[ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ]
Alternate Formats: rfc5324.txt
RFC 5324 - MIB for Fibre-Channel Security Protocols (FC-SP)
|
 |
RFC5324
Network Working Group C. DeSanti
Request for Comments: 5324 F. Maino
Category: Standards Track K. McCloghrie
Cisco Systems
September 2008
MIB for Fibre-Channel Security Protocols (FC-SP)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes managed objects for information related
to FC-SP, the Security Protocols defined for Fibre Channel.
Table of Contents
1. Introduction ....................................................3
2. The Internet-Standard Management Framework ......................3
3. Overview of Fibre Channel .......................................3
3.1. Introduction ...............................................3
3.2. Zoning .....................................................4
3.3. Virtual Fabrics ............................................5
3.4. Security ...................................................5
3.4.1. Authentication ......................................5
3.4.2. Security Associations ...............................6
3.4.3. Fabric Security Policies ............................7
3.4.4. Policy Model ........................................8
3.4.5. Policy Objects ......................................9
3.4.5.1. Policy Object Names .......................10
3.4.6. Three Kinds of Switches ............................10
3.4.7. Security Policy Management .........................11
3.4.8. FC-SP Zoning .......................................11
4. Document Overview ..............................................12
4.1. Fibre Channel Management Instance .........................12
4.2. Entity Name ...............................................12
4.3. Fabric Index ..............................................13
4.4. Interface Index ...........................................13
4.5. Syntax for Policy Object Names ............................14
4.6. Certificates, CAs, and CRLs ...............................14
4.7. Traffic Selectors .........................................15
4.8. The MIB Modules ...........................................16
4.8.1. The T11-FC-SP-TC-MIB Module ........................16
4.8.2. The T11-FC-SP-AUTHENTICATION-MIB Module ............16
4.8.3. The T11-FC-SP-ZONING-MIB Module ....................16
4.8.4. The T11-FC-SP-POLICY-MIB Module ....................17
4.8.5. The T11-FC-SP-SA-MIB Module ........................17
4.9. Rate Control for Notifications ............................18
5. Relationship to Other MIB Modules ..............................19
6. MIB Module Definitions .........................................20
6.1. The T11-FC-SP-TC-MIB Module ...............................20
6.2. The T11-FC-SP-AUTHENTICATION-MIB Module ...................33
6.3. The T11-FC-SP-ZONING-MIB Module ...........................52
6.4. The T11-FC-SP-POLICY-MIB Module ...........................64
6.5. The T11-FC-SP-SA-MIB Module ..............................152
7. IANA Considerations ...........................................204
8. Security Considerations .......................................204
8.1. Information Not Defined in This Document .................204
8.2. The T11-FC-SP-TC-MIB Module ..............................204
8.3. The T11-FC-SP-AUTHENTICATION-MIB Module ..................205
8.4. The T11-FC-SP-ZONING-MIB Module ..........................206
8.5. The T11-FC-SP-POLICY-MIB Module ..........................207
8.6. The T11-FC-SP-SA-MIB Module ..............................209
8.7. Recommendations Common to All MIB Modules ................211
9. Normative References ..........................................212
10. Informative References .......................................213
11. Acknowledgements .............................................215
1. Introduction
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes managed objects for information
concerning the Fibre Channel Security Protocols (FC-SP), as specified
in [FC-SP]. The FC-SP standard includes the definition of protocols
to authenticate Fibre Channel entities, protocols to set up session
keys, protocols to negotiate the parameters required to ensure frame-
by-frame integrity and confidentiality, and protocols to establish
and distribute policies across a Fibre Channel Fabric.
This memo was initially developed by the INCITS T11 committee
(http://www.t11.org), which subsequently approved it for forwarding
to the IETF.
This memo uses one of the following terms:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119].
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base, or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
[RFC2580].
3. Overview of Fibre Channel
3.1. Introduction
Fibre Channel (FC) is logically a bidirectional point-to-point serial
data channel, structured for high performance. Fibre Channel
provides a general transport vehicle for higher-level protocols such
as Small Computer System Interface (SCSI) command sets, the High-
Performance Parallel Interface (HIPPI) data framing, IP (Internet
Protocol), IEEE 802.2, and others.
Physically, Fibre Channel is an interconnection of multiple
communication points, called N_Ports, interconnected either by a
switching network, called a Fabric, or by a point-to-point link. A
Fibre Channel "Node" consists of one or more N_Ports. A Fabric may
consist of multiple Interconnect Elements, some of which are
Switches. An N_Port connects to the Fabric via a port on a Switch
called an F_Port. When multiple FC Nodes are connected to a single
port on a Switch via an "Arbitrated Loop" topology, the Switch port
is called an FL_Port, and the Nodes' ports are called NL_Ports. The
term Nx_Port is used to refer to either an N_Port or an NL_Port. The
term Fx_Port is used to refer to either an F_Port or an FL_Port. A
Switch port, which is interconnected to another Switch port via an
Inter-Switch Link (ISL), is called an E_Port. A B_Port connects a
bridge device with an E_Port on a Switch; a B_Port provides a subset
of E_Port functionality.
Many Fibre Channel components, including the Fabric, each Node, and
most ports, have globally unique names. These globally unique names
are typically formatted as World Wide Names (WWNs). More information
on WWNs can be found in [FC-FS-2]. WWNs are expected to be
persistent across agent and unit resets.
Fibre Channel frames contain 24-bit address identifiers that identify
the frame's source and destination ports. Each FC port has both an
address identifier and a WWN. When a Fabric is in use, the FC
address identifiers are dynamic and are assigned by a Switch. Each
octet of a 24-bit address represents a level in an address hierarchy,
with a Domain_ID being the highest level of the hierarchy.
3.2. Zoning
Zones within a Fabric provide a mechanism to control frame delivery
between Nx_Ports ("Hard Zoning") or to expose selected views of Name
Server information ("Soft Zoning").
Communication is only possible when the communicating endpoints are
members of a common zone. This technique is similar to virtual
private networks in that the Fabric has the ability to group devices
into Zones.
Hard zoning and soft zoning are two different means of realizing
this. Hard zoning is enforced in the Fabric (i.e., Switches),
whereas soft zoning is enforced at the endpoints (e.g., Host Bus
Adapters) by relying on the endpoints to not send traffic to an
N_Port_ID not obtained from the Name Server with a few exceptions for
well known Addresses (e.g., the Name Server).
Administrators create Zones to increase network security, and prevent
data loss or corruption, by controlling access between devices or
user groups.
3.3. Virtual Fabrics
The standard for an interconnecting Fabric containing multiple Fabric
Switch elements is [FC-SW-4]. [FC-SW-4] carries forward the earlier
specification for the operation of a single Fabric in a physical
infrastructure, and augments it with the definition of Virtual
Fabrics and with the specification of how multiple Virtual Fabrics
can operate within one or more physical infrastructures. The use of
Virtual Fabrics provides for each frame to be tagged in its header to
indicate which one of several Virtual Fabrics that frame is being
transmitted on. All frames entering a particular "Core Switch"
[FC-SW-4] (i.e., a physical Switch) on the same Virtual Fabric are
processed by the same "Virtual Switch" within that Core Switch.
3.4. Security
The Fibre Channel Security Protocols (FC-SP) standard [FC-SP]
describes the protocols used to implement security in a Fibre Channel
Fabric, including the definition of:
- protocols to authenticate Fibre Channel entities,
- protocols to set up session keys,
- protocols to negotiate the parameters required to ensure frame-
by-frame integrity and confidentiality, and
- protocols to establish and distribute (security) policies across
a Fibre Channel Fabric.
3.4.1. Authentication
Two entities may negotiate whether authentication is required and
which Authentication Protocol is to be used. Authentication can be
used in Switch-to-Switch, Node-to-Switch, and Node-to-Node
communication. The defined Authentication Protocols are able to
perform mutual authentication with optional shared key establishment.
The shared key computed at the end of an Authentication Transaction
may be used to establish Security Associations.
The Fabric security architecture is defined for several
authentication infrastructures. Secret-based, certificate-based, and
password-based authentication infrastructures are accommodated.
Specific authentication protocols that directly leverage these three
authentication infrastructures are defined.
With a secret-based infrastructure, entities within the Fabric
environment that establish a security relationship share a common
secret or centralize the secret administration in an external (e.g.,
RADIUS [RFC2865], Diameter [RFC3588], or Terminal Access Controller
Access Control System (TACACS) [RFC1492]) server. Entities may
mutually authenticate with other entities by using the Diffie-Hellman
Challenge Handshake Authentication Protocol (DH-CHAP) [FC-SP].
Security Associations may be set up using the session key computed at
the end of the DH-CHAP transaction.
With a certificate-based infrastructure, entities within the Fabric
environment are certified by a trusted Certificate Authority (CA).
The resulting certificates bind each entity to a public-private key
pair that may be used to mutually authenticate with other certified
entities via the Fibre Channel Certificate Authentication Protocol
(FCAP) [FC-SP]. Security Associations may be set up by using these
entity certificates and associated keys or by using the session key
computed at the end of the FCAP transaction.
With a password-based infrastructure, entities within the Fabric
environment that establish a security relationship have knowledge of
the password-based credential material of other entities. Entities
may use this credential material to mutually authenticate with other
entities using the Fibre Channel Password Authentication Protocol
(FCPAP) [FC-SP]. Security Associations may be set up using the
session key computed at the end of the FCPAP transaction.
In addition to DH-CHAP, FCAP, and FCPAP, one other Authentication
Protocol is defined: Internet Key Exchange Protocol version 2-AUTH
(IKEv2-AUTH), which refers to the use of an SA Management Transaction
of the Security Association Management Protocol (see below) to
perform two functions: not only SA management but also
authentication. The credentials used in an IKEv2-AUTH transaction
are either strong shared secrets or certificates.
3.4.2. Security Associations
A subset of the IKEv2 protocol [RFC4306] suitable for Fibre Channel
is defined as the (Fibre Channel) Security Association Management
protocol [RFC4595]. This protocol -- which is *not* IPsec --
provides the means to establish Security Associations (SAs) between
Fibre Channel entities. Traffic Selectors are defined to specify
which type of traffic has to be protected by which SA, and what the
characteristics of the protection are. Two mechanisms are available
to protect specific classes of traffic:
- ESP_Header is used to protect FC-2 frames (see [FC-FS-2] and the
conceptually similar mechanisms in [RFC4303]), and
- CT_Authentication is used to protect CT_IUs (Common Transport
Information Units) [FC-GS-5].
An entity protecting specific classes of traffic maintains an
internal Security Association Database (SADB) that contains the
currently active Security Associations and Traffic Selectors.
Each active SA has a Security Association entry in the SADB. Each SA
entry includes the SA's SPI (the Security Parameters Index, which is
included in frames transmitted on the SA), a Sequence Number counter,
and the parameters for the selected transforms (e.g., encryption
algorithm, integrity algorithm, mode of operation of the algorithms,
keys).
Each active Traffic Selector has an entry in the SADB that indicates
whether it is used for ingress traffic or for egress traffic. These
Traffic Selector entries are ordered such that they are searched
(when checking for a match) in the given order. Two types of Traffic
Selector entries may be present:
- Traffic Selector entries identifying FC-2 frames or CT_IUs to be
bypassed or discarded; and
- Traffic Selector entries identifying FC-2 frames or CT_IUs to be
protected or verified. These entries point to the corresponding
SA entry defining the parameters and the security processing to
be performed.
SAs are unidirectional, but they always exist as an SA pair of the
same type, one in each direction.
3.4.3. Fabric Security Policies
Two separate approaches to defining Policies are adopted in FC-SP,
but both approaches follow the same general concept for their Policy
model. One is the definition of a Policy Model for Fabric Policies
that focus on Security. These Security Policies specify the
membership and connectivity allowed within a Fabric, and also which
IP hosts are allowed to manage a Fabric.
The other approach is to define a variant of the Enhanced Zoning
model defined in [FC-SW-4] and [FC-GS-5], such that the variant
specifies extensions for use in a secure environment. This variant
of Zoning, denoted as "FC-SP Zoning", follows the same general
concepts of the Policy model for Security Policies, but keeps Zoning
management and enforcement completely independent from the management
and enforcement of other policies.
3.4.4. Policy Model
Figure 25 of [FC-SP] depicts FC-SP's policy management model like
this:
***** ************************
* * * Policy * *********************
* M * Add, * Configuration * * Policy *
* A * Get, * Entity * * Enforcement *
* N * Remove * * * Entity *
* A * Policy * +----------------+ * * *
* G * Objects * | Non-Active | * * +-------------+ *
* I *<-------->* | Policy Objects |==*====*=>| Active | *
* N * * +----------------+ * * | Policy | *
* G * ************************ * | Objects | *
* * * +-------------+ *
* * Activate Policy Summary * *
* E *=====================================>* +-------------+ *
* N * Deactivate Policy Summary * | Policy | *
* T *=====================================>* | Summary | *
* I * * | Object | *
* T * Get Policy Summary * +-------------+ *
* Y *<-------------------------------------* *
* * Get Policy Objects * *
* *<-------------------------------------* *
***** *********************
Note that the arrows in the picture above are used to indicate the
movement of "data", rather than the direction of "messages", e.g.,
for a "Get" (with no data) in one direction which invokes a
"Response" (typically with data) in the reverse direction, the
diagram has arrows only for the "with data" direction.
3.4.5. Policy Objects
The Policies to be enforced by a Fabric are specified in a set of
Policy Objects. The various types of Policy Objects are:
- The Policy Summary Object is a list of pointers to other Policy
Objects, one pointer per each other active Policy Object. Each
pointer in a Policy Summary Object is paired with a
cryptographic hash of the referenced Policy Object.
- The Switch Membership List Object is a Fabric-wide Policy Object
that defines which Switches are allowed to be part of a Fabric.
- The Node Membership List Object is a Fabric-wide Policy Object
that defines which Nodes are allowed to be connected to a
Fabric.
- The IP Management List Object is a Fabric-wide Policy Object
that describes which IP hosts are allowed to manage a Fabric.
- A Switch Connectivity Object is a per-Switch Policy Object that
describes the topology restrictions for a specific Switch; it
specifies the other Switches or Nodes to which the particular
Switch may be connected at the Node level and/or at the Port
level.
- Attribute Objects are Fabric-wide Policy Objects that define
optional attributes to be associated with Switches or Nodes.
They allow the extension of this policy model by defining new
attributes as required.
Note that the administratively specified name for a Fabric is
contained in the Switch Membership List Object (not in the Policy
Summary Object).
When FC-SP is in use, each Fabric has a set of active Policy Objects:
- one Policy Summary Object,
- one Switch Membership List Object,
- one Node Membership List Object,
- one IP Management List Object,
- zero or more Switch Connectivity Objects, and
- zero or more Attribute Objects.
The active Policy Objects specify the Policies currently being
enforced. In addition, policies not currently being enforced are
contained in non-active Policy Objects. To change the active Policy
Objects, the non-active Policy Objects are edited as necessary and a
new Policy Summary Object that includes/references the changed Policy
Objects is activated.
3.4.5.1. Policy Object Names
Every Policy Object has a name. In a Fabric's database of Policy
Objects, a Policy Object Name is specified as a type/length/value
(see section 7.2 of [FC-SP]). The possible types are:
- Node_Name
- Restricted Node_Name
- Port_Name
- Restricted Port_Name
- Wildcard
- Negated Wildcard
- Alphanumeric Name
- IPv6 Address Range
- IPv4 Address Range
3.4.6. Three Kinds of Switches
For a Fabric composed of n Switches and m Nodes, the potential
complexity of Switch Connectivity Objects is O(n**2) to describe
Switch to Switch connections, and O(n*m) for Switch to Node
connections. To provide better scaling, the Switch Connectivity
Objects are not Fabric-wide information, but are distributed only to
where they are needed. To support this, the policy model supports
three kinds of Switches in a Fabric:
- Server Switches, which maintain the Fabric-wide Policy Objects,
all the Switch Connectivity Objects, and a full copy of the FC-
SP Zoning Database;
- Autonomous Switches, which maintain the Fabric-wide Policy
Objects, their own Switch Connectivity Object, and a full copy
of the FC-SP Zoning Database; and
- Client Switches, which maintain the Fabric-wide Policy Objects,
their own Switch Connectivity Object, and a subset of the FC-SP
Active Zone Set (which is the configurations of zones currently
being enforced by a Fabric, see section 10.4.3.3 of [FC-SW-4]).
3.4.7. Security Policy Management
Security Policy can be changed in a server session [FC-GS-5] with a
Security Policy Server. All write access to a Security Policy Server
occurs within a server session. While read access to a Security
Policy Server may occur at any time, the consistency of the returned
data is guaranteed only inside a server session.
The Enhanced Commit Service [FC-SW-4] is used to perform Fabric
operations as and when necessary (see table 144 of [FC-SP]). Many of
these operations are named as if they were acronyms, e.g., SSB for
Server Session Begin; SSE for Server Session End; SW_ILS for Switch
Fabric Internal Link Services; EACA for Enhanced Acquire Change
Authorization; ERCA for Enhanced Release Change Authorization; SFC
for Stage Fabric Configuration.
Each server session begins and ends, with a SSB request and a SSE
request respectively, sent to a Security Policy Server. In the
Fabric, the SSB requests a lock of the Fabric via an EACA SW_ILS,
while the SSE requests a release of the lock via the ERCA SW_ILS
[FC-SW-4]. Active and non-active Policy Objects are persistent in
that they survive after the end of a server session.
3.4.8. FC-SP Zoning
To preserve backward compatibility with existing Zoning definitions
and implementations, FC-SP Zoning is defined as a variant of the
Enhanced Zoning model defined in [FC-SW-4] and [FC-GS-5] that follows
the general concepts of the Policy model for Security Policy
Management, but keeps Zoning management and enforcement completely
independent.
FC-SP Zoning allows for some Switches to retain less than a complete
replicated copy of the Zoning Database, as follows:
- Server Switches maintain the policies data structures for all
Switches in the Fabric plus a replica of the Zoning data
structures;
- Autonomous Switches maintain only the subset of policies data
structures relevant for their operations plus a replica of the
Zoning Database; and
- Client Switches maintain only the subset of policies data
structures and the subset of the Active Zone Set relevant for
their operations.
When Client Switches are deployed in a Fabric, at least one Server
Switch must also be deployed in the same Fabric. A client-server
protocol allows Client Switches to dynamically retrieve the Zoning
information they may require from the Server Switches.
A management application manages the Fabric Zoning configuration
through the Fabric Zone Server, while other policies are managed
through the Security Policy Server. A new Zoning Check Protocol
replaces the Zone Merge Protocol [FC-SW-4], and new command codes are
defined for the SFC SW_ILS to distribute the FC-SP Zoning
configuration on a Fabric. The Zoning definitions are ordered to
allow for the computation of a hash of the Active Zone Set and a hash
of the Zone Set Database, plus other optional security data (e.g.,
for integrity protection of Zoning information).
4. Document Overview
This document defines five MIB modules that together provide the
means for monitoring the operation of, and configuring some
parameters of, one or more instances of the FC-SP protocols.
4.1. Fibre Channel Management Instance
A Fibre Channel management instance is defined in [RFC4044] as a
separable managed instance of Fibre Channel functionality. Fibre
Channel functionality may be grouped into Fibre Channel management
instances in whatever way is most convenient for the
implementation(s). For example, one such grouping accommodates a
single SNMP agent having multiple AgentX [RFC2741] sub-agents, with
each sub-agent implementing a different Fibre Channel management
instance.
The object, fcmInstanceIndex, is IMPORTed from the FC-MGMT-MIB
[RFC4044] as the index value to uniquely identify each Fibre Channel
management instance, for example, within the same SNMP context
([RFC3411] section 3.3.1).
4.2. Entity Name
A central capability of FC-SP is the use of an Authentication
Protocol. The purpose of each of the possible Authentication
Protocols is to allow a Fibre Channel entity to be assured of the
identity of each entity with which it is communicating. Examples of
such entities are Fibre Channel Switches and Fibre Channel Nx_Ports.
Each entity is identified by a name. The FC-MGMT-MIB [RFC4044]
defines MIB objects for such names:
- for entities that are Fibre Channel Switches, the definition of
a Fibre Channel management instance allows multiple Switches to
be managed by the same Fibre Channel management instance. In
this case, each entity is a Switch and has the name given by the
MIB object, fcmSwitchWWN.
- for entities other than Fibre Channel Switches, a Fibre Channel
management instance can manage only one entity, and the name of
the entity is given by the MIB object, fcmInstanceWwn.
4.3. Fabric Index
With multiple Fabrics, each Fabric has its own instances of the
Fabric-related management instrumentation. Thus, these MIB modules
define all Fabric-related information in tables that are INDEX-ed by
an arbitrary integer, named a "Fabric Index". The syntax of a Fabric
Index is T11FabricIndex, imported from T11-TC-MIB [RFC4439]. When a
device is connected to a single physical Fabric, without use of any
virtual Fabrics, the value of this Fabric Index will always be 1. In
an environment of multiple virtual and/or physical Fabrics, this
index provides a means to distinguish one Fabric from another.
4.4. Interface Index
Several of the MIB modules defined in this document use the
InterfaceIndexOrZero syntax in order to allow information to be
specified/instantiated on a per-port/interface basis, e.g., for:
statistics, Traffic Selectors, Security Associations, etc. This
allows the same object to be used either when there is a separate row
for each of multiple ports/interfaces, or when multiple interfaces
are represented by a single row. The use of a zero value supports
the simpler cases of: a) when there is only one port/interface, b)
where the implementation chooses to aggregate the information for
multiple ports/interfaces. The minimum (for compliance) requirement
is to implement any one of the above cases.
When a Fabric Index and an object with the InterfaceIndexOrZero
syntax are used together in a single INDEX clause, the
InterfaceIndexOrZero object is listed before the Fabric Index in
order to simplify management queries that retrieve information
concerning multiple Fabrics connected to the same port/interface.
4.5. Syntax for Policy Object Names
T11FcSpPolicyNameType and T11FcSpPolicyName are two Textual
Conventions defined in this document (in the T11-FC-SP-TC-MIB module)
to represent the types and values of Policy Object Names (see section
3.4.5.1 above). However, two of the nine possible types are IPv4
Address Range and IPv6 Address Range. It is standard practice in MIB
modules to represent all IP addresses using the standard Textual
Conventions defined in [RFC4001] for IP addresses: specifically,
InetAddressType and InetAddress. This document adheres to such
standard practice to the following extent:
- for MIB objects representing a Policy Object Name that can
*only* be an IPv4 Address Range or an IPv6 Address Range, then
those MIB objects are defined as a 3-tuple: (InetAddressType,
InetAddress, InetAddress), in which the first address is the low
end of the range, the second address is the high end of the
range, and both addresses are of the type given by
InetAddressType.
- for MIB objects representing a Policy Object Name that is
(possibly) of a different type, i.e., it is not (necessarily) an
IPv4 or IPv6 Address Range, then those MIB objects are defined
as a 2-tuple: (T11FcSpPolicyNameType, T11FcSpPolicyName), in
which the first object represents the type of Policy Object Name
and the second object represents the value of the Policy Object
Name. For MIB objects defined in this manner, if and when they
represent a range of IP addresses: a) the value of
T11FcSpPolicyNameType differentiates between an IPv4 Address
Range and an IPv6 Address Range; and b) the value of
T11FcSpPolicyName is one string containing the concatenation of
the two addresses that are the low and high addresses of the
range. This is the same format as used within FC-SP Policy
Objects [FC-SP].
4.6. Certificates, CAs, and CRLs
In order to authenticate with the FCAP protocol, each entity,
identified by a unique Name, is provided with: a digital certificate
associated with that Name, the private/public key pair that
corresponds to the certificate, and with the Root Certificate (the
certificate of the signing Certification Authority). To authenticate
another entity, an entity is required to be provided with the
certificate of the associated Certification Authority.
FCAP requires entities to support at least four Root Certificates
against which received corresponding certificates can be validated.
Support for certificate chains and verification of certificate chains
containing more than one certificate is optional. Entities need to
be able to access a Certificate Revocation List (CRL) for each
configured Root Certificate, if one is available from the CA.
Certificates on the CRL are considered invalid.
The management of certificates, Certification Authorities, and
Certificate Revocation Lists is the same in Fibre Channel networks as
it is in other networks. Therefore, this document does not define
any MIB objects for such management.
4.7. Traffic Selectors
When Traffic Selectors are compared against an ingress or egress
frame in order to determine the security processing to be applied to
that frame, there are circumstances in which multiple Traffic
Selectors, specifying different actions, can match with the frame.
Specifically, when matching against an egress frame to decide which
active Security Association to transmit on, or, against an ingress
frame unprotected by FC-SP, i.e., without an SPI value in it, to
decide which action ('drop' or 'bypass') to apply. For these cases,
the MIB includes a unique precedence value for each Traffic Selector
such that the one with the numerically lowest precedence value is
determined to be the one that matches. In contrast, ingress frames
on active Security Associations (i.e., protected by FC-SP) are
compared against the set of traffic selectors negotiated when the
Security Association was set up and identified by the SPI value
contained in the frame; the action taken depends on whether any
Traffic Selector matches, but not on which one.
This difference between ingress and egress Traffic Selectors on
active Security Associations is reflected in having separate MIB
tables defined for them: the table for Traffic Selectors on egress
SAs, t11FcSpSaTSelNegOutTable, has a precedence value in its INDEX
clause; whereas the table for Traffic Selectors on ingress SAs,
t11FcSpSaTSelNegInTable, has an arbitrary integer value in its INDEX
clause. For 'drop' and 'bypass' Traffic Selectors, one table,
t11FcSpSaTSelDrByTable, having a precedence value in its INDEX
clause, is sufficient for both ingress and egress traffic.
4.8. The MIB Modules
4.8.1. The T11-FC-SP-TC-MIB Module
This MIB module defines Textual Conventions that are being, or have
the potential to be, used in more than one MIB module. The module
also defines Object Identifiers to identify the Cryptographic
Algorithms listed in [FC-SP] so that they can be used as the value of
various MIB objects that specify the algorithms being/to be used by
an FC-SP implementation.
4.8.2. The T11-FC-SP-AUTHENTICATION-MIB Module
This MIB module specifies the management information required to
manage FC-SP Authentication Protocols. It defines three tables:
- t11FcSpAuEntityTable -- a table of Fibre Channel entities that
can be authenticated using FC-SP's Authentication Protocols,
including the names, capabilities, and basic configuration
parameters of the entities.
- t11FcSpAuIfStatTable -- this table has two purposes: to be a
list of the mappings of a FC-SP Authentication entity onto an
interface and to contain Authentication Protocol per-interface
statistics.
- t11FcSpAuRejectTable -- a table of FC-SP Authentication Protocol
transactions that were recently rejected.
It also defines two notifications: one for sending a reject in
response to an AUTH message and another for receiving a reject in
response to an AUTH message.
4.8.3. The T11-FC-SP-ZONING-MIB Module
This MIB module specifies the extensions to the T11-FC-ZONE-SERVER-
MIB module [RFC4936] for the management of FC-SP Zoning Servers.
Specifically, it augments three tables defined in T11-FC-ZONE-SERVER-
MIB:
- t11FcSpZsServerTable -- to this table, it adds FC-SP Zoning
information defined for Zone Servers.
- t11ZsStatsTable -- to this table, it adds FC-SP Zoning
statistics for Zone Servers.
- t11ZsNotifyControlTable -- to this table, it adds control
information for FC-SP Zoning notifications.
It also defines two FC-SP Zoning notifications: one for success and
one for failure in the joining of two Fabrics.
4.8.4. The T11-FC-SP-POLICY-MIB Module
This MIB module specifies management information that is used to
manage FC-SP policies. The MIB module has five parts:
- Active Policy Objects - read-only MIB objects representing the
set of active Policy Objects for each Fabric;
- Activate/Deactivate Operations - read-write MIB objects for
invoking operations, either 1) to activate policies that are
specified as a set of non-active Policy Objects, or 2) to
deactivate the currently active policies; also included are
objects giving the status of invoked operations;
- Non-Active Policy Objects - read-create MIB objects to create
and modify non-active Policy Objects;
- Statistics for FC-SP Security Policy Servers;
- The definition and control of notifications for the success or
failure of the activation or deactivation of FC-SP policies.
4.8.5. The T11-FC-SP-SA-MIB Module
This MIB module specifies the management information required to
manage Security Associations established via FC-SP. All of the
tables in this MIB module are INDEX-ed by t11FcSpSaIfIndex, with
syntax InterfaceIndexOrZero, which is either non-zero for a specific
interface or zero for all (of the management instance's) interfaces
to the particular Fabric.
The MIB module consists of six parts:
- a per-Fabric table, t11FcSpSaIfTable, of capabilities,
parameters, status information, and counters; the counters
include non-transient aggregates of per-SA transient counters;
- three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable, and
t11FcSpSaTransTable, specifying the proposals for an FC-SP
entity acting as an SA_Initiator to present to the SA_Responder
during the negotiation of Security Associations. The same
information is also used by an FC-SP entity acting as an
SA_Responder to decide what to accept during the negotiation of
Security Associations. One of these tables,
t11FcSpSaTransTable, is used not only for information about
security transforms to propose and to accept, but also as agreed
upon during the negotiation of Security Associations;
- a table, t11FcSpSaTSelDrByTable, of Traffic Selectors having the
security action of 'drop' or 'bypass' to be applied either to
ingress traffic, which is unprotected by FC-SP, or to all egress
traffic;
- four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable,
t11FcSpSaTSelNegOutTable, and t11FcSpSaTSelSpiTable, containing
information about active bidirectional pairs of Security
Associations; in particular, t11FcSpSaPairTable has one row per
active bidirectional SA pair, t11FcSpSaTSelNegInTable and
t11FcSpSaTSelNegOutTable contain information on the Traffic
Selectors negotiated on the SAs, and the t11FcSpSaTSelSpiTable
is an alternate lookup table such that the Traffic Selector(s)
in use on a particular Security Association can be quickly
determined based on its (ingress) SPI value;
- a table, t11FcSpSaControlTable, of control and other information
concerning the generation of notifications for events related to
FC-SP Security Associations;
- one notification, t11FcSpSaNotifyAuthFailure, generated on the
occurrence of an Authentication failure for a received FC-2 or
CT_IU frame.
4.9. Rate Control for Notifications
All but one of the notifications defined in the five MIB modules in
this document are notifications that are generated based on events
occurring in the "control plane", e.g., notifications that are
generated at the frequency of operator-initiated activities. The one
exception is t11FcSpSaNotifyAuthFailure, which is generated based on
an event occurring in the "data plane", and could (in a worst case
scenario) occur for every received ingress frame. Therefore, a
method of rate controlling the generation of notifications is needed
for t11FcSpSaNotifyAuthFailure, but not for any of the other
notifications.
For t11FcSpSaNotifyAuthFailure, rate control is achieved by
specifying that a) after the first occurrence of an Authentication
failure on any particular Security Association, the SNMP
notifications for second and subsequent failures are suppressed for
the duration of a time window and b) that even the notification for
the first occurrence is suppressed after it is sent in the same time
window for a configured (in t11FcSpSaControlMaxNotifs) number of
Security Associations within a Fabric. Note that while these
suppressions prevent the network from being flooded with
notifications, the Authentication Failures themselves must still be
detected and counted.
The length of the time window is given by t11FcSpSaControlWindow, a
read-write object in the t11FcSpSaControlTable. If and when the time
since the last generation of the notification is less than the value
of sysUpTime (e.g., if one or more notifications have occurred since
the last re-initialization of the management system), then
t11FcSpSaControlElapsed and t11FcSpSaControlSuppressed contain the
elapsed time since the last notification and the number of
notifications suppressed in the window after sending the last one,
respectively. Otherwise, t11FcSpSaControlElapsed contains the value
of sysUpTime and t11FcSpSaControlSuppressed has the value zero.
5. Relationship to Other MIB Modules
The first standardized MIB module for Fibre Channel [RFC2837] was
focused on Fibre Channel Switches. It was obsoleted by the more
generic Fibre Channel Management MIB [RFC4044], which defines basic
information for Fibre Channel Nodes and Switches, including
extensions to the standard IF-MIB [RFC2863] for Fibre Channel
interfaces. Several other MIB modules have since been defined to
extend [RFC4044] for various specific Fibre Channel functionality,
(e.g., [RFC4438], [RFC4439], [RFC4625], [RFC4626], [RFC4747],
[RFC4936], [RFC4935], and [RFC4983]).
The MIB modules defined in this memo further extend [RFC4044] to
cover the operation of Fibre Channel Security Protocols, as specified
in [FC-SP].
One part of the FC-SP specification is "FC-SP Zoning", which is an
extension/variant of the Fibre Channel Zoning defined in [FC-GS-5].
Management information for the latter is defined in the T11-FC-ZONE-
SERVER-MIB module [RFC4936]. Consequently, the T11-FC-SP-ZONING-MIB
module defined in this document defines the extensions to the T11-FC-
ZONE-SERVER-MIB module that are needed to manage FC-SP Zoning.
The MIB modules in this memo import some common Textual Conventions
from T11-TC-MIB, defined in [RFC4439], and from INET-ADDRESS-MIB,
defined in [RFC4001].
If the RADIUS protocol is used for access to an external server,
information about RADIUS Servers is likely to be available from the
RADIUS-AUTH-CLIENT-MIB [RFC4668].
6. MIB Module Definitions
6.1. The T11-FC-SP-TC-MIB Module
T11-FC-SP-TC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-IDENTITY, mib-2,
Unsigned32 FROM SNMPv2-SMI -- [RFC2578]
TEXTUAL-CONVENTION FROM SNMPv2-TC; -- [RFC2579]
t11FcTcMIB MODULE-IDENTITY
LAST-UPDATED "200808200000Z"
ORGANIZATION "This MIB module was developed through the
coordinated effort of two organizations:
T11 began the development and the IETF (in
the IMSS Working Group) finished it."
CONTACT-INFO
" Claudio DeSanti
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
EMail: cds@cisco.com
Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
Email: kzm@cisco.com"
DESCRIPTION
"This MIB module defines Textual Conventions for use in
the multiple MIB modules, which together define the
instrumentation for an implementation of the Fibre Channel
Security Protocols (FC-SP) specification.
This MIB module also defines Object Identities (for use as
possible values of MIB objects with syntax AutonomousType),
including OIDs for the Cryptographic Algorithms defined
in FC-SP.
Copyright (C) The IETF Trust (2008). This version
of this MIB module is part of RFC 5324; see the RFC
itself for full legal notices."
REVISION "200808200000Z"
DESCRIPTION
"Initial version of this MIB module, published as RFC 5324."
::= { mib-2 175 }
t11FcSpIdentities OBJECT IDENTIFIER ::= { t11FcTcMIB 1 }
t11FcSpAlgorithms OBJECT IDENTIFIER ::= { t11FcSpIdentities 1 }
--
-- Textual Conventions
--
T11FcSpPolicyHashFormat ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Identifies a cryptographic hash function used to create
a hash value that summarizes an FC-SP Policy Object.
Each definition of an object with this TC as its syntax
must be accompanied by a corresponding definition of an
object with T11FcSpPolicyHashValue as its syntax, and
containing the hash value.
The first two cryptographic hash functions are:
Hash Type Hash Tag Hash Length (Bytes)
SHA-1 '00000001'h 20
SHA-256 '00000002'h 32
"
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 7.1.3.1 and table 106.
- FIPS PUB 180-2."
SYNTAX OCTET STRING (SIZE (4))
T11FcSpPolicyHashValue ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Represents the value of the cryptographic hash function
of an FC-SP Policy Object.
Each definition of an object with this TC as its syntax
must be accompanied by a corresponding definition of an
object with T11FcSpPolicyHashFormat as its syntax.
The corresponding object identifies the cryptographic
hash function used to create the hash value."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 7.1.3.1 and table 106."
SYNTAX OCTET STRING (SIZE (0..64))
T11FcSpHashCalculationStatus ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"When some kind of 'database' is defined in a set of
read-write MIB objects, it is common that multiple changes
in the data need to be made at the same time. So, if hash
values are maintained for that data, those hash values are
only correct if and when they are re-calculated after every
change. In such circumstances, the use of an object with
this syntax allows the re-calculation of the hash values to
be deferred until all changes have been made, and therefore
the calculation need only be done once after all changes,
rather than repeatedly/after each individual change.
The definition of an object defined using this TC is
required to specify which one or more instances of which
MIB objects contain the hash values operated upon (or
whose status is given) by the value of this TC.
When read, the value of an object with this syntax is
either:
correct -- the identified MIB object instance(s)
contain the correct hash values; or
stale -- the identified MIB object instance(s)
contain stale (possibly incorrect) values.
Writing a value of 'calculate' is a request to re-calculate
and update the values of the corresponding instances of the
identified MIB objects. Writing a value of 'correct' or
'stale' to this object is an error (e.g., 'wrongValue')."
SYNTAX INTEGER {
calculate(1),
correct(2),
stale(3)
}
T11FcSpAuthRejectReasonCode ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A reason code contained in an AUTH_Reject message, or
in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT
(rejecting an AUTH-ELS)."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 17, 48, 52."
SYNTAX INTEGER {
authFailure(1),
logicalError(2),
logicalBusy(3),
authILSNotSupported(4),
authELSNotSupported(5),
notLoggedIn(6)
}
T11FcSpAuthRejReasonCodeExp ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A reason code explanation contained in an AUTH_Reject
message, or in an SW_RJT (rejecting an AUTH_ILS), or in
an LS_RJT (rejecting an AUTH-ELS)."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Tables 18, 48, 52."
SYNTAX INTEGER {
authMechanismNotUsable(1),
dhGroupNotUsable(2),
hashFunctionNotUsable(3),
authTransactionAlreadyStarted(4),
authenticationFailed(5),
incorrectPayload(6),
incorrectAuthProtocolMessage(7),
restartAuthProtocol(8),
authConcatNotSupported(9),
unsupportedProtocolVersion(10),
logicalBusy(11),
authILSNotSupported(12),
authELSNotSupported(13),
notLoggedIn(14)
}
T11FcSpHashFunctions ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A set of zero, one, or more hash functions defined for
use in FC-SP."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 14."
SYNTAX BITS {
md5(0),
sha1(1)
}
T11FcSpSignFunctions ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A set of zero, one, or more signature functions defined
for signing certificates for use with FCAP in FC-SP."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, tables 38 & 39."
SYNTAX BITS {
rsaSha1(0)
}
T11FcSpDhGroups ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A set of zero, one, or more DH Groups defined for use
in FC-SP."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 15."
SYNTAX BITS {
null(0),
group1024(1),
group1280(2),
group1536(3),
group2048(4),
group3072(5),
group4096(6),
group6144(7),
group8192(8)
}
T11FcSpPolicyObjectType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A value that identifies the type of an FC-SP Policy
Object."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 102."
SYNTAX INTEGER {
summary(1),
switchMemberList(2),
nodeMemberList(3),
switchConnectivity(4),
ipMgmtList(5),
attribute(6)
}
T11FcSpPolicyNameType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The format and usage of a companion object having
T11FcSpPolicyName as its syntax.
Six of the values indicate the same format, i.e., they
differ only in semantics. That common format is a Fibre
Channel 'Name_Identifier', i.e., the same syntax as
'FcNameIdOrZero (SIZE(8))'.
These six are three pairs of one restricted and one
unrestricted. Each usage of this syntax must specify
what the meaning of 'restricted' is for that usage and
how the characteristics and behavior of restricted
names differ from unrestricted names.
The six are:
'nodeName' - a Node_Name, which is the
Name_Identifier associated
with a Fibre Channel Node.
'restrictedNodeName' - a Restricted Node_Name.
'portName' - the Name_Identifier associated
with a Fibre Channel Port.
'restrictedPortName' - a Restricted Port_Name.
'wildcard' - a Wildcard value that is used to
identify 'all others' (typically,
all other members of a Policy
Object, not all other Policy
Objects).
'restrictedWildcard' - a Restricted Wildcard value.
Other possible values are:
'alphaNumericName' - the value begins with an ASCII
letter (upper or lower case) followed by (0 ... 63)
characters from the set: lower case letters, upper case
letters, digits, and the four symbols: dollar-sign ($),
dash (-), caret (^), and underscore (_).
'ipv6AddressRange' - two IPv6 addresses in network
byte order, the numerically smallest first and the
numerically largest second; total length is 32 bytes.
'ipv4AddressRange' - two IPv4 addresses in network
byte order, the numerically smallest first and the
numerically largest second; total length is 8 bytes."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 103."
SYNTAX INTEGER {
nodeName(1),
restrictedNodeName(2),
portName(3),
restrictedPortName(4),
wildcard(5),
restrictedWildcard(6),
alphaNumericName(7),
ipv6AddressRange(8),
ipv4AddressRange(9)
}
T11FcSpPolicyName ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A syntax used, when defining Policy Objects, for the
name of something.
An object that uses this syntax always identifies a
companion object with syntax T11FcSpPolicyNameType
such that the companion object specifies the format
and usage of the object with this syntax.
When the companion object has the value 'wildcard' or
'restrictedWildcard', the value of the T11FcSpPolicyName
object is: '0000000000000000'h."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 103."
SYNTAX OCTET STRING (SIZE (1..64))
T11FcSpAlphaNumName ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A syntax used when defining Policy Objects for the
name of something, where the name is always in the format
specified by:
T11FcSpPolicyNameType = 'alphaNumericName'
"
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 103."
SYNTAX OCTET STRING (SIZE (1..64))
T11FcSpAlphaNumNameOrAbsent ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An extension of the T11FcSpAlphaNumName TC with
one additional possible value: the zero-length string
to indicate the absence of a name."
SYNTAX OCTET STRING (SIZE (0..64))
T11FcSaDirection ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The direction of frame transmission on a Security
Association. Note that Security Associations are
unidirectional, but they always exist as part of an
SA pair of the same type in opposite directions."
SYNTAX INTEGER { ingress(1), egress(2) }
T11FcSpiIndex ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An SPI (Security Parameter Index) value is carried in the
SPI field of a frame protected by the ESP_Header. An SPI
is also carried in the SAID field of a Common Transport
Information Unit (CT_IU) protected by CT_Authentication.
An SPI value identifies the Security Association on which
the frame is being transmitted."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 4.7.2 and 4.7.3."
SYNTAX Unsigned32 (0..4294967295) -- the default range!!
T11FcSpPrecedence ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"The precedence of a Traffic Selector. If a frame
matches with two or more Traffic Selectors, then the match
that takes precedence is the one with the Traffic Selector
having the numerically smallest precedence value. Note that
precedence values are not necessarily contiguous."
SYNTAX Unsigned32 (0..4294967295) -- the default range!!
T11FcRoutingControl ::= TEXTUAL-CONVENTION
DISPLAY-HINT "1x"
STATUS current
DESCRIPTION
"A value stored in the R_CTL (Routing Control) 8-bit field
of an FC-2 frame containing routing and information bits to
categorize the frame function.
For FC-2 frames, an R_CTL value typically distinguishes
between control versus data frames and/or solicited versus
unsolicited frames, and in combination with the TYPE field
(see T11FcSpType), identifies a particular link-layer
service/protocol using FC-2.
For CT_Authentication, the information field in the R_CTL
field contains '02'h for Request CT_IUs and '03'h for
Response CT_IUs.
The comparison of two values having this syntax is done
by treating each string as an 8-bit numeric value."
REFERENCE
"- Fibre Channel - Framing and Signaling-2 (FC-FS-2),
ANSI INCITS 424-2007, Project T11/1619-D,
February 2007, section 9.3.
- Fibre Channel - Generic Services-5 (FC-GS-5),
ANSI INCITS 427-2006, sections 4.5.2.4.2, 4.5.2.4.3
and table 12."
SYNTAX OCTET STRING (SIZE(1))
T11FcSpType ::= TEXTUAL-CONVENTION
DISPLAY-HINT "2x"
STATUS current
DESCRIPTION
"A value, or combination of values, contained in a frame
header used in identifying the link layer service/protocol
of a frame. The value is always two octets:
- for FC-2 frames, the first octet is zero and the second
octet contains the Data structure type (TYPE) value
defined by FC-FS-2. The TYPE value is used in
combination with T11FcRoutingControl to identify a link
layer service/protocol.
- for Common Transport Information Units (CT_IUs), the
first octet contains a GS_Type value and the second
octet contains a GS_Subtype value, defined by FC-GS-5.
The comparison of two values having this syntax is done
by treating each string as the numeric value obtained by
numerically combining the individual octet's value as
follows:
(256 * 1st-octet) + 2nd-octet
"
REFERENCE
"- Fibre Channel - Framing and Signaling-2 (FC-FS-2),
ANSI INCITS 424-2007, Project T11/1619-D,
February 2007, section 9.6.
- Fibre Channel - Generic Services-5 (FC-GS-5),
ANSI INCITS 427-2006, sections 4.3.2.4 and 4.3.2.5."
SYNTAX OCTET STRING (SIZE(2))
T11FcSpTransforms ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A list of the standardized transforms that are defined
by FC-SP for use with ESP_Header, CT_Authentication, and/or
IKEv2 Support."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP), February 2007,
Appendix A.3.1, tables A.23, A.24, A.25, A.26."
SYNTAX BITS {
encrNull(0),
encrAesCbc(1),
encrAesCtr(2),
encrAesGcm(3),
encr3Des(4),
prfHmacMd5(5),
prfHmacSha1(6),
prfAesCbc(7),
authHmacMd5L96(8),
authHmacSha1L96(9),
authHmacMd5L128(10),
authHmacSha1L160(11),
encrNullAuthAesGmac(12),
dhGroups1024bit(13),
dhGroups2048bit(14)
}
T11FcSpSecurityProtocolId ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A Security Protocol identifier to identify
the protocol by which traffic is to be protected,
e.g., ESP_Header or CT_Authentication."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 6.3.2.2 and table 67."
SYNTAX INTEGER { espHeader(1), ctAuth(2) }
T11FcSpLifetimeLeft ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"This TC is used for one object of an associated pair
of objects. The object with this syntax specifies a
remaining lifetime of something, e.g., of an SA, where
the lifetime is given in the units specified by the other
object of the pair which has T11FcSpLifetimeLeftUnits
as its syntax."
SYNTAX Unsigned32
T11FcSpLifetimeLeftUnits ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An object, defined using T11FcSpLifetimeLeft TC as
its syntax, is required to be one of an associated
pair of objects such that the other object of the pair
is defined with this T11FcSpLifetimeLeftUnits TC as
its syntax and with its value specifying the
units of the remaining lifetime given by the
value of the T11FcSpLifetimeLeft object."
SYNTAX INTEGER {
seconds(1), -- seconds
kiloBytes(2), -- 10^^3 bytes
megaBytes(3), -- 10^^6 bytes
gigaBytes(4), -- 10^^9 bytes
teraBytes(5), -- 10^^12 bytes
petaBytes(6), -- 10^^15 bytes
exaBytes(7), -- 10^^18 bytes
zettaBytes(8), -- 10^^21 bytes
yottaBytes(9) -- 10^^24 bytes
}
--
-- Object Identities to identify the Cryptographic Algorithms
-- listed in FC-SP.
--
t11FcSpEncryptAlgorithms
OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 1 }
t11FcSpEncrNull OBJECT-IDENTITY
STATUS current
DESCRIPTION "The ENCR_NULL algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 70."
::= { t11FcSpEncryptAlgorithms 1 }
t11FcSpEncrAesCbc OBJECT-IDENTITY
STATUS current
DESCRIPTION "The ENCR_AES_CBC algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 70."
::= { t11FcSpEncryptAlgorithms 2 }
t11FcSpEncrAesCtr OBJECT-IDENTITY
STATUS current
DESCRIPTION "The ENCR_AES_CTR algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 70."
::= { t11FcSpEncryptAlgorithms 3 }
t11FcSpEncrAesGcm OBJECT-IDENTITY
STATUS current
DESCRIPTION "The ENCR_AES_GCM algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 70."
::= { t11FcSpEncryptAlgorithms 4 }
t11FcSpEncr3Des OBJECT-IDENTITY
STATUS current
DESCRIPTION "The ENCR_3DES algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 70."
::= { t11FcSpEncryptAlgorithms 5 }
t11FcSpAuthAlgorithms
OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 2 }
t11FcSpAuthNull OBJECT-IDENTITY
STATUS current
DESCRIPTION "The AUTH_NONE algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 72."
::= { t11FcSpAuthAlgorithms 1 }
t11FcSpAuthHmacMd5L96 OBJECT-IDENTITY
STATUS current
DESCRIPTION "The AUTH_HMAC_MD5_96 algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 72."
::= { t11FcSpAuthAlgorithms 2 }
t11FcSpAuthHmacSha1L96 OBJECT-IDENTITY
STATUS current
DESCRIPTION "The AUTH_HMAC_SHA1_96 algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 72."
::= { t11FcSpAuthAlgorithms 3 }
t11FcSpAuthHmacMd5L128 OBJECT-IDENTITY
STATUS current
DESCRIPTION "The AUTH_HMAC_MD5_128 algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 72."
::= { t11FcSpAuthAlgorithms 4 }
t11FcSpAuthHmacSha1L160 OBJECT-IDENTITY
STATUS current
DESCRIPTION "The AUTH_HMAC_SHA1_160 algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 72."
::= { t11FcSpAuthAlgorithms 5 }
t11FcSpEncrNullAuthAesGmac OBJECT-IDENTITY
STATUS current
DESCRIPTION "The ENCR_NULL_AUTH_AES_GMAC algorithm."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 70."
::= { t11FcSpEncryptAlgorithms 6 }
END
6.2. The T11-FC-SP-AUTHENTICATION-MIB Module
--********************************************************************
-- FC-SP Authentication Protocols
--
T11-FC-SP-AUTHENTICATION-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
NOTIFICATION-TYPE,
mib-2, Counter32, Unsigned32
FROM SNMPv2-SMI -- [RFC2578]
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- [RFC2580]
StorageType, AutonomousType,
TruthValue, TimeStamp FROM SNMPv2-TC -- [RFC2579]
InterfaceIndex FROM IF-MIB -- [RFC2863]
fcmInstanceIndex,
FcNameIdOrZero FROM FC-MGMT-MIB -- [RFC4044]
t11FamLocalSwitchWwn
FROM T11-FC-FABRIC-ADDR-MGR-MIB -- [RFC4439]
T11FabricIndex FROM T11-TC-MIB -- [RFC4439]
T11FcSpDhGroups,
T11FcSpHashFunctions,
T11FcSpSignFunctions,
T11FcSpLifetimeLeft,
T11FcSpLifetimeLeftUnits,
T11FcSpAuthRejectReasonCode,
T11FcSpAuthRejReasonCodeExp FROM T11-FC-SP-TC-MIB;
t11FcSpAuthenticationMIB MODULE-IDENTITY
LAST-UPDATED "200808200000Z"
ORGANIZATION "This MIB module was developed through the
coordinated effort of two organizations:
T11 began the development and the IETF (in
the IMSS Working Group) finished it."
CONTACT-INFO
" Claudio DeSanti
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
EMail: cds@cisco.com
Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
Email: kzm@cisco.com"
DESCRIPTION
"This MIB module specifies the management information
required to manage the Authentication Protocols defined by
Fibre Channel's FC-SP specification.
This MIB module defines three tables:
- t11FcSpAuEntityTable is a table of Fibre Channel
entities that can be authenticated using FC-SP's
Authentication Protocols.
- t11FcSpAuIfStatTable is a table with one row for each
mapping of an Authentication entity onto an interface,
containing statistics information.
- t11FcSpAuRejectTable is a table of volatile information
about FC-SP Authentication Protocol transactions
that were most recently rejected.
Copyright (C) The IETF Trust (2008). This version
of this MIB module is part of RFC 5324; see the RFC
itself for full legal notices."
REVISION "200808200000Z"
DESCRIPTION
"Initial version of this MIB module, published as RFC 5324."
::= { mib-2 176 }
t11FcSpAuMIBNotifications
OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 0 }
t11FcSpAuMIBObjects
OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 1 }
t11FcSpAuMIBConformance
OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 2 }
t11FcSpAuMIBIdentities
OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 3 }
--
-- OIDs defined for use as values of t11FcSpAuServerProtocol
--
t11FcSpAuServerProtocolRadius OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This OID identifies RADIUS as the protocol used
to communicate with an External Server as part of
the process by which identities are verified.
In this case, information about the RADIUS Servers
is likely to be provided in radiusAuthServerExtTable
defined in the RADIUS-AUTH-CLIENT-MIB."
REFERENCE
"radiusAuthServerExtTable in 'RADIUS Authentication
Client MIB', RFC 4668, August 2006."
::= { t11FcSpAuMIBIdentities 1 }
t11FcSpAuServerProtocolDiameter OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This OID identifies Diameter as the protocol used
to communicate with an External Server as part of
the process by which identities are verified."
REFERENCE
"RFC 3588, September 2003."
::= { t11FcSpAuMIBIdentities 2 }
t11FcSpAuServerProtocolTacacs OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This OID identifies TACACS as the protocol used
to communicate with an External Server as part of
the process by which identities are verified."
REFERENCE
"RFC 1492, July 1993."
::= { t11FcSpAuMIBIdentities 3 }
--
-- Configuration for the Authentication Protocols
--
t11FcSpAuEntityTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpAuEntityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of Fibre Channel entities that can be authenticated
using FC-SP's Authentication Protocols.
The purpose of an FC-SP Authentication Protocol is to verify
that a claimed name is associated with the claiming entity.
The Authentication Protocols can be used to authenticate
Nx_Ports, B_Ports, or Switches."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 3.2.25."
::= { t11FcSpAuMIBObjects 1 }
t11FcSpAuEntityEntry OBJECT-TYPE
SYNTAX T11FcSpAuEntityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Information about the configuration and capabilities of an
FC-SP entity (which is managed within the Fibre Channel
management instance identified by fcmInstanceIndex) on a
particular Fabric with respect to FC-SP's Authentication
Protocols."
INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
t11FcSpAuFabricIndex }
::= { t11FcSpAuEntityTable 1 }
T11FcSpAuEntityEntry ::= SEQUENCE {
t11FcSpAuEntityName FcNameIdOrZero,
t11FcSpAuFabricIndex T11FabricIndex,
t11FcSpAuServerProtocol AutonomousType,
-- Config parameters
t11FcSpAuStorageType StorageType,
t11FcSpAuSendRejNotifyEnable TruthValue,
t11FcSpAuRcvRejNotifyEnable TruthValue,
t11FcSpAuDefaultLifetime T11FcSpLifetimeLeft,
t11FcSpAuDefaultLifetimeUnits T11FcSpLifetimeLeftUnits,
t11FcSpAuRejectMaxRows Unsigned32,
-- Capabilities
t11FcSpAuDhChapHashFunctions T11FcSpHashFunctions,
t11FcSpAuDhChapDhGroups T11FcSpDhGroups,
t11FcSpAuFcapHashFunctions T11FcSpHashFunctions,
t11FcSpAuFcapCertsSignFunctions T11FcSpSignFunctions,
t11FcSpAuFcapDhGroups T11FcSpDhGroups,
t11FcSpAuFcpapHashFunctions T11FcSpHashFunctions,
t11FcSpAuFcpapDhGroups T11FcSpDhGroups
}
t11FcSpAuEntityName OBJECT-TYPE
SYNTAX FcNameIdOrZero (SIZE (8))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name used to identify the FC-SP entity.
For entities that are Fibre Channel Switches, this value
corresponds to the Switch's value of fcmSwitchWWN. For
entities other than Fibre Channel Switches, this value
corresponds to the value of fcmInstanceWwn for the
corresponding Fibre Channel management instance."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.3.3.
- fcmInstanceWwn & fcmSwitchWWN,
'Fibre Channel Management MIB', RFC 4044, May 2005."
::= { t11FcSpAuEntityEntry 1 }
t11FcSpAuFabricIndex OBJECT-TYPE
SYNTAX T11FabricIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index value that uniquely identifies a
particular Fabric to which the entity is attached."
::= { t11FcSpAuEntityEntry 2 }
t11FcSpAuServerProtocol OBJECT-TYPE
SYNTAX AutonomousType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The protocol, if any, used by the entity to communicate
with a third party (i.e., an External Server) as part of
the process by which it verifies DH-CHAP responses. For
example, if the entity is using an external RADIUS server
to verify DH-CHAP responses, then this object will have
the value t11FcSpAuServerProtocolRadius.
The value, zeroDotZero, is used to indicate that no
protocol is being used to communicate with a third
party to verify DH-CHAP responses.
When no protocol is being used, or if the third party is
unreachable via the specified protocol, then locally
configured information (if any) may be used instead."
::= { t11FcSpAuEntityEntry 3 }
t11FcSpAuStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies the memory realization of
configuration information related to an FC-SP
Entity on a particular Fabric: specifically, for
MIB objects in the row containing this object.
Even if an instance of this object has the value
'permanent(4)', none of the information in the
corresponding row of this table needs to be writable."
::= { t11FcSpAuEntityEntry 4 }
t11FcSpAuSendRejNotifyEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An indication of whether or not the entity should issue
t11FcSpAuRejectSentNotify notifications when sending
AUTH_Reject/SW_RJT/LS_RJT to reject an AUTH message.
If the value of the object is 'true', then this type of
notification is generated. If the value is 'false',
this type of notification is not generated."
DEFVAL { false }
::= { t11FcSpAuEntityEntry 5 }
t11FcSpAuRcvRejNotifyEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An indication of whether or not the entity should issue
t11FcSpAuRejectReceivedNotify notifications on the receipt
of AUTH_Reject/SW_RJT/LS_RJT messages.
If the value of the object is 'true', then this type of
notification is generated. If the value is 'false',
this type of notification is not generated."
DEFVAL { false }
::= { t11FcSpAuEntityEntry 6 }
t11FcSpAuDefaultLifetime OBJECT-TYPE
SYNTAX T11FcSpLifetimeLeft
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When the value of this object is non-zero, it specifies the
default value of a lifetime, specified in units given by
the corresponding instance of t11FcSpAuDefaultLifetimeUnits.
This default lifetime is to be used for any Security
Association that has no explicitly specified value for its
lifetime.
An SA's lifetime is either the time interval or the number
of passed bytes, after which the SA has to be terminated and
(if necessary) replaced with a new SA.
If this object is zero, then there is no default value for
lifetime."
DEFVAL { 28800 } -- 8 hours (in units of seconds)
::= { t11FcSpAuEntityEntry 7 }
t11FcSpAuDefaultLifetimeUnits OBJECT-TYPE
SYNTAX T11FcSpLifetimeLeftUnits
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The units in which the value of the corresponding
instance of t11FcSpAuDefaultLifetime specifies a
default lifetime for a Security Association that has
no explicitly-specified value for its lifetime."
DEFVAL { seconds }
::= { t11FcSpAuEntityEntry 8 }
t11FcSpAuRejectMaxRows OBJECT-TYPE
SYNTAX Unsigned32 (0..1000)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum number of rows in the t11FcSpAuRejectTable for
this entity on this Fabric. If and when an AUTH message is
rejected, and the t11FcSpAuRejectTable already contains this
maximum number of rows for the specific entity and Fabric,
the row containing the oldest information is discarded and
replaced by a row containing information about the new
rejection.
There will be less than this maximum number of rows in
the t11FcSpAuRejectTable in exceptional circumstances,
e.g., after an agent restart.
In an implementation that does not support the
t11FcSpAuRejectTable, this object will always be zero."
::= { t11FcSpAuEntityEntry 9 }
t11FcSpAuDhChapHashFunctions OBJECT-TYPE
SYNTAX T11FcSpHashFunctions
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash functions that the entity supports when using
the DH-CHAP algorithm."
::= { t11FcSpAuEntityEntry 10 }
t11FcSpAuDhChapDhGroups OBJECT-TYPE
SYNTAX T11FcSpDhGroups
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The DH Groups that the entity supports when using the
DH-CHAP algorithm in FC-SP."
::= { t11FcSpAuEntityEntry 11 }
t11FcSpAuFcapHashFunctions OBJECT-TYPE
SYNTAX T11FcSpHashFunctions
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash functions that the entity supports when
specified as Protocol Parameters in the AUTH_Negotiate
message for FCAP in FC-SP."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.5.2.1 and table 28."
::= { t11FcSpAuEntityEntry 12 }
t11FcSpAuFcapCertsSignFunctions OBJECT-TYPE
SYNTAX T11FcSpSignFunctions
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The signature functions used within certificates that
the entity supports when using FCAP in FC-SP."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.5.4.2 and tables 38 & 39."
::= { t11FcSpAuEntityEntry 13 }
t11FcSpAuFcapDhGroups OBJECT-TYPE
SYNTAX T11FcSpDhGroups
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The DH Groups that the entity supports when using the
FCAP algorithm in FC-SP."
::= { t11FcSpAuEntityEntry 14 }
t11FcSpAuFcpapHashFunctions OBJECT-TYPE
SYNTAX T11FcSpHashFunctions
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hash functions that the entity supports when using
the FCPAP algorithm in FC-SP."
::= { t11FcSpAuEntityEntry 15 }
t11FcSpAuFcpapDhGroups OBJECT-TYPE
SYNTAX T11FcSpDhGroups
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The DH Groups that the entity supports when using the
FCPAP algorithm in FC-SP."
::= { t11FcSpAuEntityEntry 16 }
--
-- The Mapping of Authentication Entities onto Interfaces
-- and Statistics
--
t11FcSpAuIfStatTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpAuIfStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each FC-SP Authentication entity can operate on one or more
interfaces, but at most one of them can operate on each
interface. A row in this table exists for each interface
to each Fabric on which each Authentication entity operates.
The objects within this table contain statistics information
related to FC-SP's Authentication Protocols."
::= { t11FcSpAuMIBObjects 2 }
t11FcSpAuIfStatEntry OBJECT-TYPE
SYNTAX T11FcSpAuIfStatEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A set of Authentication Protocols statistics for an FC-SP
Authentication entity (identified by t11FcSpAuEntityName) on
one of its interfaces to a particular Fabric, which is
managed within the Fibre Channel management instance
identified by fcmInstanceIndex."
INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
t11FcSpAuIfStatInterfaceIndex,
t11FcSpAuIfStatFabricIndex }
::= { t11FcSpAuIfStatTable 1 }
T11FcSpAuIfStatEntry ::= SEQUENCE {
t11FcSpAuIfStatInterfaceIndex InterfaceIndex,
t11FcSpAuIfStatFabricIndex T11FabricIndex,
t11FcSpAuIfStatTimeouts Counter32,
t11FcSpAuIfStatInAcceptedMsgs Counter32,
t11FcSpAuIfStatInLsSwRejectedMsgs Counter32,
t11FcSpAuIfStatInAuthRejectedMsgs Counter32,
t11FcSpAuIfStatOutAcceptedMsgs Counter32,
t11FcSpAuIfStatOutLsSwRejectedMsgs Counter32,
t11FcSpAuIfStatOutAuthRejectedMsgs Counter32
}
t11FcSpAuIfStatInterfaceIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The interface on which the FC-SP Authentication entity
operates and for which the statistics are collected."
::= { t11FcSpAuIfStatEntry 1 }
t11FcSpAuIfStatFabricIndex OBJECT-TYPE
SYNTAX T11FabricIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index value identifying the particular Fabric for
which the statistics are collected."
::= { t11FcSpAuIfStatEntry 2 }
t11FcSpAuIfStatTimeouts OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages sent
by the particular entity on the particular Fabric on the
particular interface, for which no response was received
within a timeout period.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.11."
::= { t11FcSpAuIfStatEntry 3 }
t11FcSpAuIfStatInAcceptedMsgs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages
received and accepted by the particular entity on the
particular Fabric on the particular interface.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.1."
::= { t11FcSpAuIfStatEntry 4 }
t11FcSpAuIfStatInLsSwRejectedMsgs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages
received by the particular entity on the particular Fabric
on the particular interface, and rejected by a lower-level
(SW_RJT or LS_RJT) reject.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.1."
::= { t11FcSpAuIfStatEntry 5 }
t11FcSpAuIfStatInAuthRejectedMsgs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages
received by the particular entity on the particular Fabric
on the particular interface, and rejected by an AUTH_Reject
message.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.1."
::= { t11FcSpAuIfStatEntry 6 }
t11FcSpAuIfStatOutAcceptedMsgs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages sent
by the particular entity on the particular Fabric on the
particular interface, which were accepted by the
neighboring entity, i.e., not rejected by an AUTH_Reject
message, nor by a lower-level (SW_RJT or LS_RJT) reject.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.1."
::= { t11FcSpAuIfStatEntry 7 }
t11FcSpAuIfStatOutLsSwRejectedMsgs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages sent
by the particular entity on the particular Fabric on the
particular interface, which were rejected by a lower-level
(SW_RJT or LS_RJT) reject.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.1."
::= { t11FcSpAuIfStatEntry 8 }
t11FcSpAuIfStatOutAuthRejectedMsgs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of FC-SP Authentication Protocol messages sent
by the particular entity on the particular Fabric on the
particular interface, which were rejected by an
AUTH_Reject message.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, section 5.1."
::= { t11FcSpAuIfStatEntry 9 }
--
-- Information about Authentication Protocol Transactions
-- which were recently rejected
--
t11FcSpAuRejectTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpAuRejectEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of volatile information about FC-SP Authentication
Protocol transactions that were recently rejected with
an AUTH_Reject message, or with an SW_RJT/LS_RJT.
The maximum number of rows in this table for a specific
entity on a specific Fabric is given by the value of the
corresponding instance of t11FcSpAuRejectMaxRows.
The syntax of t11FcSpAuRejTimestamp is TimeStamp, and thus
its value rolls over to zero after approximately 497 days.
To avoid any confusion due to such a rollover, rows should
be deleted from this table before they are 497 days old.
This table will be empty if no AUTH_Reject messages,
nor any SW_RJT/LS_RJT's rejecting an AUTH message,
have been sent or received since the last
re-initialization of the agent."
::= { t11FcSpAuMIBObjects 3 }
t11FcSpAuRejectEntry OBJECT-TYPE
SYNTAX T11FcSpAuRejectEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Information about one AUTH message (either an
AUTH_ELS or an AUTH_ILS) that was rejected with an
AUTH_Reject, SW_RJT or LS_RJT message, sent/received by
the entity identified by values of fcmInstanceIndex and
t11FcSpAuEntityName, on an interface to a particular
Fabric."
INDEX { fcmInstanceIndex, t11FcSpAuEntityName,
t11FcSpAuRejInterfaceIndex, t11FcSpAuRejFabricIndex,
t11FcSpAuRejTimestamp }
::= { t11FcSpAuRejectTable 1 }
T11FcSpAuRejectEntry ::= SEQUENCE {
t11FcSpAuRejInterfaceIndex InterfaceIndex,
t11FcSpAuRejFabricIndex T11FabricIndex,
t11FcSpAuRejTimestamp TimeStamp,
t11FcSpAuRejDirection INTEGER,
t11FcSpAuRejType INTEGER,
t11FcSpAuRejAuthMsgString OCTET STRING,
t11FcSpAuRejReasonCode T11FcSpAuthRejectReasonCode,
t11FcSpAuRejReasonCodeExp T11FcSpAuthRejReasonCodeExp
}
t11FcSpAuRejInterfaceIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The interface on which the rejected AUTH message was
sent or received."
::= { t11FcSpAuRejectEntry 1 }
t11FcSpAuRejFabricIndex OBJECT-TYPE
SYNTAX T11FabricIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index value identifying the particular Fabric on
which the rejected AUTH message was sent or received."
::= { t11FcSpAuRejectEntry 2 }
t11FcSpAuRejTimestamp OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The time at which the AUTH message was rejected. If two
rows have the same value of this object for the same
entity on the same interface and Fabric, the value of
this object for the later one is incremented by one."
::= { t11FcSpAuRejectEntry 3 }
t11FcSpAuRejDirection OBJECT-TYPE
SYNTAX INTEGER { sent(1), received(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication of whether the rejection was sent or
received by the identified entity.
The value 'sent(1)' corresponds to a notification of
type t11FcSpAuRejectSentNotify; the value 'received(2)'
corresponds to t11FcSpAuRejectReceivedNotify."
::= { t11FcSpAuRejectEntry 4 }
t11FcSpAuRejType OBJECT-TYPE
SYNTAX INTEGER {
authReject(1),
swRjt(2),
lsRjt(3)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication of whether the rejection was an
AUTH_Reject, an SW_RJT or an LS_RJT."
::= { t11FcSpAuRejectEntry 5 }
t11FcSpAuRejAuthMsgString OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The binary content of the AUTH message that was
rejected, formatted as an octet string (in network
byte order) containing the content of the message.
If the binary content is unavailable, then the
length is zero. Otherwise, the first octet of the
message identifies the type of message:
'90'h - an AUTH_ELS, see Table 6 in FC-SP,
'40'h - an AUTH_ILS, see Table 3 in FC-SP, or
'41'h - an B_AUTH_ILS, see Table 5 in FC-SP.
and the remainder of the message may be truncated."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Tables 3, 5 and 6."
::= { t11FcSpAuRejectEntry 6 }
t11FcSpAuRejReasonCode OBJECT-TYPE
SYNTAX T11FcSpAuthRejectReasonCode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The reason code with which this AUTH message was
rejected."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 17, 48, 52."
::= { t11FcSpAuRejectEntry 7 }
t11FcSpAuRejReasonCodeExp OBJECT-TYPE
SYNTAX T11FcSpAuthRejReasonCodeExp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The reason code explanation with which this AUTH
message was rejected."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 17, 48, 52."
::= { t11FcSpAuRejectEntry 8 }
--
-- Notifications
--
t11FcSpAuRejectSentNotify NOTIFICATION-TYPE
OBJECTS { t11FamLocalSwitchWwn,
t11FcSpAuRejAuthMsgString,
t11FcSpAuRejType,
t11FcSpAuRejReasonCode,
t11FcSpAuRejReasonCodeExp }
STATUS current
DESCRIPTION
"This notification indicates that a Switch (identified
by the value of t11FamLocalSwitchWwn) has sent a reject
message of the type indicated by t11FcSpAuRejType in
response to an AUTH message.
The content of the rejected AUTH message is given by the
value of t11FcSpAuRejAuthMsgString. The values of the
Reason Code and Reason Code Explanation in the
AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of
t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp."
::= { t11FcSpAuMIBNotifications 1 }
t11FcSpAuRejectReceivedNotify NOTIFICATION-TYPE
OBJECTS { t11FamLocalSwitchWwn,
t11FcSpAuRejAuthMsgString,
t11FcSpAuRejType,
t11FcSpAuRejReasonCode,
t11FcSpAuRejReasonCodeExp }
STATUS current
DESCRIPTION
"This notification indicates that a Switch (identified
by the value of t11FamLocalSwitchWwn) has received a
reject message of the type indicated by t11FcSpAuRejType
in response to an AUTH message.
The content of the rejected AUTH message is given by the
value of t11FcSpAuRejAuthMsgString. The values of the
Reason Code and Reason Code Explanation in the
AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of
t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp."
::= { t11FcSpAuMIBNotifications 2 }
--
-- Conformance
--
t11FcSpAuMIBCompliances
OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 1 }
t11FcSpAuMIBGroups
OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 2 }
t11FcSpAuMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for entities that
implement one or more of the Authentication Protocols
defined in FC-SP."
MODULE -- this module
MANDATORY-GROUPS { t11FcSpAuGeneralGroup,
t11FcSpAuRejectedGroup,
t11FcSpAuNotificationGroup }
GROUP t11FcSpAuIfStatsGroup
DESCRIPTION
"These counters, of particular FC-SP messages and
events, are mandatory only for those systems that
count such messages/events."
-- Write access is not required for any objects in this MIB module:
OBJECT t11FcSpAuStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpAuSendRejNotifyEnable
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpAuRcvRejNotifyEnable
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpAuDefaultLifetime
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpAuDefaultLifetimeUnits
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpAuRejectMaxRows
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { t11FcSpAuMIBCompliances 1 }
-- Units of Conformance
t11FcSpAuGeneralGroup OBJECT-GROUP
OBJECTS { t11FcSpAuServerProtocol,
t11FcSpAuStorageType,
t11FcSpAuSendRejNotifyEnable,
t11FcSpAuRcvRejNotifyEnable,
t11FcSpAuDefaultLifetime,
t11FcSpAuDefaultLifetimeUnits,
t11FcSpAuRejectMaxRows,
t11FcSpAuDhChapHashFunctions,
t11FcSpAuDhChapDhGroups,
t11FcSpAuFcapHashFunctions,
t11FcSpAuFcapCertsSignFunctions,
t11FcSpAuFcapDhGroups,
t11FcSpAuFcpapHashFunctions,
t11FcSpAuFcpapDhGroups,
t11FcSpAuIfStatTimeouts }
STATUS current
DESCRIPTION
"A collection of objects for the capabilities and
configuration parameters of FC-SP's Authentication
Protocols. The inclusion of t11FcSpAuIfStatTimeouts
in this group provides information on mappings of
Authentication entities onto interfaces."
::= { t11FcSpAuMIBGroups 1 }
t11FcSpAuIfStatsGroup OBJECT-GROUP
OBJECTS { t11FcSpAuIfStatInAcceptedMsgs,
t11FcSpAuIfStatInLsSwRejectedMsgs,
t11FcSpAuIfStatInAuthRejectedMsgs,
t11FcSpAuIfStatOutAcceptedMsgs,
t11FcSpAuIfStatOutLsSwRejectedMsgs,
t11FcSpAuIfStatOutAuthRejectedMsgs }
STATUS current
DESCRIPTION
"A collection of objects for monitoring the
operations of FC-SP's Authentication Protocols."
::= { t11FcSpAuMIBGroups 2 }
t11FcSpAuRejectedGroup OBJECT-GROUP
OBJECTS { t11FcSpAuRejDirection,
t11FcSpAuRejType,
t11FcSpAuRejAuthMsgString,
t11FcSpAuRejReasonCode,
t11FcSpAuRejReasonCodeExp }
STATUS current
DESCRIPTION
"A collection of objects holding information concerning
FC-SP Authentication Protocol transactions that were
recently rejected with an AUTH_Reject, with an SW_RJT,
or with an LS_RJT."
::= { t11FcSpAuMIBGroups 3 }
t11FcSpAuNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { t11FcSpAuRejectSentNotify,
t11FcSpAuRejectReceivedNotify }
STATUS current
DESCRIPTION
"A collection of notifications for use in the management
of FC-SP's Authentication Protocols."
::= { t11FcSpAuMIBGroups 4 }
END
6.3. The T11-FC-SP-ZONING-MIB Module
--*******************************************************************
-- FC-SP Zoning
--
T11-FC-SP-ZONING-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE,
NOTIFICATION-TYPE, mib-2,
Counter32
FROM SNMPv2-SMI -- [RFC2578]
TruthValue FROM SNMPv2-TC -- [RFC2579]
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- [RFC2580]
ifIndex FROM IF-MIB -- [RFC2863]
t11ZsServerEntry,
t11ZsStatsEntry,
t11ZsNotifyControlEntry,
t11ZsFabricIndex FROM T11-FC-ZONE-SERVER-MIB -- [RFC4936]
T11FcSpPolicyHashValue,
T11FcSpPolicyHashFormat,
T11FcSpHashCalculationStatus
FROM T11-FC-SP-TC-MIB;
t11FcSpZoningMIB MODULE-IDENTITY
LAST-UPDATED "200808200000Z"
ORGANIZATION "This MIB module was developed through the
coordinated effort of two organizations:
T11 began the development and the IETF (in
the IMSS Working Group) finished it."
CONTACT-INFO
" Claudio DeSanti
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
EMail: cds@cisco.com
Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134 USA
Email: kzm@cisco.com"
DESCRIPTION
"This MIB module specifies the extensions to the
T11-FC-ZONE-SERVER-MIB module that are necessary for the
management of Fibre Channel's FC-SP Zoning Servers, as
defined in the FC-SP specification.
The persistence of values written to these MIB objects is
the same as the persistence of the objects they extend,
i.e., it is given by the value of the relevant instance of
t11ZsServerDatabaseStorageType (defined in the
T11-FC-ZONE-SERVER-MIB module).
Copyright (C) The IETF Trust (2008). This version
of this MIB module is part of RFC 5324; see the RFC
itself for full legal notices."
REVISION "200808200000Z"
DESCRIPTION
"Initial version of this MIB module, published as RFC 5324."
::= { mib-2 177 }
t11FcSpZsMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 0 }
t11FcSpZsMIBObjects OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 1 }
t11FcSpZsMIBConformance OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 2 }
t11FcSpZsConfiguration OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 1 }
t11FcSpZsStatistics OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 2 }
--
-- Augmenting the table of Zone Servers
--
t11FcSpZsServerTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpZsServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table which provides FC-SP-specific information about
the Zone Servers on each Fabric in one or more Switches."
::= { t11FcSpZsConfiguration 1 }
t11FcSpZsServerEntry OBJECT-TYPE
SYNTAX T11FcSpZsServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains information relevant to FC-SP
for a particular Zone Server for a particular Fabric
on a particular Switch. The Fabric and Switch are
identified in the same manner as in t11ZsServerEntry."
AUGMENTS { t11ZsServerEntry }
::= { t11FcSpZsServerTable 1 }
T11FcSpZsServerEntry ::= SEQUENCE {
t11FcSpZsServerCapabilityObject BITS,
t11FcSpZsServerEnabled TruthValue,
t11FcSpZoneSetHashStatus T11FcSpHashCalculationStatus,
t11FcSpActiveZoneSetHashType T11FcSpPolicyHashFormat,
t11FcSpActiveZoneSetHash T11FcSpPolicyHashValue,
t11FcSpZoneSetDatabaseHashType T11FcSpPolicyHashFormat,
t11FcSpZoneSetDatabaseHash T11FcSpPolicyHashValue
}
t11FcSpZsServerCapabilityObject OBJECT-TYPE
SYNTAX BITS {
fcSpZoning(0)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Capabilities of the Zone Server for the particular Fabric
on the particular Switch, with respect to FC-SP Zoning:
fcSpZoning -- set to 1 to indicate the Switch is
capable of supporting FC-SP Zoning.
"
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 184."
::= { t11FcSpZsServerEntry 1 }
t11FcSpZsServerEnabled OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object indicates whether the Zone Server for the
particular Fabric on the particular Switch, is operating in
FC-SP Zoning mode."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 185."
::= { t11FcSpZsServerEntry 2 }
t11FcSpZoneSetHashStatus OBJECT-TYPE
SYNTAX T11FcSpHashCalculationStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"When read, the value of this object is either:
correct -- the corresponding instances of both
t11FcSpActiveZoneSetHash and
t11FcSpZoneSetDatabaseHash contain
the correct hash values; or
stale -- the corresponding instances of
t11FcSpActiveZoneSetHash and
t11FcSpZoneSetDatabaseHash contain
stale (possibly incorrect) values;
Writing a value of 'calculate' is a request to re-calculate
and update the values of the corresponding instances of both
t11FcSpActiveZoneSetHash and t11FcSpZoneSetDatabaseHash.
Writing a value of 'correct' or 'stale' to this object
is an error (e.g., 'wrongValue').
When the Active Zone Set and/or the Zone Set Database are
updated, it is common that multiple changes need to be made
at the same time. In such circumstances, the use of this
object allows the hash values to be updated only once after
all changes, rather than repeatedly/after each individual
change.
If and when the corresponding instance of
t11ZsServerDatabaseStorageType has the value 'permanent(4)',
then if write access is supported to any instance of a
read-write object in any row of any table governed by the
'permanent' value of t11ZsServerDatabaseStorageType, then
write access to the corresponding instance of this object
must also be supported."
REFERENCE
"t11ZsServerDatabaseStorageType in
'Fibre Channel Zone Server MIB', RFC 4936, August 2007."
DEFVAL { stale }
::= { t11FcSpZsServerEntry 3 }
t11FcSpActiveZoneSetHashType OBJECT-TYPE
SYNTAX T11FcSpPolicyHashFormat
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The format used for the hash value contained in the
corresponding instance of t11FcSpActiveZoneSetHash."
::= { t11FcSpZsServerEntry 4 }
t11FcSpActiveZoneSetHash OBJECT-TYPE
SYNTAX T11FcSpPolicyHashValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the hash for the current Active Zone Set.
The format of this value is given by the corresponding
instance of t11FcSpActiveZoneSetHashType."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 187."
::= { t11FcSpZsServerEntry 5 }
t11FcSpZoneSetDatabaseHashType OBJECT-TYPE
SYNTAX T11FcSpPolicyHashFormat
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The format used for the hash value contained in the
corresponding instance of t11FcSpZoneSetDatabaseHash."
::= { t11FcSpZsServerEntry 6 }
t11FcSpZoneSetDatabaseHash OBJECT-TYPE
SYNTAX T11FcSpPolicyHashValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the hash for the current Zone Set Database.
The format of this value is given by the corresponding
instance of t11FcSpZoneSetDatabaseHashType."
REFERENCE
"- ANSI INCITS 426-2007, T11/Project 1570-D,
Fibre Channel - Security Protocols (FC-SP),
February 2007, Table 187."
::= { t11FcSpZsServerEntry 7 }
--
-- Additional Statistics for FC-SP Zoning
--
t11FcSpZsStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpZsStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of statistics specific to FC-SP that are
maintained by Zone Servers."
::= { t11FcSpZsStatistics 1 }
t11FcSpZsStatsEntry OBJECT-TYPE
SYNTAX T11FcSpZsStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A set of statistics specific to FC-SP for a particular
Zone Server for a particular Fabric on a particular Switch.
The Fabric and Switch are identified in the same manner as
in t11ZsStatsEntry."
AUGMENTS { t11ZsStatsEntry }
::= { t11FcSpZsStatsTable 1 }
T11FcSpZsStatsEntry ::= SEQUENCE {
t11FcSpZsSPCMITrequestsSent Counter32,
t11FcSpZsSPCMITrequestsAccepted Counter32,
t11FcSpZsSPCMITrequestsRejected Counter32,
t11FcSpZsZcpRequestsSent Counter32,
t11FcSpZsZcpRequestsAccepted Counter32,
t11FcSpZsZcpRequestsRejected Counter32,
t11FcSpZsZirRequestsAccepted Counter32,
t11FcSpZsZirRequestsRejected Counter32
}
t11FcSpZsSPCMITrequestsSent OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SP Commit Zone Changes (SPCMIT) operation
requests sent by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 1 }
t11FcSpZsSPCMITrequestsAccepted OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SP Commit Zone Changes (SPCMIT) operation
requests received and accepted by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 2 }
t11FcSpZsSPCMITrequestsRejected OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of SP Commit Zone Changes (SPCMIT) operation
requests received but rejected by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 3 }
t11FcSpZsZcpRequestsSent OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Zoning Check Protocol (ZCP) requests sent
by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 4 }
t11FcSpZsZcpRequestsAccepted OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Zoning Check Protocol (ZCP) requests received
and accepted by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 5 }
t11FcSpZsZcpRequestsRejected OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Zoning Check Protocol (ZCP) requests received
but rejected by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 6 }
t11FcSpZsZirRequestsAccepted OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Zoning Information Request (ZIR) requests
received and accepted by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 7 }
t11FcSpZsZirRequestsRejected OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of Zoning Information Request (ZIR) requests
received but rejected by the Zone Server.
This counter has no discontinuities other than those
that all Counter32's have when sysUpTime=0."
::= { t11FcSpZsStatsEntry 8 }
--
-- Enable/Disable for Notifications
--
t11FcSpZsNotifyControlTable OBJECT-TYPE
SYNTAX SEQUENCE OF T11FcSpZsNotifyControlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table of control information for notifications
generated due to Zone Server events related to
FC-SP Zoning."
::= { t11FcSpZsConfiguration 2 }
t11FcSpZsNotifyControlEntry OBJECT-TYPE
SYNTAX T11FcSpZsNotifyControlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry is an augmentation of the notification control
information for a Zone Server for a particular Fabric on a
particular Switch. The Fabric and Switch are identified in
the same manner as in t11ZsNotifyControlEntry."
AUGMENTS { t11ZsNotifyControlEntry }
::= { t11FcSpZsNotifyControlTable 1 }
T11FcSpZsNotifyControlEntry ::= SEQUENCE {
t11FcSpZsNotifyJoinSuccessEnable TruthValue,
t11FcSpZsNotifyJoinFailureEnable TruthValue
}
t11FcSpZsNotifyJoinSuccessEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether
t11FcSpZsFabricJoinFailureNotify notifications should be
generated by the Zone Server for this Fabric."
::= { t11FcSpZsNotifyControlEntry 1 }
t11FcSpZsNotifyJoinFailureEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether
t11FcSpZsFabricJoinSuccessNotify notifications should be
generated by the Zone Server for this Fabric."
::= { t11FcSpZsNotifyControlEntry 2 }
--
-- Notifications
--
t11FcSpZsFabricJoinSuccessNotify NOTIFICATION-TYPE
OBJECTS { ifIndex, t11ZsFabricIndex }
STATUS current
DESCRIPTION
"This notification indicates that a Switch that is part
of one Fabric (indicated by the value of t11ZsFabricIndex)
has successfully joined (on the interface indicated by the
value of ifIndex) with a Switch that is part of another
Fabric.
If multiple Virtual Fabrics are configured on an interface,
and all are successfully joined at the same time, and if
the agent so chooses, then it can generate just one
notification in which t11ZsFabricIndex has the value 4096."
::= { t11FcSpZsMIBNotifications 1 }
t11FcSpZsFabricJoinFailureNotify NOTIFICATION-TYPE
OBJECTS { ifIndex, t11ZsFabricIndex }
STATUS current
DESCRIPTION
"This notification indicates that an E_Port on the local
Switch has entered the Isolated state because a join
between two Fabrics failed. The failure occurred on the
local Fabric indicated by the value of t11ZsFabricIndex,
on the interface indicated by the value of ifIndex.
If multiple Virtual Fabrics are configured on an interface,
and all have a failure to join at the same time, and if the
agent so chooses, then it can generate just one notification
in which t11ZsFabricIndex has the value 4096."
::= { t11FcSpZsMIBNotifications 2 }
--
-- Conformance
--
t11FcSpZsMIBCompliances
OBJECT IDENTIFIER ::= { t11FcSpZsMIBConformance 1 }
t11FcSpZsMIBGroups OBJECT IDENTIFIER ::= { t11FcSpZsMIBConformance 2 }
t11FcSpZsMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for entities that
implement the extensions specified in FC-SP for
Fibre Channel's Zone Server."
MODULE -- this module
MANDATORY-GROUPS { t11FcSpZsObjectsGroup,
t11FcSpZsNotificationControlGroup,
t11FcSpZsNotificationGroup }
GROUP t11FcSpZsStatisticsGroup
DESCRIPTION
"These counters, containing Zone Server statistics,
are mandatory only for those systems that count
such events."
-- Write access is not required for any objects in this MIB module:
OBJECT t11FcSpZsServerEnabled
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpZoneSetHashStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpZsNotifyJoinSuccessEnable
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT t11FcSpZsNotifyJoinFailureEnable
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { t11FcSpZsMIBCompliances 1 }
-- Units of Conformance
t11FcSpZsObjectsGroup OBJECT-GROUP
OBJECTS { t11FcSpZsServerCapabilityObject,
t11FcSpZsServerEnabled,
t11FcSpZoneSetHashStatus,
t11FcSpActiveZoneSetHashType,
t11FcSpActiveZoneSetHash,
t11FcSpZoneSetDatabaseHashType,
t11FcSpZoneSetDatabaseHash
}
STATUS current
DESCRIPTION
"A collection of objects for Zone configuration
information of a Zone Server capable of
operating in FC-SP Zoning mode."
::= { t11FcSpZsMIBGroups 1 }
t11FcSpZsNotificationControlGroup OBJECT-GROUP
OBJECTS { t11FcSpZsNotifyJoinSuccessEnable,
t11FcSpZsNotifyJoinFailureEnable
}
STATUS current
DESCRIPTION
"A collection of notification control objects for
monitoring Zone Server failures specific to FC-SP."
::= { t11FcSpZsMIBGroups 2 }
t11FcSpZsStatisticsGroup OBJECT-GROUP
OBJECTS { t11FcSpZsSPCMITrequestsSent,
t11FcSpZsSPCMITrequestsAccepted,
t11FcSpZsSPCMITrequestsRejected,
t11FcSpZsZcpRequestsSent,
t11FcSpZsZcpRequestsAccepted,
t11FcSpZsZcpRequestsRejected,
t11FcSpZsZirRequestsAccepted,
t11FcSpZsZirRequestsRejected
}
STATUS current
DESCRIPTION
"A collection of objects for collecting Zone Server
statistics which are specific to FC-SP."
::= { t11FcSpZsMIBGroups 3 }
t11FcSpZsNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { t11FcSpZsFabricJoinSuccessNotify,
t11FcSpZsFabricJoinFailureNotify
}
STATUS current
DESCRIPTION
"A collection of notification(s) for monitoring
Zone Server events that are specific to FC-SP."
::= { t11FcSpZsMIBGroups 4 }
END
6.4. The T11-FC-SP-POLICY-MIB Module
--*******************************************************************
-- FC-SP Policy
--
T11-FC-SP-POLICY-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, mib-2,
Counter32, Unsigned32
FROM SNMPv2-SMI -- [RFC2578]
RowStatus, StorageType, TimeStamp,
TruthValue FROM SNMPv2-TC -- [RFC2579]
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- [RFC2580]
SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
InetAddress, InetPortNumber,
InetAddressType FROM INET-ADDRESS-MIB -- [RFC4001]
fcmInstanceIndex,
FcNameIdOrZero,
FcDomainIdOrZero FROM FC-MGMT-MIB --