group contains some tables
to configure simple actions like pass and block, but also contains a
Secure Action Group which is further divided into an Identities Group, a
Key Management Group, and an IPsec Group.
IPsecPolicyConfigMib
+ Condition Group
| + <stuff for naming endpoints and identifying IP packets>
+ Action Group
| + <stuff for simple actions like pass and block>
| + Secure Group
| | +Identities Group
| | | + <stuff to hold certificates and cert filters and PSKs>
| | +KeyMgmtGroup
| | | + DH Group
| | | | + <stuff to generate new DH groups>
| | | + <stuff to config manual keys>
| | | + IKE Group
| | | | + <stuff to config IKE>
| | | | + IKE Transform Table
| | | +Kerberos Group (?? do we want to go here)
| | +IPsec Group
| | | + <stuff to config IPsec SAs and SAbundles>
| | | + ESP Transform Table
| | | + AH Transform Table
5. Security Concerns
This entire document discusses a mechanism used to configure IPsec
devices. The mechanism proposed here also provides security services of
its own apart from IPsec.
5.1 Bootstrapping configuration
<<Threats and defenses when a device is unconfigured, and you wish to
securely send initial configuration information>>
5.2 ...
5.3 ...
-- MIB
SOME-KIND-OF-SHORT-MIB-NAME ::= BEGIN
-- Module Identity Section Here
camelBackSpellingOfShortName ::= OBJECT-IDENTITY { nodeName number }
-- Imports Section Here
ConditionGroup OBJECT IDENTIFIER ::= { camelBackSpellingOfShortName 1 }
-- ================
-- Condition Group
-- Concerned With: representing and identifying IPsec endpoints for use
-- with IPsec selectors.
-- Holds: .......
-- ================
ActionGroup OBJECT IDENTIFIER ::= { camelBackSpellingOfShortName 2 }
-- ================
-- Action Group
-- Concerned With: names and specifies actions. Some actions are simple
-- (like pass and block) and belong in a table at this level. But
-- secure actions are complex and require another group to hold
-- them.
-- Holds: some tables and SecureGroup
-- ===============
SecureGroup OBJECT IDENTIFIER ::= { ActionGroup 2 }
-- ================
-- Secure Group
--
-- Holds: some tables, IdentitiesGroup, KMGroup, IPsecGroup
-- ================
IdentitiesGroup OBJECT IDENTIFIER ::= { SecureGroup 1 }
-- ================
-- IdentitiesGroup
-- Concerned With: Holding the credentials of prospective end points,
-- peers and CAs.
-- Holds: tables to hold Pre Shared Keys, certificates representing
-- endpoints, certificates representing CAs, RSA public keys of peers,
-- and certificate filters
-- ================
-- ================
-- IkeTransformTable
-- holds the parameters to implement a particular IKE SA
-- ================
IkeTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF RcV4IkeTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IkeTransformTable holds all the possible implementation
variations (which have been configured on this device)
of a Phase I SA. "
::= { KeyMgmtGroup 4 }
IkeTransformEntry OBJECT-TYPE
SYNTAX RcV4IkeTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IkeTransformEntry represents the parameters necessary to
implement a particular Phase I SA."
INDEX { IkeTransformCN }
::= { IkeTransformTable 1 }
RcV4IkeTransformEntry ::= SEQUENCE {
IkeTransformCN CommonName,
IkeAuthMethod INTEGER,
IkeIntegrityAlgorithm INTEGER,
IkeCipherAlgorithm INTEGER,
IkeCipherKeyLength Unsigned32,
IkeCipherKeyRounds Unsigned32,
IkeDHGroupType INTEGER,
IkeDHGroupRef CommonName,
IkeLifetimeSec Unsigned32,
IkeLifetimeCount Unsigned32,
IkeTransformRowStatus RowStatus
}
IkeTransformCN OBJECT-TYPE
SYNTAX CommonName
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"IkeTransformCN indexes IkeTransformTable. It provides a human
readable name for an IKE Transform."
::= { IkeTransformEntry 1 }
IkeAuthMethod OBJECT-TYPE
SYNTAX INTEGER {
preSharedKey (1),
dssSignature (2),
rsaSignature (3),
encryptWithRsa (4),
revisedEncryptWithRsa (5)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"IkeAuthMethod selects the method used to authenticate
IKE exchanges."
::= { IkeTransformEntry 2 }
IkeIntegrityAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
md5 (1),
sha (2)
-- tiger (3)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"IkeIntegrityAlgorithm selects which algorithm will be used
for integrity."
::= { IkeTransformEntry 3 }
IkeCipherAlgorithm OBJECT-TYPE
SYNTAX INTEGER {
desCbc (1),
-- ideaCbc (2),
-- blowfishCbc (3),
-- rc5Rc16B64Cbc (4),
tripleDesCbc (5)
-- castCbs (6)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"IkeCipherAlgorithm selects which algorithm will be used
for encryption/privacy."
::= { IkeTransformEntry 4 }
IkeCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Since different cipher algorithms require different lengths
of keys, IkeCipherKeyLength clarifies how long the required
key in bits will be for the cipher algorithm mentioned in
this row's IkeCipherAlgorithm field."
::= { IkeTransformEntry 5 }
IkeCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"."
::= { IkeTransformEntry 6 }
IkeDHGroupType OBJECT-TYPE
SYNTAX INTEGER {
standard (1)
-- manual (2),
-- generated (3)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"IkeDHGroupType specifies whether the DH group is to come from
the 4 standard groups listed in RFC 2409 or from a private
group. If DH groups are private, then they may either be
manually entered or algorithmically generated."
DEFVAL { standard }
::= { IkeTransformEntry 7 }
IkeDHGroupRef OBJECT-TYPE
SYNTAX CommonName
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If IkeDHGroupType is 'standard', then IkeDHGroupRef should be
one of the following strings: 'group1', 'group2',
'group3', 'group4' or 'group5'. These strings indicate
which of the five standard groups from RFC 2409 and the
son-of-ike Internet draft is to be used.
If IkeDHGroupType is 'manual' then IkeDHGroupRef should be a
common name reference to the PrivateDHGroupsTable.
If IkeDHGroupType is 'generated' then IkeDHGroupRef should be a
common name reference to the
PrivateDHGroupsGenerationTable."
DEFVAL { "group2" }
::= { IkeTransformEntry 8 }
IkeLifetimeSec OBJECT-TYPE
SYNTAX Unsigned32 (180..4294967295)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"IkeLifetimeSec is the number of seconds which this Phase I
SA is allowed to live for before re-keying."
DEFVAL { 28800 } -- 8 hrs.
::= { IkeTransformEntry 9 }
IkeLifetimeCount OBJECT-TYPE
SYNTAX Unsigned32 (2..4294967295)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"IkeLifetimeCount represents the number of kilobytes this
Phase I SA is allowed to carry before re-keying. This object
is currently unsupported, and may change in the future to
be the number of key exchanges which have occurred on this
SA."
::= { IkeTransformEntry 10 }
IkeTransformRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Row Status. See RFC1903 SNMPv2-TC"
::= { IkeTransformEntry 99 }
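The DESCRIPTION clauses above impose rules that the SMI syntax alone cannot express, most importantly that IkeDHGroupRef must agree with IkeDHGroupType. The following checker is an added example, not part of the draft MIB; it models one RcV4IkeTransformEntry row as a dict keyed by the draft's object names and applies the cross-field rule, the DEFVALs and the SYNTAX ranges. The sets standing in for PrivateDHGroupsTable and PrivateDHGroupsGenerationTable are assumptions, since the draft only names those tables.

```python
"""Consistency checks for an IkeTransformTable row (added illustration,
not part of the draft MIB)."""

# Enumeration labels as defined in the draft (commented-out labels omitted).
IKE_AUTH_METHODS = {"preSharedKey": 1, "dssSignature": 2, "rsaSignature": 3,
                    "encryptWithRsa": 4, "revisedEncryptWithRsa": 5}
IKE_INTEGRITY_ALGS = {"md5": 1, "sha": 2}
IKE_CIPHER_ALGS = {"desCbc": 1, "tripleDesCbc": 5}
IKE_DH_GROUP_TYPES = {"standard": 1, "manual": 2, "generated": 3}
STANDARD_DH_GROUPS = {"group1", "group2", "group3", "group4", "group5"}

# SYNTAX ranges; the upper bound is the Unsigned32 maximum.
LIFETIME_SEC_RANGE = (180, 4294967295)
LIFETIME_COUNT_RANGE = (2, 4294967295)

# DEFVALs from the draft, applied when a row creator omits the object.
DEFAULTS = {"IkeDHGroupType": "standard", "IkeDHGroupRef": "group2",
            "IkeLifetimeSec": 28800}


def validate_ike_transform(row, private_dh_groups=frozenset(),
                           generated_dh_groups=frozenset()):
    """Return a list of problems; an empty list means the row is consistent.

    private_dh_groups / generated_dh_groups are assumed stand-ins for the
    index sets of PrivateDHGroupsTable and PrivateDHGroupsGenerationTable,
    which the draft names but does not yet define.
    """
    r = {**DEFAULTS, **row}
    problems = []

    # Every enumerated object must carry a label the draft defines.
    for obj, labels in (("IkeAuthMethod", IKE_AUTH_METHODS),
                        ("IkeIntegrityAlgorithm", IKE_INTEGRITY_ALGS),
                        ("IkeCipherAlgorithm", IKE_CIPHER_ALGS),
                        ("IkeDHGroupType", IKE_DH_GROUP_TYPES)):
        if r.get(obj) not in labels:
            problems.append(f"{obj}: {r.get(obj)!r} is not a defined label")

    # Cross-field rule from the IkeDHGroupRef DESCRIPTION.
    ref, gtype = r.get("IkeDHGroupRef"), r.get("IkeDHGroupType")
    if gtype == "standard" and ref not in STANDARD_DH_GROUPS:
        problems.append(f"IkeDHGroupRef: {ref!r} is not one of group1..group5")
    elif gtype == "manual" and ref not in private_dh_groups:
        problems.append(f"IkeDHGroupRef: {ref!r} not in PrivateDHGroupsTable")
    elif gtype == "generated" and ref not in generated_dh_groups:
        problems.append(f"IkeDHGroupRef: {ref!r} not in PrivateDHGroupsGenerationTable")

    # Lifetimes must sit inside their SYNTAX ranges.
    for obj, (lo, hi) in (("IkeLifetimeSec", LIFETIME_SEC_RANGE),
                          ("IkeLifetimeCount", LIFETIME_COUNT_RANGE)):
        if obj in r and not (isinstance(r[obj], int) and lo <= r[obj] <= hi):
            problems.append(f"{obj}: {r[obj]!r} outside {lo}..{hi}")
    return problems


if __name__ == "__main__":
    # Constructed sample rows: one minimal row relying on DEFVALs, one
    # that names a private group the device does not have.
    print(validate_ike_transform({"IkeAuthMethod": "preSharedKey",
                                  "IkeIntegrityAlgorithm": "sha",
                                  "IkeCipherAlgorithm": "tripleDesCbc"}))
    print(validate_ike_transform({"IkeAuthMethod": "rsaSignature",
                                  "IkeIntegrityAlgorithm": "sha",
                                  "IkeCipherAlgorithm": "desCbc",
                                  "IkeDHGroupType": "manual",
                                  "IkeDHGroupRef": "myGroup",
                                  "IkeLifetimeSec": 60}))
```

An agent would run these checks at the point where IkeTransformRowStatus moves to active, returning inconsistentValue rather than instantiating an SA with a dangling DH group reference.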
IpsecActionGroup OBJECT IDENTIFIER ::= { SecureGroup 4 }
-- ================
-- IpsecActionGroup
-- Concerned With: Constructing SA and SA bundle proposals.
-- Holds: tables to configure suites of IPsec proposals, and ESP and AH
-- transforms.
-- ================
-- ================
-- EspTransformTable
-- This table sets the parameters of particular ESP transforms.
-- ================
EspTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF RcV4EspTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"EspTransformTable holds all the ways that the ESP protocol
has been configured on this device."
::= { IpsecActionGroup 3 }
EspTransformEntry OBJECT-TYPE
SYNTAX RcV4EspTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"EspTransformEntry holds the particular parameters of how to
implement an ESP transform."
INDEX { EspCN }
::= { EspTransformTable 1 }
RcV4EspTransformEntry ::= SEQUENCE {
EspCN CommonName,
EspCipherAlg INTEGER,
EspIntegrityAlg INTEGER,
EspCipherKeyLength Unsigned32,
EspCipherKeyRounds Unsigned32,
EspAntiReplay INTEGER,
EspTransformRowStatus RowStatus
}
EspCN OBJECT-TYPE
SYNTAX CommonName
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"EspCN indexes the EspTransformTable. It provides a human
readable name for an ESP Transform."
::= { EspTransformEntry 1 }
EspCipherAlg OBJECT-TYPE
SYNTAX INTEGER {
-- esp-DES-IV64 (1),
esp-DES (2),
esp-3DES (3),
-- esp-RC5 (4),
-- esp-IDEA (5),
-- esp-CAST (6),
-- esp-BLOWFISH (7),
-- esp-3IDEA (8),
-- esp-DES-IV32 (9),
-- esp-RC4 (10),
esp-NULL (11)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"EspCipherAlg specifies which algorithm will provide
encryption / privacy services for this transform.
Note, it is an error to attempt setting EspIntegrityAlg
to 'no-AUTH' and EspCipherAlg to 'esp-NULL' in the same
transform proposal."
::= { EspTransformEntry 2 }
EspIntegrityAlg OBJECT-TYPE
SYNTAX INTEGER {
hmac-MD5 (1),
hmac-SHA (2),
-- des-MAC (3),
-- kpdk (4),
no-AUTH (61440)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"EspIntegrityAlg selects which algorithm will provide
integrity services for this transform. Note, it is an
error to attempt setting EspIntegrityAlg to 'no-AUTH'
and EspCipherAlg to 'esp-NULL' in the same transform
proposal."
::= { EspTransformEntry 3 }
EspCipherKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"EspCipherKeyLength specifies the length of the key in bits
required by the cipher algorithm named in EspCipherAlg."
::= { EspTransformEntry 4 }
EspCipherKeyRounds OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"."
::= { EspTransformEntry 5 }
EspAntiReplay OBJECT-TYPE
SYNTAX INTEGER {
off (0),
standard (32),
large (64),
huge (128)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"EspAntiReplay specifies whether or not anti-replay services are
provided by this transform and if so, what the window size is.
off - anti-replay services are not provided by this transform
standard - anti-replay is on and window size is 32 packets
large - anti-replay is on and window size is 64 packets
huge - anti-replay is on and window size is 128 packets
Choosing a large or huge window size is a compromise that relaxes
security a bit in order to accommodate very low latency networks.
"
DEFVAL { standard }
::= { EspTransformEntry 6 }
EspTransformRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Row Status. See RFC1903 SNMPv2-TC"
::= { EspTransformEntry 99 }
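Two things in the ESP transform table are worth seeing in code: the rule that esp-NULL and no-AUTH may not be combined, and what the EspAntiReplay window sizes actually mean for the receiver. The block below is an added example, not code from the draft; it checks an EspTransformEntry row and implements the sliding-window anti-replay check from the IPsec architecture (RFC 2401, Appendix C) parameterised by the draft's off/standard/large/huge labels, so the effect of a larger window (more reordering tolerated, but older duplicates accepted for longer) is visible. The same window applies to AhAntiReplay, which uses identical labels. Class and function names are ours.

```python
"""ESP transform row check and the anti-replay window behind EspAntiReplay
(added illustration, not part of the draft MIB)."""

# Labels as defined in the draft (commented-out labels omitted).
ESP_CIPHER_ALGS = {"esp-DES": 2, "esp-3DES": 3, "esp-NULL": 11}
ESP_INTEGRITY_ALGS = {"hmac-MD5": 1, "hmac-SHA": 2, "no-AUTH": 61440}
ESP_ANTI_REPLAY = {"off": 0, "standard": 32, "large": 64, "huge": 128}


def esp_transform_problems(row):
    """Return problems with an EspTransformEntry row per its DESCRIPTION clauses."""
    problems = []
    cipher, integ = row.get("EspCipherAlg"), row.get("EspIntegrityAlg")
    if cipher not in ESP_CIPHER_ALGS:
        problems.append(f"EspCipherAlg: {cipher!r} is not a defined label")
    if integ not in ESP_INTEGRITY_ALGS:
        problems.append(f"EspIntegrityAlg: {integ!r} is not a defined label")
    # The draft forbids this pairing: it would be an ESP SA offering neither
    # confidentiality nor integrity.
    if cipher == "esp-NULL" and integ == "no-AUTH":
        problems.append("esp-NULL together with no-AUTH protects nothing")
    if row.get("EspAntiReplay", "standard") not in ESP_ANTI_REPLAY:
        problems.append(f"EspAntiReplay: {row['EspAntiReplay']!r} is not a defined label")
    return problems


class ReplayWindow:
    """Sliding anti-replay window; size is the window in packets (0 = off)."""

    def __init__(self, size):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    @classmethod
    def from_label(cls, label):
        """Build a window from an EspAntiReplay / AhAntiReplay label."""
        return cls(ESP_ANTI_REPLAY[label])

    def check_and_update(self, seq):
        """True if seq is fresh (and record it); False for a replay or a too-old packet."""
        if self.size == 0:
            return True                       # 'off': no anti-replay service
        if seq == 0:
            return False                      # 0 is never a valid ESP/AH sequence number
        if seq > self.top:                    # slide the window forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False                      # already seen inside the window: replay
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    # Constructed sequence: a packet 32 behind the newest one is dropped by a
    # 'standard' window but accepted by a 'large' one.
    for label in ("standard", "large"):
        w = ReplayWindow.from_label(label)
        w.check_and_update(100)
        print(label, "accepts seq 68:", w.check_and_update(68))
```

A receiver keeps one such window per inbound SA; the cost of a larger window is nothing more than a wider bitmap, which is why the draft can offer 64 and 128 as simple enumeration choices.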
-- ================
-- AhTransformTable
-- This table sets the parameters of particular AH transforms.
-- ================
AhTransformTable OBJECT-TYPE
SYNTAX SEQUENCE OF RcV4AhTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"AhTransformTable holds all the ways that the AH protocol
has been configured on this device."
::= { IpsecActionGroup 4 }
AhTransformEntry OBJECT-TYPE
SYNTAX RcV4AhTransformEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"AhTransformEntry holds the particular parameters needed
to implement this AH transform."
INDEX { AhEntryCN }
::= { AhTransformTable 1 }
RcV4AhTransformEntry ::= SEQUENCE {
AhEntryCN CommonName,
AhAuthAlg INTEGER,
AhAntiReplay INTEGER,
AhTransformRowStatus RowStatus
}
AhEntryCN OBJECT-TYPE
SYNTAX CommonName
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"AhEntryCN indexes AhTransformTable. It provides a human
readable name for an AH Transform."
::= { AhTransformEntry 1 }
AhAuthAlg OBJECT-TYPE
SYNTAX INTEGER {
ah-MD5 (2),
ah-SHA (3),
ah-DES (4)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"AhAuthAlg selects which algorithm will provide
authentication services for this transform."
::= { AhTransformEntry 2 }
AhAntiReplay OBJECT-TYPE
SYNTAX INTEGER {
off (0),
standard (32),
large (64),
huge (128)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"AhAntiReplay specifies whether or not anti-Replay service