[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03                                                   
Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                           TimeStep Corporation
Internet Draft                                         November 30, 1998




                          IPSec Monitoring MIB
                     <draft-ietf-ipsec-mib-03.txt>

Status of this Memo

   This document is a submission to the IETF Internet Protocol Security
   (IPSEC) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@tis.com) or to the editor.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Copyright Notice


   This document is a product of the IETF's IPSec Working Group.
   Copyright (C) The Internet Society (1998).  All Rights Reserved.










IPSec Working Group                                             [Page 1]


Internet Draft           IPSec Monitoring MIB              November 1998


Table of Contents


   1. Introduction                                                    2
   2. The SNMPv2 Network Management Framework                         3
   2.1 Object Definitions                                             4
   3. IPSec MIB Objects Architecture                                  4
   3.1 Tunnel MIB and Interface MIB Consideration                     5
   3.2 MIB Concepts                                                   5
   3.2.1 Transient Channels and Tunnels                               5
   3.2.2 Permanent Channels and Tunnels                               6
   3.2.3 IKE SAs and Control Channels                                 6
   3.2.4 IPSec SAs and IPSec Virtual Tunnels                          7
   3.3 MIB Tables                                                     9
   3.4 Static IPSec SA and Protection Suite Use                      10
   3.5 Asymmetric Use                                                10
   3.6 Notify Messages                                               12
   3.7 IPSec MIB Traps                                               12
   3.8 IPSec Entity Level Objects                                    12
   4. MIB Definitions                                                13
   5. Security Considerations                                        57
   6. Acknowledgements                                               58
   7. References                                                     58
   8. Revision History                                               60
   9. Appendix A                                                     61



1. Introduction

   This document defines monitoring and status MIBs for IPSec. It does
   not define MIBs that may be used for configuring IPSec
   implementations or for providing low-level diagnostic or debugging
   information. Further, it does not provide policy information. Those
   MIBs may be defined in later versions of this document or in other
   documents.

   The purpose of the MIBs is to allow system administrators to
   determine operating conditions and perform system operational level
   monitoring of the IPSec portion of their network. Statistics are
   provided as well.

   The IPSec MIB definitions use a virtual tunnel model, of which there
   can be configured permanent tunnels or transient tunnels. The virtual
   tunnel model is used to allow the use of IPSec from a virtual private
   networking (VPN) point of view. This allows users of IPSec based
   products to get similar monitoring and statistical information from



IPSec Working Group                                             [Page 2]


Internet Draft           IPSec Monitoring MIB              November 1998


   an IPSec based VPN as they would from a VPN based on other
   technologies, such as Frame Relay.

   Finally, the objects defined perhaps represent a somewhat simplified
   view of security associations. This is done for the purposes of
   expediency and for simplification of presentation. Also, some
   information about SAs has been intentionally left out to reduce the
   security risk if SNMP traffic becomes compromised.


2. The SNMPv2 Network Management Framework

   The SNMP Management Framework presently consists of five major
   components:

  o  An overall architecture, described in RFC 2271 [2271].

  o  Mechanisms for describing and naming objects and events for the
     purpose of management. The first version of this Structure of
     Management Information (SMI) is called SMIv1 and described in
     RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
     version, called SMIv2, is described in RFC 1902 [1902],
     RFC 1903 [1903] and RFC 1904 [1904].

  o  Message protocols for transferring management information. The
     first version of the SNMP message protocol is called SNMPv1 and
     described in RFC 1157 [1157]. A second version of the SNMP message
     protocol, which is not an Internet standards track protocol, is
     called SNMPv2c and described in RFC 1901 [1901] and
     RFC 1906 [1906]. The third version of the message protocol is
     called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
     and RFC 2274 [2274].

  o  Protocol operations for accessing management information. The
     first set of protocol operations and associated PDU formats is
     described in RFC 1157 [1157]. A second set of protocol operations
     and associated PDU formats is described in RFC 1905 [1905].

  o  A set of fundamental applications described in RFC 2273 [2273]
     and the view-based access control mechanism described in
     RFC 2275 [2275].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate


IPSec Working Group                                             [Page 3]


Internet Draft           IPSec Monitoring MIB              November 1998


   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.


2.1 Object Definitions

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the subset of Abstract Syntax Notation One (ASN.1)
   defined in the SMI. In particular, each object type is named by an
   OBJECT IDENTIFIER, an administratively assigned name. The object type
   together with an object instance serves to uniquely identify a
   specific instantiation of the object. For human convenience, we often
   use a textual string, termed the descriptor, to refer to the object
   type.


3. IPSec MIB Objects Architecture

   The IPSec MIB provides information related to both phase 1 or
   Internet Key Exchange (IKE) security associations (SAs) and phase 2
   (or IPSec) SAs. Configuration about the SAs is provided as are
   statistics related to the SAs themselves.

   Since one of the uses of IPSec implementations is to provide Virtual
   Private Network (VPN) services that other private network services
   such as leased lines or frame relay networks, there exists a need to
   provide the same type of monitoring capability.

   To support this, the concept of virtual tunnels is developed.
   Additionally, the concept of transients and permanent tunnels is also
   developed.

   Additionally, since IPSec itself has many structures, and because VPN
   service providers may be interested in different kinds of statistics,
   the MIB provides a number of aggregate totals. These totals are
   provided to allow system administrators to take snapshots of system
   behaviour without excessive SNMP traffic on the network.







IPSec Working Group                                             [Page 4]


Internet Draft           IPSec Monitoring MIB              November 1998


3.1 Tunnel MIB and Interface MIB Consideration

   It should be noted that the MIBs here are not extensions of the
   Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach
   was rejected for a number of reasons, including:

  o  The types of parameters required for those MIBs are not
     appropriate for IPSec MIBs.

   The parameters required for IPSec tunnels are related to security
   services and statistics associated with handling those services.
   There no parameters like that associated with the Tunnel MIB.

  o  The virtual tunnels created by IPSec SAs may be independent of
     other logical interfaces; this is an implementation issue.

   The IPSec layer may be placed in a number of locations on the host
   implementation. These locations may be above the IP layer, within the
   IP layer, or just below it. Therefore, the mapping of the IPSec
   virtual tunnels to tunnels described by the tunnel MIB is
   implementation dependent.

  o  The tunnel end point definitions are not the same as those used by
     the tunnel MIB.

   The Tunnel MIB uniquely defines tunnels by a simple source and
   destination IP address pair. This is only a specific subset of the
   identifiers needed for IPSec virtual tunnels.


3.2 MIB Concepts

   There are four concepts needed to describe the structure of the MIB.
   These concepts are the IKE control channel, the IKE SAs, the IPSec
   virtual tunnel and the IPSec protection suite. IPSec SAs are
   considered a subset of protection suites.

   Also important in this document are the concepts of permanence and
   transience.


3.2.1 Transient Channels and Tunnels

   Transient channels and tunnels are made up of SAs and protection
   suites that normally go up and down, such as those created by a dial-
   in client implementation. Additionally, these SAs and protection
   suites are prone to being torn down in an impolite manner. As an
   example, system administrators typically do not want to have alarms


IPSec Working Group                                             [Page 5]


Internet Draft           IPSec Monitoring MIB              November 1998


   going off when these SAs and protection suites are torn down because
   an end user disconnected his or her modem before performing a normal
   dial-up networking shut down.

   By necessity, this applies to both the IKE control channels and the
   IPSec tunnels created by them.


3.2.2 Permanent Channels and Tunnels

   Permanent channels and tunnels are made up of SAs and protection
   suites that a system administrator considers of significant
   importance in a VPN implementation. These SAs and protection suites
   would typically be from one IPSec gateway to another and be used as
   the link between two corporate networks. As such, the network
   administrator would want alarms to go off when one of these virtual
   tunnels goes down under any circumstance.

   How implementations specify which tunnels are permanent versus
   transient is implementation dependent, and therefore beyond the scope
   of this document.


3.2.3 IKE SAs and Control Channels

   Phase 1 or IKE SAs as negotiated by IKE are presented in a table.
   Individual SAs are represented in part by a row from the IKE SA
   table.

   Each row is uniquely identified by its cookies. Also included is SA
   state information, connection information, security information,
   expiration information and traffic statistics.

   Other information, such as the security provided by the SAs, is
   included in a control channel table row.

   An explanation of the use of control channels follows.

   The primary use of phase 1 SAs is to allow host implementations to
   exchange keying material for phase 2 negotiations and to perform
   IPSec SA and protection suite management. Additionally,
   implementations may also use this channel to perform other functions,
   such as peer configuration. Since the host implementation, at a high
   level, does not necessarily care which particular phase 1 SA it uses
   to perform these functions, the concept of an IKE control channel is
   introduced as a logical entity to indicate the virtual channel
   created by the existence of phase 1 SAs established between two
   peers.


IPSec Working Group                                             [Page 6]


Internet Draft           IPSec Monitoring MIB              November 1998


   The need for this abstraction is also in part due to the ability of
   IPSec SAs and protection suites to exist beyond the expiration of the
   IKE SA that created them.

   Control channels appear in their own table, and each row describes a
   single control channel, to which multiple phase 1 SAs may be
   logically attached.

   The IKE control channel is uniquely identified by the IDs at each
   end, since it is a logical peer to peer communications channel. It
   contains information common to all phase 1 SAs that create it, and
   aggregate statistics for those phase 1 SAs. Additionally, it contains
   aggregate statistics for all phase 2 SAs created by it. Finally, it
   contains the information related to the authentication of the peer
   that negotiated the phase 1 SAs with it. This includes certificate
   information, specifically the issuer name and serial, even though it
   is meaningless in pre-shared key authentication mode. This is due to
   the importance of this information in many VPN implementations. The
   distinguished name of the certificate is not provided; it may be the
   ID used for phase 1 negotiation. If the ID used for phase 1
   negotiation is not the certificate’s distinguished name, it should be
   one of the alternate names encoded in the certificate.

   Note that since the security service provided by the phase 1 SAs
   appears in the IKE SA table, implementations may allow a single
   control channel to provide multiple security services. There is no
   requirement that implementations support this.

   Phase 1 control channels may be transient or permanent. A transient
   control channel disappears from the table when it goes down; a
   permanent control channel does not. The status of a permanent control
   channel can be determined by the number of active phase 1 SAs
   attached to it.

   It is recommended that implementations place permanent control
   channels in the table before all transient control channels, and that
   the order of permanent control channels displayed in the table does
   not change.


3.2.4 IPSec SAs and IPSec Virtual Tunnels

   IPSec SAs created between peers are identified by the peer IP
   address, the SPI (CPI for IPCOMP) and the service provided by the SA.
   In this document, the term service refers to one of IPCOMP, ESP and
   AH. These are often referred to as security services; the concept is
   generalized somewhat in this document since IPCOMP is not technically
   a "security" service.


IPSec Working Group                                             [Page 7]


Internet Draft           IPSec Monitoring MIB              November 1998


   Further, in this document, IPSec SAs are considered a subset of
   protection suites, and as such, appear in the IPSec protection suite
   table. IPSec protection suites are as defined by [ISAKMP]. These are
   multiple services that are negotiated in a single quick mode
   exchange. Of the result, [ISAKMP] states: "All of the protections in
   a suite must be treated as a single unit." For this reason, the
   protection suites as presented in the MIB all assume that all
   services in the protection suite live and die at the same time. Also
   in this document, an IPSec SA is effectively a protection suite that
   provides only a single service.

   When multiple services are provided in a protection suite, the order
   is implicit, based on statements found in [ARCH] and [IPCOMP]. The
   order assumed is IPCOMP before ESP before AH. However, since the
   order is implicit, implementation are free to choose different
   orders, however, this cannot be shown in the MIB.

   Some implementations may create SA bundles by the separate
   negotiation of different services. In these cases, the separately
   negotiates SAs or suites should appear on separate lines of the
   protection suite table. In these cases, the MIB does not show the
   order of application of the services in the bundle.

   Virtual IPSec tunnels are created by the existence of IPSec SAs and
   protection suites, either statically created, or created by IKE. The
   tunnel concept comes from the effect of services on packets that are
   handled by protection suites. As a packet encounters an IPSec
   implementation, either in a security gateway or as layer in a
   protocol stack, a policy decision causes the packet to be handed to a
   protection suite for processing.

   The protection suite then performs a service (including possibly
   compression) on the packet, then adds at least one new header and
   sends the packet into the normal IP stream for routing. (The only
   time no header is added is when the only service provided by the
   protection suite is compression, it is a transport mode protection
   suite, and the packet is not compressible.)

   When the secured (and possibly compressed) packet arrives at its
   destination, the peer IPSec implementation removes the added header
   or headers and reverse processes the packet. Another policy lookup is
   then done to make sure the packet was appropriately handled by the
   sending peer.

   Since the original packet is conceptually "hidden" between the two
   IPSec implementations, it can be considered tunneled. To help
   conceptually, if ESP could be negotiated with no encryption and no
   authentication, it would provide services very similar to IP-in-IP.


IPSec Working Group                                             [Page 8]


Internet Draft           IPSec Monitoring MIB              November 1998


   The specific protection suite chosen by the policy lookup is based on
   what are called the selectors. The selectors are the packet's source
   IP address, its destination IP address, its layer 4 protocol and its
   layer 4 protocol source and destination port numbers. The policy
   system uses this information to assign the packet to an protection
   suite for handling.

   Since it is irrelevant to the packet which specific protection suite
   provided the services, and since all protection suites with same
   selectors normally provide the same service, the existence of any and
   all protection suites assigned to the selector effectively creates a
   tunnel for the packets.

   In other words, the tunnel created by the protection suites is
   identified by the selectors used to assign the security services to
   the packet. The selectors are explained in detail in [SECARCH].


3.3 MIB Tables

   The MIB uses four tables that are linked as shown as an example in
   Figure 3-1. Here, the four tables are the IKE control channel table,
   the IKE SA table, the IPSec virtual tunnel table and the IPSec
   protection suite table.

   The IKE control channel table is shown with two entries. Both have
   two active phase 1 SAs that support each of them. The first also has
   created two IPSec tunnels, each supported by two IPSec protection
   suites numbered 1 and 6, and 2 and 5 respectively. The second IKE
   channel has a single IPSec tunnel, which is supported by two IPSec
   protection suites, numbered 3 and 4.

   A different diagram that is intended to show the tunnels that exist
   between two IPSec gateways is shown in Figure 3-2. Two host groups
   each are shown behind the IPSec gateways. Shown are the IKE control
   channel between the gateways and four possible IPSec virtual tunnels.
   The control channel has two active phase 1 SAs. Of the four possible
   virtual tunnels, one is shown with two IPSec SAs in it. One of these
   SAs may be just about to expire, while the other may have been
   created in anticipation of the expiration of the first. These SAs are
   the SAs that provide the service, supporting the existence of the
   tunnel.








IPSec Working Group                                             [Page 9]


Internet Draft           IPSec Monitoring MIB              November 1998



ipsecIkeContChanTable  -information and statistics on the IKE
 Con. Chan. 1 <---+     control channel
 Con. Chan. 2 <-+ |    -aggregate information about IKE SAs
                | |    -aggregate information about IPSec tunnels
                | |
                | |  ipsecIkeSaTable -information on specific
                | +-- IKE SA 1        phase 1 SAs
                +-|-- IKE SA 2
                +-|-- IKE SA 3
                | +-- IKE SA 4
               / /
              | |
              | |<- only if IPSec protection suites are not static
              | |
              | | ipsecTunnelTable       -information and statistics on
              | +- IPSec Tunnel 1 <---+   the IPSec virtual tunnels
              | +- IPSec Tunnel 2 <--+|
              +--- IPSec Tunnel 3 <-+||
                                    |||
                                    ||| ipsecSaTable -information on
                                    ||+- IPSec PS 1   specific IPSec
                                    |+|- IPSec PS 2   protection suites
                                    +||- IPSec PS 3
                                    +||- IPSec PS 4
                                     +|- IPSec PS 5
                                      +- IPSec PS 6
  PS - Protection Suite

               Figure 3-1 IPSec Monitoring MIB Structure



3.4 Static IPSec SA and Protection Suite Use

   IPSec protection suites and SAs that are statically keyed do not
   point back to IKE control channel table entries.

   Implementations that do not use IKE at all will create empty phase 1
   tables.


3.5 Asymmetric Use

   This MIB is defined assuming symmetric use of SAs and protection
   suites. That is to say that it assumes that an inbound SA is always
   set up with a corresponding outbound SA that provides the same
   security service.



IPSec Working Group                                            [Page 10]


Internet Draft           IPSec Monitoring MIB              November 1998



               +----------------------------+
               |  IKE (control channel)     |
               |  +---------------------+   |
               |  |  IKE SA 1           |   |
               |  +---------------------+   |
               |  +---------------------+   |
               |  |  IKE SA 2           |   |
               |  +---------------------+   |
               +----------------------------+
                                  ^  ^
                                  |  | <- aggregate IPSec statistics
                                  |  |
 H11 -|    +----+                 |  |    +----+      |- H21
      |    |    |                         |    |      |
      |----| G1 |-------------------------| G2 |------|
      |    |    |                         |    |      |
 H12 -|    +----+                 |  |    +----+      |- H22
                                  |  |
                                  |  |
         +-----------------------------------------+
         |      H11 to H21 (data tunnel)           | <- aggregate
         | +-------------------------------------+ |    PS statistics
         | | IPSec PS with H11 and H21 selectors | |    for H11-H21
         | +-------------------------------------+ |
         | +-------------------------------------+ |
         | | IPSec PS with H11 and H21 selectors | |
         | +-------------------------------------+ |
         +-----------------------------------------+
                                  |  |
         +-----------------------------------------+
         |      H11 to H22 (data tunnel)           | <- aggregate
         +-----------------------------------------+    PS statistics
                                  |  |                  for H11-H22
         +-----------------------------------------+
         |      H12 to H21 (data tunnel)           | <- aggregate
         +-----------------------------------------+    PS statistics
                                  |  |                  for H12-H21
         +-----------------------------------------+
         |      H12 to H22 (data tunnel)           | <- aggregate
         +-----------------------------------------+    PS statistics
                                  |  |                  for H12-H22
                                  +--+
PS - Protection Suite

                Figure 3-2 Illustration of IPSec Tunnels





IPSec Working Group                                            [Page 11]


Internet Draft           IPSec Monitoring MIB              November 1998


   In cases where this MIB is required for asymmetric use, the
   corresponding objects that describe the unused direction may be set
   to the equivalent of the unknown or zero state.


3.6 Notify Messages

   Notify messages sent from peer to peer are not necessarily sent as
   traps. However, they are collected as they occur and accumulated in a
   parse table structure.

   A notify message object is defined. This object is used as the index
   into the table of accumulated notify messages. This helps system
   administrators determine if there are potential configuration
   problems or attacks on their network.


3.7 IPSec MIB Traps

   Traps are provided to let system administrators know about the
   existence of error conditions occurring in the entity. Errors are
   associated with the creation and deletion of protection suites, and
   also operational errors that may indicate the presence of attacks on
   the system.

   Traps are not provided when protection suites and tunnels come up or
   go down, unless they go down due to error conditions. It should be
   noted that the termination of a permanent tunnel is normally
   considered an error condition, while the termination of a transient
   tunnel is not normally considered an error.

   The causes of protection suite negotiation failure are indicated by a
   notify message object.


3.8 IPSec Entity Level Objects

   This part of the MIB carries statistics global to the IPSec device.

   Statistics included are aggregate errors, aggregate numbers
   associated with protection suites, permanent tunnels and transient
   tunnels. The statistics are provided as objects in a tree below these
   groups.

   More system wide statistics on transient tunnels is provided since
   they disappear from the tables when they terminate, and aggregate
   traffic statistics associated with individual tunnels is lost.



IPSec Working Group                                            [Page 12]


Internet Draft           IPSec Monitoring MIB              November 1998



4. MIB Definitions

 IPSEC-MIB DEFINITIONS ::= BEGIN

     IMPORTS
         MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
         Integer32, Unsigned32,
         experimental, NOTIFICATION-TYPE          FROM SNMPv2-SMI
         DateAndTime, TruthValue                  FROM SNMPv2-TC;

     ipsecMIB MODULE-IDENTITY
         LAST-UPDATED "9811301200Z"
         ORGANIZATION "IETF IPSec Working Group"
         CONTACT-INFO
                 "   Tim Jenkins
                     TimeStep Corporation
                     362 Terry Fox Drive
                     Kanata, ON  K0A 2H0
                     Canada

                     613-599-3610
                     tjenkins@timestep.com"

         DESCRIPTION
               "The MIB module to describe generic IPSec objects,
               transient and permanent virtual tunnels created by IPSec
               SAs, and entity level IPSec objects and events."
         REVISION      "9811301200Z"
         DESCRIPTION
                 "Initial revision."
  --     ::= { mib-2 ?? }
       -- need correct value here
         ::= { experimental 500 }


     ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

     ipsec      OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }


  -- the IPSec IKE Control Channel MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec's IKE virtual IKE control channel


  ipsecIkeConChanTable OBJECT-TYPE


IPSec Working Group                                            [Page 13]


Internet Draft           IPSec Monitoring MIB              November 1998


      SYNTAX     SEQUENCE OF IpsecIkeConChanEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec's
               IKE control channels."
      ::= { ipsec 1 }

  ipsecIkeConChanEntry OBJECT-TYPE
      SYNTAX     IpsecIkeConChanEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IKE control channel."
      INDEX      { ipsecIkeConChanIndex }
      ::= { ipsecIkeConChanTable 1 }

  IpsecIkeConChanEntry ::= SEQUENCE {
     ipsecIkeConChanIndex             Integer32,

  -- the real identifiers for the control channel
     ipsecIkeConChanLocalIdType       Integer32,
     ipsecIkeConChanLocalId           OCTET STRING,
     ipsecIkeConChanPeerIdType        Integer32,
     ipsecIkeConChanPeerId            OCTET STRING,
     ipsecIkeConChanAuthMethod        Integer32,
     ipsecIkeConChanPeerCertSerialNum OCTET STRING,
     ipsecIkeConChanPeerCertIssuer    OCTET STRING,

  -- virtual channel status
     ipsecIkeConChanType              INTEGER,
     ipsecIkeConChanCurrentSaNum      Unsigned32,
     ipsecIkeConChanTotalSaNum        Counter64,

   -- aggregate statistics (all SAs)
     ipsecIkeConChanTimeStart         DateAndTime,
     ipsecIkeConChanInboundTraffic    Counter64,  -- in bytes
     ipsecIkeConChanOutboundTraffic   Counter64,  -- in bytes
     ipsecIkeConChanInboundPackets    Counter64,
     ipsecIkeConChanOutboundPackets   Counter64,

  -- aggregate error statistics
     ipsecIkeConChanDecryptErrors          Counter32,
     ipsecIkeConChanHashErrors             Counter32,
     ipsecIkeConChanOtherReceiveErrors     Counter32,
     ipsecIkeConChanSendErrors             Counter32,



IPSec Working Group                                            [Page 14]


Internet Draft           IPSec Monitoring MIB              November 1998


  -- IPSec SA (Phase 2) statistics (aggregate)
     ipsecIkeConChanIpsecInboundTraffic    Counter64,
     ipsecIkeConChanIpsecOutboundTraffic   Counter64,
     ipsecIkeConChanIpsecInboundPackets    Counter64,
     ipsecIkeConChanIpsecOutboundPackets   Counter64,

  -- IPSec SA (Phase 2) error statistics (aggregate)
     ipsecIkeConChanIpsecDecryptErrors     Counter32,
     ipsecIkeConChanIpsecAuthErrors        Counter32,
     ipsecIkeConChanIpsecReplayErrors      Counter32,
     ipsecIkeConChanIpsecOtherReceiveErrors  Counter32,
     ipsecIkeConChanIpsecSendErrors        Counter32

  }


  ipsecIkeConChanIndex OBJECT-TYPE
      SYNTAX      Integer32 (1..16777215)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value, greater than zero, for each tunnel
               interface.  It is recommended that values are assigned
               contiguously starting from 1.

               The value for each channel interface must remain constant
               at least from one re-initialization of entity's network
               management system to the next re-initialization.

               Further, the value for channel interfaces that are marked
               as permanent must remain constant across all re-
               initializations of the network management system."
      ::= { ipsecIkeConChanEntry 1 }

  ipsecIkeConChanLocalIdType OBJECT-TYPE
      SYNTAX      Integer32 (0..256)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The type of ID used by the local end of the control
               channel.

               Specific values are used as described in Section 4.6.2.1
               of [IPDOI]."
      ::= { ipsecIkeConChanEntry 2 }

  ipsecIkeConChanLocalId OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (0..511))


IPSec Working Group                                            [Page 15]


Internet Draft           IPSec Monitoring MIB              November 1998


      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The ID of the local host that negotiated this control
               channel.

               The length may require truncation under some conditions."
      ::= { ipsecIkeConChanEntry 3 }

  ipsecIkeConChanPeerIdType OBJECT-TYPE
      SYNTAX      Integer32 (0..256)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The type of ID used by the peer.

               Specific values are used as described in Section 4.6.2.1
               of [IPDOI]."
      ::= { ipsecIkeConChanEntry 4 }

  ipsecIkeConChanPeerId OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (0..511))
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The ID of the peer host that negotiated this control
               channel.

               The length may require truncation under some conditions."
      ::= { ipsecIkeConChanEntry 5 }

 ipsecIkeConChanAuthMethod OBJECT-TYPE
      SYNTAX      Integer32 (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The authentication method used to authenticate the
               peers.

               Note that this does not include the specific method of
               authentication if extended authenticated is used.

               Specific values are used as described in the ISAKMP Class
               Values of Authentication Method from Appendix A of
               [IKE]."
      ::= { ipsecIkeConChanEntry 6 }




IPSec Working Group                                            [Page 16]


Internet Draft           IPSec Monitoring MIB              November 1998


  ipsecIkeConChanPeerCertSerialNum OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (0..63))
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
               "The serial number of the certificate of the peer this
               control channel was negotiated with.

               This object has no meaning if a certificate was not used
               in authenticating the peer."
      ::= { ipsecIkeConChanEntry 7 }

  ipsecIkeConChanPeerCertIssuer OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (0..511))
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The serial number of the certificate of the peer this
               control channel was negotiated with.

               This object has no meaning if a certificate was not used
               in authenticating the peer."
      ::= { ipsecIkeConChanEntry 8 }

  ipsecIkeConChanType OBJECT-TYPE
      SYNTAX      INTEGER { transient(1), permanent(2) }
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The type of control channel represented by this row.

               A transient link will disappear from the table when
               the SAs needed for it cannot be established. A
               permanent link will shows its status in the
               ipsecIkeConChanStatus object."
      ::= { ipsecIkeConChanEntry 9 }

  ipsecIkeConChanCurrentSaNum OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of currently active SAs that are available
               for use by this control channel.

               If the control channel is permanent, a 0 value in this
               object indicates the channel is either never tried or
               down.


IPSec Working Group                                            [Page 17]


Internet Draft           IPSec Monitoring MIB              November 1998



               If the control channel is transient, this object can
               never be 0 valued."
      ::= { ipsecIkeConChanEntry 10 }

  ipsecIkeConChanTotalSaNum OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of SAs, including all expired and
               active SAs, that have been set up to support this control
               channel."
      ::= { ipsecIkeConChanEntry 11 }

  ipsecIkeConChanTimeStart OBJECT-TYPE
      SYNTAX      DateAndTime
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The date and time that the first SA within the control
               channel was set up."
      ::= { ipsecIkeConChanEntry 12 }

   ipsecIkeConChanInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS   "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of traffic measured in bytes handled in
               the control channel in the inbound direction. In other
               words, it is the aggregate value of all inbound traffic
               carried by all phase 1 SAs ever set up to support the
               control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 13 }

  ipsecIkeConChanOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of traffic measured in bytes handled in
               the control channel in the outbound direction. In other


IPSec Working Group                                            [Page 18]


Internet Draft           IPSec Monitoring MIB              November 1998


               words, it is the aggregate value of all outbound traffic
               carried by all phase 1 SAs ever set up to support the
               control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 14 }

  ipsecIkeConChanInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets handled by the control
               channel since it became active in the inbound direction.
               In other words, it is the aggregate value of the number
               of inbound packets carried by all phase 1 SAs ever set up
               to support the control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 15 }

  ipsecIkeConChanOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets handled by the control
               channel since it became active in the outbound direction.
               In other words, it is the aggregate value of the number
               of outbound packets carried by all phase 1 SAs ever set
               up to support the control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 16 }

  ipsecIkeConChanDecryptErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
               "The total number of inbound packets to this control
               channel discarded due to decryption errors.

               Note that this refers to IKE protocol packets, and not to
               packets carried by IPSec protection suites set up by the


IPSec Working Group                                            [Page 19]


Internet Draft           IPSec Monitoring MIB              November 1998


               SAs supporting this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 17 }

  ipsecIkeConChanHashErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets to this control
               channel discarded due to hash errors.

               Note that this refers to IKE protocol packets, and not to
               packets carried by IPSec protection suites set up by the
               SAs supporting this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 18 }

  ipsecIkeConChanOtherReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets to this control
               channel discarded for reasons other than bad hashes or
               decryption errors. This may include packets dropped to a
               lack of receive buffer space.

               Note that this refers to IKE protocol packets, and not to
               packets carried by IPSec protection suites set up by the
               SAs supporting this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 19 }

  ipsecIkeConChanSendErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets from this control
               channel discarded for any reason. This may include
               packets dropped to a lack of transmit buffer space.


IPSec Working Group                                            [Page 20]


Internet Draft           IPSec Monitoring MIB              November 1998



               Note that this refers to IKE protocol packets, and not to
               packets carried by IPSec protection suites set up by the
               SAs supporting this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 20 }

  ipsecIkeConChanIpsecInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of inbound traffic measured in bytes
               handled by all IPSec SAs set up by phase 1 SAs supporting
               this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 21 }

  ipsecIkeConChanIpsecOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of outbound traffic measured in bytes
               handled by all IPSec protection suites set up by all
               phase 1 SAs supporting this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 22 }

  ipsecIkeConChanIpsecInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets handled by all IPSec
               protection suites set up by phase 1 SAs supporting this
               control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."


IPSec Working Group                                            [Page 21]


Internet Draft           IPSec Monitoring MIB              November 1998


      ::= { ipsecIkeConChanEntry 23 }

  ipsecIkeConChanIpsecOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets handled by all
               IPSec protection suites set up by phase 1 SAs supporting
               this control channel.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 24 }

  ipsecIkeConChanIpsecDecryptErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "The total number of inbound packets discarded by all
               IPSec protection suites set up by all phase 1 SAs in this
               control channel due to decryption errors.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 25 }

  ipsecIkeConChanIpsecAuthErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets discarded by all
               IPSec protection suites set up by all phase 1 SAs in this
               control channel due to authentication errors. This
               includes hash failures in IPSec SAs using ESP and AH.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 26 }

  ipsecIkeConChanIpsecReplayErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION



IPSec Working Group                                            [Page 22]


Internet Draft           IPSec Monitoring MIB              November 1998


              "The total number of inbound packets discarded by all
               IPSec protection suites set up by all phase 1 SAs in this
               control channel due to replay errors.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 27 }

  ipsecIkeConChanIpsecOtherReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "The total number of inbound packets discarded by all
               IPSec protection suites set up by all phase 1 SAs in this
               control channel due to errors other than authentication,
               decryption or replay errors. This may include packets
               dropped due to lack of receive buffers.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 34 }

   ipsecIkeConChanIpsecSendErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets discarded by all
               IPSec protection suites set up by all phase 1 SAs in this
               control channel due to any error. This may include
               packets dropped due to lack of receive buffers.

               If this is a permanent control channel, it is not reset
               to zero when the number of phase 1 SAs changes from 0."
      ::= { ipsecIkeConChanEntry 28 }



  -- the IPSec IKE MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec's IKE SAs and the virtual phase 1 SA tunnels


  ipsecIkeSaTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecIkeSaEntry
      MAX-ACCESS not-accessible


IPSec Working Group                                            [Page 23]


Internet Draft           IPSec Monitoring MIB              November 1998


      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec's
               IKE SAs."
      ::= { ipsec 2 }

  ipsecIkeSaEntry OBJECT-TYPE
      SYNTAX     IpsecIkeSaEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IKE SA."
      INDEX      { ipsecIkeSaIndex }
      ::= { ipsecIkeSaTable 1 }

  IpsecIkeSaEntry ::= SEQUENCE {
     ipsecIkeSaIndex                  Integer32,
     ipsecIkeSaConChanIndex           Integer32,

  -- identifier information
     ipsecIkeSaInitiatorCookie        OCTET STRING,
     ipsecIkeSaResponderCookie        OCTET STRING,
     ipsecIkeSaState                  INTEGER,

  -- connection information
     ipsecIkeSaLocalIpAddress         OCTET STRING,
     ipsecIkeSaLocalPortNumber        INTEGER,
     ipsecIkeSaPeerIpAddress          OCTET STRING,
     ipsecIkeSaPeerPortNumber         INTEGER,

  -- security algorithm information
     ipsecIkeSaEncAlg                 INTEGER,
     ipsecIkeSaEncKeyLength           Unsigned32,
     ipsecIkeSaHashAlg                Integer32,
     ipsecIkeSaDifHelGroupDesc        Integer32,
     ipsecIkeSaDifHelGroupType        Integer32,
     ipsecIkeSaPRF                    Integer32,

  -- expiration limits, current SA
     ipsecIkeSaTimeStart              DateAndTime,
     ipsecIkeSaTimeLimit              OCTET STRING,  -- in seconds
     ipsecIkeSaTrafficLimit           OCTET STRING,
     ipsecIkeSaTrafficCount           OCTET STRING,

  -- this SA's operating statistics
     ipsecIkeSaInboundTraffic         Counter64,  -- in bytes
     ipsecIkeSaOutboundTraffic        Counter64,  -- in bytes


IPSec Working Group                                            [Page 24]


Internet Draft           IPSec Monitoring MIB              November 1998


     ipsecIkeSaInboundPackets         Counter64,
     ipsecIkeSaOutboundPackets        Counter64,

  -- this SA's error statistics
     ipsecIkeSaDecryptErrors          Counter32,
     ipsecIkeSaHashErrors             Counter32,
     ipsecIkeSaOtherReceiveErrors     Counter32,
     ipsecIkeSaSendErrors             Counter32
  }

  ipsecIkeSaIndex OBJECT-TYPE
      SYNTAX      Integer32 (1..16777215)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value, greater than zero, for each IKE SA.
               Values are assigned contiguously starting from 1."
      ::= { ipsecIkeSaEntry 1 }

  ipsecIkeSaConChanIndex OBJECT-TYPE
      SYNTAX      Integer32 (1..16777215)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A reference to the IKE control channel that this SA
               supports. It is the value of
               'ipsecIkeConChanLocalIdType'."
      ::= { ipsecIkeSaEntry 2 }

  ipsecIkeSaInitiatorCookie OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (16))
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the cookie used by the initiator for the
               current phase 1 SA."
      ::= { ipsecIkeSaEntry 3 }

  ipsecIkeSaResponderCookie OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (16))
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the cookie used by the responder for the
               current phase 1 SA."
      ::= { ipsecIkeSaEntry 4 }

  ipsecIkeSaState OBJECT-TYPE


IPSec Working Group                                            [Page 25]


Internet Draft           IPSec Monitoring MIB              November 1998


      SYNTAX      INTEGER {
               tryingInitiator(0),
               tryingInitiatorIDProt(1),
               tryingResponder(2),
               tryingResponderIDProt(3),
               upInitiator(4),
               upInitiatorIDProt(5),
               upResponder(6),
               upResponderIDProt(7)  }
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The current state of the SA.

               'tryingInitiator' means this end is attempting to
               negotiate the SA using aggressive mode and is the
               initiator. 'tryingInitiatorIDProt' means this end is
               attempting to negotiate the SA using main mode and is the
               initiator.

               'tryingResponder' means the peer is attempting to
               negotiate the SA using aggressive mode as initiator.
               'tryingResponderIDProt' means the peer is attempting to
               negotiate the SA using main mode as initiator.

               'upInitiator' means the SA is up, and this end is the
               initiator. 'upResponder' means the the SA is up and the
               peer is the initiator. On the latter two, the suffix
               'IDProt' means main mode was used to negotiate the SA."
      ::= { ipsecIkeSaEntry 5 }

   ipsecIkeSaLocalIpAddress OBJECT-TYPE
      SYNTAX      OCTET STRING ( SIZE( 4 | 8 ) )
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The local IP address that this SA was negotiated with,
               or 0 if unknown.

               The size of this object is 4 if the IP address is a IPv4
               address. The size is 8 of the IP address is an IPv6
               address."
      ::= { ipsecIkeSaEntry 6 }

  ipsecIkeSaLocalPortNumber OBJECT-TYPE
      SYNTAX      INTEGER (0..65535)
      MAX-ACCESS  read-only
      STATUS      current


IPSec Working Group                                            [Page 26]


Internet Draft           IPSec Monitoring MIB              November 1998


      DESCRIPTION
              "The local UDP port number that this SA was negotiated
               with."
      DEFVAL { 500 }
      ::= { ipsecIkeSaEntry 7 }

   ipsecIkeSaPeerIpAddress OBJECT-TYPE
      SYNTAX      OCTET STRING ( SIZE( 4 | 8 ) )
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The IP address of the peer that this SA was negotiated
               with, or 0 if unknown.

               The size of this object is 4 if the IP address is a IPv4
               address. The size is 8 of the IP address is an IPv6
               address."
      ::= { ipsecIkeSaEntry 8 }

  ipsecIkeSaPeerPortNumber OBJECT-TYPE
      SYNTAX      INTEGER (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The peer UDP port number of the peer that this SA was
               negotiated with."
      DEFVAL { 500 }
      ::= { ipsecIkeSaEntry 9 }

  ipsecIkeSaEncAlg OBJECT-TYPE
      SYNTAX      INTEGER (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the encryption algorithm
               applied to traffic carried on this SA.

               Specific values are used as described in the ISAKMP
               Class Values of Encryption Algorithms from Appendix A
               of [IKE]."
      ::= { ipsecIkeSaEntry 10 }

  ipsecIkeSaEncKeyLength OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current




IPSec Working Group                                            [Page 27]


Internet Draft           IPSec Monitoring MIB              November 1998


      DESCRIPTION
              "The length of the encryption key in bits used for
               algorithm specified in the 'ipsecIkeSaEncAlg' object or 0
               if the key length is implicit in the specified
               algorithm."
      ::= { ipsecIkeSaEntry 11 }

  ipsecIkeSaHashAlg OBJECT-TYPE
      SYNTAX      Integer32 (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the hash algorithm applied
               to traffic carried on this SA.

               Specific values are used as described in the ISAKMP Class
               Values of Hash Algorithms from Appendix A of [IKE]."
      ::= { ipsecIkeSaEntry 12 }

 ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
      SYNTAX      Integer32 (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the Diffie-Hellman group
               description used or 0 if the group is unknown.

               Specific values are used as described in the ISAKMP Class
               Values of Group Description from Appendix A of [IKE]."
      ::= { ipsecIkeSaEntry 13 }

  ipsecIkeSaDifHelGroupType OBJECT-TYPE
      SYNTAX      Integer32 (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the Diffie-Hellman group
               type used or 0 if the group is unknown.

               Specific values are used as described in the ISAKMP Class
               Values of Group Type from Appendix A of [IKE]."
      ::= { ipsecIkeSaEntry 14 }

  ipsecIkeSaPRF OBJECT-TYPE
      SYNTAX      Integer32 (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION


IPSec Working Group                                            [Page 28]


Internet Draft           IPSec Monitoring MIB              November 1998


              "The pseudo-random functions used, or 0 if not used or if
               unknown.

               Specific values are used as described in the ISAKMP Class
               Values of PRF from Appendix A of [IKE] (which specifies
               none at the present time)."
      ::= { ipsecIkeSaEntry 15 }

  ipsecIkeSaTimeStart OBJECT-TYPE
      SYNTAX      DateAndTime
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The date and time that the current SA within the link
               was set up.

               It is not the date and time that the virtual tunnel was
               set up."
      ::= { ipsecIkeSaEntry 16 }

  ipsecIkeSaTimeLimit OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (4..255))
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The maximum lifetime in seconds of the current SA
               supporting the virtual tunnel, or 0 if there is no time
               constraint on its expiration."
      ::= { ipsecIkeSaEntry 17 }

   ipsecIkeSaTrafficLimit OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (4..255))
      UNITS       "1024-byte blocks"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The maximum traffic in 1024-byte blocks that the current
               SA supporting the virtual tunnel is allowed to support,
               or 0 if there is no traffic constraint on its
               expiration."
      ::= { ipsecIkeSaEntry 18}

   ipsecIkeSaTrafficCount OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (4..255))
      UNITS       "1024-byte blocks"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION


IPSec Working Group                                            [Page 29]


Internet Draft           IPSec Monitoring MIB              November 1998


              "The amount of traffic that this SA has processed that
               contributes against it expiration by traffic limit,
               measured in 1024-byte blocks. It includes traffic in both
               directions.

               It may be 0 if there is no traffic constraint on the SA's
               expiration."
      ::= { ipsecIkeSaEntry 19 }

   ipsecIkeSaInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The amount of traffic measured in bytes handled in the
               current SA in the inbound direction."
      ::= { ipsecIkeSaEntry 20 }

  ipsecIkeSaOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The amount of traffic measured in bytes handled in the
               current SA in the outbound direction."
      ::= { ipsecIkeSaEntry 21 }

  ipsecIkeSaInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of packets handled in the current SA in the
               inbound direction."
      ::= { ipsecIkeSaEntry 22 }

  ipsecIkeSaOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of packets handled in the current SA in the
               outbound direction."
      ::= { ipsecIkeSaEntry 23 }

  ipsecIkeSaDecryptErrors OBJECT-TYPE


IPSec Working Group                                            [Page 30]


Internet Draft           IPSec Monitoring MIB              November 1998


      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "The total number of inbound packets to this SA discarded
               due to decryption errors.

               The following may used as a guideline to distinguish
               decryption errors from protocol negotiation errors:

               If there are any errors in the packet's generic payload
               structures (next payload field, reserved, payload
               length), then this is considered a decryption error.

               If an error happens inside the payload structure, then it
               is not assumed to be a decryption error, and is
               considered a protocol negotiation error."
      ::= { ipsecIkeSaEntry 24 }

  ipsecIkeSaHashErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets to this SA discarded
               due to hash errors. These errors are considered packet
               errors, and not protocol negotation errors.

               The case of hash failures when the hash is generated by
               authentication data is considered an authentication
               failure, and not a hash failure."
      ::= { ipsecIkeSaEntry 25 }

  ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets to this SA discarded
               for reasons other than bad hashes or decryption errors.
               This may include packets dropped to a lack of receive
               buffer space.

               Packets that contain protocol negotation errors are not
               considered dropped packets."
      ::= { ipsecIkeSaEntry 26 }

  ipsecIkeSaSendErrors OBJECT-TYPE


IPSec Working Group                                            [Page 31]


Internet Draft           IPSec Monitoring MIB              November 1998


      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets from this SA
               discarded for any reason. This may include packets
               dropped to a lack of transmit buffer space."
      ::= { ipsecIkeSaEntry 27 }

  -- the IPSec Tunnel MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec protection suite-based virtual tunnels


  ipsecTunnelTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecTunnelEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               protection suite-based tunnels."
      ::= { ipsec 3 }

  ipsecTunnelEntry OBJECT-TYPE
      SYNTAX     IpsecTunnelEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular configured tunnel."
      INDEX      { ipsecTunnelIndex }
      ::= { ipsecTunnelTable 1 }

  IpsecTunnelEntry ::= SEQUENCE {
     ipsecTunnelIndex      Integer32,
     ipsecTunnelIkeConChan Integer32, -- if not static
     ipsecTunnelType       INTEGER, -- static, transient, permanent

  -- tunnel identifiers
     ipsecTunnelLocalIdentifier              OCTET STRING,
     ipsecTunnelLocalIdentifierType          INTEGER,
     ipsecTunnelRemoteIdentifier             OCTET STRING,
     ipsecTunnelRemoteIdentifierType         INTEGER,
     ipsecTunnelProtocol                     Integer32,
     ipsecTunnelLocalPort                    Integer32,
     ipsecTunnelRemotePort                   Integer32,



IPSec Working Group                                            [Page 32]


Internet Draft           IPSec Monitoring MIB              November 1998


  -- tunnel creation mechanism
     ipsecTunnelDifHelGroupDesc       Integer32,
     ipsecTunnelDifHelGroupType       Integer32,
     ipsecTunnelPFS                   TruthValue,

  -- tunnel security services description
     ipsecTunnelEncapsulation         INTEGER,
     ipsecTunnelEspEncAlg             Integer32,
     ipsecTunnelEspEncKeyLength       Unsigned32,
     ipsecTunnelEspAuthAlg            Integer32,
     ipsecTunnelAhAuthAlg             Integer32,
     ipsecTunnelCompAlg               Integer32,

  -- aggregate statistics
     ipsecTunnelStartTime             DateAndTime,
     ipsecTunnelCurrentProtSuitesNum  Unsigned32,
     ipsecTunnelTotalProtSuitesNum    Counter32,
     ipsecTunnelTotalInboundTraffic   Counter64,
     ipsecTunnelTotalOutboundTraffic  Counter64,
     ipsecTunnelTotalInboundPackets   Counter64,
     ipsecTunnelTotalOutboundPackets  Counter64,

  -- aggregate error statistics
     ipsecTunnelDecryptErrors         Counter32,
     ipsecTunnelAuthErrors            Counter32,
     ipsecTunnelReplayErrors          Counter32,
     ipsecTunnelPolicyErrors          Counter32,
     ipsecTunnelOtherReceiveErrors    Counter32,
     ipsecTunnelSendErrors            Counter32

  }


  ipsecTunnelIndex OBJECT-TYPE
      SYNTAX      Integer32 (1..16777215)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value, greater than zero, for each tunnel
               interface.  It is recommended that values are assigned
               contiguously starting from 1.

               The value for each tunnel interface must remain constant
               at least from one re-initialization of the entity's
               network management system to the next re-initialization.

               Further, the value for tunnel interfaces that are marked



IPSec Working Group                                            [Page 33]


Internet Draft           IPSec Monitoring MIB              November 1998


               as permanent must remain constant across all re-
               initializations of the network management system."
      ::= { ipsecTunnelEntry 1 }

  ipsecTunnelIkeConChan OBJECT-TYPE
      SYNTAX      Integer32 (0..2147483647)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the index into the IKE control channel
               table that created this tunnel (ipsecIkeConChanIndex), or
               0 if the tunnel is created by a static IPSec protection
               suite."
      ::= { ipsecTunnelEntry 2 }

  ipsecTunnelType OBJECT-TYPE
      SYNTAX      INTEGER { static(0), transient(1), permanent(2) }
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The type of the virtual tunnel represented by this row.

               'static' means that the tunnel is supported by a single
               static IPSec protection suite that was setup by
               configuration, and not by using a key exchange protocol.
               In this case, the value of ipsecTunnelIkeSa must be 0."
      ::= { ipsecTunnelEntry 3 }

  ipsecTunnelLocalIdentifier OBJECT-TYPE
      SYNTAX     OCTET STRING (SIZE (4..255))
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The local identifier of the virtual tunnel, or 0 if
               unknown or if the protection suite uses transport mode
               encapsulation.

               This value is taken directly from the optional ID
               payloads that are exchange during phase 2 negotiations."
      ::= { ipsecTunnelEntry 4 }

   ipsecTunnelLocalIdentifierType OBJECT-TYPE
      SYNTAX     INTEGER
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The type of identifier presented by
               'ipsecTunnelLocalIdentifier', or 0 if unknown or if the


IPSec Working Group                                            [Page 34]


Internet Draft           IPSec Monitoring MIB              November 1998


               protection suite uses transport mode encapsulation.

               This value is taken directly from the optional ID
               payloads that are exchange during phase 2 negotiations."
      ::= { ipsecTunnelEntry 5 }

   ipsecTunnelRemoteIdentifier OBJECT-TYPE
      SYNTAX     OCTET STRING (SIZE (4..255))
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The remote identifier of the virtual tunnel, or 0 if
               unknown or if the protection suite uses transport mode
               encapsulation.

               This value is taken directly from the optional ID
               payloads that are exchange during phase 2 negotiations."
      ::= { ipsecTunnelEntry 6 }

  ipsecTunnelRemoteIdentifierType OBJECT-TYPE
      SYNTAX     INTEGER
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The type of identifier presented by
               'ipsecTunnelRemoteIdentifier', or 0 if unknown or if the
               protection suite uses transport mode encapsulation.

               This value is taken directly from the optional ID
               payloads that are exchange during phase 2 negotiations."
      ::= { ipsecTunnelEntry 7 }

  ipsecTunnelProtocol OBJECT-TYPE
      SYNTAX     Integer32 (0..255)
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The number of the protocol that this tunnel carries, or
               0 if it carries any protocol."
      ::= { ipsecTunnelEntry 8 }

  ipsecTunnelLocalPort OBJECT-TYPE
      SYNTAX     Integer32 (0.. 65535)
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The number of the local port that this tunnel carries,
               or 0 if it carries any port number."


IPSec Working Group                                            [Page 35]


Internet Draft           IPSec Monitoring MIB              November 1998


      ::= { ipsecTunnelEntry 9 }

  ipsecTunnelRemotePort OBJECT-TYPE
      SYNTAX     Integer32 (0.. 65535)
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The number of the remote port that this tunnel carries,
               or 0 if it carries any port number."
      ::= { ipsecTunnelEntry 10 }

  ipsecTunnelDifHelGroupDesc OBJECT-TYPE
      SYNTAX     Integer32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "A unique value representing the Diffie-Hellman group
               description used to set up protection suites for this
               tunnel or 0 if the group is unknown.

               Specific values are used as described in the ISAKMP Class
               Values of Group Description from Appendix A of [IKE]."
      ::= { ipsecTunnelEntry 11 }

  ipsecTunnelDifHelGroupType OBJECT-TYPE
      SYNTAX     Integer32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              " A unique value representing the Diffie-Hellman group
               type used to set up protection suites for this tunnel or
               0 if the group is unknown.

               Specific values are used as described in the ISAKMP Class
               Values of Group Type from Appendix A of [IKE]."
      ::= { ipsecTunnelEntry 12 }

  ipsecTunnelPFS OBJECT-TYPE
      SYNTAX     TruthValue
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "'true' if protection suites setup for this tunnel were
               created using perfect forward secrect."
      ::= { ipsecTunnelEntry 13 }


  ipsecTunnelEncapsulation OBJECT-TYPE


IPSec Working Group                                            [Page 36]


Internet Draft           IPSec Monitoring MIB              November 1998


      SYNTAX     INTEGER { transport(1), tunnel(2) }
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
              "The type of encapsulation used by protection suites
               created for this virtual tunnel."
      ::= { ipsecTunnelEntry 14 }

  ipsecTunnelEspEncAlg OBJECT-TYPE
      SYNTAX      Integer32 (0..255)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the encryption algorithm
               applied to traffic carried by this tunnel if it uses ESP
               or 0 if there is no encryption applied by ESP or if ESP
               is not used.

               Specific values are taken from section 4.4.4 of [IPDOI]."
      ::= { ipsecTunnelEntry 15 }

   ipsecTunnelEspEncKeyLength OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The length of the encryption key in bits used for the
               algorithm specified in the 'ipsecTunnelEspEncAlg' object,
               or 0 if the key length is implicit in the specified
               algorithm or there is no encryption specified."
      ::= { ipsecTunnelEntry 16 }

  ipsecTunnelEspAuthAlg OBJECT-TYPE
      SYNTAX      Integer32 (0..255)
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "A unique value representing the hash algorithm applied
               to traffic carried by this tunnel if it uses ESP or 0 if
               there is no authentication applied by ESP or if ESP is
               not used.

               Specific values are taken from the Authentication
               Algorithm attribute values of Section 4.5 of [IPDOI]."
      ::= { ipsecTunnelEntry 17 }

  ipsecTunnelAhAuthAlg OBJECT-TYPE
      SYNTAX      Integer32 (0..255)


IPSec Working Group                                            [Page 37]


Internet Draft           IPSec Monitoring MIB              November 1998


      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the hash algorithm applied
               to traffic carried by this tunnel if it uses AH or 0 if
               AH is not used.

               Specific values are taken from Section 4.4.3 of [IPDOI]."
      ::= { ipsecTunnelEntry 18 }

  ipsecTunnelCompAlg OBJECT-TYPE
      SYNTAX      Integer32 (0..255)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value representing the compression algorithm
               applied to traffic carried by this tunnel if it uses
               IPCOMP.

               Specific values are taken from Section 4.4.5 of [IPDOI]."
      ::= { ipsecTunnelEntry 19 }

  ipsecTunnelStartTime OBJECT-TYPE
      SYNTAX      DateAndTime
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The date and time that this virtual tunnel was set up.

               If this is a permanent virtual tunnel, it is not reset
               when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 20 }

  ipsecTunnelCurrentProtSuitesNum OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of protection suites currently active
               supporting this virtual tunnel.

               If this number is 0, the tunnel must be considered down.
               Also if this number is 0, the tunnel must a permanent
               tunnel, since transient tunnels that are down do not
               appear in the table."
      ::= { ipsecTunnelEntry 21 }



IPSec Working Group                                            [Page 38]


Internet Draft           IPSec Monitoring MIB              November 1998


   ipsecTunnelTotalProtSuitesNum OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "The total number of protection suites, including all
               current protection suites, that have been set up to
               support this virtual tunnel."
      ::= { ipsecTunnelEntry 22 }

  ipsecTunnelTotalInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of traffic measured in bytes handled in
               the tunnel in the inbound direction. In other words, it
               is the aggregate value of all inbound traffic carried by
               all IPSec protection suites ever set up to support the
               virtual tunnel.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 23 }

  ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of traffic measured in bytes handled in
               the tunnel in the outbound direction. In other words, it
               is the aggregate value of all inbound traffic carried by
               all IPSec protection suites ever set up to support the
               virtual tunnel.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 24 }

  ipsecTunnelTotalInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current


IPSec Working Group                                            [Page 39]


Internet Draft           IPSec Monitoring MIB              November 1998


       DESCRIPTION
              "The total number of packets handled in the tunnel in the
               inbound direction. In other words, it is the aggregate
               value of all inbound packets carried by all IPSec
               protection suites ever set up to support the virtual
               tunnel.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 25 }

  ipsecTunnelTotalOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets handled in the tunnel in the
               outbound direction. In other words, it is the aggregate
               value of all outbound packets carried by all IPSec SAs
               ever set up to support the virtual tunnel.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 26 }

  ipsecTunnelDecryptErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets discarded by this
               virtual tunnel due to decryption errors in ESP.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 27 }

  ipsecTunnelAuthErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets discarded by this
               virtual tunnel due to authentication errors. This
               includes hash failures in IPSec protection suites using


IPSec Working Group                                            [Page 40]


Internet Draft           IPSec Monitoring MIB              November 1998


               both ESP and AH.

               If this is a permanent virtual tunnel, it is not resetto
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 28 }

  ipsecTunnelReplayErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets discarded by this
               virtual tunnel due to replay errors. This includes replay
               failures in IPSec protection suites using both ESP and
               AH.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 29 }

  ipsecTunnelPolicyErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets discarded by this
               virtual tunnel due to policy errors. This includes errors
               in all transforms if protection suites are used.

               Policy errors are due to the detection of a packet that
               was inappropriately sent into this tunnel.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 30 }

  ipsecTunnelOtherReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets discarded by this
               virtual tunnel due to errors other than decryption,
               authentication or replay errors. This may include packets
               dropped due to a lack of receive buffers.


IPSec Working Group                                            [Page 41]


Internet Draft           IPSec Monitoring MIB              November 1998



               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 31 }

  ipsecTunnelSendErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets discarded by this
               virtual tunnel due to any error. This may include packets
               dropped due to a lack of transmit buffers.

               If this is a permanent virtual tunnel, it is not reset to
               zero when the number of current protection suites
               (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
      ::= { ipsecTunnelEntry 32 }


  -- the IPSec Protection Suites MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec protection suites


  ipsecProtSuiteTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecProtSuiteEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               protection suites."
      ::= { ipsec 4 }

  ipsecProtSuiteEntry OBJECT-TYPE
      SYNTAX     IpsecProtSuiteEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec SA."
      INDEX      { ipsecProtSuiteIndex }
      ::= { ipsecProtSuiteTable 1 }

  IpsecProtSuiteEntry ::= SEQUENCE {
     ipsecProtSuiteIndex        Integer32,


IPSec Working Group                                            [Page 42]


Internet Draft           IPSec Monitoring MIB              November 1998


     ipsecProtSuiteTunnel       Integer32,  -- from ipsecTunnelTable

  -- identification
     ipsecProtSuitePeerAddress       OCTET STRING,
     ipsecProtSuiteInboundEspSpi     Unsigned32,
     ipsecProtSuiteOutboundEspSpi    Unsigned32,
     ipsecProtSuiteInboundAhSpi      Unsigned32,
     ipsecProtSuiteOutboundAhSpi     Unsigned32,
     ipsecProtSuiteInboundCompCpi    INTEGER,
     ipsecProtSuiteOutboundCompCpi   INTEGER,

  -- expiration limits
     ipsecProtSuiteCreationTime      DateAndTime,
     ipsecProtSuiteTimeLimit         OCTET STRING, -- sec., 0 if none
     ipsecProtSuiteTrafficLimit      OCTET STRING, -- 0 if none
     ipsecProtSuiteTrafficCount      OCTET STRING,

   -- current operating statistics
     ipsecProtSuiteInboundTraffic     Counter64,
     ipsecProtSuiteOutboundTraffic    Counter64,
     ipsecProtSuiteInboundPackets     Counter64,
     ipsecProtSuiteOutboundPackets    Counter64,

  -- error statistics
     ipsecProtSuiteDecryptErrors          Counter32,
     ipsecProtSuiteAuthErrors             Counter32,
     ipsecProtSuiteReplayErrors           Counter32,
     ipsecProtSuitePolicyErrors           Counter32,
     ipsecProtSuiteOtherReceiveErrors     Counter32,
     ipsecProtSuiteSendErrors             Counter32
  }


  ipsecProtSuiteIndex OBJECT-TYPE
      SYNTAX      Integer32 (1..2147483647)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "A unique value, greater than zero, for each IPSec
               protection suite. It is recommended that values are
               assigned contiguously starting from 1."
      ::= { ipsecProtSuiteEntry 1 }

  ipsecProtSuiteTunnel OBJECT-TYPE
      SYNTAX      Integer32 (1..2147483647)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION


IPSec Working Group                                            [Page 43]


Internet Draft           IPSec Monitoring MIB              November 1998


              "The value of the index into the IPSec tunnel table that
               this protection suite supports (ipsecTunnelIndex)."
      ::= { ipsecProtSuiteEntry 2 }

  ipsecProtSuitePeerAddress OBJECT-TYPE
      SYNTAX      OCTET STRING ( SIZE( 4 | 8 ) )
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The peer IP address used by the protection suite.

               The size of this object is 4 if the address is an IPv4
               address, or 8 if the address is an IPv6 address."
      ::= { ipsecProtSuiteEntry 3 }

  ipsecProtSuiteInboundEspSpi OBJECT-TYPE
      SYNTAX      Unsigned32(1..4294967295)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the SPI for the inbound protection suite
               that provides the ESP security service, or zero if ESP is
               not used."
      ::= { ipsecProtSuiteEntry 4 }

  ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
      SYNTAX      Unsigned32(1..4294967295)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the SPI for the outbound protection suite
               that provides the ESP security service, or zero if ESP is
               not used."
      ::= { ipsecProtSuiteEntry 5 }

  ipsecProtSuiteInboundAhSpi OBJECT-TYPE
      SYNTAX      Unsigned32(1..4294967295)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the SPI for the inbound protection suite
               that provides the AH security service, or zero if AH is
               not used."
      ::= { ipsecProtSuiteEntry 6 }

  ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
      SYNTAX      Unsigned32(1..4294967295)
      MAX-ACCESS  read-only


IPSec Working Group                                            [Page 44]


Internet Draft           IPSec Monitoring MIB              November 1998


      STATUS      current
      DESCRIPTION
              "The value of the SPI for the outbound protection suite
               that provides the AH security service, or zero if AH is
               not used."
      ::= { ipsecProtSuiteEntry 7 }

  ipsecProtSuiteInboundCompCpi OBJECT-TYPE
      SYNTAX      INTEGER (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the CPI for the inbound protection suite
               that provides IP compression, or zero if IPCOMP is not
               used."
      ::= { ipsecProtSuiteEntry 8 }

  ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
      SYNTAX      INTEGER (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value of the CPI for the outbound protection suite
               that provides IP compression, or zero if IPCOMP is not
               used."
      ::= { ipsecProtSuiteEntry 9 }

  ipsecProtSuiteCreationTime OBJECT-TYPE
      SYNTAX      DateAndTime
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The date and time that the current protection suite was
               set up."
      ::= { ipsecProtSuiteEntry 10 }

  ipsecProtSuiteTimeLimit OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (4..255))
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The maximum lifetime in seconds of the protection suite,
               or 0 if there is no time constraint on its expiration."
      ::= { ipsecProtSuiteEntry 11 }

  ipsecProtSuiteTrafficLimit OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (4..255))
      UNITS       "1024-byte blocks"


IPSec Working Group                                            [Page 45]


Internet Draft           IPSec Monitoring MIB              November 1998


      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The maximum traffic in 1024-byte blocks that the
               protection suite is allowed to support, or 0 if there is
               no traffic constraint on its expiration."
      ::= { ipsecProtSuiteEntry 12 }

  ipsecProtSuiteTrafficCount OBJECT-TYPE
      SYNTAX      OCTET STRING (SIZE (4..255))
      UNITS       "1024-byte blocks"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The amount of traffic accumulated that counts against
               the protection suite's expiration by traffic limitation,
               measured in 1024-byte blocks."
      ::= { ipsecProtSuiteEntry 13 }

  ipsecProtSuiteInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The amount of user level traffic measured in bytes
               handled by the protection suite in the inbound direction.

               This is not necessarily the same as the amount of traffic
               applied against the traffic expiration limit."
      ::= { ipsecProtSuiteEntry 14 }

   ipsecProtSuiteOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "bytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The amount of user level traffic measured in bytes
               handled by the protection suite in the outbound
               direction.

               This is not necessarily the same as the amount of traffic
               applied against the traffic expiration limit."
      ::= { ipsecProtSuiteEntry 15 }

  ipsecProtSuiteInboundPackets OBJECT-TYPE
      SYNTAX      Counter64


IPSec Working Group                                            [Page 46]


Internet Draft           IPSec Monitoring MIB              November 1998


      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of packets handled by the protection suite in
               the inbound direction."
      ::= { ipsecProtSuiteEntry 16 }

  ipsecProtSuiteOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of packets handled by the protection suite in
               the outbound direction."
      ::= { ipsecProtSuiteEntry 17 }

  ipsecProtSuiteDecryptErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of inbound packets discarded by the
               protection suite due to decryption errors."
      ::= { ipsecProtSuiteEntry 18 }

  ipsecProtSuiteAuthErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "The number of inbound packets discarded by the
               protection suite due to authentication errors. This
               includes hash failures in both ESP and AH."
      ::= { ipsecProtSuiteEntry 19 }

  ipsecProtSuiteReplayErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of inbound packets discarded by the
               protection suite due to replay errors. This includes
               replay failures both ESP and AH."
      ::= { ipsecProtSuiteEntry 20 }

  ipsecProtSuitePolicyErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only


IPSec Working Group                                            [Page 47]


Internet Draft           IPSec Monitoring MIB              November 1998


      STATUS      current
      DESCRIPTION
              "The number of inbound packets discarded by the
               protection suite due to policy errors."
      ::= { ipsecProtSuiteEntry 21 }

  ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of inbound packets discarded by the
               protection suite due to errors other than decryption,
               authentication or replay errors. This may include
               decompression errors or errors due to a lack of receive
               buffers."
      ::= { ipsecProtSuiteEntry 22 }

   ipsecProtSuiteSendErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of outbound packets discarded by the
               protection suite due to any error. This may include
               compression errors or errors due to a lack of transmit
               buffers."
      ::= { ipsecProtSuiteEntry 23 }



  -- the IPSec Entity MIB-Group
  --
  -- a collection of objects providing information about overall IPSec
  -- status in the entity


     --
     --      Definitions of significant branches
     --
     ipsecTrapsA             OBJECT IDENTIFIER  ::= { ipsec 5 }
     ipsecTraps              OBJECT IDENTIFIER  ::= { ipsecTrapsA 0 }
     ipsecProtSuiteCounts    OBJECT IDENTIFIER  ::= { ipsec 6 }
     ipsecPermChanTunStats   OBJECT IDENTIFIER  ::= { ipsec 7 }
     ipsecTransChanTunStats  OBJECT IDENTIFIER  ::= { ipsec 8 }
     ipsecNotifications      OBJECT IDENTIFIER  ::= { ipsec 9 }
     ipsecErrorStats         OBJECT IDENTIFIER  ::= { ipsec 10 }



IPSec Working Group                                            [Page 48]


Internet Draft           IPSec Monitoring MIB              November 1998


  --
  -- SA and protection suite counts
  --

  ipsecTotalIkeSAs OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of phase 1 SAs established by the
               entity since boot time. It is not the total number of
               channels established by the entity since boot time. It
               includes SAs established to support both permanent and
               transient channels."
      ::= { ipsecProtSuiteCounts 1 }

  ipsecTotalIpsecProtSuites OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of protection suites established by the
               entity since boot time. It is not the total number of
               IPSec virtual tunnels established by the entity since
               boot time. It includes protection suites established to
               support both permanent and transient tunnels."
      ::= { ipsecProtSuiteCounts 2 }

  --
  -- permanent channel and tunnel statistics
  --

  ipsecCnfgPermIkeChannels OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of phase 1 control channels in the
               entity that are configured as permanent."
      ::= { ipsecPermChanTunStats 1 }

  ipsecUpPermIkeChannels OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION




IPSec Working Group                                            [Page 49]


Internet Draft           IPSec Monitoring MIB              November 1998


              "The total number of phase 1 control channels in the
               entity that are configured as permanent and are up and
               available for use."
      ::= { ipsecPermChanTunStats 2 }

  ipsecCnfgPermIpsecTunnels OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of phase 2 tunnels in the entity that
               are configured as permanent."
      ::= { ipsecPermChanTunStats 3 }

  ipsecUpPermIpsecTunnels OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of phase 2 tunnels in the entity that
               are configured as permanent and are up and available for
               use."
      ::= { ipsecPermChanTunStats 4 }

  --
  -- transient tunnel counts
  --

  ipsecTotalTransIkeTunnels OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of transient phase 1 tunnels
               established by the entity since boot time."
      ::= { ipsecTransChanTunStats 1 }

  ipsecCurrentTransIkeTunnels OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of transient phase 1 tunnels in the entity
               that are up and available for use at this moment in
               time."
      ::= { ipsecTransChanTunStats 2 }

  ipsecTotalTransIpsecTunnels OBJECT-TYPE


IPSec Working Group                                            [Page 50]


Internet Draft           IPSec Monitoring MIB              November 1998


      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of transient phase 2 tunnels
               established by the entity since boot time."
      ::= { ipsecTransChanTunStats 3 }

  ipsecCurrentTransIpsecTunnels OBJECT-TYPE
      SYNTAX      Unsigned32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The number of phase 2 tunnels in the entity that are up
               and available for use at this moment in time."
      ::= { ipsecTransChanTunStats 4 }

  --
   -- transient protection suite traffic statistics
   --

   ipsecTotalTransInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets carried on transient
               IPSec tunnels since boot time."
      ::= { ipsecTransChanTunStats 5 }

  ipsecTotalTransOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets carried on
               transient IPSec tunnels since boot time."
      ::= { ipsecTransChanTunStats 6 }

  ipsecTotalTransInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "1024-byte blocks"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of inbound traffic carried on transient
               IPSec tunnels since boot time, measured in 1024-octet
               blocks."


IPSec Working Group                                            [Page 51]


Internet Draft           IPSec Monitoring MIB              November 1998


      ::= { ipsecTransChanTunStats 7 }

  ipsecTotalTransOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "1024-byte blocks"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of outbound traffic carried on
               transient IPSec tunnels since boot time, measured in
               1024-octet blocks."
      ::= { ipsecTransChanTunStats 8 }

  --
  -- error counts
  --

  ipsecUnknownSpiErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
       DESCRIPTION
              "The total number of packets received by the entity since
               boot time with SPIs or CPIs that were not valid."
      ::= { ipsecErrorStats 1 }

  ipsecIkeProtocolErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity since
               boot time with IKE protocol errors.

               This includes packets with invalid cookies, but does not
               include errors that could be associated with specific IKE
               SAs."
      ::= { ipsecErrorStats 2 }

  ipsecIpsecAuthenticationErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity since
               boot time with authentication errors in the IPSec SAs.




IPSec Working Group                                            [Page 52]


Internet Draft           IPSec Monitoring MIB              November 1998


               This includes all packets in which the hash value is
               determined to be invalid."
      ::= { ipsecErrorStats 3 }

  ipsecIpsecReplayErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity since
               boot time with replay errors in the IPSec SAs."
      ::= { ipsecErrorStats 4 }

   ipsecIpsecPolicyErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity since
               boot time and discarded due to policy errors. This
               includes packets that had selectors that were invalid for
               the SA that carried them."
      ::= { ipsecErrorStats 5 }


  -- the IPSec Notify Message MIB-Group
  --
  -- a collection of objects providing information about
  -- the occurrences of notify messages


  ipsecNotifyMessageTotalCount OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of all types of notify messages sent or
               received by the entity since boot time.

               It is the sum of all occurrences in the
               'ipsecNotifyCountTable'."
      ::= { ipsecNotifications 1 }

  ipsecNotifyCountTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecNotifyCountEntry
      MAX-ACCESS not-accessible
      STATUS     current



IPSec Working Group                                            [Page 53]


Internet Draft           IPSec Monitoring MIB              November 1998


      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               notify message counts.

               This table MAY be sparsely populated; that is, rows for
               which the count is 0 may be absent."
      ::= { ipsecNotifications 2 }

  ipsecNotifyCountEntry OBJECT-TYPE
      SYNTAX     IpsecNotifyCountEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the total number of
               occurrences of a notify message."
      INDEX      { ipsecNotifyMessage }
      ::= { ipsecNotifyCountTable 1 }

  IpsecNotifyCountEntry::= SEQUENCE {
      ipsecNotifyMessage        INTEGER,
      ipsecNotifyMessageCount   Counter32
  }

  ipsecNotifyMessage OBJECT-TYPE
      SYNTAX      INTEGER (0..65535)
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The value representing a specific IPSec notify message,
               or 0 if unknown.

               Values are assigned from the set of notify message types
               as defined in Section 3.14.1 of [ISAKMP]. In addition,
               the value 0 may be used for this object when the object
               is used as a trap cause, and the cause is unknown."
      ::= { ipsecNotifyCountEntry 1 }

  ipsecNotifyMessageCount OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of times the specific notify message
               has been received or sent by the entity since system
               boot."
      ::= { ipsecNotifyCountEntry 2 }




IPSec Working Group                                            [Page 54]


Internet Draft           IPSec Monitoring MIB              November 1998


  --
  -- traps
  --

  ipsecTrapPermIkeNegFailure NOTIFICATION-TYPE
      OBJECTS {
               ipsecIkeConChanIndex,
               ipsecNotifyMessage
               }
      STATUS  current
      DESCRIPTION
               "An attempt to negotiate a phase 1 SA for the specified
               permanent IKE tunnel failed."
      ::= { ipsecTraps 1 }

   ipsecTrapTransIkeNegFailure NOTIFICATION-TYPE
      OBJECTS {
               ipsecIkeConChanLocalIdType,
               ipsecIkeConChanLocalId,
               ipsecIkeConChanPeerIdType,
               ipsecIkeConChanPeerId,
               ipsecIkeSaLocalIpAddress,
               ipsecIkeSaLocalPortNumber,
               ipsecIkeSaLocalIpAddress,
               ipsecIkeSaLocalPortNumber,
               ipsecIkeConChanAuthMethod,
               ipsecIkeConChanPeerCertSerialNum,
               ipsecIkeConChanPeerCertIssuer,
               ipsecNotifyMessage
               }
      STATUS  current
      DESCRIPTION
               "An attempt to negotiate a phase 1 SA for a transient IKE
               tunnel failed.

               This trap is different from the
               'ipsecTrapPermIkeNegFailure' trap, since this one will
               likely result in the removal of this entry from the IKE
               control channel table."
      ::= { ipsecTraps 2 }

   ipsecTrapInvalidCookie NOTIFICATION-TYPE
      OBJECTS {
               ipsecIkeSaPeerIpAddress,
               ipsecIkeSaPeerPortNumber
               }
      STATUS  current
      DESCRIPTION


IPSec Working Group                                            [Page 55]


Internet Draft           IPSec Monitoring MIB              November 1998


               "IKE packets with invalid cookies were detected from the
               specified peer.

               Implementations SHOULD send one trap per peer (within a
               reasonable time period, rather than sending one trap per
               packet."
      ::= { ipsecTraps 3 }

   ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
      OBJECTS {
               ipsecIkeConChanIndex,
               ipsecNotifyMessage
               }
      STATUS  current
      DESCRIPTION
               "An attempt to negotiate a phase 2 protection suite
               within the specified IKE tunnel failed."
      ::= { ipsecTraps 4 }

   ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
      OBJECTS {
               ipsecProtSuiteIndex
               }
      STATUS  current
      DESCRIPTION
               "IPSec packets with invalid hashes were found in the
               specified protection suite.

               Implementations SHOULD send one trap per protection suite
               (within a reasonable time period), rather than sending
               one trap per packet."
      ::= { ipsecTraps 5 }

   ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
      OBJECTS {
               ipsecProtSuiteIndex
               }
      STATUS  current
       DESCRIPTION
               "IPSec packets with invalid sequence numbers were found
               in the specified protection suite.

               Implementations SHOULD send one trap per protection suite
               (within a reasonable time period), rather than sending
               one trap per packet."
      ::= { ipsecTraps 6 }




IPSec Working Group                                            [Page 56]


Internet Draft           IPSec Monitoring MIB              November 1998


   ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
      OBJECTS {
               ipsecProtSuiteIndex
               }
      STATUS  current
      DESCRIPTION
               "IPSec packets carrying packets with invalid selectors
               for the specified protection suite were found.

               Implementations SHOULD send one trap per protection suite
               (within a reasonable time period), rather than sending
               one trap per packet."
      ::= { ipsecTraps 7 }

   ipsecTrapInvalidSpi NOTIFICATION-TYPE
      OBJECTS {
               ipsecIkeSaPeerIpAddress
               }
      STATUS  current
      DESCRIPTION
               "ESP, AH or IPCOMP packets with unknown SPIs (or CPIs)
               were detected from the specified peer.

               Implementations SHOULD send one trap per peer (within a
               reasonable time period), rather than sending one trap per
               packet."
      ::= { ipsecTraps 8 }


  END


5. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IPSec virtual tunnels. There are no objects with
   MAX­ACCESS clauses of read-write or read-create.

   While unauthorized access to the readable objects is relatively
   innocuous, unauthorized access to those objects through an insecure
   channel can provide attackers with more information about a system
   than an administrator may desire.








IPSec Working Group                                            [Page 57]


Internet Draft           IPSec Monitoring MIB              November 1998


6. Acknowledgements

   Portions of this document's origins are based on the working paper
   "IP Security Management Information Base" by R. Thayer and U.
   Blumenthal.

   Significant contribution to this document comes from Charles Brooks
   and Carl Powell, both of GTE Internetworking. Obviously, the IPSec
   working group made signification contributions, specifically
   including M. Daniele, T. Kivinen, J. Shriver, J. Walker, S. Kelly and
   M. Richardson.

   Additionally, thanks are extended to Gabriella Dinescu for assistance
   in the preparation of the MIB structures.


7. References

   [IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
           for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt, work in
           progress.

   [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
           Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt, work in
           progress.

   [IKE]   Harkins, D., Carrel, D., "The Internet Key Exchange (IKE),"
           draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.

   [ISAKMP]Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
           "Internet Security Association and Key Management Protocol
           (ISAKMP)," draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
           progress.

   [IPTun] Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-
           02.txt, work in progress.

   [IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
           using SMIv2", RFC2233

   [IPCOMP]Shacham, A., Monsour, R., Pereira, R., Thomas, M., "draft-
           ietf-ippcp-protocol-06.txt", work in progress

   [1902]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
           "Structure of Management Information for version 2 of the
           Simple Network Management Protocol (SNMPv2)", RFC 1902,
           January 1996.



IPSec Working Group                                            [Page 58]


Internet Draft           IPSec Monitoring MIB              November 1998


   [2271]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
           for Describing SNMP Management Frameworks", RFC 2271, January
           1998

   [1155]  Rose, M., and K. McCloghrie, "Structure and Identification of
           Management Information for TCP/IP-based Internets", RFC 1155,
           May 1990

   [1212]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
           1212, March 1991

   [1215]  M. Rose, "A Convention for Defining Traps for use with the
           SNMP", RFC 1215, March 1991

   [1903]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
           S. Waldbusser, "Textual Conventions for Version 2 of the
           Simple Network Management Protocol (SNMPv2)", RFC 1903,
           January 1996.

   [1904]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
           S. Waldbusser, "Conformance Statements for Version 2 of the
           Simple Network Management Protocol (SNMPv2)", RFC 1904,
           January 1996.

   [1157]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
           Network Management Protocol", RFC 1157, May 1990.

   [1901]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
           S. Waldbusser, "Introduction to Community-based SNMPv2", RFC
           1901, January 1996.

   [1906]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
           S. Waldbusser, "Transport Mappings for Version 2 of the
           Simple Network Management Protocol (SNMPv2)", RFC 1906,
           January 1996.

   [2272]  Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
           Processing and Dispatching for the Simple Network Management
           Protocol (SNMP)", RFC 2272, January 1998.

   [2274]  Blumenthal, U., and B. Wijnen, "User-based Security Model
           (USM) for version 3 of the Simple Network Management Protocol
           (SNMPv3)", RFC 2274, January 1998.

   [1905]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
           S. Waldbusser, "Protocol Operations for Version 2 of the
           Simple Network Management Protocol (SNMPv2)", RFC 1905,
           January 1996.


IPSec Working Group                                            [Page 59]


Internet Draft           IPSec Monitoring MIB              November 1998


   [2273]  Levi, D., Meyer, P., and B. Stewart, MPv3 Applications", RFC
           2273, SNMP Research, Inc., Secure Computing Corporation,
           Cisco Systems, January 1998.

   [2275]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
           Access Control Model (VACM) for the Simple Network Management
           Protocol (SNMP)", RFC 2275, January 1998.


8. Revision History

   This section will be removed before publication.

   September 11, 1998    Initial internal release.
                         Traps not yet defined in ASN.1 format.
                         Device MIB not yet defined in ASN.1 format.

   October 4, 1998       Added significantly more explanations on
                         tunnel concept, including picture.
                         Added packet counters for traffic.
                         Made time usage consistent.
                         Added generic error counters.
                         Added SPIs and CPIs to IPSec SA table, and
                         cookies to IKE SA tunnel table.
                         Added peer port number to IKE SA table.
                         Added peer's certificate serial number and
                         issuer to IKE SA table.
                         More information about traps.
                         Added policy enforcement errors to IPSec
                         tunnels.

                         Issues:
                         1) Do aggregate statistic values on permanent
                         tunnels restart if link goes down and comes
                         back up again?
                         2) Should the IKE SA table indicate who was the
                         initiator?
                         3) Still have not put traps into ASN.1 format.
                         4) Still have not put entity-wide statistics
                         into ASN.1 format.

   November 2,1998       Add ASN.1 for entity level objects.
                         Add ASN.1 for traps.
                         Non-error event traps removed.
                         Added appendix to duplicate assigned numbers
                         from current drafts.
                          Issues:
                         1) Do aggregate statistic values on permanent


IPSec Working Group                                            [Page 60]


Internet Draft           IPSec Monitoring MIB              November 1998


                         tunnels restart if link goes down and comes
                         back up again?
                         2) Group and Compliance statements?
                         3) Sub-identifier under the experimental tree?

   November 24, 1998     Major changes; most too numerous to mention.
                         Single largest change is splitting IKE SAs from
                         what was the IKE tunnel table (now the control
                         channel table).
                         Issues:
                         1) Should aggregate statistic values on
                         permanent tunnels restart if link goes down and
                         comes back up again?
                         2) Group and Compliance statements?
                         3) Sub-identifier under the experimental tree?
                         4) Is existing address object implementation
                         okay for both IPv4 and IPv6?


9. Appendix A

   This appendix reproduces the assigned numbers from the referenced
   IPSec documents that are used in the MIB. They are to be used as a
   reference only and are not part of this specification. As the IPSec
   protocol evolves, this list is almost certain to become incomplete.

   Portions are blatantly copied from [IKE],[IPDOI] and [ISAKMP].

  ipsecIkeSaEncAlg - Encryption Algorithm
      DES-CBC                             1
      IDEA-CBC                            2
      Blowfish-CBC                        3
      RC5-R16-B64-CBC                     4
      3DES-CBC                            5
      CAST-CBC                            6


  ipsecIkeSaPeerIdType

       ID Type                           Value
       -------                           -----
       RESERVED                            0
       ID_IPV4_ADDR                        1
       ID_FQDN                             2
       ID_USER_FQDN                        3
       ID_IPV4_ADDR_SUBNET                 4
       ID_IPV6_ADDR                        5
       ID_IPV6_ADDR_SUBNET                 6


IPSec Working Group                                            [Page 61]


Internet Draft           IPSec Monitoring MIB              November 1998


       ID_IPV4_ADDR_RANGE                  7
       ID_IPV6_ADDR_RANGE                  8
       ID_DER_ASN1_DN                      9
       ID_DER_ASN1_GN                      10
       ID_KEY_ID                           11


  ipsecIkeSaHashAlg - Hash Algorithm
      MD5                                 1
      SHA                                 2
      Tiger                               3


  ipsecIkeSaAuthMethod - Authentication Method
      pre-shared key                      1
      DSS signatures                      2
      RSA signatures                      3
      Encryption with RSA                 4
      Revised encryption with RSA         5


  ipsecIkeSaDifHelGroupDesc - Group Description
      default 768-bit MODP group      1
      alternate 1024-bit MODP group   2
      EC2N group on GP[2^155]         3
      EC2N group on GP[2^185]         4


  ipsecIkeSaDifHelGroupType - Group Type
      MODP (modular exponentiation group)            1
      ECP  (elliptic curve group over GF[P])         2
      EC2N (elliptic curve group over GF[2^N])       3


  ipsecTunnelEspEncAlg

       Transform ID                        Value
       ------------                        -----
       RESERVED                            0
       ESP_DES_IV64                        1
       ESP_DES                             2
       ESP_3DES                            3
       ESP_RC5                             4
       ESP_IDEA                            5
       ESP_CAST                            6
       ESP_BLOWFISH                        7
       ESP_3IDEA                           8
       ESP_DES_IV32                        9


IPSec Working Group                                            [Page 62]


Internet Draft           IPSec Monitoring MIB              November 1998


       ESP_RC4                             10
       ESP_NULL                            11


  ipsecTunnelEspAuthAlg - Authentication Algorithm
           RESERVED                0
           HMAC-MD5                1
           HMAC-SHA                2
           DES-MAC                 3
           KPDK                    4


  ipsecTunnelAhAuthAlg

       Transform ID                        Value
       ------------                        -----
       RESERVED                            0-1
       AH_MD5                              2
       AH_SHA                              3
       AH_DES                              4


  ipsecTunnelCompAlg

       Transform ID                        Value
       ------------                        -----

       RESERVED                            0
       IPCOMP_OUI                          1
       IPCOMP_DEFLATE                      2
       IPCOMP_LZS                          3
       IPCOMP_V42BIS                       4


NOTIFY MESSAGES - ERROR TYPES

                ___________Errors______________Value_____
                 INVALID-PAYLOAD-TYPE             1
                 DOI-NOT-SUPPORTED                2
                 SITUATION-NOT-SUPPORTED          3
                 INVALID-COOKIE                   4
                 INVALID-MAJOR-VERSION            5
                 INVALID-MINOR-VERSION            6
                 INVALID-EXCHANGE-TYPE            7
                 INVALID-FLAGS                    8
                 INVALID-MESSAGE-ID               9
                 INVALID-PROTOCOL-ID             10
                 INVALID-SPI                     11


IPSec Working Group                                            [Page 63]


Internet Draft           IPSec Monitoring MIB              November 1998


                 INVALID-TRANSFORM-ID            12
                 ATTRIBUTES-NOT-SUPPORTED        13
                 NO-PROPOSAL-CHOSEN              14
                 BAD-PROPOSAL-SYNTAX             15
                 PAYLOAD-MALFORMED               16
                 INVALID-KEY-INFORMATION         17
                 INVALID-ID-INFORMATION          18
                 INVALID-CERT-ENCODING           19
                 INVALID-CERTIFICATE             20
                 CERT-TYPE-UNSUPPORTED           21
                 INVALID-CERT-AUTHORITY          22
                 INVALID-HASH-INFORMATION        23
                 AUTHENTICATION-FAILED           24
                 INVALID-SIGNATURE               25
                 ADDRESS-NOTIFICATION            26
                 NOTIFY-SA-LIFETIME              27
                 CERTIFICATE-UNAVAILABLE         28
                 UNSUPPORTED-EXCHANGE-TYPE       29
                 UNEQUAL-PAYLOAD-LENGTHS         30
                 RESERVED (Future Use)        31 - 8191
                 Private Use                8192 - 16383

                      NOTIFY MESSAGES - STATUS TYPES
                 _________Status_____________Value______
                  CONNECTED                   16384
                  RESERVED (Future Use)   16385 - 24575
                  DOI-specific codes     24576 - 32767
                  Private Use            32768 - 40959
                  RESERVED (Future Use)  40960 - 65535

       Notify Messages - Status Types      Value
       ------------------------------      -----
       RESPONDER-LIFETIME                  24576
       REPLAY-STATUS                       24577
       INITIAL-CONTACT                     24578















IPSec Working Group                                            [Page 64]


Internet Draft           IPSec Monitoring MIB              November 1998


Editor's Address

     Tim Jenkins
     tjenkins@timestep.com
     TimeStep Corporation
     362 Terry Fox Drive
     Kanata, ON
     Canada
     K2K 2P5
     +1 (613) 599-3610


   The IPSec working group can be contacted via the IPSec working
   group's mailing list (ipsec@tis.com) or through its chairs:

     Robert Moskowitz
     rgm@icsa.net
     International Computer Security Association

     Theodore Y. Ts'o
     tytso@MIT.EDU
     Massachusetts Institute of Technology




























IPSec Working Group                                            [Page 65]