Understanding of ipsp-xxx-mib's
Hello,
I'm evaluating the IPsec SPD, IPsec action and IKE action MIBs to employ
them as an appropriate (implementation-independent) IPsec policy
language / format for IPsec-capable security devices developed by our company.
I have some questions about these MIBs.
Q1. Understanding question
After reading RFC3585, RFC3586, ipsp-ipsecpib, ipsp-spd-mib,
ipsp-ipsecaction-mib and ipsp-ikeaction-mib I can make the following
statements:
1. RFC3585 is an informational model that describes how an
IPsec SPD is to be logically constructed. This is a
hint for concrete implementations of IPsec SPD formats/languages.
2. The ipsp WG has proposed two implementations of the IPsec SPD based on RFC3585:
a) ipsp-ipsecpib
b) ipsp-spd-mib, ipsp-ipsecaction-mib and ipsp-ikeaction-mib
Are these statements roughly true?
Q2. About ipsp-ikeaction-mib objects:
How does an IpiaIkeActionEntry reference an IpiaIkeActionProposalsEntry?
How does an IpiaIkeActionProposalsEntry reference one or more contained
IpiaIkeProposalEntry entries?
I found references to ipiaAhTransformTable, ipiaEspTransformTable and
ipiaIpcompTransformTable but no definitions of them. Are they defined in and shared
with ipsp-ipsecaction-mib?
Q3. Example of an IPsec rule.
I would like to define an SPD rule which will have a filter for some traffic
and which should cause IKE negotiation of an IPsec SA by which the traffic
will be encrypted. To realize this I would first create a spdRuleDefinitionEntry
and define spdRuleDefFilter. But what action or actions should this rule point to?
As the IPsec SA negotiation should be performed, two actions are required:
1. IKE action to create the IKE SA
2. IPsec action to create the IPsec SA
Should the spdRuleDefAction point to an entry from SpdCompoundActionTable which
consists of an IpiaIpsecActionEntry and an IpiaIkeActionEntry?
Maxim Frolov.