Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                                Catena Networks
Internet Draft                                           October 5, 2001




                      IPsec Tunnel Monitoring MIB
                <draft-jenkins-ipsec-tun-mon-mib-00.txt>

Status of this Memo

   Informational

   This document provides information for the Internet community. This
   document does not specify an Internet standard of any kind, nor is it
   intended to specify an Internet standard. Future considerations
   related to Internet standards are the opinions of the author, and not
   the IPsec working group.

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Copyright Notice


   Copyright (C) Tim Jenkins (2001)






Jenkins                  Expires April 5, 2001                 [Page 1]


Internet Draft        IPsec Tunnel Monitoring MIB       October 5, 2001

Table of Contents


   1.  Introduction..................................................2
   2.  The SNMP Management Framework.................................3
   2.1   Object Definitions..........................................4
   3.  IPsec MIB Objects Architecture................................4
   3.1   Control Channels............................................4
   3.2   IPsec Virtual Tunnels.......................................5
   3.3   Tunnel MIB and Interface MIB Consideration..................6
   3.4   Channel and Tunnel Types....................................7
   3.5   MIB Tables..................................................7
   3.5.1   Control Channel Table.....................................8
   3.5.2   IKE SA Table.............................................10
   3.5.3   Tunnel Table.............................................10
   3.5.4   SA Suite Table...........................................10
   3.6   IPsec MIB Traps............................................11
   3.7   IPsec Entity Level Objects.................................11
   4.  MIB Definitions..............................................12
   5.  Security Considerations......................................48
   6.  Acknowledgements.............................................49
   7.  References...................................................49
   8.  Revision History.............................................51



1. Introduction

   This document defines monitoring and status MIBs for specific
   applications of IPsec's security associations (SAs). The specific
   applications are for the purposes of virtual private networking (VPN)
   and secure remote access (SRA) applications. The MIB allows system
   administrators to determine operating conditions and perform system
   operational level monitoring of the VPN and SRA part of the network.
   Statistics and traps are provided as well.

   It builds upon the lower level IPsec MIBs that monitor specific phase
   1 (IKE) and phase 2 (IPsec) SAs.

   It does not define MIBs that may be used for configuring IPsec
   implementations or for examination of configuration. It does not
   provide low-level diagnostic or debugging information. Further, it
   does not provide policy information.

   The IPsec tunnel MIB definitions use a virtual tunnel model for phase
   2 SAs, and a virtual channel model for phase 1 SAs. The virtual
   tunnel model is used to allow the use of IPsec from a virtual private
   networking (VPN) point of view. This allows users of IPsec based
   products to get similar monitoring and statistical information from
   an IPsec based VPN as they would from a VPN based on other
   technologies, such as Frame Relay. The virtual channel model is used
   to model the logical control channel that exists due to the presence
   of (actual or potential) phase 1 SAs.

   Finally, it is intended to illustrate how high level MIBs can be
   built on top of the IPsec MIBs ([IPSECTC], [IDIMIB], [IKEMIB],
   [IMMIB]).


2. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o   An overall architecture, described in RFC 2571 [RFC2571].

   o   Mechanisms for describing and naming objects and events for the
   purpose of management. The first version of this Structure of
   Management Information (SMI) is called SMIv1 and described in STD 16,
   RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215
   [RFC1215]. The second version, called SMIv2, is described in STD 58,
   RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580 [RFC2580].

   o   Message protocols for transferring management information. The
   first version of the SNMP message protocol is called SNMPv1 and
   described in STD 15, RFC 1157 [RFC1157]. A second version of the SNMP
   message protocol, which is not an Internet standards track protocol,
   is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906
   [RFC1906]. The third version of the message protocol is called SNMPv3
   and described in RFC 1906 [RFC1906], RFC 2572 [RFC2572] and RFC 2574
   [RFC2574].

   o   Protocol operations for accessing management information. The
   first set of protocol operations and associated PDU formats is
   described in STD 15, RFC 1157 [RFC1157]. A second set of protocol
   operations and associated PDU formats is described in RFC 1905
   [RFC1905].

   o   A set of fundamental applications described in RFC 2573 [RFC2573]
   and the view-based access control mechanism described in RFC 2575
   [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine-readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine-
   readable information is not considered to change the semantics of the
   MIB.


2.1 Object Definitions

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the subset of Abstract Syntax Notation One (ASN.1)
   defined in the SMI. In particular, each object type is named by an
   OBJECT IDENTIFIER, an administratively assigned name. The object type
   together with an object instance serves to uniquely identify a
   specific instantiation of the object. For human convenience, we often
   use a textual string, termed the descriptor, to refer to the object
   type.


3. IPsec MIB Objects Architecture

   This MIB consists of two separate groups of objects. The two groups
   are the tunnel group and the channel group. Channels and tunnels are
   defined below.

   Within the tunnel group, there is a tunnel table, a table to get to
   the suites in the tunnel, a set of aggregate statistics on the
   tunnels, and tunnel related traps.

   The channel group is similar in that there is a channel table, a
   table to get to the IKE SAs in the channel, a set of aggregate
   statistics on the channels, and channel related traps.


3.1 Control Channels

   The primary use of phase 1 SAs is to allow host implementations to
   exchange keying material for phase 2 negotiations and to perform
   IPsec SA management. Since the host implementation, at a high level,
   does not necessarily care which particular phase 1 SA it uses to
   perform these functions, the concept of an IKE control channel is
   introduced as a logical entity. The control channel is the virtual
   control channel created by the existence of phase 1 SAs established
   or that may be established between two peers. This will often be
   abbreviated to channel in this document.

   The need for this abstraction is also in part due to the ability of
   IPsec SA suites to outlive the IKE SA that created them. Further,
   since there is no requirement that an IKE phase 1 SA exist
   continuously between peers that have IPsec SAs between them, it is
   possible that a channel has no valid IKE SAs supporting it. In these
   cases, it is assumed that an IKE SA could be created on demand.

   Control channels appear in their own table, and each row describes a
   single control channel.

   The IDs at each end uniquely identify the IKE control channel, since
   it is a logical peer-to-peer communications channel. Each row
   contains information common to all phase 1 SAs that are part of the
   channel, aggregate statistics for those phase 1 SAs, and aggregate
   statistics for all phase 2 SAs created through it.


3.2 IPsec Virtual Tunnels

   IPsec tunnels are created by the existence of SA suites (as defined
   by the IKE Monitoring MIB [IKEMIB]). The tunnel concept comes from
   the effect of services on packets that are handled by SA suites. As a
   packet encounters an IPsec implementation, either in a security
   gateway or as a layer in a protocol stack, a policy decision causes
   the packet to be handed to an SA suite for processing.

   The SA suite then performs a service (including possibly compression)
   on the packet, then adds at least one new header and ultimately sends
   the packet into the normal IP stream for routing. (The only time no
   header is added is when the only service provided by the SA suite is
   compression, it is a transport mode SA suite, and the packet is not
   compressible. It is arguable that this particular case is outside
   IPsec!)

   When the secured (and possibly compressed) packet arrives at its
   destination, the peer IPsec implementation removes the added header
   or headers and reverse processes the packet. Another policy lookup is
   then done to make sure the sending peer appropriately handled the
   packet.

   Since the original packet is conceptually "hidden" between the two
   IPsec implementations, it can be considered tunneled. To help
   conceptually, if ESP could be negotiated with no encryption and no
   authentication, it would provide services very similar to IP-in-IP.


   The specific SA suite chosen by the policy lookup is based on what
   are called the selectors. The selectors are the packet's source IP
   address, its destination IP address, its layer 4 protocol and its
   layer 4 protocol source and destination port numbers. (Additional
   selectors are also possible.) The policy system uses this information
   to assign the packet to an SA suite for handling.

   Since it is irrelevant to the packet which specific SA suite provided
   the services, and since all SA suites with the same selectors
   normally provide the same service, the existence of any and all SA
   suites assigned to the selectors effectively creates a tunnel for the
   packets.

   In other words, the selectors used to assign the security services to
   the packet identify the tunnel created by the SA suites. The
   selectors are explained in detail in [SECARCH].


3.3 Tunnel MIB and Interface MIB Consideration

   It should be noted that the MIBs here are not extensions of the
   Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach
   was rejected for a number of reasons, including:

  o  The types of parameters required for those MIBs are not
     appropriate for IPsec MIBs.

   The parameters required for IPsec tunnels are related to security
   services and statistics associated with handling those services.
   The Tunnel MIB has no parameters of that kind.

  o  The virtual tunnels created by IPsec SAs may be independent of
     other logical interfaces; this is an implementation issue.

   The IPsec layer may be placed in a number of locations on the host
   implementation. These locations may be above the IP layer, within the
   IP layer, or just below it. Therefore, the mapping of the IPsec
   virtual tunnels to tunnels described by the tunnel MIB is
   implementation dependent.

  o  The tunnel end point definitions are not the same as those used by
     the tunnel MIB.

   The Tunnel MIB uniquely defines tunnels by a simple source and
   destination IP address pair. This is only a specific subset of the
   identifiers needed for IPsec virtual tunnels.

   Note that implementations may still augment the tables in this MIB to
   link them to tables in other MIBs if they so desire.

3.4 Channel and Tunnel Types

   Implementations may need to configure certain channels and tunnels
   with sets of characteristics. While the sets of characteristics are
   implementation dependent, this MIB provides the ability to assign an
   arbitrary type to the channels and tunnels. Each type will have an
   implementation dependent set of characteristics. However, the MIB
   will be able to use this type value to allow the monitoring of the
   channel and tunnel types as individual groups.

   How the implementation assigns the types is outside the scope of this
   monitoring MIB.

   An example of this might be to assign a value of one to the type
   object for permanent channels, a value of two for transient entries
   and a value of three for management channels. This causes permanent
   channels to appear together in the table, and before the transient
   entries. Finally, management channels would then appear as a group at
   the end of the table.

   Also, it allows the ability to collect statistics based on types.


3.5 MIB Tables

   The MIB uses four tables that are linked as shown in Figure 3-1.

   The control channel table has an augmenting table that provides links
   to the specific IKE SAs that are used to support it.

   The tunnel table depends on the selector table from the IPsec
   monitoring MIB. There is also an augmenting table that provides links
   to the SA suites that are used to support it. The tunnel table itself
   indirectly links to the channel table by providing pointers to the
   endpoints used to create it.

                          dependent +---------------------+
     +------------------+ expansion |                     |
     |  channel table   |---------->|    IKE SA table     |
     +------------------+           |                     |
             / \                    +---------------------+
              |                                         |
              | -uses endpoint table from IKE MIB       |
              |                                         |
              |                                         |
              |           dependent +----------------+  |
         +--------------+ expansion |                |  |
         | tunnel table |---------->| SA suite table |  |
         +--------------+           |                |  |
                  ^                 +----------------+  |
                  | dependent             |             |
 - - - - - - - -  |  - - - - - - - - - -  |  - - - - -  |  - - -
                  |                      \ /            |
Other Monitoring  |               +---------------+     |
MIB Tables        |               | suite table   |     |
                  |               +---------------+     |
             +----------+                              \ /
             | selector |                +----------------+
             |  table   |                |  IKE SA table  |
             +----------+                +----------------+

             Figure 3-1 IPsec Tunnel Monitoring MIB Tables



   A different diagram that is intended to show the tunnels that exist
   between two IPsec gateways is shown in Figure 3-2. Two host groups
   each are shown behind the IPsec gateways. Shown are the IKE control
   channel between the gateways and four possible IPsec virtual tunnels.
   The control channel has two active phase 1 SAs. Of the four possible
   virtual tunnels, one is shown with two IPsec SAs in it. One of these
   SAs may be just about to expire, while the other may have been
   created in anticipation of the expiration of the first. These SAs are
   the SAs that provide the service, supporting the existence of the
   tunnel.

   Two tables not shown in the figures are the optional tables that hold
   aggregate statistics based on the implementation dependent channel
   and tunnel type.

               +----------------------------+
               |  IKE (control channel)     |
               |  +---------------------+   |
               |  |  IKE SA 1           |   |
               |  +---------------------+   |
               |  +---------------------+   |
               |  |  IKE SA 2           |   |
               |  +---------------------+   |
               +----------------------------+
                                  ^  ^
                                  |  | <- aggregate tunnel statistics
                                  |  |
 H11 -|    +----+                 |  |    +----+      |- H21
      |    |    |                         |    |      |
      |----| G1 |-------------------------| G2 |------|
      |    |    |                         |    |      |
 H12 -|    +----+                 |  |    +----+      |- H22
                                  |  |
                                  |  |
         +-----------------------------------------+
         |      H11 to H21 (data tunnel)           | <- aggregate
         | +-------------------------------------+ |    SS statistics
         | | IPsec SS with H11 and H21 selectors | |    for H11-H21
         | +-------------------------------------+ |
         | +-------------------------------------+ |
         | | IPsec SS with H11 and H21 selectors | |
         | +-------------------------------------+ |
         +-----------------------------------------+
                                  |  |
         +-----------------------------------------+
         |      H11 to H22 (data tunnel)           | <- aggregate
         +-----------------------------------------+    SS statistics
                                  |  |                  for H11-H22
         +-----------------------------------------+
         |      H12 to H21 (data tunnel)           | <- aggregate
         +-----------------------------------------+    SS statistics
                                  |  |                  for H12-H21
         +-----------------------------------------+
         |      H12 to H22 (data tunnel)           | <- aggregate
         +-----------------------------------------+    SS statistics
                                  |  |                  for H12-H22
                                  +--+
SS - SA Suite

                Figure 3-2 Illustration of IPsec Tunnels


3.5.1 Control Channel Table

   Each row in the control channel table corresponds to a logical
   control channel. Rows in this table do not have to have any real IKE
   SAs in order for them to appear in the table.

   There are two reasons for this. The first is that there is no
   requirement that IKE SAs continually exist between peers that are
   using IPsec. The second is that implementations may want to designate
   some channels between peers as permanent (as opposed to transient),
   and want them to appear in the table even if no SAs exist or have
   existed.

   Rows in the table are effectively indexed by the endpoints of the
   peers. In addition, an integer is added as a prefix to the index and
   is the arbitrary type described earlier.
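   The following is an added example, not part of this draft, showing
   why the type goes first in the index (sections 3.4 and 3.5.1). It
   assumes the channel index is the type followed by a local and a
   remote InetAddressType/InetAddress pair (the draft defines the
   actual index objects in section 4, below the portion shown here)
   and encodes the variable-length InetAddress as length plus octets,
   as RFC 2578 section 7.7 requires for non-IMPLIED string indices.
   The row list is constructed.

```python
"""Added example, not from the draft: how the type prefix groups rows.

Sections 3.4 and 3.5.1 say the channel table index is the arbitrary
type followed by the two endpoints.  This encodes such an index the way
SMIv2 encodes an INTEGER plus two InetAddressType/InetAddress pairs and
sorts rows the way a GetNext walk returns them.  The exact index objects
are defined later in the draft; the composition below is an assumption.
"""
from ipaddress import ip_address

# example type values from the IpsecChanOrTunType textual convention
PERMANENT, TRANSIENT, MANAGEMENT = 1, 2, 3
INET_IPV4, INET_IPV6 = 1, 2  # InetAddressType enumerations (INET-ADDRESS-MIB)


def inet_address_index(addr):
    """Index sub-identifiers for an InetAddressType/InetAddress pair.

    InetAddress is a variable-length OCTET STRING, so in an index it is
    encoded as its length followed by its octets (RFC 2578, section 7.7).
    """
    a = ip_address(addr)
    atype = INET_IPV4 if a.version == 4 else INET_IPV6
    octets = a.packed
    return (atype, len(octets)) + tuple(octets)


def channel_index(chan_type, local, remote):
    """Index = type prefix, then local endpoint, then remote endpoint."""
    return (chan_type,) + inet_address_index(local) + inet_address_index(remote)


def index_without_prefix(chan_type, local, remote):
    """The rejected alternative: type as a trailing sub-identifier."""
    return inet_address_index(local) + inet_address_index(remote) + (chan_type,)


def walk_order(rows, index_fn=channel_index):
    """Rows in GetNext order: lexicographic comparison of OID sub-ids.

    Python compares tuples element by element and treats a proper prefix
    as smaller, which is exactly the SNMP ordering of OIDs.
    """
    return sorted(rows, key=lambda r: index_fn(*r))


def types_in_walk_order(rows, index_fn=channel_index):
    """The sequence of type values a manager sees while walking the table."""
    return [r[0] for r in walk_order(rows, index_fn)]


def types_contiguous(type_seq):
    """True if every type value occupies one contiguous run of the walk."""
    runs = [t for i, t in enumerate(type_seq) if i == 0 or t != type_seq[i - 1]]
    return len(runs) == len(set(runs))


# constructed channel rows: (type, local endpoint, remote endpoint)
ROWS = [
    (TRANSIENT, "192.0.2.1", "198.51.100.7"),
    (MANAGEMENT, "192.0.2.1", "203.0.113.9"),
    (PERMANENT, "192.0.2.1", "2001:db8::1"),
    (TRANSIENT, "192.0.2.1", "198.51.100.5"),
    (PERMANENT, "192.0.2.1", "198.51.100.200"),
]

if __name__ == "__main__":
    for row in walk_order(ROWS):
        print(row, channel_index(*row))
    print("grouped with prefix:", types_contiguous(types_in_walk_order(ROWS)))
    print("grouped without   :",
          types_contiguous(types_in_walk_order(ROWS, index_without_prefix)))
```

   With the prefix the walk returns the two permanent rows, then the two
   transient rows, then the management row. With the type appended
   instead, the variable-length address sub-identifiers dominate the
   ordering and an IPv6 peer separates the two permanent rows, so a
   manager could not stop a walk at a type boundary.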


3.5.2 IKE SA Table

   This table's purpose is to allow administrators to get to the
   specific IKE SAs that make up a channel. It augments the control
   channel table by using the same indices and adding an arbitrary
   integer for each of its own rows.

   Each row contains the identifier of the specific IKE SA used. The
   identifier comes from the IKE monitoring MIB's IKE SA table, and
   specifies the index of the specific row required.

   Note that rows in this table do not exist for channels that have no
   active IKE SAs.


3.5.3 Tunnel Table

   Each row in the tunnel table corresponds to a logical tunnel between
   entities. Rows in this table do not have to have any real phase 2 SA
   suites in order for them to appear in the table. However, since
   selectors identify tunnels in this MIB, a selector that is the tunnel
   identifier must exist in the selector table of the IPsec Monitoring
   MIB.

   As with channels, implementations may want to designate some tunnels
   between peers as permanent (as opposed to transient), and want them
   to appear in the table even if no SA suites exist or have existed.

   The SA suite selectors uniquely identify tunnels. However, since this
   may require considerable sorting overhead on agent implementations,
   and would make the number of indices large (with large sub-identifiers
   as well), an arbitrary integer is used along with the tunnel type to
   perform tunnel indexing.

   A helper table is provided to search tunnels by selectors.


3.5.4 SA Suite Table

   This table's purpose is to allow administrators to get to the
   specific phase 2 SA suites that make up a tunnel. It augments the
   tunnel table by using the same indices and adding an arbitrary
   integer for each of its own rows.

   Each row contains the object identifier of the specific phase 2 SA
   suite used. The object identifier comes from the IKE monitoring MIB's
   suite table, and specifies the row of that table.

   Note that rows in this table do not exist for tunnels that have no
   active SA suites.


3.6 IPsec MIB Traps

   Traps are provided to let system administrators know about the
   existence of tunnel and channel related events occurring in the
   entity.

   Traps are provided only for channel up, channel down, tunnel up and
   tunnel down events. Negotiation failures are assumed to be covered by
   a lower level MIB.

   Traps may be disabled on a global basis for channels and tunnels
   independently.


3.7 IPsec Entity Level Objects

   This part of the MIB carries statistics global to the IPsec device.

   Statistics included are aggregate numbers of channels and tunnels,
   and aggregate errors.
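   The following model is an added example and not code from the draft
   or from any implementation. It puts the behaviour of sections 3.5.1
   to 3.7 and the channel counters of section 4 in one place: logical
   rows that exist with or without supporting SAs, an augmenting
   sub-table of pointers into the lower-level MIB that is empty for
   rows with no active SAs, the current/total/deleted counters and
   their invariant, and globally switchable up/down traps. Two points
   are assumptions the draft leaves to the implementation: a row is
   "up" when added and "down" when removed, and a transient row is
   removed when its last supporting SA expires while a permanent row
   stays. The scenario data is constructed.

```python
"""Added example (not the draft's code): an in-memory model of the channel
and tunnel groups described in sections 3.5.1 to 3.7.

Both groups have the same shape: a table of logical rows, an augmenting
sub-table that points at rows of the lower-level IKE/IPsec MIBs, the
current/total/deleted counters of section 4, and up/down traps with a
global enable flag.  Assumptions: a row is "up" when it is added and
"down" when it is removed, and transient rows are removed when their last
supporting SA goes away while permanent rows stay.
"""
from collections import defaultdict

COUNTER32_MOD = 2 ** 32
PERMANENT, TRANSIENT = 1, 2   # example IpsecChanOrTunType values from the draft


class LogicalGroup:
    """Channel group or tunnel group; `name` is only used in trap names."""

    def __init__(self, name):
        self.name = name
        self.rows = {}                      # index (type, ...) -> row data
        self.supporting = defaultdict(set)  # index -> pointers into lower MIB
        self.current = 0                    # Gauge32 current{Channels,Tunnels}
        self.total = 0                      # Counter32 total{Channels,Tunnels}
        self.deleted = 0                    # Counter32 deleted{Channels,Tunnels}
        self.traps_enabled = True           # global trap control (section 3.6)
        self.traps = []                     # (trap name, row index) emitted

    def _trap(self, kind, index):
        if self.traps_enabled:
            self.traps.append((f"{self.name}{kind}", index))

    def add_row(self, index):
        """Row creation counts even if no SA exists yet (3.5.1, 3.5.3)."""
        if index in self.rows:
            return
        self.rows[index] = {"type": index[0]}
        self.current += 1
        self.total = (self.total + 1) % COUNTER32_MOD
        self._trap("Up", index)

    def delete_row(self, index):
        """Row removal, independent of the SAs that may have supported it."""
        if index not in self.rows:
            return
        del self.rows[index]
        self.supporting.pop(index, None)    # sub-table rows vanish with the row
        self.current -= 1
        self.deleted = (self.deleted + 1) % COUNTER32_MOD
        self._trap("Down", index)

    def add_supporting_sa(self, index, sa_pointer):
        """Record that a lower-MIB SA (IKE SA or SA suite) supports this row."""
        self.add_row(index)
        self.supporting[index].add(sa_pointer)

    def remove_supporting_sa(self, index, sa_pointer):
        """Expire one supporting SA; the logical row outlives it unless it
        was transient and this was its last SA (assumption)."""
        self.supporting[index].discard(sa_pointer)
        if not self.supporting[index]:
            del self.supporting[index]      # 3.5.2/3.5.4: no rows without SAs
            if index[0] == TRANSIENT:
                self.delete_row(index)

    def sub_table_rows(self, index):
        """Pointers the augmenting table would expose for this row."""
        return sorted(self.supporting.get(index, ()))

    def counters_consistent(self):
        """The section 4 invariant, stated so it survives Counter32 wrap."""
        return (self.total - self.deleted) % COUNTER32_MOD == self.current


def rekey_scenario():
    """Figure 3-2: a tunnel with an expiring SA suite and its replacement."""
    tunnels = LogicalGroup("tunnel")
    # constructed index: (type, selector row id from the IPsec monitoring MIB)
    h11_h21 = (PERMANENT, "selector:H11-H21")
    tunnels.add_supporting_sa(h11_h21, "suite#7")     # about to expire
    tunnels.add_supporting_sa(h11_h21, "suite#8")     # created in anticipation
    tunnels.remove_supporting_sa(h11_h21, "suite#7")  # old suite expires
    return tunnels


def transient_channel_scenario():
    """A transient channel whose only IKE SA expires, with traps disabled."""
    channels = LogicalGroup("channel")
    channels.traps_enabled = False
    idx = (TRANSIENT, "192.0.2.1", "198.51.100.7")
    channels.add_supporting_sa(idx, "ikeSa#3")
    channels.remove_supporting_sa(idx, "ikeSa#3")
    return channels


if __name__ == "__main__":
    t = rekey_scenario()
    print(t.rows, t.traps, t.sub_table_rows((PERMANENT, "selector:H11-H21")))
    c = transient_channel_scenario()
    print(c.current, c.total, c.deleted, c.counters_consistent())
```

   In the rekey scenario the tunnel row, its counters and its trap
   history are unchanged when the older suite expires; only the
   augmenting SA suite table changes. That is the property the tunnel
   view exists to give an operator, who would otherwise see an SA
   disappear and wonder whether traffic was interrupted. The invariant
   is checked modulo 2^32 because totalChannels and deletedChannels are
   Counter32 objects and wrap independently of the Gauge32.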


4. MIB Definitions

IPSEC-TUN-MON-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Unsigned32,
        Gauge32, OBJECT-IDENTITY, experimental, NOTIFICATION-TYPE
                                       FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, TruthValue FROM SNMPv2-TC
       InetAddressType, InetAddress   FROM INET-ADDRESS-MIB
       IsakmpCookie                   FROM ISAKMP-DOI-IND-MON-MIB
   ;

   ipsecTunMonModule  MODULE-IDENTITY
       LAST-UPDATED   "0010041200Z"
       ORGANIZATION   "IETF IPsec Working Group"
       CONTACT-INFO
                   "Tim Jenkins
                    Catena Networks
                    307 Legget Drive
                    Kanata, ON
                    Canada
                    K2K 3C8
                    +1 (613) 599-6430
                    tjenkins@catena.com "

       DESCRIPTION
           "The MIB module to describe logical IPsec channel and tunnel
           objects, and entity level objects and events associated with
           these objects."
       REVISION       "0010041200Z"
       DESCRIPTION
           "Initial revision."
   --  ::= { ? }
       -- bogus value currently in use
      ::= { experimental 1010 }

   --
   -- textual conventions
   --

   IpsecChanOrTunType ::= TEXTUAL-CONVENTION
       DISPLAY-HINT   "d"
       STATUS     current
       DESCRIPTION
           "A value indicating an implementation specific type for
           channels and tunnels.

           The values below are defined as examples only, and are not
           intended to imply any specific support or capability."
       SYNTAX     INTEGER {
                       unknown(0),
                       permanent(1),
                       transient(2),
                       management(3)
                   }

   --
   -- MIB root (trunk?)
   --

   ipsecTunnelMonitorMIB OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all branches."
       ::= { ipsecTunMonModule 1 }

   -- first level branches

   channelObjects OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all channel related
           objects."
       ::= { ipsecTunnelMonitorMIB 1 }

   tunnelObjects OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all tunnel related
           objects."
       ::= { ipsecTunnelMonitorMIB 2 }


   -- second level branches

    channelTables OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           tables for channels."
       ::= { channelObjects 1 }

    channelStats OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           global (non-error) counters for channels."
       ::= { channelObjects 2 }

   channelErrors OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           global error counters for channels."
       ::= { channelObjects 3 }

   channelTraps OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           traps for channels."
       ::= { channelObjects 4 }

    channelTrapObjects OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for objects which are
           used as part of traps for channels."
       ::= { channelObjects 5 }

   channelTrapControl OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           trap controls for channel traps."
       ::= { channelObjects 6 }

   channelGroups  OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which
           describe the groups in the channel part of this MIB."
       ::= { channelObjects 7 }

    channelConformance  OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which
           describe the conformance in the channel part of this MIB."
       ::= { channelObjects 8 }

    tunnelTables OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           tables for tunnels."
       ::= { tunnelObjects 1 }

    tunnelStats OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           global (non-error) counters for tunnels."
       ::= { tunnelObjects 2 }

   tunnelErrors OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           global error counters for tunnels."
       ::= { tunnelObjects 3 }

   tunnelTraps OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           traps for tunnels."
       ::= { tunnelObjects 4 }

    tunnelTrapObjects OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for objects which are
           used as part of traps for tunnels."
       ::= { tunnelObjects 5 }

   tunnelTrapControl OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which are
           trap controls for tunnel traps."
       ::= { tunnelObjects 6 }

   tunnelGroups   OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which
           describe the groups in the tunnel part of this MIB."
       ::= { tunnelObjects 7 }

   tunnelConformance  OBJECT-IDENTITY
       STATUS     current
       DESCRIPTION
           "This is the base object identifier for all objects which
           describe the conformance in the tunnel part of this MIB."
       ::= { tunnelObjects 8 }


   -- the IPsec Channel statistics group
   --
   -- a collection of objects providing information about channels
   -- created using IKE SAs

   currentChannels    OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of channels currently in existence in the
           entity.

           This is the same as the number of rows in the channel table,
           whether there are IKE SAs for each row or not."
       ::= { channelStats 1 }

   totalChannels  OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of channels created by the entity since
           system boot.

           Channel creation is defined as the addition of a row to the
           channel table, whether an IKE SA was created at the same time
           or not."
       ::= { channelStats 2 }

   deletedChannels    OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of channels deleted by the entity.

           Channel deletion is defined as the removal of a row from the
           channel table, independent of the existence of the IKE SAs
           that may have supported it.

           Note that the sum of 'currentChannels' and 'deletedChannels'
           is equal to 'totalChannels'."
       ::= { channelStats 3 }


   -- the IPsec Tunnel statistics group
   --
   -- a collection of objects providing information about tunnels
   -- created using IPsec SA suites

   currentTunnels OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of tunnels currently in existence in the
           entity.

           This is the same as the number of rows in the tunnel table,
           whether there are IPsec SA suites for each row or not."
       ::= { tunnelStats 1 }

   totalTunnels   OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of tunnels created by the entity since
           system boot.

           Tunnel creation is defined as the addition of a row to the
           tunnel table, whether an IPsec SA was created at the same
           time or not."
       ::= { tunnelStats 2 }

   deletedTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of tunnels deleted by the entity.

           Tunnel deletion is defined as the removal of a row from the
           tunnel table, independent of the existence of the phase 2 SA
           suites that may have supported it.

           Note that the sum of 'currentTunnels' and 'deletedTunnels'
           is equal to 'totalTunnels'."
       ::= { tunnelStats 3 }

   -- the IPsec Control Channel MIB-Group
   --
   -- a collection of objects providing information about
   -- IPsec's control channels


   ipsecChannelTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecChannelEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The (conceptual) table containing information on control
           channels.

           The number of rows in this table is, at a minimum, the same
           as the number of IKE SAs that have the same phase 1 ID pairs.
           Additional rows for channels without active phase 1 SAs may
           also appear in the table.

           The maximum number of rows is implementation dependent."
       ::= { channelTables 1 }

   ipsecChannelEntry OBJECT-TYPE
       SYNTAX     IpsecChannelEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) containing the information on a
           particular control channel.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  {
                   ipsecChannelType,
                   ipsecChannelLocalEndpoint,
                   ipsecChannelRemoteEndpoint
               }
       ::= { ipsecChannelTable 1 }

   IpsecChannelEntry  ::= SEQUENCE {
   -- indices
       ipsecChannelType                   IpsecChanOrTunType,
       ipsecChannelLocalEndpoint          Unsigned32,
       ipsecChannelRemoteEndpoint         Unsigned32,

   -- virtual channel status
       ipsecChannelCurrentSAs             Gauge32,
       ipsecChannelTotalSAs               Counter32,
       ipsecChannelDeletedSAs             Counter32,
       ipsecChannelTimeUpSeconds          Counter32, -- since SAs > 0
       ipsecChannelTimeDownSeconds        Counter32, -- since SAs = 0

   -- aggregate statistics (all SAs)
       ipsecChannelInboundOctets          Counter32,
       ipsecChannelOutboundOctets         Counter32,
       ipsecChannelInboundPackets         Counter32,
       ipsecChannelOutboundPackets        Counter32,

   -- aggregate error statistics
       ipsecChannelReceiveErrors          Counter32,
       ipsecChannelSendErrors             Counter32,

   -- IPsec tunnel (Phase 2) statistics
       ipsecChannelCurrentTunnels         Gauge32,
       ipsecChannelTotalTunnels           Counter32,
       ipsecChannelDeletedTunnels         Counter32,

   -- IPsec tunnel (Phase 2) statistics (aggregate)
       ipsecChannelTunnelInboundOctets    Counter64,
       ipsecChannelTunnelOutboundOctets   Counter64,
       ipsecChannelTunnelInboundPackets   Counter64,
       ipsecChannelTunnelOutboundPackets  Counter64,

   -- IPsec SA (Phase 2) error statistics (aggregate)
       ipsecChannelTunnelReceiveErrors    Counter32,
       ipsecChannelTunnelSendErrors       Counter32
   }


   ipsecChannelType OBJECT-TYPE
       SYNTAX     IpsecChanOrTunType
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The type of control channel represented by this row.

           This is an implementation dependent value, used to assist in
           controlling how channels are sorted."
       ::= { ipsecChannelEntry 1 }

   ipsecChannelLocalEndpoint OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The index value of the row of the IKE Monitoring MIB's
           endpoint table corresponding to the local endpoint."
       ::= { ipsecChannelEntry 2 }

   ipsecChannelRemoteEndpoint OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The index value of the row of the IKE Monitoring MIB's
           endpoint table corresponding to the remote endpoint."
       ::= { ipsecChannelEntry 3 }

   ipsecChannelCurrentSAs OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The number of IKE SAs that are currently active that make up
           this channel.

           This value may be 0 if the channel has not yet been set up,
           if the implementation does not require the existence of IKE
           SAs for the channel to exist, or if the channel is considered
           a permanent entry in the table by the implementation.

           This value should not include SA establishment attempts in
           progress."
       ::= { ipsecChannelEntry 4 }

   ipsecChannelTotalSAs OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of IKE SAs that are part of this channel
           that have been created in the entity since boot time.

           This value should not include failed SA establishment
           attempts."
       ::= { ipsecChannelEntry 5 }

   ipsecChannelDeletedSAs OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of IKE SAs that are part of this channel
           that have been deleted in the entity since boot time.

           The sum of 'ipsecChannelCurrentSAs' and this value should
           equal 'ipsecChannelTotalSAs'."
       ::= { ipsecChannelEntry 6 }

   ipsecChannelTimeUpSeconds OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "seconds"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of seconds since there has been at least
           one valid IKE SA supporting the channel. In other words, the
           number of seconds since the value of 'ipsecChannelCurrentSAs'
           changed from 0 to any other value."
       ::= { ipsecChannelEntry 7 }

   ipsecChannelTimeDownSeconds OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "seconds"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of seconds since the last valid IKE SA
           supporting the channel was deleted. In other words, the
           number of seconds since the value of 'ipsecChannelCurrentSAs'
           changed to 0 from any other value."
       ::= { ipsecChannelEntry 8 }

   ipsecChannelInboundOctets OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The amount of traffic measured in bytes received by the
           channel. This is the sum of 'saInOctets' from the 'saEntry'
           of each IKE SA in 'saTable' that is part of this channel."
       ::= { ipsecChannelEntry 9 }

   ipsecChannelOutboundOctets OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The amount of traffic measured in bytes sent by the channel.
           This is the sum of 'saOutOctets' from the 'saEntry' of each
           IKE SA in 'saTable' that is part of this channel."
       ::= { ipsecChannelEntry 10 }

   ipsecChannelInboundPackets OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets received by the channel. This is
           the sum of 'saInPackets' from the 'saEntry' of each IKE SA in
           'saTable' that is part of this channel."
       ::= { ipsecChannelEntry 11 }

   ipsecChannelOutboundPackets OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets sent by the channel. This is the
           sum of 'saOutPackets' from the 'saEntry' of each IKE SA in
           'saTable' that is part of this channel."
       ::= { ipsecChannelEntry 12 }

   ipsecChannelReceiveErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of receive errors incurred in the channel.
           This is the sum of all receive errors from the 'saEntry' of
           each IKE SA in 'saTable' that is part of this channel."
       ::= { ipsecChannelEntry 13 }

   ipsecChannelSendErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of send errors incurred in the channel.
           This is the sum of all send errors from the 'saEntry' of each
           IKE SA in 'saTable' that is part of this channel."
       ::= { ipsecChannelEntry 14 }

   ipsecChannelCurrentTunnels OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The number of IPsec tunnels that are currently active that
           were created by this channel.

           This value should not include tunnel establishment attempts
           that are in progress."
       ::= { ipsecChannelEntry 15 }

   ipsecChannelTotalTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of IPsec tunnels that have been created in
           the entity by this channel since boot time.

           This value should not include failed tunnel establishment
           attempts."
       ::= { ipsecChannelEntry 16 }

   ipsecChannelDeletedTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of IPsec tunnels that have been deleted by
           this channel in the entity since boot time.

           The sum of 'ipsecChannelCurrentTunnels' and this value should
           equal 'ipsecChannelTotalTunnels'."
       ::= { ipsecChannelEntry 17 }

   ipsecChannelTunnelInboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The amount of traffic measured in bytes received by all
           tunnels created by the channel."
       ::= { ipsecChannelEntry 18 }

   ipsecChannelTunnelOutboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The amount of traffic measured in bytes sent by all tunnels
           created by the channel."
       ::= { ipsecChannelEntry 19 }

   ipsecChannelTunnelInboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets received by all tunnels created
           by the channel."
       ::= { ipsecChannelEntry 20 }

   ipsecChannelTunnelOutboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets sent by all tunnels created by
           the channel."
       ::= { ipsecChannelEntry 21 }

   ipsecChannelTunnelReceiveErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of receive errors incurred in all tunnels
           created by the channel."
       ::= { ipsecChannelEntry 22 }

   ipsecChannelTunnelSendErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of send errors incurred in all tunnels
           created by the channel."
       ::= { ipsecChannelEntry 23 }


   -- the IPsec channel SA table
   --
   -- a table providing a reference to specific IKE SAs as used by
   -- IPsec channels

   ipsecChannelSaTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecChannelSaEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The (conceptual) table containing information on which IKE
           SAs are used in channels.

           The number of rows is the same as the number of IKE SAs in
           the entity.

           The maximum number of rows is implementation dependent."
       ::= { channelTables 2 }

   ipsecChannelSaEntry OBJECT-TYPE
       SYNTAX     IpsecChannelSaEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) containing the identifiers of a
           specific IKE SA.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  {
                   ipsecChannelType,
                   ipsecChannelLocalEndpoint,
                   ipsecChannelRemoteEndpoint,
                   ipsecChannelSaIndex
               }
       ::= { ipsecChannelSaTable 1 }

   IpsecChannelSaEntry ::= SEQUENCE {

   -- additional index to augment channel table
       ipsecChannelSaIndex                    Unsigned32,

   -- the SA specifiers
       ipsecChannelSaLocalIpAddrType          InetAddressType,
       ipsecChannelSaLocalIpAddress           InetAddress,
       ipsecChannelSaRemoteIpAddrType         InetAddressType,
       ipsecChannelSaRemoteIpAddress          InetAddress,
       ipsecChannelSaInitiatorCookie          IsakmpCookie,
       ipsecChannelSaResponderCookie          IsakmpCookie
   }


   ipsecChannelSaIndex OBJECT-TYPE
       SYNTAX     Unsigned32 (1..16777215)
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "A unique value, greater than zero, for each IKE SA in the
           channel. It is recommended that values are assigned
           contiguously starting from 1."
       ::= { ipsecChannelSaEntry 1 }

   ipsecChannelSaLocalIpAddrType OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The type of the local address used to negotiate the IKE SA
           in the channel. (The value of 'saIkeLocalIpAddressType' from
           'ikeMonModule' for this row.)"
       ::= { ipsecChannelSaEntry 2 }

   ipsecChannelSaLocalIpAddress OBJECT-TYPE
       SYNTAX     InetAddress (SIZE(4|16|20))
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The local address used to negotiate the IKE SA in the
           channel. (The value of 'saIkeLocalIpAddress' from
           'ikeMonModule' for this row.)"
       ::= { ipsecChannelSaEntry 3 }

   ipsecChannelSaRemoteIpAddrType OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The type of the remote address used to negotiate the IKE SA
           in the channel. (The value of 'saIkeRemoteIpAddressType' from
           'ikeMonModule' for this row.)"
       ::= { ipsecChannelSaEntry 4 }

   ipsecChannelSaRemoteIpAddress OBJECT-TYPE
       SYNTAX     InetAddress (SIZE(4|16|20))
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The remote address used to negotiate the IKE SA in the
           channel. (The value of 'saIkeRemoteIpAddress' from
           'ikeMonModule' for this row.)"
       ::= { ipsecChannelSaEntry 5 }

   ipsecChannelSaInitiatorCookie OBJECT-TYPE
       SYNTAX     IsakmpCookie
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The value of the cookie used by the initiator for the IKE SA
           in the channel. (The value of 'saIkeInitiatorCookie' from
           'ikeMonModule' for this row.)"
       ::= { ipsecChannelSaEntry 6 }

   ipsecChannelSaResponderCookie OBJECT-TYPE
       SYNTAX     IsakmpCookie
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The value of the cookie used by the responder for the IKE SA
           in the channel. (The value of 'saIkeResponderCookie' from
           'ikeMonModule' for this row.)"
       ::= { ipsecChannelSaEntry 7 }



   -- the IPsec channel SA aggregates table
   --
   -- a table providing aggregate statistics for the user-defined
   -- channel types


   ipsecChanAggTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecChanAggEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The optional (conceptual) table containing information on
           aggregate statistics for the channel types.

           The number of rows is the same as the number of channel types
           supported by the entity.

           The maximum number of rows is implementation dependent."
       ::= { channelTables 3 }

   ipsecChanAggEntry OBJECT-TYPE
       SYNTAX     IpsecChanAggEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) containing the aggregate
           statistics for a specific channel type.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  { ipsecChanAggType }
       ::= { ipsecChanAggTable 1 }

   IpsecChanAggEntry ::= SEQUENCE {
   -- index
       ipsecChanAggType               IpsecChanOrTunType,

   -- channel counts
       ipsecChanAggCurrentChannels    Gauge32,
       ipsecChanAggTotalChannels      Counter32,
       ipsecChanAggDeletedChannels    Counter32,

   -- aggregate statistics (all SAs)
       ipsecChanAggInboundOctets      Counter64,
       ipsecChanAggOutboundOctets     Counter64,
       ipsecChanAggInboundPackets     Counter64,
       ipsecChanAggOutboundPackets    Counter64,

   -- aggregate error statistics
       ipsecChanAggReceiveErrors      Counter32,
       ipsecChanAggSendErrors         Counter32,

   -- IPsec tunnel (Phase 2) statistics
       ipsecChanAggCurrentTunnels     Gauge32,
       ipsecChanAggTotalTunnels       Counter32,
       ipsecChanAggDeletedTunnels     Counter32,

   -- IPsec tunnel (Phase 2) statistics (aggregate)
       ipsecChanAggTnlInboundOctets   Counter64,
       ipsecChanAggTnlOutboundOctets  Counter64,
       ipsecChanAggTnlInboundPackets  Counter64,
       ipsecChanAggTnlOutboundPackets Counter64,

   -- IPsec SA (Phase 2) error statistics (aggregate)
       ipsecChanAggTnlReceiveErrors   Counter32,
       ipsecChanAggTnlSendErrors      Counter32
   }


   ipsecChanAggType OBJECT-TYPE
       SYNTAX     IpsecChanOrTunType
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The type of control channel for which this row aggregates
           statistics."
       ::= { ipsecChanAggEntry 1 }

   ipsecChanAggCurrentChannels OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The number of channels that are currently active that are of
           the specified type.

           This value should not include channel establishment attempts
           in progress."
       ::= { ipsecChanAggEntry 2 }

   ipsecChanAggTotalChannels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of channels of this type that have been
           created in the entity since boot time.

           This value should not include failed channel establishment
           attempts."
       ::= { ipsecChanAggEntry 3 }

   ipsecChanAggDeletedChannels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of channels of this type that have been
           deleted in the entity since boot time.

           The sum of 'ipsecChanAggCurrentChannels' and this value
           should equal 'ipsecChanAggTotalChannels'."
       ::= { ipsecChanAggEntry 4 }

   ipsecChanAggInboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total amount of traffic measured in bytes received by
           all channels of this type. This is the sum of
           'ipsecChannelInboundOctets' from the 'ipsecChannelEntry' of
           each channel in 'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 5 }

   ipsecChanAggOutboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total amount of traffic measured in bytes sent by all
           channels of this type. This is the sum of
           'ipsecChannelOutboundOctets' from the 'ipsecChannelEntry' of
           each channel in 'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 6 }

   ipsecChanAggInboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets received by all channels of this
           type. This is the sum of 'ipsecChannelInboundPackets' from
           the 'ipsecChannelEntry' of each channel in
           'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 7 }

   ipsecChanAggOutboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets sent by all channels of this
           type. This is the sum of 'ipsecChannelOutboundPackets' from
           the 'ipsecChannelEntry' of each channel in
           'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 8 }

   ipsecChanAggReceiveErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of receive errors incurred by all channels
           of this type. This is the sum of 'ipsecChannelReceiveErrors'
           from the 'ipsecChannelEntry' of each channel in
           'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 9 }

   ipsecChanAggSendErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of send errors incurred by all channels of
           this type. This is the sum of 'ipsecChannelSendErrors' from
           the 'ipsecChannelEntry' of each channel in
           'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 10 }

   ipsecChanAggCurrentTunnels OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The current number of active IPsec tunnels that have been
           created by all channels of this type. This is the sum of
           'ipsecChannelCurrentTunnels' from the 'ipsecChannelEntry' of
           each channel in 'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 11 }

   ipsecChanAggTotalTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of IPsec tunnels that have been created by
           all channels of this type. This is the sum of
           'ipsecChannelTotalTunnels' from the 'ipsecChannelEntry' of
           each channel in 'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 12 }

   ipsecChanAggDeletedTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of IPsec tunnels that have been deleted by
           all channels of this type. This is the sum of
           'ipsecChannelDeletedTunnels' from the 'ipsecChannelEntry' of
           each channel in 'ipsecChannelTable' that is of this type.

           The sum of 'ipsecChanAggCurrentTunnels' and this value should
           equal 'ipsecChanAggTotalTunnels'."
       ::= { ipsecChanAggEntry 13 }

   ipsecChanAggTnlInboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The amount of traffic measured in bytes received by all
           tunnels created by all channels of this type. This is the sum
           of 'ipsecChannelTunnelInboundOctets' from the
           'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
           that is of this type."
       ::= { ipsecChanAggEntry 14 }

   ipsecChanAggTnlOutboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The amount of traffic measured in bytes sent by all tunnels
           created by all channels of this type. This is the sum of
           'ipsecChannelTunnelOutboundOctets' from the
           'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
           that is of this type."
       ::= { ipsecChanAggEntry 15 }

   ipsecChanAggTnlInboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets received by all tunnels created
           by all channels of this type. This is the sum of
           'ipsecChannelTunnelInboundPackets' from the
           'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
           that is of this type."
       ::= { ipsecChanAggEntry 16 }

   ipsecChanAggTnlOutboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets sent by all tunnels created by
           all channels of this type. This is the sum of
           'ipsecChannelTunnelOutboundPackets' from the
           'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
           that is of this type."
       ::= { ipsecChanAggEntry 17 }

   ipsecChanAggTnlReceiveErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of receive errors incurred in all tunnels
           created by all channels of this type. This is the sum of
           'ipsecChannelTunnelReceiveErrors' from the
           'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
           that is of this type."
       ::= { ipsecChanAggEntry 18 }

   ipsecChanAggTnlSendErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of send errors incurred in all tunnels
           created by all channels of this type. This is the sum of
           'ipsecChannelTunnelSendErrors' from the 'ipsecChannelEntry'
           of each channel in 'ipsecChannelTable' that is of this type."
       ::= { ipsecChanAggEntry 19 }
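   The statistics groups above state a counter identity (the sum of the
   'current' and 'deleted' objects equals the 'total' object, for channels,
   IKE SAs and tunnels alike), and the ipsecChanAggTable defines each of its
   objects as the sum of one ipsecChannelTable column over the rows of a given
   type. The script below is an added example, not part of this draft or of
   any agent implementation: it checks that identity on polled channel rows,
   allowing for Counter32 wrap, and rebuilds the aggregate rows from the
   channel rows so a manager can compare them with what the agent reports.
   The row values, the Python names and the subset of columns used are
   constructed for the example.

```python
"""Consistency checks over polled rows of the IPsec Tunnel Monitoring MIB.

Added example, not part of the draft: models ipsecChannelTable rows, checks
the identity the draft states (current + deleted == total) and derives the
per-type ipsecChanAggTable rows as sums of channel rows, as the draft
defines them.  All values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNTER32_MOD = 2 ** 32   # Counter32 wraps at 2^32
COUNTER64_MOD = 2 ** 64   # Counter64 wraps at 2^64


@dataclass(frozen=True)
class ChannelRow:
    """One ipsecChannelEntry; a subset of its columns is enough here."""
    chan_type: int         # ipsecChannelType (index)
    local_ep: int          # ipsecChannelLocalEndpoint (index)
    remote_ep: int         # ipsecChannelRemoteEndpoint (index)
    current_sas: int       # ipsecChannelCurrentSAs (Gauge32)
    total_sas: int         # ipsecChannelTotalSAs (Counter32)
    deleted_sas: int       # ipsecChannelDeletedSAs (Counter32)
    in_octets: int         # ipsecChannelInboundOctets (Counter32)
    current_tunnels: int   # ipsecChannelCurrentTunnels (Gauge32)
    total_tunnels: int     # ipsecChannelTotalTunnels (Counter32)
    deleted_tunnels: int   # ipsecChannelDeletedTunnels (Counter32)
    tnl_in_octets: int     # ipsecChannelTunnelInboundOctets (Counter64)


# (aggregate object, channel column it sums, modulus of the aggregate's type)
AGG_SUMS: List[Tuple[str, str, int]] = [
    ("ipsecChanAggInboundOctets",    "in_octets",       COUNTER64_MOD),
    ("ipsecChanAggCurrentTunnels",   "current_tunnels", COUNTER32_MOD),
    ("ipsecChanAggTotalTunnels",     "total_tunnels",   COUNTER32_MOD),
    ("ipsecChanAggDeletedTunnels",   "deleted_tunnels", COUNTER32_MOD),
    ("ipsecChanAggTnlInboundOctets", "tnl_in_octets",   COUNTER64_MOD),
]


def counter_identity_holds(current: int, deleted: int, total: int,
                           modulus: int = COUNTER32_MOD) -> bool:
    """current + deleted == total, compared modulo the counter width so a
    Counter32 that has wrapped still satisfies the identity."""
    return (current + deleted) % modulus == total % modulus


def check_channel_rows(rows: List[ChannelRow]) -> List[str]:
    """One message per counter identity that fails on a channel row."""
    problems = []
    for r in rows:
        idx = (r.chan_type, r.local_ep, r.remote_ep)
        if not counter_identity_holds(r.current_sas, r.deleted_sas, r.total_sas):
            problems.append(f"{idx}: CurrentSAs + DeletedSAs != TotalSAs")
        if not counter_identity_holds(r.current_tunnels, r.deleted_tunnels,
                                      r.total_tunnels):
            problems.append(f"{idx}: CurrentTunnels + DeletedTunnels != TotalTunnels")
    return problems


def derive_chan_agg(rows: List[ChannelRow]) -> Dict[int, Dict[str, int]]:
    """Rebuild ipsecChanAggTable from ipsecChannelTable, one row per type.
    ipsecChanAggCurrentChannels counts the channel rows of the type; the
    other objects are sums folded at the width of the aggregate's own type,
    so two Counter32 octet counts whose sum exceeds 2^32 fit in Counter64."""
    agg: Dict[int, Dict[str, int]] = {}
    for r in rows:
        a = agg.setdefault(r.chan_type, {"ipsecChanAggCurrentChannels": 0,
                                         **{n: 0 for n, _, _ in AGG_SUMS}})
        a["ipsecChanAggCurrentChannels"] += 1
        for agg_name, col, mod in AGG_SUMS:
            a[agg_name] = (a[agg_name] + getattr(r, col)) % mod
    return agg


def compare_agg(derived: Dict[int, Dict[str, int]],
                reported: Dict[int, Dict[str, int]]) -> List[str]:
    """Aggregate objects whose reported value disagrees with the row sum."""
    diffs = []
    for chan_type, cols in reported.items():
        for name, value in cols.items():
            expected = derived.get(chan_type, {}).get(name)
            if expected is not None and expected != value:
                diffs.append(f"type {chan_type} {name}: reported {value}, "
                             f"rows sum to {expected}")
    return diffs


# Constructed sample rows: two type-1 channels and one type-2 channel.
SAMPLE_ROWS = [
    # DeletedSAs has wrapped: (3 + 2^32 - 2) mod 2^32 == 1 == TotalSAs
    ChannelRow(1, 1, 2, 3, 1, 2 ** 32 - 2, 4_000_000_000, 4, 12, 8, 900),
    ChannelRow(1, 1, 3, 1, 5, 4, 1_000_000_000, 2, 6, 4, 100),
    # tunnel identity broken on purpose: 2 + 3 != 6
    ChannelRow(2, 1, 9, 1, 1, 0, 500, 2, 6, 3, 0),
]

if __name__ == "__main__":
    print(check_channel_rows(SAMPLE_ROWS))
    print(derive_chan_agg(SAMPLE_ROWS))
```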


   -- the IPsec Tunnel MIB-Group
   --
   -- a collection of objects providing information about
   -- IPsec SA suite-based virtual tunnels


   ipsecTunnelTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecTunnelEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The (conceptual) table containing information on IPsec SA
           suite-based tunnels.

           The number of rows is, at a minimum, the same as the number
           of IPsec SA suites in the entity that have identical
           selectors. Additional rows for tunnels without active IPsec
           SA suites may also appear in the table.

           The maximum number of rows is implementation dependent."
       ::= { tunnelTables 1 }

   ipsecTunnelEntry OBJECT-TYPE
       SYNTAX     IpsecTunnelEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) containing the information on a
           particular tunnel.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  { ipsecTunnelType, ipsecTunnelId }
       ::= { ipsecTunnelTable 1 }

   IpsecTunnelEntry ::= SEQUENCE {
       ipsecTunnelType                IpsecChanOrTunType,
       ipsecTunnelId                  Unsigned32,

   -- tunnel endpoints
       ipsecTunnelLocalIpAddrType     InetAddressType,
       ipsecTunnelLocalIpAddress      InetAddress,
       ipsecTunnelRemoteIpAddrType    InetAddressType,
       ipsecTunnelRemoteIpAddress     InetAddress,

   -- creator identifiers
       ipsecTunnelRemoteEndpoint      Unsigned32,
       ipsecTunnelLocalEndpoint       Unsigned32,

   -- operational statistics
       ipsecTunnelCurrentSaSuites     Gauge32,
       ipsecTunnelTotalSaSuites       Counter32,
       ipsecTunnelDeletedSaSuites     Counter32,
       ipsecTunnelTimeUpSeconds       Counter32, -- since suites > 0
       ipsecTunnelTimeDownSeconds     Counter32, -- since suites = 0

   -- aggregate statistics
       ipsecTunnelTotalInboundOctets   Counter64,
       ipsecTunnelTotalOutboundOctets  Counter64,
       ipsecTunnelTotalInboundPackets  Counter64,
       ipsecTunnelTotalOutboundPackets Counter64,

   -- aggregate error statistics
       ipsecTunnelSendErrors          Counter32,
       ipsecTunnelReceiveErrors       Counter32

   }

   ipsecTunnelType OBJECT-TYPE
       SYNTAX     IpsecChanOrTunType
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The type of tunnel represented by this row.

           This is an implementation dependent value, used to assist in
           controlling how tunnels are sorted."
       ::= { ipsecTunnelEntry 1 }

   ipsecTunnelId  OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The index value of the selector table row that contains the
           selectors that are the identity of this tunnel.

           Specifically, this is the value of 'selectorIndex' from the
           appropriate row ('selectorEntry') from the table
           'selectorTable' from the MIB 'ipsecMonModule'.
           (NOTE: Should this be an OBJECT IDENTIFIER instead?)"
       ::= { ipsecTunnelEntry 2 }

   ipsecTunnelLocalIpAddrType OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The type of address used by the local endpoint of the
           tunnel."
       ::= { ipsecTunnelEntry 3 }

   ipsecTunnelLocalIpAddress  OBJECT-TYPE
       SYNTAX     InetAddress (SIZE(4|16|20))
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The address used by the local endpoint of the tunnel."
       ::= { ipsecTunnelEntry 4 }

   ipsecTunnelRemoteIpAddrType    OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The type of address used by the remote endpoint of the
           tunnel."
       ::= { ipsecTunnelEntry 5 }

   ipsecTunnelRemoteIpAddress OBJECT-TYPE
       SYNTAX     InetAddress (SIZE(4|16|20))
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The address used by the remote endpoint of the tunnel."
       ::= { ipsecTunnelEntry 6 }

   ipsecTunnelLocalEndpoint   OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The index of the local endpoint that negotiated this tunnel.

           It is the value of 'endpointIndex' from the correct row
           ('IkeEndpointEntry') of the 'ikeEndpointTable' from
           'ikeMonModule'.
           (NOTE: Should this be an OBJECT IDENTIFIER instead?)"
       ::= { ipsecTunnelEntry 7 }

   ipsecTunnelRemoteEndpoint  OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The index of the remote endpoint that negotiated this
           tunnel.

           It is the value of 'endpointIndex' from the correct row
           ('IkeEndpointEntry') of the 'ikeEndpointTable' from
           'ikeMonModule'."
       ::= { ipsecTunnelEntry 8 }

   ipsecTunnelCurrentSaSuites OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The number of phase 2 SA suites that are currently active
           that make up this tunnel.

           This value may be 0 if the tunnel has not yet been set up, or
           the implementation does not require the existence of phase 2
           SA suites for the tunnel to exist, or if the tunnel is
           considered a permanent entry in the table by the
           implementation.

           This value should not include phase 2 SA suite establishment
           attempts in progress."
       ::= { ipsecTunnelEntry 9 }

   ipsecTunnelTotalSaSuites OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of phase 2 SA suites that are part of this
           tunnel that have been created in the entity since boot time.

           This value should not include failed phase 2 SA suite
           establishment attempts."
       ::= { ipsecTunnelEntry 10 }

   ipsecTunnelDeletedSaSuites OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of phase 2 SA suites that are part of this
           tunnel that have been deleted in the entity since boot time.

           The sum of 'ipsecTunnelCurrentSaSuites' and this value should
           equal 'ipsecTunnelTotalSaSuites'."
       ::= { ipsecTunnelEntry 11 }

   ipsecTunnelTimeUpSeconds OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "seconds"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of seconds since there has been at least
           one valid phase 2 SA suite supporting the tunnel. In other
           words, the number of seconds since the value of
           'ipsecTunnelCurrentSaSuites' changed from 0 to any other
           value."
       ::= { ipsecTunnelEntry 12 }

   ipsecTunnelTimeDownSeconds OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "seconds"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of seconds since the last valid phase 2 SA
           suite supporting the tunnel was deleted. In other words, the
           number of seconds since the value of
           'ipsecTunnelCurrentSaSuites' changed to 0 from any other
           value."
       ::= { ipsecTunnelEntry 13 }

   ipsecTunnelTotalInboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total amount of traffic measured in bytes received by
           the tunnel. This is the sum of 'suiteInUserOctets' from the
           'suiteEntry' of each phase 2 SA suite in 'suiteTable' that is
           part of this tunnel."
       ::= { ipsecTunnelEntry 14 }

   ipsecTunnelTotalOutboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total amount of traffic measured in bytes sent by the
           tunnel. This is the sum of 'suiteOutUserOctets' from the
           'suiteEntry' of each phase 2 SA suite in 'suiteTable' that is
           part of this tunnel."
       ::= { ipsecTunnelEntry 15 }

   ipsecTunnelTotalInboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets received by the tunnel. This is
           the sum of 'suiteInPackets' from the 'suiteEntry' of each
           phase 2 SA suite in 'suiteTable' that is part of this
           tunnel."
       ::= { ipsecTunnelEntry 16 }

   ipsecTunnelTotalOutboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets sent by the tunnel. This is the
           sum of 'suiteOutPackets' from the 'suiteEntry' of each phase
           2 SA suite in 'suiteTable' that is part of this tunnel."
       ::= { ipsecTunnelEntry 17 }

   ipsecTunnelSendErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of send errors in the tunnel. This is the
           sum of 'suiteSendErrors' from the 'suiteEntry' of each phase
           2 SA suite in 'suiteTable' that is part of this tunnel."
       ::= { ipsecTunnelEntry 18 }

   ipsecTunnelReceiveErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of receive errors in the tunnel. This is
           the sum of 'suiteReceiveErrors' from the 'suiteEntry' of each
           phase 2 SA suite in 'suiteTable' that is part of this
           tunnel."
       ::= { ipsecTunnelEntry 19 }


   -- the IPsec SA Suite MIB-Group
   --
   -- a collection of objects providing information about
   -- IPsec SA suites used in virtual tunnels


   ipsecTunnelSuiteTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecTunnelSuiteEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The (conceptual) table containing information on IPsec SA
           suites.

           The number of rows is the same as the number of IPsec SA
           suites in the entity.

           The maximum number of rows is implementation dependent."
       ::= { tunnelTables 2 }

   ipsecTunnelSuiteEntry OBJECT-TYPE
       SYNTAX     IpsecTunnelSuiteEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) containing the identifiers to a
           particular SA suite.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  {
                   ipsecTunnelType,
                   ipsecTunnelId,
                   ipsecTunnelSuiteIndex
               }
       ::= { ipsecTunnelSuiteTable 1 }

   IpsecTunnelSuiteEntry ::= SEQUENCE {

   -- additional index
       ipsecTunnelSuiteIndex      Unsigned32,

   -- identifier of suite
       ipsecTunnelSuiteReference  OBJECT IDENTIFIER
   }

   ipsecTunnelSuiteIndex  OBJECT-TYPE
       SYNTAX     Unsigned32 (1..16777215)
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "A unique value, greater than zero, for each SA suite in the
           tunnel. It is recommended that values are assigned
           contiguously starting from 1."
       ::= { ipsecTunnelSuiteEntry 1 }

   ipsecTunnelSuiteReference  OBJECT-TYPE
       SYNTAX     OBJECT IDENTIFIER
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The object identifier of the IPsec SA suite row that
           represents the IPsec SA suite in the tunnel.

           Specifically, the value of this object is the object
           identifier of 'suiteIndex' of the appropriate row
           ('SuiteEntry') in 'suiteTable' from 'ikeMonModule'."
       ::= { ipsecTunnelSuiteEntry 2 }



   -- the IPsec tunnel aggregates table
   --
   -- a table providing aggregate statistics for the user-defined
   -- tunnel types


   ipsecTunAggTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF IpsecTunAggEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The optional (conceptual) table containing information on
           aggregate statistics for the tunnel types.

           The number of rows is the same as the number of tunnel types
           supported by the entity.

           The maximum number of rows is implementation dependent."
       ::= { tunnelTables 3 }

   ipsecTunAggEntry OBJECT-TYPE
       SYNTAX     IpsecTunAggEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) containing the aggregate
           statistics for a specific tunnel type.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  { ipsecTunnelType }
       ::= { ipsecTunAggTable 1 }

   IpsecTunAggEntry ::= SEQUENCE {

   -- tunnel counts of this type
       ipsecTunAggCurrentTunnels      Gauge32,
       ipsecTunAggTotalTunnels        Counter32,
       ipsecTunAggDeletedTunnels      Counter32,

   -- aggregate statistics
       ipsecTunAggInboundOctets       Counter64,
       ipsecTunAggOutboundOctets      Counter64,
       ipsecTunAggInboundPackets      Counter64,
       ipsecTunAggOutboundPackets     Counter64,

   -- aggregate error statistics
       ipsecTunAggSendErrors          Counter32,
       ipsecTunAggReceiveErrors       Counter32
   }


   ipsecTunAggCurrentTunnels OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The number of tunnels that are currently active that are of
           the specified type.

           This value should not include tunnel establishment attempts
           in progress."
       ::= { ipsecTunAggEntry 1 }

   ipsecTunAggTotalTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of tunnels of this type that have been
           created in the entity since boot time.

           This value should not include failed tunnel establishment
           attempts."
       ::= { ipsecTunAggEntry 2 }

   ipsecTunAggDeletedTunnels OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of tunnels of this type that have been
           deleted in the entity since boot time.

           The sum of 'ipsecTunAggCurrentTunnels' and this value should
           equal 'ipsecTunAggTotalTunnels'."
       ::= { ipsecTunAggEntry 3 }

   ipsecTunAggInboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total amount of traffic measured in bytes received by
           all tunnels of this type. This is the sum of
           'ipsecTunnelTotalInboundOctets' from the 'ipsecTunnelEntry'
           of each tunnel in 'ipsecTunnelTable' that is of this type."
       ::= { ipsecTunAggEntry 4 }

   ipsecTunAggOutboundOctets OBJECT-TYPE
       SYNTAX     Counter64
       UNITS      "bytes"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total amount of traffic measured in bytes sent by all
           tunnels of this type. This is the sum of
           'ipsecTunnelTotalOutboundOctets' from the 'ipsecTunnelEntry'
           of each tunnel in 'ipsecTunnelTable' that is of this type."
       ::= { ipsecTunAggEntry 5 }

   ipsecTunAggInboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets received by all tunnels of this
           type. This is the sum of 'ipsecTunnelTotalInboundPackets'
           from the 'ipsecTunnelEntry' of each tunnel in
           'ipsecTunnelTable' that is of this type."
       ::= { ipsecTunAggEntry 6 }

   ipsecTunAggOutboundPackets OBJECT-TYPE
       SYNTAX     Counter64
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of packets sent by all tunnels of this
           type. This is the sum of 'ipsecTunnelTotalOutboundPackets'
           from the 'ipsecTunnelEntry' of each tunnel in
           'ipsecTunnelTable' that is of this type."
       ::= { ipsecTunAggEntry 7 }

   ipsecTunAggSendErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of send errors incurred by all tunnels of
           this type. This is the sum of 'ipsecTunnelSendErrors' from
           the 'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable'
           that is of this type."
       ::= { ipsecTunAggEntry 8 }

   ipsecTunAggReceiveErrors OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The total number of receive errors incurred by all tunnels
           of this type. This is the sum of 'ipsecTunnelReceiveErrors'
           from the 'ipsecTunnelEntry' of each tunnel in
           'ipsecTunnelTable' that is of this type."
       ::= { ipsecTunAggEntry 9 }



   --
   -- table to find tunnels based on the tunnel identifiers
   --

   tunnelBySelectorsTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF TunnelBySelectorsEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The (conceptual) table that sorts the tunnels by the
           selectors.

           The number of rows in this table is the same as the number of
           tunnels in the entity."
       ::= { tunnelTables 4 }

   tunnelBySelectorsEntry OBJECT-TYPE
       SYNTAX     TunnelBySelectorsEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "An entry (conceptual row) referencing a particular tunnel.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX  {
                   tunnelBySelectorsHash,
                   tunnelBySelectorsIndex
               }
       ::= { tunnelBySelectorsTable 1 }

   TunnelBySelectorsEntry ::= SEQUENCE {
   -- index
       tunnelBySelectorsHash          OCTET STRING,
       tunnelBySelectorsIndex         Unsigned32,

   -- real tunnel identifiers
       tunnelBySelectorsId            Unsigned32,

   -- tunnel reference
       tunnelBySelectorsType          IpsecChanOrTunType,
       tunnelBySelectorsRef           OBJECT IDENTIFIER
   }

   tunnelBySelectorsHash  OBJECT-TYPE
       SYNTAX     OCTET STRING (SIZE(4))
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "The hash result of the full identifier of the tunnel. Precise
           definition to be completed."
       ::= { tunnelBySelectorsEntry 1 }

   tunnelBySelectorsIndex OBJECT-TYPE
       SYNTAX     Unsigned32 (1..16777215)
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
           "A unique value, greater than zero, for each tunnel in the
           table where the hash results of the tunnel identifiers
           collide. It is recommended that values are assigned
           contiguously starting from 1."
       ::= { tunnelBySelectorsEntry 2 }

   tunnelBySelectorsId OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The identifier of the tunnel.

           The value of this object is the index of the selector
           ('selectorIndex') row ('SelectorEntry') from the
           'selectorTable' that identifies this tunnel."
       ::= { tunnelBySelectorsEntry 3 }

   tunnelBySelectorsType  OBJECT-TYPE
       SYNTAX     IpsecChanOrTunType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The type assigned to the tunnel for which this row refers."
       ::= { tunnelBySelectorsEntry 4 }

   tunnelBySelectorsRef   OBJECT-TYPE
       SYNTAX     OBJECT IDENTIFIER
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
           "The object identifier of 'tunnelIndex' in the row
           ('tunnelEntry') of the 'tunnelTable' to which this row
           refers."
       ::= { tunnelBySelectorsEntry 5 }



   --
   -- trap parameters, traps and control
   --

   channelTrapLocalEndpoint OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS accessible-for-notify
       STATUS     current
       DESCRIPTION
           "The index to an endpoint that is the local endpoint of a
           channel in a trap."
       ::= { channelTrapObjects 1 }

   channelTrapRemoteEndpoint OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS accessible-for-notify
       STATUS     current
       DESCRIPTION
           "The index to an endpoint that is the remote endpoint of a
           channel in a trap."
       ::= { channelTrapObjects 2 }

   tunnelTrapIdentifier OBJECT-TYPE
       SYNTAX     Unsigned32
       MAX-ACCESS accessible-for-notify
       STATUS     current
       DESCRIPTION
           "The index to a selector that is the identifier of a tunnel
           in a trap."
       ::= { tunnelTrapObjects 1 }


   channelUpTrapEnable OBJECT-TYPE
       SYNTAX     TruthValue
       MAX-ACCESS read-write
       STATUS     current
       DESCRIPTION
           "Indicates whether channelUp traps should be generated."
       DEFVAL { false }
       ::= { channelTrapControl 1 }

   channelDownTrapEnable OBJECT-TYPE
       SYNTAX     TruthValue
       MAX-ACCESS read-write
       STATUS     current
       DESCRIPTION
           "Indicates whether channelDown traps should be generated."
       DEFVAL { false }
       ::= { channelTrapControl 2 }

   channelUp NOTIFICATION-TYPE
       OBJECTS
       {
           channelTrapLocalEndpoint,
           channelTrapRemoteEndpoint
       }
       STATUS current
       DESCRIPTION
           "The specified channel is now up. (In other words, the number
           of current IKE SAs supporting the channel has changed from
           zero to a non-zero value.)"
       ::= { channelTraps 1 }

   channelDown NOTIFICATION-TYPE
       OBJECTS
       {
           channelTrapLocalEndpoint,
           channelTrapRemoteEndpoint
       }
       STATUS current
       DESCRIPTION
           "The specified channel is now down. (In other words, the
           number of current IKE SAs supporting the channel has changed
           to zero from a non-zero value.)"
       ::= { channelTraps 2 }

   tunnelUpTrapEnable OBJECT-TYPE
       SYNTAX     TruthValue
       MAX-ACCESS read-write
       STATUS     current
       DESCRIPTION
           "Indicates whether tunnelUp traps should be generated."
       DEFVAL { false }
       ::= { tunnelTrapControl 1 }

   tunnelDownTrapEnable OBJECT-TYPE
       SYNTAX     TruthValue
       MAX-ACCESS read-write
       STATUS     current
       DESCRIPTION
           "Indicates whether tunnelDown traps should be generated."
       DEFVAL { false }
       ::= { tunnelTrapControl 2 }

   tunnelUp NOTIFICATION-TYPE
       OBJECTS
       {
           tunnelTrapIdentifier
       }
       STATUS current
       DESCRIPTION
           "The specified tunnel is now up. (In other words, the number
           of current phase 2 SA suites supporting the tunnel has
           changed from zero to a non-zero value.)"
       ::= { tunnelTraps 1 }

   tunnelDown NOTIFICATION-TYPE
       OBJECTS
       {
           tunnelTrapIdentifier
       }
       STATUS current
       DESCRIPTION
           "The specified tunnel is now down. (In other words, the
           number of current phase 2 SA suites supporting the tunnel has
           changed to zero from a non-zero value.)"
       ::= { tunnelTraps 2 }


   END
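
   As an added example (not code from the draft), the following Python
   model tracks the ipsecTunnelTable counters, derives the per-type
   ipsecTunAggEntry values and emits tunnelUp/tunnelDown notifications
   exactly as the DESCRIPTION clauses above define the 0 -> non-zero and
   non-zero -> 0 transitions, then checks the stated invariant that
   current + deleted equals total. TunnelMonitor, run_scenario and the
   event sequence are assumptions constructed for this example.

```python
"""Added example (not the draft's code): an in-memory model of ipsecTunnelTable,
ipsecTunAggTable and the tunnelUp/tunnelDown traps defined above, checking the
counter invariants the DESCRIPTION clauses state. All names are constructed."""
from dataclasses import dataclass, field
from typing import Optional

C32, C64 = 1 << 32, 1 << 64  # Counter32 / Counter64 wrap to zero
TRAFFIC = {"inbound_octets": C64, "outbound_octets": C64, "inbound_packets": C64,
           "outbound_packets": C64, "send_errors": C32, "receive_errors": C32}


@dataclass
class TunnelRow:
    """One ipsecTunnelEntry, indexed by (ipsecTunnelType, ipsecTunnelId)."""
    tunnel_type: int
    tunnel_id: int                    # selectorIndex that identifies the tunnel
    current_sa_suites: int = 0        # Gauge32, active phase 2 SA suites
    total_sa_suites: int = 0          # Counter32, created since boot
    deleted_sa_suites: int = 0        # Counter32, deleted since boot
    up_since: Optional[int] = None    # last 0 -> non-zero transition
    down_since: Optional[int] = None  # last non-zero -> 0 transition
    traffic: dict = field(default_factory=lambda: dict.fromkeys(TRAFFIC, 0))


class TunnelMonitor:
    def __init__(self, tunnel_up_trap_enable=False, tunnel_down_trap_enable=False):
        self.trap_enable = {"tunnelUp": tunnel_up_trap_enable,    # DEFVAL false
                            "tunnelDown": tunnel_down_trap_enable}
        self.rows = {}                 # (type, id) -> TunnelRow
        self.agg_total_tunnels = {}    # ipsecTunAggTotalTunnels per type
        self.agg_deleted_tunnels = {}  # ipsecTunAggDeletedTunnels per type
        self.traps = []                # (notification, tunnelTrapIdentifier)

    def suite_established(self, tunnel_type, tunnel_id, now):
        """A phase 2 SA suite for the tunnel finished negotiating at `now`."""
        key = (tunnel_type, tunnel_id)
        row = self.rows.get(key)
        if row is None:  # the first suite creates the tunnel row itself
            row = self.rows[key] = TunnelRow(tunnel_type, tunnel_id)
            self.agg_total_tunnels[tunnel_type] = (
                self.agg_total_tunnels.get(tunnel_type, 0) + 1) % C32
        row.total_sa_suites = (row.total_sa_suites + 1) % C32
        row.current_sa_suites += 1
        if row.current_sa_suites == 1:  # 0 -> non-zero: the tunnel is up
            row.up_since = now
            if self.trap_enable["tunnelUp"]:  # a disabled trap is dropped
                self.traps.append(("tunnelUp", tunnel_id))

    def suite_deleted(self, tunnel_type, tunnel_id, now):
        row = self.rows[(tunnel_type, tunnel_id)]
        row.current_sa_suites -= 1
        row.deleted_sa_suites = (row.deleted_sa_suites + 1) % C32
        if row.current_sa_suites == 0:  # non-zero -> 0: the tunnel is down
            row.down_since = now
            if self.trap_enable["tunnelDown"]:
                self.traps.append(("tunnelDown", tunnel_id))

    def tunnel_removed(self, tunnel_type, tunnel_id):
        """The entity drops a tunnel row (when it does is implementation dependent)."""
        del self.rows[(tunnel_type, tunnel_id)]
        self.agg_deleted_tunnels[tunnel_type] = (
            self.agg_deleted_tunnels.get(tunnel_type, 0) + 1) % C32

    def account(self, tunnel_type, tunnel_id, **deltas):
        """Folds per-suite counters (suiteInUserOctets, ...) into the tunnel row."""
        t = self.rows[(tunnel_type, tunnel_id)].traffic
        for name, delta in deltas.items():
            t[name] = (t[name] + delta) % TRAFFIC[name]

    def time_up_seconds(self, tunnel_type, tunnel_id, now):
        up_since = self.rows[(tunnel_type, tunnel_id)].up_since  # 0 if never up
        return 0 if up_since is None else now - up_since

    def aggregate(self, tunnel_type):
        """The ipsecTunAggEntry for a type, derived from its tunnel rows."""
        rows = [r for r in self.rows.values() if r.tunnel_type == tunnel_type]
        agg = {"current_tunnels": len(rows),
               "total_tunnels": self.agg_total_tunnels.get(tunnel_type, 0),
               "deleted_tunnels": self.agg_deleted_tunnels.get(tunnel_type, 0)}
        for name, mod in TRAFFIC.items():
            agg[name] = sum(r.traffic[name] for r in rows) % mod
        return agg

    def check_invariants(self):
        """current + deleted == total (mod 2^32), per tunnel and per tunnel type."""
        rows_ok = all((r.current_sa_suites + r.deleted_sa_suites) % C32
                      == r.total_sa_suites for r in self.rows.values())
        return rows_ok and all((a["current_tunnels"] + a["deleted_tunnels"]) % C32
                               == a["total_tunnels"]
                               for a in map(self.aggregate, self.agg_total_tunnels))


def run_scenario():
    """Constructed events: a rekey keeps the tunnel up, the last delete drops it."""
    m = TunnelMonitor(tunnel_up_trap_enable=True, tunnel_down_trap_enable=True)
    m.suite_established(1, 7, now=100)  # first suite: tunnelUp for selector 7
    m.suite_established(1, 7, now=150)  # rekey adds a second suite, no trap
    m.account(1, 7, inbound_octets=1500, inbound_packets=10)
    m.suite_deleted(1, 7, now=200)      # old suite expires, tunnel still up
    m.suite_deleted(1, 7, now=400)      # last suite gone: tunnelDown
    m.suite_established(2, 9, now=50)   # a tunnel of a second type
    return m
```

   A manager that polls the tables can run the same check_invariants()
   comparison against live values; a row where the sum does not hold
   points at a miscounting agent rather than at the tunnel.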


5. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IPsec virtual tunnels. There are no objects with
   MAX-ACCESS clauses of read-write or read-create, other than trap
   control objects.

   While unauthorized access to the readable objects is relatively
   innocuous, unauthorized access to those objects through an insecure
   channel can provide attackers with more information about a system
   than an administrator may desire.

   Of particular concern is the ability to disable the transmission of
   traps. The traps defined in this MIB may appear due to badly
   configured systems and transient error conditions, but they may also
   appear due to attacks. If an attacker can disable these traps, they
   reduce some of the warnings that may be provided to system
   administrators.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending them
   over the network via SNMP. Not all versions of SNMP provide features
   for such a secure environment.

   SNMPv1 by itself is not a secure environment. Even if the network
   itself is secure (for example, by using IPsec), there is no control
   over who on the secure network is allowed to access and GET/SET
   (read/change/create/delete) the objects in this MIB.

   It is recommended that the implementers consider the security
   features as provided by the SNMPv3 framework. Specifically, the use
   of the User-based Security Model RFC 2574 [RFC2574] and the View-
   based Access Control Model RFC 2575 [RFC2575] is recommended.

   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.


6. Acknowledgements

   This document is based on an earlier series of MIB documents titled
   <draft-ietf-ipsec-mib-xx.txt>. Contributors to that series
   effectively contributed to this document.


7. References

   [ADDRMIB] Daniele, M., Haberman, B., Routhier, S., Schoenwaelder, J.,
           "Textual Conventions for Internet Network Addresses",
           RFC 2851, June, 2000

   [IDIMIB] Jenkins, T., Shriver, J., "ISAKMP DOI-Independent Monitoring
            MIB", draft-ietf-ipsec-isakmp-di-mon-mib-04.txt, October 3,
            2001, work in progress

   [IKE]    Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
            RFC 2409, November 1998

   [IKEMIB] Jenkins, T., Shriver, J., "IKE Monitoring MIB", draft-ietf-
            ipsec-ike-mon-mib-03.txt, October 3, 2001, work in progress

   [IMMIB] Jenkins, T., Shriver, J., "IPsec Monitoring MIB", draft-ietf-
           ipsec-monitor-mib-05.txt, October 3, 2001, work in progress

   [IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP
            Payload Compression Protocol (IPcomp)", RFC 3173, September
            2001

   [IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
           for ISAKMP", RFC 2407, November 1998

   [IPSECTC] Shriver, J., "IPsec DOI Textual Conventions MIB", draft-
           ietf-ipsec-doi-tc-mib-05.txt, October 3, 2001, work in
           progress

   [ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
            "Internet Security Association and Key Management Protocol
            (ISAKMP)", RFC 2408, November 1998

   [OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412,
            November 1998

   [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An
           Architecture for Describing SNMP Management Frameworks",
           RFC 2571, April 1999

   [RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
           of Management Information for TCP/IP-based Internets",
           STD 16, RFC 1155, May 1990

   [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions",
           STD 16, RFC 1212, March 1991

   [RFC1215] M. Rose, "A Convention for Defining Traps for use with the
           SNMP", RFC 1215, March 1991

   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
           Rose, M., and S. Waldbusser, "Structure of Management
           Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
           Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2",
           STD 58, RFC 2579, April 1999

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
           Rose, M., and S. Waldbusser, "Conformance Statements for
           SMIv2", STD 58, RFC 2580, April 1999

   [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
           Network Management Protocol", STD 15, RFC 1157, May 1990.

   [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
           "Introduction to Community-based SNMPv2", RFC 1901, January
           1996.

   [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
           "Transport Mappings for Version 2 of the Simple Network
           Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [RFC2572] Case, J., Harrington D., Presuhn R., and B. Wijnen,
           "Message Processing and Dispatching for the Simple Network
           Management Protocol (SNMP)", RFC 2572, April 1999

   [RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
           (USM) for version 3 of the Simple Network Management Protocol
           (SNMPv3)", RFC 2574, April 1999

   [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
           "Protocol Operations for Version 2 of the Simple Network
           Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
           RFC 2573, April 1999

   [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
           Access Control Model (VACM) for the Simple Network Management
           Protocol (SNMP)", RFC 2575, April 1999

   [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
           "Introduction to Version 3 of the Internet-standard Network
           Management Framework", RFC 2570, April 1999

   [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
           Internet Protocol", RFC 2401, November 1998


8. Revision History

   This section will be removed before publication.

   October 4, 2001      Initial release.
                         No IANA number.
                         No groups or compliance statements.
                         Hash definitions for tunnel IDs not done.

Author's Address

     Tim Jenkins
     Catena Networks
     307 Legget Drive
     Kanata, ON
     Canada
     K2K 3C8
     +1 (613) 599-6430
     tjenkins@catena.com



   The IPsec working group can be contacted via the IPsec working
   group's mailing list (ipsec@lists.tislabs.com) or through its chair:

     Theodore Y. Ts'o
     tytso@MIT.EDU
     Massachusetts Institute of Technology

     Barbara Fraser
     byfraser@cisco.com
     Cisco Systems, Inc.

   This document expires April 5, 2001.