IBM 221x Policy Schema Description

Date: Tue May 25 15:32:41 EDT 1999
Draft: 1.0

Policy Class Structure

  +---------------+
  | DeviceProfile |
  +---------------+
     |
     |    +-------------------+
     +--->| DevicePolicyRules |
          +-------------------+
             |
             |    +------------+
             +-->>| PolicyRule |
                  +------------+
                     |
                     |    +----------------+
                     +--->| TrafficProfile |
                     |    +----------------+
                     |
                     |    +----------------------+
                     +--->| PolicyValidityPeriod |
                     |    +----------------------+
                     |
                     |    +-----------------+
                     +--->| DiffServAction* |
                     |    +-----------------+
                     |
                     |    +-------------+    +-----------------+
                     +--->| RSVPAction* |--->| DiffServAction* |
                     |    +-------------+    +-----------------+
                     |
                     |    +--------------------+    +----------------+
                     +--->| IPSecISAKMPAction* |-->>| ISAKMPProposal |
                     |    +--------------------+    +----------------+
                     |
                     |    +----------------------+
                     +--->| IPSecSecurityAction* |
                          +----------------------+
                             |
                             |    +----------------+    +----------------+
                             +-->>| IPSecProposal* |-->>| IPSecTransform |
                                  +----------------+    +----------------+

Notes:
  1: >  = single reference, >> = multiple reference
  2: *  indicates optional reference
  3: When defining Security Policies for IPSEC/ISAKMP, the traffic profile
     should define the traffic flowing into the secure tunnel.
ClassName: DeviceProfile

  Requires
    objectClass
    cn
    devicerulesreference

  Allows
    (no optional attributes)

  Attribute Definitions:

  __________
  NAME: objectClass   REQUIRED   MULTI-VALUED
  DESC: The Class type for this object
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: DeviceProfile, top
  DEFAULT VALUE: DeviceProfile, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The Common Name for this object
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Common name for object
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: devicerulesreference   REQUIRED   SINGLE-VALUED
  DESC: The DN of the DevicePolicyRules object in the directory that
        contains the policy rules for this device
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: DN of DevicePolicyRules Object
  DEFAULT VALUE: None, must be specified
  ----------

ClassName: DevicePolicyRules

  Requires
    objectClass
    cn
    policyrulereference

  Allows
    (no optional attributes)

  Attribute Definitions:

  __________
  NAME: objectClass   REQUIRED   MULTI-VALUED
  DESC: The Class type for this object
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: DevicePolicyRules, top
  DEFAULT VALUE: DevicePolicyRules, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The Common Name for this object
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Common name for object
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: policyrulereference   REQUIRED   MULTI-VALUED
  DESC: The DN of a PolicyRule object in the directory
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: DN of PolicyRule Object
  DEFAULT VALUE: None, must be specified
  ----------

ClassName: PolicyRule

  DESC: The PolicyRule class describes what conditionals should be checked
        against and, if the checks match, what actions should be
        enforced. The policy makes named references to the validity
        period and the profile.
        These are required references for the policy to be considered
        valid. The policy must make reference to one or more actions.
        The valid action combinations are:

          IPSEC Action (Drop)
          DIFFSERV Action (Drop)
          DIFFSERV Action (Pass with QOS)
          IPSEC Action (Pass in Clear)
          IPSEC Action (Pass in Clear) and DIFFSERV
          IPSEC and ISAKMP Action for security
          IPSEC and ISAKMP Action (security) and DIFFSERV
          RSVP Action
          RSVP and DIFFSERV Action

  Requires
    ObjectClass
    cn
    PolicyScope
    TrafficProfileReference
    PolicyValidityPeriodReference

  Allows
    RulePriority
    PolicyRuleEnabled
    RSVPActionReference
    DiffServActionReference
    IPSecISAKMPActionReference
    IPSecSecurityActionReference

  Attribute Definitions:

  __________
  NAME: ObjectClass   REQUIRED   MULTI-VALUED
  DESC: The class type for this object.
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: PolicyRule, top
  DEFAULT VALUE: PolicyRule, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The common name for this object; this should also be the rdn for
        this object.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Any string
  DEFAULT VALUE: NA
  ----------

  __________
  NAME: PolicyScope   REQUIRED   MULTI-VALUED
  DESC: Specifies the scope of the policy.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: ipsec, isakmp, diffserv, rsvp
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: RulePriority   ALLOWED   SINGLE-VALUED
  DESC: Specifies the priority of the policy. The priority is needed to
        resolve conflicts between policies with overlapping profiles. A
        higher number indicates a higher priority policy. In general,
        policies with more specific profiles should have higher priority,
        and policies with less specific profiles lower priority. Note:
        values 0 thru 5 are reserved for system use.
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 5 to 65535
  DEFAULT VALUE: 5
  ----------

  __________
  NAME: PolicyRuleEnabled   ALLOWED   SINGLE-VALUED
  DESC: Specifies whether the policy rule is currently enabled or disabled
        from an administrative point of view. Its purpose is to allow a
        policy to be disabled without having to remove it from the
        directory. By default, if this attribute is not specified, the
        policy is enabled.
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 0 (disabled) to 1 (enabled)
  DEFAULT VALUE: 1 (enabled)
  ----------

  __________
  NAME: TrafficProfileReference   REQUIRED   SINGLE-VALUED
  DESC: Specifies the DN of the profile entry in the directory. The
        profile object defines what traffic/users should use this policy.
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: The DN of a profile in the directory
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: PolicyValidityPeriodReference   REQUIRED   SINGLE-VALUED
  DESC: Specifies the DN of the validity period entry in the directory
        that states when this policy should be valid.
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: The DN of a policy validity period object in the directory
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: RSVPActionReference   ALLOWED   SINGLE-VALUED
  DESC: Specifies the DN of the RSVP Action entry in the directory that
        should be enforced by this policy.
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: The DN of an RSVP Action object in the directory
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: DiffServActionReference   ALLOWED   SINGLE-VALUED
  DESC: Specifies the DN of the DIFFSERV Action entry in the directory
        that should be enforced by this policy.
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: The DN of a DIFFSERV Action object in the directory
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: IPSecISAKMPActionReference   ALLOWED   SINGLE-VALUED
  DESC: Specifies the DN of the ISAKMP (Key Management) Action entry in
        the directory that should be enforced by this policy. The
        IPSecSecurityActionReference attribute must be present if this
        attribute is specified.
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: The DN of an ISAKMP Action object in the directory
  DEFAULT VALUE: None, must be specified
  ----------

  __________
  NAME: IPSecSecurityActionReference   ALLOWED   SINGLE-VALUED
  DESC: Specifies the DN of the IPSEC Security Action entry in the
        directory that should be enforced by this policy. If the IPSEC
        Action referred to by this attribute specifies a Secure
        Connection, then the IPSecISAKMPActionReference must be
        initialized to the DN of a valid IPSEC Action.
  EQUALITY: distinguishedNameMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
  VALID VALUES: The DN of an IPSEC Action object in the directory
  DEFAULT VALUE: None, must be specified
  ----------

ClassName: TrafficProfile

  DESC: The profile determines the set of information that should be used
        to select a particular policy. The profile consists of source
        address and destination address information, protocol
        information, and source and destination port information. The
        profile may also be defined to select on the TOS byte and on the
        ingress and egress interface addresses. The profile for an IPSEC
        security policy should state the source address(es) as the
        traffic to be encapsulated into the tunnel, and the destination
        address(es) should be on the remote side of the tunnel.
  Requires
    ObjectClass
    cn

  Allows
    Interface
    SourceAddressRange
    DestinationAddressRange
    SourcePortRange
    DestinationPortRange
    ProtocolNumber
    ReceivedTOSByteCheck
    LocalID
    RemoteID

  Attribute Definitions:

  __________
  NAME: ObjectClass   REQUIRED   MULTI-VALUED
  DESC: The class type for this object.
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: TrafficProfile, top
  DEFAULT VALUE: TrafficProfile, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The common name for this object; this should also be the rdn for
        this object.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Any string
  DEFAULT VALUE: NA
  ----------

  __________
  NAME: Interface   ALLOWED   MULTI-VALUED
  DESC: Specifies which ingress and egress interfaces the profile should
        match against. If this attribute is missing then the default is
        any interface.
  Format:  1:<ingress addr>-<egress addr>
  Example: 1:1.1.1.1-           #Ingress 1.1.1.1 to any egress
  Example: 1:-1.1.1.1           #Any ingress to egress 1.1.1.1
  Example: 1:2.2.2.2-1.1.1.1    #2.2.2.2 to 1.1.1.1
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted interface pair
  DEFAULT VALUE: Any ingress to any egress
  ----------

  __________
  NAME: SourceAddressRange   ALLOWED   SINGLE-VALUED
  DESC: Specifies the range of source IP addresses the profile should
        match against. If this attribute is missing then the default is
        that any source IP address will match this profile. If the range
        format is used then the ending ipaddr must be greater than or
        equal to the starting ipaddr.
  Format:  1:<ipaddr>-<mask>
  Format:  2:<start ipaddr>-<end ipaddr>
  Format:  3:<ipaddr>
  Example: 1:1.1.1.0-255.255.255.0      #Subnet Mask
  Example: 2:1.1.1.1-1.1.1.255          #Range
  Example: 1:1.1.1.1-255.255.255.255    #Mask-Single Addr
  Example: 2:1.1.1.1-1.1.1.1            #Range-Single Addr
  Example: 3:1.1.1.1                    #Single Addr
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted source address mask/range
  DEFAULT VALUE: Any source IP address
  ----------

  __________
  NAME: DestinationAddressRange   ALLOWED   SINGLE-VALUED
  DESC: Specifies the range of destination IP addresses the profile
        should match against. If this attribute is missing then the
        default is that any destination IP address will match this
        profile. If the range format is used then the ending ipaddr must
        be greater than or equal to the starting ipaddr.
  Format:  1:<ipaddr>-<mask>
  Format:  2:<start ipaddr>-<end ipaddr>
  Format:  3:<ipaddr>
  Example: 1:1.1.1.0-255.255.255.0      #Subnet Mask
  Example: 2:1.1.1.1-1.1.1.255          #Range
  Example: 1:1.1.1.1-255.255.255.255    #Mask-Single Addr
  Example: 2:1.1.1.1-1.1.1.1            #Range-Single Addr
  Example: 3:1.1.1.1                    #Single Addr
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted destination address mask/range
  DEFAULT VALUE: Any destination IP address
  ----------

  __________
  NAME: SourcePortRange   ALLOWED   SINGLE-VALUED
  DESC: Specifies the range of source ports that should match this
        profile. The ending port number must be greater than or equal to
        the starting port number.
  Format:  <start port>:<end port>
  Example: 23:23 (telnet traffic)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted port range
  DEFAULT VALUE: All Source Ports
  ----------

  __________
  NAME: DestinationPortRange   ALLOWED   SINGLE-VALUED
  DESC: Specifies the range of destination ports that should match this
        profile. The ending port number must be greater than or equal to
        the starting port number.
  Format:  <start port>:<end port>
  Example: 23:23 (telnet traffic)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted port range
  DEFAULT VALUE: All Destination Ports
  ----------

  __________
  NAME: ProtocolNumber   ALLOWED   SINGLE-VALUED
  DESC: Specifies the range of IP protocols that should match this
        profile. The ending protocol number must be greater than or equal
        to the starting protocol number.
  Format:  <start protocol>:<end protocol>
  Example: 17:17 (UDP traffic)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted protocol range
  DEFAULT VALUE: All protocols
  ----------

  __________
  NAME: ReceivedTOSByteCheck   ALLOWED   SINGLE-VALUED
  DESC: Specifies the value(s) of the IP TOS byte that should match this
        profile. This attribute is formatted as a mask that should be
        applied to the incoming TOS byte, followed by the value that the
        result should match. The mask and match values are strings of 0's
        and 1's that specify the 8-bit field. The received TOS byte is
        ANDed with the Mask and the result is compared against the Match.
  Format:  <Mask>:<Match>
  Example: 11111111:00000001 (TOS Byte of 0x01 matches)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted TOS Byte mask:match
  DEFAULT VALUE: All protocols
  ----------

  __________
  NAME: LocalID   ALLOWED   SINGLE-VALUED
  DESC: Specifies the local ID information that should be used during
        ISAKMP Phase 1 negotiations. The local ID is optional. If
        specified, then the local ID sent will be of the type idType with
        the specified value. If the LocalID attribute is not specified
        then the local tunnel IP address will be sent in the IDii.
  Format:  idType:value
  ID Types: 2 (FQDN), 3 (USER FQDN), 11 (KEYID)
  Example: 2:foo@raleigh.ibm.com
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted idType:value combination
  DEFAULT VALUE: Send local ipaddr (initiator)
  ----------

  __________
  NAME: RemoteID   ALLOWED   MULTI-VALUED
  DESC: Specifies the remote ISAKMP peers that may initiate ISAKMP/IPSEC
        to the local entity. The RemoteID attribute is optional. If
        specified, then the IDii received as a responder will be matched
        against the profile to determine which Phase 1 policy to
        negotiate with the remote peer. If the IDii cannot be matched,
        then the remote peer's Phase 1 negotiations will fail. Note that
        this attribute is multi-valued and thus allows a list of remote
        peers to be configured that should be allowed access. This
        attribute does not authenticate the user; it may only be used to
        further determine which users SHOULD be authenticated.
  Format:  idType:value
  ID Types: 2 (FQDN), 3 (USER FQDN), 11 (KEYID)
  Example: 2:foo@raleigh.ibm.com
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted idType:value combination
  DEFAULT VALUE: Match any IDii as responder
  ----------

ClassName: PolicyValidityPeriod

  DESC: The validity period specifies the life of the policy, the months
        in which it should be valid, the days of the week on which it
        should be valid, and the hours of the day during which it should
        be valid. When a policy becomes invalid the next most specific
        policy will be enforced. This is useful to define a policy that
        says: on Monday thru Friday from 9 to 5, secure all traffic from
        Subnet A to Subnet B, and at any other time drop all traffic.

  Requires
    ObjectClass
    cn

  Allows
    PolicyValidityTime
    PolicyValidityMonthMask
    PolicyValidityDayOfWeekMask
    PolicyValidityTimeOfDayRange

  Attribute Definitions:

  __________
  NAME: ObjectClass   REQUIRED   MULTI-VALUED
  DESC: The class type for this object.
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: PolicyValidityPeriod, top
  DEFAULT VALUE: PolicyValidityPeriod, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The common name for this object; this should also be the rdn for
        this object.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Any string
  DEFAULT VALUE: NA
  ----------

  __________
  NAME: PolicyValidityTime   ALLOWED   SINGLE-VALUED
  DESC: Specifies the duration of the policy. The attribute states when
        the policy becomes valid, when it expires, and optionally what
        time zone it should apply in. If the time zone is omitted then
        local time at the Policy Decision Point is used.
  Format:  yyyymmddhhmmss:yyyymmddhhmmss:timezone
  Example: 19980101000000:19981231235959        (1998 only)
  Example: 19980101000000:19981231235959:GMT    (1998, GMT time)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted duration
  DEFAULT VALUE: No expiration, duration is forever
  ----------

  __________
  NAME: PolicyValidityMonthMask   ALLOWED   SINGLE-VALUED
  DESC: Specifies the months during which the policy is valid. The format
        is a string denoting a mask of 12 zeros and ones. A 1 states that
        the month should be considered valid. The first bit in the mask
        is the month of January.
  Format:  xxxxxxxxxxxx
  Example: 111000000000 (January, February, March)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted month mask
  DEFAULT VALUE: Every month
  ----------

  __________
  NAME: PolicyValidityDayOfWeekMask   ALLOWED   SINGLE-VALUED
  DESC: Specifies the days of the week during which the policy is valid.
        The format is a string denoting a mask of 7 zeros and ones. A 1
        states that the day should be considered valid. The first bit in
        the mask is Monday.
  Format:  xxxxxxx
  Example: 1111100 (Monday thru Friday)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted day mask
  DEFAULT VALUE: Every day
  ----------

  __________
  NAME: PolicyValidityTimeOfDayRange   ALLOWED   SINGLE-VALUED
  DESC: Specifies the time of day during which the policy is valid. The
        format is start time:end time, in 24 hr format. If the end time
        is less than the start time then wrap-around past midnight is
        assumed.
  Format:  <start time>:<end time>
  Example: 090000:170000 (9:00am to 5:00pm)
  Example: 170000:090000 (5:00pm through 12:00am to 9:00am)
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any correctly formatted day mask
  DEFAULT VALUE: Every day
  ----------

ClassName: IPSecTransform

  DESC: The attributes of the IPSEC Transform contain information about
        the IPSEC encryption and authentication parameters and also
        specify how often the keys are refreshed. The transform is either
        AH (authentication only) or ESP (encryption and/or
        authentication) and may be specified to operate in Tunnel or
        Transport mode.

  Requires
    ObjectClass
    cn
    IPSecProtocolID

  Allows
    EncapsulationMode
    AHIntegrityAlgorithm
    ESPIntegrityAlgorithm
    ESPCipherAlgorithm
    SecurityAssociationLifeTimeSec
    SecurityAssociationLifeTimeKBytes

  Attribute Definitions:

  __________
  NAME: ObjectClass   REQUIRED   MULTI-VALUED
  DESC: The class type for this object.
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: IPSecTransform, top
  DEFAULT VALUE: IPSecTransform, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The common name for this object; this may also be the rdn for
        this object.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Any string
  DEFAULT VALUE: NA
  ----------

  __________
  NAME: IPSecProtocolID   REQUIRED   SINGLE-VALUED
  DESC: Specifies the type of IPSEC phase 2 transform.
  Format:  integer
  Example: 3 (ESP)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 2 (AH), 3 (ESP)
  DEFAULT VALUE: Required, must be specified
  ----------

  __________
  NAME: EncapsulationMode   ALLOWED   SINGLE-VALUED
  DESC: Specifies the encapsulation mode for the transform.
  Format:  integer
  Example: 1 (Tunnel)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 1 (Tunnel), 2 (Transport)
  DEFAULT VALUE: 1 (Tunnel)
  ----------

  __________
  NAME: AHIntegrityAlgorithm   ALLOWED   SINGLE-VALUED
  DESC: Specifies the type of integrity transform in AH.
  Format:  integer
  Example: 3 (SHA)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 2 (HMAC-MD5), 3 (HMAC-SHA)
  DEFAULT VALUE: 2 (HMAC-MD5)
  ----------

  __________
  NAME: ESPIntegrityAlgorithm   ALLOWED   SINGLE-VALUED
  DESC: Specifies the type of integrity transform in ESP.
  Format:  integer
  Example: 2 (SHA)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 0 (None), 1 (HMAC-MD5), 2 (HMAC-SHA)
  DEFAULT VALUE: 2 (HMAC-SHA)
  ----------

  __________
  NAME: ESPCipherAlgorithm   ALLOWED   SINGLE-VALUED
  DESC: Specifies the type of cipher algorithm to use in ESP.
  Format:  integer
  Example: 2 (DES)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 2 (DES), 3 (3DES), 11 (NULL), 37 (IBM CDMF)
  DEFAULT VALUE: 2 (DES)
  ----------

  __________
  NAME: SecurityAssociationLifeTimeSec   ALLOWED   SINGLE-VALUED
  DESC: Specifies the lifetime of the Security Association in seconds.
  Format:  integer
  Example: 3600 (1 hour)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 120 to 2147483647
  DEFAULT VALUE: 3600
  ----------

  __________
  NAME: SecurityAssociationLifeTimeKBytes   ALLOWED   SINGLE-VALUED
  DESC: Specifies the lifesize of the Security Association in KB.
  Format:  integer
  Example: 50000 (50,000 KB)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 1024 to 2147483647
  DEFAULT VALUE: 50000
  ----------

ClassName: IPSecProposal

  DESC: The IPSEC Proposal contains the information about which ESP and/or
        AH transforms should be proposed/checked against during phase 2
        ISAKMP negotiations. If Perfect Forward Secrecy is required (a
        fresh Diffie-Hellman calculation), then the IPSEC Proposal
        contains which DH Group to use. The transforms referenced by the
        IPSEC Proposal are sent/checked against in the order in which
        they are specified. The first ESP/AH transform in the list should
        be the one that is most appropriate to use. If there is more than
        one transform in the list, then each one is compared against the
        peer's list to find a match. If none of the configured transforms
        matches the peer's list of transforms then the negotiation will
        fail. The IPSEC Proposal may list a combination of AH and ESP
        transforms, but the only valid combinations are:

          1: List of AH only (Tunnel or Transport Mode)
          2: List of ESP only (Tunnel or Transport Mode)
          3: List of AH (Transport Mode) and ESP (Tunnel Mode)

  Requires
    ObjectClass
    cn
    PerfectForwardSecrecy

  Allows
    DefaultDiffHellmanGroupId
    AHProtocolTransformReference
    ESPProtocolTransformReference

  Attribute Definitions:

  __________
  NAME: ObjectClass   REQUIRED   MULTI-VALUED
  DESC: The class type for this object.
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: IPSecProposal, top
  DEFAULT VALUE: IPSecProposal, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The common name for this object; this may also be the rdn for
        this object.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Any string
  DEFAULT VALUE: NA
  ----------

  __________
  NAME: PerfectForwardSecrecy   REQUIRED   SINGLE-VALUED
  DESC: Specifies whether Perfect Forward Secrecy is required. PFS
        denotes whether a fresh Diffie-Hellman exchange is required for
        the phase 2 quick mode negotiation.
  Format:  integer
  Example: 1
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 0 (PFS Not Required), 1 (PFS Required)
  DEFAULT VALUE: 0
  ----------

  __________
  NAME: DefaultDiffHellmanGroupId   ALLOWED   SINGLE-VALUED
  DESC: If the PerfectForwardSecrecy attribute is set to 1 (Required),
        then this attribute specifies which DH Group to use. The default,
        if not specified, is to use Group 1.
  Format:  integer
  Example: 1
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 1 (Group 1), 2 (Group 2)
  DEFAULT VALUE: 1
  ----------

  __________
  NAME: AHProtocolTransformReference   ALLOWED   MULTI-VALUED
  DESC: If AH transforms should be negotiated during phase 2, then this
        attribute specifies which AH transforms should be sent in this
        proposal. This attribute is multi-valued and lists, in priority
        order, which transforms should be sent (initiator) or checked
        against (responder). Note: at least one transform must be
        specified in the proposal for the proposal to be valid.
  Format:  <order>:<DN of IPSecTransform>
  Example: 1:cn=ahVeryStrong,o=ibm,c=us
  Example: 2:cn=ahStrong,o=ibm,c=us
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any properly formatted AH transform reference
  DEFAULT VALUE: No AH Transforms in proposal
  ----------

  __________
  NAME: ESPProtocolTransformReference   ALLOWED   MULTI-VALUED
  DESC: If ESP transforms should be negotiated during phase 2, then this
        attribute specifies which ESP transforms should be sent in this
        proposal. This attribute is multi-valued and lists, in priority
        order, which transforms should be sent (initiator) or checked
        against (responder).
        Note: at least one transform must be specified in the proposal
        for the proposal to be valid.
  Format:  <order>:<DN of IPSecTransform>
  Example: 1:cn=espVeryStrong,o=ibm,c=us
  Example: 2:cn=espStrong,o=ibm,c=us
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any properly formatted ESP transform reference
  DEFAULT VALUE: No ESP Transforms in proposal
  ----------

ClassName: IPSecSecurityAction

  DESC: The IPSEC Action may specify a Pass, Drop or Secure action. If the
        action is Drop then all packets matching this policy will be
        dropped. If the action is Pass with no security then all packets
        will be passed in the clear. If the action is Pass with security
        then all packets will be secured via the security association
        negotiated from the information specified by this action. The
        IPSEC Action also contains the IP addresses of the tunnel
        endpoints for the IPSEC tunnel and IKE SAs. The attributes of the
        security association will be determined by the IPSEC Proposals
        that are referenced by the IPSEC Action. Multiple IPSEC Proposals
        may be specified in the IPSEC Action, and they are sent/checked
        against in the order they are specified. Having multiple
        proposals in an IPSEC Action allows the configuration to contain
        all the acceptable combinations of security, thereby reducing the
        number of potential configuration mismatches between VPN
        gateways.

  Requires
    ObjectClass
    cn
    SecurityAction

  Allows
    IPSecTunnelStart
    IPSecTunnelEnd
    IPSecProposalReference
    MinSARefreshPercentage
    SecurityAssociationRefreshThreshold
    IPSecAutoStartFlag
    IPSecCopyDFBit
    IPSecReplayPrev
    IPSecTunnelInTunnel

  Attribute Definitions:

  __________
  NAME: ObjectClass   REQUIRED   MULTI-VALUED
  DESC: The class type for this object.
  EQUALITY: objectIdentifierMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
  VALID VALUES: IPSecSecurityAction, top
  DEFAULT VALUE: IPSecSecurityAction, top
  ----------

  __________
  NAME: cn   REQUIRED   MULTI-VALUED
  DESC: The common name for this object; this may also be the rdn for
        this object.
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
  VALID VALUES: Any string
  DEFAULT VALUE: NA
  ----------

  __________
  NAME: SecurityAction   REQUIRED   SINGLE-VALUED
  DESC: Specifies what type of security action should be applied to
        packets matching this policy. A value of Deny states that packets
        matching this action should be dropped. A value of Permit means
        one of two things:
          1: If the IPSecProposalReference attribute IS NOT present in
             this object, then send the packet in the clear.
          2: If the IPSecProposalReference attribute IS present in this
             object, then the packet must be secured by IPSEC.
  EQUALITY: caseExactIA5Match
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Permit, Deny
  DEFAULT VALUE: Permit
  ----------

  __________
  NAME: IPSecTunnelStart   ALLOWED   SINGLE-VALUED
  DESC: Specifies the local IP address of the IPSEC tunnel. This is the IP
        address that should be used during the phase 1/2 negotiations and
        in the IP header for the secured traffic. This must be a valid IP
        address on the box retrieving this action.
  Example: 1.1.1.1
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any valid IP address (dotted decimal IPv4 address)
  DEFAULT VALUE: Must be specified if action is Permit and secure
  ----------

  __________
  NAME: IPSecTunnelEnd   ALLOWED   SINGLE-VALUED
  DESC: Specifies the remote IP address of the IPSEC tunnel. This is the
        IP address that packets should be sent to or received from during
        the phase 1/2 negotiations and in the IP header for the secured
        traffic. If the IP address of the remote peer is unknown, i.e.
        for Remote Access Users, then a value of 0.0.0.0 may be
        specified. If 0.0.0.0 is specified, then the device retrieving
        this action will only be allowed to respond to ISAKMP
        negotiations.
  Example: 1.1.1.1
  Example: 0.0.0.0 (Unknown, Remote Access User)
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any valid IP address (dotted decimal IPv4 address)
  DEFAULT VALUE: 0.0.0.0
  ----------

  __________
  NAME: IPSecProposalReference   ALLOWED   MULTI-VALUED
  DESC: If the SecurityAction type is Permit and the traffic should be
        secured, then this attribute specifies which proposals should be
        sent/checked against during quick mode negotiations. This
        attribute is multi-valued and lists, in priority order, which
        IPSecProposals should be sent (initiator) or checked against
        (responder). Note: at least one proposal must be specified if the
        SecurityAction is Permit and the action should secure traffic. If
        the IPSecProposalReference is not present then the action will be
        assumed to permit traffic in the clear.
  Format:  <order>:<DN of IPSecProposal>
  Example: 1:cn=veryStrongProposal,o=ibm,c=us
  Example: 2:cn=strongProposal,o=ibm,c=us
  EQUALITY: caseIgnoreString
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
  VALID VALUES: Any validly formatted proposal reference
  DEFAULT VALUE: No proposals (clear)
  ----------

  __________
  NAME: MinSARefreshPercentage   ALLOWED   SINGLE-VALUED
  DESC: Specifies the percentage of the configured lifetime and lifesize
        values in the IPSecTransform to accept. There may be situations
        where the peer policy contains lifetime and lifesize values that
        are smaller than the local values. If this is true, then this
        attribute specifies what percentage of the local values should be
        acceptable when comparing the remote values to the local values.
        This attribute gives the user the flexibility to accept a range
        of values, but not to accept a value so small that it hurts
        processing performance.
  Format:  integer
  Example: 75 (percent)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 1 to 100
  DEFAULT VALUE: 75
  ----------

  __________
  NAME: SecurityAssociationRefreshThreshold   ALLOWED   SINGLE-VALUED
  DESC: Specifies the percentage of the negotiated lifetime and lifesize
        for the SA after which the refresh is actually started. For
        instance, if the negotiated lifetime is 3600 seconds (1 hour) and
        the value for SecurityAssociationRefreshThreshold is 75 percent,
        then the SA refresh will actually occur after 2700 seconds. This
        allows for some overlap between refreshes so that no data is
        lost.
  Format:  integer
  Example: 85 (percent)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 1 to 100
  DEFAULT VALUE: 85
  ----------

  __________
  NAME: IPSecAutoStartFlag   ALLOWED   SINGLE-VALUED
  DESC: Specifies whether the phase 2 negotiations should automatically
        start at device initialization.
  Format:  integer
  Example: 1 (Autostart)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 0 (autostart off), 1 (autostart on)
  DEFAULT VALUE: 0
  ----------

  __________
  NAME: IPSecCopyDFBit   ALLOWED   SINGLE-VALUED
  DESC: Specifies whether to copy the Don't Fragment bit into the outer
        tunnel header, or to set it, or to clear it.
  Format:  integer
  Example: 0 (copy)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 0 (copy), 1 (set), 2 (clear)
  DEFAULT VALUE: 0
  ----------

  __________
  NAME: IPSecReplayPrev   ALLOWED   SINGLE-VALUED
  DESC: Specifies whether the local side should enforce replay
        prevention.
  Format:  integer
  Example: 0 (disabled)
  EQUALITY: integerMatch
  SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
  VALID VALUES: 0 (disabled), 1 (enabled)
  DEFAULT VALUE: 0
  ----------

  __________
  NAME: IPSecTunnelInTunnel   ALLOWED   SINGLE-VALUED
  DESC: Specifies whether the traffic secured by this IPSEC Action will be
        encrypted again by another IPSEC tunnel on the same device.
Note: The 22xx only supports a maximum of 2 cascaded tunnels. If a policy is found with an IPSEC Action whose tunnelInTunnel attribute is set to 1, then there must be another policy that describes the second tunnel.
Format: integer
Example: 1 (Yes)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 0 (No Further Tunnels), 1 (Yes, Further tunnels)
DEFAULT VALUE: 0
----------

ClassName: ISAKMPProposal
DESC: The ISAKMP Proposal specifies the encryption and authentication attributes of the phase 1 security association. It also specifies which Diffie-Hellman group should be used to generate the keys and the lifetime of the phase 1 security association. The authentication method must be selected in the ISAKMP proposal and can be either pre-shared key or Certificate mode.
Requires
  ObjectClass
  cn
  ISAKMPAuthenticationMethod
  ISAKMPHashAlgorithm
  ISAKMPCipherAlgorithm
Allows
  DefaultDiffHellmanGroupId
  SecurityAssociationLifetimeSec
  SecurityAssociationLifetimeKBytes
Attribute Definitions:
__________
NAME: ObjectClass
REQUIRED MULTI-VALUED
DESC: The class type for this object.
EQUALITY: objectIdentifierMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
VALID VALUES: ISAKMPProposal, top
DEFAULT VALUE: ISAKMPProposal, top
----------
__________
NAME: cn
REQUIRED MULTI-VALUED
DESC: The common name for this object; this may also be the rdn for this object.
EQUALITY: caseIgnoreString
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
VALID VALUES: Any string
DEFAULT VALUE: NA
----------
__________
NAME: ISAKMPAuthenticationMethod
REQUIRED SINGLE-VALUED
DESC: This attribute specifies the authentication method to use to authenticate the ISAKMP phase 1 peer.
Format: integer
Example: 1 (pre-shared key)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 1 (Pre-shared key), 3 (Cert - RSA Signature)
DEFAULT VALUE: 1
----------
__________
NAME: ISAKMPHashAlgorithm
REQUIRED SINGLE-VALUED
DESC: This attribute specifies the hash algorithm to use during ISAKMP phase 1 negotiations.
Format: integer
Example: 1 (MD5)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 1 (MD5), 2 (SHA)
DEFAULT VALUE: 1
----------
__________
NAME: ISAKMPCipherAlgorithm
REQUIRED SINGLE-VALUED
DESC: This attribute specifies the cipher algorithm to use during ISAKMP phase 1 negotiations.
Format: integer
Example: 1 (DES-CBC)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 1 (DES-CBC), 5 (3DES-CBC)
DEFAULT VALUE: 1
----------
__________
NAME: DefaultDiffHellmanGroupId
ALLOWED SINGLE-VALUED
DESC: This attribute specifies which DH Group to use. The default, if not specified, is Group 1.
Format: integer
Example: 1
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 1 (Group 1), 2 (Group 2)
DEFAULT VALUE: 1
----------
__________
NAME: SecurityAssociationLifetimeSec
ALLOWED SINGLE-VALUED
DESC: Specifies the lifetime of the Security Association in seconds.
Format: integer
Example: 3600 (1 hour)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 120 to 2147483647
DEFAULT VALUE: 15000
----------
__________
NAME: SecurityAssociationLifetimeKBytes
ALLOWED SINGLE-VALUED
DESC: Specifies the lifesize of the Security Association in KBytes.
Format: integer
Example: 50000 (50,000 KB)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 100 to 2147483647
DEFAULT VALUE: 1000
----------

ClassName: IPSecISAKMPAction
DESC: The ISAKMP Action specifies the Key Management information for phase 1. It specifies whether the phase 1 negotiations should be started in Main Mode (provides identity protection) or Aggressive Mode. It also specifies whether the phase 1 Security Association should be negotiated at box startup or on demand. The ISAKMP action must also reference one or more ISAKMP proposals. The first reference should be to the most acceptable ISAKMP Proposal.
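The following is an added example, not part of the IBM 221x schema document: a responder-side sketch in Python of how the priority-ordered proposal references (IPSecProposalReference / ISAKMPProposalReference) and the MinSARefreshPercentage and SecurityAssociationRefreshThreshold values defined for the IPSecSecurityAction and IPSecISAKMPAction classes would be applied. Function names and the sample values are constructed; the rule that a peer value larger than the local one is clamped to the local value is an assumption, since the schema only describes the smaller-than-local case.

```python
# Added example, not from the IBM 221x schema document. Function names and
# sample values are constructed for illustration.
import re

_REF = re.compile(r"^(\d+):(.+)$")   # "<priority>:<DN>" as in the schema examples


def ordered_proposals(refs):
    """Parse multi-valued 'priority:DN' references and return the DNs in
    priority order (1 first), regardless of the order the directory returns."""
    parsed = []
    for ref in refs:
        m = _REF.match(ref.strip())
        if not m:
            raise ValueError(f"malformed proposal reference: {ref!r}")
        parsed.append((int(m.group(1)), m.group(2)))
    parsed.sort(key=lambda p: p[0])
    return [dn for _, dn in parsed]


def negotiated_lifetime(local, remote, min_refresh_pct):
    """Apply MinSARefreshPercentage to a lifetime or lifesize value.
    A peer value smaller than the local one is accepted only if it is at least
    min_refresh_pct percent of the local value; otherwise None (reject).
    Assumption (not stated by the schema): a peer value larger than the local
    one is clamped to the local value."""
    if not 1 <= min_refresh_pct <= 100:
        raise ValueError("MinSARefreshPercentage must be 1..100")
    if remote >= local:
        return local
    if remote * 100 < local * min_refresh_pct:
        return None          # too small: would hurt processing performance
    return remote


def refresh_point(negotiated, threshold_pct):
    """SecurityAssociationRefreshThreshold: the point, as a fraction of the
    negotiated lifetime/lifesize, at which the refresh is started so that the
    new SA overlaps the old one (3600 s at 75 percent -> 2700 s)."""
    if not 1 <= threshold_pct <= 100:
        raise ValueError("SecurityAssociationRefreshThreshold must be 1..100")
    return negotiated * threshold_pct // 100


if __name__ == "__main__":
    # Constructed directory values, deliberately out of priority order.
    refs = ["2:cn=strongProposal,o=ibm,c=us", "1:cn=veryStrongProposal,o=ibm,c=us"]
    print(ordered_proposals(refs))
    # Local lifetime 3600 s, peer offers 3000 s, MinSARefreshPercentage 75.
    life = negotiated_lifetime(3600, 3000, 75)
    print(life, refresh_point(life, 75))
```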
Requires
  ObjectClass
  cn
  ISAKMPExchangeMode
  ISAKMPProposalReference
Allows
  MinSARefreshPercentage
  ISAKMPConnectionLifetimeSec
  ISAKMPConnectionLifetimeKBytes
  ISAKMPAutoStartFlag
Attribute Definitions:
__________
NAME: ObjectClass
REQUIRED MULTI-VALUED
DESC: The class type for this object.
EQUALITY: objectIdentifierMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
VALID VALUES: IPSecISAKMPAction, top
DEFAULT VALUE: IPSecISAKMPAction, top
----------
__________
NAME: cn
REQUIRED MULTI-VALUED
DESC: The common name for this object; this may also be the rdn for this object.
EQUALITY: caseIgnoreString
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
VALID VALUES: Any string
DEFAULT VALUE: NA
----------
__________
NAME: ISAKMPExchangeMode
REQUIRED SINGLE-VALUED
DESC: This attribute specifies whether identity protection is required. If Main Mode is chosen, then the identification information is guaranteed to be secured during phase 1. If Aggressive Mode is chosen, the identification is received earlier in the negotiations; however, it is unsecured.
Format: integer
Example: 2 (Main Mode)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 2 (Main Mode), 4 (Aggressive Mode)
DEFAULT VALUE: 2
----------
__________
NAME: ISAKMPProposalReference
REQUIRED MULTI-VALUED
DESC: This attribute specifies which ISAKMPProposals should be sent/checked against during Phase 1 negotiations. This attribute is multi-valued and lists in priority order which ISAKMPProposals should be sent (initiator) or checked against (responder).
Note: At least one proposal must be specified.
Format: priority:DN
Example: 1:cn=veryStrongProposal,o=ibm,c=us
Example: 2:cn=strongProposal,o=ibm,c=us
EQUALITY: caseIgnoreMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
VALID VALUES: Any valid formatted proposal reference
DEFAULT VALUE: Must be specified
----------
__________
NAME: MinSARefreshPercentage
ALLOWED SINGLE-VALUED
DESC: This attribute specifies the percentage of the configured lifetime and lifesize values in the ISAKMPProposal to accept. There may be situations where the peer policy contains lifetime and lifesize values that are smaller than the local values. If so, this attribute specifies what percentage of the local values is acceptable when comparing the remote values to the local values. This gives the user the flexibility to accept a range of values without accepting a value so small that it hurts processing performance.
Format: integer
Example: 75
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 1 to 100
DEFAULT VALUE: 75
----------
__________
NAME: ISAKMPConnectionLifetimeSec
ALLOWED SINGLE-VALUED
DESC: Specifies the amount of time, in seconds, during which the phase 1 SA should automatically refresh. Once this time expires, some other event must occur to restart the phase 1 tunnel.
Format: integer
Example: 30000
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 120 to 2147483647
DEFAULT VALUE: 30000
----------
__________
NAME: ISAKMPConnectionLifetimeKBytes
ALLOWED SINGLE-VALUED
DESC: Specifies the total number of KBytes that the phase 2 exchanges protected by this phase 1 may exchange while the phase 1 is automatically refreshing.
Format: integer
Example: 5000
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 100 to 2147483647
DEFAULT VALUE: 5000
----------
__________
NAME: ISAKMPAutoStartFlag
ALLOWED SINGLE-VALUED
DESC: This attribute specifies whether the phase 1 negotiations should automatically start at device initialization.
Format: integer
Example: 1 (Autostart)
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 0 (autostart off), 1 (autostart on)
DEFAULT VALUE: 0
----------

ClassName: DiffServAction
DESC: The DiffServ Action describes the quality of service that should be provided to packets matching a policy that specifies a DiffServ Action. The DiffServ Action may be configured to drop packets, thus providing a QOS of 0 percent. It may also be used to map packets into relative qualities of service. The bandwidth allocated may be configured as a percentage of output bandwidth or as an absolute value in kbps. The user must specify whether the best effort/assured queue or the premium queue should provide the bandwidth allocation. The DiffServ Action also specifies how the TOS byte should be marked before it is sent out the egress interface. By default the TOS byte is not marked. It is useful to mark the packets at some point in the network based on the information in the IP packet header. Once the classification has been determined and the TOS byte marking has been performed, the rest of the hops in the network can just look at the new TOS byte to determine the QOS that should be applied to this packet.
Requires
  ObjectClass
  cn
  DiffServPermission
Allows
  DiffServOutTOSByte
  DiffServBandwidthShare
  DiffServQueuePriority
Attribute Definitions:
__________
NAME: ObjectClass
REQUIRED MULTI-VALUED
DESC: The class type for this object.
EQUALITY: objectIdentifierMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
VALID VALUES: DiffServAction, top
DEFAULT VALUE: DiffServAction, top
----------
__________
NAME: cn
REQUIRED MULTI-VALUED
DESC: The common name for this object; this should also be the rdn for this object.
EQUALITY: caseIgnoreString
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
VALID VALUES: Any string
DEFAULT VALUE: NA
----------
__________
NAME: DiffServPermission
REQUIRED SINGLE-VALUED
DESC: Accept or Deny DiffServ Flow.
If the permission is Deny, then all packets matching this action will be dropped. If the permission is Accept, then the packets matching this action will have the service described by this action applied to them.
EQUALITY: caseIgnoreString
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
VALID VALUES: Accept, Deny
DEFAULT VALUE: Accept
----------
__________
NAME: DiffServOutTOSByte
ALLOWED SINGLE-VALUED
DESC: Specifies the marking of the IP TOS byte that should be applied to packets forwarded by this device. This attribute is formatted as a mask that should be applied to the outgoing TOS byte, followed by the value to be ORed into the TOS byte. The mask and mark values are strings of 0's and 1's that specify the 8-bit field. Zeros in the mask imply that the corresponding bit should not change. A one implies that the bit should be marked with the bit value in the mark byte. The operation is:
  newTOSByte = (Mask^ & receivedTOSByte) | (Mask & Mark)
where ^ is the bitwise complement.
Format: Mask:Mark
Example: 11111101:00000001
Using the example, a received value 0x07 would be sent out with a value of 0x02
EQUALITY: caseExactIA5Match
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
VALID VALUES: Any correctly formatted mask:mark
DEFAULT VALUE: Do not mark outgoing TOS byte (00000000:00000000)
----------
__________
NAME: DiffServBandwidthShare
ALLOWED SINGLE-VALUED
DESC: Specifies the amount of bandwidth that packets matching this action should be allocated. The syntax for the value of this attribute is the type of allocation followed by the amount of allocation. The bwType can be 1 (indicating absolute allocation in kbps) or 2 (indicating a percentage of output bandwidth).
Format: bwType:amount
Example: 1:100000 (100000 kbps)
Example: 2:60 (60 percent)
EQUALITY: caseExactIA5Match
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
VALID VALUES: Any correctly formatted bandwidth share
DEFAULT VALUE: Must be specified if the permission is permit
----------
__________
NAME: DiffServQueuePriority
ALLOWED SINGLE-VALUED
DESC: Specifies the queue that packets matching this action should be put into.
Format: integer
Example: 1
Example: 2
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: 1 (Premium), 2 (Assured/Best Effort)
DEFAULT VALUE: 2
----------

ClassName: RSVPAction
DESC: The RSVP Action specifies whether RSVP flows should be permitted or denied when an RSVP reservation occurs and the reservation request matches the profile of the policy. If the reservation is to be permitted, then the RSVP Action also states the allowed duration of the reservation, the allowed bandwidth, and optionally a reference to a DiffServ Action. The reference to the DiffServ Action allows RSVP to determine how to mark the TOS byte before the packet leaves the router. This is useful when packets leave an RSVP network into a DiffServ network. RSVP can provide the QOS up to the RSVP boundary and then mark the TOS byte appropriately so the DiffServ network can apply the correct bandwidth.
Requires
  ObjectClass
  cn
  RSVPPermission
Allows
  RSVPMaxRatePerFlow
  RSVPMaxFlowDuration
  RSVPtoDiffServReference
Attribute Definitions:
__________
NAME: ObjectClass
REQUIRED MULTI-VALUED
DESC: The class type for this object.
EQUALITY: objectIdentifierMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.38
VALID VALUES: RSVPAction, top
DEFAULT VALUE: RSVPAction, top
----------
__________
NAME: cn
REQUIRED MULTI-VALUED
DESC: The common name for this object; this should also be the rdn for this object.
EQUALITY: caseIgnoreString
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
VALID VALUES: Any string
DEFAULT VALUE: NA
----------
__________
NAME: RSVPPermission
REQUIRED SINGLE-VALUED
DESC: Accept or Deny RSVP requests for flows matching this action. If the permission is Deny, then all RSVP reservations matching this action will be denied. If the permission is Accept, then the RSVP flows matching this action will be accepted with the limitations/guarantees described by this action.
EQUALITY: caseIgnoreString
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.26
VALID VALUES: Accept, Deny
DEFAULT VALUE: Accept
----------
__________
NAME: RSVPMaxRatePerFlow
ALLOWED SINGLE-VALUED
DESC: The maximum amount of bandwidth (in kbps) that RSVP should be allowed to allocate for one individual flow.
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: integer
DEFAULT VALUE: Must be specified if permission is Accept
----------
__________
NAME: RSVPMaxFlowDuration
ALLOWED SINGLE-VALUED
DESC: The maximum amount of time (in seconds) that RSVP should allow a reservation to be active; 0 means no limit.
EQUALITY: integerMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.27
VALID VALUES: integer
DEFAULT VALUE: 600
----------
__________
NAME: RSVPtoDiffServReference
ALLOWED SINGLE-VALUED
DESC: Optional. The DN of a configured DiffServ action to map RSVP flows onto. RSVP will use the information from the DiffServ action to mark the TOS byte for the next DiffServ-enabled upstream device. This is intended for use in networks where packets leave an RSVP-enabled network into a DIFFSERV-enabled network.
EQUALITY: distinguishedNameMatch
SYNTAX: 1.3.6.1.4.1.1466.115.121.1.12
VALID VALUES: The DN of any valid DiffServAction
DEFAULT VALUE: None, no relationship to DiffServ
----------
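The following is an added example, not part of the IBM 221x schema document: Python parsers for the DiffServOutTOSByte (Mask:Mark) and DiffServBandwidthShare (bwType:amount) value formats defined in the DiffServAction class above, together with the TOS-marking operation exactly as the schema states it. Function names are constructed. Note that applying the stated operation to the document's own example (mask 11111101, mark 00000001, received 0x07) yields 0x03 rather than the 0x02 quoted in the text, so a deployment should confirm which result the device actually produces.

```python
# Added example, not from the IBM 221x schema document. Function names are
# constructed for illustration.
import re

_BITS8 = re.compile(r"^[01]{8}$")   # an 8-bit field written as 0's and 1's


def parse_tos_marking(value):
    """Parse a DiffServOutTOSByte value 'Mask:Mark' into two integers."""
    parts = value.split(":")
    if len(parts) != 2:
        raise ValueError(f"expected Mask:Mark, got {value!r}")
    mask_s, mark_s = parts
    if not (_BITS8.match(mask_s) and _BITS8.match(mark_s)):
        raise ValueError(f"mask and mark must each be 8 binary digits: {value!r}")
    return int(mask_s, 2), int(mark_s, 2)


def mark_tos(received, mask, mark):
    """The schema's operation: newTOSByte = (Mask^ & receivedTOSByte) | (Mask & Mark).
    Mask bits that are 0 leave the received bit unchanged; mask bits that are 1
    take the value of the corresponding Mark bit. Mask 0 (the default) is a no-op."""
    if not 0 <= received <= 0xFF:
        raise ValueError("TOS byte must be 0..255")
    return ((~mask & 0xFF) & received) | (mask & mark)


def parse_bandwidth_share(value):
    """Parse a DiffServBandwidthShare value 'bwType:amount'.
    bwType 1 = absolute allocation in kbps, bwType 2 = percent of output bandwidth.
    Returns a (unit, amount) tuple with the unit spelled out."""
    parts = value.split(":")
    if len(parts) != 2:
        raise ValueError(f"expected bwType:amount, got {value!r}")
    bw_type, amount = int(parts[0]), int(parts[1])
    if bw_type == 1:
        if amount <= 0:
            raise ValueError("absolute allocation must be a positive kbps value")
        return ("kbps", amount)
    if bw_type == 2:
        if not 1 <= amount <= 100:
            raise ValueError("percentage allocation must be 1..100")
        return ("percent", amount)
    raise ValueError(f"unknown bwType {bw_type}")


if __name__ == "__main__":
    mask, mark = parse_tos_marking("11111101:00000001")   # the document's example
    print(hex(mark_tos(0x07, mask, mark)))                 # operation as stated: 0x3
    print(parse_bandwidth_share("1:100000"), parse_bandwidth_share("2:60"))
```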