Internet Engineering Task Force Tim Jenkins
IP Security Working Group TimeStep Corporation
Internet Draft November 9, 1998
IPSec Monitoring MIB
<draft-ietf-ipsec-mib-02.txt>
Status of this Memo
This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@tis.com) or to the editor.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited.
Copyright Notice
This document is a product of the IETF's IPSec Working Group.
Copyright (C) The Internet Society (1998). All Rights Reserved.
IPSec Working Group [Page 1]
Internet Draft IPSec Monitoring MIB November 1998
Table of Contents
1. Revision History 2
2. Introduction 3
3. The SNMPv2 Network Management Framework 4
3.1 Object Definitions 5
4. IPSec MIB Objects Architecture 5
4.1 Tunnel MIB and Interface MIB Consideration 5
4.2 MIB Tables 6
4.3 IPSec Virtual Tunnels 7
4.3.1 Transient Tunnels 9
4.3.2 Permanent Tunnels 10
4.4 IKE SA Tunnels 10
4.5 Phase 2 SA Tunnels 11
4.6 Phase 2 SAs 12
4.7 Asymmetric Use 12
4.8 Notify Messages 13
4.9 IPSec MIB Traps 13
4.10 IPSec Entity Level Objects 13
5. MIB Definitions 14
6. Security Considerations 51
7. Acknowledgements 52
8. References 52
9. Appendix A 54
1. Revision History
This section will be removed before publication.
September 11, 1998 Initial internal release.
Traps not yet defined in ASN.1 format.
Device MIB not yet defined in ASN.1 format.
October 4, 1998 Added significantly more explanations on
tunnel concept, including picture.
Added packet counters for traffic.
Made time usage consistent.
Added generic error counters.
Added SPIs and CPIs to IPSec SA table, and
cookies to IKE SA tunnel table.
Added peer port number to IKE SA table.
Added peer's certificate serial number and
issuer to IKE SA table.
More information about traps.
Added policy enforcement errors to IPSec
tunnels.
Issues:
1) Do aggregate statistic values on permanent
tunnels restart if link goes down and comes
back up again?
2) Should the IKE SA table indicate who was the
initiator?
3) Still have not put traps into ASN.1 format.
4) Still have not put entity-wide statistics
into ASN.1 format.
November 2, 1998 Add ASN.1 for entity level objects.
Add ASN.1 for traps.
Non-error event traps removed.
Added appendix to duplicate assigned numbers
from current drafts.
Issues:
1) Do aggregate statistic values on permanent
tunnels restart if link goes down and comes
back up again?
2) Group and Compliance statements?
3) Sub-identifier under the experimental tree?
2. Introduction
This document defines monitoring and status MIBs for IPSec. It does
not define MIBs that may be used for configuring IPSec
implementations or for providing low-level diagnostic or debugging
information. Further, it does not provide policy information. Those
MIBs may be defined in later versions of this document or in other
documents.
The purpose of the MIBs is to allow system administrators to
determine operating conditions and perform system operational level
monitoring of the IPSec portion of their network. Statistics are
provided as well.
The IPSec MIB definitions use a virtual tunnel model, of which there
can be configured permanent tunnels or transient tunnels. The virtual
tunnel model is used to allow the use of IPSec from a virtual private
networking (VPN) point of view. This allows users of IPSec based
products to get similar monitoring and statistical information from
an IPSec based VPN as they would from a VPN based on other
technologies, such as Frame Relay.
Finally, the objects defined here present a somewhat simplified
view of security associations. This is done for expediency and to
simplify the presentation. Also, some information about SAs has been
intentionally left out to reduce the security risk if SNMP traffic
becomes compromised.
3. The SNMPv2 Network Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2271 [2271].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in
RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
version, called SMIv2, is described in RFC 1902 [1902],
RFC 1903 [1903] and RFC 1904 [1904].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in RFC 1157 [1157]. A second version of the SNMP message
protocol, which is not an Internet standards track protocol, is
called SNMPv2c and described in RFC 1901 [1901] and
RFC 1906 [1906]. The third version of the message protocol is
called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
and RFC 2274 [2274].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in RFC 1157 [1157]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [1905].
o A set of fundamental applications described in RFC 2273 [2273]
and the view-based access control mechanism described in
RFC 2275 [2275].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
3.1 Object Definitions
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the subset of Abstract Syntax Notation One (ASN.1)
defined in the SMI. In particular, each object type is named by an
OBJECT IDENTIFIER, an administratively assigned name. The object type
together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience, we often
use a textual string, termed the descriptor, to refer to the object
type.
4. IPSec MIB Objects Architecture
The IPSec MIB provides information related to both phase 1 or
Internet Key Exchange (IKE) security associations (SAs) and phase 2
(or IPSec) SAs. Configuration about the SAs is provided as are
statistics related to the SAs themselves.
Since one of the uses of IPSec implementations is to provide Virtual
Private Network (VPN) services comparable to other private network
services such as leased lines or frame relay networks, there exists
a need to provide the same type of monitoring capability.
To support this, the concept of virtual tunnels is developed.
Additionally, the concept of transient and permanent tunnels is also
developed.
Additionally, since IPSec itself has many structures, and because VPN
service providers may be interested in different kinds of statistics,
the MIB provides a number of aggregate totals. These totals are
provided to allow system administrators to take snapshots of system
behaviour without excessive SNMP traffic on the network.
4.1 Tunnel MIB and Interface MIB Consideration
It should be noted that the MIBs here are not extensions of the
Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach
was rejected for a number of reasons, including:
o The types of parameters required for those MIBs are not
appropriate for IPSec MIBs.
The parameters required for IPSec tunnels are related to security
services and statistics associated with handling those services.
There are no parameters like that associated with the Tunnel MIB.
o The virtual tunnels created by IPSec SAs are independent of other
logical interfaces.
This document takes the point of view that IPSec sits on top of IP.
This perspective is used since IPSec adds additional protocol headers
before the IP header. In this case, it may be conceptually viewed as
a layer 4 protocol from the IP layer point of view. As such, the
handling of IPSec secured packets by IP is independent of how IP is
routed over the physical or logical layer 2 interfaces. That
particular mapping is part of the purpose of the Tunnel MIB, and thus
has no direct relationship to the IPSec virtual tunnels.
o The tunnel end point definitions are not the same as those used by
the tunnel MIB.
The Tunnel MIB uniquely defines tunnels by a simple source and
destination IP address pair. This is only a specific subset of the
identifiers needed for IPSec virtual tunnels.
4.2 MIB Tables
The MIB uses three tables that are linked as shown in Figure 4-1. The
following sections describe the use of these tables.
The IPSec SAs appear in the IPSec SA table. These SAs create the
virtual tunnels shown in the IPSec virtual tunnel table. These may
have been created by SAs in the IKE SA table, which is also
considered a virtual tunnel, and contains statistics about itself,
the IKE SAs used to support it, and aggregate information about IPSec
virtual tunnels created by it.
In Figure 4-1, IKE virtual tunnel number 1 has created two IPSec
virtual tunnels 1 and 2. Virtual tunnel 1 at this moment has SAs
numbered 1 and 6, while virtual tunnel 2 at this moment has SAs
numbered 2 and 5. IKE virtual tunnel number 2 has created IPSec
virtual tunnel 3, which has IPSec SAs numbered 3 and 4.
A diagram that is intended to show the tunnels that exist between two
IPSec gateways is shown in Figure 4-2. Two host groups each are shown
behind the IPSec gateways. Also shown are the IKE or phase 1 virtual
tunnel between the gateways and four possible IPSec virtual tunnels.
Of these four possible virtual tunnels, one is shown with two IPSec
SAs in it. One of these SAs may be just about to expire, while the
other may have been created in anticipation of the expiration of the
first. These SAs are the SAs that provide the service, supporting the
existence of the tunnel.
Within each IPSec virtual tunnel are the IPSec SAs that are set up to
maintain the virtual tunnels. Also illustrated is the link to the
phase 1 SA tunnel that collects the aggregate statistics associated
with all IPSec virtual tunnels associated with the IKE tunnel.
More information on the virtual tunnels is presented in subsequent
sections.
   ipsecIkeSaTable   -information and statistics on the IKE SAs
     IKE SA1 <---+   -aggregate information about IPSec tunnels
     IKE SA2 <-+ |
               | |<- only if IPSec SAs are not static
               | |
               | |   ipsecTunnelTable   -information and statistics on
               | +- IPSec Tunnel 1 <---+   the IPSec virtual tunnels
               | +- IPSec Tunnel 2 <--+|
               +--- IPSec Tunnel 3 <-+||
                                     |||
                                     |||   ipsecSaTable   -information on
                                     ||+- IPSec SA 1      specific IPSec SAs
                                     |+|- IPSec SA 2
                                     +||- IPSec SA 3
                                     +||- IPSec SA 4
                                      +|- IPSec SA 5
                                       +- IPSec SA 6

             Figure 4-1 IPSec Monitoring MIB Structure
4.3 IPSec Virtual Tunnels
IPSec implementations effectively create tunnels that user traffic
may pass through, performing various services on that traffic as it
passes through the tunnel.
Virtual IPSec tunnels are created by the existence of SAs, either
statically created or created by IKE. The tunnel concept comes from
the effect that SAs have on the packets they handle. As a packet
encounters an IPSec implementation, either in a security gateway or
as a layer in a protocol stack, a policy decision causes the packet
to be handed to an SA for processing.
                 +----------------------------+
                 |    IKE (control tunnel)    |
                 |   +---------------------+  |
                 |   |       IKE SA        |  |
                 |   +---------------------+  |
                 +----------------------------+
                   ^                        ^
                   |                        | <- aggregate IPSec statistics
                   |                        |
   H11 -|  +----+  |                        |  +----+  |- H21
        |  |    |                              |    |  |
        |--| G1 |------------------------------| G2 |--|
        |  |    |                              |    |  |
   H12 -|  +----+  |                        |  +----+  |- H22
                   |                        |
                   |                        |
                 +-----------------------------------------+
                 | H11 to H21 (data tunnel)                | <- aggregate
                 | +-------------------------------------+ |    SA statistics
                 | | IPSec SA with H11 and H21 selectors | |    for H11-H21
                 | +-------------------------------------+ |
                 | +-------------------------------------+ |
                 | | IPSec SA with H11 and H21 selectors | |
                 | +-------------------------------------+ |
                 +-----------------------------------------+
                   |                        |
                 +-----------------------------------------+
                 | H11 to H22 (data tunnel)                | <- aggregate
                 +-----------------------------------------+    SA statistics
                   |                        |                   for H11-H22
                 +-----------------------------------------+
                 | H12 to H21 (data tunnel)                | <- aggregate
                 +-----------------------------------------+    SA statistics
                   |                        |                   for H12-H21
                 +-----------------------------------------+
                 | H12 to H22 (data tunnel)                | <- aggregate
                 +-----------------------------------------+    SA statistics
                   |                        |                   for H12-H22
                   +------------------------+

              Figure 4-2 Illustration of IPSec Tunnels
The SA then performs a security service (including possibly
compression) on the packet, then adds at least one new header and
sends the packet into the normal IP stream for routing. (The only
time no header is added is when the only service provided by the SA
is compression, it is a transport mode SA, and the packet is not
compressible.)
When the secured (and possibly compressed) packet arrives at its
destination, the peer IPSec implementation removes the added header
or headers and reverse processes the packet. Another policy lookup is
then done to make sure the packet was appropriately handled by the
sending peer.
Since the original packet is conceptually "hidden" between the two
IPSec implementations, it can be considered tunneled. To help
conceptually, if ESP could be negotiated with no encryption and no
authentication, it would provide services very similar to IP-in-IP.
The specific SA chosen by the policy lookup is based on what are
called the selectors. The selectors are the packet's source IP
address, its destination IP address, its layer 4 protocol and its
layer 4 protocol source and destination port numbers. The policy
system uses this information to assign the packet to an SA for
handling.
Since it is irrelevant to the packet which specific SA provided the
services, and since all SAs with the same selectors should provide
the same service, the existence of any and all SAs assigned to the
selector effectively creates a tunnel for the packets.
In other words, the tunnel created by the SAs is identified by the
selectors used to assign the security services to the packet. The
selectors are explained in detail in [SECARCH].
While the virtual tunnel described so far is for packets that are
passed to the IPSec SAs, there exists another type of virtual tunnel.
This virtual tunnel carries control traffic for the management of the
IPSec SAs between two peers.
This tunnel is created by the existence of phase 1 SAs between the
two peers. This document assumes that there is never more than one
phase 1 SA between peers for the purposes of the statistics provided
by the phase 1, or IKE, tunnel. This allows the statistics for IKE
SAs and the virtual tunnel created by those SAs to be combined into
the same table.
4.3.1 Transient Tunnels
Transient tunnels are made up of SAs that normally go up and down,
such as those created by a dial-in client implementation.
Additionally, these SAs are prone to being torn down in an impolite
manner. As an example, system administrators typically do not want to
have alarms going off when these SAs are torn down because an end
user disconnected his or her modem before performing a normal dial-up
networking shut down.
By necessity, this applies to both the IKE tunnel and the IPSec
tunnels created by it. Static SAs can never create transient tunnels.
4.3.2 Permanent Tunnels
Permanent tunnels are made up of SAs that a system administrator
considers of significant importance in a VPN implementation. These
SAs would typically be from one IPSec gateway to another and be used
as the link between two corporate networks. As such, the network
administrator would want alarms to go off when one of these virtual
tunnels goes down under any circumstance.
How implementations specify which tunnels are permanent versus
transient is beyond the scope of this document.
To determine if a particular permanent tunnel is up, the value of
'ipsecTunnelCurrentSaNum' in the ASN.1 notation to follow must be
greater than 0.
4.4 IKE SA Tunnels
Phase 1 or IKE tunnels are defined as being made up of a series of
phase 1 SAs that carry secured management traffic. It is assumed that
only one phase 1 SA can exist between any two peers. Therefore, there
is no separate table of phase 1 SAs and phase 1 SA tunnels. A tunnel
can be considered to exist past the lifetime of a phase 1 SA if a
subsequent phase 1 SA can be immediately formed between the same
peers, and any phase 2 SAs created by previous phase 1 SAs are not
deleted when the original phase 1 SA expires. Stated another way,
successful re-keying of a phase 1 SA keeps a phase 1 tunnel alive,
but only if all phase 2 SAs created are kept as well.
Phase 1 tunnels are uniquely identified by the IP addresses and port
numbers of the end points. It is assumed that a peer that either
initiates from or responds from a port number that is not the IKE
default port number will continue to use the same port number.
IKE SAs are displayed as a table. It is assumed that there is only a
single SA between end points. Therefore, the table consists of all
active phase 1 SAs that are established between the local entity and
other entities.
Each row of the table contains configuration information such as the
encryption algorithm used, the key length, and the authentication
algorithm used. Peer information, such as the peer ID is also
provided. Certificate information, specifically the issuer name and
serial number is included, even though it is meaningless in pre-
shared key authentication mode. This is due to the importance of this
information in many VPN implementations. The distinguished name of
the certificate is not provided; it may be the ID used for phase 1
negotiation. If the ID used for phase 1 negotiation is not the
certificate's distinguished name, it should be one of the alternate
names encoded in the certificate.
Phase 1 tunnels may be transient or permanent. The status column has
no meaning for a transient phase 1 tunnel, since it indicates a
tunnel that is up or down. A transient tunnel disappears from the
table when it goes down; a permanent tunnel does not.
It is recommended that implementations place permanent SAs in the
table before all transient SAs, and that the order of permanent SAs
displayed in the table does not change.
Statistics are provided as well. There are three types of statistics
provided. These are the statistics associated with the current phase
1 SA between the peers, the aggregate statistics of phase 1 SA
communications between the peers and the aggregate statistics of all
other phase 2 SAs created by the phase 1 SA. These statistics are
kept based on the assumption that information is passed forward when
SAs are re-keyed. This allows network monitors to determine the total
amount of protected traffic passed between two IPSec implementations.
4.5 Phase 2 SA Tunnels
Phase 2 or IPSec tunnels are defined as being made up of an arbitrary
number of phase 2 or IPsec SAs with the same tunnel parameters. They
may be transient or permanent. Functionally, this table is very
similar to the IP Tunnel MIB; however, IPSec SA-based tunnels are
not defined the same way as the tunnels in that MIB.
Phase 2 tunnels are uniquely identified by the IP addresses (which
may be single IP addresses, ranges or subnets) at each end, the port
number at each end and the protocol, as defined in [IPDOI]. Note that
the protocol and port numbers may be wildcards.
Further, phase 2 tunnels must be considered different if the services
they provide change. In other words, if an SA that provides
compression and ESP is created for the above parameters where
previous SAs had only ESP, the new SA MUST be considered part of a
different virtual tunnel than the previous SA.
Individual phase 2 SAs are presented in another table. Each row of
the IPSec tunnel table contains configuration information related to
phase 2 SAs and aggregate statistics related to all of those SAs. It
does not contain information about specific phase 2 SAs.
Each row in the table has a value that indexes the row of the phase 1
SA that created it, if the phase 2 SAs are not static SAs.
If the tunnel is configured as permanent, its status can be
determined by the number of phase 2 SAs currently active with it. If
that number is zero, then the tunnel must be considered down. If that
number is greater than 0, then the tunnel is considered up.
4.6 Phase 2 SAs
Individual phase 2 SAs appear in a third table. This table contains
only the statistics for the individual SA and a value which is an
index into the phase 2 SA tunnel table. This means that each entry in
this table is information and statistics for the individual SAs in
the system that are unique to each SA. Since many SAs may share the
selectors, these are found in the IPSec tunnel table entry referenced
by each SA.
Bundled SAs are supported by having separate objects for each of ESP,
AH and IPCOMP, under the assumption that no implementation will use
any of those protocols more than once in the same SA bundle. While no
particular order of application of the three services is specified,
it is expected that IPCOMP will always be applied first if used and
AH will always be applied last if used. Further, the expiration
parameters specified refer to the minimum value of each security
service if there is more than one in the bundle.
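As an added illustration of the three-table structure described in sections 4.2 through 4.6 (example code, not part of the draft), the following Python model places SAs into virtual tunnels keyed by selectors plus service set, rolls per-SA counters up into the tunnel row and the creating IKE row, and derives a permanent tunnel's status from its current SA count. The class and field names are assumptions rather than MIB identifiers, and the addresses and byte counts are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Selectors identifying a phase 2 virtual tunnel (section 4.5): local and
# remote address (address, range or subnet as a string), local port,
# remote port and protocol; 0 stands for a wildcard.
Selectors = Tuple[str, str, int, int, int]


@dataclass
class IpsecTunnel:
    """Row of ipsecTunnelTable: selectors, services and aggregate counters."""
    index: int
    selectors: Selectors
    services: FrozenSet[str]      # subset of {"esp", "ah", "ipcomp"} (4.6)
    ike_index: Optional[int]      # row of the creating IKE SA; None if static
    permanent: bool
    sa_indexes: List[int] = field(default_factory=list)
    total_in_bytes: int = 0
    total_out_bytes: int = 0

    @property
    def current_sa_num(self) -> int:   # plays the role of ipsecTunnelCurrentSaNum
        return len(self.sa_indexes)


@dataclass
class IpsecSa:
    """Row of ipsecSaTable: per-SA counters and the owning tunnel's index."""
    index: int
    tunnel_index: int
    in_bytes: int = 0
    out_bytes: int = 0


class IpsecMibModel:
    def __init__(self) -> None:
        self.tunnels: Dict[int, IpsecTunnel] = {}
        self.sas: Dict[int, IpsecSa] = {}
        self.ike_ipsec_bytes: Dict[int, int] = {}   # aggregate per IKE row
        self._next_sa = 1

    def add_sa(self, selectors: Selectors, services, ike_index: Optional[int],
               permanent: bool = False) -> IpsecSa:
        """Place a new SA in the tunnel with the same selectors AND the same
        services; a different service set means a different tunnel (4.5)."""
        key = (selectors, frozenset(services))
        tunnel = next((t for t in self.tunnels.values()
                       if (t.selectors, t.services) == key), None)
        if tunnel is None:
            tidx = max(self.tunnels, default=0) + 1
            tunnel = IpsecTunnel(tidx, selectors, key[1], ike_index, permanent)
            self.tunnels[tidx] = tunnel
        sa = IpsecSa(self._next_sa, tunnel.index)
        self._next_sa += 1
        self.sas[sa.index] = sa
        tunnel.sa_indexes.append(sa.index)
        return sa

    def count_traffic(self, sa_index: int, in_bytes: int, out_bytes: int) -> None:
        """Per-SA counters roll up into the tunnel row and then the IKE row."""
        sa = self.sas[sa_index]
        sa.in_bytes += in_bytes
        sa.out_bytes += out_bytes
        t = self.tunnels[sa.tunnel_index]
        t.total_in_bytes += in_bytes
        t.total_out_bytes += out_bytes
        if t.ike_index is not None:
            self.ike_ipsec_bytes[t.ike_index] = (
                self.ike_ipsec_bytes.get(t.ike_index, 0) + in_bytes + out_bytes)

    def expire_sa(self, sa_index: int) -> None:
        """Drop an SA row; tunnel totals survive (4.4). A transient tunnel
        with no SAs left leaves the table; a permanent one stays, reading down."""
        sa = self.sas.pop(sa_index)
        t = self.tunnels[sa.tunnel_index]
        t.sa_indexes.remove(sa_index)
        if t.current_sa_num == 0 and not t.permanent:
            del self.tunnels[t.index]

    def tunnel_status(self, tunnel_index: int) -> str:
        """Status per 4.3.2 and 4.5: only meaningful for a permanent tunnel."""
        t = self.tunnels.get(tunnel_index)
        if t is None:
            return "absent"        # transient tunnel that has gone away
        if not t.permanent:
            return "transient"     # status column has no meaning here
        return "up" if t.current_sa_num > 0 else "down"


def demo() -> IpsecMibModel:
    """Constructed scenario: a re-keyed permanent ESP tunnel under IKE row 1,
    plus an ESP+IPCOMP SA for the same selectors, which needs its own tunnel."""
    m = IpsecMibModel()
    sel: Selectors = ("10.1.0.0/16", "10.2.0.0/16", 0, 0, 0)
    sa1 = m.add_sa(sel, {"esp"}, ike_index=1, permanent=True)
    sa2 = m.add_sa(sel, {"esp"}, ike_index=1, permanent=True)   # re-key
    sa3 = m.add_sa(sel, {"esp", "ipcomp"}, ike_index=1)         # transient
    m.count_traffic(sa1.index, 1000, 500)
    m.count_traffic(sa2.index, 200, 100)
    m.count_traffic(sa3.index, 40, 20)
    m.expire_sa(sa1.index)   # tunnel 1 stays up on sa2; totals are kept
    return m
```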
4.7 Asymmetric Use
This MIB is defined assuming symmetric use of SAs. That is to say
that it assumes that an inbound SA is always set up with a
corresponding outbound SA that provides the same security service.
In cases where this MIB is required for asymmetric use, the
corresponding objects that describe the unused direction may be set
to the equivalent of the unknown or zero state.
4.8 Notify Messages
Notify messages sent from peer to peer are not necessarily sent as
traps. However, they are collected as they occur and accumulated in a
parse table structure.
A notify message object is defined. This object is used as the index
into the table of accumulated notify messages. This helps system
administrators determine if there are potential configuration
problems or attacks on their network.
4.9 IPSec MIB Traps
Traps are provided to let system administrators know about the
existence of error conditions occurring in the entity. Errors are
associated with the creation and deletion of SAs, and also
operational errors that may indicate the presence of attacks on the
system.
Traps are not provided when SAs and tunnels come up or go down,
unless they go down due to error conditions. It should be noted that
the termination of a permanent tunnel is normally considered an error
condition, while the termination of a transient tunnel is not
normally considered an error.
The causes of SA negotiation failure are indicated by a notify
message object.
4.10 IPSec Entity Level Objects
This part of the MIB carries statistics global to the IPSec device.
Statistics included are aggregate errors, aggregate numbers
associated with SAs, permanent tunnels and transient tunnels. The
statistics are provided as objects in a tree below these groups.
More system-wide statistics on transient tunnels are provided since
they disappear from the tables when they terminate, and the aggregate
traffic statistics associated with individual tunnels are lost.
5. MIB Definitions
IPSEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, Counter64,
Integer32, mib-2, IpAddress,
experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI
DateAndTime, TruthValue FROM SNMPv2-TC;
ipsecMIB MODULE-IDENTITY
LAST-UPDATED "9811091200Z"
ORGANIZATION "IETF IPSec Working Group"
CONTACT-INFO
" Tim Jenkins
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON K0A 2H0
Canada
613-599-3610
tjenkins@timestep.com"
DESCRIPTION
"The MIB module to describe generic IPSec objects,
transient and permanent virtual tunnels created by IPSec
SAs, and entity level IPSec objects and events."
REVISION "9811091200Z "
DESCRIPTION
"Initial revision."
-- ::= { mib-2 ?? }
::= { experimental 500 } -- what's the correct value?
ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }
ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }
-- the IPSec IKE MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE SAs and the virtual phase 1 SA tunnels
ipsecIkeSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecIkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec's
IKE SAs."
::= { ipsec 1 }
ipsecIkeSaEntry OBJECT-TYPE
SYNTAX IpsecIkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IKE SA."
INDEX { ipsecIkeSaIndex }
::= { ipsecIkeSaTable 1 }
IpsecIkeSaEntry ::= SEQUENCE {
ipsecIkeSaIndex Integer32,
-- peer information
ipsecIkeSaPeerIpAddress IpAddress,
ipsecIkeSaPeerPortNumber INTEGER,
ipsecIkeSaAuthMethod Integer32,
ipsecIkeSaPeerIdType Integer32,
ipsecIkeSaPeerId OCTET STRING,
ipsecIkeSaPeerCertSerialNum OCTET STRING,
ipsecIkeSaPeerCertIssuer OCTET STRING,
-- virtual link status
ipsecIkeSaType INTEGER,
ipsecIkeSaStatus INTEGER,
-- security algorithm information
ipsecIkeSaEncAlg INTEGER,
ipsecIkeSaEncKeyLength Integer32,
ipsecIkeSaHashAlg Integer32,
ipsecIkeSaDifHelGroupDesc Integer32,
ipsecIkeSaDifHelGroupType Integer32,
ipsecIkeSaDifHelFieldSize Integer32,
ipsecIkeSaPRF Integer32,
ipsecIkeSaPFS TruthValue,
-- identifier information
ipsecIkeSaInitiatorCookie OCTET STRING,
ipsecIkeSaResponderCookie OCTET STRING,
-- expiration limits, current SA
ipsecIkeSaTimeStart DateAndTime,
ipsecIkeSaTimeLimit Gauge32, -- in seconds
ipsecIkeSaTrafficLimit Gauge32, -- in kbytes
-- current SA's operating statistics
ipsecIkeSaInboundTraffic Counter64, -- in bytes
ipsecIkeSaOutboundTraffic Counter64, -- in bytes
ipsecIkeSaInboundPackets Counter32,
ipsecIkeSaOutboundPackets Counter32,
-- aggregate statistics (all SAs)
ipsecIkeSaTotalSaNum Counter32,
ipsecIkeSaFirstTimeStart DateAndTime,
ipsecIkeSaTotalInboundTraffic Counter64, -- in bytes
ipsecIkeSaTotalOutboundTraffic Counter64, -- in bytes
ipsecIkeSaTotalInboundPackets Counter32,
ipsecIkeSaTotalOutboundPackets Counter32,
-- aggregate error statistics
ipsecIkeSaDecryptErrors Counter32,
ipsecIkeSaHashErrors Counter32,
ipsecIkeSaOtherReceiveErrors Counter32,
ipsecIkeSaSendErrors Counter32,
-- IPSec SA (Phase 2) statistics (aggregate)
ipsecIkeSaIpsecInboundTraffic Counter64,
ipsecIkeSaIpsecOutboundTraffic Counter64,
ipsecIkeSaIpsecInboundPackets Counter32,
ipsecIkeSaIpsecOutboundPackets Counter32,
-- IPSec SA (Phase 2) error statistics (aggregate)
ipsecIkeSaIpsecDecryptErrors Counter32,
ipsecIkeSaIpsecAuthErrors Counter32,
ipsecIkeSaIpsecReplayErrors Counter32,
ipsecIkeSaIpsecOtherReceiveErrors Counter32,
ipsecIkeSaIpsecSendErrors Counter32
}
ipsecIkeSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each tunnel
interface. It is recommended that values are assigned
contiguously starting from 1.
The value for each tunnel interface must remain constant
at least from one re-initialization of entity's network
management system to the next re-initialization.
Further, the value for tunnel interfaces that are marked
as permanent must remain constant across all re-
initializations of the network management system."
::= { ipsecIkeSaEntry 1 }
ipsecIkeSaPeerIpAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP address of the peer that this SA was negotiated
with, or 0 if unknown."
::= { ipsecIkeSaEntry 2 }
ipsecIkeSaPeerPortNumber OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The port number of the peer that this SA was negotiated
with, or 0 if the default ISAKMP port number (500)."
::= { ipsecIkeSaEntry 3 }
ipsecIkeSaAuthMethod OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The authentication method used to authenticate the
peers.
Note that this does not include the specific method of
authentication if extended authentication is used.
Specific values are used as described in the ISAKMP Class
Values of Authentication Method from Appendix A of
[IKE]."
::= { ipsecIkeSaEntry 4 }
ipsecIkeSaPeerIdType OBJECT-TYPE
SYNTAX Integer32 (0..256)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of ID used by the peer.
Specific values are used as described in Section 4.6.2.1
of [IPDOI]."
::= { ipsecIkeSaEntry 5 }
ipsecIkeSaPeerId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the peer this SA was negotiated with.
The length may require truncation under some conditions."
::= { ipsecIkeSaEntry 6 }
ipsecIkeSaPeerCertSerialNum OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..63))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The serial number of the certificate of the peer this SA
was negotiated with.
This object has no meaning if a certificate was not used
in authenticating the peer."
::= { ipsecIkeSaEntry 7 }
ipsecIkeSaPeerCertIssuer OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The issuer name of the certificate of the peer this SA
was negotiated with.
This object has no meaning if a certificate was not used
in authenticating the peer."
::= { ipsecIkeSaEntry 8 }
ipsecIkeSaType OBJECT-TYPE
SYNTAX INTEGER { transient(1), permanent(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of virtual tunnel represented by this row.
A transient link will disappear from the table when
the SAs needed for it cannot be established. A
permanent link will show its status in the
ipsecIkeSaStatus object."
::= { ipsecIkeSaEntry 9 }
ipsecIkeSaStatus OBJECT-TYPE
SYNTAX INTEGER
{ neverTried(0), linkUp(1), linkDown(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the virtual tunnel represented by this
row, if the tunnel is configured as permanent.
'neverTried' means that no attempt to set up the link
has been made. 'linkUp' means that the link is up and
operating normally. 'linkDown' means that the link was
up, but has gone down."
::= { ipsecIkeSaEntry 10 }
ipsecIkeSaEncAlg OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic carried by this SA or 0 if there
is no encryption applied.
Specific values are used as described in the ISAKMP
Class Values of Encryption Algorithms from Appendix A
of [IKE]."
::= { ipsecIkeSaEntry 11 }
ipsecIkeSaEncLeyLength OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for
algorithm specified in the ipsecIkeSaEncAlg object or 0
if the key length is implicit in the specified
algorithm or there is no encryption specified."
::= { ipsecIkeSaEntry 12 }
ipsecIkeSaHashAlg OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this SA or 0 if there is no
hash algorithm applied.
Specific values are used as described in the ISAKMP Class
Values of Hash Algorithms from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 13 }
ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
description used or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Description from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 14 }
ipsecIkeSaDifHelGroupType OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
type used or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Type from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 15 }
ipsecIkeSaDifHelFieldSize OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The field size, in bits, of a Diffie-Hellman group."
::= { ipsecIkeSaEntry 16 }
ipsecIkeSaPRF OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The pseudo-random function used, or 0 if none is used or
if unknown.
Specific values are used as described in the ISAKMP Class
Values of PRF from Appendix A of [IKE] (which specifies
none at the present time)."
::= { ipsecIkeSaEntry 17 }
ipsecIkeSaPFS OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A value that indicates that perfect forward secrecy is
used for all IPSec SAs created by this IKE SA."
::= { ipsecIkeSaEntry 18 }
ipsecIkeSaInitiatorCookie OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the initiator for the
current phase 1 SA."
::= { ipsecIkeSaEntry 19 }
ipsecIkeSaResponderCookie OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the responder for the
current phase 1 SA."
::= { ipsecIkeSaEntry 20 }
ipsecIkeSaTimeStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the current SA within the link
was set up.
It is not the date and time that the virtual tunnel was
set up."
::= { ipsecIkeSaEntry 21 }
ipsecIkeSaTimeLimit OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the current SA
supporting the virtual tunnel, or 0 if there is no time
constraint on its expiration."
::= { ipsecIkeSaEntry 22 }
ipsecIkeSaTrafficLimit OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in 1024-byte blocks that the current
SA supporting the virtual tunnel is allowed to support,
or 0 if there is no traffic constraint on its
expiration."
::= { ipsecIkeSaEntry 23 }
ipsecIkeSaInboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes handled in the
current SA in the inbound direction."
::= { ipsecIkeSaEntry 24 }
ipsecIkeSaOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes handled in the
current SA in the outbound direction."
::= { ipsecIkeSaEntry 25 }
ipsecIkeSaInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled in the current SA in the
inbound direction."
::= { ipsecIkeSaEntry 26 }
ipsecIkeSaOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled in the current SA in the
outbound direction."
::= { ipsecIkeSaEntry 27 }
ipsecIkeSaTotalSaNum OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of SAs, including the current SA, that
have been set up to support this virtual tunnel."
::= { ipsecIkeSaEntry 28 }
ipsecIkeSaFirstTimeStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that this virtual tunnel was
originally set up.
It is not the time that the current SA was set up.
If this is a permanent virtual tunnel, it is reset when
the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 29 }
ipsecIkeSaTotalInboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the tunnel in the inbound direction. In other words, it
is the aggregate value of all inbound traffic carried by
all SAs ever set up to support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 30 }
ipsecIkeSaTotalOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the tunnel in the outbound direction. In other words, it
is the aggregate value of all outbound traffic carried by
all SAs ever set up to support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 31 }
ipsecIkeSaTotalInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled by the virtual
tunnel since it became active in the inbound direction.
In other words, it is the aggregate value of the number
of inbound packets carried by all SAs ever set up to
support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 32 }
ipsecIkeSaTotalOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled by the virtual
tunnel since it became active in the outbound direction.
In other words, it is the aggregate value of the number
of outbound packets carried by all SAs ever set up to
support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 33 }
ipsecIkeSaDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this SA discarded
due to decryption errors.
Note that this refers to IKE protocol packets, and not to
packets carried by SAs set up by the SAs supporting this
tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 34 }
ipsecIkeSaHashErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this SA discarded
due to hash errors.
Note that this refers to IKE protocol packets, and not to
packets carried by SAs set up by the SAs supporting this
tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 35 }
ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this SA discarded
for reasons other than bad hashes or decryption errors.
This may include packets dropped due to a lack of
receive buffer space.
Note that this refers to IKE protocol packets, and not to
packets carried by SAs set up by the SAs supporting this
tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 36 }
ipsecIkeSaSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets from this SA
discarded for any reason. This may include packets
dropped due to a lack of transmit buffer space.
Note that this refers to IKE protocol packets, and not to
packets carried by SAs set up by the SAs supporting this
tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 37 }
ipsecIkeSaIpsecInboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic measured in bytes
handled by all IPSec SAs set up by phase 1 SAs supporting
this tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 38 }
ipsecIkeSaIpsecOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic measured in bytes
handled by all IPSec SAs set up by phase 1 SAs supporting
this tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 39 }
ipsecIkeSaIpsecInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets handled by all IPSec
SAs set up by phase 1 SAs supporting this tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 40 }
ipsecIkeSaIpsecOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets handled by all
IPSec SAs set up by phase 1 SAs supporting this tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 41 }
ipsecIkeSaIpsecDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec SAs due to decryption errors.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 42 }
ipsecIkeSaIpsecAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec SAs due to authentication errors. This includes
hash failures in IPSec SAs using ESP and AH.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 43 }
ipsecIkeSaIpsecReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec SAs due to replay errors.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 44 }
ipsecIkeSaIpsecOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec SAs due to errors other than authentication,
decryption or replay errors. This may include packets
dropped due to lack of receive buffers.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 45 }
ipsecIkeSaIpsecSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets discarded by all
IPSec SAs due to any error. This may include packets
dropped due to lack of transmit buffers.
If this is a permanent virtual tunnel, it is not reset to
zero when the tunnel goes to the 'linkUp' state."
::= { ipsecIkeSaEntry 46 }
-- the IPSec Tunnel MIB-Group
--
-- a collection of objects providing information about
-- IPSec SA-based virtual tunnels
ipsecTunnelTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecTunnelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
SA-based tunnels."
::= { ipsec 2 }
ipsecTunnelEntry OBJECT-TYPE
SYNTAX IpsecTunnelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular configured tunnel."
INDEX { ipsecTunnelIndex }
::= { ipsecTunnelTable 1 }
IpsecTunnelEntry ::= SEQUENCE {
ipsecTunnelIndex Integer32,
ipsecTunnelIkeSa Integer32, -- if not static
ipsecTunnelType INTEGER, -- static, transient, permanent
-- tunnel identifiers
ipsecTunnelLocalAddressOrStart IpAddress,
ipsecTunnelLocalAddressMaskOrEnd IpAddress,
ipsecTunnelRemoteAddressOrStart IpAddress,
ipsecTunnelRemoteAddressMaskOrEnd IpAddress,
ipsecTunnelProtocol Integer32,
ipsecTunnelLocalPort Integer32,
ipsecTunnelRemotePort Integer32,
-- tunnel security services description
ipsecTunnelMode INTEGER,
ipsecTunnelEspEncAlg Integer32,
ipsecTunnelEspEncKeyLength Integer32,
ipsecTunnelEspAuthAlg Integer32,
ipsecTunnelAhAuthAlg Integer32,
ipsecTunnelCompAlg Integer32,
-- aggregate statistics
ipsecTunnelStartTime DateAndTime,
ipsecTunnelCurrentSaNum Gauge32,
ipsecTunnelTotalSaNum Counter32,
ipsecTunnelTotalInboundTraffic Counter64,
ipsecTunnelTotalOutboundTraffic Counter64,
ipsecTunnelTotalInboundPackets Counter32,
ipsecTunnelTotalOutboundPackets Counter32,
-- aggregate error statistics
ipsecTunnelDecryptErrors Counter32,
ipsecTunnelAuthErrors Counter32,
ipsecTunnelReplayErrors Counter32,
ipsecTunnelPolicyErrors Counter32,
ipsecTunnelOtherReceiveErrors Counter32,
ipsecTunnelSendErrors Counter32
}
ipsecTunnelIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each tunnel
interface. It is recommended that values are assigned
contiguously starting from 1.
The value for each tunnel interface must remain constant
at least from one re-initialization of the entity's
network management system to the next re-initialization.
Further, the value for tunnel interfaces that are marked
as permanent must remain constant across all re-
initializations of the network management system."
::= { ipsecTunnelEntry 1 }
ipsecTunnelIkeSa OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the index into the IKE SA tunnel table that
created this tunnel (ipsecIkeSaIndex), or 0 if the tunnel
is created by a static IPSec SA."
::= { ipsecTunnelEntry 2 }
ipsecTunnelType OBJECT-TYPE
SYNTAX INTEGER { static(0), transient(1), permanent(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the virtual tunnel represented by this row.
'static' means that the tunnel is supported by a single
static IPSec SA that was set up by configuration, and not
by using a key exchange protocol. In this case, the value
of ipsecTunnelIkeSa must be 0."
::= { ipsecTunnelEntry 3 }
ipsecTunnelLocalAddressOrStart OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address of or the start address (if an address
range) of the local endpoint of the tunnel, or 0.0.0.0 if
unknown or if the SA uses transport mode encapsulation."
::= { ipsecTunnelEntry 4 }
ipsecTunnelLocalAddressMaskOrEnd OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The mask of or the end address (if an address range) of
the local endpoint of the tunnel, or 0.0.0.0 if unknown
or if the SA uses transport mode encapsulation."
::= { ipsecTunnelEntry 5 }
ipsecTunnelRemoteAddressOrStart OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address of or the start address (if an address
range) of the remote endpoint of the tunnel, or 0.0.0.0
if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecTunnelEntry 6 }
ipsecTunnelRemoteAddressMaskOrEnd OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The mask of or the end address (if an address range) of
the remote endpoint of the tunnel, or 0.0.0.0 if unknown
or if the SA uses transport mode encapsulation."
::= { ipsecTunnelEntry 7 }
ipsecTunnelProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the protocol that this tunnel carries, or
0 if it carries any protocol."
::= { ipsecTunnelEntry 8 }
ipsecTunnelLocalPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the local port that this tunnel carries,
or 0 if it carries any port number."
::= { ipsecTunnelEntry 9 }
ipsecTunnelRemotePort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the remote port that this tunnel carries,
or 0 if it carries any port number."
::= { ipsecTunnelEntry 10 }
ipsecTunnelMode OBJECT-TYPE
SYNTAX INTEGER { transport(1), tunnel(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by this virtual tunnel."
::= { ipsecTunnelEntry 11 }
ipsecTunnelEspEncAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic carried by this SA if it uses ESP or 0
if there is no encryption applied by ESP or if ESP is not
used.
Specific values are taken from section 4.4.4 of [IPDOI]."
::= { ipsecTunnelEntry 12 }
ipsecTunnelEspEncKeyLength OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for the
algorithm specified in the ipsecTunnelEspEncAlg object,
or 0 if the key length is implicit in the specified
algorithm or there is no encryption specified."
::= { ipsecTunnelEntry 13 }
ipsecTunnelEspAuthAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this SA if it uses ESP or 0 if
there is no authentication applied by ESP or if ESP is
not used.
Specific values are taken from the Authentication
Algorithm attribute values of Section 4.5 of [IPDOI]."
::= { ipsecTunnelEntry 14 }
ipsecTunnelAhAuthAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this SA if it uses AH or 0 if AH is
not used.
Specific values are taken from Section 4.4.3 of [IPDOI]."
::= { ipsecTunnelEntry 15 }
ipsecTunnelCompAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the compression algorithm
applied to traffic carried by this SA if it uses IPCOMP.
Specific values are taken from Section 4.4.5 of [IPDOI]."
::= { ipsecTunnelEntry 16 }
ipsecTunnelStartTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that this virtual tunnel was set up.
If this is a permanent virtual tunnel, it is reset when
the number of current SAs (ipsecTunnelCurrentSaNum)
changes from 0 to 1."
::= { ipsecTunnelEntry 17 }
ipsecTunnelCurrentSaNum OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of current SAs set up to support this virtual
tunnel.
If this number is 0, the tunnel must be considered down.
Also, if this number is 0, the tunnel must be a permanent
tunnel, since transient tunnels that are down do not
appear in the table."
::= { ipsecTunnelEntry 18 }
ipsecTunnelTotalSaNum OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of SAs, including all current SAs, that
have been set up to support this virtual tunnel."
::= { ipsecTunnelEntry 19 }
ipsecTunnelTotalInboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the tunnel in the inbound direction. In other words, it
is the aggregate value of all inbound traffic carried by
all IPSec SAs ever set up to support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 20 }
ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the tunnel in the outbound direction. In other words, it
is the aggregate value of all outbound traffic carried by
all IPSec SAs ever set up to support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 21 }
ipsecTunnelTotalInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled in the tunnel in the
inbound direction. In other words, it is the aggregate
value of all inbound packets carried by all IPSec SAs
ever set up to support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 22 }
ipsecTunnelTotalOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled in the tunnel in the
outbound direction. In other words, it is the aggregate
value of all outbound packets carried by all IPSec SAs
ever set up to support the virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 23 }
ipsecTunnelDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to decryption errors in ESP.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 24 }
ipsecTunnelAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to authentication errors. This
includes hash failures in IPSec SA bundles using both ESP
and AH.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 25 }
ipsecTunnelReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to replay errors. This includes replay
failures in IPSec SA bundles using both ESP and AH.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 26 }
ipsecTunnelPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to policy errors. This includes errors
in all transforms if SA bundles are used.
Policy errors are due to the detection of a packet that
was inappropriately sent into this tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 27 }
ipsecTunnelOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to errors other than decryption,
authentication or replay errors. This may include packets
dropped due to a lack of receive buffers.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 28 }
ipsecTunnelSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets discarded by this
virtual tunnel due to any error. This may include packets
dropped due to a lack of transmit buffers.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current SAs
(ipsecTunnelCurrentSaNum) changes from 0 to 1."
::= { ipsecTunnelEntry 29 }
-- the IPSec SA MIB-Group
--
-- a collection of objects providing information about
-- IPSec SAs
ipsecSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
SAs."
::= { ipsec 3 }
ipsecSaEntry OBJECT-TYPE
SYNTAX IpsecSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec SA."
INDEX { ipsecSaIndex }
::= { ipsecSaTable 1 }
IpsecSaEntry ::= SEQUENCE {
ipsecSaIndex Integer32,
ipsecSaTunnel Integer32, -- index from ipsecTunnelTable
-- identification
ipsecSaInboundEspSpi INTEGER,
ipsecSaOutboundEspSpi INTEGER,
ipsecSaInboundAhSpi INTEGER,
ipsecSaOutboundAhSpi INTEGER,
ipsecSaInboundCompCpi INTEGER,
ipsecSaOutboundCompCpi INTEGER,
-- expiration limits
ipsecSaCreationTime DateAndTime,
ipsecSaTimeLimit Gauge32, -- seconds, 0 if none
ipsecSaTrafficLimit Gauge32, -- bytes, 0 if none
-- current operating statistics
ipsecSaInboundTraffic Counter64,
ipsecSaOutboundTraffic Counter64,
ipsecSaInboundPackets Counter32,
ipsecSaOutboundPackets Counter32,
-- error statistics
ipsecSaDecryptErrors Counter32,
ipsecSaAuthErrors Counter32,
ipsecSaReplayErrors Counter32,
ipsecSaOtherReceiveErrors Counter32,
ipsecSaSendErrors Counter32
}
ipsecSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each IPSec SA. It
is recommended that values are assigned contiguously
starting from 1."
::= { ipsecSaEntry 1 }
ipsecSaTunnel OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the index into the IPSec SA tunnel table
that this SA supports (ipsecTunnelIndex)."
::= { ipsecSaEntry 2 }
ipsecSaInboundEspSpi OBJECT-TYPE
SYNTAX INTEGER (1..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the inbound SA that provides
the ESP security service, or zero if ESP is not used."
::= { ipsecSaEntry 3 }
ipsecSaOutboundEspSpi OBJECT-TYPE
SYNTAX INTEGER (1..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the outbound SA that provides
the ESP security service, or zero if ESP is not used."
::= { ipsecSaEntry 4 }
ipsecSaInboundAhSpi OBJECT-TYPE
SYNTAX INTEGER (1..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the inbound SA that provides
the AH security service, or zero if AH is not used."
::= { ipsecSaEntry 5 }
ipsecSaOutboundAhSpi OBJECT-TYPE
SYNTAX INTEGER (1..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the outbound SA that provides
the AH security service, or zero if AH is not used."
::= { ipsecSaEntry 6 }
ipsecSaInboundCompCpi OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the CPI for the inbound SA that provides IP
compression, or zero if IPCOMP is not used."
::= { ipsecSaEntry 7 }
ipsecSaOutboundCompCpi OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the CPI for the outbound SA that provides
IP compression, or zero if IPCOMP is not used."
::= { ipsecSaEntry 8 }
ipsecSaCreationTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the current SA was set up."
::= { ipsecSaEntry 9 }
ipsecSaTimeLimit OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the SA, or 0 if there
is no time constraint on its expiration."
::= { ipsecSaEntry 10 }
ipsecSaTrafficLimit OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in 1024-byte blocks that the SA is
allowed to support, or 0 if there is no traffic
constraint on its expiration."
::= { ipsecSaEntry 11 }
ipsecSaInboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes handled by the SA
in the inbound direction."
::= { ipsecSaEntry 12 }
ipsecSaOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes handled by the SA
in the outbound direction."
::= { ipsecSaEntry 13 }
ipsecSaInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA in the inbound
direction."
::= { ipsecSaEntry 14 }
ipsecSaOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA in the outbound
direction."
::= { ipsecSaEntry 15 }
ipsecSaDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the SA due to
decryption errors."
::= { ipsecSaEntry 16 }
ipsecSaAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the SA due to
authentication errors. This includes hash failures in
both ESP and AH."
::= { ipsecSaEntry 17 }
ipsecSaReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the SA due to
replay errors. This includes replay failures in both ESP
and AH."
::= { ipsecSaEntry 18 }
ipsecSaOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the SA due to
errors other than decryption, authentication or replay
errors. This may include decompression errors or errors
due to a lack of receive buffers."
::= { ipsecSaEntry 19 }
ipsecSaSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets discarded by the SA due
to any error. This may include compression errors or
errors due to a lack of transmit buffers."
::= { ipsecSaEntry 20 }
-- the IPSec Entity MIB-Group
--
-- a collection of objects providing information about overall IPSec
-- status in the entity
--
-- Definitions of significant branches
--
ipsecTraps OBJECT IDENTIFIER ::= { ipsec 4 }
ipsecSaCounts OBJECT IDENTIFIER ::= { ipsec 5 }
ipsecPermTunStats OBJECT IDENTIFIER ::= { ipsec 6 }
ipsecTransTunStats OBJECT IDENTIFIER ::= { ipsec 7 }
ipsecNotifications OBJECT IDENTIFIER ::= { ipsec 8 }
ipsecErrorStats OBJECT IDENTIFIER ::= { ipsec 9 }
--
-- SA counts
--
ipsecTotalIkeSAs OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 SAs established by the
entity since boot time. It is not the total number of
tunnels established by the entity since boot time. It
does include SAs established to support both permanent
and transient tunnels."
::= { ipsecSaCounts 1 }
ipsecTotalIpsecSAs OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 SAs established by the
entity since boot time. It is not the total number of
IPSec virtual tunnels established by the entity since
boot time. It does include SAs established to support
permanent and transient tunnels.
It is recommended that SA bundles or security suites be
considered a single SA for the purposes of this
statistic."
::= { ipsecSaCounts 2 }
--
-- permanent tunnel statistics
--
ipsecCnfgPermIkeTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 tunnels in the entity that
are configured as permanent."
::= { ipsecPermTunStats 1 }
ipsecUpPermIkeTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 tunnels in the entity that
are configured as permanent and are up and available for
use."
::= { ipsecPermTunStats 2 }
ipsecCnfgPermIpsecTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 tunnels in the entity that
are configured as permanent."
::= { ipsecPermTunStats 3 }
ipsecUpPermIpsecTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 tunnels in the entity that
are configured as permanent and are up and available for
use."
::= { ipsecPermTunStats 4 }
--
-- transient tunnel counts
--
ipsecTotalTransIkeTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of transient phase 1 tunnels
established by the entity since boot time."
::= { ipsecTransTunStats 1 }
ipsecCurrentTransIkeTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of transient phase 1 tunnels in the entity
that are up and available for use at this moment in
time."
::= { ipsecTransTunStats 2 }
ipsecTotalTransIpsecTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of transient phase 2 tunnels
established by the entity since boot time."
::= { ipsecTransTunStats 3 }
ipsecCurrentTransIpsecTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of transient phase 2 tunnels in the entity that
are up and available for use at this moment in time."
::= { ipsecTransTunStats 4 }
--
-- transient SA traffic statistics
--
ipsecTotalTransInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets carried on transient
IPSec tunnels since boot time."
::= { ipsecTransTunStats 5 }
ipsecTotalTransOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets carried on
transient IPSec tunnels since boot time."
::= { ipsecTransTunStats 6 }
ipsecTotalTransInboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic carried on transient
IPSec tunnels since boot time, measured in 1024-octet
blocks."
::= { ipsecTransTunStats 7 }
ipsecTotalTransOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic carried on
transient IPSec tunnels since boot time, measured in
1024-octet blocks."
::= { ipsecTransTunStats 8 }
--
-- error counts
--
ipsecUnknownSpiErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with SPIs or CPIs that were not valid."
::= { ipsecErrorStats 1 }
ipsecIkeProtocolErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with IKE protocol errors.
This includes packets with invalid cookies, but does not
include errors that could be associated with specific IKE
SAs."
::= { ipsecErrorStats 2 }
ipsecIpsecAuthenticationErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with authentication errors in the IPSec SAs.
This includes all packets in which the hash value is
determined to be invalid."
::= { ipsecErrorStats 3 }
ipsecIpsecReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with replay errors in the IPSec SAs."
::= { ipsecErrorStats 4 }
ipsecIpsecPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time and discarded due to policy errors. This
includes packets that had selectors that were invalid for
the SA that carried them."
::= { ipsecErrorStats 5 }
-- the IPSec Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages
ipsecNotifyMessageTotalCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of all types of notify messages sent or
received by the entity since boot time.
It is the sum of all occurrences in the
'ipsecNotifyCountTable'."
::= { ipsecNotifications 1 }
ipsecNotifyCountTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecNotifyCountEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
notify message counts.
This table MAY be sparsely populated; that is, rows for
which the count is 0 may be absent."
::= { ipsecNotifications 2 }
ipsecNotifyCountEntry OBJECT-TYPE
SYNTAX IpsecNotifyCountEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the total number of
occurrences of a notify message."
INDEX { ipsecNotifyMessage }
::= { ipsecNotifyCountTable 1 }
IpsecNotifyCountEntry::= SEQUENCE {
ipsecNotifyMessage INTEGER,
ipsecNotifyMessageCount Counter32
}
ipsecNotifyMessage OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value representing a specific IPSec notify message,
or 0 if unknown.
Values are assigned from the set of notify message types
as defined in Section 3.14.1 of [ISAKMP]. In addition,
the value 0 may be used for this object when the object
is used as a trap cause, and the cause is unknown."
::= { ipsecNotifyCountEntry 1 }
ipsecNotifyMessageCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of times the specific notify message
has been received or sent by the entity since system
boot."
::= { ipsecNotifyCountEntry 2 }
--
-- traps
--
ipsecTrapPermIkeNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaIndex,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 1 SA for the specified
permanent IKE tunnel failed."
::= { ipsecTraps 1 }
ipsecTrapTransIkeNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress,
ipsecIkeSaPeerPortNumber,
ipsecIkeSaAuthMethod,
ipsecIkeSaPeerIdType,
ipsecIkeSaPeerId,
ipsecIkeSaPeerCertSerialNum,
ipsecIkeSaPeerCertIssuer,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 1 SA for a transient IKE
tunnel failed.
This trap is different from the
'ipsecTrapPermIkeNegFailure' trap, since this one will
likely result in the removal of this entry from the IKE
SA tunnel table."
::= { ipsecTraps 2 }
ipsecTrapInvalidCookie NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress,
ipsecIkeSaPeerPortNumber
}
STATUS current
DESCRIPTION
"IKE packets with invalid cookies were detected from the
specified peer.
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 3 }
ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaIndex,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 2 SA within the
specified IKE tunnel failed."
::= { ipsecTraps 4 }
ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
OBJECTS {
ipsecSaIndex
}
STATUS current
DESCRIPTION
"IPSec packets with invalid hashes were found in the
specified SA.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 5 }
ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
OBJECTS {
ipsecSaIndex
}
STATUS current
DESCRIPTION
"IPSec packets with invalid sequence numbers were found
in the specified SA.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 6 }
ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
OBJECTS {
ipsecSaIndex
}
STATUS current
DESCRIPTION
"IPSec packets carrying packets with invalid selectors
for the specified SA were found.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 7 }
ipsecTrapInvalidSpi NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress
}
STATUS current
DESCRIPTION
"ESP, AH or IPCOMP packets with unknown SPIs (or CPIs)
were detected from the specified peer.
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 8 }
END
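The per-SA counters ipsecSaDecryptErrors, ipsecSaAuthErrors and ipsecSaReplayErrors (ipsecSaEntry 16..18) are Counter32 objects, so a manager has to difference successive polls and allow for wrap, and the trap definitions ask for at most one notification per SA within a reasonable period. The following is an added example, not code from the draft: it parses constructed walk lines for those three columns, computes wrap-safe deltas, and applies that per-SA suppression; the walk-line format, the 300-second hold time and the sample values are assumptions.

```python
from collections import defaultdict

# ipsecSaEntry columns from the MIB: 16 decrypt, 17 auth, 18 replay errors.
ERROR_COLUMNS = {16: "decrypt", 17: "auth", 18: "replay"}
COUNTER32_MOD = 1 << 32

def parse_walk(lines):
    """Parse constructed walk lines of the (assumed) form
    'ipsecSaEntry.<column>.<ipsecSaIndex> = Counter32: <n>' into
    {sa_index: {error_type: value}}; columns other than 16..18 are ignored."""
    table = defaultdict(dict)
    for line in lines:
        oid, _, value = line.partition(" = ")
        _, column, sa_index = oid.rsplit(".", 2)
        if int(column) in ERROR_COLUMNS:
            name = ERROR_COLUMNS[int(column)]
            table[int(sa_index)][name] = int(value.split(":")[-1])
    return dict(table)

def counter32_delta(old, new):
    """Counter32 wraps at 2**32, so a smaller 'new' means a wrap, not a reset."""
    return (new - old) % COUNTER32_MOD

class SaErrorMonitor:
    """Differences two polls of the SA error counters and emits at most one
    alert per (SA, error type) within hold_seconds, the same suppression the
    draft asks of ipsecTrapIpsecAuthFailure and ipsecTrapIpsecReplayFailure."""

    def __init__(self, hold_seconds=300):
        self.hold_seconds = hold_seconds
        self.last_alert = {}    # (sa_index, error_type) -> time of last alert
        self.previous = None    # table from the previous poll

    def poll(self, table, now):
        alerts = []
        if self.previous is not None:
            for sa_index, counters in table.items():
                old = self.previous.get(sa_index, {})
                for error_type, value in counters.items():
                    if error_type not in old:
                        continue        # no baseline yet for a new SA
                    delta = counter32_delta(old[error_type], value)
                    key = (sa_index, error_type)
                    last = self.last_alert.get(key)
                    if delta and (last is None or now - last >= self.hold_seconds):
                        self.last_alert[key] = now
                        alerts.append((sa_index, error_type, delta))
        self.previous = table
        return alerts

# Constructed polls; SA 1's replay counter sits just below 2**32 and wraps.
POLL_1 = ["ipsecSaEntry.16.1 = Counter32: 0",
          "ipsecSaEntry.17.1 = Counter32: 4",
          "ipsecSaEntry.18.1 = Counter32: 4294967290",
          "ipsecSaEntry.17.2 = Counter32: 0"]
POLL_2 = ["ipsecSaEntry.16.1 = Counter32: 0",
          "ipsecSaEntry.17.1 = Counter32: 9",
          "ipsecSaEntry.18.1 = Counter32: 3",
          "ipsecSaEntry.17.2 = Counter32: 0",
          "ipsecSaEntry.17.3 = Counter32: 7"]   # SA 3 appeared between polls
POLL_3 = ["ipsecSaEntry.17.1 = Counter32: 12",
          "ipsecSaEntry.18.1 = Counter32: 3"]

def demo():
    """Three polls 60 s apart; returns the alert list produced by each."""
    monitor = SaErrorMonitor(hold_seconds=300)
    return [monitor.poll(parse_walk(POLL_1), now=0),
            monitor.poll(parse_walk(POLL_2), now=60),
            monitor.poll(parse_walk(POLL_3), now=120)]

if __name__ == "__main__":
    for number, alerts in enumerate(demo(), 1):
        print("poll", number, alerts)
```

The third poll shows the suppression at work: SA 1's authentication errors are still rising, but the alert raised 60 seconds earlier holds it back.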
6. Security Considerations
This MIB contains readable objects whose values provide information
related to IPSec virtual tunnels. There are no objects with
MAX-ACCESS clauses of read-write or read-create.
While unauthorized access to the readable objects is relatively
innocuous, unauthorized access to those objects through an insecure
channel can provide attackers with more information about a system
than an administrator may desire.
7. Acknowledgements
Portions of this document's origins are based on the working paper
"IP Security Management Information Base" by R. Thayer and U.
Blumenthal.
Significant contribution to this document comes from Charles Brooks
and Carl Powell, both of GTE Internetworking. Additional
contributions came from J. Walker, S. Kelly and M. Richardson.
Additionally, thanks are extended to Gabriella Dinescu for assistance
in the preparation of the MIB structures.
8. References
[IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt, work in
progress.
[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt, work
in progress.
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol
(ISAKMP)", draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
progress.
[IPTun] Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-
02.txt, work in progress.
[IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
using SMIv2", RFC 2233.
[1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Structure of Management Information for version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1902,
January 1996.
[2271] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2271, January
1998.
[1155] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", RFC 1155,
May 1990.
[1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
1212, March 1991.
[1215] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Textual Conventions for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1903,
January 1996.
[1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Conformance Statements for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1904,
January 1996.
[1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", RFC 1157, May 1990.
[1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Introduction to Community-based SNMPv2", RFC
1901, January 1996.
[1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Transport Mappings for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1906,
January 1996.
[2272] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2272, January 1998.
[2274] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2274, January 1998.
[1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Protocol Operations for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1905,
January 1996.
[2273] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
RFC 2273, January 1998.
[2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2275, January 1998.
9. Appendix A
This appendix reproduces the assigned numbers from the referenced
IPSec documents that are used in the MIB. They are to be used as a
reference only and are not part of this specification. As the IPSec
protocol evolves, this list is almost certain to become incomplete.
Portions are blatantly copied from [IKE],[IPDOI] and [ISAKMP].
ipsecIkeSaEncAlg - Encryption Algorithm
DES-CBC 1
IDEA-CBC 2
Blowfish-CBC 3
RC5-R16-B64-CBC 4
3DES-CBC 5
CAST-CBC 6
DES40-CBC 65001
ipsecIkeSaPeerIdType
ID Type Value
------- -----
RESERVED 0
ID_IPV4_ADDR 1
ID_FQDN 2
ID_USER_FQDN 3
ID_IPV4_ADDR_SUBNET 4
ID_IPV6_ADDR 5
ID_IPV6_ADDR_SUBNET 6
ID_IPV4_ADDR_RANGE 7
ID_IPV6_ADDR_RANGE 8
ID_DER_ASN1_DN 9
ID_DER_ASN1_GN 10
ID_KEY_ID 11
ipsecIkeSaHashAlg - Hash Algorithm
MD5 1
SHA 2
Tiger 3
ipsecIkeSaAuthMethod - Authentication Method
pre-shared key 1
DSS signatures 2
RSA signatures 3
Encryption with RSA 4
Revised encryption with RSA 5
ipsecIkeSaDifHelGroupDesc - Group Description
default 768-bit MODP group 1
alternate 1024-bit MODP group 2
EC2N group on GP[2^155] 3
EC2N group on GP[2^185] 4
ipsecIkeSaDifHelGroupType - Group Type
MODP (modular exponentiation group) 1
ECP (elliptic curve group over GF[P]) 2
EC2N (elliptic curve group over GF[2^N]) 3
ipsecTunnelEspEncAlg
Transform ID Value
------------ -----
RESERVED 0
ESP_DES_IV64 1
ESP_DES 2
ESP_3DES 3
ESP_RC5 4
ESP_IDEA 5
ESP_CAST 6
ESP_BLOWFISH 7
ESP_3IDEA 8
ESP_DES_IV32 9
ESP_RC4 10
ESP_NULL 11
ESP_DES40 249
ipsecTunnelEspAuthAlg - Authentication Algorithm
RESERVED 0
HMAC-MD5 1
HMAC-SHA 2
DES-MAC 3
KPDK 4
ipsecTunnelAhAuthAlg
Transform ID Value
------------ -----
RESERVED 0-1
AH_MD5 2
AH_SHA 3
AH_DES 4
ipsecTunnelCompAlg
Transform ID Value
------------ -----
RESERVED 0
IPCOMP_OUI 1
IPCOMP_DEFLATE 2
IPCOMP_LZS 3
IPCOMP_V42BIS 4
NOTIFY MESSAGES - ERROR TYPES
Errors                         Value
------                         -----
INVALID-PAYLOAD-TYPE           1
DOI-NOT-SUPPORTED              2
SITUATION-NOT-SUPPORTED        3
INVALID-COOKIE                 4
INVALID-MAJOR-VERSION          5
INVALID-MINOR-VERSION          6
INVALID-EXCHANGE-TYPE          7
INVALID-FLAGS                  8
INVALID-MESSAGE-ID             9
INVALID-PROTOCOL-ID            10
INVALID-SPI                    11
INVALID-TRANSFORM-ID           12
ATTRIBUTES-NOT-SUPPORTED       13
NO-PROPOSAL-CHOSEN             14
BAD-PROPOSAL-SYNTAX            15
PAYLOAD-MALFORMED              16
INVALID-KEY-INFORMATION        17
INVALID-ID-INFORMATION         18
INVALID-CERT-ENCODING          19
INVALID-CERTIFICATE            20
CERT-TYPE-UNSUPPORTED          21
INVALID-CERT-AUTHORITY         22
INVALID-HASH-INFORMATION       23
AUTHENTICATION-FAILED          24
INVALID-SIGNATURE              25
ADDRESS-NOTIFICATION           26
NOTIFY-SA-LIFETIME             27
CERTIFICATE-UNAVAILABLE        28
UNSUPPORTED-EXCHANGE-TYPE      29
UNEQUAL-PAYLOAD-LENGTHS        30
RESERVED (Future Use)          31 - 8191
Private Use                    8192 - 16383
NOTIFY MESSAGES - STATUS TYPES
Status                         Value
------                         -----
CONNECTED                      16384
RESERVED (Future Use)          16385 - 24575
DOI-specific codes             24576 - 32767
Private Use                    32768 - 40959
RESERVED (Future Use)          40960 - 65535
Notify Messages - Status Types Value
------------------------------ -----
RESPONDER-LIFETIME             24576
REPLAY-STATUS                  24577
INITIAL-CONTACT                24578
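A manager reading ipsecNotifyCountTable gets back bare ipsecNotifyMessage integers, which it has to map onto the assigned numbers above, and the draft states that ipsecNotifyMessageTotalCount is the sum of that (possibly sparse) table. The following is an added example, not part of the draft: it names a value using the Appendix A tables, classifies the unnamed ranges, and checks the table against the total; the sample rows and total are constructed.

```python
# Notify message values reproduced in Appendix A from [ISAKMP] and [IPDOI].
ERROR_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}
STATUS_TYPES = {16384: "CONNECTED", 24576: "RESPONDER-LIFETIME",
                24577: "REPLAY-STATUS", 24578: "INITIAL-CONTACT"}
# (low, high, label) for the ranges Appendix A leaves without individual names.
RANGES = [(31, 8191, "RESERVED (error)"), (8192, 16383, "Private Use (error)"),
          (16385, 24575, "RESERVED (status)"), (24576, 32767, "DOI-specific (status)"),
          (32768, 40959, "Private Use (status)"), (40960, 65535, "RESERVED (status)")]

def notify_name(value):
    """Name for an ipsecNotifyMessage value; 0 is the MIB's 'unknown' marker."""
    if not 0 <= value <= 65535:
        raise ValueError("ipsecNotifyMessage is INTEGER (0..65535)")
    if value == 0:
        return "UNKNOWN"
    if value in ERROR_TYPES:
        return ERROR_TYPES[value]
    if value in STATUS_TYPES:
        return STATUS_TYPES[value]
    for low, high, label in RANGES:
        if low <= value <= high:
            return label
    raise AssertionError("unreachable: RANGES covers every remaining value")

def is_error_type(value):
    """Error types occupy 1..16383, status types 16384..65535 (Appendix A)."""
    return 1 <= value <= 16383

def summarize(rows, total_count):
    """rows: {ipsecNotifyMessage: ipsecNotifyMessageCount} as read from the
    sparse ipsecNotifyCountTable (zero-count rows may be absent).  Returns
    (error rows, status rows) as (value, name, count) tuples and whether their
    sum matches ipsecNotifyMessageTotalCount as the draft requires."""
    named = [(v, notify_name(v), n) for v, n in sorted(rows.items())]
    errors = [row for row in named if is_error_type(row[0])]
    status = [row for row in named if not is_error_type(row[0])]
    return errors, status, sum(rows.values()) == total_count

# Constructed table rows and total, as an agent might return them.
SAMPLE_ROWS = {4: 12, 14: 3, 24: 7, 24578: 5, 9000: 1}
SAMPLE_TOTAL = 28

if __name__ == "__main__":
    for row in summarize(SAMPLE_ROWS, SAMPLE_TOTAL)[0]:
        print(*row)
```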
Editor's Address
Tim Jenkins
tjenkins@timestep.com
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON
Canada
K2K 2P5
+1 (613) 599-3610
The IPSec working group can be contacted via the IPSec working
group's mailing list (ipsec@tis.com) or through its chairs:
Robert Moskowitz
rgm@icsa.net
International Computer Security Association
Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology