T11-FC-SP-TC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-IDENTITY, mib-2, Unsigned32 FROM SNMPv2-SMI -- [RFC2578] TEXTUAL-CONVENTION FROM SNMPv2-TC; -- [RFC2579] t11FcTcMIB MODULE-IDENTITY LAST-UPDATED "200808200000Z" ORGANIZATION "This MIB module was developed through the coordinated effort of two organizations: T11 began the development and the IETF (in the IMSS Working Group) finished it." CONTACT-INFO " Claudio DeSanti Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA EMail: [email protected] Keith McCloghrie Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA Email: [email protected]" DESCRIPTION "This MIB module defines Textual Conventions for use in the multiple MIB modules, which together define the instrumentation for an implementation of the Fibre Channel Security Protocols (FC-SP) specification. This MIB module also defines Object Identities (for use as possible values of MIB objects with syntax AutonomousType), including OIDs for the Cryptographic Algorithms defined in FC-SP. Copyright (C) The IETF Trust (2008). This version of this MIB module is part of RFC 5324; see the RFC itself for full legal notices." REVISION "200808200000Z" DESCRIPTION "Initial version of this MIB module, published as RFC 5324." ::= { mib-2 175 } t11FcSpIdentities OBJECT IDENTIFIER ::= { t11FcTcMIB 1 } t11FcSpAlgorithms OBJECT IDENTIFIER ::= { t11FcSpIdentities 1 } -- -- Textual Conventions -- T11FcSpPolicyHashFormat ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Identifies a cryptographic hash function used to create a hash value that summarizes an FC-SP Policy Object. Each definition of an object with this TC as its syntax must be accompanied by a corresponding definition of an object with T11FcSpPolicyHashValue as its syntax, and containing the hash value. The first two cryptographic hash functions are: Hash Type Hash Tag Hash Length (Bytes) SHA-1 '00000001'h 20 SHA-256 '00000002'h 32 " REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, section 7.1.3.1 and table 106. - FIPS PUB 180-2." SYNTAX OCTET STRING (SIZE (4)) T11FcSpPolicyHashValue ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Represents the value of the cryptographic hash function of an FC-SP Policy Object. Each definition of an object with this TC as its syntax must be accompanied by a corresponding definition of an object with T11FcSpPolicyHashFormat as its syntax. The corresponding object identifies the cryptographic hash function used to create the hash value." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, section 7.1.3.1 and table 106." SYNTAX OCTET STRING (SIZE (0..64)) T11FcSpHashCalculationStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "When some kind of 'database' is defined in a set of read-write MIB objects, it is common that multiple changes in the data need to be made at the same time. So, if hash values are maintained for that data, those hash values are only correct if and when they are re-calculated after every change. In such circumstances, the use of an object with this syntax allows the re-calculation of the hash values to be deferred until all changes have been made, and therefore the calculation need only be done once after all changes, rather than repeatedly/after each individual change. The definition of an object defined using this TC is required to specify which one or more instances of which MIB objects contain the hash values operated upon (or whose status is given) by the value of this TC. When read, the value of an object with this syntax is either: correct -- the identified MIB object instance(s) contain the correct hash values; or stale -- the identified MIB object instance(s) contain stale (possibly incorrect) values. Writing a value of 'calculate' is a request to re-calculate and update the values of the corresponding instances of the identified MIB objects. Writing a value of 'correct' or 'stale' to this object is an error (e.g., 'wrongValue')." SYNTAX INTEGER { calculate(1), correct(2), stale(3) } T11FcSpAuthRejectReasonCode ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A reason code contained in an AUTH_Reject message, or in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT (rejecting an AUTH-ELS)." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 17, 48, 52." SYNTAX INTEGER { authFailure(1), logicalError(2), logicalBusy(3), authILSNotSupported(4), authELSNotSupported(5), notLoggedIn(6) } T11FcSpAuthRejReasonCodeExp ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A reason code explanation contained in an AUTH_Reject message, or in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT (rejecting an AUTH-ELS)." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Tables 18, 48, 52." SYNTAX INTEGER { authMechanismNotUsable(1), dhGroupNotUsable(2), hashFunctionNotUsable(3), authTransactionAlreadyStarted(4), authenticationFailed(5), incorrectPayload(6), incorrectAuthProtocolMessage(7), restartAuthProtocol(8), authConcatNotSupported(9), unsupportedProtocolVersion(10), logicalBusy(11), authILSNotSupported(12), authELSNotSupported(13), notLoggedIn(14) } T11FcSpHashFunctions ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A set of zero, one, or more hash functions defined for use in FC-SP." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 14." SYNTAX BITS { md5(0), sha1(1) } T11FcSpSignFunctions ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A set of zero, one, or more signature functions defined for signing certificates for use with FCAP in FC-SP." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, tables 38 & 39." SYNTAX BITS { rsaSha1(0) } T11FcSpDhGroups ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A set of zero, one, or more DH Groups defined for use in FC-SP." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 15." SYNTAX BITS { null(0), group1024(1), group1280(2), group1536(3), group2048(4), group3072(5), group4096(6), group6144(7), group8192(8) } T11FcSpPolicyObjectType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A value that identifies the type of an FC-SP Policy Object." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 102." SYNTAX INTEGER { summary(1), switchMemberList(2), nodeMemberList(3), switchConnectivity(4), ipMgmtList(5), attribute(6) } T11FcSpPolicyNameType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The format and usage of a companion object having T11FcSpPolicyName as its syntax. Six of the values indicate the same format, i.e., they differ only in semantics. That common format is a Fibre Channel 'Name_Identifier', i.e., the same syntax as 'FcNameIdOrZero (SIZE(8))'. These six are three pairs of one restricted and one unrestricted. Each usage of this syntax must specify what the meaning of 'restricted' is for that usage and how the characteristics and behavior of restricted names differ from unrestricted names. The six are: 'nodeName' - a Node_Name, which is the Name_Identifier associated with a Fibre Channel Node. 'restrictedNodeName' - a Restricted Node_Name. 'portName' - the Name_Identifier associated with a Fibre Channel Port. 'restrictedPortName' - a Restricted Port_Name. 'wildcard' - a Wildcard value that is used to identify 'all others' (typically, all other members of a Policy Object, not all other Policy Objects). 'restrictedWildcard' - a Restricted Wildcard value. Other possible values are: 'alphaNumericName' - the value begins with an ASCII letter (upper or lower case) followed by (0 ... 63) characters from the set: lower case letters, upper case letters, digits, and the four symbols: dollar-sign ($), dash (-), caret (^), and underscore (_). 'ipv6AddressRange' - two IPv6 addresses in network byte order, the numerically smallest first and the numerically largest second; total length is 32 bytes. 'ipv4AddressRange' - two IPv4 addresses in network byte order, the numerically smallest first and the numerically largest second; total length is 8 bytes." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 103." SYNTAX INTEGER { nodeName(1), restrictedNodeName(2), portName(3), restrictedPortName(4), wildcard(5), restrictedWildcard(6), alphaNumericName(7), ipv6AddressRange(8), ipv4AddressRange(9) } T11FcSpPolicyName ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A syntax used, when defining Policy Objects, for the name of something. An object that uses this syntax always identifies a companion object with syntax T11FcSpPolicyNameType such that the companion object specifies the format and usage of the object with this syntax. When the companion object has the value 'wildcard' or 'restrictedWildcard', the value of the T11FcSpPolicyName object is: '0000000000000000'h." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 103." SYNTAX OCTET STRING (SIZE (1..64)) T11FcSpAlphaNumName ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A syntax used when defining Policy Objects for the name of something, where the name is always in the format specified by: T11FcSpPolicyNameType = 'alphaNumericName' " REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 103." SYNTAX OCTET STRING (SIZE (1..64)) T11FcSpAlphaNumNameOrAbsent ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An extension of the T11FcSpAlphaNumName TC with one additional possible value: the zero-length string to indicate the absence of a name." SYNTAX OCTET STRING (SIZE (0..64)) T11FcSaDirection ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The direction of frame transmission on a Security Association. Note that Security Associations are unidirectional, but they always exist as part of an SA pair of the same type in opposite directions." SYNTAX INTEGER { ingress(1), egress(2) } T11FcSpiIndex ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An SPI (Security Parameter Index) value is carried in the SPI field of a frame protected by the ESP_Header. An SPI is also carried in the SAID field of a Common Transport Information Unit (CT_IU) protected by CT_Authentication. An SPI value identifies the Security Association on which the frame is being transmitted." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, section 4.7.2 and 4.7.3." SYNTAX Unsigned32 (0..4294967295) -- the default range!! T11FcSpPrecedence ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "The precedence of a Traffic Selector. If a frame matches with two or more Traffic Selectors, then the match that takes precedence is the one with the Traffic Selector having the numerically smallest precedence value. Note that precedence values are not necessarily contiguous." SYNTAX Unsigned32 (0..4294967295) -- the default range!! T11FcRoutingControl ::= TEXTUAL-CONVENTION DISPLAY-HINT "1x" STATUS current DESCRIPTION "A value stored in the R_CTL (Routing Control) 8-bit field of an FC-2 frame containing routing and information bits to categorize the frame function. For FC-2 frames, an R_CTL value typically distinguishes between control versus data frames and/or solicited versus unsolicited frames, and in combination with the TYPE field (see T11FcSpType), identifies a particular link-layer service/protocol using FC-2. For CT_Authentication, the information field in the R_CTL field contains '02'h for Request CT_IUs and '03'h for Response CT_IUs. The comparison of two values having this syntax is done by treating each string as an 8-bit numeric value." REFERENCE "- Fibre Channel - Framing and Signaling-2 (FC-FS-2), ANSI INCITS 424-2007, Project T11/1619-D, February 2007, section 9.3. - Fibre Channel - Generic Services-5 (FC-GS-5), ANSI INCITS 427-2006, sections 4.5.2.4.2, 4.5.2.4.3 and table 12." SYNTAX OCTET STRING (SIZE(1)) T11FcSpType ::= TEXTUAL-CONVENTION DISPLAY-HINT "2x" STATUS current DESCRIPTION "A value, or combination of values, contained in a frame header used in identifying the link layer service/protocol of a frame. The value is always two octets: - for FC-2 frames, the first octet is zero and the second octet contains the Data structure type (TYPE) value defined by FC-FS-2. The TYPE value is used in combination with T11FcRoutingControl to identify a link layer service/protocol. - for Common Transport Information Units (CT_IUs), the first octet contains a GS_Type value and the second octet contains a GS_Subtype value, defined by FC-GS-5. The comparison of two values having this syntax is done by treating each string as the numeric value obtained by numerically combining the individual octet's value as follows: (256 * 1st-octet) + 2nd-octet " REFERENCE "- Fibre Channel - Framing and Signaling-2 (FC-FS-2), ANSI INCITS 424-2007, Project T11/1619-D, February 2007, section 9.6. - Fibre Channel - Generic Services-5 (FC-GS-5), ANSI INCITS 427-2006, sections 4.3.2.4 and 4.3.2.5." SYNTAX OCTET STRING (SIZE(2)) T11FcSpTransforms ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A list of the standardized transforms that are defined by FC-SP for use with ESP_Header, CT_Authentication, and/or IKEv2 Support." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Appendix A.3.1, tables A.23, A.24, A.25, A.26." SYNTAX BITS { encrNull(0), encrAesCbc(1), encrAesCtr(2), encrAesGcm(3), encr3Des(4), prfHmacMd5(5), prfHmacSha1(6), prfAesCbc(7), authHmacMd5L96(8), authHmacSha1L96(9), authHmacMd5L128(10), authHmacSha1L160(11), encrNullAuthAesGmac(12), dhGroups1024bit(13), dhGroups2048bit(14) } T11FcSpSecurityProtocolId ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A Security Protocol identifier to identify the protocol by which traffic is to be protected, e.g., ESP_Header or CT_Authentication." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, section 6.3.2.2 and table 67." SYNTAX INTEGER { espHeader(1), ctAuth(2) } T11FcSpLifetimeLeft ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "This TC is used for one object of an associated pair of objects. The object with this syntax specifies a remaining lifetime of something, e.g., of an SA, where the lifetime is given in the units specified by the other object of the pair which has T11FcSpLifetimeLeftUnits as its syntax." SYNTAX Unsigned32 T11FcSpLifetimeLeftUnits ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An object, defined using T11FcSpLifetimeLeft TC as its syntax, is required to be one of an associated pair of objects such that the other object of the pair is defined with this T11FcSpLifetimeLeftUnits TC as its syntax and with its value specifying the units of the remaining lifetime given by the value of the T11FcSpLifetimeLeft object." SYNTAX INTEGER { seconds(1), -- seconds kiloBytes(2), -- 10^^3 bytes megaBytes(3), -- 10^^6 bytes gigaBytes(4), -- 10^^9 bytes teraBytes(5), -- 10^^12 bytes petaBytes(6), -- 10^^15 bytes exaBytes(7), -- 10^^18 bytes zettaBytes(8), -- 10^^21 bytes yottaBytes(9) -- 10^^24 bytes } -- -- Object Identities to identify the Cryptographic Algorithms -- listed in FC-SP. -- t11FcSpEncryptAlgorithms OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 1 } t11FcSpEncrNull OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_NULL algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 70." ::= { t11FcSpEncryptAlgorithms 1 } t11FcSpEncrAesCbc OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_AES_CBC algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 70." ::= { t11FcSpEncryptAlgorithms 2 } t11FcSpEncrAesCtr OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_AES_CTR algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 70." ::= { t11FcSpEncryptAlgorithms 3 } t11FcSpEncrAesGcm OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_AES_GCM algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 70." ::= { t11FcSpEncryptAlgorithms 4 } t11FcSpEncr3Des OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_3DES algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 70." ::= { t11FcSpEncryptAlgorithms 5 } t11FcSpAuthAlgorithms OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 2 } t11FcSpAuthNull OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_NONE algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 72." ::= { t11FcSpAuthAlgorithms 1 } t11FcSpAuthHmacMd5L96 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_MD5_96 algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 72." ::= { t11FcSpAuthAlgorithms 2 } t11FcSpAuthHmacSha1L96 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_SHA1_96 algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 72." ::= { t11FcSpAuthAlgorithms 3 } t11FcSpAuthHmacMd5L128 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_MD5_128 algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 72." ::= { t11FcSpAuthAlgorithms 4 } t11FcSpAuthHmacSha1L160 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_SHA1_160 algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 72." ::= { t11FcSpAuthAlgorithms 5 } t11FcSpEncrNullAuthAesGmac OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_NULL_AUTH_AES_GMAC algorithm." REFERENCE "- ANSI INCITS 426-2007, T11/Project 1570-D, Fibre Channel - Security Protocols (FC-SP), February 2007, Table 70." ::= { t11FcSpEncryptAlgorithms 6 } END