Internet DRAFT - draft-shriver-doi-tc-mib
Internet Engineering Task Force John Shriver
IP Security Working Group Shiva Corporation
Internet Draft February 3, 1999
IPSec DOI Textual Conventions MIB
<draft-shriver-doi-tc-mib-00.txt>
Status of this Memo
This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be
addressed to the working group mailing list (ipsec@tis.com) or to the
editor.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Distribution of this memo is unlimited.
Copyright Notice
This document is a product of the IETF's IPSec Working Group.
Copyright (C) The Internet Society (1999). All Rights Reserved.
Table of Contents
1 Introduction
2 The SNMP Network Management Framework
3 Discussion
IPSec Working Group [Page 1]
Internet Draft IPSec DOI Textual Conventions MIB February 1999
4 MIB Definitions
5 Security Considerations
6 IANA Considerations
7 Acknowledgements
8 Revision History
9 References
10 Author's Address
1. Introduction
This memo defines textual conventions for use in monitoring, status,
and configuration MIBs for IPSec. It includes a MIB module that
defines those textual conventions.
2. The SNMPv2 Network Management Framework
The SNMP Network Management Framework presently consists of three
major components. They are:
o An overall architecture, described in RFC 2271 [2271].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in
RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
version, called SMIv2, is described in RFC 1902 [1902], RFC 1903
[1903] and RFC 1904 [1904].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in RFC 1157 [1157]. A second version of the SNMP
message protocol, which is not an Internet standards track
protocol, is called SNMPv2c and described in RFC 1901 [1901] and
RFC 1906 [1906]. The third version of the message protocol is
called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
and RFC 2274 [2274].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in RFC 1157 [1157]. A second set of protocol
operations and associated PDU formats is described in RFC 1905
[1905].
o A set of fundamental applications described in RFC 2273 [2273]
and the view-based access control mechanism described in RFC
2275 [2275].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
3. Discussion
The IPSec architecture [SECARCH] defines protocols for dynamic key
management. These are based on the Internet Security Association and
Key Management Protocol [ISAKMP].
ISAKMP defines the concept of Domains of Interpretation (DOI). The
IPSec architecture has defined the Internet IP Security Domain of
Interpretation for ISAKMP [IPDOI].
The IPSec architecture defines the Internet Key Exchange [IKE]. The
use of this protocol is indicated by one of the constants in the
IPSec DOI.
This MIB defines textual conventions for the constants defined in
ISAKMP, the IPSec DOI, and IKE.
These are defined in a separate MIB for two reasons.
o There will be variables with a syntax corresponding to these
textual conventions in numerous MIBs that will be defined for
the IPSec architecture.
o All of the numbers defined in these textual conventions are in
"magic number" spaces that are managed by the IANA.
If these conventions were part of the relevant MIBs, those MIBs would
be constantly out of date. By placing them in a separate MIB, that
MIB can be maintained by the IANA simultaneously with assigning new
values.
4. MIB Definitions
IPSEC-ISAKMP-IKE-DOI-TC DEFINITIONS ::= BEGIN
IMPORTS
-- delete next line before release
experimental,
MODULE-IDENTITY, Unsigned32 FROM SNMPv2-SMI
-- uncomment next line before release
-- mib-2 FROM RFC1213-MIB
TEXTUAL-CONVENTION FROM SNMPv2-TC;
ipsecIsakmpIkeDoiTC MODULE-IDENTITY
LAST-UPDATED "9902021915Z"
ORGANIZATION "Shiva"
CONTACT-INFO "John Shriver
Shiva Corporation
28 Crosby Drive
Bedford, MA 01730
Phone:
+1-781-687-1329
E-mail:
jas@shiva.com"
DESCRIPTION "The MIB module which defines the textual conventions
used in IPSEC MIBs. This includes Internet DOI
numbers defined in RFC 2407, ISAKMP numbers defined
in RFC 2408, and IKE numbers defined in RFC 2409.
These Textual Conventions are defined in a separate
MIB module since they are protocol numbers managed
by the IANA. Revision control after publication
will be under the authority of the IANA."
-- replace xxx in next line before release, uncomment before release
-- ::= { mib-2 xxx }
-- delete next line before release
::= { experimental 2407 } -- BOGUS!
-- The first group of textual conventions are based on definitions
-- in the IPSEC DOI, RFC 2407.
IpsecDoiSituation ::= TEXTUAL-CONVENTION
DISPLAY-HINT "x"
STATUS current
DESCRIPTION "The IPSEC DOI Situation provides information that
can be used by the responder to make a policy
determination about how to process the incoming
Security Association request.
It is a four (4) octet bitmask, with the following
values:
sitIdentityOnly 0x01
sitSecrecy 0x02
sitIntegrity 0x04
The upper two bits (0x80000000 and 0x40000000) are
reserved for private use amongst cooperating
systems."
REFERENCE "RFC 2407 sections 4.2 and 6.2"
SYNTAX Unsigned32 (0..4294967295)
-- The syntax is not BITS, because we want the representation
-- to be the same here as it is in the ISAKMP/IKE protocols.
IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "These are the IPSEC DOI values for the Protocol-Id
field in an ISAKMP Proposal Payload, and in all
Notification Payloads.
They are also used as the Protocol-ID in the
Notification Payload and the Delete Payload.
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 section 4.4.1"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
protoIsakmp(1), -- message protection
-- required during Phase I
-- of the IKE protocol
protoIpsecAh(2), -- IP packet authentication
-- via Authentication Header
protoIpsecEsp(3), -- IP packet confidentiality
-- via Encapsulating
-- Security Payload
protoIpcomp(4) -- IP payload compression
}
IpsecDoiTransformIdent ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPSEC DOI ISAKMP Transform Identifier is an
8-bit value which identifies a key exchange protocol
to be used for the negotiation. It is used in the
Transform-Id field of an IKE Phase I Transform
Payload.
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.2 and 6.3"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
keyIke(1) -- the hybrid ISAKMP/Oakley
-- Diffie-Hellman key
-- exchange
}
IpsecDoiAhTransform ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPSEC DOI AH Transform Identifier is an 8-bit
value which identifies a particular algorithm to be
used to provide integrity protection for AH. It is
used in the Transform-ID field of an ISAKMP Transform
Payload for the IPSEC DOI, when the Protocol-Id of
the associated Proposal Payload is 2 (AH).
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.3 and 6.4"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
reserved1(1), -- reserved
ahMd5(2), -- generic AH transform
-- using MD5
ahSha(3), -- generic AH transform
-- using SHA-1
ahDes(4) -- generic AH transform
-- using DES
}
IpsecDoiEspTransform ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPSEC DOI ESP Transform Identifier is an 8-bit
value which identifies a particular algorithm to be
used to provide secrecy protection for ESP. It is
used in the Transform-ID field of an ISAKMP Transform
Payload for the IPSEC DOI, when the Protocol-Id of
the associated Proposal Payload is 2 (AH), 3 (ESP),
and 4 (IPCOMP).
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.4 and 6.5"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
espDesIv64(1), -- DES-CBC transform defined
-- in RFC 1827 and RFC 1829
-- using a 64-bit IV
espDes(2), -- generic DES transform
-- using DES-CBC
esp3Des(3), -- generic triple-DES
-- transform
espRc5(4), -- RC5 transform
espIdea(5), -- IDEA transform
espCast(6), -- CAST transform
espBlowfish(7), -- BLOWFISH transform
esp3Idea(8), -- reserved for triple-IDEA
espDesIv32(9), -- DES-CBC transform defined
-- in RFC 1827 and RFC 1829
-- using a 32-bit IV
espRc4(10), -- reserved for RC4
espNull(11) -- no confidentiality
-- provided by ESP
}
IpsecDoiAuthAlgorithm ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The ESP Authentication Algorithm used in the IPSEC
DOI as a SA Attributes definition in the Transform
Payload of Phase II of an IKE negotiation. This
set of values defines the AH authentication
algorithm, when the associated Proposal Payload has
a Protocol-ID of 2 (AH). This set of values
defines the ESP authentication algorithm, when the
associated Proposal Payload has a Protocol-ID
of 3 (ESP).
Values 5-61439 are reserved to IANA.
Values 61440-65535 are for private use.
In a MIB, a value of 0 indicates that ESP
has been negotiated without authentication."
REFERENCE "RFC 2407 section 4.5"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
hmacMd5(1),
hmacSha(2),
desMac(3),
kpdk(4)
}
IpsecDoiIpcompTransform ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPSEC DOI IPCOMP Transform Identifier is an
8-bit value which identifies a particular algorithm
to be used to provide IP-level compression before
ESP. It is used in the Transform-ID field of an ISAKMP
Transform Payload for the IPSEC DOI, when the
Protocol-Id of the associated Proposal Payload
is 4 (IPCOMP).
The values 1-47 are reserved for algorithms for which
an RFC has been approved for publication.
The values 48-63 are reserved for private use amongst
cooperating systems.
The values 64-255 are reserved for future expansion."
REFERENCE "RFC 2407 sections 4.4.5 and 6.6"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
ipcompOui(1), -- proprietary compression
-- transform
ipcompDeflate(2), -- "zlib" deflate algorithm
ipcompLzs(3) -- Stac Electronics LZS
}
IpsecDoiEncapsulationMode ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The Encapsulation Mode used as an IPSEC DOI
SA Attributes definition in the Transform Payload
of a Phase II IKE negotiation. This set of
values defines encapsulation modes used for AH,
ESP, and IPCOMP when the associated Proposal Payload
has a Protocol-ID of 3 (ESP).
Values 3-61439 are reserved to IANA.
Values 61440-65535 are for private use."
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
tunnel(1),
transport(2)
}
IpsecDoiIdentType ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "The IPSEC DOI Identification Type is an 8-bit value
which is used in the ID Type field as a discriminant
for interpretation of the variable-length
Identification Payload.
The values 249-255 are reserved for private use
amongst cooperating systems."
REFERENCE "RFC 2407 sections 4.4.5, 4.6.2.1, and 6.9"
SYNTAX INTEGER {
reserved(0), -- reserved in DOI
idIpv4Addr(1), -- a single four (4) octet
-- IPv4 address
idFqdn(2), -- fully-qualified domain
-- name string
idUserFqdn(3), -- fully-qualified username
-- string
idIpv4AddrSubnet(4),
-- a range of IPv4 addresses,
-- represented by two
-- four (4) octet values,
-- where the first is an
-- address and the second
-- is a mask
idIpv6Addr(5), -- a single sixteen (16)
-- octet IPv6 address
idIpv6AddrSubnet(6),
-- a range of IPv6 addresses,
-- represented by two
-- sixteen (16) octet values,
-- where the first is an
-- address and the second
-- is a mask
idIpv4AddrRange(7), -- a range of IPv4 addresses,
-- represented by two
-- four (4) octet values,
-- where the first is the
-- beginning IPv4 address
-- and the second is the
-- ending IPv4 address
idIpv6AddrRange(8), -- a range of IPv6 addresses,
-- represented by two
-- sixteen (16) octet values,
-- where the first is the
-- beginning IPv6 address
-- and the second is the
-- ending IPv6 address
idDerAsn1Dn(9), -- the binary DER encoding of
-- ASN1 X.500
-- DistinguishedName
idDerAsn1Gn(10), -- the binary DER encoding of
-- ASN1 X.500 GeneralName
idKeyId(11) -- opaque byte stream which
-- may be used to pass
-- vendor-specific
-- information
}
-- The second group of textual conventions are based on definitions
-- in the ISAKMP protocol, RFC 2408.
IsakmpCertificateEncoding ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "These are the values for the types of
certificate-related information contained in the
Certificate Data field of a Certificate Payload.
They are used in the Cert Encoding field of the
Certificate Payload.
Values 11-255 are reserved."
REFERENCE "RFC 2408 section 3.9"
SYNTAX INTEGER {
pkcs7(1), -- PKCS #7 wrapped
-- X.509 certificate
pgp(2), -- PGP Certificate
dnsSignedKey(3), -- DNS Signed Key
x509Signature(4), -- X.509 Certificate:
-- Signature
x509KeyExchange(5), -- X.509 Certificate:
-- Key Exchange
kerberosTokens(6), -- Kerberos Tokens
crl(7), -- Certificate Revocation
-- List (CRL)
arl(8), -- Authority Revocation
-- List (ARL)
spki(9), -- SPKI Certificate
x509Attribute(10) -- X.509 Certificate:
-- Attribute
}
IsakmpNotifyMessageType ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "These are the values for the types of notification
messages. They are used as the Notify Message Type
field in the Notification Payload.
This textual convention merges the types
for error types (in the range 1-16386) and for
notification types (in the range 16384-65535).
This textual convention is also a merge of values
defined by ISAKMP with additional values defined
in the IPSEC DOI.
The values 16001-16383 are reserved for private use
as error types amongst cooperating systems.
The values 32001-32767 are reserved for private use
as notification types amongst cooperating systems."
REFERENCE "RFC 2408 section 3.14.1 and RFC 2407 sections 4.6.3
and 6.10"
SYNTAX INTEGER {
-- Values defined for errors in ISAKMP
--
reserved(0), -- reserved in DOI
invalidPayloadType(1),
doiNotSupported(2),
situationNotSupported(3),
invalidCookie(4),
invalidMajorVersion(5),
invalidMinorVersion(6),
invalidExchangeType(7),
invalidFlags(8),
invalidMessageId(9),
invalidProtocolId(10),
invalidSpi(11),
invalidTransformId(12),
attributesNotSupported(13),
noProposalChosen(14),
badProposalSyntax(15),
payloadMalformed(16),
invalidKeyInformation(17),
invalidIdInformation(18),
invalidCertEncoding(19),
invalidCertificate(20),
certTypeUnsupported(21),
invalidCertAuthority(22),
invalidHashInformation(23),
authenticationFailed(24),
invalidSignature(25),
addressNotification(26),
notifySaLifetime(27),
certificateUnavailable(28),
unsupportedExchangeType(29),
unequalPayloadLengths(30),
-- values defined for errors in IPSEC DOI
-- (none)
-- values defined for notification in ISAKMP
-- (none)
-- values defined for notification in IPSEC
-- DOI
responderLifetime(24576),
-- used to communicate IPSEC
-- SA lifetime chosen by the
-- responder
replayStatus(24577),
-- used for positive
-- confirmation of the
-- responder's election on
-- whether or not he is to
-- perform anti-replay
-- detection
initialContact(24578)
-- used when one side wishes
-- to inform the other that
-- this is the first SA being
-- established with the
-- remote system
}
-- The third group of textual conventions are based on definitions
-- in the IKE key exchange protocol, RFC 2409.
IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for encryption algorithms negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attribute type Encryption
Algorithm (1).
Values 7-65000 are reserved to IANA.
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A"
SYNTAX INTEGER {
reserved(0), -- reserved in IKE
desCbc(1), -- RFC 2405
ideaCbc(2),
blowfishCbc(3),
rc5R16B64Cbc(4), -- RC5 R16 B64 CBC
tripleDesCbc(5), -- 3DES CBC
castCbc(6)
}
IkeHashAlgorithm ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for hash algorithms negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attribute type Hash Algorithm (2).
Values 4-65000 are reserved to IANA.
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A"
SYNTAX INTEGER {
reserved(0), -- reserved in IKE
md5(1), -- RFC 1321
sha(2), -- FIPS 180-1
tiger(3)
}
IkeAuthMethod ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for authentication methods negotiated
for the ISAKMP SA by IKE in Phase I. These are
values for SA Attribute type Authentication
Method (3).
Values 6-65000 are reserved to IANA.
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A,
draft-ietf-ipsec-dhless-enc-mode-00.txt
Appendix A"
SYNTAX INTEGER {
reserved(0), -- reserved in IKE
preSharedKey(1),
dssSignatures(2),
rsaSignatures(3),
encryptionWithRsa(4),
revisedEncryptionWithRsa(5),
dhLessRsaEncryption(6)
}
IkeGroupDescription ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for Oakley key computation groups for
Diffie-Hellman exchange negotiated for the ISAKMP
SA by IKE in Phase I. They are also used in Phase II
when perfect forward secrecy is in use. These are
values for SA Attribute type Group Description (4)."
REFERENCE "RFC 2409 appendix A,
http://www.lounge.org/ike_doi_errata.html"
SYNTAX INTEGER {
reserved(0), -- reserved in IKE
modp768(1), -- default 768-bit MODP group
modp1024(2), -- alternate 1024-bit MODP
-- group
ec2nGalois2P155(3), -- EC2N group on Galois
-- Field GF[2^155]
ec2nGalois2P185(4), -- EC2N group on Galois
-- Field GF[2^185]
modp1536(5) -- alternate 1536-bit MODP
-- group
}
IkeGroupType ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for Oakley key computation group types
negotiated for the ISAKMP SA by IKE in Phase I.
They are also used in Phase II when perfect forward
secrecy is in use. These are values for SA Attribute
type Group Type (5)."
REFERENCE "RFC 2409 appendix A"
SYNTAX INTEGER {
reserved(0), -- reserved in IKE
modp(1), -- modular exponentiation
-- group
ecp(2), -- elliptic curve group over
-- Galois Field GF[P]
ec2n(3) -- elliptic curve group over
-- Galois Field GF[2^N]
}
IkePrf ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION "Values for Pseudo-Random Functions used
with the hash algorithm negotiated for the ISAKMP SA
by IKE in Phase I. There are currently no
pseudo-random functions defined; the default HMAC is
always used. These are values for SA Attribute type
PRF (13).
Values 1-65000 are reserved to IANA.
Values 65001-65535 are for private use among
mutually consenting parties."
REFERENCE "RFC 2409 appendix A"
SYNTAX Unsigned32 (0..65535)
END
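The following Python sketch is an added example, not part of this memo or of any IPSec MIB implementation. It shows how a management application might interpret polled values of these textual conventions, including values assigned by the IANA after the application's copy of the MIB was compiled. The function and table names are hypothetical; the numbers are copied from the definitions above.

```python
# Added example. Numbers are copied from the textual conventions in this
# memo; every function and table name here is hypothetical.

SITUATION_BITS = {0x01: "sitIdentityOnly", 0x02: "sitSecrecy", 0x04: "sitIntegrity"}
SITUATION_PRIVATE = 0x80000000 | 0x40000000  # upper two bits: private use


def decode_situation(value):
    """Split an IpsecDoiSituation value into named, private-use and unknown bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IpsecDoiSituation is a four-octet bitmask")
    named = [name for bit, name in sorted(SITUATION_BITS.items()) if value & bit]
    known = SITUATION_PRIVATE
    for bit in SITUATION_BITS:
        known |= bit
    return {
        "named": named,
        "private": value & SITUATION_PRIVATE,
        "unknown": value & ~known & 0xFFFFFFFF,
    }


# name -> (largest legal value, enumerated labels, [(low, high, class), ...])
CONVENTIONS = {
    "IkeEncryptionAlgorithm": (
        65535,
        {0: "reserved", 1: "desCbc", 2: "ideaCbc", 3: "blowfishCbc",
         4: "rc5R16B64Cbc", 5: "tripleDesCbc", 6: "castCbc"},
        [(7, 65000, "iana-reserved"), (65001, 65535, "private-use")],
    ),
    "IpsecDoiAuthAlgorithm": (
        65535,
        {0: "reserved", 1: "hmacMd5", 2: "hmacSha", 3: "desMac", 4: "kpdk"},
        [(5, 61439, "iana-reserved"), (61440, 65535, "private-use")],
    ),
    "IpsecDoiEspTransform": (
        255,  # 8-bit Transform-ID
        {0: "reserved", 1: "espDesIv64", 2: "espDes", 3: "esp3Des", 4: "espRc5",
         5: "espIdea", 6: "espCast", 7: "espBlowfish", 8: "esp3Idea",
         9: "espDesIv32", 10: "espRc4", 11: "espNull"},
        [(249, 255, "private-use")],
    ),
}


def classify(convention, value):
    """Return (label, class) for a polled integer without rejecting new values."""
    maximum, labels, ranges = CONVENTIONS[convention]
    if not 0 <= value <= maximum:
        raise ValueError(f"{value} is outside the range of {convention}")
    if value in labels:
        return labels[value], "assigned"
    for low, high, kind in ranges:
        if low <= value <= high:
            return None, kind
    # Assumption: a value the memo neither names nor places in a range is
    # reported as "unassigned" rather than treated as an error.
    return None, "unassigned"


if __name__ == "__main__":
    # Constructed sample values, as a poller might read them from an agent.
    print(decode_situation(0x80000014))
    for tc, v in [("IkeEncryptionAlgorithm", 5), ("IkeEncryptionAlgorithm", 7),
                  ("IpsecDoiAuthAlgorithm", 61440), ("IpsecDoiEspTransform", 100)]:
        print(tc, v, classify(tc, v))
```
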
5. Security Considerations
Since this MIB defines only textual conventions, there are no
security considerations. Security considerations exist only when
managed objects are defined with these textual conventions.
6. IANA Considerations
This document contains the MIB definitions corresponding to a group of
"magic numbers" that are maintained by the IANA. The IANA will
maintain the MIB in this document as they assign new values of these
magic numbers.
This MIB will be maintained in the same manner as the IANAifType-MIB.
7. Acknowledgements
Thanks are extended to Tim Jenkins for modifying his MIBs to use
these textual conventions.
8. Revision History
This section will be removed before publication.
February 3, 1999. Initial release.
9. References
[IPDOI] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998.
[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998.
[1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Structure of Management Information for version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1902,
January 1996.
[2271] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing SNMP Management Frameworks",
RFC 2271, January 1998.
[1155] Rose, M., and K. McCloghrie, "Structure and Identification
of Management Information for TCP/IP-based Internets", RFC
1155, May 1990.
[1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
1212, March 1991.
[1215] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
and S. Waldbusser, "Textual Conventions for Version 2 of
the Simple Network Management Protocol (SNMPv2)", RFC 1903,
January 1996.
[1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
and S. Waldbusser, "Conformance Statements for Version 2 of
the Simple Network Management Protocol (SNMPv2)", RFC 1904,
January 1996.
[1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", RFC 1157, May 1990.
[1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
and S. Waldbusser, "Introduction to Community-based
SNMPv2", RFC 1901, January 1996.
[1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
and S. Waldbusser, "Transport Mappings for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1906,
January 1996.
[2272] Case, J., Harrington D., Presuhn R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", RFC 2272, January 1998.
[2274] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", RFC 2274, January 1998.
[1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
and S. Waldbusser, "Protocol Operations for Version 2 of
the Simple Network Management Protocol (SNMPv2)", RFC 1905,
January 1996.
[2273] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
RFC 2273, SNMP Research, Inc., Secure Computing
Corporation, Cisco Systems, January 1998.
[2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", RFC 2275, January 1998.
10. Author's Address
John Shriver
Shiva Corporation
28 Crosby Drive
Bedford, MA 01730
Phone: 781-687-1329
EMail: jas@shiva.com