a3IPsecureParamPortIndex |
.1.3.6.1.4.1.43.2.12.3.1.1 |
This identifies the IP port to which the security
parameters in this entry apply.
|
a3IPsecureParamCtl |
.1.3.6.1.4.1.43.2.12.3.1.2 |
This object controls a number of parameters associated
with IP security. Each parameter is represented by
a specific bit. If the bit is set, the parameter is
turned on. If the bit is not set, the parameter is
turned off. The state of all the parameters is represented
by a sum of all the bits, the value of each bit being
multiplied by 2 raised to the power of the position
of the bit in the integer.
With bit 0 being the least significant bit, the table
below defines the mapping of security parameters to bits.
bit # Parameter
0 Extended
1 BasicFirst
2 LabelAdd
3 LabelStrip
If bit 0 is set, the Extended parameter is turned on.
This allows datagrams with extended security options to be
received and/or transmitted from this port.
If bit 1 is set, the BasicFirst parameter is turned on. This
indicates that the basic security option is always transmitted
as the first option in the datagram, even if the packet
has to be rearranged. If this bit is not set, the datagram
options are sent as is.
If bit 2 is set, the LabelAdd parameter is turned on. This
ensures that all datagrams leaving this port have a label
attached to them. If an outgoing datagram does not have
a label, the default label, computed for the datagram
on receipt, is attached to it before transmission. If this
parameter is turned off, then datagrams without labels are
allowed to be transmitted, and the default label is not
attached to the datagram.
If bit 3 is set, the LabelStrip parameter is turned on. In
this case, any basic security option present in the datagram
is stripped before transmission through this port. The
stripping is done after all the security processing has been
done. If this parameter is turned off, the label is transmitted
as is.
|
a3IPsecureLabelDefaultLevel |
.1.3.6.1.4.1.43.2.12.3.1.3 |
This parameter applies to packets received over this port
that have no classification level or authority flags.
When such packets are received, the value of this parameter
determines the IP security level that is attached to the
packet before any processing is done.
If this is set to none (1), any packet that is received
without a security level defined in the IP header options
is discarded.
If this is set to any other value, any packet received
without a security level defined in the IP header options
will have one added according to the value of this object.
A Protection Authority field will also be added to these
packets. The contents of the field are determined by the
value of a3IPsecureLabelDefaultAuth.
Note that this does not imply that the label will be automatically
attached to the packet on transmission. This is controlled
by the value of a3IPsecureParamCtl -- specifically, the value
of the LabelAdd bit.
|
a3IPsecureLabelDefaultAuth |
.1.3.6.1.4.1.43.2.12.3.1.4 |
Like a3IPsecureLabelDefaultLevel, this parameter applies
only to packets received over this port that have no
classification level or authority flags. When such
packets are received, the value of this parameter determines
the Protection Authority flag field that is attached to
the packet before any processing is done.
The individual Protection Authority flags that are included
are determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc.),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object will be placed in the Protection Authority field of
received packets with no IP security options present. (Note:
this is conditioned on a3IPsecureLabelDefaultLevel for this
port having a value other than none (1).)
If this object has the value 0, then no Protection Authority
field will be added to any received packets, regardless of the
value of a3IPsecureLabelDefaultLevel.
|
a3IPsecureLabelSysLevel |
.1.3.6.1.4.1.43.2.12.3.1.5 |
This parameter applies to packets originated by this system
and sent over this port. When such packets are sent, the
value of this parameter determines the IP security level that
is attached to the packet before any processing is done.
If this is set to none (1), no IP security information
is added to these packets.
If this is set to any other value, any packet originated
by this system and sent over this port will have an IP security
level added according to the value of this object.
A Protection Authority field will also be added to these
packets. The contents of the field are determined by the
value of a3IPsecureLabelSysAuth.
The security level and Protection Authority flag field
must form a label which is legal for transmission on this
port. The range of legal values for the security level is
defined by a3IPsecureMaxLevel and a3IPsecureMinLevel.
The set of legal Protection Authority flags is determined
by the entries in a3IPsecureAuthOutTable.
|
a3IPsecureLabelSysAuth |
.1.3.6.1.4.1.43.2.12.3.1.6 |
Like a3IPsecureLabelSysLevel, this parameter applies
only to packets originated by this system and sent over
this port. When such packets are sent, the value of this
parameter determines the Protection Authority flag field
that is attached to the packet before any processing is
done. Note that this assumes a3IPsecureLabelSysLevel has
a value other than none (1).
The individual Protection Authority flags that are included
are determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc.),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object will be placed in the Protection Authority field of
received packets with no IP security options present. (Note:
this is conditioned on a3IPsecureLabelDefaultLevel for this
port having a value other than none (1).)
If this object has the value 0, then no Protection Authority
field will be added to any received packets, regardless of the
value of a3IPsecureLabelDefaultLevel.
|
a3IPsecureMinLevel |
.1.3.6.1.4.1.43.2.12.3.1.7 |
This defines the minimum classification level which
is acceptable by this port. This applies to any packet
which is entering or leaving this port. If the
classification level is outside the range defined by
the value of this object and the value of a3IPsecureMaxLevel,
the packet is discarded.
If a3IPsecureMaxLevel is set to a level less than the level
indicated by this object, the value of this object will
be shifted so that it is equal to a3IPsecureMaxLevel. This
ensures that the range of security levels identified
by these two objects makes sense.
|
a3IPsecureMaxLevel |
.1.3.6.1.4.1.43.2.12.3.1.8 |
This defines the maximum classification level which
is acceptable by this port. This applies to any packet
which is entering or leaving this port. If the
classification level is outside the range defined by
the value of this object and the value of a3IPsecureMinLevel,
the packet is discarded.
If a3IPsecureMinLevel is set to a level greater than the
level identified by this object, the value of this object
will be shifted so it is equal to a3IPsecureMinLevel.
|
a3IPsecureAuthInPort |
.1.3.6.1.4.1.43.2.12.4.1.1 |
This identifies the port to which this entry applies.
|
a3IPsecureAuthInFlags |
.1.3.6.1.4.1.43.2.12.4.1.2 |
This identifies one combination of Protection Authority
flags that is allowed to be present in any packet
received by this port.
The combination of Protection Authority flags that is
allowed is determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc.),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object must be present in any received IP packet.
If the value of this object is zero, packets with no
Protection Authority flags are accepted by this port.
|
a3IPsecureAuthInMatch |
.1.3.6.1.4.1.43.2.12.4.1.3 |
The value of this object determines whether the
Protection Authority flags in a received packet
must match the flags identified by the corresponding
instance of a3IPsecureAuthInFlags exactly, or if they
only have to match a subset of those flags.
If the value of this object is exact (1), the match must
be exact. If this object has the value any (2), only
a subset of the flags has to match.
|
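The bit encodings described for a3IPsecureParamCtl, the Protection Authority flag objects and the a3IPsecureAuthInMatch policy, worked through as an added example (not part of the 3Com MIB text). It assumes the low byte of the MIB INTEGER is the first RFC 1108 Protection Authority octet, and reads any (2) as "the packet's flags must be a subset of the entry's flags"; both are assumptions the page does not spell out.

```python
# a3IPsecureParamCtl: bit number (LSB = 0) -> parameter name, from the MIB table.
PARAM_CTL_BITS = {0: "Extended", 1: "BasicFirst", 2: "LabelAdd", 3: "LabelStrip"}

# Protection Authority flags: MIB bit number (LSB = 0) -> flag name.
# The MIB calls the low byte's most significant bit 7; RFC 1108 calls it bit 0.
PA_BITS = {7: "GENSER", 6: "SIOP", 5: "SCI", 4: "NSA", 3: "DOE"}


def decode_param_ctl(value: int) -> dict:
    """Return {parameter: on/off} for an a3IPsecureParamCtl value."""
    if value < 0:
        raise ValueError("a3IPsecureParamCtl must be non-negative")
    return {name: bool(value & (1 << bit)) for bit, name in PARAM_CTL_BITS.items()}


def encode_param_ctl(*names: str) -> int:
    """Build the object value from parameter names: the sum of 2**bit per name."""
    by_name = {n: b for b, n in PARAM_CTL_BITS.items()}
    return sum(1 << by_name[n] for n in names)


def decode_pa_flags(value: int) -> set:
    """Return the set of Protection Authority flags encoded in a MIB value.
    Only bits 7..3 of the low byte have names; any other set bit in the two
    least significant bytes is reported as 'bit<n>' so it is never dropped."""
    flags = set()
    for bit in range(16):
        if value & (1 << bit):
            flags.add(PA_BITS.get(bit, f"bit{bit}"))
    return flags


def mib_bit_to_rfc1108_bit(mib_bit: int) -> int:
    """Convert a low-byte MIB bit number to RFC 1108 numbering (MSB = 0).
    Assumption: the low byte is the first Protection Authority octet."""
    if not 0 <= mib_bit <= 7:
        raise ValueError("only the low byte is mapped here")
    return 7 - mib_bit


def auth_in_accepts(packet_flags: int, entry_flags: int, match: int) -> bool:
    """Apply one a3IPsecureAuthInTable entry to a received packet's flags.
    match == 1 (exact): the flag patterns must be identical.
    match == 2 (any):   the packet may carry only flags present in the entry
                        (assumed reading of 'a subset of the flags has to match')."""
    if match == 1:
        return packet_flags == entry_flags
    if match == 2:
        return packet_flags & ~entry_flags == 0
    raise ValueError("a3IPsecureAuthInMatch must be exact (1) or any (2)")
```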
a3IPsecureAuthInStatus |
.1.3.6.1.4.1.43.2.12.4.1.4 |
This object is used to add and delete entries
in this table. See the notes describing
RowStatus at the beginning of this MIB.
|
a3IPsecureAuthOutPort |
.1.3.6.1.4.1.43.2.12.5.1.1 |
This identifies the port to which this entry applies.
|
a3IPsecureAuthOutFlags |
.1.3.6.1.4.1.43.2.12.5.1.2 |
This identifies one combination of Protection Authority
flags that is allowed to be present in any packet
transmitted by this port.
The combination of Protection Authority flags that is
allowed is determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc.),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object is allowed to be present in any transmitted IP packet.
If the value of this object is zero, packets with no
Protection Authority flags are allowed to be transmitted
by this port.
|
a3IPsecureAuthOutMatch |
.1.3.6.1.4.1.43.2.12.5.1.3 |
The value of this object determines whether the
Protection Authority flags in a received packet
must match the flags identified by the corresponding
instance of a3IPsecureAuthOutFlags exactly, or if they
only have to match a subset of those flags.
If the value of this object is exact (1), the match must
be exact. If this object has the value any (2), only
a subset of the flags has to match.
|
a3IPsecureAuthOutStatus |
.1.3.6.1.4.1.43.2.12.5.1.4 |
This object is used to add and delete entries
in this table. See the notes describing
RowStatus at the beginning of this MIB.
|