TOC 
Internet Engineering Task ForceT. Roosta, Ed.
Internet-DraftS. Rowles
Intended status: Standards TrackM. Hamada
Expires: August 31, 2010K. Kamarthy, Ed.
 P. Sundaradevan
 Cisco Systems
 February 27, 2010


Management Information Base for the Group Domain of Interpretation
draft-kamarthy-gdoi-mib-00

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular this document describes a high-level Management Information Base for Group Domain of Interpretation (GDOI), which is used for secure group communication in Ipsec-based networks. This draft describes managed objects used for implementations of the GDOI protocol.].

Status of This Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on August 31, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.



Table of Contents

1.  Introduction
2.  The Internet-Standard Management Framework
3.  Conventions
4.  Overview
5.  Structure of the MIB Module
    5.1.  Textual Conventions
    5.2.  The GDOI MIB Module Subtree
    5.3.  The Notifications Subtree
    5.4.  The Table Structures
6.  Relationship to Other MIB Modules
    6.1.  Relationship to Other MIB
    6.2.  MIB modules required for IMPORTS
7.  Definitions
8.  Security Considerations
9.  IANA Considerations
10.  Contributors
11.  References
    11.1.  Normative References
    11.2.  Informative References




 TOC 

1.  Introduction

This memo defines the Management Information Base (MIB) for use with network management protocols. In particular it defines objects for managing the Group Domain of Interpretation (GDOI) protocol, defined by RFC3547[RFC3547] (Baugher, M., Weis, B., Hardjono, T., and H. Harney, “The Group Domain of Interpretation,” July 2003.)used for secure group communication.



 TOC 

2.  The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of [RFC3410] (Case, J., Mundy, R., Partain, D., and B. Stewart, “Introduction and Applicability Statements for Internet-Standard Management Framework,” December 2002.).

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Structure of Management Information Version 2 (SMIv2),” April 1999.), STD 58, RFC 2579 [RFC2579] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Textual Conventions for SMIv2,” April 1999.) and STD 58, RFC 2580 [RFC2580] (McCloghrie, K., Perkins, D., and J. Schoenwaelder, “Conformance Statements for SMIv2,” April 1999.).



 TOC 

3.  Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).



 TOC 

4.  Overview

To support the management needs of IPsec-based networks, we have defined the GDOI MIB (module GDOI-MIB). The MIB defines a number of objects with enumeration syntax which refer to the numbers assigned by IANA to denote specific elements. The SNMP Management Framework presently consists of five major components:

  1. An overall architecture, described in RFC 2271[RFC2271] (Harrington, D., Presuhn, R., and B. Wijnen, “An Architecture for Describing SNMP Management Frameworks,” January 1998.)
  2. Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [RFC1155] (Rose, M. and K. McCloghrie, “Structure and identification of management information for TCP/IP-based internets,” May 1990.), RFC 1212 [RFC1212] (Rose, M. and K. McCloghrie, “Concise MIB definitions,” March 1991.) and RFC 1215 [RFC1212] (Rose, M. and K. McCloghrie, “Concise MIB definitions,” March 1991.). The second version, called SMIv2, is described in RFC 1902 [RFC1902] (Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2),” January 1996.),RFC 1903 [RFC1903] (McCloghrie, K., Case, J., Rose, M., and S. Waldbusser, “Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2),” January 1996.) and RFC 1904 [RFC1904] (Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2),” January 1996.).
  3. Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [RFC1157] (Case, J., Fedor, M., Schoffstall, M., and J. Davin, “Simple Network Management Protocol (SNMP),” May 1990.). A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [RFC1901] (Case, J., McCloghrie, K., McCloghrie, K., Rose, M., and S. Waldbusser, “Introduction to Community-based SNMPv2,” January 1996.) and RFC 1906 [RFC1906] (Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2),” January 1996.). The third version of the message protocol is called SNMPv3 and described in RFC 1906 [RFC1906] (Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2),” January 1996.), RFC 2272 [RFC2272] (Case, J., Harrington, D., Presuhn, R., and B. Wijnen, “Message Processing and Dispatching for the Simple Network Management Protocol (SNMP),” January 1998.) and RFC 2274 [RFC2274] (Blumenthal, U., “User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3),” January 1998.).
  4. Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [RFC1157] (Case, J., Fedor, M., Schoffstall, M., and J. Davin, “Simple Network Management Protocol (SNMP),” May 1990.). A second set of protocol operations and associated PDU formats is described in RFC 1905 [RFC1905] (Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2),” January 1996.) .
  5. A set of fundamental applications described in RFC 2273 [RFC2273] (Levi, D., Meyer, P., and B. Stewart, “SNMPv3 Applications,” January 1998.) and the view-based access control mechanism described in RFC 2275 [RFC2275] (Wijnen, B., Presuhn, R., and K. McCloghrie, “View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP),” January 1998.).

The GDOI MIB module defined in this draft is used to manage network devices running a group-based key management protocol based on the GDOI standard. The MIB module supports management of two network entities, group member and key server. A GDOI group spans multiple devices in the network, and this GDOI MIB module can be used to model all the network entities that make up the GDOI group.



 TOC 

5.  Structure of the MIB Module

This section provides a view of the overall architecture, and describes the major MIB groups and table definitions.



 TOC 

5.1.  Textual Conventions

The following new textual conventions are introduced: GdoiIdentificationType, GdoiIdentificationValue, GdoiKekSPI, GdoiIpProtocolId, GdoiKeyManagementAlgorithm, GdoiEncryptionAlgorithm, GdoiPseudoRandomFunction, GdoiIntegrityAlgorithm, GdoiSignatureMethod, GdoiDiffieHellmanGroup, GdoiEncapsulationMode, GdoiSecurityProtocol, GdoiTekSPI, GdoiKekStatus, GdoiTekStatus.



 TOC 

5.2.  The GDOI MIB Module Subtree

The following figure shows the organization of the GDOI MIB module and the dependencies among various objects. The objects at the bottom of the figure depend on the objects above them. Figure 1 shows which object of the GDOI MIB will be available for query by a network manager if only the group member resides on a networks box. Figure 2 shows the object that can be queried by the SNMP manager if only the key server is available on a box. Finally, Figure 3 shows the scenario in which both a group member and a key server reside on a box, and the MIB objects that can be queried.

                                   --------------
                                   | GDOI Group |
                                   --------------
                                        |
                                        |
                                        |
                                   --------------
                                   |  Local GM  |
                                   --------------
                                        |
                                      |   |
                                    |       |
                                 |             |
                         ------------      ------------
                         |  KEK SA  |      |  TEK SA  |
                         ------------      ------------


 Figure 1: GDOI MIB objects that are used when a group member
           is on a box


                                   --------------
                                   | GDOI Group |
                                   --------------
                                        |
                                        |
                                        |
                                   --------------
                                   |  Local KS  |
                                   --------------
                                        |
                                      |   |
                                    |       |
                                 |             |
                         ------------      ------------
                         |  KEK SA  |      |  TEK SA  |
                         ------------      ------------

Figure 2: GDOI MIB objects that are used when a key server is
          on a box



                         --------------
                         | GDOI Group |
                         --------------
                               |
                             |   |
                           |       |
                        |             |
                     |                   |
              --------------       --------------
              |  Local KS  |       |  Local GM  |
              --------------       --------------
                 |                           |
               |   |                       |    |
             |       |                   |         |
          |             |               |             |
   ------------     ------------    ------------   ------------
   |  KEK SA  |     |  TEK SA  |    |  KEK SA  |   |  TEK SA  |
   ------------     ------------    ------------   ------------


Figure 3: GDOI MIB objects that are used when a key server and a group
	  member ore n a box

The GDOI MIB module object definitions will be covered in Section 6.



 TOC 

5.3.  The Notifications Subtree

Notifications are defined to inform the management station about changes that happen on the Group Member (GM) or the Key Server (KS). The gdoiKeyServerNotifs defines the KS notifications, which are sent when the following events happens on the KS:

  1. A new group member registers to a GDOI group, gdoiKeyServerNewRegistration
  2. RSA keys were not created or they are missing, gdoiKeyServerNoRsaKeys
  3. Send the rekey to the GDOI group, gdoiKeyServerRekeyPushed

The gdoiGmNotifs defines the GM notifications, which are sent after the occurrence of the following events:

  1. Registration cannot be completed because the GDOI group configuration may be missing the group ID, server ID, or both, gdoiGmIncompleteCfg
  2. Start the registration to the key server, gdoiGmRegister
  3. Hardware limitation for IPsec flow limit reached. Cannot create any more IPsec SAs, gdoiGmNoIpSecFlows
  4. Registration to the key server is completed and the SAs are downloaded properly, gdoiGmRegistrationComplete
  5. IPsec SA created for one group may have expired or been cleared. The GM needs to reregister to the key server, gdoiGmReRegister
  6. During GDOI rekey the payload parsing failed on this group member from the key server, gdoiGmRekeyFailure
  7. The GM received the multicast rekey with the sequence number displayed, gdoiGmRekeyReceived


 TOC 

5.4.  The Table Structures

The GDOI MIB module has the following tables:



 TOC 

6.  Relationship to Other MIB Modules

This GDOI MIB module does not depend on any other MIB modules.



 TOC 

6.1.  Relationship to Other MIB

NA



 TOC 

6.2.  MIB modules required for IMPORTS

The GDOI-STD-MIB module IMPORTS objects from SNMPv2-SMI [RFC2579] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Textual Conventions for SMIv2,” April 1999.), SNMPv2-TC [RFC2578] (McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Structure of Management Information Version 2 (SMIv2),” April 1999.), SNMPv2-CONF [RFC2580] (McCloghrie, K., Perkins, D., and J. Schoenwaelder, “Conformance Statements for SMIv2,” April 1999.).



 TOC 

7.  Definitions

-- *********************************************************************
--
-- GDOI-STD-MIB: MIB for Group Domain of Interpretation (GDOI)
--
-- March 2010 - Mike Hamada, Preethi Sundaradevan, Tanya Roosta
--
-- *********************************************************************

GDOI-STD-MIB DEFINITIONS ::= BEGIN

-- ------------------------------------------------------------------ --
-- GDOI MIB Imports & Decependencies
-- ------------------------------------------------------------------ --

IMPORTS
    MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
        FROM SNMPv2-CONF

    MODULE-IDENTITY, NOTIFICATION-TYPE, OBJECT-TYPE, Counter32,
    Unsigned32, mib-2
        FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, DisplayString
        FROM SNMPv2-TC;

-- ------------------------------------------------------------------ --
-- GDOI MIB Module Identity
-- ------------------------------------------------------------------ --

gdoiStdMIB MODULE-IDENTITY
    LAST-UPDATED    "201002250545Z"             -- February 25, 2010
    ORGANIZATION    "cisco Systems, Inc."
    CONTACT-INFO
        "Mike Hamada
         cisco Systems, Inc.
         Mail: 510 McCarthy Blvd.
               SJC24/2/1
               Milpitas, CA 95035
               USA
         Phone: +1 408 525 7473
         Email: michamad@cisco.com

         Preethi Sundaradevan
         cisco Systems, Inc.
         Mail: 510 McCarthy Blvd.
               SJC24/2/1
               Milpitas, CA 95035
               USA
         Phone: +1 408 424 4713
         Email: prsundar@cisco.com

         Tanya Roosta
         cisco Systems, Inc.
         Mail: 510 McCarthy Blvd.
               SJC24/2/1
               Milpitas, CA 95035
               USA
         Phone: +1 408 424 3051
         Email: roosta@cisco.com"
    DESCRIPTION
        "This MIB module defines objects for managing the GDOI protocol.

         Copyright (c) The IETF Trust (2010).  This version of this MIB
         module is part of RFC ????; see the RFC itself for full legal
         notices."

    REVISION        "201002250545Z"             -- February 25, 2010
    DESCRIPTION     "Initial version, published as RFC ????"

    ::= { mib-2 ??? }

-- ------------------------------------------------------------------ --
-- GDOI MIB Textual Conventions
-- ------------------------------------------------------------------ --

GdoiIdentificationType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the type of value used to
         identify a GDOI entity (i.e. Group, Key Server, or Group
         Member).

         Following are the Identification Type Values:

           ID Type              Value
           -------              -----
           RESERVED               0  -- Not Used
           ID_IPV4_ADDR           1  -- ipv4Address
           ID_FQDN                2  -- domainName

           ID_RFC822_ADDR         3  -- userName
           (ID_USER_FQDN)

           ID_IPV4_ADDR_SUBNET    4  -- ipv4Subnet - Not in RFC 4306
           ID_IPV6_ADDR           5  -- ipv6Address
           ID_IPV6_ADDR_SUBNET    6  -- ipv6Subnet - Not in RFC 4306
           ID_IPV4_ADDR_RANGE     7  -- ipv4Range  - Not in RFC 4306
           ID_IPV6_ADDR_RANGE     8  -- ipv6Range  - Not in RFC 4306
           ID_DER_ASN1_DN         9  -- caDistinguishedName
           ID_DER_ASN1_GN         10 -- caGeneralName
           ID_KEY_ID              11 -- groupNumber

         Following are the mappings to the type values above:

           'ipv4Address' : a single four (4) octet IPv4 address.

           'domainName'  : a fully-qualified domain name string.  An
                example is, 'example.com'.  The string MUST not
                contain any terminators (e.g., NULL, CR, etc.).

           'userName'    : a fully-qualified RFC 822 username or email
                address string. An example is, 'jsmith@example.com'.
                The string MUST not contain any terminators.

           'ipv4Subnet'  : a range of IPv4 addresses, represented by
                two four (4) octet values concatenated together.  The
                first value is an IPv4 address.  The second is an
                IPv4 network mask.  Note that ones (1s) in the network
                mask indicate that the corresponding bit in the address
                is fixed, while zeros (0s) indicate a 'wildcard' bit.

           'ipv6Address' : a single sixteen (16) octet IPv6 address.

           'ipv6Subnet'  : a range of IPv6 addresses, represented by
                two sixteen (16) octet values concatenated together.
                The first value is an IPv6 address.  The second is an
                IPv network mask.  Note that ones (1s) in the network
                mask indicate that the corresponding bit in the address
                is fixed, while zeros (0s) indicate a 'wildcard' bit.

           'ipv4Range'   : a range of IPv4 addresses, represented by
                two four (4) octet values.  The first value is the
                beginning IPv4 address (inclusive) and the second
                value is the ending IPv4 address (inclusive).  All
                addresses falling between the two specified addresses
                are considered to be within the list.

           'ipv6Range'   : a range of IPv6 addresses, represented by
                two sixteen (16) octet values.  The first value is the
                beginning IPv6 address (inclusive) and the second
                value is the ending IPv6 address (inclusive).  All
                addresses falling between the two specified addresses
                are considered to be within the list.

           'caDistinguishedName' : the binary DER encoding of an ASN.1
                X.500 Distinguished Name [X.501].

           'caGeneralName' : the binary DER encoding of an ASN.1
                X.500 GeneralName [X.509].

           'groupNumber' : a four (4) octet group identifier."
    REFERENCE
        "IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol
         Section: IPSEC Identification Type
         http://www.iana.org/assignments/isakmp-registry

         RFC 4306 - Section: 3.5. Identification Payloads"
    SYNTAX          INTEGER {
                        ipv4Address(1),
                        domainName(2),
                        userName(3),
                        ipv4Subnet(4),
                        ipv6Address(5),
                        ipv6Subnet(6),
                        ipv4Range(7),
                        ipv6Range(8),
                        caDistinguishedName(9),
                        caGeneralName(10),
                        groupNumber(11)
                    }

GdoiIdentificationValue ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "255d"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the actual value of used to
         identify a GDOI entity (i.e. Group, Key Server, or Group
         Member).  The value of the GdoiIdentificationValue object can
         be parsed based on the value of the associated
         GdoiIdentificationType object.

         The following GdoiIdentificationType values indicate that the
         GdoiIdentificationValue object should be parsed as a binary
         string of octets with the given lengths if a length is not
         associated with the object:

           ipv4Address(1)   -- 4 octets
           ipv4Subnet(4)    -- 8 octets
           ipv6Address(5)   -- 16 octets
           ipv6Subnet(6)    -- 32 octets
           ipv4Range(7)     -- 8 octets
           ipv6Range(8)     -- 32 octets
           groupNumber(11)  -- 4 octets

         The following GdoiIdentificationType values indicate that the
         GdoiIdentificationValue object should be parsed as an ascii
         string of characters.  Note that a length MUST be associated
         associated with the object in these cases:

           domainName(2)
           userName(3)
           caDistinguishedName(9)
           caGeneralName(10)

         Note that the length of 48 octets was chosen because the
         gdoiKsKekEntry, gdoiGmKekEntry, gdoiKsTekEntry, &
         gdoiGmTekEntry will exceed the OID size limit of 255 octets
         if this size is any larger than 48 octets."
    REFERENCE
        "IANA ISAKMP Registry - 'Magic Numbers' for ISAKMP Protocol
         Section: IPSEC Identification Type
         http://www.iana.org/assignments/isakmp-registry

         RFC 4306 - Section: 3.5. Identification Payloads"
    SYNTAX          OCTET STRING (SIZE (0..48))

GdoiKekSPI ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "16x"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating a SPI (Security Parameter
         Index) of sixteen (16) octets for a KEK.  The SPI must be the
         ISAKMP Header cookie pair where the first 8 octets become the
         'Initiator Cookie' field of the GROUPKEY-PUSH message ISAKMP
         HDR, and the second 8 octets become the 'Responder Cookie' in
         the same HDR.  These cookies are assigned by the Key Server."
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK Payload"
    SYNTAX          OCTET STRING (SIZE (16))

GdoiIpProtocolId ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the IP
         Protocol being used for the rekey datagram.  Some possible
         values are:

           ID Value  ID Type
           --------  -------
              06       TCP    -- ipProtocolTCP
              17       UDP    -- ipProtocolUDP"
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK Payload"
    SYNTAX          INTEGER {
                        ipProtocolUnknown(0),
                        ipProtocolTCP(1),
                        ipProtocolUDP(2)
                    }

GdoiKeyManagementAlgorithm ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the key/KEK
         management algorithm being used to provide forward or
         backward access control (i.e. used to exclude group
         members).

         Following are the possible KEK management algorithm values &
         GdoiKeyManagementAlgorithm mappings:

           KEK Management Type  Value
           -------------------  -----
            LKH                   1  -- keyMgmtLkh"
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK Payload"
    SYNTAX          INTEGER {
                        keyMgmtNone(0),
                        keyMgmtLkh(1)
                    }

GdoiEncryptionAlgorithm ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         encryption algorithm being used.

         Following are the possible updated encryption algorithm
         values & GdoiEncryptionAlgorithm mappings after RFC 4306:

           Encryption Algorithm Type          Value
           ---------------------------------  -----
            ENCR_DES_IV64                       1  -- encrAlgDes64
            ENCR_DES                            2  -- encrAlgDes
            ENCR_3DES                           3  -- encrAlg3Des
            ENCR_RC5                            4  -- encrAlgRc5
            ENCR_IDEA                           5  -- encrAlgIdea
            ENCR_CAST                           6  -- encrAlgCast
            ENCR_BLOWFISH                       7  -- encrAlgBlowfish
            ENCR_3IDEA                          8  -- encrAlg3Idea
            ENCR_DES_IV32                       9  -- encrAlgDes32
            ENCR_NULL                           11 -- encrAlgNull
            ENCR_AES_CBC                        12 -- encrAlgAesCbc
            ENCR_AES_CTR                        13 -- encrAlgAesCtr
            ENCR_AES-CCM_8                      14 -- encrAlgAesCcm8
            ENCR_AES-CCM_12                     15 -- encrAlgAesCcm12
            ENCR_AES-CCM_16                     16 -- encrAlgAesCcm16
            AES-GCM (8-octet ICV)               18 -- encrAlgAesGcm8
            AES-GCM (12-octet ICV)              19 -- encrAlgAesGcm12
            AES-GCM (16-octet ICV)              20 -- encrAlgAesGcm16
            ENCR_NULL_AUTH_AES_GMAC             21
                -- encrAlgNullAuthAesGmac
            ENCR_CAMELLIA_CBC                   23
                -- encrAlgCamelliaCbc
            ENCR_CAMELLIA_CTR                   24
                -- encrAlgCamelliaCtr
            ENCR_CAMELLIA_CCM (8-octet ICV)     25
                -- encrAlgCamelliaCcm8
            ENCR_CAMELLIA_CCM (12-octet ICV)    26
                -- encrAlgCamelliaCcm12
            ENCR_CAMELLIA_CCM (16-octet ICV)    27
                -- encrAlgCamelliaCcm16

         Following are the possible ESP transform identifiers &
         GdoiEncryptionAlgorithm mappings from RFC 2407:

           IPsec ESP Transform ID    Value
           ------------------------  -----
            ESP_DES_IV64               1  -- encrAlgDes64
            ESP_DES                    2  -- encrAlgDes
            ESP_3DES                   3  -- encrAlg3Des
            ESP_RC5                    4  -- encrAlgRc5
            ESP_IDEA                   5  -- encrAlgIdea
            ESP_CAST                   6  -- encrAlgCast
            ESP_BLOWFISH               7  -- encrAlgBlowfish
            ESP_3IDEA                  8  -- encrAlg3Idea
            ESP_DES_IV32               9  -- encrAlgDes32
            ESP_RC4                    10 -- encrAlgRc4
            ESP_NULL                   11 -- encrAlgNull
            ESP_AES-CBC                12 -- encrAlgAesCbc
            ESP_AES-CTR                13 -- encrAlgAesCtr
            ESP_AES-CCM_8              14 -- encrAlgAesCcm8
            ESP_AES-CCM_12             15 -- encrAlgAesCcm12
            ESP_AES-CCM_16             16 -- encrAlgAesCcm16
            ESP_AES-GCM_8              18 -- encrAlgAesGcm8
            ESP_AES-GCM_12             19 -- encrAlgAesGcm12
            ESP_AES-GCM_16             20 -- encrAlgAesGcm16
            ESP_SEED_CBC               21 -- encrAlgSeedCbc
            ESP_CAMELLIA               22
                -- encrAlgCamelliaCbc, Ctr, Ccm8, Ccm12, Ccm16
            ESP_NULL_AUTH_AES-GMAC     23
                -- encrAlgNullAuthAesGmac

         Following are the possible KEK_ALGORITHM values specifying
         the encyption algorithm used with a KEK &
         GdoiEncryptionAlgorithm mappings from the GDOI RFC 3547:

           Algorithm Type  Value
           --------------  -----
            KEK_ALG_DES      1  -- encrAlgDes
            KEK_ALG_3DES     2  -- encrAlg3Des
            KEK_ALG_AES      3  -- encrAlgAesCbc"
    REFERENCE
        "IANA IKEv2 Parameters
         Section: Encryption Algorithm Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         IANA 'Magic Numbers' for ISAMP Protocol
         Section: IPSEC ESP Transform Identifiers
         http://www.iana.org/assignments/isakmp-registry

         RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
         RFC 3547 - Section: 5.3.3. KEK_ALGORITHM
         RFC 4306 - Section: 3.3.2. Transform Substructure
         RFC 4106, 4309, 4543, 5282, 5529"
    SYNTAX          INTEGER {
                        encrAlgNone(0),
                        encrAlgDes64(1),
                        encrAlgDes(2),
                        encrAlg3Des(3),
                        encrAlgRc5(4),
                        encrAlgIdea(5),
                        encrAlgCast(6),
                        encrAlgBlowfish(7),
                        encrAlg3Idea(8),
                        encrAlgDes32(9),
                        encrAlgRc4(10),
                        encrAlgNull(11),
                        encrAlgAesCbc(12),
                        encrAlgAesCtr(13),
                        encrAlgAesCcm8(14),
                        encrAlgAesCcm12(15),
                        encrAlgAesCcm16(16),
                        encrAlgAesGcm8(18),
                        encrAlgAesGcm12(19),
                        encrAlgAesGcm16(20),
                        encrAlgNullAuthAesGmac(21),
                        encrAlgCamelliaCbc(23),
                        encrAlgCamelliaCtr(24),
                        encrAlgCamelliaCcm8(25),
                        encrAlgCamelliaCcm12(26),
                        encrAlgCamelliaCcm1(27),
                        encrAlgSeedCbc(28)
                    }

GdoiPseudoRandomFunction ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         pseudo-random function (PRF) being used.

         Following are the possible updated PRF values &
         GdoiPseudoRandomFunction mappings after RFC 4306:

           Pseudo-Random Function Type        Value
           ---------------------------------  -----
            PRF_HMAC_MD5                        1  -- prfMd5Hmac
            PRF_HMAC_SHA1                       2  -- prfSha1Hmac
            PRF_HMAC_TIGER                      3  -- prfTigerHmac
            PRF_AES128_XCBC                     4  -- prfAes128Xcbc
            PRF_HMAC_SHA2_256                   5  -- prfSha2Hmac256
            PRF_HMAC_SHA2_384                   6  -- prfSha2Hmac384
            PRF_HMAC_SHA2_512                   7  -- prfSha2Hmac512
            PRF_AES128_CMAC                     8  -- prfAes128Cmac

         Following are the possible SIG_HASH_ALGORITHM values &
         GdoiPseudoRandomFunction mappings from the GDOI RFC 3547:

           Algorithm Type  Value
           --------------  -----
            SIG_HASH_MD5     1  -- prfMd5Hmac
            SIG_HASH_SHA1    2  -- prfSha1Hmac"
    REFERENCE
        "IANA IKEv2 Parameters
         Section: Pseudo-random Function Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM
         RFC 4306 - Section: 3.3.2. Transform Substructure
         RFC 4615, 4868"
    SYNTAX          INTEGER {
                        prfNone(0),
                        prfMd5Hmac(1),
                        prfSha1Hmac(2),
                        prfTigerHmac(3),
                        prfAes128Xcbc(4),
                        prfSha2Hmac256(5),
                        prfSha2Hmac384(6),
                        prfSha2Hmac512(7),
                        prfAes128Cmac(8)
                    }

GdoiIntegrityAlgorithm ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         integirty algorithm being used.

         Following are the possible updated integrity algorithm
         values & GdoiAuthenticationAlgorithm mappings after RFC 4306:

           Integrity Algorithm Type  Value
           ------------------------  -----
            AUTH_HMAC_MD5_96           1  -- authAlgMd5Hmac96
            AUTH_HMAC_SHA1_96          2  -- authAlgSha1Hmac96
            AUTH_DES_MAC               3  -- authAlgDesMac
            AUTH_KPDK_MD5              4  -- authAlgMd5Kpdk
            AUTH_AES_XCBC_96           5  -- authAlgAesXcbc96
            AUTH_HMAC_MD5_128          6  -- authAlgMd5Hmac128
            AUTH_HMAC_SHA1_160         7  -- authAlgSha1Hmac160
            AUTH_AES_CMAC_96           8  -- authAlgAesCmac96
            AUTH_AES_128_GMAC          9  -- authAlgAes128Gmac
            AUTH_AES_192_GMAC          10 -- authAlgAes192Gmac
            AUTH_AES_256_GMAC          11 -- authAlgAes256Gmac
            AUTH_HMAC_SHA2_256_128     12 -- authAlgSha2Hmac256to128
            AUTH_HMAC_SHA2_384_192     13 -- authAlgSha2Hmac384to192
            AUTH_HMAC_SHA2_512_256     14 -- authAlgSha2Hmac512to256

         Following are the possible legacy authentication algorithm
         values & GdoiAuthenticationAlgorithm mappings from RFC 2407:

           Algorithm Type  Value
           --------------  -----
            HMAC-MD5         1  -- authAlgMd5Hmac96
            HMAC-SHA         2  -- authAlgSha1Hmac96
            DES-MAC          3  -- authAlgDesMac
            KPDK             4  -- authAlgMd5Kpdk"
    REFERENCE
        "IANA IKEv2 Parameters
         Section: Integrity Algorithm Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM
         RFC 4306 - Section: 3.3.2. Transform Substructure
         RFC 4494, 4543, 4595, 4868"
    SYNTAX          INTEGER {
                        authAlgNone(0),
                        authAlgMd5Hmac96(1),
                        authAlgSha1Hmac96(2),
                        authAlgDesMac(3),
                        authAlgMd5Kpdk(4),
                        authAlgAesXcbc96(5),
                        authAlgMd5Hmac128(6),
                        authAlgSha1Hmac160(7),
                        authAlgAesCmac96(8),
                        authAlgAes128Gmac(9),
                        authAlgAes192Gmac(10),
                        authAlgAes256Gmac(11),
                        authAlgSha2Hmac256to128(12),
                        authAlgSha2Hmac384to192(13),
                        authAlgSha2Hmac512to256(14)
                    }

GdoiSignatureMethod ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         integirty algorithm being used.

         Following are the possible updated authentication method
         values & GdoiSignatureMethod mappings after RFC 4306:

           Authentication Method                Value
           -----------------------------------  -----
            RSA Digital Signature                 1  -- sigRsa
            Shared Key Message Integrity Code     2  -- sigSharedKey
            DSS Digital Signature                 3  -- sigDss
            ECDSA w/ SHA-256 (P-256 curve)        9  -- sigEcdsa256
            ECDSA w/ SHA-384 (P-384 curve)        10 -- sigEcdsa384
            ECDSA w/ SHA-512 (P-521 curve)        11 -- sigEcdsa512

         Following are the possible legacy IPsec authentication method
         values & GdoiSignatureMethod mappings from RFC 2409:

           Authentication Method             Value
           --------------------------------  -----
            Pre-Shared Key                     1  -- sigSharedKey
            DSS Signature                      2  -- sigDss
            RSA Signature                      3  -- sigRsa
            Encryption w/ RSA                  4  -- sigEncryptRsa
            Revised Encryption w/ RSA          5  -- sigRevEncryptRsa
            ECDSA w/ SHA-256 (P-256 curve)     9  -- sigEcdsa256
            ECDSA w/ SHA-384 (P-384 curve)     10 -- sigEcdsa384
            ECDSA w/ SHA-512 (P-521 curve)     11 -- sigEcdsa512

         Following are the possible POP algorithm values &
         GdoiSignatureMethod mappings from the GDOI RFC 3547:

           Algorithm Type  Value
           --------------  -----
            POP_ALG_RSA      1  -- sigRsa
            POP_ALG_DSS      2  -- sigDss
            POP_ALG_ECDSS    3  -- sigEcdsa256, 384, 512

         Following are the possible SIG_ALGORITHM values &
         GdoiSignatureMethod mappings from the GDOI RFC 3547:

           Algorithm Type  Value
           --------------  -----
            SIG_ALG_RSA      1  -- sigRsa
            SIG_ALG_DSS      2  -- sigDss
            SIG_ALG_ECDSS    3  -- sigEcdsa256, 384, 512"
    REFERENCE
        "IANA IKEv2 Parameters
         Section: Integrity Algorithm Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         RFC 2409 - Section:  Appendix A. Authentication Method
         RFC 3547 - Sections: 5.3.        SA KEK payload
                              5.3.7.      SIG_ALGORITHM
         RFC 4306 - Section:  3.8.        Authentication Payload
         RFC 4754"
    SYNTAX          INTEGER {
                        sigNone(0),
                        sigRsa(1),
                        sigSharedKey(2),
                        sigDss(3),
                        sigEncryptRsa(4),
                        sigRevEncryptRsa(5),
                        sigEcdsa256(9),
                        sigEcdsa384(10),
                        sigEcdsa512(11)
                    }

GdoiDiffieHellmanGroup ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         Diffie-Hellman Group being used.

         Following are the possible updated Diffie-Hellman Group
         values & GdoiDiffieHellmanGroup mappings after RFC 4306:

           Diffie-Hellman Group Type  Value
           -------------------------  -----
            NONE                        0  -- dhNone
            Group 1 - 768 Bit MODP      1  -- dhGroup1
            Group 2 - 1024 Bit MODP     2  -- dhGroup2
            1536-bit MODP Group         5  -- dh1536Modp
            2048-bit MODP Group         14 -- dh2048Modp
            3072-bit MODP Group         15 -- dh3072Modp
            4096-bit MODP Group         16 -- dh4096Modp
            6144-bit MODP Group         17 -- dh6144Modp
            8192-bit MODP Group         18 -- dh8192Modp
            256-bit random ECP group    19 -- dhEcp256
            84-bit random ECP group     20 -- dhEcp84
            521-bit random ECP group    21 -- dhEcp521
            1024-bit MODP w/ 160-bit    22 -- dh1024Modp160
              Prime Order Subgroup
            2048-bit MODP w/ 224-bit    23 -- dh2048Modp224
              Prime Order Subgroup
            2048-bit MODP w/ 256-bit    24 -- dh2048Modp256
              Prime Order Subgroup
            192-bit Random ECP Group    25 -- dhEcp192
            224-bit Random ECP Group    26 -- dhEcp224

         Following are the possible legacy Diffie-Hellman Group
         values & GdoiDiffieHellmanGroup mappings from RFC 2409:

           Diffie-Hellman Group Type  Value
           -------------------------  -----
            Group 1 - 768 Bit MODP      1  -- dhGroup1
            Group 2 - 1024 Bit MODP     2  -- dhGroup2
            EC2N group on GP[2^155]     3  -- dhEc2nGp155
            EC2N group on GP[2^185]     4  -- dhEc2nGp185"
    REFERENCE
        "IANA IKEv2 Parameters
         Section: Diffie-Hellman Group Transform IDs
         http://www.iana.org/assignments/ikev2-parameters

         RFC 2409 - Sections: 6.1. First Oakley Default Group
                              6.2. Second Oakley Default Group
                              6.3. Third Oakley Default Group
                              6.4. Fourth Oakley Default Group"
    SYNTAX          INTEGER {
                        dhNone(0),
                        dhGroup1(1),
                        dhGroup2(2),
                        dhEc2nGp155(3),
                        dhEc2nGp185(4),
                        dh1536Modp(5),
                        dh2048Modp(14),
                        dh3072Modp(15),
                        dh4096Modp(16),
                        dh6144Modp(17),
                        dh8192Modp(18),
                        dhEcp256(19),
                        dhEcp84(20),
                        dhEcp521(21),
                        dh1024Modp160(22),
                        dh2048Modp224(23),
                        dh2048Modp256(24),
                        dhEcp192(25),
                        dhEcp224(26)
                    }

GdoiEncapsulationMode ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         Encapsulation Mode being used.

         Following are the possible Encapsulation Mode
         values & GdoiEncapsulationMode mappings from RFC 2407:

           Encapsulation Mode            Value
           ----------------------------  -----
            Tunnel                         1  -- encapTunnel
            Transport                      2  -- encapTransport
            UDP-Encapsulated-Tunnel        3  -- encapUdpTunnel
            UDP-Encapsulated-Transport     4  -- encapUdpTransport"
    REFERENCE
        "IANA 'Magic Numbers' for ISAKMP Protocol
         Section: Encapsulation Mode
         http://www.iana.org/assignments/isakmp-registry

         RFC 2407 - Section: 4.5. IPSEC Security Assoc. Attributes
         RFC 3947"
    SYNTAX          INTEGER {
                        encapUnknown(0),
                        encapTunnel(1),
                        encapTransport(2),
                        encapUdpTunnel(3),
                        encapUdpTransport(4)
                    }

GdoiSecurityProtocol ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the identifier of the
         Security Protocol being used.

         Following are the possible Security Protocol ID
         values & GdoiSecurityProtocol mappings from the
         GDOI RFC 3547:

           Security Protocol ID    Value
           ----------------------  -----
            GDOI_PROTO_IPSEC_ESP     1  -- secProtocolIpsecEsp"
    REFERENCE
        "RFC 3547 - Section: 5.4. SA TEK Payload"
    SYNTAX          INTEGER {
                        secProtocolUnknown(0),
                        secProtocolIpsecEsp(1)
                    }

GdoiTekSPI ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "4x"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating a SPI (Security Parameter
         Index) of four (4) octets for a TEK using ESP."
    REFERENCE
        "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    SYNTAX          OCTET STRING (SIZE (16))

GdoiKekStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the status of a GDOI KEK and
         its corresponding Security Association (SA).

         'inUse' : KEK currently being used to encrypt new KEK/TEKs
         'new'   : KEK currently being sent to all peers
         'old'   : KEK that has expired and is no longer being used"
    SYNTAX          INTEGER {
                        inUse(1),
                        new(2),
                        old(3)
                    }

GdoiTekStatus ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "A textual convention indicating the status of a GDOI TEK and
         its corresponding Security Association (SA).

         'inbound'  : TEK is being used as inbound (receive) SA
         'outbound' : TEK is being used as outbound (transmit) SA
         'notInUse' : TEK is no longer being used"
    SYNTAX          INTEGER {
                        inbound(1),
                        outbound(2),
                        notInUse(3)
                    }

Unsigned16 ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "2d"
    STATUS          current
    DESCRIPTION
        "A textual convention indicating a 16-bit unsigned integer
         value."
    SYNTAX          OCTET STRING (SIZE (2))

-- ------------------------------------------------------------------ --
-- GDOI MIB Groups
-- ------------------------------------------------------------------ --

gdoiMIBNotifications    OBJECT IDENTIFIER ::= { gdoiStdMIB 0 }

gdoiMIBObjects          OBJECT IDENTIFIER ::= { gdoiStdMIB 1 }

gdoiMIBConformance      OBJECT IDENTIFIER ::= { gdoiStdMIB 2 }

-- ------------------------------------------------------------------ --
-- GDOI MIB Notifications
-- ------------------------------------------------------------------ --

--  *---------------------------------------------------------------- --
--  * GDOI Key Server (KS) Notifications
--  *---------------------------------------------------------------- --

gdoiKeyServerNewRegistration NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "A notification from a Key Server sent when a new Group
         Member registers to a GDOI Group.  This is equivalent to a
         Key Server receiving the first message of a GROUPKEY-PULL
         exchange from a Group Member."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.   GROUPKEY-PULL Exchange
                              3.4. Receiver Operations"
    ::= { gdoiMIBNotifications 1 }

gdoiKeyServerRegistrationComplete NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "A notification from a Key Server sent when a Group Member
         has successfully registered to itself.  This is equivalent
         to a Key Server sending the last message of a GROUPKEY-PULL
         exchange to the Group Member currently registering
         containing KEKs, TEKs, and their associated policies."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.   GROUPKEY-PULL Exchange
                              3.4. Receiver Operations"
    ::= { gdoiMIBNotifications 2 }

gdoiKeyServerRekeyPushed NOTIFICATION-TYPE
    OBJECTS         {
                        gdoiKeyServerRekeysPushed
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Key Srver sent when a GROUPKEY-PUSH
         message is sent to refresh KEK(s) and or TEK(s).  A rekey
         is sent  periodically by a Key Server based on a configured
         time to the Group Members registered to its GDOI Group."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              4.   GROUPKEY-PUSH Message
                              4.7. GCKS Operations"
    ::= { gdoiMIBNotifications 3 }

gdoiKeyServerNoRsaKeys NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "An error notification from a Key Server sent when an RSA key
         is not setup.  Each Key Server and Group Member needs to have
         an RSA key established. The Key Server signs the TEK rekeys
         using this RSA key, also called a Key Encryption Key (KEK).
         The Group Member verifies the authenticity of the TEK rekey
         using this RSA key."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              4.7. GCKS Operations"
    ::= { gdoiMIBNotifications 4 }

--  *---------------------------------------------------------------- --
--  * GDOI Group Member (GM) Notifications
--  *---------------------------------------------------------------- --

gdoiGmRegister NOTIFICATION-TYPE
    OBJECTS         {
                        gdoiGmRegKeyServerIdType,
                        gdoiGmRegKeyServerIdValue
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it is starting to
         register with its GDOI Group's Key Server.  Registration
         includes downloading keying & security assosiation material.
         This is equivalent to a Group Member or Initiator sending the
         first message of a GROUPKEY-PULL exchange to its Group's Key
         Server."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.   GROUPKEY-PULL Exchange
                              3.3. Initiator Operations"
    ::= { gdoiMIBNotifications 5 }

gdoiGmRegistrationComplete NOTIFICATION-TYPE
    OBJECTS         {
                        gdoiGmRegKeyServerIdType,
                        gdoiGmRegKeyServerIdValue
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it has successfully
         registered with a Key Server in its GDOI Group.  This is
         equivalent to a Group Member receiving the last message of
         a GROUPKEY-PULL exchange from the Key Server containing
         KEKs, TEKs, and their associated policies."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.   GROUPKEY-PULL Exchange
                              3.3. Initiator Operations"
    ::= { gdoiMIBNotifications 6 }

gdoiGmReRegister NOTIFICATION-TYPE
    OBJECTS         {
                        gdoiGmRegKeyServerIdType,
                        gdoiGmRegKeyServerIdValue
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it is starting to
         re-register with a Key Server in its GDOI Group.  A Group
         Member needs to re-register to the key server if its keying &
         security association material has expired and it has not
         received a rekey from the key server to refresh the material.
         This is equivalent to a Group Member sending the first
         message of a GROUPKEY-PULL exchange to the Key Server of a
         Group it is already registered with."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.   GROUPKEY-PULL Exchange
                              3.3. Initiator Operations"
    ::= { gdoiMIBNotifications 7 }

gdoiGmRekeyReceived NOTIFICATION-TYPE
    OBJECTS         {
                        gdoiGmRegKeyServerIdType,
                        gdoiGmRegKeyServerIdValue,
                        gdoiGmRekeysReceived
                    }
    STATUS          current
    DESCRIPTION
        "A notification from a Group Member when it has successfully
         received and processed a rekey from a Key Server in its GDOI
         Group.  Periodically the key server sends a rekey to refresh
         the keying & security association material.  This is
         equivalent to a Group Member receiving a GROUPKEY-PUSH
         message from the Key Server of the Group it is already
         registered with."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              4.   GROUPKEY-PUSH Message
                              4.8. Group Member Operations"
    ::= { gdoiMIBNotifications 8 }

gdoiGmIncompleteCfg NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "An error notification from a Group Member when there is
         necessary information missing from the policy/configuration
         of a Group Member on an interface when it tries to register
         with a Key Server in its GDOI Group.  If the GDOI Group
         configuration is not complete on a Group Member, it will not
         be able to  register to the Key Server."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.   GROUPKEY-PULL Exchange
                              3.3. Initiator Operations"
    ::= { gdoiMIBNotifications 9 }

gdoiGmNoIpSecFlows NOTIFICATION-TYPE
    STATUS          current
    DESCRIPTION
        "An error notification from a Group Member when no more
         security associations can be installed after receiving its
         keying & security association material.  When the Group
         Member receives the security association materials, it has
         to install the cryptographic keys and policies.  If there
         is not enough memory to install these materials, there will
         be an error thrown."
    ::= { gdoiMIBNotifications 10 }

gdoiGmRekeyFailure NOTIFICATION-TYPE
    OBJECTS         {
                        gdoiGmRegKeyServerIdType,
                        gdoiGmRegKeyServerIdValue,
                        gdoiGmRekeysReceived
                    }
    STATUS          current
    DESCRIPTION
        "An error notification from a Group Member when it is unable
         to successfully process and install a rekey (GROUPKEY-PUSH
         message) sent by the Key Server in its Group that it is
         registered with."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              4.   GROUPKEY-PUSH Message
                              4.8. Group Member Operations"
    ::= { gdoiMIBNotifications 11 }


-- ------------------------------------------------------------------ --
-- GDOI MIB Management Objects
-- ------------------------------------------------------------------ --
--
--  *---------------------------------------------------------------- --
--  * The GDOI "Group" Table
--  *---------------------------------------------------------------- --

gdoiGroupTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiGroupEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Groups in use on
         the network device being queried."
    ::= { gdoiMIBObjects 1 }

gdoiGroupEntry OBJECT-TYPE
    SYNTAX          GdoiGroupEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing GDOI Group information, uniquely
         identified by the GDOI Group ID."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
                              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue
                    }
    ::= { gdoiGroupTable 1 }

GdoiGroupEntry ::= SEQUENCE {
    gdoiGroupIdType         GdoiIdentificationType,
    gdoiGroupIdLength       Unsigned32,
    gdoiGroupIdValue        GdoiIdentificationValue,
    gdoiGroupName           DisplayString
}

gdoiGroupIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse a GDOI Group ID.
         The GDOI RFC 3547 defines the types that can be used as a
         GDOI Group ID, and RFC 4306 defines all valid types that can
         be used as an identifier.  This Group ID type is sent as the
         'ID Type' field of the Identification Payload for a GDOI
         GROUPKEY-PULL exchange."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
                              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads"
    ::= { gdoiGroupEntry 1 }

gdoiGroupIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Group ID.  If no
         length is given (i.e. it has a value of 0), the default
         length of its gdoiGroupIdType should be used as long as it
         is not reprsented by an ASCII string.  If the value has a
         type that is represented by an ASCII string, a length MUST
         be included.  If the length given is not 0, it should match
         the 'Payload Length' (subtracting the generic header length)
         of the Identification Payload for a GDOI GROUPKEY-PULL
         exchange."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
                              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads"
    ::= { gdoiGroupEntry 2 }

gdoiGroupIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of a Group ID with its type indicated by the
         gdoiGroupIdType.  Use the gdoiGroupIdType to parse the Group
         ID correctly.  This Group ID value is sent as the
         'Identification Data' field of the Identification Payload
         for a GDOI GROUPKEY-PULL exchange."
    REFERENCE
        "RFC 3547 - Sections: 5.1.1.   Identification Type Values
                              5.1.1.1. ID_KEY_ID
         RFC 4306 - Section:  3.5.     Identification Payloads"
    ::= { gdoiGroupEntry 3 }

gdoiGroupName OBJECT-TYPE
    SYNTAX          DisplayString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The string-readable name configured for or given to a GDOI
         Group."
    ::= { gdoiGroupEntry 4 }

--  *---------------------------------------------------------------- --
--  * GDOI MIB Management Object Groups
--  *---------------------------------------------------------------- --

gdoiPeers               OBJECT IDENTIFIER ::= { gdoiMIBObjects 2 }

gdoiSecAssociations     OBJECT IDENTIFIER ::= { gdoiMIBObjects 3 }

--  *---------------------------------------------------------------- --
--  * The GDOI "Peers" Group
--  *---------------------------------------------------------------- --
--
--    #-------------------------------------------------------------- --
--    # The GDOI "Key Server (KS)" Table
--    #-------------------------------------------------------------- --

gdoiKeyServerTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiKeyServerEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information for the GDOI group from the perspective
         of the Key Servers (GCKSs) on the network device being
         queried."
    ::= { gdoiPeers 1 }

gdoiKeyServerEntry OBJECT-TYPE
    SYNTAX          GdoiKeyServerEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing GDOI Key Server (KS) information,
         uniquely identified by the Group & Key Server IDs."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.4. Receiver Operations
                              4.7. GCKS Operations"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue,
                        gdoiKeyServerIdType,
                        gdoiKeyServerIdValue
                    }
    ::= { gdoiKeyServerTable 1 }

GdoiKeyServerEntry ::= SEQUENCE {
    gdoiKeyServerIdType                 GdoiIdentificationType,
    gdoiKeyServerIdLength               Unsigned32,
    gdoiKeyServerIdValue                GdoiIdentificationValue,
    gdoiKeyServerActiveKEK              GdoiKekSPI,
    gdoiKeyServerRekeysPushed           Counter32
}

gdoiKeyServerIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for a Key Server.  RFC 4306 defines all valid
         types that can be used as an identifier.  These
         identification types are sent as the 'SRC ID Type' and 'DST
         ID Type' of the KEK and TEK payloads for GDOI GROUPKEY-PULL
         and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads"
    ::= { gdoiKeyServerEntry 1 }

gdoiKeyServerIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Key Server ID.  If no
         length is given (i.e. it has a value of 0), the default
         length of its gdoiKeyServerIdType should be used as long as
         it is not reprsented by an ASCII string.  If the value has a
         type that is represented by an ASCII string, a length MUST
         be included.  If the length given is not 0, it should match
         the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in
         the KEK and TEK payloads for GDOI GROUPKEY-PULL and
         GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKeyServerEntry 2 }

gdoiKeyServerIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the identity information for a Key Server with
         its type indicated by the gdoiKeyServerIdType.  Use the
         gdoiKeyServerIdType to parse the Key Server ID correctly.
         This Key Server ID value is sent as the 'SRC
         Identification Data' and 'DST Identification Data' of the
         KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
         exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKeyServerEntry 3 }

gdoiKeyServerActiveKEK OBJECT-TYPE
    SYNTAX          GdoiKekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The SPI of the Key Encryption Key (KEK) that is currently
         being used by the Key Server to encrypt the GROUPKEY-PUSH
         keying & security association material sent to the Key
         Server's registered Group Members."
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK payload"
    ::= { gdoiKeyServerEntry 4 }

gdoiKeyServerRekeysPushed OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The sequence number of the last rekey sent from the Key
         Server to its registered Group Members for this GDOI group."
    REFERENCE
        "RFC 3547 - Sections: 3.2. Messages
                              3.4. Receiver Operations
                              4.   GROUPKEY-PUSH Message
                              4.7. GCKS Operations
                              5.6. Sequence Number Payload"
    ::= { gdoiKeyServerEntry 5 }

--    #-------------------------------------------------------------- --
--    # The GDOI "Group Members" Table
--    #-------------------------------------------------------------- --

gdoiGmTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiGmEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Group Members (GMs)
         locally configured on the network device being queried.  Note
         that Local Group Members may or may not be registered to a
         Key Server in its GDOI Group on the same network device being
         queried."
    ::= { gdoiPeers 2 }

gdoiGmEntry OBJECT-TYPE
    SYNTAX          GdoiGmEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing Local GDOI Group Member information,
         uniquely identified by Group & GM IDs. Because the Group
         Member is Local to the network device being queried, TEKs
         installed for this Group Member can be queried as well."
    REFERENCE
        "RFC 3547 - Sections: 1.   Introduction
                              3.3. Initiator Operations
                              4.8. Group Member Operations"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue,
                        gdoiGmIdType,
                        gdoiGmIdValue
                    }
    ::= { gdoiGmTable 1 }

GdoiGmEntry ::= SEQUENCE {
    gdoiGmIdType                   GdoiIdentificationType,
    gdoiGmIdLength                 Unsigned32,
    gdoiGmIdValue                  GdoiIdentificationValue,
    gdoiGmRegKeyServerIdType       GdoiIdentificationType,
    gdoiGmRegKeyServerIdLength     Unsigned32,
    gdoiGmRegKeyServerIdValue      GdoiIdentificationValue,
    gdoiGmActiveKEK                GdoiKekSPI,
    gdoiGmRekeysReceived           Counter32
}

gdoiGmIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for a Initiator or Group Member.  RFC 4306
         defines all valid types that can be used as an identifier.
         These identification types are sent as the 'SRC ID Type' and
         'DST ID Type' of the KEK and TEK payloads for GDOI
         GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads"
    ::= { gdoiGmEntry 1 }

gdoiGmIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of a Group Member ID.  If
         no length is given (i.e. it has a value of 0), the default
         length of its gdoiGmIdType should be used as long as
         it is not reprsented by an ASCII string.  If the value has a
         type that is represented by an ASCII string, a length MUST
         be included.  If the length given is not 0, it should match
         the 'SRC ID Data Len' and 'DST ID Data Len' fields sent in
         the KEK and TEK payloads for GDOI GROUPKEY-PULL and
         GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmEntry 2 }

gdoiGmIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the identity information for a Group Member with
         its type indicated by the gdoiGmIdType.  Use the
         gdoiGmIdType to parse the Group Member ID correctly.
         This Group Member ID value is sent as the 'SRC
         Identification Data' and 'DST Identification Data' of the
         KEK and TEK payloads for GDOI GROUPKEY-PULL and GROUPKEY-PUSH
         exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmEntry 3 }

gdoiGmRegKeyServerIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information of this Group Member's registered Key Server.
         RFC 4306 defines all valid types that can be used as an
         identifier.  These identification types are sent as the 'SRC
         ID Type' and 'DST ID Type' of the KEK and TEK payloads for
         GDOI GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads"
    ::= { gdoiGmEntry 4 }

gdoiGmRegKeyServerIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the registered Key
         Server's ID.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiGmRegKeyServerIdType
         should be used as long as it is not reprsented by an ASCII
         string.  If the value has a type that is represented by an
         ASCII string, a length MUST be included.  If the length given
         is not 0, it should match the 'SRC ID Data Len' and 'DST ID
         Data Len' fields sent in the KEK and TEK payloads for GDOI
         GROUPKEY-PULL and GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmEntry 5 }

gdoiGmRegKeyServerIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for this Group Member's
         registered Key Server with its type indicated by the
         gdoiGmRegKeyServerIdType.  Use the
         gdoiGmRegKeyServerIdType to parse the registered Key
         Server's ID correctly.  This Key Server ID value is sent as
         the 'SRC Identification Data' and 'DST Identification Data'
         of the KEK and TEK payloads for GDOI GROUPKEY-PULL and
         GROUPKEY-PUSH exchanges."
    REFERENCE
        "RFC 3547 - Sections: 5.3.   SA KEK payload
                              5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmEntry 6 }

gdoiGmActiveKEK OBJECT-TYPE
    SYNTAX          GdoiKekSPI
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The SPI of the Key Encryption Key (KEK) that is currently
         being used by the Group Member to authenticate & decrypt a
         rekey from a GROUPKEY-PUSH message."
    ::= { gdoiGmEntry 7 }

gdoiGmRekeysReceived OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The sequence number of the last rekey successfully received
         from this Group Member's registered Key Server."
    REFERENCE
        "RFC 3547 - Sections: 3.2. Messages
                              3.3. Initiator Operations
                              4.   GROUPKEY-PUSH Message
                              4.8. Group Member Operations
                              5.6. Sequence Number Payload"
    ::= { gdoiGmEntry 8 }

--  *---------------------------------------------------------------- --
--  * The GDOI "Security Associations (SA)" Group
--  *---------------------------------------------------------------- --
--
--    #-------------------------------------------------------------- --
--    # The GDOI "Key Server (KS) KEK Policy/SA" Table
--    #-------------------------------------------------------------- --

gdoiKsKekTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiKsKekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Key Encryption Key
         (KEK) Policies & Security Associations (SAs) currently
         configured/installed for GDOI entities acting as Key Servers
         on the network device being queried.  There is one entry in
         this table for each KEK Policy/SA that has been
         configured/installed.  Each KEK Policy/SA is uniquely
         identified by a SPI at any given time."
    ::= { gdoiSecAssociations 1 }

gdoiKsKekEntry OBJECT-TYPE
    SYNTAX          GdoiKsKekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI KEK
         Policy/SA, uniquely identified by the Group ID, Key Server
         ID, & SPI value assigned by the given Key Server to the KEK.
         There will be at least one KEK Policy/SA entry for each Key
         Server & two KEK Policy/SA entries for a given Key Server
         only during a KEK rekey when a new KEK is created/installed.
         The KEK SPI is unique for every KEK for a given Key Server."
    REFERENCE
	"RFC 3547 - Sections: 1.     Introduction
                          3.2.   Messages
                          4.     GROUPKEY-PUSH Message
			              5.3.   SA KEK Payload
			              5.3.1. KEK Attributes
			              5.5.   Key Download Payload"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue,
                        gdoiKeyServerIdType,
                        gdoiKeyServerIdValue,
                        gdoiKsKekSPI
                    }
    ::= { gdoiKsKekTable 1 }

GdoiKsKekEntry ::= SEQUENCE {
    gdoiKsKekSPI                  GdoiKekSPI,
    gdoiKsKekSrcIdType            GdoiIdentificationType,
    gdoiKsKekSrcIdLength          Unsigned32,
    gdoiKsKekSrcIdValue           GdoiIdentificationValue,
    gdoiKsKekSrcIdPort            Unsigned16,
    gdoiKsKekDstIdType            GdoiIdentificationType,
    gdoiKsKekDstIdLength          Unsigned32,
    gdoiKsKekDstIdValue           GdoiIdentificationValue,
    gdoiKsKekDstIdPort            Unsigned16,
    gdoiKsKekRekeyIdType          GdoiIdentificationType,
    gdoiKsKekRekeyIdLength        Unsigned32,
    gdoiKsKekRekeyIdValue         GdoiIdentificationValue,
    gdoiKsKekIpProtocol           GdoiIpProtocolId,
    gdoiKsKekPopAlg               GdoiSignatureMethod,
    gdoiKsKekPopKeyLength         Unsigned32,
    gdoiKsKekMgmtAlg              GdoiKeyManagementAlgorithm,
    gdoiKsKekEncryptAlg           GdoiEncryptionAlgorithm,
    gdoiKsKekEncryptKeyLength     Unsigned32,
    gdoiKsKekSigHashAlg           GdoiPseudoRandomFunction,
    gdoiKsKekSigAlg               GdoiSignatureMethod,
    gdoiKsKekSigKeyLength         Unsigned32,
    gdoiKsKekOakleyGroup          GdoiDiffieHellmanGroup,
    gdoiKsKekOriginalLifetime     Unsigned32,
    gdoiKsKekRemainingLifetime    Unsigned32,
    gdoiKsKekStatus               GdoiKekStatus
}

gdoiKsKekSPI OBJECT-TYPE
    SYNTAX          GdoiKekSPI
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a KEK
         Policy/SA.  The SPI must be the ISAKMP Header cookie pair
         where the first 8 octets become the 'Initiator Cookie' field
         of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8
         octets become the 'Responder Cookie' in the same HDR.  As
         described above, these cookies are assigned by the GCKS."
    ::= { gdoiKsKekEntry 1 }

gdoiKsKekSrcIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the source of a KEK Policy/SA.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'SRC ID Type' of
         the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads"
    ::= { gdoiKsKekEntry 2 }

gdoiKsKekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
         a KEK Policy/SA.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiKsKekSrcIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'SRC ID Data Len' field sent in the KEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 3 }

gdoiKsKekSrcIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
         a KEK Policy/SA with its type indicated by the
         gdoiKsKekSrcIdType.  Use the gdoiKsKekSrcIdType to parse the
         KEK Source ID correctly.  This ID value is sent as the 'SRC
         Identification Data' of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 4 }

gdoiKsKekSrcIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
         a KEK Policy/SA.  A value of zero means that the port should
         be ignored.  This port value is sent as the `SRC ID Port`
         field of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 5 }

gdoiKsKekDstIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the dest. of a KEK Policy/SA.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'DST ID Type' of
         the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads"
    ::= { gdoiKsKekEntry 6 }

gdoiKsKekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
         a KEK Policy/SA.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiKsKekDstIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'DST ID Data Len' field sent in the KEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 7 }

gdoiKsKekDstIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
         a KEK Policy/SA with its type indicated by the
         gdoiKsKekDstIdType.  Use the gdoiKsKekDstIdType to parse the
         KEK Dest. ID correctly.  This ID value is sent as the 'DST
         Identification Data' of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 8 }

gdoiKsKekDstIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
         a KEK Policy/SA.  A value of zero means that the port should
         be ignored.  This port value is sent as the `DST ID Port`
         field of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 9 }

gdoiKsKekRekeyIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the multicast rekey address for this KEK and
         associated subsequent KEKs/TEKs.  RFC 4306
         defines all valid types that can be used as an identifier."
    REFERENCE
        "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
    ::= { gdoiKsKekEntry 10 }

gdoiKsKekRekeyIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the multicast rekey
         address for this KEK and associated subsequent KEKs/TEKs.
         If no length is given (i.e. it has a value of 0), the default
         length of its gdoiKsKekRekeyIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included."
    REFERENCE
        "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
    ::= { gdoiKsKekEntry 11 }

gdoiKsKekRekeyIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the multicast rekey
         address of this KEK and associated subsequent KEKs/TEKs.
         Use the gdoiKsKekRekeyIdType to parse the multicast rekey
         address correctly."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 12 }


gdoiKsKekIpProtocol OBJECT-TYPE
    SYNTAX          GdoiIpProtocolId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the IP protocol ID (e.g. UDP/TCP) being used
         for the rekey datagram."
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 13 }

gdoiKsKekPopAlg OBJECT-TYPE
    SYNTAX          GdoiSignatureMethod
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Proof of Posession (POP) payload algorithm,
         which is an authentication signature method.  If no POP
         algorithm is defined by the KEK Policy/SA, the value must be
         zero (0).  The POP payload demonstrates that the member or
         GCKS has used the very secret that authenticates it.

         Following are the POP payload algorithm values defined in the
         GDOI RFC 3547, however the GdoiSignatureMethod TC defines all
         possible values.

           Algorithm Type   Value
           ---------------  -----
            RESERVED          0
            POP_ALG_RSA       1
            POP_ALG_DSS       2
            POP_ALG_ECDSS     3
            RESERVED          4-127
            Private Use       128-255"
    REFERENCE
        "RFC 3547 - Sections: 3.2. Messages
                              5.3. SA KEK payload
                              5.7. Proof of Possession"
    ::= { gdoiKsKekEntry 14 }

gdoiKsKekPopKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the length of the POP payload key.  If no POP
         algorithm is defined in the KEK Policy/SA, the value must
         be zero (0)."
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK payload"
    ::= { gdoiKsKekEntry 15 }

gdoiKsKekMgmtAlg OBJECT-TYPE
    SYNTAX          GdoiKeyManagementAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_MANAGEMENT_ALGORITHM which specifies
         the group KEK management algorithm used to provide forward
         or backward access control (i.e. used to exclude group
         members).

           KEK Management Type  Value
           -------------------  -----
            RESERVED              0
            LKH                   1
            RESERVED              2-127
            Private Use           128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM"
    ::= { gdoiKsKekEntry 16 }

gdoiKsKekEncryptAlg OBJECT-TYPE
    SYNTAX          GdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_ALGORITHM which specifies the
         encryption algorithm used with the KEK Policy/SA.  A GDOI
         implementaiton must support KEK_ALG_3DES.

         Following are the KEK encryption algoritm values defined in
         the GDOI RFC 3547, however the GdoiEncryptionAlgorithm TC
         defines all possible values.

           Algorithm Type  Value
           --------------  -----
            RESERVED         0
            KEK_ALG_DES      1
            KEK_ALG_3DES     2
            KEK_ALG_AES      3
            RESERVED         4-127
            Private Use      128-255"
    REFERENCE
        "RFC 3547 - Section 5.3.3. KEK_ALGORITHM"
    ::= { gdoiKsKekEntry 17 }

gdoiKsKekEncryptKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LENGTH which specifies the KEK
         Algorithm key length (in bits)."
    REFERENCE
        "RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH"
    ::= { gdoiKsKekEntry 18 }

gdoiKsKekSigHashAlg OBJECT-TYPE
    SYNTAX          GdoiPseudoRandomFunction
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_HASH_ALGORITHM which specifies the SIG
         payload hash algorithm.  This is not required (i.e. could
         have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or
         SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a
         value of zero or SIG_HASH_SHA1).

         Following are the Signature Hash Algorithm values defined in
         the GDOI RFC 3547, however the GdoiPseudoRandomFunction TC
         defines all possible values.

           Algorithm Type  Value
           --------------  -----
            RESERVED         0
            SIG_HASH_MD5     1
            SIG_HASH_SHA1    2
            RESERVED         3-127
            Private Use      128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM"
    ::= { gdoiKsKekEntry 19 }

gdoiKsKekSigAlg OBJECT-TYPE
    SYNTAX          GdoiSignatureMethod
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_ALGORITHM which specifies the SIG
         payload signature algorithm.  A GDOI implementation must
         support SIG_ALG_RSA.

         Following are the Signature Algorithm values defined in
         the GDOI RFC 3547, however the GdoiSignatureMethod TC
         defines all possible values.

           Algorithm Type  Value
           --------------  -----
            RESERVED         0
            SIG_ALG_RSA      1
            SIG_ALG_DSS      2
            SIG_ALG_ECDSS    3
            RESERVED         4-127
            Private Use      128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.7. SIG_ALGORITHM"
    ::= { gdoiKsKekEntry 20 }

gdoiKsKekSigKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_KEY_LENGTH which specifies the length
         of the SIG payload key."
    REFERENCE
        "RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH"
    ::= { gdoiKsKekEntry 21 }

gdoiKsKekOakleyGroup OBJECT-TYPE
    SYNTAX          GdoiDiffieHellmanGroup
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KE_OAKLEY_GROUP which specifies the OAKLEY
         or Diffie-Hellman Group used to compute the PFS secret in the
         optional KE payload of the GDOI GROUPKEY-PULL exchange."
    REFERENCE
        "RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP"
    ::= { gdoiKsKekEntry 22 }

gdoiKsKekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LIFETIME which specifies the maximum
         time for which a KEK is valid.  The GCKS may refresh the KEK
         at any time before the end of the valid period.  The value is
         a four (4) octet (32-bit) number defining a valid time period
         in seconds."
    REFERENCE
        "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
    ::= { gdoiKsKekEntry 23 }

gdoiKsKekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a KEK is valid.
         The value is a four (4) octet (32-bit) number which begins at
         the value of gdoiKsKekOriginalLifetime when the KEK is sent
         and counts down to zero in seconds.  If the lifetime has
         already expired, this value should remain at zero (0) until
         the Key Server refreshes the KEK."
    REFERENCE
        "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
    ::= { gdoiKsKekEntry 24 }

gdoiKsKekStatus OBJECT-TYPE
    SYNTAX          GdoiKekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the KEK Policy/SA.  When this status value is
         queried, one of the following is returned:
         inUse(1), new(2), old(3)."
    ::= { gdoiKsKekEntry 25 }

--    #-------------------------------------------------------------- --
--    # The GDOI "Group Member (GM) KEK SA" Table
--    #-------------------------------------------------------------- --

gdoiGmKekTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiGmKekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Key Encryption Key
         (KEK) Security Associations (SAs) currently installed for
         GDOI entities acting as Group Members on the network device
         being queried.  There is one entry in this table for each
         KEK SA that has been installed and not yet deleted.  Each
         KEK SA is uniquely identified by a SPI at any given time."
    ::= { gdoiSecAssociations 2 }

gdoiGmKekEntry OBJECT-TYPE
    SYNTAX          GdoiGmKekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI KEK
         SA, uniquely identified by the Group ID, Group Member (GM)
         ID, & SPI value assigned by the GM's registered Key Server to
         the KEK.  There will be at least one KEK SA entry for each GM
         & two KEK SA entries for a given GM only during a KEK rekey
         when a new KEK is received & installed.  The KEK SPI is
         unique for every KEK for a given Group Member."
    REFERENCE
	"RFC 3547 - Sections: 1.     Introduction
                          3.2.   Messages
                          4.     GROUPKEY-PUSH Message
                          5.3.   SA KEK Payload
                          5.3.1. KEK Attributes
                          5.5.   Key Download Payload"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue,
                        gdoiGmIdType,
                        gdoiGmIdValue,
                        gdoiGmKekSPI
                    }
    ::= { gdoiGmKekTable 1 }

GdoiGmKekEntry ::= SEQUENCE {
    gdoiGmKekSPI                  GdoiKekSPI,
    gdoiGmKekSrcIdType            GdoiIdentificationType,
    gdoiGmKekSrcIdLength          Unsigned32,
    gdoiGmKekSrcIdValue           GdoiIdentificationValue,
    gdoiGmKekSrcIdPort            Unsigned16,
    gdoiGmKekDstIdType            GdoiIdentificationType,
    gdoiGmKekDstIdLength          Unsigned32,
    gdoiGmKekDstIdValue           GdoiIdentificationValue,
    gdoiGmKekDstIdPort            Unsigned16,
    gdoiGmKekRekeyIdType          GdoiIdentificationType,
    gdoiGmKekRekeyIdLength        Unsigned32,
    gdoiGmKekRekeyIdValue         GdoiIdentificationValue,
    gdoiGmKekIpProtocol           GdoiIpProtocolId,
    gdoiGmKekPopAlg               GdoiSignatureMethod,
    gdoiGmKekPopKeyLength         Unsigned32,
    gdoiGmKekMgmtAlg              GdoiKeyManagementAlgorithm,
    gdoiGmKekEncryptAlg           GdoiEncryptionAlgorithm,
    gdoiGmKekEncryptKeyLength     Unsigned32,
    gdoiGmKekSigHashAlg           GdoiPseudoRandomFunction,
    gdoiGmKekSigAlg               GdoiSignatureMethod,
    gdoiGmKekSigKeyLength         Unsigned32,
    gdoiGmKekOakleyGroup          GdoiDiffieHellmanGroup,
    gdoiGmKekOriginalLifetime     Unsigned32,
    gdoiGmKekRemainingLifetime    Unsigned32,
    gdoiGmKekStatus               GdoiKekStatus
}

gdoiGmKekSPI OBJECT-TYPE
    SYNTAX          GdoiKekSPI
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a KEK
         SA.  The SPI must be the ISAKMP Header cookie pair
         where the first 8 octets become the 'Initiator Cookie' field
         of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8
         octets become the 'Responder Cookie' in the same HDR.  As
         described above, these cookies are assigned by the GCKS."
    ::= { gdoiGmKekEntry 1 }

gdoiGmKekSrcIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the source of a KEK SA.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'SRC ID Type' of
         the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads"
    ::= { gdoiGmKekEntry 2 }

gdoiGmKekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
         a KEK SA.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiGmKekSrcIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'SRC ID Data Len' field sent in the KEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 3 }

gdoiGmKekSrcIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
         a KEK SA with its type indicated by the
         gdoiGmKekSrcIdType.  Use the gdoiGmKekSrcIdType to parse the
         KEK Source ID correctly.  This ID value is sent as the 'SRC
         Identification Data' of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 4 }

gdoiGmKekSrcIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
         a KEK SA.  A value of zero means that the port should
         be ignored.  This port value is sent as the `SRC ID Port`
         field of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 5 }

gdoiGmKekDstIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the dest. of a KEK SA.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'DST ID Type' of
         the KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload
         RFC 4306 - Section:  3.5. Identification Payloads"
    ::= { gdoiGmKekEntry 6 }

gdoiGmKekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
         a KEK SA.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiGmKekDstIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'DST ID Data Len' field sent in the KEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 7 }

gdoiGmKekDstIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
         a KEK SA with its type indicated by the
         gdoiGmKekDstIdType.  Use the gdoiGmKekDstIdType to parse the
         KEK Dest. ID correctly.  This ID value is sent as the 'DST
         Identification Data' of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 8 }

gdoiGmKekDstIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
         a KEK SA.  A value of zero means that the port should
         be ignored.  This port value is sent as the `DST ID Port`
         field of a KEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 9 }

gdoiGmKekRekeyIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the multicast rekey address for this KEK and
         associated subsequent KEK(s)/TEK(s).  RFC 4306
         defines all valid types that can be used as an identifier."
    REFERENCE
        "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
    ::= { gdoiGmKekEntry 10 }

gdoiGmKekRekeyIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the multicast rekey
         address for this KEK and associated subsequent KEK(s)/TEK(s).
         If no length is given (i.e. it has a value of 0), the default
         length of its gdoiGmKekRekeyIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included."
    REFERENCE
        "RFC 3547 - Sections: 6.3. GROUPKEY-PUSH Exchange"
    ::= { gdoiGmKekEntry 11 }

gdoiGmKekRekeyIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the multicast rekey
         address of this KEK and associated subsequent KEK(s)/TEK(s).
         Use the gdoiGmKekRekeyIdType to parse the multicast rekey
         address correctly."
    REFERENCE
        "RFC 3547 - Sections: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 12 }


gdoiGmKekIpProtocol OBJECT-TYPE
    SYNTAX          GdoiIpProtocolId
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the IP protocol ID (e.g. UDP/TCP) being used
         for the rekey datagram."
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 13 }

gdoiGmKekPopAlg OBJECT-TYPE
    SYNTAX          GdoiSignatureMethod
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Proof of Posession (POP) payload algorithm,
         which is an authentication signature method.  If no POP
         algorithm is defined by the KEK SA, this field must be
         zero (0).  The POP payload demonstrates that the member or
         GCKS has used the very secret that authenticates it.

         Following are the POP payload algorithm values defined in the
         GDOI RFC 3547, however the GdoiSignatureMethod TC defines all
         possible values.

           Algorithm Type   Value
           ---------------  -----
            RESERVED          0
            POP_ALG_RSA       1
            POP_ALG_DSS       2
            POP_ALG_ECDSS     3
            RESERVED          4-127
            Private Use       128-255"
    REFERENCE
        "RFC 3547 - Sections: 3.2. Messages
                              5.3. SA KEK payload
                              5.7. Proof of Possession"
    ::= { gdoiGmKekEntry 14 }

gdoiGmKekPopKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the length of the POP payload key.  If no POP
         algorithm is defined in the KEK SA, this field must
         be zero (0)."
    REFERENCE
        "RFC 3547 - Section: 5.3. SA KEK payload"
    ::= { gdoiGmKekEntry 15 }

gdoiGmKekMgmtAlg OBJECT-TYPE
    SYNTAX          GdoiKeyManagementAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_MANAGEMENT_ALGORITHM which specifies
         the group KEK management algorithm used to provide forward
         or backward access control (i.e. used to exclude group
         members).

           KEK Management Type  Value
           -------------------  -----
            RESERVED              0
            LKH                   1
            RESERVED              2-127
            Private Use           128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.2. KEK_MANAGEMENT_ALGORITHM"
    ::= { gdoiGmKekEntry 16 }

gdoiGmKekEncryptAlg OBJECT-TYPE
    SYNTAX          GdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_ALGORITHM which specifies the
         encryption algorithm used with the KEK SA.  A GDOI
         implementaiton must support KEK_ALG_3DES.

         Following are the KEK encryption algoritm values defined in
         the GDOI RFC 3547, however the GdoiEncryptionAlgorithm TC
         defines all possible values.

           Algorithm Type  Value
           --------------  -----
            RESERVED         0
            KEK_ALG_DES      1
            KEK_ALG_3DES     2
            KEK_ALG_AES      3
            RESERVED         4-127
            Private Use      128-255"
    REFERENCE
        "RFC 3547 - Section 5.3.3. KEK_ALGORITHM"
    ::= { gdoiGmKekEntry 17 }

gdoiGmKekEncryptKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LENGTH which specifies the KEK
         Algorithm key length (in bits)."
    REFERENCE
        "RFC 3547 - Section: 5.3.4. KEK_KEY_LENGTH"
    ::= { gdoiGmKekEntry 18 }

gdoiGmKekSigHashAlg OBJECT-TYPE
    SYNTAX          GdoiPseudoRandomFunction
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_HASH_ALGORITHM which specifies the SIG
         payload hash algorithm.  This is not required (i.e. could
         have a value of zero) if the SIG_ALGORITHM is SIG_ALG_DSS or
         SIG_ALG_ECDSS, which imply SIG_HASH_SHA1 (i.e. must have a
         value of zero or SIG_HASH_SHA1).

         Following are the Signature Hash Algorithm values defined in
         the GDOI RFC 3547, however the GdoiPseudoRandomFunction TC
         defines all possible values.

           Algorithm Type  Value
           --------------  -----
            RESERVED         0
            SIG_HASH_MD5     1
            SIG_HASH_SHA1    2
            RESERVED         3-127
            Private Use      128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.6. SIG_HASH_ALGORITHM"
    ::= { gdoiGmKekEntry 19 }

gdoiGmKekSigAlg OBJECT-TYPE
    SYNTAX          GdoiSignatureMethod
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_ALGORITHM which specifies the SIG
         payload signature algorithm.  A GDOI implementation must
         support SIG_ALG_RSA.

         Following are the Signature Algorithm values defined in
         the GDOI RFC 3547, however the GdoiSignatureMethod TC
         defines all possible values.

           Algorithm Type  Value
           --------------  -----
            RESERVED         0
            SIG_ALG_RSA      1
            SIG_ALG_DSS      2
            SIG_ALG_ECDSS    3
            RESERVED         4-127
            Private Use      128-255"
    REFERENCE
        "RFC 3547 - Section: 5.3.7. SIG_ALGORITHM"
    ::= { gdoiGmKekEntry 20 }

gdoiGmKekSigKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SIG_KEY_LENGTH which specifies the length
         of the SIG payload key."
    REFERENCE
        "RFC 3547 - Section 5.3.8. SIG_KEY_LENGTH"
    ::= { gdoiGmKekEntry 21 }

gdoiGmKekOakleyGroup OBJECT-TYPE
    SYNTAX          GdoiDiffieHellmanGroup
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KE_OAKLEY_GROUP which specifies the OAKLEY
         or Diffie-Hellman Group used to compute the PFS secret in the
         optional KE payload of the GDOI GROUPKEY-PULL exchange."
    REFERENCE
        "RFC 3547 - Section 5.3.9. KE_OAKLEY_GROUP"
    ::= { gdoiGmKekEntry 22 }

gdoiGmKekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the KEK_KEY_LIFETIME which specifies the maximum
         time for which a KEK is valid.  The GCKS may refresh the KEK
         at any time before the end of the valid period.  The value is
         a four (4) octet (32-bit) number defining a valid time period
         in seconds."
    REFERENCE
        "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
    ::= { gdoiGmKekEntry 23 }

gdoiGmKekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a KEK is valid.
         The value is a four (4) octet (32-bit) number which begins at
         the value of gdoiGmKekOriginalLifetime and counts down to zero
         in seconds.  If the lifetime has already expired, this value
         should remain at zero (0) until the GCKS refreshes the KEK."
    REFERENCE
        "RFC 3547 - Section 5.3.5. KEK_KEY_LIFETIME"
    ::= { gdoiGmKekEntry 24 }

gdoiGmKekStatus OBJECT-TYPE
    SYNTAX          GdoiKekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the KEK SA.  When this status value is
         queried, one of the following is returned:
         inUse(1), new(2), old(3)."
    ::= { gdoiGmKekEntry 25 }

--    #-------------------------------------------------------------- --
--    # The GDOI "Key Server (KS) TEK Policy" Table
--    #-------------------------------------------------------------- --

gdoiKsTekTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiKsTekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Traffic Encryption Key
         (TEK) Policies currently configured/pushed for GDOI entities
         acting as Key Servers on the network device being queried.
         There is one entry in this table for each TEK that has been
         configured & pushed to Group Members registered to the given
         Key Server."
    ::= { gdoiSecAssociations 3 }

gdoiKsTekEntry OBJECT-TYPE
    SYNTAX          GdoiKsTekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI TEK
         Policy, uniquely identified by the Group ID, Key Server ID,
         Source/Destination IDs & Ports, and TEK SPI.  There will be
         one or more TEK entries for each TEK Policy sent by the given
         Key Server to its registered Group Members, each with
         a unique <SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> 5-tuple.
         However, due to the 255-octet constraint placed on an OID,
         the <SRC-ID, SRC-PORT, DST-ID, DST-PORT> 4-tuple cannot be
         used to INDEX a TEK entry for a given Group ID & Key Server
         ID.  Therefore, the TEK SPI for a given Group ID & Key
         Server ID MUST be unique unless another indexing scheme is
         used."
    REFERENCE
	"RFC 3547 - Sections: 1.   Introduction
                          3.2. Messages
                          4.   GROUPKEY-PUSH Message
                          5.4. SA TEK Payload"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue,
                        gdoiKeyServerIdType,
                        gdoiKeyServerIdValue,
                        gdoiKsTekSPI
                    }
    ::= { gdoiKsTekTable 1 }

GdoiKsTekEntry ::= SEQUENCE {
    gdoiKsTekSPI                  GdoiTekSPI,
    gdoiKsTekSrcIdType            GdoiIdentificationType,
    gdoiKsTekSrcIdLength          Unsigned32,
    gdoiKsTekSrcIdValue           GdoiIdentificationValue,
    gdoiKsTekSrcIdPort            Unsigned16,
    gdoiKsTekDstIdType            GdoiIdentificationType,
    gdoiKsTekDstIdLength          Unsigned32,
    gdoiKsTekDstIdValue           GdoiIdentificationValue,
    gdoiKsTekDstIdPort            Unsigned16,
    gdoiKsTekSecurityProtocol     GdoiSecurityProtocol,
    gdoiKsTekEncapsulationMode    GdoiEncapsulationMode,
    gdoiKsTekEncryptionAlgorithm  GdoiEncryptionAlgorithm,
    gdoiKsTekEncryptionKeyLength  Unsigned32,
    gdoiKsTekIntegrityAlgorithm   GdoiIntegrityAlgorithm,
    gdoiKsTekIntegrityKeyLength   Unsigned32,
    gdoiKsTekWindowSize           Unsigned32,
    gdoiKsTekOriginalLifetime     Unsigned32,
    gdoiKsTekRemainingLifetime    Unsigned32,
    gdoiKsTekStatus               GdoiTekStatus
}

gdoiKsTekSPI OBJECT-TYPE
    SYNTAX          GdoiTekSPI
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a TEK
         Policy.  The SPI must be the SPI for ESP."
    REFERENCE
        "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 1 }

gdoiKsTekSrcIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the source of a TEK Policy.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'SRC ID Type' of
         the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads"
    ::= { gdoiKsTekEntry 2 }

gdoiKsTekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
         a TEK Policy.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiKsTekSrcIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'SRC ID Data Len' field sent in the TEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 3 }

gdoiKsTekSrcIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
         a TEK Policy with its type indicated by the
         gdoiKsTekSrcIdType.  Use the gdoiKsTekSrcIdType to parse the
         TEK Source ID correctly.  This ID value is sent as the 'SRC
         Identification Data' of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 4 }

gdoiKsTekSrcIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
         a TEK Policy.  A value of zero means that the port should
         be ignored.  This port value is sent as the `SRC ID Port`
         field of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 5 }

gdoiKsTekDstIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the dest. of a TEK Policy.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'DST ID Type' of
         the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5. Identification Payloads"
    ::= { gdoiKsTekEntry 6 }

gdoiKsTekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
         a TEK Policy.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiKsTekDstIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'DST ID Data Len' field sent in the TEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 7 }

gdoiKsTekDstIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
         a TEK Policy with its type indicated by the
         gdoiKsTekDstIdType.  Use the gdoiKsTekDstIdType to parse the
         TEK Dest. ID correctly.  This ID value is sent as the 'DST
         Identification Data' of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 8 }

gdoiKsTekDstIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
         a TEK Policy.  A value of zero means that the port should
         be ignored.  This port value is sent as the `DST ID Port`
         field of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 9 }

gdoiKsTekSecurityProtocol OBJECT-TYPE
    SYNTAX          GdoiSecurityProtocol
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Protocol-ID field of a SA TEK (SAT) payload
         which specifies the Security Protocol for a TEK.

         Following are the Security Protocol values defined in
         the GDOI RFC 3547, however the GdoiSecurityProtocol TC
         defines all possible values.

           Protocol ID             Value
           ----------------------  -----
            RESERVED                 0
            GDOI_PROTO_IPSEC_ESP     1
            RESERVED                 2-127
            Private Use              128-255"
    REFERENCE
        "RFC 3547 - Section: 5.4. SA TEK Payload"
    ::= { gdoiKsTekEntry 10 }

gdoiKsTekEncapsulationMode OBJECT-TYPE
    SYNTAX          GdoiEncapsulationMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Encapsulation Mode of a TEK (IPsec SA).

         Following are the Encapsulation Mode values defined in
         RFC 2407, however the GdoiEncapsulationMode TC defines all
         possible values.

           Encapsulation Mode  Value
           ------------------  -----
            RESERVED             0
            Tunnel               1
            Transport            2"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 11 }

gdoiKsTekEncryptionAlgorithm OBJECT-TYPE
    SYNTAX          GdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Transform ID field of a PROTO_IPSEC_ESP
         payload which specifies the ESP transform to be used.  If
         no encryption is used, this value will be zero (0).

         Following are the ESP Transform values defined in RFC 2407,
         however the GdoiEncryptionAlgorithm TC defines all possible
         values.

           IPsec ESP Transform ID    Value
           ------------------------  -----
            RESERVED                   0
            ESP_DES_IV64               1
            ESP_DES                    2
            ESP_3DES                   3
            ESP_RC5                    4
            ESP_IDEA                   5
            ESP_CAST                   6
            ESP_BLOWFISH               7
            ESP_3IDEA                  8
            ESP_DES_IV32               9
            ESP_RC4                    10
            ESP_NULL                   11"
    REFERENCE
        "RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 12 }

gdoiKsTekEncryptionKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for encryption in a TEK
         (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 13 }

gdoiKsTekIntegrityAlgorithm OBJECT-TYPE
    SYNTAX          GdoiIntegrityAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Authentication Algorithm for a TEK IPsec
         ESP SA.  If no authentication is used, this value will be
         zero (0).

         Following are the Authentication Algorithm values defined in
         RFC 2407, however the GdoiEncryptionAlgorithm TC defines all
         possible values.

           Algorithm Type  Value
           --------------  -----
            HMAC-MD5         1
            HMAC-SHA         2
            DES-MAC          3
            KPDK             4"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 14 }

gdoiKsTekIntegrityKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for integrity/authentication in a
         TEK (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 15 }

gdoiKsTekWindowSize OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The size of the Time Based Anti-Replay (TBAR) window used by
         this TEK Policy."
    REFERENCE
        "RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS
         RFC 3547 - Section: 6.3.4.   Replay/Reflection Attack
                                      Protection"
    ::= { gdoiKsTekEntry 16 }

gdoiKsTekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SA Life Type defined in RFC 2407 which
         specifies the maximum time for which a TEK IPsec SA is valid.
         The GCKS may refresh the TEK at any time before the end of
         the valid period.  The value is a four (4) octet (32-bit)
         number defining a valid time period in seconds."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 17 }

gdoiKsTekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a TEK is valid.
         The value is a four (4) octet (32-bit) number which begins at
         the value of gdoiKsTekOriginalLifetime when the TEK is sent
         and counts down to zero in seconds.  If the lifetime has
         already expired, this value should remain at zero (0) until
         the Key Server refreshes the TEK."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiKsTekEntry 18 }

gdoiKsTekStatus OBJECT-TYPE
    SYNTAX          GdoiTekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the TEK Policy.  When this status value is
         queried, one of the following is returned:
         inbound(1), outbound(2), notInUse(3)."
    ::= { gdoiKsTekEntry 19 }

--    #-------------------------------------------------------------- --
--    # The GDOI "Group Member (GM) TEK SA" Table
--    #-------------------------------------------------------------- --

gdoiGmTekTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF GdoiGmTekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table of information regarding GDOI Traffic Encryption Key
         (TEK) Security Associations (SAs/Policies) received by a
         Key Server & installed for GDOI entities acting as Group
         Members (GMs) on the network device being queried.  There is
         one entry in this table for each TEK SA that has been
         installed or TEK SA/Policy that exists and has not yet been
         installed/deleted."
    ::= { gdoiSecAssociations 4 }

gdoiGmTekEntry OBJECT-TYPE
    SYNTAX          GdoiGmTekEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the attributes associated with a GDOI TEK
         Policy/SA, uniquely identified by the Group ID, Group Member
         ID, Source/Destination IDs & Ports, and TEK SPI.  There will
         be one or more TEK entries for each TEK Policy/SA received
         and installed by the given Group Member from its registered
         Key Server, each with a unique
         <SRC-ID, SRC-PORT, DST-ID, DST-PORT, SPI> 5-tuple.
         However, due to the 255-octet constraint placed on an OID,
         the <SRC-ID, SRC-PORT, DST-ID, DST-PORT> 4-tuple cannot be
         used to INDEX a TEK entry for a given Group ID & Group
         Member ID.  Therefore, the TEK SPI for a given Group ID &
         Group Member ID MUST be unique unless another indexing
         scheme is used."
    REFERENCE
	"RFC 3547 - Sections: 1.   Introduction
                          3.2. Messages
                          4.   GROUPKEY-PUSH Message
                          5.4. SA TEK Payload"
    INDEX           {
                        gdoiGroupIdType,
                        gdoiGroupIdValue,
                        gdoiGmIdType,
                        gdoiGmIdValue,
                        gdoiGmTekSPI
                    }
    ::= { gdoiGmTekTable 1 }

GdoiGmTekEntry ::= SEQUENCE {
    gdoiGmTekSPI                  GdoiTekSPI,
    gdoiGmTekSrcIdType            GdoiIdentificationType,
    gdoiGmTekSrcIdLength          Unsigned32,
    gdoiGmTekSrcIdValue           GdoiIdentificationValue,
    gdoiGmTekSrcIdPort            Unsigned16,
    gdoiGmTekDstIdType            GdoiIdentificationType,
    gdoiGmTekDstIdLength          Unsigned32,
    gdoiGmTekDstIdValue           GdoiIdentificationValue,
    gdoiGmTekDstIdPort            Unsigned16,
    gdoiGmTekSecurityProtocol     GdoiSecurityProtocol,
    gdoiGmTekEncapsulationMode    GdoiEncapsulationMode,
    gdoiGmTekEncryptionAlgorithm  GdoiEncryptionAlgorithm,
    gdoiGmTekEncryptionKeyLength  Unsigned32,
    gdoiGmTekIntegrityAlgorithm   GdoiIntegrityAlgorithm,
    gdoiGmTekIntegrityKeyLength   Unsigned32,
    gdoiGmTekWindowSize           Unsigned32,
    gdoiGmTekOriginalLifetime     Unsigned32,
    gdoiGmTekRemainingLifetime    Unsigned32,
    gdoiGmTekStatus               GdoiTekStatus
}

gdoiGmTekSPI OBJECT-TYPE
    SYNTAX          GdoiTekSPI
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The value of the Security Parameter Index (SPI) of a TEK
         Policy/SA.  The SPI must be the SPI for ESP."
    REFERENCE
        "RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 1 }

gdoiGmTekSrcIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the source of a TEK Policy/SA.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'SRC ID Type' of
         the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5.   Identification Payloads"
    ::= { gdoiGmTekEntry 2 }

gdoiGmTekSrcIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the source ID of
         a TEK Policy/SA.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiGmTekSrcIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'SRC ID Data Len' field sent in the TEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 3 }

gdoiGmTekSrcIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the source of
         a TEK Policy/SA with its type indicated by the
         gdoiGmTekSrcIdType.  Use the gdoiGmTekSrcIdType to parse the
         TEK Source ID correctly.  This ID value is sent as the 'SRC
         Identification Data' of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 4 }

gdoiGmTekSrcIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the source ID of
         a TEK Policy/SA.  A value of zero means that the port should
         be ignored.  This port value is sent as the `SRC ID Port`
         field of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 5 }

gdoiGmTekDstIdType OBJECT-TYPE
    SYNTAX          GdoiIdentificationType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The Identification Type Value used to parse the identity
         information for the dest. of a TEK Policy/SA.  RFC 4306
         defines all valid types that can be used as an identifier.
         This identification type is sent as the 'DST ID Type' of
         the TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP
         RFC 4306 - Section:  3.5. Identification Payloads"
    ::= { gdoiGmTekEntry 6 }

gdoiGmTekDstIdLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Octets"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length (i.e. number of octets) of the destination ID of
         a TEK Policy/SA.  If no length is given (i.e. it has a value
         of 0), the default length of its gdoiGmTekDstIdType should be
         used as long as it is not reprsented by an ASCII string.  If
         the value has a type that is represented by an ASCII string,
         a length MUST be included.  If the length given is not 0, it
         should match the 'DST ID Data Len' field sent in the TEK
         payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 7 }

gdoiGmTekDstIdValue OBJECT-TYPE
    SYNTAX          GdoiIdentificationValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the identity information for the destination of
         a TEK Policy/SA with its type indicated by the
         gdoiGmTekDstIdType.  Use the gdoiGmTekDstIdType to parse the
         TEK Dest. ID correctly.  This ID value is sent as the 'DST
         Identification Data' of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 8 }

gdoiGmTekDstIdPort OBJECT-TYPE
    SYNTAX          Unsigned16
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value specifying a port associated with the dest. ID of
         a TEK Policy/SA.  A value of zero means that the port should
         be ignored.  This port value is sent as the `DST ID Port`
         field of a TEK payload."
    REFERENCE
        "RFC 3547 - Sections: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 9 }

gdoiGmTekSecurityProtocol OBJECT-TYPE
    SYNTAX          GdoiSecurityProtocol
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Protocol-ID field of a SA TEK (SAT) payload
         which specifies the Security Protocol for a TEK.

         Following are the Security Protocol values defined in
         the GDOI RFC 3547, however the GdoiSecurityProtocol TC
         defines all possible values.

           Protocol ID             Value
           ----------------------  -----
            RESERVED                 0
            GDOI_PROTO_IPSEC_ESP     1
            RESERVED                 2-127
            Private Use              128-255"
    REFERENCE
        "RFC 3547 - Section: 5.4. SA TEK Payload"
    ::= { gdoiGmTekEntry 10 }

gdoiGmTekEncapsulationMode OBJECT-TYPE
    SYNTAX          GdoiEncapsulationMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Encapsulation Mode of a TEK (IPsec SA).

         Following are the Encapsulation Mode values defined in
         RFC 2407, however the GdoiEncapsulationMode TC defines all
         possible values.

           Encapsulation Mode  Value
           ------------------  -----
            RESERVED             0
            Tunnel               1
            Transport            2"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 11 }

gdoiGmTekEncryptionAlgorithm OBJECT-TYPE
    SYNTAX          GdoiEncryptionAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Transform ID field of a PROTO_IPSEC_ESP
         payload which specifies the ESP transform to be used.  If
         no encryption is used, this value will be zero (0).

         Following are the ESP Transform values defined in RFC 2407,
         however the GdoiEncryptionAlgorithm TC defines all possible
         values.

           IPsec ESP Transform ID    Value
           ------------------------  -----
            RESERVED                   0
            ESP_DES_IV64               1
            ESP_DES                    2
            ESP_3DES                   3
            ESP_RC5                    4
            ESP_IDEA                   5
            ESP_CAST                   6
            ESP_BLOWFISH               7
            ESP_3IDEA                  8
            ESP_DES_IV32               9
            ESP_RC4                    10
            ESP_NULL                   11"
    REFERENCE
        "RFC 2407 - Section: 4.4.4. IPSEC ESP Transform Identifiers
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 12 }

gdoiGmTekEncryptionKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for encryption in a TEK
         (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 13 }

gdoiGmTekIntegrityAlgorithm OBJECT-TYPE
    SYNTAX          GdoiIntegrityAlgorithm
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the Authentication Algorithm for a TEK IPsec
         ESP SA.  If no authentication is used, this value will be
         zero (0).

         Following are the Authentication Algorithm values defined in
         RFC 2407, however the GdoiEncryptionAlgorithm TC defines all
         possible values.

           Algorithm Type  Value
           --------------  -----
            HMAC-MD5         1
            HMAC-SHA         2
            DES-MAC          3
            KPDK             4"
    REFERENCE
        "RFC 2407 - Section: 4.5.   IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 14 }

gdoiGmTekIntegrityKeyLength OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Bits"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The length of the key used for integrity/authentication in a
         TEK (in bits)."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 15 }

gdoiGmTekWindowSize OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "GROUPKEY-PUSH Messages"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The size of the Time Based Anti-Replay (TBAR) window used by
         this TEK Policy/SA."
    REFERENCE
        "RFC 2407 - Section: 4.6.3.2. REPLAY-STATUS
         RFC 3547 - Section: 6.3.4.   Replay/Reflection Attack
                                      Protection"
    ::= { gdoiGmTekEntry 16 }

gdoiGmTekOriginalLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the SA Life Type defined in RFC 2407 which
         specifies the maximum time for which a TEK IPsec SA is valid.
         The GCKS may refresh the TEK at any time before the end of
         the valid period.  The value is a four (4) octet (32-bit)
         number defining a valid time period in seconds."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 17 }

gdoiGmTekRemainingLifetime OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "Seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The value of the remaining time for which a TEK is valid.
         The value is a four (4) octet (32-bit) number which begins at
         the value of gdoiGmTekOriginalLifetime and counts down to zero
         in seconds.  If the lifetime has already expired, this value
         should remain at zero (0) until the GCKS refreshes the TEK."
    REFERENCE
        "RFC 2407 - Section: 4.5    IPSEC Security Assoc. Attributes
         RFC 3547 - Section: 5.4.1. PROTO_IPSEC_ESP"
    ::= { gdoiGmTekEntry 18 }

gdoiGmTekStatus OBJECT-TYPE
    SYNTAX          GdoiTekStatus
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The status of the TEK Policy/SA.  When this status value is
         queried, one of the following is returned:
         inbound(1), outbound(2), notInUse(3)."
    ::= { gdoiGmTekEntry 19 }

-- ------------------------------------------------------------------ --
-- GDOI MIB Conformance & Compliance Information
-- ------------------------------------------------------------------ --
--
--  *---------------------------------------------------------------- --
--  * GDOI MIB Conformance Information
--  *---------------------------------------------------------------- --

gdoiMIBGroups           OBJECT IDENTIFIER ::= { gdoiMIBConformance 1 }

gdoiMIBCompliances      OBJECT IDENTIFIER ::= { gdoiMIBConformance 2 }

--    #-------------------------------------------------------------- --
--    # GDOI MIB Units/Groups of Conformance
--    #-------------------------------------------------------------- --

gdoiGroupIdGroup OBJECT-GROUP
    OBJECTS         {
                        gdoiGroupIdLength,
                        gdoiGroupName
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
         1) GDOI Group Table"
    ::= { gdoiMIBGroups 1 }

gdoiKeyServerGroup OBJECT-GROUP
    OBJECTS         {
                        gdoiKeyServerIdLength,
                        gdoiKeyServerActiveKEK,
                        gdoiKeyServerRekeysPushed
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
         1) GDOI Key Server Table"
    ::= { gdoiMIBGroups 2 }

gdoiGmGroup OBJECT-GROUP
    OBJECTS         {
                        gdoiGmIdLength,
                        gdoiGmRegKeyServerIdType,
                        gdoiGmRegKeyServerIdLength,
                        gdoiGmRegKeyServerIdValue,
                        gdoiGmActiveKEK,
                        gdoiGmRekeysReceived
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
         1) GDOI GM Table"
    ::= { gdoiMIBGroups 3 }


gdoiKsSecurityAssociationsGroup OBJECT-GROUP
    OBJECTS         {
                        gdoiKsKekSrcIdType,
                        gdoiKsKekSrcIdLength,
                        gdoiKsKekSrcIdValue,
                        gdoiKsKekSrcIdPort,
                        gdoiKsKekDstIdType,
                        gdoiKsKekDstIdLength,
                        gdoiKsKekDstIdValue,
                        gdoiKsKekDstIdPort,
                        gdoiKsKekRekeyIdType,
                        gdoiKsKekRekeyIdLength,
                        gdoiKsKekRekeyIdValue,
                        gdoiKsKekIpProtocol,
                        gdoiKsKekPopAlg,
                        gdoiKsKekPopKeyLength,
                        gdoiKsKekMgmtAlg,
                        gdoiKsKekEncryptAlg,
                        gdoiKsKekEncryptKeyLength,
                        gdoiKsKekSigHashAlg,
                        gdoiKsKekSigAlg,
                        gdoiKsKekSigKeyLength,
                        gdoiKsKekOakleyGroup,
                        gdoiKsKekOriginalLifetime,
                        gdoiKsKekRemainingLifetime,
                        gdoiKsKekStatus,
                        gdoiKsTekSrcIdType,
                        gdoiKsTekSrcIdLength,
                        gdoiKsTekSrcIdValue,
                        gdoiKsTekSrcIdPort,
                        gdoiKsTekDstIdType,
                        gdoiKsTekDstIdLength,
                        gdoiKsTekDstIdValue,
                        gdoiKsTekDstIdPort,
                        gdoiKsTekSecurityProtocol,
                        gdoiKsTekEncapsulationMode,
                        gdoiKsTekEncryptionAlgorithm,
                        gdoiKsTekEncryptionKeyLength,
                        gdoiKsTekIntegrityAlgorithm,
                        gdoiKsTekIntegrityKeyLength,
                        gdoiKsTekWindowSize,
                        gdoiKsTekOriginalLifetime,
                        gdoiKsTekRemainingLifetime,
                        gdoiKsTekStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
         1) GDOI Key Server KEK Policy/SA Table
         2) GDOI Key Server TEK Policy Table"
    ::= { gdoiMIBGroups 4 }

gdoiGmSecurityAssociationsGroup OBJECT-GROUP
    OBJECTS         {
                        gdoiGmKekSrcIdType,
                        gdoiGmKekSrcIdLength,
                        gdoiGmKekSrcIdValue,
                        gdoiGmKekSrcIdPort,
                        gdoiGmKekDstIdType,
                        gdoiGmKekDstIdLength,
                        gdoiGmKekDstIdValue,
                        gdoiGmKekDstIdPort,
                        gdoiGmKekRekeyIdType,
                        gdoiGmKekRekeyIdLength,
                        gdoiGmKekRekeyIdValue,
                        gdoiGmKekIpProtocol,
                        gdoiGmKekPopAlg,
                        gdoiGmKekPopKeyLength,
                        gdoiGmKekMgmtAlg,
                        gdoiGmKekEncryptAlg,
                        gdoiGmKekEncryptKeyLength,
                        gdoiGmKekSigHashAlg,
                        gdoiGmKekSigAlg,
                        gdoiGmKekSigKeyLength,
                        gdoiGmKekOakleyGroup,
                        gdoiGmKekOriginalLifetime,
                        gdoiGmKekRemainingLifetime,
                        gdoiGmKekStatus,
                        gdoiGmTekSrcIdType,
                        gdoiGmTekSrcIdLength,
                        gdoiGmTekSrcIdValue,
                        gdoiGmTekSrcIdPort,
                        gdoiGmTekDstIdType,
                        gdoiGmTekDstIdLength,
                        gdoiGmTekDstIdValue,
                        gdoiGmTekDstIdPort,
                        gdoiGmTekSecurityProtocol,
                        gdoiGmTekEncapsulationMode,
                        gdoiGmTekEncryptionAlgorithm,
                        gdoiGmTekEncryptionKeyLength,
                        gdoiGmTekIntegrityAlgorithm,
                        gdoiGmTekIntegrityKeyLength,
                        gdoiGmTekWindowSize,
                        gdoiGmTekOriginalLifetime,
                        gdoiGmTekRemainingLifetime,
                        gdoiGmTekStatus
                    }
    STATUS          current
    DESCRIPTION
        "This group consists of:
         1) GDOI Group Member KEK Policy/SA Table
         2) GDOI Group Member TEK Policy/SA Table"
    ::= { gdoiMIBGroups 5 }

gdoiKeyServerNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        gdoiKeyServerNewRegistration,
                        gdoiKeyServerRegistrationComplete,
                        gdoiKeyServerRekeyPushed
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Key Server (GCKS) notifications
         for the GDOI MIB."
    ::= { gdoiMIBGroups 6 }

gdoiKeyServerErrorNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        gdoiKeyServerNoRsaKeys
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Key Server (GCKS) error notifications
         for the GDOI MIB."
    ::= { gdoiMIBGroups 7 }

gdoiGmNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        gdoiGmRegister,
                        gdoiGmRegistrationComplete,
                        gdoiGmReRegister,
                        gdoiGmRekeyReceived
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Group Member (GM) notifications
         for the GDOI MIB."
    ::= { gdoiMIBGroups 8 }

gdoiGmErrorNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS   {
                        gdoiGmIncompleteCfg,
                        gdoiGmNoIpSecFlows,
                        gdoiGmRekeyFailure
                    }
    STATUS          current
    DESCRIPTION
        "This group contains the Group Member (GM) error notifications
         for the GDOI MIB."
    ::= { gdoiMIBGroups 9 }

--    #-------------------------------------------------------------- --
--    # GDOI MIB Compliance Statements
--    #-------------------------------------------------------------- --

gdoiMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "At minimum, only GDOI Group Member functionality is required
         so only objects associated with and needed by Group Members
         are mandatory to implement.  If Key Server functionality is
         also implemented, all other objects will need to be
         implemented as well."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        gdoiGroupIdGroup,
                        gdoiGmSecurityAssociationsGroup,
                        gdoiGmGroup
                    }

    GROUP           gdoiKeyServerGroup
    DESCRIPTION
        "Implementation of this group is for any network device
         that supports being the Group Controller Key Server (GCKS)."

    GROUP           gdoiKsSecurityAssociationsGroup
    DESCRIPTION
        "Implementation of this group is for any network device
         that supports being the Group Controller Key Server (GCKS)."

    GROUP           gdoiKeyServerNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
         that supports the sending of notifications & being the GCKS."

    GROUP           gdoiKeyServerErrorNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
         that supports the sending of notifications & being the GCKS."

    GROUP           gdoiGmNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
         that supports the sending of notifications."

    GROUP           gdoiGmErrorNotificationGroup
    DESCRIPTION
        "Implementation of this group is for any network device
         that supports the sending of notifications."

    ::= { gdoiMIBCompliances 1 }
END






 TOC 

8.  Security Considerations

There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations.

Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. The GDOI MIB deals with a security protocol and is not a general MIB, all information reported by any of the GDOI MIB queries should be considered sensitive. However, the most sensitive information dealing directly with security associations and algorithms are:

SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410] (Case, J., Mundy, R., Partain, D., and B. Stewart, “Introduction and Applicability Statements for Internet-Standard Management Framework,” December 2002.), section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.



 TOC 

9.  IANA Considerations

IANA is requested to assign OID (marked xxx) under mib-2 for GDOI-STD-MIB.



 TOC 

10.  Contributors



 TOC 

11.  References



 TOC 

11.1. Normative References

[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Structure of Management Information Version 2 (SMIv2),” STD 58, RFC 2578, April 1999 (TXT).
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., “Textual Conventions for SMIv2,” STD 58, RFC 2579, April 1999 (TXT).
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, “Conformance Statements for SMIv2,” STD 58, RFC 2580, April 1999 (TXT).
[RFC2271] Harrington, D., Presuhn, R., and B. Wijnen, “An Architecture for Describing SNMP Management Frameworks,” RFC 2271, January 1998 (TXT, HTML, XML).
[RFC1155] Rose, M. and K. McCloghrie, “Structure and identification of management information for TCP/IP-based internets,” STD 16, RFC 1155, May 1990 (TXT).
[RFC1212] Rose, M. and K. McCloghrie, “Concise MIB definitions,” STD 16, RFC 1212, March 1991 (TXT).
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, “The Group Domain of Interpretation,” RFC 3547, July 2003 (TXT).
[RFC1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2),” RFC 1902, January 1996 (TXT).
[RFC1903] McCloghrie, K., Case, J., Rose, M., and S. Waldbusser, “Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2),” RFC 1903, January 1996 (TXT).
[RFC1904] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2),” RFC 1904, January 1996 (TXT).
[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, “Simple Network Management Protocol (SNMP),” STD 15, RFC 1157, May 1990 (TXT).
[RFC2272] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, “Message Processing and Dispatching for the Simple Network Management Protocol (SNMP),” RFC 2272, January 1998 (TXT, HTML, XML).
[RFC2275] Wijnen, B., Presuhn, R., and K. McCloghrie, “View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP),” RFC 2275, January 1998 (TXT, HTML, XML).
[RFC2273] Levi, D., Meyer, P., and B. Stewart, “SNMPv3 Applications,” RFC 2273, January 1998 (TXT, HTML, XML).
[RFC2274] Blumenthal, U., “User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3),” RFC 2274, January 1998 (TXT, HTML, XML).
[RFC1901] Case, J., McCloghrie, K., McCloghrie, K., Rose, M., and S. Waldbusser, “Introduction to Community-based SNMPv2,” RFC 1901, January 1996 (TXT).
[RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2),” RFC 1906, January 1996 (TXT).
[RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, “Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2),” RFC 1905, January 1996 (TXT).


 TOC 

11.2. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, “Introduction and Applicability Statements for Internet-Standard Management Framework,” RFC 3410, December 2002 (TXT).
[RFC2629] Rose, M., “Writing I-Ds and RFCs using XML,” RFC 2629, June 1999 (TXT, HTML, XML).
[RFC4181] Heard, C., “Guidelines for Authors and Reviewers of MIB Documents,” BCP 111, RFC 4181, September 2005 (TXT).


 TOC 

Authors' Addresses

  Tanya Roosa (editor)
  Cisco Systems
  510 McCarthy Blvd.
  Milpitas
  USA
Phone:  510-220-0047
EMail:  roosta@cisco.com
  
  Sheela Rowles
  Cisco Systems
  510 McCarthy Blvd
  Milpitas, CA
  USA
Phone:  408-527-7677
Fax: 
EMail:  sheela@cisco.com
URI: 
  
  Mike Hamada
  Cisco Systems
  510 McCarthy Blvd
  Milpitas, CA
  USA
Phone:  408-525-7473
Fax: 
EMail:  michamad@cisco.com
URI: 
  
  Kavitha Kamarthy (editor)
  Cisco Systems
  510 McCarthy Blvd
  Milpitas, CA
  USA
Phone:  408-525-1209
Fax: 
EMail:  kavithac@cisco.com
URI: 
  
  Preethi Sundaradevan
  Cisco Systems
  510 McCarthy Blvd
  Milpitas, CA
  USA
Phone:  408-424-4713
Fax: 
EMail:  prsundar@cisco.com
URI: