
Re: Understanding of ipsp-xxx-mib's

On Fri, 4 Mar 2005 11:00:33 +0100 Maxim wrote:
MF> Q1. Understanding question
MF> 	After reading RFC3585, RFC3586, ipsp-ipsecpib, ipsp-spd-mib, 
MF> 	ipsp-ipsecaction-mib and ipsp-ikeaction-mib I can make the following
MF> 	statements:
MF> 	1. RFC3585 is an informational model that describes how an 
MF> 		IPSec SPD is to be logically constructed. This is a 
MF> 		hint for concrete implementations of IPSec SPD formats/languages.
MF> 	2. The ipsp WG has proposed two implementations of IPSec SPD based on
MF> 	RFC3585:
MF> 		a) ipsp-ipsecpib
MF> 		b) ipsp-spd-mib, ipsp-ipsecaction-mib and ipsp-ikeaction-mib
MF>         Are these statements roughly true?

Sounds about right to me.

MF> Q2. About ipsp-ikeaction-mib objects:
MF> 	How does an IpiaIkeActionEntry reference an IpiaIkeActionProposalsEntry?

There is no direct reference. The IpiaIkeActionProposalsTable uses the
ipaIkeActname from the IpiaIkeActionTable as the first index. So once the ike
action is created, create proposals with the same name as the first index, and
a unique priority as the second index.

MF> 	How does an IpiaIkeActionProposalsEntry reference one or more contained 
MF> 	IpiaIkeProposalEntry's?

There is a direct link here. The ipiaIkeActPropName contains the name of an ike
proposal in the ipiaIkeProposalTable.

MF> 	I found references to ipiaAhTransformTable, ipiaEspTransformTable and 
MF> 	ipiaIpcompTransformTable but no definitions of them. Are they from and
MF> 	shared with ipsp-ipsecaction-mib?

They are in the IPSEC-POLICY-MIB. There are 3 MIBs, and they all work together.

MF> Q3. Example of an IPsec rule.
MF> 	I would like to define an SPD rule which will have a filter for some
MF> 	traffic and which should cause IKE negotiation of an IPSec SA by which the
MF> 	traffic will be encrypted. To realize this I would first create a
MF> 	spdRuleDefinitionEntry and define spdRuleDefFilter. But what action or
MF> 	actions should this rule point to? As the IPsec SA negotiation should
MF> 	be performed, two actions are required: 1. IKE action to create IKE SA
MF> 	2. IPsec action to create IPsec SA
MF> 	Should the spdRuleDefAction point to an entry from
MF> 	SpdCompoundActionTable which consists of an IpiaIpsecActionEntry and an
MF> 	IpiaIkeActionEntry?

Sounds about right.

Here is an overview of the MIBs that I put together. It may help you out.
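
Added example, not part of the original message or of the MIB documents: a small Python model of the linkage described in the Q2 answers, where proposals rows attach to an IKE action through a shared first index and name their IKE proposal explicitly. The dict layout, the helper names and all row values are constructed assumptions; the check reports rows whose implicit or explicit reference does not resolve.

```python
# Added illustration. Table names follow the thread; the dict layout,
# function names and every row value below are constructed assumptions.

# IpiaIkeActionTable: one row per IKE action, indexed by action name.
ike_actions = {"ike-gw1": {}, "ike-gw2": {}}

# IpiaIkeActionProposalsTable: indexed by (action name, priority).
# The value stands in for ipiaIkeActPropName.
ike_action_proposals = {
    ("ike-gw1", 20): "aes-sha1",
    ("ike-gw1", 10): "aes-sha256",
    ("ike-gw2", 10): "3des-md5",   # names a proposal that does not exist
    ("ike-old", 10): "aes-sha1",   # first index matches no IKE action
}

# ipiaIkeProposalTable: indexed by proposal name.
ike_proposals = {"aes-sha256": {}, "aes-sha1": {}}


def proposals_for(action):
    """Proposal names attached to one IKE action.

    There is no pointer from the action row to its proposals; the join is
    the shared first index. Rows come back in ascending priority-index
    order, the order an SNMP walk of the table would return them.
    """
    rows = sorted(
        (prio, name)
        for (act, prio), name in ike_action_proposals.items()
        if act == action
    )
    return [name for _, name in rows]


def check_links():
    """Report proposals rows whose references do not resolve."""
    problems = []
    for (act, prio), name in sorted(ike_action_proposals.items()):
        if act not in ike_actions:        # implicit link via first index
            problems.append(("orphan", act, prio))
        if name not in ike_proposals:     # explicit link via ipiaIkeActPropName
            problems.append(("dangling", act, prio))
    return problems


if __name__ == "__main__":
    print(proposals_for("ike-gw1"))
    print(check_links())
```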