Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                          TimeStep Corporation
Internet Draft                                          January 25, 1999
IPSec Monitoring MIB
<draft-ietf-ipsec-monitor-mib-00.txt>
Status of this Memo
This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@tis.com) or to the editor.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited.
Copyright Notice
This document is a product of the IETF's IPSec Working Group.
Copyright (C) The Internet Society (1998). All Rights Reserved.
IPSec Working Group [Page 1]
Internet Draft IPSec Monitoring MIB January 1999
Table of Contents
1. Introduction.....................................................2
2. The SNMPv2 Network Management Framework..........................2
2.1 Object Definitions .............................................3
3. IPSec MIB Objects Architecture...................................4
3.1 MIB Tables .....................................................4
3.2 Phase 1 Security Association Table .............................4
3.3 Phase 2 Protection Suite Table .................................4
3.3.1 Asymmetric Use ...............................................5
3.3.2 Security Association Bundles .................................5
3.4 Notify Messages ................................................5
3.5 IPSec MIB Traps ................................................5
3.6 IPSec Entity Level Objects .....................................6
4. MIB Definitions..................................................7
5. Security Considerations.........................................38
6. Acknowledgments.................................................38
7. Revision History................................................38
8. References......................................................38
9. Appendix A - Some Related Assigned Numbers......................40
1. Introduction
This document defines low level monitoring and status MIBs for IPSec.
It does not define MIBs that may be used for configuring IPSec
implementations or for providing low-level diagnostic or debugging
information. It assumes no specific use of IPSec. Further, it does
not provide policy information.
The purpose of the MIBs is to allow system administrators to
determine operating conditions and perform system operational level
monitoring of the IPSec portion of their network. Statistics are
provided as well. Additionally, it may be used as the basis for
application specific MIBs for specific uses of IPSec.
2. The SNMPv2 Network Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2271 [2271].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in
RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
version, called SMIv2, is described in RFC 1902 [1902],
RFC 1903 [1903] and RFC 1904 [1904].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in RFC 1157 [1157]. A second version of the SNMP message
protocol, which is not an Internet standards track protocol, is
called SNMPv2c and described in RFC 1901 [1901] and
RFC 1906 [1906]. The third version of the message protocol is
called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272]
and RFC 2274 [2274].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in RFC 1157 [1157]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [1905].
o A set of fundamental applications described in RFC 2273 [2273] and
the view-based access control mechanism described in
RFC 2275 [2275].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
2.1 Object Definitions
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the subset of Abstract Syntax Notation One (ASN.1)
defined in the SMI. In particular, each object type is named by an
OBJECT IDENTIFIER, an administratively assigned name. The object type
together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience, we often
use a textual string, termed the descriptor, to refer to the object
type.
3. IPSec MIB Objects Architecture
The IPSec MIB provides information related to both phase 1 (Internet
Key Exchange, or IKE) security associations (SAs) and phase 2 (IPSec)
SAs. Configuration information about the SAs is provided, as are
statistics related to the SAs themselves. Additionally, the MIB
provides a number of entity level aggregate totals for the SAs.
There are also traps defined. These may be used by system
administrators to help detect mis-configurations or possible attacks.
3.1 MIB Tables
The MIB uses two tables to show phase 1 SAs and phase 2 SAs.
The IPSec SAs appear in the IPSec protection suite table. IPSec
protection suites are as defined by [ISAKMP]. An SA is effectively a
protection suite that provides only a single security service.
3.2 Phase 1 Security Association Table
Phase 1 SAs presented in the table contain information about their
services provided, lifetime, end point authentication and some
aggregate performance statistics.
3.3 Phase 2 Protection Suite Table
As stated above, phase 2 SAs appear in the protection suite table.
Since both protection suites and SAs are negotiated within IKE using
a single proposal payload during a single quick mode, SAs are
considered a subset of protection suites.
[ISAKMP] also requires that attributes negotiated within a protection
suite apply to all SAs. Therefore, the protection suite table
provides expiration values, selectors and statistics only once for
all SAs in a protection suite.
Further, it is assumed that protection suites have only a single
occurrence of any one of the three defined security services. (IP
compression is considered a security service for the purposes of this
MIB.) The order of these services within the protection suite is
assumed to be compression before ESP before AH (in the
encrypting/hashing direction) as also stated in [ISAKMP] and
[SECARCH].
Entries in the protection suite table are uniquely identified by the
SPI, remote IP address and security protocol.
The table shows the security services, expiration values and SA
statistics.
Note that both statically keyed SAs and SAs created by a key exchange
protocol may be shown in the table.
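The following Python is an added example and is not part of this draft.
It models the identification and security-service objects of the
IpsecProtSuiteEntry row defined in section 4 and shows how a manager
would read them: the address objects are OCTET STRINGs of 4 or 16
octets, a zero SPI or CPI means that service is not part of the suite,
the services are listed in the compression-before-ESP-before-AH order
assumed above, and the (SPI, remote address, protocol) triple that
section 3.3 says identifies an entry is checked for uniqueness across
the table. The class, helper names and the table rows are constructed
for illustration; an SA being identified by SPI, destination address
and protocol is taken from the IPSec architecture, which is why the
outbound SPIs are paired with the remote address.

```python
"""Interpreting rows of the IPSec protection suite table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# IANA protocol numbers of the three security protocols (not MIB objects).
IPPROTO_ESP = 50
IPPROTO_AH = 51
IPPROTO_COMP = 108

SaKey = Tuple[int, str, int]  # (SPI or CPI, remote address, protocol)


def decode_address(octets: bytes) -> str:
    """ipsecProtSuiteLocalAddress / RemoteAddress: SIZE(4 | 16)."""
    if len(octets) not in (4, 16):
        raise ValueError(f"address must be 4 or 16 octets, got {len(octets)}")
    return str(ipaddress.ip_address(octets))


@dataclass
class ProtSuite:
    """Subset of IpsecProtSuiteEntry; field names follow the MIB objects."""
    index: int
    local_address: bytes
    remote_address: bytes
    inbound_esp_spi: int = 0
    outbound_esp_spi: int = 0
    inbound_ah_spi: int = 0
    outbound_ah_spi: int = 0
    inbound_comp_cpi: int = 0
    outbound_comp_cpi: int = 0
    protocol: int = 0        # ipsecProtSuiteProtocol, 0 = any protocol
    encapsulation: int = 2   # ipsecProtSuiteEncapsulation: transport(1), tunnel(2)

    def services(self) -> List[str]:
        """Services present, in the order the draft assumes for the
        encrypting direction: compression before ESP before AH."""
        ordered = (("IPCOMP", self.outbound_comp_cpi),
                   ("ESP", self.outbound_esp_spi),
                   ("AH", self.outbound_ah_spi))
        return [name for name, ident in ordered if ident != 0]

    def sa_keys(self) -> List[SaKey]:
        """(SPI, remote address, protocol) for each outbound SA of the suite.
        An SA is identified by SPI, destination address and protocol, so the
        outbound SPIs pair with the remote address, matching section 3.3."""
        remote = decode_address(self.remote_address)
        candidates = ((self.outbound_esp_spi, IPPROTO_ESP),
                      (self.outbound_ah_spi, IPPROTO_AH),
                      (self.outbound_comp_cpi, IPPROTO_COMP))
        return [(spi, remote, proto) for spi, proto in candidates if spi != 0]


def describe(suite: ProtSuite) -> str:
    """One-line operator view of a suite."""
    encap = {1: "transport", 2: "tunnel"}.get(suite.encapsulation, "unknown")
    proto = "any" if suite.protocol == 0 else str(suite.protocol)
    return (f"suite {suite.index}: {decode_address(suite.local_address)} -> "
            f"{decode_address(suite.remote_address)} {encap} proto={proto} "
            f"services={'+'.join(suite.services()) or 'none'}")


def find_duplicate_keys(table: List[ProtSuite]) -> List[SaKey]:
    """Keys shared by more than one suite. Section 3.3 requires the
    (SPI, remote address, protocol) triple to identify an entry uniquely,
    so a duplicate is an agent inconsistency worth reporting."""
    seen: Set[SaKey] = set()
    duplicates: List[SaKey] = []
    for suite in table:
        for key in suite.sa_keys():
            if key in seen and key not in duplicates:
                duplicates.append(key)
            seen.add(key)
    return duplicates


# Constructed sample rows (not data from a real agent). Suite 3 reuses the
# outbound ESP SPI of suite 1 towards the same peer to show the check firing.
SAMPLE_TABLE = [
    ProtSuite(1, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
              inbound_esp_spi=0x10000001, outbound_esp_spi=0x20000001,
              inbound_ah_spi=0x10000002, outbound_ah_spi=0x20000002),
    ProtSuite(2, bytes([192, 0, 2, 1]),
              ipaddress.ip_address("2001:db8::7").packed,
              inbound_esp_spi=0x10000003, outbound_esp_spi=0x20000003,
              inbound_comp_cpi=0x0100, outbound_comp_cpi=0x0101,
              protocol=6, encapsulation=1),
    ProtSuite(3, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
              inbound_esp_spi=0x10000004, outbound_esp_spi=0x20000001),
]

if __name__ == "__main__":
    for row in SAMPLE_TABLE:
        print(describe(row))
    print("duplicate SA keys:", find_duplicate_keys(SAMPLE_TABLE))
```

Running the module prints one line per suite (for suite 2:
"192.0.2.1 -> 2001:db8::7 transport proto=6 services=IPCOMP+ESP") and
reports the SPI that suites 1 and 3 share towards the same peer. In a
real manager the rows would be filled from the ipsecProtSuiteTable
columns fetched over SNMP rather than constructed.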
3.3.1 Asymmetric Use
This MIB is defined assuming symmetric use of SAs and protection
suites. That is, it assumes that an inbound SA is always set up with a
corresponding outbound SA that provides the same security service.
In cases where this MIB is required for asymmetric use, the
corresponding objects that describe the unused direction may be set
to the equivalent of the unknown or zero state.
3.3.2 Security Association Bundles
This MIB does not explicitly show SA bundles or any combination of
layered SAs that do not meet the protection suite definition as
defined in [ISAKMP]. However, these may be represented in this MIB by
separate protection suites with the appropriate set of selectors.
3.4 Notify Messages
Notify messages sent from peer to peer are not necessarily sent as
traps. However, they are collected as they occur and accumulated in a
sparse table structure.
A notify message object is defined. This object is used as the index
into the table of accumulated notify messages. This helps system
administrators determine if there are potential configuration
problems or attacks on their network.
3.5 IPSec MIB Traps
Traps are provided to let system administrators know about the
existence of error conditions occurring in the entity. Errors are
associated with the creation and deletion of SAs, and also
operational errors that may indicate the presence of attacks on the
system.
Traps are not provided when SAs come up or go down, unless they
cannot be negotiated or go down due to error conditions.
The causes of SA negotiation failure are indicated by a notify
message object.
3.6 IPSec Entity Level Objects
This part of the MIB carries statistics global to the IPSec device.
Statistics included are aggregate usage and aggregate errors for both
phase 1 SAs and phase 2 protection suites. The statistics are
provided as objects in a tree below these groups.
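Sections 3.5 and 3.6 leave the alerting logic to the manager. The
following Python is an added example, not part of this draft: it
takes two polls of the per-suite Counter32 error objects defined in
section 4 (ipsecProtSuiteDecryptErrors, AuthErrors, ReplayErrors,
PolicyErrors, OtherReceiveErrors and SendErrors), computes the
increments with Counter32 wrap handling, aggregates them into
entity-level totals of the kind section 3.6 carries, and flags suites
whose authentication or replay discard rate exceeds a threshold, since
a sustained run of such discards is the sort of operational error
section 3.5 says may indicate an attack. The poll data, the 60 second
interval and the 1 error/second threshold are constructed assumptions.

```python
"""Turning protection-suite error counters into alerts (added example)."""
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple

COUNTER32_MODULUS = 1 << 32


@dataclass(frozen=True)
class SuiteErrors:
    """Error-statistics objects of one IpsecProtSuiteEntry row."""
    index: int
    decrypt_errors: int
    auth_errors: int
    replay_errors: int
    policy_errors: int
    other_receive_errors: int
    send_errors: int


ERROR_FIELDS = [f.name for f in fields(SuiteErrors) if f.name != "index"]


def counter32_delta(previous: int, current: int) -> int:
    """Increment between two readings of a Counter32, tolerating one wrap
    (Counter32 values are only meaningful as differences)."""
    return (current - previous) % COUNTER32_MODULUS


def poll_deltas(previous: Dict[int, SuiteErrors],
                current: Dict[int, SuiteErrors]) -> Dict[int, Dict[str, int]]:
    """Per-suite increments of each error object between two polls, keyed
    by ipsecProtSuiteIndex. A suite without a reading in the previous poll
    has no baseline and is skipped; one that vanished simply drops out."""
    deltas: Dict[int, Dict[str, int]] = {}
    for index, now in current.items():
        before = previous.get(index)
        if before is None:
            continue
        deltas[index] = {
            name: counter32_delta(getattr(before, name), getattr(now, name))
            for name in ERROR_FIELDS
        }
    return deltas


def entity_totals(deltas: Dict[int, Dict[str, int]]) -> Dict[str, int]:
    """Aggregate the per-suite increments into device-wide totals."""
    totals = {name: 0 for name in ERROR_FIELDS}
    for per_suite in deltas.values():
        for name, value in per_suite.items():
            totals[name] += value
    return totals


def flag_suspicious(deltas: Dict[int, Dict[str, int]], interval_s: float,
                    max_rate: float = 1.0) -> List[Tuple[int, str, float]]:
    """Suites whose authentication or replay discard rate (per second)
    exceeds max_rate. Occasional replay discards come from reordering;
    a sustained rate points at a keying mismatch or at forged or replayed
    packets. The threshold is an assumption; tune it per link."""
    alerts: List[Tuple[int, str, float]] = []
    for index in sorted(deltas):
        for name in ("auth_errors", "replay_errors"):
            rate = deltas[index][name] / interval_s
            if rate > max_rate:
                alerts.append((index, name, rate))
    return alerts


# Constructed sample polls, 60 seconds apart (not captured from a device).
POLL_INTERVAL_S = 60.0
PREVIOUS_POLL = {
    1: SuiteErrors(1, 0, 2, 0, 0, 0, 0),
    2: SuiteErrors(2, 0, 4294967290, 5, 0, 1, 0),  # auth counter near wrap
    3: SuiteErrors(3, 0, 0, 0, 0, 0, 0),           # suite gone by next poll
}
CURRENT_POLL = {
    1: SuiteErrors(1, 0, 2, 1, 0, 0, 0),        # one replay discard: reordering
    2: SuiteErrors(2, 0, 190, 5, 0, 1, 0),      # wrapped: +196 auth failures
    4: SuiteErrors(4, 0, 0, 900, 0, 0, 0),      # new suite, no baseline yet
}

if __name__ == "__main__":
    increments = poll_deltas(PREVIOUS_POLL, CURRENT_POLL)
    print("entity totals:", entity_totals(increments))
    for index, name, rate in flag_suspicious(increments, POLL_INTERVAL_S):
        print(f"suite {index}: {name} at {rate:.2f}/s")
```

With the sample polls only suite 2 is reported (196 authentication
failures in 60 seconds, counted correctly across the Counter32 wrap);
suite 1's single replay discard stays below the threshold, and suite
4's large replay count is not judged because there is no earlier
reading to difference against.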
4. MIB Definitions
IPSEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
Integer32, Unsigned32,
experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI
DateAndTime, TruthValue FROM SNMPv2-TC;
ipsecMIB MODULE-IDENTITY
LAST-UPDATED "9901251200Z"
ORGANIZATION "IETF IPSec Working Group"
CONTACT-INFO
" Tim Jenkins
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON K0A 2H0
Canada
613-599-3610
tjenkins@timestep.com"
DESCRIPTION
"The MIB module to describe generic IPSec objects, and
entity level IPSec objects and events."
REVISION "9901251200Z"
DESCRIPTION
"Initial revision."
-- ::= { mib-2 ?? }
::= { experimental 500 }
ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }
ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }
-- the IPSec Protection Suites MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suites
ipsecProtSuiteTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecProtSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
protection suites."
::= { ipsec 1 }
ipsecProtSuiteEntry OBJECT-TYPE
SYNTAX IpsecProtSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec protection suite."
INDEX { ipsecProtSuiteIndex }
::= { ipsecProtSuiteTable 1 }
IpsecProtSuiteEntry ::= SEQUENCE {
ipsecProtSuiteIndex Integer32,
-- identification
ipsecProtSuiteLocalAddress OCTET STRING,
ipsecProtSuiteRemoteAddress OCTET STRING,
ipsecProtSuiteInboundEspSpi Unsigned32,
ipsecProtSuiteOutboundEspSpi Unsigned32,
ipsecProtSuiteInboundAhSpi Unsigned32,
ipsecProtSuiteOutboundAhSpi Unsigned32,
ipsecProtSuiteInboundCompCpi INTEGER,
ipsecProtSuiteOutboundCompCpi INTEGER,
-- protection suite selectors
ipsecProtSuiteLocalId OCTET STRING,
ipsecProtSuiteLocalIdType Unsigned32,
ipsecProtSuiteRemoteId OCTET STRING,
ipsecProtSuiteRemoteIdType Unsigned32,
ipsecProtSuiteProtocol Integer32,
ipsecProtSuiteLocalPort Integer32,
ipsecProtSuiteRemotePort Integer32,
-- creation mechanism
ipsecProtSuiteDifHelGroupDesc Integer32,
ipsecProtSuiteDifHelGroupType Integer32,
ipsecProtSuitePFS TruthValue,
-- security services description
ipsecProtSuiteEncapsulation INTEGER,
ipsecProtSuiteEspEncAlg Integer32,
ipsecProtSuiteEspEncKeyLength Unsigned32,
ipsecProtSuiteEspAuthAlg Integer32,
ipsecProtSuiteAhAuthAlg Integer32,
ipsecProtSuiteCompAlg Integer32,
-- expiration limits
ipsecProtSuiteCreationTime DateAndTime,
ipsecProtSuiteTimeLimit OCTET STRING, -- sec., 0 if none
ipsecProtSuiteTrafficLimit OCTET STRING, -- 0 if none
ipsecProtSuiteInTrafficCount OCTET STRING,
ipsecProtSuiteOutTrafficCount OCTET STRING,
-- current operating statistics
ipsecProtSuiteInboundTraffic Counter64,
ipsecProtSuiteOutboundTraffic Counter64,
ipsecProtSuiteInboundPackets Counter64,
ipsecProtSuiteOutboundPackets Counter64,
-- error statistics
ipsecProtSuiteDecryptErrors Counter32,
ipsecProtSuiteAuthErrors Counter32,
ipsecProtSuiteReplayErrors Counter32,
ipsecProtSuitePolicyErrors Counter32,
ipsecProtSuiteOtherReceiveErrors Counter32,
ipsecProtSuiteSendErrors Counter32
}
ipsecProtSuiteIndex OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each IPSec
protection suite. It is recommended that values are
assigned contiguously starting from 1."
::= { ipsecProtSuiteEntry 1 }
ipsecProtSuiteLocalAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local IP address used by the protection suite.
The size of this object is 4 if the address is an IPv4
address, or 16 if the address is an IPv6 address."
::= { ipsecProtSuiteEntry 2 }
ipsecProtSuiteRemoteAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The peer IP address used by the protection suite.
The size of this object is 4 if the address is an IPv4
address, or 16 if the address is an IPv6 address."
::= { ipsecProtSuiteEntry 3 }
ipsecProtSuiteInboundEspSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the inbound protection suite
that provides the ESP security service, or zero if ESP is
not used."
::= { ipsecProtSuiteEntry 4 }
ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the outbound protection suite
that provides the ESP security service, or zero if ESP is
not used."
::= { ipsecProtSuiteEntry 5 }
ipsecProtSuiteInboundAhSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the inbound protection suite
that provides the AH security service, or zero if AH is
not used."
::= { ipsecProtSuiteEntry 6 }
ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
SYNTAX Unsigned32 (0..4294967295)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the SPI for the outbound protection suite
that provides the AH security service, or zero if AH is
not used."
::= { ipsecProtSuiteEntry 7 }
ipsecProtSuiteInboundCompCpi OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the CPI for the inbound protection suite
that provides IP compression, or zero if IPCOMP is not
used."
::= { ipsecProtSuiteEntry 8 }
ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the CPI for the outbound protection suite
that provides IP compression, or zero if IPCOMP is not
used."
::= { ipsecProtSuiteEntry 9 }
ipsecProtSuiteLocalId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local identifier of the protection suite, or 0 if
unknown or if the protection suite uses transport mode
encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecProtSuiteEntry 10 }
ipsecProtSuiteLocalIdType OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecProtSuiteLocalId', or 0 if unknown or if the
protection suite uses transport mode encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecProtSuiteEntry 11 }
ipsecProtSuiteRemoteId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote identifier of the protection suite, or 0 if
unknown or if the protection suite uses transport mode
encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecProtSuiteEntry 12 }
ipsecProtSuiteRemoteIdType OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecProtSuiteRemoteId', or 0 if unknown or if the
protection suite uses transport mode encapsulation.
This value is taken directly from the optional ID
payloads that are exchanged during phase 2 negotiations."
::= { ipsecProtSuiteEntry 13 }
ipsecProtSuiteProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP protocol number that this protection suite
carries, or 0 if it carries any protocol."
::= { ipsecProtSuiteEntry 14 }
ipsecProtSuiteLocalPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local UDP or TCP port number that this protection
suite carries, or 0 if it carries any port number."
::= { ipsecProtSuiteEntry 15 }
ipsecProtSuiteRemotePort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote UDP or TCP port number that this protection
suite carries, or 0 if it carries any port number."
::= { ipsecProtSuiteEntry 16 }
ipsecProtSuiteDifHelGroupDesc OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
description used to set up this protection suite, or 0 if
the description is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Description from Appendix A of [IKE]."
::= { ipsecProtSuiteEntry 17 }
ipsecProtSuiteDifHelGroupType OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
type used to set up this protection suite, or 0 if the
type is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Type from Appendix A of [IKE]."
::= { ipsecProtSuiteEntry 18 }
ipsecProtSuitePFS OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"'true' if the protection suite was created using perfect
forward secrecy."
::= { ipsecProtSuiteEntry 19 }
ipsecProtSuiteEncapsulation OBJECT-TYPE
SYNTAX INTEGER { transport(1), tunnel(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by this protection
suite."
::= { ipsecProtSuiteEntry 20 }
ipsecProtSuiteEspEncAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic carried by this protection suite if it
uses ESP or 0 if there is no encryption applied by ESP or
if ESP is not used.
Specific values are taken from section 4.4.4 of [IPDOI]."
::= { ipsecProtSuiteEntry 21 }
ipsecProtSuiteEspEncKeyLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for the
algorithm specified in the 'ipsecProtSuiteEspEncAlg'
object, or 0 if the key length is implicit in the
specified algorithm or there is no encryption specified."
::= { ipsecProtSuiteEntry 22 }
ipsecProtSuiteEspAuthAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this protection suite if it uses
ESP or 0 if there is no authentication applied by ESP or
if ESP is not used.
Specific values are taken from the Authentication
Algorithm attribute values of Section 4.5 of [IPDOI]."
::= { ipsecProtSuiteEntry 23 }
ipsecProtSuiteAhAuthAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this protection suite if it uses AH
or 0 if AH is not used.
Specific values are taken from Section 4.4.3 of [IPDOI]."
::= { ipsecProtSuiteEntry 24 }
ipsecProtSuiteCompAlg OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the compression algorithm
applied to traffic carried by this protection suite if it
uses IPCOMP.
Specific values are taken from Section 4.4.5 of [IPDOI]."
::= { ipsecProtSuiteEntry 25 }
ipsecProtSuiteCreationTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the current protection suite was
set up."
::= { ipsecProtSuiteEntry 26 }
ipsecProtSuiteTimeLimit OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the protection suite,
or 0 if there is no time constraint on its expiration."
::= { ipsecProtSuiteEntry 27 }
ipsecProtSuiteTrafficLimit OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in 1024-byte blocks that the
protection suite is allowed to support, or 0 if there is
no traffic constraint on its expiration."
::= { ipsecProtSuiteEntry 28 }
ipsecProtSuiteInTrafficCount OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of inbound traffic accumulated that counts
against the protection suite's expiration by traffic
limitation, measured in 1024-byte blocks.
This value may be 0 if the protection suite does not
expire based on traffic.
In the case of multiple SAs within a protection suite,
this value is the maximum of any traffic accumulation
values applied to any of the individual SAs within the
protection suite."
::= { ipsecProtSuiteEntry 29 }
ipsecProtSuiteOutTrafficCount OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
UNITS "1024-byte blocks"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of outbound traffic accumulated that counts
against the protection suite's expiration by traffic
limitation, measured in 1024-byte blocks.
This value may be 0 if the protection suite does not
expire based on traffic.
In the case of multiple SAs within a protection suite,
this value is the maximum of any traffic accumulation
values applied to any of the individual SAs within the
protection suite."
::= { ipsecProtSuiteEntry 30 }
ipsecProtSuiteInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes
handled by the protection suite in the inbound direction.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecProtSuiteEntry 31 }
ipsecProtSuiteOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes
handled by the protection suite in the outbound
direction.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecProtSuiteEntry 32 }
ipsecProtSuiteInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the protection suite in
the inbound direction."
::= { ipsecProtSuiteEntry 33 }
ipsecProtSuiteOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the protection suite in
the outbound direction."
::= { ipsecProtSuiteEntry 34 }
ipsecProtSuiteDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to decryption errors."
::= { ipsecProtSuiteEntry 35 }
ipsecProtSuiteAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to authentication errors. This
includes hash failures in both ESP and AH."
::= { ipsecProtSuiteEntry 36 }
ipsecProtSuiteReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to replay errors. This includes
replay failures in both ESP and AH."
::= { ipsecProtSuiteEntry 37 }
ipsecProtSuitePolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to policy errors."
::= { ipsecProtSuiteEntry 38 }
ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the
protection suite due to errors other than decryption,
authentication or replay errors. This may include
decompression errors or errors due to a lack of receive
buffers."
::= { ipsecProtSuiteEntry 39 }
ipsecProtSuiteSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets discarded by the
protection suite due to any error. This may include
compression errors or errors due to a lack of transmit
buffers."
::= { ipsecProtSuiteEntry 40 }
-- the IPSec IKE MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE SAs
ipsecIkeSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecIkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec's
IKE SAs."
::= { ipsec 2 }
ipsecIkeSaEntry OBJECT-TYPE
SYNTAX IpsecIkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IKE SA."
INDEX { ipsecIkeSaIndex }
::= { ipsecIkeSaTable 1 }
IpsecIkeSaEntry ::= SEQUENCE {
ipsecIkeSaIndex Integer32,
-- identifier information
ipsecIkeSaInitiatorCookie OCTET STRING,
ipsecIkeSaResponderCookie OCTET STRING,
ipsecIkeSaLocalIpAddress OCTET STRING,
ipsecIkeSaLocalPortNumber INTEGER,
ipsecIkeSaLocalIdType Integer32,
ipsecIkeSaLocalId OCTET STRING,
-- peer information
ipsecIkeSaPeerIpAddress OCTET STRING,
ipsecIkeSaPeerPortNumber INTEGER,
ipsecIkeSaAuthMethod Integer32,
ipsecIkeSaPeerIdType Integer32,
ipsecIkeSaPeerId OCTET STRING,
ipsecIkeSaPeerCertSerialNum OCTET STRING,
ipsecIkeSaPeerCertIssuer OCTET STRING,
-- security algorithm information
ipsecIkeSaEncAlg INTEGER,
ipsecIkeSaEncKeyLength Integer32,
ipsecIkeSaHashAlg Integer32,
ipsecIkeSaDifHelGroupDesc Integer32,
ipsecIkeSaDifHelGroupType Integer32,
ipsecIkeSaDifHelFieldSize Integer32,
ipsecIkeSaPRF Integer32,
ipsecIkeSaPFS TruthValue,
-- expiration limits
ipsecIkeSaTimeStart DateAndTime,
ipsecIkeSaTimeLimit OCTET STRING, -- in seconds
ipsecIkeSaTrafficLimit OCTET STRING, -- in kbytes
-- operating statistics
ipsecIkeSaInboundTraffic Counter64, -- in bytes
ipsecIkeSaOutboundTraffic Counter64, -- in bytes
ipsecIkeSaInboundPackets Counter32,
ipsecIkeSaOutboundPackets Counter32,
ipsecIkeProtSuitesCreated Counter32,
ipsecIkeProtSuitesDeleted Counter32,
-- error statistics
ipsecIkeSaDecryptErrors Counter32,
ipsecIkeSaAuthErrors Counter32,
ipsecIkeSaOtherReceiveErrors Counter32,
ipsecIkeSaSendErrors Counter32
}
ipsecIkeSaIndex OBJECT-TYPE
SYNTAX Integer32 (1..16777215)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each phase 1 SA.
It is recommended that values are assigned contiguously
starting from 1.
The value for each entry must remain constant at least
from one re-initialization of the entity's network
management system to the next re-initialization."
::= { ipsecIkeSaEntry 1 }
ipsecIkeSaInitiatorCookie OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the initiator for the
phase 1 SA."
::= { ipsecIkeSaEntry 2 }
ipsecIkeSaResponderCookie OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the responder for the
phase 1 SA."
::= { ipsecIkeSaEntry 3 }
ipsecIkeSaLocalIpAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local IP address used to negotiate the SA.
The size of the object is 4 if the address is an IPv4
address and 16 if an IPv6 address."
::= { ipsecIkeSaEntry 4 }
ipsecIkeSaLocalPortNumber OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local UDP port number that this SA was negotiated
with."
::= { ipsecIkeSaEntry 5 }
ipsecIkeSaLocalIdType OBJECT-TYPE
SYNTAX Integer32 (0..256)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of ID used by the local end of this SA.
Specific values are used as described in Section 4.6.2.1
of [IPDOI]."
::= { ipsecIkeSaEntry 8 }
ipsecIkeSaLocalId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the local host that negotiated this SA.
The length may require truncation under some conditions."
::= { ipsecIkeSaEntry 9 }
ipsecIkeSaPeerIpAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE( 4 | 16 ) )
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP address of the peer that this SA was negotiated
with.
The size of the object is 4 if the address is an IPv4
address and 16 if it is an IPv6 address."
::= { ipsecIkeSaEntry 10 }
ipsecIkeSaPeerPortNumber OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The UDP port number of the peer that this SA was
negotiated with."
::= { ipsecIkeSaEntry 11 }
ipsecIkeSaAuthMethod OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The authentication method used to authenticate the peer.
Note that this does not include the specific method of
authentication if extended authentication is used.
Specific values are used as described in the ISAKMP Class
Values of Authentication Method from Appendix A of
[IKE]."
::= { ipsecIkeSaEntry 12 }
ipsecIkeSaPeerIdType OBJECT-TYPE
SYNTAX Integer32 (0..256)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of ID used by the peer.
Specific values are used as described in Section 4.6.2.1
of [IPDOI]."
::= { ipsecIkeSaEntry 13 }
ipsecIkeSaPeerId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID of the peer this SA was negotiated with.
The length may require truncation under some conditions."
::= { ipsecIkeSaEntry 14 }
ipsecIkeSaPeerCertSerialNum OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..63))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The serial number of the certificate of the peer this SA
was negotiated with.
This object has no meaning if a certificate was not used
in authenticating the peer."
::= { ipsecIkeSaEntry 15 }
ipsecIkeSaPeerCertIssuer OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..511))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The issuer of the certificate of the peer this SA was
negotiated with.
This object has no meaning if a certificate was not used
in authenticating the peer."
::= { ipsecIkeSaEntry 16 }
ipsecIkeSaEncAlg OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic carried by this SA.
Specific values are used as described in the ISAKMP
Class Values of Encryption Algorithms from Appendix A
of [IKE]."
::= { ipsecIkeSaEntry 17 }
ipsecIkeSaEncKeyLength OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for
algorithm specified in the ipsecIkeSaEncAlg object or 0
if the key length is implicit in the specified
algorithm."
::= { ipsecIkeSaEntry 18 }
ipsecIkeSaHashAlg OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied
to traffic carried by this SA.
Specific values are used as described in the ISAKMP Class
Values of Hash Algorithms from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 19 }
ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
description used or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Description from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 20 }
ipsecIkeSaDifHelGroupType OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the Diffie-Hellman group
type used or 0 if the group is unknown.
Specific values are used as described in the ISAKMP Class
Values of Group Type from Appendix A of [IKE]."
::= { ipsecIkeSaEntry 21 }
ipsecIkeSaDifHelFieldSize OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The field size, in bits, of the Diffie-Hellman group
used to generate the key-pair, or 0 if unknown."
::= { ipsecIkeSaEntry 22 }
ipsecIkeSaPRF OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The pseudo-random functions used, or 0 if not used or if
unknown.
Specific values are used as described in the ISAKMP Class
Values of PRF from Appendix A of [IKE] (which specifies
none at the present time)."
::= { ipsecIkeSaEntry 23 }
ipsecIkeSaPFS OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A value that indicates that perfect forward secrecy is
used for all IPSec SAs created by this IKE SA."
::= { ipsecIkeSaEntry 24 }
ipsecIkeSaTimeStart OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date and time that the SA was set up."
::= { ipsecIkeSaEntry 25 }
ipsecIkeSaTimeLimit OBJECT-TYPE
SYNTAX OCTET STRING
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the SA, or 0 if there
is no time constraint on its expiration."
::= { ipsecIkeSaEntry 26 }
ipsecIkeSaTrafficLimit OBJECT-TYPE
SYNTAX OCTET STRING
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in 1024-byte blocks that the SA is
allowed to carry, or 0 if there is no traffic constraint
on its expiration."
::= { ipsecIkeSaEntry 27 }
ipsecIkeSaInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic, measured in bytes, handled in the
SA in the inbound direction."
::= { ipsecIkeSaEntry 28 }
ipsecIkeSaOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic, measured in bytes, handled in the
SA in the outbound direction."
::= { ipsecIkeSaEntry 29 }
ipsecIkeSaInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled in the SA in the inbound
direction."
::= { ipsecIkeSaEntry 30 }
ipsecIkeSaOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled in the SA in the outbound
direction."
::= { ipsecIkeSaEntry 31 }
ipsecIkeProtSuitesCreated OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 protection suites created by
the SA."
::= { ipsecIkeSaEntry 32 }
ipsecIkeProtSuitesDeleted OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 protection suites deleted by
the SA."
::= { ipsecIkeSaEntry 33 }
ipsecIkeSaDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the phase 1
SA due to decryption errors."
::= { ipsecIkeSaEntry 34 }
ipsecIkeSaAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the phase 1
SA due to authentication errors."
::= { ipsecIkeSaEntry 35 }
ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets discarded by the phase 1
SA due to errors other than decryption or authentication
errors. This may include errors due to a lack of receive
buffers."
::= { ipsecIkeSaEntry 36 }
ipsecIkeSaSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets discarded by the phase 1
SA due to any error. This may include errors due to a
lack of transmit buffers."
::= { ipsecIkeSaEntry 37 }
-- the IPSec Entity MIB-Group
--
-- a collection of objects providing information about overall IPSec
-- status in the entity
--
-- Definitions of significant branches
--
ipsecTrapsA OBJECT IDENTIFIER ::= { ipsec 3 }
ipsecTraps OBJECT IDENTIFIER ::= { ipsecTrapsA 0 }
ipsecIpsecStats OBJECT IDENTIFIER ::= { ipsec 4 }
ipsecIpsecErrorStats OBJECT IDENTIFIER ::= { ipsec 5 }
ipsecIkeStats OBJECT IDENTIFIER ::= { ipsec 6 }
ipsecIkeErrorStats OBJECT IDENTIFIER ::= { ipsec 7 }
ipsecNotifications OBJECT IDENTIFIER ::= { ipsec 8 }
--
-- entity IPSec statistics
--
ipsecIpsecTotalProtSuites OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 protection suites
established by the entity since boot time."
::= { ipsecIpsecStats 1 }
ipsecIpsecNegFailures OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 protection suite
negotiations that failed in the entity since boot time."
::= { ipsecIpsecStats 2 }
ipsecIpsecTotalInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets carried on IPSec
protection suites since boot time."
::= { ipsecIpsecStats 3 }
ipsecIpsecTotalTransOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets carried on IPSec
protection suites since boot time."
::= { ipsecIpsecStats 4 }
ipsecIpsecTotalTransInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic carried on IPSec
protection suites since boot time, measured in 1024-octet
blocks."
::= { ipsecIpsecStats 5 }
ipsecIpsecTotalTransOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic carried on IPSec
protection suites since boot time, measured in 1024-octet
blocks."
::= { ipsecIpsecStats 6 }
--
-- IPSec error counts
--
ipsecIpsecDecryptionErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time with
decryption errors."
::= { ipsecIpsecErrorStats 1 }
ipsecIpsecAuthenticationErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time with
authentication errors.
This includes all packets in which the hash value is
determined to be invalid."
::= { ipsecIpsecErrorStats 2 }
ipsecIpsecReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time with replay
errors."
::= { ipsecIpsecErrorStats 3 }
ipsecIpsecPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time and discarded
due to policy errors. This includes packets that had
selectors that were invalid for the SA or protection
suite that carried them."
::= { ipsecIpsecErrorStats 4 }
ipsecIpsecOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time and discarded
due to errors not due to decryption, authentication,
replay or policy."
::= { ipsecIpsecErrorStats 5 }
ipsecIpsecSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets to be sent by the entity in
the IPSec protection suites since boot time and discarded
due to errors."
::= { ipsecIpsecErrorStats 6 }
ipsecUnknownSpiErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with SPIs or CPIs that were not valid."
::= { ipsecIpsecErrorStats 7 }
--
-- entity IKE statistics
--
ipsecIkeTotalSAs OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 SAs successfully established
by the entity since boot time."
::= { ipsecIkeStats 1 }
ipsecIkeNegFailures OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 1 SA negotiations that failed
in the entity since boot time."
::= { ipsecIkeStats 2 }
ipsecIkeTotalInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets carried on phase 1
SAs since boot time."
::= { ipsecIkeStats 3 }
ipsecIkeTotalTransOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets carried on phase 1
SAs since boot time."
::= { ipsecIkeStats 4 }
ipsecIkeTotalTransInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic carried on phase 1
SAs since boot time, measured in 1024-octet blocks."
::= { ipsecIkeStats 5 }
ipsecIkeTotalTransOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic carried on phase 1
SAs since boot time, measured in 1024-octet blocks."
::= { ipsecIkeStats 6 }
--
-- IKE error counts
--
ipsecIkeProtocolErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with IKE protocol errors.
This includes packets with invalid cookies, but does not
include errors that are associated with specific IKE
SAs."
::= { ipsecIkeErrorStats 1 }
ipsecIkeDecryptionErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time with
decryption errors."
::= { ipsecIkeErrorStats 2 }
ipsecIkeAuthenticationErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
the IPSec protection suites since boot time with
authentication errors.
This includes all packets in which the hash value is
determined to be invalid."
::= { ipsecIkeErrorStats 3 }
ipsecIkeOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
phase 1 SAs since boot time and discarded due to errors
not due to decryption or authentication."
::= { ipsecIkeErrorStats 4 }
ipsecIkeSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets to be sent by the entity in
phase 1 SAs since boot time and discarded due to errors."
::= { ipsecIkeErrorStats 5 }
-- the IPSec Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages
ipsecNotifyMessageTotalCount OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of all types of notify messages sent or
received by the entity since boot time.
It is the sum of all occurrences in the
'ipsecNotifyCountTable'."
::= { ipsecNotifications 1 }
ipsecNotifyCountTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecNotifyCountEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
notify message counts.
This table MAY be sparsely populated; that is, rows for
which the count is 0 may be absent."
::= { ipsecNotifications 2 }
ipsecNotifyCountEntry OBJECT-TYPE
SYNTAX IpsecNotifyCountEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the total number of
occurrences of a notify message."
INDEX { ipsecNotifyMessage }
::= { ipsecNotifyCountTable 1 }
IpsecNotifyCountEntry ::= SEQUENCE {
ipsecNotifyMessage INTEGER,
ipsecNotifyMessageCount Counter32
}
ipsecNotifyMessage OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value representing a specific IPSec notify message,
or 0 if unknown.
Values are assigned from the set of notify message types
as defined in Section 3.14.1 of [ISAKMP]. In addition,
the value 0 may be used for this object when the object
is used as a trap cause, and the cause is unknown."
::= { ipsecNotifyCountEntry 1 }
ipsecNotifyMessageCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of times the specific notify message
has been received or sent by the entity since system
boot."
::= { ipsecNotifyCountEntry 2 }
--
-- traps
--
ipsecTrapIkeNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaLocalIdType,
ipsecIkeSaLocalId,
ipsecIkeSaPeerIdType,
ipsecIkeSaPeerId,
ipsecIkeSaLocalIpAddress,
ipsecIkeSaLocalPortNumber,
ipsecIkeSaPeerIpAddress,
ipsecIkeSaPeerPortNumber,
ipsecIkeSaAuthMethod,
ipsecIkeSaPeerCertSerialNum,
ipsecIkeSaPeerCertIssuer,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 1 SA failed."
::= { ipsecTraps 1 }
ipsecTrapInvalidCookie NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress,
ipsecIkeSaPeerPortNumber
}
STATUS current
DESCRIPTION
"IKE packets with invalid cookies were detected from the
specified peer.
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 2 }
ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaIndex,
ipsecNotifyMessage
}
STATUS current
DESCRIPTION
"An attempt to negotiate a phase 2 protection suite
within the specified IKE SA failed."
::= { ipsecTraps 3 }
ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
OBJECTS {
ipsecProtSuiteIndex
}
STATUS current
DESCRIPTION
"IPSec packets with invalid hashes were found in the
specified protection suite.
Implementations SHOULD send one trap per protection suite
(within a reasonable time period), rather than sending
one trap per packet."
::= { ipsecTraps 4 }
ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
OBJECTS {
ipsecProtSuiteIndex
}
STATUS current
DESCRIPTION
"IPSec packets with invalid sequence numbers were found
in the specified protection suite.
Implementations SHOULD send one trap per protection suite
(within a reasonable time period), rather than sending
one trap per packet."
::= { ipsecTraps 5 }
ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
OBJECTS {
ipsecProtSuiteIndex
}
STATUS current
DESCRIPTION
"IPSec packets carrying packets with invalid selectors
for the specified protection suite were found.
Implementations SHOULD send one trap per protection suite
(within a reasonable time period), rather than sending
one trap per packet."
::= { ipsecTraps 6 }
ipsecTrapInvalidSpi NOTIFICATION-TYPE
OBJECTS {
ipsecIkeSaPeerIpAddress
}
STATUS current
DESCRIPTION
"ESP, AH or IPCOMP packets with unknown SPIs (or CPIs)
were detected from the specified peer.
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { ipsecTraps 7 }
END
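The ipsecTrap* notifications above ask implementations to send one trap per peer or per protection suite within a reasonable time period rather than one trap per packet, while the entity error counters still count every offending packet. The following Python is an added example of an agent-side throttle that does exactly that; it is not code from the draft, and the 60-second window, the class and method names and the sample addresses are assumptions.

```python
# Added example (not part of the draft): agent-side trap throttling that
# follows the "one trap per peer / per protection suite within a reasonable
# time period" guidance, while still counting every packet in the draft's
# entity error counters (Counter32, so they wrap modulo 2^32).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COUNTER32_MOD = 2 ** 32  # SMIv2 Counter32 wraps at 2^32


@dataclass
class IpsecTrapThrottle:
    """Suppress repeated traps for the same cause and key within `window` seconds."""
    window: float = 60.0  # the draft fixes no period; 60 s is an assumption
    # Entity-wide error counters named in the draft (values only, OIDs omitted).
    counters: Dict[str, int] = field(default_factory=lambda: {
        "ipsecIkeProtocolErrors": 0,
        "ipsecIpsecAuthenticationErrors": 0,
        "ipsecIpsecReplayErrors": 0,
        "ipsecUnknownSpiErrors": 0,
    })
    _last_sent: Dict[Tuple[str, tuple], float] = field(default_factory=dict)
    sent: List[dict] = field(default_factory=list)  # traps actually emitted

    def _count(self, name: str) -> None:
        self.counters[name] = (self.counters[name] + 1) % COUNTER32_MOD

    def _emit(self, trap: str, key: tuple, objects: dict, now: float) -> Optional[dict]:
        last = self._last_sent.get((trap, key))
        if last is not None and now - last < self.window:
            return None  # same cause, same peer/suite, inside the window: suppressed
        self._last_sent[(trap, key)] = now
        msg = {"trap": trap, "objects": objects, "time": now}
        self.sent.append(msg)
        return msg

    def invalid_cookie(self, peer_ip: str, peer_port: int, now: float) -> Optional[dict]:
        # ipsecTrapInvalidCookie: keyed by peer; every packet counts as an
        # IKE protocol error per the ipsecIkeProtocolErrors description.
        self._count("ipsecIkeProtocolErrors")
        return self._emit("ipsecTrapInvalidCookie", (peer_ip, peer_port),
                          {"ipsecIkeSaPeerIpAddress": peer_ip,
                           "ipsecIkeSaPeerPortNumber": peer_port}, now)

    def auth_failure(self, prot_suite_index: int, now: float) -> Optional[dict]:
        # ipsecTrapIpsecAuthFailure: keyed by protection suite.
        self._count("ipsecIpsecAuthenticationErrors")
        return self._emit("ipsecTrapIpsecAuthFailure", (prot_suite_index,),
                          {"ipsecProtSuiteIndex": prot_suite_index}, now)

    def replay_failure(self, prot_suite_index: int, now: float) -> Optional[dict]:
        # ipsecTrapIpsecReplayFailure: keyed by protection suite.
        self._count("ipsecIpsecReplayErrors")
        return self._emit("ipsecTrapIpsecReplayFailure", (prot_suite_index,),
                          {"ipsecProtSuiteIndex": prot_suite_index}, now)

    def unknown_spi(self, peer_ip: str, now: float) -> Optional[dict]:
        # ipsecTrapInvalidSpi carries only the peer address.
        self._count("ipsecUnknownSpiErrors")
        return self._emit("ipsecTrapInvalidSpi", (peer_ip,),
                          {"ipsecIkeSaPeerIpAddress": peer_ip}, now)


def simulate_cookie_flood() -> Tuple[int, int]:
    """Constructed scenario: 50 bad-cookie packets from one peer within 10 s,
    then one more after the window has elapsed. Returns (traps sent, counter)."""
    t = IpsecTrapThrottle(window=60.0)
    for i in range(50):
        t.invalid_cookie("192.0.2.10", 500, now=i * 0.2)  # documentation address
    t.invalid_cookie("192.0.2.10", 500, now=75.0)
    return len(t.sent), t.counters["ipsecIkeProtocolErrors"]
```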
5. Security Considerations
This MIB contains readable objects whose values provide information
related to IKE SAs and IPSec protection suites. There are no objects
with MAX-ACCESS clauses of read-write or read-create.
While unauthorized access to the readable objects is relatively
innocuous, unauthorized access to those objects through an insecure
channel can provide attackers with more information about a system
than an administrator may desire.
6. Acknowledgments
This document is based in part on an earlier proposal titled
"draft-ietf-ipsec-mib-xx.txt". That series was abandoned, since it
included application-specific constructs in addition to the
IPSec-only objects.
Portions of the original document were based on the working paper
"IP Security Management Information Base" by R. Thayer and U.
Blumenthal.
Significant contribution to the IPSec MIB series of documents comes
from Charles Brooks and Carl Powell, both of GTE Internetworking.
Obviously, the IPSec working group made significant contributions,
specifically including M. Daniele, T. Kivinen, J. Shriver, J. Walker,
S. Kelly, J. Leonard and M. Richardson.
Additionally, thanks are extended to Gabriella Dinescu for assistance
in the preparation of the MIB structures.
7. Revision History
This section will be removed before publication.
January 15, 1999 Initial Release.
1) Group and Compliance statements?
2) Sub-identifier under the experimental tree?
8. References
[IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC2407, November 1998
[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", RFC2401, November 1998
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
RFC2409, November 1998
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol
(ISAKMP)", RFC2408, November 1998
[IPTun] Thaler, D., "IP Tunnel MIB",
draft-ietf-ifmib-tunnel-mib-02.txt, work in progress.
[IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
using SMIv2", RFC2233
[IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M.,
"draft-ietf-ippcp-protocol-06.txt", work in progress
[1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Structure of Management Information for version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1902,
January 1996.
[2271] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2271, January
1998
[1155] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", RFC 1155,
May 1990
[1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
1212, March 1991
[1215] M. Rose, "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991
[1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Textual Conventions for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1903,
January 1996.
[1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Conformance Statements for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1904,
January 1996.
[1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", RFC 1157, May 1990.
[1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Introduction to Community-based SNMPv2", RFC
1901, January 1996.
[1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Transport Mappings for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1906,
January 1996.
[2272] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2272, January 1998.
[2274] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2274, January 1998.
[1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Protocol Operations for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1905,
January 1996.
[2273] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
RFC 2273, January 1998.
[2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2275, January 1998.
9. Appendix A - Some Related Assigned Numbers
This appendix reproduces the assigned numbers from the referenced
IPSec documents that are used in the MIB. They are to be used as a
reference only and are not part of this specification. As the IPSec
protocol evolves, this list is almost certain to become incomplete.
Portions are blatantly copied from [IKE],[IPDOI] and [ISAKMP].
ipsecIkeSaEncAlg - Encryption Algorithm
DES-CBC 1
IDEA-CBC 2
Blowfish-CBC 3
RC5-R16-B64-CBC 4
3DES-CBC 5
CAST-CBC 6
DES40-CBC 65001
ipsecIkeSaPeerIdType
ID Type Value
------- -----
RESERVED 0
ID_IPV4_ADDR 1
ID_FQDN 2
ID_USER_FQDN 3
ID_IPV4_ADDR_SUBNET 4
ID_IPV6_ADDR 5
ID_IPV6_ADDR_SUBNET 6
ID_IPV4_ADDR_RANGE 7
ID_IPV6_ADDR_RANGE 8
ID_DER_ASN1_DN 9
ID_DER_ASN1_GN 10
ID_KEY_ID 11
ipsecIkeSaHashAlg - Hash Algorithm
MD5 1
SHA 2
Tiger 3
ipsecIkeSaAuthMethod - Authentication Method
pre-shared key 1
DSS signatures 2
RSA signatures 3
Encryption with RSA 4
Revised encryption with RSA 5
ipsecIkeSaDifHelGroupDesc - Group Description
default 768-bit MODP group 1
alternate 1024-bit MODP group 2
EC2N group on GP[2^155] 3
EC2N group on GP[2^185] 4
ipsecIkeSaDifHelGroupType - Group Type
MODP (modular exponentiation group) 1
ECP (elliptic curve group over GF[P]) 2
EC2N (elliptic curve group over GF[2^N]) 3
ipsecTunnelEspEncAlg
Transform ID Value
------------ -----
RESERVED 0
ESP_DES_IV64 1
ESP_DES 2
ESP_3DES 3
ESP_RC5 4
ESP_IDEA 5
ESP_CAST 6
ESP_BLOWFISH 7
ESP_3IDEA 8
ESP_DES_IV32 9
ESP_RC4 10
ESP_NULL 11
ESP_DES40 249
ipsecTunnelEspAuthAlg - Authentication Algorithm
RESERVED 0
HMAC-MD5 1
HMAC-SHA 2
DES-MAC 3
KPDK 4
ipsecTunnelAhAuthAlg
Transform ID Value
------------ -----
RESERVED 0-1
AH_MD5 2
AH_SHA 3
AH_DES 4
ipsecTunnelCompAlg
Transform ID Value
------------ -----
RESERVED 0
IPCOMP_OUI 1
IPCOMP_DEFLATE 2
IPCOMP_LZS 3
IPCOMP_V42BIS 4
NOTIFY MESSAGES - ERROR TYPES
Errors Value
------ -----
INVALID-PAYLOAD-TYPE 1
DOI-NOT-SUPPORTED 2
SITUATION-NOT-SUPPORTED 3
INVALID-COOKIE 4
INVALID-MAJOR-VERSION 5
INVALID-MINOR-VERSION 6
INVALID-EXCHANGE-TYPE 7
INVALID-FLAGS 8
INVALID-MESSAGE-ID 9
INVALID-PROTOCOL-ID 10
INVALID-SPI 11
INVALID-TRANSFORM-ID 12
ATTRIBUTES-NOT-SUPPORTED 13
NO-PROPOSAL-CHOSEN 14
BAD-PROPOSAL-SYNTAX 15
PAYLOAD-MALFORMED 16
INVALID-KEY-INFORMATION 17
INVALID-ID-INFORMATION 18
INVALID-CERT-ENCODING 19
INVALID-CERTIFICATE 20
CERT-TYPE-UNSUPPORTED 21
INVALID-CERT-AUTHORITY 22
INVALID-HASH-INFORMATION 23
AUTHENTICATION-FAILED 24
INVALID-SIGNATURE 25
ADDRESS-NOTIFICATION 26
NOTIFY-SA-LIFETIME 27
CERTIFICATE-UNAVAILABLE 28
UNSUPPORTED-EXCHANGE-TYPE 29
UNEQUAL-PAYLOAD-LENGTHS 30
RESERVED (Future Use) 31 - 8191
Private Use 8192 - 16383
NOTIFY MESSAGES - STATUS TYPES
Status Value
------ -----
CONNECTED 16384
RESERVED (Future Use) 16385 - 24575
DOI-specific codes 24576 - 32767
Private Use 32768 - 40959
RESERVED (Future Use) 40960 - 65535
Notify Messages - Status Types Value
------------------------------ -----
RESPONDER-LIFETIME 24576
REPLAY-STATUS 24577
INITIAL-CONTACT 24578
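Reading the entity error counters and the sparse ipsecNotifyCountTable from the manager side, with the Appendix A value ranges used to name notify types: an added Python example, not part of the draft. The thresholds, poll samples and function names are constructed assumptions; Counter32 wraparound between polls and rows absent from an earlier poll are both handled.

```python
# Added example (not part of the draft): manager-side delta analysis of two
# polls of the entity error counters and the sparse ipsecNotifyCountTable.
# Object names are the draft's; thresholds and sample values are constructed.
from typing import Dict, List, Tuple

# Appendix A notify message types. Values below 16384 are error types,
# 16384 and above are status types (24576-32767 are DOI-specific).
NOTIFY_NAMES: Dict[int, str] = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
    16384: "CONNECTED", 24576: "RESPONDER-LIFETIME", 24577: "REPLAY-STATUS",
    24578: "INITIAL-CONTACT",
}


def notify_name(value: int) -> str:
    """Name a notify message value, falling back to its Appendix A range."""
    if value in NOTIFY_NAMES:
        return NOTIFY_NAMES[value]
    if value == 0:
        return "UNKNOWN"  # the draft uses 0 for an unknown cause
    if 31 <= value <= 8191 or 16385 <= value <= 24575 or value >= 40960:
        return "RESERVED"
    if 8192 <= value <= 16383 or 32768 <= value <= 40959:
        return "PRIVATE-USE"
    return "DOI-SPECIFIC-STATUS"  # remaining values 24579-32767


def is_error_type(value: int) -> bool:
    """Error notify types occupy 1..16383 in the Appendix A layout."""
    return 1 <= value < 16384


def counter_delta(old: int, new: int, bits: int = 32) -> int:
    """Increase between two samples of a Counter32/Counter64, tolerating one wrap."""
    return (new - old) % (1 << bits)


# Per-poll-interval alert thresholds for the draft's entity error counters (constructed).
THRESHOLDS: Dict[str, int] = {
    "ipsecIkeProtocolErrors": 10,
    "ipsecIpsecAuthenticationErrors": 10,
    "ipsecIpsecReplayErrors": 10,
    "ipsecIpsecPolicyErrors": 10,
    "ipsecUnknownSpiErrors": 10,
}


def analyse(prev: dict, curr: dict) -> List[Tuple[str, int]]:
    """Compare two polls of the form {"scalars": {name: value}, "notify": {type: count}}."""
    alerts: List[Tuple[str, int]] = []
    for name, threshold in THRESHOLDS.items():
        d = counter_delta(prev["scalars"].get(name, 0), curr["scalars"].get(name, 0))
        if d >= threshold:
            alerts.append((name, d))
    # ipsecNotifyCountTable MAY be sparse: a row missing from the earlier poll
    # means its count was 0, not that the row is unreadable.
    for msg_type, count in curr["notify"].items():
        d = counter_delta(prev["notify"].get(msg_type, 0), count)
        if d and is_error_type(msg_type):
            alerts.append((f"notify {notify_name(msg_type)}", d))
    return alerts


# Constructed polls: ipsecIkeProtocolErrors wraps past 2^32 between samples,
# and two notify rows appear that were absent (count 0) in the first poll.
SAMPLE_PREV = {"scalars": {"ipsecIkeProtocolErrors": 4294967290,
                           "ipsecIpsecReplayErrors": 5,
                           "ipsecUnknownSpiErrors": 0},
               "notify": {24578: 3}}
SAMPLE_CURR = {"scalars": {"ipsecIkeProtocolErrors": 20,
                           "ipsecIpsecReplayErrors": 7,
                           "ipsecUnknownSpiErrors": 42},
               "notify": {24578: 3, 24: 12, 4: 26}}
```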
Editor's Address
Tim Jenkins
tjenkins@timestep.com
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON
Canada
K2K 2P5
+1 (613) 599-3610
The IPSec working group can be contacted via the IPSec working
group's mailing list (ipsec@tis.com) or through its chairs:
Robert Moskowitz
rgm@icsa.net
International Computer Security Association
Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology