Internet Engineering Task Force Tim Jenkins
IP Security Working Group Catena Networks
Internet Draft October 5, 2001
IPsec Tunnel Monitoring MIB
<draft-jenkins-ipsec-tun-mon-mib-00.txt>
Status of this Memo
Informational
This document provides information for the Internet community. This
document does not specify an Internet standard of any kind, nor is it
intended to specify an Internet standard. Future considerations
related to Internet standards are the opinions of the author, and not
the IPsec working group.
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) Tim Jenkins (2001)
Jenkins Expires April 5, 2001 [Page 1]
Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001
Table of Contents
1. Introduction..................................................2
2. The SNMP Management Framework.................................3
2.1 Object Definitions..........................................4
3. IPsec MIB Objects Architecture................................4
3.1 Control Channels............................................4
3.2 IPsec Virtual Tunnels.......................................5
3.3 Tunnel MIB and Interface MIB Consideration..................6
3.4 Channel and Tunnel Types....................................7
3.5 MIB Tables..................................................7
3.5.1 Control Channel Table.....................................8
3.5.2 IKE SA Table.............................................10
3.5.3 Tunnel Table.............................................10
3.5.4 SA Suite Table...........................................10
3.6 IPsec MIB Traps............................................11
3.7 IPsec Entity Level Objects.................................11
4. MIB Definitions..............................................12
5. Security Considerations......................................48
6. Acknowledgements.............................................49
7. References...................................................49
8. Revision History.............................................51
1. Introduction
This document defines monitoring and status MIBs for specific
applications of IPsec's security associations (SAs). The specific
applications are for the purposes of virtual private networking (VPN)
and secure remote access (SRA) applications. The MIB allows system
administrators to determine operating conditions and perform system
operational level monitoring of the VPN and SRA part of the network.
Statistics and traps are provided as well.
It builds upon the lower level IPsec MIBs that monitor specific phase
1 (IKE) and phase 2 (IPsec) SAs.
It does not define MIBs that may be used for configuring IPsec
implementations or for examination of configuration. It does not
provide low-level diagnostic or debugging information. Further, it
does not provide policy information.
The IPsec tunnel MIB definitions use a virtual tunnel model for phase
2 SAs, and a virtual channel model for phase 1 SAs. The virtual
tunnel model is used to allow the use of IPsec from a virtual private
networking (VPN) point of view. This allows users of IPsec based
products to get similar monitoring and statistical information from
an IPsec based VPN as they would from a VPN based on other
technologies, such as Frame Relay. The virtual channel model is used
to model the logical control channel that exists due to the presence
of (actual or potential) phase 1 SAs.
Finally, it is intended to illustrate how high level MIBs can be
built on top of the IPsec MIBs ([IPSECTC], [IDIMIB], [IKEMIB],
[IMMIB]).
2. The SNMP Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2571 [RFC2571].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in STD 16,
RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215
[RFC1215]. The second version, called SMIv2, is described in STD 58,
RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580 [RFC2580].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in STD 15, RFC 1157 [RFC1157]. A second version of the SNMP
message protocol, which is not an Internet standards track protocol,
is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906
[RFC1906]. The third version of the message protocol is called SNMPv3
and described in RFC 1906 [RFC1906], RFC 2572 [RFC2572] and RFC 2574
[RFC2574].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in STD 15, RFC 1157 [RFC1157]. A second set of protocol
operations and associated PDU formats is described in RFC 1905
[RFC1905].
o A set of fundamental applications described in RFC 2573 [RFC2573]
and the view-based access control mechanism described in RFC 2575
[RFC2575].
A more detailed introduction to the current SNMP Management Framework
can be found in RFC 2570 [RFC2570].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine-readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine-
readable information is not considered to change the semantics of the
MIB.
2.1 Object Definitions
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the subset of Abstract Syntax Notation One (ASN.1)
defined in the SMI. In particular, each object type is named by an
OBJECT IDENTIFIER, an administratively assigned name. The object type
together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience, we often
use a textual string, termed the descriptor, to refer to the object
type.
3. IPsec MIB Objects Architecture
This MIB consists of two separate groups of objects. The two groups
are the tunnel group and the channel group. Channels and tunnels are
defined below.
Within the tunnel group, there is a tunnel table, a table to get to
the suites in the tunnel, a set of aggregate statistics on the
tunnels, and tunnel related traps.
The channel group is similar in that there is a channel table, a
table to get to the IKE SAs in the channel, a set of aggregate
statistics on the channels, and channel related traps.
3.1 Control Channels
The primary use of phase 1 SAs is to allow host implementations to
exchange keying material for phase 2 negotiations and to perform
IPsec SA management. Since the host implementation, at a high level,
does not necessarily care which particular phase 1 SA it uses to
perform these functions, the concept of an IKE control channel is
introduced as a logical entity. The control channel is the virtual
control channel created by the existence of phase 1 SAs established
or that may be established between two peers. This will often be
abbreviated to channel in this document.
The need for this abstraction is also in part due to the ability of
IPsec SA suites to exist beyond the expiration of the IKE SA that
created them. Further, since there is no requirement that an IKE
phase 1 SA exist continuously between peers that have IPsec SAs
between them, it is possible that the channel may have no valid IKE
SAs supporting it. In these cases, it is assumed that an IKE SA could
be created on demand.
Control channels appear in their own table, and each row describes a
single control channel.
The IDs at each end uniquely identify the IKE control channel, since
it is a logical peer to peer communications channel. It contains
information common to all phase 1 SAs that are part of it, and
aggregate statistics for the same phase 1 SAs. Additionally, it
contains aggregate statistics for all phase 2 SAs created by it.
3.2 IPsec Virtual Tunnels
IPsec tunnels are created by the existence of SA suites (as defined
by the IKE Monitoring MIB [IKEMIB]). The tunnel concept comes from
the effect of services on packets that are handled by SA suites. As a
packet encounters an IPsec implementation, either in a security
gateway or as a layer in a protocol stack, a policy decision causes
the packet to be handed to an SA suite for processing.
The SA suite then performs a service (including possibly compression)
on the packet, then adds at least one new header and ultimately sends
the packet into the normal IP stream for routing. (The only time no
header is added is when the only service provided by the SA suite is
compression, it is a transport mode SA suite, and the packet is not
compressible. It is arguable that this particular case is outside
IPsec!)
When the secured (and possibly compressed) packet arrives at its
destination, the peer IPsec implementation removes the added header
or headers and reverse processes the packet. Another policy lookup is
then done to make sure the sending peer appropriately handled the
packet.
Since the original packet is conceptually "hidden" between the two
IPsec implementations, it can be considered tunneled. To help
conceptually, if ESP could be negotiated with no encryption and no
authentication, it would provide services very similar to IP-in-IP.
The specific SA suite chosen by the policy lookup is based on what
are called the selectors. The selectors are the packet's source IP
address, its destination IP address, its layer 4 protocol and its
layer 4 protocol source and destination port numbers. (Additional
selectors are also possible.) The policy system uses this information
to assign the packet to an SA suite for handling.
Since it is irrelevant to the packet which specific SA suite provided
the services, and since all SA suites with the same selectors normally
provide the same service, the existence of any and all SA suites
assigned to those selectors effectively creates a tunnel for the
packets.
In other words, the selectors used to assign the security services to
the packet identify the tunnel created by the SA suites. The
selectors are explained in detail in [SECARCH].
3.3 Tunnel MIB and Interface MIB Consideration
It should be noted that the MIBs here are not extensions of the
Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach
was rejected for a number of reasons, including:
o The types of parameters required for those MIBs are not
appropriate for IPsec MIBs.
The parameters required for IPsec tunnels are related to security
services and statistics associated with handling those services.
There are no parameters of that kind in the Tunnel MIB.
o The virtual tunnels created by IPsec SAs may be independent of
other logical interfaces; this is an implementation issue.
The IPsec layer may be placed in a number of locations on the host
implementation. These locations may be above the IP layer, within the
IP layer, or just below it. Therefore, the mapping of the IPsec
virtual tunnels to tunnels described by the tunnel MIB is
implementation dependent.
o The tunnel end point definitions are not the same as those used by
the tunnel MIB.
The Tunnel MIB uniquely defines tunnels by a simple source and
destination IP address pair. This is only a specific subset of the
identifiers needed for IPsec virtual tunnels.
Note that implementations may still augment the tables in this MIB to
link them to tables in other MIBs if they so desire.
3.4 Channel and Tunnel Types
Implementations may need to configure certain channels and tunnels
with sets of characteristics. While the sets of characteristics are
implementation dependent, this MIB provides the ability to assign an
arbitrary type to the channels and tunnels. Each type will have an
implementation dependent set of characteristics. However, the MIB
will be able to use this type value to allow the monitoring of the
channel and tunnel types as individual groups.
How the implementation assigns the types is outside the scope of this
monitoring MIB.
An example of this might be to assign a value of one to the type
object for permanent channels, a value of two for transient entries
and a value of three for management channels. This causes permanent
channels to appear together in the table, and before the transient
entries. Finally, management channels would then appear as a group at
the end of the table.
It also allows statistics to be collected per type.
3.5 MIB Tables
The MIB uses four tables that are linked as shown in Figure 3-1.
The control channel table has an augmenting table that provides links
to the specific IKE SAs that are used to support it.
The tunnel table depends on the selector table from the IPsec
monitoring MIB. There is also an augmenting table that provides links
to the SA suites that are used to support it. The tunnel table itself
indirectly links to the channel table by providing pointers to the
endpoints used to create it.
dependent +---------------------+
+------------------+ expansion | |
| channel table |---------->| IKE SA table |
+------------------+ | |
/ \ +---------------------+
| |
| -uses endpoint table from IKE MIB |
| |
| |
| dependent +----------------+ |
+--------------+ expansion | | |
| tunnel table |---------->| SA suite table | |
+--------------+ | | |
^ +----------------+ |
| dependent | |
- - - - - - - - | - - - - - - - - - - | - - - - - | - - -
| \ / |
Other Monitoring | +---------------+ |
MIB Tables | | suite table | |
| +---------------+ |
+----------+ \ /
| selector | +----------------+
| table | | IKE SA table |
+----------+ +----------------+
Figure 3-1 IPsec Tunnel Monitoring MIB Tables
A different diagram that is intended to show the tunnels that exist
between two IPsec gateways is shown in Figure 3-2. Two host groups
each are shown behind the IPsec gateways. Shown are the IKE control
channel between the gateways and four possible IPsec virtual tunnels.
The control channel has two active phase 1 SAs. Of the four possible
virtual tunnels, one is shown with two IPsec SAs in it. One of these
SAs may be just about to expire, while the other may have been
created in anticipation of the expiration of the first. These SAs are
the SAs that provide the service, supporting the existence of the
tunnel.
Two tables not shown in the figures are the optional tables that hold
aggregate statistics based on the implementation dependent channel
and tunnel type.
+----------------------------+
| IKE (control channel) |
| +---------------------+ |
| | IKE SA 1 | |
| +---------------------+ |
| +---------------------+ |
| | IKE SA 2 | |
| +---------------------+ |
+----------------------------+
^ ^
| | <- aggregate tunnel statistics
| |
H11 -| +----+ | | +----+ |- H21
| | | | | |
|----| G1 |-------------------------| G2 |------|
| | | | | |
H12 -| +----+ | | +----+ |- H22
| |
| |
+-----------------------------------------+
| H11 to H21 (data tunnel) | <- aggregate
| +-------------------------------------+ | SS statistics
| | IPsec SS with H11 and H21 selectors | | for H11-H21
| +-------------------------------------+ |
| +-------------------------------------+ |
| | IPsec SS with H11 and H21 selectors | |
| +-------------------------------------+ |
+-----------------------------------------+
| |
+-----------------------------------------+
| H11 to H22 (data tunnel) | <- aggregate
+-----------------------------------------+ SS statistics
| | for H11-H22
+-----------------------------------------+
| H12 to H21 (data tunnel) | <- aggregate
+-----------------------------------------+ SS statistics
| | for H12-H21
+-----------------------------------------+
| H12 to H22 (data tunnel) | <- aggregate
+-----------------------------------------+ SS statistics
| | for H12-H22
+--+
SS - SA Suite
Figure 3-2 Illustration of IPsec Tunnels
3.5.1 Control Channel Table
Each row in the control channel table corresponds to a logical
control channel. Rows in this table do not have to have any real IKE
SAs in order for them to appear in the table.
There are two reasons for this. The first is that there is no
requirement that IKE SAs continually exist between peers that are
using IPsec. The second is that implementations may want to designate
some channels between peers as permanent (as opposed to transient),
and want them to appear in the table even if no SAs exist or have
existed.
Rows in the table are effectively indexed by the endpoints of the
peers. In addition, an integer is added as a prefix to the index and
is the arbitrary type described earlier.
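How the index described above (the type prefix of section 3.4 followed by the two endpoint indices) becomes instance OIDs and walk order, as an added Python example that is not part of the draft. It assumes the registration chain given in section 4 (experimental 1010, which the draft itself marks as a placeholder value) and the column numbers of the ipsecChannelEntry objects defined there; `instance_oid`, `parse_index`, `get_next` and the sample rows are this example's own.

```python
"""Instance OIDs and GetNext order for ipsecChannelTable (sections 3.4, 3.5.1).

Added example, not part of the draft.  It builds the OID of one cell from
the INDEX clause (ipsecChannelType, ipsecChannelLocalEndpoint,
ipsecChannelRemoteEndpoint, one sub-identifier each), recovers the index
from such an OID, and answers GetNext as an agent must: in lexicographic
order, column by column, skipping the not-accessible index columns.  Since
the type is the first index component, rows of one type come out together.
"""

# section 4: ipsecTunMonModule = { experimental 1010 } (a placeholder), then
# ipsecTunnelMonitorMIB(1).channelObjects(1).channelTables(1)
# .ipsecChannelTable(1).ipsecChannelEntry(1)
EXPERIMENTAL = (1, 3, 6, 1, 3)
IPSEC_CHANNEL_ENTRY = EXPERIMENTAL + (1010, 1, 1, 1, 1, 1)

# column numbers from the ipsecChannelEntry OBJECT-TYPE definitions
COLUMNS = {
    "ipsecChannelType": 1,
    "ipsecChannelLocalEndpoint": 2,
    "ipsecChannelRemoteEndpoint": 3,
    "ipsecChannelCurrentSAs": 4,
    "ipsecChannelTotalSAs": 5,
    "ipsecChannelDeletedSAs": 6,
}
# the index columns are MAX-ACCESS not-accessible and never returned by a walk
NOT_ACCESSIBLE = {"ipsecChannelType", "ipsecChannelLocalEndpoint",
                  "ipsecChannelRemoteEndpoint"}


def instance_oid(column, chan_type, local_ep, remote_ep):
    """OID of one cell: entry prefix, column number, then the INDEX values."""
    for v in (chan_type, local_ep, remote_ep):
        if not 0 <= v <= 0xFFFFFFFF:
            raise ValueError("index value outside Unsigned32 range")
    return IPSEC_CHANNEL_ENTRY + (COLUMNS[column], chan_type, local_ep, remote_ep)


def oid_str(oid):
    """Dotted form, as snmpwalk prints it."""
    return "." + ".".join(str(x) for x in oid)


def parse_index(oid, column):
    """Recover (type, local, remote) from an instance OID of `column`,
    rejecting anything that is not exactly one instance of that column."""
    prefix = IPSEC_CHANNEL_ENTRY + (COLUMNS[column],)
    oid = tuple(oid)
    if oid[:len(prefix)] != prefix or len(oid) != len(prefix) + 3:
        raise ValueError("not an instance of " + column)
    return oid[len(prefix):]


def get_next(oid, rows):
    """Answer GetNext for the table: the smallest accessible instance OID
    strictly greater than `oid`, or None at end of table.  `rows` holds the
    (type, local, remote) index tuples of the rows that exist."""
    instances = sorted(
        instance_oid(col, *idx)
        for col in COLUMNS if col not in NOT_ACCESSIBLE
        for idx in rows
    )
    oid = tuple(oid)
    for inst in instances:
        if inst > oid:
            return inst
    return None


if __name__ == "__main__":
    # constructed rows: two permanent(1), one transient(2), one management(3)
    rows = [(2, 3, 9), (1, 7, 12), (3, 1, 1), (1, 2, 40)]
    oid = get_next(IPSEC_CHANNEL_ENTRY, rows)
    while oid is not None:
        print(oid_str(oid))
        oid = get_next(oid, rows)
```

The walk visits every row of ipsecChannelCurrentSAs before the first row of ipsecChannelTotalSAs, and within each column the permanent(1) rows precede the transient(2) and management(3) rows, which is the grouping section 3.4 describes.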
3.5.2 IKE SA Table
This table's purpose is to allow administrators to get to the specific
IKE SAs that make up a channel. It augments the control channel
table by using the same indices and adding an arbitrary integer for
each of its own rows.
Each row contains the identifier of the specific IKE SA used. The
identifier comes from the IKE monitoring MIB's IKE SA table, and
specifies the index of the specific row required.
Note that rows in this table do not exist for channels that have no
active IKE SAs.
3.5.3 Tunnel Table
Each row in the tunnel table corresponds to a logical tunnel between
entities. Rows in this table do not have to have any real phase 2 SA
suites in order for them to appear in the table. However, since
selectors identify tunnels in this MIB, a selector that is the tunnel
identifier must exist in the selector table of the IPsec Monitoring
MIB.
As with channels, implementations may want to designate some tunnels
between peers as permanent (as opposed to transient), and want them
to appear in the table even if no SA suites exist or have existed.
The SA suite selectors uniquely identify tunnels. However, since this
may require considerable sorting overhead on agent implementations,
and would make the number of indices large (with large sub-identifiers
as well), an arbitrary integer is used along with the
tunnel type to perform tunnel indexing.
A helper table is provided to search tunnels by selectors.
3.5.4 SA Suite Table
This table's purpose is to allow administrators to get to the specific
phase 2 SA suites that make up a tunnel. It augments the tunnel
table by using the same indices and adding an arbitrary integer for
each of its own rows.
Each row contains the object identifier of the specific phase 2 SA
suite used. The object identifier comes from the IKE monitoring MIB's
suite table, and specifies the row of that table.
Note that rows in this table do not exist for tunnels that have no
active SA suites.
3.6 IPsec MIB Traps
Traps are provided to let system administrators know about the
existence of tunnel and channel related events occurring in the
entity.
Traps are provided only for channel up, channel down, tunnel up and
tunnel down events. Negotiation failures are assumed to be covered by
a lower level MIB.
Traps may be disabled on a global basis for channels and tunnels
independently.
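The channel and tunnel model of sections 3.1 through 3.6, worked through in Python as an added example; this code is not part of the draft and does not come from any of the referenced MIBs. It assumes a local `TunnelMonitor` class, constructed endpoint indices, SA identifiers and a selector set for H11 to H21, and represents traps as an in-memory list. What it shows that the prose alone does not is that a rekey (two SA suites overlapping in one tunnel, as in Figure 3-2) and a second phase 1 SA change the counters but produce no trap, and that a row survives with zero SAs.

```python
"""Toy model of the channel and tunnel tables of sections 3.1 to 3.6.

Added example, not part of the draft.  Constructed IKE SA and SA suite
events feed an aggregator that keeps one channel row per (type, local
endpoint, remote endpoint) and one tunnel row per (type, index) found
through a selector helper table, maintains the current/total/deleted
counters, and raises up/down traps on the 0 -> >0 and >0 -> 0 transitions.
"""
from dataclasses import dataclass, field
from typing import NamedTuple


class Selector(NamedTuple):
    """Phase 2 selectors (section 3.2); 0 is used here to mean 'any'."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class Row:
    """A channel or tunnel row: the SAs currently supporting it plus the
    counters whose invariant is current + deleted == total."""
    members: set = field(default_factory=set)
    total: int = 0
    deleted: int = 0

    @property
    def current(self):
        return len(self.members)


class TunnelMonitor:
    def __init__(self, channel_traps=True, tunnel_traps=True):
        self.channels = {}            # (type, local_ep, remote_ep) -> Row
        self.tunnels = {}             # (type, tunnel_index) -> Row
        self.tunnel_by_selector = {}  # helper table (3.5.3): Selector -> tunnel key
        self._next_tunnel_index = 1
        self.trap_enabled = {"channel": channel_traps, "tunnel": tunnel_traps}
        self.traps = []               # (trapName, row index) in the order raised

    def _add(self, table, rows, key, member):
        row = rows.setdefault(key, Row())   # the row may pre-exist with no SAs
        was_up = row.current > 0
        row.members.add(member)
        row.total += 1
        if not was_up and self.trap_enabled[table]:
            self.traps.append((table + "Up", key))

    def _remove(self, table, rows, key, member):
        row = rows[key]
        row.members.remove(member)
        row.deleted += 1
        # the row itself stays: a channel or tunnel without SAs is still a row
        if row.current == 0 and self.trap_enabled[table]:
            self.traps.append((table + "Down", key))

    # control channels (3.1, 3.5.1): indexed by type and endpoint pair
    def ike_sa_created(self, chan_type, local_ep, remote_ep, sa_id):
        self._add("channel", self.channels, (chan_type, local_ep, remote_ep), sa_id)

    def ike_sa_deleted(self, chan_type, local_ep, remote_ep, sa_id):
        self._remove("channel", self.channels, (chan_type, local_ep, remote_ep), sa_id)

    # tunnels (3.2, 3.5.3): identified by selectors, indexed by an integer
    def tunnel_key(self, selector, tun_type=1):
        """Find the tunnel for a selector set, allocating the arbitrary
        integer index the draft uses instead of indexing by selectors."""
        key = self.tunnel_by_selector.get(selector)
        if key is None:
            key = (tun_type, self._next_tunnel_index)
            self._next_tunnel_index += 1
            self.tunnel_by_selector[selector] = key
        return key

    def suite_created(self, selector, suite_id, tun_type=1):
        self._add("tunnel", self.tunnels, self.tunnel_key(selector, tun_type), suite_id)

    def suite_deleted(self, selector, suite_id):
        self._remove("tunnel", self.tunnels, self.tunnel_by_selector[selector], suite_id)


def demo():
    """Replays Figure 3-2 with constructed identifiers: two IKE SAs in one
    channel, a tunnel whose two SA suites overlap during a rekey, the old
    suite expiring, then both IKE SAs going away."""
    m = TunnelMonitor()
    h11_h21 = Selector("10.1.0.11", "10.2.0.21", 0, 0, 0)
    m.ike_sa_created(1, 7, 12, "ike-sa-1")   # permanent(1), endpoint rows 7 and 12
    m.ike_sa_created(1, 7, 12, "ike-sa-2")   # second phase 1 SA: no new trap
    m.suite_created(h11_h21, "suite-a")
    m.suite_created(h11_h21, "suite-b")      # rekey: same tunnel row, no trap
    m.suite_deleted(h11_h21, "suite-a")      # old suite expires: tunnel stays up
    m.ike_sa_deleted(1, 7, 12, "ike-sa-1")
    m.ike_sa_deleted(1, 7, 12, "ike-sa-2")   # last IKE SA gone: channelDown
    return m


if __name__ == "__main__":
    for trap in demo().traps:
        print(*trap)
```

Running `demo()` raises three traps in total: channelUp, tunnelUp and channelDown. The rekey and the second IKE SA are invisible at this level, which is the point of the abstraction; a manager that needs to see individual SAs follows the IKE SA table and the SA suite table into the lower level MIBs.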
3.7 IPsec Entity Level Objects
This part of the MIB carries statistics global to the IPsec device.
Statistics included are aggregate numbers of channels and tunnels,
and aggregate errors.
4. MIB Definitions
IPSEC-TUN-MON-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Unsigned32,
Gauge32, OBJECT-IDENTITY, experimental, NOTIFICATION-TYPE
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TruthValue FROM SNMPv2-TC
InetAddressType, InetAddress FROM INET-ADDRESS-MIB
IsakmpCookie FROM ISAKMP-DOI-IND-MON-MIB
;
ipsecTunMonModule MODULE-IDENTITY
LAST-UPDATED "0010041200Z"
ORGANIZATION "IETF IPsec Working Group"
CONTACT-INFO
"Tim Jenkins
Catena Networks
307 Legget Drive
Kanata, ON
Canada
K2K 3C8
+1 (613) 599-6430
tjenkins@catena.com "
DESCRIPTION
"The MIB module to describe logical IPsec channel and tunnel
objects, and entity level objects and events associated with
these objects."
REVISION "0010041200Z"
DESCRIPTION
"Initial revision."
-- ::= { ? }
-- bogus value currently in use
::= { experimental 1010 }
--
-- textual conventions
--
IpsecChanOrTunType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A value indicating an implementation specific type for
channels and tunnels.
The values below are defined as examples only, and are not
intended to imply any specific support or capability."
SYNTAX INTEGER {
unknown(0),
permanent(1),
transient(2),
management(3)
}
--
-- MIB root (trunk?)
--
ipsecTunnelMonitorMIB OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all branches."
::= { ipsecTunMonModule 1 }
-- first level branches
channelObjects OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all channel related
objects."
::= { ipsecTunnelMonitorMIB 1 }
tunnelObjects OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all tunnel related
objects."
::= { ipsecTunnelMonitorMIB 2 }
-- second level branches
channelTables OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
tables for channels."
::= { channelObjects 1 }
channelStats OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
global (non-error) counters for channels."
::= { channelObjects 2 }
channelErrors OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
global error counters for channels."
::= { channelObjects 3 }
channelTraps OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
traps for channels."
::= { channelObjects 4 }
channelTrapObjects OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for objects which are
used as part of traps for channels."
::= { channelObjects 5 }
channelTrapControl OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
trap controls for channel traps."
::= { channelObjects 6 }
channelGroups OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
describe the groups in the channel part of this MIB."
::= { channelObjects 7 }
channelConformance OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
describe the conformance in the channel part of this MIB."
::= { channelObjects 8 }
tunnelTables OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
tables for tunnels."
::= { tunnelObjects 1 }
tunnelStats OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
global (non-error) counters for tunnels."
::= { tunnelObjects 2 }
tunnelErrors OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
global error counters for tunnels."
::= { tunnelObjects 3 }
tunnelTraps OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
traps for tunnels."
::= { tunnelObjects 4 }
tunnelTrapObjects OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for objects which are
used as part of traps for tunnels."
::= { tunnelObjects 5 }
tunnelTrapControl OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which are
trap controls for tunnel traps."
::= { tunnelObjects 6 }
tunnelGroups OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
describe the groups in the tunnel part of this MIB."
::= { tunnelObjects 7 }
tunnelConformance OBJECT-IDENTITY
STATUS current
DESCRIPTION
"This is the base object identifier for all objects which
describe the conformance in the tunnel part of this MIB."
::= { tunnelObjects 8 }
-- the IPsec Channel statistics group
--
-- a collection of objects providing information about channels
-- created using IKE SAs
currentChannels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of channels currently in existence in the
entity.
This is the same as the number of rows in the channel table,
whether there are IKE SAs for each row or not."
::= { channelStats 1 }
totalChannels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of channels created by the entity since
system boot.
Channel creation is defined as the addition of a row to the
channel table, whether an IKE SA was created at the same time
or not."
::= { channelStats 2 }
deletedChannels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of channels deleted by the entity.
Channel deletion is defined as the removal of a row from the
channel table, independent of the existence of the IKE SAs
that may have supported it.
Note that the sum of 'currentChannels' and 'deletedChannels'
is equal to 'totalChannels'."
::= { channelStats 3 }
-- the IPsec Tunnel statistics group
--
-- a collection of objects providing information about tunnels
-- created using IPsec SA suites
currentTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of tunnels currently in existence in the
entity.
This is the same as the number of rows in the tunnel table,
whether there are IPsec SA suites for each row or not."
::= { tunnelStats 1 }
totalTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of tunnels created by the entity since
system boot.
Tunnel creation is defined as the addition of a row to the
tunnel table, whether an IPsec SA was created at the same
time or not."
::= { tunnelStats 2 }
deletedTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of tunnels deleted by the entity.
Tunnel deletion is defined as the removal of a row from the
tunnel table, independent of the existence of the phase 2 SA
suites that may have supported it.
Note that the sum of 'currentTunnels' and 'deletedTunnels'
should equal 'totalTunnels'."
::= { tunnelStats 3 }
-- the IPsec Control Channel MIB-Group
--
-- a collection of objects providing information about
-- IPsec's control channels
ipsecChannelTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecChannelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on control
channels.
The number of rows in this table is, at a minimum, the number of
distinct phase 1 ID pairs among the active IKE SAs, since all IKE
SAs between the same pair of peers belong to one channel.
Additional rows for channels without active phase 1 SAs may also
appear in the table.
The maximum number of rows is implementation dependent."
::= { channelTables 1 }
ipsecChannelEntry OBJECT-TYPE
SYNTAX IpsecChannelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular control channel.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX {
ipsecChannelType,
ipsecChannelLocalEndpoint,
ipsecChannelRemoteEndpoint
}
::= { ipsecChannelTable 1 }
IpsecChannelEntry ::= SEQUENCE {
-- indices
ipsecChannelType IpsecChanOrTunType,
ipsecChannelLocalEndpoint Unsigned32,
ipsecChannelRemoteEndpoint Unsigned32,
-- virtual channel status
ipsecChannelCurrentSAs Gauge32,
ipsecChannelTotalSAs Counter32,
ipsecChannelDeletedSAs Counter32,
ipsecChannelTimeUpSeconds Unsigned32, -- since SAs > 0
ipsecChannelTimeDownSeconds Unsigned32, -- since SAs = 0
-- aggregate statistics (all SAs)
ipsecChannelInboundOctets Counter32,
ipsecChannelOutboundOctets Counter32,
ipsecChannelInboundPackets Counter32,
ipsecChannelOutboundPackets Counter32,
-- aggregate error statistics
ipsecChannelReceiveErrors Counter32,
ipsecChannelSendErrors Counter32,
-- IPsec tunnel (Phase 2) statistics
ipsecChannelCurrentTunnels Gauge32,
ipsecChannelTotalTunnels Counter32,
ipsecChannelDeletedTunnels Counter32,
-- IPsec tunnel (Phase 2) statistics (aggregate)
ipsecChannelTunnelInboundOctets Counter64,
ipsecChannelTunnelOutboundOctets Counter64,
ipsecChannelTunnelInboundPackets Counter64,
ipsecChannelTunnelOutboundPackets Counter64,
-- IPsec SA (Phase 2) error statistics (aggregate)
ipsecChannelTunnelReceiveErrors Counter32,
ipsecChannelTunnelSendErrors Counter32
}
ipsecChannelType OBJECT-TYPE
SYNTAX IpsecChanOrTunType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The type of control channel represented by this row.
This is an implementation dependent value, used to assist in
controlling how channels are sorted."
::= { ipsecChannelEntry 1 }
ipsecChannelLocalEndpoint OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index value of the row of the IKE Monitoring MIB's
endpoint table corresponding to the local endpoint."
::= { ipsecChannelEntry 2 }
ipsecChannelRemoteEndpoint OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index value of the row of the IKE Monitoring MIB's
endpoint table corresponding to the remote endpoint."
::= { ipsecChannelEntry 3 }
ipsecChannelCurrentSAs OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of IKE SAs that are currently active that make up
this channel.
This value may be 0 if the channel has not yet been set up,
or the implementation does not require the existence of IKE
SAs for the channel to exist, or if the channel is considered
a permanent entry in the table by the implementation.
This value should not include SA establishment attempts in
progress."
::= { ipsecChannelEntry 4 }
ipsecChannelTotalSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IKE SAs that are part of this channel
that have been created in the entity since boot time.
This value should not include failed SA establishment
attempts."
::= { ipsecChannelEntry 5 }
ipsecChannelDeletedSAs OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IKE SAs that are part of this channel
that have been deleted in the entity since boot time.
The sum of 'ipsecChannelCurrentSAs' and this value should
equal 'ipsecChannelTotalSAs'."
::= { ipsecChannelEntry 6 }
ipsecChannelTimeUpSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of seconds since there has been at least
one valid IKE SA supporting the channel. In other words, the
number of seconds since the value of 'ipsecChannelCurrentSAs'
changed from 0 to any other value."
::= { ipsecChannelEntry 7 }
ipsecChannelTimeDownSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of seconds since the last valid IKE SA
supporting the channel was deleted. In other words, the
number of seconds since the value of 'ipsecChannelCurrentSAs'
changed to 0 from any other value."
::= { ipsecChannelEntry 8 }
ipsecChannelInboundOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes received by the
channel. This is the sum of 'saInOctets' from the 'saEntry'
of each IKE SA in 'saTable' that is part of this channel."
::= { ipsecChannelEntry 9 }
ipsecChannelOutboundOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes sent by the channel.
This is the sum of 'saOutOctets' from the 'saEntry' of each
IKE SA in 'saTable' that is part of this channel."
::= { ipsecChannelEntry 10 }
ipsecChannelInboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the channel. This is
the sum of 'saInPackets' from the 'saEntry' of each IKE SA in
'saTable' that is part of this channel."
::= { ipsecChannelEntry 11 }
ipsecChannelOutboundPackets OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets sent by the channel. This is the
sum of 'saOutPackets' from the 'saEntry' of each IKE SA in
'saTable' that is part of this channel."
::= { ipsecChannelEntry 12 }
ipsecChannelReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of receive errors incurred in the channel.
This is the sum of all receive errors from the 'saEntry' of
each IKE SA in 'saTable' that is part of this channel."
::= { ipsecChannelEntry 13 }
ipsecChannelSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of send errors incurred in the channel.
This is the sum of all send errors from the 'saEntry' of each
IKE SA in 'saTable' that is part of this channel."
::= { ipsecChannelEntry 14 }
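The per-channel objects above come with two rules a management station should check rather than trust: Current + Deleted must equal Total for the SA and tunnel counts, and the byte and packet statistics are Counter32 objects, which wrap at 2^32 and must be differenced modulo that before a rate is computed. The following is an added example, not part of this draft, of a poller that applies both rules to two successive reads of one ipsecChannelEntry row (column values are held in a dictionary keyed by the draft's object names; the sample values are constructed). The same checks apply to an ipsecTunnelEntry row with the corresponding SA suite columns.

```python
"""Consistency checks over two polls of one ipsecChannelEntry row.

Added example, not part of the draft. It models a management station that
has already fetched the row's columns (by name) at two instants and now
checks the invariants the draft states and derives rates. Sample values
are constructed for this example.
"""

COUNTER32_MODULUS = 2 ** 32

# Column names are the draft's; grouping them into triples is this example's.
COUNT_TRIPLES = (
    ("ipsecChannelCurrentSAs", "ipsecChannelDeletedSAs", "ipsecChannelTotalSAs"),
    ("ipsecChannelCurrentTunnels", "ipsecChannelDeletedTunnels",
     "ipsecChannelTotalTunnels"),
)
COUNTER32_STATS = (
    "ipsecChannelInboundOctets", "ipsecChannelOutboundOctets",
    "ipsecChannelInboundPackets", "ipsecChannelOutboundPackets",
    "ipsecChannelReceiveErrors", "ipsecChannelSendErrors",
)


def check_count_invariants(row):
    """Return the invariants the row violates (empty list when consistent).

    The draft says Current + Deleted should equal Total for IKE SAs and for
    tunnels. A violation usually means the row was read while the agent was
    updating it (re-poll) or the agent's bookkeeping is wrong (report it)."""
    problems = []
    for current, deleted, total in COUNT_TRIPLES:
        if row[current] + row[deleted] != row[total]:
            problems.append(f"{current} + {deleted} != {total}")
    return problems


def counter32_delta(old, new):
    """Increment between two Counter32 samples, tolerating a single wrap.

    A Counter32 of bytes on a busy channel wraps within minutes; a poll
    interval long enough for two wraps makes the delta ambiguous, which is
    why the per-tunnel octet objects in the draft are Counter64."""
    return (new - old) % COUNTER32_MODULUS


def channel_state(row):
    """'up' while at least one IKE SA supports the channel, else 'down'
    (the transition that starts ipsecChannelTimeUp/DownSeconds)."""
    return "up" if row["ipsecChannelCurrentSAs"] > 0 else "down"


def summarize_polls(old_row, new_row, interval_s):
    """Combine the checks into one report for the interval between polls."""
    return {
        "state": channel_state(new_row),
        "went_down": channel_state(old_row) == "up"
                     and channel_state(new_row) == "down",
        "problems": check_count_invariants(new_row),
        "rates": {name: counter32_delta(old_row[name], new_row[name]) / interval_s
                  for name in COUNTER32_STATS},
    }


def _sample(**overrides):
    """Constructed ipsecChannelEntry values; unspecified columns are zero."""
    row = {name: 0 for triple in COUNT_TRIPLES for name in triple}
    row.update({name: 0 for name in COUNTER32_STATS})
    row.update(overrides)
    return row


# Constructed polls 60 s apart: the inbound octet counter wraps between them.
POLL_T0 = _sample(ipsecChannelCurrentSAs=1, ipsecChannelDeletedSAs=3,
                  ipsecChannelTotalSAs=4, ipsecChannelCurrentTunnels=2,
                  ipsecChannelDeletedTunnels=5, ipsecChannelTotalTunnels=7,
                  ipsecChannelInboundOctets=4294967000,
                  ipsecChannelInboundPackets=900000)
POLL_T1 = _sample(ipsecChannelCurrentSAs=1, ipsecChannelDeletedSAs=3,
                  ipsecChannelTotalSAs=4, ipsecChannelCurrentTunnels=2,
                  ipsecChannelDeletedTunnels=5, ipsecChannelTotalTunnels=7,
                  ipsecChannelInboundOctets=1200,
                  ipsecChannelInboundPackets=900012)
# Constructed row whose tunnel counters contradict the draft's invariant.
INCONSISTENT_ROW = _sample(ipsecChannelCurrentSAs=1, ipsecChannelTotalSAs=1,
                           ipsecChannelCurrentTunnels=2,
                           ipsecChannelDeletedTunnels=5,
                           ipsecChannelTotalTunnels=6)

if __name__ == "__main__":
    print(summarize_polls(POLL_T0, POLL_T1, 60))
    print(check_count_invariants(INCONSISTENT_ROW))
```

The modulo difference is only valid when at most one wrap occurred between polls; for the Counter32 octet objects that bounds the usable poll interval on fast links, and a station that cannot poll often enough should read the Counter64 tunnel octet objects instead.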
ipsecChannelCurrentTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of IPsec tunnels that are currently active that
were created by this channel.
This value should not include tunnel establishment attempts
that are in progress."
::= { ipsecChannelEntry 15 }
ipsecChannelTotalTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IPsec tunnels that have been created in
the entity by this channel since boot time.
This value should not include failed tunnel establishment
attempts."
::= { ipsecChannelEntry 16 }
ipsecChannelDeletedTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IPsec tunnels that have been deleted by
this channel in the entity since boot time.
The sum of 'ipsecChannelCurrentTunnels' and this value should
equal 'ipsecChannelTotalTunnels'."
::= { ipsecChannelEntry 17 }
ipsecChannelTunnelInboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes received by all
tunnels created by the channel."
::= { ipsecChannelEntry 18 }
ipsecChannelTunnelOutboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes sent by all tunnels
created by the channel."
::= { ipsecChannelEntry 19 }
ipsecChannelTunnelInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by all tunnels created
by the channel."
::= { ipsecChannelEntry 20 }
ipsecChannelTunnelOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets sent by all tunnels created by
the channel."
::= { ipsecChannelEntry 21 }
ipsecChannelTunnelReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of receive errors incurred in all tunnels
created by the channel."
::= { ipsecChannelEntry 22 }
ipsecChannelTunnelSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of send errors incurred in all tunnels
created by the channel."
::= { ipsecChannelEntry 23 }
-- the IPsec channel SA table
--
-- a table providing a reference to specific IKE SAs as used by
-- IPsec channels
ipsecChannelSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecChannelSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on which IKE
SAs are used in channels.
The number of rows is the same as the number of IKE SAs in
the entity.
The maximum number of rows is implementation dependent."
::= { channelTables 2 }
ipsecChannelSaEntry OBJECT-TYPE
SYNTAX IpsecChannelSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the identifiers of a
specific IKE SA.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX {
ipsecChannelType,
ipsecChannelLocalEndpoint,
ipsecChannelRemoteEndpoint,
ipsecChannelSaIndex
}
::= { ipsecChannelSaTable 1 }
IpsecChannelSaEntry ::= SEQUENCE {
-- additional index to augment channel table
ipsecChannelSaIndex Unsigned32,
-- the SA specifiers
ipsecChannelSaLocalIpAddrType InetAddressType,
ipsecChannelSaLocalIpAddress InetAddress,
ipsecChannelSaRemoteIpAddrType InetAddressType,
ipsecChannelSaRemoteIpAddress InetAddress,
ipsecChannelSaInitiatorCookie IsakmpCookie,
ipsecChannelSaResponderCookie IsakmpCookie
}
ipsecChannelSaIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..16777215)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each IKE SA in the
channel. It is recommended that values are assigned
contiguously starting from 1."
::= { ipsecChannelSaEntry 1 }
ipsecChannelSaLocalIpAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the local address used to negotiate the IKE SA
in the channel. (The value of 'saIkeLocalIpAddressType' from
'ikeMonModule' for this row.)"
::= { ipsecChannelSaEntry 2 }
ipsecChannelSaLocalIpAddress OBJECT-TYPE
SYNTAX InetAddress (SIZE(4|16|20))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local address used to negotiate the IKE SA in the
channel. (The value of 'saIkeLocalIpAddress' from
'ikeMonModule' for this row.)"
::= { ipsecChannelSaEntry 3 }
ipsecChannelSaRemoteIpAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the remote address used to negotiate the IKE SA
in the channel. (The value of 'saIkeRemoteIpAddressType' from
'ikeMonModule' for this row.)"
::= { ipsecChannelSaEntry 4 }
ipsecChannelSaRemoteIpAddress OBJECT-TYPE
SYNTAX InetAddress (SIZE(4|16|20))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The remote address used to negotiate the IKE SA in the
channel. (The value of 'saIkeRemoteIpAddress' from
'ikeMonModule' for this row.)"
::= { ipsecChannelSaEntry 5 }
ipsecChannelSaInitiatorCookie OBJECT-TYPE
SYNTAX IsakmpCookie
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the initiator for the IKE SA
in the channel. (The value of 'saIkeInitiatorCookie' from
'ikeMonModule' for this row.)"
::= { ipsecChannelSaEntry 6 }
ipsecChannelSaResponderCookie OBJECT-TYPE
SYNTAX IsakmpCookie
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the cookie used by the responder for the IKE SA
in the channel. (The value of 'saIkeResponderCookie' from
'ikeMonModule' for this row.)"
::= { ipsecChannelSaEntry 7 }
-- the IPsec channel SA aggregates table
--
-- a table providing aggregate statistics for the user-defined
-- channel types
ipsecChanAggTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecChanAggEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The optional (conceptual) table containing information on
aggregate statistics for the channel types.
The number of rows is the same as the number of channel types
supported by the entity.
The maximum number of rows is implementation dependent."
::= { channelTables 3 }
ipsecChanAggEntry OBJECT-TYPE
SYNTAX IpsecChanAggEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the aggregate
statistics for a specific channel type.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX { ipsecChanAggType }
::= { ipsecChanAggTable 1 }
IpsecChanAggEntry ::= SEQUENCE {
-- index
ipsecChanAggType IpsecChanOrTunType,
-- channel counts
ipsecChanAggCurrentChannels Gauge32,
ipsecChanAggTotalChannels Counter32,
ipsecChanAggDeletedChannels Counter32,
-- aggregate statistics (all SAs)
ipsecChanAggInboundOctets Counter64,
ipsecChanAggOutboundOctets Counter64,
ipsecChanAggInboundPackets Counter64,
ipsecChanAggOutboundPackets Counter64,
-- aggregate error statistics
ipsecChanAggReceiveErrors Counter32,
ipsecChanAggSendErrors Counter32,
-- IPsec tunnel (Phase 2) statistics
ipsecChanAggCurrentTunnels Gauge32,
ipsecChanAggTotalTunnels Counter32,
ipsecChanAggDeletedTunnels Counter32,
-- IPsec tunnel (Phase 2) statistics (aggregate)
ipsecChanAggTnlInboundOctets Counter64,
ipsecChanAggTnlOutboundOctets Counter64,
ipsecChanAggTnlInboundPackets Counter64,
ipsecChanAggTnlOutboundPackets Counter64,
-- IPsec SA (Phase 2) error statistics (aggregate)
ipsecChanAggTnlReceiveErrors Counter32,
ipsecChanAggTnlSendErrors Counter32
}
ipsecChanAggType OBJECT-TYPE
SYNTAX IpsecChanOrTunType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The type of control channel for which this row aggregates
statistics."
::= { ipsecChanAggEntry 1 }
ipsecChanAggCurrentChannels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of channels that are currently active that are of
the specified type.
This value should not include channel establishment attempts
in progress."
::= { ipsecChanAggEntry 2 }
ipsecChanAggTotalChannels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of channels of this type that have been
created in the entity since boot time.
This value should not include failed channel establishment
attempts."
::= { ipsecChanAggEntry 3 }
ipsecChanAggDeletedChannels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of channels of this type that have been
deleted in the entity since boot time.
The sum of 'ipsecChanAggCurrentChannels' and this value
should equal 'ipsecChanAggTotalChannels'."
::= { ipsecChanAggEntry 4 }
ipsecChanAggInboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes received by
all channels of this type. This is the sum of
'ipsecChannelInboundOctets' from the 'ipsecChannelEntry' of
each channel in 'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 5 }
ipsecChanAggOutboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes sent by all
channels of this type. This is the sum of
'ipsecChannelOutboundOctets' from the 'ipsecChannelEntry' of
each channel in 'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 6 }
ipsecChanAggInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by all channels of this
type. This is the sum of 'ipsecChannelInboundPackets' from
the 'ipsecChannelEntry' of each channel in
'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 7 }
ipsecChanAggOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets sent by all channels of this
type. This is the sum of 'ipsecChannelOutboundPackets' from
the 'ipsecChannelEntry' of each channel in
'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 8 }
ipsecChanAggReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of receive errors incurred by all channels
of this type. This is the sum of 'ipsecChannelReceiveErrors'
from the 'ipsecChannelEntry' of each channel in
'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 9 }
ipsecChanAggSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of send errors incurred by all channels of
this type. This is the sum of 'ipsecChannelSendErrors' from
the 'ipsecChannelEntry' of each channel in
'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 10 }
ipsecChanAggCurrentTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current number of active IPsec tunnels that have been
created by all channels of this type. This is the sum of
'ipsecChannelCurrentTunnels' from the 'ipsecChannelEntry' of
each channel in 'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 11 }
ipsecChanAggTotalTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IPsec tunnels that have been created by
all channels of this type. This is the sum of
'ipsecChannelTotalTunnels' from the 'ipsecChannelEntry' of
each channel in 'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 12 }
ipsecChanAggDeletedTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IPsec tunnels that have been deleted by
all channels of this type. This is the sum of
'ipsecChannelDeletedTunnels' from the 'ipsecChannelEntry' of
each channel in 'ipsecChannelTable' that is of this type.
The sum of 'ipsecChanAggCurrentTunnels' and this value should
equal 'ipsecChanAggTotalTunnels'."
::= { ipsecChanAggEntry 13 }
ipsecChanAggTnlInboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes received by all
tunnels created by all channels of this type. This is the sum
of 'ipsecChannelTunnelInboundOctets' from the
'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
that is of this type."
::= { ipsecChanAggEntry 14 }
ipsecChanAggTnlOutboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of traffic measured in bytes sent by all tunnels
created by all channels of this type. This is the sum of
'ipsecChannelTunnelOutboundOctets' from the
'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
that is of this type."
::= { ipsecChanAggEntry 15 }
ipsecChanAggTnlInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by all tunnels created
by all channels of this type. This is the sum of
'ipsecChannelTunnelInboundPackets' from the
'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
that is of this type."
::= { ipsecChanAggEntry 16 }
ipsecChanAggTnlOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets sent by all tunnels created by
all channels of this type. This is the sum of
'ipsecChannelTunnelOutboundPackets' from the
'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
that is of this type."
::= { ipsecChanAggEntry 17 }
ipsecChanAggTnlReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of receive errors incurred in all tunnels
created by all channels of this type. This is the sum of
'ipsecChannelTunnelReceiveErrors' from the
'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
that is of this type."
::= { ipsecChanAggEntry 18 }
ipsecChanAggTnlSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of send errors incurred in all tunnels
created by all channels of this type. This is the sum of
'ipsecChannelTunnelSendErrors' from the 'ipsecChannelEntry'
of each channel in 'ipsecChannelTable' that is of this type."
::= { ipsecChanAggEntry 19 }
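Every statistic in ipsecChanAggEntry is defined as the sum of one ipsecChannelEntry column over the channels of a type, so a management station that walks ipsecChannelTable can recompute the aggregates itself and cross-check the optional ipsecChanAggTable the agent reports; a disagreement shows one of the two tables is stale or miscounted. The following is an added example of that recomputation, not part of this draft: rows are dictionaries keyed by the draft's object names, the assumption that every row in ipsecChannelTable counts as an active channel is this example's, and all values are constructed. The same mapping, with the ipsecTunnel*/ipsecTunAgg* names, serves the tunnel aggregates table.

```python
"""Recomputing ipsecChanAggTable rows from ipsecChannelTable rows.

Added example, not part of the draft. Row values are constructed.
"""

# Aggregate column -> channel column it sums, as the draft's DESCRIPTION
# clauses state.
AGG_SUM_OF = {
    "ipsecChanAggInboundOctets": "ipsecChannelInboundOctets",
    "ipsecChanAggOutboundOctets": "ipsecChannelOutboundOctets",
    "ipsecChanAggInboundPackets": "ipsecChannelInboundPackets",
    "ipsecChanAggOutboundPackets": "ipsecChannelOutboundPackets",
    "ipsecChanAggReceiveErrors": "ipsecChannelReceiveErrors",
    "ipsecChanAggSendErrors": "ipsecChannelSendErrors",
    "ipsecChanAggCurrentTunnels": "ipsecChannelCurrentTunnels",
    "ipsecChanAggTotalTunnels": "ipsecChannelTotalTunnels",
    "ipsecChanAggDeletedTunnels": "ipsecChannelDeletedTunnels",
    "ipsecChanAggTnlInboundOctets": "ipsecChannelTunnelInboundOctets",
    "ipsecChanAggTnlOutboundOctets": "ipsecChannelTunnelOutboundOctets",
    "ipsecChanAggTnlInboundPackets": "ipsecChannelTunnelInboundPackets",
    "ipsecChanAggTnlOutboundPackets": "ipsecChannelTunnelOutboundPackets",
    "ipsecChanAggTnlReceiveErrors": "ipsecChannelTunnelReceiveErrors",
    "ipsecChanAggTnlSendErrors": "ipsecChannelTunnelSendErrors",
}


def _empty_entry(chan_type):
    """An ipsecChanAggEntry with every recomputable column at zero."""
    entry = {col: 0 for col in AGG_SUM_OF}
    entry["ipsecChanAggType"] = chan_type
    entry["ipsecChanAggCurrentChannels"] = 0
    return entry


def aggregate_channels(channel_rows):
    """Group ipsecChannelEntry rows by ipsecChannelType and sum the columns.

    Assumption of this example: every row present counts as an active
    channel for ipsecChanAggCurrentChannels. ipsecChanAggTotalChannels and
    ipsecChanAggDeletedChannels cannot be recomputed this way, because
    deleted channels no longer have rows; only the agent can report them."""
    computed = {}
    for row in channel_rows:
        chan_type = row["ipsecChannelType"]
        entry = computed.setdefault(chan_type, _empty_entry(chan_type))
        entry["ipsecChanAggCurrentChannels"] += 1
        for agg_col, chan_col in AGG_SUM_OF.items():
            entry[agg_col] += row[chan_col]
    return computed


def compare_with_agent(computed, reported):
    """Return (type, column, computed, reported) tuples that disagree.

    Only columns the agent returned and that can be recomputed are
    compared, so a partial walk and the Total/Deleted channel counts do
    not produce spurious mismatches."""
    mismatches = []
    for chan_type, reported_row in reported.items():
        computed_row = computed.get(chan_type, _empty_entry(chan_type))
        for col, reported_value in reported_row.items():
            computed_value = computed_row.get(col)
            if computed_value is not None and computed_value != reported_value:
                mismatches.append((chan_type, col, computed_value, reported_value))
    return mismatches


def _channel(chan_type, **overrides):
    """Constructed ipsecChannelEntry row; unspecified counters are zero."""
    row = {col: 0 for col in AGG_SUM_OF.values()}
    row["ipsecChannelType"] = chan_type
    row.update(overrides)
    return row


SAMPLE_CHANNELS = [
    _channel(1, ipsecChannelInboundOctets=1000, ipsecChannelOutboundOctets=500,
             ipsecChannelCurrentTunnels=2, ipsecChannelTotalTunnels=3,
             ipsecChannelDeletedTunnels=1, ipsecChannelTunnelInboundOctets=90000),
    _channel(1, ipsecChannelInboundOctets=200, ipsecChannelCurrentTunnels=1,
             ipsecChannelTotalTunnels=1, ipsecChannelTunnelInboundOctets=10000),
    _channel(2, ipsecChannelInboundOctets=50, ipsecChannelReceiveErrors=4),
]

# Constructed agent view of ipsecChanAggTable; the tunnel octet total for
# type 1 is deliberately inconsistent with the channel rows above.
REPORTED_AGG = {
    1: {"ipsecChanAggCurrentChannels": 2, "ipsecChanAggTotalChannels": 9,
        "ipsecChanAggInboundOctets": 1200, "ipsecChanAggTnlInboundOctets": 99000},
    2: {"ipsecChanAggCurrentChannels": 1, "ipsecChanAggReceiveErrors": 4},
}

if __name__ == "__main__":
    for mismatch in compare_with_agent(aggregate_channels(SAMPLE_CHANNELS), REPORTED_AGG):
        print("type %s column %s: computed %s, agent reports %s" % mismatch)
```

One caveat the column types impose: the per-channel octet and packet objects are Counter32 while the aggregate ones are Counter64, so once an individual channel counter has wrapped the sum of the current Counter32 values no longer equals the agent's Counter64 aggregate, and the comparison is only meaningful on deltas between polls or on agents that have been up for a short time.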
-- the IPsec Tunnel MIB-Group
--
-- a collection of objects providing information about
-- IPsec SA suite-based virtual tunnels
ipsecTunnelTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecTunnelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPsec SA
suite-based tunnels.
The number of rows is, at a minimum, the same as the number
of IPsec SA suites in the entity that have identical
selectors. Additional rows for tunnels without active IPsec
SA suites may also appear in the table.
The maximum number of rows is implementation dependent."
::= { tunnelTables 1 }
ipsecTunnelEntry OBJECT-TYPE
SYNTAX IpsecTunnelEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on a
particular tunnel.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX { ipsecTunnelType, ipsecTunnelId }
::= { ipsecTunnelTable 1 }
IpsecTunnelEntry ::= SEQUENCE {
ipsecTunnelType IpsecChanOrTunType,
ipsecTunnelId Unsigned32,
-- tunnel endpoints
ipsecTunnelLocalIpAddrType InetAddressType,
ipsecTunnelLocalIpAddress InetAddress,
ipsecTunnelRemoteIpAddrType InetAddressType,
ipsecTunnelRemoteIpAddress InetAddress,
-- creator identifiers
ipsecTunnelLocalEndpoint Unsigned32,
ipsecTunnelRemoteEndpoint Unsigned32,
-- operational statistics
ipsecTunnelCurrentSaSuites Gauge32,
ipsecTunnelTotalSaSuites Counter32,
ipsecTunnelDeletedSaSuites Counter32,
ipsecTunnelTimeUpSeconds Counter32, -- since suites > 0
ipsecTunnelTimeDownSeconds Counter32, -- since suites = 0
-- aggregate statistics
ipsecTunnelTotalInboundOctets Counter64,
ipsecTunnelTotalOutboundOctets Counter64,
ipsecTunnelTotalInboundPackets Counter64,
ipsecTunnelTotalOutboundPackets Counter64,
-- aggregate error statistics
ipsecTunnelSendErrors Counter32,
ipsecTunnelReceiveErrors Counter32
}
ipsecTunnelType OBJECT-TYPE
SYNTAX IpsecChanOrTunType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The type of tunnel represented by this row.
This is an implementation dependent value, used to assist in
controlling how tunnels are sorted."
::= { ipsecTunnelEntry 1 }
ipsecTunnelId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The index value of the selector table row that contains the
selectors that are the identity of this tunnel.
Specifically, this is the value of 'selectorIndex' from the
appropriate row ('selectorEntry') from the table
'selectorTable' from the MIB 'ipsecMonModule'.
(NOTE: Should this be an OBJECT IDENTIFIER instead?)"
::= { ipsecTunnelEntry 2 }
ipsecTunnelLocalIpAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of address used by the local endpoint of the
tunnel."
::= { ipsecTunnelEntry 3 }
ipsecTunnelLocalIpAddress OBJECT-TYPE
SYNTAX InetAddress (SIZE(4|16|20))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address used by the local endpoint of the tunnel."
::= { ipsecTunnelEntry 4 }
ipsecTunnelRemoteIpAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of address used by the remote endpoint of the
tunnel."
::= { ipsecTunnelEntry 5 }
ipsecTunnelRemoteIpAddress OBJECT-TYPE
SYNTAX InetAddress (SIZE(4|16|20))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The address used by the remote endpoint of the tunnel."
::= { ipsecTunnelEntry 6 }
ipsecTunnelLocalEndpoint OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the local endpoint that negotiated this tunnel.
It is the value of 'endpointIndex' from the correct row
('IkeEndpointEntry') of the 'ikeEndpointTable' from
'ikeMonModule'.
(NOTE: Should this be an OBJECT IDENTIFIER instead?)"
::= { ipsecTunnelEntry 7 }
ipsecTunnelRemoteEndpoint OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index of the remote endpoint that negotiated this
tunnel.
It is the value of 'endpointIndex' from the correct row
('IkeEndpointEntry') of the 'ikeEndpointTable' from
'ikeMonModule'."
::= { ipsecTunnelEntry 8 }
ipsecTunnelCurrentSaSuites OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of phase 2 SA suites that are currently active
that make up this tunnel.
This value may be 0 if the tunnel has not yet been set up, or
the implementation does not require the existence of phase 2
SA suites for the tunnel to exist, or if the tunnel is
considered a permanent entry in the table by the
implementation.
This value should not include phase 2 SA suite establishment
attempts in progress."
::= { ipsecTunnelEntry 9 }
ipsecTunnelTotalSaSuites OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 SA suites that are part of this
tunnel that have been created in the entity since boot time.
This value should not include failed phase 2 SA suite
establishment attempts."
::= { ipsecTunnelEntry 10 }
ipsecTunnelDeletedSaSuites OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of phase 2 SA suites that are part of this
tunnel that have been deleted in the entity since boot time.
The sum of 'ipsecTunnelCurrentSaSuites' and this value should
equal 'ipsecTunnelTotalSaSuites'."
::= { ipsecTunnelEntry 11 }
ipsecTunnelTimeUpSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of seconds since there has been at least
one valid phase 2 SA suite supporting the tunnel. In other
words, the number of seconds since the value of
'ipsecTunnelCurrentSaSuites' changed from 0 to any other
value."
::= { ipsecTunnelEntry 12 }
ipsecTunnelTimeDownSeconds OBJECT-TYPE
SYNTAX Counter32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of seconds since the last valid phase 2 SA
suite supporting the tunnel was deleted. In other words, the
number of seconds since the value of
'ipsecTunnelCurrentSaSuites' changed to 0 from any other
value."
::= { ipsecTunnelEntry 13 }
ipsecTunnelTotalInboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes received by
the tunnel. This is the sum of 'suiteInUserOctets' from the
'suiteEntry' of each phase 2 SA suite in 'suiteTable' that is
part of this tunnel."
::= { ipsecTunnelEntry 14 }
ipsecTunnelTotalOutboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes sent by the
tunnel. This is the sum of 'suiteOutUserOctets' from the
'suiteEntry' of each phase 2 SA suite in 'suiteTable' that is
part of this tunnel."
::= { ipsecTunnelEntry 15 }
ipsecTunnelTotalInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the tunnel. This is
the sum of 'suiteInPackets' from the 'suiteEntry' of each
phase 2 SA suite in 'suiteTable' that is part of this
tunnel."
::= { ipsecTunnelEntry 16 }
ipsecTunnelTotalOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets sent by the tunnel. This is the
sum of 'suiteOutPackets' from the 'suiteEntry' of each phase
2 SA suite in 'suiteTable' that is part of this tunnel."
::= { ipsecTunnelEntry 17 }
ipsecTunnelSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of send errors in the tunnel. This is the
sum of 'suiteSendErrors' from the 'suiteEntry' of each phase
2 SA suite in 'suiteTable' that is part of this tunnel."
::= { ipsecTunnelEntry 18 }
ipsecTunnelReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of receive errors in the tunnel. This is
the sum of 'suiteReceiveErrors' from the 'suiteEntry' of each
phase 2 SA suite in 'suiteTable' that is part of this
tunnel."
::= { ipsecTunnelEntry 19 }
-- the IPsec SA Suite MIB-Group
--
-- a collection of objects providing information about
-- IPsec SA suites used in virtual tunnels
ipsecTunnelSuiteTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecTunnelSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPsec SA
suites.
The number of rows is the same as the number of IPsec SA
suites in the entity.
The maximum number of rows is implementation dependent."
::= { tunnelTables 2 }
ipsecTunnelSuiteEntry OBJECT-TYPE
SYNTAX IpsecTunnelSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the identifiers to a
particular SA suite.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX {
ipsecTunnelType,
ipsecTunnelId,
ipsecTunnelSuiteIndex
}
::= { ipsecTunnelSuiteTable 1 }
IpsecTunnelSuiteEntry ::= SEQUENCE {
-- additional index
ipsecTunnelSuiteIndex Unsigned32,
-- identifier of suite
ipsecTunnelSuiteReference OBJECT IDENTIFIER
}
ipsecTunnelSuiteIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..16777215)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each SA suite in the
tunnel. It is recommended that values are assigned
contiguously starting from 1."
::= { ipsecTunnelSuiteEntry 1 }
ipsecTunnelSuiteReference OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The object identifier of the IPsec SA suite row that
represents the IPsec SA suite in the tunnel.
Specifically, the value of this object is the object
identifier of 'suiteIndex' of the appropriate row
('SuiteEntry') in 'suiteTable' from 'ikeMonModule'."
::= { ipsecTunnelSuiteEntry 2 }
-- the IPsec tunnel aggregates table
--
-- a table providing aggregate statistics for the user-defined
-- tunnel types
ipsecTunAggTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecTunAggEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The optional (conceptual) table containing information on
aggregate statistics for the tunnel types.
The number of rows is the same as the number of tunnel types
supported by the entity.
The maximum number of rows is implementation dependent."
::= { tunnelTables 3 }
ipsecTunAggEntry OBJECT-TYPE
SYNTAX IpsecTunAggEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the aggregate
statistics for a specific tunnel type.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX { ipsecTunnelType }
::= { ipsecTunAggTable 1 }
IpsecTunAggEntry ::= SEQUENCE {
-- tunnel counts of this type
ipsecTunAggCurrentTunnels Gauge32,
ipsecTunAggTotalTunnels Counter32,
ipsecTunAggDeletedTunnels Counter32,
-- aggregate statistics
ipsecTunAggInboundOctets Counter64,
ipsecTunAggOutboundOctets Counter64,
ipsecTunAggInboundPackets Counter64,
ipsecTunAggOutboundPackets Counter64,
-- aggregate error statistics
ipsecTunAggSendErrors Counter32,
ipsecTunAggReceiveErrors Counter32
}
ipsecTunAggCurrentTunnels OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of tunnels that are currently active that are of
the specified type.
This value should not include tunnel establishment attempts
in progress."
::= { ipsecTunAggEntry 1 }
ipsecTunAggTotalTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of tunnels of this type that have been
created in the entity since boot time.
This value should not include failed tunnel establishment
attempts."
::= { ipsecTunAggEntry 2 }
ipsecTunAggDeletedTunnels OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of tunnels of this type that have been
deleted in the entity since boot time.
The sum of 'ipsecTunAggCurrentTunnels' and this value should
equal 'ipsecTunAggTotalTunnels'."
::= { ipsecTunAggEntry 3 }
ipsecTunAggInboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes received by
all tunnels of this type. This is the sum of
'ipsecTunnelInboundOctets' from the 'ipsecTunnelEntry' of
each tunnel in 'ipsecTunnelTable' that is of this type."
::= { ipsecTunAggEntry 4 }
ipsecTunAggOutboundOctets OBJECT-TYPE
SYNTAX Counter64
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of traffic measured in bytes sent by all
tunnels of this type. This is the sum of
'ipsecTunnelOutboundOctets' from the 'ipsecTunnelEntry' of
each tunnel in 'ipsecTunnelTable' that is of this type."
::= { ipsecTunAggEntry 5 }
ipsecTunAggInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by all tunnels of this
type. This is the sum of 'ipsecTunnelInboundPackets' from the
'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
is of this type."
::= { ipsecTunAggEntry 6 }
ipsecTunAggOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets sent by all tunnels of this
type. This is the sum of 'ipsecTunnelOutboundPackets' from
the 'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable'
that is of this type."
::= { ipsecTunAggEntry 7 }
ipsecTunAggSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of send errors incurred by all tunnels of
this type. This is the sum of 'ipsecTunnelSendErrors' from
the 'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable'
that is of this type."
::= { ipsecTunAggEntry 8 }
ipsecTunAggReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of receive errors incurred by all tunnels
of this type. This is the sum of 'ipsecTunnelReceiveErrors'
from the 'ipsecTunnelEntry' of each tunnel in
'ipsecTunnelTable' that is of this type."
::= { ipsecTunAggEntry 9 }
--
-- table to find tunnels based on the tunnel identifiers
--
tunnelBySelectorsTable OBJECT-TYPE
SYNTAX SEQUENCE OF TunnelBySelectorsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table that sorts the tunnels by the
selectors.
The number of rows in this table is the same as the number of
tunnels in the entity."
::= { tunnelTables 4 }
tunnelBySelectorsEntry OBJECT-TYPE
SYNTAX TunnelBySelectorsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) referencing a particular tunnel.
A row in this table cannot be created or deleted by SNMP
operations on columns of the table."
INDEX {
tunnelBySelectorsHash,
tunnelBySelectorsIndex
}
::= { tunnelBySelectorsTable 1 }
TunnelBySelectorsEntry ::= SEQUENCE {
-- index
tunnelBySelectorsHash OCTET STRING,
tunnelBySelectorsIndex Unsigned32,
-- real tunnel identifiers
tunnelBySelectorsId Unsigned32,
-- tunnel reference
tunnelBySelectorsType IpsecChanOrTunType,
tunnelBySelectorsRef OBJECT IDENTIFIER
}
tunnelBySelectorsHash OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(4))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The hash result of the full identifier of the tunnel. Precise
definition to be completed."
::= { tunnelBySelectorsEntry 1 }
tunnelBySelectorsIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..16777215)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique value, greater than zero, for each tunnel in the
table where the hash results of the tunnel identifiers
collide. It is recommended that values are assigned
contiguously starting from 1."
::= { tunnelBySelectorsEntry 2 }
tunnelBySelectorsId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The identifier of the tunnel.
The value of this object is the index of the selector
('selectorIndex') row ('SelectorEntry') from the
'selectorTable' that identifies this tunnel."
::= { tunnelBySelectorsEntry 3 }
tunnelBySelectorsType OBJECT-TYPE
SYNTAX IpsecChanOrTunType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type assigned to the tunnel for which this row refers."
::= { tunnelBySelectorsEntry 4 }
tunnelBySelectorsRef OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The object identifier of 'tunnelIndex' in the row
('tunnelEntry') of the 'tunnelTable' to which this row
refers."
::= { tunnelBySelectorsEntry 5 }
--
-- trap parameters, traps and control
--
channelTrapLocalEndpoint OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The index to an endpoint that is the local endpoint of a
channel in a trap."
::= { channelTrapObjects 1 }
channelTrapRemoteEndpoint OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The index to an endpoint that is the remote endpoint of a
channel in a trap."
::= { channelTrapObjects 2 }
tunnelTrapIdentifier OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The index to a selector that is the identifier of a tunnel
in a trap."
::= { tunnelTrapObjects 1 }
channelUpTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether channelUp traps should be generated."
DEFVAL { false }
::= { channelTrapControl 1 }
channelDownTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether channelDown traps should be generated."
DEFVAL { false }
::= { channelTrapControl 2 }
channelUp NOTIFICATION-TYPE
OBJECTS
{
channelTrapLocalEndpoint,
channelTrapRemoteEndpoint
}
STATUS current
DESCRIPTION
"The specified channel is now up. (In other words, the number
of current IKE SAs supporting the channel has changed from
zero to a non-zero value.)"
::= { channelTraps 1 }
channelDown NOTIFICATION-TYPE
OBJECTS
{
channelTrapLocalEndpoint,
channelTrapRemoteEndpoint
}
STATUS current
DESCRIPTION
"The specified channel is now down. (In other words, the
number of current IKE SAs supporting the channel has changed
to zero from a non-zero value.)"
::= { channelTraps 2 }
tunnelUpTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether tunnelUp traps should be generated."
DEFVAL { false }
::= { tunnelTrapControl 1 }
tunnelDownTrapEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether tunnelDown traps should be generated."
DEFVAL { false }
::= { tunnelTrapControl 2 }
tunnelUp NOTIFICATION-TYPE
OBJECTS
{
tunnelTrapIdentifier
}
STATUS current
DESCRIPTION
"The specified tunnel is now up. (In other words, the number
of current phase 2 SA suites supporting the tunnel has
changed from zero to a non-zero value.)"
::= { tunnelTraps 1 }
tunnelDown NOTIFICATION-TYPE
OBJECTS
{
tunnelTrapIdentifier
}
STATUS current
DESCRIPTION
"The specified tunnel is now down. (In other words, the
number of current phase 2 SA suites supporting the tunnel has
changed to zero from a non-zero value.)"
::= { tunnelTraps 2 }
END
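The ipsecTunAggTable DESCRIPTIONs above define every aggregate counter as the sum of the matching column over the ipsecTunnelTable rows of the same type, and require the sum of ipsecTunAggCurrentTunnels and ipsecTunAggDeletedTunnels to equal ipsecTunAggTotalTunnels. The following is an added example, written for this page and not part of the draft or of any agent: a manager-side check of those relations over a walked table. The two Counter32 objects are compared modulo 2^32 so that a wrapped counter does not raise a false alarm. One caveat a reader should keep in mind: the DESCRIPTIONs sum only rows currently present in ipsecTunnelTable, so an agent that keeps the traffic of already deleted tunnels in the aggregate will fail the octet and packet checks. The per-tunnel column names are taken from the aggregate DESCRIPTIONs; the tunnel type name "siteToSite" and all numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import List

COUNTER32 = 1 << 32  # Counter32 objects wrap modulo 2**32
COUNTER64 = 1 << 64  # Counter64 objects wrap modulo 2**64


@dataclass(frozen=True)
class TunnelRow:
    """One ipsecTunnelEntry, reduced to the columns the aggregate table sums."""
    tunnel_type: str
    in_octets: int      # ipsecTunnelInboundOctets
    out_octets: int     # ipsecTunnelOutboundOctets
    in_packets: int     # ipsecTunnelInboundPackets
    out_packets: int    # ipsecTunnelOutboundPackets
    send_errors: int    # ipsecTunnelSendErrors
    recv_errors: int    # ipsecTunnelReceiveErrors


@dataclass(frozen=True)
class AggRow:
    """One ipsecTunAggEntry, indexed by ipsecTunnelType."""
    tunnel_type: str
    current: int        # ipsecTunAggCurrentTunnels (Gauge32)
    total: int          # ipsecTunAggTotalTunnels   (Counter32)
    deleted: int        # ipsecTunAggDeletedTunnels (Counter32)
    in_octets: int      # ipsecTunAggInboundOctets  (Counter64)
    out_octets: int
    in_packets: int
    out_packets: int
    send_errors: int    # ipsecTunAggSendErrors     (Counter32)
    recv_errors: int


def check_agg_row(agg: AggRow, tunnels: List[TunnelRow]) -> List[str]:
    """Return the inconsistencies found for one aggregate row ([] means consistent)."""
    rows = [t for t in tunnels if t.tunnel_type == agg.tunnel_type]
    problems = []
    if agg.current != len(rows):
        problems.append(f"{agg.tunnel_type}: CurrentTunnels={agg.current} but "
                        f"{len(rows)} rows of that type in ipsecTunnelTable")
    # Current + Deleted must equal Total; compare modulo 2**32 because the two
    # Counter32 objects may have wrapped independently since boot.
    if (agg.current + agg.deleted) % COUNTER32 != agg.total % COUNTER32:
        problems.append(f"{agg.tunnel_type}: Current({agg.current}) + Deleted({agg.deleted})"
                        f" != Total({agg.total}) mod 2**32")
    # Each aggregate is the sum of the matching per-tunnel column, reduced
    # modulo the size of the aggregate object itself.
    expected = {
        "InboundOctets":   (sum(t.in_octets for t in rows) % COUNTER64, agg.in_octets),
        "OutboundOctets":  (sum(t.out_octets for t in rows) % COUNTER64, agg.out_octets),
        "InboundPackets":  (sum(t.in_packets for t in rows) % COUNTER64, agg.in_packets),
        "OutboundPackets": (sum(t.out_packets for t in rows) % COUNTER64, agg.out_packets),
        "SendErrors":      (sum(t.send_errors for t in rows) % COUNTER32, agg.send_errors),
        "ReceiveErrors":   (sum(t.recv_errors for t in rows) % COUNTER32, agg.recv_errors),
    }
    for name, (want, got) in expected.items():
        if want != got:
            problems.append(f"{agg.tunnel_type}: ipsecTunAgg{name}={got} "
                            f"but per-tunnel sum is {want}")
    return problems


def check_agg_table(agg_rows: List[AggRow], tunnels: List[TunnelRow]) -> List[str]:
    """Check every aggregate row, and flag tunnel types that have no aggregate row."""
    problems = []
    for agg in agg_rows:
        problems.extend(check_agg_row(agg, tunnels))
    covered = {a.tunnel_type for a in agg_rows}
    for missing in sorted({t.tunnel_type for t in tunnels} - covered):
        problems.append(f"{missing}: tunnels present but no ipsecTunAggEntry row")
    return problems


# Constructed sample walk (not real agent output): two live tunnels of one type.
SAMPLE_TUNNELS = [
    TunnelRow("siteToSite", 1500, 900, 10, 6, 0, 1),
    TunnelRow("siteToSite", 2500, 1100, 20, 8, 2, 0),
]
SAMPLE_AGG_OK = [
    AggRow("siteToSite", current=2, total=7, deleted=5,
           in_octets=4000, out_octets=2000, in_packets=30, out_packets=14,
           send_errors=2, recv_errors=1),
]
# Same agent after Counter32 wrap: Total wrapped to 1 while Deleted sits at 2**32 - 1.
SAMPLE_AGG_WRAPPED = [
    AggRow("siteToSite", current=2, total=1, deleted=COUNTER32 - 1,
           in_octets=4000, out_octets=2000, in_packets=30, out_packets=14,
           send_errors=2, recv_errors=1),
]
# Inconsistent row: claims three live tunnels and over-reports inbound octets.
SAMPLE_AGG_BAD = [
    AggRow("siteToSite", current=3, total=8, deleted=5,
           in_octets=4096, out_octets=2000, in_packets=30, out_packets=14,
           send_errors=2, recv_errors=1),
]

if __name__ == "__main__":
    for label, rows in (("ok", SAMPLE_AGG_OK), ("wrapped", SAMPLE_AGG_WRAPPED),
                        ("bad", SAMPLE_AGG_BAD)):
        print(label, check_agg_table(rows, SAMPLE_TUNNELS) or "consistent")
```

A check like this is worth running periodically against an agent: a persistent mismatch between the aggregate row and the per-tunnel rows usually means the agent is counting traffic for tunnels it no longer reports, which is exactly the case in which the aggregate counters stop being verifiable.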
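The four NOTIFICATION-TYPEs above fire only when the number of IKE SAs supporting a channel, or of phase 2 SA suites supporting a tunnel, moves between zero and non-zero, and only when the matching control object (DEFVAL false) has been set to true. The following is an added example, written for this page and not part of the draft or of any agent: an agent-side model of that rule. It shows that a rekey which installs the replacement SA before removing the old one produces no channelDown/channelUp or tunnelDown/tunnelUp pair, and that a channel flap with the control objects left at their defaults produces nothing. Endpoint and selector index values, and the event sequences, are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Notification:
    """One emitted notification: its name and the OBJECTS it carries."""
    name: str
    objects: Dict[str, int]


@dataclass
class TrapState:
    """Agent-side state behind the channel and tunnel notifications of this MIB."""
    # The four trap control objects, all DEFVAL { false } in the draft.
    channelUpTrapEnable: bool = False
    channelDownTrapEnable: bool = False
    tunnelUpTrapEnable: bool = False
    tunnelDownTrapEnable: bool = False
    # Current IKE SAs per channel, keyed by (local endpoint index, remote endpoint index).
    ike_sas: Dict[Tuple[int, int], int] = field(default_factory=dict)
    # Current phase 2 SA suites per tunnel, keyed by the selector index identifying it.
    phase2_suites: Dict[int, int] = field(default_factory=dict)
    sent: List[Notification] = field(default_factory=list)

    def _count(self, counts, key, delta, up, up_on, down, down_on, objects):
        """Apply delta to counts[key]; notify only on a zero <-> non-zero transition."""
        before = counts.get(key, 0)
        after = before + delta
        if after < 0:
            raise ValueError(f"SA count for {key} cannot go below zero")
        counts[key] = after
        if before == 0 and after > 0 and up_on:
            self.sent.append(Notification(up, objects))
        elif before > 0 and after == 0 and down_on:
            self.sent.append(Notification(down, objects))

    def _channel(self, local_ep: int, remote_ep: int, delta: int) -> None:
        self._count(self.ike_sas, (local_ep, remote_ep), delta,
                    "channelUp", self.channelUpTrapEnable,
                    "channelDown", self.channelDownTrapEnable,
                    {"channelTrapLocalEndpoint": local_ep,
                     "channelTrapRemoteEndpoint": remote_ep})

    def _tunnel(self, selector_index: int, delta: int) -> None:
        self._count(self.phase2_suites, selector_index, delta,
                    "tunnelUp", self.tunnelUpTrapEnable,
                    "tunnelDown", self.tunnelDownTrapEnable,
                    {"tunnelTrapIdentifier": selector_index})

    def ike_sa_created(self, local_ep: int, remote_ep: int) -> None:
        self._channel(local_ep, remote_ep, +1)

    def ike_sa_deleted(self, local_ep: int, remote_ep: int) -> None:
        self._channel(local_ep, remote_ep, -1)

    def phase2_created(self, selector_index: int) -> None:
        self._tunnel(selector_index, +1)

    def phase2_deleted(self, selector_index: int) -> None:
        self._tunnel(selector_index, -1)


def rekey_scenario() -> List[str]:
    """Constructed event sequence with all traps enabled; returns the names sent."""
    st = TrapState(channelUpTrapEnable=True, channelDownTrapEnable=True,
                   tunnelUpTrapEnable=True, tunnelDownTrapEnable=True)
    st.ike_sa_created(1, 7)   # 0 -> 1 IKE SA: channelUp
    st.phase2_created(42)     # 0 -> 1 phase 2 suite: tunnelUp
    st.phase2_created(42)     # rekey installs the new suite first: 1 -> 2, no trap
    st.phase2_deleted(42)     # old suite removed: 2 -> 1, no trap
    st.ike_sa_created(1, 7)   # IKE rekey with the same overlap: 1 -> 2, no trap
    st.ike_sa_deleted(1, 7)   # 2 -> 1, no trap
    st.phase2_deleted(42)     # 1 -> 0: tunnelDown
    st.ike_sa_deleted(1, 7)   # 1 -> 0: channelDown
    return [n.name for n in st.sent]


def default_scenario() -> List[str]:
    """Same channel flap with the control objects at their defaults: nothing is sent."""
    st = TrapState()
    st.ike_sa_created(1, 7)
    st.ike_sa_deleted(1, 7)
    return [n.name for n in st.sent]


if __name__ == "__main__":
    print(rekey_scenario())    # ['channelUp', 'tunnelUp', 'tunnelDown', 'channelDown']
    print(default_scenario())  # []
```

The second scenario is the operational point: because every control object defaults to false, a manager that depends on these notifications has to turn them on explicitly, and a later SET back to false is indistinguishable on the wire from an agent that simply has nothing to report.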
5. Security Considerations
This MIB contains readable objects whose values provide information
related to IPsec virtual tunnels. The only objects with a MAX-ACCESS
clause of read-write are the four trap control objects
(channelUpTrapEnable, channelDownTrapEnable, tunnelUpTrapEnable and
tunnelDownTrapEnable); there are no read-create objects.
While unauthorized access to the readable objects is relatively
innocuous, unauthorized access to those objects through an insecure
channel can provide attackers with more information about a system
than an administrator may desire.
Of particular concern is the ability to disable the transmission of
traps. The traps defined in this MIB may be generated by badly
configured systems and by transient error conditions, but they may
also be generated by attacks. An attacker who can set the trap control
objects to false removes some of the warnings that would otherwise
reach system administrators. Note that all four control objects
default to false, so an operator who relies on these traps must enable
them explicitly and should notice if they are turned off again.
It is thus important to control even GET access to these objects, and
possibly to encrypt their values when they are sent over the network
via SNMP. Not all versions of SNMP provide such features.
SNMPv1 by itself is not a secure environment. Even if the network
itself is secured (for example with IPsec), there is still no control
over who on that network is allowed to access and GET/SET
(read/change/create/delete) the objects in this MIB.
It is recommended that implementers consider the security features
provided by the SNMPv3 framework. Specifically, the use of the
User-based Security Model RFC 2574 [RFC2574] and the View-based Access
Control Model RFC 2575 [RFC2575] is recommended.
It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB is properly configured
to give access to the objects only to those principals (users) that
have legitimate rights to GET or SET (change/create/delete) them.
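As an added illustration of the VACM configuration recommended above (example code written for this page, not part of the draft or of any SNMP implementation), here is a pure-Python model of the RFC 2575 isAccessAllowed decision, reduced to the User-based Security Model and the default context, applied to this MIB's objects. The policy it builds is the one the security considerations call for: any read requires an authenticated user, a SET of a trap control object requires authPriv and a write view that contains nothing but the two trap control subtrees, and a third principal is confined to a single ipsecTunAggTable row through a view mask. The draft has no IANA-assigned OID, and the arcs of tunnelTables, channelTrapControl and tunnelTrapControl under the module root are not given in this section, so the OIDs are placeholders under the enterprise number reserved for documentation (32473, RFC 5612); the user, group and view names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

OID = Tuple[int, ...]
NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3   # USM security levels, weakest to strongest

# Placeholder OIDs: the draft has no IANA arc yet, so the module is hung under the
# documentation enterprise number 32473 (RFC 5612); the sub-arcs 2/3/4 are assumed.
MODULE = (1, 3, 6, 1, 4, 1, 32473, 1)
TUNNEL_TABLES = MODULE + (2,)
CHANNEL_TRAP_CONTROL = MODULE + (3,)
TUNNEL_TRAP_CONTROL = MODULE + (4,)
IPSEC_TUN_AGG_ENTRY = TUNNEL_TABLES + (3, 1)            # tunnelTables 3, ipsecTunAggEntry 1 (draft)
CHANNEL_UP_TRAP_ENABLE = CHANNEL_TRAP_CONTROL + (1, 0)  # channelTrapControl 1, scalar instance .0


@dataclass(frozen=True)
class ViewFamily:
    """vacmViewTreeFamilyTable row: subtree, mask (True = must match, False = wildcard), type."""
    subtree: OID
    mask: Sequence[bool] = ()      # sub-ids beyond the mask length must match
    included: bool = True


@dataclass(frozen=True)
class AccessEntry:
    """vacmAccessTable row (USM, default context): minimum level and the views it grants."""
    group: str
    min_level: int
    read_view: str
    write_view: str


def family_matches(fam: ViewFamily, oid: OID) -> bool:
    """True if oid lies under the family's subtree, honouring wildcard bits in the mask."""
    if len(oid) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        must_match = fam.mask[i] if i < len(fam.mask) else True
        if must_match and oid[i] != sub:
            return False
    return True


def in_view(view: Sequence[ViewFamily], oid: OID) -> bool:
    """RFC 2575 membership: the longest matching family wins and its type decides."""
    matches = [f for f in view if family_matches(f, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


class Vacm:
    def __init__(self) -> None:
        self.groups: Dict[str, str] = {}              # securityName -> groupName
        self.access: List[AccessEntry] = []
        self.views: Dict[str, List[ViewFamily]] = {}

    def is_access_allowed(self, user: str, level: int, op: str, oid: OID) -> str:
        """Return the RFC 2575 statusInformation for a 'read' (GET) or 'write' (SET)."""
        group = self.groups.get(user)
        if group is None:
            return "noGroupName"
        candidates = [a for a in self.access if a.group == group and a.min_level <= level]
        if not candidates:
            return "noAccessEntry"
        entry = max(candidates, key=lambda a: a.min_level)   # strongest applicable entry
        view_name = entry.read_view if op == "read" else entry.write_view
        if not view_name or view_name not in self.views:
            return "noSuchView"
        return "accessAllowed" if in_view(self.views[view_name], oid) else "notInView"


def build_policy() -> Vacm:
    """Constructed policy: reads need authentication, trap control needs authPriv."""
    v = Vacm()
    v.views["ipsecTunMonAll"] = [ViewFamily(MODULE)]
    v.views["trapControl"] = [ViewFamily(CHANNEL_TRAP_CONTROL), ViewFamily(TUNNEL_TRAP_CONTROL)]
    # One aggregate row only: wildcard the column arc, pin the ipsecTunnelType index to 2.
    v.views["aggTypeRow2"] = [ViewFamily(IPSEC_TUN_AGG_ENTRY + (0, 2),
                                         mask=[True] * len(IPSEC_TUN_AGG_ENTRY) + [False, True])]
    v.groups.update({"monitor": "readonly", "operator": "operators", "partner": "partners"})
    v.access += [
        AccessEntry("readonly",  AUTH_NOPRIV, "ipsecTunMonAll", ""),
        AccessEntry("operators", AUTH_PRIV,   "ipsecTunMonAll", "trapControl"),
        AccessEntry("partners",  AUTH_PRIV,   "aggTypeRow2",    ""),
    ]
    return v


if __name__ == "__main__":
    v = build_policy()
    octets_type2 = IPSEC_TUN_AGG_ENTRY + (4, 2)   # ipsecTunAggInboundOctets.2
    print(v.is_access_allowed("monitor", AUTH_NOPRIV, "read", octets_type2))
    print(v.is_access_allowed("monitor", AUTH_PRIV, "write", CHANNEL_UP_TRAP_ENABLE))
    print(v.is_access_allowed("operator", AUTH_NOPRIV, "write", CHANNEL_UP_TRAP_ENABLE))
    print(v.is_access_allowed("operator", AUTH_PRIV, "write", CHANNEL_UP_TRAP_ENABLE))
```

The shape of the policy matters more than the placeholder numbers: the write view is deliberately limited to the trap control groups, so even a fully authenticated operator cannot be tricked into a SET elsewhere in the module, and the read-only monitor's empty write view means a SET from that principal fails before any view lookup. Real agents (net-snmp's snmpd.conf, for instance) express the same three tables with their own syntax, and the decision procedure is the one modelled here.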
6. Acknowledgements
This document is based on an earlier series of MIBs documents titled
<draft-ietf-ipsec-mib-xx.txt>. Contributors to that series
effectively contributed to this document.
7. References
[ADDRMIB] Daniele, M., Haberman, B., Routhier, S., Schoenwaelder, J.,
"Textual Conventions for Internet Network Addresses",
RFC 2851, June 2000.
[IDIMIB] Jenkins, T., Shriver, J., "ISAKMP DOI-Independent Monitoring
MIB", draft-ietf-ipsec-isakmp-di-mon-mib-04.txt, October 3,
2001, work in progress.
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[IKEMIB] Jenkins, T., Shriver, J., "IKE Monitoring MIB",
draft-ietf-ipsec-ike-mon-mib-03.txt, October 3, 2001, work in
progress.
[IMMIB] Jenkins, T., Shriver, J., "IPsec Monitoring MIB",
draft-ietf-ipsec-monitor-mib-05.txt, October 3, 2001, work in
progress.
[IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP
Payload Compression Protocol (IPComp)", RFC 3173, September
2001.
[IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.
[IPSECTC] Shriver, J., "IPsec DOI Textual Conventions MIB",
draft-ietf-ipsec-doi-tc-mib-05.txt, October 3, 2001, work in
progress.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998.
[OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412,
November 1998.
[RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing SNMP Management Frameworks",
RFC 2571, April 1999.
[RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
of Management Information for TCP/IP-based Internets",
STD 16, RFC 1155, May 1990.
[RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions",
STD 16, RFC 1212, March 1991.
[RFC1215] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999.
[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", STD 15, RFC 1157, May 1990.
[RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January
1996.
[RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996.
[RFC2572] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", RFC 2572, April 1999.
[RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2574, April 1999.
[RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1905, January 1996.
[RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
RFC 2573, April 1999.
[RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2575, April 1999.
[RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction to Version 3 of the Internet-standard Network
Management Framework", RFC 2570, April 1999.
[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
8. Revision History
This section will be removed before publication.
October 4, 2001 Initial release.
No IANA number.
No groups or compliance statements.
Hash definitions for tunnel IDs not done.
Author's Address
Tim Jenkins
Catena Networks
307 Legget Drive
Kanata, ON
Canada
K2K 3C8
+1 (613) 599-6430
tjenkins@catena.com
The IPsec working group can be contacted via the IPsec working
group's mailing list (ipsec@lists.tislabs.com) or through its chair:
Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology
Barbara Fraser
byfraser@cisco.com
Cisco Systems, Inc.
This document expires April 5, 2001.