Internet Engineering Task Force Tim Jenkins
IP Security Working Group TimeStep Corporation
Internet Draft John Shriver
Intel Corporation
June 3, 1999
IPSec Monitoring MIB
<draft-ietf-ipsec-monitor-mib-01.txt>
Status of this Memo
This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@lists.tislabs.com) or to the
editor.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
This document is a product of the IETF's IPSec Working Group.
Copyright (C) The Internet Society (1999). All Rights Reserved.
IPSec Working Group Expires December 3, 1999 [Page 1]
Internet Draft IPSec Monitoring MIB June 1999
Table of Contents
1. Introduction....................................................2
2. The SNMPv2 Network Management Framework.........................2
2.1 Object Definitions.............................................3
3. IPSec MIB Objects Architecture..................................4
3.1 IPSec Security Association Tables..............................4
3.1.1 IPCOMP Security Associations.................................4
3.2 IPSec MIB Traps................................................4
3.3 IPSec Entity Level Objects.....................................5
4. MIB Definitions.................................................6
5. Security Considerations........................................55
6. Acknowledgments................................................55
7. Revision History...............................................56
8. References.....................................................56
1. Introduction
This document defines low level monitoring and status MIBs for IPSec
security associations (SAs). It does not define MIBs that may be used
for configuring IPSec implementations or for providing low-level
diagnostic or debugging information. It assumes no specific use of
IPSec. Further, it does not provide policy information.
The purpose of the MIBs is to allow system administrators to
determine operating conditions and perform system operational level
monitoring of the IPSec portion of their network. Statistics are
provided as well. Additionally, it may be used as the basis for
application specific MIBs for specific uses of IPSec SAs.
2. The SNMPv2 Network Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2271 [2271].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described inRFC
1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
version, called SMIv2, is described in RFC 1902 [1902], RFC 1903
[1903] and RFC 1904 [1904].
IPSec Working Group [Page 2]
Internet Draft IPSec Monitoring MIB June 1999
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in RFC 1157 [1157]. A second version of the SNMP message
protocol, which is not an Internet standards track protocol, is
called SNMPv2c and described in RFC 1901 [1901] and RFC 1906
[1906]. The third version of the message protocol is called SNMPv3
and described in RFC 1906 [1906], RFC 2272 [2272] and RFC 2274
[2274].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in RFC 1157 [1157]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [1905].
o A set of fundamental applications described in RFC 2273 [2273] and
the view-based access control mechanism described in RFC 2275
[2275].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter32). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
2.1 Object Definitions
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the subset of Abstract Syntax Notation One (ASN.1)
defined in the SMI. In particular, each object type is named by an
OBJECT IDENTIFIER, an administratively assigned name. The object type
together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience, we often
use a textual string, termed the descriptor, to refer to the object
type.
IPSec Working Group [Page 3]
Internet Draft IPSec Monitoring MIB June 1999
3. IPSec MIB Objects Architecture
The IPSec MIB consists of tables for the display of raw IPSec
security associations (SAs), some entity statistics and traps.
Configuration about the SAs is provided as are statistics related to
the SAs themselves.
The traps may be used by system administrators to help detect mis-
configurations or possible attacks.
3.1 IPSec Security Association Tables
Individual IPSec phase 2 SAs are separated by both direction and
(security) protocol, resulting in the creation of six separate
tables.
Separate inbound tables are used for ESP, AH and IPCOMP. All tables
contain common information, such as the selectors and expiration
limits, in addition to protocol specific information. Similarly,
there is a set of outbound tables for each protocol.
The SAs in the tables may have been statically created, created by
IKE or by some other mechanism.
3.1.1 IPCOMP Security Associations
For IPCOMP SAs, the following assumptions are made:
o These SAs don't care about policy errors.
o These SAs don't care about expiration.
o The selectors can be empty (all 0) if IPCOMP is shared across
multiple protection suites.
o There are no send errors; the SA will send uncompressed if it
can't compress for any reason.
3.2 IPSec MIB Traps
Traps are provided to let system administrators know about the
existence of error conditions occurring in the entity. Errors are
associated with operational errors that may indicate the presence of
attacks on the system.
IPSec Working Group [Page 4]
Internet Draft IPSec Monitoring MIB June 1999
Traps are not provided when SAs come up or go down.
Traps may also be enabled or disabled as required, using configurable
configuration objects. Note that support for these objects is
optional, so that system administrators that have concerns about SNMP
security can choose to implement objects that are write-only.
3.3 IPSec Entity Level Objects
This part of the MIB carries statistics global to the IPSec device.
Statistics included are aggregate numbers of and aggregate errors for
SAs.
IPSec Working Group [Page 5]
Internet Draft IPSec Monitoring MIB June 1999
4. MIB Definitions
IPSEC-SA-MON-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32,
Integer32, Unsigned32, NOTIFICATION-TYPE,
OBJECT-IDENTITY
-- remove next line before release
,experimental
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TruthValue
FROM SNMPv2-TC
ifIndex FROM IF-MIB
-- uncomment next line before release
-- mib-2 FROM RFC1213-MIB
IpsecDoiIdentType,
IpsecDoiEncapsulationMode,
IpsecDoiEspTransform,
IpsecDoiAhTransform,
IpsecDoiAuthAlgorithm,
IpsecDoiIpcompTransform,
IpsecDoiSecProtocolId
FROM IPSEC-ISAKMP-IKE-DOI-TC;
ipsecSaMonModule MODULE-IDENTITY
LAST-UPDATED "9906031200Z"
ORGANIZATION "IETF IPSec Working Group"
CONTACT-INFO
" Tim Jenkins
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON K0A 2H0
Canada
+1 (613) 599-3610
tjenkins@timestep.com
John Shriver
Intel Corporation
28 Crosby Drive Bedford, MA
01730
+1 (781) 687-1329
John.Shriver@intel.com
"
IPSec Working Group [Page 6]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The MIB module to describe generic IPSec objects, and
entity level objects and events for those types."
REVISION "9906031200Z"
DESCRIPTION
"Initial revision."
-- replace xxx in next line before release, uncomment before release
-- ::= { mib-2 xxx }
-- delete next line before release
::= { experimental 500 } -- invalid!
IpsecSaCreatorIdent ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"A value indicating how an SA was created."
SYNTAX INTEGER {
unknown(0),
static(1), -- statically created
ike(2), -- IKE
other(3)
}
IpsecIpv6Address ::= TEXTUAL-CONVENTION
DISPLAY-HINT "2x:2x:2x:2x:2x:2x:1d.1d.1d.1d"
STATUS current
DESCRIPTION
"This data type is used to model IPv6 address prefixes. This
is a binary string of 16 octets in network byte-order."
SYNTAX OCTET STRING (SIZE (16))
ipsecSaMonitorMIB OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all IPSec branches."
::= { ipsecSaMonModule 1 }
-- significant branches
saTables OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all SA tables."
::= { ipsecSaMonitorMIB 1 }
IPSec Working Group [Page 7]
Internet Draft IPSec Monitoring MIB June 1999
saStatistics OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
are global counters for IPSec security associations."
::= { ipsecSaMonitorMIB 2 }
saErrors OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
are global error counters for IPSec security associations."
::= { ipsecSaMonitorMIB 3 }
saTraps OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
are traps for IPSec security associations."
::= { ipsecSaMonitorMIB 4 }
saTrapObjects OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for objects which are
used as part of traps."
::= { ipsecSaMonitorMIB 5 }
saTrapControl OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
are trap controls for IPSec security associations."
::= { ipsecSaMonitorMIB 6 }
saGroups OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
describe the groups in this MIB."
::= { ipsecSaMonitorMIB 7 }
saConformance OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
describe the conformance for this MIB."
::= { ipsecSaMonitorMIB 8 }
IPSec Working Group [Page 8]
Internet Draft IPSec Monitoring MIB June 1999
-- the IPSec Inbound ESP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Inbound ESP SAs
ipsecSaEspInTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaEspInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
inbound ESP SAs.
There should be one row for every inbound ESP security
association that exists in the entity. The maximum number of
rows is implementation dependent."
::= { saTables 1 }
ipsecSaEspInEntry OBJECT-TYPE
SYNTAX IpsecSaEspInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular IPSec inbound ESP SA.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX{ ipsecSaEspInAddress, ipsecSaEspInSpi }
::= { ipsecSaEspInTable 1 }
IpsecSaEspInEntry::= SEQUENCE {
-- identification
ipsecSaEspInAddress IpsecIpv6Address,
ipsecSaEspInSpi Unsigned32,
-- SA selectors
ipsecSaEspInDestId OCTET STRING,
ipsecSaEspInDestIdType IpsecDoiIdentType,
ipsecSaEspInSourceId OCTET STRING,
ipsecSaEspInSourceIdType IpsecDoiIdentType,
ipsecSaEspInProtocol Integer32,
ipsecSaEspInDestPort Integer32,
ipsecSaEspInSourcePort Integer32,
IPSec Working Group [Page 9]
Internet Draft IPSec Monitoring MIB June 1999
-- how created
ipsecSaEspInCreator IpsecSaCreatorIdent,
-- security services description
ipsecSaEspInEncapsulation IpsecDoiEncapsulationMode,
ipsecSaEspInEncAlg IpsecDoiEspTransform,
ipsecSaEspInEncKeyLength Unsigned32,
ipsecSaEspInAuthAlg IpsecDoiAuthAlgorithm,
-- expiration limits
ipsecSaEspInLimitSeconds Unsigned32, -- sec., 0 if none
ipsecSaEspInLimitKbytes Unsigned32, -- 0 if none
-- current operating statistics
ipsecSaEspInAccSeconds Counter32,
ipsecSaEspInAccKbytes Counter32,
ipsecSaEspInUserOctets Counter32,
ipsecSaEspInPackets Counter32,
-- error statistics
ipsecSaEspInDecryptErrors Counter32,
ipsecSaEspInAuthErrors Counter32,
ipsecSaEspInReplayErrors Counter32,
ipsecSaEspInPolicyErrors Counter32,
ipsecSaEspInPadErrors Counter32,
ipsecSaEspInOtherReceiveErrors Counter32
}
ipsecSaEspInAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination address of the SA.
For implementations that do not support IPv6, this address
should appear as one of the IPv4-mapped IPv6 addresses as
defined in Section 2.5.4 of [IPV6AA].
Specifically, the prefix '0000:0000:0000:0000:0000:FFFF:' is
used for IPv4 only nodes, while the prefix
'0000:0000:0000:0000:0000:0000:' is used for bi-lingual
nodes."
::= { ipsecSaEspInEntry 1 }
ipsecSaEspInSpi OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
IPSec Working Group [Page 10]
Internet Draft IPSec Monitoring MIB June 1999
STATUS current
DESCRIPTION
"The security parameters index of the SA."
REFERENCE"RFC 2406 Section 2.1"
::= { ipsecSaEspInEntry 2 }
ipsecSaEspInDestId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination identifier of the SA, or 0 if unknown or if
the SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchanged during SA creation negotiation."
::= { ipsecSaEspInEntry 3 }
ipsecSaEspInDestIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by 'ipsecSaEspInDestId',
or 0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaEspInEntry 4 }
ipsecSaEspInSourceId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source identifier of the SA, or 0 if unknown or if the
SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during SA creation negotiation."
::= { ipsecSaEspInEntry 5 }
ipsecSaEspInSourceIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 11]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The type of identifier presented by 'ipsecSaEspInSourceId',
or 0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaEspInEntry 6 }
ipsecSaEspInProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The transport-layer protocol number that this SA carries,
or 0 if it carries any protocol."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaEspInEntry 7 }
ipsecSaEspInDestPort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaEspInEntry 8 }
ipsecSaEspInSourcePort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaEspInEntry 9 }
ipsecSaEspInCreator OBJECT-TYPE
SYNTAX IpsecSaCreatorIdent
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The creator of this SA.
This MIB makes no assumptions about how the SAs are created.
They may be created statically, or by a key exchange
protocol such as IKE, or by some other method."
::= { ipsecSaEspInEntry 10 }
IPSec Working Group [Page 12]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaEspInEncapsulation OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by this SA."
::= { ipsecSaEspInEntry 11 }
ipsecSaEspInEncAlg OBJECT-TYPE
SYNTAX IpsecDoiEspTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic or 0 if there is no encryption used."
::= { ipsecSaEspInEntry 12 }
ipsecSaEspInEncKeyLength OBJECT-TYPE
SYNTAX Unsigned32 (0..65531)
UNITS "bits"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for the
algorithm specified in the 'ipsecSaEspInEncAlg' object, or 0
if the key length is implicit in the specified algorithm or
there is no encryption specified."
::= { ipsecSaEspInEntry 13 }
ipsecSaEspInAuthAlg OBJECT-TYPE
SYNTAX IpsecDoiAuthAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied to
traffic or 0 if there is no authentication used."
::= { ipsecSaEspInEntry 14 }
ipsecSaEspInLimitSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the SA, or 0 if there is
no time constraint on its expiration.
IPSec Working Group [Page 13]
Internet Draft IPSec Monitoring MIB June 1999
The display value is limited to 4294967295 seconds (more
than 136 years); values greater than that value will be
truncated."
::= { ipsecSaEspInEntry 15 }
ipsecSaEspInLimitKbytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in kilobytes that the SA is allowed to
support, or 0 if there is no traffic constraint on its
expiration.
The display value is limited to 4294967295 kilobytes; values
greater than that value will be truncated."
::= { ipsecSaEspInEntry 16 }
ipsecSaEspInAccSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of seconds accumulated against the SA's
expiration by time.
This is also the number of seconds that the SA has existed."
::= { ipsecSaEspInEntry 17 }
ipsecSaEspInAccKbytes OBJECT-TYPE
SYNTAX Counter32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic accumulated that counts against the
SA's expiration by traffic limitation, measured in bytes.
This value may be 0 if the SA does not expire based on
traffic."
::= { ipsecSaEspInEntry 18 }
ipsecSaEspInUserOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
IPSec Working Group [Page 14]
Internet Draft IPSec Monitoring MIB June 1999
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes handled
by the SA.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecSaEspInEntry 19 }
ipsecSaEspInPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA."
::= { ipsecSaEspInEntry 20 }
ipsecSaEspInDecryptErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to decryption
errors."
::= { ipsecSaEspInEntry 21 }
ipsecSaEspInAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to
authentication errors."
::= { ipsecSaEspInEntry 22 }
ipsecSaEspInReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to replay
errors."
::= { ipsecSaEspInEntry 23 }
ipsecSaEspInPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 15]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The number of packets discarded by the SA due to policy
errors. This includes packets where the next protocol is
invalid."
::= { ipsecSaEspInEntry 24 }
ipsecSaEspInPadErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to pad value
errors.
Implementations that do not check this must not support this
object."
REFERENCE "RFC 2406 section 2.4"
::= { ipsecSaEspInEntry 25 }
ipsecSaEspInOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to errors
other than decryption, authentication or replay errors. This
may include packets dropped due to a lack of receive
buffers, and may include packets dropped due to congestion
at the decryption element."
::= { ipsecSaEspInEntry 26 }
-- the IPSec Inbound AH MIB-Group
--
-- a collection of objects providing information about
-- IPSec Inbound AH SAs
ipsecSaAhInTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaAhInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
inbound AH SAs.
IPSec Working Group [Page 16]
Internet Draft IPSec Monitoring MIB June 1999
There should be one row for every inbound AH security
association that exists in the entity. The maximum number of
rows is implementation dependent."
::= { saTables 2 }
ipsecSaAhInEntry OBJECT-TYPE
SYNTAX IpsecSaAhInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular IPSec inbound AH SA.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX{ ipsecSaAhInAddress, ipsecSaAhInSpi }
::= { ipsecSaAhInTable 1 }
IpsecSaAhInEntry::= SEQUENCE {
-- identification
ipsecSaAhInAddress IpsecIpv6Address,
ipsecSaAhInSpi Unsigned32,
-- SA selectors
ipsecSaAhInDestId OCTET STRING,
ipsecSaAhInDestIdType IpsecDoiIdentType,
ipsecSaAhInSourceId OCTET STRING,
ipsecSaAhInSourceIdType IpsecDoiIdentType,
ipsecSaAhInProtocol Integer32,
ipsecSaAhInDestPort Integer32,
ipsecSaAhInSourcePort Integer32,
-- how created
ipsecSaAhInCreator IpsecSaCreatorIdent,
-- security services description
ipsecSaAhInEncapsulation IpsecDoiEncapsulationMode,
ipsecSaAhInAuthAlg IpsecDoiAhTransform,
-- expiration limits
ipsecSaAhInLimitSeconds Unsigned32, -- sec., 0 if none
ipsecSaAhInLimitKbytes Unsigned32, -- 0 if none
-- current operating statistics
ipsecSaAhInAccSeconds Counter32,
ipsecSaAhInAccKbytes Counter32,
ipsecSaAhInUserOctets Counter32,
IPSec Working Group [Page 17]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaAhInPackets Counter32,
-- error statistics
ipsecSaAhInAuthErrors Counter32,
ipsecSaAhInReplayErrors Counter32,
ipsecSaAhInPolicyErrors Counter32,
ipsecSaAhInOtherReceiveErrors Counter32
}
ipsecSaAhInAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination address of the SA.
For implementations that do not support IPv6, this address
should appear as one of the IPv4-mapped IPv6 addresses as
defined in Section 2.5.4 of [IPV6AA].
Specifically, the prefix '0000:0000:0000:0000:0000:FFFF:' is
used for IPv4 only nodes, while the prefix
'0000:0000:0000:0000:0000:0000:' is used for bi-lingual
nodes."
::= { ipsecSaAhInEntry 1 }
ipsecSaAhInSpi OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The security parameters index of the SA."
REFERENCE "RFC 2402 Section 2.4"
::= { ipsecSaAhInEntry 2 }
ipsecSaAhInDestId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination identifier of the SA, or 0 if unknown or if
the SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during SA creation negotiation."
::= { ipsecSaAhInEntry 3 }
IPSec Working Group [Page 18]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaAhInDestIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by 'ipsecSaAhInDestId', or
0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaAhInEntry 4 }
ipsecSaAhInSourceId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source identifier of the SA, or 0 if unknown or if the
SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during SA creation negotiation."
::= { ipsecSaAhInEntry 5 }
ipsecSaAhInSourceIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by 'ipsecSaAhInSourceId',
or 0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaAhInEntry 6 }
ipsecSaAhInProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The transport-layer protocol number that this SA carries,
or 0 if it carries any protocol."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaAhInEntry 7 }
ipsecSaAhInDestPort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 19]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The destination port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaAhInEntry 8 }
ipsecSaAhInSourcePort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaAhInEntry 9 }
ipsecSaAhInCreator OBJECT-TYPE
SYNTAX IpsecSaCreatorIdent
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The creator of this SA.
This MIB makes no assumptions about how the SAs are created.
They may be created statically, or by a key exchange
protocol such as IKE, or by some other method."
::= { ipsecSaAhInEntry 10 }
ipsecSaAhInEncapsulation OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by this SA."
::= { ipsecSaAhInEntry 11 }
ipsecSaAhInAuthAlg OBJECT-TYPE
SYNTAX IpsecDoiAhTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied to
traffic carried by this SA if it uses ESP or 0 if there is
no authentication applied by ESP."
::= { ipsecSaAhInEntry 12 }
ipsecSaAhInLimitSeconds OBJECT-TYPE
SYNTAX Unsigned32
IPSec Working Group [Page 20]
Internet Draft IPSec Monitoring MIB June 1999
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the SA, or 0 if there is
no time constraint on its expiration.
The display value is limited to 4294967295 seconds (more
than 136 years); values greater than that value will be
truncated."
::= { ipsecSaAhInEntry 13 }
ipsecSaAhInLimitKbytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in bytes that the SA is allowed to
support, or 0 if there is no traffic constraint on its
expiration.
The display value is limited to 4294967295 kilobytes; values
greater than that value will be truncated."
::= { ipsecSaAhInEntry 14 }
ipsecSaAhInAccSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of seconds accumulated against the SA's
expiration by time.
This is also the number of seconds that the SA has existed."
::= { ipsecSaAhInEntry 15 }
ipsecSaAhInAccKbytes OBJECT-TYPE
SYNTAX Counter32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic accumulated that counts against the
SA's expiration by traffic limitation, measured in bytes.
IPSec Working Group [Page 21]
Internet Draft IPSec Monitoring MIB June 1999
This value may be 0 if the SA does not expire based on
traffic."
::= { ipsecSaAhInEntry 16 }
ipsecSaAhInUserOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes handled
by the SA.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecSaAhInEntry 17 }
ipsecSaAhInPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA."
::= { ipsecSaAhInEntry 18 }
ipsecSaAhInAuthErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to
authentication errors."
::= { ipsecSaAhInEntry 19 }
ipsecSaAhInReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to replay
errors."
::= { ipsecSaAhInEntry 20 }
ipsecSaAhInPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 22]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The number of packets discarded by the SA due to policy
errors. This includes packets where the next protocol is
invalid."
::= { ipsecSaAhInEntry 21 }
ipsecSaAhInOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to errors
other than decryption, authentication or replay errors. This
may include packets dropped due to a lack of receive
buffers, and may include packets dropped due to congestion
at the authentication element."
::= { ipsecSaAhInEntry 22 }
-- the IPSec Inbound IPCOMP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Inbound IPCOMP SAs
ipsecSaIpcompInTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaIpcompInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
inbound IPCOMP SAs.
There should be one row for every inbound IPCOMP (security)
association that exists in the entity. The maximum number of
rows is implementation dependent."
::= { saTables 3 }
ipsecSaIpcompInEntry OBJECT-TYPE
SYNTAX IpsecSaIpcompInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular IPSec inbound IPCOMP SA.
IPSec Working Group [Page 23]
Internet Draft IPSec Monitoring MIB June 1999
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX{ ipsecSaIpcompInAddress, ipsecSaIpcompInCpi }
::= { ipsecSaIpcompInTable 1 }
IpsecSaIpcompInEntry::= SEQUENCE {
-- identification
ipsecSaIpcompInAddress IpsecIpv6Address,
ipsecSaIpcompInCpi IpsecDoiIpcompTransform,
-- SA selectors (if needed)
ipsecSaIpcompInDestId OCTET STRING,
ipsecSaIpcompInDestIdType IpsecDoiIdentType,
ipsecSaIpcompInSourceId OCTET STRING,
ipsecSaIpcompInSourceIdType IpsecDoiIdentType,
ipsecSaIpcompInProtocol Integer32,
ipsecSaIpcompInDestPort Integer32,
ipsecSaIpcompInSourcePort Integer32,
-- how created
ipsecSaIpcompInCreator IpsecSaCreatorIdent,
-- security services description
ipsecSaIpcompInEncapsulation IpsecDoiEncapsulationMode,
ipsecSaIpcompInDecompAlg IpsecDoiIpcompTransform,
-- current operating statistics
ipsecSaIpcompInSeconds Counter32,
ipsecSaIpcompInUserOctets Counter32,
ipsecSaIpcompInPackets Counter32,
-- error statistics
ipsecSaIpcompInDecompErrors Counter32,
ipsecSaIpcompInOtherReceiveErrors Counter32
}
ipsecSaIpcompInAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination address of the SA.
For implementations that do not support IPv6, this address
should appear as one of the IPv4-mapped IPv6 addresses as
defined in Section 2.5.4 of [IPV6AA].
IPSec Working Group [Page 24]
Internet Draft IPSec Monitoring MIB June 1999
Specifically, the prefix '0000:0000:0000:0000:0000:FFFF:' is
used for IPv4 only nodes, while the prefix
'0000:0000:0000:0000:0000:0000:' is used for bi-lingual
nodes."
::= { ipsecSaIpcompInEntry 1 }
ipsecSaIpcompInCpi OBJECT-TYPE
SYNTAX IpsecDoiIpcompTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The CPI of the SA. Since the lower values of CPIs are
reserved to be the same as the algorithm, the syntax for
this object is the same as the transform."
REFERENCE "RFC 2393 Section 3.3"
::= { ipsecSaIpcompInEntry 2 }
ipsecSaIpcompInDestId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination identifier of the SA, or 0 if unknown or if
the SA uses transport mode, or 0 if this SA is used with
multiple SAs in protection suites.
This value, if non-zero, is taken directly from the optional
ID payloads that are exchange during SA creation
negotiation."
::= { ipsecSaIpcompInEntry 3 }
ipsecSaIpcompInDestIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecSaIpcompInDestId', or 0 if unknown or if the SA uses
transport mode, or 0 if this SA is used with multiple SAs in
protection suites."
::= { ipsecSaIpcompInEntry 4 }
ipsecSaIpcompInSourceId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255))
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 25]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The source identifier of the SA, or 0 if unknown or if the
SA uses transport mode encapsulation, or 0 if this SA is
used with multiple SAs in protection suites.
This value, if non-zero, is taken directly from the optional
ID payloads that are exchange during SA creation
negotiation."
::= { ipsecSaIpcompInEntry 5 }
ipsecSaIpcompInSourceIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecSaIpcompInSourceId', or 0 if unknown or if the SA uses
transport mode encapsulation, or 0 if this SA is used with
multiple SAs in protection suites."
::= { ipsecSaIpcompInEntry 6 }
ipsecSaIpcompInProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The transport-layer protocol number that this SA carries,
or 0 if it carries any protocol."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaIpcompInEntry 7 }
ipsecSaIpcompInDestPort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaIpcompInEntry 8 }
ipsecSaIpcompInSourcePort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source port number of the protocol that this SA
carries, or 0 if it carries any port number."
IPSec Working Group [Page 26]
Internet Draft IPSec Monitoring MIB June 1999
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaIpcompInEntry 9 }
ipsecSaIpcompInCreator OBJECT-TYPE
SYNTAX IpsecSaCreatorIdent
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The creator of this SA.
This MIB makes no assumptions about how the SAs are created.
They may be created statically, or by a key exchange
protocol such as IKE, or by some other method."
::= { ipsecSaIpcompInEntry 10 }
ipsecSaIpcompInEncapsulation OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by this SA."
::= { ipsecSaIpcompInEntry 11 }
ipsecSaIpcompInDecompAlg OBJECT-TYPE
SYNTAX IpsecDoiIpcompTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the decompression algorithm
applied to traffic."
::= { ipsecSaIpcompInEntry 12 }
ipsecSaIpcompInSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of seconds that the SA has existed."
::= { ipsecSaIpcompInEntry 13 }
ipsecSaIpcompInUserOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 27]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The amount of user level traffic measured in bytes handled
by the SA."
::= { ipsecSaIpcompInEntry 14 }
ipsecSaIpcompInPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA."
::= { ipsecSaIpcompInEntry 15 }
ipsecSaIpcompInDecompErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to
decompression errors."
::= { ipsecSaIpcompInEntry 16 }
ipsecSaIpcompInOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets discarded by the SA due to errors
other than decompression errors. This may include packets
dropped due to a lack of receive buffers, and packets
dropped due to congestion at the decompression element."
::= { ipsecSaIpcompInEntry 17 }
-- the IPSec Outbound ESP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Outbound ESP SAs
ipsecSaEspOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaEspOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
Outbound ESP SAs.
IPSec Working Group [Page 28]
Internet Draft IPSec Monitoring MIB June 1999
There should be one row for every outbound ESP security
association that exists in the entity. The maximum number of
rows is implementation dependent."
::= { saTables 4 }
ipsecSaEspOutEntry OBJECT-TYPE
SYNTAX IpsecSaEspOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular IPSec Outbound ESP SA.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX{ ipsecSaEspOutAddress, ipsecSaEspOutSpi }
::= { ipsecSaEspOutTable 1 }
IpsecSaEspOutEntry::= SEQUENCE {
-- identification
ipsecSaEspOutAddress IpsecIpv6Address,
ipsecSaEspOutSpi Unsigned32,
-- SA selectors
ipsecSaEspOutSourceId OCTET STRING,
ipsecSaEspOutSourceIdType IpsecDoiIdentType,
ipsecSaEspOutDestId OCTET STRING,
ipsecSaEspOutDestIdType IpsecDoiIdentType,
ipsecSaEspOutProtocol Integer32,
ipsecSaEspOutSourcePort Integer32,
ipsecSaEspOutDestPort Integer32,
-- how created
ipsecSaEspOutCreator IpsecSaCreatorIdent,
-- security services description
ipsecSaEspOutEncapsulation IpsecDoiEncapsulationMode,
ipsecSaEspOutEncAlg IpsecDoiEspTransform,
ipsecSaEspOutEncKeyLength Unsigned32,
ipsecSaEspOutAuthAlg IpsecDoiAuthAlgorithm,
-- expiration limits
ipsecSaEspOutLimitSeconds Unsigned32, -- sec., 0 if none
ipsecSaEspOutLimitKbytes Unsigned32, -- 0 if none
-- current operating statistics
ipsecSaEspOutAccSeconds Counter32,
IPSec Working Group [Page 29]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaEspOutAccKbytes Counter32,
ipsecSaEspOutUserOctets Counter32,
ipsecSaEspOutPackets Counter32,
-- error statistics
ipsecSaEspOutSendErrors Counter32
}
ipsecSaEspOutAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination address of the SA.
For implementations that do not support IPv6, this address
should appear as one of the IPv4-mapped IPv6 addresses as
defined in Section 2.5.4 of [IPV6AA].
Specifically, the prefix '0000:0000:0000:0000:0000:FFFF:' is
used for IPv4 only nodes, while the prefix
'0000:0000:0000:0000:0000:0000:' is used for bi-lingual
nodes."
::= { ipsecSaEspOutEntry 1 }
ipsecSaEspOutSpi OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The security parameters index of the SA."
REFERENCE"RFC 2406 Section 2.1"
::= { ipsecSaEspOutEntry 2 }
ipsecSaEspOutSourceId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source identifier of the SA, or 0 if unknown or if the
SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during phase 2 negotiations."
::= { ipsecSaEspOutEntry 3 }
IPSec Working Group [Page 30]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaEspOutSourceIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecSaEspOutSourceId', or 0 if unknown or if the SA uses
transport mode encapsulation."
::= { ipsecSaEspOutEntry 4 }
ipsecSaEspOutDestId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination identifier of the SA, or 0 if unknown or if
the SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during phase 2 negotiations."
::= { ipsecSaEspOutEntry 5 }
ipsecSaEspOutDestIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by 'ipsecSaEspOutDestId',
or 0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaEspOutEntry 6 }
ipsecSaEspOutProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The transport-layer protocol number that this SA carries,
or 0 if it carries any protocol."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaEspOutEntry 7 }
ipsecSaEspOutSourcePort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 31]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The source port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaEspOutEntry 8 }
ipsecSaEspOutDestPort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaEspOutEntry 9 }
ipsecSaEspOutCreator OBJECT-TYPE
SYNTAX IpsecSaCreatorIdent
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The creator of this SA.
This MIB makes no assumptions about how the SAs are created.
They may be created statically, or by a key exchange
protocol such as IKE, or by some other method."
::= { ipsecSaEspOutEntry 10 }
ipsecSaEspOutEncapsulation OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of encapsulation used by this SA."
::= { ipsecSaEspOutEntry 11 }
ipsecSaEspOutEncAlg OBJECT-TYPE
SYNTAX IpsecDoiEspTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the encryption algorithm
applied to traffic or 0 if there is no encryption used."
::= { ipsecSaEspOutEntry 12 }
ipsecSaEspOutEncKeyLength OBJECT-TYPE
SYNTAX Unsigned32 (0..65531)
UNITS "bits"
IPSec Working Group [Page 32]
Internet Draft IPSec Monitoring MIB June 1999
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The length of the encryption key in bits used for the
algorithm specified in the 'ipsecSaEspOutEncAlg' object, or
0 if the key length is implicit in the specified algorithm
or there is no encryption specified."
::= { ipsecSaEspOutEntry 13 }
ipsecSaEspOutAuthAlg OBJECT-TYPE
SYNTAX IpsecDoiAuthAlgorithm
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied to
traffic or 0 if there is no authentication used."
::= { ipsecSaEspOutEntry 14 }
ipsecSaEspOutLimitSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the SA, or 0 if there is
no time constraint on its expiration.
The display value is limited to 4294967295 seconds (more
than 136 years); values greater than that value will be
truncated."
::= { ipsecSaEspOutEntry 15 }
ipsecSaEspOutLimitKbytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in bytes that the SA is allowed to
support, or 0 if there is no traffic constraint on its
expiration.
The display value is limited to 4294967295 kilobytes; values
greater than that value will be truncated."
::= { ipsecSaEspOutEntry 16 }
ipsecSaEspOutAccSeconds OBJECT-TYPE
SYNTAX Counter32
IPSec Working Group [Page 33]
Internet Draft IPSec Monitoring MIB June 1999
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of seconds accumulated against the SA's
expiration by time.
This is also the number of seconds that the SA has existed."
::= { ipsecSaEspOutEntry 17 }
ipsecSaEspOutAccKbytes OBJECT-TYPE
SYNTAX Counter32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic accumulated that counts against the
SA's expiration by traffic limitation, measured in bytes.
This value may be 0 if the SA does not expire based on
traffic."
::= { ipsecSaEspOutEntry 18 }
ipsecSaEspOutUserOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes handled
by the SA.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecSaEspOutEntry 19 }
ipsecSaEspOutPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA."
::= { ipsecSaEspOutEntry 20 }
ipsecSaEspOutSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 34]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The number of packets discarded by the SA due to any error.
This may include errors due to a lack of transmit buffers."
::= { ipsecSaEspOutEntry 21 }
-- the IPSec Outbound AH MIB-Group
--
-- a collection of objects providing information about
-- IPSec Outbound AH SAs
ipsecSaAhOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaAhOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
Outbound AH SAs.
There should be one row for every outbound AH security
association that exists in the entity. The maximum number of
rows is implementation dependent."
::= { saTables 5 }
ipsecSaAhOutEntry OBJECT-TYPE
SYNTAX IpsecSaAhOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular IPSec Outbound AH SA.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX{ ipsecSaAhOutAddress, ipsecSaAhOutSpi }
::= { ipsecSaAhOutTable 1 }
IpsecSaAhOutEntry::= SEQUENCE {
-- identification
ipsecSaAhOutAddress IpsecIpv6Address,
ipsecSaAhOutSpi Unsigned32,
-- SA selectors
ipsecSaAhOutSourceId OCTET STRING,
ipsecSaAhOutSourceIdType IpsecDoiIdentType,
ipsecSaAhOutDestId OCTET STRING,
ipsecSaAhOutDestIdType IpsecDoiIdentType,
IPSec Working Group [Page 35]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaAhOutProtocol Integer32,
ipsecSaAhOutSourcePort Integer32,
ipsecSaAhOutDestPort Integer32,
-- how created
ipsecSaAhOutCreator IpsecSaCreatorIdent,
-- security services description
ipsecSaAhOutEncapsulation IpsecDoiEncapsulationMode,
ipsecSaAhOutAuthAlg IpsecDoiAhTransform,
-- expiration limits
ipsecSaAhOutLimitSeconds Unsigned32, -- sec., 0 if none
ipsecSaAhOutLimitKbytes Unsigned32, -- 0 if none
-- current operating statistics
ipsecSaAhOutAccSeconds Counter32,
ipsecSaAhOutAccKbytes Counter32,
ipsecSaAhOutUserOctets Counter32,
ipsecSaAhOutPackets Counter32,
-- error statistics
ipsecSaAhOutSendErrors Counter32
}
ipsecSaAhOutAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination address of the SA.
For implementations that do not support IPv6, this address
should appear as one of the IPv4-mapped IPv6 addresses as
defined in Section 2.5.4 of [IPV6AA].
Specifically, the prefix '0000:0000:0000:0000:0000:FFFF:' is
used for IPv4 only nodes, while the prefix
'0000:0000:0000:0000:0000:0000:' is used for bi-lingual
nodes."
::= { ipsecSaAhOutEntry 1 }
ipsecSaAhOutSpi OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 36]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The security parameters index of the SA."
REFERENCE"RFC 2402 Section 2.4"
::= { ipsecSaAhOutEntry 2 }
ipsecSaAhOutSourceId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source identifier of the SA, or 0 if unknown or if the
SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during phase 2 negotiations."
::= { ipsecSaAhOutEntry 3 }
ipsecSaAhOutSourceIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by 'ipsecSaAhOutSourceId',
or 0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaAhOutEntry 4 }
ipsecSaAhOutDestId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination identifier of the SA, or 0 if unknown or if
the SA uses transport mode encapsulation.
This value is taken directly from the optional ID payloads
that are exchange during phase 2 negotiations."
::= { ipsecSaAhOutEntry 5 }
ipsecSaAhOutDestIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by 'ipsecSaAhOutDestId',
or 0 if unknown or if the SA uses transport mode
encapsulation."
::= { ipsecSaAhOutEntry 6 }
IPSec Working Group [Page 37]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaAhOutProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The transport-layer protocol number that this SA carries,
or 0 if it carries any protocol."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaAhOutEntry 7 }
ipsecSaAhOutSourcePort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaAhOutEntry 8 }
ipsecSaAhOutDestPort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaAhOutEntry 9 }
ipsecSaAhOutCreator OBJECT-TYPE
SYNTAX IpsecSaCreatorIdent
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The creator of this SA.
This MIB makes no assumptions about how the SAs are created.
They may be created statically, or by a key exchange
protocol such as IKE, or by some other method."
::= { ipsecSaAhOutEntry 10 }
ipsecSaAhOutEncapsulation OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 38]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The type of encapsulation used by this SA."
::= { ipsecSaAhOutEntry 11 }
ipsecSaAhOutAuthAlg OBJECT-TYPE
SYNTAX IpsecDoiAhTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the hash algorithm applied to
traffic or 0 if there is no authentication used."
::= { ipsecSaAhOutEntry 12 }
ipsecSaAhOutLimitSeconds OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum lifetime in seconds of the SA, or 0 if there is
no time constraint on its expiration.
The display value is limited to 4294967295 seconds (more
than 136 years); values greater than that value will be
truncated."
::= { ipsecSaAhOutEntry 13 }
ipsecSaAhOutLimitKbytes OBJECT-TYPE
SYNTAX Unsigned32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The maximum traffic in bytes that the SA is allowed to
support, or 0 if there is no traffic constraint on its
expiration.
The display value is limited to 4294967295 kilobytes; values
greater than that value will be truncated."
::= { ipsecSaAhOutEntry 14 }
ipsecSaAhOutAccSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 39]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The number of seconds accumulated against the SA's
expiration by time.
This is also the number of seconds that the SA has existed."
::= { ipsecSaAhOutEntry 15 }
ipsecSaAhOutAccKbytes OBJECT-TYPE
SYNTAX Counter32
UNITS "kilobytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic accumulated that counts against the
SA's expiration by traffic limitation, measured in bytes.
This value may be 0 if the SA does not expire based on
traffic."
::= { ipsecSaAhOutEntry 16 }
ipsecSaAhOutUserOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes handled
by the SA.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecSaAhOutEntry 17 }
ipsecSaAhOutPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA."
::= { ipsecSaAhOutEntry 18 }
ipsecSaAhOutSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 40]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The number of packets discarded by the SA due to any error.
This may include errors due to a lack of transmit buffers."
::= { ipsecSaAhOutEntry 19 }
-- the IPSec Outbound IPCOMP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Outbound IPCOMP SAs
ipsecSaIpcompOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaIpcompOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
Outbound IPCOMP SAs.
There should be one row for every outbound IPCOMP (security)
association that exists in the entity. The maximum number of
rows is implementation dependent."
::= { saTables 6 }
ipsecSaIpcompOutEntry OBJECT-TYPE
SYNTAX IpsecSaIpcompOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular IPSec Outbound IPCOMP SA.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX{ ipsecSaIpcompOutAddress, ipsecSaIpcompOutCpi }
::= { ipsecSaIpcompOutTable 1 }
IpsecSaIpcompOutEntry::= SEQUENCE {
-- identification
ipsecSaIpcompOutAddress IpsecIpv6Address,
ipsecSaIpcompOutCpi IpsecDoiIpcompTransform,
-- SA selectors
ipsecSaIpcompOutSourceId OCTET STRING,
ipsecSaIpcompOutSourceIdType IpsecDoiIdentType,
ipsecSaIpcompOutDestId OCTET STRING,
ipsecSaIpcompOutDestIdType IpsecDoiIdentType,
IPSec Working Group [Page 41]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaIpcompOutProtocol Integer32,
ipsecSaIpcompOutSourcePort Integer32,
ipsecSaIpcompOutDestPort Integer32,
-- how created
ipsecSaIpcompOutCreator IpsecSaCreatorIdent,
-- security services description
ipsecSaIpcompOutEncapsulation IpsecDoiEncapsulationMode,
ipsecSaIpcompOutCompAlg IpsecDoiIpcompTransform,
-- current operating statistics
ipsecSaIpcompOutSeconds Counter32,
ipsecSaIpcompOutUserOctets Counter32,
ipsecSaIpcompOutPackets Counter32
}
ipsecSaIpcompOutAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination address of the SA.
If the IPCOMP SA is shared across multiple SAs in protection
suites, this value may be 0.
For implementations that do not support IPv6, this address
should appear as one of the IPv4-mapped IPv6 addresses as
defined in Section 2.5.4 of [IPV6AA].
Specifically, the prefix '0000:0000:0000:0000:0000:FFFF:' is
used for IPv4 only nodes, while the prefix
'0000:0000:0000:0000:0000:0000:' is used for bi-lingual
nodes."
::= { ipsecSaIpcompOutEntry 1 }
ipsecSaIpcompOutCpi OBJECT-TYPE
SYNTAX IpsecDoiIpcompTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The CPI of the SA. Since the lower values of CPIs are
reserved to be the same as the algorithm, the syntax for
this object is the same as the transform."
REFERENCE"RFC 2393 Section 3.3"
::= { ipsecSaIpcompOutEntry 2 }
IPSec Working Group [Page 42]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaIpcompOutSourceId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source identifier of the SA, or 0 if unknown or if the
SA uses transport mode encapsulation, or 0 if this SA is
used with multiple SAs in protection suites.
This value, if non-zero, is taken directly from the optional
ID payloads that are exchange during phase 2 negotiations."
::= { ipsecSaIpcompOutEntry 3 }
ipsecSaIpcompOutSourceIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecSaIpcompOutSourceId', or 0 if unknown or if the SA
uses transport mode encapsulation, or 0 if this SA is used
with multiple SAs in protection suites."
::= { ipsecSaIpcompOutEntry 4 }
ipsecSaIpcompOutDestId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (4..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination identifier of the SA, or 0 if unknown or if
the SA uses transport mode encapsulation, or 0 if this SA is
used with multiple SAs in protection suites.
This value, if non-zero, is taken directly from the optional
ID payloads that are exchange during phase 2 negotiations."
::= { ipsecSaIpcompOutEntry 5 }
ipsecSaIpcompOutDestIdType OBJECT-TYPE
SYNTAX IpsecDoiIdentType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of identifier presented by
'ipsecSaIpcompOutDestId', or 0 if unknown or if the SA uses
transport mode encapsulation, or 0 if this SA is used with
multiple SAs in protection suites."
::= { ipsecSaIpcompOutEntry 6 }
IPSec Working Group [Page 43]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSaIpcompOutProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The transport-layer protocol number that this SA carries,
or 0 if it carries any protocol."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaIpcompOutEntry 7 }
ipsecSaIpcompOutSourcePort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaIpcompOutEntry 8 }
ipsecSaIpcompOutDestPort OBJECT-TYPE
SYNTAX Integer32 (0.. 65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination port number of the protocol that this SA
carries, or 0 if it carries any port number."
REFERENCE "RFC2401 section 4.4.2"
::= { ipsecSaIpcompOutEntry 9 }
ipsecSaIpcompOutCreator OBJECT-TYPE
SYNTAX IpsecSaCreatorIdent
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The creator of this SA.
This MIB makes no assumptions about how the SAs are created.
They may be created statically, or by a key exchange
protocol such as IKE, or by some other method."
::= { ipsecSaIpcompOutEntry 10 }
ipsecSaIpcompOutEncapsulation OBJECT-TYPE
SYNTAX IpsecDoiEncapsulationMode
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 44]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The type of encapsulation used by this SA."
::= { ipsecSaIpcompOutEntry 11 }
ipsecSaIpcompOutCompAlg OBJECT-TYPE
SYNTAX IpsecDoiIpcompTransform
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value representing the compression algorithm
applied to traffic."
::= { ipsecSaIpcompOutEntry 12 }
ipsecSaIpcompOutSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of seconds that the SA has existed."
::= { ipsecSaIpcompOutEntry 13 }
ipsecSaIpcompOutUserOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of user level traffic measured in bytes handled
by the SA.
This is not necessarily the same as the amount of traffic
applied against the traffic expiration limit."
::= { ipsecSaIpcompOutEntry 14 }
ipsecSaIpcompOutPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets handled by the SA."
::= { ipsecSaIpcompOutEntry 15 }
--
-- entity IPSec statistics
--
IPSec Working Group [Page 45]
Internet Draft IPSec Monitoring MIB June 1999
ipsecEspCurrentInboundSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of inbound ESP SAs in the entity."
::= { saStatistics 1 }
ipsecEspTotalInboundSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound ESP SAs created in the entity
since boot time."
::= { saStatistics 2 }
ipsecEspCurrentOutboundSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of outbound ESP SAs in the entity."
::= { saStatistics 3 }
ipsecEspTotalOutboundSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound ESP SAs created in the entity
since boot time."
::= { saStatistics 4 }
ipsecAhCurrentInboundSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of inbound AH SAs in the entity."
::= { saStatistics 5 }
ipsecAhTotalInboundSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 46]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The total number of inbound AH SAs created in the entity
since boot time."
::= { saStatistics 6 }
ipsecAhCurrentOutboundSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of outbound AH SAs in the entity."
::= { saStatistics 7 }
ipsecAhTotalOutboundSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound AH SAs created in the entity
since boot time."
::= { saStatistics 8 }
ipsecIpcompCurrentInboundSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of inbound IPCOMP SAs in the entity."
::= { saStatistics 9 }
ipsecIpcompTotalInboundSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound IPCOMP SAs created in the
entity since boot time."
::= { saStatistics 10 }
ipsecIpcompCurrentOutboundSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of outbound IPCOMP SAs in the entity."
::= { saStatistics 11 }
IPSec Working Group [Page 47]
Internet Draft IPSec Monitoring MIB June 1999
ipsecIpcompTotalOutboundSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound IPCOMP SAs created in the
entity since boot time."
::= { saStatistics 12 }
--
-- IPSec error counts
--
ipsecDecryptionErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in SAs
since boot time with decryption errors."
::= { saErrors 1 }
ipsecAuthenticationErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in SAs
since boot time with authentication errors.
This includes all packets in which the hash value is
determined to be invalid, for both ESP and AH SAs."
::= { saErrors 2 }
ipsecReplayErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in SAs
since boot time with replay errors."
::= { saErrors 3 }
ipsecPolicyErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
IPSec Working Group [Page 48]
Internet Draft IPSec Monitoring MIB June 1999
DESCRIPTION
"The total number of packets received by the entity in SAs
since boot time and discarded due to policy errors. This
includes packets that had selectors that were invalid for
the SA that carried them."
::= { saErrors 4 }
ipsecOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in SAs
since boot time and discarded due to errors not due to
decryption, authentication, replay or policy."
::= { saErrors 5 }
ipsecSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets to be sent by the entity in SAs
since boot time and discarded due to errors."
::= { saErrors 6 }
ipsecUnknownSpiErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with SPIs or CPIs that were not valid."
::= { saErrors 7 }
--
-- traps
--
--
-- some objects used in trap reporting
--
-- NOTE: A MAX-ACCESS value of 'accessible-for-notify' was wanted
-- for these objects; this would not compile with smicng 2.2.07
--
IPSec Working Group [Page 49]
Internet Draft IPSec Monitoring MIB June 1999
ipsecSecurityProtocol OBJECT-TYPE
SYNTAX IpsecDoiSecProtocolId
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A security protocol associated with the trap."
::= { saTrapObjects 1 }
ipsecSPI OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An SPI associated with a trap. Where the security protocol
associated with the trap is IPCOMP, this value has a maximum
of 65535."
::= { saTrapObjects 2 }
ipsecLocalAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A local IP address associated with the trap."
::= { saTrapObjects 3 }
ipsecPeerAddress OBJECT-TYPE
SYNTAX IpsecIpv6Address
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A peer IP address associated with the trap."
::= { saTrapObjects 4 }
--
-- trap control
--
espAuthFailureTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether espAuthFailureTrap traps should be
generated."
DEFVAL { false }
::= { saTrapControl 1 }
IPSec Working Group [Page 50]
Internet Draft IPSec Monitoring MIB June 1999
ahAuthFailureTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether ahAuthFailureTrap traps should be
generated."
DEFVAL { false }
::= { saTrapControl 2 }
espReplayFailureTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether espReplayFailureTrap traps should be
generated."
DEFVAL { false }
::= { saTrapControl 3 }
ahReplayFailureTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether ahReplayFailureTrap traps should be
generated."
DEFVAL { false }
::= { saTrapControl 4 }
espPolicyFailureTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether espPolicyFailureTrap traps should be
generated."
DEFVAL { false }
::= { saTrapControl 5 }
ahPolicyFailureTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether ahPolicyFailureTrap traps should be
generated."
IPSec Working Group [Page 51]
Internet Draft IPSec Monitoring MIB June 1999
DEFVAL { false }
::= { saTrapControl 6 }
invalidSpiTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether invalidSpiTrap traps should be
generated."
DEFVAL { false }
::= { saTrapControl 7 }
--
-- the traps themselves
--
espAuthFailureTrap NOTIFICATION-TYPE
OBJECTS {
ipsecSaEspInAuthErrors
}
STATUS current
DESCRIPTION
"IPSec packets with invalid hashes were found in an inbound
ESP SA. The total number of authentication errors
accumulated is sent for the specific row of the
'ipsecSaEspInTable' table for the SA; this provides the
identity of the SA in which the error occurred.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 1 }
ahAuthFailureTrap NOTIFICATION-TYPE
OBJECTS {
ipsecSaAhInAuthErrors
}
STATUS current
DESCRIPTION
"IPSec packets with invalid hashes were found in an inbound
AH SA. The total number of authentication errors accumulated
is sent for the specific row of the 'ipsecSaAhInTable' table
for the SA; this provides the identity of the SA in which
the error occurred.
IPSec Working Group [Page 52]
Internet Draft IPSec Monitoring MIB June 1999
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 2 }
espReplayFailureTrap NOTIFICATION-TYPE
OBJECTS {
ipsecSaEspInReplayErrors
}
STATUS current
DESCRIPTION
"IPSec packets with invalid sequence numbers were found in
an inbound ESP SA. The total number of replay errors
accumulated is sent for the specific row of the
'ipsecSaEspInTable' table for the SA; this provides the
identity of the SA in which the error occurred.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 3 }
ahReplayFailureTrap NOTIFICATION-TYPE
OBJECTS {
ipsecSaAhInReplayErrors
}
STATUS current
DESCRIPTION
"IPSec packets with invalid sequence numbers were found in
the specified AH SA. The total number of replay errors
accumulated is sent for the specific row of the
'ipsecSaAhInTable' table for the SA; this provides the
identity of the SA in which the error occurred.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 4 }
espPolicyFailureTrap NOTIFICATION-TYPE
OBJECTS {
ipsecSaEspInPolicyErrors
}
STATUS current
DESCRIPTION
"IPSec packets carrying packets with invalid selectors for
the specified ESP SA were found. The total number of policy
errors accumulated is sent for the specific row of the
IPSec Working Group [Page 53]
Internet Draft IPSec Monitoring MIB June 1999
'ipsecSaEspInTable' table for the SA; this provides the
identity of the SA in which the error occurred.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 5 }
ahPolicyFailureTrap NOTIFICATION-TYPE
OBJECTS {
ipsecSaAhInPolicyErrors
}
STATUS current
DESCRIPTION
"IPSec packets carrying packets with invalid selectors for
the specified AH SA were found. The total number of policy
errors accumulated is sent for the specific row of the
'ipsecSaAhInTable' table for the SA; this provides the
identity of the SA in which the error occurred.
Implementations SHOULD send one trap per SA (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 6 }
espInvalidSpiTrap NOTIFICATION-TYPE
OBJECTS {
ipsecLocalAddress,
ipsecSecurityProtocol,
ipsecPeerAddress,
ipsecSPI,
ifIndex
}
STATUS current
DESCRIPTION
"A packet with an unknown SPI was detected from the
specified peer with the specified SPI using the specified
protocol. The destination address of the received packet is
specified by 'ipsecLocalAddress'.
The value 'ifIndex' may be 0 if this optional linkage is
unsupported.
If the object 'ipsecSecurityProtocol' has the value for
IPCOMP, then the 'ipsecSPI' object is the CPI of the packet.
IPSec Working Group [Page 54]
Internet Draft IPSec Monitoring MIB June 1999
Implementations SHOULD send one trap per peer (within a
reasonable time period), rather than sending one trap per
packet."
::= { saTraps 0 7 }
END
5. Security Considerations
This MIB contains readable objects whose values provide information
related to IPSec SAs. While some of the information is readily
available by monitoring the traffic into an entity, other information
may provide attackers with more information than an administrator may
desire.
Some of the specific concerns are related to the display of the
algorithms and key lengths associated with encryption, and the
feedback of error counters and traps that enable an attacker to
quickly determine the effect of his or her attacks.
Specific examples of this include, but are not limited to:
o Replay counts that tell attackers that replay values are being
checked, and what the current window is.
o Specific algorithms and key lengths are displayed, giving
attackers a better idea of how to attack.
o Specific traffic counts, giving attackers more information for
traffic analysis.
Of particular concern is the ability to disable the transmission of
traps. The traps defined in this MIB may appear due to badly
configured systems and transient error conditions, but they may also
appear due to attacks. If an attacker can disable these traps, they
reduce some of the warnings that may be provided to system
administrators.
6. Acknowledgments
This document is based in part on an earlier proposal titled "draft-
ietf-ipsec-mib-xx.txt". That series was abandoned, since it included
application specific constructs in addition to the IPSec only
objects.
IPSec Working Group [Page 55]
Internet Draft IPSec Monitoring MIB June 1999
Portions of the original document's origins were based on the working
paper "IP Security Management Information Base" by R. Thayer and U.
Blumenthal.
Contribution to the IPSec MIB series of documents comes from C.
Brooks, C. Powell, M. Daniele, T. Kivinen, J. Walker, S. Kelly, J.
Leonard, M. Richardson and R. Charlet, and others participating in
the IPSec WG.
7. Revision History
This section will be removed before publication.
June 3, 1999 Initial Release as IPSec SA only version.
1) Group and Compliance statements?
2) Sub-identifier under the experimental tree?
8. References
[IPSECTC] Shriver, J., "IPSec DOI Textual Conventions MIB <draft-
ietf-ipsec-doi-tc-mib-00.txt>", work in progress, March 22,
1999
[IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC2407, November 1998
[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", RFC2401, November 1998
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
RFC2409, November 1998
[ISAKMP]Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol
(ISAKMP)", RFC2408, November 1998
[IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
using SMIv2", RFC2233
[IPCOMP]Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP
Payload Compression Protocol (IPComp)", RFC2393, December
1998
[1902] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Structure of Management Information for version 2 of the
IPSec Working Group [Page 56]
Internet Draft IPSec Monitoring MIB June 1999
Simple Network Management Protocol (SNMPv2)", RFC 1902,
January 1996.
[2271] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2271, January
1998
[1155] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", RFC 1155,
May 1990
[1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
1212, March 1991
[1215] M. Rose, "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991
[1903] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Textual Conventions for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1903,
January 1996.
[1904] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Conformance Statements for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1904,
January 1996.
[1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", RFC 1157, May 1990.
[1901] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Introduction to Community-based SNMPv2", RFC
1901, January 1996.
[1906] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Transport Mappings for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1906,
January 1996.
[2272] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2272, January 1998.
[2274] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2274, January 1998.
IPSec Working Group [Page 57]
Internet Draft IPSec Monitoring MIB June 1999
[1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Protocol Operations for Version 2 of the
Simple Network Management Protocol (SNMPv2)", RFC 1905,
January 1996.
[2273] Levi, D., Meyer, P., and B. Stewart, MPv3 Applications", RFC
2273, SNMP Research, Inc., Secure Computing Corporation,
Cisco Systems, January 1998.
[2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2275, January 1998.
Editors' Addresses
Tim Jenkins
tjenkins@timestep.com
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON
Canada
K2K 2P5
+1 (613) 599-3610
John Shriver
John.Shriver@intel.com
Intel Corporation
28 Crosby Drive Bedford, MA
01730
+1 (781) 687-1329
The IPSec working group can be contacted via the IPSec working
group's mailing list (ipsec@tislabs.com) or through its chairs:
Robert Moskowitz
rgm@icsa.net
International Computer Security Association
Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology
Expiration
This document expires December 3, 1999.
IPSec Working Group [Page 58]
