Internet Engineering Task Force Tim Jenkins
IP Security Working Group TimeStep Corporation
Internet Draft November 30, 1998
IPSec Monitoring MIB
<draft-ietf-ipsec-mib-03.txt>
Status of this Memo
This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@tis.com) or to the editor.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited.
Copyright Notice
This document is a product of the IETF's IPSec Working Group.
Copyright (C) The Internet Society (1998). All Rights Reserved.
IPSec Working Group [Page 1]
Internet Draft IPSec Monitoring MIB November 1998
Table of Contents
1. Introduction 2
2. The SNMPv2 Network Management Framework 3
2.1 Object Definitions 4
3. IPSec MIB Objects Architecture 4
3.1 Tunnel MIB and Interface MIB Consideration 5
3.2 MIB Concepts 5
3.2.1 Transient Channels and Tunnels 5
3.2.2 Permanent Channels and Tunnels 6
3.2.3 IKE SAs and Control Channels 6
3.2.4 IPSec SAs and IPSec Virtual Tunnels 7
3.3 MIB Tables 9
3.4 Static IPSec SA and Protection Suite Use 10
3.5 Asymmetric Use 10
3.6 Notify Messages 12
3.7 IPSec MIB Traps 12
3.8 IPSec Entity Level Objects 12
4. MIB Definitions 13
5. Security Considerations 57
6. Acknowledgements 58
7. References 58
8. Revision History 60
9. Appendix A 61
1. Introduction
This document defines monitoring and status MIBs for IPSec. It does
not define MIBs that may be used for configuring IPSec
implementations or for providing low-level diagnostic or debugging
information. Further, it does not provide policy information. Those
MIBs may be defined in later versions of this document or in other
documents.
The purpose of the MIBs is to allow system administrators to
determine operating conditions and perform system operational level
monitoring of the IPSec portion of their network. Statistics are
provided as well.
The IPSec MIB definitions use a virtual tunnel model in which tunnels
may be configured as permanent or transient. The virtual tunnel model
is used so that IPSec can be viewed from a virtual private networking
(VPN) point of view. This allows users of IPSec based products to get
similar monitoring and statistical information from
an IPSec based VPN as they would from a VPN based on other
technologies, such as Frame Relay.
Finally, the objects defined perhaps represent a somewhat simplified
view of security associations. This is done for the purposes of
expediency and for simplification of presentation. Also, some
information about SAs has been intentionally left out to reduce the
security risk if SNMP traffic becomes compromised.
2. The SNMPv2 Network Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2271 [2271].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in
RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
version, called SMIv2, is described in RFC 1902 [1902],
RFC 1903 [1903] and RFC 1904 [1904].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in RFC 1157 [1157]. A second version of the SNMP message
protocol, which is not an Internet standards track protocol, is
called SNMPv2c and described in RFC 1901 [1901] and
RFC 1906 [1906]. The third version of the message protocol is
called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
and RFC 2274 [2274].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in RFC 1157 [1157]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [1905].
o A set of fundamental applications described in RFC 2273 [2273]
and the view-based access control mechanism described in
RFC 2275 [2275].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
2.1 Object Definitions
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the subset of Abstract Syntax Notation One (ASN.1)
defined in the SMI. In particular, each object type is named by an
OBJECT IDENTIFIER, an administratively assigned name. The object type
together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience, we often
use a textual string, termed the descriptor, to refer to the object
type.
3. IPSec MIB Objects Architecture
The IPSec MIB provides information related to both phase 1 (or
Internet Key Exchange (IKE)) security associations (SAs) and phase 2
(or IPSec) SAs. Configuration information about the SAs is provided,
as are statistics related to the SAs themselves.
Since one of the uses of IPSec implementations is to provide Virtual
Private Network (VPN) services comparable to those of other private
network services such as leased lines or frame relay networks, there
is a need to provide the same type of monitoring capability.
To support this, the concept of virtual tunnels is developed.
Additionally, the concept of transient and permanent tunnels is also
developed.
Additionally, since IPSec itself has many structures, and because VPN
service providers may be interested in different kinds of statistics,
the MIB provides a number of aggregate totals. These totals are
provided to allow system administrators to take snapshots of system
behaviour without excessive SNMP traffic on the network.
3.1 Tunnel MIB and Interface MIB Consideration
It should be noted that the MIBs here are not extensions of the
Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach
was rejected for a number of reasons, including:
o The types of parameters required for those MIBs are not
appropriate for IPSec MIBs.
The parameters required for IPSec tunnels are related to security
services and statistics associated with handling those services.
There are no parameters of that kind associated with the Tunnel MIB.
o The virtual tunnels created by IPSec SAs may be independent of
other logical interfaces; this is an implementation issue.
The IPSec layer may be placed in a number of locations on the host
implementation. These locations may be above the IP layer, within the
IP layer, or just below it. Therefore, the mapping of the IPSec
virtual tunnels to tunnels described by the tunnel MIB is
implementation dependent.
o The tunnel end point definitions are not the same as those used by
the tunnel MIB.
The Tunnel MIB uniquely defines tunnels by a simple source and
destination IP address pair. This is only a specific subset of the
identifiers needed for IPSec virtual tunnels.
3.2 MIB Concepts
There are four concepts needed to describe the structure of the MIB.
These concepts are the IKE control channel, the IKE SAs, the IPSec
virtual tunnel and the IPSec protection suite. IPSec SAs are
considered a subset of protection suites.
Also important in this document are the concepts of permanence and
transience.
3.2.1 Transient Channels and Tunnels
Transient channels and tunnels are made up of SAs and protection
suites that normally go up and down, such as those created by a dial-
in client implementation. Additionally, these SAs and protection
suites are prone to being torn down in an impolite manner. As an
example, system administrators typically do not want to have alarms
going off when these SAs and protection suites are torn down because
an end user disconnected his or her modem before performing a normal
dial-up networking shut down.
By necessity, this applies to both the IKE control channels and the
IPSec tunnels created by them.
3.2.2 Permanent Channels and Tunnels
Permanent channels and tunnels are made up of SAs and protection
suites that a system administrator considers of significant
importance in a VPN implementation. These SAs and protection suites
would typically be from one IPSec gateway to another and be used as
the link between two corporate networks. As such, the network
administrator would want alarms to go off when one of these virtual
tunnels goes down under any circumstance.
How implementations specify which tunnels are permanent versus
transient is implementation dependent, and therefore beyond the scope
of this document.
3.2.3 IKE SAs and Control Channels
Phase 1 or IKE SAs as negotiated by IKE are presented in a table.
Individual SAs are represented in part by a row from the IKE SA
table.
Each row is uniquely identified by its cookies. Also included is SA
state information, connection information, security information,
expiration information and traffic statistics.
Other information, such as the security provided by the SAs, is
included in a control channel table row.
An explanation of the use of control channels follows.
The primary use of phase 1 SAs is to allow host implementations to
exchange keying material for phase 2 negotiations and to perform
IPSec SA and protection suite management. Additionally,
implementations may also use this channel to perform other functions,
such as peer configuration. Since the host implementation, at a high
level, does not necessarily care which particular phase 1 SA it uses
to perform these functions, the concept of an IKE control channel is
introduced as a logical entity to indicate the virtual channel
created by the existence of phase 1 SAs established between two
peers.
The need for this abstraction is also in part due to the ability of
IPSec SAs and protection suites to exist beyond the expiration of the
IKE SA that created them.
Control channels appear in their own table, and each row describes a
single control channel, to which multiple phase 1 SAs may be
logically attached.
The IKE control channel is uniquely identified by the IDs at each
end, since it is a logical peer to peer communications channel. It
contains information common to all phase 1 SAs that create it, and
aggregate statistics for those phase 1 SAs. Additionally, it contains
aggregate statistics for all phase 2 SAs created by it. Finally, it
contains the information related to the authentication of the peer
that negotiated the phase 1 SAs with it. This includes certificate
information, specifically the issuer name and serial, even though it
is meaningless in pre-shared key authentication mode. This is due to
the importance of this information in many VPN implementations. The
distinguished name of the certificate is not provided; it may be the
ID used for phase 1 negotiation. If the ID used for phase 1
negotiation is not the certificate's distinguished name, it should be
one of the alternate names encoded in the certificate.
Note that since the security service provided by the phase 1 SAs
appears in the IKE SA table, implementations may allow a single
control channel to provide multiple security services. There is no
requirement that implementations support this.
Phase 1 control channels may be transient or permanent. A transient
control channel disappears from the table when it goes down; a
permanent control channel does not. The status of a permanent control
channel can be determined by the number of active phase 1 SAs
attached to it.
It is recommended that implementations place permanent control
channels in the table before all transient control channels, and that
the order of permanent control channels displayed in the table does
not change.
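To make the control channel behaviour above concrete, here is an added Python model (not code from the draft) of an ipsecIkeConChanTable implementation: phase 1 SAs are attached to the channel between a pair of IDs, their IKE traffic is aggregated on the row, a transient row disappears when its last SA expires, a permanent row stays with its counters intact and reports "down" through its active SA count, and the table is walked with permanent channels first. The class and function names are assumptions made for illustration.

```python
"""Model of ipsecIkeConChanTable row behaviour described in section 3.2.3.
Added example, not code from the draft; class and function names are
assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Values of ipsecIkeConChanType in the MIB module
TRANSIENT = 1
PERMANENT = 2

ChannelKey = Tuple[bytes, bytes]  # (local ID, peer ID) identifies a channel


@dataclass
class IkeSa:
    """One phase 1 SA; ipsecIkeSaTable rows are identified by their cookies."""
    initiator_cookie: bytes
    responder_cookie: bytes
    active: bool = True


@dataclass
class ConChanRow:
    """Subset of the columns of an ipsecIkeConChanEntry."""
    index: int                 # ipsecIkeConChanIndex, constant for the row's life
    local_id: bytes            # ipsecIkeConChanLocalId
    peer_id: bytes             # ipsecIkeConChanPeerId
    chan_type: int             # ipsecIkeConChanType
    current_sa_num: int = 0    # ipsecIkeConChanCurrentSaNum
    total_sa_num: int = 0      # ipsecIkeConChanTotalSaNum (never decremented)
    inbound_traffic: int = 0   # ipsecIkeConChanInboundTraffic, bytes
    outbound_traffic: int = 0  # ipsecIkeConChanOutboundTraffic, bytes
    sas: List[IkeSa] = field(default_factory=list)


class ConChanTable:
    """Rows keyed by (local ID, peer ID); indices are never reused."""

    def __init__(self) -> None:
        self.rows: Dict[ChannelKey, ConChanRow] = {}
        self._next_index = 1

    def _new_row(self, key: ChannelKey, chan_type: int) -> ConChanRow:
        row = ConChanRow(self._next_index, key[0], key[1], chan_type)
        self._next_index += 1
        self.rows[key] = row
        return row

    def configure_permanent(self, local_id: bytes, peer_id: bytes) -> ConChanRow:
        """Permanent channels are configured by the administrator and are in
        the table even before any phase 1 SA has been negotiated."""
        key = (local_id, peer_id)
        return self.rows.get(key) or self._new_row(key, PERMANENT)

    def attach_sa(self, local_id: bytes, peer_id: bytes, sa: IkeSa) -> ConChanRow:
        """A newly established phase 1 SA joins the channel between these IDs;
        a transient row is created on demand."""
        key = (local_id, peer_id)
        row = self.rows.get(key) or self._new_row(key, TRANSIENT)
        row.sas.append(sa)
        row.current_sa_num += 1
        row.total_sa_num += 1
        return row

    def account(self, row: ConChanRow, inbound: int, outbound: int) -> None:
        """IKE traffic carried by any of the channel's SAs is aggregated on the row."""
        row.inbound_traffic += inbound
        row.outbound_traffic += outbound

    def expire_sa(self, local_id: bytes, peer_id: bytes, sa: IkeSa) -> bool:
        """Returns True if the row is still present after the SA is gone."""
        key = (local_id, peer_id)
        row = self.rows[key]
        sa.active = False
        row.sas.remove(sa)
        row.current_sa_num -= 1
        if row.current_sa_num == 0 and row.chan_type == TRANSIENT:
            del self.rows[key]   # transient channels disappear when down
            return False
        return True              # permanent rows stay; counters are not reset

    def walk(self) -> List[ConChanRow]:
        """Order recommended by the draft: permanent channels first, then
        transient ones; index order keeps the permanent rows stable."""
        return sorted(self.rows.values(),
                      key=lambda r: (r.chan_type != PERMANENT, r.index))

    def is_down(self, row: ConChanRow) -> bool:
        """For a permanent channel, 0 active SAs means never tried or down."""
        return row.chan_type == PERMANENT and row.current_sa_num == 0
```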
3.2.4 IPSec SAs and IPSec Virtual Tunnels
IPSec SAs created between peers are identified by the peer IP
address, the SPI (CPI for IPCOMP) and the service provided by the SA.
In this document, the term service refers to one of IPCOMP, ESP and
AH. These are often referred to as security services; the concept is
generalized somewhat in this document since IPCOMP is not technically
a "security" service.
Further, in this document, IPSec SAs are considered a subset of
protection suites, and as such, appear in the IPSec protection suite
table. IPSec protection suites are as defined by [ISAKMP]. These are
multiple services that are negotiated in a single quick mode
exchange. Of the result, [ISAKMP] states: "All of the protections in
a suite must be treated as a single unit." For this reason, the
protection suites as presented in the MIB all assume that all
services in the protection suite live and die at the same time. Also
in this document, an IPSec SA is effectively a protection suite that
provides only a single service.
When multiple services are provided in a protection suite, the order
is implicit, based on statements found in [ARCH] and [IPCOMP]. The
order assumed is IPCOMP before ESP before AH. However, since the
order is implicit, implementations are free to choose different
orders; this cannot be shown in the MIB.
Some implementations may create SA bundles by the separate
negotiation of different services. In these cases, the separately
negotiated SAs or suites should appear on separate lines of the
protection suite table. In these cases, the MIB does not show the
order of application of the services in the bundle.
Virtual IPSec tunnels are created by the existence of IPSec SAs and
protection suites, either statically created, or created by IKE. The
tunnel concept comes from the effect of services on packets that are
handled by protection suites. As a packet encounters an IPSec
implementation, either in a security gateway or as a layer in a
protocol stack, a policy decision causes the packet to be handed to a
protection suite for processing.
The protection suite then performs a service (including possibly
compression) on the packet, then adds at least one new header and
sends the packet into the normal IP stream for routing. (The only
time no header is added is when the only service provided by the
protection suite is compression, it is a transport mode protection
suite, and the packet is not compressible.)
When the secured (and possibly compressed) packet arrives at its
destination, the peer IPSec implementation removes the added header
or headers and reverse processes the packet. Another policy lookup is
then done to make sure the packet was appropriately handled by the
sending peer.
Since the original packet is conceptually "hidden" between the two
IPSec implementations, it can be considered tunneled. To help
conceptually, if ESP could be negotiated with no encryption and no
authentication, it would provide services very similar to IP-in-IP.
The specific protection suite chosen by the policy lookup is based on
what are called the selectors. The selectors are the packet's source
IP address, its destination IP address, its layer 4 protocol and its
layer 4 protocol source and destination port numbers. The policy
system uses this information to assign the packet to a protection
suite for handling.
Since it is irrelevant to the packet which specific protection suite
provided the services, and since all protection suites with the same
selectors normally provide the same service, the existence of any and
all protection suites assigned to the selector effectively creates a
tunnel for the packets.
In other words, the tunnel created by the protection suites is
identified by the selectors used to assign the security services to
the packet. The selectors are explained in detail in [SECARCH].
3.3 MIB Tables
The MIB uses four tables that are linked as shown in the example in
Figure 3-1. Here, the four tables are the IKE control channel table,
the IKE SA table, the IPSec virtual tunnel table and the IPSec
protection suite table.
The IKE control channel table is shown with two entries. Both have
two active phase 1 SAs that support each of them. The first also has
created two IPSec tunnels, each supported by two IPSec protection
suites numbered 1 and 6, and 2 and 5 respectively. The second IKE
channel has a single IPSec tunnel, which is supported by two IPSec
protection suites, numbered 3 and 4.
A different diagram that is intended to show the tunnels that exist
between two IPSec gateways is shown in Figure 3-2. Two host groups
each are shown behind the IPSec gateways. Shown are the IKE control
channel between the gateways and four possible IPSec virtual tunnels.
The control channel has two active phase 1 SAs. Of the four possible
virtual tunnels, one is shown with two IPSec SAs in it. One of these
SAs may be just about to expire, while the other may have been
created in anticipation of the expiration of the first. These SAs are
the SAs that provide the service, supporting the existence of the
tunnel.
ipsecIkeContChanTable -information and statistics on the IKE
Con. Chan. 1 <---+ control channel
Con. Chan. 2 <-+ | -aggregate information about IKE SAs
| | -aggregate information about IPSec tunnels
| |
| | ipsecIkeSaTable -information on specific
| +-- IKE SA 1 phase 1 SAs
+-|-- IKE SA 2
+-|-- IKE SA 3
| +-- IKE SA 4
/ /
| |
| |<- only if IPSec protection suites are not static
| |
| | ipsecTunnelTable -information and statistics on
| +- IPSec Tunnel 1 <---+ the IPSec virtual tunnels
| +- IPSec Tunnel 2 <--+|
+--- IPSec Tunnel 3 <-+||
|||
||| ipsecSaTable -information on
||+- IPSec PS 1 specific IPSec
|+|- IPSec PS 2 protection suites
+||- IPSec PS 3
+||- IPSec PS 4
+|- IPSec PS 5
+- IPSec PS 6
PS - Protection Suite
Figure 3-1 IPSec Monitoring MIB Structure
3.4 Static IPSec SA and Protection Suite Use
IPSec protection suites and SAs that are statically keyed do not
point back to IKE control channel table entries.
Implementations that do not use IKE at all will create empty phase 1
tables.
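The tunnel model of sections 3.2.4, 3.3 and 3.4, as an added Python example that is not code from the draft: protection suites are grouped into virtual tunnel rows by their selectors, each suite lists its services in the implicit IPCOMP, ESP, AH order, statically keyed suites carry no control channel index, and when a transient tunnel loses its last suite its per-tunnel counters are folded into entity level totals (section 3.8) before the row is dropped. The selector tuple layout, the class names and the entity level counters are assumptions made for illustration.

```python
"""Model of how protection suites form IPSec virtual tunnels.  Added
example, not code from the draft; names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Services a protection suite may provide, in the implicit order the draft
# assumes they are applied: IPCOMP before ESP before AH.
IPCOMP, ESP, AH = "IPCOMP", "ESP", "AH"
SERVICE_ORDER = {IPCOMP: 0, ESP: 1, AH: 2}

# Selectors identify a tunnel: (src IP, dst IP, L4 protocol, src port, dst port)
Selectors = Tuple[str, str, int, int, int]


@dataclass
class ProtectionSuite:
    """One row of the protection suite table.  A suite providing a single
    service is an IPSec SA; a statically keyed suite has no control channel."""
    peer: str
    spis: Dict[str, int]            # service -> SPI (CPI for IPCOMP)
    selectors: Selectors
    con_chan_index: Optional[int]   # ipsecIkeConChanIndex, or None if static
    in_bytes: int = 0
    out_bytes: int = 0

    def services(self) -> List[str]:
        """Services in the order the MIB presents them."""
        return sorted(self.spis, key=SERVICE_ORDER.__getitem__)


@dataclass
class TunnelRow:
    """Row of the virtual tunnel table, identified by its selectors."""
    selectors: Selectors
    permanent: bool
    suites: List[ProtectionSuite] = field(default_factory=list)
    in_bytes: int = 0   # aggregate over every suite that ever served the tunnel
    out_bytes: int = 0


class IpsecTunnelTable:
    def __init__(self, permanent: List[Selectors]) -> None:
        # Permanent tunnels are configured and stay in the table even when down.
        self.tunnels: Dict[Selectors, TunnelRow] = {
            s: TunnelRow(s, True) for s in permanent}
        # Entity level totals (section 3.8) that survive transient tunnel removal.
        self.entity_transient_in = 0
        self.entity_transient_out = 0

    def add_suite(self, ps: ProtectionSuite) -> TunnelRow:
        """Every suite with a given set of selectors belongs to that tunnel;
        a transient tunnel row appears together with its first suite."""
        row = self.tunnels.get(ps.selectors)
        if row is None:
            row = TunnelRow(ps.selectors, False)
            self.tunnels[ps.selectors] = row
        row.suites.append(ps)
        return row

    def account(self, ps: ProtectionSuite, inbound: int, outbound: int) -> None:
        """Traffic is counted on the suite and aggregated on its tunnel."""
        ps.in_bytes += inbound
        ps.out_bytes += outbound
        row = self.tunnels[ps.selectors]
        row.in_bytes += inbound
        row.out_bytes += outbound

    def remove_suite(self, ps: ProtectionSuite) -> bool:
        """Returns True if the tunnel row is still present afterwards."""
        row = self.tunnels[ps.selectors]
        row.suites.remove(ps)
        if row.suites or row.permanent:
            return True
        # A transient tunnel goes away with its last suite; its per-tunnel
        # counters would be lost, so fold them into the entity level totals.
        self.entity_transient_in += row.in_bytes
        self.entity_transient_out += row.out_bytes
        del self.tunnels[ps.selectors]
        return False

    def suites_for_channel(self, index: int) -> List[ProtectionSuite]:
        """Suites negotiated over a given IKE control channel.  Static suites
        do not point back to a channel and are therefore never returned."""
        return [ps for row in self.tunnels.values() for ps in row.suites
                if ps.con_chan_index == index]

    def is_down(self, selectors: Selectors) -> bool:
        """A permanent tunnel with no suites is down (or was never tried)."""
        row = self.tunnels.get(selectors)
        return row is not None and row.permanent and not row.suites
```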
3.5 Asymmetric Use
This MIB is defined assuming symmetric use of SAs and protection
suites. That is to say that it assumes that an inbound SA is always
set up with a corresponding outbound SA that provides the same
security service.
+----------------------------+
| IKE (control channel) |
| +---------------------+ |
| | IKE SA 1 | |
| +---------------------+ |
| +---------------------+ |
| | IKE SA 2 | |
| +---------------------+ |
+----------------------------+
^ ^
| | <- aggregate IPSec statistics
| |
H11 -| +----+ | | +----+ |- H21
| | | | | |
|----| G1 |-------------------------| G2 |------|
| | | | | |
H12 -| +----+ | | +----+ |- H22
| |
| |
+-----------------------------------------+
| H11 to H21 (data tunnel) | <- aggregate
| +-------------------------------------+ | PS statistics
| | IPSec PS with H11 and H21 selectors | | for H11-H21
| +-------------------------------------+ |
| +-------------------------------------+ |
| | IPSec PS with H11 and H21 selectors | |
| +-------------------------------------+ |
+-----------------------------------------+
| |
+-----------------------------------------+
| H11 to H22 (data tunnel) | <- aggregate
+-----------------------------------------+ PS statistics
| | for H11-H22
+-----------------------------------------+
| H12 to H21 (data tunnel) | <- aggregate
+-----------------------------------------+ PS statistics
| | for H12-H21
+-----------------------------------------+
| H12 to H22 (data tunnel) | <- aggregate
+-----------------------------------------+ PS statistics
| | for H12-H22
+--+
PS - Protection Suite
Figure 3-2 Illustration of IPSec Tunnels
In cases where this MIB is required for asymmetric use, the
corresponding objects that describe the unused direction may be set
to the equivalent of the unknown or zero state.
3.6 Notify Messages
Notify messages sent from peer to peer are not necessarily sent as
traps. However, they are collected as they occur and accumulated in a
parse table structure.
A notify message object is defined. This object is used as the index
into the table of accumulated notify messages. This helps system
administrators determine if there are potential configuration
problems or attacks on their network.
3.7 IPSec MIB Traps
Traps are provided to let system administrators know about the
existence of error conditions occurring in the entity. Errors are
associated with the creation and deletion of protection suites, and
also operational errors that may indicate the presence of attacks on
the system.
Traps are not provided when protection suites and tunnels come up or
go down, unless they go down due to error conditions. It should be
noted that the termination of a permanent tunnel is normally
considered an error condition, while the termination of a transient
tunnel is not normally considered an error.
The causes of protection suite negotiation failure are indicated by a
notify message object.
3.8 IPSec Entity Level Objects
This part of the MIB carries statistics global to the IPSec device.
Statistics included are aggregate errors, aggregate numbers
associated with protection suites, permanent tunnels and transient
tunnels. The statistics are provided as objects in a tree below these
groups.
More system wide statistics on transient tunnels are provided since
they disappear from the tables when they terminate, and the aggregate
traffic statistics associated with individual tunnels are then lost.
4. MIB Definitions
IPSEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
Integer32, Unsigned32,
experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI
DateAndTime, TruthValue FROM SNMPv2-TC;
ipsecMIB MODULE-IDENTITY
LAST-UPDATED "9811301200Z"
ORGANIZATION "IETF IPSec Working Group"
CONTACT-INFO
" Tim Jenkins
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON K0A 2H0
Canada
613-599-3610
tjenkins@timestep.com"
DESCRIPTION
"The MIB module to describe generic IPSec objects,
transient and permanent virtual tunnels created by IPSec
SAs, and entity level IPSec objects and events."
REVISION "9811301200Z"
DESCRIPTION
"Initial revision."
-- ::= { mib-2 ?? }
-- need correct value here
::= { experimental 500 }
ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }
ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }
-- the IPSec IKE Control Channel MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE virtual IKE control channel
ipsecIkeConChanTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecIkeConChanEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec's
IKE control channels."
::= { ipsec 1 }
ipsecIkeConChanEntry OBJECT-TYPE
SYNTAX IpsecIkeConChanEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IKE control channel."
INDEX { ipsecIkeConChanIndex }
::= { ipsecIkeConChanTable 1 }
IpsecIkeConChanEntry ::= SEQUENCE {
ipsecIkeConChanIndex Integer32,
-- the real identifiers for the control channel
ipsecIkeConChanLocalIdType Integer32,
ipsecIkeConChanLocalId OCTET STRING,
ipsecIkeConChanPeerIdType Integer32,
ipsecIkeConChanPeerId OCTET STRING,
ipsecIkeConChanAuthMethod Integer32,
ipsecIkeConChanPeerCertSerialNum OCTET STRING,
ipsecIkeConChanPeerCertIssuer OCTET STRING,
-- virtual channel status
ipsecIkeConChanType INTEGER,
ipsecIkeConChanCurrentSaNum Unsigned32,
ipsecIkeConChanTotalSaNum Counter64,
-- aggregate statistics (all SAs)
ipsecIkeConChanTimeStart DateAndTime,
ipsecIkeConChanInboundTraffic Counter64, -- in bytes
ipsecIkeConChanOutboundTraffic Counter64, -- in bytes
ipsecIkeConChanInboundPackets Counter64,
ipsecIkeConChanOutboundPackets Counter64,
-- aggregate error statistics
ipsecIkeConChanDecryptErrors Counter32,
ipsecIkeConChanHashErrors Counter32,
ipsecIkeConChanOtherReceiveErrors Counter32,
ipsecIkeConChanSendErrors Counter32,
-- IPSec SA (Phase 2) statistics (aggregate)
ipsecIkeConChanIpsecInboundTraffic Counter64,
ipsecIkeConChanIpsecOutboundTraffic Counter64,
ipsecIkeConChanIpsecInboundPackets Counter64,
ipsecIkeConChanIpsecOutboundPackets Counter64,
-- IPSec SA (Phase 2) error statistics (aggregate)
ipsecIkeConChanIpsecDecryptErrors Counter32,
ipsecIkeConChanIpsecAuthErrors Counter32,
ipsecIkeConChanIpsecReplayErrors Counter32,
ipsecIkeConChanIpsecOtherReceiveErrors Counter32,
ipsecIkeConChanIpsecSendErrors Counter32
}
ipsecIkeConChanIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each control
channel. It is recommended that values are assigned
contiguously starting from 1.
The value for each control channel must remain constant
at least from one re-initialization of the entity's network
management system to the next re-initialization.
Further, the value for control channels that are marked
as permanent must remain constant across all
re-initializations of the network management system."
::= { ipsecIkeConChanEntry 1 }
ipsecIkeConChanLocalIdType OBJECT-TYPE
SYNTAX Integer32 (0..256)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of ID used by the local end of the control
channel.
Specific values are used as described in Section 4.6.2.1
of [IPDOI]."
::= { ipsecIkeConChanEntry 2 }
ipsecIkeConChanLocalId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the local host that negotiated this control
channel.
The length may require truncation under some conditions."
::= { ipsecIkeConChanEntry 3 }
ipsecIkeConChanPeerIdType OBJECT-TYPE
SYNTAX Integer32 (0..256)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of ID used by the peer.
Specific values are used as described in Section 4.6.2.1
of [IPDOI]."
::= { ipsecIkeConChanEntry 4 }
ipsecIkeConChanPeerId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the peer host that negotiated this control
channel.
The length may require truncation under some conditions."
::= { ipsecIkeConChanEntry 5 }
ipsecIkeConChanAuthMethod OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The authentication method used to authenticate the
peers.
Note that this does not include the specific method of
authentication if extended authentication is used.
Specific values are used as described in the ISAKMP Class
Values of Authentication Method from Appendix A of
[IKE]."
::= { ipsecIkeConChanEntry 6 }
ipsecIkeConChanPeerCertSerialNum OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..63))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The serial number of the certificate of the peer this
control channel was negotiated with.
This object has no meaning if a certificate was not used
in authenticating the peer."
::= { ipsecIkeConChanEntry 7 }
ipsecIkeConChanPeerCertIssuer OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The issuer name of the certificate of the peer this
control channel was negotiated with.
This object has no meaning if a certificate was not used
in authenticating the peer."
::= { ipsecIkeConChanEntry 8 }
ipsecIkeConChanType OBJECT-TYPE
SYNTAX INTEGER { transient(1), permanent(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of control channel represented by this row.
A transient link will disappear from the table when
the SAs needed for it cannot be established. A
permanent link shows its status in the
ipsecIkeConChanCurrentSaNum object."
::= { ipsecIkeConChanEntry 9 }
ipsecIkeConChanCurrentSaNum OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of currently active SAs that are available
for use by this control channel.
If the control channel is permanent, a 0 value in this
object indicates the channel is either never tried or
down.
If the control channel is transient, this object can
never be 0 valued."
::= { ipsecIkeConChanEntry 10 }
ipsecIkeConChanTotalSaNum OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of SAs, including all expired and
active SAs, that have been set up to support this control
channel."
::= { ipsecIkeConChanEntry 11 }
ipsecIkeConChanTimeStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the first SA within the control
channel was set up."
::= { ipsecIkeConChanEntry 12 }
ipsecIkeConChanInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the control channel in the inbound direction. In other
words, it is the aggregate value of all inbound traffic
carried by all phase 1 SAs ever set up to support the
control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 13 }
ipsecIkeConChanOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the control channel in the outbound direction. In other
words, it is the aggregate value of all outbound traffic
carried by all phase 1 SAs ever set up to support the
control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 14 }
ipsecIkeConChanInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled by the control
channel since it became active in the inbound direction.
In other words, it is the aggregate value of the number
of inbound packets carried by all phase 1 SAs ever set up
to support the control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 15 }
ipsecIkeConChanOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled by the control
channel since it became active in the outbound direction.
In other words, it is the aggregate value of the number
of outbound packets carried by all phase 1 SAs ever set
up to support the control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 16 }
ipsecIkeConChanDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this control
channel discarded due to decryption errors.
Note that this refers to IKE protocol packets, and not to
packets carried by IPSec protection suites set up by the
SAs supporting this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 17 }
ipsecIkeConChanHashErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this control
channel discarded due to hash errors.
Note that this refers to IKE protocol packets, and not to
packets carried by IPSec protection suites set up by the
SAs supporting this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 18 }
ipsecIkeConChanOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this control
channel discarded for reasons other than bad hashes or
decryption errors. This may include packets dropped due
to a lack of receive buffer space.
Note that this refers to IKE protocol packets, and not to
packets carried by IPSec protection suites set up by the
SAs supporting this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 19 }
ipsecIkeConChanSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets from this control
channel discarded for any reason. This may include
packets dropped due to a lack of transmit buffer space.
Note that this refers to IKE protocol packets, and not to
packets carried by IPSec protection suites set up by the
SAs supporting this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 20 }
ipsecIkeConChanIpsecInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic measured in bytes
handled by all IPSec SAs set up by phase 1 SAs supporting
this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 21 }
ipsecIkeConChanIpsecOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic measured in bytes
handled by all IPSec protection suites set up by all
phase 1 SAs supporting this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 22 }
ipsecIkeConChanIpsecInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets handled by all IPSec
protection suites set up by phase 1 SAs supporting this
control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 23 }
ipsecIkeConChanIpsecOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets handled by all
IPSec protection suites set up by phase 1 SAs supporting
this control channel.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 24 }
ipsecIkeConChanIpsecDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec protection suites set up by all phase 1 SAs in this
control channel due to decryption errors.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 25 }
ipsecIkeConChanIpsecAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec protection suites set up by all phase 1 SAs in this
control channel due to authentication errors. This
includes hash failures in IPSec SAs using ESP and AH.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 26 }
ipsecIkeConChanIpsecReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec protection suites set up by all phase 1 SAs in this
control channel due to replay errors.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 27 }
ipsecIkeConChanIpsecOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by all
IPSec protection suites set up by all phase 1 SAs in this
control channel due to errors other than authentication,
decryption or replay errors. This may include packets
dropped due to lack of receive buffers.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 28 }
ipsecIkeConChanIpsecSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets discarded by all
IPSec protection suites set up by all phase 1 SAs in this
control channel due to any error. This may include
packets dropped due to lack of transmit buffers.
If this is a permanent control channel, it is not reset
to zero when the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 29 }
-- the IPSec IKE MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE SAs and the virtual phase 1 SA tunnels
ipsecIkeSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecIkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec's
IKE SAs."
::= { ipsec 2 }
ipsecIkeSaEntry OBJECT-TYPE
SYNTAX IpsecIkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IKE SA."
INDEX { ipsecIkeSaIndex }
::= { ipsecIkeSaTable 1 }
IpsecIkeSaEntry ::= SEQUENCE {
ipsecIkeSaIndex Integer32,
ipsecIkeSaConChanIndex Integer32,
-- identifier information
ipsecIkeSaInitiatorCookie OCTET STRING,
ipsecIkeSaResponderCookie OCTET STRING,
ipsecIkeSaState INTEGER,
-- connection information
ipsecIkeSaLocalIpAddress OCTET STRING,
ipsecIkeSaLocalPortNumber INTEGER,
ipsecIkeSaPeerIpAddress OCTET STRING,
ipsecIkeSaPeerPortNumber INTEGER,
-- security algorithm information
ipsecIkeSaEncAlg INTEGER,
ipsecIkeSaEncKeyLength Unsigned32,
ipsecIkeSaHashAlg Integer32,
ipsecIkeSaDifHelGroupDesc Integer32,
ipsecIkeSaDifHelGroupType Integer32,
ipsecIkeSaPRF Integer32,
-- expiration limits, current SA
ipsecIkeSaTimeStart DateAndTime,
ipsecIkeSaTimeLimit OCTET STRING, -- in seconds
ipsecIkeSaTrafficLimit OCTET STRING,
ipsecIkeSaTrafficCount OCTET STRING,
-- this SA's operating statistics
ipsecIkeSaInboundTraffic Counter64, -- in bytes
ipsecIkeSaOutboundTraffic Counter64, -- in bytes
ipsecIkeSaInboundPackets Counter64,
ipsecIkeSaOutboundPackets Counter64,
-- this SA's error statistics
ipsecIkeSaDecryptErrors Counter32,
ipsecIkeSaHashErrors Counter32,
ipsecIkeSaOtherReceiveErrors Counter32,
ipsecIkeSaSendErrors Counter32
}
ipsecIkeSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each IKE SA.
Values are assigned contiguously starting from 1."
::= { ipsecIkeSaEntry 1 }
ipsecIkeSaConChanIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A reference to the IKE control channel that this SA
supports. It is the value of 'ipsecIkeConChanIndex' for
that control channel."
::= { ipsecIkeSaEntry 2 }
ipsecIkeSaInitiatorCookie OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the initiator for the
current phase 1 SA."
::= { ipsecIkeSaEntry 3 }
ipsecIkeSaResponderCookie OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the responder for the
current phase 1 SA."
::= { ipsecIkeSaEntry 4 }
ipsecIkeSaState OBJECT-TYPE
SYNTAX INTEGER {
tryingInitiator(0),
tryingInitiatorIDProt(1),
tryingResponder(2),
tryingResponderIDProt(3),
upInitiator(4),
upInitiatorIDProt(5),
upResponder(6),
upResponderIDProt(7) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current state of the SA.
'tryingInitiator' means this end is the initiator and is
attempting to negotiate the SA using aggressive mode;
'tryingInitiatorIDProt' means the same, using main mode.
'tryingResponder' means the peer is the initiator and is
attempting to negotiate the SA using aggressive mode;
'tryingResponderIDProt' means the same, using main mode.
'upInitiator' means the SA is up and this end was the
initiator. 'upResponder' means the SA is up and the peer
was the initiator. For the 'up' states the suffix
'IDProt' likewise means that main mode (identity
protection) was used to negotiate the SA."
::= { ipsecIkeSaEntry 5 }
ipsecIkeSaLocalIpAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local IP address that this SA was negotiated with,
or 0 if unknown.
The size of this object is 4 if the IP address is an IPv4
address. The size is 16 if the IP address is an IPv6
address."
::= { ipsecIkeSaEntry 6 }
ipsecIkeSaLocalPortNumber OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local UDP port number that this SA was negotiated
with."
DEFVAL { 500 }
::= { ipsecIkeSaEntry 7 }
ipsecIkeSaPeerIpAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP address of the peer that this SA was negotiated
with, or 0 if unknown.
The size of this object is 4 if the IP address is an IPv4
address. The size is 16 if the IP address is an IPv6
address."
::= { ipsecIkeSaEntry 8 }
ipsecIkeSaPeerPortNumber OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The peer UDP port number of the peer that this SA was
negotiated with."
DEFVAL { 500 }
::= { ipsecIkeSaEntry 9 }
ipsecIkeSaEncAlg OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic carried on this SA.
Specific values are used as described in the ISAKMP
Class Values of Encryption Algorithms from Appendix A
of [IKE]."
::= { ipsecIkeSaEntry 10 }
ipsecIkeSaEncKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for
algorithm specified in the 'ipsecIkeSaEncAlg' object or 0
if the key length is implicit in the specified
algorithm."
::= { ipsecIkeSaEntry 11 }
ipsecIkeSaHashAlg OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried on this SA.
Specific values are used as described in the ISAKMP Class
Values of Hash Algorithms from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 12 }
ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
description used or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Description from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 13 }
ipsecIkeSaDifHelGroupType OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
type used or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Type from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 14 }
ipsecIkeSaPRF OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The pseudo-random function used, or 0 if none is
negotiated or if unknown.
Specific values are used as described in the ISAKMP Class
Values of PRF from Appendix A of [IKE] (which specifies
none at the present time)."
::= { ipsecIkeSaEntry 15 }
ipsecIkeSaTimeStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the current phase 1 SA was set
up.
It is not the date and time that the control channel this
SA supports was set up; see ipsecIkeConChanTimeStart."
::= { ipsecIkeSaEntry 16 }
ipsecIkeSaTimeLimit OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the current SA
supporting the control channel, or 0 if there is no time
constraint on its expiration."
::= { ipsecIkeSaEntry 17 }
ipsecIkeSaTrafficLimit OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in 1024-byte blocks that the current
SA supporting the control channel is allowed to carry,
or 0 if there is no traffic constraint on its
expiration."
::= { ipsecIkeSaEntry 18}
ipsecIkeSaTrafficCount OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic that this SA has processed that
counts against its expiration by traffic limit,
measured in 1024-byte blocks. It includes traffic in both
directions.
It may be 0 if there is no traffic constraint on the SA's
expiration."
::= { ipsecIkeSaEntry 19 }
ipsecIkeSaInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes handled in the
current SA in the inbound direction."
::= { ipsecIkeSaEntry 20 }
ipsecIkeSaOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes handled in the
current SA in the outbound direction."
::= { ipsecIkeSaEntry 21 }
ipsecIkeSaInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled in the current SA in the
inbound direction."
::= { ipsecIkeSaEntry 22 }
ipsecIkeSaOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled in the current SA in the
outbound direction."
::= { ipsecIkeSaEntry 23 }
ipsecIkeSaDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this SA discarded
due to decryption errors.
The following may be used as a guideline to distinguish
decryption errors from protocol negotiation errors:
if there are any errors in the packet's generic payload
structures (next payload field, reserved, payload
length), then this is considered a decryption error.
If an error happens inside the payload structure, then it
is not assumed to be a decryption error, and is
considered a protocol negotiation error."
::= { ipsecIkeSaEntry 24 }
ipsecIkeSaHashErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this SA discarded
due to hash errors. These errors are considered packet
errors, and not protocol negotiation errors.
The case of hash failures when the hash is generated by
authentication data is considered an authentication
failure, and not a hash failure."
::= { ipsecIkeSaEntry 25 }
ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets to this SA discarded
for reasons other than bad hashes or decryption errors.
This may include packets dropped due to a lack of receive
buffer space.
Packets that contain protocol negotiation errors are not
considered dropped packets."
::= { ipsecIkeSaEntry 26 }
ipsecIkeSaSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets from this SA
discarded for any reason. This may include packets
dropped due to a lack of transmit buffer space."
::= { ipsecIkeSaEntry 27 }
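The objects in this group encode several facts an operator needs in
compact SNMP types: ipsecIkeSaState packs mode, role and liveness into
one enumeration, the address objects are raw 4- or 16-octet strings,
and the lifetime limit and count are OCTET STRINGs. The following
Python is an added example, not part of this draft or of any vendor
agent; it decodes one ipsecIkeSaEntry row into operator-facing facts.
The sample row is constructed, and the assumption that the OCTET
STRING limit and count objects hold a big-endian unsigned integer is
the example's own (the draft does not specify their encoding).

```python
import ipaddress

# ipsecIkeSaState named numbers, as enumerated in the definition above.
IKE_SA_STATES = {
    0: "tryingInitiator",
    1: "tryingInitiatorIDProt",
    2: "tryingResponder",
    3: "tryingResponderIDProt",
    4: "upInitiator",
    5: "upInitiatorIDProt",
    6: "upResponder",
    7: "upResponderIDProt",
}


def decode_ike_sa_state(value):
    """Split an ipsecIkeSaState value into its three facts.

    The enumeration is laid out so that bit 0 is 'IDProt' (main mode),
    bit 1 is 'peer initiated' and bit 2 is 'SA established'.
    """
    if value not in IKE_SA_STATES:
        raise ValueError(f"unknown ipsecIkeSaState value {value}")
    return {
        "name": IKE_SA_STATES[value],
        "up": bool(value & 4),
        "local_role": "responder" if value & 2 else "initiator",
        "mode": "main" if value & 1 else "aggressive",
    }


def decode_ip(octets):
    """Decode ipsecIkeSaLocalIpAddress / ipsecIkeSaPeerIpAddress.

    4 octets carry an IPv4 address, 16 octets an IPv6 address; an
    all-zero value is the draft's 'unknown' and is returned as None.
    """
    if not any(octets):
        return None
    if len(octets) == 4:
        return str(ipaddress.IPv4Address(octets))
    if len(octets) == 16:
        return str(ipaddress.IPv6Address(octets))
    raise ValueError(f"address OCTET STRING of length {len(octets)}")


def octets_to_int(octets):
    # Assumption (not stated by the draft): the OCTET STRING limit and
    # count objects hold a big-endian unsigned integer.
    return int.from_bytes(octets, "big")


def summarize_ike_sa(row):
    """Turn one ipsecIkeSaEntry row (dict keyed by object name) into a
    report an operator or a detection rule can act on."""
    state = decode_ike_sa_state(row["ipsecIkeSaState"])
    limit = octets_to_int(row["ipsecIkeSaTrafficLimit"])
    count = octets_to_int(row["ipsecIkeSaTrafficCount"])
    return {
        "index": row["ipsecIkeSaIndex"],
        "control_channel": row["ipsecIkeSaConChanIndex"],
        "cookies": (row["ipsecIkeSaInitiatorCookie"].hex(),
                    row["ipsecIkeSaResponderCookie"].hex()),
        "local": decode_ip(row["ipsecIkeSaLocalIpAddress"]),
        "peer": decode_ip(row["ipsecIkeSaPeerIpAddress"]),
        "state": state,
        # Aggressive mode sends the identities unprotected; flag it.
        "identity_exposed": state["mode"] == "aggressive",
        # Fraction of the traffic lifetime consumed; None when unlimited.
        "traffic_used": (count / limit) if limit else None,
    }


# Constructed sample row (not captured from any device).
SAMPLE_ROW = {
    "ipsecIkeSaIndex": 1,
    "ipsecIkeSaConChanIndex": 1,
    "ipsecIkeSaInitiatorCookie": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "ipsecIkeSaResponderCookie": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "ipsecIkeSaState": 5,  # upInitiatorIDProt
    "ipsecIkeSaLocalIpAddress": ipaddress.IPv4Address("192.0.2.1").packed,
    "ipsecIkeSaPeerIpAddress": ipaddress.IPv6Address("2001:db8::2").packed,
    "ipsecIkeSaTrafficLimit": (1000).to_bytes(4, "big"),
    "ipsecIkeSaTrafficCount": (900).to_bytes(4, "big"),
}


def sample_summary():
    return summarize_ike_sa(SAMPLE_ROW)


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key}: {value}")
```

The decoder rejects address strings of any length other than 4 or
16 rather than guessing, and treats a traffic limit of 0 as "no
limit" exactly as the object descriptions require.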
-- the IPSec Tunnel MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suite-based virtual tunnels
ipsecTunnelTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecTunnelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
protection suite-based tunnels."
::= { ipsec 3 }
ipsecTunnelEntry OBJECT-TYPE
SYNTAX IpsecTunnelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular configured tunnel."
INDEX { ipsecTunnelIndex }
::= { ipsecTunnelTable 1 }
IpsecTunnelEntry ::= SEQUENCE {
ipsecTunnelIndex Integer32,
ipsecTunnelIkeConChan Integer32, -- if not static
ipsecTunnelType INTEGER, -- static, transient, permanent
-- tunnel identifiers
ipsecTunnelLocalIdentifier OCTET STRING,
ipsecTunnelLocalIdentifierType INTEGER,
ipsecTunnelRemoteIdentifier OCTET STRING,
ipsecTunnelRemoteIdentifierType INTEGER,
ipsecTunnelProtocol Integer32,
ipsecTunnelLocalPort Integer32,
ipsecTunnelRemotePort Integer32,
-- tunnel creation mechanism
ipsecTunnelDifHelGroupDesc Integer32,
ipsecTunnelDifHelGroupType Integer32,
ipsecTunnelPFS TruthValue,
-- tunnel security services description
ipsecTunnelEncapsulation INTEGER,
ipsecTunnelEspEncAlg Integer32,
ipsecTunnelEspEncKeyLength Unsigned32,
ipsecTunnelEspAuthAlg Integer32,
ipsecTunnelAhAuthAlg Integer32,
ipsecTunnelCompAlg Integer32,
-- aggregate statistics
ipsecTunnelStartTime DateAndTime,
ipsecTunnelCurrentProtSuitesNum Unsigned32,
ipsecTunnelTotalProtSuitesNum Counter32,
ipsecTunnelTotalInboundTraffic Counter64,
ipsecTunnelTotalOutboundTraffic Counter64,
ipsecTunnelTotalInboundPackets Counter64,
ipsecTunnelTotalOutboundPackets Counter64,
-- aggregate error statistics
ipsecTunnelDecryptErrors Counter32,
ipsecTunnelAuthErrors Counter32,
ipsecTunnelReplayErrors Counter32,
ipsecTunnelPolicyErrors Counter32,
ipsecTunnelOtherReceiveErrors Counter32,
ipsecTunnelSendErrors Counter32
}
ipsecTunnelIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each tunnel
interface. It is recommended that values are assigned
contiguously starting from 1.
The value for each tunnel interface must remain constant
at least from one re-initialization of the entity's
network management system to the next re-initialization.
Further, the value for tunnel interfaces that are marked
as permanent must remain constant across all
re-initializations of the network management system."
::= { ipsecTunnelEntry 1 }
ipsecTunnelIkeConChan OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the index into the IKE control channel
table that created this tunnel (ipsecIkeConChanIndex), or
0 if the tunnel is created by a static IPSec protection
suite."
::= { ipsecTunnelEntry 2 }
ipsecTunnelType OBJECT-TYPE
SYNTAX INTEGER { static(0), transient(1), permanent(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the virtual tunnel represented by this row.
'static' means that the tunnel is supported by a single
static IPSec protection suite that was set up by
configuration, and not by using a key exchange protocol.
In this case, the value of ipsecTunnelIkeConChan must be
0."
::= { ipsecTunnelEntry 3 }
ipsecTunnelLocalIdentifier OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local identifier of the virtual tunnel, or 0 if
unknown or if the protection suite uses transport mode
encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecTunnelEntry 4 }
ipsecTunnelLocalIdentifierType OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecTunnelLocalIdentifier', or 0 if unknown or if the
protection suite uses transport mode encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecTunnelEntry 5 }
ipsecTunnelRemoteIdentifier OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote identifier of the virtual tunnel, or 0 if
unknown or if the protection suite uses transport mode
encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecTunnelEntry 6 }
ipsecTunnelRemoteIdentifierType OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecTunnelRemoteIdentifier', or 0 if unknown or if the
protection suite uses transport mode encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecTunnelEntry 7 }
ipsecTunnelProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the protocol that this tunnel carries, or
0 if it carries any protocol."
::= { ipsecTunnelEntry 8 }
ipsecTunnelLocalPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the local port that this tunnel carries,
or 0 if it carries any port number."
::= { ipsecTunnelEntry 9 }
ipsecTunnelRemotePort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of the remote port that this tunnel carries,
or 0 if it carries any port number."
::= { ipsecTunnelEntry 10 }
ipsecTunnelDifHelGroupDesc OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
description used to set up protection suites for this
tunnel or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Description from Appendix A of [IKE]."
::= { ipsecTunnelEntry 11 }
ipsecTunnelDifHelGroupType OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
type used to set up protection suites for this tunnel or
0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Type from Appendix A of [IKE]."
::= { ipsecTunnelEntry 12 }
ipsecTunnelPFS OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"'true' if protection suites set up for this tunnel were
created using perfect forward secrecy."
::= { ipsecTunnelEntry 13 }
ipsecTunnelEncapsulation OBJECT-TYPE
SYNTAX INTEGER { transport(1), tunnel(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by protection suites
created for this virtual tunnel."
::= { ipsecTunnelEntry 14 }
ipsecTunnelEspEncAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic carried by this tunnel if it uses ESP
or 0 if there is no encryption applied by ESP or if ESP
is not used.
Specific values are taken from section 4.4.4 of [IPDOI]."
::= { ipsecTunnelEntry 15 }
ipsecTunnelEspEncKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for the
algorithm specified in the 'ipsecTunnelEspEncAlg' object,
or 0 if the key length is implicit in the specified
algorithm or there is no encryption specified."
::= { ipsecTunnelEntry 16 }
ipsecTunnelEspAuthAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this tunnel if it uses ESP or 0 if
there is no authentication applied by ESP or if ESP is
not used.
Specific values are taken from the Authentication
Algorithm attribute values of Section 4.5 of [IPDOI]."
::= { ipsecTunnelEntry 17 }
ipsecTunnelAhAuthAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this tunnel if it uses AH or 0 if
AH is not used.
Specific values are taken from Section 4.4.3 of [IPDOI]."
::= { ipsecTunnelEntry 18 }
ipsecTunnelCompAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the compression algorithm
applied to traffic carried by this tunnel if it uses
IPCOMP.
Specific values are taken from Section 4.4.5 of [IPDOI]."
::= { ipsecTunnelEntry 19 }
ipsecTunnelStartTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that this virtual tunnel was set up.
If this is a permanent virtual tunnel, it is not reset
when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 20 }
ipsecTunnelCurrentProtSuitesNum OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of protection suites currently active
supporting this virtual tunnel.
If this number is 0, the tunnel must be considered down.
Also, if this number is 0, the tunnel must be a permanent
tunnel, since transient tunnels that are down do not
appear in the table."
::= { ipsecTunnelEntry 21 }
ipsecTunnelTotalProtSuitesNum OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of protection suites, including all
current protection suites, that have been set up to
support this virtual tunnel."
::= { ipsecTunnelEntry 22 }
ipsecTunnelTotalInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the tunnel in the inbound direction. In other words, it
is the aggregate value of all inbound traffic carried by
all IPSec protection suites ever set up to support the
virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 23 }
ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes handled in
the tunnel in the outbound direction. In other words, it
is the aggregate value of all outbound traffic carried by
all IPSec protection suites ever set up to support the
virtual tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 24 }
ipsecTunnelTotalInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled in the tunnel in the
inbound direction. In other words, it is the aggregate
value of all inbound packets carried by all IPSec
protection suites ever set up to support the virtual
tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 25 }
ipsecTunnelTotalOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets handled in the tunnel in the
outbound direction. In other words, it is the aggregate
value of all outbound packets carried by all IPSec
protection suites ever set up to support the virtual
tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 26 }
ipsecTunnelDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to decryption errors in ESP.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 27 }
ipsecTunnelAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to authentication errors. This
includes hash failures in IPSec protection suites using
both ESP and AH.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 28 }
ipsecTunnelReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to replay errors. This includes replay
failures in IPSec protection suites using both ESP and
AH.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 29 }
ipsecTunnelPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to policy errors. This includes errors
in all transforms if protection suites are used.
Policy errors are due to the detection of a packet that
was inappropriately sent into this tunnel.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 30 }
ipsecTunnelOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets discarded by this
virtual tunnel due to errors other than decryption,
authentication or replay errors. This may include packets
dropped due to a lack of receive buffers.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 31 }
ipsecTunnelSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets discarded by this
virtual tunnel due to any error. This may include packets
dropped due to a lack of transmit buffers.
If this is a permanent virtual tunnel, it is not reset to
zero when the number of current protection suites
(ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
::= { ipsecTunnelEntry 32 }
-- the IPSec Protection Suites MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suites
ipsecProtSuiteTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecProtSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
protection suites."
::= { ipsec 4 }
ipsecProtSuiteEntry OBJECT-TYPE
SYNTAX IpsecProtSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec protection suite."
INDEX { ipsecProtSuiteIndex }
::= { ipsecProtSuiteTable 1 }
IpsecProtSuiteEntry ::= SEQUENCE {
ipsecProtSuiteIndex Integer32,
ipsecProtSuiteTunnel Integer32, -- from ipsecTunnelTable
-- identification
ipsecProtSuitePeerAddress OCTET STRING,
ipsecProtSuiteInboundEspSpi Unsigned32,
ipsecProtSuiteOutboundEspSpi Unsigned32,
ipsecProtSuiteInboundAhSpi Unsigned32,
ipsecProtSuiteOutboundAhSpi Unsigned32,
ipsecProtSuiteInboundCompCpi INTEGER,
ipsecProtSuiteOutboundCompCpi INTEGER,
-- expiration limits
ipsecProtSuiteCreationTime DateAndTime,
ipsecProtSuiteTimeLimit OCTET STRING, -- sec., 0 if none
ipsecProtSuiteTrafficLimit OCTET STRING, -- 0 if none
ipsecProtSuiteTrafficCount OCTET STRING,
-- current operating statistics
ipsecProtSuiteInboundTraffic Counter64,
ipsecProtSuiteOutboundTraffic Counter64,
ipsecProtSuiteInboundPackets Counter64,
ipsecProtSuiteOutboundPackets Counter64,
-- error statistics
ipsecProtSuiteDecryptErrors Counter32,
ipsecProtSuiteAuthErrors Counter32,
ipsecProtSuiteReplayErrors Counter32,
ipsecProtSuitePolicyErrors Counter32,
ipsecProtSuiteOtherReceiveErrors Counter32,
ipsecProtSuiteSendErrors Counter32
}
ipsecProtSuiteIndex OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each IPSec
protection suite. It is recommended that values are
assigned contiguously starting from 1."
::= { ipsecProtSuiteEntry 1 }
ipsecProtSuiteTunnel OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the index into the IPSec tunnel table that
this protection suite supports (ipsecTunnelIndex)."
::= { ipsecProtSuiteEntry 2 }
ipsecProtSuitePeerAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The peer IP address used by the protection suite.
The size of this object is 4 if the address is an IPv4
address, or 16 if the address is an IPv6 address."
::= { ipsecProtSuiteEntry 3 }
ipsecProtSuiteInboundEspSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the inbound protection suite
that provides the ESP security service, or zero if ESP is
not used."
::= { ipsecProtSuiteEntry 4 }
ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the outbound protection suite
that provides the ESP security service, or zero if ESP is
not used."
::= { ipsecProtSuiteEntry 5 }
ipsecProtSuiteInboundAhSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the inbound protection suite
that provides the AH security service, or zero if AH is
not used."
::= { ipsecProtSuiteEntry 6 }
ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the outbound protection suite
that provides the AH security service, or zero if AH is
not used."
::= { ipsecProtSuiteEntry 7 }
ipsecProtSuiteInboundCompCpi OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the CPI for the inbound protection suite
that provides IP compression, or zero if IPCOMP is not
used."
::= { ipsecProtSuiteEntry 8 }
ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the CPI for the outbound protection suite
that provides IP compression, or zero if IPCOMP is not
used."
::= { ipsecProtSuiteEntry 9 }
ipsecProtSuiteCreationTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the current protection suite was
set up."
::= { ipsecProtSuiteEntry 10 }
ipsecProtSuiteTimeLimit OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the protection suite,
or 0 if there is no time constraint on its expiration."
::= { ipsecProtSuiteEntry 11 }
ipsecProtSuiteTrafficLimit OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in 1024-byte blocks that the
protection suite is allowed to support, or 0 if there is
no traffic constraint on its expiration."
::= { ipsecProtSuiteEntry 12 }
ipsecProtSuiteTrafficCount OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic accumulated that counts against
the protection suite's expiration by traffic limitation,
measured in 1024-byte blocks."
::= { ipsecProtSuiteEntry 13 }
ipsecProtSuiteInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes
handled by the protection suite in the inbound direction.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecProtSuiteEntry 14 }
ipsecProtSuiteOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes
handled by the protection suite in the outbound
direction.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecProtSuiteEntry 15 }
ipsecProtSuiteInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the protection suite in
the inbound direction."
::= { ipsecProtSuiteEntry 16 }
ipsecProtSuiteOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the protection suite in
the outbound direction."
::= { ipsecProtSuiteEntry 17 }
ipsecProtSuiteDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to decryption errors."
::= { ipsecProtSuiteEntry 18 }
ipsecProtSuiteAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to authentication errors. This
includes hash failures in both ESP and AH."
::= { ipsecProtSuiteEntry 19 }
ipsecProtSuiteReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to replay errors. This includes
replay failures in both ESP and AH."
::= { ipsecProtSuiteEntry 20 }
ipsecProtSuitePolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to policy errors."
::= { ipsecProtSuiteEntry 21 }
ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to errors other than decryption,
authentication or replay errors. This may include
decompression errors or errors due to a lack of receive
buffers."
::= { ipsecProtSuiteEntry 22 }
ipsecProtSuiteSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets discarded by the
protection suite due to any error. This may include
compression errors or errors due to a lack of transmit
buffers."
::= { ipsecProtSuiteEntry 23 }
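The aggregate tunnel counters (ipsecTunnel*Errors) and the per-suite counters and expiry objects above (ipsecProtSuite*Errors, ipsecProtSuiteTimeLimit, ipsecProtSuiteTrafficLimit, ipsecProtSuiteTrafficCount) only become useful to a monitoring system that polls them and acts on the change between polls. The following Python script is an added example, not code from this draft or from any agent: it parses snmpwalk-style output of the protection suite table (both polls below are constructed), reports how far each suite is from its time and traffic limits, and raises one alert per suite and counter whose error count grew, handling Counter32 wrap-around so a counter passing 2^32 is not misread as a decrease. It assumes an agent that renders the OCTET STRING limit and count objects as decimal strings and ipsecProtSuiteCreationTime as "YYYY-MM-DD,HH:MM:SS"; the same delta logic applies unchanged to the entity-wide ipsecErrorStats counters.

```python
"""Poll-and-diff monitor for ipsecProtSuiteTable counters (added example).

Assumes the agent renders ipsecProtSuiteTimeLimit / TrafficLimit /
TrafficCount as decimal strings and CreationTime as YYYY-MM-DD,HH:MM:SS.
"""
import ipaddress
import re
from datetime import datetime

LINE = re.compile(r"^(ipsecProtSuite\w+)\.(\d+) = ([\w-]+): (.*)$")
TIME_FMT = "%Y-%m-%d,%H:%M:%S"
# Per-suite error counters and the trap the draft defines for each (None: no trap).
ERROR_COLS = {
    "ipsecProtSuiteAuthErrors": "ipsecTrapIpsecAuthFailure",
    "ipsecProtSuiteReplayErrors": "ipsecTrapIpsecReplayFailure",
    "ipsecProtSuitePolicyErrors": "ipsecTrapIpsecPolicyFailure",
    "ipsecProtSuiteDecryptErrors": None,
}


def parse_walk(text):
    """{ipsecProtSuiteIndex: {column: value}} from snmpwalk-style lines."""
    rows = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        col, idx, typ, raw = m.groups()
        if typ in ("INTEGER", "Counter32", "Counter64", "Unsigned32", "Gauge32"):
            val = int(raw)
        elif typ == "Hex-STRING":
            val = bytes.fromhex(raw.replace(" ", ""))
        else:
            val = raw.strip('"')
        rows.setdefault(int(idx), {})[col] = val
    return rows


def counter_delta(old, new, bits=32):
    """Increase between polls; new < old means the counter wrapped once."""
    return new - old if new >= old else (1 << bits) - old + new


def suite_expiry(row, now_str):
    """(seconds left, 1024-byte blocks left); None where the limit is 0 (no
    constraint).  Negative means the suite is past its limit but still listed."""
    created = datetime.strptime(row["ipsecProtSuiteCreationTime"], TIME_FMT)
    now = datetime.strptime(now_str, TIME_FMT)
    tlimit = int(row["ipsecProtSuiteTimeLimit"])
    blimit = int(row["ipsecProtSuiteTrafficLimit"])
    used = int(row["ipsecProtSuiteTrafficCount"])
    secs = None if tlimit == 0 else tlimit - int((now - created).total_seconds())
    blocks = None if blimit == 0 else blimit - used
    return secs, blocks


def error_alerts(before, after, threshold=1):
    """One alert per (suite, counter) that grew by >= threshold between polls."""
    alerts = []
    for idx, row in after.items():
        prev = before.get(idx)
        if prev is None:
            continue  # suite appeared since the last poll: no baseline yet
        peer = row.get("ipsecProtSuitePeerAddress")  # 4 or 16 octets
        for col, trap in ERROR_COLS.items():
            if col not in row or col not in prev:
                continue
            delta = counter_delta(prev[col], row[col], 32)
            if delta >= threshold:
                alerts.append({"suite": idx, "tunnel": row.get("ipsecProtSuiteTunnel"),
                               "peer": str(ipaddress.ip_address(peer)) if peer else None,
                               "counter": col, "delta": delta, "trap": trap})
    return alerts


# Constructed sample: two polls of one agent; suites 1 and 2 serve tunnel 3.
POLL_0 = """
ipsecProtSuiteTunnel.1 = INTEGER: 3
ipsecProtSuitePeerAddress.1 = Hex-STRING: C0 A8 01 0A
ipsecProtSuiteCreationTime.1 = STRING: 1998-11-30,08:00:00
ipsecProtSuiteTimeLimit.1 = STRING: 28800
ipsecProtSuiteTrafficLimit.1 = STRING: 1048576
ipsecProtSuiteTrafficCount.1 = STRING: 900000
ipsecProtSuiteAuthErrors.1 = Counter32: 4294967290
ipsecProtSuiteReplayErrors.1 = Counter32: 7
ipsecProtSuitePolicyErrors.1 = Counter32: 0
ipsecProtSuiteDecryptErrors.1 = Counter32: 0
ipsecProtSuiteTunnel.2 = INTEGER: 3
ipsecProtSuitePeerAddress.2 = Hex-STRING: C0 A8 01 0A
ipsecProtSuiteAuthErrors.2 = Counter32: 0
ipsecProtSuiteReplayErrors.2 = Counter32: 0
"""
# Second poll: suite 1's AuthErrors wrapped past 2^32, suite 2 saw 250 replays,
# suite 3 is new (no baseline yet).
POLL_1 = (POLL_0.replace("AuthErrors.1 = Counter32: 4294967290", "AuthErrors.1 = Counter32: 4")
          .replace("ReplayErrors.2 = Counter32: 0", "ReplayErrors.2 = Counter32: 250")
          + "ipsecProtSuiteTunnel.3 = INTEGER: 5\nipsecProtSuiteAuthErrors.3 = Counter32: 9\n")

if __name__ == "__main__":
    print(suite_expiry(parse_walk(POLL_1)[1], "1998-11-30,15:00:00"))
    print(error_alerts(parse_walk(POLL_0), parse_walk(POLL_1)))
```

A growing ipsecProtSuiteReplayErrors or ipsecProtSuiteAuthErrors on one suite, with the peer address unchanged, is the polled equivalent of the corresponding trap. A suite whose seconds or blocks left is negative is past its limit yet still in the table, which is worth investigating: the protection suite should have been replaced and was not.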
-- the IPSec Entity MIB-Group
--
-- a collection of objects providing information about overall IPSec
-- status in the entity
--
-- Definitions of significant branches
--
ipsecTrapsA OBJECT IDENTIFIER ::= { ipsec 5 }
ipsecTraps OBJECT IDENTIFIER ::= { ipsecTrapsA 0 }
ipsecProtSuiteCounts OBJECT IDENTIFIER ::= { ipsec 6 }
ipsecPermChanTunStats OBJECT IDENTIFIER ::= { ipsec 7 }
ipsecTransChanTunStats OBJECT IDENTIFIER ::= { ipsec 8 }
ipsecNotifications OBJECT IDENTIFIER ::= { ipsec 9 }
ipsecErrorStats OBJECT IDENTIFIER ::= { ipsec 10 }
--
-- SA and protection suite counts
--
ipsecTotalIkeSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 SAs established by the
entity since boot time. It is not the total number of
channels established by the entity since boot time. It
includes SAs established to support both permanent and
transient channels."
::= { ipsecProtSuiteCounts 1 }
ipsecTotalIpsecProtSuites OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of protection suites established by the
entity since boot time. It is not the total number of
IPSec virtual tunnels established by the entity since
boot time. It includes protection suites established to
support both permanent and transient tunnels."
::= { ipsecProtSuiteCounts 2 }
--
-- permanent channel and tunnel statistics
--
ipsecCnfgPermIkeChannels OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 control channels in the
entity that are configured as permanent."
::= { ipsecPermChanTunStats 1 }
ipsecUpPermIkeChannels OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 control channels in the
entity that are configured as permanent and are up and
available for use."
::= { ipsecPermChanTunStats 2 }
ipsecCnfgPermIpsecTunnels OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 tunnels in the entity that
are configured as permanent."
::= { ipsecPermChanTunStats 3 }
ipsecUpPermIpsecTunnels OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 tunnels in the entity that
are configured as permanent and are up and available for
use."
::= { ipsecPermChanTunStats 4 }
--
-- transient tunnel counts
--
ipsecTotalTransIkeTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of transient phase 1 tunnels
established by the entity since boot time."
::= { ipsecTransChanTunStats 1 }
ipsecCurrentTransIkeTunnels OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of transient phase 1 tunnels in the entity
that are up and available for use at this moment in
time."
::= { ipsecTransChanTunStats 2 }
ipsecTotalTransIpsecTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of transient phase 2 tunnels
established by the entity since boot time."
::= { ipsecTransChanTunStats 3 }
ipsecCurrentTransIpsecTunnels OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of transient phase 2 tunnels in the entity
that are up and available for use at this moment in
time."
::= { ipsecTransChanTunStats 4 }
--
-- transient protection suite traffic statistics
--
ipsecTotalTransInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets carried on transient
IPSec tunnels since boot time."
::= { ipsecTransChanTunStats 5 }
ipsecTotalTransOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets carried on
transient IPSec tunnels since boot time."
::= { ipsecTransChanTunStats 6 }
ipsecTotalTransInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic carried on transient
IPSec tunnels since boot time, measured in 1024-octet
blocks."
::= { ipsecTransChanTunStats 7 }
ipsecTotalTransOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic carried on
transient IPSec tunnels since boot time, measured in
1024-octet blocks."
::= { ipsecTransChanTunStats 8 }
--
-- error counts
--
ipsecUnknownSpiErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with SPIs or CPIs that were not valid."
::= { ipsecErrorStats 1 }
ipsecIkeProtocolErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with IKE protocol errors.
This includes packets with invalid cookies, but does not
include errors that could be associated with specific IKE
SAs."
::= { ipsecErrorStats 2 }
ipsecIpsecAuthenticationErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with authentication errors in the IPSec SAs.
This includes all packets in which the hash value is
determined to be invalid."
::= { ipsecErrorStats 3 }
ipsecIpsecReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with replay errors in the IPSec SAs."
::= { ipsecErrorStats 4 }
ipsecIpsecPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time and discarded due to policy errors. This
includes packets that had selectors that were invalid for
the SA that carried them."
::= { ipsecErrorStats 5 }
-- the IPSec Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages
ipsecNotifyMessageTotalCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of all types of notify messages sent or
received by the entity since boot time.
It is the sum of all occurrences in the
'ipsecNotifyCountTable'."
::= { ipsecNotifications 1 }
ipsecNotifyCountTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecNotifyCountEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
notify message counts.
This table MAY be sparsely populated; that is, rows for
which the count is 0 may be absent."
::= { ipsecNotifications 2 }
ipsecNotifyCountEntry OBJECT-TYPE
SYNTAX IpsecNotifyCountEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the total number of
occurrences of a notify message."
INDEX { ipsecNotifyMessage }
::= { ipsecNotifyCountTable 1 }
IpsecNotifyCountEntry ::= SEQUENCE {
ipsecNotifyMessage INTEGER,
ipsecNotifyMessageCount Counter32
}
ipsecNotifyMessage OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value representing a specific IPSec notify message,
or 0 if unknown.
Values are assigned from the set of notify message types
as defined in Section 3.14.1 of [ISAKMP]. In addition,
the value 0 may be used for this object when the object
is used as a trap cause, and the cause is unknown."
::= { ipsecNotifyCountEntry 1 }
ipsecNotifyMessageCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of times the specific notify message
has been received or sent by the entity since system
boot."
::= { ipsecNotifyCountEntry 2 }
--
-- traps
--
ipsecTrapPermIkeNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeConChanIndex,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 1 SA for the specified
permanent IKE tunnel failed."
::= { ipsecTraps 1 }
ipsecTrapTransIkeNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeConChanLocalIdType,
ipsecIkeConChanLocalId,
ipsecIkeConChanPeerIdType,
ipsecIkeConChanPeerId,
ipsecIkeSaLocalIpAddress,
ipsecIkeSaLocalPortNumber,
ipsecIkeSaPeerIpAddress,
ipsecIkeSaPeerPortNumber,
ipsecIkeConChanAuthMethod,
ipsecIkeConChanPeerCertSerialNum,
ipsecIkeConChanPeerCertIssuer,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 1 SA for a transient IKE
tunnel failed.
This trap is different from the
'ipsecTrapPermIkeNegFailure' trap, since this one will
likely result in the removal of this entry from the IKE
control channel table."
::= { ipsecTraps 2 }
ipsecTrapInvalidCookie NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress,
ipsecIkeSaPeerPortNumber
}
STATUS current
DESCRIPTION
"IKE packets with invalid cookies were detected from the
specified peer.
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 3 }
ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeConChanIndex,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 2 protection suite
within the specified IKE tunnel failed."
::= { ipsecTraps 4 }
ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
OBJECTS {
ipsecProtSuiteIndex
}
STATUS current
DESCRIPTION
"IPSec packets with invalid hashes were found in the
specified protection suite.
Implementations SHOULD send one trap per protection suite
(within a reasonable time period), rather than sending
one trap per packet."
::= { ipsecTraps 5 }
ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
OBJECTS {
ipsecProtSuiteIndex
}
STATUS current
DESCRIPTION
"IPSec packets with invalid sequence numbers were found
in the specified protection suite.
Implementations SHOULD send one trap per protection suite
(within a reasonable time period), rather than sending
one trap per packet."
::= { ipsecTraps 6 }
ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
OBJECTS {
ipsecProtSuiteIndex
}
STATUS current
DESCRIPTION
"IPSec packets whose inner packets had selectors that were
invalid for the specified protection suite were found.
Implementations SHOULD send one trap per protection suite
(within a reasonable time period), rather than sending
one trap per packet."
::= { ipsecTraps 7 }
ipsecTrapInvalidSpi NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress
}
STATUS current
DESCRIPTION
"ESP, AH or IPCOMP packets with unknown SPIs (or CPIs)
were detected from the specified peer.
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 8 }
END
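The trap descriptions above repeatedly ask for one trap per peer or per protection suite within a reasonable time period rather than one per packet. The Python below is an added example of how an agent could implement that; it is not code from this draft or from any implementation. It also includes a classifier for the ipsecNotifyMessage value carried by the negotiation-failure traps, using the value ranges reproduced in Appendix A. The 60-second window and the budget of 20 traps per window are assumptions. The point it adds: per-peer suppression alone does not bound the trap rate for ipsecTrapInvalidSpi and ipsecTrapInvalidCookie, because the peer address comes from unauthenticated packets and an attacker can spoof as many distinct sources as it likes, so a global budget per window is needed to keep a packet flood at the IPSec entity from becoming a trap flood at the management station.

```python
"""Trap suppression for the ipsecTrap* notifications (added example).

Per-key suppression alone does not bound the trap rate when the key is
attacker-chosen (spoofed sources feeding ipsecTrapInvalidSpi), so a global
per-window budget is added.  Window and budget values are assumptions.
"""
from collections import defaultdict


class TrapSuppressor:
    """Decide, per offending packet, whether to emit a trap for (trap, key).

    key: peer address for ipsecTrapInvalidCookie / ipsecTrapInvalidSpi,
    ipsecProtSuiteIndex for the per-suite auth/replay/policy failure traps.
    """

    def __init__(self, window_seconds=60, max_per_window=20):
        self.window = window_seconds
        self.max_per_window = max_per_window
        self.last_sent = {}                  # (trap, key) -> time of last trap
        self.since_last = defaultdict(int)   # (trap, key) -> events since then
        self.per_key_dropped = 0             # events dropped by per-key rule
        self.global_dropped = 0              # events dropped by the budget
        self.bucket, self.bucket_sent = None, 0
        self.sent = []                       # (time, trap, key, events) records

    def event(self, trap, key, now):
        """Return True if a trap should be emitted now for this event."""
        bucket = int(now // self.window)
        if bucket != self.bucket:            # new window: reset the budget
            self.bucket, self.bucket_sent = bucket, 0
        k = (trap, key)
        last = self.last_sent.get(k)
        if last is not None and now - last < self.window:
            self.since_last[k] += 1          # same key inside the window
            self.per_key_dropped += 1
            return False
        if self.bucket_sent >= self.max_per_window:
            self.global_dropped += 1         # too many distinct keys this window
            return False
        self.bucket_sent += 1
        self.last_sent[k] = now
        # The trap carries the MIB objects only; the event count is local
        # accounting for the operator's log, not a varbind.
        self.sent.append((now, trap, key, self.since_last.pop(k, 0) + 1))
        return True

    def dropped_total(self):
        """Events that produced no trap (per-key plus global)."""
        return self.per_key_dropped + self.global_dropped


def notify_class(value):
    """Classify an ipsecNotifyMessage value by the ranges in Appendix A."""
    if value == 0:
        return "unknown"             # cause unknown (allowed as a trap cause)
    if 1 <= value <= 30:
        return "error"
    if 8192 <= value <= 16383:
        return "error-private"
    if value == 16384:
        return "status"              # CONNECTED
    if 24576 <= value <= 32767:
        return "status-doi"          # RESPONDER-LIFETIME, REPLAY-STATUS, ...
    if 32768 <= value <= 40959:
        return "status-private"
    if 0 < value <= 65535:
        return "reserved"
    raise ValueError(f"not a 16-bit notify value: {value}")


def simulate():
    """Constructed burst: a noisy peer, a quiet peer, then 200 spoofed peers."""
    s = TrapSuppressor(window_seconds=60, max_per_window=20)
    noisy = sum(s.event("ipsecTrapInvalidSpi", "192.0.2.10", t) for t in range(10))
    quiet = s.event("ipsecTrapInvalidSpi", "192.0.2.20", 5)
    later = s.event("ipsecTrapInvalidSpi", "192.0.2.10", 61)  # window elapsed
    spoofed = sum(s.event("ipsecTrapInvalidSpi", f"198.51.100.{i}", 70)
                  for i in range(200))
    return {"noisy": noisy, "quiet": int(quiet), "later": int(later),
            "spoofed": spoofed, "dropped": s.dropped_total()}


if __name__ == "__main__":
    print(simulate())
```

The record appended to `sent` carries the number of suppressed events since the previous trap for that key; the draft's notifications carry only the listed MIB objects, so that count belongs in the agent's local log rather than in the trap itself.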
5. Security Considerations
This MIB contains readable objects whose values provide information
related to IPSec virtual tunnels. There are no objects with
MAX-ACCESS clauses of read-write or read-create.
While unauthorized access to the readable objects is relatively
innocuous, unauthorized access to those objects through an insecure
channel can provide attackers with more information about a system
than an administrator may desire. In particular, the tables expose
peer addresses and identities, SPIs and CPIs, protection suite
lifetimes and per-suite error counters, which together describe the
entity's IPSec topology and let an attacker watch whether its own
probing (invalid SPIs, invalid cookies, replayed packets) is being
detected. These objects should therefore be served only over an
authenticated and encrypted channel, such as SNMPv3 with the
User-based Security Model [2274], with the View-based Access Control
Model [2275] restricting read access to the IPSec subtree to the
management principals that need it.
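A concrete way to act on the paragraph above, as an added example that is not part of this draft: a net-snmp snmpd.conf fragment showing the weak configuration (a clear-text community string that exposes every object) beside one that serves the IPSec objects only to an SNMPv3 user with authentication and privacy [2274] and a VACM view [2275]. The user name, passphrases, trap receiver host and the OID of the ipsec subtree are placeholders; the draft has not yet assigned its sub-identifier (see the revision history), so `.1.3.6.1.3.N` must be replaced with the real value.

```conf
# --- Weak: SNMPv1/v2c, clear-text community, whole MIB tree readable ---
rocommunity public

# --- Corrected: SNMPv3 authPriv user confined to the IPSec subtree ---
# createUser is consumed at startup and moved to the persistent store;
# the user name and passphrases here are placeholders.
createUser ipsecmon SHA "Auth-Passphrase-Placeholder" AES "Priv-Passphrase-Placeholder"

# View containing only the ipsec subtree.  Replace N: the draft has not
# yet fixed its sub-identifier under the experimental tree.
view ipsecview included .1.3.6.1.3.N

# Read-only, privacy (encryption) required, restricted to the view above.
rouser ipsecmon priv -V ipsecview

# The ipsecTrap* notifications carry peer addresses and suite indexes, so
# send them authenticated and encrypted as well (receiver is a placeholder).
trapsess -v 3 -u ipsecmon -l authPriv -a SHA -A "Auth-Passphrase-Placeholder" -x AES -X "Priv-Passphrase-Placeholder" nms.example.net
```

With this in place an unauthenticated walker gets nothing from the IPSec tables, and a principal with only the `ipsecmon` credentials cannot read objects outside the view.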
6. Acknowledgements
Portions of this document's origins are based on the working paper
"IP Security Management Information Base" by R. Thayer and U.
Blumenthal.
Significant contribution to this document comes from Charles Brooks
and Carl Powell, both of GTE Internetworking. Obviously, the IPSec
working group made significant contributions, specifically
including M. Daniele, T. Kivinen, J. Shriver, J. Walker, S. Kelly and
M. Richardson.
Additionally, thanks are extended to Gabriella Dinescu for assistance
in the preparation of the MIB structures.
7. References
[IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt, work in
progress.
[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt, work in
progress.
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol
(ISAKMP)", draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
progress.
[IPTun] Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-02.txt,
work in progress.
[IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
using SMIv2", RFC 2233, November 1997.
[IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP Payload
Compression Protocol (IPComp)", draft-ietf-ippcp-protocol-06.txt,
work in progress.
[1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Structure of Management Information for version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1902,
January 1996.
[2271] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2271, January
1998.
[1155] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", RFC 1155,
May 1990.
[1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
1212, March 1991.
[1215] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Textual Conventions for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1903,
January 1996.
[1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Conformance Statements for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1904,
January 1996.
[1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", RFC 1157, May 1990.
[1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Introduction to Community-based SNMPv2", RFC
1901, January 1996.
[1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Transport Mappings for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1906,
January 1996.
[2272] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2272, January 1998.
[2274] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2274, January 1998.
[1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Protocol Operations for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1905,
January 1996.
[2273] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
2273, January 1998.
[2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2275, January 1998.
8. Revision History
This section will be removed before publication.
September 11, 1998 Initial internal release.
Traps not yet defined in ASN.1 format.
Device MIB not yet defined in ASN.1 format.
October 4, 1998 Added significantly more explanations on
tunnel concept, including picture.
Added packet counters for traffic.
Made time usage consistent.
Added generic error counters.
Added SPIs and CPIs to IPSec SA table, and
cookies to IKE SA tunnel table.
Added peer port number to IKE SA table.
Added peer's certificate serial number and
issuer to IKE SA table.
More information about traps.
Added policy enforcement errors to IPSec
tunnels.
Issues:
1) Do aggregate statistic values on permanent
tunnels restart if link goes down and comes
back up again?
2) Should the IKE SA table indicate who was the
initiator?
3) Still have not put traps into ASN.1 format.
4) Still have not put entity-wide statistics
into ASN.1 format.
November 2, 1998 Add ASN.1 for entity level objects.
Add ASN.1 for traps.
Non-error event traps removed.
Added appendix to duplicate assigned numbers
from current drafts.
Issues:
1) Do aggregate statistic values on permanent
tunnels restart if link goes down and comes
back up again?
2) Group and Compliance statements?
3) Sub-identifier under the experimental tree?
November 24, 1998 Major changes; most too numerous to mention.
Single largest change is splitting IKE SAs from
what was the IKE tunnel table (now the control
channel table).
Issues:
1) Should aggregate statistic values on
permanent tunnels restart if link goes down and
comes back up again?
2) Group and Compliance statements?
3) Sub-identifier under the experimental tree?
4) Is existing address object implementation
okay for both IPv4 and IPv6?
9. Appendix A
This appendix reproduces the assigned numbers from the referenced
IPSec documents that are used in the MIB. They are to be used as a
reference only and are not part of this specification. As the IPSec
protocol evolves, this list is almost certain to become incomplete.
Portions are blatantly copied from [IKE],[IPDOI] and [ISAKMP].
ipsecIkeSaEncAlg - Encryption Algorithm
DES-CBC 1
IDEA-CBC 2
Blowfish-CBC 3
RC5-R16-B64-CBC 4
3DES-CBC 5
CAST-CBC 6
ipsecIkeSaPeerIdType
ID Type Value
------- -----
RESERVED 0
ID_IPV4_ADDR 1
ID_FQDN 2
ID_USER_FQDN 3
ID_IPV4_ADDR_SUBNET 4
ID_IPV6_ADDR 5
ID_IPV6_ADDR_SUBNET 6
ID_IPV4_ADDR_RANGE 7
ID_IPV6_ADDR_RANGE 8
ID_DER_ASN1_DN 9
ID_DER_ASN1_GN 10
ID_KEY_ID 11
ipsecIkeSaHashAlg - Hash Algorithm
MD5 1
SHA 2
Tiger 3
ipsecIkeSaAuthMethod - Authentication Method
pre-shared key 1
DSS signatures 2
RSA signatures 3
Encryption with RSA 4
Revised encryption with RSA 5
ipsecIkeSaDifHelGroupDesc - Group Description
default 768-bit MODP group 1
alternate 1024-bit MODP group 2
EC2N group on GP[2^155] 3
EC2N group on GP[2^185] 4
ipsecIkeSaDifHelGroupType - Group Type
MODP (modular exponentiation group) 1
ECP (elliptic curve group over GF[P]) 2
EC2N (elliptic curve group over GF[2^N]) 3
ipsecTunnelEspEncAlg
Transform ID Value
------------ -----
RESERVED 0
ESP_DES_IV64 1
ESP_DES 2
ESP_3DES 3
ESP_RC5 4
ESP_IDEA 5
ESP_CAST 6
ESP_BLOWFISH 7
ESP_3IDEA 8
ESP_DES_IV32 9
ESP_RC4 10
ESP_NULL 11
ipsecTunnelEspAuthAlg - Authentication Algorithm
RESERVED 0
HMAC-MD5 1
HMAC-SHA 2
DES-MAC 3
KPDK 4
ipsecTunnelAhAuthAlg
Transform ID Value
------------ -----
RESERVED 0-1
AH_MD5 2
AH_SHA 3
AH_DES 4
ipsecTunnelCompAlg
Transform ID Value
------------ -----
RESERVED 0
IPCOMP_OUI 1
IPCOMP_DEFLATE 2
IPCOMP_LZS 3
IPCOMP_V42BIS 4
NOTIFY MESSAGES - ERROR TYPES
Errors Value
------ -----
INVALID-PAYLOAD-TYPE 1
DOI-NOT-SUPPORTED 2
SITUATION-NOT-SUPPORTED 3
INVALID-COOKIE 4
INVALID-MAJOR-VERSION 5
INVALID-MINOR-VERSION 6
INVALID-EXCHANGE-TYPE 7
INVALID-FLAGS 8
INVALID-MESSAGE-ID 9
INVALID-PROTOCOL-ID 10
INVALID-SPI 11
INVALID-TRANSFORM-ID 12
ATTRIBUTES-NOT-SUPPORTED 13
NO-PROPOSAL-CHOSEN 14
BAD-PROPOSAL-SYNTAX 15
PAYLOAD-MALFORMED 16
INVALID-KEY-INFORMATION 17
INVALID-ID-INFORMATION 18
INVALID-CERT-ENCODING 19
INVALID-CERTIFICATE 20
CERT-TYPE-UNSUPPORTED 21
INVALID-CERT-AUTHORITY 22
INVALID-HASH-INFORMATION 23
AUTHENTICATION-FAILED 24
INVALID-SIGNATURE 25
ADDRESS-NOTIFICATION 26
NOTIFY-SA-LIFETIME 27
CERTIFICATE-UNAVAILABLE 28
UNSUPPORTED-EXCHANGE-TYPE 29
UNEQUAL-PAYLOAD-LENGTHS 30
RESERVED (Future Use) 31 - 8191
Private Use 8192 - 16383
NOTIFY MESSAGES - STATUS TYPES
Status Value
------ -----
CONNECTED 16384
RESERVED (Future Use) 16385 - 24575
DOI-specific codes 24576 - 32767
Private Use 32768 - 40959
RESERVED (Future Use) 40960 - 65535
Notify Messages - Status Types Value
------------------------------ -----
RESPONDER-LIFETIME 24576
REPLAY-STATUS 24577
INITIAL-CONTACT 24578
Editor's Address
Tim Jenkins
tjenkins@timestep.com
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON
Canada
K2K 2P5
+1 (613) 599-3610
The IPSec working group can be contacted via the IPSec working
group's mailing list (ipsec@tis.com) or through its chairs:
Robert Moskowitz
rgm@icsa.net
International Computer Security Association
Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology