6.5. The T11-FC-SP-SA-MIB Module
--*******************************************************************
-- FC-SP Security Associations
--

T11-FC-SP-SA-MIB  DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Unsigned32, Counter32, Counter64, TimeTicks,
    Gauge32, mib-2
                           FROM SNMPv2-SMI               -- [RFC2578]
    RowStatus, StorageType, AutonomousType,
    TimeStamp, TruthValue
                           FROM SNMPv2-TC                -- [RFC2579]
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                           FROM SNMPv2-CONF              -- [RFC2580]
    InterfaceIndex,
    InterfaceIndexOrZero
                           FROM IF-MIB                   -- [RFC2863]
    fcmInstanceIndex, FcAddressIdOrZero
                           FROM FC-MGMT-MIB              -- [RFC4044]
    T11FabricIndex
                           FROM T11-TC-MIB               -- [RFC4439]
    T11FcSpType, T11FcSpiIndex,
    T11FcSpLifetimeLeft, T11FcSpLifetimeLeftUnits,
    T11FcSpSecurityProtocolId, T11FcRoutingControl,
    T11FcSaDirection, T11FcSpPrecedence, T11FcSpTransforms
                           FROM T11-FC-SP-TC-MIB;

t11FcSpSaMIB  MODULE-IDENTITY
    LAST-UPDATED  "200808200000Z"
    ORGANIZATION  "This MIB module was developed through the
                  coordinated effort of two organizations:
                  T11 began the development and the IETF (in
                  the IMSS Working Group) finished it."
    CONTACT-INFO
            "     Claudio DeSanti
                  Cisco Systems, Inc.
                  170 West Tasman Drive
                  San Jose, CA 95134 USA
                  EMail: cds@cisco.com

                  Keith McCloghrie
                  Cisco Systems, Inc.
                  170 West Tasman Drive
                  San Jose, CA 95134 USA
                  Email: kzm@cisco.com"
    DESCRIPTION
           "This MIB module specifies the management information
           required to manage Security Associations established via
           Fibre Channel's FC-SP specification.

           The MIB module consists of six parts:

           - a per-Fabric table, t11FcSpSaIfTable, of capabilities,
             parameters, status information, and counters; the
             counters include non-transient aggregates of per-SA
             transient counters;

           - three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable,
             and t11FcSpSaTransTable, specifying the proposals for an
             FC-SP entity acting as an SA_Initiator to present to the
             SA_Responder during the negotiation of Security
             Associations. The same information is also used by an
             FC-SP entity acting as an SA_Responder to decide what to
             accept during the negotiation of Security Associations.
             One of these tables, t11FcSpSaTransTable, is used not
             only for information about security transforms to propose
             and to accept, but also as agreed upon during the
             negotiation of Security Associations;

           - a table, t11FcSpSaTSelDrByTable, of Traffic Selectors
             having the security action of 'drop' or 'bypass' to be
             applied either to ingress traffic that is unprotected by
             FC-SP, or to all egress traffic;

           - four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable,
             t11FcSpSaTSelNegOutTable, and t11FcSpSaTSelSpiTable,
             containing information about active bidirectional pairs
             of Security Associations; in particular,
             t11FcSpSaPairTable has one row per active bidirectional
             SA pair, t11FcSpSaTSelNegInTable and
             t11FcSpSaTSelNegOutTable contain information on the
             Traffic Selectors negotiated on the SAs, and the
             t11FcSpSaTSelSpiTable is an alternate lookup table such
             that the Traffic Selector(s) in use on a particular
             Security Association can be quickly determined based on
             the (ingress) SPI value;

           - a table, t11FcSpSaControlTable, of control and other
             information concerning the generation of notifications
             for events related to FC-SP Security Associations;

           - one notification, t11FcSpSaNotifyAuthFailure, generated
             on the occurrence of an Authentication failure for a
             received FC-2 or CT_IU frame.

           Copyright (C) The IETF Trust (2008). This version
           of this MIB module is part of RFC 5324; see the RFC itself
           for full legal notices."
    REVISION  "200808200000Z"
    DESCRIPTION
           "Initial version of this MIB module, published as RFC 5324."
    ::= { mib-2 179 }

t11FcSpSaMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpSaMIB 0 }
t11FcSpSaMIBObjects       OBJECT IDENTIFIER ::= { t11FcSpSaMIB 1 }
t11FcSpSaMIBConformance   OBJECT IDENTIFIER ::= { t11FcSpSaMIB 2 }
t11FcSpSaBase     OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 1 }
t11FcSpSaConfig   OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 2 }
t11FcSpSaActive   OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 3 }
t11FcSpSaControl  OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 4 }
--
-- Base-level Per-Fabric Information
--
t11FcSpSaIfTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaIfEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing per-Fabric information related to
           FC-SP Security Associations."
    ::= { t11FcSpSaBase 1 }

t11FcSpSaIfEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaIfEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information related to Security
           Associations on a particular Fabric, and managed as part of
           the Fibre Channel management instance identified by
           fcmInstanceIndex."
    INDEX  { fcmInstanceIndex, t11FcSpSaIfIndex,
             t11FcSpSaIfFabricIndex }
    ::= { t11FcSpSaIfTable 1 }

T11FcSpSaIfEntry ::= SEQUENCE {
    t11FcSpSaIfIndex                InterfaceIndexOrZero,
    t11FcSpSaIfFabricIndex          T11FabricIndex,
    -- capabilities
    t11FcSpSaIfEspHeaderCapab       T11FcSpTransforms,
    t11FcSpSaIfCTAuthCapab          T11FcSpTransforms,
    t11FcSpSaIfIKEv2Capab           T11FcSpTransforms,
    t11FcSpSaIfIkev2AuthCapab       TruthValue,
    -- parameters and status
    t11FcSpSaIfStorageType          StorageType,
    t11FcSpSaIfReplayPrevention     TruthValue,
    t11FcSpSaIfReplayWindowSize     Unsigned32,
    t11FcSpSaIfDeadPeerDetections   Counter32,
    t11FcSpSaIfTerminateAllSas      INTEGER,
    -- summary frame counters
    t11FcSpSaIfOutDrops             Counter64,
    t11FcSpSaIfOutBypasses          Counter64,
    t11FcSpSaIfOutProcesses         Counter64,
    t11FcSpSaIfOutUnMatcheds        Counter64,
    t11FcSpSaIfInUnprotUnmtchDrops  Counter64,
    -- aggregates of per-SA transient counters
    t11FcSpSaIfInDetReplays         Counter64,
    t11FcSpSaIfInUnprotMtchDrops    Counter64,
    t11FcSpSaIfInBadXforms          Counter64,
    t11FcSpSaIfInGoodXforms         Counter64,
    t11FcSpSaIfInProtUnmtchs        Counter64
}

t11FcSpSaIfIndex OBJECT-TYPE
    SYNTAX       InterfaceIndexOrZero
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "This object has a non-zero value to identify a
           particular interface, or the value zero to indicate
           that the information in this row applies to all
           (of the management instance's) interfaces to the
           particular Fabric.

           If any row has a non-zero value of t11FcSpSaIfIndex,
           then all rows for the same Fibre Channel management
           instance must also have a non-zero value of
           t11FcSpSaIfIndex and thereby be specific to a
           particular interface.

           As and when zero values of t11FcSpSaIfIndex are used
           in this table, then they must also be used in each
           other table that has t11FcSpSaIfIndex in its INDEX
           clause."
    ::= { t11FcSpSaIfEntry 1 }

t11FcSpSaIfFabricIndex OBJECT-TYPE
    SYNTAX       T11FabricIndex
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An index value that uniquely identifies a
           particular Fabric."
    ::= { t11FcSpSaIfEntry 2 }

t11FcSpSaIfEspHeaderCapab OBJECT-TYPE
    SYNTAX       T11FcSpTransforms
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "A list of the standardized transforms supported by this
           entity on this interface for ESP_Header protection."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, Appendix A.3.1, tables A.23, A.25."
    ::= { t11FcSpSaIfEntry 3 }
t11FcSpSaIfCTAuthCapab OBJECT-TYPE
    SYNTAX       T11FcSpTransforms
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "A list of the standardized transforms supported by this
           entity on this interface for CT_Authentication
           protection."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, Appendix A.3.1, tables A.23, A.25."
    ::= { t11FcSpSaIfEntry 4 }

t11FcSpSaIfIKEv2Capab OBJECT-TYPE
    SYNTAX       T11FcSpTransforms
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "A list of the standardized transforms supported by this
           entity on this interface with IKEv2 protection."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, Appendix A.3.1, tables A.23, A.24,
              A.25, A.26."
    ::= { t11FcSpSaIfEntry 5 }

t11FcSpSaIfIkev2AuthCapab OBJECT-TYPE
    SYNTAX       TruthValue
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "An indication of whether the entity is capable of
           supporting the IKEv2-AUTH protocol on this interface,
           i.e., concatenation of Authentication and SA Management
           Transactions, such that an SA Management Transaction is
           used to perform both the authentication function and
           SA management."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.7.2, and table A.27."
    ::= { t11FcSpSaIfEntry 6 }

t11FcSpSaIfStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
           "This object specifies the memory realization of
           information related to FC-SP Security Associations
           for interface(s) to a particular Fabric; specifically,
           for rows created and/or modified in these tables:

                     t11FcSpSaPropTable
                     t11FcSpSaTSelDrByTable
                     t11FcSpSaControlTable

           and, for modified information contained in the same
           row as an instance of this object.

           Even if an instance of this object has the value
           'permanent(4)', none of the information defined in this
           MIB module for interface(s) to the given Fabric need to
           be writable."
    ::= { t11FcSpSaIfEntry 7 }

t11FcSpSaIfReplayPrevention OBJECT-TYPE
    SYNTAX       TruthValue
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
           "This object indicates whether anti-replay protection is
           enabled for frame reception on this interface.

           Note that the replay-protection mechanism in FC-SP is
           conceptually similar to the corresponding mechanism in
           IPsec ESP."
    REFERENCE
           "- IP Encapsulating Security Payload (ESP), RFC 4303,
              December 2005, section 3.3.3."
    ::= { t11FcSpSaIfEntry 8 }

t11FcSpSaIfReplayWindowSize OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
           "The size of the replay window to be used when
           anti-replay protection is enabled for frame reception
           on this interface.

           Note that the replay-protection mechanism in FC-SP is
           conceptually similar to the corresponding mechanism in
           IPsec ESP."
    REFERENCE
           "- IP Encapsulating Security Payload (ESP), RFC 4303,
              December 2005, section 3.4.3."
    ::= { t11FcSpSaIfEntry 9 }

t11FcSpSaIfDeadPeerDetections OBJECT-TYPE
    SYNTAX       Counter32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a dead peer condition has been
           detected on this interface.

           This counter has no discontinuities other than those
           that all Counter32's have when sysUpTime=0."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 8.5.3.3."
    ::= { t11FcSpSaIfEntry 10 }

t11FcSpSaIfTerminateAllSas OBJECT-TYPE
    SYNTAX       INTEGER { noop(1), terminate(2) }
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
           "Setting this object to 'terminate' is a request
           to terminate all outstanding Security Associations
           on this interface.

           When read, the value of this object is always 'noop'.
           Setting this object to 'noop' has no effect."
    ::= { t11FcSpSaIfEntry 11 }

t11FcSpSaIfOutDrops OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of output frames that were dropped, instead
           of being transmitted on this interface, because they
           matched an active (at that time) Traffic Selector with
           an action of 'Drop'.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 12 }

t11FcSpSaIfOutBypasses OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of output frames that were transmitted
           unchanged by FC-SP on this interface because they
           matched an active (at that time) Traffic Selector with
           an action of 'Bypass'.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 13 }

t11FcSpSaIfOutProcesses OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of output frames that were protected by
           FC-SP before being transmitted on this interface
           because they matched an active (at that time) Traffic
           Selector with an action of 'Process'.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 14 }

t11FcSpSaIfOutUnMatcheds OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of frames that were transmitted unchanged
           by FC-SP on this interface because they did not match
           any Traffic Selector active at that time.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 15 }

t11FcSpSaIfInUnprotUnmtchDrops OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of frames received on this interface that
           were dropped because they were unprotected and did not
           match any Traffic Selector active at that time.
           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 16 }

t11FcSpSaIfInDetReplays OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a replay has been detected on
           a Security Association that is currently active or was
           previously active on this interface.

           Note that a frame that is discarded because it is
           'behind' the window, i.e., too old, is counted as a
           replay.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 17 }

t11FcSpSaIfInUnprotMtchDrops OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a frame received on this
           interface was dropped because it matched with a Traffic
           Selector for a Security Association that was active at
           the time of receipt but the frame was not protected as
           negotiated for that Security Association.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 18 }

t11FcSpSaIfInBadXforms OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a frame received on this
           interface was dropped because of a failure of one of
           the transforms negotiated for the Security Association
           on which it was received.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 19 }
t11FcSpSaIfInGoodXforms OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of frames received on this interface on a
           Security Association for which the transforms negotiated
           for that Security Association were successfully applied,
           and that matched a Traffic Selector for that Security
           Association.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 20 }

t11FcSpSaIfInProtUnmtchs OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of frames received on this interface that
           were dropped because they did not match any of the
           Traffic Selectors negotiated for the Security
           Association on which they were received, even though
           the Security Association's transforms were successfully
           applied.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaIfEntry 21 }

--
-- Proposals to present in Security Association negotiation
--
t11FcSpSaPropTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaPropEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table of proposals for an FC-SP entity acting as an
           SA_Initiator to present to the SA_Responder during the
           negotiation of Security Associations. This information
           is also used by an FC-SP entity acting as an
           SA_Responder to decide what to accept during the
           negotiation of Security Associations."
    ::= { t11FcSpSaConfig 1 }

t11FcSpSaPropEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaPropEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information about one proposal for
           the FC-SP entity to present, or what to accept, during
           the negotiation of Security Associations on one or more
           interfaces (identified by t11FcSpSaIfIndex) to a
           particular Fabric (identified by
           t11FcSpSaIfFabricIndex), and managed as part of the
           Fibre Channel management instance identified by
           fcmInstanceIndex.

           The StorageType of a row in this table is specified by
           the instance of t11FcSpSaIfStorageType that is INDEX-ed
           by the same values of fcmInstanceIndex,
           t11FcSpSaIfIndex and t11FcSpSaIfFabricIndex."
    INDEX  { fcmInstanceIndex, t11FcSpSaIfIndex,
             t11FcSpSaIfFabricIndex, t11FcSpSaPropIndex }
    ::= { t11FcSpSaPropTable 1 }

T11FcSpSaPropEntry ::= SEQUENCE {
    t11FcSpSaPropIndex             Unsigned32,
    t11FcSpSaPropSecurityProt      T11FcSpSecurityProtocolId,
    t11FcSpSaPropTSelListIndex     Unsigned32,
    t11FcSpSaPropTransListIndex    Unsigned32,
    t11FcSpSaPropAcceptAlgorithm   INTEGER,
    t11FcSpSaPropOutMatchSucceeds  Counter64,
    t11FcSpSaPropRowStatus         RowStatus
}

t11FcSpSaPropIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An index value that uniquely identifies a particular
           proposal for use on one or more interfaces to a
           Fabric."
    ::= { t11FcSpSaPropEntry 1 }

t11FcSpSaPropSecurityProt OBJECT-TYPE
    SYNTAX       T11FcSpSecurityProtocolId
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The Security Protocol identifier for this proposal,
           i.e., whether the proposal is for traffic to be
           protected using ESP_Header or CT_Authentication."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.3.2.2 and table 67."
    ::= { t11FcSpSaPropEntry 2 }

t11FcSpSaPropTSelListIndex OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "When the value of this object is non-zero, it points
           to the proposal's list of Traffic Selectors. The value
           must be non-zero in an active row of this table.

           The identified list is represented by all rows in the
           t11FcSpSaTSelPropTable for which
           t11FcSpSaTSelPropListIndex has the same value as this
           object (and with corresponding values of
           t11FcSpSaIfIndex and fcmInstanceIndex)."
    ::= { t11FcSpSaPropEntry 3 }

t11FcSpSaPropTransListIndex OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "When the value of this object is non-zero, it points
           to the proposal's list of Transforms. The value must
           be non-zero in an active row of this table.

           The identified list is represented by all rows in the
           t11FcSpSaTransTable for which t11FcSpSaTransListIndex
           has the same value as this object (and with
           corresponding values of t11FcSpSaIfIndex and
           fcmInstanceIndex)."
    ::= { t11FcSpSaPropEntry 4 }

t11FcSpSaPropAcceptAlgorithm OBJECT-TYPE
    SYNTAX       INTEGER {
                     intersection(1),
                     union(2),
                     other(3)
                 }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The algorithm by which an SA_Responder in an SA
           negotiation decides on which Traffic Selectors to
           specify in a response to an IKE_Create_Child_SA
           request. This algorithm is used
           when the Traffic Selectors specified by an SA_Initiator
           in an IKE_Create_Child_SA request overlap with this
           proposal's list of Traffic Selectors:

           intersection(1) - the SA_Responder specifies the
                             largest subset of what the
                             SA_Initiator proposed, which is also
                             a subset of this proposal's Traffic
                             Selectors.

           union(2)        - the SA_Responder specifies the
                             smallest superset of what the
                             SA_Initiator proposed, which is also
                             a superset of this proposal's
                             Traffic Selectors.

           other(3)        - the SA_Responder uses some other
                             algorithm."
    ::= { t11FcSpSaPropEntry 5 }

t11FcSpSaPropOutMatchSucceeds OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of egress frames that have matched a
           Traffic Selector that was negotiated to select traffic
           for an SA based on this proposal being accepted.

           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaPropEntry 6 }

t11FcSpSaPropRowStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The status of a row. Values of object instances
           within an active row can be modified at any time.

           The status cannot be set to 'active' unless and until
           the instances of t11FcSpSaPropTSelListIndex and
           t11FcSpSaPropTransListIndex in the row have been set
           to point to active rows in the t11FcSpSaTSelPropTable
           and t11FcSpSaTransTable tables, respectively.

           A row in this table is deleted if the active rows it
           points to are deleted."
    ::= { t11FcSpSaPropEntry 7 }
--
-- Traffic Selector Proposals
--
t11FcSpSaTSelPropTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaTSelPropEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing information about Traffic Selectors
           to propose and/or to accept during the negotiation of
           Security Associations."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5.
            - Use of IKEv2 in FC-SP, RFC 4595, July 2006,
              section 4.4."
    ::= { t11FcSpSaConfig 2 }

t11FcSpSaTSelPropEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaTSelPropEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information about one Traffic
           Selector within a list of Traffic Selectors to propose,
           or for use in determining what to accept during
           Security Association negotiation.

           One such list is configured for use on a Fabric by
           configuring the list's value of
           t11FcSpSaTSelPropListIndex as the value of an instance
           of t11FcSpSaPropTSelListIndex, for corresponding values
           of t11FcSpSaIfIndex and fcmInstanceIndex.

           Further, the proposing and accepting of Traffic
           Selectors is only done as a part of a proposal
           specified by a row of the t11FcSpSaPropTable, i.e., in
           combination with the proposing and accepting of
           security transforms as specified by the combination of
           t11FcSpSaPropTSelListIndex and
           t11FcSpSaPropTransListIndex in one row of the
           t11FcSpSaPropTable.

           The StorageType of a row in this table is specified by
           the instance of t11FcSpSaTSelPropStorageType in that
           row."
    INDEX  { fcmInstanceIndex, t11FcSpSaIfIndex,
             t11FcSpSaTSelPropListIndex,
             t11FcSpSaTSelPropPrecedence }
    ::= { t11FcSpSaTSelPropTable 1 }
T11FcSpSaTSelPropEntry ::= SEQUENCE {
    t11FcSpSaTSelPropListIndex     Unsigned32,
    t11FcSpSaTSelPropPrecedence    T11FcSpPrecedence,
    t11FcSpSaTSelPropDirection     T11FcSaDirection,
    t11FcSpSaTSelPropStartSrcAddr  FcAddressIdOrZero,
    t11FcSpSaTSelPropEndSrcAddr    FcAddressIdOrZero,
    t11FcSpSaTSelPropStartDstAddr  FcAddressIdOrZero,
    t11FcSpSaTSelPropEndDstAddr    FcAddressIdOrZero,
    t11FcSpSaTSelPropStartRCtl     T11FcRoutingControl,
    t11FcSpSaTSelPropEndRCtl       T11FcRoutingControl,
    t11FcSpSaTSelPropStartType     T11FcSpType,
    t11FcSpSaTSelPropEndType       T11FcSpType,
    t11FcSpSaTSelPropStorageType   StorageType,
    t11FcSpSaTSelPropRowStatus     RowStatus
}

t11FcSpSaTSelPropListIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An index value that identifies a particular list of
           Traffic Selectors."
    ::= { t11FcSpSaTSelPropEntry 1 }

t11FcSpSaTSelPropPrecedence OBJECT-TYPE
    SYNTAX       T11FcSpPrecedence
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "The precedence of this Traffic Selector. Each Traffic
           Selector within a particular list of Traffic Selectors
           must have a different precedence. If an egress frame
           matches multiple Traffic Selectors, it should be
           transmitted on the SA associated with the Traffic
           Selector having the numerically smallest precedence
           value."
    ::= { t11FcSpSaTSelPropEntry 2 }

t11FcSpSaTSelPropDirection OBJECT-TYPE
    SYNTAX       T11FcSaDirection
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "An indication of whether this Traffic Selector is to
           be proposed for ingress or egress traffic."
    DEFVAL  { egress }
    ::= { t11FcSpSaTSelPropEntry 3 }

t11FcSpSaTSelPropStartSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { '000000'h }
    ::= { t11FcSpSaTSelPropEntry 4 }

t11FcSpSaTSelPropEndSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { 'FFFFFF'h }
    ::= { t11FcSpSaTSelPropEntry 5 }

t11FcSpSaTSelPropStartDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { '000000'h }
    ::= { t11FcSpSaTSelPropEntry 6 }

t11FcSpSaTSelPropEndDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { 'FFFFFF'h }
    ::= { t11FcSpSaTSelPropEntry 7 }

t11FcSpSaTSelPropStartRCtl OBJECT-TYPE
    SYNTAX       T11FcRoutingControl
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest 8-bit value contained within
           a Routing Control (R_CTL) field of a frame that will
           match with this Traffic Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { '00'h }
    ::= { t11FcSpSaTSelPropEntry 8 }

t11FcSpSaTSelPropEndRCtl OBJECT-TYPE
    SYNTAX       T11FcRoutingControl
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest 8-bit value contained within
           a Routing Control (R_CTL) field of a frame that will
           match with this Traffic Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { 'FF'h }
    ::= { t11FcSpSaTSelPropEntry 9 }

t11FcSpSaTSelPropStartType OBJECT-TYPE
    SYNTAX       T11FcSpType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest of a range of possible 'type'
           values of frames that will match with this Traffic
           Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { '0000'h }
    ::= { t11FcSpSaTSelPropEntry 10 }

t11FcSpSaTSelPropEndType OBJECT-TYPE
    SYNTAX       T11FcSpType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest of a range of possible 'type'
           values of frames that will match with this Traffic
           Selector."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.4.5."
    DEFVAL  { 'FFFF'h }
    ::= { t11FcSpSaTSelPropEntry 11 }

t11FcSpSaTSelPropStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "This object specifies the memory realization of the
           information in this row.

           Even if an instance of this object has the value
           'permanent(4)', none of the information in its row
           needs to be writable."
    ::= { t11FcSpSaTSelPropEntry 12 }

t11FcSpSaTSelPropRowStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The status of this row. Values of object instances
           within the row can be modified at any time."
    ::= { t11FcSpSaTSelPropEntry 13 }
--
-- Transform Proposals
--
t11FcSpSaTransTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaTransEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing information about security
           transforms to propose, to accept and/or agreed upon
           during the negotiation of Security Associations."
    ::= { t11FcSpSaConfig 3 }

t11FcSpSaTransEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaTransEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information about one proposal
           within a list of security transforms to be proposed,
           to be accepted, or already agreed upon, for use on a
           pair of Security Associations on one or more interfaces
           (identified by t11FcSpSaIfIndex), managed as part of
           the Fibre Channel management instance identified by
           fcmInstanceIndex.

           One such list is configured to be proposed or accepted
           for use on a Fabric, by having the list's value of
           t11FcSpSaTransListIndex be the value of an instance of
           t11FcSpSaPropTransListIndex for that Fabric.

           Further, the proposing and accepting of security
           transforms is only done as a part of a proposal
           specified by a row of the t11FcSpSaPropTable, i.e., in
           combination with the proposing and accepting of Traffic
           Selectors as specified by the combination of
           t11FcSpSaPropTSelListIndex and
           t11FcSpSaPropTransListIndex in one row of the
           t11FcSpSaPropTable.

           The security (encryption and integrity) transform in
           use on an SA pair is indicated by having the pair's
           values of t11FcSpSaPairTransListIndex and
           t11FcSpSaPairTransIndex contain the values of
           t11FcSpSaTransListIndex and t11FcSpSaTransIndex for
           the transform's row in this table.

           The StorageType of a row in this table is specified by
           the instance of t11FcSpSaTransStorageType in that row."
    INDEX  { fcmInstanceIndex, t11FcSpSaIfIndex,
             t11FcSpSaTransListIndex, t11FcSpSaTransIndex }
    ::= { t11FcSpSaTransTable 1 }

T11FcSpSaTransEntry ::= SEQUENCE {
    t11FcSpSaTransListIndex      Unsigned32,
    t11FcSpSaTransIndex          Unsigned32,
    t11FcSpSaTransSecurityProt   T11FcSpSecurityProtocolId,
    t11FcSpSaTransEncryptAlg     AutonomousType,
    t11FcSpSaTransEncryptKeyLen  Unsigned32,
    t11FcSpSaTransIntegrityAlg   AutonomousType,
    t11FcSpSaTransStorageType    StorageType,
    t11FcSpSaTransRowStatus      RowStatus
}

t11FcSpSaTransListIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An index value that uniquely identifies a particular
           list of security transforms to be proposed, to be
           accepted, or already agreed upon."
    ::= { t11FcSpSaTransEntry 1 }

t11FcSpSaTransIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An index value that uniquely identifies one security
           transform within a list identified by
           t11FcSpSaTransListIndex."
    ::= { t11FcSpSaTransEntry 2 }

t11FcSpSaTransSecurityProt OBJECT-TYPE
    SYNTAX       T11FcSpSecurityProtocolId
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The Security Protocol identifier that indicates
           whether this transform is for traffic to be protected
           using ESP_Header or using CT_Authentication."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.3.2.2 and table 67."
    ::= { t11FcSpSaTransEntry 3 }

t11FcSpSaTransEncryptAlg OBJECT-TYPE
    SYNTAX       AutonomousType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The Encryption Algorithm for this transform."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.3.2.3 and tables 69 & 70."
    ::= { t11FcSpSaTransEntry 4 }

t11FcSpSaTransEncryptKeyLen OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The key length in bits to be used with an encryption
           algorithm that has a variable length key. This object
           is ignored when the corresponding instance of
           t11FcSpSaTransEncryptAlg specifies an algorithm with a
           fixed length key."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.3.2.5 and table 77."
    ::= { t11FcSpSaTransEntry 5 }

t11FcSpSaTransIntegrityAlg OBJECT-TYPE
    SYNTAX       AutonomousType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The Integrity Algorithm for this transform."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, section 6.3.2.3 and tables 69 & 72."
    ::= { t11FcSpSaTransEntry 6 }

t11FcSpSaTransStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "This object specifies the memory realization of the
           information in this row.

           Even if an instance of this object has the value
           'permanent(4)', none of the information in its row
           needs to be writable."
    ::= { t11FcSpSaTransEntry 7 }

t11FcSpSaTransRowStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The status of this row. When an instance of
           t11FcSpSaPairTransListIndex points to a row in this
           table, values of object instances in the row cannot be
           modified nor can the row be deleted. Otherwise, a row
           can be modified or deleted at any time."
    ::= { t11FcSpSaTransEntry 8 }

--
-- Traffic Selectors for Drop & Bypass
--

t11FcSpSaTSelDrByTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaTSelDrByEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing Traffic Selectors to select which
           traffic is to be dropped or is to bypass further security
           processing."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, sections 4.6, 4.7, and 6.4.5.
            - Use of IKEv2 in FC-SP, RFC 4595,
              July 2006, section 4.4."
    ::= { t11FcSpSaConfig 4 }

t11FcSpSaTSelDrByEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaTSelDrByEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry represents one Traffic Selector having the
           security action of 'drop' or 'bypass', which is applied
           based on a precedence value, either to ingress traffic
           that is unprotected by FC-SP, or to all egress traffic on
           one or more interfaces (identified by t11FcSpSaIfIndex)
           to a particular Fabric (identified
           by t11FcSpSaIfFabricIndex), and managed as part of the
           Fibre Channel management instance identified by
           fcmInstanceIndex. The StorageType of a row in this table
           is specified by the instance of t11FcSpSaIfStorageType
           that is INDEX-ed by the same values of fcmInstanceIndex,
           t11FcSpSaIfIndex and t11FcSpSaIfFabricIndex."
    INDEX  { fcmInstanceIndex, t11FcSpSaIfIndex,
             t11FcSpSaIfFabricIndex,
             t11FcSpSaTSelDrByDirection,
             t11FcSpSaTSelDrByPrecedence }
    ::= { t11FcSpSaTSelDrByTable 1 }

T11FcSpSaTSelDrByEntry ::= SEQUENCE {
    t11FcSpSaTSelDrByDirection     T11FcSaDirection,
    t11FcSpSaTSelDrByPrecedence    T11FcSpPrecedence,
    t11FcSpSaTSelDrByAction        INTEGER,
    t11FcSpSaTSelDrByStartSrcAddr  FcAddressIdOrZero,
    t11FcSpSaTSelDrByEndSrcAddr    FcAddressIdOrZero,
    t11FcSpSaTSelDrByStartDstAddr  FcAddressIdOrZero,
    t11FcSpSaTSelDrByEndDstAddr    FcAddressIdOrZero,
    t11FcSpSaTSelDrByStartRCtl     T11FcRoutingControl,
    t11FcSpSaTSelDrByEndRCtl       T11FcRoutingControl,
    t11FcSpSaTSelDrByStartType     T11FcSpType,
    t11FcSpSaTSelDrByEndType       T11FcSpType,
    t11FcSpSaTSelDrByMatches       Counter64,
    t11FcSpSaTSelDrByRowStatus     RowStatus
}

t11FcSpSaTSelDrByDirection OBJECT-TYPE
    SYNTAX       T11FcSaDirection
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An indication of whether this Traffic Selector is for
           ingress or egress traffic."
    ::= { t11FcSpSaTSelDrByEntry 1 }

t11FcSpSaTSelDrByPrecedence OBJECT-TYPE
    SYNTAX       T11FcSpPrecedence
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "The precedence of this Traffic Selector. If and when a
           frame is compared against multiple Traffic Selectors,
           and multiple of them have a match with the frame, the
           security action to be taken for the frame is that
           specified for the matching Traffic Selector having the
           numerically smallest precedence value."
    ::= { t11FcSpSaTSelDrByEntry 2 }

t11FcSpSaTSelDrByAction OBJECT-TYPE
    SYNTAX       INTEGER { drop(1), bypass(2) }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The security action to be taken for a frame that
           matches this Traffic Selector."
    DEFVAL       { drop }
    ::= { t11FcSpSaTSelDrByEntry 3 }

t11FcSpSaTSelDrByStartSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    DEFVAL       { '000000'h }
    ::= { t11FcSpSaTSelDrByEntry 4 }

t11FcSpSaTSelDrByEndSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    DEFVAL       { 'FFFFFF'h }
    ::= { t11FcSpSaTSelDrByEntry 5 }

t11FcSpSaTSelDrByStartDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    DEFVAL       { '000000'h }
    ::= { t11FcSpSaTSelDrByEntry 6 }

t11FcSpSaTSelDrByEndDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    DEFVAL       { 'FFFFFF'h }
    ::= { t11FcSpSaTSelDrByEntry 7 }

t11FcSpSaTSelDrByStartRCtl OBJECT-TYPE
    SYNTAX       T11FcRoutingControl
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest 8-bit value contained within a
           Routing Control (R_CTL) field of a frame that will match
           with this Traffic Selector."
    DEFVAL       { '00'h }
    ::= { t11FcSpSaTSelDrByEntry 8 }

t11FcSpSaTSelDrByEndRCtl OBJECT-TYPE
    SYNTAX       T11FcRoutingControl
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest 8-bit value contained within a
           Routing Control (R_CTL) field of a frame that will match
           with this Traffic Selector."
    DEFVAL       { 'FF'h }
    ::= { t11FcSpSaTSelDrByEntry 9 }

t11FcSpSaTSelDrByStartType OBJECT-TYPE
    SYNTAX       T11FcSpType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically smallest of a range of possible 'type'
           values of frames that will match with this Traffic
           Selector."
    DEFVAL       { '0000'h }
    ::= { t11FcSpSaTSelDrByEntry 10 }

t11FcSpSaTSelDrByEndType OBJECT-TYPE
    SYNTAX       T11FcSpType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The numerically largest of a range of possible 'type'
           values of frames that will match with this Traffic
           Selector."
    DEFVAL       { 'FFFF'h }
    ::= { t11FcSpSaTSelDrByEntry 11 }

t11FcSpSaTSelDrByMatches OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of frames for which the action specified by
           the corresponding instance of t11FcSpSaTSelDrByAction was
           taken because of a match with this Traffic Selector.
           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaTSelDrByEntry 12 }

t11FcSpSaTSelDrByRowStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
           "The status of this row. Values of object instances
           within the row can be modified at any time."
    ::= { t11FcSpSaTSelDrByEntry 13 }

--
-- Active Security Associations
--

t11FcSpSaPairTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaPairEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing information about active
           bidirectional pairs of Security Associations."
    ::= { t11FcSpSaActive 1 }

t11FcSpSaPairEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaPairEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information about one active
           bidirectional pair of Security Associations on an
           interface to a particular Fabric (identified by
           t11FcSpSaIfFabricIndex), managed as part of the Fibre
           Channel management instance identified by
           fcmInstanceIndex."
    INDEX  { fcmInstanceIndex, t11FcSpSaPairIfIndex,
             t11FcSpSaIfFabricIndex, t11FcSpSaPairInboundSpi }
    ::= { t11FcSpSaPairTable 1 }

T11FcSpSaPairEntry ::= SEQUENCE {
    t11FcSpSaPairIfIndex            InterfaceIndex,
    t11FcSpSaPairInboundSpi         T11FcSpiIndex,
    t11FcSpSaPairSecurityProt       T11FcSpSecurityProtocolId,
    t11FcSpSaPairTransListIndex     Unsigned32,
    t11FcSpSaPairTransIndex         Unsigned32,
    t11FcSpSaPairLifetimeLeft       T11FcSpLifetimeLeft,
    t11FcSpSaPairLifetimeLeftUnits  T11FcSpLifetimeLeftUnits,
    t11FcSpSaPairTerminate          INTEGER,
    t11FcSpSaPairInProtUnMatchs     Counter64,
    t11FcSpSaPairInDetReplays       Counter64,
    t11FcSpSaPairInBadXforms        Counter64,
    t11FcSpSaPairInGoodXforms       Counter64
}

t11FcSpSaPairIfIndex OBJECT-TYPE
    SYNTAX       InterfaceIndex
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "This object identifies the interface to the particular
           Fabric on which this SA pair is active."
    ::= { t11FcSpSaPairEntry 1 }

t11FcSpSaPairInboundSpi OBJECT-TYPE
    SYNTAX       T11FcSpiIndex
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "The SPI value that is used to indicate that an incoming
           frame was received on the ingress SA of this SA pair."
    ::= { t11FcSpSaPairEntry 2 }

t11FcSpSaPairSecurityProt OBJECT-TYPE
    SYNTAX       T11FcSpSecurityProtocolId
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The object indicates whether this SA uses ESP_Header to
           protect FC-2 frames, or CT_Authentication to protect
           Common Transport Information Units (CT_IUs)."
    ::= { t11FcSpSaPairEntry 3 }

t11FcSpSaPairTransListIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The combination of this value and the value of the
           corresponding instance of t11FcSpSaPairTransIndex
           identify the row in the t11FcSpSaTransTable that
           contains the transforms that are in use on this SA pair."
    ::= { t11FcSpSaPairEntry 4 }

t11FcSpSaPairTransIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The combination of this value and the value of the
           corresponding instance of t11FcSpSaPairTransListIndex
           identify the row in the t11FcSpSaTransTable that
           contains the transforms that are in use on this SA pair."
    ::= { t11FcSpSaPairEntry 5 }

t11FcSpSaPairLifetimeLeft OBJECT-TYPE
    SYNTAX       T11FcSpLifetimeLeft
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The remaining lifetime of this SA pair, given in the
           units specified by the value of the corresponding
           instance of t11FcSpSaPairLifetimeLeft."
    ::= { t11FcSpSaPairEntry 6 }

t11FcSpSaPairLifetimeLeftUnits OBJECT-TYPE
    SYNTAX       T11FcSpLifetimeLeftUnits
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The units in which the value of the corresponding
           instance of t11FcSpSaPairLifetimeLeft specifies the
           remaining lifetime of this SA pair."
    ::= { t11FcSpSaPairEntry 7 }

t11FcSpSaPairTerminate OBJECT-TYPE
    SYNTAX       INTEGER { noop(1), terminate(2) }
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
           "Setting this object to 'terminate' is a request to
           terminate this pair of Security Associations.
           When read, the value of this object is always 'noop'.
           Setting this object to 'noop' has no effect."
    ::= { t11FcSpSaPairEntry 8 }

t11FcSpSaPairInProtUnMatchs OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of frames received on this SA for which the
           SA's transforms were successfully applied to the frame,
           but the frame was still dropped because it did not match
           any of the SA's ingress Traffic Selectors. This counter
           has no discontinuities other than those that all
           Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaPairEntry 9 }

t11FcSpSaPairInDetReplays OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a replay has been detected on
           this Security Association. Note that a frame that is
           discarded because it is 'behind' the window, i.e., too
           old, is counted as a replay. This counter has no
           discontinuities other than those that all Counter64's
           have when sysUpTime=0."
    ::= { t11FcSpSaPairEntry 10 }

t11FcSpSaPairInBadXforms OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a received frame was dropped
           because one of the transforms negotiated for this
           Security Association failed. This counter has no
           discontinuities other than those that all Counter64's
           have when sysUpTime=0."
    ::= { t11FcSpSaPairEntry 11 }

t11FcSpSaPairInGoodXforms OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of received frames for which the transforms
           negotiated for this Security Association, were
           successfully applied. This counter has no
           discontinuities other than those that all Counter64's
           have when sysUpTime=0."
    ::= { t11FcSpSaPairEntry 12 }

--
-- Negotiated Ingress Traffic Selectors
--

t11FcSpSaTSelNegInTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaTSelNegInEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing information about ingress Traffic
           Selectors that are in use on active Security
           Associations."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, sections 4.6, 4.7, and 6.4.5.
            - Use of IKEv2 in FC-SP, RFC 4595,
              July 2006, section 4.4."
    ::= { t11FcSpSaActive 2 }

t11FcSpSaTSelNegInEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaTSelNegInEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information about one ingress
           Traffic Selector that is in use on an active Security
           Association on an interface (identified by
           t11FcSpSaPairIfIndex) to a particular Fabric (identified
           by t11FcSpSaIfFabricIndex), managed as part of the Fibre
           Channel management instance identified by
           fcmInstanceIndex."
    INDEX  { fcmInstanceIndex, t11FcSpSaPairIfIndex,
             t11FcSpSaIfFabricIndex, t11FcSpSaTSelNegInIndex }
    ::= { t11FcSpSaTSelNegInTable 1 }

T11FcSpSaTSelNegInEntry ::= SEQUENCE {
    t11FcSpSaTSelNegInIndex         Unsigned32,
    t11FcSpSaTSelNegInInboundSpi    T11FcSpiIndex,
    t11FcSpSaTSelNegInStartSrcAddr  FcAddressIdOrZero,
    t11FcSpSaTSelNegInEndSrcAddr    FcAddressIdOrZero,
    t11FcSpSaTSelNegInStartDstAddr  FcAddressIdOrZero,
    t11FcSpSaTSelNegInEndDstAddr    FcAddressIdOrZero,
    t11FcSpSaTSelNegInStartRCtl     T11FcRoutingControl,
    t11FcSpSaTSelNegInEndRCtl       T11FcRoutingControl,
    t11FcSpSaTSelNegInStartType     T11FcSpType,
    t11FcSpSaTSelNegInEndType       T11FcSpType,
    t11FcSpSaTSelNegInUnpMtchDrops  Counter64
}

t11FcSpSaTSelNegInIndex OBJECT-TYPE
    SYNTAX       Unsigned32 (1..4294967295)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "An index value to distinguish an ingress Traffic
           Selector from all others currently in use by Security
           Associations on the same interface to a particular
           Fabric."
    ::= { t11FcSpSaTSelNegInEntry 1 }

t11FcSpSaTSelNegInInboundSpi OBJECT-TYPE
    SYNTAX       T11FcSpiIndex
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The SPI of the ingress SA on which this Traffic
           Selector is in use. This value can be used to find the
           SA pair's row in the t11FcSpSaPairTable."
    ::= { t11FcSpSaTSelNegInEntry 2 }

t11FcSpSaTSelNegInStartSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegInEntry 3 }

t11FcSpSaTSelNegInEndSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegInEntry 4 }

t11FcSpSaTSelNegInStartDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegInEntry 5 }

t11FcSpSaTSelNegInEndDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegInEntry 6 }

t11FcSpSaTSelNegInStartRCtl OBJECT-TYPE
    SYNTAX       T11FcRoutingControl
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically smallest 8-bit value contained within a
           Routing Control (R_CTL) field of a frame that will match
           with this Traffic Selector."
    ::= { t11FcSpSaTSelNegInEntry 7 }

t11FcSpSaTSelNegInEndRCtl OBJECT-TYPE
    SYNTAX       T11FcRoutingControl
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically largest 8-bit value contained within a
           Routing Control (R_CTL) field of a frame that will match
           with this Traffic Selector."
    ::= { t11FcSpSaTSelNegInEntry 8 }

t11FcSpSaTSelNegInStartType OBJECT-TYPE
    SYNTAX       T11FcSpType
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically smallest of a range of possible 'type'
           values of frames that will match with this Traffic
           Selector."
    ::= { t11FcSpSaTSelNegInEntry 9 }

t11FcSpSaTSelNegInEndType OBJECT-TYPE
    SYNTAX       T11FcSpType
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically largest of a range of possible 'type'
           values of frames that will match with this Traffic
           Selector."
    ::= { t11FcSpSaTSelNegInEntry 10 }

t11FcSpSaTSelNegInUnpMtchDrops OBJECT-TYPE
    SYNTAX       Counter64
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The number of times that a received frame was dropped
           because it matched with this Traffic Selector but the
           frame was not protected as negotiated for the Security
           Association identified by t11FcSpSaTSelNegInInboundSpi.
           This counter has no discontinuities other than those
           that all Counter64's have when sysUpTime=0."
    ::= { t11FcSpSaTSelNegInEntry 11 }

--
-- Negotiated Egress Traffic Selectors
--

t11FcSpSaTSelNegOutTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF T11FcSpSaTSelNegOutEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "A table containing information about egress Traffic
           Selectors that are in use on active Security
           Associations."
    REFERENCE
           "- ANSI INCITS 426-2007, T11/Project 1570-D,
              Fibre Channel - Security Protocols (FC-SP),
              February 2007, sections 4.6, 4.7, and 6.4.5.
            - Use of IKEv2 in FC-SP, RFC 4595,
              July 2006, section 4.4."
    ::= { t11FcSpSaActive 3 }

t11FcSpSaTSelNegOutEntry OBJECT-TYPE
    SYNTAX       T11FcSpSaTSelNegOutEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "Each entry contains information about one egress
           Traffic Selector that is in use on an active Security
           Association on an interface (identified by
           t11FcSpSaPairIfIndex) to a particular Fabric (identified
           by t11FcSpSaIfFabricIndex), managed as part of the Fibre
           Channel management instance identified by
           fcmInstanceIndex."
    INDEX  { fcmInstanceIndex, t11FcSpSaPairIfIndex,
             t11FcSpSaIfFabricIndex, t11FcSpSaTSelNegOutPrecedence }
    ::= { t11FcSpSaTSelNegOutTable 1 }

T11FcSpSaTSelNegOutEntry ::= SEQUENCE {
    t11FcSpSaTSelNegOutPrecedence    T11FcSpPrecedence,
    t11FcSpSaTSelNegOutInboundSpi    T11FcSpiIndex,
    t11FcSpSaTSelNegOutStartSrcAddr  FcAddressIdOrZero,
    t11FcSpSaTSelNegOutEndSrcAddr    FcAddressIdOrZero,
    t11FcSpSaTSelNegOutStartDstAddr  FcAddressIdOrZero,
    t11FcSpSaTSelNegOutEndDstAddr    FcAddressIdOrZero,
    t11FcSpSaTSelNegOutStartRCtl     T11FcRoutingControl,
    t11FcSpSaTSelNegOutEndRCtl       T11FcRoutingControl,
    t11FcSpSaTSelNegOutStartType     T11FcSpType,
    t11FcSpSaTSelNegOutEndType       T11FcSpType
}

t11FcSpSaTSelNegOutPrecedence OBJECT-TYPE
    SYNTAX       T11FcSpPrecedence
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
           "The precedence of this Traffic Selector. If and when a
           frame is compared against multiple Traffic Selectors,
           and multiple of them have a match with the frame, the
           security action to be taken for the frame is that
           specified for the matching Traffic Selector having the
           numerically smallest precedence value."
    ::= { t11FcSpSaTSelNegOutEntry 1 }

t11FcSpSaTSelNegOutInboundSpi OBJECT-TYPE
    SYNTAX       T11FcSpiIndex
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The SPI of the ingress SA of the SA pair for which this
           Traffic Selector is in use on the egress SA. This value
           can be used to find the SA pair's row in the
           t11FcSpSaPairTable."
    ::= { t11FcSpSaTSelNegOutEntry 2 }

t11FcSpSaTSelNegOutStartSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegOutEntry 3 }

t11FcSpSaTSelNegOutEndSrcAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a source
           address (S_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegOutEntry 4 }

t11FcSpSaTSelNegOutStartDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically smallest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegOutEntry 5 }

t11FcSpSaTSelNegOutEndDstAddr OBJECT-TYPE
    SYNTAX       FcAddressIdOrZero (SIZE (3))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "The numerically largest 24-bit value of a destination
           address (D_ID) of a frame that will match with this
           Traffic Selector."
    ::= { t11FcSpSaTSelNegOutEntry 6 }