Internet Engineering Task Force                            Tim Jenkins
IP Security Working Group                         TimeStep Corporation
Internet Draft                                      September 14, 1998



                             IPSec MIB
                    <draft-ietf-ipsec-mib-00.txt>



Status of this Memo

   This document is a submission to the IETF Internet Protocol
   Security (IPSEC) Working Group. Comments are solicited and should
   be addressed to the working group mailing list (ipsec@tis.com) or
   to the editor.

   This document is an Internet-Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or made obsolete by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress".

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Copyright Notice


   This document is a product of the IETF's IPSec Working Group.
   Copyright (C) The Internet Society (1998).  All Rights Reserved.







IPSec Working Group                                           [Page 1]


Internet Draft                IPSec MIB                 September, 98


Table of Contents


   1. Revision History...............................................2
   2. Introduction...................................................2
   3. The SNMPv2 Network Management Framework........................3
   3.1 Object Definitions............................................4
   4. IPSec MIB Objects Architecture.................................4
   4.1 IPSec Virtual Tunnels.........................................5
   4.1.1 Transient Tunnels...........................................5
   4.1.2 Permanent Tunnels...........................................5
   4.2 IKE SA Tunnels................................................5
   4.3 Phase 2 SA Tunnels............................................7
   4.4 Phase 2 SAs...................................................7
   4.5 IPSec MIB Traps...............................................8
   4.6 IPSec Device MIB..............................................8
   5. MIB Definitions................................................8
   6. Security Considerations.......................................29
   7. Acknowledgements..............................................30
   8. References....................................................30
   9. Editor's Address..............................................32

1.  Revision History

   This section will be removed before publication.

  September 11, 1998   Initial internal release.
                    Traps not yet defined in ASN.1 format.
                    Device MIB not yet defined in ASN.1 format.


2. Introduction

   This document defines monitoring and status MIBs for IPSec. It does
   not define MIBs that may be used for configuring IPSec
   implementations or for providing low-level diagnostic or debugging
   information. Those MIBs may be defined in later versions of this
   document or in other documents.

   The purpose of the MIBs is to allow system administrators to
   determine operating conditions and perform system operational level
   monitoring of the IPSec portion of their network. Statistics are
   provided as well.

   The IPSec MIB definitions use a virtual tunnel model, in which each
   tunnel is either a configured permanent tunnel or a transient
   tunnel. The virtual tunnel model is used so that IPSec can be
   viewed from a virtual private networking (VPN) point of view. This
   allows users
   of IPSec based products to get similar monitoring and statistical
   information from an IPSec based VPN as they would from a VPN based
   on other technologies, such as Frame Relay.

   Finally, the objects defined represent a somewhat simplified view
   of security associations. This is done for expediency and to
   simplify the presentation. Also, some information about SAs (for
   example, IKE cookies and SPIs) has been intentionally left out to
   reduce the security risk if SNMP traffic becomes compromised.


3. The SNMPv2 Network Management Framework

   The SNMP Management Framework presently consists of five major
   components:

  o An overall architecture, described in RFC 2271 [2271].

  o Mechanisms for describing and naming objects and events for the
     purpose of management. The first version of this Structure of
     Management Information (SMI) is called SMIv1 and described in
     RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
     version, called SMIv2, is described in RFC 1902 [1902], RFC 1903
     [1903] and RFC 1904 [1904].

  o Message protocols for transferring management information. The
     first version of the SNMP message protocol is called SNMPv1 and
     described in RFC 1157 [1157]. A second version of the SNMP
     message protocol, which is not an Internet standards track
     protocol, is called SNMPv2c and described in RFC 1901 [1901]
     and RFC 1906 [1906]. The third version of the message protocol
     is called SNMPv3 and described in RFC 1906 [1906], RFC 2272
     [2272] and RFC 2274 [2274].

  o Protocol operations for accessing management information. The
     first set of protocol operations and associated PDU formats is
     described in RFC 1157 [1157]. A second set of protocol
     operations and associated PDU formats is described in RFC 1905
     [1905].

  o A set of fundamental applications described in RFC 2273 [2273]
     and the view-based access control mechanism described in RFC
     2275 [2275].

   Managed objects are accessed via a virtual information store,
   termed the Management Information Base or MIB.  Objects in the MIB
   are defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.


3.1 Object Definitions

   Managed objects are accessed via a virtual information store,
   termed the Management Information Base or MIB.  Objects in the MIB
   are defined using the subset of Abstract Syntax Notation One
   (ASN.1) defined in the SMI. In particular, each object type is
   named by an OBJECT IDENTIFIER, an administratively assigned name.
   The object type together with an object instance serves to uniquely
   identify a specific instantiation of the object. For human
   convenience, we often use a textual string, termed the descriptor,
   to refer to the object type.


4. IPSec MIB Objects Architecture

   The IPSec MIB provides information related to both phase 1, or
   Internet Key Exchange (IKE), security associations (SAs) and phase
   2 (or IPSec) SAs. Configuration information about the SAs is
   provided, as are statistics related to the SAs themselves.

   Since one of the uses of IPSec implementations is to provide
   Virtual Private Network (VPN) services that replace other private
   network services such as leased lines or frame relay networks,
   there exists a need to provide the same type of monitoring
   capability.

   To support this, the concept of virtual tunnels is developed.
   Additionally, the concept of transient and permanent tunnels is
   also developed.

   It should be noted that the MIBs here are not extensions of the
   Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That
   approach was rejected for a number of reasons, including:

  1) The types of parameters required for those MIBs are not
     appropriate for IPSec MIBs.

  2) The virtual tunnels created by IPSec SAs are independent of
     other logical interfaces.

  3) The tunnel end point definitions are not the same as those used
     by the tunnel MIB.


4.1 IPSec Virtual Tunnels

   IPSec implementations effectively create tunnels that user traffic
   may pass through, performing various services on that traffic as it
   passes through the tunnel.


4.1.1 Transient Tunnels

   Transient tunnels are made up of SAs that normally go up and down,
   such as those created by a dial-in client implementation.
   Additionally, these SAs are prone to being torn down in an impolite
   manner. As an example, system administrators typically do not want
   to have alarms going off when these SAs are torn down because an
   end user disconnected his or her modem before performing a normal
   dial-up networking shut down.


4.1.2 Permanent Tunnels

   Permanent tunnels are made up of SAs that a system administrator
   considers of significant importance in a VPN implementation. These
   SAs would typically be from one IPSec gateway to another and be
   used as the link between two corporate networks. As such, the
   network administrator would want alarms to go off when one of these
   virtual tunnels goes down under any circumstances.

   How implementations specify which tunnels are permanent versus
   transient is beyond the scope of this document.

   A permanent tunnel is up if and only if the value of
   'ipsecTunnelCurrentSaNum' is greater than 0.


4.2 IKE SA Tunnels

   Phase 1 or IKE tunnels are defined as being made up of a series of
   phase 1 SAs that carry secured management traffic. It is assumed
   that only one phase 1 SA can exist between any two peers.
   Therefore, there is no separate table of phase 1 SAs and phase 1 SA
   tunnels.  A tunnel can be considered to exist past the lifetime of
   a phase 1 SA if a subsequent phase 1 SA can be immediately formed
   between the same peers, and any phase 2 SAs created by previous
   phase 1 SAs are not deleted when the original phase 1 SA expires.
   Stated another way, successful re-keying of a phase 1 SA keeps a
   phase 1 tunnel alive, but only if all phase 2 SAs created are kept
   as well.

   Phase 1 tunnels are uniquely identified by the IP addresses of the
   end points. [Question: Should port number be added to this
   definition and to the MIB? If so, a responder port number change
   from 500 to a user port number should not create a new tunnel.]

   IKE SAs are displayed as a table. It is assumed that there is only
   a single SA between end points. Therefore, the table consists of
   all active phase 1 SAs that are established between the local
   entity and other entities.

   Each row of the table contains configuration information such as
   the encryption algorithm used, the key length, and the
   authentication algorithm used. Peer information, such as the peer
   ID is also provided. [Question: Should certificate information,
   such as subject name, issuer name and serial number also be part of
   the row, even though it is meaningless in pre-shared key mode?]

   Phase 1 tunnels may be transient or permanent. The status column
   has no meaning for a transient phase 1 tunnel, since it indicates a
   tunnel that is up or down. A transient tunnel disappears from the
   table when it goes down; a permanent tunnel does not.

   It is recommended that implementations place permanent SAs in the
   table before all transient SAs, and that the order of permanent SAs
   displayed in the table does not change.

   Statistics are provided as well. There are three types of
   statistics provided: the statistics of the current phase 1 SA
   between the peers, the aggregate statistics of all phase 1 SAs
   ever established between the peers, and the aggregate statistics
   of all phase 2 SAs created by those phase 1 SAs. These statistics
   are kept based on the assumption that information is passed
   forward when SAs are re-keyed. This allows network monitors to
   determine the total amount of protected traffic passed between two
   IPSec implementations.

   Note that the cookies are not part of each row to reduce the
   security risk if SNMP traffic becomes compromised. These can be
   added by augmenting the existing phase 1 SA table and phase 2 SA
   table.
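   The phase 1 tunnel model described above and in section 4.1 (one
   live SA per peer address pair, aggregate counters carried forward
   across a re-key, permanent rows that stay in the table as link down
   while transient rows simply vanish and raise no alarm, and index
   values that survive re-initialization for permanent tunnels, as
   required of ipsecIkeSaIndex in section 5) can be captured in a few
   dozen lines. The following Python is an added illustration written
   for this document; it is not code from the draft or from any IPSec
   implementation. IkeSaTable, Phase1Sa, IkeTunnelRow and the event
   names 'ikeSaStart'/'ikeSaEnd' are assumed names, since the draft
   lists its traps by prose name only.

```python
"""Phase 1 (IKE SA) virtual-tunnel table: permanent vs transient rows,
re-key accounting, operator alarms and index assignment.

Added illustration for this draft, not code from it or from any IPSec
implementation.  IkeSaTable, Phase1Sa, IkeTunnelRow and the event names
'ikeSaStart'/'ikeSaEnd' are assumed names; the draft lists its traps by
prose name only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRANSIENT, PERMANENT = 1, 2                 # ipsecIkeSaType
NEVER_TRIED, LINK_UP, LINK_DOWN = 0, 1, 2   # ipsecIkeSaStatus

Peers = Tuple[str, str]   # (local IP, peer IP): the identity of a phase 1 tunnel


@dataclass
class Phase1Sa:
    """One IKE SA and the bytes it has carried so far."""
    local_ip: str
    peer_ip: str
    inbound_bytes: int = 0
    outbound_bytes: int = 0


@dataclass
class IkeTunnelRow:
    """One conceptual row of ipsecIkeSaTable."""
    index: int                     # ipsecIkeSaIndex
    sa_type: int                   # ipsecIkeSaType
    status: int = NEVER_TRIED      # ipsecIkeSaStatus; meaningful for permanent rows
    current: Optional[Phase1Sa] = None
    total_sa_num: int = 0          # ipsecIkeSaTotalSaNum
    total_inbound: int = 0         # ipsecIkeSaTotalInboundTraffic
    total_outbound: int = 0        # ipsecIkeSaTotalOutboundTraffic

    def is_up(self) -> bool:
        # Up exactly when a live SA supports the tunnel.
        return self.current is not None

    def fold_current(self) -> None:
        # Carry the finished SA's counters into the tunnel aggregates, so a
        # re-key never loses traffic that was already accounted for.
        if self.current is not None:
            self.total_inbound += self.current.inbound_bytes
            self.total_outbound += self.current.outbound_bytes
            self.current = None


class IkeSaTable:
    """Phase 1 tunnels keyed by address pair; at most one live SA per pair."""

    def __init__(self, permanent_peers: List[Peers]):
        # Permanent tunnels take indices 1..N in configuration order, so the
        # index survives restarts and their rows always precede transient ones.
        self.permanent_index = {p: i for i, p in enumerate(permanent_peers, 1)}
        self.rows: Dict[Peers, IkeTunnelRow] = {
            p: IkeTunnelRow(i, PERMANENT) for p, i in self.permanent_index.items()}
        self.events: List[Tuple[str, Peers]] = []   # what an agent would send as traps
        self.alarms: List[Peers] = []               # alarms raised to the operator

    def _transient_index(self) -> int:
        # Lowest free value above the permanent range; freed when the row goes.
        used = {r.index for r in self.rows.values()}
        idx = len(self.permanent_index) + 1
        while idx in used:
            idx += 1
        return idx

    def sa_established(self, sa: Phase1Sa) -> IkeTunnelRow:
        peers = (sa.local_ip, sa.peer_ip)
        row = self.rows.get(peers)
        if row is None:
            row = self.rows[peers] = IkeTunnelRow(self._transient_index(), TRANSIENT)
        row.fold_current()             # re-key: the old SA's bytes move to the totals
        row.current = sa
        row.total_sa_num += 1
        row.status = LINK_UP
        self.events.append(("ikeSaStart", peers))
        return row

    def sa_ended(self, local_ip: str, peer_ip: str) -> Optional[IkeTunnelRow]:
        peers = (local_ip, peer_ip)
        row = self.rows[peers]
        row.fold_current()
        self.events.append(("ikeSaEnd", peers))
        if row.sa_type == PERMANENT:
            # Stays in the table as link down: the case the operator wants alarmed.
            row.status = LINK_DOWN
            self.alarms.append(peers)
            return row
        del self.rows[peers]           # transient: the row vanishes, no alarm
        return None

    def ordered_rows(self) -> List[IkeTunnelRow]:
        # Table order: permanent rows first, then transient ones, by index.
        return sorted(self.rows.values(), key=lambda r: r.index)
```

   Driving this with one gateway-to-gateway pair configured as
   permanent and one dial-in peer shows the intended behaviour: the
   permanent row exists (never tried, index 1) before any SA is
   negotiated, a re-key leaves ipsecIkeSaTotalSaNum at 2 with the first
   SA's bytes folded into the totals, the dial-in row takes index 2 and
   is deleted without an alarm when its SA ends, and the permanent row
   goes to link down with an alarm when its SA ends.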



4.3 Phase 2 SA Tunnels

   Phase 2 or IPSec tunnels are defined as being made up of an
   arbitrary number of phase 2 (IPSec) SAs with the same tunnel
   parameters. They may be transient or permanent.  Functionally, this
   table is very similar to the IP Tunnel MIB; however, IPSec SA-based
   tunnels are not defined the same way as the tunnels in that MIB.

   Phase 2 tunnels are uniquely identified by IPSec SA mode (transport
   or tunnel), the IP address ranges (which may be single IP addresses
   or subnets) at each end, the port number at each end and the
   protocol, as defined in [IPDOI]. Note that the protocol and port
   numbers may be wildcards.

   Further, phase 2 tunnels must be considered different if the
   services they provide differ. In other words, if an SA providing
   both compression and ESP is created for the above parameters where
   previous SAs provided only ESP, the new SA MUST be considered part
   of a different virtual tunnel than the previous SAs.

   Phase 2 tunnels are presented in a second table. This table
   contains aggregate information related to the phase 2 SAs operating
   in the IPSec implementation. Each row of the table contains
   configuration information common to the phase 2 SAs of one tunnel
   and aggregate statistics related to all of those SAs. It does not
   contain information about specific phase 2 SAs.

   Each row in the table also has a value which is an index into the
   phase 1 SA table, identifying the IKE SA that created the tunnel's
   SAs, unless they are static (manually keyed) SAs.

   If the tunnel is configured as permanent, its status can be
   determined by the number of phase 2 SAs currently active within it.
   If that number is zero, then the tunnel must be considered down. If
   that number is greater than 0, then the tunnel is considered up.


4.4 Phase 2 SAs

   Individual phase 2 SAs appear in a third table. This table contains
   only the statistics for the individual SA and a value which is an
   index into the phase 2 SA tunnel table.

   Bundled SAs are supported by having separate objects for each of
   ESP, AH and IPCOMP, under the assumption that no implementation
   will use any of those protocols more than once in the same SA
     bundle. Further, the expiration parameters specified refer to the
   minimum value of each security service if there is more than one in
   the bundle.

   Note that the SPIs (CPIs for compression) are not part of each row
   to reduce the security risk if SNMP traffic becomes compromised.
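   The phase 2 tunnel identity defined in 4.3 (mode, both address
   ranges, both ports, protocol, and the set of services provided) and
   the bundle expiry rule of this section can be made concrete in
   code. The following Python is an added illustration written for
   this document; it is not code from the draft or from any IPSec
   implementation. Selector, ServiceLimits, Phase2Sa, tunnel_key,
   bundle_expiry and Phase2TunnelTable are assumed names, and the
   sample selectors below are constructed for the example.

```python
"""Phase 2 (IPSec) virtual-tunnel identity and SA-bundle expiry.

Added illustration for this draft, not code from it or from any IPSec
implementation.  Selector, ServiceLimits, Phase2Sa, tunnel_key,
bundle_expiry and Phase2TunnelTable are assumed names."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

ANY = 0   # wildcard protocol or port in a selector


@dataclass(frozen=True)
class Selector:
    """Traffic selector at one end: a host or subnet, and a port (or wildcard)."""
    network: str          # "192.0.2.5/32" or "10.1.0.0/16"
    port: int = ANY


@dataclass(frozen=True)
class ServiceLimits:
    """Expiry parameters of one security service in a bundle (None: no limit)."""
    seconds: Optional[int] = None
    kbytes: Optional[int] = None


@dataclass
class Phase2Sa:
    mode: str                                # "tunnel" or "transport"
    local: Selector
    remote: Selector
    protocol: int = ANY                      # IP protocol number, or wildcard
    esp: Optional[ServiceLimits] = None      # present => ESP is in the bundle
    ah: Optional[ServiceLimits] = None
    ipcomp: Optional[ServiceLimits] = None


def services(sa: Phase2Sa) -> frozenset:
    """The set of security services the SA bundle provides."""
    return frozenset(n for n in ("esp", "ah", "ipcomp") if getattr(sa, n) is not None)


def tunnel_key(sa: Phase2Sa) -> Tuple:
    """Identity of the phase 2 virtual tunnel an SA belongs to.

    Mode, both address ranges, both ports, the protocol and the service set
    must all match; an ESP-only SA and an ESP+IPCOMP SA for the same
    selectors therefore belong to different virtual tunnels."""
    return (sa.mode,
            ip_network(sa.local.network), sa.local.port,
            ip_network(sa.remote.network), sa.remote.port,
            sa.protocol, services(sa))


def bundle_expiry(sa: Phase2Sa) -> ServiceLimits:
    """Bundle expiry: the minimum of each limit over the services present."""
    limits = [getattr(sa, n) for n in services(sa)]
    secs = [l.seconds for l in limits if l.seconds is not None]
    kbs = [l.kbytes for l in limits if l.kbytes is not None]
    return ServiceLimits(min(secs) if secs else None, min(kbs) if kbs else None)


class Phase2TunnelTable:
    """Phase 2 tunnel rows, each holding the SAs currently supporting it."""

    def __init__(self, permanent_keys=()):
        self.permanent_keys = set(permanent_keys)
        # Permanent rows exist (empty, i.e. down) before any SA is negotiated.
        self.live: Dict[Tuple, List[Phase2Sa]] = {k: [] for k in self.permanent_keys}

    def sa_added(self, sa: Phase2Sa) -> Tuple:
        key = tunnel_key(sa)
        self.live.setdefault(key, []).append(sa)
        return key

    def sa_removed(self, sa: Phase2Sa) -> None:
        key = tunnel_key(sa)
        self.live[key].remove(sa)
        if not self.live[key] and key not in self.permanent_keys:
            del self.live[key]      # a transient tunnel disappears with its last SA

    def current_sa_num(self, key: Tuple) -> int:
        """Number of active SAs in the tunnel (the draft's ipsecTunnelCurrentSaNum)."""
        return len(self.live.get(key, []))

    def is_up(self, key: Tuple) -> bool:
        """A permanent tunnel is up if and only if it has at least one active SA."""
        return self.current_sa_num(key) > 0
```

   With this, two ESP-only SAs between 10.1.0.0/16 and 10.2.0.0/16
   with different lifetimes share one tunnel key, an ESP+IPCOMP SA for
   the same selectors gets a different key, the bundle expiry of the
   ESP+IPCOMP SA is the smaller time limit and the smaller traffic
   limit of its two services, a permanent row whose last SA is removed
   stays present with a current SA count of 0 (down), and a transient
   row is deleted together with its last SA.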


4.5 IPSec MIB Traps

   Traps are provided to let system administrators know about the
   creation and deletion of SAs, errors related to the creation of SAs
   and operational errors that may indicate the presence of attacks on
   the system.

   Specifically, the following traps are provided:

     IKE SA Start
     IKE SA End
     IKE SA Negotiation Failure
     Invalid Cookie Problem
     IPSec SA Tunnel Start
     IPSec SA Tunnel End
     IPSec SA Negotiation Failure
     IPSec SA Authentication Failure
     IPSec SA Replay Failure
     Invalid SPI Problem

4.6 IPSec Device MIB

   This MIB carries statistics global to the IPSec device.

   Statistics included are:

     The number of packets received with unknown SPIs (or CPIs).
     The number of general IKE protocol errors that occurred,
     including packets received with invalid cookies.
     The total number of phase 1 SAs established since boot time.
     The total number of phase 2 SAs established since boot time.

5. MIB Definitions

   IPSEC-MIB DEFINITIONS ::= BEGIN

      IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, Counter64,
          Integer32, IpAddress, mib-2,
          NOTIFICATION-TYPE                        FROM SNMPv2-SMI
          TEXTUAL-CONVENTION, DateAndTime,
          TruthValue                               FROM SNMPv2-TC
          MODULE-COMPLIANCE, OBJECT-GROUP          FROM SNMPv2-CONF
          snmpTraps                                FROM SNMPv2-MIB
          IANAifType                               FROM IANAifType-MIB;

      ipsecMIB MODULE-IDENTITY
          LAST-UPDATED "????"
          ORGANIZATION "IETF IPSec Working Group"
          CONTACT-INFO
                  "   Tim Jenkins
                      TimeStep Corporation
                      362 Terry Fox Drive
                      Kanata, ON  K0A 2H0
                      Canada

                      613-599-3610
                      tjenkins@timestep.com"

          DESCRIPTION
                  "The MIB module to describe generic IPSec objects
                   and transient and permanent virtual tunnels created
                   by IPSec SAs."
          REVISION      "????"
          DESCRIPTION
                  "Initial revision."
          ::= { mib-2 ?? }


      ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

      ipsec      OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }




   -- the IPSec IKE MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec's IKE SAs


   ipsecIkeSaTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecIkeSaEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
               "The (conceptual) table containing information on
                IPSec's IKE SAs."
       ::= { ipsec 1 }

   ipsecIkeSaEntry OBJECT-TYPE
       SYNTAX     IpsecIkeSaEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
               "An entry (conceptual row) containing the information
                on a particular IKE SA."
       INDEX      { ipsecIkeSaIndex }
       ::= { ipsecIkeSaTable 1 }

   IpsecIkeSaEntry ::= SEQUENCE {
      ipsecIkeSaIndex                  Integer32,

   -- security algorithm information
      ipsecIkeSaEncAlg                 Integer32,
      ipsecIkeSaEncKeyLength           Integer32,
      ipsecIkeSaHashAlg                Integer32,
      ipsecIkeSaDifHelGroupDesc        Integer32,
      ipsecIkeSaDifHelGroupType        Integer32,
      ipsecIkeSaDifHelFieldSize        Integer32,
      ipsecIkeSaPRF                    Integer32,
      ipsecIkeSaPFS                    TruthValue,

   -- peer information
      ipsecIkeSaPeerIpAddress          IpAddress,
      ipsecIkeSaAuthMethod             Integer32,
      ipsecIkeSaPeerIdType             Integer32,
      ipsecIkeSaPeerId                 OCTET STRING,

   -- virtual link status
      ipsecIkeSaType                   INTEGER,
      ipsecIkeSaStatus                 INTEGER,

   -- expiration limits, current SA
      ipsecIkeSaTimeStart              DateAndTime,
      ipsecIkeSaTimeLimit              Counter32,
      ipsecIkeSaTrafficLimit           Counter32,

   -- current operating statistics
      ipsecIkeSaInboundTraffic         Counter64,  -- in bytes
      ipsecIkeSaOutboundTraffic        Counter64,  -- in bytes

   -- aggregate statistics
      ipsecIkeSaTotalSaNum             Counter32,
      ipsecIkeSaTotalTime              Counter32,
      ipsecIkeSaTotalInboundTraffic    Counter64,  -- in bytes
      ipsecIkeSaTotalOutboundTraffic   Counter64,  -- in bytes

   -- aggregate error statistics
      ipsecIkeSaDecryptErrors          Counter32,
      ipsecIkeSaHashErrors             Counter32,

   -- IPSec SA (Phase 2) statistics (aggregate)
      ipsecIkeSaIpsecInboundTraffic    Counter64,
      ipsecIkeSaIpsecOutboundTraffic   Counter64,

   -- IPSec SA (Phase 2) error statistics (aggregate)
      ipsecIkeSaIpsecDecryptErrors     Counter32,
      ipsecIkeSaIpsecAuthErrors        Counter32,
      ipsecIkeSaIpsecReplayErrors      Counter32
   }

   ipsecIkeSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value, greater than zero, for each phase 1
                virtual tunnel.  It is recommended that values are
                assigned contiguously starting from 1.

                The value for each virtual tunnel must remain constant
                at least from one re-initialization of the entity's
                network management system to the next
                re-initialization.

                Further, the value for virtual tunnels that are marked
                as permanent must remain constant across all
                re-initializations of the network management system."
       ::= { ipsecIkeSaEntry 1 }

   ipsecIkeSaEncAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the encryption algorithm
                applied to traffic carried by this SA or 0 if there
                is no encryption applied.

                Specific values are used as described in the ISAKMP
                Class Values of Encryption Algorithms from Appendix A
                of [IKE]."
       ::= { ipsecIkeSaEntry 2 }

   ipsecIkeSaEncKeyLength OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The length of the encryption key in bits used for the
                algorithm specified in the ipsecIkeSaEncAlg object,
                or 0 if the key length is implicit in the specified
                algorithm or there is no encryption specified."
       ::= { ipsecIkeSaEntry 3 }

   ipsecIkeSaHashAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the hash algorithm
                applied to traffic carried by this SA or 0 if there
                is no hash applied.

                Specific values are used as described in the ISAKMP
                Class Values of Hash Algorithms from Appendix A
                of [IKE]."
       ::= { ipsecIkeSaEntry 4 }

   ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the Diffie-Hellman group
                description used or 0 if the group is unknown.

                Specific values are used as described in the ISAKMP
                Class Values of Group Description from Appendix A
                of [IKE]."
       ::= { ipsecIkeSaEntry 5 }

   ipsecIkeSaDifHelGroupType OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the Diffie-Hellman group
                type used or 0 if the group is unknown.

                Specific values are used as described in the ISAKMP
                Class Values of Group Type from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 6 }

   ipsecIkeSaDifHelFieldSize OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The field size, in bits, of a Diffie-Hellman group."
       ::= { ipsecIkeSaEntry 7 }

   ipsecIkeSaPRF OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The pseudo-random function used, or 0 if none is used
                or it is unknown.

                Specific values are used as described in the ISAKMP
                Class Values of PRF from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 8 }

   ipsecIkeSaPFS OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A value that indicates that perfect forward secrecy is
                used for all protocol SAs created by this IKE SA."
       ::= { ipsecIkeSaEntry 9 }

   ipsecIkeSaPeerIpAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The IP address of the peer that this SA was negotiated
                with, or 0.0.0.0 if unknown."
       ::= { ipsecIkeSaEntry 10 }

   ipsecIkeSaAuthMethod OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The authentication method used to authenticate the
                peers.

                Note that this does not include the specific method of
                authentication if extended authentication is used.

                Specific values are used as described in the ISAKMP
                Class Values of Authentication Method from Appendix A
                of [IKE]."
       ::= { ipsecIkeSaEntry 11 }

   ipsecIkeSaPeerIdType OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The type of ID used by the peer.

                Specific values are used as described in
                Section 4.6.2.1 of [IPDOI]."
       ::= { ipsecIkeSaEntry 12 }

   ipsecIkeSaPeerId OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..511))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The ID of the peer this SA was negotiated with.

                The length may require truncation under some
                conditions."
       ::= { ipsecIkeSaEntry 13 }

   ipsecIkeSaType OBJECT-TYPE
       SYNTAX      INTEGER { transient(1), permanent(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The type of virtual tunnel represented by this row.

                A transient link will disappear from the table when
                the SAs needed for it cannot be established. A
                permanent link shows its status in the
                ipsecIkeSaStatus object."
       ::= { ipsecIkeSaEntry 14 }

   ipsecIkeSaStatus OBJECT-TYPE
       SYNTAX      INTEGER
                   { neverTried(0), linkUp(1), linkDown(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The status of the virtual tunnel represented by this
                row, if the tunnel is configured as permanent.

                neverTried means that no attempt to set up the link
                has been made. linkUp means that the link is up and
                operating normally. linkDown means that the link was
                up, but has gone down."
       ::= { ipsecIkeSaEntry 15 }

   ipsecIkeSaTimeStart OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The date and time that the current SA within the link
                was set up.

                It is not the date and time that the virtual tunnel
                was set up."
       ::= { ipsecIkeSaEntry 16 }

   ipsecIkeSaTimeLimit OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The maximum lifetime in seconds of the current SA
                supporting the virtual tunnel, or 0 if there is
                no time constraint on its expiration."
       ::= { ipsecIkeSaEntry 17 }

   ipsecIkeSaTrafficLimit OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The maximum traffic in 1024-byte blocks that the
                current SA supporting the virtual tunnel is allowed
                to carry, or 0 if there is no traffic constraint
                on its expiration."
       ::= { ipsecIkeSaEntry 18 }

   ipsecIkeSaInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The amount of traffic, measured in bytes, handled by
                the current SA in the inbound direction."
       ::= { ipsecIkeSaEntry 19 }

   ipsecIkeSaOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The amount of traffic, measured in bytes, handled by
                the current SA in the outbound direction."
       ::= { ipsecIkeSaEntry 20 }

   ipsecIkeSaTotalSaNum OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of SAs, including the current SA,
                that have been set up to support this virtual tunnel."
       ::= { ipsecIkeSaEntry 21 }

   ipsecIkeSaTotalTime OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total time in minutes that this virtual tunnel
                has been up.

                If this is a permanent virtual tunnel, it is reset to
                zero when the tunnel goes to the linkUp state."
       ::= { ipsecIkeSaEntry 22 }

   ipsecIkeSaTotalInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total amount of traffic measured in bytes handled
                in the tunnel in the inbound direction. In other
                words, it is the aggregate value of all inbound
                traffic carried by all SAs ever set up to support the
                virtual tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the linkUp state."
       ::= { ipsecIkeSaEntry 23 }

   ipsecIkeSaTotalOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total amount of traffic measured in bytes handled
                in the tunnel in the outbound direction. In other
                words, it is the aggregate value of all outbound
                traffic carried by all SAs ever set up to support the
                virtual tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 24 }

   ipsecIkeSaDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets to this SA
                discarded due to decryption errors.

                Note that this refers to IKE protocol packets, and not
                to packets carried by SAs set up by the SAs supporting
                this tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 25 }

   ipsecIkeSaHashErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets to this SA
                discarded due to hash errors.

                Note that this refers to IKE protocol packets, and not
                to packets carried by SAs set up by the SAs supporting
                this tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 26 }

   ipsecIkeSaIpsecInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total amount of inbound traffic measured in bytes
                handled by all protocol SAs set up by phase 1 SAs
                supporting this tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 27 }

   ipsecIkeSaIpsecOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total amount of outbound traffic measured in bytes
                handled by all protocol SAs set up by phase 1 SAs
                supporting this tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 28 }

   ipsecIkeSaIpsecDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets discarded by all
                protocol SAs due to decryption errors.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 29 }

   ipsecIkeSaIpsecAuthErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets discarded by all
                protocol SAs due to authentication errors. This
                includes hash failures in IPSec SAs using ESP and AH.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 30 }

   ipsecIkeSaIpsecReplayErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets discarded by all
                protocol SAs due to replay errors.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the tunnel goes to the link_up state."
       -- arc 31: arc 30 is already taken by ipsecIkeSaIpsecAuthErrors
       ::= { ipsecIkeSaEntry 31 }


   -- the IPSec Tunnel MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec SA-based Tunnels


   ipsecTunnelIfTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecTunnelIfEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
               "The (conceptual) table containing information on IPSec
                SA-based tunnels."
       ::= { ipsec 2 }

   ipsecTunnelIfEntry OBJECT-TYPE
       SYNTAX     IpsecTunnelIfEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
               "An entry (conceptual row) containing the information
                on a particular configured tunnel."
       INDEX      { ipsecTunnelIfIndex }
       ::= { ipsecTunnelIfTable 1 }

   IpsecTunnelIfEntry ::= SEQUENCE {
      ipsecTunnelIfIndex      Integer32,
      ipsecTunnelIkeSa        Integer32, -- if not static
      ipsecTunnelType         INTEGER, -- static, transient, permanent

   -- tunnel identifiers
      ipsecTunnelIfLocalAddressOrStart          IpAddress,
      ipsecTunnelIfLocalAddressMaskOrEnd        IpAddress,
      ipsecTunnelIfRemoteAddressOrStart         IpAddress,
      ipsecTunnelIfRemoteAddressMaskOrEnd       IpAddress,
      ipsecTunnelIfProtocol                     Integer32,
      ipsecTunnelIfLocalPort                    Integer32,
      ipsecTunnelIfRemotePort                   Integer32,

   -- tunnel security
      ipsecTunnelMode                  INTEGER,
      ipsecTunnelEspEncAlg             Integer32,
      ipsecTunnelEspEncKeyLength       Integer32,
      ipsecTunnelEspAuthAlg            Integer32,
      ipsecTunnelAhAuthAlg             Integer32,
      ipsecTunnelCompAlg               Integer32,

   -- aggregate statistics
      ipsecTunnelCurrentSaNum          Gauge32,
      ipsecTunnelTotalSaNum            Counter32,
      ipsecTunnelTotalTimeUp           Counter32,
      ipsecTunnelTotalInboundTraffic   Counter64,
      ipsecTunnelTotalOutboundTraffic  Counter64,

   -- aggregate error statistics
      ipsecTunnelDecryptErrors         Counter32,
      ipsecTunnelAuthErrors            Counter32,
      ipsecTunnelReplayErrors          Counter32
   }


   ipsecTunnelIfIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value, greater than zero, for each tunnel
                interface.  It is recommended that values are assigned
                contiguously starting from 1.

                The value for each tunnel interface must remain
                constant at least from one re-initialization of the
                entity's network management system to the next
                re-initialization.

                Further, the value for tunnel interfaces that are
                marked as permanent must remain constant across all
                re-initializations of the network management system."
       ::= { ipsecTunnelIfEntry 1 }

   ipsecTunnelIkeSa OBJECT-TYPE
       SYNTAX      Integer32 (0..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The value of the index into the IKE SA tunnel table
                that created this tunnel (ipsecIkeSaIndex), or 0 if
                the tunnel is created by a static IPSec SA."
       ::= { ipsecTunnelIfEntry 2 }

   ipsecTunnelType OBJECT-TYPE
       SYNTAX      INTEGER { static(0), transient(1), permanent(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The type of the virtual tunnel represented by this
                row.

                static means that the tunnel is supported by a single
                static IPSec SA that was set up by configuration, and
                not by using a key exchange protocol. In this case,
                the value of ipsecTunnelIkeSa must be 0."
       ::= { ipsecTunnelIfEntry 3 }

   ipsecTunnelIfLocalAddressOrStart OBJECT-TYPE
       SYNTAX     IpAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The address of or the start address (if an address
                range) of the local endpoint of the tunnel, or 0.0.0.0
                if unknown or transport mode."
       ::= { ipsecTunnelIfEntry 4 }

   ipsecTunnelIfLocalAddressMaskOrEnd OBJECT-TYPE
       SYNTAX     IpAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The mask of or the end address (if an address
                range) of the local endpoint of the tunnel, or 0.0.0.0
                if unknown or transport mode."
       ::= { ipsecTunnelIfEntry 5 }

   ipsecTunnelIfRemoteAddressOrStart OBJECT-TYPE
       SYNTAX     IpAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The address of or the start address (if an address
                range) of the remote endpoint of the tunnel,
                or 0.0.0.0 if unknown or transport mode."
       ::= { ipsecTunnelIfEntry 6 }

   ipsecTunnelIfRemoteAddressMaskOrEnd OBJECT-TYPE
       SYNTAX     IpAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The mask of or the end address (if an address
                range) of the remote endpoint of the tunnel,
                or 0.0.0.0 if unknown or transport mode."
       ::= { ipsecTunnelIfEntry 7 }

   ipsecTunnelIfProtocol OBJECT-TYPE
       SYNTAX     Integer32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The number of the protocol that this tunnel carries,
                or 0 if it carries any protocol."
       ::= { ipsecTunnelIfEntry 8 }

   ipsecTunnelIfLocalPort OBJECT-TYPE
       SYNTAX     Integer32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The number of the local port that this tunnel carries,
                or 0 if it carries any port number."
       ::= { ipsecTunnelIfEntry 9 }

   ipsecTunnelIfRemotePort OBJECT-TYPE
       SYNTAX     Integer32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The number of the remote port that this tunnel
                carries, or 0 if it carries any port number."
       ::= { ipsecTunnelIfEntry 10 }

   ipsecTunnelMode OBJECT-TYPE
       SYNTAX     INTEGER { transport(1), tunnel(2) }
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
               "The type of encapsulation used by this tunnel."
       ::= { ipsecTunnelIfEntry 11 }

   ipsecTunnelEspEncAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the encryption algorithm
                applied to traffic carried by this SA if it uses ESP
                or 0 if there is no encryption applied by ESP
                or if ESP is not used.

                Specific values are taken from section 4.4.4
                of [IPDOI]."
       ::= { ipsecTunnelIfEntry 12 }

   ipsecTunnelEspEncKeyLength OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The length of the encryption key in bits used for the
                algorithm specified in the ipsecTunnelEspEncAlg
                object, or 0 if the key length is implicit in the
                specified algorithm or there is no encryption
                specified."
       ::= { ipsecTunnelIfEntry 13 }

   ipsecTunnelEspAuthAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the hash algorithm
                applied to traffic carried by this SA if it uses ESP
                or 0 if there is no authentication applied by ESP
                or if ESP is not used.

                Specific values are taken from the Authentication
                Algorithm attribute values of Section 4.5 of [IPDOI]."
       ::= { ipsecTunnelIfEntry 14 }

   ipsecTunnelAhAuthAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the hash algorithm
                applied to traffic carried by this SA if it uses AH
                or 0 if AH is not used.

                Specific values are taken from Section 4.4.3 of
                [IPDOI]."
       ::= { ipsecTunnelIfEntry 15 }

   ipsecTunnelCompAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value representing the compression algorithm
                applied to traffic carried by this SA if it uses
                IPCOMP.

                Specific values are taken from Section 4.4.5
                of [IPDOI]."
       ::= { ipsecTunnelIfEntry 16 }

   ipsecTunnelCurrentSaNum OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of current SAs set up to support this
                virtual tunnel."
       ::= { ipsecTunnelIfEntry 17 }

   ipsecTunnelTotalSaNum OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of SAs, including all current SAs,
                that have been set up to support this virtual tunnel."
       ::= { ipsecTunnelIfEntry 18 }

   ipsecTunnelTotalTimeUp OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total time in minutes that this virtual tunnel
                has been up.

                If this is a permanent virtual tunnel, it is reset to
                zero when the number of current SAs
                (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelIfEntry 19 }

   ipsecTunnelTotalInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total amount of traffic measured in bytes handled
                in the tunnel in the inbound direction. In other
                words, it is the aggregate value of all inbound
                traffic carried by all protocol SAs ever set up to
                support the virtual tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the number of current SAs
                (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelIfEntry 20 }

   ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total amount of traffic measured in bytes handled
                in the tunnel in the outbound direction. In other
                words, it is the aggregate value of all outbound
                traffic carried by all protocol SAs ever set up to
                support the virtual tunnel.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the number of current SAs
                (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelIfEntry 21 }

   ipsecTunnelDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets discarded by this
                virtual tunnel due to decryption errors in ESP.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the number of current SAs
                (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelIfEntry 22 }

   ipsecTunnelAuthErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets discarded by this
                virtual tunnel due to authentication errors. This
                includes hash failures in IPSec SA bundles using both
                ESP and AH.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the number of current SAs
                (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelIfEntry 23 }

   ipsecTunnelReplayErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The total number of inbound packets discarded by this
                virtual tunnel due to replay errors. This includes
                replay failures in IPSec SA bundles using both ESP and
                AH.

                If this is a permanent virtual tunnel, it is not reset
                to zero when the number of current SAs
                (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelIfEntry 24 }


   -- the IPSec SA MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec SAs


   ipsecSaTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecSaEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
               "The (conceptual) table containing information on
                IPSec SAs."
       ::= { ipsec 3 }

   ipsecSaEntry OBJECT-TYPE
       SYNTAX     IpsecSaEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
               "An entry (conceptual row) containing the information
                on a particular IPSec SA."
       INDEX      { ipsecSaIndex }
       ::= { ipsecSaTable 1 }

   IpsecSaEntry ::= SEQUENCE {
      ipsecSaIndex        Integer32,
      ipsecSaTunnel       Integer32,  -- index from ipsecTunnelIfTable

   -- expiration limits
      ipsecSaCreationTime           DateAndTime,
      ipsecSaTimeLimit              Counter32,  -- seconds, 0 if none
      ipsecSaTrafficLimit           Counter64,  -- 1024-byte blocks, 0 if none

   -- current operating statistics
      ipsecSaInboundTraffic         Counter64,
      ipsecSaOutboundTraffic        Counter64,

   -- error statistics
      ipsecSaDecryptErrors          Counter32,
      ipsecSaAuthErrors             Counter32,
      ipsecSaReplayErrors           Counter32
   }


   ipsecSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "A unique value, greater than zero, for each IPSec SA.
                It is recommended that values are assigned
                contiguously starting from 1."
       ::= { ipsecSaEntry 1 }

   ipsecSaTunnel OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The value of the index into the IPSec SA tunnel table
                that this SA supports (ipsecTunnelIfIndex)."
       ::= { ipsecSaEntry 2 }

   ipsecSaCreationTime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The date and time that the current SA was set up."
       ::= { ipsecSaEntry 3 }

   ipsecSaTimeLimit OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The maximum lifetime in seconds of the SA,
                or 0 if there is no time constraint on its
                expiration."
       ::= { ipsecSaEntry 4 }

   ipsecSaTrafficLimit OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The maximum traffic in 1024-byte blocks that the
                SA is allowed to support,
                or 0 if there is no traffic constraint on its
                expiration."
       ::= { ipsecSaEntry 5 }

   ipsecSaInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The amount of traffic measured in bytes handled in the
                SA in the inbound direction."
       ::= { ipsecSaEntry 6 }

   ipsecSaOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The amount of traffic measured in bytes handled in the
                SA in the outbound direction."
       ::= { ipsecSaEntry 7 }

   ipsecSaDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of inbound packets discarded by the SA
                due to decryption errors."
       ::= { ipsecSaEntry 8 }

   ipsecSaAuthErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of inbound packets discarded by the SA
                due to authentication errors. This includes
                hash failures in both ESP and AH."
       ::= { ipsecSaEntry 9 }

   ipsecSaReplayErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of inbound packets discarded by the SA
                due to replay errors. This includes replay failures
                in both ESP and AH."
       ::= { ipsecSaEntry 10 }

   END
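   A module of this size is easy to get structurally wrong by hand: two
   objects can end up on the same arc under one parent, a column can be
   registered under the table object instead of the conceptual row, and a
   SEQUENCE member type can drift away from the column's SYNTAX clause.
   Each of those makes the module fail to compile, or worse, load with the
   wrong OID layout, so a manager polls the wrong instance. The Python
   below is an added example, not part of this draft and not a MIB
   compiler; it runs three such checks plus a guard for definitions the
   matcher could not parse (for instance a missing "=" in "::=") over a
   constructed fragment written in the draft's style. The fragment, its
   "demo" root, and the planted defects are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed SMIv2 fragment in the style of the draft's module; it is not
# the draft's own text. Three defects are planted on purpose (see comments).
SAMPLE_MIB = """
   demoTunnelTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF DemoTunnelEntry
       MAX-ACCESS not-accessible
       DESCRIPTION "Constructed tunnel table."
       ::= { demo 2 }

   demoTunnelEntry OBJECT-TYPE
       SYNTAX     DemoTunnelEntry
       MAX-ACCESS not-accessible
       DESCRIPTION "Constructed tunnel row."
       INDEX      { demoTunnelIndex }
       ::= { demoTunnelTable 1 }

   DemoTunnelEntry ::= SEQUENCE {
      demoTunnelIndex        Integer32,
      demoTunnelCurrentSaNum Counter32,   -- defect 1: the object below says Gauge32
      demoTunnelAuthErrors   Counter32,
      demoTunnelReplayErrors Counter32
   }

   demoTunnelIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       DESCRIPTION "Row index."
       ::= { demoTunnelEntry 1 }

   demoTunnelCurrentSaNum OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       DESCRIPTION "Number of current SAs."
       ::= { demoTunnelEntry 2 }

   demoTunnelAuthErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       DESCRIPTION "Authentication failures."
       ::= { demoTunnelTable 3 }    -- defect 2: column hung off the table, not the row

   demoTunnelReplayErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       DESCRIPTION "Replay failures."
       ::= { demoTunnelEntry 2 }    -- defect 3: arc 2 is already demoTunnelCurrentSaNum
"""

OBJECT_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE\s+SYNTAX[ \t]+(?P<syntax>[^\n]+)"
    r".*?::=\s*\{\s*(?P<parent>[\w-]+)\s+(?P<arc>\d+)\s*\}", re.S)
SEQUENCE_RE = re.compile(r"(?P<name>[A-Z][\w-]*)\s*::=\s*SEQUENCE\s*\{(?P<body>.*?)\}", re.S)
MEMBER_RE = re.compile(r"([a-z][\w-]*)\s+([A-Za-z][\w-]*)")


def strip_comments(text):
    """Drop ASN.1 '--' comments so annotations never confuse the matchers."""
    return re.sub(r"--[^\n]*", "", text)


def base_type(syntax):
    """'Integer32 (1..2147483647)' -> 'Integer32'; 'INTEGER { a(1) }' -> 'INTEGER'."""
    return syntax.split()[0]


def parse_object_types(text):
    """(name, syntax, parent, arc) for every OBJECT-TYPE whose registration parses."""
    return [(m["name"], m["syntax"].strip(), m["parent"], int(m["arc"]))
            for m in OBJECT_RE.finditer(strip_comments(text))]


def parse_sequences(text):
    """SEQUENCE type name -> {column name: declared member type}."""
    return {m["name"]: dict(MEMBER_RE.findall(m["body"]))
            for m in SEQUENCE_RE.finditer(strip_comments(text))}


def lint_mib(text):
    objects = parse_object_types(text)
    sequences = parse_sequences(text)
    by_name = {name: (syntax, parent, arc) for name, syntax, parent, arc in objects}

    # 1. Two objects registered with the same arc under the same parent.
    arcs = defaultdict(list)
    for name, _, parent, arc in objects:
        arcs[(parent, arc)].append(name)
    duplicate_arcs = [(p, a, tuple(n)) for (p, a), n in arcs.items() if len(n) > 1]

    # 2. Columns belong under the row object (the one whose SYNTAX is the
    #    SEQUENCE type), never directly under the table object.
    entry_of = {syntax: name for name, syntax, _, _ in objects if syntax in sequences}
    misparented = []
    for seq_name, columns in sequences.items():
        entry = entry_of.get(seq_name)
        for col in columns:
            if entry and col in by_name and by_name[col][1] != entry:
                misparented.append((col, by_name[col][1], entry))

    # 3. The SEQUENCE member type must agree with the column's SYNTAX clause.
    mismatches = [(col, declared, base_type(by_name[col][0]))
                  for columns in sequences.values() for col, declared in columns.items()
                  if col in by_name and base_type(by_name[col][0]) != declared]

    # 4. OBJECT-TYPEs the matcher could not parse, e.g. '::' instead of '::='.
    unparsed = strip_comments(text).count("OBJECT-TYPE") - len(objects)
    return {"duplicate_arcs": duplicate_arcs, "misparented_columns": misparented,
            "type_mismatches": mismatches, "unparsed_object_types": unparsed}


if __name__ == "__main__":
    for check, findings in lint_mib(SAMPLE_MIB).items():
        print(f"{check}: {findings}")
```

   Running it on a real module before handing the module to a MIB compiler
   catches the mechanical mistakes early; it deliberately says nothing
   about semantics such as whether a lifetime object ought to be a Counter
   or an Unsigned32, which a compiler would not catch either.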

6. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IPSec virtual tunnels. There are no objects with
   MAX-ACCESS clauses of read-write or read-create.

   While unauthorized access to the readable objects is relatively
   innocuous, unauthorized access to those objects through an insecure
   channel can provide attackers with more information about a system
   than an administrator may desire.
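   The same counters that a passive observer should not see are, for the
   operator, the main signal this MIB offers: a tunnel whose
   ipsecTunnelAuthErrors or ipsecTunnelReplayErrors rise sharply between
   polls is discarding packets that failed integrity or anti-replay
   checks, which is either a peer with a stale key or traffic being
   injected or replayed on the path. The Python below is an added example,
   not part of this draft, of what a manager does with two polls of
   ipsecTunnelIfTable: it takes wrap-aware deltas (Counter32 and Counter64
   are monotonic and wrap modulo 2^32 and 2^64, so a raw subtraction goes
   negative exactly when the counter is busiest), skips rows that have no
   baseline yet, and rates each tunnel's discard counters per minute. The
   two polls are constructed values standing in for decoded varbinds, and
   the alert threshold is a hypothetical operating choice; the transport
   is assumed to be SNMPv3 with authentication and privacy (USM, [2274]),
   which is what addresses the insecure-channel concern above.

```python
COUNTER32_MOD = 1 << 32
COUNTER64_MOD = 1 << 64

# Columns of ipsecTunnelIfTable polled here, with the modulus implied by each
# object's SYNTAX clause (Counter32 or Counter64) so that wraps are handled.
COLUMNS = {
    "ipsecTunnelDecryptErrors": COUNTER32_MOD,
    "ipsecTunnelAuthErrors": COUNTER32_MOD,
    "ipsecTunnelReplayErrors": COUNTER32_MOD,
    "ipsecTunnelTotalInboundTraffic": COUNTER64_MOD,
}
ERROR_COLUMNS = ("ipsecTunnelDecryptErrors", "ipsecTunnelAuthErrors", "ipsecTunnelReplayErrors")

# Two constructed polls, (unix time, {ipsecTunnelIfIndex: {column: value}}),
# standing in for the varbinds an SNMPv3 authPriv walk would return. Tunnel 2's
# auth-error and inbound-traffic counters have wrapped between the polls, and
# tunnel 3 is a transient tunnel that only came up after the first poll.
POLL_T0 = (1000, {
    1: {"ipsecTunnelDecryptErrors": 0, "ipsecTunnelAuthErrors": 10,
        "ipsecTunnelReplayErrors": 0, "ipsecTunnelTotalInboundTraffic": 5_000_000},
    2: {"ipsecTunnelDecryptErrors": 0, "ipsecTunnelAuthErrors": 4_294_967_290,
        "ipsecTunnelReplayErrors": 5, "ipsecTunnelTotalInboundTraffic": 18_446_744_073_709_551_000},
})
POLL_T1 = (1300, {
    1: {"ipsecTunnelDecryptErrors": 0, "ipsecTunnelAuthErrors": 12,
        "ipsecTunnelReplayErrors": 0, "ipsecTunnelTotalInboundTraffic": 9_000_000},
    2: {"ipsecTunnelDecryptErrors": 3, "ipsecTunnelAuthErrors": 350,
        "ipsecTunnelReplayErrors": 505, "ipsecTunnelTotalInboundTraffic": 400},
    3: {"ipsecTunnelDecryptErrors": 0, "ipsecTunnelAuthErrors": 0,
        "ipsecTunnelReplayErrors": 0, "ipsecTunnelTotalInboundTraffic": 1_024},
})


def counter_delta(prev, cur, modulus):
    """Increment of a monotonic SNMP counter between two readings, allowing one wrap."""
    return (cur - prev) % modulus


def deltas_between(prev_rows, cur_rows):
    """Per-tunnel increments between two polls; rows absent from either poll are skipped."""
    deltas = {}
    for ifindex, cur in cur_rows.items():
        prev = prev_rows.get(ifindex)
        if prev is None:
            continue  # no baseline yet for a row that appeared since the last poll
        deltas[ifindex] = {col: counter_delta(prev[col], cur[col], mod)
                           for col, mod in COLUMNS.items()}
    return deltas


def find_noisy_tunnels(prev_poll, cur_poll, max_errors_per_min=10.0):
    """(ifIndex, column, per-minute rate) for every discard counter above the threshold."""
    prev_time, prev_rows = prev_poll
    cur_time, cur_rows = cur_poll
    minutes = (cur_time - prev_time) / 60.0
    if minutes <= 0:
        raise ValueError("polls must be in chronological order")
    alerts = []
    for ifindex, d in sorted(deltas_between(prev_rows, cur_rows).items()):
        for col in ERROR_COLUMNS:
            rate = d[col] / minutes
            if rate > max_errors_per_min:  # hypothetical threshold, tune per site
                alerts.append((ifindex, col, round(rate, 1)))
    return alerts


if __name__ == "__main__":
    for ifindex, col, rate in find_noisy_tunnels(POLL_T0, POLL_T1):
        print(f"tunnel {ifindex}: {col} rising at {rate}/min")
```

   Counter deltas, not absolute values, are what matter here: the draft
   says the tunnel-level totals are not reset for a permanent tunnel when
   its SA count goes from 0 to 1, so an absolute reading says nothing
   about the last few minutes, and without the modulus a wrap would be
   read as a huge negative increment and silently suppress the alert.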


7. Acknowledgements

   Portions of this document are based on "IP Security Management
   Information Base" by R. Thayer and U. Blumenthal; hence this
   document's numbering starts at one.

   Additionally, thanks are extended to Gabriella Dinescu for
   assistance in the preparation of the MIB structures.


8. References

   [IPDOI] Derrell Piper, "The Internet IP Security Domain of
           Interpretation for ISAKMP", draft-ietf-ipsec-ipsec-doi-
           10.txt, work in progress.

   [IKE]   Harkins, D., Carrel, D., "The Internet Key Exchange
           (IKE)," draft-ietf-ipsec-isakmp-oakley-08.txt, work in
           progress.

   [ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
            "Internet Security Association and Key Management Protocol
            (ISAKMP)," draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
            progress.

   [IPTun] Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-
           02.txt, work in progress.

   [IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
           using SMIv2", RFC 2233

   [1902]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
           "Structure of Management Information for version 2 of the
           Simple Network Management Protocol (SNMPv2)", RFC 1902,
           January 1996.

   [2271]  Harrington, D., Presuhn, R., and B. Wijnen, "An
           Architecture for Describing SNMP Management Frameworks",
           RFC 2271, January 1998

   [1155]  Rose, M., and K. McCloghrie, "Structure and Identification
           of Management Information for TCP/IP-based Internets", RFC
           1155, May 1990

   [1212]  Rose, M., and K. McCloghrie, "Concise MIB Definitions",
           RFC 1212, March 1991




   [1215]  M. Rose, "A Convention for Defining Traps for use with the
           SNMP", RFC 1215, March 1991

   [1903]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
           and S. Waldbusser, "Textual Conventions for Version 2 of
           the Simple Network Management Protocol (SNMPv2)", RFC
           1903, January 1996.

   [1904]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
           and S. Waldbusser, "Conformance Statements for Version 2
           of the Simple Network Management Protocol (SNMPv2)", RFC
           1904, January 1996.

   [1157]  Case, J., Fedor, M., Schoffstall, M., and J. Davin,
           "Simple Network Management Protocol", RFC 1157, May 1990.

   [1901]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
           and S. Waldbusser, "Introduction to Community-based
           SNMPv2", RFC 1901, January 1996.

   [1906]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
           and S. Waldbusser, "Transport Mappings for Version 2 of
           the Simple Network Management Protocol (SNMPv2)", RFC
           1906, January 1996.

   [2272]  Case, J., Harrington D., Presuhn R., and B. Wijnen,
           "Message Processing and Dispatching for the Simple Network
           Management Protocol (SNMP)", RFC 2272, January 1998.

   [2274]  Blumenthal, U., and B. Wijnen, "User-based Security Model
           (USM) for version 3 of the Simple Network Management
           Protocol (SNMPv3)", RFC 2274, January 1998.

   [1905]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
           and S. Waldbusser, "Protocol Operations for Version 2 of
           the Simple Network Management Protocol (SNMPv2)", RFC
           1905, January 1996.

   [2273]  Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
           RFC 2273, SNMP Research, Inc., Secure Computing
           Corporation, Cisco Systems, January 1998.

   [2275]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
           Access Control Model (VACM) for the Simple Network
           Management Protocol (SNMP)", RFC 2275, January 1998.





9. Editor's Address

     Tim Jenkins
     tjenkins@timestep.com
     TimeStep Corporation
     362 Terry Fox Drive
     Kanata, ON
     Canada
     K2K 2P5
     +1 (613) 599-3610


   The IPSec working group can be contacted via the IPSec working
   group's mailing list (ipsec@tis.com) or through its chairs:

     Robert Moskowitz
     rgm@icsa.net
     International Computer Security Association

     Theodore Y. Ts'o
     tytso@MIT.EDU
     Massachusetts Institute of Technology
