This MIB module specifies the management information
required to manage Security Associations established via
Fibre Channel's FC-SP specification.
The MIB module consists of six parts:
- a per-Fabric table, t11FcSpSaIfTable, of capabilities,
parameters, status information, and counters; the counters
include non-transient aggregates of per-SA transient
counters;
- three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable,
and t11FcSpSaTransTable, specifying the proposals for an
FC-SP entity acting as an SA_Initiator to present to the
SA_Responder during the negotiation of Security
Associations. The same information is also used by an
FC-SP entity acting as an SA_Responder to decide what to
accept during the negotiation of Security Associations.
One of these tables, t11FcSpSaTransTable, is used not only
for information about security transforms to propose and
to accept, but also as agreed upon during the negotiation
of Security Associations;
- a table, t11FcSpSaTSelDrByTable, of Traffic Selectors
having the security action of 'drop' or 'bypass' to be
applied either to ingress traffic that is unprotected by
FC-SP, or to all egress traffic;
- four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable,
t11FcSpSaTSelNegOutTable, and t11FcSpSaTSelSpiTable,
containing information about active bidirectional pairs of
Security Associations; in particular, t11FcSpSaPairTable
has one row per active bidirectional SA pair,
t11FcSpSaTSelNegInTable and t11FcSpSaTSelNegOutTable
contain information on the Traffic Selectors negotiated on
the SAs, and the t11FcSpSaTSelSpiTable is an alternate
lookup table such that the Traffic Selector(s) in use on a
particular Security Association can be quickly determined
based on the (ingress) SPI value;
- a table, t11FcSpSaControlTable, of control and other
information concerning the generation of notifications for
events related to FC-SP Security Associations;
- one notification, t11FcSpSaNotifyAuthFailure, generated on
the occurrence of an Authentication failure for a received
FC-2 or CT_IU frame.
Copyright (C) The IETF Trust (2008). This version
of this MIB module is part of RFC 5324; see the RFC
itself for full legal notices.
When this notification is generated, it indicates the
occurrence of an Authentication failure for a received
FC-2 or CT_IU frame. The t11FcSpSaControlInboundSpi,
t11FcSpSaControlSource, and t11FcSpSaControlDestination
objects in the varbindlist are the frame's SPI, source and
destination addresses, respectively. t11FcSpSaControlFrame
provides the (beginning of the) frame's content if such is
available.
This notification is generated only for the first
occurrence of an Authentication failure on a Fabric within
a time window. Subsequent occurrences of an Authentication
Failure on the same Fabric within the same time window
are counted but suppressed.
The value of t11FcSpSaControlElapsed contains (a lower bound
on) the elapsed time since the last generation of this
notification for the same Fabric. The value of
t11FcSpSaControlSuppressed contains the number of
generations which were suppressed in the time window after
that last generation, or zero if unknown.
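
The per-Fabric suppression described above can be sketched as follows. This is an added example, not code from RFC 5324 or from any agent implementation; the window length parameter, the frame prefix cap, timestamps in seconds, an elapsed value of 0 for a Fabric's first notification, and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

FRAME_PREFIX_LEN = 64  # assumed cap on how much of the frame is reported

@dataclass
class FabricState:
    last_sent: Optional[float] = None  # when the last notification was generated
    suppressed: int = 0                # failures suppressed since then

class AuthFailureNotifier:
    """Per-Fabric suppression for t11FcSpSaNotifyAuthFailure (illustrative)."""

    def __init__(self, window_secs):
        self.window_secs = window_secs  # assumed: one window length, in seconds
        self.fabrics = {}

    def on_auth_failure(self, fabric, now, spi, source, destination, frame=b""):
        """Return the notification's varbinds, or None when suppressed."""
        st = self.fabrics.setdefault(fabric, FabricState())
        if st.last_sent is not None and now - st.last_sent < self.window_secs:
            st.suppressed += 1  # counted, but no notification is generated
            return None
        varbinds = {
            "t11FcSpSaControlInboundSpi": spi,
            "t11FcSpSaControlSource": source,
            "t11FcSpSaControlDestination": destination,
            "t11FcSpSaControlFrame": frame[:FRAME_PREFIX_LEN],
            # Assumption: 0 when no earlier notification exists for this Fabric.
            "t11FcSpSaControlElapsed": 0 if st.last_sent is None else now - st.last_sent,
            "t11FcSpSaControlSuppressed": st.suppressed,
        }
        st.last_sent, st.suppressed = now, 0
        return varbinds

def failures_reported(notifications):
    """Receiver side: failures accounted for by the notifications seen so far."""
    return sum(1 + n["t11FcSpSaControlSuppressed"] for n in notifications)

def demo():
    """Constructed events: (fabric, time in s, SPI) with a 60 s window."""
    notifier = AuthFailureNotifier(window_secs=60)
    events = [(1, 0, 0x100), (1, 10, 0x100), (2, 15, 0x200),
              (1, 20, 0x101), (1, 70, 0x100), (1, 75, 0x100)]
    return [notifier.on_auth_failure(f, t, spi, "0x010203", "0x0a0b0c", b"\x00" * 128)
            for f, t, spi in events]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the constructed run, Fabric 1 sees five failures but only two notifications, which together account for four of them; the fifth is reported only when a later notification is generated. A receiver should therefore treat one notification as a lower bound on the number of failures, not a count.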
t11FcSpSaNotifyLifeExceeded
.1.3.6.1.2.1.179.0.2
This notification is generated when the lifetime (in
seconds or in passed bytes) of an SA is exceeded, and the
SA is either immediately terminated or is terminated
because an attempt to renew the SA fails. The values of
t11FcSpSaControlLifeExcdSpi and t11FcSpSaControlLifeExcdDir
contain the SPI and direction of the terminated SA.