idnits 2.17.00 (12 Aug 2021)

/tmp/idnits47388/draft-kzm-imss-fc-fcsp-mib-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 10467.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 10478.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 10485.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 10491.

  ** The document seems to lack an RFC 3978 Section 5.4 (updated by RFC 4748)
     Copyright Line.

  ** The document seems to lack an RFC 3978 Section 5.4 Reference to BCP 78.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 4405 has weird spacing: '...ribType t11...'

  == Line 6263 has weird spacing: '...ribType t11...'

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (12 June 2007) is 5457 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 4306 (Obsoleted by RFC 5996)

  -- No information found for draft-ietf-imss-fc-zs-mib-nn - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'FC-ZS-MIB'

  -- No information found for draft-ietf-ipsp-ikeaction-mib-nn - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'IPSP-IKE-ACTION'

  -- No information found for draft-ietf-ipsp-ipsecaction-mib-nn - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref.
     'IPSP-IPSEC-ACTION'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FC-FS-2'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FC-GS-5'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FC-SP'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FC-SW-4'

  -- Obsolete informational reference (is this intentional?): RFC 2837
     (Obsoleted by RFC 4044)

  -- Obsolete informational reference (is this intentional?): RFC 3588
     (Obsoleted by RFC 6733)

  -- No information found for draft-ietf-imss-fc-rscn-mib-nn - is the name
     correct?

  -- No information found for draft-ietf-imss-fc-fcs-mib-nn - is the name
     correct?

     Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 21 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1    INTERNET-DRAFT                                                C. DeSanti
2                                                                    F. Maino
3                                                               K. McCloghrie
4                                                               Cisco Systems
5                                                                12 June 2007

7                MIB for Fibre-Channel Security Protocols (FC-SP)
8                       draft-kzm-imss-fc-fcsp-mib-00.txt

10   Status of this Memo

12      By submitting this Internet-Draft, each author represents that any
13      applicable patent or other IPR claims of which he or she is aware
14      have been or will be disclosed, and any of which he or she becomes
15      aware will be disclosed, in accordance with Section 6 of BCP 79.

17      Internet-Drafts are working documents of the Internet Engineering
18      Task Force (IETF), its areas, and its working groups.  Note that
19      other groups may also distribute working documents as Internet-
20      Drafts.

22      Internet-Drafts are draft documents valid for a maximum of six months
23      and may be updated, replaced, or obsoleted by other documents at any
24      time.  It is inappropriate to use Internet-Drafts as reference
25      material or to cite them other than as "work in progress".

27      The list of current Internet-Drafts can be accessed at
28      http://www.ietf.org/ietf/1id-abstracts.txt.

30      The list of Internet-Draft Shadow Directories can be accessed at
31      http://www.ietf.org/shadow.html.

33   Abstract

35      This memo defines a portion of the Management Information Base (MIB)
36      for use with network management protocols in the Internet community.
37      In particular, it describes managed objects for information related
38      to FC-SP, the Security Protocols defined for Fibre Channel.

40   Table of Contents

42      1 Introduction
43      1.1 Change Log
44      2 The Internet-Standard Management Framework
45      3 Overview of Fibre Channel
46      3.1 Introduction
47      3.2 Zoning
48      3.3 Virtual Fabrics
49      3.4 Security
50      3.5 Authentication
51      3.6 Security Associations
52      3.7 Fabric Security Policies
53      3.8 Policy Model
54      3.9 Policy Objects
55      3.9.1 Policy Object Names
56      3.10 Three Kinds of Switches
57      3.11 Security Policy Management
58      3.12 FC-SP Zoning
59      4 Document Overview
60      4.1 Fibre Channel management instance
61      4.2 Entity Name
62      4.3 Fabric Index
63      4.4 Interface Index
64      4.5 Syntax for Policy Object Names
65      4.6 Certificates, CAs and CRLs
66      4.7 Traffic Selectors
67      4.8 The MIB Modules
68      4.9 Rate Control for Notifications
69      5 Relationship to Other MIB Modules
70      6 MIB Module Definitions
71      6.1 The T11-FC-SP-TC-MIB Module
72      6.2 The T11-FC-SP-AUTHENTICATION-MIB Module
73      6.3 The T11-FC-SP-ZONING-MIB Module
74      6.4 The T11-FC-SP-POLICY-MIB Module
75      6.5 The T11-FC-SP-SA-MIB Module
76      6.6 The T11-FC-SP-CERTS-MIB Module
77      7 Acknowledgements
78      8 Normative References
79      9 Informative References
80      10 IANA Considerations
81      11 Security Considerations
82      12 Authors' Addresses

84   1.  Introduction

86      This memo defines a portion of the Management Information Base (MIB)
87      for use with network management protocols in the Internet community.
88      In particular, it describes managed objects for information
89      concerning the Fibre Channel Security Protocols (FC-SP), as specified
90      in [FC-SP].  The FC-SP standard includes the definition of protocols
91      to authenticate Fibre Channel entities, protocols to set up session
92      keys, protocols to negotiate the parameters required to ensure frame-
93      by-frame integrity and confidentiality, and protocols to establish
94      and distribute policies across a Fibre Channel Fabric.

96      This memo was initially developed by the INCITS T11 committee
97      (http://www.t11.org) who subsequently approved it for forwarding to
98      the IETF for consideration as an "Intended status: Proposed" Internet
99      Standard.  Thus, this Internet-Draft is being submitted to the
100     IETF's IMSS working group.

102     This memo uses one of the following terms:

104        The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
105        NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
106        in this document are to be interpreted as described in BCP 14, RFC
107        2119 [RFC2119].

109  1.1.  Change Log

111     This section to be deleted before publication as an RFC.

113  1.1.1.  Initial version

115     The initial version was submitted to T11.5 as T11/06-554v0 on 4
116     August 2006.

118  1.1.2.  September 2006 version

120     The following changes were made for the version that was submitted to
121     T11.5 on 29 September 2006 as T11/06-554v1.txt.

123     - Added t11FcSpZoneSetHashStatus.

125     - Modified t11FcSpAuSendRejNotifyEnable to be just for sending
126       AUTH_Reject messages, and added t11FcSpAuRcvRejNotifyEnable.

128     - Added note in the Security Considerations section to say that DH-
129       CHAP secrets need to be managed by mechanisms other than the MIB
130       modules defined here because they are "highly sensitive".

132     - Added definitions for T11FcSpPolicyObjectType T11FcSpPolicyNameType
133       T11FcSpPolicyName T11FcSpAlphaNumName T11FcSpAlphaNumNameOrNull in
134       the T11-FC-SP-TC-MIB module.

136     - Began defining the T11-FC-SP-POLICY-MIB module.

138  1.1.3.  December 2006 version

140     The following changes were made for the version that was submitted to
141     T11.5 on 4 December 2006 as T11/06-554v2.txt.

143     - Added Fibre Channel Overview sub-sections on Zoning, Security,
144       Authentication, Security Associations, Fabric Security Policies,
145       Policy Model, Policy Objects, Three Kinds of Switches, Security
146       Policy Management and FC-SP Zoning.

148     - Added a MIB Overview sub-section on Entity Names.

150     - Added the t11FcSpAuServerProtocol object, and defined
151       t11FcSpAuServerProtocolRadius, t11FcSpAuServerProtocolDiameter and
152       t11FcSpAuServerProtocolTacacs as possible values.

154     - Clarified the value of t11FcSpAuEntityName as being either the
155       value of fcmSwitchWWN (for Switches) or the appropriate value of
156       fcmInstanceWwn (otherwise).

158     - Added Compliance section for T11-FC-SP-AUTHENTICATION-MIB.

160     - Added T11FcSpAlphaNumNameOrNull as a new TC.

162     - Moved the t11FcSpAuIkev2Auth object to the T11-FC-SP-SA-MIB.

164     - Completed most of the T11-FC-SP-POLICY-MIB module.

166  1.1.4.  2 February 2007 version

168     The following changes were made for the version that was submitted to
169     T11.5 on 2 February 2007 as T11/07-037v0.txt.

171     - Added the generic t11FcSpPoAttribExtension object to point to
172       objects for specific information extracted out of Attribute Policy
173       Objects, and the t11FcSpPoAuthProtTable table to hold
174       Authentication Protocol Identifiers & Parameters extracted out of
175       an Attribute Policy Object containing a 'AUTH_Negotiate Message
176       Payload'.

178     - Changed the syntax of the Names of IP Management Entries, to use
179       one InetAddressType object and two InetAddress objects instead of
180       using one T11FcSpPolicyNameType object and one T11FcSpPolicyName
181       object.

183     - Changed the semantics of the t11FcSpPoTmpSummryTable to be non-
184       volatile and part of the Non-Active Policy Objects, and
185       correspondingly renamed it to be the t11FcSpPoNaSummaryTable.

187     - Defined the t11FcSpPoStatsTable.

189     - Defined the syntax for t11FcSpPoRejectReasonCode and
190       t11FcSpPoRejectReasonCodeExp in the TC-MIB.

192     - Completed the Fibre Channel Overview section.  Updated the Document
193       Overview section.

195     - Added Compliance section in the T11-FC-SP-POLICY-MIB.

197     - Wrote the T11-FC-SP-SA-MIB and T11-FC-SP-CERTS-MIB modules.

199     - Edited all six MIB modules to get them to compile.

201  1.1.5.  26 February 2007 version

203     The following changes were made for the version that was submitted to
204     T11.5 on 26 February 2007 as T11/07-037v1.txt.

206     - Added an overview section on Policy Object names to explain when
207       their syntax is (T11FcSpPolicyNameType, T11FcSpPolicyName) versus
208       when it is (InetAddressType, InetAddress, InetAddress).

210     - Clarified t11FcSpPoIpMgmtEntry's DESCRIPTION to explain that an
211       address range is specified as two addresses: the low and high ends
212       of the range.

214     - Added the t11FcSpPoNaAttribExtension object and the
215       t11FcSpPoNaAuthProtTable table as the non-active Policy
216       counterparts to the t11FcSpPoAttribExtension object and the
217       t11FcSpPoAuthProtTable table.

219     - Added the t11FcSpSaNotifyLifeExceeded notification and its related
220       objects: t11FcSpSaControlLifeExcdEnable,
221       t11FcSpSaControlLifeExcdSpi, t11FcSpSaControlLifeExcdDir and
222       t11FcSpSaControlLifeExcdTime.

224     - Added text to DESCRIPTIONs of t11FcSpSaTSelPropEntry and
225       t11FcSpSaTransEntry to explain that they are proposed or accepted
226       only as a combination pointed to by a row in the
227       t11FcSpSaPropTable.

229     - Corrected the MAX-ACCESS of t11FcSpActiveZoneSetHash and
230       t11FcSpZoneSetDatabaseHash to be read-only.

232     - Changed the statistics table in the T11-FC-SP-AUTHENTICATION-MIB
233       module so that it provides a mapping of Authentication entities
234       onto interfaces, as well as statistics for each such mapping.
235       Changed its name to be t11FcSpAuIfStatsTable to reflect the
236       additional purpose.  Changed the t11FcSpAuStatTimeouts object to be
237       mandatory so that implementation of this table is mandatory, so
238       that management applications can reliably use it to determine which
239       Authentication Entity is operating on which interfaces.

241     - Extended the t11FcSpAuRejectSentNotify and
242       t11FcSpAuRejectReceivedNotify notifications so that they are also
243       used in the case of terminating an Authentication Transaction via an
244       SW_RJT or LS_RJT.

246     - Added the Authentication Entity's name in the INDEX clause of the
247       t11FcSpCertsTable table.

249     - Completed the Security Considerations section.

251     - Many editorial changes.

253  1.1.6.  11 April 2007 version

255     The following changes were made for the version that was submitted to
256     T11.5 on 11 April 2007 as T11/07-037v2.txt.

258     - The term "lifesize" was changed to "lifetime in passed bytes".
259       Also, since 2^^32 is not a large enough range for the number of
260       passed bytes, the "number of passed bytes" is now specified as two
261       objects: one object for the value and another object for the units
262       of that value.  This units object is now also used to distinguish
263       between a time interval in passed bytes and a time interval in
264       units of seconds.

266     - Many editorial changes.

268  1.1.7.  3 May 2007 version

270     The following changes were made for the version that was submitted to
271     T11.5 on 3 May 2007 as T11/07-037v3.txt.

273     - Added FCAP in t11FcSpPoAuthProtIdentifier's DESCRIPTION.

275     - Editorial changes.

277  1.1.8.  12 June 2007 version

279     The following changes were made for the version that was submitted to
280     IETF on 12 June 2007 as draft-kzm-imss-fc-fcsp-mib-00.txt :

282     - The Introduction section was changed to reflect the submission of
283       this memo to the IETF's IMSS Working Group.

285  2.  The Internet-Standard Management Framework

287     For a detailed overview of the documents that describe the current
288     Internet-Standard Management Framework, please refer to section 7 of
289     RFC 3410 [RFC3410].

291     Managed objects are accessed via a virtual information store, termed
292     the Management Information Base or MIB.  MIB objects are generally
293     accessed through the Simple Network Management Protocol (SNMP).
294     Objects in the MIB are defined using the mechanisms defined in the
295     Structure of Management Information (SMI).  This memo specifies a MIB
296     module that is compliant to the SMIv2, which is described in STD 58,
297     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
298     [RFC2580].

300  3.  Overview of Fibre Channel

302  3.1.  Introduction

304     The Fibre Channel (FC) is logically a bidirectional point-to-point
305     serial data channel, structured for high performance.  Fibre Channel
306     provides a general transport vehicle for higher level protocols such
307     as Small Computer System Interface (SCSI) command sets, the High-
308     Performance Parallel Interface (HIPPI) data framing, IP (Internet
309     Protocol), IEEE 802.2, and others.

311     Physically, Fibre Channel is an interconnection of multiple
312     communication points, called N_Ports, interconnected either by a
313     switching network, called a Fabric, or by a point-to-point link.  A
314     Fibre Channel "Node" consists of one or more N_Ports.  A Fabric may
315     consist of multiple Interconnect Elements, some of which are
316     Switches.  An N_Port connects to the Fabric via a port on a Switch
317     called an F_Port.  When multiple FC Nodes are connected to a single
318     port on a Switch via an "Arbitrated Loop" topology, the Switch port
319     is called an FL_Port, and the Nodes' ports are called NL_Ports.  The
320     term Nx_Port is used to refer to either an N_Port or an NL_Port.  The
321     term Fx_Port is used to refer to either an F_Port or an FL_Port.  A
322     Switch port, which is interconnected to another Switch port via an
323     Inter-Switch Link (ISL), is called an E_Port.  A B_Port connects a
324     bridge device with an E_Port on a Switch; a B_Port provides a subset
325     of E_Port functionality.

327     Many Fibre Channel components, including the Fabric, each Node, and
328     most ports, have globally-unique names.  These globally-unique names
329     are typically formatted as World Wide Names (WWNs).  More information
330     on WWNs can be found in [FC-FS-2].  WWNs are expected to be
331     persistent across agent and unit resets.

333     Fibre Channel frames contain 24-bit address identifiers which
334     identify the frame's source and destination ports.  Each FC port has
335     both an address identifier and a WWN.  When a Fabric is in use, the
336     FC address identifiers are dynamic and are assigned by a Switch.
337     Each octet of a 24-bit address represents a level in an address
338     hierarchy, with a Domain_ID being the highest level of the hierarchy.

340  3.2.  Zoning

342     Zones within a Fabric provide a mechanism to control frame delivery
343     between Nx_Ports ("Hard Zoning") or to expose selected views of Name
344     Server information ("Soft Zoning").

346     Communication is only possible when the communicating endpoints are
347     members of a common zone.  This technique is similar to virtual
348     private networks in that the Fabric has the ability to group devices
349     into Zones.

351     Hard zoning and soft zoning are two different means of realizing
352     this.  Hard zoning is enforced in the Fabric (i.e., Switches) whereas
353     soft zoning is enforced at the endpoints (e.g., HBAs) by relying on
354     the endpoints to not send traffic to an N_Port_ID not obtained from
355     the Name Server with a few exceptions for well known Addresses (e.g.,
356     the Name Server).

358     Administrators create Zones to increase network security, and prevent
359     data loss or corruption, by controlling access between devices or
360     user groups.

362  3.3.  Virtual Fabrics

364     The standard for an interconnecting Fabric containing multiple Fabric
365     Switch elements is [FC-SW-4].  [FC-SW-4] carries forward the earlier
366     specification for the operation of a single Fabric in a physical
367     infrastructure, and augments it with the definition of Virtual
368     Fabrics and with the specification of how multiple Virtual Fabrics
369     can operate within one (or more) physical infrastructures.  The use
370     of Virtual Fabrics provides for each frame to be tagged in its header
371     to indicate which one of several Virtual Fabrics that frame is being
372     transmitted on.  All frames entering a particular "Core Switch" [FC-
373     SW-4] (i.e., a physical Switch) on the same Virtual Fabric are
374     processed by the same "Virtual Switch" within that Core Switch.

376  3.4.  Security

378     The Fibre Channel Security Protocols (FC-SP) standard [FC-SP]
379     describes the protocols used to implement security in a Fibre Channel
380     Fabric, including the definition of:

382        - protocols to authenticate Fibre Channel entities,
383        - protocols to set up session keys,
384        - protocols to negotiate the parameters required to ensure frame-
385          by-frame integrity and confidentiality, and
386        - protocols to establish and distribute (security) policies across
387          a Fibre Channel Fabric.

389  3.5.  Authentication

391     Two entities may negotiate whether authentication is required and
392     which Authentication Protocol is to be used.  Authentication can be
393     used in Switch to Switch, Node to Switch, and Node to Node
394     communication.  The defined Authentication Protocols are able to
395     perform mutual authentication with optional shared key establishment.
396     The shared key computed at the end of an Authentication Transaction
397     may be used to establish Security Associations.

399     The Fabric security architecture is defined for several
400     authentication infrastructures.  Secret-based, certificate-based, and
401     password-based authentication infrastructures are accommodated.
402     Specific authentication protocols that directly leverage these three
403     authentication infrastructures are defined.

405     With a secret-based infrastructure, entities within the Fabric
406     environment that establish a security relationship share a common
407     secret or centralize the secret administration in an external (e.g.,
408     RADIUS [RFC2865], Diameter [RFC3588] or TACACS [RFC1492]) server.
409     Entities may mutually authenticate with other entities by using the
410     Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP)
411     [FC-SP].  Security Associations may be set up using the session key
412     computed at the end of the DH-CHAP transaction.
414 With a certificate-based infrastructure, entities within the Fabric 415 environment are certified by a trusted Certificate Authority (CA). 416 The resulting certificates bind each entity to a public-private key 417 pair that may be used to mutually authenticate with other certified 418 entities via the Fibre Channel Certificate Authentication Protocol 419 (FCAP) [FC-SP]. Security Associations may be set up by using these 420 entity certificates and associated keys or by using the session key 421 computed at the end of the FCAP transaction. 423 With a password-based infrastructure, entities within the Fabric 424 environment that establish a security relationship have knowledge of 425 the password-based credential material of other entities. Entities 426 may use this credential material to mutually authenticate with other 427 entities using the Fibre Channel Password Authentication Protocol 428 (FCPAP) [FC-SP]. Security Associations may be set up using the 429 session key computed at the end of the FCPAP transaction. 431 In addition to DH-CHAP, FCAP and FCPAP, one other Authentication 432 Protocol is defined: IKEv2-AUTH, which refers to the use of an SA 433 Management Transaction of the Security Association Management 434 Protocol (see below) to perform two functions: not only SA management 435 but also authentication. The credentials used in an IKEv2-AUTH 436 transaction are either strong shared secrets or certificates. 438 3.6. Security Associations 440 A subset of the IKEv2 protocol [RFC4306] suitable for Fibre Channel 441 is defined as the (Fibre Channel) Security Association Management 442 protocol [RFC4595]. This protocol provides the means to establish 443 Security Associations (SAs) between Fibre Channel entities. Traffic 444 Selectors are defined to specify which type of traffic has to be 445 protected by which SA, and what the characteristics of the protection 446 are. 
Two mechanisms are available to protect specific classes of 447 traffic: ESP_Header is used to protect FC-2 frames (see [FC-FS-2] and 448 [RFC4303]), and CT_Authentication is used to protect CT_IUs (Common 449 Transport Information Units) [FC-GS-5]. 451 An entity protecting specific classes of traffic maintains an 452 internal Security Association Database (SADB) that contains the 453 currently active Security Associations and Traffic Selectors. 455 Each active SA has a Security Association entry in the SADB. Each SA 456 entry includes the SA's SPI (the Security Parameters Index which is 457 included in frames transmitted on the SA), a Sequence Number counter, 458 and the parameters for the selected transforms (e.g., encryption 459 algorithm, integrity algorithm, mode of operation of the algorithms, 460 keys). 462 Each active Traffic Selector has an entry in the SADB which indicates 463 whether it is used for ingress traffic or for egress traffic. These 464 Traffic Selector entries are ordered such that they are searched 465 (when checking for a match) in the given order. Two types of Traffic 466 Selector entries may be present: 468 - Traffic Selectors entries identifying FC-2 frames or CT_IUs to be 469 bypassed or discarded; and 471 - Traffic Selectors entries identifying FC-2 frames or CT_IUs to be 472 protected or verified. These entries point to the corresponding SA 473 entry defining the parameters and the security processing to be 474 performed. 476 SAs are unidirectional but they always exist as an SA pair of the 477 same type, one in each direction. 479 3.7. Fabric Security Policies 481 Two separate approaches to defining Policies are adopted in FC-SP, 482 but both approaches follow the same general concept for their Policy 483 model. One is the definition of a Policy Model for Fabric Policies 484 which focus on Security. 
These Security Policies specify the 485 membership and connectivity allowed within a Fabric, and also which 486 IP hosts are allowed to manage a Fabric. 488 The other approach is to define a variant of the Enhanced Zoning 489 model defined in [FC-SW-4] and [FC-GS-5], such that the variant 490 specifies extensions for use in a secure environment. This variant 491 of Zoning, denoted as "FC-SP Zoning", follows the same general 492 concepts of the Policy model for Security Policies, but keeps Zoning 493 management and enforcement completely independent from the management 494 and enforcement of other policies. 496 3.8. Policy Model 498 Figure 25 of [FC-SP] depicts FC-SP's policy management model like 499 this: 501 ***** ************************ 502 * * * Policy * ********************* 503 * M * Add, * Configuration * * Policy * 504 * A * Get, * Entity * * Enforcement * 505 * N * Remove * * * Entity * 506 * A * Policy * +----------------+ * * * 507 * G * Objects * | Non-Active | * * +-------------+ * 508 * I *<-------->* | Policy Objects |==*====*=>| Active | * 509 * N * * +----------------+ * * | Policy | * 510 * G * ************************ * | Objects | * 511 * * * +-------------+ * 512 * * Activate Policy Summary * * 513 * E *=====================================>* +-------------+ * 514 * N * Deactivate Policy Summary * | Policy | * 515 * T *=====================================>* | Summary | * 516 * I * * | Object | * 517 * T * Get Policy Summary * +-------------+ * 518 * Y *<-------------------------------------* * 519 * * Get Policy Objects * * 520 * *<-------------------------------------* * 521 ***** ********************* 523 3.9. Policy Objects 525 The Policies to be enforced by a Fabric are specified in a set of 526 Policy Objects. The various types of Policy Objects are: 528 - The Policy Summary Object is a list of pointers to other Policy 529 Objects, one pointer per each other active Policy Object. 
Each 530 pointer in a Policy Summary Object is paired with a cryptographic 531 hash of the referenced Policy Object. 533 - The Switch Membership List Object is a Fabric-wide Policy Object 534 that defines which Switches are allowed to be part of a Fabric. 536 - The Node Membership List Object is a Fabric-wide Policy Object that 537 defines which Nodes are allowed to be connected to a Fabric. 539 - The IP Management List Object is a Fabric-wide Policy Object that 540 describes which IP hosts are allowed to manage a Fabric. 542 - A Switch Connectivity Object is a per-Switch Policy Object that 543 describes the topology restrictions for a specific Switch; it 544 specifies the other Switches or Nodes to which the particular 545 Switch may be connected at the Node level and/or at the Port level. 547 - Attribute Objects are Fabric-wide Policy Objects that define 548 optional attributes to be associated with Switches or Nodes. They 549 allow the extension of this policy model by defining new attributes 550 as required. 552 When FC-SP is in use, each Fabric has a set of active Policy Objects: 554 - one Policy Summary Object, 555 - one Switch Membership List Object, 556 - one Node Membership List Object, 557 - one IP Management List Object, 558 - zero or more Switch Connectivity Objects, and 559 - zero or more Attribute Objects. 561 The active Policy Objects specify the Policies currently being 562 enforced. In addition, policies not currently being enforced are 563 contained in non-active Policy Objects. To change the active Policy 564 Objects, the non-active Policy Objects are edited as necessary and a 565 new Policy Summary Object which includes/references the changed 566 Policy Objects is activated. 568 3.9.1. Policy Object Names 570 Every Policy Object has a name. In a Fabric's database of Policy 571 Objects, a Policy Object Name is specified as a type/length/value 572 (see section 7.2 of [FC-SP]). 
The possible types are: 574 - Node_Name 575 - Restricted Node_Name 576 - Port_Name 577 - Restricted Port_Name 578 - Wildcard 579 - Negated Wildcard 580 - Alphanumeric Name 581 - IPv6 Address Range 582 - IPv4 Address Range 584 3.10. Three Kinds of Switches 586 For a Fabric composed of n Switches and m Nodes, the potential 587 complexity of Switch Connectivity Objects is O(n**2) to describe 588 Switch to Switch connections, and O(n*m) for Switch to Node 589 connections. To provide better scaling, the Switch Connectivity 590 Objects are not Fabric-wide information such that they are 591 distributed only to where they are needed. To support this, the 592 policy model supports three kinds of Switches in a Fabric: 594 - Server Switches, that maintain the Fabric-wide Policy Objects, all 595 the Switch Connectivity Objects, and a full copy of the FC-SP 596 Zoning Database; 598 - Autonomous Switches, that maintain the Fabric-wide Policy Objects, 599 their own Switch Connectivity Object, and a full copy of the FC-SP 600 Zoning Database; and 602 - Client Switches, that maintain the Fabric-wide Policy Objects, 603 their own Switch Connectivity Object, and a subset of the FC-SP 604 Active Zone Set. 606 3.11. Security Policy Management 608 Security Policy can be changed in a server session [FC-GS-5] with a 609 Security Policy Server. All write access to a Security Policy Server 610 occurs within a server session. While read access to a Security 611 Policy Server may occur at any time, the consistency of the returned 612 data is guaranteed only inside a server session. 614 The Enhanced Commit Service [FC-SW-4] is used to perform Fabric 615 operations as and when necessary (see table 144 of [FC-SP]). Each 616 server session begins and ends, with a SSB request and a SSE request 617 respectively, sent to a Security Policy Server. 
   In the Fabric, the
   SSB requests a lock of the Fabric via an EACA SW_ILS, while the SSE
   requests a release of the lock via the ERCA SW_ILS [FC-SW-4]. Active
   and non-active Policy Objects are persistent in that they survive
   after the end of a server session.

3.12. FC-SP Zoning

   To preserve backward compatibility with existing Zoning definitions
   and implementations, FC-SP Zoning is defined as a variant of the
   Enhanced Zoning model defined in [FC-SW-4] and [FC-GS-5] that follows
   the general concepts of the Policy model for Security Policy
   Management, but keeps Zoning management and enforcement completely
   independent.

   FC-SP Zoning allows for some Switches to retain less than a complete
   replicated copy of the Zoning Database, as follows:

   - Server Switches maintain the policies data structures for all
     Switches in the Fabric plus a replica of the Zoning data
     structures;

   - Autonomous Switches maintain only the subset of policies data
     structures relevant for their operations plus a replica of the
     Zoning Database; and

   - Client Switches maintain only the subset of policies data
     structures and the subset of the Active Zone Set relevant for their
     operations.

   When Client Switches are deployed in a Fabric, at least one Server
   Switch must also be deployed in the same Fabric. A client-server
   protocol allows Client Switches to dynamically retrieve the Zoning
   information they may require from the Server Switches.

   A management application manages the Fabric Zoning configuration
   through the Fabric Zone Server, while other policies are managed
   through the Security Policy Server. A new Zoning Check Protocol
   replaces the Zone Merge Protocol [FC-SW-4], and new command codes are
   defined for the SFC SW_ILS to distribute the FC-SP Zoning
   configuration on a Fabric.
   The Zoning definitions are ordered to
   allow for the computation of a hash of the Active Zone Set and a hash
   of the Zone Set Database, plus other optional security data (e.g.,
   for integrity protection of Zoning information).

4. Document Overview

   This document defines six MIB modules which together provide the
   means for monitoring the operation of, and configuring some
   parameters of, one or more instances of the FC-SP protocols.

4.1. Fibre Channel management instance

   A Fibre Channel management instance is defined in [RFC4044] as a
   separable managed instance of Fibre Channel functionality. Fibre
   Channel functionality may be grouped into Fibre Channel management
   instances in whatever way is most convenient for the
   implementation(s). For example, one such grouping accommodates a
   single SNMP agent having multiple AgentX [RFC2741] sub-agents, with
   each sub-agent implementing a different Fibre Channel management
   instance.

   The object, fcmInstanceIndex, is IMPORTed from the FC-MGMT-MIB
   [RFC4044] as the index value to uniquely identify each Fibre Channel
   management instance, for example within the same SNMP context
   ([RFC3411] section 3.3.1).

4.2. Entity Name

   A central capability of FC-SP is the use of an Authentication
   Protocol. The purpose of each of the possible Authentication
   Protocols is to allow a Fibre Channel entity to be assured of the
   identity of each entity with which it is communicating. Examples of
   such entities are Fibre Channel Switches and Fibre Channel Nx_Ports.
   Each entity is identified by a name. The FC-MGMT-MIB [RFC4044]
   defines MIB objects for such names:

   - for entities which are Fibre Channel Switches, the definition of a
     Fibre Channel management instance allows multiple Switches to be
     managed by the same Fibre Channel management instance.
     In this
     case, each entity is a Switch and has the name given by the MIB
     object, fcmSwitchWWN.

   - for entities other than Fibre Channel Switches, a Fibre Channel
     management instance can manage only one entity, and the name of the
     entity is given by the MIB object, fcmInstanceWwn.

4.3. Fabric Index

   With multiple Fabrics, each Fabric has its own instances of the
   Fabric-related management instrumentation. Thus, these MIB modules
   define all Fabric-related information in tables which are INDEX-ed by
   an arbitrary integer, named a "Fabric Index". The syntax of a Fabric
   Index is T11FabricIndex, imported from T11-TC-MIB [RFC4439]. When a
   device is connected to a single physical Fabric, without use of any
   virtual Fabrics, the value of this Fabric Index will always be 1. In
   an environment of multiple virtual and/or physical Fabrics, this
   index provides a means to distinguish one Fabric from another.

4.4. Interface Index

   Several of the MIB modules defined in this document use the
   InterfaceIndexOrZero syntax in order to allow information to be
   specified/instantiated on a per-port/interface basis, e.g., for:
   statistics, Traffic Selectors, Security Associations, etc. This
   allows the same object to be used either when there is a separate row
   for each of multiple ports/interfaces, or when multiple interfaces
   are represented by a single row. The use of a zero value supports
   the simpler cases of: a) when there is only one port/interface, b)
   where the implementation chooses to aggregate the information for
   multiple ports/interfaces. The minimum (for compliance) requirement
   is to implement any one of the above cases.

   When a Fabric Index and an object with the InterfaceIndexOrZero
   syntax are used together in a single INDEX clause, the
   InterfaceIndexOrZero object is listed before the Fabric Index in
   order to simplify management queries which retrieve information
   concerning multiple Fabrics connected to the same port/interface.

4.5. Syntax for Policy Object Names

   T11FcSpPolicyNameType and T11FcSpPolicyName are two Textual
   Conventions defined in this document (in the T11-FC-SP-TC-MIB module)
   to represent the types and values of Policy Object Names (see section
   3.9.1 above). However, two of the nine possible types are IPv4
   Address Range and IPv6 Address Range. It is standard practice in MIB
   modules to represent all IP addresses using the standard Textual
   Conventions defined in [RFC4001] for IP addresses, specifically:
   InetAddressType and InetAddress. This document adheres to such
   standard practice to the following extent:

   - for MIB objects representing a Policy Object Name which can *only*
     be an IPv4 address range or an IPv6 address range, then those MIB
     objects are defined as a 3-tuple: (InetAddressType, InetAddress,
     InetAddress), in which the first address is the low end of the
     range, the second address is the high end of the range, and both
     addresses are of the type given by InetAddressType.

   - for MIB objects representing a Policy Object Name which is
     (possibly) of a different type, i.e., it is not (necessarily) an
     IPv4 or IPv6 address range, then those MIB objects are defined as a
     2-tuple: (T11FcSpPolicyNameType, T11FcSpPolicyName), in which the
     first object represents the type of Policy Object Name and the
     second object represents the value of the Policy Object Name.
     For
     MIB objects defined in this manner, if and when they represent a
     range of IP addresses: a) the value of T11FcSpPolicyNameType
     differentiates between an IPv4 Address Range and an IPv6 Address
     Range; and b) the value of T11FcSpPolicyName is one string
     containing the concatenation of the two addresses which are the low
     and high addresses of the range. This is the same format as used
     within FC-SP Policy Objects [FC-SP].

4.6. Certificates, CAs and CRLs

   In order to authenticate with the FCAP protocol, each entity,
   identified by a unique Name, is provided with: a digital certificate
   associated with that Name, the private/public key pair that
   corresponds to the certificate, and with the Root Certificate (the
   certificate of the signing Certification Authority). To authenticate
   another entity, an entity is required to be provided with the
   certificate of the associated Certification Authority.

   FCAP requires entities to support at least four Root Certificates
   against which received corresponding certificates can be validated.
   Support for certificate chains and verification of certificate chains
   containing more than one certificate is optional. Entities need to
   be able to access a Certificate Revocation List (CRL) for each
   configured Root Certificate, if one is available from the CA.
   Certificates on the CRL are considered invalid.

   Only a few MIB objects are defined in this document to support
   certificates, Certification Authorities and Certificate Revocation
   Lists. This is because there is very little about the management of
   them which is Fibre Channel-specific. Instead, this document
   leverages the MIB tables defined in [IPSP-IPSEC-ACTION] and
   [IPSP-IKE-ACTION].
   Specifically, the ipsaCredentialTable and the
   ipsaCredentialSegmentTable defined in [IPSP-IPSEC-ACTION] provide for
   the management of certificates; the ipiaIpsecCredMngServiceTable and
   the ipiaCredMngCRLTable defined in [IPSP-IKE-ACTION] provide for the
   management of CAs and CRLs.

4.7. Traffic Selectors

   When Traffic Selectors are compared against an ingress or egress
   frame in order to determine the security processing to be applied to
   that frame, there are circumstances in which multiple Traffic
   Selectors, specifying different actions, can match with the frame;
   specifically, when matching against an egress frame to decide which
   active Security Association to transmit on, or, against an ingress
   frame unprotected by FC-SP, i.e., without an SPI value in it, to
   decide which action ('drop' or 'bypass') to apply. For these cases,
   the MIB includes a precedence value for each Traffic Selector such
   that the one with the numerically lowest precedence value is
   determined to be the one that matches. In contrast, ingress frames
   on active Security Associations (i.e., protected by FC-SP) are
   compared against the set of traffic selectors negotiated when the
   Security Association was set up and identified by the SPI value
   contained in the frame; the action taken depends on whether any
   Traffic Selector matches, but not on which one.

   This difference between ingress and egress Traffic Selectors on
   active Security Associations is reflected in having separate MIB
   tables defined for them: the table for Traffic Selectors on egress
   SAs, t11FcSpSaTSelNegOutTable, has a precedence value in its INDEX
   clause, whereas the table for Traffic Selectors on ingress SAs,
   t11FcSpSaTSelNegInTable, has an arbitrary integer value in its INDEX
   clause.
   For 'drop' and 'bypass' Traffic Selectors, one table,
   t11FcSpSaTSelDrByTable, having a precedence value in its INDEX
   clause, is sufficient for both ingress and egress traffic.

4.8. The MIB Modules

4.8.1. The T11-FC-SP-TC-MIB Module

   This MIB module defines Textual Conventions which are being, or have
   the potential to be, used in more than one MIB module. The module
   also defines Object Identifiers to identify the Cryptographic
   Algorithms listed in [FC-SP] so that they can be used as the value of
   various MIB objects which specify the algorithms being/to be used by
   an FC-SP implementation.

4.8.2. The T11-FC-SP-AUTHENTICATION-MIB Module

   This MIB module specifies the management information required to
   manage FC-SP Authentication Protocols. It defines three tables:

   - t11FcSpAuEntityTable -- a table of Fibre Channel entities which can
     be authenticated using FC-SP's Authentication Protocols, including
     the names, capabilities and basic configuration parameters of the
     entities.

   - t11FcSpAuIfStatTable -- this table has two purposes: to be a list
     of the mappings of a FC-SP Authentication entity onto an interface,
     and to contain Authentication Protocol per-interface statistics.

   - t11FcSpAuRejectTable -- a table of FC-SP Authentication Protocol
     transactions which were recently rejected.

   It also defines two notifications: one for sending a reject in
   response to an AUTH message, and another for receiving a reject in
   response to an AUTH message.

4.8.3. The T11-FC-SP-ZONING-MIB Module

   This MIB module specifies the extensions to the
   T11-FC-ZONE-SERVER-MIB module [FC-ZS-MIB] for the management of
   FC-SP Zoning Servers. Specifically, it augments three tables
   defined in T11-FC-ZONE-SERVER-MIB:

   - t11FcSpZsServerTable -- to this table, it adds FC-SP Zoning
     information defined for Zone Servers.

   - t11ZsStatsTable -- to this table, it adds FC-SP Zoning statistics
     for Zone Servers.

   - t11ZsNotifyControlTable -- to this table, it adds control
     information for FC-SP Zoning notifications.

   It also defines two FC-SP Zoning notifications: one for success and
   one for failure in the joining of two Fabrics.

4.8.4. The T11-FC-SP-POLICY-MIB Module

   This MIB module specifies management information which is used to
   manage FC-SP policies. The MIB module has five parts:

   - Active Policy Objects - read-only MIB objects representing the set
     of active Policy Objects for each Fabric;

   - Activate/Deactivate Operations - read-write MIB objects for
     invoking operations, either 1) to activate policies which are
     specified as a set of non-active Policy Objects, or 2) to
     deactivate the currently-active policies; also included are objects
     giving the status of invoked operations;

   - Non-active Policy Objects - read-create MIB objects to create and
     modify non-active Policy Objects;

   - Statistics for FC-SP Security Policy Servers;

   - The definition and control of notifications for the success or
     failure of the activation or deactivation of FC-SP policies.

4.8.5. The T11-FC-SP-SA-MIB Module

   This MIB module specifies the management information required to
   manage Security Associations established via FC-SP. All of the
   tables in this MIB module are INDEX-ed by t11FcSpSaIfIndex, with
   syntax InterfaceIndexOrZero, which is either non-zero for a specific
   interface or zero for all (of the management instance's) interfaces
   to the particular Fabric.

   The MIB module consists of six parts:

   - a per-Fabric table, t11FcSpSaIfTable, of capabilities, parameters,
     status information and counters; the counters include non-transient
     aggregates of per-SA transient counters;

   - three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable and
     t11FcSpSaTransTable, specifying the proposals for an FC-SP entity
     acting as an SA_Initiator to present to the SA_Responder during the
     negotiation of Security Associations. The same information is also
     used by an FC-SP entity acting as an SA_Responder to decide what to
     accept during the negotiation of Security Associations. One of
     these tables, t11FcSpSaTransTable, is used not only for information
     about security transforms to propose and to accept, but also as
     agreed upon during the negotiation of Security Associations;

   - a table, t11FcSpSaTSelDrByTable, of Traffic Selectors having the
     security action of 'drop' or 'bypass' to be applied either to
     ingress traffic which is unprotected by FC-SP, or to all egress
     traffic;

   - four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable,
     t11FcSpSaTSelNegOutTable and t11FcSpSaTSelSpiTable, containing
     information about active bidirectional pairs of Security
     Associations; in particular, t11FcSpSaPairTable has one row per
     active bidirectional SA pair, t11FcSpSaTSelNegInTable and
     t11FcSpSaTSelNegOutTable contain information on the Traffic
     Selectors negotiated on the SAs, and the t11FcSpSaTSelSpiTable is
     an alternate lookup table such that the Traffic Selector(s) in use
     on a particular Security Association can be quickly determined
     based on its (ingress) SPI value;

   - a table, t11FcSpSaControlTable, of control and other information
     concerning the generation of notifications for events related to
     FC-SP Security Associations;

   - one notification, t11FcSpSaNotifyAuthFailure, generated on the
     occurrence of an Authentication failure for a
     received FC-2 or
     CT_IU frame.

4.8.6. The T11-FC-SP-CERTS-MIB Module

   This MIB module specifies extensions to IPSP MIBs [IPSP-IPSEC-ACTION]
   and [IPSP-IKE-ACTION] which are specific to Fibre Channel. In
   particular, it specifies one table, t11FcSpCertsTable, with a row per
   certificate indicating how that certificate is being used, and
   containing the "name" of the certificate. This "name" can be used to
   obtain information, which is independent of FC-SP, about the
   certificate from the ipsaCredentialTable (and from the
   ipsaCredentialSegmentTable if the certificate is longer than 1024
   bytes).

4.9. Rate Control for Notifications

   All but one of the notifications defined in the six MIB modules in
   this document are notifications which are generated based on events
   occurring in the "control plane", e.g., notifications which are
   generated at the frequency of operator-initiated activities. The one
   exception is t11FcSpSaNotifyAuthFailure, which is generated based on
   an event occurring in the "data plane", and could (in a worst case
   scenario) occur for every received ingress frame. Therefore, a
   method of rate controlling the generation of notifications is needed
   for t11FcSpSaNotifyAuthFailure, but not for any of the other
   notifications.

   For t11FcSpSaNotifyAuthFailure, rate control is achieved by
   specifying that it is generated only for the first occurrence of an
   Authentication failure on a particular Fabric within a time window.
   Subsequent occurrences of an Authentication Failure on the same
   Fabric within the same time window are counted but the generation and
   transmission of SNMP notifications for them is suppressed.

   The length of the time window is given by t11FcSpSaControlWindow, a
   read-write object in the t11FcSpSaControlTable.
   If the last
   generation of the notification occurred more recently than the value
   of sysUpTime (i.e., since the last re-initialization of the
   management system), then t11FcSpSaControlElapsed and
   t11FcSpSaControlSuppressed contain the elapsed time since the last
   notification and the number of notifications suppressed in the window
   after sending the last one, respectively. Otherwise,
   t11FcSpSaControlElapsed contains the value of sysUpTime and
   t11FcSpSaControlSuppressed has the value zero.

5. Relationship to Other MIB Modules

   The first standardized MIB module for Fibre Channel [RFC2837] was
   focussed on Fibre Channel Switches. It was obsoleted by the more
   generic Fibre Channel Management MIB [RFC4044] which defines basic
   information for Fibre Channel Nodes and Switches, including
   extensions to the standard IF-MIB [RFC2863] for Fibre Channel
   interfaces. Several other MIB modules have since been defined to
   extend [RFC4044] for various specific Fibre Channel functionality
   (e.g., [RFC4438], [RFC4439], [RFC4625], [RFC4626], [RFC4747],
   [FC-ZS-MIB], [FC-RSCN-MIB], [FC-FCS-MIB]).

   The MIB modules defined in this memo further extend [RFC4044] to
   cover the operation of Fibre Channel Security Protocols, as specified
   in [FC-SP].

   One part of the FC-SP specification is "FC-SP Zoning" which is an
   extension/variant of the Fibre Channel Zoning defined in [FC-GS-5].
   Management information for the latter is defined in the
   T11-FC-ZONE-SERVER-MIB module [FC-ZS-MIB]. Consequently, the
   T11-FC-SP-ZONING-MIB module defined in this document defines the
   extensions to the T11-FC-ZONE-SERVER-MIB module which are needed to
   manage FC-SP Zoning.

   The MIB modules in this memo import some common Textual Conventions
   from T11-TC-MIB defined in [RFC4439] and from INET-ADDRESS-MIB
   defined in [RFC4001].
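
   The per-Fabric suppression that section 4.9 specifies for
   t11FcSpSaNotifyAuthFailure, as an added example (not code from this
   draft). The class and method names are hypothetical; the window is
   assumed to be in the same ticks as sysUpTime, and a failure arriving
   exactly one window after the last notification is assumed to open a
   new window.

```python
"""Added example: per-Fabric rate control for t11FcSpSaNotifyAuthFailure."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ControlRow:
    """Hypothetical stand-in for one Fabric's row of t11FcSpSaControlTable."""
    window: int                      # t11FcSpSaControlWindow (unit assumed: ticks)
    last_sent: Optional[int] = None  # sysUpTime of the last notification, if any
    suppressed: int = 0              # failures counted but not notified since then


class AuthFailureNotifier:
    """Generates at most one notification per Fabric per time window."""

    def __init__(self, window: int) -> None:
        self.window = window
        self.rows: Dict[int, ControlRow] = {}
        self.sent: List[Tuple[int, int]] = []  # (sysUpTime, fabric_index)

    def on_auth_failure(self, now: int, fabric_index: int) -> bool:
        """Record one failure; return True if a notification was generated."""
        row = self.rows.setdefault(fabric_index, ControlRow(self.window))
        # Assumption: the window is measured from the last notification sent,
        # and a gap of exactly one window counts as outside it.
        if row.last_sent is None or now - row.last_sent >= row.window:
            row.last_sent = now
            row.suppressed = 0
            self.sent.append((now, fabric_index))
            return True
        row.suppressed += 1  # counted, but no SNMP notification is generated
        return False

    def control_elapsed(self, now: int, fabric_index: int) -> int:
        """Value for t11FcSpSaControlElapsed at sysUpTime 'now'."""
        row = self.rows.get(fabric_index)
        if row is None or row.last_sent is None:
            return now  # nothing sent since re-initialization: sysUpTime
        return now - row.last_sent

    def control_suppressed(self, fabric_index: int) -> int:
        """Value for t11FcSpSaControlSuppressed."""
        row = self.rows.get(fabric_index)
        if row is None or row.last_sent is None:
            return 0
        return row.suppressed


# Constructed sample: (sysUpTime, Fabric Index) of Authentication failures.
SAMPLE_EVENTS = [
    (100, 1), (110, 1), (120, 1),   # burst on Fabric 1: only the first notifies
    (150, 2),                       # Fabric 2 has its own window
    (900, 1), (1099, 1),            # still inside Fabric 1's window of 1000
    (1200, 1), (1250, 1),           # new window on Fabric 1, then one suppressed
]


def replay(events, window: int) -> AuthFailureNotifier:
    """Feed a list of (sysUpTime, fabric_index) failures through the notifier."""
    notifier = AuthFailureNotifier(window)
    for now, fabric_index in events:
        notifier.on_auth_failure(now, fabric_index)
    return notifier


if __name__ == "__main__":
    n = replay(SAMPLE_EVENTS, window=1000)
    print("notifications generated:", n.sent)
    for fabric in (1, 2, 3):
        print(fabric, n.control_elapsed(1300, fabric), n.control_suppressed(fabric))
```
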

   The T11-FC-SP-CERTS-MIB module leverages [IPSP-IPSEC-ACTION] and
   [IPSP-IKE-ACTION] for the management of certificates, CAs and CRLs.

   If the RADIUS protocol is used for access to an external server,
   information about RADIUS Servers is likely to be available from the
   RADIUS-AUTH-CLIENT-MIB [RFC4668].

6. MIB Module Definitions

6.1. The T11-FC-SP-TC-MIB Module

T11-FC-SP-TC-MIB  DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-IDENTITY, mib-2,
    Unsigned32                 FROM SNMPv2-SMI   -- [RFC2578]
    TEXTUAL-CONVENTION         FROM SNMPv2-TC;   -- [RFC2579]

t11FcTcMIB  MODULE-IDENTITY
    LAST-UPDATED  "200702190000Z"
    ORGANIZATION  "T11"
    CONTACT-INFO
           "     Claudio DeSanti
                 Cisco Systems, Inc.
                 170 West Tasman Drive
                 San Jose, CA 95134 USA
                 EMail: cds@cisco.com

                 Keith McCloghrie
                 Cisco Systems, Inc.
                 170 West Tasman Drive
                 San Jose, CA 95134 USA
                 Email: kzm@cisco.com"
    DESCRIPTION
           "This MIB module defines Textual Conventions for use in
           the multiple MIB modules which together define the
           instrumentation for an implementation of the Fibre Channel
           Security Protocols (FC-SP) specification.

           This MIB module also defines Object Identities (for use as
           possible values of MIB objects with syntax AutonomousType),
           including OIDs for the Cryptographic Algorithms defined
           in FC-SP.

           Copyright (C) The IETF Trust (2007).  This version
           of this MIB module is part of RFC yyyy;  see the RFC
           itself for full legal notices."
-- RFC Editor: replace yyyy with actual RFC number & remove this note
    REVISION  "200702190000Z"
    DESCRIPTION
           "Initial version of this MIB module, published as RFCyyyy."
-- RFC-Editor, replace yyyy with actual RFC number & remove this note
    ::= { mib-2 nnn }      -- to be assigned by IANA
-- RFC Editor: replace nnn with IANA-assigned number & remove this note

t11FcSpIdentities  OBJECT IDENTIFIER ::= { t11FcTcMIB 1 }
t11FcSpAlgorithms  OBJECT IDENTIFIER ::= { t11FcSpIdentities 1 }

--
-- Textual Conventions
--

T11FcSpPolicyHashFormat ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "Identifies a cryptographic hash function used to create
           a hash value which summarizes an FC-SP Policy Object.

           Each definition of an object with this TC as its syntax
           must be accompanied by a corresponding definition of an
           object with T11FcSpPolicyHashValue as its syntax, and
           containing the hash value.

           The first two cryptographic hash functions are:

             Hash Type    Hash Tag        Hash Length (Bytes)
             SHA-1        '00000001'h         20
             SHA-256      '00000002'h         32
           "
    REFERENCE
           "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
              Fibre Channel - Security Protocols (FC-SP),
              13 June 2006, section 7.1.3.1.
            - FIPS PUB 180-2."
    SYNTAX      OCTET STRING (SIZE (4))

T11FcSpPolicyHashValue ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "Represents the value of the cryptographic hash function
           of an FC-SP Policy Object.

           Each definition of an object with this TC as its syntax
           must be accompanied by a corresponding definition of an
           object with T11FcSpPolicyHashFormat as its syntax.
           The corresponding object identifies the cryptographic
           hash function used to create the hash value."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, section 7.1.3.1."
    SYNTAX      OCTET STRING (SIZE (0..64))

T11FcSpAuthRejectReasonCode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A reason code contained in an AUTH_Reject message, or
           in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT
           (rejecting an AUTH-ELS)."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 17, 48, 52."
    SYNTAX      INTEGER {
                    authFailure(1),
                    logicalError(2),
                    logicalBusy(3),
                    authILSNotSupported(4),
                    authELSNotSupported(5),
                    notLoggedIn(6)
                }

T11FcSpAuthRejReasonCodeExp ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A reason code explanation contained in an AUTH_Reject
           message, or in an SW_RJT (rejecting an AUTH_ILS), or in
           an LS_RJT (rejecting an AUTH-ELS)."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Tables 18, 48, 52."
    SYNTAX      INTEGER {
                    authMechanismNotUsable(1),
                    dhGroupNotUsable(2),
                    hashFunctionNotUsable(3),
                    authTransactionAlreadyStarted(4),
                    authenticationFailed(5),
                    incorrectPayload(6),
                    incorrectAuthProtocolMessage(7),
                    restartAuthProtocol(8),
                    authConcatNotSupported(9),
                    unsupportedProtocolVersion(10),
                    logicalBusy(11),
                    authILSNotSupported(12),
                    authELSNotSupported(13),
                    notLoggedIn(14)
                }

T11FcSpHashFunctions ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A set of zero, one or more hash functions defined for
           use in FC-SP."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 14."
    SYNTAX      BITS {
                    md5(0),
                    sha1(1)
                }

T11FcSpSignFunctions ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A set of zero, one or more signature functions defined
           for signing certificates for use with FCAP in FC-SP."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, tables 38 & 39."
    SYNTAX      BITS {
                    rsaSha1(0)
                }

T11FcSpDhGroups ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A set of zero, one or more DH Groups defined for use
           in FC-SP."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 15."
    SYNTAX      BITS {
                    null(0),
                    group1024(1),
                    group1280(2),
                    group1536(3),
                    group2048(4),
                    group3072(5),
                    group4096(6),
                    group6144(7),
                    group8192(8)
                }

T11FcSpPolicyObjectType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A value which identifies the type of an FC-SP Policy
           Object."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 102."
    SYNTAX      INTEGER {
                    summary(1),
                    switchMemberList(2),
                    nodeMemberList(3),
                    switchConnectivity(4),
                    ipMgmtList(5),
                    attribute(6)
                }

T11FcSpPolicyNameType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "The format and usage of a companion object having
           T11FcSpPolicyName as its syntax.

           Six of the values indicate the same format, i.e., they
           differ only in semantics.  That common format is a Fibre
           Channel 'Name_Identifier', i.e., the same syntax as
           'FcNameIdOrZero (SIZE(8))'.

           These six are three pairs of one restricted and one
           unrestricted.
           Each usage of this syntax must specify
           whether restricted names are allowed, and if so, how the
           usage of restricted names differs from unrestricted names.

           The six are:

             'nodeName'           - a Node_Name, which is the
                                    Name_Identifier associated
                                    with a Fibre Channel Node.

             'restrictedNodeName' - a Restricted Node_Name.

             'portName'           - the Name_Identifier associated
                                    with a Fibre Channel Port.

             'restrictedPortName' - a Restricted Port_Name.

             'wildcard'           - a Wildcard value which is used to
                                    identify 'all others' (typically,
                                    all other members of a Policy
                                    Object, not all other Policy
                                    Objects).

             'restrictedWildcard' - a Restricted Wildcard value.

           Other possible values are:

             'alphaNumericName' - the value begins with an ASCII
             letter (upper or lower case) followed by (0 ... 63)
             characters from the set: lower case letters, upper case
             letters, digits, and the four symbols: dollar-sign ($),
             dash (-), caret (^), and underscore (_).

             'ipv6AddressRange' - two IPv6 addresses in network
             byte order, the numerically smallest first and the
             numerically largest second; total length is 32 bytes.

             'ipv4AddressRange' - two IPv4 addresses in network
             byte order, the numerically smallest first and the
             numerically largest second; total length is 8 bytes."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 103."
    SYNTAX      INTEGER {
                    nodeName(1),
                    restrictedNodeName(2),
                    portName(3),
                    restrictedPortName(4),
                    wildcard(5),
                    restrictedWildcard(6),
                    alphaNumericName(7),
                    ipv6AddressRange(8),
                    ipv4AddressRange(9)
                }

T11FcSpPolicyName ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A syntax used, when defining Policy Objects, for the
           name of something.

           An object which uses this syntax always identifies
           a companion object with syntax T11FcSpPolicyNameType
           such that the companion object specifies the format
           and usage of the object with this syntax.

           When the companion object has the value 'wildcard' or
           'restrictedWildcard', the value of the T11FcSpPolicyName
           object is: '0000000000000000'h."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 103."
    SYNTAX      OCTET STRING (SIZE (1..64))

T11FcSpAlphaNumName ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "A syntax used when defining Policy Objects for the
           name of something, where the name is always in the format
           specified by:

                T11FcSpPolicyNameType = 'alphaNumericName'
           "
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, Table 103."
    SYNTAX      OCTET STRING (SIZE (1..64))

T11FcSpAlphaNumNameOrNull ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "An extension of the T11FcSpAlphaNumName TC which has
           one additional possible value: the zero-length string
           to indicate the absence of a name."
    SYNTAX      OCTET STRING (SIZE (0..64))

T11FcSaDirection ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "The direction of frame transmission on a Security
           Association.  Note that Security Associations are
           unidirectional but they always exist as part of an
           SA pair of the same type in opposite directions."
    SYNTAX      INTEGER { ingress(1), egress(2) }

T11FcSpiIndex ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
           "An SPI (Security Parameter Index) value is carried in the
           SPI field of a frame protected by the ESP_Header.  An SPI
           is also carried in the SAID field of a Common Transport
           Information Unit (CT_IU) protected by CT_Authentication.
           An SPI value identifies the Security Association on which
           the frame is being transmitted."
    REFERENCE
           "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
           Fibre Channel - Security Protocols (FC-SP),
           13 June 2006, section 4.7.2 and 4.7.3."
    SYNTAX      Unsigned32   -- the default range: (0..4294967295)

T11FcSpPrecedence ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS      current
    DESCRIPTION
           "The precedence of a Traffic Selector.  If a frame
           matches with two or more Traffic Selectors, then the match
           which takes precedence is the one with the Traffic Selector
           having the numerically smallest precedence value.  Note that
           precedence values are not necessarily contiguous."
    SYNTAX      Unsigned32   -- the default range: (0..4294967295)

T11FcRoutingControl ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1x"
    STATUS      current
    DESCRIPTION
           "A value stored in the R_CTL (Routing Control) 8-bit field
           of an FC-2 frame containing routing and information bits to
           categorize the frame function.

           For FC-2 frames, an R_CTL value typically distinguishes
           between control versus data frames, and/or solicited versus
           unsolicited frames, and in combination with the TYPE field
           (see T11FcSpType) identifies a particular link layer
           service/protocol using FC-2.

           For CT_Authentication, the information field in the R_CTL
           field contains '02'h for Request CT_IUs, and '03'h for
           Response CT_IUs.

           The comparison of two values having this syntax is done
           by treating each string as an 8-bit numeric value."
    REFERENCE
           " - Fibre Channel - Framing and Signaling-2 (FC-FS-2),
               INCITS xxx/200x, Project T11/1619-D Rev 1.01,
               8 August 2006, section 9.3.
             - Fibre Channel - Generic Services-5 (FC-GS-5),
               ANSI INCITS 427-2006, sections 4.5.2.4.2, 4.5.2.4.3
               and table 12."
1408         SYNTAX OCTET STRING (SIZE(1))

1410     T11FcSpType ::= TEXTUAL-CONVENTION
1411         DISPLAY-HINT "2x"
1412         STATUS current
1413         DESCRIPTION
1414             "A value, or combination of values, contained in a frame
1415              header used in identifying the link layer service/protocol
1416              of a frame.

1418              The value is always two octets:

1420              - for FC-2 frames, the first octet is zero and the second
1421                octet contains the Data structure type (TYPE) value
1422                defined by FC-FS-2. The TYPE value is used in
1423                combination with T11FcRoutingControl to identify a link
1424                layer service/protocol.

1426              - for Common Transport Information Units (CT_IUs), the
1427                first octet contains a GS_Type value and the second
1428                octet contains a GS_Subtype value, defined by FC-GS-5.

1430              The comparison of two values having this syntax is done
1431              by treating each string as the numeric value obtained by
1432              numerically combining the individual octet's value as
1433              follows:

1435                  (256 * 1st-octet) + 2nd-octet
1436             "
1437         REFERENCE
1438             " - Fibre Channel - Framing and Signaling-2 (FC-FS-2),
1439                 INCITS xxx/200x, Project T11/1619-D Rev 1.01,
1440                 8 August 2006, section 9.6.
1441               - Fibre Channel - Generic Services-5 (FC-GS-5),
1442                 ANSI INCITS 427-2006, sections 4.3.2.4 and 4.3.2.5."
1443         SYNTAX OCTET STRING (SIZE(2))

1445     T11FcSpTransforms ::= TEXTUAL-CONVENTION
1446         STATUS current
1447         DESCRIPTION
1448             "A list of the standardized transforms which are defined
1449              by FC-SP for use with ESP_Header, CT_Authentication and/or
1450              IKEv2 Support."
1451         REFERENCE
1452             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
1453              Fibre Channel - Security Protocols (FC-SP),
1454              13 June 2006, Appendix A.3.1, tables A.23, A.24, A.25, A.26."
1455         SYNTAX BITS {
1456             encrNull(0),
1457             encrAesCbc(1),
1458             encrAesCtr(2),
1459             encrAesGcm(3),
1460             encr3Des(4),
1461             prfHmacMd5(5),
1462             prfHmacSha1(6),
1463             prfAesCbc(7),
1464             authHmacMd5L96(8),
1465             authHmacSha1L96(9),
1466             authHmacMd5L128(10),
1467             authHmacSha1L160(11),
1468             encrNullAuthAesGmac(12),
1469             dhGroups1024bit(13),
1470             dhGroups2048bit(14)
1471         }

1473     --
1474     -- Object Identities to identify the Cryptographic Algorithms
1475     -- listed in FC-SP.
1476     --

1478     t11FcSpEncryptAlgorithms
1479             OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 1 }

1481     t11FcSpEncrNull OBJECT-IDENTITY
1482         STATUS current
1483         DESCRIPTION "The ENCR_NULL algorithm."
1484         ::= { t11FcSpEncryptAlgorithms 1 }
1485     t11FcSpEncrAesCbc OBJECT-IDENTITY
1486         STATUS current
1487         DESCRIPTION "The ENCR_AES_CBC algorithm."
1488         ::= { t11FcSpEncryptAlgorithms 2 }
1489     t11FcSpEncrAesCtr OBJECT-IDENTITY
1490         STATUS current
1491         DESCRIPTION "The ENCR_AES_CTR algorithm."
1492         ::= { t11FcSpEncryptAlgorithms 3 }
1493     t11FcSpEncrAesGcm OBJECT-IDENTITY
1494         STATUS current
1495         DESCRIPTION "The ENCR_AES_GCM algorithm."
1496         ::= { t11FcSpEncryptAlgorithms 4 }
1497     t11FcSpEncr3Des OBJECT-IDENTITY
1498         STATUS current
1499         DESCRIPTION "The ENCR_3DES algorithm."
1500         ::= { t11FcSpEncryptAlgorithms 5 }

1502     t11FcSpAuthAlgorithms
1503             OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 2 }

1505     t11FcSpAuthNull OBJECT-IDENTITY
1506         STATUS current
1507         DESCRIPTION "The AUTH_NONE algorithm."
1508         ::= { t11FcSpAuthAlgorithms 1 }
1509     t11FcSpAuthHmacMd5L96 OBJECT-IDENTITY
1510         STATUS current
1511         DESCRIPTION "The AUTH_HMAC_MD5_96 algorithm."
1512         ::= { t11FcSpAuthAlgorithms 2 }
1513     t11FcSpAuthHmacSha1L96 OBJECT-IDENTITY
1514         STATUS current
1515         DESCRIPTION "The AUTH_HMAC_SHA1_96 algorithm."
1516         ::= { t11FcSpAuthAlgorithms 3 }
1517     t11FcSpAuthHmacMd5L128 OBJECT-IDENTITY
1518         STATUS current
1519         DESCRIPTION "The AUTH_HMAC_MD5_128 algorithm."
1520         ::= { t11FcSpAuthAlgorithms 4 }
1521     t11FcSpAuthHmacSha1L160 OBJECT-IDENTITY
1522         STATUS current
1523         DESCRIPTION "The AUTH_HMAC_SHA1_160 algorithm."
1524         ::= { t11FcSpAuthAlgorithms 5 }
1525     t11FcSpEncrNullAuthAesGmac OBJECT-IDENTITY
1526         STATUS current
1527         DESCRIPTION "The ENCR_NULL_AUTH_AES_GMAC algorithm."
1528         ::= { t11FcSpEncryptAlgorithms 6 }

1530     END
1531  6.2. The T11-FC-SP-AUTHENTICATION-MIB Module

1533     --********************************************************************
1534     -- FC-SP Authentication Protocols
1535     --

1537     T11-FC-SP-AUTHENTICATION-MIB DEFINITIONS ::= BEGIN

1539     IMPORTS
1540         MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
1541         NOTIFICATION-TYPE,
1542         mib-2, Counter32, Unsigned32
1543             FROM SNMPv2-SMI -- [RFC2578]
1544         MODULE-COMPLIANCE, OBJECT-GROUP,
1545         NOTIFICATION-GROUP
1546             FROM SNMPv2-CONF -- [RFC2580]
1547         StorageType, AutonomousType,
1548         TruthValue, TimeStamp FROM SNMPv2-TC -- [RFC2579]
1549         InterfaceIndex FROM IF-MIB -- [RFC2863]
1550         fcmInstanceIndex,
1551         FcNameIdOrZero FROM FC-MGMT-MIB -- [RFC4044]
1552         t11FamLocalSwitchWwn
1553             FROM T11-FC-FABRIC-ADDR-MGR-MIB -- [RFC4439]
1554         T11FabricIndex FROM T11-TC-MIB -- [RFC4439]
1555         T11FcSpDhGroups,
1556         T11FcSpHashFunctions,
1557         T11FcSpSignFunctions,
1558         T11FcSpAuthRejectReasonCode,
1559         T11FcSpAuthRejReasonCodeExp FROM T11-FC-SP-TC-MIB;

1561     t11FcSpAuthenticationMIB MODULE-IDENTITY
1562         LAST-UPDATED "200702190000Z"
1563         ORGANIZATION "T11"
1564         CONTACT-INFO
1565             " Claudio DeSanti
1566               Cisco Systems, Inc.
1567               170 West Tasman Drive
1568               San Jose, CA 95134 USA
1569               EMail: cds@cisco.com

1571               Keith McCloghrie
1572               Cisco Systems, Inc.
1573               170 West Tasman Drive
1574               San Jose, CA 95134 USA
1575               Email: kzm@cisco.com"
1576         DESCRIPTION
1577             "This MIB module specifies the management information
1578              required to manage the Authentication Protocols defined by
1579              Fibre Channel's FC-SP specification.
1581              This MIB module defines three tables:

1583              - t11FcSpAuEntityTable is a table of Fibre Channel
1584                entities which can be authenticated using FC-SP's
1585                Authentication Protocols.

1587              - t11FcSpAuIfStatTable is a table with one row for each
1588                mapping of an Authentication entity onto an interface,
1589                containing statistics information.

1591              - t11FcSpAuRejectTable is a table of volatile information
1592                about FC-SP Authentication Protocol transactions
1593                which were most recently rejected.

1595              Copyright (C) The IETF Trust (2007). This version
1596              of this MIB module is part of RFC yyyy; see the RFC
1597              itself for full legal notices."
1598     -- RFC Editor: replace yyyy with actual RFC number & remove this note
1599         REVISION "200702190000Z"
1600         DESCRIPTION
1601             "Initial version of this MIB module, published as RFCyyyy."
1602     -- RFC-Editor, replace yyyy with actual RFC number & remove this note
1603         ::= { mib-2 nnn } -- to be assigned by IANA
1604     -- RFC Editor: replace nnn with IANA-assigned number & remove this note

1606     t11FcSpAuMIBIdentities
1607             OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 1 }
1608     t11FcSpAuMIBObjects
1609             OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 2 }
1610     t11FcSpAuMIBConformance
1611             OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 3 }
1612     t11FcSpAuMIBNotifications
1613             OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 0 }

1615     --
1616     -- OIDs defined for use as values of t11FcSpAuServerProtocol
1617     --

1619     t11FcSpAuServerProtocolRadius OBJECT-IDENTITY
1620         STATUS current
1621         DESCRIPTION
1622             "This OID identifies RADIUS as the protocol used
1623              to communicate with an External Server as part of
1624              the process by which identities are verified.
1625              In this case, information about the RADIUS Servers
1626              is likely to be provided in radiusAuthServerExtTable
1627              defined in the RADIUS-AUTH-CLIENT-MIB."
1628         REFERENCE
1629             "radiusAuthServerExtTable in 'RADIUS Authentication
1630              Client MIB', RFC 4668, August 2006."
1631         ::= { t11FcSpAuMIBIdentities 1 }

1633     t11FcSpAuServerProtocolDiameter OBJECT-IDENTITY
1634         STATUS current
1635         DESCRIPTION
1636             "This OID identifies Diameter as the protocol used
1637              to communicate with an External Server as part of
1638              the process by which identities are verified."
1639         REFERENCE
1640             "RFC 3588, September 2003."
1641         ::= { t11FcSpAuMIBIdentities 2 }

1643     t11FcSpAuServerProtocolTacacs OBJECT-IDENTITY
1644         STATUS current
1645         DESCRIPTION
1646             "This OID identifies TACACS as the protocol used
1647              to communicate with an External Server as part of
1648              the process by which identities are verified."
1649         REFERENCE
1650             "RFC 1492, July 1993."
1651         ::= { t11FcSpAuMIBIdentities 3 }

1653     --
1654     -- Configuration for the Authentication Protocols
1655     --

1657     t11FcSpAuEntityTable OBJECT-TYPE
1658         SYNTAX SEQUENCE OF T11FcSpAuEntityEntry
1659         MAX-ACCESS not-accessible
1660         STATUS current
1661         DESCRIPTION
1662             "A table of Fibre Channel entities which can be authenticated
1663              using FC-SP's Authentication Protocols.

1665              The purpose of an FC-SP Authentication Protocol is to verify
1666              that a claimed name is associated with the claiming entity.
1667              The Authentication Protocols can be used to authenticate
1668              Nx_Ports, B_Ports, or Switches."
1669         REFERENCE
1670             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
1671              Fibre Channel - Security Protocols (FC-SP),
1672              13 June 2006, section 3.2.25."
1673         ::= { t11FcSpAuMIBObjects 1 }

1675     t11FcSpAuEntityEntry OBJECT-TYPE
1676         SYNTAX T11FcSpAuEntityEntry
1677         MAX-ACCESS not-accessible
1678         STATUS current
1679         DESCRIPTION
1680             "Information about the configuration and capabilities of an
1681              FC-SP entity (which is managed within the Fibre Channel
1682              management instance identified by fcmInstanceIndex) on a
1683              particular Fabric with respect to FC-SP's Authentication
1684              Protocols."
1685         INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
1686                 t11FcSpAuFabricIndex }
1687         ::= { t11FcSpAuEntityTable 1 }

1689     T11FcSpAuEntityEntry ::= SEQUENCE {
1690         t11FcSpAuEntityName FcNameIdOrZero,
1691         t11FcSpAuFabricIndex T11FabricIndex,
1692         t11FcSpAuServerProtocol AutonomousType,
1693         -- Config parameters
1694         t11FcSpAuStorageType StorageType,
1695         t11FcSpAuSendRejNotifyEnable TruthValue,
1696         t11FcSpAuRcvRejNotifyEnable TruthValue,
1697         t11FcSpAuDefaultLifetime Unsigned32,
1698         t11FcSpAuDefaultLifetimeUnits INTEGER,
1699         t11FcSpAuRejectMaxRows Unsigned32,
1700         -- Capabilities
1701         t11FcSpAuDhChapHashFunctions T11FcSpHashFunctions,
1702         t11FcSpAuDhChapDhGroups T11FcSpDhGroups,
1703         t11FcSpAuFcapHashFunctions T11FcSpHashFunctions,
1704         t11FcSpAuFcapCertsSignFunctions T11FcSpSignFunctions,
1705         t11FcSpAuFcapDhGroups T11FcSpDhGroups,
1706         t11FcSpAuFcpapHashFunctions T11FcSpHashFunctions,
1707         t11FcSpAuFcpapDhGroups T11FcSpDhGroups
1708     }

1710     t11FcSpAuEntityName OBJECT-TYPE
1711         SYNTAX FcNameIdOrZero (SIZE (8))
1712         MAX-ACCESS not-accessible
1713         STATUS current
1714         DESCRIPTION
1715             "The name used to identify the FC-SP entity.

1717              For entities which are Fibre Channel Switches, this value
1718              corresponds to the Switch's value of fcmSwitchWWN. For
1719              entities other than Fibre Channel Switches, this value
1720              corresponds to the value of fcmInstanceWwn for the
1721              corresponding Fibre Channel management instance."
1722         REFERENCE
1723             "fcmInstanceWwn & fcmSwitchWWN,
1724              'Fibre Channel Management MIB', RFC 4044, May 2005."
1725         ::= { t11FcSpAuEntityEntry 1 }

1727     t11FcSpAuFabricIndex OBJECT-TYPE
1728         SYNTAX T11FabricIndex
1729         MAX-ACCESS not-accessible
1730         STATUS current
1731         DESCRIPTION
1732             "An index value which uniquely identifies a
1733              particular Fabric to which the entity is attached."
1734         ::= { t11FcSpAuEntityEntry 2 }

1736     t11FcSpAuServerProtocol OBJECT-TYPE
1737         SYNTAX AutonomousType
1738         MAX-ACCESS read-only
1739         STATUS current
1740         DESCRIPTION
1741             "The protocol, if any, used by the entity to communicate
1742              with a third party (i.e., an External Server) as part of
1743              the process by which it verifies DH-CHAP responses. For
1744              example, if the entity is using an external RADIUS server
1745              to verify DH-CHAP responses, then this object will have
1746              the value t11FcSpAuServerProtocolRadius.

1748              The value, zeroDotZero, is used to indicate that no
1749              protocol is being used to communicate with a third
1750              party to verify DH-CHAP responses.

1752              When no protocol is being used, or if the third party is
1753              unreachable via the specified protocol, then locally
1754              configured information (if any) may be used instead."
1755         ::= { t11FcSpAuEntityEntry 3 }

1757     t11FcSpAuStorageType OBJECT-TYPE
1758         SYNTAX StorageType
1759         MAX-ACCESS read-write
1760         STATUS current
1761         DESCRIPTION
1762             "This object specifies the memory realization of
1763              configuration information related to an FC-SP
1764              Entity on a particular Fabric; specifically, for
1765              MIB objects in the row containing this object.

1767              Even if an instance of this object has the value
1768              'permanent(4)', none of the information in the
1769              corresponding row of this table needs to be writable."
1770         ::= { t11FcSpAuEntityEntry 4 }

1772     t11FcSpAuSendRejNotifyEnable OBJECT-TYPE
1773         SYNTAX TruthValue
1774         MAX-ACCESS read-write
1775         STATUS current
1776         DESCRIPTION
1777             "An indication of whether or not the entity should issue
1778              t11FcSpAuRejectSentNotify notifications when sending
1779              AUTH_Reject/SW_RJT/LS_RJT to reject an AUTH message.

1781              If the value of the object is 'true', then this type of
1782              notification is generated. If the value is 'false',
1783              this type of notification is not generated."
1784         DEFVAL { false }
1785         ::= { t11FcSpAuEntityEntry 5 }

1787     t11FcSpAuRcvRejNotifyEnable OBJECT-TYPE
1788         SYNTAX TruthValue
1789         MAX-ACCESS read-write
1790         STATUS current
1791         DESCRIPTION
1792             "An indication of whether or not the entity should issue
1793              t11FcSpAuRejectReceivedNotify notifications on the receipt
1794              of AUTH_Reject/SW_RJT/LS_RJT messages.

1796              If the value of the object is 'true', then this type of
1797              notification is generated. If the value is 'false',
1798              this type of notification is not generated."
1799         DEFVAL { false }
1800         ::= { t11FcSpAuEntityEntry 6 }

1802     t11FcSpAuDefaultLifetime OBJECT-TYPE
1803         SYNTAX Unsigned32 (0..4294967295)
1804         MAX-ACCESS read-write
1805         STATUS current
1806         DESCRIPTION
1807             "When the value of this object is non-zero, it specifies the
1808              default value of a lifetime, specified in units given by
1809              the corresponding instance of t11FcSpAuDefaultLifetimeUnits.
1810              This default lifetime is to be used for any Security
1811              Association which has no explicitly-specified value for its
1812              lifetime.

1814              An SA's lifetime is either the time interval or the number
1815              of passed bytes, after which the SA has to be terminated and
1816              (if necessary) replaced with a new SA.

1818              If this object is zero, then there is no default value for
1819              lifetime."
1820         DEFVAL { 28800 } -- 8 hours (in units of seconds)
1821         ::= { t11FcSpAuEntityEntry 7 }

1823     t11FcSpAuDefaultLifetimeUnits OBJECT-TYPE
1824         SYNTAX INTEGER {
1825             seconds(1), -- seconds
1826             kiloBytes(2), -- 10^^3 bytes
1827             megaBytes(3), -- 10^^6 bytes
1828             gigaBytes(4), -- 10^^9 bytes
1829             teraBytes(5), -- 10^^12 bytes
1830             petaBytes(6), -- 10^^15 bytes
1831             exaBytes(7), -- 10^^18 bytes
1832             zettaBytes(8), -- 10^^21 bytes
1833             yottaBytes(9) -- 10^^24 bytes
1834         }
1835         MAX-ACCESS read-write
1836         STATUS current
1837         DESCRIPTION
1838             "The units in which the value of the corresponding
1839              instance of t11FcSpAuDefaultLifetime specifies a
1840              default lifetime for a Security Association which has
1841              no explicitly-specified value for its lifetime."
1842         DEFVAL { seconds }
1843         ::= { t11FcSpAuEntityEntry 8 }

1845     t11FcSpAuRejectMaxRows OBJECT-TYPE
1846         SYNTAX Unsigned32 (0..1000)
1847         MAX-ACCESS read-write
1848         STATUS current
1849         DESCRIPTION
1850             "The maximum number of rows in the t11FcSpAuRejectTable for
1851              this entity on this Fabric. If and when an AUTH message is
1852              rejected and the t11FcSpAuRejectTable already contains this
1853              maximum number of rows for the specific entity and Fabric,
1854              the row containing the oldest information is discarded and
1855              replaced by a row containing information about the new
1856              rejection.

1858              There will be less than this maximum number of rows in
1859              the t11FcSpAuRejectTable in exceptional circumstances,
1860              e.g., after an agent restart.

1862              In an implementation which does not support the
1863              t11FcSpAuRejectTable, this object will always be zero."
1864         ::= { t11FcSpAuEntityEntry 9 }

1866     t11FcSpAuDhChapHashFunctions OBJECT-TYPE
1867         SYNTAX T11FcSpHashFunctions
1868         MAX-ACCESS read-only
1869         STATUS current
1870         DESCRIPTION
1871             "The hash functions which the entity supports when using
1872              the DH-CHAP algorithm."
1873         ::= { t11FcSpAuEntityEntry 10 }

1875     t11FcSpAuDhChapDhGroups OBJECT-TYPE
1876         SYNTAX T11FcSpDhGroups
1877         MAX-ACCESS read-only
1878         STATUS current
1879         DESCRIPTION
1880             "The DH Groups which the entity supports when using the
1881              DH-CHAP algorithm in FC-SP."
1882         ::= { t11FcSpAuEntityEntry 11 }

1884     t11FcSpAuFcapHashFunctions OBJECT-TYPE
1885         SYNTAX T11FcSpHashFunctions
1886         MAX-ACCESS read-only
1887         STATUS current
1888         DESCRIPTION
1889             "The hash functions which the entity supports when
1890              specified as Protocol Parameters in the AUTH_Negotiate
1891              message for FCAP in FC-SP."
1892         REFERENCE
1893             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
1894              Fibre Channel - Security Protocols (FC-SP),
1895              13 June 2006, section 5.5.2.1 and table 28."
1896         ::= { t11FcSpAuEntityEntry 12 }

1898     t11FcSpAuFcapCertsSignFunctions OBJECT-TYPE
1899         SYNTAX T11FcSpSignFunctions
1900         MAX-ACCESS read-only
1901         STATUS current
1902         DESCRIPTION
1903             "The signature functions used within certificates which
1904              the entity supports when using FCAP in FC-SP."
1905         REFERENCE
1906             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
1907              Fibre Channel - Security Protocols (FC-SP),
1908              13 June 2006, section 5.5.4.2 and tables 38 & 39."
1909         ::= { t11FcSpAuEntityEntry 13 }

1911     t11FcSpAuFcapDhGroups OBJECT-TYPE
1912         SYNTAX T11FcSpDhGroups
1913         MAX-ACCESS read-only
1914         STATUS current
1915         DESCRIPTION
1916             "The DH Groups which the entity supports when using the
1917              FCAP algorithm in FC-SP."
1918         ::= { t11FcSpAuEntityEntry 14 }

1920     t11FcSpAuFcpapHashFunctions OBJECT-TYPE
1921         SYNTAX T11FcSpHashFunctions
1922         MAX-ACCESS read-only
1923         STATUS current
1924         DESCRIPTION
1925             "The hash functions which the entity supports when using
1926              the FCPAP algorithm in FC-SP."
1927         ::= { t11FcSpAuEntityEntry 15 }

1929     t11FcSpAuFcpapDhGroups OBJECT-TYPE
1930         SYNTAX T11FcSpDhGroups
1931         MAX-ACCESS read-only
1932         STATUS current
1933         DESCRIPTION
1934             "The DH Groups which the entity supports when using the
1935              FCPAP algorithm in FC-SP."
1936         ::= { t11FcSpAuEntityEntry 16 }

1938     --
1939     -- The Mapping of Authentication Entities onto Interfaces
1940     -- and Statistics
1941     --

1943     t11FcSpAuIfStatTable OBJECT-TYPE
1944         SYNTAX SEQUENCE OF T11FcSpAuIfStatEntry
1945         MAX-ACCESS not-accessible
1946         STATUS current
1947         DESCRIPTION
1948             "Each FC-SP Authentication entity can operate on one or more
1949              interfaces, but at most one of them can operate on each
1950              interface. A row in this table exists for each interface
1951              to each Fabric on which each Authentication entity operates.

1953              The objects within this table contain statistics information
1954              related to FC-SP's Authentication Protocols."
1955         ::= { t11FcSpAuMIBObjects 2 }

1957     t11FcSpAuIfStatEntry OBJECT-TYPE
1958         SYNTAX T11FcSpAuIfStatEntry
1959         MAX-ACCESS not-accessible
1960         STATUS current
1961         DESCRIPTION
1962             "A set of Authentication Protocols statistics for an FC-SP
1963              Authentication entity (identified by t11FcSpAuEntityName) on
1964              one of its interfaces to a particular Fabric, which is
1965              managed within the Fibre Channel management instance
1966              identified by fcmInstanceIndex."
1968         INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
1969                 t11FcSpAuIfStatInterfaceIndex,
1970                 t11FcSpAuIfStatFabricIndex }
1971         ::= { t11FcSpAuIfStatTable 1 }

1973     T11FcSpAuIfStatEntry ::= SEQUENCE {
1974         t11FcSpAuIfStatInterfaceIndex InterfaceIndex,
1975         t11FcSpAuIfStatFabricIndex T11FabricIndex,
1976         t11FcSpAuIfStatTimeouts Counter32,
1977         t11FcSpAuIfStatInAcceptedMsgs Counter32,
1978         t11FcSpAuIfStatInLsSwRejectedMsgs Counter32,
1979         t11FcSpAuIfStatInAuthRejectedMsgs Counter32,
1980         t11FcSpAuIfStatOutAcceptedMsgs Counter32,
1981         t11FcSpAuIfStatOutLsSwRejectedMsgs Counter32,
1982         t11FcSpAuIfStatOutAuthRejectedMsgs Counter32
1983     }

1985     t11FcSpAuIfStatInterfaceIndex OBJECT-TYPE
1986         SYNTAX InterfaceIndex
1987         MAX-ACCESS not-accessible
1988         STATUS current
1989         DESCRIPTION
1990             "The interface on which the FC-SP Authentication entity
1991              operates and for which the statistics are collected."
1992         ::= { t11FcSpAuIfStatEntry 1 }

1994     t11FcSpAuIfStatFabricIndex OBJECT-TYPE
1995         SYNTAX T11FabricIndex
1996         MAX-ACCESS not-accessible
1997         STATUS current
1998         DESCRIPTION
1999             "An index value identifying the particular Fabric for
2000              which the statistics are collected."
2001         ::= { t11FcSpAuIfStatEntry 2 }

2003     t11FcSpAuIfStatTimeouts OBJECT-TYPE
2004         SYNTAX Counter32
2005         MAX-ACCESS read-only
2006         STATUS current
2007         DESCRIPTION
2008             "The number of FC-SP Authentication Protocol messages sent
2009              by the particular entity on the particular Fabric on the
2010              particular interface, for which no response was received
2011              within a timeout period.

2013              This counter has no discontinuities other than those
2014              which all Counter32's have when sysUpTime=0."
2015         REFERENCE
2016             "Fibre Channel - Security Protocols (FC-SP),
2017              T11/Project 1570-D/Rev 1.8, June 2006, section 5.11."
2018         ::= { t11FcSpAuIfStatEntry 3 }

2020     t11FcSpAuIfStatInAcceptedMsgs OBJECT-TYPE
2021         SYNTAX Counter32
2022         MAX-ACCESS read-only
2023         STATUS current
2024         DESCRIPTION
2025             "The number of FC-SP Authentication Protocol messages
2026              received and accepted by the particular entity on the
2027              particular Fabric on the particular interface.

2029              This counter has no discontinuities other than those
2030              which all Counter32's have when sysUpTime=0."
2031         REFERENCE
2032             "Fibre Channel - Security Protocols (FC-SP),
2033              T11/Project 1570-D/Rev 1.8, June 2006, section 5.1."
2034         ::= { t11FcSpAuIfStatEntry 4 }

2036     t11FcSpAuIfStatInLsSwRejectedMsgs OBJECT-TYPE
2037         SYNTAX Counter32
2038         MAX-ACCESS read-only
2039         STATUS current
2040         DESCRIPTION
2041             "The number of FC-SP Authentication Protocol messages
2042              received by the particular entity on the particular Fabric
2043              on the particular interface, and rejected by a lower-level
2044              (SW_RJT or LS_RJT) reject.

2046              This counter has no discontinuities other than those
2047              which all Counter32's have when sysUpTime=0."
2048         REFERENCE
2049             "Fibre Channel - Security Protocols (FC-SP),
2050              T11/Project 1570-D/Rev 1.8, June 2006, section 5.1."
2051         ::= { t11FcSpAuIfStatEntry 5 }

2053     t11FcSpAuIfStatInAuthRejectedMsgs OBJECT-TYPE
2054         SYNTAX Counter32
2055         MAX-ACCESS read-only
2056         STATUS current
2057         DESCRIPTION
2058             "The number of FC-SP Authentication Protocol messages
2059              received by the particular entity on the particular Fabric
2060              on the particular interface, and rejected by an AUTH_Reject
2061              message.

2063              This counter has no discontinuities other than those
2064              which all Counter32's have when sysUpTime=0."
2065         REFERENCE
2066             "Fibre Channel - Security Protocols (FC-SP),
2067              T11/Project 1570-D/Rev 1.8, June 2006, section 5.1."
2068         ::= { t11FcSpAuIfStatEntry 6 }

2070     t11FcSpAuIfStatOutAcceptedMsgs OBJECT-TYPE
2071         SYNTAX Counter32
2072         MAX-ACCESS read-only
2073         STATUS current
2074         DESCRIPTION
2075             "The number of FC-SP Authentication Protocol messages sent
2076              by the particular entity on the particular Fabric on the
2077              particular interface, which were accepted by the
2078              neighbouring entity, i.e., not rejected by an AUTH_Reject
2079              message, nor by a lower-level (SW_RJT or LS_RJT) reject.

2081              This counter has no discontinuities other than those
2082              which all Counter32's have when sysUpTime=0."
2083         REFERENCE
2084             "Fibre Channel - Security Protocols (FC-SP),
2085              T11/Project 1570-D/Rev 1.8, June 2006, section 5.1."
2086         ::= { t11FcSpAuIfStatEntry 7 }

2088     t11FcSpAuIfStatOutLsSwRejectedMsgs OBJECT-TYPE
2089         SYNTAX Counter32
2090         MAX-ACCESS read-only
2091         STATUS current
2092         DESCRIPTION
2093             "The number of FC-SP Authentication Protocol messages sent
2094              by the particular entity on the particular Fabric on the
2095              particular interface, which were rejected by a lower-level
2096              (SW_RJT or LS_RJT) reject.

2098              This counter has no discontinuities other than those
2099              which all Counter32's have when sysUpTime=0."
2100         REFERENCE
2101             "Fibre Channel - Security Protocols (FC-SP),
2102              T11/Project 1570-D/Rev 1.8, June 2006, section 5.1."

2104         ::= { t11FcSpAuIfStatEntry 8 }

2106     t11FcSpAuIfStatOutAuthRejectedMsgs OBJECT-TYPE
2107         SYNTAX Counter32
2108         MAX-ACCESS read-only
2109         STATUS current
2110         DESCRIPTION
2111             "The number of FC-SP Authentication Protocol messages sent
2112              by the particular entity on the particular Fabric on the
2113              particular interface, which were rejected by an
2114              AUTH_Reject message.

2116              This counter has no discontinuities other than those
2117              which all Counter32's have when sysUpTime=0."
2118         REFERENCE
2119             "Fibre Channel - Security Protocols (FC-SP),
2120              T11/Project 1570-D/Rev 1.8, June 2006, section 5.1."
2121         ::= { t11FcSpAuIfStatEntry 9 }

2123     --
2124     -- Information about Authentication Protocol Transactions
2125     -- which were recently rejected
2126     --

2128     t11FcSpAuRejectTable OBJECT-TYPE
2129         SYNTAX SEQUENCE OF T11FcSpAuRejectEntry
2130         MAX-ACCESS not-accessible
2131         STATUS current
2132         DESCRIPTION
2133             "A table of volatile information about FC-SP Authentication
2134              Protocol transactions which were recently rejected with
2135              an AUTH_Reject message, or with an SW_RJT/LS_RJT.

2137              The maximum number of rows in this table for a specific
2138              entity on a specific Fabric is given by the value of the
2139              corresponding instance of t11FcSpAuRejectMaxRows.

2141              The syntax of t11FcSpAuRejTimestamp is TimeStamp, and thus
2142              its value rolls-over to zero after approximately 497 days.
2143              To avoid any confusion due to such a roll-over, rows should
2144              be deleted from this table before they are 497 days old.

2146              This table will be empty if no AUTH_Reject messages,
2147              nor any SW_RJT/LS_RJT's rejecting an AUTH message,
2148              have been sent or received since the last
2149              re-initialization of the agent."
2150         ::= { t11FcSpAuMIBObjects 3 }

2152     t11FcSpAuRejectEntry OBJECT-TYPE
2153         SYNTAX T11FcSpAuRejectEntry
2154         MAX-ACCESS not-accessible
2155         STATUS current
2156         DESCRIPTION
2157             "Information about one AUTH message (either an
2158              AUTH_ELS or an AUTH_ILS) which was rejected with an
2159              AUTH_Reject, SW_RJT or LS_RJT message, sent/received by
2160              the entity identified by values of fcmInstanceIndex and
2161              t11FcSpAuEntityName, on an interface to a particular
2162              Fabric."
2163         INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
2164                 t11FcSpAuRejInterfaceIndex, t11FcSpAuRejFabricIndex,
2165                 t11FcSpAuRejTimestamp }
2166         ::= { t11FcSpAuRejectTable 1 }

2168     T11FcSpAuRejectEntry ::= SEQUENCE {
2169         t11FcSpAuRejInterfaceIndex InterfaceIndex,
2170         t11FcSpAuRejFabricIndex T11FabricIndex,
2171         t11FcSpAuRejTimestamp TimeStamp,
2172         t11FcSpAuRejDirection INTEGER,
2173         t11FcSpAuRejType INTEGER,
2174         t11FcSpAuRejAuthMsgString OCTET STRING,
2175         t11FcSpAuRejReasonCode T11FcSpAuthRejectReasonCode,
2176         t11FcSpAuRejReasonCodeExp T11FcSpAuthRejReasonCodeExp
2177     }

2179     t11FcSpAuRejInterfaceIndex OBJECT-TYPE
2180         SYNTAX InterfaceIndex
2181         MAX-ACCESS not-accessible
2182         STATUS current
2183         DESCRIPTION
2184             "The interface on which the rejected AUTH message was
2185              sent or received."
2186         ::= { t11FcSpAuRejectEntry 1 }

2188     t11FcSpAuRejFabricIndex OBJECT-TYPE
2189         SYNTAX T11FabricIndex
2190         MAX-ACCESS not-accessible
2191         STATUS current
2192         DESCRIPTION
2193             "An index value identifying the particular Fabric on
2194              which the rejected AUTH message was sent or received."
2195         ::= { t11FcSpAuRejectEntry 2 }

2197     t11FcSpAuRejTimestamp OBJECT-TYPE
2198         SYNTAX TimeStamp
2199         MAX-ACCESS not-accessible
2200         STATUS current
2201         DESCRIPTION
2202             "The time at which the AUTH message was rejected. If two
2203              rows have the same value of this object for the same
2204              entity on the same interface and Fabric, the value of
2205              this object for the later one is incremented by one."
2206         ::= { t11FcSpAuRejectEntry 3 }

2208     t11FcSpAuRejDirection OBJECT-TYPE
2209         SYNTAX INTEGER { sent(1), received(2) }
2210         MAX-ACCESS read-only
2211         STATUS current
2212         DESCRIPTION
2213             "An indication of whether the rejection was sent or
2214              received by the identified entity.

2216              The value 'sent(1)' corresponds to a notification of
2217              type t11FcSpAuRejectSentNotify; the value 'received(2)'
2218              corresponds to t11FcSpAuRejectReceivedNotify."
2219         ::= { t11FcSpAuRejectEntry 4 }

2221     t11FcSpAuRejType OBJECT-TYPE
2222         SYNTAX INTEGER {
2223             authReject(1),
2224             swRjt(2),
2225             lsRjt(3)
2226         }
2227         MAX-ACCESS read-only
2228         STATUS current
2229         DESCRIPTION
2230             "An indication of whether the rejection was an
2231              AUTH_Reject, an SW_RJT or an LS_RJT."
2232         ::= { t11FcSpAuRejectEntry 5 }

2234     t11FcSpAuRejAuthMsgString OBJECT-TYPE
2235         SYNTAX OCTET STRING (SIZE(0..255))
2236         MAX-ACCESS read-only
2237         STATUS current
2238         DESCRIPTION
2239             "The binary content of the AUTH message which was
2240              rejected, formatted as an octet string (in network
2241              byte order) containing the content of the message.

2243              If the binary content is unavailable, then the
2244              length is zero. Otherwise, the first octet of the
2245              message identifies the type of message:

2247                  '90'h - an AUTH_ELS, see Table 6 in FC-SP,
2248                  '40'h - an AUTH_ILS, see Table 3 in FC-SP, or
2249                  '41'h - a B_AUTH_ILS, see Table 5 in FC-SP.

2251              and the remainder of the message may be truncated."
2252         REFERENCE
2253             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
2254              Fibre Channel - Security Protocols (FC-SP),
2255              13 June 2006, Tables 3, 5 and 6."
2256         ::= { t11FcSpAuRejectEntry 6 }

2258     t11FcSpAuRejReasonCode OBJECT-TYPE
2259         SYNTAX T11FcSpAuthRejectReasonCode
2260         MAX-ACCESS read-only
2261         STATUS current
2262         DESCRIPTION
2263             "The reason code with which this AUTH message was
2264              rejected."
2265         REFERENCE
2266             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
2267              Fibre Channel - Security Protocols (FC-SP),
2268              13 June 2006, Table 17, 48, 52."
2269         ::= { t11FcSpAuRejectEntry 7 }

2271     t11FcSpAuRejReasonCodeExp OBJECT-TYPE
2272         SYNTAX T11FcSpAuthRejReasonCodeExp
2273         MAX-ACCESS read-only
2274         STATUS current
2275         DESCRIPTION
2276             "The reason code explanation with which this AUTH
2277              message was rejected."
2278         REFERENCE
2279             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
2280              Fibre Channel - Security Protocols (FC-SP),
2281              13 June 2006, Table 17, 48, 52."
2282         ::= { t11FcSpAuRejectEntry 8 }

2284     --
2285     -- Notifications
2286     --

2288     t11FcSpAuRejectSentNotify NOTIFICATION-TYPE
2289         OBJECTS { t11FamLocalSwitchWwn,
2290                   t11FcSpAuRejAuthMsgString,
2291                   t11FcSpAuRejType,
2292                   t11FcSpAuRejReasonCode,
2293                   t11FcSpAuRejReasonCodeExp }
2294         STATUS current
2295         DESCRIPTION
2296             "This notification indicates that a Switch (identified
2297              by the value of t11FamLocalSwitchWwn) has sent a reject
2298              message of the type indicated by t11FcSpAuRejType in
2299              response to an AUTH message.

2301              The content of the rejected AUTH message is given by the
2302              value of t11FcSpAuRejAuthMsgString. The values of the
2303              Reason Code and Reason Code Explanation in the
2304              AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of
2305              t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp."
2306         ::= { t11FcSpAuMIBNotifications 1 }

2308     t11FcSpAuRejectReceivedNotify NOTIFICATION-TYPE
2309         OBJECTS { t11FamLocalSwitchWwn,
2310                   t11FcSpAuRejAuthMsgString,
2311                   t11FcSpAuRejType,
2312                   t11FcSpAuRejReasonCode,
2313                   t11FcSpAuRejReasonCodeExp }
2314         STATUS current
2315         DESCRIPTION
2316             "This notification indicates that a Switch (identified
2317              by the value of t11FamLocalSwitchWwn) has received a
2318              reject message of the type indicated by t11FcSpAuRejType
2319              in response to an AUTH message.

2321              The content of the rejected AUTH message is given by the
2322              value of t11FcSpAuRejAuthMsgString. The values of the
2323              Reason Code and Reason Code Explanation in the
2324              AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of
2325              t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp."
2326      ::= { t11FcSpAuMIBNotifications 2 }

2328  --
2329  -- Conformance
2330  --

2332  t11FcSpAuMIBCompliances
2333      OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 1 }
2334  t11FcSpAuMIBGroups
2335      OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 2 }

2337  t11FcSpAuMIBCompliance MODULE-COMPLIANCE
2338      STATUS current
2339      DESCRIPTION
2340          "The compliance statement for entities which
2341           implement one or more of the Authentication Protocols
2342           defined in FC-SP."

2344      MODULE -- this module
2345          MANDATORY-GROUPS { t11FcSpAuGeneralGroup,
2346                             t11FcSpAuRejectedGroup,
2347                             t11FcSpAuNotificationGroup }

2349          GROUP t11FcSpAuIfStatsGroup
2350          DESCRIPTION
2351              "These counters, of particular FC-SP messages and
2352               events, are mandatory only for those systems that
2353               count such messages/events."

2355      -- Write access is not required for any objects in this MIB module:

2357          OBJECT t11FcSpAuStorageType
2358          MIN-ACCESS read-only
2359          DESCRIPTION
2360              "Write access is not required."

2362          OBJECT t11FcSpAuSendRejNotifyEnable
2363          MIN-ACCESS read-only
2364          DESCRIPTION
2365              "Write access is not required."

2367          OBJECT t11FcSpAuRcvRejNotifyEnable
2368          MIN-ACCESS read-only
2369          DESCRIPTION
2370              "Write access is not required."

2372          OBJECT t11FcSpAuDefaultLifetime
2373          MIN-ACCESS read-only
2374          DESCRIPTION
2375              "Write access is not required."

2377          OBJECT t11FcSpAuDefaultLifetimeUnits
2378          MIN-ACCESS read-only
2379          DESCRIPTION
2380              "Write access is not required."

2382          OBJECT t11FcSpAuRejectMaxRows
2383          MIN-ACCESS read-only
2384          DESCRIPTION
2385              "Write access is not required."
2387      ::= { t11FcSpAuMIBCompliances 1 }

2389  -- Units of Conformance

2391  t11FcSpAuGeneralGroup OBJECT-GROUP
2392      OBJECTS { t11FcSpAuServerProtocol,
2393                t11FcSpAuStorageType,
2394                t11FcSpAuSendRejNotifyEnable,
2395                t11FcSpAuRcvRejNotifyEnable,
2396                t11FcSpAuDefaultLifetime,
2397                t11FcSpAuDefaultLifetimeUnits,
2398                t11FcSpAuRejectMaxRows,
2399                t11FcSpAuDhChapHashFunctions,
2400                t11FcSpAuDhChapDhGroups,
2401                t11FcSpAuFcapHashFunctions,
2402                t11FcSpAuFcapCertsSignFunctions,
2403                t11FcSpAuFcapDhGroups,
2404                t11FcSpAuFcpapHashFunctions,
2405                t11FcSpAuFcpapDhGroups,
2406                t11FcSpAuIfStatTimeouts }
2407      STATUS current
2408      DESCRIPTION
2409          "A collection of objects for the capabilities and
2410           configuration parameters of FC-SP's Authentication
2411           Protocols. The inclusion of t11FcSpAuIfStatTimeouts
2412           in this group provides information on mappings of
2413           Authentication entities onto interfaces."
2414      ::= { t11FcSpAuMIBGroups 1 }

2416  t11FcSpAuIfStatsGroup OBJECT-GROUP
2417      OBJECTS { t11FcSpAuIfStatInAcceptedMsgs,
2418                t11FcSpAuIfStatInLsSwRejectedMsgs,
2419                t11FcSpAuIfStatInAuthRejectedMsgs,
2420                t11FcSpAuIfStatOutAcceptedMsgs,
2421                t11FcSpAuIfStatOutLsSwRejectedMsgs,
2422                t11FcSpAuIfStatOutAuthRejectedMsgs }
2423      STATUS current
2424      DESCRIPTION
2425          "A collection of objects for monitoring the
2426           operations of FC-SP's Authentication Protocols."
2427      ::= { t11FcSpAuMIBGroups 2 }

2429  t11FcSpAuRejectedGroup OBJECT-GROUP
2430      OBJECTS { t11FcSpAuRejDirection,
2431                t11FcSpAuRejType,
2432                t11FcSpAuRejAuthMsgString,
2433                t11FcSpAuRejReasonCode,
2434                t11FcSpAuRejReasonCodeExp }
2435      STATUS current
2436      DESCRIPTION
2437          "A collection of objects holding information concerning
2438           FC-SP Authentication Protocol transactions which were
2439           recently rejected with an AUTH_Reject, with an SW_RJT,
2440           or with an LS_RJT."
2441      ::= { t11FcSpAuMIBGroups 3 }

2443  t11FcSpAuNotificationGroup NOTIFICATION-GROUP
2444      NOTIFICATIONS { t11FcSpAuRejectSentNotify,
2445                      t11FcSpAuRejectReceivedNotify }
2446      STATUS current
2447      DESCRIPTION
2448          "A collection of notifications for use in the management
2449           of FC-SP's Authentication Protocols."
2450      ::= { t11FcSpAuMIBGroups 4 }

2452  END
2453  6.3. The T11-FC-SP-ZONING-MIB Module

2455  --*******************************************************************
2456  -- FC-SP Zoning
2457  --

2459  T11-FC-SP-ZONING-MIB DEFINITIONS ::= BEGIN

2461  IMPORTS
2462      MODULE-IDENTITY, OBJECT-TYPE,
2463      NOTIFICATION-TYPE, mib-2,
2464      Counter32
2465          FROM SNMPv2-SMI -- [RFC2578]
2466      TruthValue FROM SNMPv2-TC -- [RFC2579]
2467      MODULE-COMPLIANCE, OBJECT-GROUP,
2468      NOTIFICATION-GROUP
2469          FROM SNMPv2-CONF -- [RFC2580]
2470      ifIndex FROM IF-MIB -- [RFC2863]
2471      t11ZsServerEntry,
2472      t11ZsStatsEntry,
2473      t11ZsNotifyControlEntry,
2474      t11ZsFabricIndex FROM T11-FC-ZONE-SERVER-MIB -- [FC-ZS-MIB]
2475      T11FcSpPolicyHashValue,
2476      T11FcSpPolicyHashFormat
2477          FROM T11-FC-SP-TC-MIB;

2479  t11FcSpZoningMIB MODULE-IDENTITY
2480      LAST-UPDATED "200702190000Z"
2481      ORGANIZATION "T11"
2482      CONTACT-INFO
2483          " Claudio DeSanti
2484            Cisco Systems, Inc.
2485            170 West Tasman Drive
2486            San Jose, CA 95134 USA
2487            EMail: cds@cisco.com

2489            Keith McCloghrie
2490            Cisco Systems, Inc.
2491            170 West Tasman Drive
2492            San Jose, CA 95134 USA
2493            Email: kzm@cisco.com"
2494      DESCRIPTION
2495          "This MIB module specifies the extensions to the
2496           T11-FC-ZONE-SERVER-MIB module which are necessary for the
2497           management of Fibre Channel's FC-SP Zoning Servers, as
2498           defined in the FC-SP specification.

2500           The persistence of values written to these MIB objects is
2501           the same as the persistence of the objects they extend,
2502           i.e., it is given by the value of the relevant instance of
2503           t11ZsServerDatabaseStorageType (defined in the
2504           T11-FC-ZONE-SERVER-MIB module).
2506           Copyright (C) The IETF Trust (2007). This version
2507           of this MIB module is part of RFC yyyy; see the RFC
2508           itself for full legal notices."
2509  -- RFC Editor: replace yyyy with actual RFC number & remove this note
2510      REVISION "200702190000Z"
2511      DESCRIPTION
2512          "Initial version of this MIB module, published as RFCyyyy."
2513  -- RFC-Editor, replace yyyy with actual RFC number & remove this note
2514      ::= { mib-2 nnn } -- to be assigned by IANA
2515  -- RFC Editor: replace nnn with IANA-assigned number & remove this note

2517  t11FcSpZsMIBObjects OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 1 }
2518  t11FcSpZsMIBConformance OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 2 }
2519  t11FcSpZsMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 0 }
2520  t11FcSpZsConfiguration OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 1 }
2521  t11FcSpZsStatistics OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 2 }
2522  --
2523  -- Augmenting the table of Zone Servers
2524  --

2526  t11FcSpZsServerTable OBJECT-TYPE
2527      SYNTAX SEQUENCE OF T11FcSpZsServerEntry
2528      MAX-ACCESS not-accessible
2529      STATUS current
2530      DESCRIPTION
2531          "A table which provides FC-SP-specific information about
2532           the Zone Servers on each Fabric in one or more Switches."
2533      ::= { t11FcSpZsConfiguration 1 }

2535  t11FcSpZsServerEntry OBJECT-TYPE
2536      SYNTAX T11FcSpZsServerEntry
2537      MAX-ACCESS not-accessible
2538      STATUS current
2539      DESCRIPTION
2540          "Each entry contains information relevant to FC-SP
2541           for a particular Zone Server for a particular Fabric
2542           on a particular Switch. The Fabric and Switch are
2543           identified in the same manner as in t11ZsServerEntry."
2544      AUGMENTS { t11ZsServerEntry }
2545      ::= { t11FcSpZsServerTable 1 }

2547  T11FcSpZsServerEntry ::= SEQUENCE {
2548      t11FcSpZsServerCapabilityObject BITS,
2549      t11FcSpZsServerEnabled TruthValue,
2550      t11FcSpZoneSetHashStatus INTEGER,
2551      t11FcSpActiveZoneSetHashType T11FcSpPolicyHashFormat,
2552      t11FcSpActiveZoneSetHash T11FcSpPolicyHashValue,
2553      t11FcSpZoneSetDatabaseHashType T11FcSpPolicyHashFormat,
2554      t11FcSpZoneSetDatabaseHash T11FcSpPolicyHashValue
2555  }

2557  t11FcSpZsServerCapabilityObject OBJECT-TYPE
2558      SYNTAX BITS {
2559          fcSpZoning(0)
2560      }
2561      MAX-ACCESS read-only
2562      STATUS current
2563      DESCRIPTION
2564          "Capabilities of the Zone Server for the particular Fabric
2565           on the particular Switch, with respect to FC-SP Zoning:

2567               fcSpZoning -- set to 1 to indicate the Switch is
2568                             capable of supporting FC-SP Zoning.
2569          "
2570      REFERENCE
2571          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel
2572           - Security Protocols (FC-SP), 13 June 2006, Table 184."
2573      ::= { t11FcSpZsServerEntry 1 }

2575  t11FcSpZsServerEnabled OBJECT-TYPE
2576      SYNTAX TruthValue
2577      MAX-ACCESS read-write
2578      STATUS current
2579      DESCRIPTION
2580          "This object indicates whether the Zone Server for the
2581           particular Fabric on the particular Switch, is operating in
2582           FC-SP Zoning mode."
2583      REFERENCE
2584          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel
2585           - Security Protocols (FC-SP), 13 June 2006, Table 185."
2586      ::= { t11FcSpZsServerEntry 2 }

2588  t11FcSpZoneSetHashStatus OBJECT-TYPE
2589      SYNTAX INTEGER {
2590          calculate(1),
2591          correct(2),
2592          stale(3)
2593      }
2594      MAX-ACCESS read-write
2595      STATUS current
2596      DESCRIPTION
2597          "When read, the value of this object is either:

2599               correct -- the corresponding instances of both
2600                          t11FcSpActiveZoneSetHash and
2601                          t11FcSpZoneSetDatabaseHash contain
2602                          the correct hash values; or
2603               stale -- the corresponding instances of
2604                          t11FcSpActiveZoneSetHash and
2605                          t11FcSpZoneSetDatabaseHash contain
2606                          stale (possibly incorrect) values;

2608           Writing a value of 'calculate' is a request to re-calculate
2609           and update the values of the corresponding instances of both
2610           t11FcSpActiveZoneSetHash and t11FcSpZoneSetDatabaseHash.
2611           Writing a value of 'correct' or 'stale' to this object
2612           is an error ('wrongValue').

2614           When the Active Zone Set and/or the Zone Set Database are
2615           updated, it is common that multiple changes need to be made
2616           at the same time. In such circumstances, the use of this
2617           object allows the hash values to be updated only once after
2618           all changes, rather than repeatedly/after each individual
2619           change."
2620      DEFVAL { stale }
2621      ::= { t11FcSpZsServerEntry 3 }

2623  t11FcSpActiveZoneSetHashType OBJECT-TYPE
2624      SYNTAX T11FcSpPolicyHashFormat
2625      MAX-ACCESS read-only
2626      STATUS current
2627      DESCRIPTION
2628          "The format used for the hash value contained in the
2629           corresponding instance of t11FcSpActiveZoneSetHash."
2630      ::= { t11FcSpZsServerEntry 4 }

2632  t11FcSpActiveZoneSetHash OBJECT-TYPE
2633      SYNTAX T11FcSpPolicyHashValue
2634      MAX-ACCESS read-only
2635      STATUS current
2636      DESCRIPTION
2637          "The value of the hash for the current Active Zone Set.
2638           The format of this value is given by the corresponding
2639           instance of t11FcSpActiveZoneSetHashType."
2640      REFERENCE
2641          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel
2642           - Security Protocols (FC-SP), 13 June 2006, Table 187."
2643      ::= { t11FcSpZsServerEntry 5 }

2645  t11FcSpZoneSetDatabaseHashType OBJECT-TYPE
2646      SYNTAX T11FcSpPolicyHashFormat
2647      MAX-ACCESS read-only
2648      STATUS current
2649      DESCRIPTION
2650          "The format used for the hash value contained in the
2651           corresponding instance of t11FcSpZoneSetDatabaseHash."
2652      ::= { t11FcSpZsServerEntry 6 }

2654  t11FcSpZoneSetDatabaseHash OBJECT-TYPE
2655      SYNTAX T11FcSpPolicyHashValue
2656      MAX-ACCESS read-only
2657      STATUS current
2658      DESCRIPTION
2659          "The value of the hash for the current Zone Set Database.
2660           The format of this value is given by the corresponding
2661           instance of t11FcSpZoneSetDatabaseHashType."
2662      REFERENCE
2663          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel
2664           - Security Protocols (FC-SP), 13 June 2006, Table 187."
2665      ::= { t11FcSpZsServerEntry 7 }

2667  --
2668  -- Additional Statistics for FC-SP Zoning
2669  --

2671  t11FcSpZsStatsTable OBJECT-TYPE
2672      SYNTAX SEQUENCE OF T11FcSpZsStatsEntry
2673      MAX-ACCESS not-accessible
2674      STATUS current
2675      DESCRIPTION
2676          "A table of statistics specific to FC-SP which are
2677           maintained by Zone Servers."
2678      ::= { t11FcSpZsStatistics 1 }

2680  t11FcSpZsStatsEntry OBJECT-TYPE
2681      SYNTAX T11FcSpZsStatsEntry
2682      MAX-ACCESS not-accessible
2683      STATUS current
2684      DESCRIPTION
2685          "A set of statistics specific to FC-SP for a particular
2686           Zone Server for a particular Fabric on a particular Switch.
2687           The Fabric and Switch are identified in the same manner as
2688           in t11ZsStatsEntry."
2689      AUGMENTS { t11ZsStatsEntry }
2690      ::= { t11FcSpZsStatsTable 1 }

2692  T11FcSpZsStatsEntry ::= SEQUENCE {
2693      t11FcSpZsSPCMITrequestsSent Counter32,
2694      t11FcSpZsSPCMITrequestsAccepted Counter32,
2695      t11FcSpZsSPCMITrequestsRejected Counter32,
2696      t11FcSpZsZcpRequestsSent Counter32,
2697      t11FcSpZsZcpRequestsAccepted Counter32,
2698      t11FcSpZsZcpRequestsRejected Counter32,
2699      t11FcSpZsZirRequestsAccepted Counter32,
2700      t11FcSpZsZirRequestsRejected Counter32
2701  }
2702  t11FcSpZsSPCMITrequestsSent OBJECT-TYPE
2703      SYNTAX Counter32
2704      MAX-ACCESS read-only
2705      STATUS current
2706      DESCRIPTION
2707          "The number of SP Commit Zone Changes (SPCMIT) operation
2708           requests sent by the Zone Server.

2710           This counter has no discontinuities other than those
2711           which all Counter32's have when sysUpTime=0."
2712      ::= { t11FcSpZsStatsEntry 1 }

2714  t11FcSpZsSPCMITrequestsAccepted OBJECT-TYPE
2715      SYNTAX Counter32
2716      MAX-ACCESS read-only
2717      STATUS current
2718      DESCRIPTION
2719          "The number of SP Commit Zone Changes (SPCMIT) operation
2720           requests received and accepted by the Zone Server.

2722           This counter has no discontinuities other than those
2723           which all Counter32's have when sysUpTime=0."
2724      ::= { t11FcSpZsStatsEntry 2 }

2726  t11FcSpZsSPCMITrequestsRejected OBJECT-TYPE
2727      SYNTAX Counter32
2728      MAX-ACCESS read-only
2729      STATUS current
2730      DESCRIPTION
2731          "The number of SP Commit Zone Changes (SPCMIT) operation
2732           requests received but rejected by the Zone Server.

2734           This counter has no discontinuities other than those
2735           which all Counter32's have when sysUpTime=0."
2736      ::= { t11FcSpZsStatsEntry 3 }

2738  t11FcSpZsZcpRequestsSent OBJECT-TYPE
2739      SYNTAX Counter32
2740      MAX-ACCESS read-only
2741      STATUS current
2742      DESCRIPTION
2743          "The number of Zoning Check Protocol (ZCP) requests sent
2744           by the Zone Server.

2746           This counter has no discontinuities other than those
2747           which all Counter32's have when sysUpTime=0."
2748      ::= { t11FcSpZsStatsEntry 4 }

2750  t11FcSpZsZcpRequestsAccepted OBJECT-TYPE
2751      SYNTAX Counter32
2752      MAX-ACCESS read-only
2753      STATUS current
2754      DESCRIPTION
2755          "The number of Zoning Check Protocol (ZCP) requests received
2756           and accepted by the Zone Server.

2758           This counter has no discontinuities other than those
2759           which all Counter32's have when sysUpTime=0."
2760      ::= { t11FcSpZsStatsEntry 5 }

2762  t11FcSpZsZcpRequestsRejected OBJECT-TYPE
2763      SYNTAX Counter32
2764      MAX-ACCESS read-only
2765      STATUS current
2766      DESCRIPTION
2767          "The number of Zoning Check Protocol (ZCP) requests received
2768           but rejected by the Zone Server.

2770           This counter has no discontinuities other than those
2771           which all Counter32's have when sysUpTime=0."
2772      ::= { t11FcSpZsStatsEntry 6 }

2774  t11FcSpZsZirRequestsAccepted OBJECT-TYPE
2775      SYNTAX Counter32
2776      MAX-ACCESS read-only
2777      STATUS current
2778      DESCRIPTION
2779          "The number of Zoning Information Request (ZIR) requests
2780           received and accepted by the Zone Server.

2782           This counter has no discontinuities other than those
2783           which all Counter32's have when sysUpTime=0."
2784      ::= { t11FcSpZsStatsEntry 7 }

2786  t11FcSpZsZirRequestsRejected OBJECT-TYPE
2787      SYNTAX Counter32
2788      MAX-ACCESS read-only
2789      STATUS current
2790      DESCRIPTION
2791          "The number of Zoning Information Request (ZIR) requests
2792           received but rejected by the Zone Server.

2794           This counter has no discontinuities other than those
2795           which all Counter32's have when sysUpTime=0."
2796      ::= { t11FcSpZsStatsEntry 8 }

2798  --
2799  -- Enable/Disable for Notifications
2800  --

2802  t11FcSpZsNotifyControlTable OBJECT-TYPE
2803      SYNTAX SEQUENCE OF T11FcSpZsNotifyControlEntry
2804      MAX-ACCESS not-accessible
2805      STATUS current
2806      DESCRIPTION
2807          "A table of control information for notifications
2808           generated due to Zone Server events related to
2809           FC-SP Zoning."
2810      ::= { t11FcSpZsConfiguration 2 }

2812  t11FcSpZsNotifyControlEntry OBJECT-TYPE
2813      SYNTAX T11FcSpZsNotifyControlEntry
2814      MAX-ACCESS not-accessible
2815      STATUS current
2816      DESCRIPTION
2817          "Each entry is an augmentation of the notification control
2818           information for a Zone Server for a particular Fabric on a
2819           particular Switch. The Fabric and Switch are identified in
2820           the same manner as in t11ZsNotifyControlEntry."
2821      AUGMENTS { t11ZsNotifyControlEntry }
2822      ::= { t11FcSpZsNotifyControlTable 1 }

2824  T11FcSpZsNotifyControlEntry ::= SEQUENCE {
2825      t11FcSpZsNotifyJoinSuccessEnable TruthValue,
2826      t11FcSpZsNotifyJoinFailureEnable TruthValue
2827  }

2829  t11FcSpZsNotifyJoinSuccessEnable OBJECT-TYPE
2830      SYNTAX TruthValue
2831      MAX-ACCESS read-write
2832      STATUS current
2833      DESCRIPTION
2834          "This object specifies whether
2835           t11FcSpZsFabricJoinSuccessNotify notifications should be
2836           generated by the Zone Server for this Fabric."

2838      ::= { t11FcSpZsNotifyControlEntry 1 }

2840  t11FcSpZsNotifyJoinFailureEnable OBJECT-TYPE
2841      SYNTAX TruthValue
2842      MAX-ACCESS read-write
2843      STATUS current
2844      DESCRIPTION
2845          "This object specifies whether
2846           t11FcSpZsFabricJoinFailureNotify notifications should be
2847           generated by the Zone Server for this Fabric."
2848      ::= { t11FcSpZsNotifyControlEntry 2 }

2850  --
2851  -- Notifications
2852  --

2854  t11FcSpZsFabricJoinSuccessNotify NOTIFICATION-TYPE
2855      OBJECTS { ifIndex, t11ZsFabricIndex }
2856      STATUS current
2857      DESCRIPTION
2858          "This notification indicates that a Switch which is part
2859           of one Fabric (indicated by the value of t11ZsFabricIndex)
2860           has successfully joined (on the interface indicated by the
2861           value of ifIndex) with a Switch which is part of another
2862           Fabric.
2864           If multiple Virtual Fabrics are configured on an interface,
2865           and all are successfully joined at the same time, and if
2866           the agent so chooses, then it can generate just one
2867           notification in which t11ZsFabricIndex has the value 4096."
2868      ::= { t11FcSpZsMIBNotifications 1 }

2870  t11FcSpZsFabricJoinFailureNotify NOTIFICATION-TYPE
2871      OBJECTS { ifIndex, t11ZsFabricIndex }
2872      STATUS current
2873      DESCRIPTION
2874          "This notification indicates that an E_Port on the local
2875           Switch has entered the Isolated state because a join
2876           between two Fabrics failed. The failure occurred on the
2877           local Fabric indicated by the value of t11ZsFabricIndex,
2878           on the interface indicated by the value of ifIndex.

2880           If multiple Virtual Fabrics are configured on an interface,
2881           and all have a failure to join at the same time, and if the
2882           agent so chooses, then it can generate just one notification
2883           in which t11ZsFabricIndex has the value 4096."
2884      ::= { t11FcSpZsMIBNotifications 2 }

2886  --
2887  -- Conformance
2888  --

2890  t11FcSpZsMIBCompliances
2891      OBJECT IDENTIFIER ::= { t11FcSpZsMIBConformance 1 }
2892  t11FcSpZsMIBGroups OBJECT IDENTIFIER ::= { t11FcSpZsMIBConformance 2 }

2894  t11FcSpZsMIBCompliance MODULE-COMPLIANCE
2895      STATUS current
2896      DESCRIPTION
2897          "The compliance statement for entities which
2898           implement the extensions specified in FC-SP for
2899           Fibre Channel's Zone Server."

2901      MODULE -- this module
2902          MANDATORY-GROUPS { t11FcSpZsObjectsGroup,
2903                             t11FcSpZsNotificationControlGroup,
2904                             t11FcSpZsNotificationGroup }

2906          GROUP t11FcSpZsStatisticsGroup
2907          DESCRIPTION
2908              "These counters, containing Zone Server statistics,
2909               are mandatory only for those systems which count
2910               such events."

2912      -- Write access is not required for any objects in this MIB module:

2914          OBJECT t11FcSpZsServerEnabled
2915          MIN-ACCESS read-only
2916          DESCRIPTION
2917              "Write access is not required."
2919          OBJECT t11FcSpZoneSetHashStatus
2920          MIN-ACCESS read-only
2921          DESCRIPTION
2922              "Write access is not required."

2924          OBJECT t11FcSpZsNotifyJoinSuccessEnable
2925          MIN-ACCESS read-only
2926          DESCRIPTION
2927              "Write access is not required."

2929          OBJECT t11FcSpZsNotifyJoinFailureEnable
2930          MIN-ACCESS read-only
2931          DESCRIPTION
2932              "Write access is not required."

2934      ::= { t11FcSpZsMIBCompliances 1 }

2936  -- Units of Conformance

2938  t11FcSpZsObjectsGroup OBJECT-GROUP
2939      OBJECTS { t11FcSpZsServerCapabilityObject,
2940                t11FcSpZsServerEnabled,
2941                t11FcSpZoneSetHashStatus,
2942                t11FcSpActiveZoneSetHashType,
2943                t11FcSpActiveZoneSetHash,
2944                t11FcSpZoneSetDatabaseHashType,
2945                t11FcSpZoneSetDatabaseHash
2946              }
2947      STATUS current
2948      DESCRIPTION
2949          "A collection of objects for Zone configuration
2950           information of a Zone Server capable of
2951           operating in FC-SP Zoning mode."
2952      ::= { t11FcSpZsMIBGroups 1 }

2954  t11FcSpZsNotificationControlGroup OBJECT-GROUP
2955      OBJECTS { t11FcSpZsNotifyJoinSuccessEnable,
2956                t11FcSpZsNotifyJoinFailureEnable
2957              }
2958      STATUS current
2959      DESCRIPTION
2960          "A collection of notification control objects for
2961           monitoring Zone Server failures specific to FC-SP."
2962      ::= { t11FcSpZsMIBGroups 2 }

2964  t11FcSpZsStatisticsGroup OBJECT-GROUP
2965      OBJECTS { t11FcSpZsSPCMITrequestsSent,
2966                t11FcSpZsSPCMITrequestsAccepted,
2967                t11FcSpZsSPCMITrequestsRejected,
2968                t11FcSpZsZcpRequestsSent,
2969                t11FcSpZsZcpRequestsAccepted,
2970                t11FcSpZsZcpRequestsRejected,
2971                t11FcSpZsZirRequestsAccepted,
2972                t11FcSpZsZirRequestsRejected
2973              }

2975      STATUS current
2976      DESCRIPTION
2977          "A collection of objects for collecting Zone Server
2978           statistics which are specific to FC-SP."
2979      ::= { t11FcSpZsMIBGroups 3 }

2981  t11FcSpZsNotificationGroup NOTIFICATION-GROUP
2982      NOTIFICATIONS { t11FcSpZsFabricJoinSuccessNotify,
2983                      t11FcSpZsFabricJoinFailureNotify
2984                    }
2985      STATUS current
2986      DESCRIPTION
2987          "A collection of notification(s) for monitoring
2988           Zone Server events which are specific to FC-SP."
2989      ::= { t11FcSpZsMIBGroups 4 }

2991  END
2992  6.4. The T11-FC-SP-POLICY-MIB Module

2994  --*******************************************************************
2995  -- FC-SP Policy
2996  --

2998  T11-FC-SP-POLICY-MIB DEFINITIONS ::= BEGIN

3000  IMPORTS
3001      MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, mib-2,
3002      Counter32, Unsigned32
3003          FROM SNMPv2-SMI -- [RFC2578]
3004      RowStatus, StorageType, TimeStamp,
3005      TruthValue FROM SNMPv2-TC -- [RFC2579]
3006      MODULE-COMPLIANCE, OBJECT-GROUP,
3007      NOTIFICATION-GROUP
3008          FROM SNMPv2-CONF -- [RFC2580]
3009      SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
3010      InetAddress,
3011      InetAddressType FROM INET-ADDRESS-MIB -- [RFC4001]
3012      fcmInstanceIndex,
3013      FcNameIdOrZero,
3014      FcDomainIdOrZero FROM FC-MGMT-MIB -- [RFC4044]
3015      T11NsGs4RejectReasonCode
3016          FROM T11-FC-NAME-SERVER-MIB -- [RFC4438]
3017      T11FabricIndex FROM T11-TC-MIB -- [RFC4439]
3018      T11FcSpAlphaNumName,
3019      T11FcSpAlphaNumNameOrNull,
3020      T11FcSpPolicyName,
3021      T11FcSpPolicyNameType,
3022      T11FcSpPolicyObjectType,
3023      T11FcSpPolicyHashFormat,
3024      T11FcSpPolicyHashValue FROM T11-FC-SP-TC-MIB;

3026  t11FcSpPolicyMIB MODULE-IDENTITY
3027      LAST-UPDATED "200702190000Z"
3028      ORGANIZATION "T11"
3029      CONTACT-INFO
3030          " Claudio DeSanti
3031            Cisco Systems, Inc.
3032            170 West Tasman Drive
3033            San Jose, CA 95134 USA
3034            EMail: cds@cisco.com
3035            Keith McCloghrie
3036            Cisco Systems, Inc.
3037            170 West Tasman Drive
3038            San Jose, CA 95134 USA
3039            Email: kzm@cisco.com"
3040      DESCRIPTION
3041          "This MIB module specifies the management information
3042           required to manage Fabric Policies as defined by Fibre
3043           Channel's FC-SP specification.
3045           FC-SP uses the term 'Policy Objects', sometimes abbreviated
3046           to just 'Objects', to refer to containers used to hold the
3047           data by which Fabric Policies are specified/stored. This
3048           obviously has the potential to cause confusion between
3049           'Policy Objects' and 'MIB objects'. The DESCRIPTIONs in
3050           this MIB module attempt to avoid such confusion by the use
3051           of different adjectives and capitalization, even though such
3052           mechanisms are less effective when used in descriptors.

3054           Some types of Policy Objects contain multiple items of
3055           information, each of which is held in the same format
3056           within the Policy Object. In such cases, FC-SP uses the
3057           term 'Entry' to describe each instance of the common format.
3058           For example, FC-SP defines an Attribute Policy Object as
3059           containing one or more 'Attribute Entries'. Again, this MIB
3060           module attempts to avoid confusion by the use of adjectives
3061           and capitalization to distinguish an Entry within a Policy
3062           Object from an entry within a MIB table.

3064           A Fabric's database of Policy Objects consists of a set of
3065           active Objects which are to be enforced by that Fabric, as
3066           well as non-active Objects which are not enforced.
3067           Operations defined (in FC-SP) for Policy Management are:

3069           - Add/Get/Remove operations on individual non-active
3070             Policy Objects,
3071           - Activate/Deactivate operations on a Policy Summary
3072             Object, and
3073           - Get operations on the active Policy Summary Object
3074             and/or on individual active Policy Objects.

3076           This MIB module has five parts:

3078           1) Active Policy Objects - read-only MIB objects
3079              representing the set of active Policy Objects for
3080              each Fabric,

3082           2) Activate/Deactivate Operations
3083              - a read-write MIB object to invoke an Activate
3084                operation of the policies specified via a non-active
3085                Policy Summary Object, and
3086              - a read-write MIB object to invoke a Deactivate
3087                operation.
3089           3) Non-active Policy Objects
3090              - read-create MIB objects to allow the creation of
3091                non-active Policy Summary Objects (which reference
3092                non-active Policy Objects), and
3093              - read-create MIB objects representing non-active
3094                Policy Objects.

3096           4) Statistics

3098           5) Control information and Notifications

3100           Copyright (C) The IETF Trust (2007). This version
3101           of this MIB module is part of RFC yyyy; see the RFC
3102           itself for full legal notices."
3103  -- RFC Editor: replace yyyy with actual RFC number & remove this note
3104      REVISION "200702190000Z"
3105      DESCRIPTION
3106          "Initial version of this MIB module, published as RFCyyyy."
3107  -- RFC-Editor, replace yyyy with actual RFC number & remove this note
3108      ::= { mib-2 nnn } -- to be assigned by IANA
3109  -- RFC Editor: replace nnn with IANA-assigned number & remove this note

3111  t11FcSpPoMIBObjects OBJECT IDENTIFIER ::= { t11FcSpPolicyMIB 1 }
3112  t11FcSpPoMIBConformance OBJECT IDENTIFIER ::= { t11FcSpPolicyMIB 2 }
3113  t11FcSpPoMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpPolicyMIB 0 }
3114  t11FcSpPoActive OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 1 }
3115  t11FcSpPoOperations OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 2 }
3116  t11FcSpPoNonActive OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 3 }
3117  t11FcSpPoStatistics OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 4 }
3118  t11FcSpPoControl OBJECT IDENTIFIER ::= { t11FcSpPoMIBObjects 5 }
3119  --
3120  -- Part 1 - Active Policy Objects
3121  --

3123  t11FcSpPoTable OBJECT-TYPE
3124      SYNTAX SEQUENCE OF T11FcSpPoEntry
3125      MAX-ACCESS not-accessible
3126      STATUS current
3127      DESCRIPTION
3128          "A table containing top-level information about active
3129           FC-SP policies on various Fabrics."
3130      ::= { t11FcSpPoActive 1 }

3132  t11FcSpPoEntry OBJECT-TYPE
3133      SYNTAX T11FcSpPoEntry
3134      MAX-ACCESS not-accessible
3135      STATUS current
3136      DESCRIPTION
3137          "Each entry contains information about active FC-SP policies
3138           for a particular Fabric, managed as part of the Fibre
3139           Channel management instance identified by fcmInstanceIndex."
3140      INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex }
3141      ::= { t11FcSpPoTable 1 }

3143  T11FcSpPoEntry ::= SEQUENCE {
3144      t11FcSpPoFabricIndex T11FabricIndex,
3145      t11FcSpPoPolicySummaryObjName T11FcSpAlphaNumName,
3146      t11FcSpPoAdminFabricName FcNameIdOrZero,
3147      t11FcSpPoActivatedTimeStamp TimeStamp
3148  }

3150  t11FcSpPoFabricIndex OBJECT-TYPE
3151      SYNTAX T11FabricIndex
3152      MAX-ACCESS not-accessible
3153      STATUS current
3154      DESCRIPTION
3155          "An index value which uniquely identifies a particular
3156           Fabric."
3157      ::= { t11FcSpPoEntry 1 }

3159  t11FcSpPoPolicySummaryObjName OBJECT-TYPE
3160      SYNTAX T11FcSpAlphaNumName
3161      MAX-ACCESS read-only
3162      STATUS current
3163      DESCRIPTION
3164          "The name of this Fabric's (active) Policy Summary Object."
3165      REFERENCE
3166          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3167           Fibre Channel - Security Protocols (FC-SP),
3168           13 June 2006, section 7.1.3 and table 104."
3169      ::= { t11FcSpPoEntry 2 }

3171  t11FcSpPoAdminFabricName OBJECT-TYPE
3172      SYNTAX FcNameIdOrZero (SIZE (8))
3173      MAX-ACCESS read-only
3174      STATUS current
3175      DESCRIPTION
3176          "The administratively-specified name for this Fabric, as
3177           specified in the active Switch Membership List Object.
3178           This value is meaningful only when Static Domain_IDs are
3179           in use in a Fabric (see FC-SW-4). Static Domain_IDs are
3180           administratively enabled by a setting of the Switch Flags
3181           in each Switch Entry in the Switch Membership List Object.
3182           If Static Domain_IDs are not in use, this value might be
3183           '0000000000000000'h.
3185           The t11FamEnable, t11FamFabricName and
3186           t11FamConfigDomainIdType objects defined in the
3187           T11-FC-FABRIC-ADDR-MGR-MIB module are also concerned with
3188           the use of an administratively-specified name for a Fabric
3189           and Static Domain_IDs. When FC-SP Policy is in use in a
3190           Fabric, the values of t11FamEnable, t11FamFabricName and
3191           t11FamConfigDomainIdType must be read-only and reflect the
3192           active Policy Objects. For example, the value of
3193           t11FamFabricName must reflect the value of
3194           t11FcSpPoAdminFabricName."
3195      REFERENCE
3196          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3197             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
3198             section 7.1.4.1 and table 108.
3199           - Fibre Channel - Switch Fabric-4 (FC-SW-4),
3200             ANSI INCITS 418-2006, April 2006, section 7.1.
3201           - Fibre Channel Fabric Address Manager MIB, RFC 4439,
3202             March 2006."
3203      ::= { t11FcSpPoEntry 3 }

3205  t11FcSpPoActivatedTimeStamp OBJECT-TYPE
3206      SYNTAX TimeStamp
3207      MAX-ACCESS read-only
3208      STATUS current
3209      DESCRIPTION
3210          "The value of sysUpTime at which this Fabric's Policy
3211           Summary Object was last activated, or zero if the same
3212           Policy Summary Object has been active since the last
3213           restart of the management system."
3214      ::= { t11FcSpPoEntry 4 }

3216  --
3217  -- The table of Policy Summary Objects
3218  --

3220  t11FcSpPoSummaryTable OBJECT-TYPE
3221      SYNTAX SEQUENCE OF T11FcSpPoSummaryEntry
3222      MAX-ACCESS not-accessible
3223      STATUS current
3224      DESCRIPTION
3225          "A table of information about active Policy Objects listed
3226           within FC-SP Policy Summary Objects."
3227      ::= { t11FcSpPoActive 2 }

3229  t11FcSpPoSummaryEntry OBJECT-TYPE
3230      SYNTAX T11FcSpPoSummaryEntry
3231      MAX-ACCESS not-accessible
3232      STATUS current
3233      DESCRIPTION
3234          "Each entry contains information about one of the active
3235           Policy Objects listed within the Policy Summary Object for
3236           the Fabric identified by t11FcSpPoFabricIndex and managed
3237           within the Fibre Channel management instance identified by
3238           fcmInstanceIndex.

3240           How many Policy Objects of a given type can be active at
3241           any one time for a given Fabric depends on the type, as
3242           specified in FC-SP. For some types, it is one per Fabric;
3243           for other types, more than one can be active per Fabric.
3244           In both of these cases, the absence of any entries in this
3245           table for a particular type is equivalent to there being one
3246           Policy Object of that type which is empty, e.g., a Switch
3247           Membership List Object which identifies zero Switches."
3248      REFERENCE
3249          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3250           Fibre Channel - Security Protocols (FC-SP),
3251           13 June 2006, section 7.1.3 and table 104."
3252      INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex,
3253              t11FcSpPoSummaryPolicyNameType,
3254              t11FcSpPoSummaryPolicyName }
3255      ::= { t11FcSpPoSummaryTable 1 }

3257  T11FcSpPoSummaryEntry ::= SEQUENCE {
3258      t11FcSpPoSummaryPolicyNameType T11FcSpPolicyNameType,
3259      t11FcSpPoSummaryPolicyName T11FcSpPolicyName,
3260      t11FcSpPoSummaryPolicyType T11FcSpPolicyObjectType,
3261      t11FcSpPoSummaryHashFormat T11FcSpPolicyHashFormat,
3262      t11FcSpPoSummaryHashValue T11FcSpPolicyHashValue
3263  }

3265  t11FcSpPoSummaryPolicyNameType OBJECT-TYPE
3266      SYNTAX T11FcSpPolicyNameType {
3267          nodeName(1),
3268          alphaNumericName(7)
3269      }
3270      MAX-ACCESS not-accessible
3271      STATUS current
3272      DESCRIPTION
3273          "The combination of t11FcSpPoSummaryPolicyNameType and
3274           t11FcSpPoSummaryPolicyName specifies the name of the Policy
3275           Object contained in the Policy Summary Object.
3277             The type of name is 'nodeName' if the value of the
3278             corresponding instance of t11FcSpPoSummaryPolicyType is
3279             'switchConnectivity', or 'alphaNumericName' otherwise."
3280      ::= { t11FcSpPoSummaryEntry 1 }

3282  t11FcSpPoSummaryPolicyName OBJECT-TYPE
3283      SYNTAX       T11FcSpPolicyName
3284      MAX-ACCESS   not-accessible
3285      STATUS       current
3286      DESCRIPTION
3287             "The combination of t11FcSpPoSummaryPolicyNameType and
3288             t11FcSpPoSummaryPolicyName specify the name of the Policy
3289             Object contained in the Policy Summary Object."
3290      ::= { t11FcSpPoSummaryEntry 2 }

3292  t11FcSpPoSummaryPolicyType OBJECT-TYPE
3293      SYNTAX       T11FcSpPolicyObjectType
3294      MAX-ACCESS   read-only
3295      STATUS       current
3296      DESCRIPTION
3297             "The 'Identifier' which specifies the type of this
3298             Policy Object."

3300      REFERENCE
3301             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3302             Fibre Channel - Security Protocols (FC-SP),
3303             13 June 2006, section 7.1.3.1 and table 104."
3304      ::= { t11FcSpPoSummaryEntry 3 }

3306  t11FcSpPoSummaryHashFormat OBJECT-TYPE
3307      SYNTAX       T11FcSpPolicyHashFormat
3308      MAX-ACCESS   read-only
3309      STATUS       current
3310      DESCRIPTION
3311             "The format of this Policy Object's hash value as
3312             contained in the corresponding instance of the
3313             t11FcSpPoSummaryHashValue object."
3314      ::= { t11FcSpPoSummaryEntry 4 }

3316  t11FcSpPoSummaryHashValue OBJECT-TYPE
3317      SYNTAX       T11FcSpPolicyHashValue
3318      MAX-ACCESS   read-only
3319      STATUS       current
3320      DESCRIPTION
3321             "The hash value of this Policy Object, in the format
3322             identified by the corresponding instance of the
3323             t11FcSpPoSummaryHashFormat object."
3324      ::= { t11FcSpPoSummaryEntry 5 }

3326  --
3327  -- Switch Entries in Active Switch Membership List Objects
3328  --

3330  t11FcSpPoSwMembTable OBJECT-TYPE
3331      SYNTAX       SEQUENCE OF T11FcSpPoSwMembEntry
3332      MAX-ACCESS   not-accessible
3333      STATUS       current
3334      DESCRIPTION
3335             "A table of Switch Entries in active Switch Membership List
3336             Objects.

3338             One Switch Membership List Object is represented by all
3339             of the rows of this table which have the same values
3340             of fcmInstanceIndex and t11FcSpPoFabricIndex."
3341      REFERENCE
3342             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3343             Fibre Channel - Security Protocols (FC-SP),
3344             13 June 2006, section 7.1.4.1 and table 110."
3345      ::= { t11FcSpPoActive 3 }

3347  t11FcSpPoSwMembEntry OBJECT-TYPE
3348      SYNTAX       T11FcSpPoSwMembEntry
3349      MAX-ACCESS   not-accessible
3350      STATUS       current
3351      DESCRIPTION
3352             "Each entry contains information about one Switch Entry
3353             within the active Switch Membership List Object for the
3354             Fabric identified by t11FcSpPoFabricIndex and managed
3355             within the Fibre Channel management instance identified
3356             by fcmInstanceIndex."
3357      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
3358               t11FcSpPoSwMembSwitchNameType, t11FcSpPoSwMembSwitchName }
3359      ::= { t11FcSpPoSwMembTable 1 }

3361  T11FcSpPoSwMembEntry ::= SEQUENCE {
3362      t11FcSpPoSwMembSwitchNameType  T11FcSpPolicyNameType,
3363      t11FcSpPoSwMembSwitchName      FcNameIdOrZero,
3364      t11FcSpPoSwMembSwitchFlags     BITS,
3365      t11FcSpPoSwMembDomainID        FcDomainIdOrZero,
3366      t11FcSpPoSwMembPolicyDataRole  INTEGER,
3367      t11FcSpPoSwMembAuthBehaviour   BITS,
3368      t11FcSpPoSwMembAttribute       T11FcSpAlphaNumNameOrNull
3369  }
3370  t11FcSpPoSwMembSwitchNameType OBJECT-TYPE
3371      SYNTAX       T11FcSpPolicyNameType {
3372                       nodeName(1),
3373                       restrictedNodeName(2),
3374                       wildcard(5),
3375                       restrictedWildcard(6)
3376                   }
3377      MAX-ACCESS   not-accessible
3378      STATUS       current
3379      DESCRIPTION
3380             "If the value of this object is 'nodeName' or
3381             'restrictedNodeName', then the combination of
3382             this object and t11FcSpPoSwMembSwitchName specify the
3383             Switch Name of this Switch Entry.

3385             The membership is restricted or unrestricted based on the
3386             name type. Restricted membership means that the Switch is
3387             not allowed to be part of the Fabric unless allowed by a
3388             specific Switch Connectivity Object. Unrestricted
3389             membership means that the Switch is allowed to be part of
3390             the Fabric unless disallowed by a specific Switch
3391             Connectivity Object.

3393             The values of 'wildcard' and 'restrictedWildcard' provide
3394             the means to specify whether to allow/deny membership for
3395             Switches not explicitly named in the Switch Membership
3396             List Object."
3397      REFERENCE
3398             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3399             Fibre Channel - Security Protocols (FC-SP),
3400             13 June 2006, section 7.1.4.1 and table 110."
3401      ::= { t11FcSpPoSwMembEntry 1 }

3403  t11FcSpPoSwMembSwitchName OBJECT-TYPE
3404      SYNTAX       FcNameIdOrZero (SIZE (8))
3405      MAX-ACCESS   not-accessible
3406      STATUS       current
3407      DESCRIPTION
3408             "When the value of t11FcSpPoSwMembSwitchNameType is
3409             'wildcard' or 'restrictedWildcard', this object has the
3410             value '0000000000000000'h.

3412             Otherwise, the combination of t11FcSpPoSwMembSwitchNameType
3413             and this object specify the Switch Name of this Switch
3414             Entry."

3416      REFERENCE
3417             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3418             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
3419             section 7.1.4.1 and table 110."
3420      ::= { t11FcSpPoSwMembEntry 2 }

3422  t11FcSpPoSwMembSwitchFlags OBJECT-TYPE
3423      SYNTAX       BITS {
3424                       staticDomainID(0),
3425                       insistentDomainID(1),
3426                       serialPortsAccess(2),
3427                       physicalPortsAccess(3),
3428                       managerRole(4)
3429                   }
3430      MAX-ACCESS   read-only
3431      STATUS       current
3432      DESCRIPTION
3433             "Configurable options in respect to the administration
3434             of Policy Objects at this Switch:

3436             'staticDomainID' - if this bit is set, the Switch
3437             uses the 'Static Domain_IDs behavior' (as defined in
3438             FC-SW-4). This bit needs to have the same setting for all
3439             Switches in a Fabric's Switch Membership List Object, or
3440             else the Fabric will partition. If this bit is set, the
3441             Domain_ID for the Switch is given by the corresponding
3442             instance of t11FcSpPoSwMembDomainID.

3444             'insistentDomainID' - if this bit is set, the
3445             Switch uses the 'Insistent Domain_ID behavior' (see
3446             t11FamConfigDomainId of T11-FC-FABRIC-ADDR-MGR-MIB), the
3447             Domain_ID for the Switch is given by the corresponding
3448             instance of t11FcSpPoSwMembDomainID.

3450             'serialPortsAccess' - the Switch allows management
3451             through serial ports when and only when this bit is set.

3453             'physicalPortsAccess' - the Switch allows management
3454             through the physical panel when and only when this bit
3455             is set.

3457             'managerRole' - the Switch is allowed to change
3458             the Fabric Policy configuration (on receipt of any of the
3459             EACA, ESFC, EUFC, ACA, SFC, or UFC SW_ILSs) if and only if
3460             this bit is set.

3462             Whenever a Fabric has Active Policy Objects, the value of
3463             the t11FamConfigDomainIdType object defined in the
3464             T11-FC-FABRIC-ADDR-MGR-MIB module must be read-only and
3465             reflect the values of the 'staticDomainID' and
3466             'insistentDomainID' bits of this object."
3467      REFERENCE
3468             "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3469                Fibre Channel - Security Protocols (FC-SP),
3470                13 June 2006, section 7.1.4.1 and table 112.
3471              - Fibre Channel - Switch Fabric-4 (FC-SW-4),
3472                ANSI INCITS 418-2006, April 2006, section 7.1.
3473              - t11FamConfigDomainIdType, T11-FC-FABRIC-ADDR-MGR-MIB,
3474                Fibre Channel Fabric Address Manager MIB, RFC 4439."
3475      ::= { t11FcSpPoSwMembEntry 3 }

3477  t11FcSpPoSwMembDomainID OBJECT-TYPE
3478      SYNTAX       FcDomainIdOrZero
3479      MAX-ACCESS   read-only
3480      STATUS       current
3481      DESCRIPTION
3482             "The specified Domain_ID value when either of the
3483             'staticDomainID' or 'insistentDomainID' bits are set in
3484             the corresponding instance of t11FcSpPoSwMembSwitchFlags.

3486             Whenever a Fabric has Active Policy Objects, the value
3487             of the t11FamConfigDomainId object defined in the
3488             T11-FC-FABRIC-ADDR-MGR-MIB module must be read-only and
3489             reflect the value of this object."
3490      REFERENCE
3491             " - INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3492                 Fibre Channel - Security Protocols (FC-SP),
3493                 13 June 2006, section 7.1.4.1 and tables 111 and 112.
3494               - t11FamConfigDomainId, T11-FC-FABRIC-ADDR-MGR-MIB,
3495                 Fibre Channel Fabric Address Manager MIB, RFC 4439."
3496      ::= { t11FcSpPoSwMembEntry 4 }

3498  t11FcSpPoSwMembPolicyDataRole OBJECT-TYPE
3499      SYNTAX       INTEGER {
3500                       client(1),
3501                       autonomous(2),
3502                       server(3)
3503                   }
3504      MAX-ACCESS   read-only
3505      STATUS       current
3506      DESCRIPTION
3507             "The role of the Switch in terms of which Policy data
3508             it retains/maintains:

3510             'client' - the Switch operates as a Client Switch.
3511             A Client Switch maintains its own Switch Connectivity
3512             Object and all Fabric-wide List Objects. If FC-SP
3513             Zoning is used, a Client Switch maintains only the
3514             subset of the Active Zone Set that it requires to
3515             enforce the current Fabric Zoning configuration.

3517             'autonomous' - the Switch operates as an Autonomous
3518             Switch. An Autonomous Switch maintains its own Switch
3519             Connectivity Object and all Fabric-wide List Objects.
3520             This is the same as 'client' except that if FC-SP Zoning
3521             is used, an Autonomous Switch maintains a complete copy
3522             of the Fabric Zoning Database.

3524             'server' - the Switch operates as a Server Switch.
3525             A Server Switch maintains all Fabric-wide List Objects
3526             and the Switch Connectivity Objects of each Switch in
3527             the Fabric. If FC-SP Zoning is used, a Server Switch
3528             maintains a complete copy of the Fabric Zoning Database."
3529      REFERENCE
3530             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3531             Fibre Channel - Security Protocols (FC-SP),
3532             13 June 2006, section 7.1.4.1 and table 113."
3533      ::= { t11FcSpPoSwMembEntry 5 }

3535  t11FcSpPoSwMembAuthBehaviour OBJECT-TYPE
3536      SYNTAX       BITS {
3537                       mustAuthenticate(0),
3538                       rejectIsFailure(1)
3539                   }
3540      MAX-ACCESS   read-only
3541      STATUS       current
3542      DESCRIPTION
3543             "The authentication behaviour of the Switch:

3545             'mustAuthenticate' - if this bit is set, all connections
3546             between this Switch and neighbour Switches must be
3547             authenticated.

3549             'rejectIsFailure' - if this bit is set, the rejection of
3550             an AUTH_Negotiate message must be considered as an
3551             authentication failure by this Switch."

3553      REFERENCE
3554             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3555             Fibre Channel - Security Protocols (FC-SP),
3556             13 June 2006, section 7.1.4.1 and table 114."
3557      ::= { t11FcSpPoSwMembEntry 6 }

3559  t11FcSpPoSwMembAttribute OBJECT-TYPE
3560      SYNTAX       T11FcSpAlphaNumNameOrNull
3561      MAX-ACCESS   read-only
3562      STATUS       current
3563      DESCRIPTION
3564             "The name of an active Attribute Policy Object which is
3565             defined for this Switch, or the zero-length string. The
3566             zero-length string indicates that no Attribute Policy
3567             Object is defined for this Switch."
3568      REFERENCE
3569             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3570             Fibre Channel - Security Protocols (FC-SP),
3571             13 June 2006, section 7.1.4.1 and table 110."
3572      ::= { t11FcSpPoSwMembEntry 7 }

3574  --
3575  -- Node Entries in Active Node Membership List Objects
3576  --

3578  t11FcSpPoNoMembTable OBJECT-TYPE
3579      SYNTAX       SEQUENCE OF T11FcSpPoNoMembEntry
3580      MAX-ACCESS   not-accessible
3581      STATUS       current
3582      DESCRIPTION
3583             "A table of Node Entries in active Node Membership List
3584             Objects.

3586             One Node Membership List Object is represented by all
3587             of the rows of this table which have the same values
3588             of fcmInstanceIndex and t11FcSpPoFabricIndex."
3589      ::= { t11FcSpPoActive 4 }

3591  t11FcSpPoNoMembEntry OBJECT-TYPE
3592      SYNTAX       T11FcSpPoNoMembEntry
3593      MAX-ACCESS   not-accessible
3594      STATUS       current
3595      DESCRIPTION
3596             "Each entry contains information about one Node Entry
3597             within the active Node Membership List Object for the
3598             Fabric identified by t11FcSpPoFabricIndex and managed
3599             within the Fibre Channel management instance identified
3600             by fcmInstanceIndex."
3601      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
3602               t11FcSpPoNoMembNodeNameType, t11FcSpPoNoMembNodeName }
3603      ::= { t11FcSpPoNoMembTable 1 }

3605  T11FcSpPoNoMembEntry ::= SEQUENCE {
3606      t11FcSpPoNoMembNodeNameType   T11FcSpPolicyNameType,
3607      t11FcSpPoNoMembNodeName       FcNameIdOrZero,
3608      t11FcSpPoNoMembFlags          BITS,
3609      t11FcSpPoNoMembCtAccessIndex  Unsigned32,
3610      t11FcSpPoNoMembAttribute      T11FcSpAlphaNumNameOrNull
3611  }

3613  t11FcSpPoNoMembNodeNameType OBJECT-TYPE
3614      SYNTAX       T11FcSpPolicyNameType {
3615                       nodeName(1),
3616                       restrictedNodeName(2),
3617                       portName(3),
3618                       restrictedPortName(4),
3619                       wildcard(5),
3620                       restrictedWildcard(6)
3621                   }
3622      MAX-ACCESS   not-accessible
3623      STATUS       current
3624      DESCRIPTION
3625             "If the value of this object is 'wildcard' or
3626             'restrictedWildcard', this Node Entry applies to Nodes not
3627             explicitly named in the Node Membership List Object.

3629             Otherwise, the combination of this object and
3630             t11FcSpPoNoMembNodeName specify the name of this Node Entry
3631             in the active Node Membership List Object. A Node is
3632             identified by its Node Name or by one or more of its Port
3633             Names.

3635             Restricted membership means that a Node is not allowed to be
3636             connected to the Fabric unless allowed by a specific Switch
3637             Connectivity Object. Unrestricted membership means that a
3638             Node is allowed to be connected to the Fabric unless
3639             disallowed by a specific Switch Connectivity Object."
3640      REFERENCE
3641             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3642             Fibre Channel - Security Protocols (FC-SP),
3643             13 June 2006, section 7.1.4.1 and table 116."
3644      ::= { t11FcSpPoNoMembEntry 1 }

3646  t11FcSpPoNoMembNodeName OBJECT-TYPE
3647      SYNTAX       FcNameIdOrZero (SIZE (8))
3648      MAX-ACCESS   not-accessible
3649      STATUS       current
3650      DESCRIPTION
3651             "If the value of t11FcSpPoNoMembNodeNameType is
3652             'wildcard' or 'restrictedWildcard', this object has the
3653             value '0000000000000000'h.

3655             Otherwise, the combination of t11FcSpPoNoMembNodeNameType
3656             and this object specify the name of this Node Entry in the
3657             active Node Membership List Object."
3658      REFERENCE
3659             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3660             Fibre Channel - Security Protocols (FC-SP),
3661             13 June 2006, section 7.1.4.1 and table 116."
3662      ::= { t11FcSpPoNoMembEntry 2 }

3664  t11FcSpPoNoMembFlags OBJECT-TYPE
3665      SYNTAX       BITS {
3666                       scsiEnclosureAccess(0),
3667                       authenticationRequired(1)
3668                   }
3669      MAX-ACCESS   read-only
3670      STATUS       current
3671      DESCRIPTION
3672             "Configurable options in respect to the administration
3673             of Policy Objects at this Node:

3675             'scsiEnclosureAccess' - the Node is allowed to
3676             control any Switch through SCSI Enclosure Services if this
3677             bit is set. If a Switch does not support SCSI Enclosure
3678             Services, this bit is ignored.

3680             'authenticationRequired' - the Node is required to
3681             authenticate itself to any Switch to which it is connected
3682             if and only if this bit is set."
3683      REFERENCE
3684             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3685             Fibre Channel - Security Protocols (FC-SP),
3686             13 June 2006, section 7.1.4.1 and table 118."

3688      ::= { t11FcSpPoNoMembEntry 3 }

3690  t11FcSpPoNoMembCtAccessIndex OBJECT-TYPE
3691      SYNTAX       Unsigned32 (0..4294967295)
3692      MAX-ACCESS   read-only
3693      STATUS       current
3694      DESCRIPTION
3695             "If the value of this object is zero, then access by this
3696             Node to Generic Services is not limited by a Common
3697             Transport Access Specifier.

3699             Otherwise, the limits are specified by the set of Common
3700             Transport Access Descriptors contained in those rows of
3701             the t11FcSpPoCtDescrTable for the same Fabric and for which
3702             the value of t11FcSpPoCtDescrSpecifierIndex is the same as
3703             the value of this object."
3704      REFERENCE
3705             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3706             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
3707             section 7.1.4.1 and tables 118/119/120/121."
3708      ::= { t11FcSpPoNoMembEntry 4 }

3710  t11FcSpPoNoMembAttribute OBJECT-TYPE
3711      SYNTAX       T11FcSpAlphaNumNameOrNull
3712      MAX-ACCESS   read-only
3713      STATUS       current
3714      DESCRIPTION
3715             "The name of an active Attribute Policy Object which is
3716             defined for this Node, or the zero-length string. The
3717             zero-length string indicates that no Attribute Policy
3718             Object is defined for this Node."
3719      REFERENCE
3720             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3721             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
3722             section 7.1.4.1 and table 116."
3723      ::= { t11FcSpPoNoMembEntry 5 }

3725  --
3726  --
3727  -- Common Transport Access Descriptors
3728  --

3730  t11FcSpPoCtDescrTable OBJECT-TYPE
3731      SYNTAX       SEQUENCE OF T11FcSpPoCtDescrEntry
3732      MAX-ACCESS   not-accessible
3733      STATUS       current
3734      DESCRIPTION
3735             "A table of Common Transport Access Descriptors being used
3736             within active Policy Objects.

3738             A Common Transport Access Specifier is a list of Common
3739             Transport Access Descriptors which specify whether a Node
3740             is allowed to access a Generic Service or Sub-Server.

3742             An active Common Transport Access Specifier is represented
3743             by all rows of this table which have the same values of
3744             fcmInstanceIndex, t11FcSpPoFabricIndex, and
3745             t11FcSpPoCtDescrSpecifierIndex."
3746      ::= { t11FcSpPoActive 5 }

3748  t11FcSpPoCtDescrEntry OBJECT-TYPE
3749      SYNTAX       T11FcSpPoCtDescrEntry
3750      MAX-ACCESS   not-accessible
3751      STATUS       current
3752      DESCRIPTION
3753             "Each entry contains information about one Common
3754             Transport Access Descriptor of an active Common Transport
3755             Access Specifier used within the Fabric identified by
3756             t11FcSpPoFabricIndex and managed within the Fibre Channel
3757             management instance identified by fcmInstanceIndex."
3758      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
3759               t11FcSpPoCtDescrSpecifierIndex, t11FcSpPoCtDescrIndex }
3760      ::= { t11FcSpPoCtDescrTable 1 }

3762  T11FcSpPoCtDescrEntry ::= SEQUENCE {
3763      t11FcSpPoCtDescrSpecifierIndex  Unsigned32,
3764      t11FcSpPoCtDescrIndex           Unsigned32,
3765      t11FcSpPoCtDescrFlags           BITS,
3766      t11FcSpPoCtDescrGsType          OCTET STRING,
3767      t11FcSpPoCtDescrGsSubType       OCTET STRING
3768  }

3770  t11FcSpPoCtDescrSpecifierIndex OBJECT-TYPE
3771      SYNTAX       Unsigned32 (1..4294967295)
3772      MAX-ACCESS   not-accessible
3773      STATUS       current
3774      DESCRIPTION
3775             "An index value which uniquely identifies a particular
3776             Common Transport Access Specifier within a Fabric."
3777      ::= { t11FcSpPoCtDescrEntry 1 }

3779  t11FcSpPoCtDescrIndex OBJECT-TYPE
3780      SYNTAX       Unsigned32 (1..4294967295)
3781      MAX-ACCESS   not-accessible
3782      STATUS       current
3783      DESCRIPTION
3784             "An index value which uniquely identifies a particular
3785             Common Transport Access Descriptor within a Common Transport
3786             Access Specifier."
3787      ::= { t11FcSpPoCtDescrEntry 2 }

3789  t11FcSpPoCtDescrFlags OBJECT-TYPE
3790      SYNTAX       BITS {
3791                       allow(0),
3792                       gsTypeWildcard(1),
3793                       gsSubTypeWildcard(2),
3794                       readOnly(3)
3795                   }
3796      MAX-ACCESS   read-only
3797      STATUS       current
3798      DESCRIPTION
3799             "The flag bits which specify how access is to be limited by
3800             this Common Transport Access Descriptor:

3802              - allow -- access to the specified Generic Service and
3803                Server is allowed if this bit is set, and to be denied if
3804                this bit is not set.

3806              - gsTypeWildcard -- if this bit is set, the Generic Service
3807                to be allowed/denied is specified by the value of
3808                t11FcSpPoCtDescrGsType. If this bit is set, then the
3809                gsSubTypeWildcard bit must not be set.

3811              - gsSubTypeWildcard -- if this bit is set, the Generic
3812                Service to be allowed/denied is specified by the value of
3813                t11FcSpPoCtDescrGsSubType. If this bit is set, then the
3814                gsTypeWildcard bit must not be set.

3816              - readOnly -- if this bit is set then access is to be
3817                granted only for reading."
3818      ::= { t11FcSpPoCtDescrEntry 3 }

3820  t11FcSpPoCtDescrGsType OBJECT-TYPE
3821      SYNTAX       OCTET STRING (SIZE (1))
3822      MAX-ACCESS   read-only
3823      STATUS       current
3824      DESCRIPTION
3825             "The GS_Type of the Generic Service (e.g., the FC-GS-5
3826             Management Service) which is subject to access control.
3827             This value is ignored if the gsTypeWildcard bit is not set
3828             in the corresponding value of t11FcSpPoCtDescrFlags."
3829      REFERENCE
3830             "Fibre Channel - Generic Services-5 (FC-GS-5),
3831             ANSI INCITS 427-2006, section 4.3.2.4."
3832      ::= { t11FcSpPoCtDescrEntry 4 }

3834  t11FcSpPoCtDescrGsSubType OBJECT-TYPE
3835      SYNTAX       OCTET STRING (SIZE (1))
3836      MAX-ACCESS   read-only
3837      STATUS       current
3838      DESCRIPTION
3839             "The GS_Subtype of the Generic Server (e.g., the Fabric Zone
3840             Server) which is subject to access control. This value is
3841             ignored if the gsSubTypeWildcard bit is not set in the
3842             corresponding value of t11FcSpPoCtDescrFlags."
3843      REFERENCE
3844             "Fibre Channel - Generic Services-5 (FC-GS-5),
3845             ANSI INCITS 427-2006, section 4.3.2.5."
3846      ::= { t11FcSpPoCtDescrEntry 5 }

3848  --
3849  --
3850  -- Switches/Nodes in Active Switch Connectivity Objects
3851  --

3853  t11FcSpPoSwConnTable OBJECT-TYPE
3854      SYNTAX       SEQUENCE OF T11FcSpPoSwConnEntry
3855      MAX-ACCESS   not-accessible
3856      STATUS       current
3857      DESCRIPTION
3858             "A table of active Switch Connectivity Objects.

3860             A Switch Connectivity Object defines to which other
3861             Switches or Nodes a particular Switch may/may not be
3862             connected at the Node level and/or at the Port level."
3863      REFERENCE
3864             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3865             Fibre Channel - Security Protocols (FC-SP),
3866             13 June 2006, section 7.1.6.1, tables 123/124."
3867      ::= { t11FcSpPoActive 6 }

3869  t11FcSpPoSwConnEntry OBJECT-TYPE
3870      SYNTAX       T11FcSpPoSwConnEntry
3871      MAX-ACCESS   not-accessible
3872      STATUS       current
3873      DESCRIPTION
3874             "Each entry contains the name of either a Switch or a Node
3875             with which any port of a particular Switch, or a particular
3876             port of that Switch, is allowed or not allowed to be
3877             connected.

3879             The particular Switch is on the Fabric identified by
3880             t11FcSpPoFabricIndex and managed within the Fibre Channel
3881             management instance identified by fcmInstanceIndex."
3882      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
3883               t11FcSpPoSwConnSwitchName, t11FcSpPoSwConnAllowedType,
3884               t11FcSpPoSwConnPortNameOrAll,
3885               t11FcSpPoSwConnAllowedIndex }
3886      ::= { t11FcSpPoSwConnTable 1 }

3888  T11FcSpPoSwConnEntry ::= SEQUENCE {
3889      t11FcSpPoSwConnSwitchName       FcNameIdOrZero,
3890      t11FcSpPoSwConnAllowedType      INTEGER,
3891      t11FcSpPoSwConnPortNameOrAll    FcNameIdOrZero,
3892      t11FcSpPoSwConnAllowedIndex     Unsigned32,
3893      t11FcSpPoSwConnAllowedNameType  T11FcSpPolicyNameType,
3894      t11FcSpPoSwConnAllowedName      T11FcSpPolicyName
3895  }

3897  t11FcSpPoSwConnSwitchName OBJECT-TYPE
3898      SYNTAX       FcNameIdOrZero (SIZE (8))
3899      MAX-ACCESS   not-accessible
3900      STATUS       current
3901      DESCRIPTION
3902             "The name of the particular Switch for which this Switch
3903             Connectivity Object specifies topology restrictions."
3904      ::= { t11FcSpPoSwConnEntry 1 }

3906  t11FcSpPoSwConnAllowedType OBJECT-TYPE
3907      SYNTAX       INTEGER { switch(1), node(2) }
3908      MAX-ACCESS   not-accessible
3909      STATUS       current
3910      DESCRIPTION
3911             "This object specifies whether this row refers to
3912             Switch-to-Switch or Switch-to-Node connectivity, i.e.,
3913             whether the corresponding instance of
3914             t11FcSpPoSwConnAllowedName specifies the name of a Switch
3915             or the name of a Node."
3916      ::= { t11FcSpPoSwConnEntry 2 }

3918  t11FcSpPoSwConnPortNameOrAll OBJECT-TYPE
3919      SYNTAX       FcNameIdOrZero (SIZE(0 | 8))
3920      MAX-ACCESS   not-accessible
3921      STATUS       current
3922      DESCRIPTION
3923             "This object specifies either the particular port to which
3924             this topology restriction applies, or if the value is the
3925             zero-length string, that the topology restriction applies
3926             to all ports on the particular Switch.

3928             In the FC-SP Policy Database, restrictions for a particular
3929             port are formatted within a Port Connectivity Entry of a
3930             Switch Connectivity Object, whereas restrictions for all
3931             ports on the Switch are specified in the main part of a
3932             Switch Connectivity Object, i.e., not in a Port Connectivity
3933             Entry."
3934      REFERENCE
3935             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
3936             Fibre Channel - Security Protocols (FC-SP),
3937             13 June 2006, section 7.1.6.1, tables 123/124."
3938      ::= { t11FcSpPoSwConnEntry 3 }

3940  t11FcSpPoSwConnAllowedIndex OBJECT-TYPE
3941      SYNTAX       Unsigned32 (1..4294967295)
3942      MAX-ACCESS   not-accessible
3943      STATUS       current
3944      DESCRIPTION
3945             "When multiple rows in this table apply to the same
3946             port(s) in the same Switch's Switch Connectivity Object,
3947             this object provides a unique index value to distinguish
3948             between such rows."
3949      ::= { t11FcSpPoSwConnEntry 4 }

3951  t11FcSpPoSwConnAllowedNameType OBJECT-TYPE
3952      SYNTAX       T11FcSpPolicyNameType {
3953                       nodeName(1),
3954                       restrictedNodeName(2),
3955                       portName(3),
3956                       restrictedPortName(4),
3957                       wildcard(5),
3958                       restrictedWildcard(6)
3959                   }
3960      MAX-ACCESS   read-only
3961      STATUS       current
3962      DESCRIPTION
3963             "If the value of this object is 'wildcard' or
3964             'restrictedWildcard', this row specifies whether
3965             connectivity is allowed/not allowed with entities not
3966             explicitly named by other rows.

3968             Otherwise, the combination of t11FcSpPoSwConnAllowedNameType
3969             and t11FcSpPoSwConnAllowedName specify the name of:

3971              - a Switch (if t11FcSpPoSwConnAllowedType = 'switch'), or
3972              - a Node (if t11FcSpPoSwConnAllowedType = 'node')

3974             to which connectivity is:

3976              - allowed by 'nodeName' and 'portName',
3977              - not allowed by 'restrictedNodeName' and
3978                'restrictedPortName'."
3979      ::= { t11FcSpPoSwConnEntry 5 }

3981  t11FcSpPoSwConnAllowedName OBJECT-TYPE
3982      SYNTAX       T11FcSpPolicyName
3983      MAX-ACCESS   read-only
3984      STATUS       current
3985      DESCRIPTION
3986             "If the value of t11FcSpPoSwConnAllowedNameType is
3987             'wildcard' or 'restrictedWildcard', this object has the
3988             value '0000000000000000'h.

3990             Otherwise, the combination of t11FcSpPoSwConnAllowedNameType
3991             and t11FcSpPoSwConnAllowedName specify the name of:

3993              - a Switch (if t11FcSpPoSwConnAllowedType = 'switch'), or
3994              - a Node (if t11FcSpPoSwConnAllowedType = 'node')

3996             to which connectivity is allowed/restricted."
3997      ::= { t11FcSpPoSwConnEntry 6 }

3999  --
4000  -- IP Management Entries in Active IP Management List Objects
4001  --

4003  t11FcSpPoIpMgmtTable OBJECT-TYPE
4004      SYNTAX       SEQUENCE OF T11FcSpPoIpMgmtEntry
4005      MAX-ACCESS   not-accessible
4006      STATUS       current
4007      DESCRIPTION
4008             "A table of IP Management Entries in active IP Management
4009             List Objects. An IP Management List Object is a
4010             Fabric-wide Policy Object that describes which IP hosts
4011             are allowed to manage a Fabric.

4013             One IP Management List Object is represented by all
4014             of the rows of this table which have the same values
4015             of fcmInstanceIndex and t11FcSpPoFabricIndex."
4016      REFERENCE
4017             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4018             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4019             section 7.1.7"
4020      ::= { t11FcSpPoActive 7 }

4022  t11FcSpPoIpMgmtEntry OBJECT-TYPE
4023      SYNTAX       T11FcSpPoIpMgmtEntry
4024      MAX-ACCESS   not-accessible
4025      STATUS       current
4026      DESCRIPTION
4027             "Each entry contains information about one IP Management
4028             Entry within the active IP Management List Object for the
4029             Fabric identified by t11FcSpPoFabricIndex and managed
4030             within the Fibre Channel management instance identified
4031             by fcmInstanceIndex.

4033             The Policy Object Name of an IP Management Entry Policy
4034             Object is either an IPv6 Address Range or an IPv4 Address
4035             Range, where in each case, the range is specified as two
4036             addresses: the low and high ends of the range. In
4037             particular, since the Policy Object Name in this situation
4038             can only be an IPv6 Address Range or an IPv4 Address Range,
4039             it is represented here by three MIB objects defined as a
4040             (InetAddressType, InetAddress, InetAddress) tuple, in which
4041             the first address is the low end of the range, the second
4042             address is the high end of the range, and both addresses are
4043             of the type designated by InetAddressType.

4045             In theory, the use of t11FcSpPoIpMgmtEntryNameLow and
4046             t11FcSpPoIpMgmtEntryNameHigh (which both have the syntax
4047             of InetAddress) in the INDEX could cause the need for
4048             excessively-long OIDs. In practice, this can't happen
4049             because FC-SP doesn't allow these objects to be specified
4050             as DNS names."
4051      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
4052               t11FcSpPoIpMgmtEntryNameType,
4053               t11FcSpPoIpMgmtEntryNameLow,
4054               t11FcSpPoIpMgmtEntryNameHigh }
4055      ::= { t11FcSpPoIpMgmtTable 1 }

4057  T11FcSpPoIpMgmtEntry ::= SEQUENCE {
4058      t11FcSpPoIpMgmtEntryNameType  InetAddressType,
4059      t11FcSpPoIpMgmtEntryNameLow   InetAddress,
4060      t11FcSpPoIpMgmtEntryNameHigh  InetAddress,
4061      t11FcSpPoIpMgmtWkpIndex       Unsigned32,
4062      t11FcSpPoIpMgmtAttribute      T11FcSpAlphaNumNameOrNull
4063  }

4065  t11FcSpPoIpMgmtEntryNameType OBJECT-TYPE
4066      SYNTAX       InetAddressType
4067      MAX-ACCESS   not-accessible
4068      STATUS       current
4069      DESCRIPTION
4070             "The combination of t11FcSpPoIpMgmtEntryNameType,
4071             t11FcSpPoIpMgmtEntryNameLow and t11FcSpPoIpMgmtEntryNameHigh
4072             specify the IP Address range of this IP Management
4073             Entry in the IP Management List Object.

4075             The FC-SP specification does not allow the use of a
4076             DNS domain name to specify the address at the lower end
4077             or at the higher end of the IP Address range, nor does it
4078             allow the specification of a zone index. Therefore, the
4079             type of address must be one of: 'ipv4', or 'ipv6'."
4080      REFERENCE
4081             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4082             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4083             sections 7.1.7.1 & 7.1.2, tables 103/126."
4084      ::= { t11FcSpPoIpMgmtEntry 1 }

4086  t11FcSpPoIpMgmtEntryNameLow OBJECT-TYPE
4087      SYNTAX       InetAddress (SIZE(4 | 16))
4088      MAX-ACCESS   not-accessible
4089      STATUS       current
4090      DESCRIPTION
4091             "The lower end of an Internet address range. The type
4092             of this address is given by the corresponding instance
4093             of t11FcSpPoIpMgmtEntryNameType.

4095             The combination of t11FcSpPoIpMgmtEntryNameType,
4096             t11FcSpPoIpMgmtEntryNameLow and t11FcSpPoIpMgmtEntryNameHigh
4097             specify the IP Address range of this IP Management
4098             Entry in the IP Management List Object."
4099      REFERENCE
4100             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4101             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4102             sections 7.1.7.1 & 7.1.2, tables 103/126."
4103      ::= { t11FcSpPoIpMgmtEntry 2 }

4105  t11FcSpPoIpMgmtEntryNameHigh OBJECT-TYPE
4106      SYNTAX       InetAddress (SIZE(4 | 16))
4107      MAX-ACCESS   not-accessible
4108      STATUS       current
4109      DESCRIPTION
4110             "The higher end of an Internet address range. The type
4111             of this address is given by the corresponding instance
4112             of t11FcSpPoIpMgmtEntryNameType.

4114             The combination of t11FcSpPoIpMgmtEntryNameType,
4115             t11FcSpPoIpMgmtEntryNameLow and t11FcSpPoIpMgmtEntryNameHigh
4116             specify the IP Address range of this IP Management
4117             Entry in the IP Management List Object."
4118      REFERENCE
4119             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4120             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4121             sections 7.1.7.1 & 7.1.2, tables 103/126."
4122      ::= { t11FcSpPoIpMgmtEntry 3 }

4124  t11FcSpPoIpMgmtWkpIndex OBJECT-TYPE
4125      SYNTAX       Unsigned32 (0..4294967295)
4126      MAX-ACCESS   read-only
4127      STATUS       current
4128      DESCRIPTION
4129             "This object identifies the restrictions for IP management
4130             access by IP hosts in this range of IP addresses, specified
4131             as the set of Well Known Protocols Access Descriptors
4132             contained in those rows of the t11FcSpPoWkpDescrTable for
4133             which the value of t11FcSpPoWkpDescrSpecifierIndex is the
4134             same as the value of this object. A value of zero indicates
4135             that this IP Management Entry does not identify a Well Known
4136             Protocols Access Specifier."
4137      REFERENCE
4138             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4139             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4140             section 7.1.7.1 and tables 127/129."
4141      ::= { t11FcSpPoIpMgmtEntry 4 }

4143  t11FcSpPoIpMgmtAttribute OBJECT-TYPE
4144      SYNTAX       T11FcSpAlphaNumNameOrNull
4145      MAX-ACCESS   read-only
4146      STATUS       current
4147      DESCRIPTION
4148             "The name of an active Attribute Policy Object which is
4149             defined for this IP Management entry, or the zero-length
4150             string. The zero-length string indicates that no Attribute
4151             Policy Object is defined for this IP Management entry."
4152      REFERENCE
4153             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4154             Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4155             section 7.1.7.1 and table 128."
4156      ::= { t11FcSpPoIpMgmtEntry 5 }

4158  --
4159  -- Well-Known Protocol Access Descriptors
4160  --

4162  t11FcSpPoWkpDescrTable OBJECT-TYPE
4163      SYNTAX       SEQUENCE OF T11FcSpPoWkpDescrEntry
4164      MAX-ACCESS   not-accessible
4165      STATUS       current
4166      DESCRIPTION
4167             "A table of the Well-Known Protocol Access Descriptors
4168             being used within active Policy Objects.


4170              A Well-Known Protocol Access Specifier is a list of
4171              Well-Known Protocol Access Descriptors each of which
4172              specifies a protocol number, a port number and/or various
4173              flags specifying how IP management access is restricted.

4175              A Well-Known Protocol Transport Access Specifier is
4176              represented by all rows of this table which have the
4177              same values of fcmInstanceIndex, t11FcSpPoFabricIndex,
4178              and t11FcSpPoWkpDescrSpecifierIndex."
4179      ::= { t11FcSpPoActive 8 }

4181  t11FcSpPoWkpDescrEntry OBJECT-TYPE
4182      SYNTAX       T11FcSpPoWkpDescrEntry
4183      MAX-ACCESS   not-accessible
4184      STATUS       current
4185      DESCRIPTION
4186             "Each entry contains information about one Well-Known
4187              Protocol Access Descriptor of a Well-Known Protocol
4188              Access Specifier used within the Fabric identified by
4189              t11FcSpPoFabricIndex and managed within the Fibre Channel
4190              management instance identified by fcmInstanceIndex."
4191      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
4192               t11FcSpPoWkpDescrSpecifierIndex, t11FcSpPoWkpDescrIndex }
4193      ::= { t11FcSpPoWkpDescrTable 1 }

4195  T11FcSpPoWkpDescrEntry ::= SEQUENCE {
4196      t11FcSpPoWkpDescrSpecifierIndex  Unsigned32,
4197      t11FcSpPoWkpDescrIndex           Unsigned32,
4198      t11FcSpPoWkpDescrFlags           BITS,
4199      t11FcSpPoWkpDescrWkpNumber       Unsigned32,
4200      t11FcSpPoWkpDescrDestPort        Unsigned32
4201  }
4202  t11FcSpPoWkpDescrSpecifierIndex OBJECT-TYPE
4203      SYNTAX       Unsigned32 (1..4294967295)
4204      MAX-ACCESS   not-accessible
4205      STATUS       current
4206      DESCRIPTION
4207             "An index value which uniquely identifies a particular
4208              Well-Known Protocol Access Specifier within a Fabric."
4209      ::= { t11FcSpPoWkpDescrEntry 1 }

4211  t11FcSpPoWkpDescrIndex OBJECT-TYPE
4212      SYNTAX       Unsigned32 (1..4294967295)
4213      MAX-ACCESS   not-accessible
4214      STATUS       current
4215      DESCRIPTION
4216             "An index value which uniquely identifies a particular
4217              Well-Known Protocol Access Descriptor within a Well-Known
4218              Protocol Access Specifier."
4219      ::= { t11FcSpPoWkpDescrEntry 2 }

4221  t11FcSpPoWkpDescrFlags OBJECT-TYPE
4222      SYNTAX       BITS {
4223                       allow(0),
4224                       wkpWildcard(1),
4225                       destPortWildcard(2),
4226                       readOnly(3)
4227                   }
4228      MAX-ACCESS   read-only
4229      STATUS       current
4230      DESCRIPTION
4231             "The flag bits which specify how access is to be limited by
4232              this Well-Known Protocol Access Descriptor:

4234              - allow -- IP management access using this protocol/port
4235                is allowed if this bit is set, and to be denied if this
4236                bit is not set.

4238              - wkpWildcard -- if this bit is set, the IP Protocol number
4239                of the Well-Known Protocol to be allowed/denied is
4240                specified by the value of t11FcSpPoWkpDescrWkpNumber.

4242              - destPortWildcard -- if this bit is set, the Destination
4243                (TCP/UDP) Port number of the Well-Known Protocol to be
4244                allowed/denied is specified by the value of
4245                t11FcSpPoWkpDescrDestPort.

4247              - readOnly -- if this bit is set then access is to be
4248                granted only for reading."
4249      REFERENCE
4250             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4251              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4252              section 7.1.7.1 and table 131."
4253      ::= { t11FcSpPoWkpDescrEntry 3 }

4255  t11FcSpPoWkpDescrWkpNumber OBJECT-TYPE
4256      SYNTAX       Unsigned32 (0..255)
4257      MAX-ACCESS   read-only
4258      STATUS       current
4259      DESCRIPTION
4260             "When the 'wkpWildcard' bit is set in the corresponding
4261              instance of t11FcSpPoWkpDescrFlags, this object specifies
4262              the IP protocol number of the Well-Known Protocol."
4263      REFERENCE
4264             "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4265                Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4266                section 7.1.7.1 and table 131.
4267              - http://www.iana.org/assignments/protocol-numbers."
4268      ::= { t11FcSpPoWkpDescrEntry 4 }

4270  t11FcSpPoWkpDescrDestPort OBJECT-TYPE
4271      SYNTAX       Unsigned32 (0..65535)
4272      MAX-ACCESS   read-only
4273      STATUS       current
4274      DESCRIPTION
4275             "When the 'destPortWildcard' bit is set in the corresponding
4276              instance of t11FcSpPoWkpDescrFlags, this object specifies
4277              the Destination (TCP/UDP) Port number of the Well-Known
4278              Protocol."
4279      REFERENCE
4280             "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4281                Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4282                section 7.1.7.1 and table 131.
4283              - http://www.iana.org/assignments/port-numbers."
4284      ::= { t11FcSpPoWkpDescrEntry 5 }

4286  --
4287  -- Attribute Entries in Active Attribute Policy Objects
4288  --

4290  t11FcSpPoAttribTable OBJECT-TYPE
4291      SYNTAX       SEQUENCE OF T11FcSpPoAttribEntry
4292      MAX-ACCESS   not-accessible
4293      STATUS       current
4294      DESCRIPTION
4295             "A table of the Attribute Policy Objects being used within
4296              active Policy Objects. In the FC-SP Policy Database, each
4297              Attribute Policy Object consists of an Attribute Object Name
4298              and a set of Attribute Entries.

4300              An active Attribute Policy Object is represented by all the
4301              Attribute Entries in this table which have the same value
4302              of t11FcSpPoAttribName."
4303      ::= { t11FcSpPoActive 9 }

4305  t11FcSpPoAttribEntry OBJECT-TYPE
4306      SYNTAX       T11FcSpPoAttribEntry
4307      MAX-ACCESS   not-accessible
4308      STATUS       current
4309      DESCRIPTION
4310             "Each row contains information specific to an Attribute
4311              Entry contained within an Attribute Policy Object which is
4312              active within the Fabric identified by t11FcSpPoFabricIndex
4313              and managed within the Fibre Channel management instance
4314              identified by fcmInstanceIndex.

4316              For some types of Attribute Policy Objects, it is valuable
4317              to break-out some semantically-significant parts of the
4318              Policy Object's value into their own individual MIB
4319              objects; for example, to extract the one or more individual
4320              Authentication Protocol Identifiers and associated
4321              Authentication Protocol Parameters out of an Attribute
4322              Object containing a 'AUTH_Negotiate Message Payload'.
4323              For such types, another MIB table is defined to hold the
4324              extracted values in MIB objects specific to the Attribute
4325              Policy Object's type. In such cases, the
4326              t11FcSpPoAttribExtension object in this table points to the
4327              other MIB table.

4329              If the value of one Attribute Entry is too large (more than
4330              256 bytes) to be contained within the value of one instance
4331              of t11FcSpPoAttribValue, then one row in this table contains
4332              the first 256 bytes, and one (or more) other row(s) in this
4333              table contain the rest of the value."
4334      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
4335               t11FcSpPoAttribName, t11FcSpPoAttribEntryIndex,
4336               t11FcSpPoAttribPartIndex }
4337      ::= { t11FcSpPoAttribTable 1 }

4339  T11FcSpPoAttribEntry ::= SEQUENCE {
4340      t11FcSpPoAttribName        T11FcSpAlphaNumName,
4341      t11FcSpPoAttribEntryIndex  Unsigned32,
4342      t11FcSpPoAttribPartIndex   Unsigned32,
4343      t11FcSpPoAttribType        Unsigned32,
4344      t11FcSpPoAttribValue       OCTET STRING,
4345      t11FcSpPoAttribExtension   OBJECT IDENTIFIER
4346  }

4348  t11FcSpPoAttribName OBJECT-TYPE
4349      SYNTAX       T11FcSpAlphaNumName
4350      MAX-ACCESS   not-accessible
4351      STATUS       current
4352      DESCRIPTION
4353             "The name of the Attribute Policy Object containing one
4354              or more Attribute Entries."
4355      REFERENCE
4356             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4357              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4358              section 7.1.8.1 and table 133."
4359      ::= { t11FcSpPoAttribEntry 1 }

4361  t11FcSpPoAttribEntryIndex OBJECT-TYPE
4362      SYNTAX       Unsigned32 (1..4294967295)
4363      MAX-ACCESS   not-accessible
4364      STATUS       current
4365      DESCRIPTION
4366             "A unique value to distinguish this Attribute Entry
4367              from other Attribute Entries contained in the same
4368              Attribute Policy Object."
4369      REFERENCE
4370             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4371              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4372              section 7.1.8.1, tables 133/134."
4373      ::= { t11FcSpPoAttribEntry 2 }

4375  t11FcSpPoAttribPartIndex OBJECT-TYPE
4376      SYNTAX       Unsigned32 (1..4294967295)
4377      MAX-ACCESS   not-accessible
4378      STATUS       current
4379      DESCRIPTION
4380             "When the value of an Attribute Entry is shorter than 257
4381              bytes, the whole value is contained in one instance of
4382              t11FcSpPoAttribValue, and the value of this object is 1.

4384              If the value of an Attribute Entry is longer than 256 bytes,
4385              then that value is divided up on 256 byte boundaries such
4386              that all parts are 256 bytes long except the last part which
4387              is shorter if necessary, with each such part contained in
4388              a separate row of this table, and the value of this object
4389              is set to the part number. That is, this object has the
4390              value of 1 for bytes 0-255, the value of 2 for bytes
4391              256-511, ... etc."
4392      REFERENCE
4393             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4394              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4395              section 7.1.8.1, tables 134/135."
4396      ::= { t11FcSpPoAttribEntry 3 }

4398  t11FcSpPoAttribType OBJECT-TYPE
4399      SYNTAX       Unsigned32 (1..4294967295)
4400      MAX-ACCESS   read-only
4401      STATUS       current
4402      DESCRIPTION
4403             "The type of attribute. The first type to be defined is:

4405                t11FcSpPoAttribType    t11FcSpPoAttribValue
4406                ===================    ====================
4407                    '00000001'h        The AUTH_Negotiate Message Payload
4408             "
4409      REFERENCE
4410             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4411              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4412              section 7.1.8.1, tables 134/135 and table 10."
4413      ::= { t11FcSpPoAttribEntry 4 }

4415  t11FcSpPoAttribValue OBJECT-TYPE
4416      SYNTAX       OCTET STRING (SIZE (0..256))
4417      MAX-ACCESS   read-only
4418      STATUS       current
4419      DESCRIPTION
4420             "The value of an Attribute Entry is divided up on 256 byte
4421              boundaries such that all parts are 256 bytes long except the
4422              last part which is shorter if necessary, and each such part
4423              is contained in a separate instance of this object.

4425              The value of this object is independent of whether some
4426              parts of its value are broken-out into separate MIB objects
4427              pointed to by the corresponding instance of
4428              t11FcSpPoAttribExtension."
4429      REFERENCE
4430             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4431              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4432              section 7.1.8.1, tables 134/135 and table 10."
4433      ::= { t11FcSpPoAttribEntry 5 }

4435  t11FcSpPoAttribExtension OBJECT-TYPE
4436      SYNTAX       OBJECT IDENTIFIER
4437      MAX-ACCESS   read-only
4438      STATUS       current
4439      DESCRIPTION
4440             "For some types of Attribute Policy Object, the value of
4441              this MIB object points to type-specific MIB objects which
4442              contain individual/broken-out parts of the Attribute Policy
4443              Object's value. If this object doesn't point to such
4444              type-specific MIB objects, then it contains the value:
4445              zeroDotZero.

4447              In particular, when the value of t11FcSpPoAttribType
4448              indicates 'AUTH_Negotiate Message Payload', one or more
4449              Authentication Protocol Identifiers and their associated
4450              Authentication Protocol Parameters are embedded within the
4451              value of the corresponding instance of t11FcSpPoAttribValue;
4452              MIB objects to contain these individual values are defined
4453              in the t11FcSpPoAuthProtTable. Thus, for an 'AUTH_Negotiate
4454              Message Payload' Attribute, the value of this object
4455              contains the OID of t11FcSpPoAuthProtTable."
4456      ::= { t11FcSpPoAttribEntry 6 }

4458  --
4459  -- Auth. Protocol Parameters in Active Attribute Policy Objects
4460  --

4462  t11FcSpPoAuthProtTable OBJECT-TYPE
4463      SYNTAX       SEQUENCE OF T11FcSpPoAuthProtEntry
4464      MAX-ACCESS   not-accessible
4465      STATUS       current
4466      DESCRIPTION
4467             "A table of Authentication Protocol Identifier and
4468              Authentication Protocol Parameters which are embedded in
4469              Attribute Policy Objects being used within active Policy
4470              Objects.

4472              This table is used for Attribute Entries of Attribute Policy
4473              Objects for which the value of t11FcSpPoAttribType indicates
4474              'AUTH_Negotiate Message Payload' and the value of
4475              t11FcSpPoAttribExtension contains the OID of this table."
4476      REFERENCE
4477             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4478              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4479              sections 5.3.2 & 7.1.8.1, tables 134/135 and tables 10/11."
4480      ::= { t11FcSpPoActive 10 }

4482  t11FcSpPoAuthProtEntry OBJECT-TYPE
4483      SYNTAX       T11FcSpPoAuthProtEntry
4484      MAX-ACCESS   not-accessible
4485      STATUS       current
4486      DESCRIPTION
4487             "Each entry contains information about an Authentication
4488              Protocol which is extracted out of the Attribute Entry
4489              (identified by t11FcSpPoAttribEntryIndex) of the Policy
4490              Attribute Object (identified by t11FcSpPoAttribName) which is
4491              active within the Fabric identified by t11FcSpPoFabricIndex
4492              and managed within the Fibre Channel management instance
4493              identified by fcmInstanceIndex.

4495              If the value of one Attribute Protocol Parameters string is
4496              too large (more than 256 bytes) to be contained within the
4497              value of one instance of t11FcSpPoAuthProtParams, then one
4498              row in this table contains the first 256 bytes, and one (or
4499              more) other row(s) in this table contain the rest of the
4500              value."
4501      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
4502               t11FcSpPoAttribName, t11FcSpPoAttribEntryIndex,
4503               t11FcSpPoAuthProtIdentifier,
4504               t11FcSpPoAuthProtPartIndex }
4505      ::= { t11FcSpPoAuthProtTable 1 }

4507  T11FcSpPoAuthProtEntry ::= SEQUENCE {
4508      t11FcSpPoAuthProtIdentifier  Unsigned32,
4509      t11FcSpPoAuthProtPartIndex   Unsigned32,
4510      t11FcSpPoAuthProtParams      OCTET STRING
4511  }

4513  t11FcSpPoAuthProtIdentifier OBJECT-TYPE
4514      SYNTAX       Unsigned32
4515      MAX-ACCESS   not-accessible
4516      STATUS       current
4517      DESCRIPTION
4518             "The Authentication Protocol Identifier:

4520                    1 = DH-CHAP
4521                    2 = FCAP
4522                    3 = FCPAP
4523                    4 = IKEv2
4524                    5 = IKEv2-AUTH
4525                    240 thru 255 = Vendor Specific Protocols

4527              all other values are 'Reserved' (by T11)."
4528      REFERENCE
4529             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4530              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4531              section 5.3.2, table 11."
4532      ::= { t11FcSpPoAuthProtEntry 1 }

4534  t11FcSpPoAuthProtPartIndex OBJECT-TYPE
4535      SYNTAX       Unsigned32 (1..4294967295)
4536      MAX-ACCESS   not-accessible
4537      STATUS       current
4538      DESCRIPTION
4539             "When the value of an Attribute Protocol Parameters string
4540              is shorter than 257 bytes, the whole value is contained in
4541              one instance of t11FcSpPoAuthProtParams, and the value of
4542              this object is 1. (This includes the case when the Attribute
4543              Protocol Parameters string is zero bytes in length.)

4545              If the value of an Authentication Protocol Parameters string
4546              is longer than 256 bytes, then that value is divided up on
4547              256 byte boundaries such that all parts are 256 bytes long
4548              except the last part which is shorter if necessary, with
4549              each such part contained in a separate row of this table,
4550              and the value of this object is set to the part number.
4551              That is, this object has the value of 1 for bytes 0-255,
4552              the value of 2 for bytes 256-511, ... etc."
4553      REFERENCE
4554             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4555              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4556              section 5.3.2, table 10."
4557      ::= { t11FcSpPoAuthProtEntry 2 }

4559  t11FcSpPoAuthProtParams OBJECT-TYPE
4560      SYNTAX       OCTET STRING (SIZE (0..256))
4561      MAX-ACCESS   read-only
4562      STATUS       current
4563      DESCRIPTION
4564             "The value of an Authentication Protocol Parameters string
4565              is divided up on 256 byte boundaries such that all parts
4566              are 256 bytes long except the last part which is shorter
4567              if necessary, and each such part is contained in a
4568              separate instance of this object."
4569      REFERENCE
4570             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4571              Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
4572              section 5.3.2, table 10."
4573      ::= { t11FcSpPoAuthProtEntry 3 }

4575  --
4576  -- Part 2 - Activate/De-Activate Operations
4577  --

4579  --
4580  -- Objects to Invoke Activate/De-Activate Operations
4581  --

4583  t11FcSpPoOperTable OBJECT-TYPE
4584      SYNTAX       SEQUENCE OF T11FcSpPoOperEntry
4585      MAX-ACCESS   not-accessible
4586      STATUS       current
4587      DESCRIPTION
4588             "A table which allows Activate and Deactivate operations
4589              to be invoked for FC-SP Policies on various Fabrics.

4591              Activating a new policy configuration is a two-step
4592              process:

4594              1) create a single Policy Summary Object as a set of rows
4595                 in the t11FcSpPoNaSummaryTable specifying a set of
4596                 Policy Objects which describe the new configuration; and
4597              2) activate that Policy Summary Object using the
4598                 t11FcSpPoOperActivate object defined in this table.

4600              Deactivating the current policy configuration is a one step
4601              process: the current Policy Summary Object is deactivated
4602              using the t11FcSpPoOperDeActivate object."
4603      ::= { t11FcSpPoOperations 1 }

4605  t11FcSpPoOperEntry OBJECT-TYPE
4606      SYNTAX       T11FcSpPoOperEntry
4607      MAX-ACCESS   not-accessible
4608      STATUS       current
4609      DESCRIPTION
4610             "Each entry allows an Activate and/or Deactivate operation
4611              to be invoked on a particular Fabric, which is managed as
4612              part of the Fibre Channel management instance identified
4613              by fcmInstanceIndex."
4614      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex }
4615      ::= { t11FcSpPoOperTable 1 }

4617  T11FcSpPoOperEntry ::= SEQUENCE {
4618      t11FcSpPoOperActivate    T11FcSpAlphaNumName,
4619      t11FcSpPoOperDeActivate  T11FcSpAlphaNumName,
4620      t11FcSpPoOperResult      INTEGER,
4621      t11FcSpPoOperFailCause   SnmpAdminString
4622  }

4624  t11FcSpPoOperActivate OBJECT-TYPE
4625      SYNTAX       T11FcSpAlphaNumName
4626      MAX-ACCESS   read-write
4627      STATUS       current
4628      DESCRIPTION
4629             "Writing the name of a Policy Summary Object into this
4630              object is a request to activate the policy configuration
4631              described by the combination of all rows in
4632              t11FcSpPoNaSummaryTable which have that name as their
4633              value of t11FcSpPoNaSummaryName and are for the same
4634              Fabric.

4636              Before issuing such a request, the relevant rows in the
4637              t11FcSpPoNaSummaryTable must exist and represent a complete
4638              and consistent Policy Summary Object. If they do not, the
4639              request will fail with t11FcSpPoOperResult having the
4640              'badSummaryObject' value.

4642              When read, the value of this object is always the zero-
4643              length string.

4645              Writing to this object does not delete (or in any way
4646              affect) any rows in the MIB tables for non-active
4647              Policy Objects."
4648      REFERENCE
4649             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4650              Fibre Channel - Security Protocols (FC-SP),
4651              13 June 2006, section 7.3.6.2"
4652      ::= { t11FcSpPoOperEntry 1 }

4654  t11FcSpPoOperDeActivate OBJECT-TYPE
4655      SYNTAX       T11FcSpAlphaNumName
4656      MAX-ACCESS   read-write
4657      STATUS       current
4658      DESCRIPTION
4659             "Writing the current value of t11FcSpPoPolicySummaryObjName
4660              into this object (for a particular Fabric) is a request
4661              to deactivate that Fabric's current policy configuration.
4662              Writing any other value into this object is a
4663              ('wrongValue') error.

4665              When read, the value of this object is always the zero-
4666              length string."
4667      REFERENCE
4668             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4669              Fibre Channel - Security Protocols (FC-SP),
4670              13 June 2006, section 7.3.6.3"
4671      ::= { t11FcSpPoOperEntry 2 }

4673  t11FcSpPoOperResult OBJECT-TYPE
4674      SYNTAX       INTEGER {
4675                       activateSuccess(1),
4676                       badSummaryObject(2),
4677                       activateFailure(3),
4678                       deactivateSuccess(4),
4679                       deactivateFailure(5),
4680                       inProgress(6),
4681                       none(7)
4682                   }
4683      MAX-ACCESS   read-only
4684      STATUS       current
4685      DESCRIPTION
4686             "This object indicates the status/result of the last
4687              activation/deactivation which was invoked via the
4688              corresponding instance of t11FcSpPoOperActivate or
4689              t11FcSpPoOperDeActivate.

4691              When the value of this object is 'inProgress', the
4692              values of the corresponding instances of
4693              t11FcSpPoOperActivate and t11FcSpPoOperDeActivate
4694              cannot be modified.

4696              The value 'badSummaryObject' indicates an activation
4697              request which did not name a complete and consistent
4698              Policy Summary Object.

4700              The value 'none' indicates activation/de-activation
4701              has not been attempted since the last restart of
4702              the management system."
4703      ::= { t11FcSpPoOperEntry 3 }

4705  t11FcSpPoOperFailCause OBJECT-TYPE
4706      SYNTAX       SnmpAdminString (SIZE (0..64))
4707      MAX-ACCESS   read-only
4708      STATUS       current
4709      DESCRIPTION
4710             "A textual message indicating the reason for the
4711              most recent activation/de-activation failure, or the
4712              zero-length string if no information is available
4713              (e.g., because the corresponding instance of
4714              t11FcSpPoOperResult has the value 'none').

4716              When the corresponding instance of
4717              t11FcSpPoOperResult is either 'activateFailure'
4718              or 'deactivateFailure', the value of this object
4719              indicates the reason for that failure."
4720      ::= { t11FcSpPoOperEntry 4 }

4722  --
4723  -- Part 3 - Non-Active Policy Objects
4724  --

4726  --
4727  -- Non-Active Policy Summary Objects Available for Activation
4728  --

4730  t11FcSpPoNaSummaryTable OBJECT-TYPE
4731      SYNTAX       SEQUENCE OF T11FcSpPoNaSummaryEntry
4732      MAX-ACCESS   not-accessible
4733      STATUS       current
4734      DESCRIPTION
4735             "A table of non-active Policy Summary Objects available
4736              to be activated.

4738              The functionality of this table deviates slightly from FC-SP
4739              in that FC-SP specifies that the only Policy Summary Object
4740              is the Active one, i.e., FC-SP does not store non-active
4741              Policy Summary Objects in the Policy Database. Instead,
4742              FC-SP requires a new Policy Summary Object to be created
4743              for, and embedded within, every Activate (APS) request.
4744              Thus, the newly-created Policy Summary Object outlasts the
4745              APS request only as the new active Policy Summary Object and
4746              only if the APS succeeds. In contrast, the Activate
4747              operation provided by this MIB module consists of two steps:

4749              1) create a non-active Policy Summary Object as a set of
4750                 entries in this table describing a new configuration;
4751              2) activate a Policy Summary Object (stored as a set of
4752                 entries in this table) using t11FcSpPoOperActivate.

4754              These two steps are only loosely connected, i.e., the result
4755              of the first operation is a non-active Policy Summary Object
4756              which is retained (in this table) even if it isn't
4757              immediately activated. Even after an attempt to activate
4758              it succeeds or fails, a non-active Policy Summary Object
4759              is not deleted, but is retained and still available for
4760              subsequent modification/re-use."
4761      ::= { t11FcSpPoNonActive 1 }

4763  t11FcSpPoNaSummaryEntry OBJECT-TYPE
4764      SYNTAX       T11FcSpPoNaSummaryEntry
4765      MAX-ACCESS   not-accessible
4766      STATUS       current
4767      DESCRIPTION
4768             "Each entry contains information about one non-active
4769              Policy Object within a non-active Policy Summary Object
4770              defined for potential use on the Fabric identified by
4771              t11FcSpPoFabricIndex, and managed within the Fibre Channel
4772              management instance identified by fcmInstanceIndex.

4774              A non-active Policy Summary Object is described by a set
4775              of entries in this table which have the same value of
4776              t11FcSpPoNaSummaryName.

4778              As and when a Policy Summary Object is activated using the
4779              t11FcSpPoOperActivate object, if the activation is
4780              successful, existing rows (if any) in MIB tables for active
4781              Policy Objects are deleted and replaced by the appropriate
4782              new set of rows. Existing rows in this table and/or in
4783              other tables for non-active Policy Objects are not
4784              affected by the activate operation.

4786              The StorageType of a row in this table is specified by the
4787              instance of t11FcSpPoStorageType which is INDEX-ed by the
4788              same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
4789      REFERENCE
4790             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4791              Fibre Channel - Security Protocols (FC-SP),
4792              13 June 2006, section 7.1.3 and table 104."
4793      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
4794               t11FcSpPoNaSummaryName, t11FcSpPoNaSummaryPolicyType,
4795               t11FcSpPoNaSummaryPolicyIndex }
4796      ::= { t11FcSpPoNaSummaryTable 1 }

4798  T11FcSpPoNaSummaryEntry ::= SEQUENCE {
4799      t11FcSpPoNaSummaryName            T11FcSpAlphaNumName,
4800      t11FcSpPoNaSummaryPolicyType      T11FcSpPolicyObjectType,
4801      t11FcSpPoNaSummaryPolicyIndex     Unsigned32,
4802      t11FcSpPoNaSummaryPolicyNameType  T11FcSpPolicyNameType,
4803      t11FcSpPoNaSummaryPolicyName      T11FcSpPolicyName,
4804      t11FcSpPoNaSummaryHashStatus      INTEGER,
4805      t11FcSpPoNaSummaryHashFormat      T11FcSpPolicyHashFormat,
4806      t11FcSpPoNaSummaryHashValue       T11FcSpPolicyHashValue,
4807      t11FcSpPoNaSummaryRowStatus       RowStatus
4808  }

4810  t11FcSpPoNaSummaryName OBJECT-TYPE
4811      SYNTAX       T11FcSpAlphaNumName
4812      MAX-ACCESS   not-accessible
4813      STATUS       current
4814      DESCRIPTION
4815             "The name of the non-active Policy Summary Object which
4816              contains this Policy Object."
4817      ::= { t11FcSpPoNaSummaryEntry 1 }

4819  t11FcSpPoNaSummaryPolicyType OBJECT-TYPE
4820      SYNTAX       T11FcSpPolicyObjectType
4821      MAX-ACCESS   not-accessible
4822      STATUS       current
4823      DESCRIPTION
4824             "The 'Identifier' which specifies the type of this Policy
4825              Object."
4826      REFERENCE
4827             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4828              Fibre Channel - Security Protocols (FC-SP),
4829              13 June 2006, section 7.1.3.1 and table 104."
4830      ::= { t11FcSpPoNaSummaryEntry 2 }

4832  t11FcSpPoNaSummaryPolicyIndex OBJECT-TYPE
4833      SYNTAX       Unsigned32 (1..4294967295)
4834      MAX-ACCESS   not-accessible
4835      STATUS       current
4836      DESCRIPTION
4837             "A unique integer value to distinguish this Policy Object
4838              from any others which have the same type and which are
4839              contained in the same Policy Summary Object."
4840      ::= { t11FcSpPoNaSummaryEntry 3 }

4842  t11FcSpPoNaSummaryPolicyNameType OBJECT-TYPE
4843      SYNTAX       T11FcSpPolicyNameType {
4844                       nodeName(1),
4845                       alphaNumericName(7)
4846                   }
4847      MAX-ACCESS   read-create
4848      STATUS       current
4849      DESCRIPTION
4850             "The combination of t11FcSpPoNaSummaryPolicyNameType and
4851              t11FcSpPoNaSummaryPolicyName specify the name of the
4852              non-active Policy Object identified by this row.

4854              The type of name must be 'nodeName' if the value of the
4855              corresponding instance of t11FcSpPoNaSummaryPolicyType is
4856              'switchConnectivity', or 'alphaNumericName' otherwise."

4858      ::= { t11FcSpPoNaSummaryEntry 4 }

4860  t11FcSpPoNaSummaryPolicyName OBJECT-TYPE
4861      SYNTAX       T11FcSpPolicyName
4862      MAX-ACCESS   read-create
4863      STATUS       current
4864      DESCRIPTION
4865             "The combination of t11FcSpPoNaSummaryPolicyNameType and
4866              t11FcSpPoNaSummaryPolicyName specify the name of the
4867              non-active Policy Object identified by this row."
4868      ::= { t11FcSpPoNaSummaryEntry 5 }

4870  t11FcSpPoNaSummaryHashStatus OBJECT-TYPE
4871      SYNTAX       INTEGER {
4872                       calculate(1),
4873                       correct(2),
4874                       stale(3)
4875                   }
4876      MAX-ACCESS   read-create
4877      STATUS       current
4878      DESCRIPTION
4879             "When read, the value of this object is either:

4881                correct -- the corresponding instance of
4882                           t11FcSpPoNaSummaryHashValue contains
4883                           the correct value; or
4884                stale   -- the corresponding instance of
4885                           t11FcSpPoNaSummaryHashValue contains
4886                           a stale (possibly incorrect) value;

4888              Writing a value of 'calculate' is a request to re-calculate
4889              and update the value of the corresponding instance of
4890              t11FcSpPoNaSummaryHashValue. Writing a value of 'correct'
4891              or 'stale' to this object is a ('wrongValue') error."
4892      DEFVAL { stale }
4893      ::= { t11FcSpPoNaSummaryEntry 6 }

4895  t11FcSpPoNaSummaryHashFormat OBJECT-TYPE
4896      SYNTAX       T11FcSpPolicyHashFormat
4897      MAX-ACCESS   read-only
4898      STATUS       current
4899      DESCRIPTION
4900             "The format of this Policy Object's hash value as
4901              contained in the corresponding instance of the
4902              t11FcSpPoNaSummaryHashValue object."

4904      DEFVAL { '00000001'h }
4905      ::= { t11FcSpPoNaSummaryEntry 7 }

4907  t11FcSpPoNaSummaryHashValue OBJECT-TYPE
4908      SYNTAX       T11FcSpPolicyHashValue
4909      MAX-ACCESS   read-only
4910      STATUS       current
4911      DESCRIPTION
4912             "The hash value of this Policy Object, in the format
4913              identified by the corresponding instance of the
4914              t11FcSpPoNaSummaryHashFormat object."
4915      DEFVAL { "" }
4916      ::= { t11FcSpPoNaSummaryEntry 8 }

4918  t11FcSpPoNaSummaryRowStatus OBJECT-TYPE
4919      SYNTAX       RowStatus
4920      MAX-ACCESS   read-create
4921      STATUS       current
4922      DESCRIPTION
4923             "The status of this row.

4925              Before a row in this table can have 'active' status,
4926              a non-Active Policy Object must already be represented
4927              in the table corresponding to the value of
4928              t11FcSpPoNaSummaryPolicyType with the name given by the
4929              combination of t11FcSpPoNaSummaryPolicyNameType and
4930              t11FcSpPoNaSummaryPolicyName. If such Policy Object gets
4931              deleted from the relevant table, the row in this table must
4932              also get deleted.

4934              When a row has 'active' status, the only write-able MIB
4935              objects in this table are t11FcSpPoNaSummaryHashStatus and
4936              t11FcSpPoNaSummaryRowStatus."
4937      ::= { t11FcSpPoNaSummaryEntry 9 }

4939  --
4940  -- Non-Active Switch Membership List Objects
4941  --

4943  t11FcSpPoNaSwListTable OBJECT-TYPE
4944      SYNTAX       SEQUENCE OF T11FcSpPoNaSwListEntry
4945      MAX-ACCESS   not-accessible
4946      STATUS       current
4947      DESCRIPTION
4948             "A table of non-active Switch Membership List Objects."
4949      REFERENCE
4950             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4951              Fibre Channel - Security Protocols (FC-SP),
4952              13 June 2006, section 7.1.4.1 and table 108."
4953      ::= { t11FcSpPoNonActive 2 }

4955  t11FcSpPoNaSwListEntry OBJECT-TYPE
4956      SYNTAX       T11FcSpPoNaSwListEntry
4957      MAX-ACCESS   not-accessible
4958      STATUS       current
4959      DESCRIPTION
4960             "Each entry contains information about one non-active
4961              Switch Membership List Object for the Fabric identified
4962              by t11FcSpPoFabricIndex and managed within the Fibre
4963              Channel management instance identified by
4964              fcmInstanceIndex.

4966              The StorageType of a row in this table is specified by the
4967              instance of t11FcSpPoStorageType which is INDEX-ed by the
4968              same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
4969      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
4970               t11FcSpPoNaSwListName }
4971      ::= { t11FcSpPoNaSwListTable 1 }

4973  T11FcSpPoNaSwListEntry ::= SEQUENCE {
4974      t11FcSpPoNaSwListName        T11FcSpAlphaNumName,
4975      t11FcSpPoNaSwListFabricName  FcNameIdOrZero,
4976      t11FcSpPoNaSwListRowStatus   RowStatus
4977  }

4979  t11FcSpPoNaSwListName OBJECT-TYPE
4980      SYNTAX       T11FcSpAlphaNumName
4981      MAX-ACCESS   not-accessible
4982      STATUS       current
4983      DESCRIPTION
4984             "The name of the Switch Membership List Object."
4985      REFERENCE
4986             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
4987              Fibre Channel - Security Protocols (FC-SP),
4988              13 June 2006, section 7.1.4.1 and table 108."
4989      ::= { t11FcSpPoNaSwListEntry 1 }

4991  t11FcSpPoNaSwListFabricName OBJECT-TYPE
4992      SYNTAX       FcNameIdOrZero
4993      MAX-ACCESS   read-create
4994      STATUS       current
4995      DESCRIPTION
4996             "The administratively-specified Fabric_Name. This value
4997              is meaningful only when static Domain_IDs are used in a
4998              Fabric. If Static Domain_IDs are not used, the Fabric_Name
4999              is dynamically determined, in which case the value of this
5000              object can be '0000000000000000'h or the zero-length
5001              string."
5002      REFERENCE
5003             "- t11FamConfigDomainId, T11-FC-FABRIC-ADDR-MGR-MIB,
5004                Fibre Channel Fabric Address Manager MIB, RFC 4439;
5005              - INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5006                Fibre Channel - Security Protocols (FC-SP),
5007                13 June 2006, table 108."
5008      ::= { t11FcSpPoNaSwListEntry 2 }

5010  t11FcSpPoNaSwListRowStatus OBJECT-TYPE
5011      SYNTAX       RowStatus
5012      MAX-ACCESS   read-create
5013      STATUS       current
5014      DESCRIPTION
5015             "The status of this row. Values of object instances
5016              within the row can be modified at any time.

5018              If a row in this table is deleted, any row in the
5019              t11FcSpPoNaSwMembTable for the same Switch Membership
5020              List Object will also get deleted."
5021      ::= { t11FcSpPoNaSwListEntry 3 }

5023  --
5024  -- Switch Entries in Non-Active Switch Membership List Objects
5025  --

5027  t11FcSpPoNaSwMembTable OBJECT-TYPE
5028      SYNTAX       SEQUENCE OF T11FcSpPoNaSwMembEntry
5029      MAX-ACCESS   not-accessible
5030      STATUS       current
5031      DESCRIPTION
5032             "A table of Switch Entries in non-active Switch Membership
5033              List Objects."
5034      REFERENCE
5035             "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5036              Fibre Channel - Security Protocols (FC-SP),
5037              13 June 2006, section 7.1.4.1 and table 110."
5038      ::= { t11FcSpPoNonActive 3 }

5040  t11FcSpPoNaSwMembEntry OBJECT-TYPE
5041      SYNTAX       T11FcSpPoNaSwMembEntry
5042      MAX-ACCESS   not-accessible
5043      STATUS       current
5044      DESCRIPTION
5045             "Each entry contains information about one Switch which
5046              is listed in a Switch Entry of a non-active Switch Membership
5047              List Object for the Fabric identified by t11FcSpPoFabricIndex
5048              and managed within the Fibre Channel management instance
5049              identified by fcmInstanceIndex.

5051          A row cannot exist unless there is a row in
5052          t11FcSpPoNaSwListTable for the given Switch Membership List
5053          Object, i.e., the row in t11FcSpPoNaSwListTable for a
5054          Switch Membership List Object must be created before (or
5055          simultaneously) with a row in this table for a Switch
5056          Entry in that Switch Membership List Object, and when a
5057          row in t11FcSpPoNaSwListTable is deleted all rows in this
5058          table for Switch Entries in that Switch Membership List
5059          Object also get deleted.

5061          The StorageType of a row in this table is specified by the
5062          instance of t11FcSpPoStorageType which is INDEX-ed by the
5063          same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
5064      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
5065               t11FcSpPoNaSwListName,
5066               t11FcSpPoNaSwMembSwitchNameType,
5067               t11FcSpPoNaSwMembSwitchName }

5069      ::= { t11FcSpPoNaSwMembTable 1 }

5071  T11FcSpPoNaSwMembEntry ::= SEQUENCE {
5072      t11FcSpPoNaSwMembSwitchNameType  T11FcSpPolicyNameType,
5073      t11FcSpPoNaSwMembSwitchName      FcNameIdOrZero,
5074      t11FcSpPoNaSwMembFlags           BITS,
5075      t11FcSpPoNaSwMembDomainID        FcDomainIdOrZero,
5076      t11FcSpPoNaSwMembPolicyDataRole  INTEGER,
5077      t11FcSpPoNaSwMembAuthBehaviour   BITS,
5078      t11FcSpPoNaSwMembAttribute       T11FcSpAlphaNumNameOrNull,
5079      t11FcSpPoNaSwMembRowStatus       RowStatus
5080  }

5082  t11FcSpPoNaSwMembSwitchNameType OBJECT-TYPE
5083      SYNTAX       T11FcSpPolicyNameType {
5084                       nodeName(1),
5085                       restrictedNodeName(2),
5086                       wildcard(5),
5087                       restrictedWildcard(6)
5088                   }
5089      MAX-ACCESS   not-accessible
5090      STATUS       current
5091      DESCRIPTION
5092          "If the value of this object is 'nodeName' or
5093          'restrictedNodeName', then the combination of
5094          this object and t11FcSpPoNaSwMembSwitchName specify the
5095          Switch Name of this Switch Entry.

5097          The membership is restricted or unrestricted based on the
5098          name type. Restricted membership means that the Switch is
5099          not allowed to be part of the Fabric unless allowed by a
5100          specific Switch Connectivity Object. Unrestricted
5101          membership means that the Switch is allowed to be part of
5102          the Fabric unless disallowed by a specific Switch
5103          Connectivity Object.

5105          The values of 'wildcard' and 'restrictedWildcard' provide
5106          the means to specify whether to allow/deny membership for
5107          Switches not explicitly named in the Switch Membership
5108          List Object."
5109      REFERENCE
5110          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5111          Fibre Channel - Security Protocols (FC-SP),
5112          13 June 2006, section 7.1.4.1 and table 110."
5113      ::= { t11FcSpPoNaSwMembEntry 1 }

5115  t11FcSpPoNaSwMembSwitchName OBJECT-TYPE
5116      SYNTAX       FcNameIdOrZero (SIZE (8))
5117      MAX-ACCESS   not-accessible
5118      STATUS       current
5119      DESCRIPTION
5120          "If the value of t11FcSpPoSwMembSwitchNameType is
5121          'wildcard' or 'restrictedWildcard', this object has the
5122          value '0000000000000000'h.

5124          Otherwise, the combination of
5125          t11FcSpPoNaSwMembSwitchNameType and this object specify the
5126          Switch Name of this Switch Entry."
5127      REFERENCE
5128          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5129          Fibre Channel - Security Protocols (FC-SP),
5130          13 June 2006, section 7.1.4.1 and table 110."
5131      ::= { t11FcSpPoNaSwMembEntry 2 }

5133  t11FcSpPoNaSwMembFlags OBJECT-TYPE
5134      SYNTAX       BITS {
5135                       staticDomainID(0),
5136                       insistentDomainID(1),
5137                       serialPortsAccess(2),
5138                       physicalPortsAccess(3),
5139                       managerRole(4)
5140                   }
5141      MAX-ACCESS   read-create
5142      STATUS       current
5143      DESCRIPTION
5144          "Configurable options in respect to the administration
5145          of Policy Objects at this Switch:

5147          'staticDomainID' - the Switch uses the 'Static
5148          Domain_IDs behavior' (as defined in FC-SW-4) when this bit
5149          is set. This bit should have the same setting for all
5150          Switches in a Fabric's Switch Membership List Object, or
5151          else the Fabric will partition. If this bit is set,
5152          the 'insistentDomainID' bit must not be set.

5154          'insistentDomainID' - if this bit is set, the Switch
5155          uses the 'Insistent Domain_IDs behavior' (as defined in
5156          FC-SW-4), and the 'staticDomainID' bit must not be set.

5158          'serialPortsAccess' - the Switch allows management
5159          through serial ports when and only when this bit is set.

5161          'physicalPortsAccess' - the Switch allows management
5162          through the physical panel when and only when this bit
5163          is set.

5165          'managerRole' - the Switch is allowed to change
5166          the Fabric Policy configuration (on receipt of any of the
5167          EACA, ESFC, EUFC, ACA, SFC, or UFC SW_ILSs) if this bit is
5168          set."
5169      REFERENCE
5170          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5171          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5172          section 7.1.4.1 and table 112." ::= {
5173          t11FcSpPoNaSwMembEntry 3 }

5175  t11FcSpPoNaSwMembDomainID OBJECT-TYPE
5176      SYNTAX       FcDomainIdOrZero
5177      MAX-ACCESS   read-create
5178      STATUS       current
5179      DESCRIPTION
5180          "The Domain_ID to be used when either the 'staticDomainID'
5181          bit or the 'insistentDomainID' bit is set in the
5182          corresponding value of t11FcSpPoNaSwMembFlags."
5183      REFERENCE
5184          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5185          Fibre Channel - Security Protocols (FC-SP),
5186          13 June 2006, section 7.1.4.1 and tables 111 and 112."
5187      ::= { t11FcSpPoNaSwMembEntry 4 }

5189  t11FcSpPoNaSwMembPolicyDataRole OBJECT-TYPE
5190      SYNTAX       INTEGER {
5191                       client(1),
5192                       autonomous(2),
5193                       server(3)
5194                   }
5195      MAX-ACCESS   read-create
5196      STATUS       current
5197      DESCRIPTION
5198          "The role of the Switch in terms of which Policy data
5199          it retains/maintains:

5201          'client' - the Switch operates as a Client Switch.
5202          A Client Switch maintains its own Switch Connectivity
5203          Object and all Fabric-wide List Objects. If FC-SP
5204          Zoning is used, a Client Switch maintains only the
5205          subset of the Active Zone Set that it requires to
5206          enforce the current Fabric Zoning configuration.

5208          'autonomous' - the Switch operates as an Autonomous
5209          Switch. An Autonomous Switch maintains its own Switch
5210          Connectivity Object and all Fabric-wide List Objects.
5211          This is the same as 'client' except that if FC-SP Zoning
5212          is used, an Autonomous Switch maintains a complete copy
5213          of the Fabric Zoning Database.

5215          'server' - the Switch operates as a Server Switch.
5216          A Server Switch maintains all Fabric-wide List Objects
5217          and the Switch Connectivity Objects of each Switch in
5218          the Fabric. If FC-SP Zoning is used, a Server Switch
5219          maintains a complete copy of the Fabric Zoning Database."
5220      REFERENCE
5221          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5222          Fibre Channel - Security Protocols (FC-SP),
5223          13 June 2006, section 7.1.4.1 and table 113."
5224      ::= { t11FcSpPoNaSwMembEntry 5 }

5226  t11FcSpPoNaSwMembAuthBehaviour OBJECT-TYPE
5227      SYNTAX       BITS {
5228                       mustAuthenticate(0),
5229                       rejectIsFailure(1)
5230                   }
5231      MAX-ACCESS   read-create
5232      STATUS       current
5233      DESCRIPTION
5234          "The authentication behaviour of the Switch:

5236          'mustAuthenticate' - if this bit is set, all connections
5237          between this Switch and neighbour Switches must be
5238          authenticated.

5240          'rejectIsFailure' - if this bit is set, the rejection of
5241          an AUTH_Negotiate message must be considered as an
5242          authentication failure by this Switch."
5243      REFERENCE
5244          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5245          Fibre Channel - Security Protocols (FC-SP),
5246          13 June 2006, section 7.1.4.1 and table 114."
5247      ::= { t11FcSpPoNaSwMembEntry 6 }

5249  t11FcSpPoNaSwMembAttribute OBJECT-TYPE
5250      SYNTAX       T11FcSpAlphaNumNameOrNull
5251      MAX-ACCESS   read-create
5252      STATUS       current
5253      DESCRIPTION
5254          "The name of a non-active Attribute Policy Object which
5255          is defined for this Switch. The zero-length string
5256          indicates that no non-active Attribute Policy Object is
5257          defined for this Switch.

5259          The effect of having no rows in the t11FcSpPoNaAttribTable
5260          for which the value of t11FcSpPoNaAttribName is the
5261          same as the value of this object, is the same as
5262          this object's value being the zero-length string."
5263      REFERENCE
5264          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5265          Fibre Channel - Security Protocols (FC-SP),
5266          13 June 2006, section 7.1.4.1 and table 110."
5267      ::= { t11FcSpPoNaSwMembEntry 7 }

5269  t11FcSpPoNaSwMembRowStatus OBJECT-TYPE
5270      SYNTAX       RowStatus
5271      MAX-ACCESS   read-create
5272      STATUS       current
5273      DESCRIPTION
5274          "The status of this row. Values of object instances
5275          within the row can be modified at any time.

5277          A row cannot exist unless there is a row in the
5278          t11FcSpPoNaSwListTable for the Switch Membership List
5279          Object containing the Switch Entry for this Switch, i.e.,
5280          the row in t11FcSpPoNaSwListTable for a Switch Membership
5281          List Object must be created before (or simultaneously)
5282          with a row in this table for a Switch Entry in that
5283          Switch Membership List Object; and when a row in
5284          t11FcSpPoNaSwListTable is deleted, any row in this
5285          table for a Switch Entry in that Switch Membership
5286          List Object also gets deleted."
5287      ::= { t11FcSpPoNaSwMembEntry 8 }

5289  --
5290  -- Node Entries in Non-Active Node Membership List Objects
5291  --

5293  t11FcSpPoNaNoMembTable OBJECT-TYPE
5294      SYNTAX       SEQUENCE OF T11FcSpPoNaNoMembEntry
5295      MAX-ACCESS   not-accessible
5296      STATUS       current
5297      DESCRIPTION
5298          "A table of Node Entries in non-active Node Membership List
5299          Objects.

5301          One Node Membership List Object is represented by all
5302          the rows in this table which have the same value of
5303          t11FcSpPoNaNoMembListName."
5304      ::= { t11FcSpPoNonActive 4 }

5306  t11FcSpPoNaNoMembEntry OBJECT-TYPE
5307      SYNTAX       T11FcSpPoNaNoMembEntry
5308      MAX-ACCESS   not-accessible
5309      STATUS       current
5310      DESCRIPTION
5311          "Each entry contains information about one Node Entry of
5312          a non-active Node Membership List Object for the Fabric
5313          identified by t11FcSpPoFabricIndex and managed within
5314          the Fibre Channel management instance identified by
5315          fcmInstanceIndex.

5317          The StorageType of a row in this table is specified by the
5318          instance of t11FcSpPoStorageType which is INDEX-ed by the
5319          same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
5320      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
5321               t11FcSpPoNaNoMembListName,
5322               t11FcSpPoNaNoMembNodeNameType,
5323               t11FcSpPoNaNoMembNodeName }
5324      ::= { t11FcSpPoNaNoMembTable 1 }

5326  T11FcSpPoNaNoMembEntry ::= SEQUENCE {
5327      t11FcSpPoNaNoMembListName       T11FcSpAlphaNumName,
5328      t11FcSpPoNaNoMembNodeNameType   T11FcSpPolicyNameType,
5329      t11FcSpPoNaNoMembNodeName       FcNameIdOrZero,
5330      t11FcSpPoNaNoMembFlags          BITS,
5331      t11FcSpPoNaNoMembCtAccessIndex  Unsigned32,
5332      t11FcSpPoNaNoMembAttribute      T11FcSpAlphaNumNameOrNull,
5333      t11FcSpPoNaNoMembRowStatus      RowStatus

5335  }

5337  t11FcSpPoNaNoMembListName OBJECT-TYPE
5338      SYNTAX       T11FcSpAlphaNumName
5339      MAX-ACCESS   not-accessible
5340      STATUS       current
5341      DESCRIPTION
5342          "The name of the non-active Node Membership List Object."
5343      REFERENCE
5344          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5345          Fibre Channel - Security Protocols (FC-SP),
5346          13 June 2006, section 7.1.4.1 and table 116."
5347      ::= { t11FcSpPoNaNoMembEntry 1 }

5349  t11FcSpPoNaNoMembNodeNameType OBJECT-TYPE
5350      SYNTAX       T11FcSpPolicyNameType {
5351                       nodeName(1),
5352                       restrictedNodeName(2),
5353                       portName(3),
5354                       restrictedPortName(4),
5355                       wildcard(5),
5356                       restrictedWildcard(6)
5357                   }
5358      MAX-ACCESS   not-accessible
5359      STATUS       current
5360      DESCRIPTION
5361          "If the value of this object is 'wildcard' or
5362          'restrictedWildcard', this Node Entry applies to Nodes not
5363          explicitly named in the Node Membership List Object.

5365          Otherwise, the combination of this object and
5366          t11FcSpPoNaNoMembNodeName specify the name of this Node Entry
5367          in the active Node Membership List Object. A Node is
5368          identified by its Node Name or by one or more of its Port
5369          Names.

5371          Restricted membership means that a Node is not allowed to be
5372          connected to the Fabric unless allowed by a specific Switch
5373          Connectivity Object. Unrestricted membership means that a
5374          Node is allowed to be connected to the Fabric unless
5375          disallowed by a specific Switch Connectivity Object."
5376      REFERENCE
5377          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5378          Fibre Channel - Security Protocols (FC-SP),
5379          13 June 2006, section 7.1.4.1 and table 116."

5381      ::= { t11FcSpPoNaNoMembEntry 2 }

5383  t11FcSpPoNaNoMembNodeName OBJECT-TYPE
5384      SYNTAX       FcNameIdOrZero (SIZE (8))
5385      MAX-ACCESS   not-accessible
5386      STATUS       current
5387      DESCRIPTION
5388          "If the value of t11FcSpPoNaNoMembNodeNameType is
5389          'wildcard' or 'restrictedWildcard', this object has the
5390          value '0000000000000000'h.

5392          Otherwise, the combination of t11FcSpPoNaNoMembNodeNameType
5393          and this object specify the name of this Node Entry in the
5394          active Node Membership List Object."
5395      REFERENCE
5396          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5397          Fibre Channel - Security Protocols (FC-SP),
5398          13 June 2006, section 7.1.4.1 and table 116."
5399      ::= { t11FcSpPoNaNoMembEntry 3 }

5401  t11FcSpPoNaNoMembFlags OBJECT-TYPE
5402      SYNTAX       BITS {
5403                       scsiEnclosureAccess(0),
5404                       authenticationRequired(1)
5405                   }
5406      MAX-ACCESS   read-create
5407      STATUS       current
5408      DESCRIPTION
5409          "Configurable options in respect to the administration
5410          of Policy Objects at this Node:

5412          'scsiEnclosureAccess' - the Node is allowed to
5413          control any Switch through SCSI Enclosure Services if this
5414          bit is set. If a Switch does not support SCSI Enclosure
5415          Services, this bit is ignored.

5417          'authenticationRequired' - the Node is required to
5418          authenticate itself to any Switch to which it is connected
5419          if and only if this bit is set."
5420      REFERENCE
5421          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5422          Fibre Channel - Security Protocols (FC-SP),
5423          13 June 2006, section 7.1.4.1 and table 118."
5424      ::= { t11FcSpPoNaNoMembEntry 4 }

5426  t11FcSpPoNaNoMembCtAccessIndex OBJECT-TYPE
5427      SYNTAX       Unsigned32 (0..4294967295)
5428      MAX-ACCESS   read-create
5429      STATUS       current
5430      DESCRIPTION
5431          "If the value of this object is zero, then access by this
5432          Node to Generic Services is not limited by a Common
5433          Transport Access Specifier.

5435          Otherwise, the limits are specified by the set of Common
5436          Transport Access Descriptors contained in those rows of
5437          the t11FcSpPoNaCtDescrTable for which the value of
5438          t11FcSpPoNaCtDescrSpecifierIndex is the same as the value
5439          of this object. No such rows in t11FcSpPoNaCtDescrTable
5440          has the same effect as this object's value being zero."
5441      REFERENCE
5442          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5443          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5444          section 7.1.4.1 and tables 118/119/120/121."
5445      ::= { t11FcSpPoNaNoMembEntry 5 }

5447  t11FcSpPoNaNoMembAttribute OBJECT-TYPE
5448      SYNTAX       T11FcSpAlphaNumNameOrNull
5449      MAX-ACCESS   read-create
5450      STATUS       current
5451      DESCRIPTION
5452          "The name of a non-active Attribute Policy Object which
5453          is defined for this Node. The zero-length string indicates
5454          that no non-active Attribute Policy Object is defined for
5455          this Node.

5457          The effect of having no rows in the t11FcSpPoNaAttribTable
5458          for which the value of t11FcSpPoNaAttribName is the
5459          same as the value of this object, is the same as
5460          this object's value being the zero-length string."
5461      REFERENCE
5462          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5463          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5464          section 7.1.4.1 and table 116."
5465      ::= { t11FcSpPoNaNoMembEntry 6 }

5467  t11FcSpPoNaNoMembRowStatus OBJECT-TYPE
5468      SYNTAX       RowStatus
5469      MAX-ACCESS   read-create
5470      STATUS       current
5471      DESCRIPTION
5472          "The status of this row. Values of object instances
5473          within the row can be modified at any time."
5474      ::= { t11FcSpPoNaNoMembEntry 7 }

5476  --
5477  --
5478  -- Non-Active Common Transport Access Descriptors
5479  --

5481  t11FcSpPoNaCtDescrTable OBJECT-TYPE
5482      SYNTAX       SEQUENCE OF T11FcSpPoNaCtDescrEntry
5483      MAX-ACCESS   not-accessible
5484      STATUS       current
5485      DESCRIPTION
5486          "A table of Common Transport Access Descriptors referenced
5487          by non-active Policy Objects.

5489          A Common Transport Access Specifier is a list of Common
5490          Transport Access Descriptors which specify whether a Node
5491          is allowed to access a Generic Service or Sub-Server.

5493          A non-active Common Transport Access Specifier is
5494          represented by all rows of this table which have the same
5495          values of fcmInstanceIndex, t11FcSpPoFabricIndex, and
5496          t11FcSpPoNaCtDescrSpecifierIndex."
5497      REFERENCE
5498          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5499          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5500          section 7.1.5"
5501      ::= { t11FcSpPoNonActive 5 }

5503  t11FcSpPoNaCtDescrEntry OBJECT-TYPE
5504      SYNTAX       T11FcSpPoNaCtDescrEntry
5505      MAX-ACCESS   not-accessible
5506      STATUS       current
5507      DESCRIPTION
5508          "Each entry contains information about one Common Transport
5509          Access Descriptor of a non-active Common Transport Access
5510          Specifier used within the Fabric identified by
5511          t11FcSpPoFabricIndex and managed within the Fibre Channel
5512          management instance identified by fcmInstanceIndex.

5514          The StorageType of a row in this table is specified by the
5515          instance of t11FcSpPoStorageType which is INDEX-ed by the
5516          same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
5517      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
5518               t11FcSpPoNaCtDescrSpecifierIndex, t11FcSpPoNaCtDescrIndex }
5519      ::= { t11FcSpPoNaCtDescrTable 1 }

5521  T11FcSpPoNaCtDescrEntry ::= SEQUENCE {
5522      t11FcSpPoNaCtDescrSpecifierIndex  Unsigned32,
5523      t11FcSpPoNaCtDescrIndex           Unsigned32,
5524      t11FcSpPoNaCtDescrFlags           BITS,
5525      t11FcSpPoNaCtDescrGsType          OCTET STRING,
5526      t11FcSpPoNaCtDescrGsSubType       OCTET STRING,
5527      t11FcSpPoNaCtDescrRowStatus       RowStatus
5528  }

5530  t11FcSpPoNaCtDescrSpecifierIndex OBJECT-TYPE
5531      SYNTAX       Unsigned32 (1..4294967295)
5532      MAX-ACCESS   not-accessible
5533      STATUS       current
5534      DESCRIPTION
5535          "An index value which uniquely identifies a particular
5536          Common Transport Access Specifier within a Fabric."
5537      ::= { t11FcSpPoNaCtDescrEntry 1 }

5539  t11FcSpPoNaCtDescrIndex OBJECT-TYPE
5540      SYNTAX       Unsigned32 (1..4294967295)
5541      MAX-ACCESS   not-accessible
5542      STATUS       current
5543      DESCRIPTION
5544          "An index value which uniquely identifies a particular
5545          Common Transport Access Descriptor within a Common Transport
5546          Access Specifier."
5547      ::= { t11FcSpPoNaCtDescrEntry 2 }

5549  t11FcSpPoNaCtDescrFlags OBJECT-TYPE
5550      SYNTAX       BITS {
5551                       allow(0),
5552                       gsTypeWildcard(1),
5553                       gsSubTypeWildcard(2),
5554                       readOnly(3)
5555                   }
5556      MAX-ACCESS   read-create
5557      STATUS       current
5558      DESCRIPTION
5559          "The flag bits which specify how access is to be limited by
5560          this Common Transport Access Descriptor:

5562          - allow -- access to the specified Generic Service and
5563          Server is allowed if this bit is set, and to be denied if
5564          this bit is not set.

5566          - gsTypeWildcard -- if this bit is set, the Generic Service
5567          to be allowed/denied is specified by the value of
5568          t11FcSpPoNaCtDescrGsType, and the gsSubTypeWildcard bit
5569          must not also be set.

5571          - gsSubTypeWildcard -- if this bit is set, the Generic
5572          Service to be allowed/denied is specified by the value of
5573          t11FcSpPoNaCtDescrGsSubType, and the gsTypeWildcard bit
5574          must not also be set.

5576          - readOnly -- if this bit is set then access is to be
5577          granted only for reading."
5578      REFERENCE
5579          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5580          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5581          section 7.1.5.1, and tables 117, 118, and 120."
5582      ::= { t11FcSpPoNaCtDescrEntry 3 }

5584  t11FcSpPoNaCtDescrGsType OBJECT-TYPE
5585      SYNTAX       OCTET STRING (SIZE (1))
5586      MAX-ACCESS   read-create
5587      STATUS       current
5588      DESCRIPTION
5589          "The GS_Type of the Generic Service (e.g., the FC-GS-5
5590          Management Service) which is subject to access control.
5591          This value is ignored if the gsTypeWildcard bit is not set
5592          in the corresponding value of t11FcSpPoNaCtDescrFlags."
5593      REFERENCE
5594          "- ANSI INCITS 427-2006,
5595          Fibre Channel - Generic Services-5 (FC-GS-5),
5596          section 4.3.2.4.
5597          - INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5598          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5599          section 7.1.5.1 and table 120."
5600      ::= { t11FcSpPoNaCtDescrEntry 4 }

5602  t11FcSpPoNaCtDescrGsSubType OBJECT-TYPE
5603      SYNTAX       OCTET STRING (SIZE (1))
5604      MAX-ACCESS   read-create
5605      STATUS       current
5606      DESCRIPTION
5607          "The GS_Subtype of the Generic Server (e.g., the Fabric Zone
5608          Server) which is subject to access control. This value is
5609          ignored if the gsSubTypeWildcard bit is not set in the
5610          corresponding value of t11FcSpPoNaCtDescrFlags."
5611      REFERENCE
5612          "- ANSI INCITS 427-2006,
5613          Fibre Channel - Generic Services-5 (FC-GS-5),
5614          section 4.3.2.5.
5615          - INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5616          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5617          section 7.1.5.1 and table 120."
5618      ::= { t11FcSpPoNaCtDescrEntry 5 }

5620  t11FcSpPoNaCtDescrRowStatus OBJECT-TYPE
5621      SYNTAX       RowStatus
5622      MAX-ACCESS   read-create
5623      STATUS       current
5624      DESCRIPTION
5625          "The status of this row. Values of object instances
5626          within the row can be modified at any time."
5627      ::= { t11FcSpPoNaCtDescrEntry 6 }

5629  --
5630  -- Switches/Nodes in Non-Active Switch Connectivity Objects
5631  --

5633  t11FcSpPoNaSwConnTable OBJECT-TYPE
5634      SYNTAX       SEQUENCE OF T11FcSpPoNaSwConnEntry
5635      MAX-ACCESS   not-accessible
5636      STATUS       current
5637      DESCRIPTION
5638          "A table of non-active Switch Connectivity Objects.

5640          A Switch Connectivity Object defines to which other
5641          Switches or Nodes a particular Switch may/may not be
5642          connected at the Node level and/or at the Port level."
5643      REFERENCE
5644          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5645          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5646          section 7.1.6."
5647      ::= { t11FcSpPoNonActive 6 }

5649  t11FcSpPoNaSwConnEntry OBJECT-TYPE
5650      SYNTAX       T11FcSpPoNaSwConnEntry
5651      MAX-ACCESS   not-accessible
5652      STATUS       current
5653      DESCRIPTION
5654          "Each entry contains the name of a Switch/Node with which
5655          any port of a particular Switch on a particular Fabric, or
5656          a particular port on that Switch, is allowed or not allowed
5657          to be connected.

5659          The particular Fabric is identified by t11FcSpPoFabricIndex
5660          and managed within the Fibre Channel management instance
5661          identified by fcmInstanceIndex.

5663          The StorageType of a row in this table is specified by the
5664          instance of t11FcSpPoStorageType which is INDEX-ed by the
5665          same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
5666      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
5667               t11FcSpPoNaSwConnSwitchName,
5668               t11FcSpPoNaSwConnAllowedType,
5669               t11FcSpPoNaSwConnPortNameOrAll,
5670               t11FcSpPoNaSwConnAllowedIndex }
5671      ::= { t11FcSpPoNaSwConnTable 1 }

5673  T11FcSpPoNaSwConnEntry ::= SEQUENCE {
5674      t11FcSpPoNaSwConnSwitchName       FcNameIdOrZero,
5675      t11FcSpPoNaSwConnAllowedType      INTEGER,
5676      t11FcSpPoNaSwConnPortNameOrAll    FcNameIdOrZero,
5677      t11FcSpPoNaSwConnAllowedIndex     Unsigned32,
5678      t11FcSpPoNaSwConnAllowedNameType  T11FcSpPolicyNameType,
5679      t11FcSpPoNaSwConnAllowedName      FcNameIdOrZero,
5680      t11FcSpPoNaSwConnRowStatus        RowStatus
5681  }

5683  t11FcSpPoNaSwConnSwitchName OBJECT-TYPE
5684      SYNTAX       FcNameIdOrZero (SIZE (8))
5685      MAX-ACCESS   not-accessible
5686      STATUS       current
5687      DESCRIPTION
5688          "The name of the Switch for which this Switch Connectivity
5689          Object specifies topology restrictions."
5690      REFERENCE
5691          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5692          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5693          section 7.1.6.1 and table 123."
5694      ::= { t11FcSpPoNaSwConnEntry 1 }

5696  t11FcSpPoNaSwConnAllowedType OBJECT-TYPE
5697      SYNTAX       INTEGER { switch(1), node(2) }
5698      MAX-ACCESS   not-accessible
5699      STATUS       current
5700      DESCRIPTION
5701          "This object specifies whether this row refers to an
5702          'Allowed Switch' which concerns Switch-to-Switch
5703          connectivity, or an 'Allowed Node' which concerns
5704          Switch-to-Node connectivity. Consequently, this object's
5705          value indicates whether the corresponding instance of
5706          t11FcSpPoNaSwConnAllowedName specifies the name of a Switch
5707          or the name of a Node."
5708      REFERENCE
5709          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5710          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5711          section 7.1.6.1 and table 123."
5712      ::= { t11FcSpPoNaSwConnEntry 2 }

5714  t11FcSpPoNaSwConnPortNameOrAll OBJECT-TYPE
5715      SYNTAX       FcNameIdOrZero (SIZE(0 | 8))
5716      MAX-ACCESS   not-accessible
5717      STATUS       current
5718      DESCRIPTION
5719          "This object specifies either the particular port on which
5720          this topology restriction applies, or if the value is the
5721          zero-length string, that the topology restriction applies
5722          to all ports of the Switch.

5724          In other words, if this object's value contains the name of
5725          a port, then this row represents a 'Port Connectivity Entry'
5726          (as described in FC-SP) within a Switch Connectivity Object."
5727      REFERENCE
5728          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5729          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5730          section 7.1.6.1 and tables 123/124."
5731      ::= { t11FcSpPoNaSwConnEntry 3 }

5733  t11FcSpPoNaSwConnAllowedIndex OBJECT-TYPE
5734      SYNTAX       Unsigned32 (1..4294967295)
5735      MAX-ACCESS   not-accessible
5736      STATUS       current
5737      DESCRIPTION
5738          "When multiple rows in this table refer to different
5739          'Allowed Switches' or to different 'Allowed Nodes' for the
5740          same port(s) in the same Switch Connectivity Object, this
5741          object provides a unique index value to distinguish between
5742          such rows."
5743      ::= { t11FcSpPoNaSwConnEntry 4 }

5745  t11FcSpPoNaSwConnAllowedNameType OBJECT-TYPE
5746      SYNTAX       T11FcSpPolicyNameType {
5747                       nodeName(1),
5748                       restrictedNodeName(2),
5749                       portName(3),
5750                       restrictedPortName(4),
5751                       wildcard(5),
5752                       restrictedWildcard(6)
5753                   }
5754      MAX-ACCESS   read-create
5755      STATUS       current
5756      DESCRIPTION
5757          "If the value of this object is 'wildcard' or
5758          'restrictedWildcard', this row specifies whether
5759          connectivity is allowed/not allowed with entities not
5760          explicitly named by other rows.

5762          Otherwise, the combination of
5763          t11FcSpPoNaSwConnAllowedNameType and
5764          t11FcSpPoNaSwConnAllowedName specify the name of:

5766          - a Switch (if t11FcSpPoNaSwConnAllowedType = 'switch'), or
5767          - a Node (if t11FcSpPoNaSwConnAllowedType = 'node')

5769          to which connectivity is allowed/not allowed."
5770      REFERENCE
5771          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5772          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5773          section 7.1.6.1 and tables 123/124."
5774      ::= { t11FcSpPoNaSwConnEntry 5 }

5776  t11FcSpPoNaSwConnAllowedName OBJECT-TYPE
5777      SYNTAX       FcNameIdOrZero (SIZE (8))
5778      MAX-ACCESS   read-create
5779      STATUS       current
5780      DESCRIPTION
5781          "If t11FcSpPoNaSwConnAllowedNameType has the value
5782          'wildcard' or 'restrictedWildcard', this object has the
5783          value '0000000000000000'h.

5785          Otherwise, the combination of
5786          t11FcSpPoNaSwConnAllowedNameType and
5787          t11FcSpPoNaSwConnAllowedName specify the name of:

5789          - a Switch (if t11FcSpPoNaSwConnAllowedType = 'switch'), or
5790          - a Node (if t11FcSpPoNaSwConnAllowedType = 'node')

5792          to which connectivity is allowed/not allowed."
5793      REFERENCE
5794          "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5795          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5796          section 7.1.6.1 and tables 123/124."
5797      ::= { t11FcSpPoNaSwConnEntry 6 }

5799  t11FcSpPoNaSwConnRowStatus OBJECT-TYPE
5800      SYNTAX       RowStatus
5801      MAX-ACCESS   read-create
5802      STATUS       current
5803      DESCRIPTION
5804          "The status of this row. Values of object instances
5805          within the row can be modified at any time."
5806      ::= { t11FcSpPoNaSwConnEntry 7 }

5808  --
5809  -- IP Management Entries in Non-Active IP Management List Objects
5810  --

5812  t11FcSpPoNaIpMgmtTable OBJECT-TYPE
5813      SYNTAX       SEQUENCE OF T11FcSpPoNaIpMgmtEntry
5814      MAX-ACCESS   not-accessible
5815      STATUS       current
5816      DESCRIPTION
5817          "A table of IP Management Entries in non-active IP
5818          Management List Objects. The IP Management List Object is a
5819          Fabric-wide Policy Object that describes which IP hosts are
5820          allowed to manage a Fabric.

5822          One non-active IP Management List Object is represented by
5823          all rows of this table which have the same values of
5824          fcmInstanceIndex and t11FcSpPoFabricIndex."
5825      ::= { t11FcSpPoNonActive 7 }

5827  t11FcSpPoNaIpMgmtEntry OBJECT-TYPE
5828      SYNTAX       T11FcSpPoNaIpMgmtEntry
5829      MAX-ACCESS   not-accessible
5830      STATUS       current
5831      DESCRIPTION
5832          "Each entry contains information about one IP Management
5833          entry within a non-active IP Management List Object for the
5834          Fabric identified by t11FcSpPoFabricIndex and managed
5835          within the Fibre Channel management instance identified
5836          by fcmInstanceIndex.

5838          The Policy Object Name of an IP Management Entry Policy
5839          Object is either an IPv6 Address Range or an IPv4 Address
5840          Range. In a Fabric's database of Policy Objects, every
5841          Policy Object Name, including these IP address ranges, is
5842          represented as a (T11FcSpPolicyNameType, T11FcSpPolicyName)
5843          tuple. In contrast, this MIB module uses the conventional
5844          MIB syntax for IP addresses, and therefore represents the
5845          Policy Object Name of an IP Management Entry Policy Object
5846          as a (InetAddressType, InetAddress, InetAddress) tuple.

5848          In theory, the use of t11FcSpPoNaIpMgmtEntryNameLow and
5849          t11FcSpPoNaIpMgmtEntryNameHigh, which have the syntax of
5850          InetAddress, in the INDEX could cause the need for
5851          excessively-long OIDs. In practice, this can't happen
5852          because FC-SP doesn't allow these objects to be specified
5853          as DNS names.

5855          The StorageType of a row in this table is specified by the
5856          instance of t11FcSpPoStorageType which is INDEX-ed by the
5857          same values of fcmInstanceIndex and t11FcSpPoFabricIndex."
5858      INDEX  { fcmInstanceIndex, t11FcSpPoFabricIndex,
5859               t11FcSpPoNaIpMgmtListName,
5860               t11FcSpPoNaIpMgmtEntryNameType,
5861               t11FcSpPoNaIpMgmtEntryNameLow,
5862               t11FcSpPoNaIpMgmtEntryNameHigh }
5863      ::= { t11FcSpPoNaIpMgmtTable 1 }

5865  T11FcSpPoNaIpMgmtEntry ::= SEQUENCE {
5866      t11FcSpPoNaIpMgmtListName       T11FcSpAlphaNumName,
5867      t11FcSpPoNaIpMgmtEntryNameType  InetAddressType,
5868      t11FcSpPoNaIpMgmtEntryNameLow   InetAddress,
5869      t11FcSpPoNaIpMgmtEntryNameHigh  InetAddress,
5870      t11FcSpPoNaIpMgmtWkpIndex       Unsigned32,
5871      t11FcSpPoNaIpMgmtAttribute      T11FcSpAlphaNumNameOrNull,
5872      t11FcSpPoNaIpMgmtRowStatus      RowStatus
5873  }
5874  t11FcSpPoNaIpMgmtListName OBJECT-TYPE
5875      SYNTAX       T11FcSpAlphaNumName
5876      MAX-ACCESS   not-accessible
5877      STATUS       current
5878      DESCRIPTION
5879          "The name of a non-active Node Membership List Object."
5880      REFERENCE
5881          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5882          Fibre Channel - Security Protocols (FC-SP),
5883          13 June 2006, section 7.1.7.1 and table 125."
5884      ::= { t11FcSpPoNaIpMgmtEntry 1 }

5886  t11FcSpPoNaIpMgmtEntryNameType OBJECT-TYPE
5887      SYNTAX       InetAddressType
5888                   -- INTEGER { ipv4(1), ipv6(2) }
5889      MAX-ACCESS   not-accessible
5890      STATUS       current
5891      DESCRIPTION
5892          "The combination of t11FcSpPoNaIpMgmtEntryNameType,
5893          t11FcSpPoNaIpMgmtNameLow and t11FcSpPoNaIpMgmtNameHigh
5894          specify the IP Address range of this IP Management
5895          Entry in the IP Management List Object.

5897          The FC-SP specification does not allow this address to
5898          be specified using a DNS domain name, nor does it allow
5899          the specification of zone indexes. Therefore, the
5900          type of address must be one of: 'ipv4', or 'ipv6'."
5901      REFERENCE
5902          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5903          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5904          sections 7.1.7.1 and table 126."
5905      ::= { t11FcSpPoNaIpMgmtEntry 2 }

5907  t11FcSpPoNaIpMgmtEntryNameLow OBJECT-TYPE
5908      SYNTAX       InetAddress (SIZE(4 | 16))
5909      MAX-ACCESS   not-accessible
5910      STATUS       current
5911      DESCRIPTION
5912          "The lower end of an Internet address range. The type
5913          of this address is given by the corresponding instance
5914          of t11FcSpPoNaIpMgmtEntryNameType.

5916          The combination of t11FcSpPoNaIpMgmtEntryNameType,
5917          t11FcSpPoNaIpMgmtNameLow and t11FcSpPoIpMgmtNameHigh
5918          specify the IP Address range of this IP Management
5919          Entry in the IP Management List Object."
5920      REFERENCE
5921          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5922          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5923          sections 7.1.7.1 and table 126."
5924      ::= { t11FcSpPoNaIpMgmtEntry 3 }

5926  t11FcSpPoNaIpMgmtEntryNameHigh OBJECT-TYPE
5927      SYNTAX       InetAddress (SIZE(4 | 16))
5928      MAX-ACCESS   not-accessible
5929      STATUS       current
5930      DESCRIPTION
5931          "The higher end of an Internet address range. The type
5932          of this address is given by the corresponding instance
5933          of t11FcSpPoNaIpMgmtEntryNameType.

5935          The combination of t11FcSpPoNaIpMgmtEntryNameType,
5936          t11FcSpPoNaIpMgmtNameLow and t11FcSpPoNaIpMgmtNameHigh
5937          specify the IP Address range of this IP Management
5938          Entry in the IP Management List Object."
5939      REFERENCE
5940          "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8,
5941          Fibre Channel - Security Protocols (FC-SP), 13 June 2006,
5942          sections 7.1.7.1 and table 126."
5943 ::= { t11FcSpPoNaIpMgmtEntry 4 } 5945 t11FcSpPoNaIpMgmtWkpIndex OBJECT-TYPE 5946 SYNTAX Unsigned32 (0..4294967295) 5947 MAX-ACCESS read-create 5948 STATUS current 5949 DESCRIPTION 5950 "This object identifies the restrictions for IP management 5951 access by IP hosts in this range of IP addresses. 5953 The restrictions are specified as the set of Well Known 5954 Protocols Access Descriptors contained in those rows of the 5955 t11FcSpPoNaWkpDescrTable for which the value of 5956 t11FcSpPoNaWkpDescrSpecifierIndx is the same as the value 5957 of this object. If there are no such rows or if the value 5958 of this object is zero, then this IP Management Entry does 5959 not identify any Well Known Protocols Access restrictions." 5960 REFERENCE 5961 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 5962 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 5963 section 7.1.7.1 and tables 127/129." 5965 ::= { t11FcSpPoNaIpMgmtEntry 5 } 5967 t11FcSpPoNaIpMgmtAttribute OBJECT-TYPE 5968 SYNTAX T11FcSpAlphaNumNameOrNull 5969 MAX-ACCESS read-create 5970 STATUS current 5971 DESCRIPTION 5972 "The name of a non-active Attribute Policy Object which 5973 is defined for this IP Management entry. The zero-length 5974 string indicates that no non-active Attribute Policy Object 5975 is defined for it. 5977 The effect of having no rows in the t11FcSpPoNaAttribTable 5978 for which the value of t11FcSpPoNaAttribName is the same 5979 as the value of this object, is the same as this object's 5980 value being the zero-length string." 5981 REFERENCE 5982 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 5983 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 5984 section 7.1.7.1 and table 128." 5985 ::= { t11FcSpPoNaIpMgmtEntry 6 } 5987 t11FcSpPoNaIpMgmtRowStatus OBJECT-TYPE 5988 SYNTAX RowStatus 5989 MAX-ACCESS read-create 5990 STATUS current 5991 DESCRIPTION 5992 "The status of this row. Values of object instances 5993 within the row can be modified at any time." 
5994 ::= { t11FcSpPoNaIpMgmtEntry 7 } 5996 -- 5997 -- Non-Active Well-Known Protocol Access Descriptors 5998 -- 6000 t11FcSpPoNaWkpDescrTable OBJECT-TYPE 6001 SYNTAX SEQUENCE OF T11FcSpPoNaWkpDescrEntry 6002 MAX-ACCESS not-accessible 6003 STATUS current 6004 DESCRIPTION 6005 "A table of the Well-Known Protocol Access Descriptors 6006 referenced from non-active Policy Objects. 6008 A Well-Known Protocol Access Specifier is a list of 6009 Well-Known Protocol Access Descriptors each of which 6010 specifies a protocol number, a port number and/or various 6011 flags specifying how IP management access is restricted. 6013 A non-active Well-Known Protocol Transport Access Specifier 6014 is represented by all rows of this table which have the same 6015 values of fcmInstanceIndex, t11FcSpPoFabricIndex, and 6016 t11FcSpPoNaWkpDescrSpecifierIndx." 6017 ::= { t11FcSpPoNonActive 8 } 6019 t11FcSpPoNaWkpDescrEntry OBJECT-TYPE 6020 SYNTAX T11FcSpPoNaWkpDescrEntry 6021 MAX-ACCESS not-accessible 6022 STATUS current 6023 DESCRIPTION 6024 "Each entry contains information about one Well-Known 6025 Protocol Access Descriptor of a non-active Well-Known 6026 Protocol Access Specifier used within the Fabric identified 6027 by t11FcSpPoFabricIndex and managed within the Fibre Channel 6028 management instance identified by fcmInstanceIndex. 6030 The StorageType of a row in this table is specified by the 6031 instance of t11FcSpPoStorageType which is INDEX-ed by the 6032 same values of fcmInstanceIndex and t11FcSpPoFabricIndex." 
6033 INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex, 6034 t11FcSpPoNaWkpDescrSpecifierIndx, 6035 t11FcSpPoNaWkpDescrIndex } 6036 ::= { t11FcSpPoNaWkpDescrTable 1 } 6038 T11FcSpPoNaWkpDescrEntry ::= SEQUENCE { 6039 t11FcSpPoNaWkpDescrSpecifierIndx Unsigned32, 6040 t11FcSpPoNaWkpDescrIndex Unsigned32, 6041 t11FcSpPoNaWkpDescrFlags BITS, 6042 t11FcSpPoNaWkpDescrWkpNumber Unsigned32, 6043 t11FcSpPoNaWkpDescrDestPort Unsigned32, 6044 t11FcSpPoNaWkpDescrRowStatus RowStatus 6045 } 6047 t11FcSpPoNaWkpDescrSpecifierIndx OBJECT-TYPE 6048 SYNTAX Unsigned32 (1..4294967295) 6049 MAX-ACCESS not-accessible 6050 STATUS current 6051 DESCRIPTION 6052 "An index value which uniquely identifies a particular 6053 non-active Well-Known Protocol Access Specifier within 6054 a Fabric." 6055 ::= { t11FcSpPoNaWkpDescrEntry 1 } 6057 t11FcSpPoNaWkpDescrIndex OBJECT-TYPE 6058 SYNTAX Unsigned32 (1..4294967295) 6059 MAX-ACCESS not-accessible 6060 STATUS current 6061 DESCRIPTION 6062 "An index value which uniquely identifies a particular 6063 Well-Known Protocol Access Descriptor within a 6064 non-active Well-Known Protocol Access Specifier." 6065 ::= { t11FcSpPoNaWkpDescrEntry 2 } 6067 t11FcSpPoNaWkpDescrFlags OBJECT-TYPE 6068 SYNTAX BITS { 6069 allow(0), 6070 wkpWildcard(1), 6071 destPortWildcard(2), 6072 readOnly(3) 6073 } 6074 MAX-ACCESS read-create 6075 STATUS current 6076 DESCRIPTION 6077 "The flag bits which specify how access is to be limited by 6078 this Well-Known Protocol Access Descriptor: 6080 - allow -- IP management access using this protocol/port 6081 is allowed if this bit is set, and to be denied if this 6082 bit is not set. 6084 - wkpWildcard -- if this bit is set, the IP Protocol number 6085 of the Well-Known Protocol to be allowed/denied is 6086 specified by the value of t11FcSpPoNaWkpDescrWkpNumber. 
6088 - destPortWildcard -- if this bit is set, the Destination 6089 (TCP/UDP) Port number of the Well-Known Protocol to be 6090 allowed/denied is specified by the value of 6091 t11FcSpPoNaWkpDescrDestPort. 6093 - readOnly -- if this bit is set then access is to be 6094 granted only for reading." 6095 REFERENCE 6096 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6097 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6098 section 7.1.7.1 and table 131." 6099 ::= { t11FcSpPoNaWkpDescrEntry 3 } 6101 t11FcSpPoNaWkpDescrWkpNumber OBJECT-TYPE 6102 SYNTAX Unsigned32 (0..255) 6103 MAX-ACCESS read-create 6104 STATUS current 6105 DESCRIPTION 6106 "When the 'wkpWildcard' bit is set in the corresponding 6107 instance of t11FcSpPoNaWkpDescrFlags, this object specifies 6108 the IP protocol number of the Well-Known Protocol." 6109 REFERENCE 6110 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6111 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6112 section 7.1.7.1 and table 131. 6113 - http://www.iana.org/assignments/protocol-numbers." 6114 ::= { t11FcSpPoNaWkpDescrEntry 4 } 6116 t11FcSpPoNaWkpDescrDestPort OBJECT-TYPE 6117 SYNTAX Unsigned32 (0..65535) 6118 MAX-ACCESS read-create 6119 STATUS current 6120 DESCRIPTION 6121 "When the 'destPortWildcard' bit is set in the corresponding 6122 instance of t11FcSpPoNaWkpDescrFlags, this object specifies 6123 the Destination (TCP/UDP) Port number of the Well-Known 6124 Protocol." 6125 REFERENCE 6126 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6127 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6128 section 7.1.7.1 and table 131. 6129 - http://www.iana.org/assignments/port-numbers." 6130 ::= { t11FcSpPoNaWkpDescrEntry 5 } 6132 t11FcSpPoNaWkpDescrRowStatus OBJECT-TYPE 6133 SYNTAX RowStatus 6134 MAX-ACCESS read-create 6135 STATUS current 6136 DESCRIPTION 6137 "The status of this row. Values of object instances 6138 within the row can be modified at any time." 
6139 ::= { t11FcSpPoNaWkpDescrEntry 6 } 6141 -- 6142 -- Attribute Entries in Non-Active Attribute Policy Objects 6143 -- 6145 t11FcSpPoNaAttribTable OBJECT-TYPE 6146 SYNTAX SEQUENCE OF T11FcSpPoNaAttribEntry 6147 MAX-ACCESS not-accessible 6148 STATUS current 6149 DESCRIPTION 6150 "A table of the Attribute Policy Objects being used within 6151 non-active Policy Objects. 6153 A non-active Attribute Policy Object is represented by all 6154 the Attribute Entries in this table which have the same 6155 value of t11FcSpPoNaAttribName." 6156 ::= { t11FcSpPoNonActive 9 } 6158 t11FcSpPoNaAttribEntry OBJECT-TYPE 6159 SYNTAX T11FcSpPoNaAttribEntry 6160 MAX-ACCESS not-accessible 6161 STATUS current 6162 DESCRIPTION 6163 "Each entry contains information about one Attribute 6164 Entry contained within an Attribute Policy Object 6165 which is non-active within the Fabric identified by 6166 t11FcSpPoFabricIndex and managed within the Fibre Channel 6167 management instance identified by fcmInstanceIndex. 6169 For some types of Attribute Policy Objects, it is valuable 6170 to break-out some semantically-significant parts of the 6171 Policy Object's value into their own individual MIB 6172 objects; for example, to extract the one or more individual 6173 Authentication Protocol Identifiers and associated 6174 Authentication Protocol Parameters out of an Attribute 6175 containing an 'AUTH_Negotiate Message Payload'. For such 6176 types, another MIB table is defined to hold the extracted 6177 values in MIB objects specific to the Attribute Policy 6178 Object's type. In such cases, the 6179 t11FcSpPoNaAttribExtension object in this table points to 6180 the other MIB table. 6182 If the value of one Attribute Entry is too large (more than 6183 256 bytes) to be contained within the value of one instance 6184 of t11FcSpPoNaAttribValue, then one row in this table 6185 contains the first 256 bytes, and one (or more) other row(s) 6186 in this table contain the rest of the value.
6188 The StorageType of a row in this table is specified by the 6189 instance of t11FcSpPoStorageType which is INDEX-ed by the 6190 same values of fcmInstanceIndex and t11FcSpPoFabricIndex." 6191 INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex, 6192 t11FcSpPoNaAttribName, t11FcSpPoNaAttribEntryIndex, 6193 t11FcSpPoNaAttribPartIndex } 6194 ::= { t11FcSpPoNaAttribTable 1 } 6196 T11FcSpPoNaAttribEntry ::= SEQUENCE { 6197 t11FcSpPoNaAttribName T11FcSpAlphaNumName, 6198 t11FcSpPoNaAttribEntryIndex Unsigned32, 6199 t11FcSpPoNaAttribPartIndex Unsigned32, 6200 t11FcSpPoNaAttribType Unsigned32, 6201 t11FcSpPoNaAttribValue OCTET STRING, 6202 t11FcSpPoNaAttribExtension OBJECT IDENTIFIER, 6203 t11FcSpPoNaAttribRowStatus RowStatus 6204 } 6206 t11FcSpPoNaAttribName OBJECT-TYPE 6207 SYNTAX T11FcSpAlphaNumName 6208 MAX-ACCESS not-accessible 6209 STATUS current 6210 DESCRIPTION 6211 "The name of the Attribute Policy Object containing one 6212 or more Attribute Entries." 6213 REFERENCE 6214 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6215 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6216 section 7.1.8.1 and table 133." 6217 ::= { t11FcSpPoNaAttribEntry 1 } 6219 t11FcSpPoNaAttribEntryIndex OBJECT-TYPE 6220 SYNTAX Unsigned32 (1..4294967295) 6221 MAX-ACCESS not-accessible 6222 STATUS current 6223 DESCRIPTION 6224 "A unique value to distinguish this Attribute Entry 6225 from other Attribute Entries contained in the same 6226 Attribute Policy Object." 6227 REFERENCE 6228 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6229 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6230 section 7.1.8.1, tables 133/134." 
6231 ::= { t11FcSpPoNaAttribEntry 2 } 6233 t11FcSpPoNaAttribPartIndex OBJECT-TYPE 6234 SYNTAX Unsigned32 (1..4294967295) 6235 MAX-ACCESS not-accessible 6236 STATUS current 6237 DESCRIPTION 6238 "When the value of an Attribute Entry is shorter than 257 6239 bytes, the whole value is contained in one instance of 6240 t11FcSpPoNaAttribValue, and the value of this object is 1. 6242 If the value of an Attribute Entry is longer than 256 bytes, 6243 then that value is divided up on 256 byte boundaries such 6244 that all parts are 256 bytes long except the last part which 6245 is shorter if necessary, with each such part contained in 6246 a separate row of this table, and the value of this object 6247 is set to the part number. That is, this object has the 6248 value of 1 for bytes 0-255, the value of 2 for bytes 6249 256-511, ... etc." 6250 REFERENCE 6251 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6252 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6253 section 7.1.8.1, tables 134/135." 6254 ::= { t11FcSpPoNaAttribEntry 3 } 6256 t11FcSpPoNaAttribType OBJECT-TYPE 6257 SYNTAX Unsigned32 (1..4294967295) 6258 MAX-ACCESS read-create 6259 STATUS current 6260 DESCRIPTION 6261 "The type of attribute. The first type to be defined is: 6263 t11FcSpPoNaAttribType t11FcSpPoNaAttribValue 6264 =================== ==================== 6265 '00000001'h The AUTH_Negotiate Message Payload 6267 " 6268 REFERENCE 6269 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6270 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6271 section 7.1.8.1, tables 134/135 and table 10." 
6272 ::= { t11FcSpPoNaAttribEntry 4 } 6274 t11FcSpPoNaAttribValue OBJECT-TYPE 6275 SYNTAX OCTET STRING (SIZE (0..256)) 6276 MAX-ACCESS read-create 6277 STATUS current 6278 DESCRIPTION 6279 "The value of an Attribute Entry is divided up on 256 byte 6280 boundaries such that all parts are 256 bytes long except the 6281 last part which is shorter if necessary, and each such part 6282 is contained in a separate instance of this object. 6284 When the value of the corresponding instance of 6285 t11FcSpPoNaAttribExtension is not zeroDotZero, then the same 6286 underlying management data has its value contained both in 6287 this object and in the individual/broken-out parts pointed 6288 to by t11FcSpPoNaAttribExtension. Thus, after any 6289 modification of the underlying management data, e.g., after 6290 a Set operation to the value of either MIB representation, 6291 then that modification is reflected in the values of both 6292 MIB representations." 6293 REFERENCE 6294 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6295 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6296 section 7.1.8.1, tables 134/135 and table 10." 6297 ::= { t11FcSpPoNaAttribEntry 5 } 6299 t11FcSpPoNaAttribExtension OBJECT-TYPE 6300 SYNTAX OBJECT IDENTIFIER 6301 MAX-ACCESS read-only 6302 STATUS current 6303 DESCRIPTION 6304 "For some types of Attribute Policy Object, the value of 6305 this MIB object points to type-specific MIB objects which 6306 contain individual/broken-out parts of the Attribute Policy 6307 Object's value. If this object doesn't point to such 6308 type-specific MIB objects, then it contains the value: 6309 zeroDotZero. 
6311 In particular, when the value of t11FcSpPoNaAttribType 6312 indicates 'AUTH_Negotiate Message Payload', one or more 6313 Authentication Protocol Identifiers and their associated 6314 Authentication Protocol Parameters are embedded within 6315 the value of the corresponding instance of 6316 t11FcSpPoNaAttribValue; MIB objects to contain these 6317 individual values are defined in the 6318 t11FcSpPoNaAuthProtTable. Thus, for an 'AUTH_Negotiate 6319 Message Payload' Attribute, the value of this object would 6320 contain the OID of t11FcSpPoNaAuthProtTable. 6322 When the value of this object is not zeroDotZero, then the 6323 same underlying management data has its value contained in 6324 both the individual/broken-out parts pointed to by this 6325 object and in the corresponding instance of 6326 t11FcSpPoNaAttribValue. Thus, after any modification of the 6327 underlying management data, e.g., after a Set operation to 6328 the value of either MIB representation, then that 6329 modification is reflected in the values of both MIB 6330 representations." 6331 ::= { t11FcSpPoNaAttribEntry 6 } 6333 t11FcSpPoNaAttribRowStatus OBJECT-TYPE 6334 SYNTAX RowStatus 6335 MAX-ACCESS read-create 6336 STATUS current 6337 DESCRIPTION 6338 "The status of this row. Values of object instances 6339 within the row can be modified at any time." 6340 ::= { t11FcSpPoNaAttribEntry 7 } 6342 -- 6343 -- Auth. Protocol Parameters in Non-Active Attribute Policy Objects 6344 -- 6346 t11FcSpPoNaAuthProtTable OBJECT-TYPE 6347 SYNTAX SEQUENCE OF T11FcSpPoNaAuthProtEntry 6348 MAX-ACCESS not-accessible 6349 STATUS current 6350 DESCRIPTION 6351 "A table of Authentication Protocol Identifier and 6352 Authentication Protocol Parameters which are embedded in 6353 Attribute Policy Objects being used within non-active 6354 Policy Objects.
6356 This table is used for Attribute Entries of Attribute Policy 6357 Objects for which the value of t11FcSpPoNaAttribType 6358 indicates 'AUTH_Negotiate Message Payload' and the value of 6359 t11FcSpPoNaAttribExtension contains the OID of this table." 6360 REFERENCE 6361 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6362 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6363 sections 5.3.2 & 7.1.8.1, tables 134/135 and tables 10/11." 6364 ::= { t11FcSpPoNonActive 10 } 6366 t11FcSpPoNaAuthProtEntry OBJECT-TYPE 6367 SYNTAX T11FcSpPoNaAuthProtEntry 6368 MAX-ACCESS not-accessible 6369 STATUS current 6370 DESCRIPTION 6371 "Each row contains information about an Authentication 6372 Protocol which is extracted out of the Attribute Entry 6373 (identified by t11FcSpPoNaAttribEntryIndex) of the 6374 non-active Policy Attribute Object (identified by 6375 t11FcSpPoNaAttribName) for the Fabric identified by 6376 t11FcSpPoFabricIndex and managed within the Fibre Channel 6377 management instance identified by fcmInstanceIndex. 6379 If the value of one Attribute Protocol Parameters string is 6380 too large (more than 256 bytes) to be contained within the 6381 value of one instance of t11FcSpPoNaAuthProtParams, then 6382 one row in this table contains the first 256 bytes, and 6383 one (or more) other row(s) in this table contain the rest 6384 of the value. 6386 The same underlying management data which is represented in 6387 rows of this table is also represented by the corresponding 6388 instances of t11FcSpPoNaAttribValue. Thus, after any 6389 modification of the underlying management data, e.g., after 6390 a Set operation to the value of either MIB representation, 6391 then that modification is reflected in the values of both 6392 MIB representations." 
6393 INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex, 6394 t11FcSpPoNaAttribName, t11FcSpPoNaAttribEntryIndex, 6395 t11FcSpPoNaAuthProtIdentifier, 6396 t11FcSpPoNaAuthProtPartIndex } 6397 ::= { t11FcSpPoNaAuthProtTable 1 } 6399 T11FcSpPoNaAuthProtEntry ::= SEQUENCE { 6400 t11FcSpPoNaAuthProtIdentifier Unsigned32, 6401 t11FcSpPoNaAuthProtPartIndex Unsigned32, 6402 t11FcSpPoNaAuthProtParams OCTET STRING, 6403 t11FcSpPoNaAuthProtRowStatus RowStatus 6404 } 6406 t11FcSpPoNaAuthProtIdentifier OBJECT-TYPE 6407 SYNTAX Unsigned32 6408 MAX-ACCESS not-accessible 6409 STATUS current 6410 DESCRIPTION 6411 "The Authentication Protocol Identifier: 6413 1 = DH-CHAP 6414 3 = FCPAP 6415 4 = IKEv2 6416 5 = IKEv2-AUTH 6417 240 thru 255 = Vendor Specific Protocols 6419 all other values are 'Reserved' (by T11)." 6420 REFERENCE 6421 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6422 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6423 section 5.3.2, table 11." 6424 ::= { t11FcSpPoNaAuthProtEntry 1 } 6426 t11FcSpPoNaAuthProtPartIndex OBJECT-TYPE 6427 SYNTAX Unsigned32 (1..4294967295) 6428 MAX-ACCESS not-accessible 6429 STATUS current 6430 DESCRIPTION 6431 "When the value of an Attribute Protocol Parameters string 6432 is shorter than 257 bytes, the whole value is contained in 6433 one instance of t11FcSpPoNaAuthProtParams, and the value of 6434 this object is 1. (This includes the case when the Attribute 6435 Protocol Parameters string is zero bytes in length.) 6437 If the value of an Authentication Protocol Parameters string 6438 is longer than 256 bytes, then that value is divided up on 6439 256 byte boundaries such that all parts are 256 bytes long 6440 except the last part which is shorter if necessary, with 6441 each such part contained in a separate row of this table, 6442 and the value of this object is set to the part number. 6443 That is, this object has the value of 1 for bytes 0-255, 6444 the value of 2 for bytes 256-511, ... etc." 
6445 REFERENCE 6446 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6447 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6448 section 5.3.2, table 10." 6449 ::= { t11FcSpPoNaAuthProtEntry 2 } 6451 t11FcSpPoNaAuthProtParams OBJECT-TYPE 6452 SYNTAX OCTET STRING (SIZE (0..256)) 6453 MAX-ACCESS read-create 6454 STATUS current 6455 DESCRIPTION 6456 "The value of an Authentication Protocol Parameters string 6457 is divided up on 256 byte boundaries such that all parts 6458 are 256 bytes long except the last part which is shorter 6459 if necessary, and each such part is contained in a 6460 separate instance of this object." 6461 REFERENCE 6462 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6463 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6464 section 5.3.2, table 10." 6465 ::= { t11FcSpPoNaAuthProtEntry 3 } 6467 t11FcSpPoNaAuthProtRowStatus OBJECT-TYPE 6468 SYNTAX RowStatus 6469 MAX-ACCESS read-create 6470 STATUS current 6471 DESCRIPTION 6472 "The status of this row. Values of object instances 6473 within the row can be modified at any time." 6474 ::= { t11FcSpPoNaAuthProtEntry 4 } 6476 -- 6477 -- Part 4 - Statistics 6478 -- 6480 t11FcSpPoStatsTable OBJECT-TYPE 6481 SYNTAX SEQUENCE OF T11FcSpPoStatsEntry 6482 MAX-ACCESS not-accessible 6483 STATUS current 6484 DESCRIPTION 6485 "A table of statistics maintained by FC-SP Security 6486 Policy Servers." 6487 ::= { t11FcSpPoStatistics 1 } 6489 t11FcSpPoStatsEntry OBJECT-TYPE 6490 SYNTAX T11FcSpPoStatsEntry 6491 MAX-ACCESS not-accessible 6492 STATUS current 6493 DESCRIPTION 6494 "A set of statistics for the FC-SP Security Policy Server on 6495 the Fabric identified by the value of t11FcSpPoFabricIndex, 6496 and managed within the Fibre Channel management instance 6497 identified by fcmInstanceIndex." 
6498 INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex } 6499 ::= { t11FcSpPoStatsTable 1 } 6501 T11FcSpPoStatsEntry ::= SEQUENCE { 6502 t11FcSpPoInRequests Counter32, 6503 t11FcSpPoInAccepts Counter32, 6504 t11FcSpPoInRejects Counter32 6505 } 6507 t11FcSpPoInRequests OBJECT-TYPE 6508 SYNTAX Counter32 6509 MAX-ACCESS read-only 6510 STATUS current 6511 DESCRIPTION 6512 "The number of FC-SP Policy Management Requests 6513 (e.g., GPS, APS, etc.) received by this FC-SP 6514 Security Policy Server on this Fabric. 6516 This counter has no discontinuities other than those 6517 which all Counter32's have when sysUpTime=0." 6518 REFERENCE 6519 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6520 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6521 section 7.3." 6522 ::= { t11FcSpPoStatsEntry 1 } 6524 t11FcSpPoInAccepts OBJECT-TYPE 6525 SYNTAX Counter32 6526 MAX-ACCESS read-only 6527 STATUS current 6528 DESCRIPTION 6529 "The number of times that this FC-SP Security Policy Server 6530 sent an Accept CT_IU on this Fabric in response to a 6531 received FC-SP Policy Management Request (e.g., GPS, APS, 6532 etc.). 6534 This counter has no discontinuities other than those 6535 which all Counter32's have when sysUpTime=0." 6536 REFERENCE 6537 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6538 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6539 section 7.3." 6540 ::= { t11FcSpPoStatsEntry 2 } 6542 t11FcSpPoInRejects OBJECT-TYPE 6543 SYNTAX Counter32 6544 MAX-ACCESS read-only 6545 STATUS current 6546 DESCRIPTION 6547 "The number of times that this FC-SP Security Policy Server 6548 sent a Reject CT_IU on this Fabric in response to a 6549 received FC-SP Policy Management Request (e.g., GPS, APS, 6550 etc.). 6552 This counter has no discontinuities other than those 6553 which all Counter32's have when sysUpTime=0." 6554 REFERENCE 6555 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6556 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 6557 section 7.3." 
6558 ::= { t11FcSpPoStatsEntry 3 } 6560 -- 6561 -- Part 5 - Control Information & Notifications 6562 -- 6564 -- 6565 -- Control Information 6566 -- 6568 t11FcSpPoServerAddress OBJECT-TYPE 6569 SYNTAX FcNameIdOrZero 6570 MAX-ACCESS accessible-for-notify 6571 STATUS current 6572 DESCRIPTION 6573 "The WWN of the FC-SP Security Policy Server which 6574 received a request which is referenced in a 6575 notification." 6576 ::= { t11FcSpPoControl 1 } 6578 t11FcSpPoControlTable OBJECT-TYPE 6579 SYNTAX SEQUENCE OF T11FcSpPoControlEntry 6580 MAX-ACCESS not-accessible 6581 STATUS current 6582 DESCRIPTION 6583 "A table of control information, including the memory 6584 realization of FC-SP Policy Databases, and concerning 6585 the generation of notifications due to FC-SP 6586 Policy-related events." 6587 ::= { t11FcSpPoControl 2 } 6589 t11FcSpPoControlEntry OBJECT-TYPE 6590 SYNTAX T11FcSpPoControlEntry 6591 MAX-ACCESS not-accessible 6592 STATUS current 6593 DESCRIPTION 6594 "Each entry contains control information specific to FC-SP 6595 Policy and Policy-related events for the Fabric identified 6596 by the value of t11FcSpPoFabricIndex, and managed within 6597 the Fibre Channel management instance identified by 6598 fcmInstanceIndex." 
6599 INDEX { fcmInstanceIndex, t11FcSpPoFabricIndex } 6600 ::= { t11FcSpPoControlTable 1 } 6602 T11FcSpPoControlEntry ::= SEQUENCE { 6603 t11FcSpPoStorageType StorageType, 6604 t11FcSpPoNotificationEnable TruthValue, 6605 t11FcSpPoLastNotifyType INTEGER, 6606 t11FcSpPoRequestSource FcNameIdOrZero, 6607 t11FcSpPoReasonCode T11NsGs4RejectReasonCode, 6608 t11FcSpPoCtCommandString OCTET STRING, 6609 t11FcSpPoReasonCodeExp Unsigned32, 6610 t11FcSpPoReasonVendorCode OCTET STRING 6611 } 6613 t11FcSpPoStorageType OBJECT-TYPE 6614 SYNTAX StorageType 6615 MAX-ACCESS read-write 6616 STATUS current 6617 DESCRIPTION 6618 "This object specifies the memory realization of FC-SP 6619 Policy Objects and related information for a particular 6620 Fabric; specifically, for: 6622 - rows created and/or modified for the particular 6623 Fabric in these tables: 6625 t11FcSpPoNaSummaryTable 6626 t11FcSpPoNaSwListTable 6627 t11FcSpPoNaSwMembTable 6628 t11FcSpPoNaNoMembTable 6629 t11FcSpPoNaCtDescrTable 6630 t11FcSpPoNaSwConnTable 6631 t11FcSpPoNaIpMgmtTable 6632 t11FcSpPoNaWkpDescrTable 6633 t11FcSpPoNaAttribTable 6635 - the activate and deactivate actions invoked through 6636 the t11FcSpPoOperActivate and t11FcSpPoOperDeActivate 6637 objects for the particular Fabric; and 6639 - modified information contained in the same row 6640 as an instance of this object. 6642 Even if an instance of this object has the value 6643 'permanent(4)', none of the information defined in 6644 this MIB module for the given Fabric needs to be 6645 writable." 6646 ::= { t11FcSpPoControlEntry 1 } 6648 t11FcSpPoNotificationEnable OBJECT-TYPE 6649 SYNTAX TruthValue 6650 MAX-ACCESS read-write 6651 STATUS current 6652 DESCRIPTION 6653 "This object specifies whether the following types of 6654 notifications: 6656 t11FcSpPoNotifyActivation, 6657 t11FcSpPoNotifyActivateFail, 6658 t11FcSpPoNotifyDeactivation and 6659 t11FcSpPoNotifyDeactivateFail 6661 should be generated for this Fabric." 
6662 ::= { t11FcSpPoControlEntry 2 } 6664 t11FcSpPoLastNotifyType OBJECT-TYPE 6665 SYNTAX INTEGER { 6666 none(1), 6667 activation(2), 6668 activateFail(3), 6669 deactivation(4), 6670 deactivateFail(5) 6671 } 6672 MAX-ACCESS read-only 6673 STATUS current 6674 DESCRIPTION 6675 "An indication of which of the following types of 6676 notification is currently being/was most recently 6677 generated for the Fabric: 6679 'activation' -- t11FcSpPoNotifyActivation 6680 'activateFail' -- t11FcSpPoNotifyActivateFail 6681 'deactivation' -- t11FcSpPoNotifyDeactivation 6682 'deactivateFail' -- t11FcSpPoNotifyDeactivateFail 6684 The value 'none' indicates that none of these types of 6685 notifications have been generated since the last restart 6686 of the network management system, and therefore that the 6687 corresponding instances of: t11FcSpPoRequestSource, 6688 t11FcSpPoReasonCode, t11FcSpPoCtCommandString, 6689 t11FcSpPoReasonCodeExp and 6690 t11FcSpPoReasonVendorCode are irrelevant." 6691 ::= { t11FcSpPoControlEntry 3 } 6693 t11FcSpPoRequestSource OBJECT-TYPE 6694 SYNTAX FcNameIdOrZero 6695 MAX-ACCESS read-only 6696 STATUS current 6697 DESCRIPTION 6698 "The WWN of the source of the (Activate Policy Summary 6699 or Deactivate Policy Summary) request for which the 6700 current/most recent notification of the type indicated by 6701 the corresponding instance of t11FcSpPoLastNotifyType 6702 is being/was generated. 6704 If no source is available, the value of this object is 6705 the zero-length string." 6706 DEFVAL { "" } 6707 ::= { t11FcSpPoControlEntry 4 } 6709 t11FcSpPoReasonCode OBJECT-TYPE 6710 SYNTAX T11NsGs4RejectReasonCode 6711 MAX-ACCESS read-only 6712 STATUS current 6713 DESCRIPTION 6714 "The reason code associated with the failure which is 6715 indicated when the value of the corresponding instance 6716 of t11FcSpPoLastNotifyType is 'activateFail' or 6717 'deactivateFail'. 6719 For other values of t11FcSpPoLastNotifyType, the value 6720 of this object is 'none(1)'." 
6721 REFERENCE 6722 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6723 Fibre Channel - Security Protocols (FC-SP), 6724 13 June 2006, section 7.3.6.2 & 7.3.6.3" 6725 ::= { t11FcSpPoControlEntry 5 } 6727 t11FcSpPoCtCommandString OBJECT-TYPE 6728 SYNTAX OCTET STRING (SIZE (0..255)) 6729 MAX-ACCESS read-only 6730 STATUS current 6731 DESCRIPTION 6732 "The binary content of the failed request which is 6733 indicated when the value of the corresponding instance of 6734 t11FcSpPoLastNotifyType is 'activateFail' or 6735 'deactivateFail'. The content of the request is formatted 6736 as an octet string (in network byte order) containing the 6737 CT_IU, as described in Table 2 of [FC-GS-5] (including the 6738 preamble). 6740 For other values of t11FcSpPoLastNotifyType, or if the 6741 CT_IU's content is unavailable, the value of this object 6742 is the zero-length string. 6744 When the length of this object is 255 octets, it 6745 contains the first 255 octets of the CT_IU (in 6746 network-byte order)." 6747 ::= { t11FcSpPoControlEntry 6 } 6749 t11FcSpPoReasonCodeExp OBJECT-TYPE 6750 SYNTAX Unsigned32 (0..255) 6751 MAX-ACCESS read-only 6752 STATUS current 6753 DESCRIPTION 6754 "The reason code explanation associated with the failure 6755 which is indicated when the value of the corresponding 6756 instance of t11FcSpPoLastNotifyType is 'activateFail' or 6757 'deactivateFail'. 6759 For other values of t11FcSpPoLastNotifyType, the value 6760 of this object is zero." 
6761 REFERENCE 6762 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6763 Fibre Channel - Security Protocols (FC-SP), 6764 13 June 2006, section 7.3.6.2 & 7.3.6.3" 6765 ::= { t11FcSpPoControlEntry 7 } 6767 t11FcSpPoReasonVendorCode OBJECT-TYPE 6768 SYNTAX OCTET STRING (SIZE (0 | 1)) 6769 MAX-ACCESS read-only 6770 STATUS current 6771 DESCRIPTION 6772 "The vendor-specific reason code associated with the failure 6773 which is indicated when the value of the corresponding 6774 instance of t11FcSpPoLastNotifyType is 'activateFail' or 6775 'deactivateFail'. 6777 For other values of t11FcSpPoLastNotifyType, or if no 6778 vendor-specific reason code is available, the value 6779 of this object is the zero-length string." 6780 REFERENCE 6781 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6782 Fibre Channel - Security Protocols (FC-SP), 6783 13 June 2006, section 7.3.6.2 & 7.3.6.3" 6784 ::= { t11FcSpPoControlEntry 8 } 6786 -- 6787 -- Notification definitions 6788 -- 6790 t11FcSpPoNotifyActivation NOTIFICATION-TYPE 6791 OBJECTS { t11FcSpPoServerAddress, 6792 t11FcSpPoPolicySummaryObjName, 6793 t11FcSpPoRequestSource } 6794 STATUS current 6795 DESCRIPTION 6796 "This notification is generated whenever a Security 6797 Policy Server (indicated by the value of 6798 t11FcSpPoServerAddress) successfully completes the 6799 execution of an Activate Policy Summary request. 6800 The value of t11FcSpPoRequestSource indicates 6801 the source of the APS request. The value of 6802 t11FcSpPoPolicySummaryObjName indicates the name of 6803 the activated Policy Summary Object." 
6804 ::= { t11FcSpPoMIBNotifications 1 } 6806 t11FcSpPoNotifyActivateFail NOTIFICATION-TYPE 6807 OBJECTS { t11FcSpPoServerAddress, 6808 t11FcSpPoRequestSource, 6809 t11FcSpPoCtCommandString, 6810 t11FcSpPoReasonCode, 6811 t11FcSpPoReasonCodeExp, 6812 t11FcSpPoReasonVendorCode } 6813 STATUS current 6814 DESCRIPTION 6815 "This notification is generated whenever a Security Policy 6816 Server (indicated by the value of t11FcSpPoServerAddress) 6817 fails to complete the execution of an Activate Policy 6818 Summary request. 6820 The value of t11FcSpPoCtCommandString indicates the 6821 rejected request, and the values of t11FcSpPoReasonCode, 6822 t11FcSpPoReasonCodeExp and t11FcSpPoReasonVendorCode 6823 indicate the reason for the rejection. The value of 6824 t11FcSpPoRequestSource indicates the source of the 6825 request." 6826 REFERENCE 6827 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6828 Fibre Channel - Security Protocols (FC-SP), 6829 13 June 2006, section 7.3.6.2." 6830 ::= { t11FcSpPoMIBNotifications 2 } 6832 t11FcSpPoNotifyDeactivation NOTIFICATION-TYPE 6833 OBJECTS { t11FcSpPoServerAddress, 6834 t11FcSpPoRequestSource } 6835 STATUS current 6836 DESCRIPTION 6837 "This notification is generated whenever a Security 6838 Policy Server (indicated by the value of 6839 t11FcSpPoServerAddress) successfully completes the 6840 execution of a Deactivate Policy Summary request. 6841 The value of t11FcSpPoRequestSource indicates 6842 the source of the DPS request." 6843 REFERENCE 6844 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 6845 Fibre Channel - Security Protocols (FC-SP), 6846 13 June 2006, section 7.3.6.3." 
6847 ::= { t11FcSpPoMIBNotifications 3 } 6849 t11FcSpPoNotifyDeactivateFail NOTIFICATION-TYPE 6850 OBJECTS { t11FcSpPoServerAddress, 6851 t11FcSpPoRequestSource, 6852 t11FcSpPoCtCommandString, 6853 t11FcSpPoReasonCode, 6854 t11FcSpPoReasonCodeExp, 6855 t11FcSpPoReasonVendorCode } 6856 STATUS current 6857 DESCRIPTION 6858 "This notification is generated whenever a Security Policy 6859 Server (indicated by the value of t11FcSpPoServerAddress) 6860 fails to complete the execution of a Deactivate Policy 6861 Summary request. 6863 The value of t11FcSpPoCtCommandString indicates the 6864 rejected request, and the values of t11FcSpPoReasonCode, 6865 t11FcSpPoReasonCodeExp and t11FcSpPoReasonVendorCode 6866 indicate the reason for the rejection. The value of 6867 t11FcSpPoRequestSource indicates the source of the 6868 request." 6869 ::= { t11FcSpPoMIBNotifications 4 } 6871 -- 6872 -- Conformance 6873 -- 6875 t11FcSpPoMIBCompliances 6876 OBJECT IDENTIFIER ::= { t11FcSpPoMIBConformance 1 } 6877 t11FcSpPoMIBGroups OBJECT IDENTIFIER ::= { t11FcSpPoMIBConformance 2 } 6879 t11FcSpPoMIBCompliance MODULE-COMPLIANCE 6880 STATUS current 6881 DESCRIPTION 6882 "The compliance statement for entities which 6883 support the Fabric Policies defined in FC-SP," 6885 MODULE -- this module 6886 MANDATORY-GROUPS { t11FcSpPoActiveObjectsGroup } 6888 GROUP t11FcSpPoNonActiveObjectsGroup 6889 DESCRIPTION 6890 "These objects are mandatory for FC-SP Security Policy 6891 Servers." 6893 GROUP t11FcSpPoNotifyObjectsGroup 6894 DESCRIPTION 6895 "These objects are mandatory for FC-SP Security Policy 6896 Servers." 6898 GROUP t11FcSpPoNotificationGroup 6899 DESCRIPTION 6900 "These notifications are mandatory for FC-SP Security 6901 Policy Servers." 6903 GROUP t11FcSpPoOperationsObjectsGroup 6904 DESCRIPTION 6905 "These objects are mandatory only for FC-SP Security 6906 Policy Servers which support the activation/deactivation 6907 of policies via SNMP." 
6909 GROUP t11FcSpPoStatsObjectsGroup 6910 DESCRIPTION 6911 "These objects are optional." 6913 -- Write access is not required for any objects in this MIB module: 6915 OBJECT t11FcSpPoOperActivate 6916 MIN-ACCESS read-only 6917 DESCRIPTION 6918 "Write access is not required." 6920 OBJECT t11FcSpPoOperDeActivate 6921 MIN-ACCESS read-only 6922 DESCRIPTION 6923 "Write access is not required." 6925 OBJECT t11FcSpPoStorageType 6926 MIN-ACCESS read-only 6927 DESCRIPTION 6928 "Write access is not required." 6930 OBJECT t11FcSpPoNotificationEnable 6931 MIN-ACCESS read-only 6932 DESCRIPTION 6933 "Write access is not required." 6935 OBJECT t11FcSpPoNaSummaryPolicyNameType 6936 MIN-ACCESS read-only 6937 DESCRIPTION 6938 "Write access is not required." 6940 OBJECT t11FcSpPoNaSummaryPolicyName 6941 MIN-ACCESS read-only 6942 DESCRIPTION 6943 "Write access is not required." 6945 OBJECT t11FcSpPoNaSummaryHashStatus 6946 MIN-ACCESS read-only 6947 DESCRIPTION 6948 "Write access is not required." 6950 OBJECT t11FcSpPoNaSummaryRowStatus 6951 MIN-ACCESS read-only 6952 DESCRIPTION 6953 "Write access is not required." 6955 OBJECT t11FcSpPoNaSwListFabricName 6956 MIN-ACCESS read-only 6957 DESCRIPTION 6958 "Write access is not required." 6960 OBJECT t11FcSpPoNaSwListRowStatus 6961 MIN-ACCESS read-only 6962 DESCRIPTION 6963 "Write access is not required." 6965 OBJECT t11FcSpPoNaSwMembFlags 6966 MIN-ACCESS read-only 6967 DESCRIPTION 6968 "Write access is not required." 6970 OBJECT t11FcSpPoNaSwMembDomainID 6971 MIN-ACCESS read-only 6972 DESCRIPTION 6973 "Write access is not required." 6975 OBJECT t11FcSpPoNaSwMembPolicyDataRole 6976 MIN-ACCESS read-only 6977 DESCRIPTION 6978 "Write access is not required." 6980 OBJECT t11FcSpPoNaSwMembAuthBehaviour 6981 MIN-ACCESS read-only 6982 DESCRIPTION 6983 "Write access is not required." 6985 OBJECT t11FcSpPoNaSwMembAttribute 6986 MIN-ACCESS read-only 6987 DESCRIPTION 6988 "Write access is not required." 
6990 OBJECT t11FcSpPoNaSwMembRowStatus 6991 MIN-ACCESS read-only 6992 DESCRIPTION 6993 "Write access is not required." 6995 OBJECT t11FcSpPoNaNoMembFlags 6996 MIN-ACCESS read-only 6997 DESCRIPTION 6998 "Write access is not required." 7000 OBJECT t11FcSpPoNaNoMembCtAccessIndex 7001 MIN-ACCESS read-only 7002 DESCRIPTION 7003 "Write access is not required." 7005 OBJECT t11FcSpPoNaNoMembAttribute 7006 MIN-ACCESS read-only 7007 DESCRIPTION 7008 "Write access is not required." 7010 OBJECT t11FcSpPoNaNoMembRowStatus 7011 MIN-ACCESS read-only 7012 DESCRIPTION 7013 "Write access is not required." 7015 OBJECT t11FcSpPoNaCtDescrFlags 7016 MIN-ACCESS read-only 7017 DESCRIPTION 7018 "Write access is not required." 7020 OBJECT t11FcSpPoNaCtDescrGsType 7021 MIN-ACCESS read-only 7022 DESCRIPTION 7023 "Write access is not required." 7025 OBJECT t11FcSpPoNaCtDescrGsSubType 7026 MIN-ACCESS read-only 7027 DESCRIPTION 7028 "Write access is not required." 7030 OBJECT t11FcSpPoNaCtDescrRowStatus 7031 MIN-ACCESS read-only 7032 DESCRIPTION 7033 "Write access is not required." 7035 OBJECT t11FcSpPoNaSwConnAllowedNameType 7036 MIN-ACCESS read-only 7037 DESCRIPTION 7038 "Write access is not required." 7040 OBJECT t11FcSpPoNaSwConnAllowedName 7041 MIN-ACCESS read-only 7042 DESCRIPTION 7043 "Write access is not required." 7045 OBJECT t11FcSpPoNaSwConnRowStatus 7046 MIN-ACCESS read-only 7047 DESCRIPTION 7048 "Write access is not required." 7050 OBJECT t11FcSpPoNaIpMgmtWkpIndex 7051 MIN-ACCESS read-only 7052 DESCRIPTION 7053 "Write access is not required." 7055 OBJECT t11FcSpPoNaIpMgmtAttribute 7056 MIN-ACCESS read-only 7057 DESCRIPTION 7058 "Write access is not required." 7060 OBJECT t11FcSpPoNaIpMgmtRowStatus 7061 MIN-ACCESS read-only 7062 DESCRIPTION 7063 "Write access is not required." 7065 OBJECT t11FcSpPoNaWkpDescrFlags 7066 MIN-ACCESS read-only 7067 DESCRIPTION 7068 "Write access is not required." 
7070 OBJECT t11FcSpPoNaWkpDescrWkpNumber 7071 MIN-ACCESS read-only 7072 DESCRIPTION 7073 "Write access is not required." 7075 OBJECT t11FcSpPoNaWkpDescrDestPort 7076 MIN-ACCESS read-only 7077 DESCRIPTION 7078 "Write access is not required." 7080 OBJECT t11FcSpPoNaWkpDescrRowStatus 7081 MIN-ACCESS read-only 7082 DESCRIPTION 7083 "Write access is not required." 7085 OBJECT t11FcSpPoNaAttribType 7086 MIN-ACCESS read-only 7087 DESCRIPTION 7088 "Write access is not required." 7090 OBJECT t11FcSpPoNaAttribValue 7091 MIN-ACCESS read-only 7092 DESCRIPTION 7093 "Write access is not required." 7095 OBJECT t11FcSpPoNaAttribRowStatus 7096 MIN-ACCESS read-only 7097 DESCRIPTION 7098 "Write access is not required." 7100 OBJECT t11FcSpPoNaAuthProtParams 7101 MIN-ACCESS read-only 7102 DESCRIPTION 7103 "Write access is not required." 7105 OBJECT t11FcSpPoNaAuthProtRowStatus 7106 MIN-ACCESS read-only 7107 DESCRIPTION 7108 "Write access is not required." 7110 ::= { t11FcSpPoMIBCompliances 1 } 7112 -- Units of Conformance 7114 t11FcSpPoActiveObjectsGroup OBJECT-GROUP 7115 OBJECTS { t11FcSpPoPolicySummaryObjName, 7116 t11FcSpPoAdminFabricName, 7117 t11FcSpPoActivatedTimeStamp, 7118 t11FcSpPoSummaryPolicyType, 7119 t11FcSpPoSummaryHashFormat, 7120 t11FcSpPoSummaryHashValue, 7121 t11FcSpPoSwMembSwitchFlags, 7122 t11FcSpPoSwMembDomainID, 7123 t11FcSpPoSwMembPolicyDataRole, 7124 t11FcSpPoSwMembAuthBehaviour, 7125 t11FcSpPoSwMembAttribute, 7126 t11FcSpPoNoMembFlags, 7127 t11FcSpPoNoMembCtAccessIndex, 7128 t11FcSpPoNoMembAttribute, 7129 t11FcSpPoCtDescrFlags, 7130 t11FcSpPoCtDescrGsType, 7131 t11FcSpPoCtDescrGsSubType, 7132 t11FcSpPoSwConnAllowedNameType, 7133 t11FcSpPoSwConnAllowedName, 7134 t11FcSpPoIpMgmtWkpIndex, 7135 t11FcSpPoIpMgmtAttribute, 7136 t11FcSpPoWkpDescrFlags, 7137 t11FcSpPoWkpDescrWkpNumber, 7138 t11FcSpPoWkpDescrDestPort, 7139 t11FcSpPoAttribType, 7140 t11FcSpPoAttribValue, 7141 t11FcSpPoAttribExtension, 7142 t11FcSpPoAuthProtParams 7143 } 7144 STATUS current 7145 
DESCRIPTION 7146 "A collection of MIB objects which contain information 7147 about active Policy Objects which express Fibre Channel 7148 Security (FC-SP) policy." 7149 ::= { t11FcSpPoMIBGroups 1 } 7151 t11FcSpPoOperationsObjectsGroup OBJECT-GROUP 7152 OBJECTS { t11FcSpPoOperActivate, 7153 t11FcSpPoOperDeActivate, 7154 t11FcSpPoOperResult, 7155 t11FcSpPoOperFailCause 7156 } 7157 STATUS current 7158 DESCRIPTION 7159 "A collection of MIB objects which allow a new set of 7160 Fibre Channel Security (FC-SP) policies to be activated 7161 or an existing set to be deactivated." 7162 ::= { t11FcSpPoMIBGroups 2 } 7164 t11FcSpPoNonActiveObjectsGroup OBJECT-GROUP 7165 OBJECTS { t11FcSpPoStorageType, 7166 t11FcSpPoNaSummaryPolicyNameType, 7167 t11FcSpPoNaSummaryPolicyName, 7168 t11FcSpPoNaSummaryHashStatus, 7169 t11FcSpPoNaSummaryHashFormat, 7170 t11FcSpPoNaSummaryHashValue, 7171 t11FcSpPoNaSummaryRowStatus, 7172 t11FcSpPoNaSwListFabricName, 7173 t11FcSpPoNaSwListRowStatus, 7174 t11FcSpPoNaSwMembFlags, 7175 t11FcSpPoNaSwMembDomainID, 7176 t11FcSpPoNaSwMembPolicyDataRole, 7177 t11FcSpPoNaSwMembAuthBehaviour, 7178 t11FcSpPoNaSwMembAttribute, 7179 t11FcSpPoNaSwMembRowStatus, 7180 t11FcSpPoNaNoMembFlags, 7181 t11FcSpPoNaNoMembCtAccessIndex, 7182 t11FcSpPoNaNoMembAttribute, 7183 t11FcSpPoNaNoMembRowStatus, 7184 t11FcSpPoNaCtDescrFlags, 7185 t11FcSpPoNaCtDescrGsType, 7186 t11FcSpPoNaCtDescrGsSubType, 7187 t11FcSpPoNaCtDescrRowStatus, 7188 t11FcSpPoNaSwConnAllowedNameType, 7189 t11FcSpPoNaSwConnAllowedName, 7190 t11FcSpPoNaSwConnRowStatus, 7191 t11FcSpPoNaIpMgmtWkpIndex, 7192 t11FcSpPoNaIpMgmtAttribute, 7193 t11FcSpPoNaIpMgmtRowStatus, 7194 t11FcSpPoNaWkpDescrFlags, 7195 t11FcSpPoNaWkpDescrWkpNumber, 7196 t11FcSpPoNaWkpDescrDestPort, 7197 t11FcSpPoNaWkpDescrRowStatus, 7198 t11FcSpPoNaAttribType, 7199 t11FcSpPoNaAttribValue, 7200 t11FcSpPoNaAttribExtension, 7201 t11FcSpPoNaAttribRowStatus, 7202 t11FcSpPoNaAuthProtParams, 7203 t11FcSpPoNaAuthProtRowStatus 7204 } 7205 STATUS current 
7206 DESCRIPTION 7207 "A collection of MIB objects which contain information 7208 about non-active Policy Objects available for activation 7209 in order to change Fibre Channel Security (FC-SP) policy." 7210 ::= { t11FcSpPoMIBGroups 3 } 7212 t11FcSpPoStatsObjectsGroup OBJECT-GROUP 7213 OBJECTS { t11FcSpPoInRequests, 7214 t11FcSpPoInAccepts, 7215 t11FcSpPoInRejects 7216 } 7217 STATUS current 7218 DESCRIPTION 7219 "A collection of MIB objects which contain statistics 7220 which can be maintained by FC-SP Security Policy Servers." 7221 ::= { t11FcSpPoMIBGroups 4 } 7223 t11FcSpPoNotifyObjectsGroup OBJECT-GROUP 7224 OBJECTS { t11FcSpPoNotificationEnable, 7225 t11FcSpPoServerAddress, 7226 t11FcSpPoLastNotifyType, 7227 t11FcSpPoRequestSource, 7228 t11FcSpPoReasonCode, 7229 t11FcSpPoCtCommandString, 7230 t11FcSpPoReasonCodeExp, 7231 t11FcSpPoReasonVendorCode 7232 } 7233 STATUS current 7234 DESCRIPTION 7235 "A collection of MIB objects to control the generation of 7236 notifications concerning Fibre Channel Security (FC-SP) 7237 policy, and to hold information contained in such 7238 notifications." 7239 ::= { t11FcSpPoMIBGroups 5 } 7241 t11FcSpPoNotificationGroup NOTIFICATION-GROUP 7242 NOTIFICATIONS { t11FcSpPoNotifyActivation, 7243 t11FcSpPoNotifyActivateFail, 7244 t11FcSpPoNotifyDeactivation, 7245 t11FcSpPoNotifyDeactivateFail 7246 } 7247 STATUS current 7248 DESCRIPTION 7249 "A collection of notifications of events concerning 7250 Fibre Channel Security (FC-SP) policy." 7251 ::= { t11FcSpPoMIBGroups 6 } 7253 END 7254 6.5. 
The T11-FC-SP-SA-MIB Module 7256 --******************************************************************* 7257 -- FC-SP Security Associations 7258 -- 7260 T11-FC-SP-SA-MIB DEFINITIONS ::= BEGIN 7262 IMPORTS 7263 MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, 7264 Unsigned32, Counter32, Counter64, TimeTicks, Gauge32, 7265 mib-2 FROM SNMPv2-SMI -- [RFC2578] 7266 RowStatus, StorageType, AutonomousType, TimeStamp, 7267 TruthValue FROM SNMPv2-TC -- [RFC2579] 7268 MODULE-COMPLIANCE, OBJECT-GROUP, 7269 NOTIFICATION-GROUP 7270 FROM SNMPv2-CONF -- [RFC2580] 7271 InterfaceIndex, 7272 InterfaceIndexOrZero FROM IF-MIB -- [RFC2863] 7273 fcmInstanceIndex, 7274 FcAddressIdOrZero FROM FC-MGMT-MIB -- [RFC4044] 7275 T11FabricIndex FROM T11-TC-MIB -- [RFC4439] 7276 T11FcSpType, 7277 T11FcSpiIndex, 7278 T11FcRoutingControl, 7279 T11FcSaDirection, 7280 T11FcSpPrecedence, 7281 T11FcSpTransforms FROM T11-FC-SP-TC-MIB; 7283 t11FcSpSaMIB MODULE-IDENTITY 7284 LAST-UPDATED "200702190000Z" 7285 ORGANIZATION "T11" 7286 CONTACT-INFO 7287 " Claudio DeSanti 7288 Cisco Systems, Inc. 7289 170 West Tasman Drive 7290 San Jose, CA 95134 USA 7291 EMail: cds@cisco.com 7293 Keith McCloghrie 7294 Cisco Systems, Inc. 7295 170 West Tasman Drive 7296 San Jose, CA 95134 USA 7297 Email: kzm@cisco.com" 7299 DESCRIPTION 7300 "This MIB module specifies the management information 7301 required to manage Security Associations established via 7302 Fibre Channel's FC-SP specification. 7304 The MIB module consists of six parts: 7306 - a per-Fabric table, t11FcSpSaIfTable, of capabilities, 7307 parameters, status information and counters; the counters 7308 include non-transient aggregates of per-SA transient 7309 counters; 7311 - three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable 7312 and t11FcSpSaTransTable, specifying the proposals for an 7313 FC-SP entity acting as an SA_Initiator to present to the 7314 SA_Responder during the negotiation of Security 7315 Associations. 
The same information is also used by an 7316 FC-SP entity acting as an SA_Responder to decide what to 7317 accept during the negotiation of Security Associations. 7318 One of these tables, t11FcSpSaTransTable, is used not only 7319 for information about security transforms to propose and 7320 to accept, but also as agreed upon during the negotiation 7321 of Security Associations; 7323 - a table, t11FcSpSaTSelDrByTable, of Traffic Selectors 7324 having the security action of 'drop' or 'bypass' to be 7325 applied either to ingress traffic which is unprotected by 7326 FC-SP, or to all egress traffic; 7328 - four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable, 7329 t11FcSpSaTSelNegOutTable and t11FcSpSaTSelSpiTable, 7330 containing information about active bidirectional pairs of 7331 Security Associations; in particular, t11FcSpSaPairTable 7332 has one row per active bidirectional SA pair, 7333 t11FcSpSaTSelNegInTable and t11FcSpSaTSelNegOutTable 7334 contain information on the Traffic Selectors negotiated on 7335 the SAs, and the t11FcSpSaTSelSpiTable is an alternate 7336 lookup table such that the Traffic Selector(s) in use on a 7337 particular Security Association can be quickly determined 7338 based on the (ingress) SPI value; 7340 - a table, t11FcSpSaControlTable, of control and other 7341 information concerning the generation of notifications for 7342 events related to FC-SP Security Associations; 7344 - one notification, t11FcSpSaNotifyAuthFailure, generated on 7345 the occurrence of an Authentication failure for a received 7346 FC-2 or CT_IU frame. 7348 Copyright (C) The IETF Trust (2007). This version 7349 of this MIB module is part of RFC yyyy; see the RFC 7350 itself for full legal notices." 7351 -- RFC Editor: replace yyyy with actual RFC number & remove this note 7352 REVISION "200702190000Z" 7353 DESCRIPTION 7354 "Initial version of this MIB module, published as RFCyyyy." 
7355 -- RFC-Editor, replace yyyy with actual RFC number & remove this note 7356 ::= { mib-2 nnn } -- to be assigned by IANA 7357 -- RFC Editor: replace nnn with IANA-assigned number & remove this note 7359 t11FcSpSaMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpSaMIB 0 } 7360 t11FcSpSaMIBObjects OBJECT IDENTIFIER ::= { t11FcSpSaMIB 1 } 7361 t11FcSpSaMIBConformance OBJECT IDENTIFIER ::= { t11FcSpSaMIB 2 } 7362 t11FcSpSaBase OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 1 } 7363 t11FcSpSaConfig OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 2 } 7364 t11FcSpSaActive OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 3 } 7365 t11FcSpSaControl OBJECT IDENTIFIER ::= { t11FcSpSaMIBObjects 4 } 7367 -- 7368 -- Base-level Per-Fabric Information 7369 -- 7371 t11FcSpSaIfTable OBJECT-TYPE 7372 SYNTAX SEQUENCE OF T11FcSpSaIfEntry 7373 MAX-ACCESS not-accessible 7374 STATUS current 7375 DESCRIPTION 7376 "A table containing per-Fabric information related to 7377 FC-SP Security Associations." 7378 ::= { t11FcSpSaBase 1 } 7380 t11FcSpSaIfEntry OBJECT-TYPE 7381 SYNTAX T11FcSpSaIfEntry 7382 MAX-ACCESS not-accessible 7383 STATUS current 7384 DESCRIPTION 7385 "Each entry contains information related to Security 7386 Associations on a particular Fabric, and managed as part 7387 of the Fibre Channel management instance identified by 7388 fcmInstanceIndex." 
7389 INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, 7390 t11FcSpSaIfFabricIndex } 7391 ::= { t11FcSpSaIfTable 1 } 7393 T11FcSpSaIfEntry ::= SEQUENCE { 7394 t11FcSpSaIfIndex InterfaceIndexOrZero, 7395 t11FcSpSaIfFabricIndex T11FabricIndex, 7396 -- capabilities 7397 t11FcSpSaIfEspHeaderCapab T11FcSpTransforms, 7398 t11FcSpSaIfCTAuthCapab T11FcSpTransforms, 7399 t11FcSpSaIfIKEv2Capab T11FcSpTransforms, 7400 t11FcSpSaIfIkev2AuthCapab TruthValue, 7401 -- parameters and status 7402 t11FcSpSaIfStorageType StorageType, 7403 t11FcSpSaIfReplayPrevention TruthValue, 7404 t11FcSpSaIfReplayWindowSize Unsigned32, 7405 t11FcSpSaIfDeadPeerDetections Counter32, 7406 t11FcSpSaIfTerminateAllSas INTEGER, 7407 -- summary frame counters 7408 t11FcSpSaIfOutDrops Counter64, 7409 t11FcSpSaIfOutBypasses Counter64, 7410 t11FcSpSaIfOutProcesses Counter64, 7411 t11FcSpSaIfOutUnMatcheds Counter64, 7412 t11FcSpSaIfInUnprotUnmtchDrops Counter64, 7413 -- aggregates of per-SA transient counters 7414 t11FcSpSaIfInDetReplays Counter64, 7415 t11FcSpSaIfInUnprotMtchDrops Counter64, 7416 t11FcSpSaIfInBadXforms Counter64, 7417 t11FcSpSaIfInGoodXforms Counter64, 7418 t11FcSpSaIfInProtUnmtchs Counter64 7419 } 7421 t11FcSpSaIfIndex OBJECT-TYPE 7422 SYNTAX InterfaceIndexOrZero 7423 MAX-ACCESS not-accessible 7424 STATUS current 7425 DESCRIPTION 7426 "This object has a non-zero value to identify a particular 7427 interface, or the value zero to indicate that the 7428 information in this row applies to all (of the management 7429 instance's) interfaces to the particular Fabric. 7431 If any row has a non-zero value of t11FcSpSaIfIndex, then 7432 all rows for the same Fibre Channel management instance must 7433 also have a non-zero value of t11FcSpSaIfIndex and thereby 7434 be specific to a particular interface. 7436 As and when zero values of t11FcSpSaIfIndex are used in 7437 this table, then they must also be used in each other 7438 table which has t11FcSpSaIfIndex in its INDEX clause." 
7439 ::= { t11FcSpSaIfEntry 1 } 7441 t11FcSpSaIfFabricIndex OBJECT-TYPE 7442 SYNTAX T11FabricIndex 7443 MAX-ACCESS not-accessible 7444 STATUS current 7445 DESCRIPTION 7446 "An index value which uniquely identifies a particular 7447 Fabric." 7448 ::= { t11FcSpSaIfEntry 2 } 7450 t11FcSpSaIfEspHeaderCapab OBJECT-TYPE 7451 SYNTAX T11FcSpTransforms 7452 MAX-ACCESS read-only 7453 STATUS current 7454 DESCRIPTION 7455 "A list of the standardized transforms supported by this 7456 entity on this interface for ESP_Header protection." 7457 REFERENCE 7458 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7459 Fibre Channel - Security Protocols (FC-SP), 7460 13 June 2006, Appendix A.3.1, tables A.23, A.25." 7461 ::= { t11FcSpSaIfEntry 3 } 7463 t11FcSpSaIfCTAuthCapab OBJECT-TYPE 7464 SYNTAX T11FcSpTransforms 7465 MAX-ACCESS read-only 7466 STATUS current 7467 DESCRIPTION 7468 "A list of the standardized transforms supported by this 7469 entity on this interface for CT_Authentication protection." 7470 REFERENCE 7471 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7472 Fibre Channel - Security Protocols (FC-SP), 7473 13 June 2006, Appendix A.3.1, tables A.23, A.25." 7474 ::= { t11FcSpSaIfEntry 4 } 7476 t11FcSpSaIfIKEv2Capab OBJECT-TYPE 7477 SYNTAX T11FcSpTransforms 7478 MAX-ACCESS read-only 7479 STATUS current 7480 DESCRIPTION 7481 "A list of the standardized transforms supported by this 7482 entity on this interface with IKEv2 protection." 7483 REFERENCE 7484 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7485 Fibre Channel - Security Protocols (FC-SP), 7486 13 June 2006, Appendix A.3.1, tables A.23, A.24, A.25, A.26." 
7487 ::= { t11FcSpSaIfEntry 5 } 7489 t11FcSpSaIfIkev2AuthCapab OBJECT-TYPE 7490 SYNTAX TruthValue 7491 MAX-ACCESS read-only 7492 STATUS current 7493 DESCRIPTION 7494 "An indication of whether the entity is capable of 7495 supporting the IKEv2-AUTH protocol on this interface, i.e., 7496 concatenation of Authentication and SA Management 7497 Transactions, such that an SA Management Transaction is 7498 used to perform both the authentication function and 7499 SA management." 7500 REFERENCE 7501 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7502 Fibre Channel - Security Protocols (FC-SP), 13 June 2006, 7503 section 6.7.2, and table A.27." 7504 ::= { t11FcSpSaIfEntry 6 } 7506 t11FcSpSaIfStorageType OBJECT-TYPE 7507 SYNTAX StorageType 7508 MAX-ACCESS read-write 7509 STATUS current 7510 DESCRIPTION 7511 "This object specifies the memory realization of 7512 information related to FC-SP Security Associations 7513 for interface(s) to a particular Fabric; specifically, 7514 for rows created and/or modified in these tables: 7516 t11FcSpSaPropTable 7517 t11FcSpSaTSelPropTable 7518 t11FcSpSaTransTable 7519 t11FcSpSaTSelDrByTable 7520 t11FcSpSaControlTable 7522 and, for modified information contained in the same 7523 row as an instance of this object. 7525 Even if an instance of this object has the value 7526 'permanent(4)', none of the information defined in 7527 this MIB module for interface(s) to the given Fabric 7528 need to be writable." 7529 ::= { t11FcSpSaIfEntry 7 } 7531 t11FcSpSaIfReplayPrevention OBJECT-TYPE 7532 SYNTAX TruthValue 7533 MAX-ACCESS read-write 7534 STATUS current 7535 DESCRIPTION 7536 "This object indicates whether anti-replay protection is 7537 enabled for frame reception on this interface." 7538 REFERENCE 7539 "IP Encapsulating Security Payload (ESP), 7540 RFC 4303, December 2005, section 3.3.3." 
7541 ::= { t11FcSpSaIfEntry 8 } 7543 t11FcSpSaIfReplayWindowSize OBJECT-TYPE 7544 SYNTAX Unsigned32 7545 MAX-ACCESS read-write 7546 STATUS current 7547 DESCRIPTION 7548 "The size of the replay window to be used when 7549 anti-replay protection is enabled for frame reception 7550 on this interface." 7551 REFERENCE 7552 "IP Encapsulating Security Payload (ESP), 7553 RFC 4303, December 2005, section 3.4.3." 7554 ::= { t11FcSpSaIfEntry 9 } 7556 t11FcSpSaIfDeadPeerDetections OBJECT-TYPE 7557 SYNTAX Counter32 7558 MAX-ACCESS read-only 7559 STATUS current 7560 DESCRIPTION 7561 "The number of times that a dead peer condition has been 7562 detected on this interface. 7564 This counter has no discontinuities other than those 7565 which all Counter32's have when sysUpTime=0." 7566 REFERENCE 7567 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7568 Fibre Channel - Security Protocols (FC-SP), 7569 13 June 2006, section 8.5.3.3." 7570 ::= { t11FcSpSaIfEntry 10 } 7572 t11FcSpSaIfTerminateAllSas OBJECT-TYPE 7573 SYNTAX INTEGER { noop(1), terminate(2) } 7574 MAX-ACCESS read-write 7575 STATUS current 7576 DESCRIPTION 7577 "Setting this object to 'terminate' is a request to 7578 terminate all outstanding Security Associations on this 7579 interface. 7581 When read, the value of this object is always 'noop'. 7582 Setting this object to 'noop' has no effect." 7583 ::= { t11FcSpSaIfEntry 11 } 7585 t11FcSpSaIfOutDrops OBJECT-TYPE 7586 SYNTAX Counter64 7587 MAX-ACCESS read-only 7588 STATUS current 7589 DESCRIPTION 7590 "The number of output frames which were dropped, instead 7591 of being transmitted on this interface, because they matched 7592 an active (at that time) Traffic Selector with an action of 7593 'Drop'. 7595 This counter has no discontinuities other than those 7596 which all Counter64's have when sysUpTime=0."
7597 ::= { t11FcSpSaIfEntry 12 } 7599 t11FcSpSaIfOutBypasses OBJECT-TYPE 7600 SYNTAX Counter64 7601 MAX-ACCESS read-only 7602 STATUS current 7603 DESCRIPTION 7604 "The number of output frames which were transmitted 7605 unchanged by FC-SP on this interface because they matched 7606 an active (at that time) Traffic Selector with an action 7607 of 'Bypass'. 7609 This counter has no discontinuities other than those 7610 which all Counter64's have when sysUpTime=0." 7611 ::= { t11FcSpSaIfEntry 13 } 7613 t11FcSpSaIfOutProcesses OBJECT-TYPE 7614 SYNTAX Counter64 7615 MAX-ACCESS read-only 7616 STATUS current 7617 DESCRIPTION 7618 "The number of output frames which were protected by FC-SP 7619 before being transmitted on this interface because they 7620 matched an active (at that time) Traffic Selector with an 7621 action of 'Process'. 7623 This counter has no discontinuities other than those 7624 which all Counter64's have when sysUpTime=0." 7625 ::= { t11FcSpSaIfEntry 14 } 7627 t11FcSpSaIfOutUnMatcheds OBJECT-TYPE 7628 SYNTAX Counter64 7629 MAX-ACCESS read-only 7630 STATUS current 7631 DESCRIPTION 7632 "The number of frames which were transmitted unchanged by 7633 FC-SP on this interface because they did not match any 7634 Traffic Selector active at that time. 7636 This counter has no discontinuities other than those 7637 which all Counter64's have when sysUpTime=0." 7638 ::= { t11FcSpSaIfEntry 15 } 7640 t11FcSpSaIfInUnprotUnmtchDrops OBJECT-TYPE 7641 SYNTAX Counter64 7642 MAX-ACCESS read-only 7643 STATUS current 7644 DESCRIPTION 7645 "The number of frames received on this interface which 7646 were dropped because they were unprotected and did not 7647 match any Traffic Selector active at that time. 7649 This counter has no discontinuities other than those 7650 which all Counter64's have when sysUpTime=0." 
7651 ::= { t11FcSpSaIfEntry 16 } 7653 t11FcSpSaIfInDetReplays OBJECT-TYPE 7654 SYNTAX Counter64 7655 MAX-ACCESS read-only 7656 STATUS current 7657 DESCRIPTION 7658 "The number of times that a replay has been detected on 7659 a Security Association which is currently active or was 7660 previously active on this interface. Note that a frame 7661 which is discarded because it is 'behind' the window, 7662 i.e., too old, is counted as a replay. 7664 This counter has no discontinuities other than those 7665 which all Counter64's have when sysUpTime=0." 7666 ::= { t11FcSpSaIfEntry 17 } 7668 t11FcSpSaIfInUnprotMtchDrops OBJECT-TYPE 7669 SYNTAX Counter64 7670 MAX-ACCESS read-only 7671 STATUS current 7672 DESCRIPTION 7673 "The number of times that a frame received on this 7674 interface was dropped because it matched with a Traffic 7675 Selector for a Security Association which was active at 7676 the time of receipt but the frame was not protected as 7677 negotiated for that Security Association. 7679 This counter has no discontinuities other than those 7680 which all Counter64's have when sysUpTime=0." 7681 ::= { t11FcSpSaIfEntry 18 } 7683 t11FcSpSaIfInBadXforms OBJECT-TYPE 7684 SYNTAX Counter64 7685 MAX-ACCESS read-only 7686 STATUS current 7687 DESCRIPTION 7688 "The number of times that a frame received on this 7689 interface was dropped because of a failure of one of the 7690 transforms negotiated for the Security Association on 7691 which it was received. 7693 This counter has no discontinuities other than those 7694 which all Counter64's have when sysUpTime=0." 
7695 ::= { t11FcSpSaIfEntry 19 } 7697 t11FcSpSaIfInGoodXforms OBJECT-TYPE 7698 SYNTAX Counter64 7699 MAX-ACCESS read-only 7700 STATUS current 7701 DESCRIPTION 7702 "The number of frames received on this interface on a 7703 Security Association for which the transforms negotiated 7704 for that Security Association were successfully applied, 7705 and which matched a Traffic Selector for that Security 7706 Association. 7708 This counter has no discontinuities other than those 7709 which all Counter64's have when sysUpTime=0." 7710 ::= { t11FcSpSaIfEntry 20 } 7712 t11FcSpSaIfInProtUnmtchs OBJECT-TYPE 7713 SYNTAX Counter64 7714 MAX-ACCESS read-only 7715 STATUS current 7716 DESCRIPTION 7717 "The number of frames received on this interface which 7718 were dropped because they did not match any of the Traffic 7719 Selectors negotiated for the Security Association on which 7720 they were received, even though the Security Association's 7721 transforms were successfully applied. 7723 This counter has no discontinuities other than those 7724 which all Counter64's have when sysUpTime=0." 7725 ::= { t11FcSpSaIfEntry 21 } 7727 -- 7728 -- Proposals to present in Security Association negotiation 7729 -- 7731 t11FcSpSaPropTable OBJECT-TYPE 7732 SYNTAX SEQUENCE OF T11FcSpSaPropEntry 7733 MAX-ACCESS not-accessible 7734 STATUS current 7735 DESCRIPTION 7736 "A table of proposals for an FC-SP entity acting as an 7737 SA_Initiator to present to the SA_Responder during the 7738 negotiation of Security Associations. This information 7739 is also used by an FC-SP entity acting as an SA_Responder 7740 to decide what to accept during the negotiation of 7741 Security Associations." 
7742 ::= { t11FcSpSaConfig 1 } 7744 t11FcSpSaPropEntry OBJECT-TYPE 7745 SYNTAX T11FcSpSaPropEntry 7746 MAX-ACCESS not-accessible 7747 STATUS current 7748 DESCRIPTION 7749 "Each entry contains information about one proposal for 7750 the FC-SP entity to present, or what to accept, during 7751 the negotiation of Security Associations on one or more 7752 interfaces (identified by t11FcSpSaIfIndex) to a 7753 particular Fabric (identified by t11FcSpSaIfFabricIndex), 7754 and managed as part of the Fibre Channel management 7755 instance identified by fcmInstanceIndex. 7757 The StorageType of a row in this table is specified by 7758 the instance of t11FcSpSaIfStorageType which is INDEX-ed 7759 by the same values of fcmInstanceIndex, t11FcSpSaIfIndex 7760 and t11FcSpSaIfFabricIndex." 7761 INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, 7762 t11FcSpSaIfFabricIndex, 7763 t11FcSpSaPropIndex } 7764 ::= { t11FcSpSaPropTable 1 } 7766 T11FcSpSaPropEntry ::= SEQUENCE { 7767 t11FcSpSaPropIndex Unsigned32, 7768 t11FcSpSaPropSecurityProt INTEGER, 7769 t11FcSpSaPropTSelListIndex Unsigned32, 7770 t11FcSpSaPropTransListIndex Unsigned32, 7771 t11FcSpSaPropAcceptAlgorithm INTEGER, 7772 t11FcSpSaPropOutMatchSucceeds Counter64, 7773 t11FcSpSaPropRowStatus RowStatus 7774 } 7776 t11FcSpSaPropIndex OBJECT-TYPE 7777 SYNTAX Unsigned32 7778 MAX-ACCESS not-accessible 7779 STATUS current 7780 DESCRIPTION 7781 "An index value which uniquely identifies a particular 7782 proposal for use on one or more interfaces to a Fabric." 7783 ::= { t11FcSpSaPropEntry 1 } 7785 t11FcSpSaPropSecurityProt OBJECT-TYPE 7786 SYNTAX INTEGER { espHeader(1), ctAuth(2) } 7787 MAX-ACCESS read-create 7788 STATUS current 7789 DESCRIPTION 7790 "The Security Protocol identifier for this proposal, i.e., 7791 whether the proposal is for traffic to be protected using 7792 ESP_Header or CT_Authentication." 
7794 REFERENCE 7795 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7796 Fibre Channel - Security Protocols (FC-SP), 7797 13 June 2006, section 6.3.2.2 and table 67." 7798 ::= { t11FcSpSaPropEntry 2 } 7800 t11FcSpSaPropTSelListIndex OBJECT-TYPE 7801 SYNTAX Unsigned32 7802 MAX-ACCESS read-create 7803 STATUS current 7804 DESCRIPTION 7805 "A pointer to the proposal's list of Traffic Selectors. 7807 The identified list is represented by all rows in the 7808 t11FcSpSaTSelPropTable for which t11FcSpSaTSelPropListIndex 7809 has the same value as this object (and with corresponding 7810 values of t11FcSpSaIfIndex and fcmInstanceIndex)." 7811 ::= { t11FcSpSaPropEntry 3 } 7813 t11FcSpSaPropTransListIndex OBJECT-TYPE 7814 SYNTAX Unsigned32 7815 MAX-ACCESS read-create 7816 STATUS current 7817 DESCRIPTION 7818 "A pointer to the proposal's list of Transforms. 7820 The identified list is represented by all rows in the 7821 t11FcSpSaTransTable for which t11FcSpSaTransListIndex 7822 has the same value as this object (and with corresponding 7823 values of t11FcSpSaIfIndex and fcmInstanceIndex)." 7824 ::= { t11FcSpSaPropEntry 4 } 7826 t11FcSpSaPropAcceptAlgorithm OBJECT-TYPE 7827 SYNTAX INTEGER { 7828 intersection(1), 7829 union(2), 7830 other(3) 7831 } 7832 MAX-ACCESS read-create 7833 STATUS current 7834 DESCRIPTION 7835 "The algorithm by which an SA_Responder in an SA negotiation 7836 decides on which Traffic Selectors to specify in a response 7837 to an IKE_Create_Child_SA request. This algorithm is used 7838 when the Traffic Selectors specified by an SA_Initiator in 7839 an IKE_Create_Child_SA request overlap with this proposal's 7840 list of Traffic Selectors: 7842 intersection(1) - the SA_Responder specifies the largest 7843 subset of what the SA_Initiator proposed 7844 which is also a subset of this proposal's 7845 Traffic Selectors. 
7847 union(2) - the SA_Responder specifies the smallest 7848 superset of what the SA_Initiator proposed 7849 which is also a superset of this proposal's 7850 Traffic Selectors. 7852 other(3) - the SA_Responder uses some other algorithm. 7853 " 7854 ::= { t11FcSpSaPropEntry 5 } 7856 t11FcSpSaPropOutMatchSucceeds OBJECT-TYPE 7857 SYNTAX Counter64 7858 MAX-ACCESS read-only 7859 STATUS current 7860 DESCRIPTION 7861 "The number of egress frames that have matched a Traffic 7862 Selector which was negotiated to select traffic for an 7863 SA based on this proposal being accepted. 7865 This counter has no discontinuities other than those 7866 which all Counter64's have when sysUpTime=0." 7867 ::= { t11FcSpSaPropEntry 6 } 7869 t11FcSpSaPropRowStatus OBJECT-TYPE 7870 SYNTAX RowStatus 7871 MAX-ACCESS read-create 7872 STATUS current 7873 DESCRIPTION 7874 "The status of a row. Values of object instances 7875 within an active row can be modified at any time. 7877 The status cannot be set to 'active' unless and 7878 until the instances of t11FcSpSaPropTSelListIndex 7879 and t11FcSpSaPropTransListIndex in the row have 7880 been set to point to active rows in the 7881 t11FcSpSaTSelPropTable and t11FcSpSaTransTable 7882 tables, respectively. A row in this table is 7883 deleted if the active rows it points to are deleted." 7885 ::= { t11FcSpSaPropEntry 7 } 7887 -- 7888 -- Traffic Selector Proposals 7889 -- 7891 t11FcSpSaTSelPropTable OBJECT-TYPE 7892 SYNTAX SEQUENCE OF T11FcSpSaTSelPropEntry 7893 MAX-ACCESS not-accessible 7894 STATUS current 7895 DESCRIPTION 7896 "A table containing information about Traffic Selectors 7897 to propose and/or to accept during the negotiation of 7898 Security Associations." 7899 REFERENCE 7900 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 7901 Fibre Channel - Security Protocols (FC-SP), 7902 13 June 2006, section 6.4.5. 7903 - Use of IKEv2 in FC-SP, RFC 4595, 7904 July 2006, section 4.4." 
7905 ::= { t11FcSpSaConfig 2 } 7907 t11FcSpSaTSelPropEntry OBJECT-TYPE 7908 SYNTAX T11FcSpSaTSelPropEntry 7909 MAX-ACCESS not-accessible 7910 STATUS current 7911 DESCRIPTION 7912 "Each entry contains information about one Traffic 7913 Selector within a list of Traffic Selectors to propose, 7914 or for use in determining what to accept during Security 7915 Association negotiation. 7917 One such list is configured for use on a Fabric by 7918 configuring the list's value of t11FcSpSaTSelPropListIndex 7919 as the value of an instance of t11FcSpSaPropTSelListIndex, 7920 for corresponding values of t11FcSpSaIfIndex and 7921 fcmInstanceIndex. Further, the proposing and accepting 7922 of Traffic Selectors is only done as a part of a proposal 7923 specified by a row of the t11FcSpSaPropTable, i.e., 7924 in combination with the proposing and accepting of security 7925 transforms as specified by the combination of 7926 t11FcSpSaPropTSelListIndex and t11FcSpSaPropTransListIndex 7927 in one row of the t11FcSpSaPropTable. 7929 The StorageType of a row in this table is specified by 7930 the instance of t11FcSpSaIfStorageType which is INDEX-ed 7931 by the same values of fcmInstanceIndex, t11FcSpSaIfIndex 7932 and t11FcSpSaIfFabricIndex." 
7933 INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, 7934 t11FcSpSaTSelPropListIndex, t11FcSpSaTSelPropIndex } 7935 ::= { t11FcSpSaTSelPropTable 1 } 7937 T11FcSpSaTSelPropEntry ::= SEQUENCE { 7938 t11FcSpSaTSelPropListIndex Unsigned32, 7939 t11FcSpSaTSelPropIndex Unsigned32, 7940 t11FcSpSaTSelPropDirection T11FcSaDirection, 7941 t11FcSpSaTSelPropPrecedence T11FcSpPrecedence, 7942 t11FcSpSaTSelPropStartSrcAddr FcAddressIdOrZero, 7943 t11FcSpSaTSelPropEndSrcAddr FcAddressIdOrZero, 7944 t11FcSpSaTSelPropStartDstAddr FcAddressIdOrZero, 7945 t11FcSpSaTSelPropEndDstAddr FcAddressIdOrZero, 7946 t11FcSpSaTSelPropStartRCtl T11FcRoutingControl, 7947 t11FcSpSaTSelPropEndRCtl T11FcRoutingControl, 7948 t11FcSpSaTSelPropStartType T11FcSpType, 7949 t11FcSpSaTSelPropEndType T11FcSpType, 7950 t11FcSpSaTSelPropRowStatus RowStatus 7951 } 7953 t11FcSpSaTSelPropListIndex OBJECT-TYPE 7954 SYNTAX Unsigned32 7955 MAX-ACCESS not-accessible 7956 STATUS current 7957 DESCRIPTION 7958 "An index value which identifies a particular list of 7959 Traffic Selectors." 7960 ::= { t11FcSpSaTSelPropEntry 1 } 7962 t11FcSpSaTSelPropIndex OBJECT-TYPE 7963 SYNTAX Unsigned32 7964 MAX-ACCESS not-accessible 7965 STATUS current 7966 DESCRIPTION 7967 "An index value which identifies one Traffic Selector 7968 within a list of Traffic Selectors." 7969 ::= { t11FcSpSaTSelPropEntry 2 } 7971 t11FcSpSaTSelPropDirection OBJECT-TYPE 7972 SYNTAX T11FcSaDirection 7973 MAX-ACCESS read-create 7974 STATUS current 7975 DESCRIPTION 7976 "An indication of whether this Traffic Selector is 7977 to be proposed for ingress or egress traffic." 7978 DEFVAL { egress } 7979 ::= { t11FcSpSaTSelPropEntry 3 } 7981 t11FcSpSaTSelPropPrecedence OBJECT-TYPE 7982 SYNTAX T11FcSpPrecedence 7983 MAX-ACCESS read-create 7984 STATUS current 7985 DESCRIPTION 7986 "The precedence of this Traffic Selector. 
7988 If an egress frame matches multiple Traffic Selectors, 7989 it should be transmitted on the SA associated with the 7990 Traffic Selector having the numerically smallest 7991 precedence value." 7992 ::= { t11FcSpSaTSelPropEntry 4 } 7994 t11FcSpSaTSelPropStartSrcAddr OBJECT-TYPE 7995 SYNTAX FcAddressIdOrZero (SIZE (3)) 7996 MAX-ACCESS read-create 7997 STATUS current 7998 DESCRIPTION 7999 "The numerically smallest 24-bit value of a source address 8000 (S_ID) of a frame which will match with this Traffic 8001 Selector." 8002 REFERENCE 8003 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8004 Fibre Channel - Security Protocols (FC-SP), 8005 13 June 2006, section 6.4.5." 8006 DEFVAL { '000000'h } 8007 ::= { t11FcSpSaTSelPropEntry 5 } 8009 t11FcSpSaTSelPropEndSrcAddr OBJECT-TYPE 8010 SYNTAX FcAddressIdOrZero (SIZE (3)) 8011 MAX-ACCESS read-create 8012 STATUS current 8013 DESCRIPTION 8014 "The numerically largest 24-bit value of a source address 8015 (S_ID) of a frame which will match with this Traffic 8016 Selector." 8017 REFERENCE 8018 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8019 Fibre Channel - Security Protocols (FC-SP), 8020 13 June 2006, section 6.4.5." 8021 DEFVAL { 'FFFFFF'h } 8022 ::= { t11FcSpSaTSelPropEntry 6 } 8024 t11FcSpSaTSelPropStartDstAddr OBJECT-TYPE 8025 SYNTAX FcAddressIdOrZero (SIZE (3)) 8026 MAX-ACCESS read-create 8027 STATUS current 8028 DESCRIPTION 8029 "The numerically smallest 24-bit value of a destination 8030 address (D_ID) of a frame which will match with this 8031 Traffic Selector." 8032 REFERENCE 8033 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8034 Fibre Channel - Security Protocols (FC-SP), 8035 13 June 2006, section 6.4.5." 
8036 DEFVAL { '000000'h } 8037 ::= { t11FcSpSaTSelPropEntry 7 } 8039 t11FcSpSaTSelPropEndDstAddr OBJECT-TYPE 8040 SYNTAX FcAddressIdOrZero (SIZE (3)) 8041 MAX-ACCESS read-create 8042 STATUS current 8043 DESCRIPTION 8044 "The numerically largest 24-bit value of a destination 8045 address (D_ID) of a frame which will match with this 8046 Traffic Selector." 8047 REFERENCE 8048 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8049 Fibre Channel - Security Protocols (FC-SP), 8050 13 June 2006, section 6.4.5." 8051 DEFVAL { 'FFFFFF'h } 8052 ::= { t11FcSpSaTSelPropEntry 8 } 8054 t11FcSpSaTSelPropStartRCtl OBJECT-TYPE 8055 SYNTAX T11FcRoutingControl 8056 MAX-ACCESS read-create 8057 STATUS current 8058 DESCRIPTION 8059 "The numerically smallest 8-bit value contained within a 8060 Routing Control (R_CTL) field of a frame which will match 8061 with this Traffic Selector." 8062 REFERENCE 8063 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8064 Fibre Channel - Security Protocols (FC-SP), 8065 13 June 2006, section 6.4.5." 8066 DEFVAL { '00'h } 8067 ::= { t11FcSpSaTSelPropEntry 9 } 8069 t11FcSpSaTSelPropEndRCtl OBJECT-TYPE 8070 SYNTAX T11FcRoutingControl 8071 MAX-ACCESS read-create 8072 STATUS current 8073 DESCRIPTION 8074 "The numerically largest 8-bit value contained within a 8075 Routing Control (R_CTL) field of a frame which will match 8076 with this Traffic Selector." 8077 REFERENCE 8078 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8079 Fibre Channel - Security Protocols (FC-SP), 8080 13 June 2006, section 6.4.5." 8081 DEFVAL { 'FF'h } 8082 ::= { t11FcSpSaTSelPropEntry 10 } 8084 t11FcSpSaTSelPropStartType OBJECT-TYPE 8085 SYNTAX T11FcSpType 8086 MAX-ACCESS read-create 8087 STATUS current 8088 DESCRIPTION 8089 "The numerically smallest of a range of possible 'type' 8090 values of frames which will match with this Traffic 8091 Selector." 
8092 REFERENCE 8093 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8094 Fibre Channel - Security Protocols (FC-SP), 8095 13 June 2006, section 6.4.5." 8096 DEFVAL { '0000'h } 8097 ::= { t11FcSpSaTSelPropEntry 11 } 8099 t11FcSpSaTSelPropEndType OBJECT-TYPE 8100 SYNTAX T11FcSpType 8101 MAX-ACCESS read-create 8102 STATUS current 8103 DESCRIPTION 8104 "The numerically largest of a range of possible 'type' 8105 values of frames which will match with this Traffic 8106 Selector." 8107 REFERENCE 8108 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8109 Fibre Channel - Security Protocols (FC-SP), 8110 13 June 2006, section 6.4.5." 8111 DEFVAL { 'FFFF'h } 8112 ::= { t11FcSpSaTSelPropEntry 12 } 8114 t11FcSpSaTSelPropRowStatus OBJECT-TYPE 8115 SYNTAX RowStatus 8116 MAX-ACCESS read-create 8117 STATUS current 8118 DESCRIPTION 8119 "The status of this row. Values of object instances 8120 within the row can be modified at any time." 8121 ::= { t11FcSpSaTSelPropEntry 13 } 8123 -- 8124 -- Transform Proposals 8125 -- 8127 t11FcSpSaTransTable OBJECT-TYPE 8128 SYNTAX SEQUENCE OF T11FcSpSaTransEntry 8129 MAX-ACCESS not-accessible 8130 STATUS current 8131 DESCRIPTION 8132 "A table containing information about security transforms 8133 to propose, to accept and/or agreed upon during the 8134 negotiation of Security Associations." 8135 ::= { t11FcSpSaConfig 3 } 8137 t11FcSpSaTransEntry OBJECT-TYPE 8138 SYNTAX T11FcSpSaTransEntry 8139 MAX-ACCESS not-accessible 8140 STATUS current 8141 DESCRIPTION 8142 "Each entry contains information about one proposal within a 8143 list of security transforms to be proposed, to be accepted, 8144 or already agreed upon, for use on a pair of Security 8145 Associations on one or more interfaces (identified by 8146 t11FcSpSaIfIndex), managed as part of the Fibre Channel 8147 management instance identified by fcmInstanceIndex. 
8149 One such list is configured to be proposed or accepted for 8150 use on a Fabric, by having the list's value of 8151 t11FcSpSaTransListIndex be the value of an instance of 8152 t11FcSpSaPropTransListIndex for that Fabric. Further, 8153 the proposing and accepting of security transforms is only 8154 done as a part of a proposal specified by a row of the 8155 t11FcSpSaPropTable, i.e., in combination with the proposing 8156 and accepting of Traffic Selectors as specified by the 8157 combination of t11FcSpSaPropTSelListIndex and 8158 t11FcSpSaPropTransListIndex in one row of the 8159 t11FcSpSaPropTable. 8161 The security (encryption and integrity) transform in use on 8162 an SA pair is indicated by having the pair's values of 8163 t11FcSpSaPairTransListIndex and t11FcSpSaPairTransIndex 8164 contain the values of t11FcSpSaTransListIndex and 8165 t11FcSpSaTransIndex for the transform's row in this 8166 table. 8168 The StorageType of a row in this table is specified by 8169 the instance of t11FcSpSaIfStorageType which is INDEX-ed 8170 by the same values of fcmInstanceIndex, t11FcSpSaIfIndex 8171 and t11FcSpSaIfFabricIndex." 8172 INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, 8173 t11FcSpSaTransListIndex, t11FcSpSaTransIndex } 8174 ::= { t11FcSpSaTransTable 1 } 8176 T11FcSpSaTransEntry ::= SEQUENCE { 8177 t11FcSpSaTransListIndex Unsigned32, 8178 t11FcSpSaTransIndex Unsigned32, 8179 t11FcSpSaTransSecurityProt INTEGER, 8180 t11FcSpSaTransEncryptAlg AutonomousType, 8181 t11FcSpSaTransEncryptKeyLen Unsigned32, 8182 t11FcSpSaTransIntegrityAlg AutonomousType, 8183 t11FcSpSaTransRowStatus RowStatus 8184 } 8186 t11FcSpSaTransListIndex OBJECT-TYPE 8187 SYNTAX Unsigned32 8188 MAX-ACCESS not-accessible 8189 STATUS current 8190 DESCRIPTION 8191 "An index value which uniquely identifies a particular 8192 list of security transforms to be proposed, to be accepted, 8193 or already agreed upon." 
8194 ::= { t11FcSpSaTransEntry 1 } 8196 t11FcSpSaTransIndex OBJECT-TYPE 8197 SYNTAX Unsigned32 8198 MAX-ACCESS not-accessible 8199 STATUS current 8200 DESCRIPTION 8201 "An index value which uniquely identifies one security 8202 transform within a list identified by 8203 t11FcSpSaTransListIndex." 8204 ::= { t11FcSpSaTransEntry 2 } 8206 t11FcSpSaTransSecurityProt OBJECT-TYPE 8207 SYNTAX INTEGER { espHeader(1), ctAuth(2) } 8208 MAX-ACCESS read-create 8209 STATUS current 8210 DESCRIPTION 8211 "The Security Protocol identifier which indicates 8212 whether this transform is for traffic to be protected 8213 using ESP_Header or using CT_Authentication." 8214 REFERENCE 8215 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8216 Fibre Channel - Security Protocols (FC-SP), 8217 13 June 2006, section 6.3.2.2 and table 67." 8218 ::= { t11FcSpSaTransEntry 3 } 8220 t11FcSpSaTransEncryptAlg OBJECT-TYPE 8221 SYNTAX AutonomousType 8222 MAX-ACCESS read-create 8223 STATUS current 8224 DESCRIPTION 8225 "The Encryption Algorithm for this transform." 8226 REFERENCE 8227 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8228 Fibre Channel - Security Protocols (FC-SP), 8229 13 June 2006, section 6.3.2.3 and tables 69 & 70." 8230 ::= { t11FcSpSaTransEntry 4 } 8232 t11FcSpSaTransEncryptKeyLen OBJECT-TYPE 8233 SYNTAX Unsigned32 8234 MAX-ACCESS read-create 8235 STATUS current 8236 DESCRIPTION 8237 "The key length in bits to be used with an encryption 8238 algorithm which has a variable length key. This object 8239 is ignored when the corresponding instance of 8240 t11FcSpSaTransEncryptAlg specifies an algorithm with a 8241 fixed length key." 8242 REFERENCE 8243 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8244 Fibre Channel - Security Protocols (FC-SP), 8245 13 June 2006, section 6.3.2.5 and table 77." 
8246 ::= { t11FcSpSaTransEntry 5 } 8248 t11FcSpSaTransIntegrityAlg OBJECT-TYPE 8249 SYNTAX AutonomousType 8250 MAX-ACCESS read-create 8251 STATUS current 8252 DESCRIPTION 8253 "The Integrity Algorithm for this transform." 8254 REFERENCE 8255 "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8256 Fibre Channel - Security Protocols (FC-SP), 8257 13 June 2006, section 6.3.2.3 and tables 69 & 72." 8258 ::= { t11FcSpSaTransEntry 6 } 8260 t11FcSpSaTransRowStatus OBJECT-TYPE 8261 SYNTAX RowStatus 8262 MAX-ACCESS read-create 8263 STATUS current 8264 DESCRIPTION 8265 "The status of this row. 8267 When an instance of t11FcSpSaPairTransListIndex points to 8268 a row in this table, values of object instances in the row 8269 cannot be modified nor can the row be deleted. Otherwise, 8270 a row can be modified or deleted at any time." 8271 ::= { t11FcSpSaTransEntry 7 } 8273 -- 8274 -- Traffic Selectors for Drop & Bypass 8275 -- 8277 t11FcSpSaTSelDrByTable OBJECT-TYPE 8278 SYNTAX SEQUENCE OF T11FcSpSaTSelDrByEntry 8279 MAX-ACCESS not-accessible 8280 STATUS current 8281 DESCRIPTION 8282 "A table containing Traffic Selectors to select which 8283 traffic is to be dropped or is to bypass further 8284 security processing." 8285 REFERENCE 8286 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8287 Fibre Channel - Security Protocols (FC-SP), 8288 13 June 2006, sections 4.6, 4.7, and 6.4.5. 8289 - Use of IKEv2 in FC-SP, RFC 4595, 8290 July 2006, section 4.4." 
8291 ::= { t11FcSpSaConfig 4 } 8293 t11FcSpSaTSelDrByEntry OBJECT-TYPE 8294 SYNTAX T11FcSpSaTSelDrByEntry 8295 MAX-ACCESS not-accessible 8296 STATUS current 8297 DESCRIPTION 8298 "Each entry represents one Traffic Selector having the 8299 security action of 'drop' or 'bypass' which is applied 8300 based on a precedence value, either to ingress traffic 8301 which is unprotected by FC-SP, or to all egress 8302 traffic on one or more interfaces (identified by 8303 t11FcSpSaIfIndex) to a particular Fabric (identified 8304 by t11FcSpSaIfFabricIndex), and managed as part of the Fibre 8305 Channel management instance identified by fcmInstanceIndex. 8307 The StorageType of a row in this table is specified by 8308 the instance of t11FcSpSaIfStorageType which is INDEX-ed 8309 by the same values of fcmInstanceIndex, t11FcSpSaIfIndex 8310 and t11FcSpSaIfFabricIndex." 8311 INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, t11FcSpSaIfFabricIndex, 8312 t11FcSpSaTSelDrByDirection, t11FcSpSaTSelDrByPrecedence } 8313 ::= { t11FcSpSaTSelDrByTable 1 } 8315 T11FcSpSaTSelDrByEntry ::= SEQUENCE { 8316 t11FcSpSaTSelDrByDirection T11FcSaDirection, 8317 t11FcSpSaTSelDrByPrecedence T11FcSpPrecedence, 8318 t11FcSpSaTSelDrByAction INTEGER, 8319 t11FcSpSaTSelDrByStartSrcAddr FcAddressIdOrZero, 8320 t11FcSpSaTSelDrByEndSrcAddr FcAddressIdOrZero, 8321 t11FcSpSaTSelDrByStartDstAddr FcAddressIdOrZero, 8322 t11FcSpSaTSelDrByEndDstAddr FcAddressIdOrZero, 8323 t11FcSpSaTSelDrByStartRCtl T11FcRoutingControl, 8324 t11FcSpSaTSelDrByEndRCtl T11FcRoutingControl, 8325 t11FcSpSaTSelDrByStartType T11FcSpType, 8326 t11FcSpSaTSelDrByEndType T11FcSpType, 8327 t11FcSpSaTSelDrByMatches Counter64, 8328 t11FcSpSaTSelDrByRowStatus RowStatus 8329 } 8331 t11FcSpSaTSelDrByDirection OBJECT-TYPE 8332 SYNTAX T11FcSaDirection 8333 MAX-ACCESS not-accessible 8334 STATUS current 8335 DESCRIPTION 8336 "An indication of whether this Traffic Selector is 8337 for ingress or egress traffic." 
8338 ::= { t11FcSpSaTSelDrByEntry 1 } 8340 t11FcSpSaTSelDrByPrecedence OBJECT-TYPE 8341 SYNTAX T11FcSpPrecedence 8342 MAX-ACCESS not-accessible 8343 STATUS current 8344 DESCRIPTION 8345 "The precedence of this Traffic Selector. If and when a 8346 frame is compared against multiple Traffic Selectors, and 8347 multiple of them have a match with the frame, the security 8348 action to be taken for the frame is that specified for the 8349 matching Traffic Selector having the numerically smallest 8350 precedence value." 8351 ::= { t11FcSpSaTSelDrByEntry 2 } 8353 t11FcSpSaTSelDrByAction OBJECT-TYPE 8354 SYNTAX INTEGER { drop(1), bypass(2) } 8355 MAX-ACCESS read-create 8356 STATUS current 8357 DESCRIPTION 8358 "The security action to be taken for a frame which 8359 matches this Traffic Selector." 8360 DEFVAL { drop } 8361 ::= { t11FcSpSaTSelDrByEntry 3 } 8363 t11FcSpSaTSelDrByStartSrcAddr OBJECT-TYPE 8364 SYNTAX FcAddressIdOrZero (SIZE (3)) 8365 MAX-ACCESS read-create 8366 STATUS current 8367 DESCRIPTION 8368 "The numerically smallest 24-bit value of a source address 8369 (S_ID) of a frame which will match with this Traffic 8370 Selector." 8371 DEFVAL { '000000'h } 8372 ::= { t11FcSpSaTSelDrByEntry 4 } 8374 t11FcSpSaTSelDrByEndSrcAddr OBJECT-TYPE 8375 SYNTAX FcAddressIdOrZero (SIZE (3)) 8376 MAX-ACCESS read-create 8377 STATUS current 8378 DESCRIPTION 8379 "The numerically largest 24-bit value of a source address 8380 (S_ID) of a frame which will match with this Traffic 8381 Selector." 8382 DEFVAL { 'FFFFFF'h } 8383 ::= { t11FcSpSaTSelDrByEntry 5 } 8385 t11FcSpSaTSelDrByStartDstAddr OBJECT-TYPE 8386 SYNTAX FcAddressIdOrZero (SIZE (3)) 8387 MAX-ACCESS read-create 8388 STATUS current 8389 DESCRIPTION 8390 "The numerically smallest 24-bit value of a destination 8391 address (D_ID) of a frame which will match with this 8392 Traffic Selector." 
8393 DEFVAL { '000000'h } 8394 ::= { t11FcSpSaTSelDrByEntry 6 } 8396 t11FcSpSaTSelDrByEndDstAddr OBJECT-TYPE 8397 SYNTAX FcAddressIdOrZero (SIZE (3)) 8398 MAX-ACCESS read-create 8399 STATUS current 8400 DESCRIPTION 8401 "The numerically largest 24-bit value of a destination 8402 address (D_ID) of a frame which will match with this 8403 Traffic Selector." 8404 DEFVAL { 'FFFFFF'h } 8405 ::= { t11FcSpSaTSelDrByEntry 7 } 8407 t11FcSpSaTSelDrByStartRCtl OBJECT-TYPE 8408 SYNTAX T11FcRoutingControl 8409 MAX-ACCESS read-create 8410 STATUS current 8411 DESCRIPTION 8412 "The numerically smallest 8-bit value contained within a 8413 Routing Control (R_CTL) field of a frame which will match 8414 with this Traffic Selector." 8415 DEFVAL { '00'h } 8416 ::= { t11FcSpSaTSelDrByEntry 8 } 8418 t11FcSpSaTSelDrByEndRCtl OBJECT-TYPE 8419 SYNTAX T11FcRoutingControl 8420 MAX-ACCESS read-create 8421 STATUS current 8422 DESCRIPTION 8423 "The numerically largest 8-bit value contained within a 8424 Routing Control (R_CTL) field of a frame which will match 8425 with this Traffic Selector." 8426 DEFVAL { 'FF'h } 8427 ::= { t11FcSpSaTSelDrByEntry 9 } 8429 t11FcSpSaTSelDrByStartType OBJECT-TYPE 8430 SYNTAX T11FcSpType 8431 MAX-ACCESS read-create 8432 STATUS current 8433 DESCRIPTION 8434 "The numerically smallest of a range of possible 'type' 8435 values of frames which will match with this Traffic 8436 Selector." 8437 DEFVAL { '0000'h } 8438 ::= { t11FcSpSaTSelDrByEntry 10 } 8440 t11FcSpSaTSelDrByEndType OBJECT-TYPE 8441 SYNTAX T11FcSpType 8442 MAX-ACCESS read-create 8443 STATUS current 8444 DESCRIPTION 8445 "The numerically largest of a range of possible 'type' 8446 values of frames which will match with this Traffic 8447 Selector." 
8448 DEFVAL { 'FFFF'h } 8449 ::= { t11FcSpSaTSelDrByEntry 11 } 8451 t11FcSpSaTSelDrByMatches OBJECT-TYPE 8452 SYNTAX Counter64 8453 MAX-ACCESS read-only 8454 STATUS current 8455 DESCRIPTION 8456 "The number of frames for which the action specified by 8457 the corresponding instance of t11FcSpSaTSelDrByAction was 8458 taken because of a match with this Traffic Selector. 8460 This counter has no discontinuities other than those 8461 which all Counter64's have when sysUpTime=0." 8462 ::= { t11FcSpSaTSelDrByEntry 12 } 8464 t11FcSpSaTSelDrByRowStatus OBJECT-TYPE 8465 SYNTAX RowStatus 8466 MAX-ACCESS read-create 8467 STATUS current 8468 DESCRIPTION 8469 "The status of this row. Values of object instances 8470 within the row can be modified at any time." 8471 ::= { t11FcSpSaTSelDrByEntry 13 } 8473 -- 8474 -- Active Security Associations 8475 -- 8477 t11FcSpSaPairTable OBJECT-TYPE 8478 SYNTAX SEQUENCE OF T11FcSpSaPairEntry 8479 MAX-ACCESS not-accessible 8480 STATUS current 8481 DESCRIPTION 8482 "A table containing information about active 8483 bidirectional pairs of Security Associations." 8484 ::= { t11FcSpSaActive 1 } 8486 t11FcSpSaPairEntry OBJECT-TYPE 8487 SYNTAX T11FcSpSaPairEntry 8488 MAX-ACCESS not-accessible 8489 STATUS current 8490 DESCRIPTION 8491 "Each entry contains information about one active 8492 bidirectional pair of Security Associations on an 8493 interface to a particular Fabric (identified by 8494 t11FcSpSaIfFabricIndex), managed as part of the Fibre 8495 Channel management instance identified by 8496 fcmInstanceIndex." 
8497 INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex, 8498 t11FcSpSaIfFabricIndex, t11FcSpSaPairInboundSpi } 8499 ::= { t11FcSpSaPairTable 1 } 8501 T11FcSpSaPairEntry ::= SEQUENCE { 8502 t11FcSpSaPairIfIndex InterfaceIndex, 8503 t11FcSpSaPairInboundSpi T11FcSpiIndex, 8504 t11FcSpSaPairSecurityProt INTEGER, 8505 t11FcSpSaPairTransListIndex Unsigned32, 8506 t11FcSpSaPairTransIndex Unsigned32, 8507 t11FcSpSaPairLifetimeLeft Unsigned32, 8508 t11FcSpSaPairLifetimeLeftUnits INTEGER, 8509 t11FcSpSaPairTerminate INTEGER, 8510 t11FcSpSaPairInProtUnMatchs Counter64, 8511 t11FcSpSaPairInDetReplays Counter64, 8512 t11FcSpSaPairInBadXforms Counter64, 8513 t11FcSpSaPairInGoodXforms Counter64 8514 } 8516 t11FcSpSaPairIfIndex OBJECT-TYPE 8517 SYNTAX InterfaceIndex 8518 MAX-ACCESS not-accessible 8519 STATUS current 8520 DESCRIPTION 8521 "This object identifies the interface to the particular 8522 Fabric on which this SA pair is active." 8523 ::= { t11FcSpSaPairEntry 1 } 8525 t11FcSpSaPairInboundSpi OBJECT-TYPE 8526 SYNTAX T11FcSpiIndex 8527 MAX-ACCESS not-accessible 8528 STATUS current 8529 DESCRIPTION 8530 "The SPI value which is used to indicate that an incoming 8531 frame was received on the ingress SA of this SA pair." 8532 ::= { t11FcSpSaPairEntry 2 } 8534 t11FcSpSaPairSecurityProt OBJECT-TYPE 8535 SYNTAX INTEGER { espHeader(1), ctAuth(2) } 8536 MAX-ACCESS read-only 8537 STATUS current 8538 DESCRIPTION 8539 "The object indicates whether this SA uses ESP_Header to 8540 protect FC-2 frames, or CT_Authentication to protect Common 8541 Transport Information Units (CT_IUs)." 8542 ::= { t11FcSpSaPairEntry 3 } 8544 t11FcSpSaPairTransListIndex OBJECT-TYPE 8545 SYNTAX Unsigned32 8546 MAX-ACCESS read-only 8547 STATUS current 8548 DESCRIPTION 8549 "The combination of this value and the value of the 8550 corresponding instance of t11FcSpSaPairTransIndex 8551 identify the row in the t11FcSpSaTransTable which 8552 contains the transforms which are in use on this SA pair." 
8553 ::= { t11FcSpSaPairEntry 4 } 8555 t11FcSpSaPairTransIndex OBJECT-TYPE 8556 SYNTAX Unsigned32 8557 MAX-ACCESS read-only 8558 STATUS current 8559 DESCRIPTION 8560 "The combination of this value and the value of the 8561 corresponding instance of t11FcSpSaPairTransListIndex 8562 identify the row in the t11FcSpSaTransTable which 8563 contains the transforms which are in use on this SA pair." 8564 ::= { t11FcSpSaPairEntry 5 } 8566 t11FcSpSaPairLifetimeLeft OBJECT-TYPE 8567 SYNTAX Unsigned32 8568 MAX-ACCESS read-only 8569 STATUS current 8570 DESCRIPTION 8571 "The remaining lifetime of this SA pair, given in the 8572 units specified by the value of the corresponding 8573 instance of t11FcSpSaPairLifetimeLeftUnits." 8574 ::= { t11FcSpSaPairEntry 6 } 8576 t11FcSpSaPairLifetimeLeftUnits OBJECT-TYPE 8577 SYNTAX INTEGER { 8578 seconds(1), -- seconds 8579 kiloBytes(2), -- 10^^3 bytes 8580 megaBytes(3), -- 10^^6 bytes 8581 gigaBytes(4), -- 10^^9 bytes 8582 teraBytes(5), -- 10^^12 bytes 8583 petaBytes(6), -- 10^^15 bytes 8584 exaBytes(7), -- 10^^18 bytes 8585 zettaBytes(8), -- 10^^21 bytes 8586 yottaBytes(9) -- 10^^24 bytes 8587 } 8588 MAX-ACCESS read-only 8589 STATUS current 8590 DESCRIPTION 8591 "The units in which the value of the corresponding 8592 instance of t11FcSpSaPairLifetimeLeft specifies the 8593 remaining lifetime of this SA pair." 8594 ::= { t11FcSpSaPairEntry 7 } 8596 t11FcSpSaPairTerminate OBJECT-TYPE 8597 SYNTAX INTEGER { noop(1), terminate(2) } 8598 MAX-ACCESS read-write 8599 STATUS current 8600 DESCRIPTION 8601 "Setting this object to 'terminate' is a request 8602 to terminate this pair of Security Associations. 8604 When read, the value of this object is always 'noop'. 8605 Setting this object to 'noop' has no effect." 
8606 ::= { t11FcSpSaPairEntry 8 } 8608 t11FcSpSaPairInProtUnMatchs OBJECT-TYPE 8609 SYNTAX Counter64 8610 MAX-ACCESS read-only 8611 STATUS current 8612 DESCRIPTION 8613 "The number of frames received on this SA for which the 8614 SA's transforms were successfully applied to the frame, 8615 but the frame was still dropped because it did not match 8616 any of the SA's ingress Traffic Selectors. 8618 This counter has no discontinuities other than those 8619 which all Counter64's have when sysUpTime=0." 8620 ::= { t11FcSpSaPairEntry 9 } 8622 t11FcSpSaPairInDetReplays OBJECT-TYPE 8623 SYNTAX Counter64 8624 MAX-ACCESS read-only 8625 STATUS current 8626 DESCRIPTION 8627 "The number of times that a replay has been detected on 8628 this Security Association. Note that a frame which is 8629 discarded because it is 'behind' the window, i.e., too old, 8630 is counted as a replay. 8632 This counter has no discontinuities other than those 8633 which all Counter64's have when sysUpTime=0." 8635 ::= { t11FcSpSaPairEntry 10 } 8637 t11FcSpSaPairInBadXforms OBJECT-TYPE 8638 SYNTAX Counter64 8639 MAX-ACCESS read-only 8640 STATUS current 8641 DESCRIPTION 8642 "The number of times that a received frame was dropped 8643 because one of the transforms negotiated for this Security 8644 Association failed. 8646 This counter has no discontinuities other than those 8647 which all Counter64's have when sysUpTime=0." 8648 ::= { t11FcSpSaPairEntry 11 } 8650 t11FcSpSaPairInGoodXforms OBJECT-TYPE 8651 SYNTAX Counter64 8652 MAX-ACCESS read-only 8653 STATUS current 8654 DESCRIPTION 8655 "The number of received frames for which the transforms 8656 negotiated for this Security Association were 8657 successfully applied. 8659 This counter has no discontinuities other than those 8660 which all Counter64's have when sysUpTime=0." 
8661 ::= { t11FcSpSaPairEntry 12 } 8663 -- 8664 -- Negotiated Ingress Traffic Selectors 8665 -- 8667 t11FcSpSaTSelNegInTable OBJECT-TYPE 8668 SYNTAX SEQUENCE OF T11FcSpSaTSelNegInEntry 8669 MAX-ACCESS not-accessible 8670 STATUS current 8671 DESCRIPTION 8672 "A table containing information about ingress Traffic 8673 Selectors which are in use on active Security 8674 Associations." 8675 REFERENCE 8676 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8677 Fibre Channel - Security Protocols (FC-SP), 8678 13 June 2006, sections 4.6, 4.7, and 6.4.5. 8679 - Use of IKEv2 in FC-SP, RFC 4595, 8680 July 2006, section 4.4." 8681 ::= { t11FcSpSaActive 2 } 8683 t11FcSpSaTSelNegInEntry OBJECT-TYPE 8684 SYNTAX T11FcSpSaTSelNegInEntry 8685 MAX-ACCESS not-accessible 8686 STATUS current 8687 DESCRIPTION 8688 "Each entry contains information about one ingress Traffic 8689 Selector which is in use on an active Security Association 8690 on an interface (identified by t11FcSpSaPairIfIndex) to 8691 a particular Fabric (identified by t11FcSpSaIfFabricIndex), 8692 managed as part of the Fibre Channel management instance 8693 identified by fcmInstanceIndex." 
8694 INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex, 8695 t11FcSpSaIfFabricIndex, t11FcSpSaTSelNegInIndex } 8696 ::= { t11FcSpSaTSelNegInTable 1 } 8698 T11FcSpSaTSelNegInEntry ::= SEQUENCE { 8699 t11FcSpSaTSelNegInIndex Unsigned32, 8700 t11FcSpSaTSelNegInInboundSpi T11FcSpiIndex, 8701 t11FcSpSaTSelNegInStartSrcAddr FcAddressIdOrZero, 8702 t11FcSpSaTSelNegInEndSrcAddr FcAddressIdOrZero, 8703 t11FcSpSaTSelNegInStartDstAddr FcAddressIdOrZero, 8704 t11FcSpSaTSelNegInEndDstAddr FcAddressIdOrZero, 8705 t11FcSpSaTSelNegInStartRCtl T11FcRoutingControl, 8706 t11FcSpSaTSelNegInEndRCtl T11FcRoutingControl, 8707 t11FcSpSaTSelNegInStartType T11FcSpType, 8708 t11FcSpSaTSelNegInEndType T11FcSpType, 8709 t11FcSpSaTSelNegInUnpMtchDrops Counter64 8710 } 8712 t11FcSpSaTSelNegInIndex OBJECT-TYPE 8713 SYNTAX Unsigned32 8714 MAX-ACCESS not-accessible 8715 STATUS current 8716 DESCRIPTION 8717 "An index value to distinguish an ingress Traffic Selector 8718 from all others currently in use by Security Associations 8719 on the same interface to a particular Fabric." 8720 ::= { t11FcSpSaTSelNegInEntry 1 } 8722 t11FcSpSaTSelNegInInboundSpi OBJECT-TYPE 8723 SYNTAX T11FcSpiIndex 8724 MAX-ACCESS read-only 8725 STATUS current 8726 DESCRIPTION 8727 "The SPI of the ingress SA on which this Traffic Selector 8728 is in use. 8730 This value can be used to find the SA pair's row in the 8731 t11FcSpSaPairTable." 8732 ::= { t11FcSpSaTSelNegInEntry 2 } 8734 t11FcSpSaTSelNegInStartSrcAddr OBJECT-TYPE 8735 SYNTAX FcAddressIdOrZero (SIZE (3)) 8736 MAX-ACCESS read-only 8737 STATUS current 8738 DESCRIPTION 8739 "The numerically smallest 24-bit value of a source address 8740 (S_ID) of a frame which will match with this Traffic 8741 Selector." 
8742 ::= { t11FcSpSaTSelNegInEntry 3 } 8744 t11FcSpSaTSelNegInEndSrcAddr OBJECT-TYPE 8745 SYNTAX FcAddressIdOrZero (SIZE (3)) 8746 MAX-ACCESS read-only 8747 STATUS current 8748 DESCRIPTION 8749 "The numerically largest 24-bit value of a source address 8750 (S_ID) of a frame which will match with this Traffic 8751 Selector." 8752 ::= { t11FcSpSaTSelNegInEntry 4 } 8754 t11FcSpSaTSelNegInStartDstAddr OBJECT-TYPE 8755 SYNTAX FcAddressIdOrZero (SIZE (3)) 8756 MAX-ACCESS read-only 8757 STATUS current 8758 DESCRIPTION 8759 "The numerically smallest 24-bit value of a destination 8760 address (D_ID) of a frame which will match with this 8761 Traffic Selector." 8762 ::= { t11FcSpSaTSelNegInEntry 5 } 8764 t11FcSpSaTSelNegInEndDstAddr OBJECT-TYPE 8765 SYNTAX FcAddressIdOrZero (SIZE (3)) 8766 MAX-ACCESS read-only 8767 STATUS current 8768 DESCRIPTION 8769 "The numerically largest 24-bit value of a destination 8770 address (D_ID) of a frame which will match with this 8771 Traffic Selector." 8772 ::= { t11FcSpSaTSelNegInEntry 6 } 8774 t11FcSpSaTSelNegInStartRCtl OBJECT-TYPE 8775 SYNTAX T11FcRoutingControl 8776 MAX-ACCESS read-only 8777 STATUS current 8778 DESCRIPTION 8779 "The numerically smallest 8-bit value contained within a 8780 Routing Control (R_CTL) field of a frame which will match 8781 with this Traffic Selector." 8782 ::= { t11FcSpSaTSelNegInEntry 7 } 8784 t11FcSpSaTSelNegInEndRCtl OBJECT-TYPE 8785 SYNTAX T11FcRoutingControl 8786 MAX-ACCESS read-only 8787 STATUS current 8788 DESCRIPTION 8789 "The numerically largest 8-bit value contained within a 8790 Routing Control (R_CTL) field of a frame which will match 8791 with this Traffic Selector." 8792 ::= { t11FcSpSaTSelNegInEntry 8 } 8794 t11FcSpSaTSelNegInStartType OBJECT-TYPE 8795 SYNTAX T11FcSpType 8796 MAX-ACCESS read-only 8797 STATUS current 8798 DESCRIPTION 8799 "The numerically smallest of a range of possible 'type' 8800 values of frames which will match with this Traffic 8801 Selector." 
8802 ::= { t11FcSpSaTSelNegInEntry 9 } 8804 t11FcSpSaTSelNegInEndType OBJECT-TYPE 8805 SYNTAX T11FcSpType 8806 MAX-ACCESS read-only 8807 STATUS current 8808 DESCRIPTION 8809 "The numerically largest of a range of possible 'type' 8810 values of frames which will match with this Traffic 8811 Selector." 8812 ::= { t11FcSpSaTSelNegInEntry 10 } 8814 t11FcSpSaTSelNegInUnpMtchDrops OBJECT-TYPE 8815 SYNTAX Counter64 8816 MAX-ACCESS read-only 8817 STATUS current 8818 DESCRIPTION 8819 "The number of times that a received frame was dropped 8820 because it matched with this Traffic Selector but the 8821 frame was not protected as negotiated for the Security 8822 Association identified by t11FcSpSaTSelNegInInboundSpi. 8824 This counter has no discontinuities other than those 8825 which all Counter64's have when sysUpTime=0." 8826 ::= { t11FcSpSaTSelNegInEntry 11 } 8828 -- 8829 -- Negotiated Egress Traffic Selectors 8830 -- 8832 t11FcSpSaTSelNegOutTable OBJECT-TYPE 8833 SYNTAX SEQUENCE OF T11FcSpSaTSelNegOutEntry 8834 MAX-ACCESS not-accessible 8835 STATUS current 8836 DESCRIPTION 8837 "A table containing information about egress Traffic 8838 Selectors which are in use on active Security 8839 Associations." 8840 REFERENCE 8841 "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, 8842 Fibre Channel - Security Protocols (FC-SP), 8843 13 June 2006, sections 4.6, 4.7, and 6.4.5. 8844 - Use of IKEv2 in FC-SP, RFC 4595, 8845 July 2006, section 4.4." 8846 ::= { t11FcSpSaActive 3 } 8848 t11FcSpSaTSelNegOutEntry OBJECT-TYPE 8849 SYNTAX T11FcSpSaTSelNegOutEntry 8850 MAX-ACCESS not-accessible 8851 STATUS current 8852 DESCRIPTION 8853 "Each entry contains information about one egress Traffic 8854 Selector which is in use on an active Security Association 8855 on an interface (identified by t11FcSpSaPairIfIndex) to 8856 a particular Fabric (identified by t11FcSpSaIfFabricIndex), 8857 managed as part of the Fibre Channel management instance 8858 identified by fcmInstanceIndex." 
8859 INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex, 8860 t11FcSpSaIfFabricIndex, t11FcSpSaTSelNegOutPrecedence } 8861 ::= { t11FcSpSaTSelNegOutTable 1 } 8863 T11FcSpSaTSelNegOutEntry ::= SEQUENCE { 8864 t11FcSpSaTSelNegOutPrecedence T11FcSpPrecedence, 8865 t11FcSpSaTSelNegOutInboundSpi T11FcSpiIndex, 8866 t11FcSpSaTSelNegOutStartSrcAddr FcAddressIdOrZero, 8867 t11FcSpSaTSelNegOutEndSrcAddr FcAddressIdOrZero, 8868 t11FcSpSaTSelNegOutStartDstAddr FcAddressIdOrZero, 8869 t11FcSpSaTSelNegOutEndDstAddr FcAddressIdOrZero, 8870 t11FcSpSaTSelNegOutStartRCtl T11FcRoutingControl, 8871 t11FcSpSaTSelNegOutEndRCtl T11FcRoutingControl, 8872 t11FcSpSaTSelNegOutStartType T11FcSpType, 8873 t11FcSpSaTSelNegOutEndType T11FcSpType 8874 } 8876 t11FcSpSaTSelNegOutPrecedence OBJECT-TYPE 8877 SYNTAX T11FcSpPrecedence 8878 MAX-ACCESS not-accessible 8879 STATUS current 8880 DESCRIPTION 8881 "The precedence of this Traffic Selector. If and when a 8882 frame is compared against multiple Traffic Selectors, and 8883 multiple of them have a match with the frame, the security 8884 action to be taken for the frame is that specified for the 8885 matching Traffic Selector having the numerically smallest 8886 precedence value." 8887 ::= { t11FcSpSaTSelNegOutEntry 1 } 8889 t11FcSpSaTSelNegOutInboundSpi OBJECT-TYPE 8890 SYNTAX T11FcSpiIndex 8891 MAX-ACCESS read-only 8892 STATUS current 8893 DESCRIPTION 8894 "The SPI of the ingress SA of the SA pair for which this 8895 Traffic Selector is in use on the egress SA. 8897 This value can be used to find the SA pair's row in the 8898 t11FcSpSaPairTable." 8899 ::= { t11FcSpSaTSelNegOutEntry 2 } 8901 t11FcSpSaTSelNegOutStartSrcAddr OBJECT-TYPE 8902 SYNTAX FcAddressIdOrZero (SIZE (3)) 8903 MAX-ACCESS read-only 8904 STATUS current 8905 DESCRIPTION 8906 "The numerically smallest 24-bit value of a source address 8907 (S_ID) of a frame which will match with this Traffic 8908 Selector." 
8909 ::= { t11FcSpSaTSelNegOutEntry 3 } 8911 t11FcSpSaTSelNegOutEndSrcAddr OBJECT-TYPE 8912 SYNTAX FcAddressIdOrZero (SIZE (3)) 8913 MAX-ACCESS read-only 8914 STATUS current 8915 DESCRIPTION 8916 "The numerically largest 24-bit value of a source address 8917 (S_ID) of a frame which will match with this Traffic 8918 Selector." 8919 ::= { t11FcSpSaTSelNegOutEntry 4 } 8921 t11FcSpSaTSelNegOutStartDstAddr OBJECT-TYPE 8922 SYNTAX FcAddressIdOrZero (SIZE (3)) 8923 MAX-ACCESS read-only 8924 STATUS current 8925 DESCRIPTION 8926 "The numerically smallest 24-bit value of a destination 8927 address (D_ID) of a frame which will match with this 8928 Traffic Selector." 8929 ::= { t11FcSpSaTSelNegOutEntry 5 } 8931 t11FcSpSaTSelNegOutEndDstAddr OBJECT-TYPE 8932 SYNTAX FcAddressIdOrZero (SIZE (3)) 8933 MAX-ACCESS read-only 8934 STATUS current 8935 DESCRIPTION 8936 "The numerically largest 24-bit value of a destination 8937 address (D_ID) of a frame which will match with this 8938 Traffic Selector." 8939 ::= { t11FcSpSaTSelNegOutEntry 6 } 8941 t11FcSpSaTSelNegOutStartRCtl OBJECT-TYPE 8942 SYNTAX T11FcRoutingControl 8943 MAX-ACCESS read-only 8944 STATUS current 8945 DESCRIPTION 8946 "The numerically smallest 8-bit value contained within a 8947 Routing Control (R_CTL) field of a frame which will match 8948 with this Traffic Selector." 8949 ::= { t11FcSpSaTSelNegOutEntry 7 } 8951 t11FcSpSaTSelNegOutEndRCtl OBJECT-TYPE 8952 SYNTAX T11FcRoutingControl 8953 MAX-ACCESS read-only 8954 STATUS current 8955 DESCRIPTION 8956 "The numerically largest 8-bit value contained within a 8957 Routing Control (R_CTL) field of a frame which will match 8958 with this Traffic Selector." 8959 ::= { t11FcSpSaTSelNegOutEntry 8 } 8961 t11FcSpSaTSelNegOutStartType OBJECT-TYPE 8962 SYNTAX T11FcSpType 8963 MAX-ACCESS read-only 8964 STATUS current 8965 DESCRIPTION 8966 "The numerically smallest of a range of possible 'type' 8967 values of frames which will match with this Traffic 8968 Selector." 
8969 ::= { t11FcSpSaTSelNegOutEntry 9 } 8971 t11FcSpSaTSelNegOutEndType OBJECT-TYPE 8972 SYNTAX T11FcSpType 8973 MAX-ACCESS read-only 8974 STATUS current 8975 DESCRIPTION 8976 "The numerically largest of a range of possible 'type' 8977 values of frames which will match with this Traffic 8978 Selector." 8979 ::= { t11FcSpSaTSelNegOutEntry 10 } 8981 -- 8982 -- Traffic Selectors index-ed by SPI 8983 -- 8985 t11FcSpSaTSelSpiTable OBJECT-TYPE 8986 SYNTAX SEQUENCE OF T11FcSpSaTSelSpiEntry 8987 MAX-ACCESS not-accessible 8988 STATUS current 8989 DESCRIPTION 8990 "A table identifying the Traffic Selectors in use on 8991 particular Security Associations, index-ed by their 8992 (ingress) SPI values." 8993 ::= { t11FcSpSaActive 4 } 8995 t11FcSpSaTSelSpiEntry OBJECT-TYPE 8996 SYNTAX T11FcSpSaTSelSpiEntry 8997 MAX-ACCESS not-accessible 8998 STATUS current 8999 DESCRIPTION 9000 "Each entry identifies one Traffic Selector in use on an SA 9001 pair on the interface (identified by t11FcSpSaPairIfIndex) 9002 to a particular Fabric (identified by 9003 t11FcSpSaIfFabricIndex), and managed as part of the Fibre 9004 Channel management instance identified by fcmInstanceIndex." 9005 INDEX { fcmInstanceIndex, t11FcSpSaPairIfIndex, 9006 t11FcSpSaIfFabricIndex, 9007 t11FcSpSaTSelSpiInboundSpi, t11FcSpSaTSelSpiTrafSelIndex } 9009 ::= { t11FcSpSaTSelSpiTable 1 } 9011 T11FcSpSaTSelSpiEntry ::= SEQUENCE { 9012 t11FcSpSaTSelSpiInboundSpi T11FcSpiIndex, 9013 t11FcSpSaTSelSpiTrafSelIndex Unsigned32, 9014 t11FcSpSaTSelSpiDirection INTEGER, 9015 t11FcSpSaTSelSpiTrafSelPtr Unsigned32 9016 } 9018 t11FcSpSaTSelSpiInboundSpi OBJECT-TYPE 9019 SYNTAX T11FcSpiIndex 9020 MAX-ACCESS not-accessible 9021 STATUS current 9022 DESCRIPTION 9023 "An SPI value which identifies the ingress Security 9024 Association of a particular SA pair." 
9025 ::= { t11FcSpSaTSelSpiEntry 1 } 9027 t11FcSpSaTSelSpiTrafSelIndex OBJECT-TYPE 9028 SYNTAX Unsigned32 9029 MAX-ACCESS not-accessible 9030 STATUS current 9031 DESCRIPTION 9032 "An index value which distinguishes between the 9033 (potentially multiple) Traffic Selectors in use on 9034 this Security Association pair." 9035 ::= { t11FcSpSaTSelSpiEntry 2 } 9037 t11FcSpSaTSelSpiDirection OBJECT-TYPE 9038 SYNTAX T11FcSaDirection 9039 MAX-ACCESS read-only 9040 STATUS current 9041 DESCRIPTION 9042 "This object indicates whether this Traffic Selector 9043 is being used for ingress or for egress traffic." 9044 ::= { t11FcSpSaTSelSpiEntry 3 } 9046 t11FcSpSaTSelSpiTrafSelPtr OBJECT-TYPE 9047 SYNTAX Unsigned32 9048 MAX-ACCESS read-only 9049 STATUS current 9050 DESCRIPTION 9051 "This object contains a pointer into another table which 9052 can be used to obtain more information about this Traffic 9053 Selector. 9055 If the corresponding instance of t11FcSpSaTSelSpiDirection 9056 has the value 'egress', then this object contains the 9057 value of t11FcSpSaTSelNegOutPrecedence in the row of 9058 t11FcSpSaTSelNegOutTable which contains more information. 9060 If the corresponding instance of t11FcSpSaTSelSpiDirection 9061 has the value 'ingress', then this object contains the 9062 value of t11FcSpSaTSelNegInIndex which identifies the row 9063 in t11FcSpSaTSelNegInTable containing more information." 9064 ::= { t11FcSpSaTSelSpiEntry 4 } 9066 -- 9067 -- Notification information & control 9068 -- 9070 t11FcSpSaControlTable OBJECT-TYPE 9071 SYNTAX SEQUENCE OF T11FcSpSaControlEntry 9072 MAX-ACCESS not-accessible 9073 STATUS current 9074 DESCRIPTION 9075 "A table of control and other information concerning 9076 the generation of notifications for events related 9077 to FC-SP Security Associations." 
9078 ::= { t11FcSpSaControl 1 } 9080 t11FcSpSaControlEntry OBJECT-TYPE 9081 SYNTAX T11FcSpSaControlEntry 9082 MAX-ACCESS not-accessible 9083 STATUS current 9084 DESCRIPTION 9085 "Each entry identifies information for the one or more 9086 interfaces (identified by t11FcSpSaIfIndex) to a 9087 particular Fabric (identified by t11FcSpSaIfFabricIndex), 9088 and managed as part of the Fibre Channel management 9089 instance identified by fcmInstanceIndex. 9091 The StorageType of a row in this table is specified by 9092 the instance of t11FcSpSaIfStorageType which is INDEX-ed 9093 by the same values of fcmInstanceIndex, t11FcSpSaIfIndex 9094 and t11FcSpSaIfFabricIndex." 9095 INDEX { fcmInstanceIndex, t11FcSpSaIfIndex, 9096 t11FcSpSaIfFabricIndex } 9097 ::= { t11FcSpSaControlTable 1 } 9099 T11FcSpSaControlEntry ::= SEQUENCE { 9100 t11FcSpSaControlAuthFailEnable TruthValue, 9101 t11FcSpSaControlInboundSpi T11FcSpiIndex, 9102 t11FcSpSaControlSource FcAddressIdOrZero, 9103 t11FcSpSaControlDestination FcAddressIdOrZero, 9104 t11FcSpSaControlFrame OCTET STRING, 9105 t11FcSpSaControlElapsed TimeTicks, 9106 t11FcSpSaControlSuppressed Gauge32, 9107 t11FcSpSaControlWindow Unsigned32, 9108 t11FcSpSaControlLifeExcdEnable TruthValue, 9109 t11FcSpSaControlLifeExcdSpi T11FcSpiIndex, 9110 t11FcSpSaControlLifeExcdDir T11FcSaDirection, 9111 t11FcSpSaControlLifeExcdTime TimeStamp 9112 } 9114 t11FcSpSaControlAuthFailEnable OBJECT-TYPE 9115 SYNTAX TruthValue 9116 MAX-ACCESS read-write 9117 STATUS current 9118 DESCRIPTION 9119 "This object specifies whether a t11FcSpSaNotifyAuthFailure 9120 notification should be generated for the first occurrence 9121 of an Authentication failure within a time window for this 9122 Fabric." 
9123 ::= { t11FcSpSaControlEntry 1 } 9125 t11FcSpSaControlInboundSpi OBJECT-TYPE 9126 SYNTAX T11FcSpiIndex 9127 MAX-ACCESS read-only 9128 STATUS current 9129 DESCRIPTION 9130 "The SPI value of the ingress Security Association on 9131 which was received the last frame for which a 9132 t11FcSpSaNotifyAuthFailure was generated. 9134 If no t11FcSpSaNotifyAuthFailure notifications have 9135 been generated, the value of this object is zero." 9136 ::= { t11FcSpSaControlEntry 2 } 9138 t11FcSpSaControlSource OBJECT-TYPE 9139 SYNTAX FcAddressIdOrZero 9140 MAX-ACCESS read-only 9141 STATUS current 9142 DESCRIPTION 9143 "The S_ID contained in the last frame for which a 9144 t11FcSpSaNotifyAuthFailure was generated. 9146 If no t11FcSpSaNotifyAuthFailure notifications have 9147 been generated, the value of this object is the 9148 zero-length string." 9149 ::= { t11FcSpSaControlEntry 3 } 9151 t11FcSpSaControlDestination OBJECT-TYPE 9152 SYNTAX FcAddressIdOrZero 9153 MAX-ACCESS read-only 9154 STATUS current 9155 DESCRIPTION 9156 "The D_ID contained in the last frame for which a 9157 t11FcSpSaNotifyAuthFailure was generated. 9159 If no t11FcSpSaNotifyAuthFailure notifications have 9160 been generated, the value of this object is the 9161 zero-length string." 9162 ::= { t11FcSpSaControlEntry 4 } 9164 t11FcSpSaControlFrame OBJECT-TYPE 9165 SYNTAX OCTET STRING (SIZE (0..256)) 9166 MAX-ACCESS read-only 9167 STATUS current 9168 DESCRIPTION 9169 "The binary content of the last frame for which a 9170 t11FcSpSaNotifyAuthFailure was generated. If more than 9171 256 bytes of the frame are available, then this object 9172 contains the first 256 bytes. If less than 256 bytes of 9173 the frame are available, then this object contains the 9174 first N bytes, where N is greater than or equal to zero. 9176 If no t11FcSpSaNotifyAuthFailure notifications have 9177 been generated, the value of this object is the 9178 zero-length string." 
9179 ::= { t11FcSpSaControlEntry 5 } 9181 t11FcSpSaControlElapsed OBJECT-TYPE 9182 SYNTAX TimeTicks 9183 MAX-ACCESS read-only 9184 STATUS current 9185 DESCRIPTION 9186 "The elapsed time since the last generation of a 9187 t11FcSpSaNotifyAuthFailure notification on the same 9188 Fabric, or the value of sysUpTime if no 9189 t11FcSpSaNotifyAuthFailure notifications have been 9190 generated since the last restart." 9191 ::= { t11FcSpSaControlEntry 6 } 9193 t11FcSpSaControlSuppressed OBJECT-TYPE 9194 SYNTAX Gauge32 9195 MAX-ACCESS read-only 9196 STATUS current 9197 DESCRIPTION 9198 "The number of occurrences of an Authentication failure 9199 on a Fabric which were suppressed because they occurred 9200 on the same Fabric within the same time window as a 9201 previous Authentication failure for which a 9202 t11FcSpSaNotifyAuthFailure notification was generated. 9204 The value of this object is reset to zero on a restart 9205 of the network management subsystem, and whenever a 9206 t11FcSpSaNotifyAuthFailure notification is generated. 9207 In the event that the value of this object reaches its 9208 maximum value, it remains at that value until it is 9209 reset on the generation of the next 9210 t11FcSpSaNotifyAuthFailure notification." 9211 ::= { t11FcSpSaControlEntry 7 } 9213 t11FcSpSaControlWindow OBJECT-TYPE 9214 SYNTAX Unsigned32 9215 UNITS "seconds" 9216 MAX-ACCESS read-write 9217 STATUS current 9218 DESCRIPTION 9219 "The length of a time window which begins when a 9220 t11FcSpSaNotifyAuthFailure notification is generated. 9221 Subsequent Authentication failures occurring on the 9222 same Fabric in the same time window are counted but no 9223 t11FcSpSaNotifyAuthFailure notification is generated. 9225 When this object is modified before the end of a time 9226 window, that time window is immediately terminated, i.e., 9227 the next Authentication failure on the relevant Fabric 9228 after the modification will cause a new time window to 9229 begin with the new length." 
9230 DEFVAL { 300 } 9231 ::= { t11FcSpSaControlEntry 8 } 9233 t11FcSpSaControlLifeExcdEnable OBJECT-TYPE 9234 SYNTAX TruthValue 9235 MAX-ACCESS read-write 9236 STATUS current 9237 DESCRIPTION 9238 "This object specifies whether t11FcSpSaNotifyLifeExceeded 9239 notifications should be generated for this Fabric." 9240 DEFVAL { true } 9241 ::= { t11FcSpSaControlEntry 9 } 9243 t11FcSpSaControlLifeExcdSpi OBJECT-TYPE 9244 SYNTAX T11FcSpiIndex 9245 MAX-ACCESS read-only 9246 STATUS current 9247 DESCRIPTION 9248 "The SPI of the SA which was most recently terminated 9249 because its lifetime (in seconds or in passed bytes) 9250 was exceeded. Such terminations include those due to 9251 a failed attempt to renew an SA after its lifetime was 9252 exceeded." 9253 ::= { t11FcSpSaControlEntry 10 } 9255 t11FcSpSaControlLifeExcdDir OBJECT-TYPE 9256 SYNTAX T11FcSaDirection 9257 MAX-ACCESS read-only 9258 STATUS current 9259 DESCRIPTION 9260 "The direction of frame transmission on the SA which was 9261 most recently terminated because its lifetime (in seconds 9262 or in passed bytes) was exceeded." 9263 ::= { t11FcSpSaControlEntry 11 } 9265 t11FcSpSaControlLifeExcdTime OBJECT-TYPE 9266 SYNTAX TimeStamp 9267 MAX-ACCESS read-only 9268 STATUS current 9269 DESCRIPTION 9270 "The time of the most recent termination of an SA 9271 due to its lifetime (in seconds or in passed bytes) 9272 being exceeded. Such terminations include those 9273 due to a failed attempt to renew an SA after its 9274 lifetime was exceeded." 
9275 ::= { t11FcSpSaControlEntry 12 } 9277 -- 9278 -- Notification definitions 9279 -- 9281 t11FcSpSaNotifyAuthFailure NOTIFICATION-TYPE 9282 OBJECTS { t11FcSpSaControlInboundSpi, 9283 t11FcSpSaControlSource, 9284 t11FcSpSaControlDestination, 9285 t11FcSpSaControlFrame, 9286 t11FcSpSaControlElapsed, 9287 t11FcSpSaControlSuppressed } 9288 STATUS current 9289 DESCRIPTION 9290 "When this notification is generated, it indicates the 9291 occurrence of an Authentication failure for a received 9292 FC-2 or CT_IU frame. The t11FcSpSaControlInboundSpi, 9293 t11FcSpSaControlSource and t11FcSpSaControlDestination 9294 objects in the varbindlist are the frame's SPI, source and 9295 destination addresses, respectively. t11FcSpSaControlFrame 9296 provides the (beginning of the) frame's content if such is 9297 available. 9299 This notification is generated only for the first 9300 occurrence of an Authentication failure on a Fabric within 9301 a time window. Subsequent occurrences of an Authentication 9302 Failure on the same Fabric within the same time window 9303 are counted but suppressed. 9305 The value of t11FcSpSaControlElapsed contains (a lower bound 9306 on) the elapsed time since the last generation of this 9307 notification for the same Fabric. The value of 9308 t11FcSpSaControlSuppressed contains the number of 9309 generations which were suppressed in the time window after 9310 that last generation, or zero if unknown." 9311 ::= { t11FcSpSaMIBNotifications 1 } 9313 t11FcSpSaNotifyLifeExceeded NOTIFICATION-TYPE 9314 OBJECTS { t11FcSpSaControlLifeExcdSpi, 9315 t11FcSpSaControlLifeExcdDir } 9316 STATUS current 9317 DESCRIPTION 9318 "This notification is generated when the lifetime (in 9319 seconds or in passed bytes) of an SA is exceeded, and the 9320 SA is either immediately terminated or is terminated 9321 because an attempt to renew the SA fails. 
The values of 9322 t11FcSpSaControlLifeExcdSpi and t11FcSpSaControlLifeExcdDir 9323 contain the SPI and direction of the terminated SA." 9324 ::= { t11FcSpSaMIBNotifications 2 } 9326 -- 9327 -- Conformance 9328 -- 9330 t11FcSpSaMIBCompliances 9331 OBJECT IDENTIFIER ::= { t11FcSpSaMIBConformance 1 } 9332 t11FcSpSaMIBGroups OBJECT IDENTIFIER ::= { t11FcSpSaMIBConformance 2 } 9334 t11FcSpSaMIBCompliance MODULE-COMPLIANCE 9335 STATUS current 9336 DESCRIPTION 9337 "The compliance statement for entities which implement 9338 FC-SP Security Associations." 9340 MODULE -- this module 9341 MANDATORY-GROUPS 9342 { t11FcSpSaCapabilityGroup, 9343 t11FcSpSaParamStatusGroup, 9344 t11FcSpSaSummaryCountGroup, 9345 t11FcSpSaProposalGroup, 9346 t11FcSpSaDropBypassGroup, 9347 t11FcSpSaActiveGroup, 9348 t11FcSpSaNotifInfoGroup, 9349 t11FcSpSaNotificationGroup 9350 } 9352 -- The following is an auxiliary (listed in an INDEX clause) 9353 -- object for which the SMIv2 does not allow an OBJECT clause 9354 -- to be specified, but for which this MIB has the following 9355 -- compliance requirement: 9356 -- OBJECT t11FcSpSaIfIndex 9357 -- DESCRIPTION 9358 -- Compliance requires support for either one of: 9359 -- - individual interfaces using ifIndex values, or 9360 -- - the use of the zero value. 9362 -- Write access is not required for any objects in this MIB module: 9364 OBJECT t11FcSpSaIfStorageType 9365 MIN-ACCESS read-only 9366 DESCRIPTION "Write access is not required." 9368 OBJECT t11FcSpSaIfReplayPrevention 9369 MIN-ACCESS read-only 9370 DESCRIPTION "Write access is not required." 9372 OBJECT t11FcSpSaIfReplayWindowSize 9373 MIN-ACCESS read-only 9374 DESCRIPTION "Write access is not required." 9376 OBJECT t11FcSpSaIfTerminateAllSas 9377 MIN-ACCESS read-only 9378 DESCRIPTION "Write access is not required." 9380 OBJECT t11FcSpSaPropSecurityProt 9381 MIN-ACCESS read-only 9382 DESCRIPTION "Write access is not required." 
9384 OBJECT t11FcSpSaPropTSelListIndex 9385 MIN-ACCESS read-only 9386 DESCRIPTION "Write access is not required." 9388 OBJECT t11FcSpSaPropTransListIndex 9389 MIN-ACCESS read-only 9390 DESCRIPTION "Write access is not required." 9392 OBJECT t11FcSpSaPropAcceptAlgorithm 9393 MIN-ACCESS read-only 9394 DESCRIPTION "Write access is not required." 9396 OBJECT t11FcSpSaPropRowStatus 9397 MIN-ACCESS read-only 9398 DESCRIPTION "Write access is not required." 9400 OBJECT t11FcSpSaTSelPropDirection 9401 MIN-ACCESS read-only 9402 DESCRIPTION "Write access is not required." 9404 OBJECT t11FcSpSaTSelPropPrecedence 9405 MIN-ACCESS read-only 9406 DESCRIPTION "Write access is not required." 9408 OBJECT t11FcSpSaTSelPropStartSrcAddr 9409 MIN-ACCESS read-only 9410 DESCRIPTION "Write access is not required." 9411 OBJECT t11FcSpSaTSelPropEndSrcAddr 9412 MIN-ACCESS read-only 9413 DESCRIPTION "Write access is not required." 9415 OBJECT t11FcSpSaTSelPropStartDstAddr 9416 MIN-ACCESS read-only 9417 DESCRIPTION "Write access is not required." 9419 OBJECT t11FcSpSaTSelPropEndDstAddr 9420 MIN-ACCESS read-only 9421 DESCRIPTION "Write access is not required." 9423 OBJECT t11FcSpSaTSelPropStartRCtl 9424 MIN-ACCESS read-only 9425 DESCRIPTION "Write access is not required." 9427 OBJECT t11FcSpSaTSelPropEndRCtl 9428 MIN-ACCESS read-only 9429 DESCRIPTION "Write access is not required." 9431 OBJECT t11FcSpSaTSelPropStartType 9432 MIN-ACCESS read-only 9433 DESCRIPTION "Write access is not required." 9435 OBJECT t11FcSpSaTSelPropEndType 9436 MIN-ACCESS read-only 9437 DESCRIPTION "Write access is not required." 9439 OBJECT t11FcSpSaTSelPropRowStatus 9440 MIN-ACCESS read-only 9441 DESCRIPTION "Write access is not required." 9443 OBJECT t11FcSpSaTransSecurityProt 9444 MIN-ACCESS read-only 9445 DESCRIPTION "Write access is not required." 9447 OBJECT t11FcSpSaTransEncryptAlg 9448 MIN-ACCESS read-only 9449 DESCRIPTION "Write access is not required." 
9451 OBJECT t11FcSpSaTransEncryptKeyLen 9452 MIN-ACCESS read-only 9453 DESCRIPTION "Write access is not required." 9455 OBJECT t11FcSpSaTransIntegrityAlg 9456 MIN-ACCESS read-only 9457 DESCRIPTION "Write access is not required." 9459 OBJECT t11FcSpSaTransRowStatus 9460 MIN-ACCESS read-only 9461 DESCRIPTION "Write access is not required." 9463 OBJECT t11FcSpSaTSelDrByAction 9464 MIN-ACCESS read-only 9465 DESCRIPTION "Write access is not required." 9467 OBJECT t11FcSpSaTSelDrByStartSrcAddr 9468 MIN-ACCESS read-only 9469 DESCRIPTION "Write access is not required." 9471 OBJECT t11FcSpSaTSelDrByEndSrcAddr 9472 MIN-ACCESS read-only 9473 DESCRIPTION "Write access is not required." 9475 OBJECT t11FcSpSaTSelDrByStartDstAddr 9476 MIN-ACCESS read-only 9477 DESCRIPTION "Write access is not required." 9479 OBJECT t11FcSpSaTSelDrByEndDstAddr 9480 MIN-ACCESS read-only 9481 DESCRIPTION "Write access is not required." 9483 OBJECT t11FcSpSaTSelDrByStartRCtl 9484 MIN-ACCESS read-only 9485 DESCRIPTION "Write access is not required." 9487 OBJECT t11FcSpSaTSelDrByEndRCtl 9488 MIN-ACCESS read-only 9489 DESCRIPTION "Write access is not required." 9491 OBJECT t11FcSpSaTSelDrByStartType 9492 MIN-ACCESS read-only 9493 DESCRIPTION "Write access is not required." 9495 OBJECT t11FcSpSaTSelDrByEndType 9496 MIN-ACCESS read-only 9497 DESCRIPTION "Write access is not required." 9499 OBJECT t11FcSpSaTSelDrByRowStatus 9500 MIN-ACCESS read-only 9501 DESCRIPTION "Write access is not required." 9503 OBJECT t11FcSpSaPairTerminate 9504 MIN-ACCESS read-only 9505 DESCRIPTION "Write access is not required." 9507 OBJECT t11FcSpSaControlAuthFailEnable 9508 MIN-ACCESS read-only 9509 DESCRIPTION "Write access is not required." 9511 OBJECT t11FcSpSaControlWindow 9512 MIN-ACCESS read-only 9513 DESCRIPTION "Write access is not required." 9515 OBJECT t11FcSpSaControlLifeExcdEnable 9516 MIN-ACCESS read-only 9517 DESCRIPTION "Write access is not required." 
9519 ::= { t11FcSpSaMIBCompliances 1 } 9521 -- Units of Conformance 9523 t11FcSpSaCapabilityGroup OBJECT-GROUP 9524 OBJECTS { t11FcSpSaIfEspHeaderCapab, 9525 t11FcSpSaIfCTAuthCapab, 9526 t11FcSpSaIfIKEv2Capab, 9527 t11FcSpSaIfIkev2AuthCapab 9528 } 9529 STATUS current 9530 DESCRIPTION 9531 "A collection of objects containing information 9532 related to capabilities of FC-SP entities." 9533 ::= { t11FcSpSaMIBGroups 1 } 9535 t11FcSpSaParamStatusGroup OBJECT-GROUP 9536 OBJECTS { t11FcSpSaIfStorageType, 9537 t11FcSpSaIfReplayPrevention, 9538 t11FcSpSaIfReplayWindowSize, 9539 t11FcSpSaIfDeadPeerDetections, 9540 t11FcSpSaIfTerminateAllSas 9541 } 9542 STATUS current 9543 DESCRIPTION 9544 "A collection of objects containing parameters 9545 and status information related to FC-SP entities." 9547 ::= { t11FcSpSaMIBGroups 2 } 9549 t11FcSpSaSummaryCountGroup OBJECT-GROUP 9550 OBJECTS { t11FcSpSaIfOutDrops, 9551 t11FcSpSaIfOutBypasses, 9552 t11FcSpSaIfOutProcesses, 9553 t11FcSpSaIfOutUnMatcheds, 9554 t11FcSpSaIfInUnprotUnmtchDrops, 9555 t11FcSpSaIfInDetReplays, 9556 t11FcSpSaIfInUnprotMtchDrops, 9557 t11FcSpSaIfInBadXforms, 9558 t11FcSpSaIfInGoodXforms, 9559 t11FcSpSaIfInProtUnmtchs 9560 } 9561 STATUS current 9562 DESCRIPTION 9563 "A collection of objects containing summary 9564 counters for FC-SP Security Associations." 
9565 ::= { t11FcSpSaMIBGroups 3 } 9567 t11FcSpSaProposalGroup OBJECT-GROUP 9568 OBJECTS { t11FcSpSaPropSecurityProt, 9569 t11FcSpSaPropTSelListIndex, 9570 t11FcSpSaPropTransListIndex, 9571 t11FcSpSaPropAcceptAlgorithm, 9572 t11FcSpSaPropOutMatchSucceeds, 9573 t11FcSpSaPropRowStatus, 9574 t11FcSpSaTSelPropDirection, 9575 t11FcSpSaTSelPropPrecedence, 9576 t11FcSpSaTSelPropStartSrcAddr, 9577 t11FcSpSaTSelPropEndSrcAddr, 9578 t11FcSpSaTSelPropStartDstAddr, 9579 t11FcSpSaTSelPropEndDstAddr, 9580 t11FcSpSaTSelPropStartRCtl, 9581 t11FcSpSaTSelPropEndRCtl, 9582 t11FcSpSaTSelPropStartType, 9583 t11FcSpSaTSelPropEndType, 9584 t11FcSpSaTSelPropRowStatus 9585 } 9586 STATUS current 9587 DESCRIPTION 9588 "A collection of objects containing information 9589 related to making and accepting proposals for 9590 FC-SP Security Associations." 9591 ::= { t11FcSpSaMIBGroups 4 } 9593 t11FcSpSaDropBypassGroup OBJECT-GROUP 9594 OBJECTS { t11FcSpSaTSelDrByAction, 9595 t11FcSpSaTSelDrByStartSrcAddr, 9596 t11FcSpSaTSelDrByEndSrcAddr, 9597 t11FcSpSaTSelDrByStartDstAddr, 9598 t11FcSpSaTSelDrByEndDstAddr, 9599 t11FcSpSaTSelDrByStartRCtl, 9600 t11FcSpSaTSelDrByEndRCtl, 9601 t11FcSpSaTSelDrByStartType, 9602 t11FcSpSaTSelDrByEndType, 9603 t11FcSpSaTSelDrByMatches, 9604 t11FcSpSaTSelDrByRowStatus 9605 } 9606 STATUS current 9607 DESCRIPTION 9608 "A collection of objects containing information 9609 about Traffic Selectors of traffic to drop or bypass 9610 for FC-SP Security." 
9611 ::= { t11FcSpSaMIBGroups 5 } 9613 t11FcSpSaActiveGroup OBJECT-GROUP 9614 OBJECTS { t11FcSpSaPairSecurityProt, 9615 t11FcSpSaPairTransListIndex, 9616 t11FcSpSaPairTransIndex, 9617 t11FcSpSaPairLifetimeLeft, 9618 t11FcSpSaPairLifetimeLeftUnits, 9619 t11FcSpSaPairTerminate, 9620 t11FcSpSaPairInProtUnMatchs, 9621 t11FcSpSaPairInDetReplays, 9622 t11FcSpSaPairInBadXforms, 9623 t11FcSpSaPairInGoodXforms, 9624 t11FcSpSaTransSecurityProt, 9625 t11FcSpSaTransEncryptAlg, 9626 t11FcSpSaTransEncryptKeyLen, 9627 t11FcSpSaTransIntegrityAlg, 9628 t11FcSpSaTransRowStatus, 9629 t11FcSpSaTSelNegInInboundSpi, 9630 t11FcSpSaTSelNegInStartSrcAddr, 9631 t11FcSpSaTSelNegInEndSrcAddr, 9632 t11FcSpSaTSelNegInStartDstAddr, 9633 t11FcSpSaTSelNegInEndDstAddr, 9634 t11FcSpSaTSelNegInStartRCtl, 9635 t11FcSpSaTSelNegInEndRCtl, 9636 t11FcSpSaTSelNegInStartType, 9637 t11FcSpSaTSelNegInEndType, 9638 t11FcSpSaTSelNegInUnpMtchDrops, 9639 t11FcSpSaTSelNegOutInboundSpi, 9640 t11FcSpSaTSelNegOutStartSrcAddr, 9641 t11FcSpSaTSelNegOutEndSrcAddr, 9642 t11FcSpSaTSelNegOutStartDstAddr, 9643 t11FcSpSaTSelNegOutEndDstAddr, 9644 t11FcSpSaTSelNegOutStartRCtl, 9645 t11FcSpSaTSelNegOutEndRCtl, 9646 t11FcSpSaTSelNegOutStartType, 9647 t11FcSpSaTSelNegOutEndType, 9648 t11FcSpSaTSelSpiDirection, 9649 t11FcSpSaTSelSpiTrafSelPtr 9650 } 9651 STATUS current 9652 DESCRIPTION 9653 "A collection of objects containing information related 9654 to currently active FC-SP Security Associations." 
9655 ::= { t11FcSpSaMIBGroups 6 } 9657 t11FcSpSaNotifInfoGroup OBJECT-GROUP 9658 OBJECTS { t11FcSpSaControlAuthFailEnable, 9659 t11FcSpSaControlInboundSpi, 9660 t11FcSpSaControlSource, 9661 t11FcSpSaControlDestination, 9662 t11FcSpSaControlFrame, 9663 t11FcSpSaControlElapsed, 9664 t11FcSpSaControlSuppressed, 9665 t11FcSpSaControlWindow, 9666 t11FcSpSaControlLifeExcdEnable, 9667 t11FcSpSaControlLifeExcdSpi, 9668 t11FcSpSaControlLifeExcdDir, 9669 t11FcSpSaControlLifeExcdTime 9670 } 9671 STATUS current 9672 DESCRIPTION 9673 "A collection of objects containing information 9674 related to notifications of events concerning 9675 FC-SP Security Associations." 9676 ::= { t11FcSpSaMIBGroups 7 } 9678 t11FcSpSaNotificationGroup NOTIFICATION-GROUP 9679 NOTIFICATIONS { t11FcSpSaNotifyAuthFailure, 9680 t11FcSpSaNotifyLifeExceeded 9681 } 9682 STATUS current 9683 DESCRIPTION 9684 "A collection of notifications of events concerning 9685 FC-SP Security Associations." 9686 ::= { t11FcSpSaMIBGroups 8 } 9688 END 9689 6.6. The T11-FC-SP-CERTS-MIB Module 9691 --******************************************************************* 9692 -- FC-SP Certificate Information 9693 -- 9695 T11-FC-SP-CERTS-MIB DEFINITIONS ::= BEGIN 9697 IMPORTS 9698 MODULE-IDENTITY, OBJECT-TYPE, 9699 mib-2, Unsigned32 9700 FROM SNMPv2-SMI -- [RFC2578] 9701 MODULE-COMPLIANCE, 9702 OBJECT-GROUP FROM SNMPv2-CONF -- [RFC2580] 9703 SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411] 9704 fcmInstanceIndex FROM FC-MGMT-MIB -- [RFC4044] 9705 T11FabricIndex FROM T11-TC-MIB -- [RFC4439] 9706 t11FcSpAuEntityName FROM T11-FC-SP-AUTHENTICATION-MIB; 9708 t11FcSpCertsMIB MODULE-IDENTITY 9709 LAST-UPDATED "200702190000Z" 9710 ORGANIZATION "T11" 9711 CONTACT-INFO 9712 " Claudio DeSanti 9713 Cisco Systems, Inc. 9714 170 West Tasman Drive 9715 San Jose, CA 95134 USA 9716 EMail: cds@cisco.com 9718 Keith McCloghrie 9719 Cisco Systems, Inc. 
9720 170 West Tasman Drive 9721 San Jose, CA 95134 USA 9722 Email: kzm@cisco.com" 9723 DESCRIPTION 9724 "This MIB module defines management information specific to 9725 the use of certificates in conjunction with Fibre Channel's 9726 FC-SP specification. 9728 Since FC-SP leverages a subset of IPsec and IKEv2 (see RFC 9729 4595), a subset of the management information defined for 9730 the use of certificates with IPsec/IKEv2 is also applicable 9731 to FC-SP. Thus, this MIB module leverages RFC wwww and 9732 RFC xxxx for the management of certificates, CAs and CRLs. 9733 -- RFC Editor: replace wwww with actual RFC number for 9734 -- [IPSP-IPSEC-ACTION], and replace xxxx with actual RFC number for 9735 -- [IPSP-IKE-ACTION] & remove this note 9737 Specifically, the information defined in this MIB module 9738 consists of a pointer into the IPsec/IKEv2 MIB modules, 9739 plus minimal additional item(s) of information which are 9740 considered to be important in a Fibre Channel environment. 9742 Copyright (C) The IETF Trust (2007). This version 9743 of this MIB module is part of RFC yyyy; see the RFC 9744 itself for full legal notices." 9745 -- RFC Editor: replace yyyy with actual RFC number & remove this note 9746 REVISION "200702190000Z" 9747 DESCRIPTION 9748 "Initial version of this MIB module, published as RFCyyyy." 
9749 -- RFC-Editor, replace yyyy with actual RFC number & remove this note 9750 ::= { mib-2 nnn } -- to be assigned by IANA 9751 -- RFC Editor: replace nnn with IANA-assigned number & remove this note 9753 t11FcSpCertsMIBObjects OBJECT IDENTIFIER ::= { t11FcSpCertsMIB 1 } 9754 t11FcSpCertsMIBConformance OBJECT IDENTIFIER ::= { t11FcSpCertsMIB 2 } 9755 -- 9756 -- Certificate Information 9757 -- 9759 t11FcSpCertsTable OBJECT-TYPE 9760 SYNTAX SEQUENCE OF T11FcSpCertsEntry 9761 MAX-ACCESS not-accessible 9762 STATUS current 9763 DESCRIPTION 9764 "A table containing information on the use of certificates 9765 in FC-SP, including (but not limited to) the use of 9766 certificates with the Fibre Channel Certificate 9767 Authentication Protocol (FCAP) defined by FC-SP, or with 9768 FC-SP's use of IKEv2." 9769 ::= { t11FcSpCertsMIBObjects 1 } 9771 t11FcSpCertsEntry OBJECT-TYPE 9772 SYNTAX T11FcSpCertsEntry 9773 MAX-ACCESS not-accessible 9774 STATUS current 9775 DESCRIPTION 9776 "Each entry contains information related to one certificate 9777 for use by the FC-SP Authentication entity identified by 9778 t11FcSpAuEntityName, on a particular Fabric, which is managed 9779 as part of the Fibre Channel management instance identified 9780 by fcmInstanceIndex." 9781 INDEX { fcmInstanceIndex, t11FcSpAuEntityName, 9782 t11FcSpCertFabricIndex, t11FcSpCertIndex } 9783 ::= { t11FcSpCertsTable 1 } 9785 T11FcSpCertsEntry ::= SEQUENCE { 9786 t11FcSpCertFabricIndex T11FabricIndex, 9787 t11FcSpCertIndex Unsigned32, 9788 t11FcSpCertPointer SnmpAdminString, 9789 t11FcSpCertUsage INTEGER 9790 } 9792 t11FcSpCertFabricIndex OBJECT-TYPE 9793 SYNTAX T11FabricIndex 9794 MAX-ACCESS not-accessible 9795 STATUS current 9796 DESCRIPTION 9797 "An index value which uniquely identifies a particular 9798 Fabric where the certificate is available for use." 
9799 ::= { t11FcSpCertsEntry 1 }

9801 t11FcSpCertIndex OBJECT-TYPE
9802 SYNTAX Unsigned32
9803 MAX-ACCESS not-accessible
9804 STATUS current
9805 DESCRIPTION
9806 "This object distinguishes between the multiple certificates
9807 available for use with FC-SP on a particular Fabric."
9808 ::= { t11FcSpCertsEntry 2 }

9810 t11FcSpCertPointer OBJECT-TYPE
9811 SYNTAX SnmpAdminString (SIZE(0..32))
9812 MAX-ACCESS read-only
9813 STATUS current
9814 DESCRIPTION
9815 "This object contains the 'name' of a row in the
9816 ipsaCredentialTable, i.e., it points to the certificate which
9817 is represented by the row of the ipsaCredentialTable for
9818 which the value of ipsaCredName has the same value as the
9819 value of this object. Further information about the
9820 certificate is available in that row.

9822 If and when there is no row in the ipsaCredentialTable for
9823 this certificate, the value of this object is the zero-length
9824 string."
9825 ::= { t11FcSpCertsEntry 3 }

9827 t11FcSpCertUsage OBJECT-TYPE
9828 SYNTAX INTEGER {
9829 other(1),
9830 ownDefaultCert(2),
9831 ownCert(3),
9832 rootCert(4)
9833 }
9834 MAX-ACCESS read-only
9835 STATUS current
9836 DESCRIPTION
9837 "This object identifies how this certificate can be used:

9839 other -- none of the below;

9841 ownDefaultCert -- the certificate which the local entity
9842 uses as its default certificate; the local entity
9843 has at most one default certificate;

9845 ownCert -- a certificate which the local entity can use
9846 for itself, but which is not its default
9847 certificate;

9849 rootCert -- a root certificate.
9850 "
9851 ::= { t11FcSpCertsEntry 4 }

9853 --
9854 -- Conformance
9855 --

9857 t11FcSpCertMIBCompliances
9858 OBJECT IDENTIFIER ::= { t11FcSpCertsMIBConformance 1 }
9859 t11FcSpCertMIBGroups
9860 OBJECT IDENTIFIER ::= { t11FcSpCertsMIBConformance 2 }

9862 t11FcSpCertMIBCompliance MODULE-COMPLIANCE
9863 STATUS current
9864 DESCRIPTION
9865 "The compliance statement for entities which use
9866 certificates with FC-SP."

9868 MODULE -- this module
9869 MANDATORY-GROUPS
9870 { t11FcSpCertInfoGroup }

9872 ::= { t11FcSpCertMIBCompliances 1 }

9874 -- Units of Conformance

9876 t11FcSpCertInfoGroup OBJECT-GROUP
9877 OBJECTS {
9878 t11FcSpCertPointer,
9879 t11FcSpCertUsage
9880 }
9881 STATUS current
9882 DESCRIPTION
9883 "A collection of objects containing information
9884 related to certificates available for use with FC-SP."
9885 ::= { t11FcSpCertMIBGroups 1 }

9887 END

9889 7. Acknowledgements

9891 This document is initially being developed by the INCITS Task Group
9892 T11.5 (http://www.t11.org) as the SM-FSM project. We wish to
9893 acknowledge the contributions and comments from the INCITS Technical
9894 Committee T11, including the following:

9896 T11 Chair: Robert Snively, Brocade
9897 T11 Vice Chair: Claudio DeSanti, Cisco Systems
9898 T11.5 Chair: Roger Cummings, Symantec
9899 T11.5 members:
9900 David Black, EMC
9901 Don Fraser, HP
9902 Larry Hofer, Brocade
9903 Scott Kipp, Brocade
9904 Ralph Weber, ENDL

9906 After approval by T11, the document is expected to become a work item
9907 of the IETF's IMSS Working Group, chaired by David Black (EMC
9908 Corporation). We expect that we will also wish to acknowledge the
9909 IETF MIB Doctor (name to be supplied) as and when he/she reviews this
9910 document.

9912 8. Normative References

9914 [RFC2578]
9915 McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.
9916 and S. Waldbusser, "Structure of Management Information Version 2
9917 (SMIv2)", STD 58, RFC 2578, April 1999.

9919 [RFC2579]
9920 McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.
9921 and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC
9922 2579, April 1999.

9924 [RFC2580]
9925 McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.
9926 and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC
9927 2580, April 1999.

9929 [RFC2863]
9930 McCloghrie, K., and F. Kastenholz, "The Interfaces Group MIB", RFC
9931 2863, June 2000.

9933 [RFC3411]
9934 Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
9935 Describing Simple Network Management Protocol (SNMP) Management
9936 Frameworks", STD 58, RFC 3411, December 2002.

9938 [RFC4001]
9939 Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder,
9940 "Textual Conventions for Internet Network Addresses", RFC 4001,
9941 February 2005.

9943 [RFC4044]
9944 K. McCloghrie, "Fibre Channel Management MIB", RFC 4044, May 2005.

9946 [RFC4303]
9947 S. Kent, "IP Encapsulating Security Payload (ESP)", RFC 4303,
9948 December 2005.

9950 [RFC4306]
9951 C. Kaufman, "Internet Key Exchange (IKEv2) Protocol", RFC 4306,
9952 December 2005.

9954 [RFC4438]
9955 "Fibre-Channel Name Server MIB", DeSanti, C., Gaonkar, V., Vivek,
9956 H.K., McCloghrie, K., and S. Gai, RFC 4438, April 2006.

9958 [RFC4439]
9959 DeSanti, C., Gaonkar, V., McCloghrie, K., and S. Gai, "Fibre
9960 Channel Fabric Address Manager MIB", RFC 4439, March 2006.

9962 [FC-ZS-MIB]
9963 DeSanti, C., Vivek, H.K., McCloghrie, K., and S. Gai, "Fibre-
9964 Channel Zone Server MIB", draft-ietf-imss-fc-zs-mib-nn.txt, work-
9965 in-progress, January 2007.

9967 [IPSP-IKE-ACTION]
9968 Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec
9969 Security Policy IKE Action MIB", draft-ietf-ipsp-ikeaction-mib-
9970 nn.txt, work-in-progress, 19 October 2006.

9972 [IPSP-IPSEC-ACTION]
9973 Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec
9974 Security Policy IPsec Action MIB", draft-ietf-ipsp-ipsecaction-mib-
9975 nn.txt, work-in-progress, 19 October 2006.

9977 [FC-FS-2]
9978 "Fibre Channel - Framing and Signaling-2 (FC-FS-2)", ANSI INCITS
9979 424:2007, http://www.t11.org/t11/stat.nsf/upnum/1619-d, August
9980 2006.

9982 [FC-GS-5]
9983 "Fibre Channel - Generic Services - 5 (FC-GS-5)", ANSI INCITS
9984 427-2006, http://www.t11.org/t11/stat.nsf/upnum/1677-d, December
9985 2006.

9987 [FC-SP]
9988 "Fibre Channel - Security Protocols (FC-SP)", ANSI INCITS xxx-200x,
9989 http://www.t11.org/t11/stat.nsf/upnum/1570-d, T11/Project
9990 1570-D/Rev 1.8, 13 June 2003.

9992 [FC-SW-4]
9993 "Fibre Channel - Switch Fabric-4 (FC-SW-4)",
9994 http://www.t11.org/t11/stat.nsf/upnum/1674-d, ANSI INCITS 418-2006,
9995 April 2006.

9997 [RFC2119]
9998 S. Bradner, "Key words for use in RFCs to Indicate Requirement
9999 Levels", RFC 2119, BCP 0014, March 1997.

10001 9. Informative References

10003 [RFC1492]
10004 C. Finseth, "An Access Control Protocol, Sometimes Called TACACS",
10005 RFC 1492, July 1993.

10007 [RFC2741]
10008 Daniele, M., Wijnen, B., Ellison, M., and D. Francisco, "Agent
10009 Extensibility (AgentX) Protocol Version 1", RFC 2741, January 2000.

10011 [RFC2837]
10012 K. Teow, "Definitions of Managed Objects for the Fabric Element in
10013 Fibre Channel Standard", RFC 2837, May 2000.

10015 [RFC2865]
10016 Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
10017 Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

10019 [RFC3410]
10020 Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction and
10021 Applicability Statements for Internet-Standard Management
10022 Framework", RFC 3410, December 2002.

10024 [RFC3588]
10025 Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko,
10026 "Diameter Base Protocol", RFC 3588, September 2003.

10028 [RFC4595]
10029 Maino, F., and D. Black, "Use of IKEv2 in the Fibre Channel
10030 Security Association Management Protocol", RFC 4595, July 2006.

10032 [RFC4625]
10033 DeSanti, C., McCloghrie, K., Kode, S., and S. Gai, "Fibre Channel
10034 Routing Information MIB", RFC 4625, August 2006.

10036 [RFC4626]
10037 DeSanti, C., Gaonkar, V., McCloghrie, K., and S. Gai, "MIB for
10038 Fibre Channel's Fabric Shortest Path First (FSPF) Protocol", RFC
10039 4626, August 2006.

10041 [RFC4668]
10042 D. Nelson, "RADIUS Authentication Client MIB for IPv6", RFC 4668,
10043 August 2006.

10045 [RFC4747]
10046 Kipp, S., Ramkumar, G., and K. McCloghrie, "The Virtual Fabrics
10047 MIB", RFC 4747, November 2006.

10049 [FC-RSCN-MIB]
10050 DeSanti, C., Vivek, H.K., McCloghrie, K., and S. Gai, "Fibre
10051 Channel Registered State Change Notification (RSCN) MIB", draft-
10052 ietf-imss-fc-rscn-mib-nn.txt, work-in-progress, November 2006.

10054 [FC-FCS-MIB]
10055 DeSanti, C., Vivek, H.K., McCloghrie, K., and S. Gai, "Fibre-
10056 Channel Fabric Configuration Server MIB", draft-ietf-imss-fc-fcs-
10057 mib-nn.txt, work-in-progress, January 2007.

10059 10. IANA Considerations

10061 IANA is requested to make one MIB OID assignment, under the
10062 appropriate subtree, for each of the six MIB modules defined in this
10063 document.

10065 11. Security Considerations

10067 In this section, the first sub-section states some Security
10068 Considerations due to which information was excluded from this
10069 document. This is followed by one sub-section for each of the MIB
10070 modules defined in section 6, listing their individual Security
10071 Considerations. The section concludes with Security Considerations
10072 common to all of these MIB modules.

10074 The key word "RECOMMENDED" contained in this section is to be
10075 interpreted as described in BCP 14 [RFC2119].

10077 11.1. Information not defined in this document

10079 This document doesn't define any MIB objects for the secrets which
10080 need to be known/determined by FC-SP entities in order to use DH-CHAP
10081 to authenticate each other. Such secrets are "highly sensitive" and
10082 need to be "strong secrets" (e.g., randomly generated and/or from an
10083 external source, see section 5.4.8 of [FC-SP]) rather than just
10084 passwords. Thus, such secrets need to be managed by mechanisms other
10085 than the MIB modules defined here.

10087 11.2. The T11-FC-SP-TC-MIB Module

10089 This MIB module defines some data types and assigns some Object
10090 Identifiers, for use as the syntax and as values of MIB objects
10091 respectively, but it itself defines no MIB objects. Thus, there is
10092 no direct read or write access via a management protocol, such as
10093 SNMP, to these definitions. Nevertheless, it does include the
10094 assignment of enumerations and OIDs to represent cryptographic
10095 algorithms/transforms, and it is appropriate for such assignments to
10096 be augmented with new assignments as and when new
10097 algorithms/transforms are available.

10099 11.3. The T11-FC-SP-AUTHENTICATION-MIB Module

10101 There are several management objects defined in this MIB module with
10102 a MAX-ACCESS clause of read-write. Such objects may be considered
10103 sensitive or vulnerable in some network environments. The support
10104 for SET operations in a non-secure environment without proper
10105 protection can have a negative effect on network operations. These
10106 objects and their sensitivity/vulnerability are:

10108 t11FcSpAuStorageType
10109 - could cause changes in the configuration to be retained or
10110 not retained over restarts, against the wishes of management.

10112 t11FcSpAuSendRejNotifyEnable
10113 t11FcSpAuRcvRejNotifyEnable
10114 - could cause the suppression of SNMP notifications (e.g., of
10115 authentication failures or protocol failures), or the
10116 disruption of network operations due to the generation of
10117 unwanted notifications.

10119 t11FcSpAuDefaultLifetime
10120 t11FcSpAuDefaultLifetimeUnits
10121 - could cause the lifetimes of Security Associations to be
10122 extended longer than might be secure, or shortened to cause
10123 an increase in the overhead of using security.

10125 t11FcSpAuRejectMaxRows
10126 - could cause a smaller audit trail of Authentication rejects,
10127 thereby hiding the tracks of an attacker, or a larger audit
10128 trail of Authentication rejects causing resources to be
10129 wasted.

10131 The support for SET operations in a non-secure environment without
10132 proper protection can have a negative effect on network operations.

10134 Some of the readable objects in this MIB module (i.e., objects with a
10135 MAX-ACCESS other than not-accessible) may be considered sensitive or
10136 vulnerable in some network environments. It is thus important to
10137 control even GET and/or NOTIFY access to these objects and possibly
10138 to even encrypt the values of these objects when sending them over
10139 the network via SNMP. These are the tables and objects and their
10140 sensitivity/vulnerability:

10142 t11FcSpAuEntityTable
10143 - the capabilities of FC-SP Authentication entities in terms of
10144 what cryptographic algorithms they support, and various
10145 configuration parameters of FC-SP Authentication entities.

10147 t11FcSpAuIfStatTable
10148 - the mapping of which FC-SP Authentication entities operate on
10149 which interfaces.

10151 t11FcSpAuRejectTable
10152 - an audit trail of authentication failures and other
10153 Authentication Protocol failures.

10155 11.4. The T11-FC-SP-ZONING-MIB Module

10157 There are several management objects defined in this MIB module with
10158 a MAX-ACCESS clause of read-write and/or read-create. Such objects
10159 may be considered sensitive or vulnerable in some network
10160 environments. The support for SET operations in a non-secure
10161 environment without proper protection can have a negative effect on
10162 network operations. These objects and their
10163 sensitivity/vulnerability are:

10165 t11FcSpZsServerEnabled
10166 - could cause FC-SP Zoning mode to be enabled or not enabled,
10167 against the wishes of management.

10169 t11FcSpZoneSetHashStatus
10170 - could cause an FC-SP implementation to recalculate the values
10171 of the Active Zone Set Hash and the Zone Set Database Hash
10172 more frequently than is required by management.

10174 t11FcSpZsNotifyJoinSuccessEnable
10175 t11FcSpZsNotifyJoinFailureEnable
10176 - could cause the suppression of SNMP notifications that a
10177 Switch in one Fabric has successfully joined/failed to join
10178 with a Switch in another Fabric, or the disruption of network
10179 operations due to the generation of unwanted notifications.

10181 The support for SET operations in a non-secure environment without
10182 proper protection can have a negative effect on network operations.

10184 Some of the readable objects in this MIB module (i.e., objects with a
10185 MAX-ACCESS other than not-accessible) may be considered sensitive or
10186 vulnerable in some network environments. It is thus important to
10187 control even GET and/or NOTIFY access to these objects and possibly
10188 to even encrypt the values of these objects when sending them over
10189 the network via SNMP. These are the objects and their
10190 sensitivity/vulnerability:

10192 t11FcSpZsServerCapabilityObject
10193 t11FcSpZsServerEnabled
10194 - the FC-SP Zoning capabilities and status of the FC-SP
10195 implementation.

10197 t11FcSpZoneSetHashStatus
10198 t11FcSpActiveZoneSetHashType
10199 t11FcSpActiveZoneSetHash
10200 t11FcSpZoneSetDatabaseHashType
10201 t11FcSpZoneSetDatabaseHash
10202 - the current values of the Active Zone Set Hash and the Zone
10203 Set Database Hash.

10205 11.5. The T11-FC-SP-POLICY-MIB Module

10207 There are many management objects defined in this MIB module with a
10208 MAX-ACCESS clause of read-write and/or read-create. Such objects may
10209 be considered sensitive or vulnerable in some network environments.
10210 The support for SET operations in a non-secure environment without
10211 proper protection can have a negative effect on network operations.
10212 The objects and tables and their sensitivity/vulnerability are:

10214 t11FcSpPoNaSummaryTable
10215 t11FcSpPoNaSwListTable
10216 t11FcSpPoNaSwMembTable
10217 t11FcSpPoNaNoMembTable
10218 t11FcSpPoNaCtDescrTable
10219 t11FcSpPoNaSwConnTable
10220 t11FcSpPoNaIpMgmtTable
10221 - could change the currently inactive FC-SP Fabric Policies, so
10222 as to allow unauthorized connectivity of Switches and/or
10223 Nodes to the network, or between Switches in the network, or,
10224 to prohibit such connectivity even when authorized.

10226 t11FcSpPoNaIpMgmtTable
10227 t11FcSpPoNaWkpDescrTable
10228 - could change the currently inactive FC-SP Fabric Policies, so
10229 as to allow unauthorized management access to Switches, or
10230 prohibit authorized management access to Switches.

10232 t11FcSpPoNaSummaryTable
10233 t11FcSpPoNaSwMembTable
10234 t11FcSpPoNaNoMembTable
10235 t11FcSpPoNaAttribTable
10236 t11FcSpPoNaAuthProtTable
10237 - could change the currently inactive FC-SP Fabric Policies, so
10238 as to allow Security Associations with reduced security or
10239 require Security Associations which are unnecessarily-secure.

10241 t11FcSpPoOperActivate
10242 t11FcSpPoOperDeActivate
10243 - could cause the currently active FC-SP Fabric Policies to be
10244 de-activated and currently inactive FC-SP Fabric Policies
10245 (e.g., those modified as above) to be activated instead.

10247 t11FcSpPoStorageType
10248 - could cause changes in the configuration and/or in FC-SP
10249 Fabric Policies to be retained or not retained over restarts,
10250 against the wishes of management.

10252 t11FcSpPoNotificationEnable
10253 - could cause the suppression of SNMP notifications on the
10254 successful/unsuccessful activation/de-activation of Fabric
10255 Policies, and thereby hide successful/failed attempts to make
10256 unauthorized changes, or cause the disruption of network
10257 operations due to the generation of unwanted notifications.

10259 The support for SET operations in a non-secure environment without
10260 proper protection can have a negative effect on network operations.

10262 Some of the readable objects in this MIB module (i.e., objects with a
10263 MAX-ACCESS other than not-accessible) may be considered sensitive or
10264 vulnerable in some network environments. It is thus important to
10265 control even GET and/or NOTIFY access to these objects and possibly
10266 to even encrypt the values of these objects when sending them over
10267 the network via SNMP. These are the tables and their
10268 sensitivity/vulnerability:

10270 t11FcSpPoTable
10271 t11FcSpPoSummaryTable
10272 t11FcSpPoSwMembTable
10273 t11FcSpPoNoMembTable
10274 t11FcSpPoCtDescrTable
10275 t11FcSpPoSwConnTable
10276 t11FcSpPoIpMgmtTable
10277 t11FcSpPoWkpDescrTable
10278 t11FcSpPoAttribTable
10279 t11FcSpPoAuthProtTable
10280 - the currently active FC-SP Fabric Policies which can be
10281 examined by an attacker looking for possible security
10282 vulnerabilities in the active policies.

10284 11.6. The T11-FC-SP-SA-MIB Module

10286 There are several management objects defined in this MIB module with
10287 a MAX-ACCESS clause of read-write and/or read-create. Such objects
10288 may be considered sensitive or vulnerable in some network
10289 environments. The support for SET operations in a non-secure
10290 environment without proper protection can have a negative effect on
10291 network operations. These objects and their
10292 sensitivity/vulnerability are:

10294 t11FcSpSaIfStorageType
10295 - could cause changes in configuration information related to
10296 FC-SP Security Associations to be retained or not retained
10297 over restarts, against the wishes of management.

10299 t11FcSpSaIfReplayPrevention
10300 t11FcSpSaIfReplayWindowSize
10301 - could cause changes in the operation of anti-replay
10302 protection, thereby permitting an attacker to conduct replay
10303 attacks, or requiring FC-SP implementations to engage in
10304 unnecessary protection against replay.

10306 t11FcSpSaIfTerminateAllSas
10307 t11FcSpSaPairTerminate
10308 - could cause FC-SP Security Associations to be aborted
10309 unnecessarily.

10311 t11FcSpSaControlAuthFailEnable
10312 - could cause the suppression of SNMP notifications on the
10313 occurrence of Authentication failures for received FC-2 or
10314 CT_IU frames, thereby hiding attempts to subvert security
10315 measures, or cause the disruption of network operations due
10316 to the generation of unwanted notifications.

10318 t11FcSpSaControlLifeExcdEnable
10319 - could cause the suppression of SNMP notifications on the
10320 occurrence of an FC-SP Security Association exceeding its
10321 lifetime, thereby possibly causing disruption to network
10322 usage due to a delay in determining the problem and/or re-
10323 establishing the Security Association.

10325 t11FcSpSaControlWindow
10326 - could cause the suppression of second and subsequent SNMP
10327 notifications on the occurrence of Authentication failures
10328 for received FC-2 or CT_IU frames, thereby masking repeated
10329 attempts to subvert security measures, or cause the
10330 disruption of network operations due to the generation of
10331 unwanted notifications.

10333 t11FcSpSaPropTable
10334 t11FcSpSaTSelPropTable
10335 t11FcSpSaTransTable
10336 - could cause an FC-SP entity to propose the setup of Security
10337 Associations which apply to a different selection of traffic
10338 and/or using different security transforms, such that some
10339 traffic has a reduced level of security which might improve
10340 an attacker's chance of subverting security, or an increased
10341 level of security which would involve unnecessary security
10342 processing, or cause the negotiation of Security Associations
10343 to fail to find commonly-acceptable parameters such that no
10344 Security Associations can be established.

10346 t11FcSpSaTSelDrByTable
10347 - could cause an FC-SP entity to select different sets of
10348 traffic which are: a) to be sent/received without being
10349 protected by FC-SP security, thereby providing an attacker
10350 with access to read authentic traffic or the ability to
10351 introduce unauthentic traffic; or b) to be dropped instead of
10352 being sent/after being received, thereby causing disruption
10353 to network usage.

10355 The support for SET operations in a non-secure environment without
10356 proper protection can have a negative effect on network operations.

10358 Some of the readable objects in this MIB module (i.e., objects with a
10359 MAX-ACCESS other than not-accessible) may be considered sensitive or
10360 vulnerable in some network environments. It is thus important to
10361 control even GET and/or NOTIFY access to these objects and possibly
10362 to even encrypt the values of these objects when sending them over
10363 the network via SNMP. These are the tables and objects and their
10364 sensitivity/vulnerability:

10366 t11FcSpSaIfTable
10367 - information concerning the capabilities, parameters and
10368 status of an FC-SP entity's support for Security
10369 Associations.

10371 t11FcSpSaPropTable
10372 t11FcSpSaTSelPropTable
10373 t11FcSpSaTransTable
10374 - information on the proposals which will be used by an FC-SP
10375 entity to negotiate Security Associations.

10377 t11FcSpSaTSelDrByTable
10378 - information on which subsets of traffic an FC-SP entity will
10379 send or receive without being protected by FC-SP security, or
10380 will drop before sending/after receiving.

10382 t11FcSpSaPairTable
10383 t11FcSpSaTSelNegInTable
10384 t11FcSpSaTSelNegOutTable
10385 t11FcSpSaTSelSpiTable
10386 - information on which Security Associations are currently
10387 active, what subsets of traffic they are carrying, and what
10388 security protection is being given to them.

10390 11.7. The T11-FC-SP-CERTS-MIB Module

10392 There are no objects defined in this MIB module with a MAX-ACCESS
10393 clause of read-write and/or read-create.

10395 Some of the readable objects in this MIB module (i.e., objects with a
10396 MAX-ACCESS other than not-accessible) may be considered sensitive or
10397 vulnerable in some network environments. It is thus important to
10398 control even GET and/or NOTIFY access to these objects and possibly
10399 to even encrypt the values of these objects when sending them over
10400 the network via SNMP. These are the tables and objects and their
10401 sensitivity/vulnerability:

10403 t11FcSpCertPointer
10404 - a pointer to information about certificates being used by an
10405 FC-SP entity.

10407 t11FcSpCertUsage
10408 - information about how certificates are being used by an FC-SP
10409 entity.

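The per-module statements in sections 11.3 to 11.7 sort objects by their MAX-ACCESS clause, and that sorting can be re-derived from the MIB text when reviewing an agent's access-control configuration. The Python below is an added example, not part of the draft: the function name classify and the abridged excerpt (DESCRIPTION text shortened to "...") are assumptions made for illustration, and the parser covers only OBJECT-TYPE definitions.

```python
import re

# Abridged copy of the six OBJECT-TYPE definitions of T11-FC-SP-CERTS-MIB from
# the draft; DESCRIPTION text is shortened to "..." (the abridgement is ours).
CERTS_MIB_EXCERPT = '''
t11FcSpCertsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF T11FcSpCertsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "..."
    ::= { t11FcSpCertsMIBObjects 1 }

t11FcSpCertsEntry OBJECT-TYPE
    SYNTAX      T11FcSpCertsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "..."
    INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
            t11FcSpCertFabricIndex, t11FcSpCertIndex }
    ::= { t11FcSpCertsTable 1 }

t11FcSpCertFabricIndex OBJECT-TYPE
    SYNTAX      T11FabricIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "..."
    ::= { t11FcSpCertsEntry 1 }

t11FcSpCertIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "..."
    ::= { t11FcSpCertsEntry 2 }

t11FcSpCertPointer OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "..."
    ::= { t11FcSpCertsEntry 3 }

t11FcSpCertUsage OBJECT-TYPE
    SYNTAX      INTEGER { other(1), ownDefaultCert(2), ownCert(3), rootCert(4) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "..."
    ::= { t11FcSpCertsEntry 4 }
'''

# One left-to-right pass: quoted strings collapse to "" and ASN.1 comments
# vanish, so DESCRIPTION prose or a commented-out clause is never parsed.
_NOISE = re.compile(r'"[^"]*"|--[^\n]*?(?:--|$)', re.M)
_OBJECT = re.compile(
    r'^\s*([a-z][A-Za-z0-9-]*)\s+OBJECT-TYPE\b(.*?)::=\s*\{[^}]*\}',
    re.M | re.S)
_ACCESS = re.compile(r'\bMAX-ACCESS\s+([a-z-]+)')

# MAX-ACCESS values that SMIv2 (RFC 2578) permits in an OBJECT-TYPE.
KNOWN = {"not-accessible", "accessible-for-notify",
         "read-only", "read-write", "read-create"}
WRITABLE = {"read-write", "read-create"}


def classify(mib_text):
    """Group object names the way the Security Considerations do."""
    clean = _NOISE.sub(lambda m: '""' if m.group(0)[0] == '"' else "", mib_text)
    report = {"writable": [], "readable": [], "not_accessible": []}
    for match in _OBJECT.finditer(clean):
        name, body = match.group(1), match.group(2)
        access = _ACCESS.search(body)
        level = access.group(1) if access else None
        if level not in KNOWN:
            raise ValueError(f"{name}: missing or unknown MAX-ACCESS {level!r}")
        if level == "not-accessible":
            report["not_accessible"].append(name)
            continue
        report["readable"].append(name)      # reachable via GET and/or NOTIFY
        if level in WRITABLE:
            report["writable"].append(name)  # reachable via SET as well
    return report


if __name__ == "__main__":
    for group, names in classify(CERTS_MIB_EXCERPT).items():
        print(f"{group}: {', '.join(names) or '(none)'}")
```

Run against the excerpt, the writable group is empty and the readable group holds exactly the two objects named in section 11.7.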

10411 11.8. Recommendations common to all MIB Modules

10413 SNMP versions prior to SNMPv3 did not include adequate security.
10414 Even if the network itself is secure (for example by using IPsec),
10415 even then, there is no control as to who on the secure network is
10416 allowed to access and GET/SET (read/change/create/delete) the objects
10417 in this MIB module.

10419 It is RECOMMENDED that implementors consider the security features as
10420 provided by the SNMPv3 framework (see [RFC3410], section 8),
10421 including full support for the SNMPv3 cryptographic mechanisms (for
10422 authentication and privacy).

10424 Further, deployment of SNMP versions prior to SNMPv3 is NOT
10425 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
10426 enable cryptographic security. It is then a customer/operator
10427 responsibility to ensure that the SNMP entity giving access to an
10428 instance of this MIB module is properly configured to give access to
10429 the objects only to those principals (users) that have legitimate
10430 rights to indeed GET or SET (change/create/delete) them.

10432 12. Authors' Addresses

10434 Claudio DeSanti
10435 Cisco Systems, Inc.
10436 170 West Tasman Drive
10437 San Jose, CA 95134 USA
10438 Phone: +1 408 853-9172
10439 EMail: cds@cisco.com

10441 Fabio Maino
10442 Cisco Systems, Inc.
10443 170 West Tasman Drive
10444 San Jose, CA 95134 USA
10445 Phone: +1 408 853-7530
10446 EMail: fmaino@cisco.com

10448 Keith McCloghrie
10449 Cisco Systems, Inc.
10450 170 West Tasman Drive
10451 San Jose, CA USA 95134
10452 Phone: +1 408-526-5260
10453 Email: kzm@cisco.com

10455 Full Copyright Statement

10457 Copyright (C) The IETF Trust (2007). This document is subject to the
10458 rights, licenses and restrictions contained in BCP 78, and except as
10459 set forth therein, the authors retain all their rights.

10461 This document and the information contained herein are provided on an
10462 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
10463 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
10464 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
10465 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
10466 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
10467 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

10469 Disclaimer of validity

10471 The IETF takes no position regarding the validity or scope of any
10472 Intellectual Property Rights or other rights that might be claimed to
10473 pertain to the implementation or use of the technology described in
10474 this document or the extent to which any license under such rights
10475 might or might not be available; nor does it represent that it has
10476 made any independent effort to identify any such rights. Information
10477 on the procedures with respect to rights in RFC documents can be
10478 found in BCP 78 and BCP 79.

10480 Copies of IPR disclosures made to the IETF Secretariat and any
10481 assurances of licenses to be made available, or the result of an
10482 attempt made to obtain a general license or permission for the use of
10483 such proprietary rights by implementers or users of this
10484 specification can be obtained from the IETF on-line IPR repository at
10485 http://www.ietf.org/ipr.

10487 The IETF invites any interested party to bring to its attention any
10488 copyrights, patents or patent applications, or other proprietary
10489 rights that may cover technology that may be required to implement
10490 this standard. Please address the information to the IETF at
10491 ietf-ipr@ietf.org.

10493 Acknowledgment

10495 Funding for the RFC Editor function is currently provided by the
10496 Internet Society.