t11FcSpSaTSelNegOutStartRCtl OBJECT-TYPE
SYNTAX T11FcRoutingControl
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The numerically smallest 8-bit value contained within a
Routing Control (R_CTL) field of a frame that will match
with this Traffic Selector."
::= { t11FcSpSaTSelNegOutEntry 7 }
t11FcSpSaTSelNegOutEndRCtl OBJECT-TYPE
SYNTAX T11FcRoutingControl
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The numerically largest 8-bit value contained within a
Routing Control (R_CTL) field of a frame that will match
with this Traffic Selector."
::= { t11FcSpSaTSelNegOutEntry 8 }
t11FcSpSaTSelNegOutStartType OBJECT-TYPE
SYNTAX T11FcSpType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The numerically smallest of a range of possible 'type'
values of frames that will match with this Traffic
Selector."
::= { t11FcSpSaTSelNegOutEntry 9 }
t11FcSpSaTSelNegOutEndType OBJECT-TYPE
SYNTAX T11FcSpType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The numerically largest of a range of possible 'type'
values of frames that will match with this Traffic
Selector."
::= { t11FcSpSaTSelNegOutEntry 10 }
--
-- Traffic Selectors index-ed by SPI
--
t11FcSpSaTSelSpiTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpSaTSelSpiEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table identifying the Traffic Selectors in use on
particular Security Associations, INDEX-ed by their
(ingress) SPI values."
::= { t11FcSpSaActive 4 }
t11FcSpSaTSelSpiEntry OBJECT-TYPE
SYNTAX T11FcSpSaTSelSpiEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry identifies one Traffic Selector in use on an SA
pair on the interface (identified by t11FcSpSaPairIfIndex)
to a particular Fabric (identified by
t11FcSpSaIfFabricIndex), and managed as part of the Fibre
Channel management instance identified by fcmInstanceIndex."
INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex,
t11FcSpSaIfFabricIndex,
t11FcSpSaTSelSpiInboundSpi, t11FcSpSaTSelSpiTrafSelIndex }
::= { t11FcSpSaTSelSpiTable 1 }
T11FcSpSaTSelSpiEntry ::= SEQUENCE {
t11FcSpSaTSelSpiInboundSpi T11FcSpiIndex,
t11FcSpSaTSelSpiTrafSelIndex Unsigned32,
t11FcSpSaTSelSpiDirection T11FcSaDirection,
t11FcSpSaTSelSpiTrafSelPtr Unsigned32
}
t11FcSpSaTSelSpiInboundSpi OBJECT-TYPE
SYNTAX T11FcSpiIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An SPI value that identifies the ingress Security
Association of a particular SA pair."
::= { t11FcSpSaTSelSpiEntry 1 }
t11FcSpSaTSelSpiTrafSelIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index value that distinguishes between the
(potentially multiple) Traffic Selectors in use on
this Security Association pair."
::= { t11FcSpSaTSelSpiEntry 2 }
t11FcSpSaTSelSpiDirection OBJECT-TYPE
SYNTAX T11FcSaDirection
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates whether this Traffic Selector
is being used for ingress or for egress traffic."
::= { t11FcSpSaTSelSpiEntry 3 }
t11FcSpSaTSelSpiTrafSelPtr OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object contains a pointer into another table that
can be used to obtain more information about this Traffic
Selector.
If the corresponding instance of t11FcSpSaTSelSpiDirection
has the value 'egress', then this object contains the
value of t11FcSpSaTSelNegOutPrecedence in the row of
t11FcSpSaTSelNegOutTable, which contains more information.
If the corresponding instance of t11FcSpSaTSelSpiDirection
has the value 'ingress', then this object contains the
value of t11FcSpSaTSelNegInIndex that identifies the row
in t11FcSpSaTSelNegInTable containing more information."
::= { t11FcSpSaTSelSpiEntry 4 }
--
-- Notification information & control
--
t11FcSpSaControlTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpSaControlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of control and other information concerning
the generation of notifications for events related
to FC-SP Security Associations."
::= { t11FcSpSaControl 1 }
t11FcSpSaControlEntry OBJECT-TYPE
SYNTAX T11FcSpSaControlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry identifies information for the one or more
interfaces (identified by t11FcSpSaIfIndex) to a
particular Fabric (identified by t11FcSpSaIfFabricIndex),
and managed as part of the Fibre Channel management
instance identified by fcmInstanceIndex.
The StorageType of a row in this table is specified by
the instance of t11FcSpSaIfStorageType that is INDEX-ed
by the same values of fcmInstanceIndex, t11FcSpSaIfIndex,
and t11FcSpSaIfFabricIndex."
INDEX { fcmInstanceIndex, t11FcSpSaIfIndex,
t11FcSpSaIfFabricIndex }
::= { t11FcSpSaControlTable 1 }
T11FcSpSaControlEntry ::= SEQUENCE {
t11FcSpSaControlAuthFailEnable TruthValue,
t11FcSpSaControlInboundSpi T11FcSpiIndex,
t11FcSpSaControlSource FcAddressIdOrZero,
t11FcSpSaControlDestination FcAddressIdOrZero,
t11FcSpSaControlFrame OCTET STRING,
t11FcSpSaControlElapsed TimeTicks,
t11FcSpSaControlSuppressed Gauge32,
t11FcSpSaControlWindow Unsigned32,
t11FcSpSaControlMaxNotifs Unsigned32,
t11FcSpSaControlLifeExcdEnable TruthValue,
t11FcSpSaControlLifeExcdSpi T11FcSpiIndex,
t11FcSpSaControlLifeExcdDir T11FcSaDirection,
t11FcSpSaControlLifeExcdTime TimeStamp
}
t11FcSpSaControlAuthFailEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether a t11FcSpSaNotifyAuthFailure
notification should be generated for the first occurrence
of an Authentication failure within a time window for this
Fabric."
::= { t11FcSpSaControlEntry 1 }
t11FcSpSaControlInboundSpi OBJECT-TYPE
SYNTAX T11FcSpiIndex
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The SPI value of the ingress Security Association on
which the last frame was received for which a
t11FcSpSaNotifyAuthFailure was generated.
If no t11FcSpSaNotifyAuthFailure notifications have
been generated, the value of this object is zero."
::= { t11FcSpSaControlEntry 2 }
t11FcSpSaControlSource OBJECT-TYPE
SYNTAX FcAddressIdOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The S_ID contained in the last frame for which a
t11FcSpSaNotifyAuthFailure was generated.
If no t11FcSpSaNotifyAuthFailure notifications have
been generated, the value of this object is the
zero-length string."
::= { t11FcSpSaControlEntry 3 }
t11FcSpSaControlDestination OBJECT-TYPE
SYNTAX FcAddressIdOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The D_ID contained in the last frame for which a
t11FcSpSaNotifyAuthFailure was generated.
If no t11FcSpSaNotifyAuthFailure notifications have
been generated, the value of this object is the
zero-length string."
::= { t11FcSpSaControlEntry 4 }
t11FcSpSaControlFrame OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..256))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The binary content of the last frame for which a
t11FcSpSaNotifyAuthFailure was generated. If more than
256 bytes of the frame are available, then this object
contains the first 256 bytes. If less than 256 bytes of
the frame are available, then this object contains the
first N bytes, where N is greater than or equal to zero.
If no t11FcSpSaNotifyAuthFailure notifications have
been generated, the value of this object is the
zero-length string."
::= { t11FcSpSaControlEntry 5 }
t11FcSpSaControlElapsed OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The elapsed time since the last generation of a
t11FcSpSaNotifyAuthFailure notification on the same
Fabric, or the value of sysUpTime if no
t11FcSpSaNotifyAuthFailure notifications have been
generated since the last restart."
::= { t11FcSpSaControlEntry 6 }
t11FcSpSaControlSuppressed OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of occurrences of an Authentication failure
on a Fabric that were suppressed because they occurred
on the same Fabric within the same time window as a
previous Authentication failure for which a
t11FcSpSaNotifyAuthFailure notification was generated.
The value of this object is reset to zero on a restart
of the network management subsystem, and whenever a
t11FcSpSaNotifyAuthFailure notification is generated.
In the event that the value of this object reaches its
maximum value, it remains at that value until it is
reset on the generation of the next
t11FcSpSaNotifyAuthFailure notification."
::= { t11FcSpSaControlEntry 7 }
t11FcSpSaControlWindow OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The length of a time window that begins when a
t11FcSpSaNotifyAuthFailure notification is generated for
any Security Association on a particular Fabric. For the
duration of the time window, further Authentication failures
occurring for the same Security Association are counted but
no t11FcSpSaNotifyAuthFailure notification is generated.
When this object is modified before the end of a time
window, that time window is immediately terminated, i.e.,
the next Authentication failure on the relevant Fabric
after the modification will cause a new time window to
begin with the new length."
DEFVAL { 300 }
::= { t11FcSpSaControlEntry 8 }
t11FcSpSaControlMaxNotifs OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum number of t11FcSpSaNotifyAuthFailure
notifications to be generated per Fabric within a
t11FcSpSaControlWindow time window. Subsequent
Authentication failures occurring on the same Fabric
in the same time window are counted, but no
t11FcSpSaNotifyAuthFailure notification is generated.
When this object is modified before the end of a time
window, that time window is immediately terminated, i.e.,
the next Authentication failure on the relevant Fabric
after the modification will cause a new time window to
begin with the new length."
DEFVAL { 16 }
::= { t11FcSpSaControlEntry 9 }
t11FcSpSaControlLifeExcdEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether t11FcSpSaNotifyLifeExceeded
notifications should be generated for this Fabric."
DEFVAL { true }
::= { t11FcSpSaControlEntry 10 }
t11FcSpSaControlLifeExcdSpi OBJECT-TYPE
SYNTAX T11FcSpiIndex
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The SPI of the SA that was most recently terminated
because its lifetime (in seconds or in passed bytes)
was exceeded. Such terminations include those due to
a failed attempt to renew an SA after its lifetime was
exceeded."
::= { t11FcSpSaControlEntry 11 }
t11FcSpSaControlLifeExcdDir OBJECT-TYPE
SYNTAX T11FcSaDirection
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The direction of frame transmission on the SA that was
most recently terminated because its lifetime (in seconds
or in passed bytes) was exceeded."
::= { t11FcSpSaControlEntry 12 }
t11FcSpSaControlLifeExcdTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time of the most recent termination of an SA
due to its lifetime (in seconds or in passed bytes)
being exceeded. Such terminations include those
due to a failed attempt to renew an SA after its
lifetime was exceeded."
::= { t11FcSpSaControlEntry 13 }
--
-- Notification definitions
--
t11FcSpSaNotifyAuthFailure NOTIFICATION-TYPE
OBJECTS { t11FcSpSaControlInboundSpi,
t11FcSpSaControlSource,
t11FcSpSaControlDestination,
t11FcSpSaControlFrame,
t11FcSpSaControlElapsed,
t11FcSpSaControlSuppressed }
STATUS current
DESCRIPTION
"When this notification is generated, it indicates the
occurrence of an Authentication failure for a received
FC-2 or CT_IU frame. The t11FcSpSaControlInboundSpi,
t11FcSpSaControlSource, and t11FcSpSaControlDestination
objects in the varbindlist are the frame's SPI, source and
destination addresses, respectively. t11FcSpSaControlFrame
provides the (beginning of the) frame's content if such is
available.
This notification is generated only for the first
occurrence of an Authentication failure on a Fabric within
a time window. Subsequent occurrences of an Authentication
Failure on the same Fabric within the same time window
are counted but suppressed.
The value of t11FcSpSaControlElapsed contains (a lower bound
on) the elapsed time since the last generation of this
notification for the same Fabric. The value of
t11FcSpSaControlSuppressed contains the number of
generations which were suppressed in the time window after
that last generation, or zero if unknown."
::= { t11FcSpSaMIBNotifications 1 }
t11FcSpSaNotifyLifeExceeded NOTIFICATION-TYPE
OBJECTS { t11FcSpSaControlLifeExcdSpi,
t11FcSpSaControlLifeExcdDir }
STATUS current
DESCRIPTION
"This notification is generated when the lifetime (in
seconds or in passed bytes) of an SA is exceeded, and the
SA is either immediately terminated or is terminated
because an attempt to renew the SA fails. The values of
t11FcSpSaControlLifeExcdSpi and t11FcSpSaControlLifeExcdDir
contain the SPI and direction of the terminated SA."
::= { t11FcSpSaMIBNotifications 2 }
--
-- Conformance
--
t11FcSpSaMIBCompliances
OBJECT IDENTIFIER ::= { t11FcSpSaMIBConformance 1 }
t11FcSpSaMIBGroups OBJECT IDENTIFIER ::= { t11FcSpSaMIBConformance 2 }
t11FcSpSaMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for entities that implement
FC-SP Security Associations."
MODULE -- this module
MANDATORY-GROUPS
{ t11FcSpSaCapabilityGroup,
t11FcSpSaParamStatusGroup,
t11FcSpSaSummaryCountGroup,
t11FcSpSaProposalGroup,
t11FcSpSaDropBypassGroup,
t11FcSpSaActiveGroup,
t11FcSpSaNotifInfoGroup,
t11FcSpSaNotificationGroup
}
-- The following is an auxiliary (listed in an INDEX clause)
-- object for which the SMIv2 does not allow an OBJECT clause
-- to be specified, but for which this MIB has the following
-- compliance requirement:
-- OBJECT t11FcSpSaIfIndex
-- DESCRIPTION
-- Compliance requires support for either one of:
-- - individual interfaces using ifIndex values, or
-- - the use of the zero value.
-- Write access is not required for any objects in this MIB module:
OBJECT t11FcSpSaIfStorageType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropStorageType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTransStorageType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaIfReplayPrevention
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaIfReplayWindowSize
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaIfTerminateAllSas
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaPropSecurityProt
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaPropTSelListIndex
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaPropTransListIndex
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaPropAcceptAlgorithm
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaPropRowStatus
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropDirection
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropStartSrcAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropEndSrcAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropStartDstAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropEndDstAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropStartRCtl
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropEndRCtl
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropStartType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropEndType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelPropRowStatus
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTransSecurityProt
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTransEncryptAlg
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTransEncryptKeyLen
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTransIntegrityAlg
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTransRowStatus
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByAction
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByStartSrcAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByEndSrcAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByStartDstAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByEndDstAddr
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByStartRCtl
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByEndRCtl
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByStartType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByEndType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaTSelDrByRowStatus
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaPairTerminate
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaControlAuthFailEnable
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaControlWindow
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaControlMaxNotifs
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT t11FcSpSaControlLifeExcdEnable
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
::= { t11FcSpSaMIBCompliances 1 }
-- Units of Conformance
t11FcSpSaCapabilityGroup OBJECT-GROUP
OBJECTS { t11FcSpSaIfEspHeaderCapab,
t11FcSpSaIfCTAuthCapab,
t11FcSpSaIfIKEv2Capab,
t11FcSpSaIfIkev2AuthCapab
}
STATUS current
DESCRIPTION
"A collection of objects containing information
related to capabilities of FC-SP entities."
::= { t11FcSpSaMIBGroups 1 }
t11FcSpSaParamStatusGroup OBJECT-GROUP
OBJECTS { t11FcSpSaIfStorageType,
t11FcSpSaIfReplayPrevention,
t11FcSpSaIfReplayWindowSize,
t11FcSpSaIfDeadPeerDetections,
t11FcSpSaIfTerminateAllSas
}
STATUS current
DESCRIPTION
"A collection of objects containing parameters
and status information related to FC-SP entities."
::= { t11FcSpSaMIBGroups 2 }
t11FcSpSaSummaryCountGroup OBJECT-GROUP
OBJECTS { t11FcSpSaIfOutDrops,
t11FcSpSaIfOutBypasses,
t11FcSpSaIfOutProcesses,
t11FcSpSaIfOutUnMatcheds,
t11FcSpSaIfInUnprotUnmtchDrops,
t11FcSpSaIfInDetReplays,
t11FcSpSaIfInUnprotMtchDrops,
t11FcSpSaIfInBadXforms,
t11FcSpSaIfInGoodXforms,
t11FcSpSaIfInProtUnmtchs
}
STATUS current
DESCRIPTION
"A collection of objects containing summary
counters for FC-SP Security Associations."
::= { t11FcSpSaMIBGroups 3 }
t11FcSpSaProposalGroup OBJECT-GROUP
OBJECTS { t11FcSpSaPropSecurityProt,
t11FcSpSaPropTSelListIndex,
t11FcSpSaPropTransListIndex,
t11FcSpSaPropAcceptAlgorithm,
t11FcSpSaPropOutMatchSucceeds,
t11FcSpSaPropRowStatus,
t11FcSpSaTSelPropDirection,
t11FcSpSaTSelPropStartSrcAddr,
t11FcSpSaTSelPropEndSrcAddr,
t11FcSpSaTSelPropStartDstAddr,
t11FcSpSaTSelPropEndDstAddr,
t11FcSpSaTSelPropStartRCtl,
t11FcSpSaTSelPropEndRCtl,
t11FcSpSaTSelPropStartType,
t11FcSpSaTSelPropEndType,
t11FcSpSaTSelPropStorageType,
t11FcSpSaTSelPropRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects containing information
related to making and accepting proposals for
FC-SP Security Associations."
::= { t11FcSpSaMIBGroups 4 }
t11FcSpSaDropBypassGroup OBJECT-GROUP
OBJECTS { t11FcSpSaTSelDrByAction,
t11FcSpSaTSelDrByStartSrcAddr,
t11FcSpSaTSelDrByEndSrcAddr,
t11FcSpSaTSelDrByStartDstAddr,
t11FcSpSaTSelDrByEndDstAddr,
t11FcSpSaTSelDrByStartRCtl,
t11FcSpSaTSelDrByEndRCtl,
t11FcSpSaTSelDrByStartType,
t11FcSpSaTSelDrByEndType,
t11FcSpSaTSelDrByMatches,
t11FcSpSaTSelDrByRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects containing information
about Traffic Selectors of traffic to drop or bypass
for FC-SP Security."
::= { t11FcSpSaMIBGroups 5 }
t11FcSpSaActiveGroup OBJECT-GROUP
OBJECTS { t11FcSpSaPairSecurityProt,
t11FcSpSaPairTransListIndex,
t11FcSpSaPairTransIndex,
t11FcSpSaPairLifetimeLeft,
t11FcSpSaPairLifetimeLeftUnits,
t11FcSpSaPairTerminate,
t11FcSpSaPairInProtUnMatchs,
t11FcSpSaPairInDetReplays,
t11FcSpSaPairInBadXforms,
t11FcSpSaPairInGoodXforms,
t11FcSpSaTransSecurityProt,
t11FcSpSaTransEncryptAlg,
t11FcSpSaTransEncryptKeyLen,
t11FcSpSaTransIntegrityAlg,
t11FcSpSaTransStorageType,
t11FcSpSaTransRowStatus,
t11FcSpSaTSelNegInInboundSpi,
t11FcSpSaTSelNegInStartSrcAddr,
t11FcSpSaTSelNegInEndSrcAddr,
t11FcSpSaTSelNegInStartDstAddr,
t11FcSpSaTSelNegInEndDstAddr,
t11FcSpSaTSelNegInStartRCtl,
t11FcSpSaTSelNegInEndRCtl,
t11FcSpSaTSelNegInStartType,
t11FcSpSaTSelNegInEndType,
t11FcSpSaTSelNegInUnpMtchDrops,
t11FcSpSaTSelNegOutInboundSpi,
t11FcSpSaTSelNegOutStartSrcAddr,
t11FcSpSaTSelNegOutEndSrcAddr,
t11FcSpSaTSelNegOutStartDstAddr,
t11FcSpSaTSelNegOutEndDstAddr,
t11FcSpSaTSelNegOutStartRCtl,
t11FcSpSaTSelNegOutEndRCtl,
t11FcSpSaTSelNegOutStartType,
t11FcSpSaTSelNegOutEndType,
t11FcSpSaTSelSpiDirection,
t11FcSpSaTSelSpiTrafSelPtr
}
STATUS current
DESCRIPTION
"A collection of objects containing information related
to currently active FC-SP Security Associations."
::= { t11FcSpSaMIBGroups 6 }
t11FcSpSaNotifInfoGroup OBJECT-GROUP
OBJECTS { t11FcSpSaControlAuthFailEnable,
t11FcSpSaControlInboundSpi,
t11FcSpSaControlSource,
t11FcSpSaControlDestination,
t11FcSpSaControlFrame,
t11FcSpSaControlElapsed,
t11FcSpSaControlSuppressed,
t11FcSpSaControlWindow,
t11FcSpSaControlMaxNotifs,
t11FcSpSaControlLifeExcdEnable,
t11FcSpSaControlLifeExcdSpi,
t11FcSpSaControlLifeExcdDir,
t11FcSpSaControlLifeExcdTime
}
STATUS current
DESCRIPTION
"A collection of objects containing information
related to notifications of events concerning
FC-SP Security Associations."
::= { t11FcSpSaMIBGroups 7 }
t11FcSpSaNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { t11FcSpSaNotifyAuthFailure,
t11FcSpSaNotifyLifeExceeded
}
STATUS current
DESCRIPTION
"A collection of notifications of events concerning
FC-SP Security Associations."
::= { t11FcSpSaMIBGroups 8 }
END
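The notification throttling that t11FcSpSaControlWindow, t11FcSpSaControlMaxNotifs, t11FcSpSaControlSuppressed and t11FcSpSaControlElapsed specify for t11FcSpSaNotifyAuthFailure, modelled in Python as an added example that is not part of this RFC or of any FC-SP implementation. It reads the two descriptions together, so that up to MaxNotifs notifications are generated in a window before further failures are only counted; it treats a false t11FcSpSaControlAuthFailEnable as neither notifying nor counting, and the SPI, addresses, frame and times in the scenario are constructed values.

```python
"""Model of t11FcSpSaNotifyAuthFailure throttling as described by the
t11FcSpSaControlTable objects. Constructed example, not RFC or vendor code."""
from dataclasses import dataclass
from typing import Optional

GAUGE32_MAX = 2**32 - 1        # a Gauge32 saturates at its maximum, never wraps
FRAME_CAPTURE_LIMIT = 256      # t11FcSpSaControlFrame is SIZE (0..256)


@dataclass
class AuthFailureNotifier:
    """State of one t11FcSpSaControlTable row, i.e. one Fabric on one interface."""
    sys_start: float                   # origin of sysUpTime (last agent restart)
    auth_fail_enable: bool = True      # t11FcSpSaControlAuthFailEnable
    window: int = 300                  # t11FcSpSaControlWindow, seconds (DEFVAL 300)
    max_notifs: int = 16               # t11FcSpSaControlMaxNotifs (DEFVAL 16)
    suppressed: int = 0                # t11FcSpSaControlSuppressed (Gauge32)
    inbound_spi: int = 0               # t11FcSpSaControlInboundSpi: zero until first notif
    source: bytes = b""                # t11FcSpSaControlSource: empty until first notif
    destination: bytes = b""           # t11FcSpSaControlDestination
    frame: bytes = b""                 # t11FcSpSaControlFrame (first 256 bytes)
    last_notif_time: Optional[float] = None
    window_start: Optional[float] = None
    notifs_in_window: int = 0

    def set_window(self, seconds: int) -> None:
        """SET on t11FcSpSaControlWindow: the running window ends immediately."""
        if not 1 <= seconds <= 4294967295:
            raise ValueError("t11FcSpSaControlWindow is Unsigned32 (1..4294967295)")
        self.window = seconds
        self._terminate_window()

    def set_max_notifs(self, count: int) -> None:
        """SET on t11FcSpSaControlMaxNotifs: likewise ends the running window."""
        self.max_notifs = count
        self._terminate_window()

    def _terminate_window(self) -> None:
        self.window_start = None
        self.notifs_in_window = 0

    def elapsed(self, now: float) -> int:
        """t11FcSpSaControlElapsed in TimeTicks (hundredths of a second): time since
        the last notification, or sysUpTime if none has been generated."""
        origin = self.sys_start if self.last_notif_time is None else self.last_notif_time
        return int((now - origin) * 100)

    def on_auth_failure(self, now: float, spi: int, s_id: bytes, d_id: bytes,
                        frame: bytes) -> Optional[dict]:
        """Handle one Authentication failure on a received frame. Returns the
        varbinds of a t11FcSpSaNotifyAuthFailure, or None if it is suppressed."""
        if not self.auth_fail_enable:
            return None  # assumption: when disabled, nothing is notified or counted
        # An expired window no longer suppresses anything.
        if self.window_start is not None and now - self.window_start >= self.window:
            self._terminate_window()
        if self.window_start is not None and self.notifs_in_window >= self.max_notifs:
            # Quota for this window is used up: count the failure, do not notify.
            self.suppressed = min(self.suppressed + 1, GAUGE32_MAX)
            return None
        if self.window_start is None:
            self.window_start = now      # this notification opens a new window
        self.notifs_in_window += 1
        captured = frame[:FRAME_CAPTURE_LIMIT]
        varbinds = {
            "t11FcSpSaControlInboundSpi": spi,
            "t11FcSpSaControlSource": s_id,
            "t11FcSpSaControlDestination": d_id,
            "t11FcSpSaControlFrame": captured,
            "t11FcSpSaControlElapsed": self.elapsed(now),
            "t11FcSpSaControlSuppressed": self.suppressed,  # suppressed since last notif
        }
        # Remember the triggering frame, then reset the gauge as the MIB requires.
        self.inbound_spi, self.source, self.destination, self.frame = spi, s_id, d_id, captured
        self.last_notif_time = now
        self.suppressed = 0
        return varbinds


def demo() -> dict:
    """Constructed scenario: five failures in a burst against a 60 s window that
    allows two notifications, then one more failure after the window expires."""
    n = AuthFailureNotifier(sys_start=0.0, window=60, max_notifs=2)
    spi = 0x1000                                   # constructed SPI
    s_id, d_id = bytes.fromhex("010200"), bytes.fromhex("020300")  # constructed FC addresses
    frame = bytes(300)                             # constructed 300-byte frame
    burst = [n.on_auth_failure(t, spi, s_id, d_id, frame) for t in (10, 12, 14, 16, 18)]
    suppressed_after_burst = n.suppressed
    late = n.on_auth_failure(80, spi, s_id, d_id, frame)
    return {"sent": [v for v in burst if v is not None],
            "suppressed_after_burst": suppressed_after_burst,
            "late": late}


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['sent'])} notifications sent during the burst, "
          f"{result['suppressed_after_burst']} failures suppressed")
    print("notification after window expiry carries Suppressed =",
          result["late"]["t11FcSpSaControlSuppressed"])
```

The point for a monitoring team is that the suppressed failures are not lost: the next notification carries their count in t11FcSpSaControlSuppressed, and a SET on the window or quota silently restarts the accounting.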
7. IANA Considerations
IANA has made one MIB OID assignment, under the appropriate subtree,
for each of the five MIB modules defined in this document.
8. Security Considerations
In this section, the first sub-section explains why this document
does not define MIB objects for particular items of (management)
information. This is followed by one sub-section for each of the MIB
modules defined in section 6, listing their individual Security
Considerations. The section concludes with Security Considerations
common to all of these MIB modules.
The key word "RECOMMENDED" contained in this section is to be
interpreted as described in BCP 14 [RFC2119].
8.1. Information Not Defined in This Document
This document doesn't define any MIB objects for the secrets that
need to be known/determined by FC-SP entities in order to use DH-CHAP
to authenticate each other. Such secrets are "highly sensitive" and
need to be "strong secrets" (e.g., randomly generated and/or from an
external source, see section 5.4.8 of [FC-SP]) rather than just
passwords. Thus, such secrets need to be managed by mechanisms other
than the MIB modules defined here.
8.2. The T11-FC-SP-TC-MIB Module
This MIB module defines some data types and assigns some Object
Identifiers, for use as the syntax and as values of MIB objects,
respectively, but it itself defines no MIB objects. Thus, there is
no direct read or write access via a management protocol, such as
SNMP, to these definitions. Nevertheless, it does include the
assignment of enumerations and OIDs to represent cryptographic
algorithms/transforms, and it is appropriate for such assignments to
be augmented with new assignments as and when new
algorithms/transforms are available.
8.3. The T11-FC-SP-AUTHENTICATION-MIB Module
There are several management objects defined in this MIB module with
a MAX-ACCESS clause of read-write. Such objects may be considered
sensitive or vulnerable in some network environments. The support
for SET operations in a non-secure environment without proper
protection can have a negative effect on network operations. These
objects and their sensitivity/vulnerability are:
t11FcSpAuStorageType
- could cause changes in the configuration to be retained or not
retained over restarts, against the wishes of management.
t11FcSpAuSendRejNotifyEnable
t11FcSpAuRcvRejNotifyEnable
- could cause the suppression of SNMP notifications (e.g., of
authentication failures or protocol failures), or the disruption
of network operations due to the generation of unwanted
notifications.
t11FcSpAuDefaultLifetime
t11FcSpAuDefaultLifetimeUnits
- could cause the lifetimes of Security Associations to be extended
longer than might be secure, or shortened to cause an increase in
the overhead of using security.
t11FcSpAuRejectMaxRows
- could cause a smaller audit trail of Authentication rejects,
thereby hiding the tracks of an attacker, or a larger audit trail
of Authentication rejects causing resources to be wasted.
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
t11FcSpAuEntityTable
- the capabilities of FC-SP Authentication entities in terms of
what cryptographic algorithms they support, and various
configuration parameters of FC-SP Authentication entities.
t11FcSpAuIfStatTable
- the mapping of which FC-SP Authentication entities operate on
which interfaces.
t11FcSpAuRejectTable
- an audit trail of authentication failures and other
Authentication Protocol failures.
8.4. The T11-FC-SP-ZONING-MIB Module
There are several management objects defined in this MIB module with
a MAX-ACCESS clause of read-write and/or read-create. Such objects
may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These objects and their
sensitivity/vulnerability are:
t11FcSpZsServerEnabled
- could cause FC-SP Zoning mode to be enabled or not enabled,
against the wishes of management.
t11FcSpZoneSetHashStatus
- could cause an FC-SP implementation to recalculate the values
of the Active Zone Set Hash and the Zone Set Database Hash
more frequently than is required by management.
t11FcSpZsNotifyJoinSuccessEnable
t11FcSpZsNotifyJoinFailureEnable
- could cause the suppression of SNMP notifications that a
Switch in one Fabric has successfully joined/failed to join
with a Switch in another Fabric, or the disruption of network
operations due to the generation of unwanted notifications.
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the objects and their
sensitivity/vulnerability:
t11FcSpZsServerCapabilityObject
t11FcSpZsServerEnabled
- the FC-SP Zoning capabilities and status of the FC-SP
implementation.
t11FcSpZoneSetHashStatus
t11FcSpActiveZoneSetHashType
t11FcSpActiveZoneSetHash
t11FcSpZoneSetDatabaseHashType
t11FcSpZoneSetDatabaseHash
- the current values of the Active Zone Set Hash and the Zone
Set Database Hash.
8.5. The T11-FC-SP-POLICY-MIB Module
There are many management objects defined in this MIB module with a
MAX-ACCESS clause of read-write and/or read-create. Such objects may
be considered sensitive or vulnerable in some network environments.
The support for SET operations in a non-secure environment without
proper protection can have a negative effect on network operations.
The objects and tables and their sensitivity/vulnerability are:
t11FcSpPoNaSummaryTable
t11FcSpPoNaSwListTable
t11FcSpPoNaSwMembTable
t11FcSpPoNaNoMembTable
t11FcSpPoNaCtDescrTable
t11FcSpPoNaSwConnTable
t11FcSpPoNaIpMgmtTable
- could change the currently inactive FC-SP Fabric Policies, so
as to allow unauthorized connectivity of Switches and/or
Nodes to the network, or between Switches in the network, or,
to prohibit such connectivity even when authorized.
t11FcSpPoNaIpMgmtTable
t11FcSpPoNaWkpDescrTable
- could change the currently inactive FC-SP Fabric Policies, so
as to allow unauthorized management access to Switches, or
prohibit authorized management access to Switches.
t11FcSpPoNaSummaryTable
t11FcSpPoNaSwMembTable
t11FcSpPoNaNoMembTable
t11FcSpPoNaAttribTable
t11FcSpPoNaAuthProtTable
- could change the currently inactive FC-SP Fabric Policies, so
as to allow Security Associations with reduced security or
require Security Associations that are unnecessarily secure.
t11FcSpPoOperActivate
t11FcSpPoOperDeActivate
- could cause the currently active FC-SP Fabric Policies to be
de-activated and currently inactive FC-SP Fabric Policies
(e.g., those modified as above) to be activated instead.
t11FcSpPoStorageType
- could cause changes in the configuration and/or in FC-SP
Fabric Policies to be retained or not retained over restarts,
against the wishes of management.
t11FcSpPoNotificationEnable
- could cause the suppression of SNMP notifications on the
successful/unsuccessful activation/deactivation of Fabric
Policies, and thereby hide successful/failed attempts to make
unauthorized changes, or cause the disruption of network
operations due to the generation of unwanted notifications.
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and their
sensitivity/vulnerability:
t11FcSpPoTable
t11FcSpPoSummaryTable
t11FcSpPoSwMembTable
t11FcSpPoNoMembTable
t11FcSpPoCtDescrTable
t11FcSpPoSwConnTable
t11FcSpPoIpMgmtTable
t11FcSpPoWkpDescrTable
t11FcSpPoAttribTable
t11FcSpPoAuthProtTable
- the currently active FC-SP Fabric Policies that can be
examined by an attacker looking for possible security
vulnerabilities in the active policies.
8.6. The T11-FC-SP-SA-MIB Module
There are several management objects defined in this MIB module with
a MAX-ACCESS clause of read-write and/or read-create. Such objects
may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These objects and their
sensitivity/vulnerability are:
t11FcSpSaIfStorageType
t11FcSpSaTSelPropStorageType
t11FcSpSaTransStorageType
- could cause changes in configuration information related to
FC-SP Security Associations to be retained or not retained over
restarts, against the wishes of management.
t11FcSpSaIfReplayPrevention
t11FcSpSaIfReplayWindowSize
- could cause changes in the operation of anti-replay protection,
thereby permitting an attacker to conduct replay attacks, or
requiring FC-SP implementations to engage in unnecessary
protection against replay.
t11FcSpSaIfTerminateAllSas
t11FcSpSaPairTerminate
- could cause FC-SP Security Associations to be aborted
unnecessarily.
t11FcSpSaControlAuthFailEnable
- could cause the suppression of SNMP notifications on the
occurrence of Authentication failures for received FC-2 or CT_IU
frames, thereby hiding attempts to subvert security measures, or
cause the disruption of network operations due to the generation
of unwanted notifications.
t11FcSpSaControlLifeExcdEnable
- could cause the suppression of SNMP notifications on the
occurrence of an FC-SP Security Association exceeding its
lifetime, thereby possibly causing disruption to network usage
due to a delay in determining the problem and/or re-establishing
the Security Association.
t11FcSpSaControlWindow
- could cause the suppression of second and subsequent SNMP
notifications on the occurrence of Authentication failures
for received FC-2 or CT_IU frames, thereby masking repeated
attempts to subvert security measures, or cause the
disruption of network operations due to the generation of
unwanted notifications.
t11FcSpSaControlMaxNotifs
- could cause the suppression of all SNMP notifications on the
occurrence of Authentication failures for received FC-2 or
CT_IU frames, thereby masking attempts to subvert security
measures, or cause the disruption of network operations due
to the generation of unwanted notifications.
t11FcSpSaPropTable
t11FcSpSaTSelPropTable
t11FcSpSaTransTable
- could cause an FC-SP entity to propose the setup of Security
Associations that apply to a different selection of traffic
and/or using different security transforms, such that some
traffic has a reduced level of security that might improve an
attacker's chance of subverting security, or an increased
level of security that would involve unnecessary security
processing, or cause the negotiation of Security Associations
to fail to find commonly acceptable parameters such that no
Security Associations can be established.
t11FcSpSaTSelDrByTable
- could cause an FC-SP entity to select different sets of
traffic which are: a) to be sent/received without being
protected by FC-SP security, thereby providing an attacker
with access to read authentic traffic or the ability to
introduce unauthentic traffic; or b) to be dropped instead of
being sent/after being received, thereby causing disruption
to network usage.
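As an added illustration (not code from this RFC or from any FC-SP implementation) of the notification-suppression risk described for t11FcSpSaControlWindow and t11FcSpSaControlMaxNotifs above, the following Python model applies a per-window cap to Authentication-failure notifications and counts what it masks. The window/maximum semantics are a simplified assumption, not the MIB objects' exact definitions, and the failure timestamps are constructed.

```python
"""Model of an Authentication-failure notification throttle in the
spirit of t11FcSpSaControlWindow / t11FcSpSaControlMaxNotifs.
Added example; assumed (simplified) semantics: a window of
`window_secs` opens at the first failure after the previous window
closed, at most `max_notifs` notifications are emitted per window,
and max_notifs == 0 emits none. Masked failures are counted rather
than silently discarded, so an operator can see how much a given
setting hides."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthFailThrottle:
    window_secs: int                     # analogue of t11FcSpSaControlWindow
    max_notifs: int                      # analogue of t11FcSpSaControlMaxNotifs
    window_start: Optional[float] = None
    sent_in_window: int = 0
    suppressed: int = 0                  # running count of masked failures

    def on_auth_failure(self, t: float) -> bool:
        """Return True if a notification should be sent for a failure at time t."""
        if self.window_start is None or t - self.window_start >= self.window_secs:
            # previous window has elapsed (or none yet): open a new one here
            self.window_start = t
            self.sent_in_window = 0
        if self.sent_in_window < self.max_notifs:
            self.sent_in_window += 1
            return True
        self.suppressed += 1
        return False


def replay(window_secs: int, max_notifs: int,
           times: List[float]) -> Tuple[List[float], int]:
    """Run the throttle over failure timestamps (seconds, ascending).
    Returns (timestamps that produced a notification, number masked)."""
    th = AuthFailThrottle(window_secs, max_notifs)
    emitted = [t for t in times if th.on_auth_failure(t)]
    return emitted, th.suppressed


# Constructed sample: a burst of six failures within five seconds,
# then a single failure a minute later.
FAILURES = [0.0, 0.5, 1.0, 1.5, 4.0, 4.5, 60.0]

if __name__ == "__main__":
    print(replay(10, 1, FAILURES))   # first of the burst plus the late one
    print(replay(10, 0, FAILURES))   # a zero maximum masks every failure
```

A large window with a small maximum reduces notification noise but hides the repetition that distinguishes a probing attempt from a single misconfiguration, which is the trade-off the text above warns about.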
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
t11FcSpSaIfTable
- information concerning the capabilities, parameters and
status of an FC-SP entity's support for Security
Associations.
t11FcSpSaPropTable
t11FcSpSaTSelPropTable
t11FcSpSaTransTable
- information on the proposals that will be used by an FC-SP
entity to negotiate Security Associations.
t11FcSpSaTSelDrByTable
- information on which subsets of traffic an FC-SP entity will
send or receive without being protected by FC-SP security, or
will drop before sending/after receiving.
t11FcSpSaPairTable
t11FcSpSaTSelNegInTable
t11FcSpSaTSelNegOutTable
t11FcSpSaTSelSpiTable
- information on which Security Associations are currently
active, what subsets of traffic they are carrying, and what
security protection is being given to them.
8.7. Recommendations Common to All MIB Modules
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is RECOMMENDED that implementors consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
Because the two algorithms currently specified for
T11FcSpPolicyHashFormat are SHA-1 and SHA-256, the definition of
T11FcSpHashCalculationStatus expresses a concern in regard to not
incrementally recomputing the hashes after each change when a series
of multiple related changes are being made. This method of reducing
computation is intended as a responsiveness measure (i.e., cooperating
SNMP managers and agents can get things done faster), not as a
Denial-of-Service (DoS) countermeasure. Nevertheless, implementations
should also consider the DoS possibilities in these scenarios;
potential countermeasures include: requiring authentication for SETs
and the rate-limiting of SET operations if they can cause significant
computation.
9. Normative References
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005.
[RFC4044] McCloghrie, K., "Fibre Channel Management MIB", RFC 4044, May 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.
[RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.
[RFC4438] DeSanti, C., Gaonkar, V., Vivek, H., McCloghrie, K., and S. Gai, "Fibre-Channel Name Server MIB", RFC 4438, April 2006.
[RFC4439] DeSanti, C., Gaonkar, V., McCloghrie, K., and S. Gai, "Fibre Channel Fabric Address Manager MIB", RFC 4439, March 2006.
[RFC4936] DeSanti, C., Vivek, H., McCloghrie, K., and S. Gai, "Fibre Channel Zone Server MIB", RFC 4936, August 2007.
[FC-FS-2] "Fibre Channel - Framing and Signaling-2 (FC-FS-2)", ANSI INCITS 424-2007, February 2007.
[FC-GS-5] "Fibre Channel - Generic Services-5 (FC-GS-5)", ANSI INCITS 427-2006, December 2006.
[FC-SP] "Fibre Channel - Security Protocols (FC-SP)", ANSI INCITS 426-2007, T11/Project 1570-D, February 2007.
[FC-SW-4] "Fibre Channel - Switch Fabric-4 (FC-SW-4)", ANSI INCITS 418-2006, April 2006.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
10. Informative References
[RFC1492] Finseth, C., "An Access Control Protocol, Sometimes Called TACACS", RFC 1492, July 1993.
[RFC2741] Daniele, M., Wijnen, B., Ellison, M., and D. Francisco, "Agent Extensibility (AgentX) Protocol Version 1", RFC 2741, January 2000.
[RFC2837] Teow, K., "Definitions of Managed Objects for the Fabric Element in Fibre Channel Standard", RFC 2837, May 2000.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC4595] Maino, F. and D. Black, "Use of IKEv2 in the Fibre Channel Security Association Management Protocol", RFC 4595, July 2006.
[RFC4625] DeSanti, C., McCloghrie, K., Kode, S., and S. Gai, "Fibre Channel Routing Information MIB", RFC 4625, September 2006.
[RFC4626] DeSanti, C., Gaonkar, V., McCloghrie, K., and S. Gai, "MIB for Fibre Channel's Fabric Shortest Path First (FSPF) Protocol", RFC 4626, September 2006.
[RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6", RFC 4668, August 2006.
[RFC4747] Kipp, S., Ramkumar, G., and K. McCloghrie, "The Virtual Fabrics MIB", RFC 4747, November 2006.
[RFC4935] DeSanti, C., Vivek, H., McCloghrie, K., and S. Gai, "Fibre Channel Fabric Configuration Server MIB", RFC 4935, August 2007.
[RFC4983] DeSanti, C., Vivek, H., McCloghrie, K., and S. Gai, "Fibre Channel Registered State Change Notification (RSCN) MIB", RFC 4983, August 2007.
11. Acknowledgements
This document was initially developed and approved by the INCITS Task
Group T11.5 (http://www.t11.org) as the SM-FSM project. We wish to
acknowledge the contributions and comments from the INCITS Technical
Committee T11, including the following:
T11 Chair: Robert Snively, Brocade
T11 Vice Chair: Claudio DeSanti, Cisco Systems
T11.5 Chair: Roger Cummings, Symantec
T11.5 members:
David Black, EMC
Don Fraser, HP
Larry Hofer, Brocade
Scott Kipp, Brocade
Ralph Weber, ENDL
The document was subsequently a work item of the IMSS Working Group (of
the IETF), chaired by David Black (EMC Corporation). Bert Wijnen
(Alcatel-Lucent) deserves many thanks for his thorough review of all
five MIB modules in this (large!) document. We also wish to
acknowledge Dan Romascanu (Avaya), the IETF Area Director, for his
comments and assistance.
Authors' Addresses
Claudio DeSanti
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
Phone: +1 408 853-9172
EMail: cds@cisco.com
Fabio Maino
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
Phone: +1 408 853-7530
EMail: fmaino@cisco.com
Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA USA 95134
Phone: +1 408-526-5260
EMail: kzm@cisco.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.