Internet Engineering Task Force Tim Jenkins IP Security Working Group TimeStep Corporation Internet Draft John Shriver Intel Corporation October 21, 1999 IPsec Monitoring MIB Status of this Memo This document is a submission to the IETF Internet Protocol Security (IPsec) Working Group. Comments are solicited and should be addressed to the working group mailing list (ipsec@lists.tislabs.com) or to the editor. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice This document is a product of the IETF's IPsec Working Group. Copyright (C) The Internet Society (1999). All Rights Reserved. Jenkins & Shriver Expires April 21, 2000 [Page 1] Internet Draft IPSec Monitoring MIB October 21, 1999 Table of Contents 1. Introduction....................................................2 2. The SNMP Management Framework...................................2 2.1 Object Definitions.............................................3 3. Definitions.....................................................4 3.1 Security Association...........................................4 3.2 Inbound........................................................4 3.3 Outbound.......................................................4 4. IPsec MIB Objects Architecture..................................4 4.1 IPsec Security Association Tables..............................5 4.1.1 IPcomp Security Associations.................................5 4.2 IPsec MIB Traps................................................6 4.3 IPsec Entity Level Objects.....................................6 5. MIB Definitions.................................................6 6. Security Considerations........................................64 7. Acknowledgments................................................65 8. References.....................................................66 1. Introduction This document defines low level monitoring and status MIBs for IPsec security associations (SAs). It does not define MIBs that may be used for configuring IPsec implementations or for providing low-level diagnostic or debugging information. It assumes no specific use of IPsec. Further, it does not provide policy information. The purpose of the MIBs is to allow system administrators to determine operating conditions and perform system operational level monitoring of the IPsec portion of their network. Statistics are provided as well. Additionally, it may be used as the basis for application specific MIBs for specific uses of IPsec SAs. 2. The SNMP Management Framework The SNMP Management Framework presently consists of five major components: o An overall architecture, described in RFC 2571 [RFC2571]. o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215 IPsec Working Group [Page 2] Internet Draft IPSec Monitoring MIB October 21, 1999 [RFC1215]. The second version, called SMIv2, is described in STD 58, RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580 [RFC2580]. o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [RFC1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906 [RFC1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574]. o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [RFC1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [RFC1905]. o A set of fundamental applications described in RFC 2573 [RFC2573] and the view-based access control mechanism described in RFC 2575 [RFC2575]. A more detailed introduction to the current SNMP Management Framework can be found in RFC 2570 [RFC2570]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI. This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB. 2.1 Object Definitions Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a IPsec Working Group [Page 3] Internet Draft IPSec Monitoring MIB October 21, 1999 specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type. 3. Definitions 3.1 Security Association This MIB uses the RFC 2401 [ISAKMP] Section 4.1 identification of a security association (SA). "A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier." As such, an SA in this MIB is a unidirectional entity. IKE negotiates these in pairs, outbound and inbound. For IPcomp [IPCOMP] SAs, the SPI is replaced by a CPI (Compression Parameter Index). 3.2 Inbound In the inbound direction, a packet crosses an interface of a logical or physical entity and enters the entity. No assumption is made about what happens to the packet after it enters the entity. An inbound SA then is an SA that processes inbound packets at an interface. 3.3 Outbound In the outbound direction, a packet crosses an interface of a logical or physical entity and leaves the entity. No assumption is made about the origins of the packet before it exits the entity. An outbound SA then is an SA that processes outbound packets at an interface. 4. IPsec MIB Objects Architecture The IPsec MIB consists of tables for the display of raw IPsec security associations (SAs), some entity statistics and traps. IPsec Working Group [Page 4] Internet Draft IPSec Monitoring MIB October 21, 1999 Configuration about the SAs is provided as are statistics related to the SAs themselves. However, no ability is provided to configure the SAs themselves. The intent is that this MIB may be used by any entity that somehow creates IPsec SAs, be that creation mechanism be IKE, static configuration or some other key exchange protocol. The traps may be used by system administrators to help detect mis- configurations or possible attacks. 4.1 IPsec Security Association Tables Due to the definition of the identification of an SA, individual SAs in this MIB are indexed by the equivalent three objects, where the security protocol is implicit by the SA's appearance in a particular table. Further, for the purposes of this MIB, IPcomp is considered a security protocol. Individual IPsec phase 2 SAs are separated by both direction and security protocol, resulting in the creation of six separate tables. All tables contain common information, such as the selectors and expiration limits, in addition to protocol specific information. The SAs in the tables may have been statically created, created by IKE or by some other mechanism. When SAs expire, they are removed from the table. There is no SA history kept with the exception of some global counters. 4.1.1 IPcomp Security Associations For IPcomp SAs, the following assumptions are made: o These SAs don't care about policy errors. o These SAs don't care about expiration. o The selectors can be empty (all 0) if IPcomp is shared across multiple security association suites. This may happen if an implementation chooses to use a CPI in the range of 1 to 63, representing the specific compression protocol chosen. o There are no transmission errors; the SA will send packets uncompressed if it is unable to compress then for any reason. IPsec Working Group [Page 5] Internet Draft IPSec Monitoring MIB October 21, 1999 o The outbound SA also makes decisions about which packets are compressed or not compressed. o Packets which were not compressed by an outbound IPcomp SA are not passed to an inbound IPcomp SA for processing. A compression performance metric can be calculated for outbound IPcomp SAs by dividing the SAs' output traffic counter value by the SAs' input traffic counter. This metric is not available for the inbound IPcomp SAs because uncompressed packets will normally not be passed to the inbound SA for processing. 4.2 IPsec MIB Traps Traps are provided to let system administrators know about the existence of error conditions occurring in the entity. These errors are associated with operational errors and may also indicate the presence of attacks on the system. Traps are not provided when SAs come up or go down. Traps may also be enabled or disabled as required, using configurable configuration objects. Note that support for these objects is optional, so that system administrators that have concerns about SNMP security can choose to implement objects that are write-only. 4.3 IPsec Entity Level Objects This part of the MIB carries statistics global to the IPsec device. Statistics included are aggregate numbers of SAs and aggregate errors for SAs. 5. MIB Definitions IPSEC-SA-MON-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, Integer32, Unsigned32, NOTIFICATION-TYPE, OBJECT-IDENTITY, Counter64 -- remove this and next line before release , experimental FROM SNMPv2-SMI TEXTUAL-CONVENTION, TruthValue IPsec Working Group [Page 6] Internet Draft IPSec Monitoring MIB October 21, 1999 FROM SNMPv2-TC OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF ifIndex FROM IF-MIB -- uncomment next line before release (and remove this one) -- mib-2 FROM RFC1213-MIB IpsecDoiIdentType, IpsecDoiEncapsulationMode, IpsecDoiEspTransform, IpsecDoiAhTransform, IpsecDoiAuthAlgorithm, IpsecDoiIpcompTransform, IpsecDoiSecProtocolId FROM IPSEC-ISAKMP-IKE-DOI-TC; ipsecSaMonModule MODULE-IDENTITY LAST-UPDATED "9910211200Z" ORGANIZATION "IETF IPsec Working Group" CONTACT-INFO " Tim Jenkins TimeStep Corporation 362 Terry Fox Drive Kanata, ON K0A 2H0 Canada +1 (613) 599-3610 tjenkins@timestep.com John Shriver Intel Corporation 28 Crosby Drive Bedford, MA 01730 +1 (781) 687-1329 John.Shriver@intel.com " DESCRIPTION "The MIB module to describe generic IPsec objects, and entity level objects and events for those types." REVISION "9906031200Z" DESCRIPTION "Initial revision." REVISION "9906251200Z" DESCRIPTION "Add module compliance requirements. Added common textual conventions. Other minor edits and clarifications." IPsec Working Group [Page 7] Internet Draft IPSec Monitoring MIB October 21, 1999 REVISION "9910211200Z" DESCRIPTION "Group and compliance statements added. OID value under experimental tree added. Authentication algorithm key length values added." -- replace xxx in next line before release and uncomment it -- ::= { mib-2 xxx } -- delete this and next line before release ::= { experimental 98 } IpsecSaCreatorIdent ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "A value indicating how an SA was created." SYNTAX INTEGER { unknown(0), static(1), -- statically created ike(2), -- IKE other(3) } IpsecIpv6Address ::= TEXTUAL-CONVENTION DISPLAY-HINT "2x:2x:2x:2x:2x:2x:1d.1d.1d.1d" STATUS current DESCRIPTION "This data type is used to model IPv6 addresses. This is a binary string of 16 octets in network byte-order. For implementations that do not support IPv6, this address should appear as the 'IPv4-mapped IPv6 address' as defined in Section 2.5.4 of [IPV6AA]. Specifically, the prefix '0000:0000:0000:0000:0000:FFFF::/96' is used for IPv4 addresses." REFERENCE "RFC 2373 sections 2.2 and 2.5.4" SYNTAX OCTET STRING (SIZE (16)) IpsecRawId ::= TEXTUAL-CONVENTION DISPLAY-HINT "x" STATUS current DESCRIPTION "This data type is used to model the ID values used by entities that have negotiated and created SAs. The values are taken directly from any payloads exchanged, independent of the type of ID transmitted. IPsec Working Group [Page 8] Internet Draft IPSec Monitoring MIB October 21, 1999 In some cases, the payload may be truncated. Note also that some IDs have human readable forms that are not used by this textual convention." SYNTAX OCTET STRING (SIZE (0..255)) -- the main MIB branch ipsecSaMonitorMIB OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all IPsec branches." ::= { ipsecSaMonModule 1 } -- significant branches saTables OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all SA tables." ::= { ipsecSaMonitorMIB 1 } saStatistics OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global counters for IPsec security associations." ::= { ipsecSaMonitorMIB 2 } saErrors OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global error counters for IPsec security associations." ::= { ipsecSaMonitorMIB 3 } saTraps OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are traps for IPsec security associations." ::= { ipsecSaMonitorMIB 4 } saTrapObjects OBJECT-IDENTITY STATUS current IPsec Working Group [Page 9] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "This is the base object identifier for objects which are used as part of traps." ::= { ipsecSaMonitorMIB 5 } saTrapControl OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are trap controls for IPsec security associations." ::= { ipsecSaMonitorMIB 6 } saGroups OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the groups in this MIB." ::= { ipsecSaMonitorMIB 7 } saConformance OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the conformance for this MIB." ::= { ipsecSaMonitorMIB 8 } -- the IPsec Inbound ESP MIB-Group -- -- a collection of objects providing information about -- IPsec Inbound ESP SAs ipsecSaEspInTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaEspInEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPsec inbound ESP SAs. There should be one row for every inbound ESP security association that exists in the entity. The maximum number of rows is implementation dependent." ::= { saTables 1 } ipsecSaEspInEntry OBJECT-TYPE SYNTAX IpsecSaEspInEntry MAX-ACCESS not-accessible IPsec Working Group [Page 10] Internet Draft IPSec Monitoring MIB October 21, 1999 STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPsec inbound ESP SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX{ ipsecSaEspInAddress, ipsecSaEspInSpi } ::= { ipsecSaEspInTable 1 } IpsecSaEspInEntry::= SEQUENCE { -- identification ipsecSaEspInAddress IpsecIpv6Address, ipsecSaEspInSpi Unsigned32, -- SA selectors ipsecSaEspInDestId IpsecRawId, ipsecSaEspInDestIdType IpsecDoiIdentType, ipsecSaEspInSourceId IpsecRawId, ipsecSaEspInSourceIdType IpsecDoiIdentType, ipsecSaEspInProtocol Integer32, ipsecSaEspInDestPort Integer32, ipsecSaEspInSourcePort Integer32, -- how created ipsecSaEspInCreator IpsecSaCreatorIdent, -- security services description ipsecSaEspInEncapsulation IpsecDoiEncapsulationMode, ipsecSaEspInEncAlg IpsecDoiEspTransform, ipsecSaEspInEncKeyLength Unsigned32, ipsecSaEspInAuthAlg IpsecDoiAuthAlgorithm, ipsecSaEspInAuthKeyLength Unsigned32, ipsecSaEspInRepWinSize Unsigned32, -- expiration limits ipsecSaEspInLimitSeconds Unsigned32, -- sec., 0 if none ipsecSaEspInLimitKbytes Unsigned32, -- 0 if none -- current operating statistics ipsecSaEspInAccSeconds Counter32, ipsecSaEspInAccKbytes Counter32, ipsecSaEspInUserOctets Counter64, ipsecSaEspInPackets Counter64, -- error statistics ipsecSaEspInDecryptErrors Counter32, IPsec Working Group [Page 11] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaEspInAuthErrors Counter32, ipsecSaEspInReplayErrors Counter32, ipsecSaEspInPolicyErrors Counter32, ipsecSaEspInPadErrors Counter32, ipsecSaEspInOtherReceiveErrors Counter32 } ipsecSaEspInAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the SA. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { ipsecSaEspInEntry 1 } ipsecSaEspInSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the SA." REFERENCE "RFC 2406 Section 2.1" ::= { ipsecSaEspInEntry 2 } ipsecSaEspInDestId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The destination identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during SA creation negotiation." ::= { ipsecSaEspInEntry 3 } ipsecSaEspInDestIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current IPsec Working Group [Page 12] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The type of identifier presented by 'ipsecSaEspInDestId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaEspInEntry 4 } ipsecSaEspInSourceId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The source identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during SA creation negotiation." ::= { ipsecSaEspInEntry 5 } ipsecSaEspInSourceIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaEspInSourceId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaEspInEntry 6 } ipsecSaEspInProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this SA carries, or 0 if it carries any protocol." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaEspInEntry 7 } ipsecSaEspInDestPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The destination port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaEspInEntry 8 } IPsec Working Group [Page 13] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaEspInSourcePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The source port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaEspInEntry 9 } ipsecSaEspInCreator OBJECT-TYPE SYNTAX IpsecSaCreatorIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The creator of this SA. This MIB makes no assumptions about how the SAs are created. They may be created statically, or by a key exchange protocol such as IKE, or by some other method." ::= { ipsecSaEspInEntry 10 } ipsecSaEspInEncapsulation OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this SA." ::= { ipsecSaEspInEntry 11 } ipsecSaEspInEncAlg OBJECT-TYPE SYNTAX IpsecDoiEspTransform MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the encryption algorithm applied to traffic or 0 if there is no encryption used." ::= { ipsecSaEspInEntry 12 } ipsecSaEspInEncKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the encryption key in bits used for the algorithm specified in the 'ipsecSaEspInEncAlg' object. It IPsec Working Group [Page 14] Internet Draft IPSec Monitoring MIB October 21, 1999 may be 0 if the key length is implicit in the specified algorithm or there is no encryption specified." ::= { ipsecSaEspInEntry 13 } ipsecSaEspInAuthAlg OBJECT-TYPE SYNTAX IpsecDoiAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic or 0 if there is no authentication used." ::= { ipsecSaEspInEntry 14 } ipsecSaEspInAuthKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the authentication key in bits used for the algorithm specified in the 'ipsecSaEspInAuthAlg'. It may be 0 if the key length is implicit in the specified algorithm or there is no authentication specified." ::= { ipsecSaEspInEntry 15 } ipsecSaEspInRepWinSize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The size of the anti-replay window used by this SA, or 0 if anti-replay checking is not being done." REFERENCE "Section 3.4.3 of RFC 2406" ::= { ipsecSaEspInEntry 16 } ipsecSaEspInLimitSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum lifetime in seconds of the SA, or 0 if there is no time constraint on its expiration. The display value is limited to 4294967295 seconds (more than 136 years); values greater than that value will be truncated." ::= { ipsecSaEspInEntry 17 } IPsec Working Group [Page 15] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaEspInLimitKbytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum traffic in kilobytes that the SA is allowed to process, or 0 if there is no traffic constraint on its expiration. The display value is limited to 4294967295 kilobytes; values greater than that value will be truncated." ::= { ipsecSaEspInEntry 18 } ipsecSaEspInAccSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds accumulated against the SA's expiration by time. This is also the number of seconds that the SA has existed." ::= { ipsecSaEspInEntry 19 } ipsecSaEspInAccKbytes OBJECT-TYPE SYNTAX Counter32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of traffic accumulated that counts against the SA's expiration by traffic limitation, measured in kilobytes. This value may be 0 if the SA does not expire based on traffic." ::= { ipsecSaEspInEntry 20 } ipsecSaEspInUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current IPsec Working Group [Page 16] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The amount of user level traffic measured in bytes handled by the SA. This is the number of bytes of the decrypted IP packet, including the original IP header of that decrypted packet. This is not necessarily the same as the amount of traffic applied against the traffic expiration limit due to padding or other protocol specific overhead." ::= { ipsecSaEspInEntry 21 } ipsecSaEspInPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled by the SA." ::= { ipsecSaEspInEntry 22 } ipsecSaEspInDecryptErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to detectable decryption errors. Not all decryption errors are detectable within SA processing, so this count should not be considered definitive." ::= { ipsecSaEspInEntry 23 } ipsecSaEspInAuthErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to authentication errors." ::= { ipsecSaEspInEntry 24 } ipsecSaEspInReplayErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to replay errors." ::= { ipsecSaEspInEntry 25 } IPsec Working Group [Page 17] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaEspInPolicyErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to policy errors. This includes packets where the next protocol is invalid." ::= { ipsecSaEspInEntry 26 } ipsecSaEspInPadErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to pad value errors. Implementations that do not check this must not support this object." REFERENCE "RFC 2406 section 2.4" ::= { ipsecSaEspInEntry 27 } ipsecSaEspInOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to errors other than decryption, authentication, replay errors or, when supported, invalid padding errors. This may include packets dropped due to a lack of receive buffers, and may include packets dropped due to congestion at the decryption element." ::= { ipsecSaEspInEntry 28 } -- the IPsec Inbound AH MIB-Group -- -- a collection of objects providing information about -- IPsec Inbound AH SAs ipsecSaAhInTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaAhInEntry MAX-ACCESS not-accessible STATUS current IPsec Working Group [Page 18] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The (conceptual) table containing information on IPsec inbound AH SAs. There should be one row for every inbound AH security association that exists in the entity. The maximum number of rows is implementation dependent." ::= { saTables 2 } ipsecSaAhInEntry OBJECT-TYPE SYNTAX IpsecSaAhInEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPsec inbound AH SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX{ ipsecSaAhInAddress, ipsecSaAhInSpi } ::= { ipsecSaAhInTable 1 } IpsecSaAhInEntry::= SEQUENCE { -- identification ipsecSaAhInAddress IpsecIpv6Address, ipsecSaAhInSpi Unsigned32, -- SA selectors ipsecSaAhInDestId IpsecRawId, ipsecSaAhInDestIdType IpsecDoiIdentType, ipsecSaAhInSourceId IpsecRawId, ipsecSaAhInSourceIdType IpsecDoiIdentType, ipsecSaAhInProtocol Integer32, ipsecSaAhInDestPort Integer32, ipsecSaAhInSourcePort Integer32, -- how created ipsecSaAhInCreator IpsecSaCreatorIdent, -- security services description ipsecSaAhInEncapsulation IpsecDoiEncapsulationMode, ipsecSaAhInAuthAlg IpsecDoiAhTransform, ipsecSaAhInAuthKeyLength Unsigned32, ipsecSaAhInRepWinSize Unsigned32, -- expiration limits ipsecSaAhInLimitSeconds Unsigned32, -- sec., 0 if none IPsec Working Group [Page 19] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaAhInLimitKbytes Unsigned32, -- 0 if none -- current operating statistics ipsecSaAhInAccSeconds Counter32, ipsecSaAhInAccKbytes Counter32, ipsecSaAhInUserOctets Counter64, ipsecSaAhInPackets Counter64, -- error statistics ipsecSaAhInAuthErrors Counter32, ipsecSaAhInReplayErrors Counter32, ipsecSaAhInPolicyErrors Counter32, ipsecSaAhInOtherReceiveErrors Counter32 } ipsecSaAhInAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the SA. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { ipsecSaAhInEntry 1 } ipsecSaAhInSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the SA." REFERENCE "RFC 2402 Section 2.4" ::= { ipsecSaAhInEntry 2 } ipsecSaAhInDestId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The destination identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during SA creation negotiation, or the equivalent process." ::= { ipsecSaAhInEntry 3 } IPsec Working Group [Page 20] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaAhInDestIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaAhInDestId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaAhInEntry 4 } ipsecSaAhInSourceId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The source identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during SA creation negotiation or the equivelant process." ::= { ipsecSaAhInEntry 5 } ipsecSaAhInSourceIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaAhInSourceId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaAhInEntry 6 } ipsecSaAhInProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this SA carries, or 0 if it carries any protocol." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaAhInEntry 7 } ipsecSaAhInDestPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current IPsec Working Group [Page 21] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The destination port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaAhInEntry 8 } ipsecSaAhInSourcePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The source port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaAhInEntry 9 } ipsecSaAhInCreator OBJECT-TYPE SYNTAX IpsecSaCreatorIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The creator of this SA. This MIB makes no assumptions about how the SAs are created. They may be created statically, or by a key exchange protocol such as IKE, or by some other method." ::= { ipsecSaAhInEntry 10 } ipsecSaAhInEncapsulation OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this SA." ::= { ipsecSaAhInEntry 11 } ipsecSaAhInAuthAlg OBJECT-TYPE SYNTAX IpsecDoiAhTransform MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic carried by this SA." ::= { ipsecSaAhInEntry 12 } ipsecSaAhInAuthKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" IPsec Working Group [Page 22] Internet Draft IPSec Monitoring MIB October 21, 1999 MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the authentication key in bits used for the algorithm specified in the 'ipsecSaAhInAuthAlg' object. It may be 0 if the key length is implicit in the specified algorithm." ::= { ipsecSaAhInEntry 13 } ipsecSaAhInRepWinSize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The size of the anti-replay window used by this SA, or 0 if anti-replay checking is not being done." REFERENCE "Section 3.4.3 of RFC 2402" ::= { ipsecSaAhInEntry 14 } ipsecSaAhInLimitSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum lifetime in seconds of the SA, or 0 if there is no time constraint on its expiration. The display value is limited to 4294967295 seconds (more than 136 years); values greater than that value will be truncated." ::= { ipsecSaAhInEntry 15 } ipsecSaAhInLimitKbytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum traffic in bytes that the SA is allowed to process, or 0 if there is no traffic constraint on its expiration. The display value is limited to 4294967295 kilobytes; values greater than that value will be truncated." ::= { ipsecSaAhInEntry 16 } IPsec Working Group [Page 23] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaAhInAccSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds accumulated against the SA's expiration by time. This is also the number of seconds that the SA has existed." ::= { ipsecSaAhInEntry 17 } ipsecSaAhInAccKbytes OBJECT-TYPE SYNTAX Counter32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of traffic accumulated that counts against the SA's expiration by traffic limitation, measured in kilobytes. This value may be 0 if the SA does not expire based on traffic." ::= { ipsecSaAhInEntry 18 } ipsecSaAhInUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the SA. This is the number of bytes of the de-processed IP packet, including the original IP header of that de- processed packet. This is not necessarily the same as the amount of traffic applied against the traffic expiration limit due to padding or other protocol specific overhead." ::= { ipsecSaAhInEntry 19 } ipsecSaAhInPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current IPsec Working Group [Page 24] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The number of packets handled by the SA." ::= { ipsecSaAhInEntry 20 } ipsecSaAhInAuthErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to authentication errors." ::= { ipsecSaAhInEntry 21 } ipsecSaAhInReplayErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to replay errors." ::= { ipsecSaAhInEntry 22 } ipsecSaAhInPolicyErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to policy errors. This includes packets where the next protocol is invalid." ::= { ipsecSaAhInEntry 23 } ipsecSaAhInOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to errors other than decryption, authentication or replay errors. This may include packets dropped due to a lack of receive buffers, and may include packets dropped due to congestion at the authentication element." ::= { ipsecSaAhInEntry 24 } -- the IPsec Inbound IPcomp MIB-Group -- IPsec Working Group [Page 25] Internet Draft IPSec Monitoring MIB October 21, 1999 -- a collection of objects providing information about -- IPsec Inbound IPcomp SAs ipsecSaIpcompInTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaIpcompInEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPsec inbound IPcomp SAs. There should be one row for every inbound IPcomp (security) association that exists in the entity. The maximum number of rows is implementation dependent." ::= { saTables 3 } ipsecSaIpcompInEntry OBJECT-TYPE SYNTAX IpsecSaIpcompInEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPsec inbound IPcomp SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX{ ipsecSaIpcompInAddress, ipsecSaIpcompInCpi } ::= { ipsecSaIpcompInTable 1 } IpsecSaIpcompInEntry::= SEQUENCE { -- identification ipsecSaIpcompInAddress IpsecIpv6Address, ipsecSaIpcompInCpi IpsecDoiIpcompTransform, -- SA selectors (if needed) ipsecSaIpcompInDestId IpsecRawId, ipsecSaIpcompInDestIdType IpsecDoiIdentType, ipsecSaIpcompInSourceId IpsecRawId, ipsecSaIpcompInSourceIdType IpsecDoiIdentType, ipsecSaIpcompInProtocol Integer32, ipsecSaIpcompInDestPort Integer32, ipsecSaIpcompInSourcePort Integer32, -- how created ipsecSaIpcompInCreator IpsecSaCreatorIdent, IPsec Working Group [Page 26] Internet Draft IPSec Monitoring MIB October 21, 1999 -- security services description ipsecSaIpcompInEncapsulation IpsecDoiEncapsulationMode, ipsecSaIpcompInDecompAlg IpsecDoiIpcompTransform, -- current operating statistics ipsecSaIpcompInSeconds Counter32, ipsecSaIpcompInUserOctets Counter64, ipsecSaIpcompInPackets Counter64, -- error statistics ipsecSaIpcompInDecompErrors Counter32, ipsecSaIpcompInOtherReceiveErrors Counter32 } ipsecSaIpcompInAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the SA. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { ipsecSaIpcompInEntry 1 } ipsecSaIpcompInCpi OBJECT-TYPE SYNTAX IpsecDoiIpcompTransform MAX-ACCESS read-only STATUS current DESCRIPTION "The CPI of the SA. Since the lower values of CPIs are reserved to be the same as the algorithm, the syntax for this object is the same as the transform." REFERENCE "RFC 2393 Section 3.3" ::= { ipsecSaIpcompInEntry 2 } ipsecSaIpcompInDestId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The destination identifier of the SA. It may be 0 if unknown or if the SA uses transport mode, or 0 if this SA is used with multiple SAs in security association suites. IPsec Working Group [Page 27] Internet Draft IPSec Monitoring MIB October 21, 1999 This value, if non-zero, is taken directly from the optional ID payloads that are exchanged during SA creation negotiation, or the equivalent process." ::= { ipsecSaIpcompInEntry 3 } ipsecSaIpcompInDestIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaIpcompInDestId'. It may be 0 if unknown or if the SA uses transport mode, or if this SA is used with multiple SAs in security association suites." ::= { ipsecSaIpcompInEntry 4 } ipsecSaIpcompInSourceId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The source identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation, or 0 if this SA is used with multiple SAs in security association suites. This value, if non-zero, is taken directly from the optional ID payloads that are exchanged during SA creation negotiation, or the equivalent process." ::= { ipsecSaIpcompInEntry 5 } ipsecSaIpcompInSourceIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaIpcompInSourceId'. It may be 0 if unknown or if the SA uses transport mode encapsulation, or if this SA is used with multiple SAs in security association suites." ::= { ipsecSaIpcompInEntry 6 } ipsecSaIpcompInProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this SA carries, or 0 if it carries any protocol." IPsec Working Group [Page 28] Internet Draft IPSec Monitoring MIB October 21, 1999 REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaIpcompInEntry 7 } ipsecSaIpcompInDestPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The destination port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaIpcompInEntry 8 } ipsecSaIpcompInSourcePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The source port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaIpcompInEntry 9 } ipsecSaIpcompInCreator OBJECT-TYPE SYNTAX IpsecSaCreatorIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The creator of this SA. This MIB makes no assumptions about how the SAs are created. They may be created statically, or by a key exchange protocol such as IKE, or by some other method." ::= { ipsecSaIpcompInEntry 10 } ipsecSaIpcompInEncapsulation OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this SA." ::= { ipsecSaIpcompInEntry 11 } ipsecSaIpcompInDecompAlg OBJECT-TYPE SYNTAX IpsecDoiIpcompTransform MAX-ACCESS read-only STATUS current IPsec Working Group [Page 29] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "A unique value representing the decompression algorithm applied to traffic." ::= { ipsecSaIpcompInEntry 12 } ipsecSaIpcompInSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds that the SA has existed." ::= { ipsecSaIpcompInEntry 13 } ipsecSaIpcompInUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the SA. This is the number of bytes of the uncompressed IP packet, including the original IP header of that uncompressed packet. Packets which are not decompressed by the SA are not counted in this total." ::= { ipsecSaIpcompInEntry 14 } ipsecSaIpcompInPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled by the SA." ::= { ipsecSaIpcompInEntry 15 } ipsecSaIpcompInDecompErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to decompression errors." ::= { ipsecSaIpcompInEntry 16 } ipsecSaIpcompInOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 IPsec Working Group [Page 30] Internet Draft IPSec Monitoring MIB October 21, 1999 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to errors other than decompression errors. This may include packets dropped due to a lack of receive buffers, and packets dropped due to congestion at the decompression element." ::= { ipsecSaIpcompInEntry 17 } -- the IPsec Outbound ESP MIB-Group -- -- a collection of objects providing information about -- IPsec Outbound ESP SAs ipsecSaEspOutTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaEspOutEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPsec Outbound ESP SAs. There should be one row for every outbound ESP security association that exists in the entity. The maximum number of rows is implementation dependent." ::= { saTables 4 } ipsecSaEspOutEntry OBJECT-TYPE SYNTAX IpsecSaEspOutEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPsec Outbound ESP SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX{ ipsecSaEspOutAddress, ipsecSaEspOutSpi } ::= { ipsecSaEspOutTable 1 } IpsecSaEspOutEntry::= SEQUENCE { -- identification ipsecSaEspOutAddress IpsecIpv6Address, ipsecSaEspOutSpi Unsigned32, IPsec Working Group [Page 31] Internet Draft IPSec Monitoring MIB October 21, 1999 -- SA selectors ipsecSaEspOutSourceId IpsecRawId, ipsecSaEspOutSourceIdType IpsecDoiIdentType, ipsecSaEspOutDestId IpsecRawId, ipsecSaEspOutDestIdType IpsecDoiIdentType, ipsecSaEspOutProtocol Integer32, ipsecSaEspOutSourcePort Integer32, ipsecSaEspOutDestPort Integer32, -- how created ipsecSaEspOutCreator IpsecSaCreatorIdent, -- security services description ipsecSaEspOutEncapsulation IpsecDoiEncapsulationMode, ipsecSaEspOutEncAlg IpsecDoiEspTransform, ipsecSaEspOutEncKeyLength Unsigned32, ipsecSaEspOutAuthAlg IpsecDoiAuthAlgorithm, ipsecSaEspOutAuthKeyLength Unsigned32, -- expiration limits ipsecSaEspOutLimitSeconds Unsigned32, -- sec., 0 if none ipsecSaEspOutLimitKbytes Unsigned32, -- 0 if none -- current operating statistics ipsecSaEspOutAccSeconds Counter32, ipsecSaEspOutAccKbytes Counter32, ipsecSaEspOutUserOctets Counter64, ipsecSaEspOutPackets Counter64, -- error statistics ipsecSaEspOutSendErrors Counter32 } ipsecSaEspOutAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the SA. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { ipsecSaEspOutEntry 1 } ipsecSaEspOutSpi OBJECT-TYPE SYNTAX Unsigned32 IPsec Working Group [Page 32] Internet Draft IPSec Monitoring MIB October 21, 1999 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the SA." REFERENCE"RFC 2406 Section 2.1" ::= { ipsecSaEspOutEntry 2 } ipsecSaEspOutSourceId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The source identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations, or the equivalent process." ::= { ipsecSaEspOutEntry 3 } ipsecSaEspOutSourceIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaEspOutSourceId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaEspOutEntry 4 } ipsecSaEspOutDestId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The destination identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations or the equivalent process." ::= { ipsecSaEspOutEntry 5 } ipsecSaEspOutDestIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current IPsec Working Group [Page 33] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The type of identifier presented by 'ipsecSaEspOutDestId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaEspOutEntry 6 } ipsecSaEspOutProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this SA carries, or 0 if it carries any protocol." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaEspOutEntry 7 } ipsecSaEspOutSourcePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The source port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaEspOutEntry 8 } ipsecSaEspOutDestPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The destination port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaEspOutEntry 9 } ipsecSaEspOutCreator OBJECT-TYPE SYNTAX IpsecSaCreatorIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The creator of this SA. This MIB makes no assumptions about how the SAs are created. They may be created statically, or by a key exchange protocol such as IKE, or by some other method." ::= { ipsecSaEspOutEntry 10 } IPsec Working Group [Page 34] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaEspOutEncapsulation OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this SA." ::= { ipsecSaEspOutEntry 11 } ipsecSaEspOutEncAlg OBJECT-TYPE SYNTAX IpsecDoiEspTransform MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the encryption algorithm applied to traffic or 0 if there is no encryption used." ::= { ipsecSaEspOutEntry 12 } ipsecSaEspOutEncKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the encryption key in bits used for the algorithm specified in the 'ipsecSaEspOutEncAlg' object. It may be 0 if the key length is implicit in the specified algorithm or there is no encryption specified." ::= { ipsecSaEspOutEntry 13 } ipsecSaEspOutAuthAlg OBJECT-TYPE SYNTAX IpsecDoiAuthAlgorithm MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic or 0 if there is no authentication used." ::= { ipsecSaEspOutEntry 14 } ipsecSaEspOutAuthKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current IPsec Working Group [Page 35] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The length of the authentication key in bits used for the algorithm specified in the 'ipsecSaEspOutAuthAlg' object. It may be 0 if the key length is implicit in the specified algorithm or there is no authentication specified." ::= { ipsecSaEspOutEntry 15 } ipsecSaEspOutLimitSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum lifetime in seconds of the SA, or 0 if there is no time constraint on its expiration. The display value is limited to 4294967295 seconds (more than 136 years); values greater than that value will be truncated." ::= { ipsecSaEspOutEntry 16 } ipsecSaEspOutLimitKbytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum traffic in bytes that the SA is allowed to process, or 0 if there is no traffic constraint on its expiration. The display value is limited to 4294967295 kilobytes; values greater than that value will be truncated." ::= { ipsecSaEspOutEntry 17 } ipsecSaEspOutAccSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds accumulated against the SA's expiration by time. This is also the number of seconds that the SA has existed." ::= { ipsecSaEspOutEntry 18 } IPsec Working Group [Page 36] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaEspOutAccKbytes OBJECT-TYPE SYNTAX Counter32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of traffic accumulated that counts against the SA's expiration by traffic limitation, measured in kilobytes. This value may be 0 if the SA does not expire based on traffic." ::= { ipsecSaEspOutEntry 19 } ipsecSaEspOutUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the SA. This is the number of bytes of the unencrypted IP packet, including the original IP header of that unencrypted packet. This is not necessarily the same as the amount of traffic applied against the traffic expiration limit due to padding or other protocol specific overhead." ::= { ipsecSaEspOutEntry 20 } ipsecSaEspOutPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled by the SA." ::= { ipsecSaEspOutEntry 21 } ipsecSaEspOutSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to any error. This may include errors due to a lack of transmit buffers." ::= { ipsecSaEspOutEntry 22 } IPsec Working Group [Page 37] Internet Draft IPSec Monitoring MIB October 21, 1999 -- the IPsec Outbound AH MIB-Group -- -- a collection of objects providing information about -- IPsec Outbound AH SAs ipsecSaAhOutTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaAhOutEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPsec Outbound AH SAs. There should be one row for every outbound AH security association that exists in the entity. The maximum number of rows is implementation dependent." ::= { saTables 5 } ipsecSaAhOutEntry OBJECT-TYPE SYNTAX IpsecSaAhOutEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPsec Outbound AH SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX{ ipsecSaAhOutAddress, ipsecSaAhOutSpi } ::= { ipsecSaAhOutTable 1 } IpsecSaAhOutEntry::= SEQUENCE { -- identification ipsecSaAhOutAddress IpsecIpv6Address, ipsecSaAhOutSpi Unsigned32, -- SA selectors ipsecSaAhOutSourceId IpsecRawId, ipsecSaAhOutSourceIdType IpsecDoiIdentType, ipsecSaAhOutDestId IpsecRawId, ipsecSaAhOutDestIdType IpsecDoiIdentType, ipsecSaAhOutProtocol Integer32, ipsecSaAhOutSourcePort Integer32, ipsecSaAhOutDestPort Integer32, -- how created ipsecSaAhOutCreator IpsecSaCreatorIdent, IPsec Working Group [Page 38] Internet Draft IPSec Monitoring MIB October 21, 1999 -- security services description ipsecSaAhOutEncapsulation IpsecDoiEncapsulationMode, ipsecSaAhOutAuthAlg IpsecDoiAhTransform, ipsecSaAhOutAuthKeyLength Unsigned32, -- expiration limits ipsecSaAhOutLimitSeconds Unsigned32, -- sec., 0 if none ipsecSaAhOutLimitKbytes Unsigned32, -- 0 if none -- current operating statistics ipsecSaAhOutAccSeconds Counter32, ipsecSaAhOutAccKbytes Counter32, ipsecSaAhOutUserOctets Counter64, ipsecSaAhOutPackets Counter64, -- error statistics ipsecSaAhOutSendErrors Counter32 } ipsecSaAhOutAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the SA. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { ipsecSaAhOutEntry 1 } ipsecSaAhOutSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the SA." REFERENCE"RFC 2402 Section 2.4" ::= { ipsecSaAhOutEntry 2 } ipsecSaAhOutSourceId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current IPsec Working Group [Page 39] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The source identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations, or the equivalent process." ::= { ipsecSaAhOutEntry 3 } ipsecSaAhOutSourceIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaAhOutSourceId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaAhOutEntry 4 } ipsecSaAhOutDestId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The destination identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation. This value is taken directly from the optional ID payloads that are exchanged during phase 2 negotiations, or the equivalent process." ::= { ipsecSaAhOutEntry 5 } ipsecSaAhOutDestIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaAhOutDestId'. It may be 0 if unknown or if the SA uses transport mode encapsulation." ::= { ipsecSaAhOutEntry 6 } ipsecSaAhOutProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current IPsec Working Group [Page 40] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The transport-layer protocol number that this SA carries, or 0 if it carries any protocol." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaAhOutEntry 7 } ipsecSaAhOutSourcePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The source port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaAhOutEntry 8 } ipsecSaAhOutDestPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The destination port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaAhOutEntry 9 } ipsecSaAhOutCreator OBJECT-TYPE SYNTAX IpsecSaCreatorIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The creator of this SA. This MIB makes no assumptions about how the SAs are created. They may be created statically, or by a key exchange protocol such as IKE, or by some other method." ::= { ipsecSaAhOutEntry 10 } ipsecSaAhOutEncapsulation OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this SA." ::= { ipsecSaAhOutEntry 11 } ipsecSaAhOutAuthAlg OBJECT-TYPE SYNTAX IpsecDoiAhTransform IPsec Working Group [Page 41] Internet Draft IPSec Monitoring MIB October 21, 1999 MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the hash algorithm applied to traffic carried by this SA." ::= { ipsecSaAhOutEntry 12 } ipsecSaAhOutAuthKeyLength OBJECT-TYPE SYNTAX Unsigned32 (0..65531) UNITS "bits" MAX-ACCESS read-only STATUS current DESCRIPTION "The length of the authentication key in bits used for the algorithm specified in the 'ipsecSaAhOutAuthAlg' object. It may be 0 if the key length is implicit in the specified algorithm." ::= { ipsecSaAhOutEntry 13 } ipsecSaAhOutLimitSeconds OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum lifetime in seconds of the SA, or 0 if there is no time constraint on its expiration. The display value is limited to 4294967295 seconds (more than 136 years); values greater than that value will be truncated." ::= { ipsecSaAhOutEntry 14 } ipsecSaAhOutLimitKbytes OBJECT-TYPE SYNTAX Unsigned32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The maximum traffic in bytes that the SA is allowed to process, or 0 if there is no traffic constraint on its expiration. The display value is limited to 4294967295 kilobytes; values greater than that value will be truncated." ::= { ipsecSaAhOutEntry 15 } IPsec Working Group [Page 42] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaAhOutAccSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds accumulated against the SA's expiration by time. This is also the number of seconds that the SA has existed." ::= { ipsecSaAhOutEntry 16 } ipsecSaAhOutAccKbytes OBJECT-TYPE SYNTAX Counter32 UNITS "kilobytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of traffic accumulated that counts against the SA's expiration by traffic limitation, measured in kilobytes. This value may be 0 if the SA does not expire based on traffic." ::= { ipsecSaAhOutEntry 17 } ipsecSaAhOutUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the SA. This is the number of bytes of the unprocessed IP packet, including the original IP header of that unprocessed packet. This is not necessarily the same as the amount of traffic applied against the traffic expiration limit due to padding or other protocol specific overhead." ::= { ipsecSaAhOutEntry 18 } ipsecSaAhOutPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current IPsec Working Group [Page 43] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The number of packets handled by the SA." ::= { ipsecSaAhOutEntry 19 } ipsecSaAhOutSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets discarded by the SA due to any error. This may include errors due to a lack of transmit buffers." ::= { ipsecSaAhOutEntry 20 } -- the IPsec Outbound IPcomp MIB-Group -- -- a collection of objects providing information about -- IPsec Outbound IPcomp SAs ipsecSaIpcompOutTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecSaIpcompOutEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on IPsec Outbound IPcomp SAs. There should be one row for every outbound IPcomp (security) association that exists in the entity. The maximum number of rows is implementation dependent." ::= { saTables 6 } ipsecSaIpcompOutEntry OBJECT-TYPE SYNTAX IpsecSaIpcompOutEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular IPsec Outbound IPcomp SA. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX{ ipsecSaIpcompOutAddress, ipsecSaIpcompOutCpi } ::= { ipsecSaIpcompOutTable 1 } IPsec Working Group [Page 44] Internet Draft IPSec Monitoring MIB October 21, 1999 IpsecSaIpcompOutEntry::= SEQUENCE { -- identification ipsecSaIpcompOutAddress IpsecIpv6Address, ipsecSaIpcompOutCpi IpsecDoiIpcompTransform, -- SA selectors ipsecSaIpcompOutSourceId IpsecRawId, ipsecSaIpcompOutSourceIdType IpsecDoiIdentType, ipsecSaIpcompOutDestId IpsecRawId, ipsecSaIpcompOutDestIdType IpsecDoiIdentType, ipsecSaIpcompOutProtocol Integer32, ipsecSaIpcompOutSourcePort Integer32, ipsecSaIpcompOutDestPort Integer32, -- how created ipsecSaIpcompOutCreator IpsecSaCreatorIdent, -- security services description ipsecSaIpcompOutEncapsulation IpsecDoiEncapsulationMode, ipsecSaIpcompOutCompAlg IpsecDoiIpcompTransform, -- current operating statistics ipsecSaIpcompOutSeconds Counter32, ipsecSaIpcompOutUserOctets Counter64, ipsecSaIpcompOutOutputOctets Counter64, ipsecSaIpcompOutPackets Counter64 } ipsecSaIpcompOutAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS read-only STATUS current DESCRIPTION "The destination address of the SA. If the IPcomp SA is shared across multiple SAs in security association suites, this value may be 0. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { ipsecSaIpcompOutEntry 1 } ipsecSaIpcompOutCpi OBJECT-TYPE SYNTAX IpsecDoiIpcompTransform MAX-ACCESS read-only IPsec Working Group [Page 45] Internet Draft IPSec Monitoring MIB October 21, 1999 STATUS current DESCRIPTION "The CPI of the SA. Since the lower values of CPIs are reserved to be the same as the algorithm, the syntax for this object is the same as the transform." REFERENCE "RFC 2393 Section 3.3" ::= { ipsecSaIpcompOutEntry 2 } ipsecSaIpcompOutSourceId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The source identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation, or if this SA is used with multiple SAs in security association suites. This value, if non-zero, is taken directly from the optional ID payloads that are exchange during phase 2 negotiations or the equivalent process." ::= { ipsecSaIpcompOutEntry 3 } ipsecSaIpcompOutSourceIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaIpcompOutSourceId'. It may be 0 if unknown or if the SA uses transport mode encapsulation, or if this SA is used with multiple SAs in security association suites." ::= { ipsecSaIpcompOutEntry 4 } ipsecSaIpcompOutDestId OBJECT-TYPE SYNTAX IpsecRawId MAX-ACCESS read-only STATUS current DESCRIPTION "The destination identifier of the SA. It may be 0 if unknown or if the SA uses transport mode encapsulation, or if this SA is used with multiple SAs in security association suites. This value, if non-zero, is taken directly from the optional ID payloads that are exchange during phase 2 negotiations or the equivalent process." ::= { ipsecSaIpcompOutEntry 5 } IPsec Working Group [Page 46] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaIpcompOutDestIdType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of identifier presented by 'ipsecSaIpcompOutDestId', or 0 if unknown or if the SA uses transport mode encapsulation, or 0 if this SA is used with multiple SAs in security association suites." ::= { ipsecSaIpcompOutEntry 6 } ipsecSaIpcompOutProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The transport-layer protocol number that this SA carries, or 0 if it carries any protocol." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaIpcompOutEntry 7 } ipsecSaIpcompOutSourcePort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The source port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaIpcompOutEntry 8 } ipsecSaIpcompOutDestPort OBJECT-TYPE SYNTAX Integer32 (0.. 65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The destination port number of the protocol that this SA carries, or 0 if it carries any port number." REFERENCE "RFC 2401 section 4.4.2" ::= { ipsecSaIpcompOutEntry 9 } ipsecSaIpcompOutCreator OBJECT-TYPE SYNTAX IpsecSaCreatorIdent MAX-ACCESS read-only STATUS current DESCRIPTION "The creator of this SA. IPsec Working Group [Page 47] Internet Draft IPSec Monitoring MIB October 21, 1999 This MIB makes no assumptions about how the SAs are created. They may be created statically, or by a key exchange protocol such as IKE, or by some other method." ::= { ipsecSaIpcompOutEntry 10 } ipsecSaIpcompOutEncapsulation OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-only STATUS current DESCRIPTION "The type of encapsulation used by this SA." ::= { ipsecSaIpcompOutEntry 11 } ipsecSaIpcompOutCompAlg OBJECT-TYPE SYNTAX IpsecDoiIpcompTransform MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value representing the compression algorithm applied to traffic." ::= { ipsecSaIpcompOutEntry 12 } ipsecSaIpcompOutSeconds OBJECT-TYPE SYNTAX Counter32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of seconds that the SA has existed." ::= { ipsecSaIpcompOutEntry 13 } ipsecSaIpcompOutUserOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The amount of user level traffic measured in bytes handled by the SA. This is the number of bytes of the decompressed IP packet, including the original IP header of that decompressed packet." ::= { ipsecSaIpcompOutEntry 14 } ipsecSaIpcompOutOutputOctets OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current IPsec Working Group [Page 48] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The amount of traffic measured in bytes output by the SA. This includes byte counts from packets compressed by the SA and also packets not modified by the SA. This object can be divided into the 'ipsecSaIpcompOutUserOctets' object to get a compression performance metric for the SA." ::= { ipsecSaIpcompOutEntry 15 } ipsecSaIpcompOutPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets handled by the SA. This includes packets that were both compressed and not compressed." ::= { ipsecSaIpcompOutEntry 16 } -- -- entity IPsec statistics -- ipsecEspCurrentInboundSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of inbound ESP SAs in the entity." ::= { saStatistics 1 } ipsecEspTotalInboundSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound ESP SAs created in the entity since boot time." ::= { saStatistics 2 } ipsecEspCurrentOutboundSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of outbound ESP SAs in the entity." ::= { saStatistics 3 } IPsec Working Group [Page 49] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecEspTotalOutboundSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound ESP SAs created in the entity since boot time." ::= { saStatistics 4 } ipsecAhCurrentInboundSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of inbound AH SAs in the entity." ::= { saStatistics 5 } ipsecAhTotalInboundSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound AH SAs created in the entity since boot time." ::= { saStatistics 6 } ipsecAhCurrentOutboundSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of outbound AH SAs in the entity." ::= { saStatistics 7 } ipsecAhTotalOutboundSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound AH SAs created in the entity since boot time." ::= { saStatistics 8 } ipsecIpcompCurrentInboundSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current IPsec Working Group [Page 50] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The current number of inbound IPcomp SAs in the entity." ::= { saStatistics 9 } ipsecIpcompTotalInboundSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound IPcomp SAs created in the entity since boot time." ::= { saStatistics 10 } ipsecIpcompCurrentOutboundSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The current number of outbound IPcomp SAs in the entity." ::= { saStatistics 11 } ipsecIpcompTotalOutboundSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound IPcomp SAs created in the entity since boot time." ::= { saStatistics 12 } -- -- IPsec error counts -- ipsecDecryptionErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in SAs since boot time with detectable decryption errors. Not all decryption errors are detectable within SA processing, so this count should not be considered definitive." ::= { saErrors 1 } ipsecAuthenticationErrors OBJECT-TYPE SYNTAX Counter32 IPsec Working Group [Page 51] Internet Draft IPSec Monitoring MIB October 21, 1999 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in SAs since boot time with authentication errors. This includes all packets in which the hash value is determined to be invalid, for both ESP and AH SAs." ::= { saErrors 2 } ipsecReplayErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in SAs since boot time with replay errors." ::= { saErrors 3 } ipsecPolicyErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in SAs since boot time and discarded due to policy errors. This includes packets that had selectors that were invalid for the SA that carried them, and also includes packets that arrived at the entity in the clear and that should have been protected by IPsec or should have been dropped." ::= { saErrors 4 } ipsecOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity in SAs since boot time and discarded due to errors not due to decryption, authentication, replay or policy." ::= { saErrors 5 } ipsecSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current IPsec Working Group [Page 52] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "The total number of packets to be sent by the entity in SAs since boot time and discarded due to errors." ::= { saErrors 6 } ipsecUnknownSpiErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets received by the entity since boot time with SPIs or CPIs that were not valid." ::= { saErrors 7 } -- -- traps -- -- -- some objects used in trap reporting -- ipsecSecurityProtocol OBJECT-TYPE SYNTAX IpsecDoiSecProtocolId MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "A security protocol associated with the trap." ::= { saTrapObjects 1 } ipsecSPI OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "An SPI associated with a trap. Where the security protocol associated with the trap is IPcomp, this value has a maximum of 65535." ::= { saTrapObjects 2 } ipsecLocalAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "A local IP address associated with the trap. IPsec Working Group [Page 53] Internet Draft IPSec Monitoring MIB October 21, 1999 IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { saTrapObjects 3 } ipsecPeerAddress OBJECT-TYPE SYNTAX IpsecIpv6Address MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "A peer IP address associated with the trap. IPv4 entities will prefix the IP address with '0000:0000:0000:0000:0000:FFFF::'." ::= { saTrapObjects 4 } -- -- trap control -- espAuthFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether espAuthFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 1 } ahAuthFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether ahAuthFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 2 } espReplayFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether espReplayFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 3 } IPsec Working Group [Page 54] Internet Draft IPSec Monitoring MIB October 21, 1999 ahReplayFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether ahReplayFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 4 } espPolicyFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether espPolicyFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 5 } ahPolicyFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether ahPolicyFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 6 } invalidSpiTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Indicates whether invalidSpiTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 7 } otherPolicyFailureTrapEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current IPsec Working Group [Page 55] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "Indicates whether otherPolicyFailureTrap traps should be generated." DEFVAL { false } ::= { saTrapControl 8 } -- -- the traps themselves -- espAuthFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecSaEspInAuthErrors } STATUS current DESCRIPTION "IPsec packets with invalid hashes were found in an inbound ESP SA. The total number of authentication errors accumulated is sent for the specific row of the 'ipsecSaEspInTable' table for the SA; this provides the identity of the SA in which the error occurred. Implementations SHOULD send one trap per SA (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 1 } ahAuthFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecSaAhInAuthErrors } STATUS current DESCRIPTION "IPsec packets with invalid hashes were found in an inbound AH SA. The total number of authentication errors accumulated is sent for the specific row of the 'ipsecSaAhInTable' table for the SA; this provides the identity of the SA in which the error occurred. Implementations SHOULD send one trap per SA (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 2 } espReplayFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecSaEspInReplayErrors } IPsec Working Group [Page 56] Internet Draft IPSec Monitoring MIB October 21, 1999 STATUS current DESCRIPTION "IPsec packets with invalid sequence numbers were found in an inbound ESP SA. The total number of replay errors accumulated is sent for the specific row of the 'ipsecSaEspInTable' table for the SA; this provides the identity of the SA in which the error occurred. Implementations SHOULD send one trap per SA (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 3 } ahReplayFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecSaAhInReplayErrors } STATUS current DESCRIPTION "IPsec packets with invalid sequence numbers were found in the specified AH SA. The total number of replay errors accumulated is sent for the specific row of the 'ipsecSaAhInTable' table for the SA; this provides the identity of the SA in which the error occurred. Implementations SHOULD send one trap per SA (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 4 } espPolicyFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecSaEspInPolicyErrors } STATUS current DESCRIPTION "IPsec packets carrying packets with invalid selectors for the specified ESP SA were found. The total number of policy errors accumulated is sent for the specific row of the 'ipsecSaEspInTable' table for the SA; this provides the identity of the SA in which the error occurred. Implementations SHOULD send one trap per SA (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 5 } IPsec Working Group [Page 57] Internet Draft IPSec Monitoring MIB October 21, 1999 ahPolicyFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecSaAhInPolicyErrors } STATUS current DESCRIPTION "IPsec packets carrying packets with invalid selectors for the specified AH SA were found. The total number of policy errors accumulated is sent for the specific row of the 'ipsecSaAhInTable' table for the SA; this provides the identity of the SA in which the error occurred. Implementations SHOULD send one trap per SA (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 6 } espInvalidSpiTrap NOTIFICATION-TYPE OBJECTS { ipsecLocalAddress, ipsecSecurityProtocol, ipsecPeerAddress, ipsecSPI, ifIndex } STATUS current DESCRIPTION "A packet with an unknown SPI was detected from the specified peer with the specified SPI using the specified protocol. The destination address of the received packet is specified by 'ipsecLocalAddress'. The value 'ifIndex' may be 0 if this optional linkage is unsupported. If the object 'ipsecSecurityProtocol' has the value for IPcomp, then the 'ipsecSPI' object is the CPI of the packet. Implementations SHOULD send one trap per peer (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 7 } otherPolicyFailureTrap NOTIFICATION-TYPE OBJECTS { ipsecPolicyErrors, ipsecPeerAddress, ipsecLocalAddress IPsec Working Group [Page 58] Internet Draft IPSec Monitoring MIB October 21, 1999 } STATUS current DESCRIPTION "Clear packets were found that should not have been sent to the entity in the clear. The total number of policy errors accumulated by the entity is sent, along with the source and destination addresses of the packet that triggered the trap. Implementations SHOULD send one trap per source address pair (within a reasonable time period), rather than sending one trap per packet." ::= { saTraps 0 8 } -- -- Units of Conformance (Object Groups) -- ipsecSaEspGroup OBJECT-GROUP OBJECTS { ipsecSaEspInAddress, ipsecSaEspInSpi, ipsecSaEspInDestId, ipsecSaEspInDestIdType, ipsecSaEspInSourceId, ipsecSaEspInSourceIdType, ipsecSaEspInProtocol, ipsecSaEspInDestPort, ipsecSaEspInSourcePort, ipsecSaEspInCreator, ipsecSaEspInEncapsulation, ipsecSaEspInEncAlg, ipsecSaEspInEncKeyLength, ipsecSaEspInAuthAlg, ipsecSaEspInAuthKeyLength, ipsecSaEspInRepWinSize, ipsecSaEspInLimitSeconds, ipsecSaEspInLimitKbytes, ipsecSaEspInAccSeconds, ipsecSaEspInAccKbytes, ipsecSaEspInUserOctets, ipsecSaEspInPackets, ipsecSaEspInDecryptErrors, ipsecSaEspInAuthErrors, ipsecSaEspInReplayErrors, ipsecSaEspInPolicyErrors, ipsecSaEspInPadErrors, ipsecSaEspInOtherReceiveErrors, ipsecSaEspOutAddress, ipsecSaEspOutSpi, ipsecSaEspOutSourceId, ipsecSaEspOutSourceIdType, ipsecSaEspOutDestId, ipsecSaEspOutDestIdType, ipsecSaEspOutProtocol, ipsecSaEspOutSourcePort, ipsecSaEspOutDestPort, ipsecSaEspOutCreator, ipsecSaEspOutEncapsulation, ipsecSaEspOutEncAlg, ipsecSaEspOutAuthKeyLength, ipsecSaEspOutEncKeyLength, ipsecSaEspOutAuthAlg, ipsecSaEspOutLimitSeconds, ipsecSaEspOutLimitKbytes, ipsecSaEspOutAccSeconds, ipsecSaEspOutAccKbytes, ipsecSaEspOutUserOctets, ipsecSaEspOutPackets, ipsecSaEspOutSendErrors, ipsecEspCurrentInboundSAs, ipsecEspTotalInboundSAs, ipsecEspCurrentOutboundSAs, ipsecEspTotalOutboundSAs } STATUS current IPsec Working Group [Page 59] Internet Draft IPSec Monitoring MIB October 21, 1999 DESCRIPTION "A collection of objects that describe the state of the security associations of the ESP protocol." ::= { saGroups 1 } ipsecSaAhGroup OBJECT-GROUP OBJECTS { ipsecSaAhInAddress, ipsecSaAhInSpi, ipsecSaAhInDestId, ipsecSaAhInDestIdType, ipsecSaAhInSourceId, ipsecSaAhInSourceIdType, ipsecSaAhInProtocol, ipsecSaAhInDestPort, ipsecSaAhInSourcePort, ipsecSaAhInCreator, ipsecSaAhInEncapsulation, ipsecSaAhInAuthAlg, ipsecSaAhInAuthKeyLength, ipsecSaAhInRepWinSize, ipsecSaAhInLimitSeconds, ipsecSaAhInLimitKbytes, ipsecSaAhInAccSeconds, ipsecSaAhInAccKbytes, ipsecSaAhInUserOctets, ipsecSaAhInPackets, ipsecSaAhInAuthErrors, ipsecSaAhInReplayErrors, ipsecSaAhInPolicyErrors, ipsecSaAhInOtherReceiveErrors, ipsecSaAhOutAddress, ipsecSaAhOutSpi, ipsecSaAhOutSourceId, ipsecSaAhOutSourceIdType, ipsecSaAhOutDestId, ipsecSaAhOutDestIdType, ipsecSaAhOutProtocol, ipsecSaAhOutSourcePort, ipsecSaAhOutDestPort, ipsecSaAhOutCreator, ipsecSaAhOutEncapsulation, ipsecSaAhOutAuthAlg, ipsecSaAhOutAuthKeyLength, ipsecSaAhOutLimitSeconds, ipsecSaAhOutLimitKbytes, ipsecSaAhOutAccSeconds, ipsecSaAhOutAccKbytes, ipsecSaAhOutUserOctets, ipsecSaAhOutPackets, ipsecSaAhOutSendErrors, ipsecAhCurrentInboundSAs, ipsecAhTotalInboundSAs, ipsecAhCurrentOutboundSAs, ipsecAhTotalOutboundSAs } STATUS current DESCRIPTION "A collection of objects that describe the state of the security associations of the AH protocol." ::= { saGroups 2 } ipsecSaIpcompGroup OBJECT-GROUP OBJECTS { ipsecSaIpcompInAddress, ipsecSaIpcompInCpi, ipsecSaIpcompInDestId, ipsecSaIpcompInDestIdType, ipsecSaIpcompInSourceId, ipsecSaIpcompInSourceIdType, ipsecSaIpcompInProtocol, ipsecSaIpcompInDestPort, ipsecSaIpcompInSourcePort, ipsecSaIpcompInCreator, ipsecSaIpcompInEncapsulation, ipsecSaIpcompInDecompAlg, ipsecSaIpcompInSeconds, ipsecSaIpcompInUserOctets, ipsecSaIpcompInPackets, ipsecSaIpcompInDecompErrors, IPsec Working Group [Page 60] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaIpcompInOtherReceiveErrors, ipsecSaIpcompOutAddress, ipsecSaIpcompOutCpi, ipsecSaIpcompOutSourceId, ipsecSaIpcompOutSourceIdType, ipsecSaIpcompOutDestId, ipsecSaIpcompOutDestIdType, ipsecSaIpcompOutProtocol, ipsecSaIpcompOutSourcePort, ipsecSaIpcompOutDestPort, ipsecSaIpcompOutCreator, ipsecSaIpcompOutEncapsulation, ipsecSaIpcompOutCompAlg, ipsecSaIpcompOutSeconds, ipsecSaIpcompOutUserOctets, ipsecSaIpcompOutOutputOctets, ipsecSaIpcompOutPackets, ipsecIpcompCurrentInboundSAs, ipsecIpcompTotalInboundSAs, ipsecIpcompCurrentOutboundSAs, ipsecIpcompTotalOutboundSAs } STATUS current DESCRIPTION "A collection of objects that describe the state of the security associations of the IPComp protocol." ::= { saGroups 3 } ipsecSaErrorsGroup OBJECT-GROUP OBJECTS { ipsecDecryptionErrors, ipsecAuthenticationErrors, ipsecReplayErrors, ipsecPolicyErrors, ipsecOtherReceiveErrors, ipsecUnknownSpiErrors, ipsecSendErrors } STATUS current DESCRIPTION "A collection of objects providing global IPsec error counters." ::= { saGroups 4 } ipsecSaFailureTrapEnableGroup OBJECT-GROUP OBJECTS { espAuthFailureTrapEnable, ahAuthFailureTrapEnable, espReplayFailureTrapEnable, ahReplayFailureTrapEnable, espPolicyFailureTrapEnable, ahPolicyFailureTrapEnable, invalidSpiTrapEnable, otherPolicyFailureTrapEnable } STATUS current DESCRIPTION "A collection of objects providing control over trap generation." ::= { saGroups 5 } IPsec Working Group [Page 61] Internet Draft IPSec Monitoring MIB October 21, 1999 ipsecSaTrapArgumentGroup OBJECT-GROUP OBJECTS { ipsecSecurityProtocol, ipsecSPI, ipsecLocalAddress, ipsecPeerAddress } STATUS current DESCRIPTION "A collection of objects used only as arguments in traps." ::= { saGroups 6 } ipsecSaFailureTrapGroup NOTIFICATION-GROUP NOTIFICATIONS { espAuthFailureTrap, ahAuthFailureTrap, espReplayFailureTrap, ahReplayFailureTrap, espPolicyFailureTrap, ahPolicyFailureTrap, espInvalidSpiTrap, otherPolicyFailureTrap } STATUS current DESCRIPTION "A collection of traps." ::= { saGroups 7 } -- -- Compliance statements -- ipsecSaMonitorCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMPv2 entities which implement the IPsec Monitoring MIB." MODULE -- this module MANDATORY-GROUPS { ipsecSaEspGroup, ipsecSaAhGroup, ipsecSaErrorsGroup, ipsecSaFailureTrapEnableGroup, ipsecSaFailureTrapGroup } -- Allow all the trap controls to be read-only OBJECT espAuthFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, IPsec Working Group [Page 62] Internet Draft IPSec Monitoring MIB October 21, 1999 there must be other means of controlling the generation of the associated trap." OBJECT ahAuthFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." OBJECT espReplayFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." OBJECT ahReplayFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." OBJECT espPolicyFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." OBJECT ahPolicyFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it IPsec Working Group [Page 63] Internet Draft IPSec Monitoring MIB October 21, 1999 SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." OBJECT invalidSpiTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." OBJECT otherPolicyFailureTrapEnable MIN-ACCESS read-only DESCRIPTION "If an implementation cannot properly secure this variable against unauthorized write access, it SHOULD implement it as read-only, to prevent the security risk of enabling the traps. Of course, there must be other means of controlling the generation of the associated trap." GROUP ipsecSaIpcompGroup DESCRIPTION "This group is mandatory only for those systems that implement the IPComp protocol as a part of the IPsec suite." ::= { saConformance 1 } END 6. Security Considerations This MIB contains readable objects whose values provide information related to IPsec SAs. While some of the information is readily available by monitoring the traffic into an entity, other information may provide attackers with more information than an administrator may desire. Some of the specific concerns are related to the display of the algorithms and key lengths associated with encryption, and the feedback of error counters and traps that enable an attacker to quickly determine the effect of his or her attacks. IPsec Working Group [Page 64] Internet Draft IPSec Monitoring MIB October 21, 1999 Specific examples of this include, but are not limited to: o Replay counts that tell attackers that replay values are being checked, and what the current window is. o Specific algorithms and key lengths are displayed, giving attackers a better idea of how to attack. o Specific traffic counts, giving attackers more information for traffic analysis. Of particular concern is the ability to disable the transmission of traps. The traps defined in this MIB may appear due to badly configured systems and transient error conditions, but they may also appear due to attacks. If an attacker can disable these traps, they reduce some of the warnings that may be provided to system administrators. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these object when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment. SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB. It is recommended that the implementers consider the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 2574 [RFC2574] and the View- based Access Control Model RFC 2575 [RFC2575] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB, is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. 7. Acknowledgments This document is based in part on an earlier proposal titled "draft- ietf-ipsec-mib-xx.txt". That series was abandoned, since it included application specific constructs in addition to the IPsec only objects. IPsec Working Group [Page 65] Internet Draft IPSec Monitoring MIB October 21, 1999 Portions of the original document's origins were based on the working paper "IP Security Management Information Base" by R. Thayer and U. Blumenthal. Contribution to the IPsec MIB series of documents comes from D. McDonald, M. Baugher, C. Brooks, C. Powell, M. Daniele, T. Kivinen, J. Walker, S. Kelly, J. Leonard, M. Richardson, R. Charlet, S. Waters and others participating in the IPsec WG. 8. References [ESP] Kent, S., Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998 [AH] Kent, S., Atkinson, R., "IP Authentication Header", RFC 2402, November 1998 [IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB using SMIv2", RFC2233 [IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)", RFC 2409, November 1998 [IPCOMP]Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP Payload Compression Protocol (IPComp)", RFC 2393, December 1998 [IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998 [IPSECTC] Shriver, J., "IPSec DOI Textual Conventions MIB ", work in progress, October 13, 1999 [IPV6AA]Hinden, R., Deering, S., "IP Version 6 Addressing Architecture", RFC 2373, July 1998 [ISAKMP]Maughan, D., Schertler, M., Schneider, M., and Turner, J., "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998 [RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990 [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, May 1990. IPsec Working Group [Page 66] Internet Draft IPSec Monitoring MIB October 21, 1999 [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991 [RFC1215] M. Rose, "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991 [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996. [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996. [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996. [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 2570, April 1999 [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999 [RFC2572] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999 [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2573, April 1999 [RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999 [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999 [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999 [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999 IPsec Working Group [Page 67] Internet Draft IPSec Monitoring MIB October 21, 1999 [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999 [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998 Authors' Addresses Tim Jenkins tjenkins@timestep.com TimeStep Corporation 362 Terry Fox Drive Kanata, ON Canada K2K 2P5 +1 (613) 599-3610 John Shriver John.Shriver@intel.com Intel Corporation 28 Crosby Drive Bedford, MA 01730 +1 (781) 687-1329 The IPsec working group can be contacted via the IPsec working group's mailing list (ipsec@lists.tislabs.com) or through its chairs: Robert Moskowitz rgm@icsa.net International Computer Security Association Theodore Y. Ts'o tytso@MIT.EDU Massachusetts Institute of Technology Expiration This document expires April 21, 2000. IPsec Working Group [Page 68]