-- extracted from draft-yacine-pana-snmp-00.txt -- at Wed Dec 24 06:16:17 2003 PANA-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE FROM SNMPv2-SMI RowStatus, PhysAddress FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF IpspMib, ipspActionExecuted, ipspIPInterfaceType, ipspIPInterfaceAddress, ipspIPSourceType, ipspIPSourceAddress, ipspIPDestinationType, ipspIPDestinationAddress, ipspPacketDirection FROM IPSEC-POLICY-MIB; -- -- Module identity -- panaMIB MODULE-IDENTITY LAST-UPDATED "200210310000Z" -- 31 October 2003 ORGANIZATION "IETF PANA Working Group" CONTACT-INFO "Yacine El Mghazli Alcatel 91460 Marcoussis, France Phone: +33 1 69 63 41 87 Email: yacine.el_mghazli@alcatel.fr" DESCRIPTION "The MIB module for defining additional PANA-specific objects to the IPSec Configuration MIB. Copyright (C) The Internet Society (2003). This version of this MIB module is part of RFC XXXX, see the RFC itself for full legal notices." -- Revision History REVISION "200210310000Z" -- 31 October 2003 DESCRIPTION "Initial version, published as draft-yacine-pana- paa2ep-snmp-00.txt" ::= { ipspMib XXX } -- XXX to be assigned by IANA -- -- groups of related objects -- panaConfigObjects OBJECT IDENTIFIER ::= { panaMIB 1 } panaNotificationObjects OBJECT IDENTIFIER ::= { panaMIB 2 } panaConformanceObjects OBJECT IDENTIFIER ::= { panaMIB 3 } -- -- Textual Conventions -- -- TBD. -- -- PANA Additional Filters Objects -- -- -- The IEEE 802 Filter Table -- pana802FilterTable OBJECT-TYPE SYNTAX SEQUENCE OF Pana802FilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " IEEE 802-based filter definitions. A class that contains attributes of IEEE 802 (e.g., 802.3) traffic that form filters that are used to perform traffic classification." ::= { panaConfigObjects 1 } pana802FilterEntry OBJECT-TYPE SYNTAX Pana802FilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " IEEE 802-based filter definitions. An entry specifies (potentially) several distinct matching components. Each component is tested against the data in a frame individually. An overall match occurs when all of the individual components match the data they are compared against in the frame being processed. A failure of any one test causes the overall match to fail. Wildcards may be specified for those fields that are not relevant." INDEX { pana802FilterName } ::= { pana802FilterTable 1 } Pana802FilterEntry ::= SEQUENCE { pana802FilterName SnmpAdminString, pana802FilterType BITS, pana802FilterDstAddr PhysAddress, pana802FilterDstAddrMask PhysAddress, pana802FilterSrcAddr PhysAddress, pana802FilterSrcAddrMask PhysAddress, pana802FilterVlanId Integer32, pana802FilterVlanTagRequired INTEGER, pana802FilterEtherType Integer32, pana802FilterUserPriority BITS, pana802FiltLastChanged TimeStamp, pana802FiltStorageType StorageType, pana802FiltRowStatus RowStatus } pana802FilterNamer OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter. " := { pana802FilterEntry 1 } pana802FilterType OBJECT-TYPE SYNTAX BITS { srcAddress(0), dstAddress(1), vlanId(4), etherType(5), userPriority(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "This defines the various tests that are used when evaluating a given filter. The results of each test are ANDed together to produce the result of the entire filter. When processing this filter, it is recommended for efficiency reasons that the filter halt processing the instant any of the specified tests fail. Once a row is 'active', this object's value may not be changed unless all the appropriate columns needed by the new value to be imposed on this object have been appropriately configured. . " := { pana802FilterEntry 2 } pana802FilterDstAddr OBJECT-TYPE SYNTAX PhysAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The 802 address against which the 802 DA of incoming traffic streams will be compared. Frames whose 802 DA matches the physical address specified by this object, taking into account address wildcarding as specified by the pana802FilterDstAddrMask object, are potentially subject to the processing guidelines that are associated with this entry through the related action class." := { pana802FilterEntry 3 } pana802FilterDstAddrMask OBJECT-TYPE SYNTAX PhysAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the bits in a 802 destination address that should be considered when performing a 802 DA comparison against the address specified in the pana802FilterDstAddr object. The value of this object represents a mask that is logically and'ed with the 802 DA in received frames to derive the value to be compared against the pana802FilterDstAddr address. A zero bit in the mask thus means that the corresponding bit in the address always matches. The pana802FilterDstAddr value must also be masked using this value prior to any comparisons. The length of this object in octets must equal the length in octets of the pana802FilterDstAddr. Note that a mask with no bits set (i.e., all zeroes) effectively wildcards the pana802FilterDstAddr object." ::= { pana802FilterEntry 4 } pana802FilterSrcAddr OBJECT-TYPE SYNTAX PhysAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The 802 MAC address against which the 802 MAC SA of incoming traffic streams will be compared. Frames whose 802 MAC SA matches the physical address specified by this object, taking into account address wildcarding as specified by the pana802FilterSrcAddrMask object, are potentially subject to the processing guidelines that are associated with this entry through the related action class." ::= { pana802FilterEntry 5 } pana802FilterSrcAddrMask OBJECT-TYPE SYNTAX PhysAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the bits in a 802 MAC source address that should be considered when performing a 802 MAC SA comparison against the address specified in the pana802FilterSrcAddr object. The value of this object represents a mask that is logically and'ed with the 802 MAC SA in received frames to derive the value to be compared against the pana802FilterSrcAddr address. A zero bit in the mask thus means that the corresponding bit in the address always matches. The pana802FilterSrcAddr value must also be masked using this value prior to any comparisons. The length of this object in octets must equal the length in octets of the pana802FilterSrcAddr. Note that a mask with no bits set (i.e., all zeroes) effectively wildcards the pana802FilterSrcAddr object." ::= { pana802FilterEntry 6 } pana802FilterVlanId OBJECT-TYPE SYNTAX Integer32 (-1 | 1..4094) MAX-ACCESS read-create STATUS current DESCRIPTION "The VLAN ID (VID) that uniquely identifies a VLAN within the device. This VLAN may be known or unknown (i.e., traffic associated with this VID has not yet been seen by the device) at the time this entry is instantiated. Setting the pana802FilterVlanId object to -1 indicates that VLAN data should not be considered during traffic classification." ::= { pana802FilterEntry 7 } pana802FilterVlanTagRequired OBJECT-TYPE SYNTAX INTEGER { taggedOnly(1), priorityTaggedPlus(2), untaggedOnly(3), ignoreTag(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates whether the presence of an IEEE 802.1Q VLAN tag in data link layer frames must be considered when determining if a given frame matches this 802 filter entry. A value of 'taggedOnly(1)' means that only frames containing a VLAN tag with a non-Null VID (i.e., a VID in the range 1..4094) will be considered a match. A value of 'priorityTaggedPlus(2)' means that only frames containing a VLAN tag, regardless of the value of the VID, will be considered a match. A value of 'untaggedOnly(3)' indicates that only untagged frames will match this filter component. The presence of a VLAN tag is not taken into consideration in terms of a match if the value is 'ignoreTag(4)'." ::= { pana802FilterEntry 8 } pana802FilterEtherType OBJECT-TYPE SYNTAX Integer32 (-1 | 0..'ffff'h) MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the value that will be compared against the value contained in the EtherType field of an IEEE 802 frame. Example settings would include 'IP' (0x0800), 'ARP' (0x0806) and 'IPX' (0x8137). Setting the pana802FilterEtherTypeMin object to -1 indicates that EtherType data should not be considered during traffic classification. Note that the position of the EtherType field depends on the underlying frame format. For Ethernet-II encapsulation, the EtherType field follows the 802 MAC source address. For 802.2 LLC/SNAP encapsulation, the EtherType value follows the Organization Code field in the 802.2 SNAP header. The value that is tested with regard to this filter component therefore depends on the data link layer frame format being used. If this 802 filter component is active when there is no EtherType field in a frame (e.g., 802.2 LLC), a match is implied." ::= { pana802FilterEntry 9 } pana802FilterUserPriority OBJECT-TYPE SYNTAX BITS { matchPriority0(0), matchPriority1(1), matchPriority2(2), matchPriority3(3), matchPriority4(4), matchPriority5(5), matchPriority6(6), matchPriority7(7) } MAX-ACCESS read-create STATUS current DESCRIPTION "The set of values, representing the potential range of user priority values, against which the value contained in the user priority field of a tagged 802.1 frame is compared. A test for equality is performed when determining if a match exists between the data in a data link layer frame and the value of this 802 filter component. Multiple values may be set at one time such that potentially several different user priority values may match this 802 filter component. Setting all of the bits that are associated with this object causes all user priority values to match this attribute. This essentially makes any comparisons with regard to user priority values unnecessary. Untagged frames are treated as an implicit match." ::= { pana802FilterEntry 10 } pana802FiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { pana802FilterEntry 11 } pana802FiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { pana802FilterEntry 12 } pana802FiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. This object may not be set to active if the requirements of the pana802FilterType object are not met. In other words, if the associated value columns needed by a particular test have not been set, then attempting to change this row to an active state will result in an inconsistentValue error. See the pana802FilterType object description for further details." ::= { pana802FilterEntry 13 } -- -- -- Notification objects information -- -- panaNotifications OBJECT IDENTIFIER ::= { panaNotificationObjects 0 } panaNewPacNotification NOTIFICATION-TYPE OBJECTS { ipspActionExecuted, ipspIPInterfaceType, ipspIPInterfaceAddress, ipspIPSourceType, ipspIPSourceAddress, ipspIPDestinationType, ipspIPDestinationAddress, ipspPacketDirection } STATUS current DESCRIPTION "Notification that AP detected traffic coming from an unauthorized source. The objects sent must include the ipspActionExecuted which will indicate which action was executed within the scope of the rule. Additionally, the ipspIPSourceType, ipspIPSourceAddress, ipspIPDestinationType, and ipspIPDestinationAddress, objects must be included to indicate the packet source and destination of the packet that triggered the action. The ipspIPInterfaceType, ipspIPInterfaceAddress, and ipspPacketDirection objects are included to indicate which endpoint the packet was associated with." ::= { panaNotifications 1 } -- -- -- Conformance information -- -- -- TBD. END -- -- "Copyright (C) The Internet Society (2003). All Rights Reserved. -- -- This document and translations of it may be copied and furnished to -- others, and derivative works that comment on or otherwise explain it -- or assist in its implementation may be prepared, copied, published -- and distributed, in whole or in part, without restriction of any -- kind, provided that the above copyright notice and this paragraph are -- included on all such copies and derivative works. However, this -- document itself may not be modified in any way, such as by removing -- the copyright notice or references to the Internet Society or other -- Internet organizations, except as needed for the purpose of -- developing Internet standards in which case the procedures for -- copyrights defined in the Internet Standards process must be -- followed, or as required to translate it into languages other than -- English. -- -- The limited permissions granted above are perpetual and will not be -- revoked by the Internet Society or its successors or assigns. -- -- This document and the information contained herein is provided on an -- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING -- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING -- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION -- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF -- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.