IPSEC-ISAKMP-IKE-DOI-TC DEFINITIONS ::= BEGIN

IMPORTS
    -- make this mib a temporary watchguard extension before it becomes RFC
    watchguard
        FROM WATCHGUARD-MIB
    -- delete next line before release
    experimental,
    MODULE-IDENTITY, Unsigned32
        FROM SNMPv2-SMI
    -- uncomment next line before release
    mib-2
        FROM RFC1213-MIB
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC;

ipsecIsakmpIkeDoiTC MODULE-IDENTITY
    LAST-UPDATED "9907132145Z"
    ORGANIZATION "Shiva"
    CONTACT-INFO
        "John Shriver
         Intel Corporation
         28 Crosby Drive
         Bedford, MA 01730
         Phone: +1-781-687-1329
         E-mail: John.Shriver@intel.com"
    DESCRIPTION
        "The MIB module which defines the textual conventions used in
         IPSEC MIBs.  This includes Internet DOI numbers defined in
         RFC 2407, ISAKMP numbers defined in RFC 2408, and IKE numbers
         defined in RFC 2409.

         These Textual Conventions are defined in a separate MIB module
         since they are protocol numbers managed by the IANA.  Revision
         control after publication will be under the authority of the
         IANA."
    REVISION "9902181705Z"
    DESCRIPTION
        "Added IsakmpDOI TEXTUAL-CONVENTION."
    REVISION "9903051545Z"
    DESCRIPTION
        "Changed CONTACT-INFO."
    REVISION "9907132145Z"
    DESCRIPTION
        "Put in real experimental branch number for module."
    REVISION "9910051705Z"
    DESCRIPTION
        "Added exchange types, tracked IKE standard.  Split
         IkeNotifyMessageType off of IsakmpNotifyMessageType."
    REVISION "9910151950Z"
    DESCRIPTION
        "Removed stray comma in IsakmpNotifyMessageType."
    -- replace xxx in next line before release, uncomment before release
    -- ::= { mib-2 xxx }
    -- delete next line before release
    -- ::= { experimental 100 }
    ::= { watchguard 100 }

-- The first group of textual conventions are based on definitions
-- in the IPSEC DOI, RFC 2407.

IpsecDoiSituation ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "x"
    STATUS       current
    DESCRIPTION
        "The IPSEC DOI Situation provides information that can be used
         by the responder to make a policy determination about how to
         process the incoming Security Association request.

         It is a four (4) octet bitmask, with the following values:

             sitIdentityOnly  0x01
             sitSecrecy       0x02
             sitIntegrity     0x04

         The upper two bits (0x80000000 and 0x40000000) are reserved
         for private use amongst cooperating systems."
    REFERENCE
        "RFC 2407 sections 4.2 and 6.2"
    SYNTAX       Unsigned32 (0..4294967295)
    -- The syntax is not BITS, because we want the representation
    -- to be the same here as it is in the ISAKMP/IKE protocols.

IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the IPSEC DOI values for the Protocol-Id field in an
         ISAKMP Proposal Payload, and in all Notification Payloads.
         They are also used as the Protocol-ID in the Notification
         Payload and the Delete Payload.

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE
        "RFC 2407 section 4.4.1"
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     protoIsakmp(1),    -- message protection
                                        -- required during Phase I
                                        -- of the IKE protocol
                     protoIpsecAh(2),   -- IP packet authentication
                                        -- via Authentication Header
                     protoIpsecEsp(3),  -- IP packet confidentiality
                                        -- via Encapsulating
                                        -- Security Payload
                     protoIpcomp(4)     -- IP payload compression
                 }

IpsecDoiTransformIdent ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPSEC DOI ISAKMP Transform Identifier is an 8-bit value
         which identifies a key exchange protocol to be used for the
         negotiation.  It is used in the Transform-Id field of an IKE
         Phase I Transform Payload.

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE
        "RFC 2407 sections 4.4.2 and 6.3"
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     keyIke(1)          -- the hybrid ISAKMP/Oakley
                                        -- Diffie-Hellman key
                                        -- exchange
                 }

IpsecDoiAhTransform ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPSEC DOI AH Transform Identifier is an 8-bit value which
         identifies a particular algorithm to be used to provide
         integrity protection for AH.  It is used in the Transform-ID
         field of an ISAKMP Transform Payload for the IPSEC DOI, when
         the Protocol-Id of the associated Proposal Payload is 2 (AH).

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE
        "RFC 2407 sections 4.4.3 and 6.4"
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     reserved1(1),      -- reserved
                     ahMd5(2),          -- generic AH transform
                                        -- using MD5
                     ahSha(3),          -- generic AH transform
                                        -- using SHA-1
                     ahDes(4)           -- generic AH transform
                                        -- using DES
                 }

IpsecDoiEspTransform ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPSEC DOI ESP Transform Identifier is an 8-bit value which
         identifies a particular algorithm to be used to provide
         secrecy protection for ESP.  It is used in the Transform-ID
         field of an ISAKMP Transform Payload for the IPSEC DOI, when
         the Protocol-Id of the associated Proposal Payload is 2 (AH),
         3 (ESP), and 4 (IPCOMP).

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE
        "RFC 2407 sections 4.4.4 and 6.5"
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     espDesIv64(1),     -- DES-CBC transform defined
                                        -- in RFC 1827 and RFC 1829
                                        -- using a 64-bit IV
                     espDes(2),         -- generic DES transform
                                        -- using DES-CBC
                     esp3Des(3),        -- generic triple-DES
                                        -- transform
                     espRc5(4),         -- RC5 transform
                     espIdea(5),        -- IDEA transform
                     espCast(6),        -- CAST transform
                     espBlowfish(7),    -- BLOWFISH transform
                     esp3Idea(8),       -- reserved for triple-IDEA
                     espDesIv32(9),     -- DES-CBC transform defined
                                        -- in RFC 1827 and RFC 1829
                                        -- using a 32-bit IV
                     espRc4(10),        -- reserved for RC4
                     espNull(11)        -- no confidentiality
                                        -- provided by ESP
                 }

IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The ESP Authentication Algorithm used in the IPSEC DOI as a SA
         Attributes definition in the Transform Payload of Phase II of
         an IKE negotiation.

         This set of values defines the AH authentication algorithm,
         when the associated Proposal Payload has a Protocol-ID of
         2 (AH).

         This set of values defines the ESP authentication algorithm,
         when the associated Proposal Payload has a Protocol-ID of
         3 (ESP).

         Values 5-61439 are reserved to IANA.  Values 61440-65535 are
         for private use.

         In a MIB, a value of 0 indicates that ESP has been negotiated
         without authentication."
    REFERENCE
        "RFC 2407 section 4.5"
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     hmacMd5(1),
                     hmacSha(2),
                     desMac(3),
                     kpdk(4)
                 }

IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPSEC DOI IPCOMP Transform Identifier is an 8-bit value
         which identifies a particular algorithm to be used to provide
         IP-level compression before ESP.  It is used in the
         Transform-ID field of an ISAKMP Transform Payload for the
         IPSEC DOI, when the Protocol-Id of the associated Proposal
         Payload is 4 (IPCOMP).

         The values 1-47 are reserved for algorithms for which an RFC
         has been approved for publication.  The values 48-63 are
         reserved for private use amongst cooperating systems.  The
         values 64-255 are reserved for future expansion."
    REFERENCE
        "RFC 2407 sections 4.4.5 and 6.6"
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     ipcompOui(1),      -- proprietary compression
                                        -- transform
                     ipcompDeflate(2),  -- "zlib" deflate algorithm
                     ipcompLzs(3)       -- Stac Electronics LZS
                 }

IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The Encapsulation Mode used as an IPSEC DOI SA Attributes
         definition in the Transform Payload of a Phase II IKE
         negotiation.

         This set of values defines encapsulation modes used for AH,
         ESP, and IPCOMP when the associated Proposal Payload has a
         Protocol-ID of 3 (ESP).

         Values 3-61439 are reserved to IANA.  Values 61440-65535 are
         for private use."
    SYNTAX       INTEGER {
                     reserved(0),       -- reserved in DOI
                     tunnel(1),
                     transport(2)
                 }

IpsecDoiIdentType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "The IPSEC DOI Identification Type is an 8-bit value which is
         used in the ID Type field as a discriminant for interpretation
         of the variable-length Identification Payload.

         The values 249-255 are reserved for private use amongst
         cooperating systems."
    REFERENCE
        "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9"
    SYNTAX       INTEGER {
                     reserved(0),           -- reserved in DOI
                     idIpv4Addr(1),         -- a single four (4) octet
                                            -- IPv4 address
                     idFqdn(2),             -- fully-qualified domain
                                            -- name string
                     idUserFqdn(3),         -- fully-qualified username
                                            -- string
                     idIpv4AddrSubnet(4),   -- a range of IPv4 addresses,
                                            -- represented by two
                                            -- four (4) octet values,
                                            -- where the first is an
                                            -- address and the second
                                            -- is a mask
                     idIpv6Addr(5),         -- a single sixteen (16)
                                            -- octet IPv6 address
                     idIpv6AddrSubnet(6),   -- a range of IPv6 addresses,
                                            -- represented by two
                                            -- sixteen (16) octet values,
                                            -- where the first is an
                                            -- address and the second
                                            -- is a mask
                     idIpv4AddrRange(7),    -- a range of IPv4 addresses,
                                            -- represented by two
                                            -- four (4) octet values,
                                            -- where the first is the
                                            -- beginning IPv4 address
                                            -- and the second is the
                                            -- ending IPv4 address
                     idIpv6AddrRange(8),    -- a range of IPv6 addresses,
                                            -- represented by two
                                            -- sixteen (16) octet values,
                                            -- where the first is the
                                            -- beginning IPv6 address
                                            -- and the second is the
                                            -- ending IPv6 address
                     idDerAsn1Dn(9),        -- the binary DER encoding of
                                            -- ASN1 X.500
                                            -- DistinguishedName
                     idDerAsn1Gn(10),       -- the binary DER encoding of
                                            -- ASN1 X.500 GeneralName
                     idKeyId(11)            -- opaque byte stream which
                                            -- may be used to pass
                                            -- vendor-specific
                                            -- information
                 }

-- The second group of textual conventions are based on definitions
-- in the ISAKMP protocol, RFC 2408.

IsakmpDOI ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the domain of interpretation values for the ISAKMP
         Protocol.  They are a 32-bit value used in the Domain of
         Interpretation field of the Security Association Payload.

         Values 2-4294967295 are reserved to the IANA."
    REFERENCE
        "RFC 2408 section 3.4."
    SYNTAX       INTEGER {
                     isakmp(0),         -- generic ISAKMP SA in
                                        -- Phase 1, which can be
                                        -- used for any protocol
                                        -- in Phase 2
                     ipsecDOI(1)        -- the IPsec DOI as
                                        -- specified in RFC 2407
                 }

IsakmpCertificateEncoding ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the values for the types of certificate-related
         information contained in the Certificate Data field of a
         Certificate Payload.  They are used in the Cert Encoding
         field of the Certificate Payload.

         Values 11-255 are reserved."
    REFERENCE
        "RFC 2408 section 3.9"
    SYNTAX       INTEGER {
                     pkcs7(1),              -- PKCS #7 wrapped
                                            -- X.509 certificate
                     pgp(2),                -- PGP Certificate
                     dnsSignedKey(3),       -- DNS Signed Key
                     x509Signature(4),      -- X.509 Certificate:
                                            -- Signature
                     x509KeyExchange(5),    -- X.509 Certificate:
                                            -- Key Exchange
                     kerberosTokens(6),     -- Kerberos Tokens
                     crl(7),                -- Certificate Revocation
                                            -- List (CRL)
                     arl(8),                -- Authority Revocation
                                            -- List (ARL)
                     spki(9),               -- SPKI Certificate
                     x509Attribute(10)      -- X.509 Certificate:
                                            -- Attribute
                 }

IsakmpExchangeType ::= TEXTUAL-CONVENTION
    --
    -- When revising IsakmpExchangeType, consider revising
    -- IkeExchangeType as well.
    --
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the values used for the exchange types in the
         ISAKMP header.

         Values up to 31 are reserved for future DOI-independent
         assignment for ISAKMP.  The values 240-255 are reserved for
         private use amongst cooperating systems."
    REFERENCE
        "RFC 2408 section 3.1"
    SYNTAX       INTEGER {
                     reserved(0),
                     base(1),               -- base mode
                     identityProtect(2),    -- identity protection
                     authOnly(3),           -- authentication only
                     aggressive(4),         -- aggressive mode
                     informational(5)       -- informational
                 }

IsakmpNotifyMessageType ::= TEXTUAL-CONVENTION
    --
    -- If you change this, you probably want to
    -- change IkeNotifyMessageType.
    --
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the values for the types of notification messages.
         They are used as the Notify Message Type field in the
         Notification Payload.

         This textual convention merges the types for error types (in
         the range 1-16386) and for notification types (in the range
         16384-65535).

         The values 16001-16383 are reserved for private use as error
         types amongst cooperating systems.

         The values 24576-32767 are reserved for use in each DOI.  Each
         DOI should have a clone of this textual convention adding
         local values.

         The values 32768-40958 are reserved for private use as
         notification types amongst cooperating systems."
    REFERENCE
        "RFC 2408 section 3.14.1"
    SYNTAX       INTEGER {
                     -- Values defined for errors in ISAKMP
                     --
                     reserved(0),           -- reserved in DOI
                     invalidPayloadType(1),
                     doiNotSupported(2),
                     situationNotSupported(3),
                     invalidCookie(4),
                     invalidMajorVersion(5),
                     invalidMinorVersion(6),
                     invalidExchangeType(7),
                     invalidFlags(8),
                     invalidMessageId(9),
                     invalidProtocolId(10),
                     invalidSpi(11),
                     invalidTransformId(12),
                     attributesNotSupported(13),
                     noProposalChosen(14),
                     badProposalSyntax(15),
                     payloadMalformed(16),
                     invalidKeyInformation(17),
                     invalidIdInformation(18),
                     invalidCertEncoding(19),
                     invalidCertificate(20),
                     certTypeUnsupported(21),
                     invalidCertAuthority(22),
                     invalidHashInformation(23),
                     authenticationFailed(24),
                     invalidSignature(25),
                     addressNotification(26),
                     notifySaLifetime(27),
                     certificateUnavailable(28),
                     unsupportedExchangeType(29),
                     unequalPayloadLengths(30)
                     -- values defined for errors in IPSEC DOI
                     --   (none)
                     -- values defined for notification in ISAKMP
                     --   (none)
                     -- values defined for notification in
                     -- each DOI (clone this TC)
                 }

-- The third group of textual conventions are based on definitions
-- in the IKE key exchange protocol, RFC 2409.

IkeExchangeType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the values used for the exchange types in the
         ISAKMP header.

         The values 32-239 are DOI-specific; these values are for the
         IPSec DOI used by IKE.  The values 240-255 are reserved for
         private use amongst cooperating systems."
    REFERENCE
        "RFC 2409 Appendix A, draft-ietf-ipsec-ike-01.txt appendix A"
    SYNTAX       INTEGER {
                     reserved(0),
                     base(1),               -- base mode
                     mainMode(2),           -- main mode
                     authOnly(3),           -- authentication only
                     aggressive(4),         -- aggressive mode
                     informational(5),      -- informational
                     quickMode(32),         -- quick mode
                     newGroupMode(33),      -- new group mode
                     acknowledgedInfo(34)   -- acknowledged informational
                 }

IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "Values for encryption algorithms negotiated for the ISAKMP SA
         by IKE in Phase I.  These are values for SA Attribute type
         Encryption Algorithm (1).

         Values 7-65000 are reserved to IANA.  Values 65001-65535 are
         for private use among mutually consenting parties."
    REFERENCE
        "RFC 2409 appendix A"
    SYNTAX       INTEGER {
                     reserved(0),           -- reserved in IKE
                     desCbc(1),             -- RFC 2405
                     ideaCbc(2),
                     blowfishCbc(3),
                     rc5R16B64Cbc(4),       -- RC5 R16 B64 CBC
                     tripleDesCbc(5),       -- 3DES CBC
                     castCbc(6)
                 }

IkeHashAlgorithm ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "Values for hash algorithms negotiated for the ISAKMP SA by IKE
         in Phase I.  These are values for SA Attribute type Hash
         Algorithm (2).

         Values 4-65000 are reserved to IANA.  Values 65001-65535 are
         for private use among mutually consenting parties."
    REFERENCE
        "RFC 2409 appendix A"
    SYNTAX       INTEGER {
                     reserved(0),           -- reserved in IKE
                     md5(1),                -- RFC 1321
                     sha(2),                -- FIPS 180-1
                     tiger(3)
                 }

IkeAuthMethod ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "Values for authentication methods negotiated for the ISAKMP SA
         by IKE in Phase I.  These are values for SA Attribute type
         Authentication Method (3).

         Values 6-65000 are reserved to IANA.  Values 65001-65535 are
         for private use among mutually consenting parties."
    REFERENCE
        "RFC 2409 appendix A, draft-ietf-ipsec-ike-01.txt appendix A"
    SYNTAX       INTEGER {
                     reserved(0),           -- reserved in IKE
                     preSharedKey(1),
                     dssSignatures(2),
                     rsaSignatures(3),
                     encryptionWithRsa(4),
                     revisedEncryptionWithRsa(5),
                     encryptionWithElGamal(6),
                     revisedEncryptionWithElGamal(7)
                 }

IkeGroupDescription ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "Values for Oakley key computation groups for Diffie-Hellman
         exchange negotiated for the ISAKMP SA by IKE in Phase I.  They
         are also used in Phase II when perfect forward secrecy is in
         use.  These are values for SA Attribute type Group
         Description (4)."
    REFERENCE
        "RFC 2409 appendix A, draft-ietf-ipsec-ike-01.txt appendix A"
    SYNTAX       INTEGER {
                     reserved(0),           -- reserved in IKE
                     modp768(1),            -- default 768-bit MODP group
                     modp1024(2),           -- alternate 1024-bit MODP
                                            -- group
                     ec2nGalois2P155(3),    -- EC2N group on Galois
                                            -- Field GF[2^155]
                     ec2nGalois2P185(4),    -- EC2N group on Galois
                                            -- Field GF[2^185]
                     modp1536(5)            -- alternate 1536-bit MODP
                                            -- group
                 }

IkeGroupType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "Values for Oakley key computation group types negotiated for
         the ISAKMP SA by IKE in Phase I.  They are also used in
         Phase II when perfect forward secrecy is in use.  These are
         values for SA Attribute type Group Type (5)."
    REFERENCE
        "RFC 2409 appendix A"
    SYNTAX       INTEGER {
                     reserved(0),           -- reserved in IKE
                     modp(1),               -- modular exponentiation
                                            -- group
                     ecp(2),                -- elliptic curve group over
                                            -- Galois Field GF[P]
                     ec2n(3)                -- elliptic curve group over
                                            -- Galois Field GF[2^N]
                 }

IkePrf ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "Values for Pseudo-Random Functions used with the hash
         algorithm negotiated for the ISAKMP SA by IKE in Phase I.
         There are currently no pseudo-random functions defined; the
         default HMAC is always used.  These are values for SA
         Attribute type PRF (13).

         Values 1-65000 are reserved to IANA.  Values 65001-65535 are
         for private use among mutually consenting parties."
    REFERENCE
        "RFC 2409 appendix A"
    SYNTAX       Unsigned32 (0..65535)

IkeNotifyMessageType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS       current
    DESCRIPTION
        "These are the values for the types of notification messages.
         They are used as the Notify Message Type field in the
         Notification Payload.

         This textual convention merges the types for error types (in
         the range 1-16386) and for notification types (in the range
         16384-65535).

         This textual convention is a merge of values defined by ISAKMP
         with the additional values defined in the IPSEC DOI.

         The values 16001-16383 are reserved for private use as error
         types amongst cooperating systems.

         The values 32001-32767 are reserved for private use as
         notification types amongst cooperating systems."
    REFERENCE
        "RFC 2408 section 3.14.1 and RFC 2407 sections 4.6.3 and 6.10"
    SYNTAX       INTEGER {
                     -- Values defined for errors in ISAKMP
                     --
                     reserved(0),           -- reserved in DOI
                     invalidPayloadType(1),
                     doiNotSupported(2),
                     situationNotSupported(3),
                     invalidCookie(4),
                     invalidMajorVersion(5),
                     invalidMinorVersion(6),
                     invalidExchangeType(7),
                     invalidFlags(8),
                     invalidMessageId(9),
                     invalidProtocolId(10),
                     invalidSpi(11),
                     invalidTransformId(12),
                     attributesNotSupported(13),
                     noProposalChosen(14),
                     badProposalSyntax(15),
                     payloadMalformed(16),
                     invalidKeyInformation(17),
                     invalidIdInformation(18),
                     invalidCertEncoding(19),
                     invalidCertificate(20),
                     certTypeUnsupported(21),
                     invalidCertAuthority(22),
                     invalidHashInformation(23),
                     authenticationFailed(24),
                     invalidSignature(25),
                     addressNotification(26),
                     notifySaLifetime(27),
                     certificateUnavailable(28),
                     unsupportedExchangeType(29),
                     unequalPayloadLengths(30),
                     -- values defined for errors in IPSEC DOI
                     --   (none)
                     -- values defined for notification in ISAKMP
                     --   (none)
                     -- values defined for notification in IPSEC
                     -- DOI
                     responderLifetime(24576),  -- used to communicate IPSEC
                                                -- SA lifetime chosen by the
                                                -- responder
                     replayStatus(24577),       -- used for positive
                                                -- confirmation of the
                                                -- responder's election on
                                                -- whether or not he is to
                                                -- perform anti-replay
                                                -- detection
                     initialContact(24578)      -- used when one side wishes
                                                -- to inform the other that
                                                -- this is the first SA being
                                                -- established with the
                                                -- remote system
                 }

END
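The module above only declares number spaces; a manager reading objects typed with these conventions still has to turn the raw integers back into meaning. The Python below is an added example (not part of the MIB or of any WatchGuard or IETF code) that does that for two of the conventions: it splits an IpsecDoiSituation value into its named flags, private-use bits and undefined bits, shows why Unsigned32 was preferred over BITS (under SMIv2 BITS, bit 0 is the most significant bit of the first octet, so the wire value 0x01 would have to be declared as bit 31), and classifies an IkeNotifyMessageType value into the error, private-error, DOI and private-notification ranges the description gives, looking up the name from the merged ISAKMP and IPSEC DOI tables. Where the description's error range (1-16386) overlaps the notification range (16384-65535), the code assumes the error range ends at 16383. The `doi_table` parameter and the sample value list are the author's own constructions.

```python
"""Interpreting raw values typed with the IPSEC-ISAKMP-IKE-DOI-TC conventions.

Added example, not part of the MIB module.  The tables are transcribed from
the textual conventions; the sample list at the bottom is constructed.
"""
from collections import Counter

# IpsecDoiSituation (RFC 2407 section 4.2): a four-octet bitmask kept as
# Unsigned32 so the SNMP value equals the ISAKMP/IKE wire representation.
SITUATION_FLAGS = {0x01: "sitIdentityOnly", 0x02: "sitSecrecy", 0x04: "sitIntegrity"}
SITUATION_PRIVATE_MASK = 0xC0000000            # upper two bits, private use
SITUATION_KNOWN_MASK = 0x07 | SITUATION_PRIVATE_MASK


def decode_situation(value: int) -> dict:
    """Split a Situation value into named flags, private-use bits and bits the
    DOI never defined (a peer setting those is worth logging)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Situation is a four-octet bitmask")
    return {
        "flags": [name for bit, name in SITUATION_FLAGS.items() if value & bit],
        "private_bits": value & SITUATION_PRIVATE_MASK,
        "undefined_bits": value & ~SITUATION_KNOWN_MASK & 0xFFFFFFFF,
    }


def smiv2_bits_index(mask: int) -> int:
    """Bit number a single-bit mask would need under an SMIv2 BITS syntax,
    where bit 0 is the most significant bit of the first octet.  The wire
    value 0x01 becomes bit 31, which is why the TC keeps Unsigned32."""
    if mask <= 0 or mask & (mask - 1) or mask > 0x80000000:
        raise ValueError("expected exactly one bit of a 32-bit value")
    return 31 - (mask.bit_length() - 1)


# IkeNotifyMessageType merges the ISAKMP values (RFC 2408 section 3.14.1)
# with the IPSEC DOI notifications (RFC 2407 section 4.6.3).
ISAKMP_NOTIFY = {
    1: "invalidPayloadType", 2: "doiNotSupported", 3: "situationNotSupported",
    4: "invalidCookie", 5: "invalidMajorVersion", 6: "invalidMinorVersion",
    7: "invalidExchangeType", 8: "invalidFlags", 9: "invalidMessageId",
    10: "invalidProtocolId", 11: "invalidSpi", 12: "invalidTransformId",
    13: "attributesNotSupported", 14: "noProposalChosen", 15: "badProposalSyntax",
    16: "payloadMalformed", 17: "invalidKeyInformation", 18: "invalidIdInformation",
    19: "invalidCertEncoding", 20: "invalidCertificate", 21: "certTypeUnsupported",
    22: "invalidCertAuthority", 23: "invalidHashInformation", 24: "authenticationFailed",
    25: "invalidSignature", 26: "addressNotification", 27: "notifySaLifetime",
    28: "certificateUnavailable", 29: "unsupportedExchangeType", 30: "unequalPayloadLengths",
}
IPSEC_DOI_NOTIFY = {24576: "responderLifetime", 24577: "replayStatus", 24578: "initialContact"}


def classify_notify(value: int, doi_table: dict = IPSEC_DOI_NOTIFY) -> tuple:
    """Return (name, range class) for a Notify Message Type, using the range
    boundaries stated in the IkeNotifyMessageType description.  Passing a
    different doi_table is the 'clone this TC' step for another DOI."""
    if value == 0:
        return ("reserved", "reserved")
    if 1 <= value <= 16383:                      # error types (assumed upper bound)
        cls = "private-error" if value >= 16001 else "error"
        return (ISAKMP_NOTIFY.get(value, "unassigned"), cls)
    if 16384 <= value <= 65535:                  # notification types
        if 32001 <= value <= 32767:
            return ("unassigned", "private-notification")
        if 24576 <= value <= 32767:
            return (doi_table.get(value, "unassigned"), "doi-notification")
        return ("unassigned", "notification")
    raise ValueError("Notify Message Type is a 16-bit value")


def summarize_notifies(values) -> Counter:
    """Count decoded names; a burst of authenticationFailed or
    noProposalChosen from one peer is the kind of thing to alert on."""
    return Counter(classify_notify(v)[0] for v in values)


if __name__ == "__main__":
    # Constructed sample: values as they might be read from an object
    # typed IkeNotifyMessageType.
    sample = [24, 24, 14, 24578, 16100, 24577]
    print(decode_situation(0x80000005))
    print("0x01 under BITS would be bit", smiv2_bits_index(0x01))
    for v in sample:
        print(v, classify_notify(v))
    print(summarize_notifies(sample))
```

`decode_situation` deliberately reports undefined bits separately from the private-use bits: the former indicate a peer outside the specification, the latter a cooperating system using the reserved space as the DOI allows.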