Network Working Group M. Baer Request for Comments: 4807 Sparta, Inc. Category: Standards Track R. Charlet Self W. Hardaker Sparta, Inc. R. Story Revelstone Software C. Wang ARO March 2007
Network Working Group M. Baer Request for Comments: 4807 Sparta, Inc. Category: Standards Track R. Charlet Self W. Hardaker Sparta, Inc. R. Story Revelstone Software C. Wang ARO March 2007
IPsec Security Policy Database Configuration MIB
IPsec安全策略数据库配置MIB
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
Abstract
摘要
This document defines a Structure of Management Information Version 2 (SMIv2) Management Information Base (MIB) module for configuring the security policy database of a device implementing the IPsec protocol. The policy-based packet filtering and the corresponding execution of actions described in this document are of a more general nature than for IPsec configuration alone, such as for configuration of a firewall. This MIB module is designed to be extensible with other enterprise or standards-based defined packet filters and actions.
本文档定义了管理信息版本2(SMIv2)管理信息库(MIB)模块的结构,用于配置实现IPsec协议的设备的安全策略数据库。本文档中描述的基于策略的数据包过滤和相应操作的执行比单独的IPsec配置(如防火墙配置)更具一般性。此MIB模块设计为可通过其他基于企业或标准的已定义数据包筛选器和操作进行扩展。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3 4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 5.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 6 5.1.1. Notational Conventions . . . . . . . . . . . . . . . . 6 5.1.2. Implementing an Example SPD Policy . . . . . . . . . . 7 6. MIB Definition . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 65 7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 65 7.2. Protecting against Unauthenticated Access . . . . . . . . 66 7.3. Protecting against Involuntary Disclosure . . . . . . . . 66 7.4. Bootstrapping Your Configuration . . . . . . . . . . . . . 67 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 68 10.1. Normative References . . . . . . . . . . . . . . . . . . . 68 10.2. Informative References . . . . . . . . . . . . . . . . . . 69
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3 4. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 5. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 5.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 6 5.1.1. Notational Conventions . . . . . . . . . . . . . . . . 6 5.1.2. Implementing an Example SPD Policy . . . . . . . . . . 7 6. MIB Definition . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 65 7.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 65 7.2. Protecting against Unauthenticated Access . . . . . . . . 66 7.3. Protecting against Involuntary Disclosure . . . . . . . . 66 7.4. Bootstrapping Your Configuration . . . . . . . . . . . . . 67 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 68 10.1. Normative References . . . . . . . . . . . . . . . . . . . 68 10.2. Informative References . . . . . . . . . . . . . . . . . . 69
This document defines a MIB module for configuration of an IPsec security policy database (SPD). The IPsec model this MIB is designed to configure is based on the "IPsec Configuration Policy Model" (IPCP) [RFC3585]. The IPCP's IPsec model is, in turn, derived from the Distributed Management Task Force's (DMTF) IPsec model (see below) and from the IPsec model specified in RFC 2401 [RFC2401]. Note: RFC 2401 has been updated by RFC 4301 [RFC4301], but this implementation is based on RFC 2401. The policy-based packet filtering and the corresponding execution of actions configured by this MIB is of a more general nature than for IPsec configuration only, such as for configuration of a firewall. It is possible to extend this MIB module and add other packet-transforming actions that are performed conditionally on an interface's network traffic.
本文档定义了用于配置IPsec安全策略数据库(SPD)的MIB模块。此MIB设计用于配置的IPsec模型基于“IPsec配置策略模型”(IPCP)[RFC3585]。IPCP的IPsec模型又源自分布式管理任务组(DMTF)的IPsec模型(见下文)和RFC 2401[RFC2401]中指定的IPsec模型。注:RFC 2401已由RFC 4301[RFC4301]更新,但此实现基于RFC 2401。此MIB配置的基于策略的数据包过滤和相应的操作执行比仅针对IPsec配置(例如,针对防火墙的配置)具有更一般的性质。可以扩展此MIB模块,并添加对接口网络流量有条件执行的其他数据包转换操作。
The IPsec- and IKE-specific actions are as documented in [IPsec-ACTION] and [IKE-ACTION], respectively, and are not documented in this document.
IPsec-和IKE-特定操作分别在[IPsec-ACTION]和[IKE-ACTION]中记录,本文档中未记录。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410]
有关描述当前互联网标准管理框架的文件的详细概述,请参阅RFC 3410[RFC3410]第7节
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].
托管对象通过虚拟信息存储(称为管理信息库或MIB)进行访问。MIB对象通常通过简单网络管理协议(SNMP)进行访问。MIB中的对象是使用管理信息结构(SMI)中定义的机制定义的。本备忘录规定了符合SMIv2的MIB模块,如STD 58、RFC 2578[RFC2578]、STD 58、RFC 2579[RFC2579]和STD 58、RFC 2580[RFC2580]所述。
The Distributed Management Task Force (DMTF) has created an object oriented model of IPsec policy information known as the IPsec Policy Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model" (IPCP) [RFC3585] is based, in large part, on the DMTF's IPsec policy model and on RFC 2401 [RFC2401]. The IPCP document describes a model
分布式管理任务组(DMTF)创建了IPsec策略信息的面向对象模型,称为IPsec策略模型白皮书[IPPMWP]。“IPsec配置策略模型”(IPCP)[RFC3585]在很大程度上基于DMTF的IPsec策略模型和RFC 2401[RFC2401]。IPCP文件描述了一个模型
for configuring IPsec. This MIB module is a task-specific derivation (i.e., an SMIv2 instantiation) of the IPCP's IPsec configuration model for use with Simple Network Management Protocol version 3 (SNMPv3).
用于配置IPsec。此MIB模块是IPCP IPsec配置模型的特定于任务的派生(即SMIv2实例化),用于简单网络管理协议版本3(SNMPv3)。
The high-level areas where this MIB module diverges from the IPCP model are:
该MIB模块偏离IPCP模型的高级区域包括:
o Policies, Groups, Conditions, and some levels of Actions are generically named. In other words, IPsec-specific prefixes like "SA" (Security Association), or "IPsec", are not used. This naming convention is used because packet classification and the matching of conditions to actions is more general than IPsec. The tables in this document can possibly be reused by other packet-transforming actions, which need to conditionally act on packets matching filters.
o 策略、组、条件和某些级别的操作都具有通用名称。换句话说,不使用特定于IPsec的前缀,如“SA”(安全关联)或“IPsec”。之所以使用此命名约定,是因为数据包分类和条件与操作的匹配比IPsec更通用。本文档中的表可能会被其他数据包转换操作重用,这些操作需要有条件地作用于匹配筛选器的数据包。
o Filters are implemented in a more generic and scalable manner, rather than enforcing the condition/filtering pairing of the IPCP and its restrictions upon the user. This MIB module offers a compound filter object providing greater flexibility for complex filters than the IPCP.
o 过滤器以更通用和可伸缩的方式实现,而不是强制执行IPCP的条件/过滤配对及其对用户的限制。此MIB模块提供了一个复合筛选器对象,为复杂筛选器提供了比IPCP更大的灵活性。
The MIB module is modularized into several different parts: rules, filters, and actions.
MIB模块被模块化为几个不同的部分:规则、过滤器和操作。
The rules section associates endpoints and groups of rules, and consists of the spdEndpointToGroupTable, spdGroupContentsTable, and the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable connects a filter to an action. It should also be noted that by referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's filter column can indicate a set of filters to be processed. Likewise, by referencing the spdCompoundActionTable, the spdRuleDefinitionTable's action column can indicate multiple actions to be executed.
规则部分将端点和规则组关联起来,并由spdEndpointToGroupTable、spdGroupContentsTable和spdRuleDefinitionTable组成。spdRuleDefinitionTable的每一行都连接一个筛选器和一个操作。还应注意,通过引用spdCompoundFilterTable,spdRuleDefinitionTable的筛选器列可以指示要处理的一组筛选器。同样,通过引用spdCompoundActionTable,spdRuleDefinitionTable的action列可以指示要执行的多个操作。
This MIB is structured to allow for reuse through the future creation of extension tables that provide additional filters and/or actions. In fact, the companion documents to this one ([IPsec-ACTION] and [IKE-ACTION]) do just that and define IPsec- and IKE-specific actions to be used within this SPD configuration MIB. Note: it is expected that, in order to function properly, extension action MIBs may impose additional limitations on the objects in this MIB and how they can be used with the extended actions. An extension action may only support a subset of the configuration options available in this MIB.
此MIB的结构允许在将来创建扩展表时重用,扩展表提供额外的筛选器和/或操作。事实上,这篇文章的附带文档([IPsec-ACTION]和[IKE-ACTION])正是这样做的,并定义了要在此SPD配置MIB中使用的IPsec和IKE特定的操作。注意:为了正常工作,扩展操作MIB可能会对此MIB中的对象以及如何将其与扩展操作一起使用施加额外的限制。扩展操作可能仅支持此MIB中可用的配置选项的子集。
The filter section of the MIB module is composed of the different types of filters in the Policy Model. It is made up of the spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable, spdIpsoHeaderFilterTable.
MIB模块的筛选器部分由策略模型中不同类型的筛选器组成。它由spdTrueFilter、spdCompoundFilterTable、SPdSubFilterTable、spdIpHeaderFilterTable、spdIpOffsetFilterTable、spdTimeFilterTable、spdIpsoHeaderFilterTable组成。
The action section of this MIB module contains only the simple static actions required for the firewall processing that an IPsec SPD implementation requires (e.g., accept, drop, log, etc.). The companion documents of this document define the complex actions necessary for IPsec and IKE negotiations.
此MIB模块的操作部分仅包含IPsec SPD实现所需的防火墙处理所需的简单静态操作(例如,接受、删除、日志等)。本文档的附带文档定义了IPsec和IKE协商所需的复杂操作。
As may have been noticed above, the MIB uses recursion in a similar manner in several different places. In particular, the spdGroupContentsTable, the spdCompoundFilterTable / spdSubfiltersTable combination, and the spdCompoundActionTable / spdSubactionsTable combination can reference themselves.
正如上面可能已经注意到的,MIB在几个不同的地方以类似的方式使用递归。特别是,spdGroupContentsTable、SPDComboundFilterTable/SPDSubfilterTable组合和SPDComboundActionTable/spdSubactionsTable组合可以引用它们自己。
In the case of the spdGroupContentsTable, a row can indicate a rule (i.e., a row in the spdRuleDefinitionTable) or a group (i.e., another set of one or more rows in the spdGroupContentsTable). This way, a group can contain a set of rules and sub-groups. Sub-groups are just other groups defined in the spdGroupContentsTable. There is no inherent MIB limit to the depth of nesting of groups.
对于spdGroupContentsTable,一行可以表示规则(即spdRuleDefinitionTable中的一行)或组(即spdGroupContentsTable中一行或多行的另一组)。这样,组可以包含一组规则和子组。子组只是spdGroupContentsTable中定义的其他组。组嵌套的深度没有固有的MIB限制。
The spdCompoundFilterTable / spdSubfiltersTable combination and spdCompoundActionTable / spdSubactionsTable combination are designed almost identically, with one being for filters and the other for actions, respectively. The following descriptions for the compound filter tables can be directly applied to the compound action tables.
spdCompoundFilterTable/SpdSubFilterTable组合和spdCompoundActionTable/spdSubactionsTable组合的设计几乎相同,一个用于过滤器,另一个用于操作。复合筛选器表的以下说明可直接应用于复合操作表。
The combination of the tables spdCompoundFilterTable and spdSubfiltersTable allow a user to create a set of filters that can be referenced from any table as a single filter. A row in the spdCompoundFilterTable has the basic configuration information for the compound filter. The index of spdCompoundFilterTable, spdCompFiltname, is also used as a partial index to reference a set of ordered rows in the spdSubfiltersTable. Each row in spdSubfiltersTable points to a row in another filter table. In this way, the set of rows in spdSubFiltersTable with a matching spdCompFiltName, together with the row in spdCompoundFilterTable indexed by spdCompFiltName, create a compound filter. Note that it is possible for a row in the spdSubfiltersTable to point to a row in the spdCompoundFilterTable. This recursion allows the creation of a filter set that includes other filter sets within it. There is no inherent MIB limit to the nesting of compound filters within compound filters.
SPDComboundFilterTable表和SPDSubFilterTable表的组合允许用户创建一组筛选器,这些筛选器可以作为单个筛选器从任何表中引用。spdCompoundFilterTable中的一行包含复合筛选器的基本配置信息。spdCompoundFilterTable的索引SpdCompFilterName也用作引用SpdSubFilterTable中一组有序行的部分索引。SPDSubfilterTable中的每一行都指向另一个筛选器表中的一行。这样,SPDSubfilterTable中具有匹配spdCompFiltName的行集合,以及spdCompFiltName索引的SPDCompFundFilterTable中的行,将创建一个复合筛选器。请注意,SPDSubfilters表中的一行可以指向SPDComboundFilterTable中的一行。这种递归允许创建一个过滤器集,其中包括其他过滤器集。复合过滤器中的复合过滤器嵌套没有固有的MIB限制。
In order to use the tables contained in this document, a general understanding of firewall processing is helpful. The processing of the security policy database (SPD) involves applying a set of SPD rules to an interface on a device. The given set of rules to apply to any given interface is defined within the spdEndpointToGroupTable table. This table maps a given interface to a group of rules. In this table, the interface itself is specified using its assigned address. There is also one group of rules per direction (ingress and egress).
为了使用本文档中包含的表格,对防火墙处理有一个全面的了解是很有帮助的。安全策略数据库(SPD)的处理涉及将一组SPD规则应用于设备上的接口。要应用于任何给定接口的给定规则集在spdEndpointToGroupTable表中定义。此表将给定接口映射到一组规则。在此表中,接口本身是使用其分配的地址指定的。每个方向也有一组规则(入口和出口)。
Notes about the following example operations:
有关以下示例操作的注释:
1. All the example operations in the following section make use of default values for all columns not listed. The operations and column values given in the examples are the minimal SNMP Varbinds that must be sent to create a row.
1. 以下部分中的所有示例操作都使用未列出的所有列的默认值。示例中给出的操作和列值是创建行必须发送的最小SNMP变量绑定。
2. The example operations are formatted such that a row (i.e., the table's Entry object) is operated on by using the indexes to that row and the column values for that row.
2. 对示例操作进行格式化,以便通过使用该行的索引和该行的列值对该行(即表的条目对象)进行操作。
3. Below is a generic example of the notation used in the following section's examples of this MIB's usage. This example indicates that the MIB row to be set is the row with the index values of value1 for index1, and value2 for index2. Within this row, column1 is set to column_value1, and column2 is set to column_value2.:
3. 下面是在下一节的这个MIB的用法示例中使用的符号的一般示例。此示例表示要设置的MIB行是索引值为value1(对于index1)和value2(对于index2)的行。在此行中,column1设置为column_value1,column2设置为column_value2:
rowEntry(index1 = value1, index2 = value2) = (column1 = column_value1, column2 = column_value2)
rowEntry(index1 = value1, index2 = value2) = (column1 = column_value1, column2 = column_value2)
4. The below is a specific example of the notation used in the following section's examples of this MIB's usage. This example represents the status column of a row in the IP-MIB::ipAddressTable table being set to deprecated. The index values for this row are IPv4 and 192.0.2.1. The example notation would look like the following:
4. 下面是下一节关于此MIB用法示例中使用的符号的具体示例。此示例表示IP-MIB::ipAddressTable表中被设置为不推荐的行的状态列。此行的索引值为IPv4和192.0.2.1。示例符号如下所示:
ipAddressEntry(ipAddressAddrType = 1, -- ipv4 ipAddressAddr = 0xC0000201 ) -- 192.0.2.1 = (ipAddressStatus = 2) -- deprecated
ipAddressEntry(ipAddressAddrType = 1, -- ipv4 ipAddressAddr = 0xC0000201 ) -- 192.0.2.1 = (ipAddressStatus = 2) -- deprecated
As an example, let us define the following administrative policy: On the network interface with IP address 192.0.2.1, all traffic from host 192.0.2.6 will be dropped and all other traffic will be accepted.
例如,让我们定义以下管理策略:在IP地址为192.0.2.1的网络接口上,来自主机192.0.2.6的所有流量将被丢弃,所有其他流量将被接受。
This policy is enforced by setting the values in the MIB to do the following:
通过将MIB中的值设置为执行以下操作来实施此策略:
o create a filter for 192.0.2.6
o 为192.0.2.6创建一个过滤器
o create a rule that connects the 192.0.2.6 filter to a packet drop action
o 创建将192.0.2.6筛选器连接到数据包丢弃操作的规则
o create a rule that always accepts packets
o 创建始终接受数据包的规则
o group these rules together in the proper order so that the 192.0.2.6 drop rule is checked first.
o 按照正确的顺序将这些规则分组,以便首先检查192.0.2.6删除规则。
o connect this group of rules to the 192.0.2.1 interface
o 将这组规则连接到192.0.2.1接口
The first step to do this is creating the filter for the IPv4 address 192.0.2.6:
执行此操作的第一步是为IPv4地址192.0.2.6创建筛选器:
SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6") = (spdIpHeadFiltType = 0x80, -- sourceAddress spdIpHeadFiltIPVersion = 1, -- IPv4 spdIpHeadFiltSrcAddressBegin = 0xC0000206, -- 192.0.2.6 spdIpHeadFiltSrcAddressEnd = 0xC0000206, -- 192.0.2.6 spdIpHeadFiltRowStatus = 4) -- createAndGo
SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6") = (spdIpHeadFiltType = 0x80, -- sourceAddress spdIpHeadFiltIPVersion = 1, -- IPv4 spdIpHeadFiltSrcAddressBegin = 0xC0000206, -- 192.0.2.6 spdIpHeadFiltSrcAddressEnd = 0xC0000206, -- 192.0.2.6 spdIpHeadFiltRowStatus = 4) -- createAndGo
Next, a rule is created to connect the above "192.0.2.6" filter to an action to "drop" the packet, as follows:
接下来,创建一条规则,将上述“192.0.2.6”过滤器连接到“丢弃”数据包的操作,如下所示:
spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6") = (spdRuleDefFilter = spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54, spdRuleDefAction = spdDropAction.0, spdRuleDefRowStatus = 4) -- createAndGo
spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6") = (spdRuleDefFilter = spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54, spdRuleDefAction = spdDropAction.0, spdRuleDefRowStatus = 4) -- createAndGo
Next, a rule is created that accepts all packets:
接下来,将创建一个接受所有数据包的规则:
spdRuleDefinitionEntry(spdRuleDefName = "accept all") = (spdRuleDefFilter = spdTrueFilter.0, spdRuleDefAction = spdAcceptAction.0, spdRuleDefRowStatus = 4) -- createAndGo
spdRuleDefinitionEntry(spdRuleDefName = "accept all") = (spdRuleDefFilter = spdTrueFilter.0, spdRuleDefAction = spdAcceptAction.0, spdRuleDefRowStatus = 4) -- createAndGo
Next, these two rules are grouped together. Rule groups attached to an interface are processed one row at a time. The rows are processed from lowest to highest spdGroupContPriority value. Because the row that references the "accept all" rule should be processed last, it is given the higher spdGroupContPriority value.
接下来,将这两条规则分组在一起。附加到接口的规则组一次处理一行。行从最低优先级值到最高优先级值进行处理。因为引用“全部接受”规则的行应该最后处理,所以它被赋予更高的spdGroupContPriority值。
SpdGroupContentsEntry(spdGroupContName = "ingress", spdGroupContPriority = 65535) = (spdGroupContComponentName = "accept all", spdGroupContRowStatus = 4) -- createAndGo
SpdGroupContentsEntry(spdGroupContName = "ingress", spdGroupContPriority = 65535) = (spdGroupContComponentName = "accept all", spdGroupContRowStatus = 4) -- createAndGo
SpdGroupContentsEntry(spdGroupContName = "ingress", spdGroupContPriority = 1000) = (spdGroupContComponentName = "drop from 192.0.2.6", spdGroupContRowStatus = 4) -- createAndGo
SpdGroupContentsEntry(spdGroupContName = "ingress", spdGroupContPriority = 1000) = (spdGroupContComponentName = "drop from 192.0.2.6", spdGroupContRowStatus = 4) -- createAndGo
Finally, this group of rules is connected to the 192.0.2.1 interface as follows:
最后,这组规则连接到192.0.2.1接口,如下所示:
SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress spdEndGroupIdentType = 4, -- IPv4 spdEndGroupAddress = 0xC0000001)
SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress spdEndGroupIdentType = 4, -- IPv4 spdEndGroupAddress = 0xC0000001)
= (spdEndGroupName = "ingress", spdEndGroupRowStatus = 4) -- createAndGo
= (spdEndGroupName = "ingress", spdEndGroupRowStatus = 4) -- createAndGo
This completes the necessary steps to implement the policy. Once all of these rules have been applied, the policy should take effect.
这就完成了实施策略的必要步骤。一旦所有这些规则都得到应用,政策就应该生效。
The following MIB Module imports from: [RFC2578], [RFC2579], [RFC2580], [RFC2863], [RFC3289], [RFC3411], and [RFC4001]. It also uses definitions from [RFC1108], [RFC3060], and [RFC3629].
以下MIB模块从以下位置导入:[RFC2578]、[RFC2579]、[RFC2580]、[RFC2863]、[RFC3289]、[RFC3411]和[RFC4001]。它还使用了[RFC1108]、[RFC3060]和[RFC3629]中的定义。
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IPSEC-SPD-MIB DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, Unsigned32, mib-2 FROM SNMPv2-SMI -- [RFC2578]
从SNMPv2 SMI--[RFC2578]导入模块标识、对象类型、通知类型、整数32、无符号32、mib-2
TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType, VariablePointer FROM SNMPv2-TC -- [RFC2579]
文本约定、行状态、TruthValue、时间戳、存储类型、来自SNMPv2 TC的可变指针--[RFC2579]
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF -- [RFC2580]
来自SNMPv2 CONF的模块遵从性、对象组、通知组--[RFC2580]
InterfaceIndex FROM IF-MIB -- [RFC2863]
来自IF-MIB的接口索引--[RFC2863]
diffServMIBMultiFieldClfrGroup, IfDirection, diffServMultiFieldClfrNextFree FROM DIFFSERV-MIB -- [RFC3289]
diffServMIBMultiFieldClfrGroup,IfDirection,diffServMultiFieldClfrNextFree FROM DIFFSERV-MIB--[RFC3289]
InetAddressType, InetAddress FROM INET-ADDRESS-MIB -- [RFC4001]
InetAddressType,INET-ADDRESS-MIB中的InetAddress--[RFC4001]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
SNMP-FRAMEWORK-MIB中的snmpadmin安装--[RFC3411]
;
;
-- -- module identity --
----模块标识--
spdMIB MODULE-IDENTITY LAST-UPDATED "200702070000Z" -- 7 February 2007 ORGANIZATION "IETF IP Security Policy Working Group" CONTACT-INFO "Michael Baer P.O. Box 72682 Davis, CA 95617 Phone: +1 530 902 3131 Email: baerm@tislabs.com
spdMIB MODULE-IDENTITY上次更新的“20070207000Z”-2007年2月7日组织“IETF IP安全策略工作组”联系方式“Michael Baer邮政信箱72682 Davis,CA 95617电话:+1 530 902 3131电子邮件:baerm@tislabs.com
Ricky Charlet Email: rcharlet@alumni.calpoly.edu
Ricky Charlet电子邮件:rcharlet@alumni.calpoly.edu
Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 Phone: +1 530 792 1913 Email: hardaker@tislabs.com
韦斯·哈达克斯巴达公司,邮政信箱382戴维斯,加利福尼亚95617电话:+1 530 792 1913电子邮件:hardaker@tislabs.com
Robert Story Revelstone Software PO Box 1812
Robert Story Revelstone软件邮箱1812
Tucker, GA 30085 Phone: +1 770 617 3722 Email: rstory@ipsp.revelstone.com
塔克,佐治亚州30085电话:+1770 617 3722电子邮件:rstory@ipsp.revelstone.com
Cliff Wang ARO 4300 S. Miami Blvd. Durham, NC 27703 E-Mail: cliffwangmail@yahoo.com" DESCRIPTION "This MIB module defines configuration objects for managing IPsec Security Policies. In general, this MIB can be implemented anywhere IPsec security services exist (e.g., bump-in-the-wire, host, gateway, firewall, router, etc.).
克里夫·王·阿罗迈阿密大道南4300号。北卡罗来纳州达勒姆27703电子邮件:cliffwangmail@yahoo.com“说明”此MIB模块定义用于管理IPsec安全策略的配置对象。通常,此MIB可以在存在IPsec安全服务的任何位置实施(例如,线路中的通气、主机、网关、防火墙、路由器等)。
Copyright (C) The IETF Trust (2007). This version of this MIB module is part of RFC 4807; see the RFC itself for full legal notices."
版权所有(C)IETF信托基金(2007年)。此版本的MIB模块是RFC 4807的一部分;有关完整的法律通知,请参见RFC本身。”
-- Revision History
--修订历史
REVISION "200702070000Z" -- 7 February 2007 DESCRIPTION "Initial version, published as RFC 4807."
修订版“20070207000Z”-2007年2月7日描述“初始版本,发布为RFC 4807。”
::= { mib-2 153 }
::= { mib-2 153 }
-- -- groups of related objects --
----相关对象组--
spdConfigObjects OBJECT IDENTIFIER ::= { spdMIB 1 } spdNotificationObjects OBJECT IDENTIFIER ::= { spdMIB 2 } spdConformanceObjects OBJECT IDENTIFIER ::= { spdMIB 3 } spdActions OBJECT IDENTIFIER ::= { spdMIB 4 }
spdConfigObjects OBJECT IDENTIFIER ::= { spdMIB 1 } spdNotificationObjects OBJECT IDENTIFIER ::= { spdMIB 2 } spdConformanceObjects OBJECT IDENTIFIER ::= { spdMIB 3 } spdActions OBJECT IDENTIFIER ::= { spdMIB 4 }
-- -- Textual Conventions --
----文本约定--
SpdBooleanOperator ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The SpdBooleanOperator operator is used to specify whether sub-components in a decision-making process are
SpdBooleanOperator ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The SpdBooleanOperator operator is used to specify whether sub-components in a decision-making process are
ANDed or ORed together to decide if the resulting expression is true or false." SYNTAX INTEGER { or(1), and(2) }
and或or一起决定结果表达式是真还是假。“语法整数{or(1),and(2)}
SpdAdminStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The SpdAdminStatus is used to specify the administrative status of an object. Objects that are disabled MUST NOT be used by the packet processing engine." SYNTAX INTEGER { enabled(1), disabled(2) }
SpdAdminStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The SpdAdminStatus is used to specify the administrative status of an object. Objects that are disabled MUST NOT be used by the packet processing engine." SYNTAX INTEGER { enabled(1), disabled(2) }
SpdIPPacketLogging ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "SpdIPPacketLogging specifies whether an audit message SHOULD be logged if a packet is passed through a Security Association (SA) and if some of that packet is included in the log event. A value of '-1' indicates no logging. A value of '0' or greater indicates that logging SHOULD be done and indicates the number of bytes starting at the beginning of the packet to place in the log. Values greater than the size of the packet being processed indicate that the entire packet SHOULD be sent.
SpdIPPacketLogging ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "SpdIPPacketLogging specifies whether an audit message SHOULD be logged if a packet is passed through a Security Association (SA) and if some of that packet is included in the log event. A value of '-1' indicates no logging. A value of '0' or greater indicates that logging SHOULD be done and indicates the number of bytes starting at the beginning of the packet to place in the log. Values greater than the size of the packet being processed indicate that the entire packet SHOULD be sent.
Examples: '-1' no logging '0' log but do not include any of the packet in the log '20' log and include the first 20 bytes of the packet in the log."
示例:“-1”不记录“0”日志,但不在日志“20”日志中包含任何数据包,并在日志中包含数据包的前20个字节。”
SYNTAX Integer32 (-1..65535)
语法整数32(-1..65535)
SpdTimePeriod ::= TEXTUAL-CONVENTION DISPLAY-HINT "31t" STATUS current DESCRIPTION "This property identifies an overall range of calendar dates and time. In a boolean context, a value within this time range, inclusive, is considered true.
SpdTimePeriod ::= TEXTUAL-CONVENTION DISPLAY-HINT "31t" STATUS current DESCRIPTION "This property identifies an overall range of calendar dates and time. In a boolean context, a value within this time range, inclusive, is considered true.
This information is encoded as an octet string using the UTF-8 transformation format described in STD 63, RFC 3629.
该信息使用STD 63、RFC 3629中描述的UTF-8转换格式编码为八位字节字符串。
It uses the format suggested in RFC 3060. An octet string
它使用RFC 3060中建议的格式。八进制字符串
represents a start date and time and an end date and time. For example:
表示开始日期和时间以及结束日期和时间。例如:
yyyymmddThhmmss/yyyymmddThhmmss
yyyymmddThhmmss/yyymmddthhmmss
Where: yyyy = year mm = month dd = day hh = hour mm = minute ss = second
Where: yyyy = year mm = month dd = day hh = hour mm = minute ss = second
The first 'yyyymmddThhmmss' sub-string indicates the start date and time. The second 'yyyymmddThhmmss' sub-string indicates the end date and time. The character 'T' within these sub-strings indicates the beginning of the time portion of each sub-string. The solidus character '/' separates the start from the end date and time. The end date and time MUST be subsequent to the start date and time.
第一个“yyyymmddThhmmss”子字符串表示开始日期和时间。第二个“yyyymmddThhmmss”子字符串表示结束日期和时间。这些子字符串中的字符“T”表示每个子字符串时间部分的开始。索利多金币字符“/”用于分隔开始日期和结束时间。结束日期和时间必须晚于开始日期和时间。
There are also two allowed substitutes for a 'yyyymmddThhmmss' sub-string: one for the start date and time, and one for the end date and time.
“yyyymmddThhmmss”子字符串还有两个允许的替代项:一个用于开始日期和时间,另一个用于结束日期和时间。
If the start date and time are replaced with the string 'THISANDPRIOR', this sub-string would indicate the current date and time and the previous dates and time.
如果开始日期和时间替换为字符串“ThisandPrevior”,则此子字符串将指示当前日期和时间以及以前的日期和时间。
If the end date and time are replaced with the string 'THISANDFUTURE', this sub-string would indicate the current date and time and the subsequent dates and time.
如果结束日期和时间替换为字符串“THISANDFUTURE”,则此子字符串将指示当前日期和时间以及后续日期和时间。
Any of the following SHOULD be considered a 'wrongValue' error: - Setting a value with the end date and time earlier than or equal to the start date and time. - Setting the start date and time to 'THISANDFUTURE'. - Setting the end date and time to 'THISANDPRIOR'." REFERENCE "RFC 3060, 3269" SYNTAX OCTET STRING (SIZE (0..31)) -- -- Policy group definitions --
以下任何一项都应视为“错误值”错误:-设置结束日期和时间早于或等于开始日期和时间的值。-将开始日期和时间设置为“THISANDFUTURE”。-将结束日期和时间设置为“THISANDPRIOR”。“参考”RFC 3060,3269“语法八位字符串(大小(0..31))----策略组定义--
spdLocalConfigObjects OBJECT IDENTIFIER ::= { spdConfigObjects 1 }
spdLocalConfigObjects OBJECT IDENTIFIER ::= { spdConfigObjects 1 }
spdIngressPolicyGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-write STATUS current
SPDINGRESPOLICYGROUPNAME对象类型语法SnmpAdminString(大小(0..32))最大访问读写状态当前
DESCRIPTION "This object indicates the global system policy group that is to be applied on ingress packets (i.e., arriving at an interface from a network) when a given endpoint does not contain a policy definition in the spdEndpointToGroupTable. Its value can be used as an index into the spdGroupContentsTable to retrieve a list of policies. A zero length string indicates that no system-wide policy exists and the default policy of 'drop' SHOULD be executed for ingress packets until one is imposed by either this object or by the endpoint processing a given packet.
DESCRIPTION“此对象表示要应用于入口数据包的全局系统策略组(即,从网络到达接口)当给定终结点在spdEndpointToGroupTable中不包含策略定义时。其值可用作spdGroupContentsTable的索引,以检索策略列表。长度为零的字符串表示不存在系统范围的策略,应为入口数据包执行默认策略“drop”,直到此对象或由端点处理给定的数据包。
This object MUST be persistent" DEFVAL { "" } ::= { spdLocalConfigObjects 1 }
This object MUST be persistent" DEFVAL { "" } ::= { spdLocalConfigObjects 1 }
spdEgressPolicyGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the policy group containing the global system policy that is to be applied on egress packets (i.e., packets leaving an interface and entering a network) when a given endpoint does not contain a policy definition in the spdEndpointToGroupTable. Its value can be used as an index into the spdGroupContentsTable to retrieve a list of policies. A zero length string indicates that no system-wide policy exists and the default policy of 'drop' SHOULD be executed for egress packets until one is imposed by either this object or by the endpoint processing a given packet.
spdEgressPolicyGroupName对象类型语法SnmpAdminString(大小(0..32))MAX-ACCESS读写状态当前描述“此对象表示包含要应用于出口数据包(即离开接口并进入网络的数据包)的全局系统策略的策略组当给定终结点在spdEndpointToGroupTable中不包含策略定义时。其值可用作spdGroupContentsTable的索引,以检索策略列表。长度为零的字符串表示不存在系统范围的策略,应为出口数据包执行默认策略“drop”,直到此对象或由端点处理给定的数据包。
This object MUST be persistent" DEFVAL { "" } ::= { spdLocalConfigObjects 2 }
This object MUST be persistent" DEFVAL { "" } ::= { spdLocalConfigObjects 2 }
spdEndpointToGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table maps policies (groupings) onto an endpoint (interface). A policy group assigned to an endpoint is then used to control access to the network traffic passing through that endpoint.
spdEndpointToGroupTable对象类型语法序列SpdEndpointToGroupEntry MAX-ACCESS不可访问状态当前描述“此表将策略(分组)映射到端点(接口)。然后,分配给端点的策略组用于控制对通过该端点的网络流量的访问。
If an endpoint has been configured with a policy group and no rule within that policy group matches that packet, the default action in this case SHALL be to drop the packet.
如果端点已配置策略组,且该策略组中没有与该数据包匹配的规则,则在这种情况下的默认操作应为丢弃该数据包。
If no policy group has been assigned to an endpoint, then the policy group specified by spdIngressPolicyGroupName MUST be used on traffic inbound from the network through that endpoint, and the policy group specified by spdEgressPolicyGroupName MUST be used for traffic outbound to the network through that endpoint." ::= { spdConfigObjects 2 }
If no policy group has been assigned to an endpoint, then the policy group specified by spdIngressPolicyGroupName MUST be used on traffic inbound from the network through that endpoint, and the policy group specified by spdEgressPolicyGroupName MUST be used for traffic outbound to the network through that endpoint." ::= { spdConfigObjects 2 }
spdEndpointToGroupEntry OBJECT-TYPE SYNTAX SpdEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A mapping assigning a policy group to an endpoint."
spdEndpointToGroupEntry对象类型语法spdEndpointToGroupEntry MAX-ACCESS不可访问状态当前描述“将策略组分配给端点的映射。”
INDEX { spdEndGroupDirection, spdEndGroupInterface } ::= { spdEndpointToGroupTable 1 }
INDEX { spdEndGroupDirection, spdEndGroupInterface } ::= { spdEndpointToGroupTable 1 }
SpdEndpointToGroupEntry ::= SEQUENCE { spdEndGroupDirection IfDirection, spdEndGroupInterface InterfaceIndex, spdEndGroupName SnmpAdminString, spdEndGroupLastChanged TimeStamp, spdEndGroupStorageType StorageType, spdEndGroupRowStatus RowStatus }
SpdEndpointToGroupEntry ::= SEQUENCE { spdEndGroupDirection IfDirection, spdEndGroupInterface InterfaceIndex, spdEndGroupName SnmpAdminString, spdEndGroupLastChanged TimeStamp, spdEndGroupStorageType StorageType, spdEndGroupRowStatus RowStatus }
spdEndGroupDirection OBJECT-TYPE SYNTAX IfDirection MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object indicates which direction of packets crossing the interface are associated with which spdEndGroupName object. Ingress packets, or packets into the device match when this value is inbound(1). Egress packets or packets out of the device match when this value is outbound(2)." ::= { spdEndpointToGroupEntry 1 }
spdEndGroupDirection OBJECT-TYPE SYNTAX IfDirection MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object indicates which direction of packets crossing the interface are associated with which spdEndGroupName object. Ingress packets, or packets into the device match when this value is inbound(1). Egress packets or packets out of the device match when this value is outbound(2)." ::= { spdEndpointToGroupEntry 1 }
spdEndGroupInterface OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION
spdEndGroupInterface对象类型语法InterfaceIndex MAX-ACCESS不可访问状态当前说明
"This value matches the IF-MIB's ifTable's ifIndex column and indicates the interface associated with a given endpoint. This object can be used to uniquely identify an endpoint that a set of policy groups are applied to." ::= { spdEndpointToGroupEntry 2 }
"This value matches the IF-MIB's ifTable's ifIndex column and indicates the interface associated with a given endpoint. This object can be used to uniquely identify an endpoint that a set of policy groups are applied to." ::= { spdEndpointToGroupEntry 2 }
spdEndGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The policy group name to apply at this endpoint. The value of the spdEndGroupName object is then used as an index into the spdGroupContentsTable to come up with a list of rules that MUST be applied at this endpoint." ::= { spdEndpointToGroupEntry 3 }
spdEndGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The policy group name to apply at this endpoint. The value of the spdEndGroupName object is then used as an index into the spdGroupContentsTable to come up with a list of rules that MUST be applied at this endpoint." ::= { spdEndpointToGroupEntry 3 }
spdEndGroupLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
spdEndGroupLastChanged对象类型语法时间戳MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdEndpointToGroupEntry 4 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdEndpointToGroupEntry 4 }
spdEndGroupStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdEndGroupStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdEndpointToGroupEntry 5 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdEndpointToGroupEntry 5 }
spdEndGroupRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create
SPDENDGROUPBROWSTATUS对象类型语法RowStatus MAX-ACCESS read create
STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
状态当前描述“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
This object is considered 'notReady' and MUST NOT be set to active until one or more active rows exist within the spdGroupContentsTable for the group referenced by the spdEndGroupName object." ::= { spdEndpointToGroupEntry 6 }
This object is considered 'notReady' and MUST NOT be set to active until one or more active rows exist within the spdGroupContentsTable for the group referenced by the spdEndGroupName object." ::= { spdEndpointToGroupEntry 6 }
-- -- policy group definition table --
----策略组定义表--
spdGroupContentsTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdGroupContentsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of rules and/or subgroups contained within a given policy group. For a given value of spdGroupContName, the set of rows sharing that value forms a 'group'. The rows in a group MUST be processed according to the value of the spdGroupContPriority object in each row. The processing MUST be executed starting with the lowest value of spdGroupContPriority and in ascending order thereafter.
SpdGroupContentsEntry MAX-ACCESS的spdGroupContentsTable对象类型语法序列不可访问状态当前描述“此表包含给定策略组中包含的规则和/或子组的列表。对于给定的spdGroupContName值,共享该值的行集将形成一个“组”。组中的行必须根据每行中spdGroupContPriority对象的值进行处理。处理必须从spdGroupContPriority的最低值开始,然后按升序执行。
If an action is executed as the result of the processing of a row in a group, the processing of further rows in that group MUST stop. Iterating to the next policy group row by finding the next largest spdGroupContPriority object SHALL only be done if no actions were run while processing the current row for a given packet." ::= { spdConfigObjects 3 }
If an action is executed as the result of the processing of a row in a group, the processing of further rows in that group MUST stop. Iterating to the next policy group row by finding the next largest spdGroupContPriority object SHALL only be done if no actions were run while processing the current row for a given packet." ::= { spdConfigObjects 3 }
spdGroupContentsEntry OBJECT-TYPE SYNTAX SpdGroupContentsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a given sub-component within a policy group. A sub-component is either a rule or another group as indicated by spdGroupContComponentType and referenced by spdGroupContComponentName."
spdGroupContentsEntry对象类型语法spdGroupContentsEntry MAX-ACCESS不可访问状态当前描述“定义策略组中的给定子组件。子组件是规则或由SPDGroupContentComponentType指示并由SPDGroupContentName引用的另一个组。”
INDEX { spdGroupContName, spdGroupContPriority } ::= { spdGroupContentsTable 1 }
INDEX { spdGroupContName, spdGroupContPriority } ::= { spdGroupContentsTable 1 }
SpdGroupContentsEntry ::= SEQUENCE { spdGroupContName SnmpAdminString, spdGroupContPriority Integer32, spdGroupContFilter VariablePointer, spdGroupContComponentType INTEGER, spdGroupContComponentName SnmpAdminString, spdGroupContLastChanged TimeStamp, spdGroupContStorageType StorageType, spdGroupContRowStatus RowStatus }
SpdGroupContentsEntry ::= SEQUENCE { spdGroupContName SnmpAdminString, spdGroupContPriority Integer32, spdGroupContFilter VariablePointer, spdGroupContComponentType INTEGER, spdGroupContComponentName SnmpAdminString, spdGroupContLastChanged TimeStamp, spdGroupContStorageType StorageType, spdGroupContRowStatus RowStatus }
spdGroupContName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name of the group associated with this row. A 'group' is formed by all the rows in this table that have the same value of this object." ::= { spdGroupContentsEntry 1 }
spdGroupContName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name of the group associated with this row. A 'group' is formed by all the rows in this table that have the same value of this object." ::= { spdGroupContentsEntry 1 }
spdGroupContPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority (sequence number) of the sub-component in a group that this row represents. This value indicates the order that each row of this table MUST be processed from low to high. For example, a row with a priority of 0 is processed before a row with a priority of 1, a 1 before a 2, etc." ::= { spdGroupContentsEntry 2 }
spdGroupContPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority (sequence number) of the sub-component in a group that this row represents. This value indicates the order that each row of this table MUST be processed from low to high. For example, a row with a priority of 0 is processed before a row with a priority of 1, a 1 before a 2, etc." ::= { spdGroupContentsEntry 2 }
spdGroupContFilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "spdGroupContFilter points to a filter that is evaluated to determine whether the spdGroupContComponentName within this row is exercised. Managers can use this object to classify groups of rules, or subgroups, together in order to achieve a greater degree of control and optimization over the execution order of the items within the group. If the
spdGroupContFilter对象类型语法变量指针MAX-ACCESS读取创建状态当前描述“spdGroupContFilter指向一个筛选器,该筛选器经过计算以确定是否执行了此行中的spdGroupContComponentName。管理者可以使用此对象对规则组或子组进行分类,以便对组内项目的执行顺序实现更大程度的控制和优化。如果
filter evaluates to false, the rule or subgroup will be skipped and the next rule or subgroup will be evaluated instead. This value can be used to indicate a scalar or row in a table. When indicating a row in a table, this value MUST point to the first column instance in that row.
筛选器的计算结果为false,将跳过该规则或子组,并将计算下一个规则或子组。此值可用于指示表中的标量或行。指示表中的行时,此值必须指向该行中的第一个列实例。
An example usage of this object would be to limit a group of rules to executing only when the IP packet being processed is designated to be processed by IKE. This effectively creates a group of IKE-specific rules.
该对象的一个示例用法是将一组规则限制为仅当正在处理的IP分组被指定由IKE处理时才执行。这将有效地创建一组特定于IKE的规则。
The following tables and scalars can be pointed to by this column. All but diffServMultiFieldClfrTable are defined in this MIB:
此列可以指向以下表格和标量。除diffServMultiFieldClfrTable外,其他所有文件均在本MIB中定义:
diffServMultiFieldClfrTable spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter spdIpsoHeaderFilterTable
DiffServ多字段可缓存spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter spdIpsoHeaderFilterTable
Implementations MAY choose to provide support for other filter tables or scalars.
实现可以选择提供对其他过滤器表或标量的支持。
If this column is set to a VariablePointer value, which references a non-existent row in an otherwise supported table, the inconsistentName exception MUST be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception MUST be returned.
如果将此列设置为VariablePointer值,该值引用其他支持的表中不存在的行,则必须返回不一致名称异常。如果完全不支持VariablePointer指向的表或标量,则必须返回不一致值异常。
If, during packet processing, a row in this table is applied to a packet and the value of this column in that row references a non-existent or non-supported object, the packet MUST be dropped." REFERENCE "RFC 3289" DEFVAL { spdTrueFilterInstance } ::= { spdGroupContentsEntry 3 }
If, during packet processing, a row in this table is applied to a packet and the value of this column in that row references a non-existent or non-supported object, the packet MUST be dropped." REFERENCE "RFC 3289" DEFVAL { spdTrueFilterInstance } ::= { spdGroupContentsEntry 3 }
spdGroupContComponentType OBJECT-TYPE SYNTAX INTEGER { group(1), rule(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the spdGroupContComponentName object is the name of another group defined within the spdGroupContentsTable or is the name of a rule defined
spdGroupContComponentType对象类型语法整数{group(1),规则(2)}MAX-ACCESS read create STATUS current DESCRIPTION”表示spdGroupContComponentName对象是在spdGroupContentsTable中定义的另一个组的名称,还是定义的规则的名称
within the spdRuleDefinitionTable." DEFVAL { rule } ::= { spdGroupContentsEntry 4 }
within the spdRuleDefinitionTable." DEFVAL { rule } ::= { spdGroupContentsEntry 4 }
spdGroupContComponentName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The name of the policy rule or subgroup contained within this row, as indicated by the spdGroupContComponentType object." ::= { spdGroupContentsEntry 5 }
spdGroupContComponentName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The name of the policy rule or subgroup contained within this row, as indicated by the spdGroupContComponentType object." ::= { spdGroupContentsEntry 5 }
spdGroupContLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
SPDGroupConLastChanged对象类型语法TimeStamp MAX-ACCESS只读状态current DESCRIPTION“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdGroupContentsEntry 6 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdGroupContentsEntry 6 }
spdGroupContStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdGroupContStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdGroupContentsEntry 7 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdGroupContentsEntry 7 }
spdGroupContRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdGroupContRowStatus对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
This object MUST NOT be set to active until the row to which the spdGroupContComponentName points to exists and is active.
在spdGroupContComponentName指向的行存在并处于活动状态之前,不得将此对象设置为活动。
If active, this object MUST remain active unless one of the following two conditions are met:
如果处于活动状态,此对象必须保持活动状态,除非满足以下两个条件之一:
I. No active row in spdEndpointToGroupTable exists that references this row's group (i.e., indicate this row's spdGroupContName).
I.spdEndpointToGroupTable中不存在引用此行组的活动行(即,指示此行的spdGroupContName)。
II. Or at least one other active row in this table has a matching spdGroupContName.
二、或者此表中至少有一个其他活动行具有匹配的spdGroupContName。
If neither condition is met, an attempt to set this row to something other than active MUST result in an inconsistentValue error." ::= { spdGroupContentsEntry 8 }
If neither condition is met, an attempt to set this row to something other than active MUST result in an inconsistentValue error." ::= { spdGroupContentsEntry 8 }
-- -- policy definition table --
----策略定义表--
spdRuleDefinitionTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a rule by associating a filter or a set of filters to an action to be executed." ::= { spdConfigObjects 4 }
spdRuleDefinitionTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a rule by associating a filter or a set of filters to an action to be executed." ::= { spdConfigObjects 4 }
spdRuleDefinitionEntry OBJECT-TYPE SYNTAX SpdRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row defining a particular rule definition. A rule definition binds a filter pointer to an action pointer." INDEX { spdRuleDefName } ::= { spdRuleDefinitionTable 1 }
spdRuleDefinitionEntry OBJECT-TYPE SYNTAX SpdRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row defining a particular rule definition. A rule definition binds a filter pointer to an action pointer." INDEX { spdRuleDefName } ::= { spdRuleDefinitionTable 1 }
SpdRuleDefinitionEntry ::= SEQUENCE { spdRuleDefName SnmpAdminString,
SpdRuleDefinitionEntry ::= SEQUENCE { spdRuleDefName SnmpAdminString,
spdRuleDefDescription SnmpAdminString, spdRuleDefFilter VariablePointer, spdRuleDefFilterNegated TruthValue, spdRuleDefAction VariablePointer, spdRuleDefAdminStatus SpdAdminStatus, spdRuleDefLastChanged TimeStamp, spdRuleDefStorageType StorageType, spdRuleDefRowStatus RowStatus }
spdRuleDefDescription SNMPAdministring、spdRuleDefFilter VariablePointer、spdRuleDefFilterNegated TruthValue、spdRuleDefAction VariablePointer、spdRuleDefAdminStatus、spdRuleDefLastChanged时间戳、spdRuleDefStorageType StorageType、spdRuleDefRowStatus RowStatus}
spdRuleDefName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "spdRuleDefName is the administratively assigned name of the rule referred to by the spdGroupContComponentName object." ::= { spdRuleDefinitionEntry 1 }
spdRuleDefName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "spdRuleDefName is the administratively assigned name of the rule referred to by the spdGroupContComponentName object." ::= { spdRuleDefinitionEntry 1 }
spdRuleDefDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user defined string. This field MAY be used for administrative tracking purposes." DEFVAL { "" } ::= { spdRuleDefinitionEntry 2 }
spdRuleDefDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user defined string. This field MAY be used for administrative tracking purposes." DEFVAL { "" } ::= { spdRuleDefinitionEntry 2 }
spdRuleDefFilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "spdRuleDefFilter points to a filter that is used to evaluate whether the action associated with this row is executed or not. The action will only execute if the filter referenced by this object evaluates to TRUE after first applying any negation required by the spdRuleDefFilterNegated object.
spdRuleDefFilter对象类型语法变量指针MAX-ACCESS读取创建状态当前描述“spdRuleDefFilter指向用于评估是否执行与此行关联的操作的筛选器。仅当此对象引用的筛选器在首次应用spdRuleDefFilterNegated对象所需的任何否定后计算为TRUE时,才会执行该操作。
The following tables and scalars can be pointed to by this column. All but diffServMultiFieldClfrTable are defined in this MIB. Implementations MAY choose to provide support for other filter tables or scalars as well:
此列可以指向以下表格和标量。除diffServMultiFieldClfrTable外,其他所有字段均在此MIB中定义。实现也可以选择提供对其他筛选器表或标量的支持:
diffServMultiFieldClfrTable
DiffServMultifieldCfRTable
spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter
spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter
If this column is set to a VariablePointer value, which references a non-existent row in an otherwise supported table, the inconsistentName exception MUST be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception MUST be returned.
如果将此列设置为VariablePointer值,该值引用其他支持的表中不存在的行,则必须返回不一致名称异常。如果完全不支持VariablePointer指向的表或标量,则必须返回不一致值异常。
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." REFERENCE "RFC 3289" ::= { spdRuleDefinitionEntry 3 }
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." REFERENCE "RFC 3289" ::= { spdRuleDefinitionEntry 3 }
spdRuleDefFilterNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "spdRuleDefFilterNegated specifies whether or not the results of the filter referenced by the spdRuleDefFilter object is negated." DEFVAL { false } ::= { spdRuleDefinitionEntry 4 }
spdRuleDefFilterNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "spdRuleDefFilterNegated specifies whether or not the results of the filter referenced by the spdRuleDefFilter object is negated." DEFVAL { false } ::= { spdRuleDefinitionEntry 4 }
spdRuleDefAction OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "This column points to the action to be taken. It MAY, but is not limited to, point to a row in one of the following tables:
spdRuleDefAction对象类型语法变量POINTER MAX-ACCESS read create STATUS current DESCRIPTION“此列指向要执行的操作。它可以但不限于指向以下表格之一中的行:
spdCompoundActionTable ipsaSaPreconfiguredActionTable ipiaIkeActionTable ipiaIpsecActionTable
SPDCompondactionTable IPSAPreconfiguredActionTable ipiaIkeActionTable ipiaIpsecActionTable
It MAY also point to one of the scalar objects beneath spdStaticActions.
它还可能指向spdStaticActions下的一个标量对象。
If this object is set to a pointer to a row in an unsupported (or unknown) table, an inconsistentValue
如果将此对象设置为指向不受支持(或未知)表中的行的指针,则会显示不一致的值
error MUST be returned.
必须返回错误。
If this object is set to point to a non-existent row in an otherwise supported table, an inconsistentName error MUST be returned.
如果将此对象设置为指向其他支持的表中不存在的行,则必须返回不一致的名称错误。
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." ::= { spdRuleDefinitionEntry 5 }
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." ::= { spdRuleDefinitionEntry 5 }
spdRuleDefAdminStatus OBJECT-TYPE SYNTAX SpdAdminStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the current rule definition is considered active. If the value is enabled, the rule MUST be evaluated when processing packets. If the value is disabled, the packet processing MUST continue as if this rule's filter had effectively failed." DEFVAL { enabled } ::= { spdRuleDefinitionEntry 6 }
spdRuleDefAdminStatus OBJECT-TYPE SYNTAX SpdAdminStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the current rule definition is considered active. If the value is enabled, the rule MUST be evaluated when processing packets. If the value is disabled, the packet processing MUST continue as if this rule's filter had effectively failed." DEFVAL { enabled } ::= { spdRuleDefinitionEntry 6 }
spdRuleDefLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
SPDRuleDefastChanged对象类型语法时间戳MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdRuleDefinitionEntry 7 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdRuleDefinitionEntry 7 }
spdRuleDefStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdRuleDefStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have
对于永久存储类型,没有任何列具有
to be writable." DEFVAL { nonVolatile } ::= { spdRuleDefinitionEntry 8 }
to be writable." DEFVAL { nonVolatile } ::= { spdRuleDefinitionEntry 8 }
spdRuleDefRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdRuleDefRowStatus对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
This object MUST NOT be set to active until the containing conditions, filters, and actions have been defined. Once active, it MUST remain active until no active policyGroupContents entries are referencing it. A failed attempt to do so MUST return an inconsistentValue error." ::= { spdRuleDefinitionEntry 9 }
This object MUST NOT be set to active until the containing conditions, filters, and actions have been defined. Once active, it MUST remain active until no active policyGroupContents entries are referencing it. A failed attempt to do so MUST return an inconsistentValue error." ::= { spdRuleDefinitionEntry 9 }
-- -- Policy compound filter definition table --
----策略复合筛选器定义表--
spdCompoundFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table defining compound filters and their associated parameters. A row in this table can be pointed to by a spdRuleDefFilter object." ::= { spdConfigObjects 5 }
spdCompoundFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table defining compound filters and their associated parameters. A row in this table can be pointed to by a spdRuleDefFilter object." ::= { spdConfigObjects 5 }
spdCompoundFilterEntry OBJECT-TYPE SYNTAX SpdCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the spdCompoundFilterTable. Each entry in this table represents a compound filter. A filter defined by this table is considered to have a TRUE return value if and only if:
spdCompoundFilterEntry对象类型语法spdCompoundFilterEntry MAX-ACCESS不可访问状态当前描述“spdCompoundFilterTable中的一个条目。此表中的每个条目表示一个复合筛选器。只有在以下情况下,此表定义的筛选器才会被视为具有真返回值:
spdCompFiltLogicType is AND and all of the sub-filters associated with it, as defined in the spdSubfiltersTable, are all true themselves (after applying any required
spdCompFiltLogicType为且与之关联的所有子筛选器(如SPDSubfilterTable中所定义)本身均为真(在应用任何必需的
negation, as defined by the ficFilterIsNegated object).
否定,由ficFilterIsNegated对象定义)。
spdCompFiltLogicType is OR and at least one of the sub-filters associated with it, as defined in the spdSubfiltersTable, is true itself (after applying any required negation, as defined by the ficFilterIsNegated object." INDEX { spdCompFiltName } ::= { spdCompoundFilterTable 1 }
spdCompFiltLogicType is OR and at least one of the sub-filters associated with it, as defined in the spdSubfiltersTable, is true itself (after applying any required negation, as defined by the ficFilterIsNegated object." INDEX { spdCompFiltName } ::= { spdCompoundFilterTable 1 }
SpdCompoundFilterEntry ::= SEQUENCE { spdCompFiltName SnmpAdminString, spdCompFiltDescription SnmpAdminString, spdCompFiltLogicType SpdBooleanOperator, spdCompFiltLastChanged TimeStamp, spdCompFiltStorageType StorageType, spdCompFiltRowStatus RowStatus }
SpdCompoundFilterEntry ::= SEQUENCE { spdCompFiltName SnmpAdminString, spdCompFiltDescription SnmpAdminString, spdCompFiltLogicType SpdBooleanOperator, spdCompFiltLastChanged TimeStamp, spdCompFiltStorageType StorageType, spdCompFiltRowStatus RowStatus }
spdCompFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A user definable string. This value is used as an index into this table." ::= { spdCompoundFilterEntry 1 }
spdCompFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A user definable string. This value is used as an index into this table." ::= { spdCompoundFilterEntry 1 }
spdCompFiltDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. This field MAY be used for your administrative tracking purposes." DEFVAL { "" } ::= { spdCompoundFilterEntry 2 }
spdCompFiltDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. This field MAY be used for your administrative tracking purposes." DEFVAL { "" } ::= { spdCompoundFilterEntry 2 }
spdCompFiltLogicType OBJECT-TYPE SYNTAX SpdBooleanOperator MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the sub-component filters of this compound filter are functionally ANDed or ORed together." DEFVAL { and } ::= { spdCompoundFilterEntry 3 }
spdCompFiltLogicType OBJECT-TYPE SYNTAX SpdBooleanOperator MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the sub-component filters of this compound filter are functionally ANDed or ORed together." DEFVAL { and } ::= { spdCompoundFilterEntry 3 }
spdCompFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
spdCompFiltLastChanged对象类型语法时间戳MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdCompoundFilterEntry 4 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdCompoundFilterEntry 4 }
spdCompFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdCompFiltStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdCompoundFilterEntry 5 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdCompoundFilterEntry 5 }
spdCompFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdCompFiltRowStatus对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
Once active, it MUST NOT have its value changed if any active rows in the spdRuleDefinitionTable are currently pointing at this row." ::= { spdCompoundFilterEntry 6 }
Once active, it MUST NOT have its value changed if any active rows in the spdRuleDefinitionTable are currently pointing at this row." ::= { spdCompoundFilterEntry 6 }
-- -- Policy filters in a cf table --
----cf表中的策略筛选器--
spdSubfiltersTable OBJECT-TYPE
SPDSubfilterTable对象类型
SYNTAX SEQUENCE OF SpdSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a list of filters contained within a given compound filter defined in the spdCompoundFilterTable." ::= { spdConfigObjects 6 }
SYNTAX SEQUENCE OF SpdSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a list of filters contained within a given compound filter defined in the spdCompoundFilterTable." ::= { spdConfigObjects 6 }
spdSubfiltersEntry OBJECT-TYPE SYNTAX SpdSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the spdSubfiltersTable. There is an entry in this table for each sub-filter of all compound filters present in the spdCompoundFilterTable." INDEX { spdCompFiltName, spdSubFiltPriority } ::= { spdSubfiltersTable 1 }
spdSubfiltersEntry OBJECT-TYPE SYNTAX SpdSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the spdSubfiltersTable. There is an entry in this table for each sub-filter of all compound filters present in the spdCompoundFilterTable." INDEX { spdCompFiltName, spdSubFiltPriority } ::= { spdSubfiltersTable 1 }
SpdSubfiltersEntry ::= SEQUENCE { spdSubFiltPriority Integer32, spdSubFiltSubfilter VariablePointer, spdSubFiltSubfilterIsNegated TruthValue, spdSubFiltLastChanged TimeStamp, spdSubFiltStorageType StorageType, spdSubFiltRowStatus RowStatus }
SpdSubfiltersEntry ::= SEQUENCE { spdSubFiltPriority Integer32, spdSubFiltSubfilter VariablePointer, spdSubFiltSubfilterIsNegated TruthValue, spdSubFiltLastChanged TimeStamp, spdSubFiltStorageType StorageType, spdSubFiltRowStatus RowStatus }
spdSubFiltPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given filter within a compound filter. The order of execution is from lowest to highest priority value (i.e., priority 0 before priority 1, 1 before 2, etc.). Implementations MAY choose to follow this ordering, as set by the manager that created the rows. This can allow a manager to intelligently construct filter lists such that faster filters are evaluated first." ::= { spdSubfiltersEntry 1 }
spdSubFiltPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given filter within a compound filter. The order of execution is from lowest to highest priority value (i.e., priority 0 before priority 1, 1 before 2, etc.). Implementations MAY choose to follow this ordering, as set by the manager that created the rows. This can allow a manager to intelligently construct filter lists such that faster filters are evaluated first." ::= { spdSubfiltersEntry 1 }
spdSubFiltSubfilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION
SPDSubfilter subfilter对象类型语法变量指针MAX-ACCESS读取创建状态当前描述
"The OID of the contained filter. The value of this object is a VariablePointer that references the filter to be included in this compound filter.
“包含的筛选器的OID。此对象的值是一个变量指针,它引用要包含在此复合筛选器中的筛选器。”。
The following tables and scalars can be pointed to by this column. All but diffServMultiFieldClfrTable are defined in this MIB. Implementations MAY choose to provide support for other filter tables or scalars as well:
此列可以指向以下表格和标量。除diffServMultiFieldClfrTable外,其他所有字段均在此MIB中定义。实现也可以选择提供对其他筛选器表或标量的支持:
diffServMultiFieldClfrTable spdIpsoHeaderFilterTable spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter
DiffServ多字段可缓存spdIpsoHeaderFilterTable spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter
If this column is set to a VariablePointer value that references a non-existent row in an otherwise supported table, the inconsistentName exception MUST be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception MUST be returned.
如果将此列设置为引用其他受支持表中不存在的行的VariablePointer值,则必须返回不一致名称异常。如果完全不支持VariablePointer指向的表或标量,则必须返回不一致值异常。
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." REFERENCE "RFC 3289" ::= { spdSubfiltersEntry 2 }
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." REFERENCE "RFC 3289" ::= { spdSubfiltersEntry 2 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether or not the result of applying this sub-filter is negated." DEFVAL { false } ::= { spdSubfiltersEntry 3 }
spdSubFiltSubfilterIsNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether or not the result of applying this sub-filter is negated." DEFVAL { false } ::= { spdSubfiltersEntry 3 }
spdSubFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
spdSubFiltLastChanged对象类型语法时间戳MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdSubfiltersEntry 4 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdSubfiltersEntry 4 }
spdSubFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
SPDSubiltStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdSubfiltersEntry 5 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdSubfiltersEntry 5 }
spdSubFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
SPDSUBILTROWSTATUS对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
This object cannot be made active until a filter referenced by the spdSubFiltSubfilter object is both defined and active. An attempt to do so MUST result in an inconsistentValue error.
在SPDSubfilter对象引用的筛选器被定义并处于活动状态之前,无法使此对象处于活动状态。尝试这样做必须导致值不一致错误。
If active, this object MUST remain active unless one of the following two conditions are met:
如果处于活动状态,此对象必须保持活动状态,除非满足以下两个条件之一:
I. No active row in the SpdCompoundFilterTable exists that has a matching spdCompFiltName.
I.SPDCompundFilterTable中不存在具有匹配SPDCompundFilterName的活动行。
II. Or, at least one other active row in this table has a matching spdCompFiltName.
二、或者,此表中至少有一个其他活动行具有匹配的spdCompFiltName。
If neither condition is met, an attempt to set this row to something other than active MUST result in an inconsistentValue error." ::= { spdSubfiltersEntry 6 }
If neither condition is met, an attempt to set this row to something other than active MUST result in an inconsistentValue error." ::= { spdSubfiltersEntry 6 }
-- -- Static Filters --
----静态过滤器--
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }
spdTrueFilter OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates a (automatic) true result for a filter. That is, this is a filter that is always true; it is useful for adding as a default filter for a default action or a set of actions." ::= { spdStaticFilters 1 }
spdTrueFilter OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates a (automatic) true result for a filter. That is, this is a filter that is always true; it is useful for adding as a default filter for a default action or a set of actions." ::= { spdStaticFilters 1 }
spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }
-- -- Policy IP Offset filter definition table --
----策略IP偏移筛选器定义表--
spdIpOffsetFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of filter definitions to be used within the spdRuleDefinitionTable or the spdSubfiltersTable.
spdIpOffsetFilterTable对象类型语法序列SpdIpOffsetFilterEntry MAX-ACCESS不可访问状态当前描述“此表包含要在spdRuleDefinitionTable或SPDSubfilterTable中使用的筛选器定义列表。
This type of filter is used to compare an administrator specified octet string to the octets at a particular location in a packet." ::= { spdConfigObjects 8 }
This type of filter is used to compare an administrator specified octet string to the octets at a particular location in a packet." ::= { spdConfigObjects 8 }
spdIpOffsetFilterEntry OBJECT-TYPE SYNTAX SpdIpOffsetFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { spdIpOffFiltName } ::= { spdIpOffsetFilterTable 1 }
spdIpOffsetFilterEntry OBJECT-TYPE SYNTAX SpdIpOffsetFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { spdIpOffFiltName } ::= { spdIpOffsetFilterTable 1 }
SpdIpOffsetFilterEntry ::= SEQUENCE { spdIpOffFiltName SnmpAdminString, spdIpOffFiltOffset Unsigned32, spdIpOffFiltType INTEGER, spdIpOffFiltValue OCTET STRING, spdIpOffFiltLastChanged TimeStamp, spdIpOffFiltStorageType StorageType, spdIpOffFiltRowStatus RowStatus }
SpdIpOffsetFilterEntry ::= SEQUENCE { spdIpOffFiltName SnmpAdminString, spdIpOffFiltOffset Unsigned32, spdIpOffFiltType INTEGER, spdIpOffFiltValue OCTET STRING, spdIpOffFiltLastChanged TimeStamp, spdIpOffFiltStorageType StorageType, spdIpOffFiltRowStatus RowStatus }
spdIpOffFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { spdIpOffsetFilterEntry 1 }
spdIpOffFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { spdIpOffsetFilterEntry 1 }
spdIpOffFiltOffset OBJECT-TYPE SYNTAX Unsigned32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the byte offset from the front of the entire IP packet where the value or arithmetic comparison is done. A value of '0' indicates the first byte of the packet header. If this value is greater than the length of the packet, the filter represented by this row should be considered to fail." ::= { spdIpOffsetFilterEntry 2 }
spdIpOffFiltOffset OBJECT-TYPE SYNTAX Unsigned32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the byte offset from the front of the entire IP packet where the value or arithmetic comparison is done. A value of '0' indicates the first byte of the packet header. If this value is greater than the length of the packet, the filter represented by this row should be considered to fail." ::= { spdIpOffsetFilterEntry 2 }
spdIpOffFiltType OBJECT-TYPE SYNTAX INTEGER { equal(1), notEqual(2), arithmeticLess(3), arithmeticGreaterOrEqual(4), arithmeticGreater(5), arithmeticLessOrEqual(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "This defines the various tests that are used when evaluating a given filter.
spdIpOffFiltType对象类型语法整数{equal(1)、notEqual(2)、arithmetricless(3)、arithmetricgreaterorequal(4)、arithmetricgreater(5)、arithmetriclessorequal(6)}MAX-ACCESS read create STATUS current DESCRIPTION“这定义了评估给定筛选器时使用的各种测试。
The various tests definable in this table are as follows:
本表中定义的各种测试如下:
equal: - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
相等:-测试八位字节字符串“spdIpOffFiltValue”是否匹配
a value in the packet starting at the given offset in the packet and comparing the entire OCTET STRING of 'spdIpOffFiltValue'. Any values compared this way are assumed to be unsigned integer values in network byte order of the same length as 'spdIpOffFiltValue'.
数据包中的一个值,从数据包中给定的偏移量开始,比较“spdIpOffFiltValue”的整个八位字节字符串。以这种方式比较的任何值都假定为与“spdIpOffFiltValue”长度相同的网络字节顺序的无符号整数值。
notEqual: - Tests if the OCTET STRING, 'spdIpOffFiltValue', does not match a value in the packet starting at the given offset in the packet and comparing to the entire OCTET STRING of 'spdIpOffFiltValue'. Any values compared this way are assumed to be unsigned integer values in network byte order of the same length as 'spdIpOffFiltValue'.
notEqual:-测试八位字节字符串“spdIpOffFiltValue”是否与数据包中的值不匹配,该值从数据包中的给定偏移量开始,并与“spdIpOffFiltValue”的整个八位字节字符串进行比较。以这种方式比较的任何值都假定为与“spdIpOffFiltValue”长度相同的网络字节顺序的无符号整数值。
arithmeticLess: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically less than ('<') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'.
arithmetricless:-测试八位字节字符串“spdIpOffFiltValue”是否在算术上小于(“<”)从数据包内给定偏移量开始的值。假定数据包中的值是一个无符号整数,按网络字节顺序排列,长度与“spdIpOffFiltValue”相同。
arithmeticGreaterOrEqual: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically greater than or equal to ('>=') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'.
ARITHMETIGREATEROREQUAL:-测试八位字节字符串“spdIpOffFiltValue”是否在算术上大于或等于(“>=”)从数据包内给定偏移量开始的值。假定数据包中的值是一个无符号整数,按网络字节顺序排列,长度与“spdIpOffFiltValue”相同。
arithmeticGreater: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically greater than ('>') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'.
算术更大:-测试八位字节字符串“spdIpOffFiltValue”是否在算术上大于(“>”)从数据包内给定偏移量开始的值。假定数据包中的值是一个无符号整数,按网络字节顺序排列,长度与“spdIpOffFiltValue”相同。
arithmeticLessOrEqual: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically less than or equal to ('<=') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'."
arithmeticLessOrEqual:-测试八位字节字符串“spdIpOffFiltValue”在算术上是否小于或等于(“<=”)从数据包内给定偏移量开始的值。数据包中的值假定为网络字节顺序的无符号整数,其长度与'spdIpOffFiltValue'相同。”
::= { spdIpOffsetFilterEntry 3 }
::= { spdIpOffsetFilterEntry 3 }
spdIpOffFiltValue OBJECT-TYPE
spdIpOffFiltValue对象类型
SYNTAX OCTET STRING (SIZE(1..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "spdIpOffFiltValue is used for match comparisons of a packet at spdIpOffFiltOffset." ::= { spdIpOffsetFilterEntry 4 }
SYNTAX OCTET STRING (SIZE(1..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "spdIpOffFiltValue is used for match comparisons of a packet at spdIpOffFiltOffset." ::= { spdIpOffsetFilterEntry 4 }
spdIpOffFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
spdIpOffFiltLastChanged对象类型语法时间戳MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdIpOffsetFilterEntry 5 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdIpOffsetFilterEntry 5 }
spdIpOffFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdIpOffFiltStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdIpOffsetFilterEntry 6 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdIpOffsetFilterEntry 6 }
spdIpOffFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
SPDIPOFFILTROWSTATUS对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
If active, this object MUST remain active if it is
如果处于活动状态,则该对象在处于活动状态时必须保持活动状态
referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table MUST result in an inconsistentValue error." ::= { spdIpOffsetFilterEntry 7 }
referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table MUST result in an inconsistentValue error." ::= { spdIpOffsetFilterEntry 7 }
-- -- Time/scheduling filter table --
----时间/计划筛选表--
spdTimeFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a table of filters that can be used to effectively enable or disable policies based on a valid time range." ::= { spdConfigObjects 9 }
spdTimeFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a table of filters that can be used to effectively enable or disable policies based on a valid time range." ::= { spdConfigObjects 9 }
spdTimeFilterEntry OBJECT-TYPE SYNTAX SpdTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row describing a given time frame for which a policy is filtered on to activate or deactivate the rule.
spdTimeFilterEntry对象类型语法spdTimeFilterEntry MAX-ACCESS不可访问状态当前描述“描述给定时间范围的行,在该时间范围内筛选策略以激活或停用规则。
If all the column objects in a row are true for the current time, the row evaluates as 'true'. More explicitly, the time matching column objects in a row MUST be logically ANDed together to form the boolean true/false for the row." INDEX { spdTimeFiltName } ::= { spdTimeFilterTable 1 }
If all the column objects in a row are true for the current time, the row evaluates as 'true'. More explicitly, the time matching column objects in a row MUST be logically ANDed together to form the boolean true/false for the row." INDEX { spdTimeFiltName } ::= { spdTimeFilterTable 1 }
SpdTimeFilterEntry ::= SEQUENCE { spdTimeFiltName SnmpAdminString, spdTimeFiltPeriod SpdTimePeriod, spdTimeFiltMonthOfYearMask BITS, spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfWeekMask BITS, spdTimeFiltTimeOfDayMask SpdTimePeriod, spdTimeFiltLastChanged TimeStamp, spdTimeFiltStorageType StorageType, spdTimeFiltRowStatus RowStatus }
SpdTimeFilterEntry ::= SEQUENCE { spdTimeFiltName SnmpAdminString, spdTimeFiltPeriod SpdTimePeriod, spdTimeFiltMonthOfYearMask BITS, spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfWeekMask BITS, spdTimeFiltTimeOfDayMask SpdTimePeriod, spdTimeFiltLastChanged TimeStamp, spdTimeFiltStorageType StorageType, spdTimeFiltRowStatus RowStatus }
spdTimeFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An administratively assigned name for this filter." ::= { spdTimeFilterEntry 1 }
spdTimeFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An administratively assigned name for this filter." ::= { spdTimeFilterEntry 1 }
spdTimeFiltPeriod OBJECT-TYPE SYNTAX SpdTimePeriod MAX-ACCESS read-create STATUS current DESCRIPTION "The valid time period for this filter. This column is considered 'true' if the current time is within the range of this object." DEFVAL { "THISANDPRIOR/THISANDFUTURE" } ::= { spdTimeFilterEntry 2 }
spdTimeFiltPeriod OBJECT-TYPE SYNTAX SpdTimePeriod MAX-ACCESS read-create STATUS current DESCRIPTION "The valid time period for this filter. This column is considered 'true' if the current time is within the range of this object." DEFVAL { "THISANDPRIOR/THISANDFUTURE" } ::= { spdTimeFilterEntry 2 }
spdTimeFiltMonthOfYearMask OBJECT-TYPE SYNTAX BITS { january(0), february(1), march(2), april(3), may(4), june(5), july(6), august(7), september(8), october(9), november(10), december(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask that indicates acceptable months of the year. This column evaluates to 'true' if the current month's bit is set." DEFVAL { { january, february, march, april, may, june, july, august, september, october, november, december } } ::= { spdTimeFilterEntry 3 }
spdTimeFiltMonthOfYearMask OBJECT-TYPE SYNTAX BITS { january(0), february(1), march(2), april(3), may(4), june(5), july(6), august(7), september(8), october(9), november(10), december(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask that indicates acceptable months of the year. This column evaluates to 'true' if the current month's bit is set." DEFVAL { { january, february, march, april, may, june, july, august, september, october, november, december } } ::= { spdTimeFilterEntry 3 }
spdTimeFiltDayOfMonthMask OBJECT-TYPE SYNTAX OCTET STRING (SIZE(8)) MAX-ACCESS read-create STATUS current DESCRIPTION "Defines which days of the month the current time is valid for. It is a sequence of 64 BITS, where each BIT represents a corresponding day of the month in forward or reverse order. Starting from the left-most bit, the first 31 bits identify the day of the month, counting from the beginning of the month. The following 31 bits (bits 32-62) indicate the day of the month, counting from the end of the
spdTimeFiltDayOfMonthMask对象类型语法八位字符串(大小(8))最大访问读取创建状态当前说明“定义当前时间在当月的哪几天有效。它是一个由64位组成的序列,其中每一位表示一个月中相应的一天,按正向或反向顺序排列。从最左边的位开始,前31位标识月份的日期,从月初开始计数。以下31位(32-62位)表示月份的日期,从月底开始计算
month. For months with fewer than 31 days, the bits that correspond to the non-existent days of that month are ignored (e.g., for non-leap year Februarys, bits 29-31 and 60-62 are ignored).
月对于少于31天的月份,忽略与该月份不存在的天数相对应的位(例如,对于非闰年2月,忽略位29-31和60-62)。
This column evaluates to 'true' if the current day of the month's bit is set.
如果设置了月份位的当前日期,则此列的计算结果为“true”。
For example, a value of 0X'80 00 00 01 00 00 00 00' indicates that this column evaluates to true on the first and last days of the month.
例如,值0X'80 00 01 00'表示此列在每月的第一天和最后几天的计算结果为true。
The last two bits in the string MUST be zero." DEFVAL { 'fffffffffffffffe'H } ::= { spdTimeFilterEntry 4 }
The last two bits in the string MUST be zero." DEFVAL { 'fffffffffffffffe'H } ::= { spdTimeFilterEntry 4 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE SYNTAX BITS { sunday(0), monday(1), tuesday(2), wednesday(3), thursday(4), friday(5), saturday(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask that defines which days of the week that the current time is valid for. This column evaluates to 'true' if the current day of the week's bit is set." DEFVAL { { monday, tuesday, wednesday, thursday, friday, saturday, sunday } } ::= { spdTimeFilterEntry 5 }
spdTimeFiltDayOfWeekMask OBJECT-TYPE SYNTAX BITS { sunday(0), monday(1), tuesday(2), wednesday(3), thursday(4), friday(5), saturday(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask that defines which days of the week that the current time is valid for. This column evaluates to 'true' if the current day of the week's bit is set." DEFVAL { { monday, tuesday, wednesday, thursday, friday, saturday, sunday } } ::= { spdTimeFilterEntry 5 }
spdTimeFiltTimeOfDayMask OBJECT-TYPE SYNTAX SpdTimePeriod MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates the start and end time of the day for which this filter evaluates to true. The date portions of the spdTimePeriod TC are ignored for purposes of evaluating this mask, and only the time-specific portions are used.
spdTimeFiltTimeOfDayMask对象类型语法SpdTimePeriod MAX-ACCESS read create STATUS current DESCRIPTION”表示此筛选器计算为true的一天的开始和结束时间。为计算此掩码,将忽略SpdTimePeriod TC的日期部分,仅使用特定于时间的部分。
This column evaluates to 'true' if the current time of day is within the range of the start and end times of the day indicated by this object." DEFVAL { "00000000T000000/00000000T240000" } ::= { spdTimeFilterEntry 6 }
This column evaluates to 'true' if the current time of day is within the range of the start and end times of the day indicated by this object." DEFVAL { "00000000T000000/00000000T240000" } ::= { spdTimeFilterEntry 6 }
spdTimeFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp
spdTimeFiltLastChanged对象类型语法时间戳
MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdTimeFilterEntry 7 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdTimeFilterEntry 7 }
spdTimeFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdTimeFiltStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdTimeFilterEntry 8 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdTimeFilterEntry 8 }
spdTimeFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdTimeFiltRowStatus对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
If active, this object MUST remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table MUST result in an inconsistentValue error." ::= { spdTimeFilterEntry 9 }
If active, this object MUST remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table MUST result in an inconsistentValue error." ::= { spdTimeFilterEntry 9 }
-- -- IPSO protection authority filtering --
----IPSO保护机构过滤--
spdIpsoHeaderFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IPSO header filter definitions to be used within the spdRuleDefinitionTable or the spdSubfiltersTable. IPSO headers and their values are described in RFC 1108." REFERENCE "RFC 1108" ::= { spdConfigObjects 10 }
spdIpsoHeaderFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IPSO header filter definitions to be used within the spdRuleDefinitionTable or the spdSubfiltersTable. IPSO headers and their values are described in RFC 1108." REFERENCE "RFC 1108" ::= { spdConfigObjects 10 }
spdIpsoHeaderFilterEntry OBJECT-TYPE SYNTAX SpdIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { spdIpsoHeadFiltName } ::= { spdIpsoHeaderFilterTable 1 }
spdIpsoHeaderFilterEntry OBJECT-TYPE SYNTAX SpdIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { spdIpsoHeadFiltName } ::= { spdIpsoHeaderFilterTable 1 }
SpdIpsoHeaderFilterEntry ::= SEQUENCE { spdIpsoHeadFiltName SnmpAdminString, spdIpsoHeadFiltType BITS, spdIpsoHeadFiltClassification INTEGER, spdIpsoHeadFiltProtectionAuth INTEGER, spdIpsoHeadFiltLastChanged TimeStamp, spdIpsoHeadFiltStorageType StorageType, spdIpsoHeadFiltRowStatus RowStatus }
SpdIpsoHeaderFilterEntry ::= SEQUENCE { spdIpsoHeadFiltName SnmpAdminString, spdIpsoHeadFiltType BITS, spdIpsoHeadFiltClassification INTEGER, spdIpsoHeadFiltProtectionAuth INTEGER, spdIpsoHeadFiltLastChanged TimeStamp, spdIpsoHeadFiltStorageType StorageType, spdIpsoHeadFiltRowStatus RowStatus }
spdIpsoHeadFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { spdIpsoHeaderFilterEntry 1 }
spdIpsoHeadFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { spdIpsoHeaderFilterEntry 1 }
spdIpsoHeadFiltType OBJECT-TYPE SYNTAX BITS { classificationLevel(0), protectionAuthority(1) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates which of the IPSO header field a packet is filtered on for this row. If this object is set to classification(0), the spdIpsoHeadFiltClassification
spdIpsoHeadFiltType对象类型语法位{classificationLevel(0),protectionAuthority(1)}MAX-ACCESS读取创建状态当前描述“此对象指示为此行筛选数据包的IPSO标头字段中的哪一个。如果此对象设置为classification(0),则spdIpsoHeadFiltClassification
object indicates how the packet is filtered. If this object is set to protectionAuthority(1), the spdIpsoHeadFiltProtectionAuth object indicates how the packet is filtered." ::= { spdIpsoHeaderFilterEntry 2 }
object indicates how the packet is filtered. If this object is set to protectionAuthority(1), the spdIpsoHeadFiltProtectionAuth object indicates how the packet is filtered." ::= { spdIpsoHeaderFilterEntry 2 }
spdIpsoHeadFiltClassification OBJECT-TYPE SYNTAX INTEGER { topSecret(61), secret(90), confidential(150), unclassified(171) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the IPSO classification header field value that the packet MUST have for this row to evaluate to 'true'.
spdIpsoHeadFiltClassification对象类型语法整数{topSecret(61)、secret(90)、Secretive(150)、unclassified(171)}MAX-ACCESS读取创建状态当前描述“此对象表示数据包必须具有的IPSO分类头字段值,才能使此行计算为“true”。
The values of these enumerations are defined by RFC 1108." REFERENCE "RFC 1108" ::= { spdIpsoHeaderFilterEntry 3 }
The values of these enumerations are defined by RFC 1108." REFERENCE "RFC 1108" ::= { spdIpsoHeaderFilterEntry 3 }
spdIpsoHeadFiltProtectionAuth OBJECT-TYPE SYNTAX INTEGER { genser(0), siopesi(1), sci(2), nsa(3), doe(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the IPSO protection authority header field value that the packet MUST have for this row to evaluate to 'true'.
spdIpsoHeadFiltProtectionAuth对象类型语法整数{genser(0)、siopesi(1)、sci(2)、nsa(3)、doe(4)}MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示数据包必须具有的IPSO保护机构头字段值,才能将此行计算为“true”。
The values of these enumerations are defined by RFC 1108. Hence the reason the SMIv2 convention of not using 0 in enumerated lists is violated here." REFERENCE "RFC 1108" ::= { spdIpsoHeaderFilterEntry 4 }
The values of these enumerations are defined by RFC 1108. Hence the reason the SMIv2 convention of not using 0 in enumerated lists is violated here." REFERENCE "RFC 1108" ::= { spdIpsoHeaderFilterEntry 4 }
spdIpsoHeadFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
spdIpsoHeadFiltLastChanged对象类型语法时间戳MAX-ACCESS只读状态当前描述“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value."
如果自上次重新初始化网络管理子系统以来未修改此行,则此对象的值应为零。”
::= { spdIpsoHeaderFilterEntry 5 }
::= { spdIpsoHeaderFilterEntry 5 }
spdIpsoHeadFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdIpsoHeadFiltStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdIpsoHeaderFilterEntry 6 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdIpsoHeaderFilterEntry 6 }
spdIpsoHeadFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdIpsoHeadFiltRowStatus对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
However, this object MUST NOT be set to active if the requirements of the spdIpsoHeadFiltType object are not met. Specifically, if the spdIpsoHeadFiltType bit for classification(0) is set, the spdIpsoHeadFiltClassification column MUST have a valid value for the row status to be set to active. If the spdIpsoHeadFiltType bit for protectionAuthority(1) is set, the spdIpsoHeadFiltProtectionAuth column MUST have a valid value for the row status to be set to active.
但是,如果未满足spdIpsoHeadFiltType对象的要求,则不得将此对象设置为活动。具体而言,如果设置了分类的spdIpsoHeadFiltType位(0),则spdIpsoHeadFiltClassification列必须具有有效值,才能将行状态设置为活动。如果设置了protectionAuthority(1)的spdIpsoHeadFiltType位,则spdIpsoHeadFiltProtectionAuth列必须具有有效值,才能将行状态设置为活动。
If active, this object MUST remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table MUST result in an inconsistentValue error." ::= { spdIpsoHeaderFilterEntry 7 }
If active, this object MUST remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table MUST result in an inconsistentValue error." ::= { spdIpsoHeaderFilterEntry 7 }
-- -- compound actions table --
----复合动作表--
spdCompoundActionTable OBJECT-TYPE
SPDCompondactionTable对象类型
SYNTAX SEQUENCE OF SpdCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table used to allow multiple actions to be associated with a rule. It uses the spdSubactionsTable to do this. The rows from spdSubactionsTable that are partially indexed by spdCompActName form the set of compound actions to be performed. The spdCompActExecutionStrategy column in this table indicates how those actions are processed." ::= { spdConfigObjects 11 }
SYNTAX SEQUENCE OF SpdCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table used to allow multiple actions to be associated with a rule. It uses the spdSubactionsTable to do this. The rows from spdSubactionsTable that are partially indexed by spdCompActName form the set of compound actions to be performed. The spdCompActExecutionStrategy column in this table indicates how those actions are processed." ::= { spdConfigObjects 11 }
spdCompoundActionEntry OBJECT-TYPE SYNTAX SpdCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the spdCompoundActionTable." INDEX { spdCompActName } ::= { spdCompoundActionTable 1 }
spdCompoundActionEntry OBJECT-TYPE SYNTAX SpdCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the spdCompoundActionTable." INDEX { spdCompActName } ::= { spdCompoundActionTable 1 }
SpdCompoundActionEntry ::= SEQUENCE { spdCompActName SnmpAdminString, spdCompActExecutionStrategy INTEGER, spdCompActLastChanged TimeStamp, spdCompActStorageType StorageType, spdCompActRowStatus RowStatus }
SpdCompoundActionEntry ::= SEQUENCE { spdCompActName SnmpAdminString, spdCompActExecutionStrategy INTEGER, spdCompActLastChanged TimeStamp, spdCompActStorageType StorageType, spdCompActRowStatus RowStatus }
spdCompActName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is an administratively assigned name of this compound action." ::= { spdCompoundActionEntry 1 }
spdCompActName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is an administratively assigned name of this compound action." ::= { spdCompoundActionEntry 1 }
spdCompActExecutionStrategy OBJECT-TYPE SYNTAX INTEGER { doAll(1), doUntilSuccess(2), doUntilFailure(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates how the sub-actions are executed based on the success of the actions as they finish executing.
spdCompActExecutionStrategy对象类型语法整数{doAll(1),DOUTILSUCCESS(2),DOUTILFAILURE(3)}MAX-ACCESS read create STATUS current DESCRIPTION“此对象指示如何根据操作完成时的成功执行子操作。
doAll - run each sub-action regardless of the exit status of the previous action. This parent action is always considered to have acted successfully.
doAll-运行每个子操作,而不考虑前一个操作的退出状态。此父操作始终被视为已成功执行。
doUntilSuccess - run each sub-action until one succeeds, at which point stop processing the sub-actions within this parent compound action. If one of the sub-actions did execute successfully, this parent action is also considered to have executed successfully.
doUntilSuccess—运行每个子操作,直到其中一个操作成功,此时停止处理此父复合操作中的子操作。如果其中一个子操作成功执行,则此父操作也被视为已成功执行。
doUntilFailure - run each sub-action until one fails, at which point stop processing the sub-actions within this compound action. If any sub-action fails, the result of this parent action is considered to have failed." DEFVAL { doUntilSuccess } ::= { spdCompoundActionEntry 2 }
doUntilFailure - run each sub-action until one fails, at which point stop processing the sub-actions within this compound action. If any sub-action fails, the result of this parent action is considered to have failed." DEFVAL { doUntilSuccess } ::= { spdCompoundActionEntry 2 }
spdCompActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
spdCompActLastChanged对象类型语法TimeStamp MAX-ACCESS只读状态current DESCRIPTION“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdCompoundActionEntry 3 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdCompoundActionEntry 3 }
spdCompActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdCompActStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile }
对于永久性存储类型,任何列都不必是可写的
::= { spdCompoundActionEntry 4 }
::= { spdCompoundActionEntry 4 }
spdCompActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdCompActRowStatus对象类型语法RowStatus MAX-ACCESS读取创建状态当前描述“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
Once a row in the spdCompoundActionTable has been made active, this object MUST NOT be set to destroy without first destroying all the contained rows listed in the spdSubactionsTable." ::= { spdCompoundActionEntry 5 }
Once a row in the spdCompoundActionTable has been made active, this object MUST NOT be set to destroy without first destroying all the contained rows listed in the spdSubactionsTable." ::= { spdCompoundActionEntry 5 }
-- -- actions contained within a compound action --
----包含在复合动作中的动作--
spdSubactionsTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of the sub-actions within a given compound action. Compound actions executing these actions MUST execute them in series based on the spdSubActPriority value, with the lowest value executing first." ::= { spdConfigObjects 12 }
spdSubactionsTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of the sub-actions within a given compound action. Compound actions executing these actions MUST execute them in series based on the spdSubActPriority value, with the lowest value executing first." ::= { spdConfigObjects 12 }
spdSubactionsEntry OBJECT-TYPE SYNTAX SpdSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row containing a reference to a given compound-action sub-action." INDEX { spdCompActName, spdSubActPriority } ::= { spdSubactionsTable 1 }
spdSubactionsEntry OBJECT-TYPE SYNTAX SpdSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row containing a reference to a given compound-action sub-action." INDEX { spdCompActName, spdSubActPriority } ::= { spdSubactionsTable 1 }
SpdSubactionsEntry ::= SEQUENCE { spdSubActPriority Integer32, spdSubActSubActionName VariablePointer,
SpdSubactionsEntry ::= SEQUENCE { spdSubActPriority Integer32, spdSubActSubActionName VariablePointer,
spdSubActLastChanged TimeStamp, spdSubActStorageType StorageType, spdSubActRowStatus RowStatus }
spdSubActLastChanged时间戳,spdSubActStorageType存储类型,spdSubActRowStatus行状态}
spdSubActPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given sub-action within a compound action. The order in which sub-actions MUST be executed are based on the value from this column, with the lowest numeric value executing first (i.e., priority 0 before priority 1, 1 before 2, etc.)." ::= { spdSubactionsEntry 1 }
spdSubActPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given sub-action within a compound action. The order in which sub-actions MUST be executed are based on the value from this column, with the lowest numeric value executing first (i.e., priority 0 before priority 1, 1 before 2, etc.)." ::= { spdSubactionsEntry 1 }
spdSubActSubActionName OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "This column points to the action to be taken. It MAY, but is not limited to, point to a row in one of the following tables:
spdSubActSubActionName对象类型语法变量POINTER MAX-ACCESS read create STATUS current DESCRIPTION“此列指向要执行的操作。它可以但不限于指向以下表之一中的行:
spdCompoundActionTable - Allowing recursion ipsaSaPreconfiguredActionTable ipiaIkeActionTable ipiaIpsecActionTable
SPDCompondactionTable-允许递归ipsaSaPreconfiguredActionTable IPAIKEActionTable IPAIPSecActionTable
It MAY also point to one of the scalar objects beneath spdStaticActions.
它还可能指向spdStaticActions下的一个标量对象。
If this object is set to a pointer to a row in an unsupported (or unknown) table, an inconsistentValue error MUST be returned.
如果将此对象设置为指向不受支持(或未知)表中的行的指针,则必须返回不一致值错误。
If this object is set to point to a non-existent row in an otherwise supported table, an inconsistentName error MUST be returned.
如果将此对象设置为指向其他支持的表中不存在的行,则必须返回不一致的名称错误。
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." ::= { spdSubactionsEntry 2 }
If, during packet processing, this column has a value that references a non-existent or non-supported object, the packet MUST be dropped." ::= { spdSubactionsEntry 2 }
spdSubActLastChanged OBJECT-TYPE
spdSubActLastChanged对象类型
SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means.
SYNTAX TimeStamp MAX-ACCESS只读状态current DESCRIPTION“上次通过SNMP集或其他外部方式修改或创建此行时的sysUpTime值。
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdSubactionsEntry 3 }
If this row has not been modified since the last re-initialization of the network management subsystem, this object SHOULD have a zero value." ::= { spdSubactionsEntry 3 }
spdSubActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table that were created through an external process MAY have a storage type of readOnly or permanent.
spdSubActStorageType对象类型语法StorageType MAX-ACCESS读取创建状态当前描述“此行的存储类型。此表中通过外部进程创建的行的存储类型可能为只读或永久。
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdSubactionsEntry 4 }
For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdSubactionsEntry 4 }
spdSubActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row.
spdSubActRowStatus对象类型语法RowStatus MAX-ACCESS read create STATUS current DESCRIPTION“此对象表示此行的概念状态。
The value of this object has no effect on whether other objects in this conceptual row can be modified.
此对象的值对是否可以修改此概念行中的其他对象没有影响。
If active, this object MUST remain active unless one of the following two conditions are met. An attempt to set it to anything other than active while the following conditions are not met MUST result in an inconsistentValue error. The two conditions are:
如果处于活动状态,则此对象必须保持活动状态,除非满足以下两个条件之一。如果在不满足以下条件的情况下尝试将其设置为“活动”以外的任何值,则必须导致“值不一致”错误。这两个条件是:
I. No active row in the spdCompoundActionTable exists which has a matching spdCompActName.
I.spdCompoundActionTable中不存在具有匹配spdCompActName的活动行。
II. Or, at least one other active row in this table has a matching spdCompActName."
二、或者,此表中至少有一个其他活动行具有匹配的名称。“
::= { spdSubactionsEntry 5 }
::= { spdSubactionsEntry 5 }
-- -- Static Actions --
----静态作用--
-- these are static actions that can be pointed to by the -- spdRuleDefAction or the spdSubActSubActionName objects to -- drop, accept, or reject packets.
-- these are static actions that can be pointed to by the -- spdRuleDefAction or the spdSubActSubActionName objects to -- drop, accept, or reject packets.
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }
spdDropAction OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet MUST be dropped and SHOULD NOT have action/packet logging." ::= { spdStaticActions 1 }
spdDropAction OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet MUST be dropped and SHOULD NOT have action/packet logging." ::= { spdStaticActions 1 }
spdDropActionLog OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet MUST be dropped and SHOULD have action/packet logging." ::= { spdStaticActions 2 }
spdDropActionLog OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet MUST be dropped and SHOULD have action/packet logging." ::= { spdStaticActions 2 }
spdAcceptAction OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This Scalar indicates that a packet MUST be accepted (pass-through) and SHOULD NOT have action/packet logging." ::= { spdStaticActions 3 }
spdAcceptAction OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This Scalar indicates that a packet MUST be accepted (pass-through) and SHOULD NOT have action/packet logging." ::= { spdStaticActions 3 }
spdAcceptActionLog OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet MUST be accepted (pass-through) and SHOULD have action/packet logging." ::= { spdStaticActions 4 }
spdAcceptActionLog OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet MUST be accepted (pass-through) and SHOULD have action/packet logging." ::= { spdStaticActions 4 }
-- -- -- Notification objects information -- --
----通知对象信息----
spdNotificationVariables OBJECT IDENTIFIER ::= { spdNotificationObjects 1 }
spdNotificationVariables OBJECT IDENTIFIER ::= { spdNotificationObjects 1 }
spdNotifications OBJECT IDENTIFIER ::= { spdNotificationObjects 0 }
spdNotifications OBJECT IDENTIFIER ::= { spdNotificationObjects 0 }
spdActionExecuted OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Points to the action instance that was executed that resulted in the notification being sent." ::= { spdNotificationVariables 1 }
spdActionExecuted OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Points to the action instance that was executed that resulted in the notification being sent." ::= { spdNotificationVariables 1 }
spdIPEndpointAddType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the address type for the interface that the notification triggering packet is passing through." ::= { spdNotificationVariables 2 }
spdIPEndpointAddType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the address type for the interface that the notification triggering packet is passing through." ::= { spdNotificationVariables 2 }
spdIPEndpointAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the interface address for the interface that the notification triggering packet is passing through.
spdIPEndpointAddress对象类型语法InetAddress MAX-ACCESS accessible for notify STATUS current DESCRIPTION“包含通知触发数据包正在通过的接口的接口地址。
The format of this object is specified by the spdIPEndpointAddType object." ::= { spdNotificationVariables 3 }
The format of this object is specified by the spdIPEndpointAddType object." ::= { spdNotificationVariables 3 }
spdIPSourceType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the source address type of the packet that
spdIPSourceType对象类型语法InetAddressType MAX-ACCESS可访问的通知状态当前描述”包含发送的数据包的源地址类型
triggered the notification." ::= { spdNotificationVariables 4 }
triggered the notification." ::= { spdNotificationVariables 4 }
spdIPSourceAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the source address of the packet that triggered the notification.
spdIPSourceAddress对象类型语法InetAddress MAX-ACCESS accessible for notify STATUS current DESCRIPTION“包含触发通知的数据包的源地址。
The format of this object is specified by the spdIPSourceType object." ::= { spdNotificationVariables 5 }
The format of this object is specified by the spdIPSourceType object." ::= { spdNotificationVariables 5 }
spdIPDestinationType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the destination address type of the packet that triggered the notification." ::= { spdNotificationVariables 6 }
spdIPDestinationType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the destination address type of the packet that triggered the notification." ::= { spdNotificationVariables 6 }
spdIPDestinationAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the destination address of the packet that triggered the notification.
spdIPDestinationAddress对象类型语法InetAddress MAX-ACCESS accessible for notify STATUS current DESCRIPTION“包含触发通知的数据包的目标地址。
The format of this object is specified by the spdIPDestinationType object." ::= { spdNotificationVariables 7 }
The format of this object is specified by the spdIPDestinationType object." ::= { spdNotificationVariables 7 }
spdPacketDirection OBJECT-TYPE SYNTAX IfDirection MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates if the packet that triggered the action in questions was ingress (inbound) or egress (outbound)." ::= { spdNotificationVariables 8 }
spdPacketDirection OBJECT-TYPE SYNTAX IfDirection MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates if the packet that triggered the action in questions was ingress (inbound) or egress (outbound)." ::= { spdNotificationVariables 8 }
spdPacketPart OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..65535)) MAX-ACCESS accessible-for-notify
spdPacketPart对象类型语法八位字符串(大小(0..65535))MAX-ACCESS可用于notify
STATUS current DESCRIPTION "spdPacketPart is the front part of the full IP packet that triggered this notification. The initial size limit is determined by the smaller of the size, indicated by:
STATUS current DESCRIPTION“spdPacketPart是触发此通知的完整IP数据包的前端部分。初始大小限制由较小的大小决定,表示为:
I. The value of the object with the TC syntax 'SpdIPPacketLogging' that indicated the packet SHOULD be logged and
I.具有TC语法“SpdIPPacketLogging”的对象的值,该语法指示应记录数据包,并且
II. The size of the triggering packet.
二、触发数据包的大小。
The final limit is determined by the SNMP packet size when sending the notification. The maximum size that can be included will be the smaller of the initial size, given the above, and the length that will fit in a single SNMP notification packet after the rest of the notification's objects and any other necessary packet data (headers encoding, etc.) have been included in the packet." ::= { spdNotificationVariables 9 }
The final limit is determined by the SNMP packet size when sending the notification. The maximum size that can be included will be the smaller of the initial size, given the above, and the length that will fit in a single SNMP notification packet after the rest of the notification's objects and any other necessary packet data (headers encoding, etc.) have been included in the packet." ::= { spdNotificationVariables 9 }
spdActionNotification NOTIFICATION-TYPE OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection } STATUS current DESCRIPTION "Notification that an action was executed by a rule. Only actions with logging enabled will result in this notification getting sent. The object includes the spdActionExecuted object, which will indicate which action was executed within the scope of the rule. Additionally, the spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, and spdIPDestinationAddress objects are included to indicate the packet source and destination of the packet that triggered the action. Finally, the spdIPEndpointAddType, spdIPEndpointAddress, and spdPacketDirection objects indicate which interface the executed action was associated with, and if the packet was ingress or egress through the endpoint.
spdActionNotification通知类型对象{spdActionExecuted,SPDIPENDPOINTADTYPE,spdIPEndpointAddress,spdIPSourceType,spdIPSourceAddress,spdIPDestinationType,spdIPDestinationAddress,spdPacketDirection}状态当前描述“由规则执行操作的通知。只有启用日志记录的操作才会发送此通知。该对象包括spdActionExecuted对象,该对象将指示在规则范围内执行的操作。此外,还包括spdIPSourceType、spdIPSourceAddress、spdIPDestinationType和spdIPDestinationAddress对象,以指示触发操作的数据包的数据包源和目标。最后,spdIPEndpointAddType、spdIPEndpointAddress和spdPacketDirection对象指示执行的操作与哪个接口关联,以及数据包是否通过端点进入或离开。
A spdActionNotification SHOULD be limited to a maximum of one notification sent per minute for any action notifications that do not have any other configuration controlling their send rate.
对于没有任何其他配置控制其发送速率的任何操作通知,spdActionNotification最多应限制为每分钟发送一个通知。
Note that compound actions with multiple executed sub-actions may result in multiple notifications being sent from a single rule execution." ::= { spdNotifications 1 }
Note that compound actions with multiple executed sub-actions may result in multiple notifications being sent from a single rule execution." ::= { spdNotifications 1 }
spdPacketNotification NOTIFICATION-TYPE OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection, spdPacketPart } STATUS current DESCRIPTION "Notification that a packet passed through a Security Association (SA). Only SAs created by actions with packet logging enabled will result in this notification getting sent. The objects sent MUST include the spdActionExecuted, which will indicate which action was executed within the scope of the rule. Additionally, the spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, and spdIPDestinationAddress objects MUST be included to indicate the packet source and destination of the packet that triggered the action. The spdIPEndpointAddType, spdIPEndpointAddress, and spdPacketDirection objects are included to indicate which endpoint the packet was associated with. Finally, spdPacketPart is included to enable sending a variable sized part of the front of the packet with the size dependent on the value of the object of TC syntax 'SpdIPPacketLogging', which indicated that logging should be done.
spdPacketNotification NOTIFICATION-TYPE对象{spdActionExecuted,spdIPEndpointAddType,spdIPEndpointAddress,spdIPSourceType,spdIPSourceAddress,spdIPDestinationType,spdIPDestinationAddress,spdPacketDirection,spdPacketPart}状态当前描述“包通过安全关联(SA)的通知”。只有由启用数据包日志记录的操作创建的SA才会发送此通知。发送的对象必须包括spdActionExecuted,这将指示在规则范围内执行的操作。此外,spdIPSourceType、spdIPSourceAddress、SPDIPSDestinationType和SPDIPSDestinationAddress对象必须包含ST以指示触发操作的数据包的数据包源和目标。包含spdIPEndpointAddType、spdIPEndpointAddress和spdPacketDirection对象以指示数据包与哪个端点关联。最后,包含spdPacketPart以允许发送p前端的可变大小部分acket,其大小取决于TC语法“SpdIPPacketLogging”的对象的值,这表示应该进行日志记录。
A spdPacketNotification SHOULD be limited to a maximum of one notification sent per minute for any action notifications that do not have any other configuration controlling their send rate.
对于没有任何其他配置控制其发送速率的任何操作通知,spdPacketNotification最多应限制为每分钟发送一个通知。
An action notification SHOULD be limited to a maximum of one notification sent per minute for any action notifications that do not have any other configuration controlling their send rate." ::= { spdNotifications 2 }
An action notification SHOULD be limited to a maximum of one notification sent per minute for any action notifications that do not have any other configuration controlling their send rate." ::= { spdNotifications 2 }
-- -- -- Conformance information
----一致性信息
-- --
-- --
spdCompliances OBJECT IDENTIFIER ::= { spdConformanceObjects 1 } spdGroups OBJECT IDENTIFIER ::= { spdConformanceObjects 2 }
spdCompliances OBJECT IDENTIFIER ::= { spdConformanceObjects 1 } spdGroups OBJECT IDENTIFIER ::= { spdConformanceObjects 2 }
-- -- Compliance statements -- -- spdRuleFilterFullCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that include an IPsec MIB implementation with Endpoint, Rules, and filters support.
----符合性声明--spdRuleFilterFullCompliance MODULE-Compliance STATUS current DESCRIPTION“包含支持端点、规则和筛选器的IPsec MIB实现的SNMP实体的符合性声明。
When this MIB is implemented with support for read-create, then such an implementation can claim full compliance. Such devices can then be both monitored and configured with this MIB."
当此MIB在支持读创建的情况下实现时,这样的实现可以声明完全符合要求。然后可以使用此MIB监控和配置此类设备。”
MODULE -- This Module MANDATORY-GROUPS { spdEndpointGroup, spdGroupContentsGroup, spdRuleDefinitionGroup, spdStaticFilterGroup, spdStaticActionGroup , diffServMIBMultiFieldClfrGroup }
MODULE--此模块是必需的-组{spdEndpointGroup,spdGroupContentsGroup,spdRuleDefinitionGroup,spdStaticFilterGroup,spdStaticActionGroup,DiffServMibMultiFieldCfRGGroup}
GROUP spdIpsecSystemPolicyNameGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support a system policy group name."
GROUP spdIpsecSystemPolicyNameGroup DESCRIPTION“对于支持系统策略组名称的IPsec策略实施,此组是必需的。”
GROUP spdCompoundFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support compound filters."
GROUP spdCompoundFilterGroup DESCRIPTION“此组对于支持复合筛选器的IPsec策略实现是必需的。”
GROUP spdIPOffsetFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support IP Offset filters. In general, this SHOULD be supported by a compliant IPsec
GROUP spdIPOffsetFilterGroup DESCRIPTION“对于支持IP偏移筛选器的IPsec策略实施,此组是必需的。通常,兼容的IPsec应支持此组
Policy implementation."
政策执行。”
GROUP spdTimeFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support time filters."
GROUP spdTimeFilterGroup DESCRIPTION“此组对于支持时间筛选器的IPsec策略实施是必需的。”
GROUP spdIpsoHeaderFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support IPSO Header filters."
GROUP spdIpsoHeaderFilterGroup DESCRIPTION“此组对于支持IPSO标头筛选器的IPsec策略实施是必需的。”
GROUP spdCompoundActionGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support compound actions."
GROUP spdCompoundActionGroup DESCRIPTION“此组对于支持复合操作的IPsec策略实现是必需的。”
OBJECT spdEndGroupLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdEndGroupLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdGroupContComponentType SYNTAX INTEGER { rule(2) } DESCRIPTION "Support of the value group(1) is only required for implementations that support Policy Groups within Policy Groups."
OBJECT spdGroupContComponentType SYNTAX INTEGER { rule(2) } DESCRIPTION "Support of the value group(1) is only required for implementations that support Policy Groups within Policy Groups."
OBJECT spdGroupContLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象SPDGroupConLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdRuleDefLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象SPDRuleDefastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdCompFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdCompFiltLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdSubFiltLastChanged MIN-ACCESS not-accessible
对象spdSubFiltLastChanged最小访问权限不可访问
DESCRIPTION "This object not required for compliance."
DESCRIPTION“此对象不是法规遵从性所必需的。”
OBJECT spdIpOffFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdIpOffFiltLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdTimeFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdTimeFiltLastChanged MIN-ACCESS不可访问描述“此对象不符合法规要求。”
OBJECT spdIpsoHeadFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdIpsoHeadFiltLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdCompActLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdCompActLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT spdSubActLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance."
对象spdSubActLastChanged MIN-ACCESS不可访问描述“此对象不符合要求。”
OBJECT diffServMultiFieldClfrNextFree MIN-ACCESS not-accessible DESCRIPTION "This object is not required for compliance."
对象diffServMultiFieldClfrNextFree最小访问不可访问描述“此对象不是法规遵从性所必需的。”
::= { spdCompliances 1 }
::= { spdCompliances 1 }
spdLoggingCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that support sending notifications when actions are invoked." MODULE -- This Module MANDATORY-GROUPS { spdActionLoggingObjectGroup, spdActionNotificationGroup }
spdLoggingCompliance MODULE-COMPLIANCE STATUS当前描述“支持在调用操作时发送通知的SNMP实体的符合性声明”。模块--此模块为必填项-组{spdActionLoggingObjectGroup,spdActionNotificationGroup}
::= { spdCompliances 2 }
::= { spdCompliances 2 }
--
--
-- ReadOnly Compliances -- spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that include an IPsec MIB implementation with Endpoint, Rules, and filters support.
--ReadOnly COMPLIANCE--SPDRuleFilterReadOnly COMPLIANCE MODULE-COMPLIANCE STATUS current DESCRIPTION“包含支持端点、规则和筛选器的IPsec MIB实现的SNMP实体的符合性声明。
If this MIB is implemented without support for read-create (i.e., in read-only), it is not in full compliance, but it can claim read-only compliance. Such a device can then be monitored, but cannot be configured with this MIB."
如果此MIB是在不支持读创建(即只读)的情况下实现的,则它不完全符合要求,但它可以声明为只读符合要求。这样就可以监视这样的设备,但不能使用此MIB进行配置。”
MODULE -- This Module MANDATORY-GROUPS { spdEndpointGroup, spdGroupContentsGroup, spdRuleDefinitionGroup, spdStaticFilterGroup, spdStaticActionGroup , diffServMIBMultiFieldClfrGroup }
MODULE--此模块是必需的-组{spdEndpointGroup,spdGroupContentsGroup,spdRuleDefinitionGroup,spdStaticFilterGroup,spdStaticActionGroup,DiffServMibMultiFieldCfRGGroup}
GROUP spdIpsecSystemPolicyNameGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support a system policy group name."
GROUP spdIpsecSystemPolicyNameGroup DESCRIPTION“对于支持系统策略组名称的IPsec策略实施,此组是必需的。”
GROUP spdCompoundFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support compound filters."
GROUP spdCompoundFilterGroup DESCRIPTION“此组对于支持复合筛选器的IPsec策略实现是必需的。”
GROUP spdIPOffsetFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support IP Offset filters. In general, this SHOULD be supported by a compliant IPsec Policy implementation."
GROUP spdIPOffsetFilterGroup DESCRIPTION“此组对于支持IP偏移筛选器的IPsec策略实施是必需的。通常,这应该由符合要求的IPsec策略实施支持。”
GROUP spdTimeFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support time filters."
GROUP spdTimeFilterGroup DESCRIPTION“此组对于支持时间筛选器的IPsec策略实施是必需的。”
GROUP spdIpsoHeaderFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy
组spdIpsoHeaderFilterGroup DESCRIPTION“此组对于IPsec策略是必需的
implementations that support IPSO Header filters."
支持IPSO头过滤器的实现。”
GROUP spdCompoundActionGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations that support compound actions."
GROUP spdCompoundActionGroup DESCRIPTION“此组对于支持复合操作的IPsec策略实现是必需的。”
OBJECT spdCompActExecutionStrategy MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdCompActExecutionStrategy最小访问只读描述“不需要写访问。”
OBJECT spdCompActLastChanged DESCRIPTION "This object is not required for compliance."
OBJECT spdCompActLastChanged DESCRIPTION“此对象不是法规遵从性所必需的。”
OBJECT spdCompActRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象状态最小访问只读描述“不需要写访问。”
OBJECT spdCompActStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象类型CompactStorageType MIN-ACCESS只读说明“不需要写访问。”
OBJECT spdCompFiltDescription MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdCompFiltDescription最小访问只读描述“不需要写访问。”
OBJECT spdCompFiltLastChanged DESCRIPTION "This object is not required for compliance."
对象spdCompFiltLastChanged描述“此对象不是符合性所必需的。”
OBJECT spdCompFiltLogicType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdCompFiltLogicType最小访问只读描述“不需要写访问。”
OBJECT spdCompFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdCompFiltRowStatus最小访问只读说明“不需要写入访问权限。”
OBJECT spdCompFiltStorageType MIN-ACCESS read-only DESCRIPTION
对象spdCompFiltStorageType最小访问只读说明
"Write access is not required."
“不需要写访问权限。”
OBJECT spdEgressPolicyGroupName MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdEgressPolicyGroupName最小访问只读描述“不需要写访问。”
OBJECT spdEndGroupLastChanged DESCRIPTION "This object is not required for compliance."
对象spdEndGroupLastChanged描述“此对象不是法规遵从性所必需的。”
OBJECT spdEndGroupName MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdEndGroupName最小访问只读说明“不需要写访问。”
OBJECT spdEndGroupRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdEndGroupRowStatus最小访问只读说明“不需要写入访问权限。”
OBJECT spdEndGroupStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdEndGroupStorageType最小访问只读说明“不需要写访问。”
OBJECT spdGroupContComponentName MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdGroupContComponentName最小访问只读描述“不需要写访问权限。”
OBJECT spdGroupContComponentType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdGroupContComponentType最小访问只读描述“不需要写访问权限。”
OBJECT spdGroupContFilter MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdGroupContFilter最小访问只读描述“不需要写入访问权限。”
OBJECT spdGroupContLastChanged DESCRIPTION "This object is not required for compliance."
对象SPDGroupConLastChanged描述“此对象不是法规遵从性所必需的。”
OBJECT spdGroupContRowStatus MIN-ACCESS read-only DESCRIPTION
对象spdGroupContRowStatus最小访问只读说明
"Write access is not required."
“不需要写访问权限。”
OBJECT spdGroupContStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdGroupContStorageType最小访问只读描述“不需要写访问。”
OBJECT spdIngressPolicyGroupName MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象SPDINGRESPOLICYGROUPNAME MIN-ACCESS只读描述“不需要写访问。”
OBJECT spdIpOffFiltLastChanged DESCRIPTION "This object is not required for compliance."
对象spdIpOffFiltLastChanged描述“此对象不是符合性所必需的。”
OBJECT spdIpOffFiltOffset MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpOffFiltOffset最小访问只读描述“不需要写入访问。”
OBJECT spdIpOffFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpOffFiltRowStatus最小访问只读描述“不需要写访问。”
OBJECT spdIpOffFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpOffFiltStorageType最小访问只读描述“不需要写访问。”
OBJECT spdIpOffFiltType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpOffFiltType最小访问只读说明“不需要写入访问。”
OBJECT spdIpOffFiltValue MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpOffFiltValue最小访问只读说明“不需要写入访问。”
OBJECT spdIpsoHeadFiltClassification MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpsoHeadFiltClassification最小访问只读描述“不需要写访问。”
OBJECT spdIpsoHeadFiltLastChanged DESCRIPTION
对象spdIpsoHeadFiltLastChanged描述
"This object is not required for compliance."
“此对象不是法规遵从性所必需的。”
OBJECT spdIpsoHeadFiltProtectionAuth MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpsoHeadFiltProtectionAuth最小访问只读说明“不需要写访问。”
OBJECT spdIpsoHeadFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpsoHeadFiltRowStatus最小访问只读说明“不需要写入访问权限。”
OBJECT spdIpsoHeadFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpsoHeadFiltStorageType最小访问只读描述“不需要写访问。”
OBJECT spdIpsoHeadFiltType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdIpsoHeadFiltType最小访问只读描述“不需要写访问。”
OBJECT spdRuleDefAction MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象SPDRuledAction MIN-ACCESS只读说明“不需要写访问权限。”
OBJECT spdRuleDefAdminStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdRuleDefAdminStatus MIN-ACCESS只读说明“不需要写访问。”
OBJECT spdRuleDefDescription MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdRuleDefDescription MIN-ACCESS只读说明“不需要写访问权限。”
OBJECT spdRuleDefFilter MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdRuleDefFilter最小访问只读说明“不需要写入访问权限。”
OBJECT spdRuleDefFilterNegated MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdRuleDefFilterNegated最小访问只读说明“不需要写访问。”
OBJECT spdRuleDefLastChanged
对象spdRuleDefLastChanged
DESCRIPTION "This object is not required for compliance."
DESCRIPTION“此对象不是法规遵从性所必需的。”
OBJECT spdRuleDefRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdRuleDefRowStatus MIN-ACCESS只读说明“不需要写访问权限。”
OBJECT spdRuleDefStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdRuleDefStorageType MIN-ACCESS只读说明“不需要写访问。”
OBJECT spdSubActLastChanged DESCRIPTION "This object is not required for compliance."
对象spdSubActLastChanged描述“此对象不是符合性所必需的。”
OBJECT spdSubActRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdSubActRowStatus MIN-ACCESS只读说明“不需要写访问。”
OBJECT spdSubActStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdSubActStorageType MIN-ACCESS只读说明“不需要写访问。”
OBJECT spdSubActSubActionName MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdSubActSubActionName最小访问只读描述“不需要写访问权限。”
OBJECT spdSubFiltLastChanged DESCRIPTION "This object is not required for compliance."
对象spdSubFiltLastChanged描述“此对象不是法规遵从性所必需的。”
OBJECT spdSubFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdSubFiltRowStatus最小访问只读描述“不需要写入访问权限。”
OBJECT spdSubFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdSubFiltStorageType MIN-ACCESS只读说明“不需要写访问。”
OBJECT spdSubFiltSubfilter MIN-ACCESS read-only
对象SPDSubfilter subfilter MIN-ACCESS只读
DESCRIPTION "Write access is not required."
说明“不需要写访问权限。”
OBJECT spdSubFiltSubfilterIsNegated MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象SPDSubfilterSubfilterIsnegated最小访问只读说明“不需要写访问。”
OBJECT spdTimeFiltDayOfMonthMask MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltDayOfMonthMask最小访问只读描述“不需要写访问。”
OBJECT spdTimeFiltDayOfWeekMask MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltDayOfWeekMask最小访问只读描述“不需要写访问。”
OBJECT spdTimeFiltLastChanged DESCRIPTION "This object is not required for compliance."
对象spdTimeFiltLastChanged描述“此对象不是法规遵从性所必需的。”
OBJECT spdTimeFiltMonthOfYearMask MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltMonthOfYearMask最小访问只读描述“不需要写访问。”
OBJECT spdTimeFiltPeriod MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltPeriod最小访问只读描述“不需要写访问。”
OBJECT spdTimeFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltRowStatus最小访问只读描述“不需要写入访问权限。”
OBJECT spdTimeFiltTimeOfDayMask MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltTimeOfDayMask最小访问只读描述“不需要写访问。”
OBJECT spdTimeFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required."
对象spdTimeFiltStorageType最小访问只读描述“不需要写访问。”
::= { spdCompliances 3 }
::= { spdCompliances 3 }
-- -- -- Compliance Groups Definitions --
----法规遵从性组定义--
-- -- Endpoint, Rule, Filter Compliance Groups --
----端点、规则、筛选器符合性组--
spdEndpointGroup OBJECT-GROUP OBJECTS { spdEndGroupName, spdEndGroupLastChanged, spdEndGroupStorageType, spdEndGroupRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Endpoint Table." ::= { spdGroups 1 }
spdEndpointGroup OBJECT-GROUP OBJECTS { spdEndGroupName, spdEndGroupLastChanged, spdEndGroupStorageType, spdEndGroupRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Endpoint Table." ::= { spdGroups 1 }
spdGroupContentsGroup OBJECT-GROUP OBJECTS { spdGroupContComponentType, spdGroupContFilter, spdGroupContComponentName, spdGroupContLastChanged, spdGroupContStorageType, spdGroupContRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Group Contents Table." ::= { spdGroups 2 }
spdGroupContentsGroup OBJECT-GROUP OBJECTS { spdGroupContComponentType, spdGroupContFilter, spdGroupContComponentName, spdGroupContLastChanged, spdGroupContStorageType, spdGroupContRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Group Contents Table." ::= { spdGroups 2 }
spdIpsecSystemPolicyNameGroup OBJECT-GROUP OBJECTS { spdIngressPolicyGroupName, spdEgressPolicyGroupName } STATUS current DESCRIPTION "This group is made up of objects represent the System Policy Group Names." ::= { spdGroups 3}
spdIpsecSystemPolicyNameGroup OBJECT-GROUP OBJECTS { spdIngressPolicyGroupName, spdEgressPolicyGroupName } STATUS current DESCRIPTION "This group is made up of objects represent the System Policy Group Names." ::= { spdGroups 3}
spdRuleDefinitionGroup OBJECT-GROUP OBJECTS { spdRuleDefDescription, spdRuleDefFilter, spdRuleDefFilterNegated, spdRuleDefAction, spdRuleDefAdminStatus, spdRuleDefLastChanged,
spdRuleDefinitionGroup对象组对象{spdRuleDefDescription,spdRuleDefFilter,spdRuleDefFilterNegated,spdRuleDefAction,spdRuleDefAdminStatus,spdRuleDefLastChanged,
spdRuleDefStorageType, spdRuleDefRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Rule Definition Table." ::= { spdGroups 4 }
spdRuleDefStorageType, spdRuleDefRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Rule Definition Table." ::= { spdGroups 4 }
spdCompoundFilterGroup OBJECT-GROUP OBJECTS { spdCompFiltDescription, spdCompFiltLogicType, spdCompFiltLastChanged, spdCompFiltStorageType, spdCompFiltRowStatus, spdSubFiltSubfilter, spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged, spdSubFiltStorageType, spdSubFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Compound Filter Table and Sub-Filter Table Group." ::= { spdGroups 5 }
spdCompoundFilterGroup OBJECT-GROUP OBJECTS { spdCompFiltDescription, spdCompFiltLogicType, spdCompFiltLastChanged, spdCompFiltStorageType, spdCompFiltRowStatus, spdSubFiltSubfilter, spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged, spdSubFiltStorageType, spdSubFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Compound Filter Table and Sub-Filter Table Group." ::= { spdGroups 5 }
spdStaticFilterGroup OBJECT-GROUP OBJECTS { spdTrueFilter } STATUS current DESCRIPTION "The static filter group. Currently this is just a true filter." ::= { spdGroups 6 }
spdStaticFilterGroup OBJECT-GROUP OBJECTS { spdTrueFilter } STATUS current DESCRIPTION "The static filter group. Currently this is just a true filter." ::= { spdGroups 6 }
spdIPOffsetFilterGroup OBJECT-GROUP OBJECTS { spdIpOffFiltOffset, spdIpOffFiltType, spdIpOffFiltValue, spdIpOffFiltLastChanged, spdIpOffFiltStorageType, spdIpOffFiltRowStatus }
spdIPOffsetFilterGroup OBJECT-GROUP OBJECTS { spdIpOffFiltOffset, spdIpOffFiltType, spdIpOffFiltValue, spdIpOffFiltLastChanged, spdIpOffFiltStorageType, spdIpOffFiltRowStatus }
STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy IP Offset Filter Table." ::= { spdGroups 7 }
STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy IP Offset Filter Table." ::= { spdGroups 7 }
spdTimeFilterGroup OBJECT-GROUP OBJECTS { spdTimeFiltPeriod, spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask, spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMask,
spdTimeFilterGroup对象组对象{spdTimeFiltPeriod,spdTimeFiltMonthOfYearMask,spdTimeFiltDayOfMonthMask,spdTimeFiltDayOfWeekMask,spdTimeFiltTimeOfDayMask,
spdTimeFiltLastChanged, spdTimeFiltStorageType, spdTimeFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Time Filter Table." ::= { spdGroups 8 }
spdTimeFiltLastChanged, spdTimeFiltStorageType, spdTimeFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Time Filter Table." ::= { spdGroups 8 }
spdIpsoHeaderFilterGroup OBJECT-GROUP OBJECTS { spdIpsoHeadFiltType, spdIpsoHeadFiltClassification, spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged, spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy IPSO Header Filter Table." ::= { spdGroups 9 }
spdIpsoHeaderFilterGroup OBJECT-GROUP OBJECTS { spdIpsoHeadFiltType, spdIpsoHeadFiltClassification, spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged, spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy IPSO Header Filter Table." ::= { spdGroups 9 }
-- -- action compliance groups --
----行动合规小组--
spdStaticActionGroup OBJECT-GROUP OBJECTS { spdDropAction, spdAcceptAction, spdDropActionLog, spdAcceptActionLog } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Static Actions." ::= { spdGroups 10 }
spdStaticActionGroup OBJECT-GROUP OBJECTS { spdDropAction, spdAcceptAction, spdDropActionLog, spdAcceptActionLog } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Static Actions." ::= { spdGroups 10 }
spdCompoundActionGroup OBJECT-GROUP OBJECTS { spdCompActExecutionStrategy, spdCompActLastChanged, spdCompActStorageType,
spdCompoundActionGroup对象组对象{spdCompActExecutionStrategy,spdCompActLastChanged,spdCompActStorageType,
spdCompActRowStatus, spdSubActSubActionName, spdSubActLastChanged, spdSubActStorageType, spdSubActRowStatus } STATUS current DESCRIPTION "The IPsec Policy Compound Action Table and Actions In
SPDSCompactRowstatus、spdSubActSubActionName、spdSubActLastChanged、spdSubActStorageType、spdSubActRowStatus}状态当前描述“IPsec策略复合操作表和中的操作”
Compound Action Table Group." ::= { spdGroups 11 }
Compound Action Table Group." ::= { spdGroups 11 }
spdActionLoggingObjectGroup OBJECT-GROUP OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection, spdPacketPart } STATUS current DESCRIPTION "This group is made up of all the Notification objects for this MIB." ::= { spdGroups 12 }
spdActionLoggingObjectGroup OBJECT-GROUP OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection, spdPacketPart } STATUS current DESCRIPTION "This group is made up of all the Notification objects for this MIB." ::= { spdGroups 12 }
spdActionNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { spdActionNotification, spdPacketNotification } STATUS current DESCRIPTION "This group is made up of all the Notifications for this MIB." ::= { spdGroups 13 }
spdActionNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { spdActionNotification, spdPacketNotification } STATUS current DESCRIPTION "This group is made up of all the Notifications for this MIB." ::= { spdGroups 13 }
END
终止
This document defines a MIB module used to configure IPsec policy services. Since IPsec provides network security services, all of its configuration data (e.g., this entire MIB) SHOULD be as secure or more secure than any of the security services IPsec provides. There are two main threats you need to protect against when configuring IPsec devices.
本文档定义了用于配置IPsec策略服务的MIB模块。由于IPsec提供网络安全服务,其所有配置数据(例如,整个MIB)应与IPsec提供的任何安全服务一样安全或更安全。在配置IPsec设备时,您需要防范两种主要威胁。
1. Malicious Configuration: This MIB configures network security services. If an attacker has SET access to any part of this MIB, the network security services configured by this MIB SHOULD be considered broken. The network data sent through the associated gateway should no longer be considered as protected by IPsec (i.e., it is no longer confidential or authenticated). Therefore, only the official administrators SHOULD be allowed to configure a device. In other words, administrators' identities SHOULD be authenticated and their access rights checked before they are allowed to do device configuration. The support for SET operations to the SPD MIB in a non-secure environment, without proper protection, will invalidate the security of the network traffic affected by the SPD MIB.
1. 恶意配置:此MIB配置网络安全服务。如果攻击者设置了对此MIB任何部分的访问权限,则应认为此MIB配置的网络安全服务已断开。通过相关网关发送的网络数据不应再被视为受IPsec保护(即,它不再是机密或经过身份验证的)。因此,应该只允许官方管理员配置设备。换句话说,在允许管理员进行设备配置之前,应该对其身份进行身份验证并检查其访问权限。在不安全的环境中支持对SPD MIB的SET操作,如果没有适当的保护,将使受SPD MIB影响的网络流量的安全性失效。
2. Disclosure of Configuration: In general, malicious parties SHOULD NOT be able to read security configuration data while the data is in network transit. An attacker reading the configuration data may be able to find misconfigurations in the MIB that enable attacks to the network or to the configured node. Since this entire MIB is used for security configuration, it is highly RECOMMENDED that only authorized administrators are allowed to view data in this MIB. In particular, malicious users SHOULD be prevented from reading SNMP packets containing this MIB's data. SNMP GET data SHOULD be encrypted when sent across the network. Also, only authorized administrators SHOULD be allowed SNMP GET access to any of the MIB objects.
2. 配置披露:一般来说,恶意方在网络传输数据时不应能够读取安全配置数据。读取配置数据的攻击者可能会在MIB中发现错误配置,从而对网络或配置的节点发起攻击。由于整个MIB用于安全配置,因此强烈建议仅允许授权管理员查看此MIB中的数据。特别是,应防止恶意用户读取包含此MIB数据的SNMP数据包。SNMP GET数据在通过网络发送时应加密。此外,应该只允许授权管理员访问任何MIB对象。
SNMP versions prior to SNMPv3 do not include adequate security. Even if the network itself is secure (e.g., by using IPsec), earlier versions of SNMP have virtually no control as to who on the secure network is allowed to access (i.e., read/change/create/delete) the objects in this MIB module.
SNMPv3之前的SNMP版本没有足够的安全性。即使网络本身是安全的(例如,通过使用IPsec),早期版本的SNMP实际上无法控制安全网络上的谁可以访问(即,读取/更改/创建/删除)此MIB模块中的对象。
It is RECOMMENDED that implementers use the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).
建议实施者使用SNMPv3框架提供的安全功能(参见[RFC3410],第8节),包括对SNMPv3加密机制的完全支持(用于身份验证和隐私)。
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to GET or SET (change/create/delete) them.
此外,不建议部署SNMPv3之前的SNMP版本。相反,建议部署SNMPv3并启用加密安全性。然后,客户/运营商有责任确保授予访问此MIB模块实例权限的SNMP实体正确配置为仅授予具有获取或设置(更改/创建/删除)对象的合法权限的主体(用户)访问对象。
Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use SNMP version 3. The rest of this discussion assumes the use of SNMPv3. This is a real strength, because it allows administrators the ability to load new IPsec configuration on a device and keep the conversation private and authenticated under the protection of SNMPv3 before any IPsec protections are available. Once initial establishment of IPsec configuration on a device has been achieved, it would be possible to set up IPsec SAs to then also provide security and integrity services to the configuration conversation. This may seem redundant at first, but will be shown to have a use for added privacy protection below.
因此,在IPSEC-SPD-MIB中配置数据时,应使用SNMP版本3。本讨论的其余部分假设使用SNMPv3。这是一个真正的优势,因为它允许管理员在设备上加载新的IPsec配置,并在任何IPsec保护可用之前,在SNMPv3的保护下保持会话的私有性和身份验证。一旦在设备上实现IPsec配置的初始建立,就可以设置IPsec SAs,然后还可以为配置对话提供安全性和完整性服务。这在一开始似乎是多余的,但在下文中会显示出对增加隐私保护的作用。
The current SNMPv3 User Security Model provides for key-based user authentication. Typically, keys are derived from passwords (but are not required to be), and the keys are then used in Hashed Message Authentication Code (HMAC) algorithms (currently, MD5 and SHA-1 HMACs are defined) to authenticate all SNMP data. Each SNMP device keeps a (configured) list of users and keys. Under SNMPv3 user keys may be updated as often as an administrator cares to have users enter new passwords. But Perfect Forward Secrecy for user keys in SNMPv3 is not yet provided by standards track documents, although RFC2786 defines an experimental method of doing so.
当前的SNMPv3用户安全模型提供了基于密钥的用户身份验证。通常,密钥是从密码派生的(但不要求是),然后在哈希消息身份验证码(HMAC)算法(目前定义了MD5和SHA-1 HMAC)中使用这些密钥对所有SNMP数据进行身份验证。每个SNMP设备都保留一个(已配置)用户和密钥列表。在SNMPv3下,只要管理员愿意让用户输入新密码,就可以随时更新用户密钥。但标准跟踪文档尚未提供SNMPv3中用户密钥的完美前向保密性,尽管RFC2786定义了这样做的实验方法。
While sending IPsec configuration data to a Policy Enforcement Point (PEP), there are a few critical parameters that MUST NOT be observed by third parties. Specifically, except for public keys, keying information MUST NOT be allowed to be observed by third parties. This includes IKE Pre-Shared Keys and possibly the private key of a public/private key pair for use in a PKI. Were either of those parameters to be known to a third party, they could then impersonate the device to other IKE peers. Aside from those critical parameters, policy administrators have an interest in not divulging any of their policy configuration. Any knowledge about a device's configuration could help an unfriendly party compromise that device. SNMPv3 offers privacy security services, but at the time this document was written, the only standardized encryption algorithm supported by SNMPv3 is the
将IPsec配置数据发送到策略实施点(PEP)时,有几个关键参数是第三方不能遵守的。特别是,除公钥外,第三方不得观察密钥信息。这包括IKE预共享密钥,可能还包括用于PKI的公钥/私钥对的私钥。如果第三方知道这些参数中的任何一个,他们就可以向其他IKE对等方模拟设备。除了这些关键参数外,策略管理员还希望不泄露他们的任何策略配置。任何关于设备配置的知识都可能帮助不友好的一方破坏该设备。SNMPv3提供隐私安全服务,但在编写本文档时,SNMPv3支持的唯一标准化加密算法是
DES encryption algorithm. Support for other (stronger) cryptographic algorithms is in the works and may be completed by the time you read this. As of October 2006, there is a stronger standards track algorithm: AES [RFC3826]. When configuring the IPsec policy using this MIB, policy administrators SHOULD use a privacy security service that is at least as strong as the desired IPsec policy, e.g., If an administrator were to use this MIB to configure an IPsec connection that utilizes a AES algorithms, the SNMP communication configuring the connection SHOULD be protected by an algorithm as strong or stronger than the AES algorithm.
DES加密算法。对其他(更强)加密算法的支持正在进行中,可能会在您阅读本文时完成。截至2006年10月,有一种更强的标准跟踪算法:AES[RFC3826]。使用此MIB配置IPsec策略时,策略管理员应使用至少与所需IPsec策略一样强大的隐私安全服务,例如,如果管理员使用此MIB配置使用AES算法的IPsec连接,配置连接的SNMP通信应采用与AES算法相同或更强的算法进行保护。
Most vendors will not ship new products with a default SNMPv3 user/ password pair, but it is possible. If a device does ship with a default user/password pair, policy administrators SHOULD either change the password or configure a new user, deleting the default user (or, at a minimum, restrict the access of the default user). Most SNMPv3 distributions should, hopefully, require an out-of-band initialization over a trusted medium, such as a local console connection.
大多数供应商不会提供带有默认SNMPv3用户/密码对的新产品,但这是可能的。如果设备附带默认用户/密码对,策略管理员应更改密码或配置新用户,删除默认用户(或至少限制默认用户的访问)。希望大多数SNMPv3发行版都需要通过可信介质(如本地控制台连接)进行带外初始化。
Only two IANA considerations exist for this document. The first is just the node number allocation of the IPSEC-SPD-MIB itself within the MIB-2 tree. This is listed in the MIB definition in Section 6.
本文件仅存在两个IANA注意事项。第一个是MIB-2树中IPSEC-SPD-MIB本身的节点号分配。这在第6节的MIB定义中列出。
The IPSEC-SPD-MIB also allows for extension action MIBs. Although additional actions are not required to use it, the node spdActions is allocated as a subtree under which IANA can assign additional actions.
IPSEC-SPD-MIB还允许扩展操作MIB。虽然使用它不需要其他操作,但节点spdActions被分配为一个子树,IANA可以在该子树下分配其他操作。
The second IANA consideration is that IANA would be responsible for creating a new subregistry for and assigning nodes under the spdActions subtree. This tree should have a prefix of iso.org.dod.internet.mgmt.mib-2.spdMIB.spdActions and be listed similar to the following:
IANA的第二个考虑因素是,IANA将负责为spdActions子树创建一个新的子区域并分配节点。此树的前缀应为iso.org.dod.internet.mgmt.mib-2.spdMIB.spdActions,并与以下内容类似:
Decimal Name Description References ------- ---- ----------- ----------
Decimal Name Description References ------- ---- ----------- ----------
A documented specification is required in order to assign a number. The action and it's meaning can be specified in an RFC or in another publicly available reference. The specification should have sufficient detail that interoperability between independent implementations is possible. The product of the IETF or of another standards body is acceptable or an assignment can be accepted under
为了分配编号,需要有文件化的规范。可以在RFC或其他公开引用中指定操作及其含义。该规范应具有足够的细节,以确保独立实现之间的互操作性是可能的。IETF或其他标准机构的产品是可接受的,或者根据本协议可以接受转让
the advice of a "designated expert". (contact IANA for the current expert)
“指定专家”的建议。(联系IANA了解当前专家)
Many people contributed thoughts and ideas that influenced this MIB module. Some special thanks are in order to the following people:
许多人贡献了影响这个MIB模块的想法和想法。特别感谢以下人士:
Lindy Foster (Sparta, Inc.) John Gillis (ADC) Roger Hartmuller (Sparta, Inc.) Harrie Hazewinkel Jamie Jason (Intel Corporation) David Partain (Ericsson) Lee Rafalow (IBM) Jon Saperia (JDS Consulting) Eric Vyncke (Cisco Systems)
林迪·福斯特(斯巴达公司)、约翰·吉利斯(ADC)、罗杰·哈特穆勒(斯巴达公司)、哈里·哈泽温克尔(英特尔公司)、杰米·杰森(英特尔公司)、大卫·帕坦(爱立信公司)、李·拉法洛(IBM公司)、乔恩·萨佩里亚(JDS咨询公司)埃里克·温克(思科系统公司)
[RFC1108] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.
[RFC1108]Kent,S.,“美国国防部互联网协议的安全选项”,RFC1108,1991年11月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[RFC2401]Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2578]McCloghrie,K.,Ed.,Perkins,D.,Ed.,和J.Schoenwaeld,Ed.“管理信息的结构版本2(SMIv2)”,STD 58,RFC 2578,1999年4月。
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.
[RFC2579]McCloghrie,K.,Ed.,Perkins,D.,Ed.,和J.Schoenwaeld,Ed.“SMIv2的文本约定”,STD 58,RFC 2579,1999年4月。
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.
[RFC2580]McCloghrie,K.,Perkins,D.,和J.Schoenwaeld,“SMIv2的一致性声明”,STD 58,RFC 25801999年4月。
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.
[RFC2863]McCloghrie,K.和F.Kastenholz,“接口组MIB”,RFC 28632000年6月。
[RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.
[RFC3060]Moore,B.,Ellesson,E.,Strassner,J.,和A.Westerinen,“政策核心信息模型——版本1规范”,RFC 3060,2001年2月。
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002.
[RFC3289]Baker,F.,Chan,K.和A.Smith,“差异化服务体系结构的管理信息库”,RFC 3289,2002年5月。
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.
[RFC3411]Harrington,D.,Presohn,R.,和B.Wijnen,“描述简单网络管理协议(SNMP)管理框架的体系结构”,STD 62,RFC 3411,2002年12月。
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec Configuration Policy Information Model", RFC 3585, August 2003.
[RFC3585]Jason,J.,Rafalow,L.,和E.Vyncke,“IPsec配置策略信息模型”,RFC 3585,2003年8月。
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[RFC3629]Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,2003年11月。
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005.
[RFC4001]Daniele,M.,Haberman,B.,Routhier,S.,和J.Schoenwaeld,“互联网网络地址的文本约定”,RFC 4001,2005年2月。
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
[RFC4301]Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 43012005年12月。
[IPsec-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IPsec Action MIB", Work in Progress, October 2006.
[IPsec行动]Baer,M.,Charlet,R.,Hardaker,W.,Story,R.,和C.Wang,“IPsec安全策略IPsec行动MIB”,正在进行的工作,2006年10月。
[IKE-ACTION] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IKE Action MIB", Work in Progress, October 2006.
[IKE-ACTION]Baer,M.,Charlet,R.,Hardaker,W.,Story,R.,和C.Wang,“IPsec安全策略IKE-ACTION MIB”,正在进行的工作,2006年10月。
[IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper", November 2000.
[IPPMWP]Lortz,V.和L.Rafalow,“IPsec政策模式白皮书”,2000年11月。
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.
[RFC3410]Case,J.,Mundy,R.,Partain,D.,和B.Stewart,“互联网标准管理框架的介绍和适用性声明”,RFC 34102002年12月。
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, June 2004.
[RFC3826]Blumenthal,U.,Maino,F.,和K.McCloghrie,“基于SNMP用户的安全模型中的高级加密标准(AES)密码算法”,RFC 3826,2004年6月。
Authors' Addresses
作者地址
Michael Baer Sparta, Inc. P.O. Box 72682 Davis, CA 95617 US
美国加利福尼亚州戴维斯市迈克尔·贝尔·斯巴达公司邮政信箱72682,邮编95617
EMail: baerm@tislabs.com
EMail: baerm@tislabs.com
Ricky Charlet Self
里基·查尔特·赛尔夫
EMail: rcharlet@alumni.calpoly.edu
EMail: rcharlet@alumni.calpoly.edu
Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 US
美国加利福尼亚州戴维斯市韦斯哈达克斯巴达公司邮政信箱382号,邮编95617
Phone: +1 530 792 1913 EMail: hardaker@tislabs.com
Phone: +1 530 792 1913 EMail: hardaker@tislabs.com
Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 US
Robert Story Revelstone软件邮箱1812美国佐治亚州塔克市30085
EMail: rstory@ipsp.revelstone.com
EMail: rstory@ipsp.revelstone.com
Cliff Wang ARO 4300 S. Miami Blvd Durham, NC 27703 US
美国北卡罗来纳州达勒姆迈阿密大道南4300号克里夫王阿罗,邮编27703
EMail: cliffwangmail@yahoo.com
EMail: cliffwangmail@yahoo.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。