idnits 2.17.1

draft-ietf-ipsec-monitor-mib-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 3611 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Abstract section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack an Authors' Addresses Section.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 2844: '... Implementations SHOULD send one trap ...'
     RFC 2119 keyword, line 2861: '... Implementations SHOULD send one trap ...'
     RFC 2119 keyword, line 2878: '... Implementations SHOULD send one trap ...'
     RFC 2119 keyword, line 2895: '... Implementations SHOULD send one trap ...'
     RFC 2119 keyword, line 2912: '... Implementations SHOULD send one trap ...'
     (11 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 15, 2003) is 7675 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'ISAKMP' is mentioned on line 113, but not defined

  == Missing Reference: 'IPCOMP' is mentioned on line 123, but not defined

  == Unused Reference: 'ADDRMIB' is defined on line 3429, but no explicit
     reference was found in the text

  == Unused Reference: 'IGMIB' is defined on line 3433, but no explicit
     reference was found in the text

  == Unused Reference: 'IPSECTC' is defined on line 3436, but no explicit
     reference was found in the text

  == Unused Reference: 'AH' is defined on line 3501, but no explicit
     reference was found in the text

  == Unused Reference: 'ESP' is defined on line 3504, but no explicit
     reference was found in the text

  == Unused Reference: 'IKE' is defined on line 3507, but no explicit
     reference was found in the text

  == Unused Reference: 'IPDOI' is defined on line 3514, but no explicit
     reference was found in the text

  == Unused Reference: 'SECARCH' is defined on line 3521, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2851 (ref. 'ADDRMIB') (Obsoleted by
     RFC 3291)

  ** Obsolete normative reference: RFC 2233 (ref. 'IGMIB') (Obsoleted by
     RFC 2863)

  == Outdated reference: A later version (-07) exists of
     draft-ietf-ipsec-doi-tc-mib-05

  ** Downref: Normative reference to an Historic RFC: RFC 1157

  ** Downref: Normative reference to an Informational RFC: RFC 1215

  ** Downref: Normative reference to an Historic RFC: RFC 1901

  ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 1906 (Obsoleted by RFC 3417)

  ** Obsolete normative reference: RFC 2570 (Obsoleted by RFC 3410)

  ** Obsolete normative reference: RFC 2571 (Obsoleted by RFC 3411)

  ** Obsolete normative reference: RFC 2572 (Obsoleted by RFC 3412)

  ** Obsolete normative reference: RFC 2573 (Obsoleted by RFC 3413)

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  -- Obsolete informational reference (is this intentional?): RFC 2402
     (ref. 'AH') (Obsoleted by RFC 4302, RFC 4305)

  -- Obsolete informational reference (is this intentional?): RFC 2406
     (ref. 'ESP') (Obsoleted by RFC 4303, RFC 4305)

  -- Obsolete informational reference (is this intentional?): RFC 2409
     (ref. 'IKE') (Obsoleted by RFC 4306)

  -- Obsolete informational reference (is this intentional?): RFC 2407
     (ref. 'IPDOI') (Obsoleted by RFC 4306)

  -- Obsolete informational reference (is this intentional?): RFC 2401
     (ref. 'SECARCH') (Obsoleted by RFC 4301)

     Summary: 19 errors (**), 0 flaws (~~), 13 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

Internet Draft                                        Editor: Paul Hoffman
draft-ietf-ipsec-monitor-mib-06.txt                         VPN Consortium
                                                            April 15, 2003
Expires in six months

                           IPsec Monitoring MIB

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Table of Contents

   [[ Needs to be generated in the RFC publication step ]]

1. Introduction

   This document defines low level monitoring and status MIBs for IPsec security associations (SAs). It does not define MIBs that may be used for configuring IPsec implementations or for providing low-level diagnostic or debugging information. It assumes no specific use of IPsec. Further, it does not provide policy information.

   The purpose of the MIBs is to allow system administrators to determine operating conditions and perform system operational level monitoring of the IPsec portion of their network. Statistics are provided as well. Additionally, it may be used as the basis for application specific MIBs for specific uses of IPsec SAs.

2. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215 [RFC1215]. The second version, called SMIv2, is described in STD 58, RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580 [RFC2580].

   o  Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [RFC1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906 [RFC1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [RFC1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [RFC1905].

   o  A set of fundamental applications described in RFC 2573 [RFC2573] and the view-based access control mechanism described in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations.
   The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine-readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine-readable information is not considered to change the semantics of the MIB.

2.1 Object Definitions

   Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type.

3. Definitions

3.1 Security Association

   These MIBs use the RFC 2401 [ISAKMP] Section 4.1 identification of a security association (SA).

      "A security association is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier."

   As such, an SA in these MIBs is a unidirectional entity. IKE negotiates these in pairs, outbound and inbound.

   For IPcomp [IPCOMP] SAs, a CPI (Compression Parameter Index) replaces the SPI.

3.2 Inbound

   In the inbound direction, a packet crosses an interface of a logical or physical entity and enters the entity. No assumption is made about what happens to the packet after it enters the entity.

   An inbound SA then is an SA that processes inbound packets at an interface.
3.3 Outbound

   In the outbound direction, a packet crosses an interface of a logical or physical entity and leaves the entity. No assumption is made about the origins of the packet before it exits the entity.

   An outbound SA then is an SA that processes outbound packets at an interface.

4. IPsec MIB Objects Architecture

   The IPsec MIB consists of tables for the display of raw IPsec security associations (SAs), some entity statistics and traps. Configuration about the SAs is provided as are statistics related to the SAs themselves. However, no ability is provided to configure the SAs themselves.

   The intent is that these MIBs may be used by any entity that somehow creates IPsec SAs. That creation mechanism can be IKE, static configuration or some other key exchange protocol.

   System administrators may use the traps to help detect misconfigurations or possible attacks.

4.1 IPsec Security Association Tables

   Due to the definition of the identification of an SA (see Section 3.1), individual SAs in these MIBs are indexed by the equivalent three objects, where the security protocol is implicit by the SA's appearance in a particular table. Further, for the purposes of these MIBs, IPcomp is considered a security protocol.

   Individual IPsec phase 2 SAs are separated by both direction and security protocol, resulting in the creation of six separate tables.

   All tables contain common information, such as the selectors and expiration limits, in addition to protocol specific information. The selectors are important objects with respect to phase 2 SAs and can be shared across multiple SAs, so there is a table of SA selectors.

   The SAs in the tables may have been statically created, created by IKE or by some other mechanism.

   When SAs expire, they are removed from the table. There is no SA history kept with the exception of some global counters.
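   To make the three-object indexing concrete, the following is an added example (not part of this draft and not from any IPsec implementation) that builds and parses the index of an ipsecSaEspInEntry row from its InetAddressType, InetAddress and SPI index objects, and evaluates two polls of such a row for lifetime consumption and error-counter growth. It assumes the standard SMIv2 index encoding (a non-IMPLIED variable-length string index is its length followed by its octets); the EspInRow record, its sample values and the error-ratio threshold are constructed for illustration.

```python
"""Added example: index handling and a health check for ipsecSaEspInTable rows.

Not from the draft. Assumes the table is indexed exactly as the draft says,
by ipsecSaEspInAddressType (InetAddressType), ipsecSaEspInAddress
(InetAddress, a variable-length OCTET STRING) and ipsecSaEspInSpi
(Unsigned32). Under SMIv2 a non-IMPLIED variable-length string index is
encoded as its length followed by one sub-identifier per octet; an integer
index is a single sub-identifier. Row values and thresholds are constructed.
"""
from dataclasses import dataclass
import ipaddress

IPV4, IPV6 = 1, 2                 # InetAddressType enumeration values
ADDR_LEN = {IPV4: 4, IPV6: 16}    # octets carried for each address type


def encode_sa_index(addr: str, spi: int) -> list:
    """Return the index sub-identifiers for one inbound ESP SA row."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit an Unsigned32")
    ip = ipaddress.ip_address(addr)
    atype = IPV4 if ip.version == 4 else IPV6
    return [atype, len(ip.packed), *ip.packed, spi]


def decode_sa_index(subids) -> tuple:
    """Parse index sub-identifiers back into (destination address, SPI).

    Rejects a length that does not match the declared address type, so a
    malformed OID returned by an agent cannot be attributed to another SA.
    """
    subids = list(subids)
    if len(subids) < 3:
        raise ValueError("index too short")
    atype, length = subids[0], subids[1]
    if ADDR_LEN.get(atype) != length:
        raise ValueError("address length %d invalid for type %d" % (length, atype))
    if len(subids) != 2 + length + 1:
        raise ValueError("index has the wrong number of sub-identifiers")
    octets = bytes(subids[2:2 + length])
    return str(ipaddress.ip_address(octets)), subids[2 + length]


@dataclass
class EspInRow:
    """Subset of ipsecSaEspInEntry columns from one poll (constructed)."""
    limit_seconds: int      # ipsecSaEspInLimitSeconds, 0 = no time limit
    limit_kbytes: int       # ipsecSaEspInLimitKbytes, 0 = no traffic limit
    acc_seconds: int        # ipsecSaEspInAccSeconds
    acc_kbytes: int         # ipsecSaEspInAccKbytes
    packets: int            # ipsecSaEspInPackets (Counter64)
    rep_win_size: int       # ipsecSaEspInRepWinSize, 0 = no replay check
    replay_errors: int = 0  # ipsecSaEspInReplayErrors (Counter32)
    auth_errors: int = 0    # ipsecSaEspInAuthErrors (Counter32)
    decrypt_errors: int = 0 # ipsecSaEspInDecryptErrors (Counter32)


def lifetime_used(row: EspInRow) -> float:
    """Fraction of the tighter expiration limit already consumed (0.0 if none)."""
    fractions = []
    if row.limit_seconds:
        fractions.append(row.acc_seconds / row.limit_seconds)
    if row.limit_kbytes:
        fractions.append(row.acc_kbytes / row.limit_kbytes)
    return max(fractions, default=0.0)


def counter_delta(prev: int, cur: int, bits: int) -> int:
    """Growth of a Counter32/Counter64 between two polls, tolerating one wrap."""
    return (cur - prev) % (1 << bits)


def error_findings(prev: EspInRow, cur: EspInRow, max_error_ratio: float = 0.01) -> list:
    """Flag error growth between two polls of the same SA row.

    The draft notes the error counters may reflect attacks as well as
    operational faults, so each error delta is compared with the number of
    packets the SA processed successfully over the same interval.
    """
    findings = []
    good = counter_delta(prev.packets, cur.packets, 64)
    for name in ("replay_errors", "auth_errors", "decrypt_errors"):
        delta = counter_delta(getattr(prev, name), getattr(cur, name), 32)
        if delta and delta > max_error_ratio * max(good, 1):
            findings.append("%s rose by %d against %d good packets" % (name, delta, good))
    if cur.rep_win_size == 0:
        findings.append("anti-replay checking disabled (ipsecSaEspInRepWinSize = 0)")
    return findings


if __name__ == "__main__":
    idx = encode_sa_index("192.0.2.1", 0x12345678)   # constructed sample SA
    print("index sub-identifiers:", idx, "->", decode_sa_index(idx))
    before = EspInRow(3600, 0, 1700, 0, packets=1000, rep_win_size=64)
    after = EspInRow(3600, 0, 1800, 0, packets=1100, rep_win_size=64, replay_errors=5)
    print("lifetime used: %.0f%%" % (100 * lifetime_used(after)))
    print("findings:", error_findings(before, after))
```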
4.1.1 Phase 2 Selector Table

   This table provides a list of SA selectors. This table is arbitrarily indexed. It contains the local phase 2 ID, then the remote phase 2 ID, a layer 4 protocol number, and finally the local and remote layer 4 port numbers.

   The SA table uses entries in this table.

4.1.2 IPcomp Security Associations

   For IPcomp SAs, the following assumptions are made:

   o  IPcomp SAs don't care about policy errors.

   o  IPcomp SAs don't care about expiration.

   o  The selector can be empty (0) if IPcomp is shared across multiple security association suites. This may happen if an implementation chooses to use a CPI in the range of 1 to 63, representing the specific compression protocol chosen.

   o  There are no transmission errors; an outbound SA will send packets uncompressed if it is unable to compress them for any reason.

   o  The outbound SA also makes decisions about which packets are compressed or not compressed.

   o  Packets which were not compressed by an outbound IPcomp SA are still passed to an inbound IPcomp SA for processing when the IPcomp SA is part of a security association suite. This is for accounting purposes only, and is not intended to force any particular implementation.

   A compression performance metric can be calculated for IPcomp SAs by dividing the SAs' output traffic counter value by the SAs' input traffic counter.

   Also provided for IPcomp SAs are the total number of packets and traffic that was compressed. The total for packets that were not compressed can be calculated using the available objects.

4.2 IPsec MIB Traps

   Traps are provided to let system administrators know about the existence of error conditions occurring in the entity. These errors are associated with operational errors and may also indicate the presence of attacks on the system.

   Traps are not provided when SAs come up or go down.
   Traps may also be enabled or disabled as required, using configuration objects. Note that support for these objects is optional, so that system administrators that have concerns about SNMP security can choose to implement objects that are write-only.

4.3 IPsec Entity Level Objects

   This part of the MIB carries statistics global to the IPsec device. Statistics included are aggregate numbers of SAs and aggregate errors for SAs.

5. MIB Definitions

   IPSEC-SA-MON-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32,
       Integer32, Unsigned32, NOTIFICATION-TYPE,
       OBJECT-IDENTITY, Counter64
       -- remove this and next line before release
       , experimental
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, TruthValue
           FROM SNMPv2-TC
       OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
           FROM SNMPv2-CONF
       ifIndex FROM IF-MIB
       -- uncomment next line before release (and remove this one)
       -- mib-2 FROM RFC1213-MIB
       InetAddressType, InetAddress
           FROM INET-ADDRESS-MIB
       IpsecDoiIdentType,
       IpsecDoiEncapsulationMode,
       IpsecDoiEspTransform,
       IpsecDoiAhTransform,
       IpsecDoiAuthAlgorithm,
       IpsecDoiIpcompTransform,
       IpsecDoiSecProtocolId
           FROM IPSEC-ISAKMP-IKE-DOI-TC;

   ipsecSaMonModule MODULE-IDENTITY
       LAST-UPDATED "0110031200Z"
       ORGANIZATION "IETF IPsec Working Group"
       CONTACT-INFO
           "  Tim Jenkins
              Catena Networks
              307 Legget Drive
              Kanata, ON
              Canada
              K2K 3C8

              +1 (613) 599-6430
              tjenkins@catena.com

              John Shriver
              Intel Corporation
              28 Crosby Drive
              Bedford, MA 01730

              +1 (781) 687-1329
              John.Shriver@intel.com
           "
       DESCRIPTION
           "The MIB module to describe generic IPsec objects, and
           entity level objects and events for those types."
       REVISION "9906031200Z"
       DESCRIPTION
           "Initial revision."
       REVISION "9906251200Z"
       DESCRIPTION
           "Add module compliance requirements.
           Added common textual conventions.
           Other minor edits and clarifications."
       REVISION "9910211200Z"
       DESCRIPTION
           "Group and compliance statements added.
           OID value under experimental tree added.
           Authentication algorithm key length values added."
       REVISION "0007101200Z"
       DESCRIPTION
           "Added optional replay counter tables.
           Added more statistics to IPcomp SAs.
           Make packet and traffic counts definitions more explicit.
           Use Internet address formats from INET-ADDRESS-MIB.
           Added and used selector table."
       REVISION "0102071200Z"
       DESCRIPTION
           "Change MAX-ACCESS clause of all index objects to
           not-accessible. This led to other changes due to
           restrictions on the use of objects with MAX-ACCESS clauses
           of not-accessible."
       REVISION "0110031200Z"
       DESCRIPTION
           "A number of typo errors corrected. Also:
           -- selectorGroup made mandatory
           -- add (SIZE (4|16|20)) to ipsecLocalAddress and
              ipsecPeerAddress
           -- change kilobytes to Kilobytes and make it 1024 bytes
           -- used plurals in names in replay tables"

       -- replace xxx in next line before release and uncomment it
       -- ::= { mib-2 xxx }
       -- delete this and next line before release
       ::= { experimental 98 }

   IpsecSaCreatorIdent ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS current
       DESCRIPTION
           "A value indicating how an SA was created."
       SYNTAX INTEGER {
           unknown(0),
           static(1),     -- statically created
           ike(2),        -- IKE
           other(3)
       }

   IpsecRawId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "x"
       STATUS current
       DESCRIPTION
           "This data type is used to model the ID values used by
           entities that have negotiated and created SAs.

           The values are taken directly from any payloads exchanged,
           independent of the type of ID transmitted.

           In some cases, the payload may be truncated. Note also that
           some IDs have human readable forms that are not used by this
           textual convention."
       SYNTAX OCTET STRING (SIZE (0..255))

   -- the main MIB branch

   ipsecSaMonitorMIB OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all IPsec branches."
       ::= { ipsecSaMonModule 1 }

   -- significant branches

   saTables OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all SA tables."
       ::= { ipsecSaMonitorMIB 1 }

   saStatistics OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all objects which
           are global counters for IPsec security associations."
       ::= { ipsecSaMonitorMIB 2 }

   saErrors OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all objects which
           are global error counters for IPsec security associations."
       ::= { ipsecSaMonitorMIB 3 }

   saTraps OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all objects which
           are traps for IPsec security associations."
       ::= { ipsecSaMonitorMIB 4 }

   saTrapObjects OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for objects which are
           used as part of traps."
       ::= { ipsecSaMonitorMIB 5 }

   saTrapControl OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all objects which
           are trap controls for IPsec security associations."
       ::= { ipsecSaMonitorMIB 6 }

   saGroups OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all objects which
           describe the groups in this MIB."
       ::= { ipsecSaMonitorMIB 7 }

   saConformance OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "This is the base object identifier for all objects which
           describe the conformance for this MIB."
       ::= { ipsecSaMonitorMIB 8 }

   --
   -- the Selector MIB-Group
   --
   -- a collection of objects providing information about
   -- the phase 2 selectors in the entity
   --

   selectorTable OBJECT-TYPE
       SYNTAX SEQUENCE OF SelectorEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The (conceptual) table containing the phase 2 selectors.

           The number of rows in this table is the same as the number
           of selectors in the entity. The entity may create rows for
           any purpose; no corresponding phase 2 SA or SA suite is
           required.

           The maximum number of rows is implementation dependent."
       ::= { saTables 1 }

   selectorEntry OBJECT-TYPE
       SYNTAX SelectorEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (conceptual row) containing the information on a
           particular phase 2 selector.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX { selectorIndex }
       ::= { selectorTable 1 }

   SelectorEntry ::= SEQUENCE {
       -- index
       selectorIndex           Unsigned32,

       -- the values
       selectorLocalId         IpsecRawId,
       selectorLocalIdType     IpsecDoiIdentType,
       selectorRemoteId        IpsecRawId,
       selectorRemoteIdType    IpsecDoiIdentType,
       selectorProtocol        Integer32,
       selectorLocalPort       Integer32,
       selectorRemotePort      Integer32
   }

   selectorIndex OBJECT-TYPE
       SYNTAX Unsigned32 (1..16777215)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A unique value, greater than zero, for each selector. It is
           recommended that values are assigned contiguously starting
           from 1."
       ::= { selectorEntry 1 }

   selectorLocalId OBJECT-TYPE
       SYNTAX IpsecRawId
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The local identifier of the selector.
           This corresponds to the source identifier of outbound SAs
           that use this selector, and to the destination identifier of
           inbound SAs that use this selector.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations.

           If those negotiations are for transport mode SAs, then this
           value should be the IP address of the local entity."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 2 }

   selectorLocalIdType OBJECT-TYPE
       SYNTAX IpsecDoiIdentType
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The type of ID used for 'selectorLocalId'.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations.

           If those negotiations are for transport mode SAs, then this
           value should indicate that an IP address is used by the
           local entity."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 3 }

   selectorRemoteId OBJECT-TYPE
       SYNTAX IpsecRawId
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The remote identifier of the selector.

           This corresponds to the destination identifier of outbound
           SAs that use this selector, and to the source identifier of
           inbound SAs that use this selector.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations of SAs.

           If those negotiations are for transport mode SAs, then this
           value should be the IP address of the remote peer."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 4 }

   selectorRemoteIdType OBJECT-TYPE
       SYNTAX IpsecDoiIdentType
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The type of ID used for 'selectorRemoteId'.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations of SAs.
           If those negotiations are for transport mode SAs, then this
           value should indicate that an IP address is used by the
           remote peer."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 5 }

   selectorProtocol OBJECT-TYPE
       SYNTAX Integer32 (0..255)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The transport-layer protocol number that this selector
           allows, or 0 if it selects any protocol.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations of SAs."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 6 }

   selectorLocalPort OBJECT-TYPE
       SYNTAX Integer32 (0..65535)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The local port number of the protocol that this selector
           uses, or 0 if it carries any port number.

           This corresponds to the source port number of outbound SAs
           that use this selector, and to the destination port number
           of inbound SAs that use this selector.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations of SAs."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 7 }

   selectorRemotePort OBJECT-TYPE
       SYNTAX Integer32 (0..65535)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The remote port number of the protocol that this selector
           uses, or 0 if it allows any port number.

           This corresponds to the destination port number of outbound
           SAs that use this selector, and to the source port number of
           inbound SAs that use this selector.

           This value is taken directly from the optional ID payloads
           that are exchanged during phase 2 negotiations of SA
           suites."
       REFERENCE "RFC 2401 section 4.4.2"
       ::= { selectorEntry 8 }

   -- the IPsec Inbound ESP MIB-Group
   --
   -- a collection of objects providing information about
   -- IPsec Inbound ESP SAs

   ipsecSaEspInTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsecSaEspInEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The (conceptual) table containing information on IPsec
           inbound ESP SAs.

           There should be one row for every inbound ESP security
           association that exists in the entity. The maximum number of
           rows is implementation dependent."
       ::= { saTables 2 }

   ipsecSaEspInEntry OBJECT-TYPE
       SYNTAX IpsecSaEspInEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (conceptual row) containing the information on a
           particular IPsec inbound ESP SA.

           A row in this table cannot be created or deleted by SNMP
           operations on columns of the table."
       INDEX {
           ipsecSaEspInAddressType,
           ipsecSaEspInAddress,
           ipsecSaEspInSpi
       }
       ::= { ipsecSaEspInTable 1 }

   IpsecSaEspInEntry ::= SEQUENCE {

       -- identification
       ipsecSaEspInAddressType         InetAddressType,
       ipsecSaEspInAddress             InetAddress,
       ipsecSaEspInSpi                 Unsigned32,

       -- selector
       ipsecSaEspInSelector            Unsigned32,

       -- how created
       ipsecSaEspInCreator             IpsecSaCreatorIdent,

       -- security services description
       ipsecSaEspInEncapsulation       IpsecDoiEncapsulationMode,
       ipsecSaEspInEncAlg              IpsecDoiEspTransform,
       ipsecSaEspInEncKeyLength        Unsigned32,
       ipsecSaEspInAuthAlg             IpsecDoiAuthAlgorithm,
       ipsecSaEspInAuthKeyLength       Unsigned32,
       ipsecSaEspInRepWinSize          Unsigned32,

       -- expiration limits
       ipsecSaEspInLimitSeconds        Unsigned32, -- sec., 0 if none
       ipsecSaEspInLimitKbytes         Unsigned32, -- 0 if none

       -- current operating statistics
       ipsecSaEspInAccSeconds          Counter32,
       ipsecSaEspInAccKbytes           Counter32,
       ipsecSaEspInUserOctets          Counter64,
       ipsecSaEspInPackets             Counter64,

       -- error statistics
       ipsecSaEspInDecryptErrors       Counter32,
       ipsecSaEspInAuthErrors          Counter32,
       ipsecSaEspInReplayErrors        Counter32,
       ipsecSaEspInPolicyErrors        Counter32,
       ipsecSaEspInPadErrors           Counter32,
       ipsecSaEspInOtherReceiveErrors  Counter32

   }

   ipsecSaEspInAddressType OBJECT-TYPE
       SYNTAX InetAddressType
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The type of address used for the destination address of the
           SA."
       ::= { ipsecSaEspInEntry 1 }

   ipsecSaEspInAddress OBJECT-TYPE
       SYNTAX InetAddress (SIZE(4|16|20))
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The destination address of the SA."
       ::= { ipsecSaEspInEntry 2 }

   ipsecSaEspInSpi OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The security parameters index of the SA."
       REFERENCE "RFC 2406 Section 2.1"
       ::= { ipsecSaEspInEntry 3 }

   ipsecSaEspInSelector OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The index of the selector table row for this SA. In other
           words, the value of 'selectorIndex' for the appropriate row
           ('SelectorEntry') from the 'selectorTable'."
       ::= { ipsecSaEspInEntry 4 }

   ipsecSaEspInCreator OBJECT-TYPE
       SYNTAX IpsecSaCreatorIdent
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The creator of this SA.

           This MIB makes no assumptions about how the SAs are created.
           They may be created statically, or by a key exchange
           protocol such as IKE, or by some other method."
       ::= { ipsecSaEspInEntry 5 }

   ipsecSaEspInEncapsulation OBJECT-TYPE
       SYNTAX IpsecDoiEncapsulationMode
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The type of encapsulation used by this SA."
       ::= { ipsecSaEspInEntry 6 }

   ipsecSaEspInEncAlg OBJECT-TYPE
       SYNTAX IpsecDoiEspTransform
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value representing the encryption algorithm
           applied to traffic."
       ::= { ipsecSaEspInEntry 7 }

   ipsecSaEspInEncKeyLength OBJECT-TYPE
       SYNTAX Unsigned32 (0..65531)
       UNITS "bits"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The length of the encryption key in bits used for the
           algorithm specified in the ipsecSaEspInEncAlg object. It may
           be 0 if the key length is implicit in the specified
           algorithm or there is no encryption specified."
       ::= { ipsecSaEspInEntry 8 }

   ipsecSaEspInAuthAlg OBJECT-TYPE
       SYNTAX IpsecDoiAuthAlgorithm
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value representing the hash algorithm applied to
           traffic."
       ::= { ipsecSaEspInEntry 9 }

   ipsecSaEspInAuthKeyLength OBJECT-TYPE
       SYNTAX Unsigned32 (0..65531)
       UNITS "bits"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The length of the authentication key in bits used for the
           algorithm specified in the ipsecSaEspInAuthAlg object. It
           may be 0 if the key length is implicit in the specified
           algorithm or there is no authentication specified."
       ::= { ipsecSaEspInEntry 10 }

   ipsecSaEspInRepWinSize OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The size of the anti-replay window used by this SA, or 0 if
           anti-replay checking is not being done."
       REFERENCE "Section 3.4.3 of RFC 2406"
       ::= { ipsecSaEspInEntry 11 }

   ipsecSaEspInLimitSeconds OBJECT-TYPE
       SYNTAX Unsigned32
       UNITS "seconds"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The maximum lifetime in seconds of the SA, or 0 if there is
           no time constraint on its expiration, or 4294967295 if the
           maximum lifetime is 4294967295 seconds or more but not
           infinite."
802 ::= { ipsecSaEspInEntry 12 } 804 ipsecSaEspInLimitKbytes OBJECT-TYPE 805 SYNTAX Unsigned32 806 UNITS "Kilobytes" 807 MAX-ACCESS read-only 808 STATUS current 809 DESCRIPTION 810 "The maximum lifetime in Kilobytes (1024 bytes) of the SA, 811 or 0 if there is no traffic constraint on its expiration, or 812 4294967295 if the maximum lifetime is 4294967295 Kilobytes 813 or more but not infinite." 814 ::= { ipsecSaEspInEntry 13 } 816 ipsecSaEspInAccSeconds OBJECT-TYPE 817 SYNTAX Counter32 818 UNITS "seconds" 819 MAX-ACCESS read-only 820 STATUS current 821 DESCRIPTION 822 "The number of seconds accumulated against the SA's 823 expiration by time. 825 This is also the number of seconds that the SA has existed." 826 ::= { ipsecSaEspInEntry 14 } 828 ipsecSaEspInAccKbytes OBJECT-TYPE 829 SYNTAX Counter32 830 UNITS "Kilobytes" 831 MAX-ACCESS read-only 832 STATUS current 833 DESCRIPTION 834 "The amount of traffic handled by the SA that could 835 accumulate against a traffic expiration limit, measured in 836 Kilobytes (1024 bytes). 838 If the SA expires based on traffic, this value counts 839 against the SA's expiration by traffic limitation. If the SA 840 does not expire based on traffic, this value may be 0 to 841 indicate that the counter is not being used." 842 ::= { ipsecSaEspInEntry 15 } 844 ipsecSaEspInUserOctets OBJECT-TYPE 845 SYNTAX Counter64 846 UNITS "bytes" 847 MAX-ACCESS read-only 848 STATUS current 849 DESCRIPTION 850 "The amount of user level traffic measured in bytes 851 successfully handled by the SA. This is the number of bytes 852 of the decrypted IP packet, including the original IP header 853 of that decrypted packet. 855 This is not necessarily the same as the amount of traffic 856 applied against the traffic expiration limit due to padding 857 or other protocol specific overhead." 
858 ::= { ipsecSaEspInEntry 16 } 860 ipsecSaEspInPackets OBJECT-TYPE 861 SYNTAX Counter64 862 UNITS "packets" 863 MAX-ACCESS read-only 864 STATUS current 865 DESCRIPTION 866 "The number of packets received and succcessfully processed 867 by the SA. This does not include received packets that were 868 discarded during processing by the SA." 869 ::= { ipsecSaEspInEntry 17 } 871 ipsecSaEspInDecryptErrors OBJECT-TYPE 872 SYNTAX Counter32 873 UNITS "packets" 874 MAX-ACCESS read-only 875 STATUS current 876 DESCRIPTION 877 "The number of packets discarded by the SA due to detectable 878 decryption errors. Not all decryption errors are detectable 879 within SA processing, so this count should not be considered 880 definitive." 881 ::= { ipsecSaEspInEntry 18 } 883 ipsecSaEspInAuthErrors OBJECT-TYPE 884 SYNTAX Counter32 885 UNITS "packets" 886 MAX-ACCESS read-only 887 STATUS current 888 DESCRIPTION 889 "The number of packets discarded by the SA due to 890 authentication errors." 891 ::= { ipsecSaEspInEntry 19 } 893 ipsecSaEspInReplayErrors OBJECT-TYPE 894 SYNTAX Counter32 895 UNITS "packets" 896 MAX-ACCESS read-only 897 STATUS current 898 DESCRIPTION 899 "The number of packets discarded by the SA due to replay 900 errors." 901 ::= { ipsecSaEspInEntry 20 } 903 ipsecSaEspInPolicyErrors OBJECT-TYPE 904 SYNTAX Counter32 905 UNITS "packets" 906 MAX-ACCESS read-only 907 STATUS current 908 DESCRIPTION 909 "The number of packets discarded by the SA due to policy 910 errors. This includes packets where the next protocol is 911 invalid." 912 ::= { ipsecSaEspInEntry 21 } 914 ipsecSaEspInPadErrors OBJECT-TYPE 915 SYNTAX Counter32 916 UNITS "packets" 917 MAX-ACCESS read-only 918 STATUS current 919 DESCRIPTION 920 "The number of packets discarded by the SA due to pad value 921 errors. 923 Implementations that do not check this must not support this 924 object." 
925 REFERENCE "RFC 2406 section 2.4" 926 ::= { ipsecSaEspInEntry 22 } 928 ipsecSaEspInOtherReceiveErrors OBJECT-TYPE 929 SYNTAX Counter32 930 UNITS "packets" 931 MAX-ACCESS read-only 932 STATUS current 933 DESCRIPTION 934 "The number of packets discarded by the SA due to errors 935 other than decryption, authentication, replay errors or, 936 when supported, invalid padding errors. This may include 938 packets dropped due to a lack of receive buffers, and may 939 include packets dropped due to congestion at the decryption 940 element." 941 ::= { ipsecSaEspInEntry 23 } 943 -- the IPsec Inbound AH MIB-Group 944 -- 945 -- a collection of objects providing information about 946 -- IPsec Inbound AH SAs 948 ipsecSaAhInTable OBJECT-TYPE 949 SYNTAX SEQUENCE OF IpsecSaAhInEntry 950 MAX-ACCESS not-accessible 951 STATUS current 952 DESCRIPTION 953 "The (conceptual) table containing information on IPsec 954 inbound AH SAs. 956 There should be one row for every inbound AH security 957 association that exists in the entity. The maximum number of 958 rows is implementation dependent." 959 ::= { saTables 3 } 961 ipsecSaAhInEntry OBJECT-TYPE 962 SYNTAX IpsecSaAhInEntry 963 MAX-ACCESS not-accessible 964 STATUS current 965 DESCRIPTION 966 "An entry (conceptual row) containing the information on a 967 particular IPsec inbound AH SA. 969 A row in this table cannot be created or deleted by SNMP 970 operations on columns of the table." 
971 INDEX { 972 ipsecSaAhInAddressType, 973 ipsecSaAhInAddress, 974 ipsecSaAhInSpi 975 } 976 ::= { ipsecSaAhInTable 1 } 978 IpsecSaAhInEntry::= SEQUENCE { 980 -- identification 981 ipsecSaAhInAddressType InetAddressType, 982 ipsecSaAhInAddress InetAddress, 983 ipsecSaAhInSpi Unsigned32, 985 -- SA selector 986 ipsecSaAhInSelector Unsigned32, 988 -- how created 989 ipsecSaAhInCreator IpsecSaCreatorIdent, 991 -- security services description 992 ipsecSaAhInEncapsulation IpsecDoiEncapsulationMode, 993 ipsecSaAhInAuthAlg IpsecDoiAhTransform, 994 ipsecSaAhInAuthKeyLength Unsigned32, 995 ipsecSaAhInRepWinSize Unsigned32, 997 -- expiration limits 998 ipsecSaAhInLimitSeconds Unsigned32, -- sec., 0 if none 999 ipsecSaAhInLimitKbytes Unsigned32, -- 0 if none 1001 -- current operating statistics 1002 ipsecSaAhInAccSeconds Counter32, 1003 ipsecSaAhInAccKbytes Counter32, 1004 ipsecSaAhInUserOctets Counter64, 1005 ipsecSaAhInPackets Counter64, 1007 -- error statistics 1008 ipsecSaAhInAuthErrors Counter32, 1009 ipsecSaAhInReplayErrors Counter32, 1010 ipsecSaAhInPolicyErrors Counter32, 1011 ipsecSaAhInOtherReceiveErrors Counter32 1012 } 1014 ipsecSaAhInAddressType OBJECT-TYPE 1015 SYNTAX InetAddressType 1016 MAX-ACCESS not-accessible 1017 STATUS current 1018 DESCRIPTION 1019 "The type of address that is the destination address of the 1020 SA." 1021 ::= { ipsecSaAhInEntry 1 } 1023 ipsecSaAhInAddress OBJECT-TYPE 1024 SYNTAX InetAddress (SIZE(4|16|20)) 1025 MAX-ACCESS not-accessible 1026 STATUS current 1027 DESCRIPTION 1028 "The destination address of the SA." 1029 ::= { ipsecSaAhInEntry 2 } 1031 ipsecSaAhInSpi OBJECT-TYPE 1032 SYNTAX Unsigned32 1033 MAX-ACCESS not-accessible 1034 STATUS current 1035 DESCRIPTION 1036 "The security parameters index of the SA." 
1037 REFERENCE "RFC 2402 Section 2.4" 1038 ::= { ipsecSaAhInEntry 3 } 1040 ipsecSaAhInSelector OBJECT-TYPE 1041 SYNTAX Unsigned32 1042 MAX-ACCESS read-only 1043 STATUS current 1044 DESCRIPTION 1045 "The index of the selector table row for this SA. In other 1046 words, the value of 'selectorIndex' for the appropriate row 1047 ('SelectorEntry') from the 'selectorTable'" 1048 ::= { ipsecSaAhInEntry 4 } 1050 ipsecSaAhInCreator OBJECT-TYPE 1051 SYNTAX IpsecSaCreatorIdent 1052 MAX-ACCESS read-only 1053 STATUS current 1054 DESCRIPTION 1055 "The creator of this SA. 1057 This MIB makes no assumptions about how the SAs are created. 1058 They may be created statically, or by a key exchange 1059 protocol such as IKE, or by some other method." 1060 ::= { ipsecSaAhInEntry 5 } 1062 ipsecSaAhInEncapsulation OBJECT-TYPE 1063 SYNTAX IpsecDoiEncapsulationMode 1064 MAX-ACCESS read-only 1065 STATUS current 1066 DESCRIPTION 1067 "The type of encapsulation used by this SA." 1068 ::= { ipsecSaAhInEntry 6 } 1070 ipsecSaAhInAuthAlg OBJECT-TYPE 1071 SYNTAX IpsecDoiAhTransform 1072 MAX-ACCESS read-only 1073 STATUS current 1074 DESCRIPTION 1075 "A unique value representing the hash algorithm applied to 1076 traffic carried by this SA." 1077 ::= { ipsecSaAhInEntry 7 } 1079 ipsecSaAhInAuthKeyLength OBJECT-TYPE 1080 SYNTAX Unsigned32 (0..65531) 1081 UNITS "bits" 1082 MAX-ACCESS read-only 1083 STATUS current 1084 DESCRIPTION 1085 "The length of the authentication key in bits used for the 1086 algorithm specified in the ipsecSaAhInAuthAlg object. It may 1087 be 0 if the key length is implicit in the specified 1088 algorithm." 1089 ::= { ipsecSaAhInEntry 8 } 1091 ipsecSaAhInRepWinSize OBJECT-TYPE 1092 SYNTAX Unsigned32 1093 MAX-ACCESS read-only 1094 STATUS current 1095 DESCRIPTION 1096 "The size of the anti-replay window used by this SA, or 0 if 1097 anti-replay checking is not being done." 
1098 REFERENCE "Section 3.4.3 of RFC 2402" 1099 ::= { ipsecSaAhInEntry 9 } 1101 ipsecSaAhInLimitSeconds OBJECT-TYPE 1102 SYNTAX Unsigned32 1103 UNITS "seconds" 1104 MAX-ACCESS read-only 1105 STATUS current 1106 DESCRIPTION 1107 "The maximum lifetime in seconds of the SA, or 0 if there is 1108 no time constraint on its expiration, or 4294967295 if the 1109 maximum lifetime is 4294967295 seconds or more but not 1110 infinite." 1111 ::= { ipsecSaAhInEntry 10 } 1113 ipsecSaAhInLimitKbytes OBJECT-TYPE 1114 SYNTAX Unsigned32 1115 UNITS "Kilobytes" 1116 MAX-ACCESS read-only 1117 STATUS current 1118 DESCRIPTION 1119 "The maximum lifetime in Kilobytes (1024 bytes) of the SA, 1120 or 0 if there is no traffic constraint on its expiration, or 1121 4294967295 if the maximum lifetime is 4294967295 Kilobytes 1122 or more but not infinite." 1123 ::= { ipsecSaAhInEntry 11 } 1125 ipsecSaAhInAccSeconds OBJECT-TYPE 1126 SYNTAX Counter32 1127 UNITS "seconds" 1128 MAX-ACCESS read-only 1129 STATUS current 1130 DESCRIPTION 1131 "The number of seconds accumulated against the SA's 1132 expiration by time. 1134 This is also the number of seconds that the SA has existed." 1135 ::= { ipsecSaAhInEntry 12 } 1137 ipsecSaAhInAccKbytes OBJECT-TYPE 1138 SYNTAX Counter32 1139 UNITS "Kilobytes" 1140 MAX-ACCESS read-only 1141 STATUS current 1142 DESCRIPTION 1143 "The amount of traffic handled by the SA that could 1144 accumulate against a traffic expiration limit, measured in 1145 Kilobytes (1024 bytes). 1147 If the SA expires based on traffic, this value counts 1148 against the SA's expiration by traffic limitation. If the SA 1149 does not expire based on traffic, this value may be 0 to 1150 indicate that the counter is not being used." 1151 ::= { ipsecSaAhInEntry 13 } 1153 ipsecSaAhInUserOctets OBJECT-TYPE 1154 SYNTAX Counter64 1155 UNITS "bytes" 1156 MAX-ACCESS read-only 1157 STATUS current 1158 DESCRIPTION 1159 "The amount of user level traffic measured in bytes handled 1160 successfully by the SA. 
This is the number of bytes of the 1161 de-processed IP packet, including the original IP header of 1162 that de-processed packet. 1164 This is not necessarily the same as the amount of traffic 1165 applied against the traffic expiration limit due to padding 1166 or other protocol specific overhead." 1167 ::= { ipsecSaAhInEntry 14 } 1169 ipsecSaAhInPackets OBJECT-TYPE 1170 SYNTAX Counter64 1171 UNITS "packets" 1172 MAX-ACCESS read-only 1173 STATUS current 1175 DESCRIPTION 1176 "The number of packets received and succcessfully processed 1177 by the SA. This does not include packets that were discarded 1178 during processing by the SA." 1179 ::= { ipsecSaAhInEntry 15 } 1181 ipsecSaAhInAuthErrors OBJECT-TYPE 1182 SYNTAX Counter32 1183 UNITS "packets" 1184 MAX-ACCESS read-only 1185 STATUS current 1186 DESCRIPTION 1187 "The number of packets discarded by the SA due to 1188 authentication errors." 1189 ::= { ipsecSaAhInEntry 16 } 1191 ipsecSaAhInReplayErrors OBJECT-TYPE 1192 SYNTAX Counter32 1193 UNITS "packets" 1194 MAX-ACCESS read-only 1195 STATUS current 1196 DESCRIPTION 1197 "The number of packets discarded by the SA due to replay 1198 errors." 1199 ::= { ipsecSaAhInEntry 17 } 1201 ipsecSaAhInPolicyErrors OBJECT-TYPE 1202 SYNTAX Counter32 1203 UNITS "packets" 1204 MAX-ACCESS read-only 1205 STATUS current 1206 DESCRIPTION 1207 "The number of packets discarded by the SA due to policy 1208 errors. This includes packets where the next protocol is 1209 invalid." 1210 ::= { ipsecSaAhInEntry 18 } 1212 ipsecSaAhInOtherReceiveErrors OBJECT-TYPE 1213 SYNTAX Counter32 1214 UNITS "packets" 1215 MAX-ACCESS read-only 1216 STATUS current 1217 DESCRIPTION 1218 "The number of packets discarded by the SA due to errors 1219 other than decryption, authentication or replay errors. This 1220 may include packets dropped due to a lack of receive 1222 buffers, and may include packets dropped due to congestion 1223 at the authentication element." 
1224 ::= { ipsecSaAhInEntry 19 } 1226 -- the IPsec Inbound IPcomp MIB-Group 1227 -- 1228 -- a collection of objects providing information about 1229 -- IPsec Inbound IPcomp SAs 1231 ipsecSaIpcompInTable OBJECT-TYPE 1232 SYNTAX SEQUENCE OF IpsecSaIpcompInEntry 1233 MAX-ACCESS not-accessible 1234 STATUS current 1235 DESCRIPTION 1236 "The (conceptual) table containing information on IPsec 1237 inbound IPcomp SAs. 1239 There should be one row for every inbound IPcomp (security) 1240 association that exists in the entity. The maximum number of 1241 rows is implementation dependent." 1242 ::= { saTables 4 } 1244 ipsecSaIpcompInEntry OBJECT-TYPE 1245 SYNTAX IpsecSaIpcompInEntry 1246 MAX-ACCESS not-accessible 1247 STATUS current 1248 DESCRIPTION 1249 "An entry (conceptual row) containing the information on a 1250 particular IPsec inbound IPcomp SA. 1252 A row in this table cannot be created or deleted by SNMP 1253 operations on columns of the table." 1254 INDEX { 1255 ipsecSaIpcompInAddressType, 1256 ipsecSaIpcompInAddress, 1257 ipsecSaIpcompInCpi 1258 } 1259 ::= { ipsecSaIpcompInTable 1 } 1261 IpsecSaIpcompInEntry::= SEQUENCE { 1263 -- identification 1264 ipsecSaIpcompInAddressType InetAddressType, 1265 ipsecSaIpcompInAddress InetAddress, 1266 ipsecSaIpcompInCpi IpsecDoiIpcompTransform, 1268 -- SA selector (if needed) 1269 ipsecSaIpcompInSelector Unsigned32, 1271 -- how created 1272 ipsecSaIpcompInCreator IpsecSaCreatorIdent, 1274 -- security services description 1275 ipsecSaIpcompInEncapsulation IpsecDoiEncapsulationMode, 1276 ipsecSaIpcompInDecompAlg IpsecDoiIpcompTransform, 1278 -- current operating statistics 1279 ipsecSaIpcompInSeconds Counter32, 1280 ipsecSaIpcompInUserOctets Counter64, 1281 ipsecSaIpcompInUserPackets Counter64, 1282 ipsecSaIpcompInCompressedOctets Counter64, 1283 ipsecSaIpcompInCompressedPackets Counter64, 1284 ipsecSaIpcompInInputOctets Counter64, 1286 -- error statistics 1287 ipsecSaIpcompInDecompErrors Counter32, 1288 
ipsecSaIpcompInOtherReceiveErrors Counter32 1289 } 1291 ipsecSaIpcompInAddressType OBJECT-TYPE 1292 SYNTAX InetAddressType 1293 MAX-ACCESS not-accessible 1294 STATUS current 1295 DESCRIPTION 1296 "The type of address used for the destination address of the 1297 SA. 1299 If the IPcomp SA is shared across multiple SAs in security 1300 association suites, this value may be 0." 1301 ::= { ipsecSaIpcompInEntry 1 } 1303 ipsecSaIpcompInAddress OBJECT-TYPE 1304 SYNTAX InetAddress (SIZE(0|4|16|20)) 1305 MAX-ACCESS not-accessible 1306 STATUS current 1307 DESCRIPTION 1308 "The destination address of the SA. 1310 If the IPcomp SA is shared across multiple SAs in security 1311 association suites, this value may be zero-length." 1312 ::= { ipsecSaIpcompInEntry 2 } 1314 ipsecSaIpcompInCpi OBJECT-TYPE 1315 SYNTAX IpsecDoiIpcompTransform 1316 MAX-ACCESS not-accessible 1317 STATUS current 1318 DESCRIPTION 1319 "The CPI of the SA. Since the lower values of CPIs are 1320 reserved to be the same as the algorithm, the syntax for 1321 this object is the same as the transform." 1322 REFERENCE "RFC 2393 Section 3.3" 1323 ::= { ipsecSaIpcompInEntry 3 } 1325 ipsecSaIpcompInSelector OBJECT-TYPE 1326 SYNTAX Unsigned32 1327 MAX-ACCESS read-only 1328 STATUS current 1329 DESCRIPTION 1330 "The index of the selector table row for this SA. In other 1331 words, the value of 'selectorIndex' for the appropriate row 1332 ('SelectorEntry') from the 'selectorTable' 1334 This value may be 0 if this SA is used with multiple SAs in 1335 security association suites." 1336 ::= { ipsecSaIpcompInEntry 4 } 1338 ipsecSaIpcompInCreator OBJECT-TYPE 1339 SYNTAX IpsecSaCreatorIdent 1340 MAX-ACCESS read-only 1341 STATUS current 1342 DESCRIPTION 1343 "The creator of this SA. 1345 This MIB makes no assumptions about how the SAs are created. 1346 They may be created statically, or by a key exchange 1347 protocol such as IKE, or by some other method." 
1348 ::= { ipsecSaIpcompInEntry 5 } 1350 ipsecSaIpcompInEncapsulation OBJECT-TYPE 1351 SYNTAX IpsecDoiEncapsulationMode 1352 MAX-ACCESS read-only 1353 STATUS current 1354 DESCRIPTION 1355 "The type of encapsulation used by this SA." 1356 ::= { ipsecSaIpcompInEntry 6 } 1358 ipsecSaIpcompInDecompAlg OBJECT-TYPE 1359 SYNTAX IpsecDoiIpcompTransform 1360 MAX-ACCESS read-only 1361 STATUS current 1363 DESCRIPTION 1364 "A unique value representing the decompression algorithm 1365 applied to traffic." 1366 ::= { ipsecSaIpcompInEntry 7 } 1368 ipsecSaIpcompInSeconds OBJECT-TYPE 1369 SYNTAX Counter32 1370 UNITS "seconds" 1371 MAX-ACCESS read-only 1372 STATUS current 1373 DESCRIPTION 1374 "The number of seconds that the SA has existed." 1375 ::= { ipsecSaIpcompInEntry 8 } 1377 ipsecSaIpcompInUserOctets OBJECT-TYPE 1378 SYNTAX Counter64 1379 UNITS "bytes" 1380 MAX-ACCESS read-only 1381 STATUS current 1382 DESCRIPTION 1383 "The amount of user level traffic measured in bytes handled 1384 by the SA. This includes traffic on packets that were both 1385 compressed and uncompressed. Packets that were not 1386 compressed that count in this total may include packets that 1387 were received in a security association suite that included 1388 IPcomp." 1389 ::= { ipsecSaIpcompInEntry 9 } 1391 ipsecSaIpcompInUserPackets OBJECT-TYPE 1392 SYNTAX Counter64 1393 UNITS "packets" 1394 MAX-ACCESS read-only 1395 STATUS current 1396 DESCRIPTION 1397 "The number of packets sent from the SA after inbound 1398 processing, whether they were compressed or not. 1400 When used in a security association suite, this value is the 1401 total number of packets sent by the suite. If this SA is 1402 shared across multiple SA suites, this value is the sum of 1403 the number of packets sent from those suites." 
1404 ::= { ipsecSaIpcompInEntry 10 } 1406 ipsecSaIpcompInCompressedOctets OBJECT-TYPE 1407 SYNTAX Counter64 1408 UNITS "bytes" 1409 MAX-ACCESS read-only 1410 STATUS current 1411 DESCRIPTION 1412 "The amount of traffic measured in bytes that is received by 1413 the SA that was compressed. This includes the IPcomp and IP 1414 headers that are not compressed. 1416 The amount of traffic that is not compressed (for any 1417 reason) is the value of ipsecSaIpcompInInputOctets minus 1418 ipsecSaIpcompInCompressedOctets." 1419 ::= { ipsecSaIpcompInEntry 11 } 1421 ipsecSaIpcompInCompressedPackets OBJECT-TYPE 1422 SYNTAX Counter64 1423 UNITS "packets" 1424 MAX-ACCESS read-only 1425 STATUS current 1426 DESCRIPTION 1427 "The number of packets received by the SA that were 1428 compressed. 1430 The number of packets that were not compressed (for any 1431 reason) is the value of ipsecSaIpcompInUserPackets minus 1432 ipsecSaIpcompInCompressedPackets. 1434 When used in a security association suite, this value is the 1435 total number of compressed packets received by the suite. If 1436 this SA is shared across multiple SA suites, this value is 1437 the sum of the number of compressed packets received by 1438 those suites." 1439 ::= { ipsecSaIpcompInEntry 12 } 1441 ipsecSaIpcompInInputOctets OBJECT-TYPE 1442 SYNTAX Counter64 1443 UNITS "bytes" 1444 MAX-ACCESS read-only 1445 STATUS current 1446 DESCRIPTION 1447 "The total amount of traffic measured in bytes that is 1448 received by the SA, compressed or not. This includes the 1449 IPcomp header if present and the IP header of each packet. 1451 When the IPcomp SA is shared across multiple security 1452 association suites, this value is the sum of the output of 1453 all SAs before this SA in those SA suites. 1455 When used in a security association suite, this value is the 1456 same as the traffic sent from the previous SA in the suite. 
1457 If this SA is shared across multiple SA suites, this value 1459 is the sum of all traffic sent from the previous SAs in 1460 those suites " 1461 ::= { ipsecSaIpcompInEntry 13 } 1463 ipsecSaIpcompInDecompErrors OBJECT-TYPE 1464 SYNTAX Counter32 1465 UNITS "packets" 1466 MAX-ACCESS read-only 1467 STATUS current 1468 DESCRIPTION 1469 "The number of packets discarded by the SA due to 1470 decompression errors." 1471 ::= { ipsecSaIpcompInEntry 14 } 1473 ipsecSaIpcompInOtherReceiveErrors OBJECT-TYPE 1474 SYNTAX Counter32 1475 UNITS "packets" 1476 MAX-ACCESS read-only 1477 STATUS current 1478 DESCRIPTION 1479 "The number of packets discarded by the SA due to errors 1480 other than decompression errors. This may include packets 1481 dropped due to a lack of receive buffers, and packets 1482 dropped due to congestion at the decompression element." 1483 ::= { ipsecSaIpcompInEntry 15 } 1485 -- the IPsec Outbound ESP MIB-Group 1486 -- 1487 -- a collection of objects providing information about 1488 -- IPsec Outbound ESP SAs 1490 ipsecSaEspOutTable OBJECT-TYPE 1491 SYNTAX SEQUENCE OF IpsecSaEspOutEntry 1492 MAX-ACCESS not-accessible 1493 STATUS current 1494 DESCRIPTION 1495 "The (conceptual) table containing information on IPsec 1496 Outbound ESP SAs. 1498 There should be one row for every outbound ESP security 1499 association that exists in the entity. The maximum number of 1500 rows is implementation dependent." 1501 ::= { saTables 5 } 1503 ipsecSaEspOutEntry OBJECT-TYPE 1504 SYNTAX IpsecSaEspOutEntry 1505 MAX-ACCESS not-accessible 1506 STATUS current 1507 DESCRIPTION 1508 "An entry (conceptual row) containing the information on a 1509 particular IPsec Outbound ESP SA. 1511 A row in this table cannot be created or deleted by SNMP 1512 operations on columns of the table." 
1513 INDEX { 1514 ipsecSaEspOutAddressType, 1515 ipsecSaEspOutAddress, 1516 ipsecSaEspOutSpi 1517 } 1518 ::= { ipsecSaEspOutTable 1 } 1520 IpsecSaEspOutEntry::= SEQUENCE { 1522 -- identification 1523 ipsecSaEspOutAddressType InetAddressType, 1524 ipsecSaEspOutAddress InetAddress, 1525 ipsecSaEspOutSpi Unsigned32, 1527 -- SA selector 1528 ipsecSaEspOutSelector Unsigned32, 1530 -- how created 1531 ipsecSaEspOutCreator IpsecSaCreatorIdent, 1533 -- security services description 1534 ipsecSaEspOutEncapsulation IpsecDoiEncapsulationMode, 1535 ipsecSaEspOutEncAlg IpsecDoiEspTransform, 1536 ipsecSaEspOutEncKeyLength Unsigned32, 1537 ipsecSaEspOutAuthAlg IpsecDoiAuthAlgorithm, 1538 ipsecSaEspOutAuthKeyLength Unsigned32, 1540 -- expiration limits 1541 ipsecSaEspOutLimitSeconds Unsigned32, -- sec., 0 if none 1542 ipsecSaEspOutLimitKbytes Unsigned32, -- 0 if none 1544 -- current operating statistics 1545 ipsecSaEspOutAccSeconds Counter32, 1546 ipsecSaEspOutAccKbytes Counter32, 1547 ipsecSaEspOutUserOctets Counter64, 1548 ipsecSaEspOutPackets Counter64, 1550 -- error statistics 1551 ipsecSaEspOutSendErrors Counter32 1553 } 1555 ipsecSaEspOutAddressType OBJECT-TYPE 1556 SYNTAX InetAddressType 1557 MAX-ACCESS not-accessible 1558 STATUS current 1559 DESCRIPTION 1560 "The type of address used by the destination address of the 1561 SA." 1562 ::= { ipsecSaEspOutEntry 1 } 1564 ipsecSaEspOutAddress OBJECT-TYPE 1565 SYNTAX InetAddress (SIZE(4|16|20)) 1566 MAX-ACCESS not-accessible 1567 STATUS current 1568 DESCRIPTION 1569 "The destination address of the SA." 1570 ::= { ipsecSaEspOutEntry 2 } 1572 ipsecSaEspOutSpi OBJECT-TYPE 1573 SYNTAX Unsigned32 1574 MAX-ACCESS not-accessible 1575 STATUS current 1576 DESCRIPTION 1577 "The security parameters index of the SA." 
1578 REFERENCE"RFC 2406 Section 2.1" 1579 ::= { ipsecSaEspOutEntry 3 } 1581 ipsecSaEspOutSelector OBJECT-TYPE 1582 SYNTAX Unsigned32 1583 MAX-ACCESS read-only 1584 STATUS current 1585 DESCRIPTION 1586 "The index of the selector table row for this suite. In 1587 other words, the value of 'selectorIndex' for the 1588 appropriate row ('SelectorEntry') from the 'selectorTable'" 1589 ::= { ipsecSaEspOutEntry 4 } 1591 ipsecSaEspOutCreator OBJECT-TYPE 1592 SYNTAX IpsecSaCreatorIdent 1593 MAX-ACCESS read-only 1594 STATUS current 1595 DESCRIPTION 1596 "The creator of this SA. 1598 This MIB makes no assumptions about how the SAs are created. 1599 They may be created statically, or by a key exchange 1600 protocol such as IKE, or by some other method." 1601 ::= { ipsecSaEspOutEntry 5 } 1603 ipsecSaEspOutEncapsulation OBJECT-TYPE 1604 SYNTAX IpsecDoiEncapsulationMode 1605 MAX-ACCESS read-only 1606 STATUS current 1607 DESCRIPTION 1608 "The type of encapsulation used by this SA." 1609 ::= { ipsecSaEspOutEntry 6 } 1611 ipsecSaEspOutEncAlg OBJECT-TYPE 1612 SYNTAX IpsecDoiEspTransform 1613 MAX-ACCESS read-only 1614 STATUS current 1615 DESCRIPTION 1616 "A unique value representing the encryption algorithm 1617 applied to traffic." 1618 ::= { ipsecSaEspOutEntry 7 } 1620 ipsecSaEspOutEncKeyLength OBJECT-TYPE 1621 SYNTAX Unsigned32 (0..65531) 1622 UNITS "bits" 1623 MAX-ACCESS read-only 1624 STATUS current 1625 DESCRIPTION 1626 "The length of the encryption key in bits used for the 1627 algorithm specified in the ipsecSaEspOutEncAlg object. It 1628 may be 0 if the key length is implicit in the specified 1629 algorithm or there is no encryption specified." 1630 ::= { ipsecSaEspOutEntry 8 } 1632 ipsecSaEspOutAuthAlg OBJECT-TYPE 1633 SYNTAX IpsecDoiAuthAlgorithm 1634 MAX-ACCESS read-only 1635 STATUS current 1636 DESCRIPTION 1637 "A unique value representing the hash algorithm applied to 1638 traffic." 
1639 ::= { ipsecSaEspOutEntry 9 } 1641 ipsecSaEspOutAuthKeyLength OBJECT-TYPE 1642 SYNTAX Unsigned32 (0..65531) 1643 UNITS "bits" 1644 MAX-ACCESS read-only 1645 STATUS current 1646 DESCRIPTION 1647 "The length of the authentication key in bits used for the 1648 algorithm specified in the ipsecSaEspOutAuthAlg object. It 1649 may be 0 if the key length is implicit in the specified 1650 algorithm or there is no authentication specified." 1651 ::= { ipsecSaEspOutEntry 10 } 1653 ipsecSaEspOutLimitSeconds OBJECT-TYPE 1654 SYNTAX Unsigned32 1655 UNITS "seconds" 1656 MAX-ACCESS read-only 1657 STATUS current 1658 DESCRIPTION 1659 "The maximum lifetime in seconds of the SA, or 0 if there is 1660 no time constraint on its expiration. 1662 The display value is limited to 4294967295 seconds (more 1663 than 136 years); values greater than that value will be 1664 truncated." 1665 ::= { ipsecSaEspOutEntry 11 } 1667 ipsecSaEspOutLimitKbytes OBJECT-TYPE 1668 SYNTAX Unsigned32 1669 UNITS "Kilobytes" 1670 MAX-ACCESS read-only 1671 STATUS current 1672 DESCRIPTION 1673 "The maximum traffic in Kilobytes (1024 bytes) that the SA 1674 is allowed to process, or 0 if there is no traffic 1675 constraint on its expiration. 1677 The display value is limited to 4294967295 Kilobytes; values 1678 greater than that value will be truncated." 1679 ::= { ipsecSaEspOutEntry 12 } 1681 ipsecSaEspOutAccSeconds OBJECT-TYPE 1682 SYNTAX Counter32 1683 UNITS "seconds" 1684 MAX-ACCESS read-only 1685 STATUS current 1686 DESCRIPTION 1687 "The number of seconds accumulated against the SA's 1688 expiration by time. 1690 This is also the number of seconds that the SA has existed." 1691 ::= { ipsecSaEspOutEntry 13 } 1693 ipsecSaEspOutAccKbytes OBJECT-TYPE 1694 SYNTAX Counter32 1695 UNITS "Kilobytes" 1696 MAX-ACCESS read-only 1697 STATUS current 1698 DESCRIPTION 1699 "The amount of traffic handled by the SA that could 1700 accumulate against a traffic expiration limit, measured in 1701 Kilobytes (1024 bytes). 
1703 If the SA expires based on traffic, this value counts 1704 against the SA's expiration by traffic limitation. If the SA 1705 does not expire based on traffic, this value may be 0 to 1706 indicate that the counter is not being used." 1707 ::= { ipsecSaEspOutEntry 14 } 1709 ipsecSaEspOutUserOctets OBJECT-TYPE 1710 SYNTAX Counter64 1711 UNITS "bytes" 1712 MAX-ACCESS read-only 1713 STATUS current 1714 DESCRIPTION 1715 "The amount of user level traffic measured in bytes handled 1716 by the SA. This is the number of bytes of the unencrypted IP 1717 packet, including the original IP header of that unencrypted 1718 packet. 1720 Traffic from packets dropped due to errors is not included 1721 in this total. 1723 This is not necessarily the same as the amount of traffic 1724 applied against the traffic expiration limit due to padding 1725 or other protocol specific overhead." 1726 ::= { ipsecSaEspOutEntry 15 } 1728 ipsecSaEspOutPackets OBJECT-TYPE 1729 SYNTAX Counter64 1730 UNITS "packets" 1731 MAX-ACCESS read-only 1732 STATUS current 1733 DESCRIPTION 1734 "The number of packets successfully handled by the SA. 1735 Packets dropped due to errors are not included in this 1736 count." 1737 ::= { ipsecSaEspOutEntry 16 } 1739 ipsecSaEspOutSendErrors OBJECT-TYPE 1740 SYNTAX Counter32 1741 UNITS "packets" 1742 MAX-ACCESS read-only 1743 STATUS current 1744 DESCRIPTION 1745 "The number of packets discarded by the SA due to any error. 1746 This may include errors due to a lack of transmit buffers." 1747 ::= { ipsecSaEspOutEntry 17 } 1749 -- the IPsec Outbound AH MIB-Group 1750 -- 1751 -- a collection of objects providing information about 1752 -- IPsec Outbound AH SAs 1754 ipsecSaAhOutTable OBJECT-TYPE 1755 SYNTAX SEQUENCE OF IpsecSaAhOutEntry 1756 MAX-ACCESS not-accessible 1757 STATUS current 1758 DESCRIPTION 1759 "The (conceptual) table containing information on IPsec 1760 Outbound AH SAs. 
1762 There should be one row for every outbound AH security 1763 association that exists in the entity. The maximum number of 1764 rows is implementation dependent." 1765 ::= { saTables 6 } 1767 ipsecSaAhOutEntry OBJECT-TYPE 1768 SYNTAX IpsecSaAhOutEntry 1769 MAX-ACCESS not-accessible 1770 STATUS current 1771 DESCRIPTION 1772 "An entry (conceptual row) containing the information on a 1773 particular IPsec Outbound AH SA. 1775 A row in this table cannot be created or deleted by SNMP 1776 operations on columns of the table." 1777 INDEX { 1778 ipsecSaAhOutAddressType, 1779 ipsecSaAhOutAddress, 1780 ipsecSaAhOutSpi 1781 } 1782 ::= { ipsecSaAhOutTable 1 } 1784 IpsecSaAhOutEntry::= SEQUENCE { 1786 -- identification 1787 ipsecSaAhOutAddressType InetAddressType, 1788 ipsecSaAhOutAddress InetAddress, 1789 ipsecSaAhOutSpi Unsigned32, 1791 -- SA selector 1792 ipsecSaAhOutSelector Unsigned32, 1794 -- how created 1795 ipsecSaAhOutCreator IpsecSaCreatorIdent, 1797 -- security services description 1798 ipsecSaAhOutEncapsulation IpsecDoiEncapsulationMode, 1799 ipsecSaAhOutAuthAlg IpsecDoiAhTransform, 1800 ipsecSaAhOutAuthKeyLength Unsigned32, 1802 -- expiration limits 1803 ipsecSaAhOutLimitSeconds Unsigned32, -- sec., 0 if none 1804 ipsecSaAhOutLimitKbytes Unsigned32, -- 0 if none 1806 -- current operating statistics 1807 ipsecSaAhOutAccSeconds Counter32, 1808 ipsecSaAhOutAccKbytes Counter32, 1809 ipsecSaAhOutUserOctets Counter64, 1810 ipsecSaAhOutPackets Counter64, 1812 -- error statistics 1813 ipsecSaAhOutSendErrors Counter32 1815 } 1817 ipsecSaAhOutAddressType OBJECT-TYPE 1818 SYNTAX InetAddressType 1819 MAX-ACCESS not-accessible 1820 STATUS current 1821 DESCRIPTION 1822 "The type of address used by the destination address of the 1823 SA." 1824 ::= { ipsecSaAhOutEntry 1 } 1826 ipsecSaAhOutAddress OBJECT-TYPE 1827 SYNTAX InetAddress (SIZE(4|16|20)) 1828 MAX-ACCESS not-accessible 1829 STATUS current 1830 DESCRIPTION 1831 "The destination address of the SA." 
1832 ::= { ipsecSaAhOutEntry 2 } 1834 ipsecSaAhOutSpi OBJECT-TYPE 1835 SYNTAX Unsigned32 1836 MAX-ACCESS not-accessible 1837 STATUS current 1838 DESCRIPTION 1839 "The security parameters index of the SA." 1840 REFERENCE"RFC 2402 Section 2.4" 1841 ::= { ipsecSaAhOutEntry 3 } 1843 ipsecSaAhOutSelector OBJECT-TYPE 1844 SYNTAX Unsigned32 1845 MAX-ACCESS read-only 1846 STATUS current 1847 DESCRIPTION 1848 "The index of the selector table row for this suite. In 1849 other words, the value of 'selectorIndex' for the 1850 appropriate row ('SelectorEntry') from the 'selectorTable'" 1851 ::= { ipsecSaAhOutEntry 4 } 1853 ipsecSaAhOutCreator OBJECT-TYPE 1854 SYNTAX IpsecSaCreatorIdent 1855 MAX-ACCESS read-only 1856 STATUS current 1857 DESCRIPTION 1858 "The creator of this SA. 1860 This MIB makes no assumptions about how the SAs are created. 1861 They may be created statically, or by a key exchange 1862 protocol such as IKE, or by some other method." 1863 ::= { ipsecSaAhOutEntry 5 } 1865 ipsecSaAhOutEncapsulation OBJECT-TYPE 1866 SYNTAX IpsecDoiEncapsulationMode 1867 MAX-ACCESS read-only 1868 STATUS current 1869 DESCRIPTION 1870 "The type of encapsulation used by this SA." 1871 ::= { ipsecSaAhOutEntry 6 } 1873 ipsecSaAhOutAuthAlg OBJECT-TYPE 1874 SYNTAX IpsecDoiAhTransform 1875 MAX-ACCESS read-only 1876 STATUS current 1877 DESCRIPTION 1878 "A unique value representing the hash algorithm applied to 1879 traffic carried by this SA." 1880 ::= { ipsecSaAhOutEntry 7 } 1882 ipsecSaAhOutAuthKeyLength OBJECT-TYPE 1883 SYNTAX Unsigned32 (0..65531) 1884 UNITS "bits" 1885 MAX-ACCESS read-only 1886 STATUS current 1887 DESCRIPTION 1888 "The length of the authentication key in bits used for the 1889 algorithm specified in the ipsecSaAhOutAuthAlg object. It 1890 may be 0 if the key length is implicit in the specified 1891 algorithm." 
    ::= { ipsecSaAhOutEntry 8 }

ipsecSaAhOutLimitSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The maximum lifetime in seconds of the SA, or 0 if there is
        no time constraint on its expiration.

        The display value is limited to 4294967295 seconds (more
        than 136 years); values greater than that value will be
        truncated."
    ::= { ipsecSaAhOutEntry 9 }

ipsecSaAhOutLimitKbytes OBJECT-TYPE
    SYNTAX Unsigned32
    UNITS "Kilobytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The maximum traffic in Kilobytes (1024 bytes) that the SA
        is allowed to process, or 0 if there is no traffic
        constraint on its expiration.

        The display value is limited to 4294967295 Kilobytes; values
        greater than that value will be truncated."
    ::= { ipsecSaAhOutEntry 10 }

ipsecSaAhOutAccSeconds OBJECT-TYPE
    SYNTAX Counter32
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of seconds accumulated against the SA's
        expiration by time.

        This is also the number of seconds that the SA has existed."
    ::= { ipsecSaAhOutEntry 11 }

ipsecSaAhOutAccKbytes OBJECT-TYPE
    SYNTAX Counter32
    UNITS "Kilobytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The amount of traffic handled by the SA that could
        accumulate against a traffic expiration limit, measured in
        Kilobytes (1024 bytes).

        If the SA expires based on traffic, this value counts
        against the SA's expiration by traffic limitation. If the SA
        does not expire based on traffic, this value may be 0 to
        indicate that the counter is not being used."
    ::= { ipsecSaAhOutEntry 12 }

ipsecSaAhOutUserOctets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "bytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled
        by the SA. This is the number of bytes of the unprocessed IP
        packet, including the original IP header of that unprocessed
        packet.

        Traffic from packets dropped due to errors is not included
        in this total.

        This is not necessarily the same as the amount of traffic
        applied against the traffic expiration limit due to padding
        or other protocol specific overhead."
    ::= { ipsecSaAhOutEntry 13 }

ipsecSaAhOutPackets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets successfully handled by the SA.
        Packets dropped due to errors are not included in this
        count."
    ::= { ipsecSaAhOutEntry 14 }

ipsecSaAhOutSendErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets discarded by the SA due to any error.
        This may include errors due to a lack of transmit buffers."
    ::= { ipsecSaAhOutEntry 15 }

-- the IPsec Outbound IPcomp MIB-Group
--
-- a collection of objects providing information about
-- IPsec Outbound IPcomp SAs

ipsecSaIpcompOutTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsecSaIpcompOutEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The (conceptual) table containing information on IPsec
        Outbound IPcomp SAs.

        There should be one row for every outbound IPcomp (security)
        association that exists in the entity. The maximum number of
        rows is implementation dependent."
    ::= { saTables 7 }

ipsecSaIpcompOutEntry OBJECT-TYPE
    SYNTAX IpsecSaIpcompOutEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular IPsec Outbound IPcomp SA.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX {
        ipsecSaIpcompOutAddressType,
        ipsecSaIpcompOutAddress,
        ipsecSaIpcompOutCpi
    }
    ::= { ipsecSaIpcompOutTable 1 }

IpsecSaIpcompOutEntry ::= SEQUENCE {

    -- identification
    ipsecSaIpcompOutAddressType         InetAddressType,
    ipsecSaIpcompOutAddress             InetAddress,
    ipsecSaIpcompOutCpi                 IpsecDoiIpcompTransform,

    -- SA selector
    ipsecSaIpcompOutSelector            Unsigned32,

    -- how created
    ipsecSaIpcompOutCreator             IpsecSaCreatorIdent,

    -- security services description
    ipsecSaIpcompOutEncapsulation       IpsecDoiEncapsulationMode,
    ipsecSaIpcompOutCompAlg             IpsecDoiIpcompTransform,

    -- current operating statistics
    ipsecSaIpcompOutSeconds             Counter32,
    ipsecSaIpcompOutUserOctets          Counter64,
    ipsecSaIpcompOutUserPackets         Counter64,
    ipsecSaIpcompOutOutputOctets        Counter64,
    ipsecSaIpcompOutCompressedPackets   Counter64,
    ipsecSaIpcompOutCompressedOctets    Counter64
}

ipsecSaIpcompOutAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The type of address used by the destination address of the
        SA.

        If the IPcomp SA is shared across multiple SAs in security
        association suites, this value may be 0 to indicate that the
        addresses to which this SA applies cannot be expressed with a
        single InetAddressType/InetAddress pair."
    ::= { ipsecSaIpcompOutEntry 1 }

ipsecSaIpcompOutAddress OBJECT-TYPE
    SYNTAX InetAddress (SIZE(0|4|16|20))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The destination address of the SA.

        If the IPcomp SA is shared across multiple SAs in security
        association suites, this value may be zero-length to
        indicate that the addresses to which this SA applies cannot
        be expressed with a single InetAddressType/InetAddress pair."
    ::= { ipsecSaIpcompOutEntry 2 }

ipsecSaIpcompOutCpi OBJECT-TYPE
    SYNTAX IpsecDoiIpcompTransform
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The CPI of the SA. Since the lower values of CPIs are
        reserved to be the same as the algorithm, the syntax for
        this object is the same as the transform."
    REFERENCE "RFC 2393 Section 3.3"
    ::= { ipsecSaIpcompOutEntry 3 }

ipsecSaIpcompOutSelector OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index of the selector table row for this suite. In
        other words, the value of 'selectorIndex' for the
        appropriate row ('SelectorEntry') from the 'selectorTable'.

        This value may be 0 if this SA is used with multiple SAs in
        security association suites to indicate that this SA is
        applied to multiple rows from the 'selectorTable'."
    ::= { ipsecSaIpcompOutEntry 4 }

ipsecSaIpcompOutCreator OBJECT-TYPE
    SYNTAX IpsecSaCreatorIdent
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The creator of this SA.

        This MIB makes no assumptions about how the SAs are created.
        They may be created statically, or by a key exchange
        protocol such as IKE, or by some other method."
    ::= { ipsecSaIpcompOutEntry 11 }

ipsecSaIpcompOutEncapsulation OBJECT-TYPE
    SYNTAX IpsecDoiEncapsulationMode
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of encapsulation used by this SA."
    ::= { ipsecSaIpcompOutEntry 12 }

ipsecSaIpcompOutCompAlg OBJECT-TYPE
    SYNTAX IpsecDoiIpcompTransform
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A unique value representing the compression algorithm
        applied to traffic."
    ::= { ipsecSaIpcompOutEntry 13 }

ipsecSaIpcompOutSeconds OBJECT-TYPE
    SYNTAX Counter32
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of seconds that the SA has existed."
    ::= { ipsecSaIpcompOutEntry 14 }

ipsecSaIpcompOutUserOctets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "bytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The amount of user level traffic measured in bytes received
        by the SA. This is the number of bytes of the uncompressed
        IP packet, including the original IP header of that
        uncompressed packet."
    ::= { ipsecSaIpcompOutEntry 15 }

ipsecSaIpcompOutUserPackets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received for handling by the SA. This
        includes packets that were both compressed and not
        compressed."
    ::= { ipsecSaIpcompOutEntry 16 }

ipsecSaIpcompOutOutputOctets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "bytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The amount of traffic measured in bytes output by the SA.
        This includes byte counts from packets compressed by the SA
        and also packets not modified by the SA.

        Dividing the value of ipsecSaIpcompOutUserOctets by the
        value of this object gives a compression performance metric
        for the SA."
    ::= { ipsecSaIpcompOutEntry 17 }

ipsecSaIpcompOutCompressedPackets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets sent from the SA that were
        compressed.

        The number of packets sent from the SA that were not
        compressed can be calculated by subtracting the value of
        this object from the value of ipsecSaIpcompOutUserPackets."
    ::= { ipsecSaIpcompOutEntry 18 }

ipsecSaIpcompOutCompressedOctets OBJECT-TYPE
    SYNTAX Counter64
    UNITS "bytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The amount of traffic measured in bytes output by the SA
        that is in packets that were compressed.

        The amount of uncompressed traffic can be calculated by
        subtracting the value of this object from the value of
        ipsecSaIpcompOutOutputOctets."
    ::= { ipsecSaIpcompOutEntry 19 }

--
-- optional tables for monitoring network performance via statistics
-- on the anti-replay counter mechanisms in incoming ESP and AH SAs.
--

--
-- ESP table
--

ipsecSaEspReplayTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsecSaEspReplayEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The (conceptual) table containing information on the replay
        counter events on IPsec inbound ESP SAs.

        There should be one row in this table for every inbound ESP
        security association where ipsecSaEspInRepWinSize is
        non-zero in ipsecSaEspInTable. The maximum number of rows is
        implementation dependent.

        If any variable in this table is non-zero, it indicates that
        the underlying IP network is reordering, losing, or
        duplicating packets. While these are perfectly legal things
        for it to do, they can and will affect the performance of
        this security association."
    ::= { saTables 8 }

ipsecSaEspReplayEntry OBJECT-TYPE
    SYNTAX IpsecSaEspReplayEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (conceptual row) containing the information on the
        replay counter events in a particular IPsec inbound ESP SA.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX {
        ipsecSaEspInAddressType,
        ipsecSaEspInAddress,
        ipsecSaEspInSpi
    }
    ::= { ipsecSaEspReplayTable 1 }

IpsecSaEspReplayEntry ::= SEQUENCE {

    -- event counters
    ipsecSaEspReplaysBeyondWindow    Counter32,
    ipsecSaEspReplaysOutOfOrder      Counter32,

    -- error counters
    ipsecSaEspReplaysBeforeWindow    Counter32,
    ipsecSaEspReplaysDuplicate       Counter32,
    ipsecSaEspReplaysZero            Counter32
}

ipsecSaEspReplaysBeyondWindow OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was greater than the previous
        highest received anti-replay value by the replay window size
        or greater.

        This may be caused by either significant packet losses by
        the IP network, or by major reordering of packets."
    REFERENCE "RFC 2401 Appendix C: /* This packet has a 'way
        larger' */ "
    ::= { ipsecSaEspReplayEntry 1 }

ipsecSaEspReplaysOutOfOrder OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was less than the highest
        received value, but was within the replay window.

        This may be caused by packet reordering by the IP network."
    REFERENCE "RFC 2401 Appendix C: /* out of order but good */ "
    ::= { ipsecSaEspReplayEntry 2 }

ipsecSaEspReplaysBeforeWindow OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was less than the previous
        highest received anti-replay value by at least the replay
        window size.

        This may be caused by significant packet reordering by the
        IP network, very delayed packet duplication, or by a replay
        attack.

        The object ipsecSaEspInReplayErrors (of same INDEX) will be
        incremented by one each time this object is incremented."
    REFERENCE "RFC 2401 Appendix C: /* too old or wrapped */ "
    ::= { ipsecSaEspReplayEntry 3 }

ipsecSaEspReplaysDuplicate OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was within the replay window
        size, and the same anti-replay value had already been seen.

        This may be caused by packet duplication by the IP network,
        or by a replay attack.

        The object ipsecSaEspInReplayErrors (of same INDEX) will be
        incremented by one each time this object is incremented."
    REFERENCE "RFC 2401 Appendix C: /* already seen */ "
    ::= { ipsecSaEspReplayEntry 4 }

ipsecSaEspReplaysZero OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet is zero.

        This may be caused by a programming error at the remote node
        causing it to send an initial anti-replay value of 0, or
        continuing to transmit after the anti-replay counter wraps.

        The object ipsecSaEspInReplayErrors (of same INDEX) will be
        incremented by one each time this object is incremented."
    REFERENCE "RFC 2401 Appendix C: /* first == 0 or wrapped */ "
    ::= { ipsecSaEspReplayEntry 5 }

--
-- AH table
--

ipsecSaAhReplayTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsecSaAhReplayEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The (conceptual) table containing information on the replay
        counter events on IPsec inbound AH SAs.

        There should be one row in this table for every inbound AH
        security association where ipsecSaAhInRepWinSize is non-zero
        in ipsecSaAhInTable. The maximum number of rows is
        implementation dependent.

        If any variable in this table is non-zero, it indicates that
        the underlying IP network is reordering, losing, or
        duplicating packets. While these are perfectly legal things
        for it to do, they can and will affect the performance of
        this security association."
    ::= { saTables 9 }

ipsecSaAhReplayEntry OBJECT-TYPE
    SYNTAX IpsecSaAhReplayEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (conceptual row) containing the information on the
        replay counter events in a particular IPsec inbound AH SA.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX {
        ipsecSaAhInAddressType,
        ipsecSaAhInAddress,
        ipsecSaAhInSpi
    }
    ::= { ipsecSaAhReplayTable 1 }

IpsecSaAhReplayEntry ::= SEQUENCE {

    -- event counters
    ipsecSaAhReplaysBeyondWindow     Counter32,
    ipsecSaAhReplaysOutOfOrder       Counter32,

    -- error counters
    ipsecSaAhReplaysBeforeWindow     Counter32,
    ipsecSaAhReplaysDuplicate        Counter32,
    ipsecSaAhReplaysZero             Counter32
}

ipsecSaAhReplaysBeyondWindow OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was greater than the previous
        highest received anti-replay value by the replay window size
        or greater.

        This may be caused by either significant packet losses by
        the IP network, or by major reordering of packets."
    REFERENCE "RFC 2401 Appendix C: /* This packet has a way
        larger */ "
    ::= { ipsecSaAhReplayEntry 1 }

ipsecSaAhReplaysOutOfOrder OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was less than the highest
        received value, but was within the replay window.

        This may be caused by packet reordering by the IP network."
    REFERENCE "RFC 2401 Appendix C: /* out of order but good */ "
    ::= { ipsecSaAhReplayEntry 2 }

ipsecSaAhReplaysBeforeWindow OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was less than the previous
        highest received anti-replay value by at least the replay
        window size.

        This may be caused by significant packet reordering by the
        IP network, very delayed packet duplication, or by a replay
        attack.

        The object ipsecSaAhInReplayErrors (of same INDEX) will be
        incremented by one each time this object is incremented."
    REFERENCE "RFC 2401 Appendix C: /* too old or wrapped */ "
    ::= { ipsecSaAhReplayEntry 3 }

ipsecSaAhReplaysDuplicate OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet was within the replay window
        size, and the same anti-replay value had already been seen.

        This may be caused by packet duplication by the IP network,
        or by a replay attack.

        The object ipsecSaAhInReplayErrors (of same INDEX) will be
        incremented by one each time this object is incremented."
    REFERENCE "RFC 2401 Appendix C: /* already seen */ "
    ::= { ipsecSaAhReplayEntry 4 }

ipsecSaAhReplaysZero OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received on this SA where the
        anti-replay value in the packet is zero.

        This may be caused by a programming error at the remote node
        causing it to send an initial anti-replay value of 0, or
        continuing to transmit after the anti-replay counter wraps.

        The object ipsecSaAhInReplayErrors (of same INDEX) will be
        incremented by one each time this object is incremented."
    REFERENCE "RFC 2401 Appendix C: /* first == 0 or wrapped */ "
    ::= { ipsecSaAhReplayEntry 5 }

--
-- entity IPsec statistics
--

ipsecEspCurrentInboundSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The current number of inbound ESP SAs in the entity."
    ::= { saStatistics 1 }

ipsecEspTotalInboundSAs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of inbound ESP SAs created in the entity
        since boot time."
    ::= { saStatistics 2 }

ipsecEspCurrentOutboundSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The current number of outbound ESP SAs in the entity."
    ::= { saStatistics 3 }

ipsecEspTotalOutboundSAs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound ESP SAs created in the entity
        since boot time."
    ::= { saStatistics 4 }

ipsecAhCurrentInboundSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The current number of inbound AH SAs in the entity."
    ::= { saStatistics 5 }

ipsecAhTotalInboundSAs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of inbound AH SAs created in the entity
        since boot time."
    ::= { saStatistics 6 }

ipsecAhCurrentOutboundSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The current number of outbound AH SAs in the entity."
    ::= { saStatistics 7 }

ipsecAhTotalOutboundSAs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound AH SAs created in the entity
        since boot time."
    ::= { saStatistics 8 }

ipsecIpcompCurrentInboundSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The current number of inbound IPcomp SAs in the entity."
    ::= { saStatistics 9 }

ipsecIpcompTotalInboundSAs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of inbound IPcomp SAs created in the
        entity since boot time."
    ::= { saStatistics 10 }

ipsecIpcompCurrentOutboundSAs OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The current number of outbound IPcomp SAs in the entity."
    ::= { saStatistics 11 }

ipsecIpcompTotalOutboundSAs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound IPcomp SAs created in the
        entity since boot time."
    ::= { saStatistics 12 }

--
-- IPsec error counts
--

ipsecDecryptionErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by the entity in SAs
        since boot time with detectable decryption errors. Not all
        decryption errors are detectable within SA processing, so
        this count should not be considered definitive."
    ::= { saErrors 1 }

ipsecAuthenticationErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by the entity in SAs
        since boot time with authentication errors.

        This includes all packets in which the hash value is
        determined to be invalid, for both ESP and AH SAs."
    ::= { saErrors 2 }

ipsecReplayErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by the entity in SAs
        since boot time with replay errors."
    ::= { saErrors 3 }

ipsecPolicyErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by the entity in SAs
        since boot time and discarded due to policy errors. This
        includes packets that had selectors that were invalid for
        the SA that carried them, and also includes packets that
        arrived at the entity in the clear and that should have been
        protected by IPsec or should have been dropped."
    ::= { saErrors 4 }

ipsecOtherReceiveErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by the entity in SAs
        since boot time and discarded due to errors not due to
        decryption, authentication, replay or policy."
    ::= { saErrors 5 }

ipsecSendErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets to be sent by the entity in SAs
        since boot time and discarded due to errors."
    ::= { saErrors 6 }

ipsecUnknownSpiErrors OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by the entity since
        boot time with SPIs or CPIs that were not valid."
    ::= { saErrors 7 }

--
-- traps
--

--
-- some objects used in trap reporting
--

ipsecSecurityProtocol OBJECT-TYPE
    SYNTAX IpsecDoiSecProtocolId
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A security protocol associated with the trap."
    ::= { saTrapObjects 1 }

ipsecSPI OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "An SPI associated with a trap.
        Where the security protocol
        associated with the trap is IPcomp, this value has a maximum
        of 65535."
    ::= { saTrapObjects 2 }

ipsecLocalAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The type of a local IP address associated with a trap."
    ::= { saTrapObjects 3 }

ipsecLocalAddress OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16|20))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A local IP address associated with a trap."
    ::= { saTrapObjects 4 }

ipsecPeerAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "The type of a peer IP address associated with a trap."
    ::= { saTrapObjects 5 }

ipsecPeerAddress OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16|20))
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "A peer IP address associated with a trap."
    ::= { saTrapObjects 6 }

--
-- trap control
--

espAuthFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether espAuthFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 1 }

ahAuthFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether ahAuthFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 2 }

espReplayFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether espReplayFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 3 }

ahReplayFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether ahReplayFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 4 }

espPolicyFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether espPolicyFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 5 }

ahPolicyFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether ahPolicyFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 6 }

invalidSpiTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether invalidSpiTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 7 }

otherPolicyFailureTrapEnable OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Indicates whether otherPolicyFailureTrap traps should be
        generated."
    DEFVAL { false }
    ::= { saTrapControl 8 }

--
-- the traps themselves
--

espAuthFailureTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecSaEspInAuthErrors
    }
    STATUS current
    DESCRIPTION
        "IPsec packets with invalid hashes were found in an inbound
        ESP SA. The total number of authentication errors
        accumulated is sent for the specific row of the
        ipsecSaEspInTable table for the SA; this provides the
        identity of the SA in which the error occurred.

        Implementations SHOULD send one trap per SA (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { saTraps 0 1 }

ahAuthFailureTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecSaAhInAuthErrors
    }
    STATUS current
    DESCRIPTION
        "IPsec packets with invalid hashes were found in an inbound
        AH SA. The total number of authentication errors accumulated
        is sent for the specific row of the ipsecSaAhInTable table
        for the SA; this provides the identity of the SA in which
        the error occurred.

        Implementations SHOULD send one trap per SA (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { saTraps 0 2 }

espReplayFailureTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecSaEspInReplayErrors
    }
    STATUS current
    DESCRIPTION
        "IPsec packets with invalid sequence numbers were found in
        an inbound ESP SA. The total number of replay errors
        accumulated is sent for the specific row of the
        ipsecSaEspInTable table for the SA; this provides the
        identity of the SA in which the error occurred.

        Implementations SHOULD send one trap per SA (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { saTraps 0 3 }

ahReplayFailureTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecSaAhInReplayErrors
    }
    STATUS current
    DESCRIPTION
        "IPsec packets with invalid sequence numbers were found in
        the specified AH SA. The total number of replay errors
        accumulated is sent for the specific row of the
        ipsecSaAhInTable table for the SA; this provides the
        identity of the SA in which the error occurred.

        Implementations SHOULD send one trap per SA (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { saTraps 0 4 }

espPolicyFailureTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecSaEspInPolicyErrors
    }
    STATUS current
    DESCRIPTION
        "IPsec packets carrying packets with invalid selectors for
        the specified ESP SA were found.
        The total number of policy
        errors accumulated is sent for the specific row of the
        ipsecSaEspInTable table for the SA; this provides the
        identity of the SA in which the error occurred.

        Implementations SHOULD send one trap per SA (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { saTraps 0 5 }

ahPolicyFailureTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecSaAhInPolicyErrors
    }
    STATUS current
    DESCRIPTION
        "IPsec packets carrying packets with invalid selectors for
        the specified AH SA were found. The total number of policy
        errors accumulated is sent for the specific row of the
        ipsecSaAhInTable table for the SA; this provides the
        identity of the SA in which the error occurred.

        Implementations SHOULD send one trap per SA (within a
        reasonable time period), rather than sending one trap per
        packet."
    ::= { saTraps 0 6 }

espInvalidSpiTrap NOTIFICATION-TYPE
    OBJECTS {
        ipsecLocalAddress,
        ipsecSecurityProtocol,
        ipsecPeerAddress,
        ipsecSPI,
        ifIndex
    }
    STATUS current
    DESCRIPTION
        "A packet with an unknown SPI was detected from the
        specified peer with the specified SPI using the specified
        protocol. The destination address of the received packet is
        specified by ipsecLocalAddress.

        The value ifIndex may be 0 if this optional linkage is
        unsupported.

        If the object ipsecSecurityProtocol has the value for
        IPcomp, then the ipsecSPI object is the CPI of the packet.

        Implementations SHOULD send one trap per peer (within a
        reasonable time period), rather than sending one trap per
        packet."
2958 ::= { saTraps 0 7 } 2960 otherPolicyFailureTrap NOTIFICATION-TYPE 2961 OBJECTS { 2962 ipsecPolicyErrors, 2963 ipsecPeerAddress, 2964 ipsecLocalAddress 2965 } 2966 STATUS current 2967 DESCRIPTION 2968 "Clear packets were found that should not have been sent to 2969 the entity in the clear. The total number of policy errors 2970 accumulated by the entity is sent, along with the source and 2971 destination addresses of the packet that triggered the trap. 2973 Implementations SHOULD send one trap per source address pair 2974 (within a reasonable time period), rather than sending one 2975 trap per packet." 2976 ::= { saTraps 0 8 } 2978 -- 2979 -- Units of Conformance (Object Groups) 2980 -- 2982 -- 2983 -- Authors' note: Index objects are commented out, since the current 2984 -- SMI does not allow objects with a MAX-ACCESS clause of 2985 -- 'not-accessible' to be put in groups. 2986 -- 2988 selectorGroup OBJECT-GROUP 2989 OBJECTS 2990 { 2991 -- selectorIndex, 2992 selectorLocalId, selectorLocalIdType, selectorRemoteId, 2993 selectorRemoteIdType, selectorProtocol, selectorLocalPort, 2994 selectorRemotePort 2995 } 2996 STATUS current 2997 DESCRIPTION 2998 "A collection of objects that describe IKE phase 2 2999 selectors." 
        ::= { saGroups 1 }

    ipsecSaEspGroup OBJECT-GROUP
        OBJECTS {
            -- ipsecSaEspInAddressType, ipsecSaEspInAddress,
            -- ipsecSaEspInSpi,
            ipsecSaEspInSelector, ipsecSaEspInCreator,
            ipsecSaEspInEncapsulation, ipsecSaEspInEncAlg,
            ipsecSaEspInEncKeyLength, ipsecSaEspInAuthAlg,
            ipsecSaEspInAuthKeyLength, ipsecSaEspInRepWinSize,
            ipsecSaEspInLimitSeconds, ipsecSaEspInLimitKbytes,
            ipsecSaEspInAccSeconds, ipsecSaEspInAccKbytes,
            ipsecSaEspInUserOctets, ipsecSaEspInPackets,
            ipsecSaEspInDecryptErrors, ipsecSaEspInAuthErrors,
            ipsecSaEspInReplayErrors, ipsecSaEspInPolicyErrors,
            ipsecSaEspInPadErrors, ipsecSaEspInOtherReceiveErrors,
            -- ipsecSaEspOutAddressType, ipsecSaEspOutAddress,
            -- ipsecSaEspOutSpi,
            ipsecSaEspOutSelector, ipsecSaEspOutCreator,
            ipsecSaEspOutEncapsulation, ipsecSaEspOutEncAlg,
            ipsecSaEspOutAuthKeyLength, ipsecSaEspOutEncKeyLength,
            ipsecSaEspOutAuthAlg, ipsecSaEspOutLimitSeconds,
            ipsecSaEspOutLimitKbytes, ipsecSaEspOutAccSeconds,
            ipsecSaEspOutAccKbytes, ipsecSaEspOutUserOctets,
            ipsecSaEspOutPackets, ipsecSaEspOutSendErrors,
            ipsecEspCurrentInboundSAs, ipsecEspTotalInboundSAs,
            ipsecEspCurrentOutboundSAs, ipsecEspTotalOutboundSAs
        }
        STATUS current
        DESCRIPTION
            "A collection of objects that describe the state of the
            security associations of the ESP protocol."
        ::= { saGroups 2 }

    ipsecSaAhGroup OBJECT-GROUP
        OBJECTS {
            -- ipsecSaAhInAddressType, ipsecSaAhInAddress,
            -- ipsecSaAhInSpi,
            ipsecSaAhInSelector, ipsecSaAhInCreator,
            ipsecSaAhInEncapsulation, ipsecSaAhInAuthAlg,
            ipsecSaAhInAuthKeyLength, ipsecSaAhInRepWinSize,
            ipsecSaAhInLimitSeconds, ipsecSaAhInLimitKbytes,
            ipsecSaAhInAccSeconds, ipsecSaAhInAccKbytes,
            ipsecSaAhInUserOctets, ipsecSaAhInPackets,
            ipsecSaAhInAuthErrors, ipsecSaAhInReplayErrors,
            ipsecSaAhInPolicyErrors, ipsecSaAhInOtherReceiveErrors,
            -- ipsecSaAhOutAddressType, ipsecSaAhOutAddress,
            -- ipsecSaAhOutSpi,
            ipsecSaAhOutSelector, ipsecSaAhOutCreator,
            ipsecSaAhOutEncapsulation, ipsecSaAhOutAuthAlg,
            ipsecSaAhOutAuthKeyLength, ipsecSaAhOutLimitSeconds,
            ipsecSaAhOutLimitKbytes, ipsecSaAhOutAccSeconds,
            ipsecSaAhOutAccKbytes, ipsecSaAhOutUserOctets,
            ipsecSaAhOutPackets, ipsecSaAhOutSendErrors,
            ipsecAhCurrentInboundSAs, ipsecAhTotalInboundSAs,
            ipsecAhCurrentOutboundSAs, ipsecAhTotalOutboundSAs
        }
        STATUS current
        DESCRIPTION
            "A collection of objects that describe the state of the
            security associations of the AH protocol."
        ::= { saGroups 3 }

    ipsecSaIpcompGroup OBJECT-GROUP
        OBJECTS {
            -- ipsecSaIpcompInAddressType, ipsecSaIpcompInAddress,
            -- ipsecSaIpcompInCpi,
            ipsecSaIpcompInSelector, ipsecSaIpcompInCreator,
            ipsecSaIpcompInEncapsulation, ipsecSaIpcompInDecompAlg,
            ipsecSaIpcompInSeconds, ipsecSaIpcompInInputOctets,
            ipsecSaIpcompInUserOctets, ipsecSaIpcompInUserPackets,
            ipsecSaIpcompInCompressedPackets,
            ipsecSaIpcompInCompressedOctets,
            ipsecSaIpcompInDecompErrors,
            ipsecSaIpcompInOtherReceiveErrors,
            -- ipsecSaIpcompOutAddressType, ipsecSaIpcompOutAddress,
            -- ipsecSaIpcompOutCpi,
            ipsecSaIpcompOutSelector, ipsecSaIpcompOutCreator,
            ipsecSaIpcompOutEncapsulation, ipsecSaIpcompOutCompAlg,
            ipsecSaIpcompOutSeconds, ipsecSaIpcompOutUserOctets,
            ipsecSaIpcompOutOutputOctets, ipsecSaIpcompOutUserPackets,
            ipsecSaIpcompOutCompressedPackets,
            ipsecSaIpcompOutCompressedOctets,
            ipsecIpcompCurrentInboundSAs, ipsecIpcompTotalInboundSAs,
            ipsecIpcompCurrentOutboundSAs, ipsecIpcompTotalOutboundSAs
        }
        STATUS current
        DESCRIPTION
            "A collection of objects that describe the state of the
            security associations of the IPcomp protocol."
        ::= { saGroups 4 }

    ipsecSaErrorsGroup OBJECT-GROUP
        OBJECTS {
            ipsecDecryptionErrors, ipsecAuthenticationErrors,
            ipsecReplayErrors, ipsecPolicyErrors,
            ipsecOtherReceiveErrors, ipsecUnknownSpiErrors,
            ipsecSendErrors
        }
        STATUS current
        DESCRIPTION
            "A collection of objects providing global IPsec error
            counters."
        ::= { saGroups 5 }

    ipsecSaFailureTrapEnableGroup OBJECT-GROUP
        OBJECTS {
            espAuthFailureTrapEnable, ahAuthFailureTrapEnable,
            espReplayFailureTrapEnable, ahReplayFailureTrapEnable,
            espPolicyFailureTrapEnable, ahPolicyFailureTrapEnable,
            invalidSpiTrapEnable, otherPolicyFailureTrapEnable
        }
        STATUS current
        DESCRIPTION
            "A collection of objects providing control over trap
            generation."
        ::= { saGroups 6 }

    ipsecSaTrapArgumentGroup OBJECT-GROUP
        OBJECTS {
            ipsecSecurityProtocol, ipsecSPI, ipsecLocalAddressType,
            ipsecLocalAddress, ipsecPeerAddressType, ipsecPeerAddress
        }
        STATUS current
        DESCRIPTION
            "A collection of objects used only as arguments in traps."
        ::= { saGroups 7 }

    ipsecSaEspReplayGroup OBJECT-GROUP
        OBJECTS {
            ipsecSaEspReplaysBeyondWindow, ipsecSaEspReplaysOutOfOrder,
            ipsecSaEspReplaysBeforeWindow, ipsecSaEspReplaysDuplicate,
            ipsecSaEspReplaysZero
        }
        STATUS current
        DESCRIPTION
            "A collection of objects used to monitor anti-replay events
            on inbound ESP SAs."
        ::= { saGroups 8 }

    ipsecSaAhReplayGroup OBJECT-GROUP
        OBJECTS {
            ipsecSaAhReplaysBeyondWindow, ipsecSaAhReplaysOutOfOrder,
            ipsecSaAhReplaysBeforeWindow, ipsecSaAhReplaysDuplicate,
            ipsecSaAhReplaysZero
        }
        STATUS current
        DESCRIPTION
            "A collection of objects used to monitor anti-replay events
            on inbound AH SAs."
        ::= { saGroups 9 }

    ipsecSaFailureTrapGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            espAuthFailureTrap, ahAuthFailureTrap, espReplayFailureTrap,
            ahReplayFailureTrap, espPolicyFailureTrap,
            ahPolicyFailureTrap, espInvalidSpiTrap,
            otherPolicyFailureTrap
        }
        STATUS current
        DESCRIPTION
            "A collection of traps."
        ::= { saGroups 10 }

    --
    -- Compliance statements
    --

    ipsecSaMonitorCompliance MODULE-COMPLIANCE
        STATUS current
        DESCRIPTION
            "The compliance statement for SNMPv2 entities which
            implement the IPsec Monitoring MIB."
        MODULE -- this module
            MANDATORY-GROUPS {
                selectorGroup, ipsecSaEspGroup, ipsecSaAhGroup,
                ipsecSaErrorsGroup, ipsecSaFailureTrapEnableGroup,
                ipsecSaTrapArgumentGroup, ipsecSaFailureTrapGroup
            }

            -- Anti-replay monitoring tables are optional

            GROUP ipsecSaEspReplayGroup
            DESCRIPTION
                "This group is optional, to be implemented on those
                systems which want to provide detailed counters for
                specific unusual and error events in the anti-replay
                monitoring function for ESP SAs."

            GROUP ipsecSaAhReplayGroup
            DESCRIPTION
                "This group is optional, to be implemented on those
                systems which want to provide detailed counters for
                specific unusual and error events in the anti-replay
                monitoring function for AH SAs."

            GROUP ipsecSaIpcompGroup
            DESCRIPTION
                "This group is mandatory only for those systems that
                implement the IPcomp protocol as a part of the IPsec
                suite."

            -- DNS names support is not required

            -- Authors' note: The following statements are commented out,
            -- since the current SMI does not allow objects with a
            -- MAX-ACCESS clause of not-accessible to be put in groups,
            -- and objects that are not in groups cannot be in
            -- compliance statements.

            -- OBJECT ipsecSaEspInAddressType
            -- SYNTAX INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses."

            -- OBJECT ipsecSaAhInAddressType
            -- SYNTAX INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses."

            -- OBJECT ipsecSaIpcompInAddressType
            -- SYNTAX INTEGER { unknown(0), ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses. Also, if it supports IPcomp SAs,
            --     it must be able to support an unknown address type
            --     for IPcomp SAs that may be shared across security
            --     association suites."

            -- OBJECT ipsecSaEspOutAddressType
            -- SYNTAX INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses."

            -- OBJECT ipsecSaAhOutAddressType
            -- SYNTAX INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses."

            -- OBJECT ipsecSaIpcompOutAddressType
            -- SYNTAX INTEGER { unknown(0), ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses. Also, if it supports IPcomp SAs,
            --     it must be able to support an unknown address type
            --     for IPcomp SAs that may be shared across security
            --     association suites."

            -- OBJECT ipsecLocalAddressType
            -- SYNTAX INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses."

            -- OBJECT ipsecPeerAddressType
            -- SYNTAX INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4
            --     and IPv6 addresses."

            -- Allow all the trap controls to be read-only

            OBJECT espAuthFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

            OBJECT ahAuthFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

            OBJECT espReplayFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

            OBJECT ahReplayFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

            OBJECT espPolicyFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

            OBJECT ahPolicyFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."
            OBJECT invalidSpiTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

            OBJECT otherPolicyFailureTrapEnable
            MIN-ACCESS read-only
            DESCRIPTION
                "If an implementation cannot properly secure this
                variable against unauthorized write access, it
                SHOULD implement it as read-only, to prevent the
                security risk of enabling the traps. Of course,
                there must be other means of controlling the
                generation of the associated trap."

        ::= { saConformance 1 }

    END

6. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IPsec SAs. While some of the information is readily
   available by monitoring the traffic into an entity, other information
   may provide attackers with more information than an administrator may
   desire.

   Some of the specific concerns are related to the display of the
   algorithms and key lengths associated with encryption, and the
   feedback of error counters and traps that enable an attacker to
   quickly determine the effect of his or her attacks.

   Specific examples of this include, but are not limited to:

   o  Replay counts that tell attackers that replay values are being
      checked, and what the current window is.

   o  Specific algorithms and key lengths are displayed, giving
      attackers a better idea of how to attack.

   o  Specific traffic counts, giving attackers more information for
      traffic analysis.

   Of particular concern is the ability to disable the transmission of
   traps. The traps defined in this MIB may appear due to badly
   configured systems and transient error conditions, but they may also
   appear due to attacks. If an attacker can disable these traps, they
   reduce some of the warnings that may be provided to system
   administrators.

   It is thus important to control even GET access to these objects, and
   possibly even to encrypt the values of these objects when sending them
   over the network via SNMP. Not all versions of SNMP provide features
   for such a secure environment.

   SNMPv1 by itself is not a secure environment. Even if the network
   itself is secure (for example by using IPsec), there is still no
   control as to who on the secure network is allowed to access and
   GET/SET (read/change/create/delete) the objects in this MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework. Specifically, the use of the
   User-based Security Model RFC 2574 [RFC2574] and the View-based
   Access Control Model RFC 2575 [RFC2575] is recommended.

   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

7. Acknowledgments

   This document was begun and mostly developed by Tim Jenkins and John
   Shriver. The editor listed for this document (Paul Hoffman) only
   shepherded the last steps before final publication.

   This document is based in part on an earlier proposal titled "draft-
   ietf-ipsec-mib-xx.txt". That series was abandoned, since it included
   application-specific constructs in addition to the IPsec-only
   objects.

   Portions of the original document were based on the working paper
   "IP Security Management Information Base" by R.
   Thayer and U. Blumenthal.

   Contributions to the IPsec MIB series of documents come from D.
   McDonald, M. Baugher, C. Brooks, C. Powell, M. Daniele, T. Kivinen,
   J. Walker, S. Kelly, J. Leonard, M. Richardson, R. Charlet, S.
   Waters, M. Zallocco, R. Murphy and others participating in the IPsec
   WG.

8. References

8.1 Normative references

   [ADDRMIB] Daniele, M., Haberman, B., Routhier, S., and J.
             Schoenwaelder, "Textual Conventions for Internet Network
             Addresses", RFC 2851, June 2000.

   [IGMIB]   McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB
             using SMIv2", RFC 2233.

   [IPSECTC] Shriver, J., "IPsec DOI Textual Conventions MIB",
             draft-ietf-ipsec-doi-tc-mib-05, work in progress.

   [RFC1155] Rose, M. and K. McCloghrie, "Structure and Identification
             of Management Information for TCP/IP-based Internets",
             STD 16, RFC 1155, May 1990.

   [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
             Network Management Protocol", STD 15, RFC 1157, May 1990.

   [RFC1212] Rose, M. and K. McCloghrie, "Concise MIB Definitions",
             STD 16, RFC 1212, March 1991.

   [RFC1215] Rose, M., "A Convention for Defining Traps for use with the
             SNMP", RFC 1215, March 1991.

   [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Introduction to Community-based SNMPv2", RFC 1901,
             January 1996.

   [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Protocol Operations for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Transport Mappings for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
             "Introduction to Version 3 of the Internet-standard Network
             Management Framework", RFC 2570, April 1999.

   [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An
             Architecture for Describing SNMP Management Frameworks",
             RFC 2571, April 1999.

   [RFC2572] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
             "Message Processing and Dispatching for the Simple Network
             Management Protocol (SNMP)", RFC 2572, April 1999.

   [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
             RFC 2573, April 1999.

   [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model
             (USM) for version 3 of the Simple Network Management
             Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
             Access Control Model (VACM) for the Simple Network
             Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Structure of Management
             Information Version 2 (SMIv2)", STD 58, RFC 2578,
             April 1999.

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Textual Conventions for
             SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Conformance Statements for
             SMIv2", STD 58, RFC 2580, April 1999.

8.2 Non-normative references

   [AH]      Kent, S. and R. Atkinson, "IP Authentication Header",
             RFC 2402, November 1998.

   [ESP]     Kent, S. and R. Atkinson, "IP Encapsulating Security
             Payload (ESP)", RFC 2406, November 1998.

   [IKE]     Harkins, D. and D. Carrel, "The Internet Key Exchange
             (IKE)", RFC 2409, November 1998.

   [IPCOMP]  Shacham, A., Monsour, R., Pereira, R., and M. Thomas, "IP
             Payload Compression Protocol (IPcomp)", RFC 3173,
             September 2001.

   [IPDOI]   Piper, D., "The Internet IP Security Domain of
             Interpretation for ISAKMP", RFC 2407, November 1998.

   [ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and J. Turner,
             "Internet Security Association and Key Management Protocol
             (ISAKMP)", RFC 2408, November 1998.

   [SECARCH] Kent, S. and R. Atkinson, "Security Architecture for the
             Internet Protocol", RFC 2401, November 1998.

A. Changes from -05 to -06

   [[ To be removed when published as an RFC ]]

   - Changed the authors' names to the editor's name.

   - Added acknowledgement for the original authors.

   - Minor formatting changes.

   - Split the references into normative and non-normative.

   NOTE: There are still lines that talk about things that need to be
   changed before release of the RFC (search for "release").
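   Every NOTIFICATION-TYPE in the module above ends with the same
   requirement: one trap per SA (or per peer, or per source address
   pair) within a reasonable time period rather than one per packet,
   with the trap carrying the counter value accumulated so far; section
   6 adds that the *TrapEnable objects gating emission must not be
   writable by untrusted principals. The Python below is an added
   example, not part of this draft or of any IPsec implementation, of an
   agent-side trap emitter that follows those rules. Trap, counter and
   enable object names are the MIB's own; the TrapCoalescer class, the
   TRAP_SPEC table layout, the 60-second window, and the addresses,
   SPIs and event sequence in demo() are all constructed for
   illustration (the window length is a local policy choice the draft
   leaves to implementations, and espAuthFailureTrap's varbind is
   assumed by analogy with ahAuthFailureTrap since its definition is
   outside this excerpt).

```python
"""Coalesced trap emission for the IPsec Monitoring MIB (added example).

Names are the MIB's; the table layout, the class and all sample values
are constructed here, not taken from any implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (counter varbind or None, counter scope, gating *TrapEnable object).
# espInvalidSpiTrap's OBJECTS identify the offending packet, not a counter;
# otherPolicyFailureTrap carries the entity-wide ipsecPolicyErrors total.
# espAuthFailureTrap's varbind is assumed by analogy with ahAuthFailureTrap.
TRAP_SPEC: Dict[str, Tuple[Optional[str], str, str]] = {
    "espAuthFailureTrap":     ("ipsecSaEspInAuthErrors",   "row",    "espAuthFailureTrapEnable"),
    "ahAuthFailureTrap":      ("ipsecSaAhInAuthErrors",    "row",    "ahAuthFailureTrapEnable"),
    "espReplayFailureTrap":   ("ipsecSaEspInReplayErrors", "row",    "espReplayFailureTrapEnable"),
    "ahReplayFailureTrap":    ("ipsecSaAhInReplayErrors",  "row",    "ahReplayFailureTrapEnable"),
    "espPolicyFailureTrap":   ("ipsecSaEspInPolicyErrors", "row",    "espPolicyFailureTrapEnable"),
    "ahPolicyFailureTrap":    ("ipsecSaAhInPolicyErrors",  "row",    "ahPolicyFailureTrapEnable"),
    "espInvalidSpiTrap":      (None,                       "none",   "invalidSpiTrapEnable"),
    "otherPolicyFailureTrap": ("ipsecPolicyErrors",        "global", "otherPolicyFailureTrapEnable"),
}


@dataclass(frozen=True)
class Trap:
    name: str
    key: tuple                               # SA row index, peer, or address pair
    varbinds: Tuple[Tuple[str, object], ...]


class TrapCoalescer:
    """At most one trap per (trap, key) per `window` seconds; counters always advance."""

    def __init__(self, window: float, enable: Dict[str, bool]) -> None:
        self.window = window
        self.enable = enable                 # models the *TrapEnable objects
        self.counters: Dict[Tuple[Optional[str], tuple], int] = {}
        self.last_sent: Dict[Tuple[str, tuple], float] = {}
        self.suppressed: Dict[Tuple[str, tuple], int] = {}

    def observe(self, trap: str, key: tuple, now: float,
                extra: Optional[Dict[str, object]] = None) -> Optional[Trap]:
        counter, scope, enable_obj = TRAP_SPEC[trap]
        ck = (counter, key if scope == "row" else ())   # per-row or entity-wide counter
        if counter is not None:
            self.counters[ck] = self.counters.get(ck, 0) + 1
        if not self.enable.get(enable_obj, False):
            return None                      # trap disabled: counted, never notified
        slot = (trap, key)
        last = self.last_sent.get(slot)
        if last is not None and now - last < self.window:
            self.suppressed[slot] = self.suppressed.get(slot, 0) + 1
            return None                      # same SA/peer/pair inside the window
        self.last_sent[slot] = now
        varbinds: List[Tuple[str, object]] = []
        if counter is not None:
            varbinds.append((counter, self.counters[ck]))   # accumulated total, per the DESCRIPTIONs
        varbinds.extend(sorted((extra or {}).items()))
        return Trap(trap, key, tuple(varbinds))

    def counter(self, obj: str, key: tuple = ()) -> int:
        return self.counters.get((obj, key), 0)


def demo() -> Dict[str, object]:
    """Replays a constructed burst of events; returns what a manager would see."""
    enable = {spec[2]: True for spec in TRAP_SPEC.values()}
    enable["otherPolicyFailureTrapEnable"] = False   # operator has switched this one off
    agent = TrapCoalescer(window=60.0, enable=enable)
    sa = ("ipv4", "192.0.2.1", 0x1000)       # constructed inbound AH SA row: (type, addr, SPI)
    sent: List[Trap] = []
    # 50 packets with bad ICVs in a 10 s burst on one SA: one trap, then silence.
    for i in range(50):
        t = agent.observe("ahAuthFailureTrap", sa, now=100.0 + 0.2 * i)
        if t is not None:
            sent.append(t)
    # One more bad packet after the window: a second trap carrying the total (51).
    t = agent.observe("ahAuthFailureTrap", sa, now=200.0)
    if t is not None:
        sent.append(t)
    # Unknown SPIs from two constructed peers: one trap per peer, not per packet.
    for peer, spi in [("198.51.100.7", 0xDEAD), ("198.51.100.7", 0xBEEF), ("198.51.100.9", 0x42)]:
        t = agent.observe("espInvalidSpiTrap", (peer,), now=150.0,
                          extra={"ipsecLocalAddress": "192.0.2.1", "ipsecSecurityProtocol": "esp",
                                 "ipsecPeerAddress": peer, "ipsecSPI": spi, "ifIndex": 0})
        if t is not None:
            sent.append(t)
    # Cleartext that policy forbids, while its trap is disabled: counted, not notified.
    agent.observe("otherPolicyFailureTrap", ("203.0.113.5", "192.0.2.1"), now=160.0)
    return {
        "sent": sent,
        "ah_auth_errors": agent.counter("ipsecSaAhInAuthErrors", sa),
        "policy_errors": agent.counter("ipsecPolicyErrors"),
        "suppressed": dict(agent.suppressed),
    }
```

   demo() emits four traps for 55 events: the first AH authentication
   failure (counter 1), one more after the window has expired (counter
   51), and one espInvalidSpiTrap per peer. The suppressed dictionary
   records how many per-packet notifications the window absorbed, which
   is the figure an operator can reconcile against the polled counter
   to confirm that coalescing lost no information. The disabled
   otherPolicyFailureTrap still increments ipsecPolicyErrors, which is
   why section 6 wants the enable objects protected: with the trap off,
   only a poller that reads the counter will notice the event.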