Internet Engineering Task Force                             Tim Jenkins
IP Security Working Group                          TimeStep Corporation
Internet Draft                                        November 30, 1998

                          IPSec Monitoring MIB

Status of this Memo

This document is a submission to the IETF Internet Protocol Security (IPSEC) Working Group. Comments are solicited and should be addressed to the working group mailing list (ipsec@tis.com) or to the editor.

This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Distribution of this memo is unlimited.

Copyright Notice

This document is a product of the IETF's IPSec Working Group. Copyright (C) The Internet Society (1998). All Rights Reserved.

IPSec Working Group                                             [Page 1]
Internet Draft             IPSec Monitoring MIB            November 1998

Table of Contents

1.  Introduction                                                      2
2.  The SNMPv2 Network Management Framework                           3
2.1 Object Definitions                                                4
3.  IPSec MIB Objects Architecture                                    4
3.1 Tunnel MIB and Interface MIB Consideration                        5
3.2 MIB Concepts                                                      5
3.2.1 Transient Channels and Tunnels                                  5
3.2.2 Permanent Channels and Tunnels                                  6
3.2.3 IKE SAs and Control Channels                                    6
3.2.4 IPSec SAs and IPSec Virtual Tunnels                             7
3.3 MIB Tables                                                        9
3.4 Static IPSec SA and Protection Suite Use                         10
3.5 Asymmetric Use                                                   10
3.6 Notify Messages                                                  12
3.7 IPSec MIB Traps                                                  12
3.8 IPSec Entity Level Objects                                       12
4.  MIB Definitions                                                  13
5.  Security Considerations                                          57
6.  Acknowledgements                                                 58
7.  References                                                       58
8.  Revision History                                                 60
9.  Appendix A                                                       61

1. Introduction

This document defines monitoring and status MIBs for IPSec. It does not define MIBs that may be used for configuring IPSec implementations or for providing low-level diagnostic or debugging information. Further, it does not provide policy information. Those MIBs may be defined in later versions of this document or in other documents.

The purpose of the MIBs is to allow system administrators to determine operating conditions and perform system operational level monitoring of the IPSec portion of their network. Statistics are provided as well.

The IPSec MIB definitions use a virtual tunnel model, in which there can be configured permanent tunnels or transient tunnels. The virtual tunnel model is used to allow the use of IPSec from a virtual private networking (VPN) point of view. This allows users of IPSec based products to get similar monitoring and statistical information from an IPSec based VPN as they would from a VPN based on other technologies, such as Frame Relay.

Finally, the objects defined perhaps represent a somewhat simplified view of security associations. This is done for the purposes of expediency and for simplification of presentation. Also, some information about SAs has been intentionally left out to reduce the security risk if SNMP traffic becomes compromised.

2. The SNMPv2 Network Management Framework

The SNMP Management Framework presently consists of five major components:

o  An overall architecture, described in RFC 2271 [2271].

o  Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second version, called SMIv2, is described in RFC 1902 [1902], RFC 1903 [1903] and RFC 1904 [1904].

o  Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [1901] and RFC 1906 [1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272] and RFC 2274 [2274].

o  Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [1905].

o  A set of fundamental applications described in RFC 2273 [2273] and the view-based access control mechanism described in RFC 2275 [2275].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

2.1 Object Definitions

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type.

3. IPSec MIB Objects Architecture

The IPSec MIB provides information related to both phase 1 or Internet Key Exchange (IKE) security associations (SAs) and phase 2 (or IPSec) SAs. Configuration about the SAs is provided, as are statistics related to the SAs themselves.

Since one of the uses of IPSec implementations is to provide Virtual Private Network (VPN) services in place of other private network services such as leased lines or frame relay networks, there exists a need to provide the same type of monitoring capability. To support this, the concept of virtual tunnels is developed. Additionally, the concepts of transient and permanent tunnels are also developed.

Additionally, since IPSec itself has many structures, and because VPN service providers may be interested in different kinds of statistics, the MIB provides a number of aggregate totals. These totals are provided to allow system administrators to take snapshots of system behaviour without excessive SNMP traffic on the network.
3.1 Tunnel MIB and Interface MIB Consideration

It should be noted that the MIBs here are not extensions of the Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach was rejected for a number of reasons, including:

o  The types of parameters required for those MIBs are not appropriate for IPSec MIBs. The parameters required for IPSec tunnels are related to security services and statistics associated with handling those services. There are no parameters like that associated with the Tunnel MIB.

o  The virtual tunnels created by IPSec SAs may be independent of other logical interfaces; this is an implementation issue. The IPSec layer may be placed in a number of locations on the host implementation. These locations may be above the IP layer, within the IP layer, or just below it. Therefore, the mapping of the IPSec virtual tunnels to tunnels described by the tunnel MIB is implementation dependent.

o  The tunnel end point definitions are not the same as those used by the tunnel MIB. The Tunnel MIB uniquely defines tunnels by a simple source and destination IP address pair. This is only a specific subset of the identifiers needed for IPSec virtual tunnels.

3.2 MIB Concepts

There are four concepts needed to describe the structure of the MIB. These concepts are the IKE control channel, the IKE SAs, the IPSec virtual tunnel and the IPSec protection suite. IPSec SAs are considered a subset of protection suites. Also important in this document are the concepts of permanence and transience.

3.2.1 Transient Channels and Tunnels

Transient channels and tunnels are made up of SAs and protection suites that normally go up and down, such as those created by a dial-in client implementation. Additionally, these SAs and protection suites are prone to being torn down in an impolite manner. As an example, system administrators typically do not want to have alarms going off when these SAs and protection suites are torn down because an end user disconnected his or her modem before performing a normal dial-up networking shut down. By necessity, this applies to both the IKE control channels and the IPSec tunnels created by them.

3.2.2 Permanent Channels and Tunnels

Permanent channels and tunnels are made up of SAs and protection suites that a system administrator considers of significant importance in a VPN implementation. These SAs and protection suites would typically be from one IPSec gateway to another and be used as the link between two corporate networks. As such, the network administrator would want alarms to go off when one of these virtual tunnels goes down under any circumstance.

How implementations specify which tunnels are permanent versus transient is implementation dependent, and therefore beyond the scope of this document.

3.2.3 IKE SAs and Control Channels

Phase 1 or IKE SAs as negotiated by IKE are presented in a table. Individual SAs are represented in part by a row from the IKE SA table. Each row is uniquely identified by its cookies. Also included is SA state information, connection information, security information, expiration information and traffic statistics. Other information, such as the security provided by the SAs, is included in a control channel table row. An explanation of the use of control channels follows.

The primary use of phase 1 SAs is to allow host implementations to exchange keying material for phase 2 negotiations and to perform IPSec SA and protection suite management. Additionally, implementations may also use this channel to perform other functions, such as peer configuration.
Since the host implementation, at a high level, does not necessarily care which particular phase 1 SA it uses to perform these functions, the concept of an IKE control channel is introduced as a logical entity to indicate the virtual channel created by the existence of phase 1 SAs established between two peers. The need for this abstraction is also in part due to the ability of IPSec SAs and protection suites to exist beyond the expiration of the IKE SA that created them.

Control channels appear in their own table, and each row describes a single control channel, to which multiple phase 1 SAs may be logically attached. The IKE control channel is uniquely identified by the IDs at each end, since it is a logical peer to peer communications channel. It contains information common to all phase 1 SAs that create it, and aggregate statistics for those phase 1 SAs. Additionally, it contains aggregate statistics for all phase 2 SAs created by it.

Finally, it contains the information related to the authentication of the peer that negotiated the phase 1 SAs with it. This includes certificate information, specifically the issuer name and serial, even though it is meaningless in pre-shared key authentication mode. This is due to the importance of this information in many VPN implementations. The distinguished name of the certificate is not provided; it may be the ID used for phase 1 negotiation. If the ID used for phase 1 negotiation is not the certificate's distinguished name, it should be one of the alternate names encoded in the certificate.

Note that since the security service provided by the phase 1 SAs appears in the IKE SA table, implementations may allow a single control channel to provide multiple security services. There is no requirement that implementations support this.

Phase 1 control channels may be transient or permanent. A transient control channel disappears from the table when it goes down; a permanent control channel does not. The status of a permanent control channel can be determined by the number of active phase 1 SAs attached to it.

It is recommended that implementations place permanent control channels in the table before all transient control channels, and that the order of permanent control channels displayed in the table does not change.

3.2.4 IPSec SAs and IPSec Virtual Tunnels

IPSec SAs created between peers are identified by the peer IP address, the SPI (CPI for IPCOMP) and the service provided by the SA. In this document, the term service refers to one of IPCOMP, ESP and AH. These are often referred to as security services; the concept is generalized somewhat in this document since IPCOMP is not technically a "security" service.

Further, in this document, IPSec SAs are considered a subset of protection suites, and as such, appear in the IPSec protection suite table.

IPSec protection suites are as defined by [ISAKMP]. These are multiple services that are negotiated in a single quick mode exchange. Of the result, [ISAKMP] states: "All of the protections in a suite must be treated as a single unit." For this reason, the protection suites as presented in the MIB all assume that all services in the protection suite live and die at the same time.

Also in this document, an IPSec SA is effectively a protection suite that provides only a single service.

When multiple services are provided in a protection suite, the order is implicit, based on statements found in [ARCH] and [IPCOMP]. The order assumed is IPCOMP before ESP before AH. However, since the order is implicit, implementations are free to choose different orders; this cannot be shown in the MIB.

Some implementations may create SA bundles by the separate negotiation of different services. In these cases, the separately negotiated SAs or suites should appear on separate lines of the protection suite table. In these cases, the MIB does not show the order of application of the services in the bundle.

Virtual IPSec tunnels are created by the existence of IPSec SAs and protection suites, either statically created, or created by IKE. The tunnel concept comes from the effect of services on packets that are handled by protection suites.

As a packet encounters an IPSec implementation, either in a security gateway or as a layer in a protocol stack, a policy decision causes the packet to be handed to a protection suite for processing. The protection suite then performs a service (including possibly compression) on the packet, then adds at least one new header and sends the packet into the normal IP stream for routing. (The only time no header is added is when the only service provided by the protection suite is compression, it is a transport mode protection suite, and the packet is not compressible.)

When the secured (and possibly compressed) packet arrives at its destination, the peer IPSec implementation removes the added header or headers and reverse processes the packet. Another policy lookup is then done to make sure the packet was appropriately handled by the sending peer.

Since the original packet is conceptually "hidden" between the two IPSec implementations, it can be considered tunneled. To help conceptually, if ESP could be negotiated with no encryption and no authentication, it would provide services very similar to IP-in-IP.

The specific protection suite chosen by the policy lookup is based on what are called the selectors. The selectors are the packet's source IP address, its destination IP address, its layer 4 protocol and its layer 4 protocol source and destination port numbers.
The policy system uses this information to assign the packet to a protection suite for handling. Since it is irrelevant to the packet which specific protection suite provided the services, and since all protection suites with the same selectors normally provide the same service, the existence of any and all protection suites assigned to the selectors effectively creates a tunnel for the packets. In other words, the tunnel created by the protection suites is identified by the selectors used to assign the security services to the packet. The selectors are explained in detail in [SECARCH].

3.3 MIB Tables

The MIB uses four tables that are linked as shown as an example in Figure 3-1. Here, the four tables are the IKE control channel table, the IKE SA table, the IPSec virtual tunnel table and the IPSec protection suite table.

The IKE control channel table is shown with two entries. Both have two active phase 1 SAs that support each of them. The first also has created two IPSec tunnels, each supported by two IPSec protection suites numbered 1 and 6, and 2 and 5 respectively. The second IKE channel has a single IPSec tunnel, which is supported by two IPSec protection suites, numbered 3 and 4.

A different diagram that is intended to show the tunnels that exist between two IPSec gateways is shown in Figure 3-2. Two host groups each are shown behind the IPSec gateways. Shown are the IKE control channel between the gateways and four possible IPSec virtual tunnels. The control channel has two active phase 1 SAs. Of the four possible virtual tunnels, one is shown with two IPSec SAs in it. One of these SAs may be just about to expire, while the other may have been created in anticipation of the expiration of the first. These SAs are the SAs that provide the service, supporting the existence of the tunnel.

[Figure 3-1 IPSec Monitoring MIB Structure (diagram not reproduced). It shows the four linked tables: ipsecIkeConChanTable (information and statistics on the control channel; aggregate information about IKE SAs and about IPSec tunnels) holding Con. Chan. 1 and Con. Chan. 2; ipsecIkeSaTable (information on specific phase 1 SAs) holding IKE SA 1 and IKE SA 2 attached to channel 1 and IKE SA 3 and IKE SA 4 attached to channel 2; ipsecTunnelTable (information and statistics on the IPSec virtual tunnels) holding IPSec Tunnel 1 and 2 created by channel 1 and IPSec Tunnel 3 created by channel 2, where the links from control channels to tunnels exist only if the IPSec protection suites are not static; and ipsecSaTable (information on specific IPSec protection suites) holding PS 1 and PS 6 under Tunnel 1, PS 2 and PS 5 under Tunnel 2, and PS 3 and PS 4 under Tunnel 3. PS - Protection Suite.]

3.4 Static IPSec SA and Protection Suite Use

IPSec protection suites and SAs that are statically keyed do not point back to IKE control channel table entries. Implementations that do not use IKE at all will create empty phase 1 tables.

3.5 Asymmetric Use

This MIB is defined assuming symmetric use of SAs and protection suites. That is to say that it assumes that an inbound SA is always set up with a corresponding outbound SA that provides the same security service.
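The selector-keyed tunnel model of sections 3.2.4 and 3.3, as an added example that is not code from the draft: a Python sketch that groups protection suite rows by their selectors into virtual tunnels, applies the implicit IPCOMP-before-ESP-before-AH order to the services of each suite, and marks a bundle negotiated separately (rows sharing selectors but not services) as one whose order the MIB cannot show. The table layout, the Selectors and ProtectionSuite classes, the use of 0 as an "any" wildcard, and all addresses, SPIs and lifetimes are constructed assumptions, not objects defined by this MIB.

```python
from collections import defaultdict
from dataclasses import dataclass

# Implicit order of services inside one protection suite (section 3.2.4):
# IPCOMP is applied before ESP, which is applied before AH.
SERVICE_ORDER = {"IPCOMP": 0, "ESP": 1, "AH": 2}


@dataclass(frozen=True)
class Selectors:
    """The selectors that identify a virtual tunnel (section 3.2.4).
    Protocol/port value 0 is a constructed 'any' wildcard, not a MIB rule."""
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


@dataclass
class ProtectionSuite:
    """One row of a hypothetical protection suite table. A suite that
    provides a single service is simply an IPSec SA."""
    row: int                 # row index in the table
    peer: str                # peer gateway address
    selectors: Selectors
    services: tuple          # services negotiated together in one quick mode
    spis: dict               # service -> SPI (CPI for IPCOMP); constructed values
    lifetime_left: int       # seconds until the suite expires; constructed

    def __post_init__(self):
        if not self.services:
            raise ValueError("a protection suite provides at least one service")
        unknown = set(self.services) - set(SERVICE_ORDER)
        if unknown:
            raise ValueError(f"unknown service(s): {sorted(unknown)}")
        if set(self.spis) != set(self.services):
            raise ValueError("every service in the suite needs exactly one SPI/CPI")


def ordered_services(suite):
    """Services of one suite in the implicit application order."""
    return tuple(sorted(suite.services, key=SERVICE_ORDER.__getitem__))


def build_tunnels(suites):
    """Group suites by selectors: every suite assigned to the same selectors
    supports the same virtual tunnel, whichever one handles a given packet."""
    tunnels = defaultdict(list)
    for suite in suites:
        tunnels[suite.selectors].append(suite)
    return dict(tunnels)


def summarize_tunnels(suites):
    """Per tunnel: supporting rows, each row's ordered services, the row that
    expires next (the other row is usually its pre-negotiated replacement, as
    in Figure 3-2), and whether the application order across rows is known.
    Rows of a separately negotiated bundle share selectors but not services,
    so their relative order is not shown by the MIB."""
    summary = {}
    for selectors, members in build_tunnels(suites).items():
        members = sorted(members, key=lambda s: s.row)
        summary[selectors] = {
            "rows": [s.row for s in members],
            "services": [ordered_services(s) for s in members],
            "expires_next": min(members, key=lambda s: s.lifetime_left).row,
            "order_known": len({s.services for s in members}) == 1,
        }
    return summary


# Constructed sample rows, following the host names of Figure 3-2.
GW2 = "192.0.2.2"
SEL_H11_H21 = Selectors("10.1.1.11", "10.2.1.21", 6, 0, 0)    # TCP, any port
SEL_H11_H22 = Selectors("10.1.1.11", "10.2.1.22", 17, 0, 0)   # UDP, any port
SEL_H12_H21 = Selectors("10.1.1.12", "10.2.1.21", 0, 0, 0)    # any protocol

SAMPLE_SUITES = [
    ProtectionSuite(1, GW2, SEL_H11_H21, ("ESP",), {"ESP": 0x1001}, 30),
    ProtectionSuite(2, GW2, SEL_H11_H22, ("AH", "ESP", "IPCOMP"),
                    {"AH": 0x2001, "ESP": 0x2002, "IPCOMP": 0x0101}, 3000),
    ProtectionSuite(3, GW2, SEL_H12_H21, ("ESP",), {"ESP": 0x3001}, 2000),
    ProtectionSuite(4, GW2, SEL_H12_H21, ("AH",), {"AH": 0x3002}, 2000),
    ProtectionSuite(6, GW2, SEL_H11_H21, ("ESP",), {"ESP": 0x1002}, 3570),
]

if __name__ == "__main__":
    for selectors, info in summarize_tunnels(SAMPLE_SUITES).items():
        print(selectors.src_ip, "->", selectors.dst_ip, info)
```

Rows 1 and 6 land in the same tunnel because their selectors match; row 1 is the one about to expire. Rows 3 and 4 also share a tunnel but were negotiated as separate single-service suites, so the summary reports their order as unknown, which is exactly the limitation section 3.2.4 describes.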
[Figure 3-2 Illustration of IPSec Tunnels (diagram not reproduced). Gateways G1 and G2 are shown with hosts H11 and H12 behind G1 and hosts H21 and H22 behind G2. Between the gateways is one IKE control channel containing IKE SA 1 and IKE SA 2, with aggregate IPSec statistics. Four data tunnels are shown, H11 to H21, H11 to H22, H12 to H21 and H12 to H22, each with aggregate PS statistics; the H11 to H21 tunnel contains two IPSec PSs with H11 and H21 selectors. PS - Protection Suite.]

In cases where this MIB is required for asymmetric use, the corresponding objects that describe the unused direction may be set to the equivalent of the unknown or zero state.

3.6 Notify Messages

Notify messages sent from peer to peer are not necessarily sent as traps. However, they are collected as they occur and accumulated in a sparse table structure. A notify message object is defined. This object is used as the index into the table of accumulated notify messages. This helps system administrators determine if there are potential configuration problems or attacks on their network.

3.7 IPSec MIB Traps

Traps are provided to let system administrators know about the existence of error conditions occurring in the entity. Errors are associated with the creation and deletion of protection suites, and also operational errors that may indicate the presence of attacks on the system.

Traps are not provided when protection suites and tunnels come up or go down, unless they go down due to error conditions. It should be noted that the termination of a permanent tunnel is normally considered an error condition, while the termination of a transient tunnel is not normally considered an error.

The causes of protection suite negotiation failure are indicated by a notify message object.

3.8 IPSec Entity Level Objects

This part of the MIB carries statistics global to the IPSec device. Statistics included are aggregate errors, aggregate numbers associated with protection suites, permanent tunnels and transient tunnels. The statistics are provided as objects in a tree below these groups.

More system wide statistics on transient tunnels are provided since they disappear from the tables when they terminate, and the aggregate traffic statistics associated with individual tunnels are lost.
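The alarm rules of sections 3.2.1, 3.2.2 and 3.7, as an added example that is not part of the draft: a Python poller that compares two readings of the control channel table. It raises an alarm when a permanent channel's ipsecIkeConChanCurrentSaNum drops to zero, stays silent when a transient channel's row simply disappears, and reports large jumps in the error counters that section 3.7 associates with possible attacks, taking Counter32 wrap into account. The ConChanRow class, the threshold of 50 new errors per poll and all sample rows are assumptions made here; a real management station would read the same objects over SNMP.

```python
from dataclasses import dataclass, field

TRANSIENT, PERMANENT = 1, 2      # ipsecIkeConChanType enumeration values
COUNTER32_MODULUS = 2 ** 32      # Counter32 wraps at 2^32

# Control channel error counters that section 3.7 ties to operational
# errors which may indicate attacks on the system.
ERROR_COUNTERS = (
    "ipsecIkeConChanDecryptErrors",
    "ipsecIkeConChanHashErrors",
    "ipsecIkeConChanOtherReceiveErrors",
    "ipsecIkeConChanIpsecDecryptErrors",
    "ipsecIkeConChanIpsecAuthErrors",
    "ipsecIkeConChanIpsecReplayErrors",
)


def make_counters(**overrides):
    """Counter values for one row: zero unless overridden (constructed)."""
    values = dict.fromkeys(ERROR_COUNTERS, 0)
    values.update(overrides)
    return values


@dataclass
class ConChanRow:
    """The subset of an ipsecIkeConChanTable row a poller needs here."""
    index: int              # ipsecIkeConChanIndex
    peer_id: str            # ipsecIkeConChanPeerId
    chan_type: int          # ipsecIkeConChanType
    current_sa_num: int     # ipsecIkeConChanCurrentSaNum
    counters: dict = field(default_factory=make_counters)


def counter_delta(old, new):
    """Increase between two Counter32 readings, tolerating one wrap."""
    return (new - old) % COUNTER32_MODULUS


def evaluate_polls(previous, current, error_threshold=50):
    """Compare two polls of the control channel table and return the
    alarms a management station should raise, as (index, message) pairs."""
    alarms = []
    prev_rows = {r.index: r for r in previous}
    cur_rows = {r.index: r for r in current}

    for index, old in prev_rows.items():
        new = cur_rows.get(index)
        if new is None:
            # A transient channel disappears from the table when it goes
            # down (section 3.2.3); a permanent one must never vanish.
            if old.chan_type == PERMANENT:
                alarms.append((index, "permanent control channel row vanished"))
            continue
        if (new.chan_type == PERMANENT and old.current_sa_num > 0
                and new.current_sa_num == 0):
            alarms.append((index, "permanent control channel down"))
        if new.chan_type == TRANSIENT and new.current_sa_num == 0:
            # ipsecIkeConChanCurrentSaNum can never be 0 for a transient row
            alarms.append((index, "transient channel with zero SAs (agent inconsistency)"))
        for name in ERROR_COUNTERS:
            delta = counter_delta(old.counters[name], new.counters[name])
            if delta >= error_threshold:
                alarms.append((index, f"{name} rose by {delta} since last poll (possible attack)"))
    return alarms


# Constructed polls: channel 1 is a permanent gateway-to-gateway channel,
# channels 2 and 3 are transient dial-in clients.
PREVIOUS_POLL = [
    ConChanRow(1, "gw2.example.net", PERMANENT, 2),
    ConChanRow(2, "client-a", TRANSIENT, 1),
    ConChanRow(3, "client-b", TRANSIENT, 1,
               make_counters(ipsecIkeConChanIpsecReplayErrors=4294967290)),
]
CURRENT_POLL = [
    ConChanRow(1, "gw2.example.net", PERMANENT, 0),   # permanent link went down
    # channel 2 is gone: the client hung up, which is not an error condition
    ConChanRow(3, "client-b", TRANSIENT, 1,
               make_counters(ipsecIkeConChanIpsecReplayErrors=60)),  # counter wrapped
]

if __name__ == "__main__":
    for index, message in evaluate_polls(PREVIOUS_POLL, CURRENT_POLL):
        print(f"channel {index}: {message}")
```

The replay counter of channel 3 wrapped between polls; the modular delta of 66 is what counts, not the raw difference, and it is large enough to be reported. Channel 2's disappearance produces nothing, which is the behaviour section 3.2.1 asks for.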
4. MIB Definitions

IPSEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Integer32, Unsigned32, experimental, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    DateAndTime, TruthValue
        FROM SNMPv2-TC;

ipsecMIB MODULE-IDENTITY
    LAST-UPDATED "9811301200Z"
    ORGANIZATION "IETF IPSec Working Group"
    CONTACT-INFO
        "       Tim Jenkins
                TimeStep Corporation
                362 Terry Fox Drive
                Kanata, ON
                K0A 2H0
                Canada
                613-599-3610
                tjenkins@timestep.com"
    DESCRIPTION
        "The MIB module to describe generic IPSec objects,
        transient and permanent virtual tunnels created by IPSec
        SAs, and entity level IPSec objects and events."
    REVISION "9811301200Z"
    DESCRIPTION "Initial revision."
    -- ::= { mib-2 ?? }
    -- need correct value here
    ::= { experimental 500 }

ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }

-- the IPSec IKE Control Channel MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE virtual IKE control channel

ipsecIkeConChanTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecIkeConChanEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on
        IPSec's IKE control channels."
    ::= { ipsec 1 }

ipsecIkeConChanEntry OBJECT-TYPE
    SYNTAX      IpsecIkeConChanEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information
        on a particular IKE control channel."
    INDEX { ipsecIkeConChanIndex }
    ::= { ipsecIkeConChanTable 1 }

IpsecIkeConChanEntry ::= SEQUENCE {
    ipsecIkeConChanIndex                    Integer32,

    -- the real identifiers for the control channel
    ipsecIkeConChanLocalIdType              Integer32,
    ipsecIkeConChanLocalId                  OCTET STRING,
    ipsecIkeConChanPeerIdType               Integer32,
    ipsecIkeConChanPeerId                   OCTET STRING,
    ipsecIkeConChanAuthMethod               Integer32,
    ipsecIkeConChanPeerCertSerialNum        OCTET STRING,
    ipsecIkeConChanPeerCertIssuer           OCTET STRING,

    -- virtual channel status
    ipsecIkeConChanType                     INTEGER,
    ipsecIkeConChanCurrentSaNum             Unsigned32,
    ipsecIkeConChanTotalSaNum               Counter64,

    -- aggregate statistics (all SAs)
    ipsecIkeConChanTimeStart                DateAndTime,
    ipsecIkeConChanInboundTraffic           Counter64,  -- in bytes
    ipsecIkeConChanOutboundTraffic          Counter64,  -- in bytes
    ipsecIkeConChanInboundPackets           Counter64,
    ipsecIkeConChanOutboundPackets          Counter64,

    -- aggregate error statistics
    ipsecIkeConChanDecryptErrors            Counter32,
    ipsecIkeConChanHashErrors               Counter32,
    ipsecIkeConChanOtherReceiveErrors       Counter32,
    ipsecIkeConChanSendErrors               Counter32,

    -- IPSec SA (Phase 2) statistics (aggregate)
    ipsecIkeConChanIpsecInboundTraffic      Counter64,
    ipsecIkeConChanIpsecOutboundTraffic     Counter64,
    ipsecIkeConChanIpsecInboundPackets      Counter64,
    ipsecIkeConChanIpsecOutboundPackets     Counter64,

    -- IPSec SA (Phase 2) error statistics (aggregate)
    ipsecIkeConChanIpsecDecryptErrors       Counter32,
    ipsecIkeConChanIpsecAuthErrors          Counter32,
    ipsecIkeConChanIpsecReplayErrors        Counter32,
    ipsecIkeConChanIpsecOtherReceiveErrors  Counter32,
    ipsecIkeConChanIpsecSendErrors          Counter32
}

ipsecIkeConChanIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each control
        channel. It is recommended that values are assigned
        contiguously starting from 1. The value for each channel
        must remain constant at least from one re-initialization
        of the entity's network management system to the next
        re-initialization. Further, the value for channels that
        are marked as permanent must remain constant across all
        re-initializations of the network management system."
    ::= { ipsecIkeConChanEntry 1 }

ipsecIkeConChanLocalIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the local end of the control
        channel. Specific values are used as described in
        Section 4.6.2.1 of [IPDOI]."
    ::= { ipsecIkeConChanEntry 2 }

ipsecIkeConChanLocalId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the local host that negotiated this control
        channel. The length may require truncation under some
        conditions."
    ::= { ipsecIkeConChanEntry 3 }

ipsecIkeConChanPeerIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the peer. Specific values are
        used as described in Section 4.6.2.1 of [IPDOI]."
    ::= { ipsecIkeConChanEntry 4 }

ipsecIkeConChanPeerId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the peer host that negotiated this control
        channel. The length may require truncation under some
        conditions."
    ::= { ipsecIkeConChanEntry 5 }

ipsecIkeConChanAuthMethod OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used to authenticate the
        peers. Note that this does not include the specific
        method of authentication if extended authentication is
        used. Specific values are used as described in the
        ISAKMP Class Values of Authentication Method from
        Appendix A of [IKE]."
    ::= { ipsecIkeConChanEntry 6 }

ipsecIkeConChanPeerCertSerialNum OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..63))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The serial number of the certificate of the peer this
        control channel was negotiated with. This object has no
        meaning if a certificate was not used in authenticating
        the peer."
    ::= { ipsecIkeConChanEntry 7 }

ipsecIkeConChanPeerCertIssuer OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The issuer name of the certificate of the peer this
        control channel was negotiated with. This object has no
        meaning if a certificate was not used in authenticating
        the peer."
    ::= { ipsecIkeConChanEntry 8 }

ipsecIkeConChanType OBJECT-TYPE
    SYNTAX      INTEGER { transient(1), permanent(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of control channel represented by this row. A
        transient link will disappear from the table when the
        SAs needed for it cannot be established. A permanent
        link shows its status in the ipsecIkeConChanCurrentSaNum
        object."
    ::= { ipsecIkeConChanEntry 9 }

ipsecIkeConChanCurrentSaNum OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active SAs that are available
        for use by this control channel. If the control channel
        is permanent, a 0 value in this object indicates the
        channel has either never been tried or is down. If the
        control channel is transient, this object can never be
        0 valued."
    ::= { ipsecIkeConChanEntry 10 }

ipsecIkeConChanTotalSaNum OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of SAs, including all expired and
        active SAs, that have been set up to support this
        control channel."
    ::= { ipsecIkeConChanEntry 11 }

ipsecIkeConChanTimeStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the first SA within the control
        channel was set up."
    ::= { ipsecIkeConChanEntry 12 }

ipsecIkeConChanInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled
        in the control channel in the inbound direction. In
        other words, it is the aggregate value of all inbound
        traffic carried by all phase 1 SAs ever set up to
        support the control channel. If this is a permanent
        control channel, it is not reset to zero when the number
        of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 13 }

ipsecIkeConChanOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled
        in the control channel in the outbound direction. In
        other words, it is the aggregate value of all outbound
        traffic carried by all phase 1 SAs ever set up to
        support the control channel. If this is a permanent
        control channel, it is not reset to zero when the number
        of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 14 }

ipsecIkeConChanInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled by the control
        channel since it became active in the inbound direction.
        In other words, it is the aggregate value of the number
        of inbound packets carried by all phase 1 SAs ever set
        up to support the control channel. If this is a
        permanent control channel, it is not reset to zero when
        the number of phase 1 SAs changes from 0."
::= { ipsecIkeConChanEntry 15 } ipsecIkeConChanOutboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of packets handled by the control channel since it became active in the outbound direction. In other words, it is the aggregate value of the number of outbound packets carried by all phase 1 SAs ever set up to support the control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 16 } ipsecIkeConChanDecryptErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets to this control channel discarded due to decryption errors. Note that this refers to IKE protocol packets, and not to packets carried by IPSec protection suites set up by the IPSec Working Group [Page 19] Internet Draft IPSec Monitoring MIB November 1998 SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 17 } ipsecIkeConChanHashErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets to this control channel discarded due to hash errors. Note that this refers to IKE protocol packets, and not to packets carried by IPSec protection suites set up by the SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 18 } ipsecIkeConChanOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets to this control channel discarded for reasons other than bad hashes or decryption errors. This may include packets dropped to a lack of receive buffer space. 
Note that this refers to IKE protocol packets, and not to packets carried by IPSec protection suites set up by the SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 19 } ipsecIkeConChanSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets from this control channel discarded for any reason. This may include packets dropped to a lack of transmit buffer space. IPSec Working Group [Page 20] Internet Draft IPSec Monitoring MIB November 1998 Note that this refers to IKE protocol packets, and not to packets carried by IPSec protection suites set up by the SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 20 } ipsecIkeConChanIpsecInboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of inbound traffic measured in bytes handled by all IPSec SAs set up by phase 1 SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 21 } ipsecIkeConChanIpsecOutboundTraffic OBJECT-TYPE SYNTAX Counter64 UNITS "bytes" MAX-ACCESS read-only STATUS current DESCRIPTION "The total amount of outbound traffic measured in bytes handled by all IPSec protection suites set up by all phase 1 SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." 
::= { ipsecIkeConChanEntry 22 } ipsecIkeConChanIpsecInboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets handled by all IPSec protection suites set up by phase 1 SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." IPSec Working Group [Page 21] Internet Draft IPSec Monitoring MIB November 1998 ::= { ipsecIkeConChanEntry 23 } ipsecIkeConChanIpsecOutboundPackets OBJECT-TYPE SYNTAX Counter64 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets handled by all IPSec protection suites set up by phase 1 SAs supporting this control channel. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 24 } ipsecIkeConChanIpsecDecryptErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets discarded by all IPSec protection suites set up by all phase 1 SAs in this control channel due to decryption errors. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 25 } ipsecIkeConChanIpsecAuthErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets discarded by all IPSec protection suites set up by all phase 1 SAs in this control channel due to authentication errors. This includes hash failures in IPSec SAs using ESP and AH. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." 
::= { ipsecIkeConChanEntry 26 } ipsecIkeConChanIpsecReplayErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION IPSec Working Group [Page 22] Internet Draft IPSec Monitoring MIB November 1998 "The total number of inbound packets discarded by all IPSec protection suites set up by all phase 1 SAs in this control channel due to replay errors. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 27 } ipsecIkeConChanIpsecOtherReceiveErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of inbound packets discarded by all IPSec protection suites set up by all phase 1 SAs in this control channel due to errors other than authentication, decryption or replay errors. This may include packets dropped due to lack of receive buffers. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 34 } ipsecIkeConChanIpsecSendErrors OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of outbound packets discarded by all IPSec protection suites set up by all phase 1 SAs in this control channel due to any error. This may include packets dropped due to lack of receive buffers. If this is a permanent control channel, it is not reset to zero when the number of phase 1 SAs changes from 0." ::= { ipsecIkeConChanEntry 28 } -- the IPSec IKE MIB-Group -- -- a collection of objects providing information about -- IPSec's IKE SAs and the virtual phase 1 SA tunnels ipsecIkeSaTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecIkeSaEntry MAX-ACCESS not-accessible IPSec Working Group [Page 23] Internet Draft IPSec Monitoring MIB November 1998 STATUS current DESCRIPTION "The (conceptual) table containing information on IPSec's IKE SAs." 
        ::= { ipsec 2 }

    ipsecIkeSaEntry OBJECT-TYPE
        SYNTAX      IpsecIkeSaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on
            a particular IKE SA."
        INDEX { ipsecIkeSaIndex }
        ::= { ipsecIkeSaTable 1 }

    IpsecIkeSaEntry ::= SEQUENCE {
        ipsecIkeSaIndex                 Integer32,
        ipsecIkeSaConChanIndex          Integer32,

        -- identifier information
        ipsecIkeSaInitiatorCookie       OCTET STRING,
        ipsecIkeSaResponderCookie       OCTET STRING,
        ipsecIkeSaState                 INTEGER,

        -- connection information
        ipsecIkeSaLocalIpAddress        OCTET STRING,
        ipsecIkeSaLocalPortNumber       INTEGER,
        ipsecIkeSaPeerIpAddress         OCTET STRING,
        ipsecIkeSaPeerPortNumber        INTEGER,

        -- security algorithm information
        ipsecIkeSaEncAlg                INTEGER,
        ipsecIkeSaEncKeyLength          Unsigned32,
        ipsecIkeSaHashAlg               Integer32,
        ipsecIkeSaDifHelGroupDesc       Integer32,
        ipsecIkeSaDifHelGroupType       Integer32,
        ipsecIkeSaPRF                   Integer32,

        -- expiration limits, current SA
        ipsecIkeSaTimeStart             DateAndTime,
        ipsecIkeSaTimeLimit             OCTET STRING, -- in seconds
        ipsecIkeSaTrafficLimit          OCTET STRING,
        ipsecIkeSaTrafficCount          OCTET STRING,

        -- this SA's operating statistics
        ipsecIkeSaInboundTraffic        Counter64, -- in bytes
        ipsecIkeSaOutboundTraffic       Counter64, -- in bytes
        ipsecIkeSaInboundPackets        Counter64,
        ipsecIkeSaOutboundPackets       Counter64,

        -- this SA's error statistics
        ipsecIkeSaDecryptErrors         Counter32,
        ipsecIkeSaHashErrors            Counter32,
        ipsecIkeSaOtherReceiveErrors    Counter32,
        ipsecIkeSaSendErrors            Counter32
    }

    ipsecIkeSaIndex OBJECT-TYPE
        SYNTAX      Integer32 (1..16777215)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value, greater than zero, for each IKE SA.
            Values are assigned contiguously starting from 1."
        ::= { ipsecIkeSaEntry 1 }

    ipsecIkeSaConChanIndex OBJECT-TYPE
        SYNTAX      Integer32 (1..16777215)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A reference to the IKE control channel that this SA
            supports. It is the value of 'ipsecIkeConChanIndex'."
        ::= { ipsecIkeSaEntry 2 }

    ipsecIkeSaInitiatorCookie OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (16))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of the cookie used by the initiator for the
            current phase 1 SA."
        ::= { ipsecIkeSaEntry 3 }

    ipsecIkeSaResponderCookie OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (16))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of the cookie used by the responder for the
            current phase 1 SA."
        ::= { ipsecIkeSaEntry 4 }

    ipsecIkeSaState OBJECT-TYPE
        SYNTAX      INTEGER {
                        tryingInitiator(0),
                        tryingInitiatorIDProt(1),
                        tryingResponder(2),
                        tryingResponderIDProt(3),
                        upInitiator(4),
                        upInitiatorIDProt(5),
                        upResponder(6),
                        upResponderIDProt(7)
                    }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The current state of the SA. 'tryingInitiator' means
            this end is attempting to negotiate the SA using
            aggressive mode and is the initiator.
            'tryingInitiatorIDProt' means this end is attempting to
            negotiate the SA using main mode and is the initiator.
            'tryingResponder' means the peer is attempting to
            negotiate the SA using aggressive mode as initiator.
            'tryingResponderIDProt' means the peer is attempting to
            negotiate the SA using main mode as initiator.
            'upInitiator' means the SA is up, and this end is the
            initiator. 'upResponder' means the SA is up and the peer
            is the initiator. On the latter two, the suffix 'IDProt'
            means main mode was used to negotiate the SA."
        ::= { ipsecIkeSaEntry 5 }

    ipsecIkeSaLocalIpAddress OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4 | 8))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The local IP address that this SA was negotiated with,
            or 0 if unknown. The size of this object is 4 if the IP
            address is an IPv4 address. The size is 8 if the IP
            address is an IPv6 address."
        ::= { ipsecIkeSaEntry 6 }

    ipsecIkeSaLocalPortNumber OBJECT-TYPE
        SYNTAX      INTEGER (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The local UDP port number that this SA was negotiated
            with."
        DEFVAL { 500 }
        ::= { ipsecIkeSaEntry 7 }

    ipsecIkeSaPeerIpAddress OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4 | 8))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The IP address of the peer that this SA was negotiated
            with, or 0 if unknown. The size of this object is 4 if
            the IP address is an IPv4 address. The size is 8 if the
            IP address is an IPv6 address."
        ::= { ipsecIkeSaEntry 8 }

    ipsecIkeSaPeerPortNumber OBJECT-TYPE
        SYNTAX      INTEGER (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The UDP port number of the peer that this SA was
            negotiated with."
        DEFVAL { 500 }
        ::= { ipsecIkeSaEntry 9 }

    ipsecIkeSaEncAlg OBJECT-TYPE
        SYNTAX      INTEGER (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the encryption algorithm
            applied to traffic carried on this SA. Specific values
            are used as described in the ISAKMP Class Values of
            Encryption Algorithms from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 10 }

    ipsecIkeSaEncKeyLength OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The length of the encryption key in bits used for the
            algorithm specified in the 'ipsecIkeSaEncAlg' object, or
            0 if the key length is implicit in the specified
            algorithm."
        ::= { ipsecIkeSaEntry 11 }

    ipsecIkeSaHashAlg OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried on this SA. Specific values are used
            as described in the ISAKMP Class Values of Hash
            Algorithms from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 12 }

    ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            description used, or 0 if the group is unknown. Specific
            values are used as described in the ISAKMP Class Values
            of Group Description from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 13 }

    ipsecIkeSaDifHelGroupType OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            type used, or 0 if the group is unknown. Specific values
            are used as described in the ISAKMP Class Values of Group
            Type from Appendix A of [IKE]."
        ::= { ipsecIkeSaEntry 14 }

    ipsecIkeSaPRF OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The pseudo-random function used, or 0 if not used or if
            unknown. Specific values are used as described in the
            ISAKMP Class Values of PRF from Appendix A of [IKE]
            (which specifies none at the present time)."
        ::= { ipsecIkeSaEntry 15 }

    ipsecIkeSaTimeStart OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The date and time that the current SA within the link
            was set up. It is not the date and time that the virtual
            tunnel was set up."
        ::= { ipsecIkeSaEntry 16 }

    ipsecIkeSaTimeLimit OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum lifetime in seconds of the current SA
            supporting the virtual tunnel, or 0 if there is no time
            constraint on its expiration."
        ::= { ipsecIkeSaEntry 17 }

    ipsecIkeSaTrafficLimit OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4..255))
        UNITS       "1024-byte blocks"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum traffic in 1024-byte blocks that the current
            SA supporting the virtual tunnel is allowed to support,
            or 0 if there is no traffic constraint on its
            expiration."
        ::= { ipsecIkeSaEntry 18 }

    ipsecIkeSaTrafficCount OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4..255))
        UNITS       "1024-byte blocks"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic that this SA has processed that
            contributes against its expiration by traffic limit,
            measured in 1024-byte blocks. It includes traffic in both
            directions. It may be 0 if there is no traffic constraint
            on the SA's expiration."
        ::= { ipsecIkeSaEntry 19 }

    ipsecIkeSaInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic measured in bytes handled in the
            current SA in the inbound direction."
        ::= { ipsecIkeSaEntry 20 }

    ipsecIkeSaOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic measured in bytes handled in the
            current SA in the outbound direction."
        ::= { ipsecIkeSaEntry 21 }

    ipsecIkeSaInboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of packets handled in the current SA in the
            inbound direction."
        ::= { ipsecIkeSaEntry 22 }

    ipsecIkeSaOutboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of packets handled in the current SA in the
            outbound direction."
        ::= { ipsecIkeSaEntry 23 }

    ipsecIkeSaDecryptErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets to this SA discarded
            due to decryption errors. The following may be used as a
            guideline to distinguish decryption errors from protocol
            negotiation errors: if there are any errors in the
            packet's generic payload structures (next payload field,
            reserved, payload length), then this is considered a
            decryption error. If an error happens inside the payload
            structure, then it is not assumed to be a decryption
            error, and is considered a protocol negotiation error."
        ::= { ipsecIkeSaEntry 24 }

    ipsecIkeSaHashErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets to this SA discarded
            due to hash errors. These errors are considered packet
            errors, and not protocol negotiation errors. The case of
            hash failures when the hash is generated by
            authentication data is considered an authentication
            failure, and not a hash failure."
        ::= { ipsecIkeSaEntry 25 }

    ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets to this SA discarded
            for reasons other than bad hashes or decryption errors.
            This may include packets dropped due to a lack of receive
            buffer space. Packets that contain protocol negotiation
            errors are not considered dropped packets."
        ::= { ipsecIkeSaEntry 26 }

    ipsecIkeSaSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of outbound packets from this SA
            discarded for any reason. This may include packets
            dropped due to a lack of transmit buffer space."
        ::= { ipsecIkeSaEntry 27 }

    -- the IPSec Tunnel MIB-Group
    --
    -- a collection of objects providing information about
    -- IPSec protection suite-based virtual tunnels

    ipsecTunnelTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IpsecTunnelEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing information on IPSec
            protection suite-based tunnels."
        ::= { ipsec 3 }

    ipsecTunnelEntry OBJECT-TYPE
        SYNTAX      IpsecTunnelEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on
            a particular configured tunnel."
        INDEX { ipsecTunnelIndex }
        ::= { ipsecTunnelTable 1 }

    IpsecTunnelEntry ::= SEQUENCE {
        ipsecTunnelIndex                Integer32,
        ipsecTunnelIkeConChan           Integer32, -- if not static
        ipsecTunnelType                 INTEGER,   -- static, transient, permanent

        -- tunnel identifiers
        ipsecTunnelLocalIdentifier      OCTET STRING,
        ipsecTunnelLocalIdentifierType  INTEGER,
        ipsecTunnelRemoteIdentifier     OCTET STRING,
        ipsecTunnelRemoteIdentifierType INTEGER,
        ipsecTunnelProtocol             Integer32,
        ipsecTunnelLocalPort            Integer32,
        ipsecTunnelRemotePort           Integer32,

        -- tunnel creation mechanism
        ipsecTunnelDifHelGroupDesc      Integer32,
        ipsecTunnelDifHelGroupType      Integer32,
        ipsecTunnelPFS                  TruthValue,

        -- tunnel security services description
        ipsecTunnelEncapsulation        INTEGER,
        ipsecTunnelEspEncAlg            Integer32,
        ipsecTunnelEspEncKeyLength      Unsigned32,
        ipsecTunnelEspAuthAlg           Integer32,
        ipsecTunnelAhAuthAlg            Integer32,
        ipsecTunnelCompAlg              Integer32,

        -- aggregate statistics
        ipsecTunnelStartTime            DateAndTime,
        ipsecTunnelCurrentProtSuitesNum Unsigned32,
        ipsecTunnelTotalProtSuitesNum   Counter32,
        ipsecTunnelTotalInboundTraffic  Counter64,
        ipsecTunnelTotalOutboundTraffic Counter64,
        ipsecTunnelTotalInboundPackets  Counter64,
        ipsecTunnelTotalOutboundPackets Counter64,

        -- aggregate error statistics
        ipsecTunnelDecryptErrors        Counter32,
        ipsecTunnelAuthErrors           Counter32,
        ipsecTunnelReplayErrors         Counter32,
        ipsecTunnelPolicyErrors         Counter32,
        ipsecTunnelOtherReceiveErrors   Counter32,
        ipsecTunnelSendErrors           Counter32
    }

    ipsecTunnelIndex OBJECT-TYPE
        SYNTAX      Integer32 (1..16777215)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value, greater than zero, for each tunnel
            interface. It is recommended that values are assigned
            contiguously starting from 1. The value for each tunnel
            interface must remain constant at least from one
            re-initialization of the entity's network management
            system to the next re-initialization. Further, the value
            for tunnel interfaces that are marked as permanent must
            remain constant across all re-initializations of the
            network management system."
        ::= { ipsecTunnelEntry 1 }

    ipsecTunnelIkeConChan OBJECT-TYPE
        SYNTAX      Integer32 (0..2147483647)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of the index into the IKE control channel
            table that created this tunnel (ipsecIkeConChanIndex), or
            0 if the tunnel is created by a static IPSec protection
            suite."
        ::= { ipsecTunnelEntry 2 }

    ipsecTunnelType OBJECT-TYPE
        SYNTAX      INTEGER {
                        static(0),
                        transient(1),
                        permanent(2)
                    }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of the virtual tunnel represented by this row.
            'static' means that the tunnel is supported by a single
            static IPSec protection suite that was set up by
            configuration, and not by using a key exchange protocol.
            In this case, the value of ipsecTunnelIkeConChan must be
            0."
        ::= { ipsecTunnelEntry 3 }

    ipsecTunnelLocalIdentifier OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The local identifier of the virtual tunnel, or 0 if
            unknown or if the protection suite uses transport mode
            encapsulation. This value is taken directly from the
            optional ID payloads that are exchanged during phase 2
            negotiations."
        ::= { ipsecTunnelEntry 4 }

    ipsecTunnelLocalIdentifierType OBJECT-TYPE
        SYNTAX      INTEGER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of identifier presented by
            'ipsecTunnelLocalIdentifier', or 0 if unknown or if the
            protection suite uses transport mode encapsulation. This
            value is taken directly from the optional ID payloads
            that are exchanged during phase 2 negotiations."
        ::= { ipsecTunnelEntry 5 }

    ipsecTunnelRemoteIdentifier OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (4..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The remote identifier of the virtual tunnel, or 0 if
            unknown or if the protection suite uses transport mode
            encapsulation. This value is taken directly from the
            optional ID payloads that are exchanged during phase 2
            negotiations."
        ::= { ipsecTunnelEntry 6 }

    ipsecTunnelRemoteIdentifierType OBJECT-TYPE
        SYNTAX      INTEGER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of identifier presented by
            'ipsecTunnelRemoteIdentifier', or 0 if unknown or if the
            protection suite uses transport mode encapsulation. This
            value is taken directly from the optional ID payloads
            that are exchanged during phase 2 negotiations."
        ::= { ipsecTunnelEntry 7 }

    ipsecTunnelProtocol OBJECT-TYPE
        SYNTAX      Integer32 (0..255)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of the protocol that this tunnel carries, or
            0 if it carries any protocol."
        ::= { ipsecTunnelEntry 8 }

    ipsecTunnelLocalPort OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of the local port that this tunnel carries,
            or 0 if it carries any port number."
        ::= { ipsecTunnelEntry 9 }

    ipsecTunnelRemotePort OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of the remote port that this tunnel carries,
            or 0 if it carries any port number."
        ::= { ipsecTunnelEntry 10 }

    ipsecTunnelDifHelGroupDesc OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            description used to set up protection suites for this
            tunnel, or 0 if the group is unknown. Specific values are
            used as described in the ISAKMP Class Values of Group
            Description from Appendix A of [IKE]."
        ::= { ipsecTunnelEntry 11 }

    ipsecTunnelDifHelGroupType OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            type used to set up protection suites for this tunnel, or
            0 if the group is unknown. Specific values are used as
            described in the ISAKMP Class Values of Group Type from
            Appendix A of [IKE]."
        ::= { ipsecTunnelEntry 12 }

    ipsecTunnelPFS OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "'true' if protection suites set up for this tunnel were
            created using perfect forward secrecy."
        ::= { ipsecTunnelEntry 13 }

    ipsecTunnelEncapsulation OBJECT-TYPE
        SYNTAX      INTEGER {
                        transport(1),
                        tunnel(2)
                    }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of encapsulation used by protection suites
            created for this virtual tunnel."
        ::= { ipsecTunnelEntry 14 }

    ipsecTunnelEspEncAlg OBJECT-TYPE
        SYNTAX      Integer32 (0..255)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the encryption algorithm
            applied to traffic carried by this tunnel if it uses ESP,
            or 0 if there is no encryption applied by ESP or if ESP
            is not used. Specific values are taken from section 4.4.4
            of [IPDOI]."
        ::= { ipsecTunnelEntry 15 }

    ipsecTunnelEspEncKeyLength OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The length of the encryption key in bits used for the
            algorithm specified in the 'ipsecTunnelEspEncAlg' object,
            or 0 if the key length is implicit in the specified
            algorithm or there is no encryption specified."
        ::= { ipsecTunnelEntry 16 }

    ipsecTunnelEspAuthAlg OBJECT-TYPE
        SYNTAX      Integer32 (0..255)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this tunnel if it uses ESP, or 0 if
            there is no authentication applied by ESP or if ESP is
            not used. Specific values are taken from the
            Authentication Algorithm attribute values of Section 4.5
            of [IPDOI]."
        ::= { ipsecTunnelEntry 17 }

    ipsecTunnelAhAuthAlg OBJECT-TYPE
        SYNTAX      Integer32 (0..255)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this tunnel if it uses AH, or 0 if
            AH is not used. Specific values are taken from Section
            4.4.3 of [IPDOI]."
        ::= { ipsecTunnelEntry 18 }

    ipsecTunnelCompAlg OBJECT-TYPE
        SYNTAX      Integer32 (0..255)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the compression algorithm
            applied to traffic carried by this tunnel if it uses
            IPCOMP. Specific values are taken from Section 4.4.5 of
            [IPDOI]."
        ::= { ipsecTunnelEntry 19 }

    ipsecTunnelStartTime OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The date and time that this virtual tunnel was set up.
            If this is a permanent virtual tunnel, it is not reset
            when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 20 }

    ipsecTunnelCurrentProtSuitesNum OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of protection suites currently active
            supporting this virtual tunnel. If this number is 0, the
            tunnel must be considered down. Also, if this number is
            0, the tunnel must be a permanent tunnel, since transient
            tunnels that are down do not appear in the table."
        ::= { ipsecTunnelEntry 21 }

    ipsecTunnelTotalProtSuitesNum OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of protection suites, including all
            current protection suites, that have been set up to
            support this virtual tunnel."
        ::= { ipsecTunnelEntry 22 }

    ipsecTunnelTotalInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of traffic measured in bytes handled in
            the tunnel in the inbound direction. In other words, it
            is the aggregate value of all inbound traffic carried by
            all IPSec protection suites ever set up to support the
            virtual tunnel. If this is a permanent virtual tunnel, it
            is not reset to zero when the number of current
            protection suites (ipsecTunnelCurrentProtSuitesNum)
            changes from 0 to 1."
        ::= { ipsecTunnelEntry 23 }

    ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of traffic measured in bytes handled in
            the tunnel in the outbound direction. In other words, it
            is the aggregate value of all outbound traffic carried by
            all IPSec protection suites ever set up to support the
            virtual tunnel. If this is a permanent virtual tunnel, it
            is not reset to zero when the number of current
            protection suites (ipsecTunnelCurrentProtSuitesNum)
            changes from 0 to 1."
        ::= { ipsecTunnelEntry 24 }

    ipsecTunnelTotalInboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets handled in the tunnel in the
            inbound direction. In other words, it is the aggregate
            value of all inbound packets carried by all IPSec
            protection suites ever set up to support the virtual
            tunnel. If this is a permanent virtual tunnel, it is not
            reset to zero when the number of current protection
            suites (ipsecTunnelCurrentProtSuitesNum) changes from 0
            to 1."
        ::= { ipsecTunnelEntry 25 }

    ipsecTunnelTotalOutboundPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets handled in the tunnel in the
            outbound direction. In other words, it is the aggregate
            value of all outbound packets carried by all IPSec
            protection suites ever set up to support the virtual
            tunnel. If this is a permanent virtual tunnel, it is not
            reset to zero when the number of current protection
            suites (ipsecTunnelCurrentProtSuitesNum) changes from 0
            to 1."
        ::= { ipsecTunnelEntry 26 }

    ipsecTunnelDecryptErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to decryption errors in ESP. If this
            is a permanent virtual tunnel, it is not reset to zero
            when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 27 }

    ipsecTunnelAuthErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to authentication errors. This
            includes hash failures in IPSec protection suites using
            both ESP and AH. If this is a permanent virtual tunnel,
            it is not reset to zero when the number of current
            protection suites (ipsecTunnelCurrentProtSuitesNum)
            changes from 0 to 1."
        ::= { ipsecTunnelEntry 28 }

    ipsecTunnelReplayErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to replay errors. This includes replay
            failures in IPSec protection suites using both ESP and
            AH. If this is a permanent virtual tunnel, it is not
            reset to zero when the number of current protection
            suites (ipsecTunnelCurrentProtSuitesNum) changes from 0
            to 1."
        ::= { ipsecTunnelEntry 29 }

    ipsecTunnelPolicyErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to policy errors. This includes errors
            in all transforms if protection suites are used. Policy
            errors are due to the detection of a packet that was
            inappropriately sent into this tunnel. If this is a
            permanent virtual tunnel, it is not reset to zero when
            the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 30 }

    ipsecTunnelOtherReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to errors other than decryption,
            authentication or replay errors. This may include packets
            dropped due to a lack of receive buffers. If this is a
            permanent virtual tunnel, it is not reset to zero when
            the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 31 }

    ipsecTunnelSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of outbound packets discarded by this
            virtual tunnel due to any error. This may include packets
            dropped due to a lack of transmit buffers. If this is a
            permanent virtual tunnel, it is not reset to zero when
            the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 32 }

    -- the IPSec Protection Suites MIB-Group
    --
    -- a collection of objects providing information about
    -- IPSec protection suites

    ipsecProtSuiteTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IpsecProtSuiteEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing information on IPSec
            protection suites."
        ::= { ipsec 4 }

    ipsecProtSuiteEntry OBJECT-TYPE
        SYNTAX      IpsecProtSuiteEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on
            a particular IPSec protection suite."
    INDEX { ipsecProtSuiteIndex }
    ::= { ipsecProtSuiteTable 1 }

IpsecProtSuiteEntry ::= SEQUENCE {
    ipsecProtSuiteIndex                 Integer32,
    ipsecProtSuiteTunnel                Integer32,  -- from ipsecTunnelTable

    -- identification
    ipsecProtSuitePeerAddress           OCTET STRING,
    ipsecProtSuiteInboundEspSpi         Unsigned32,
    ipsecProtSuiteOutboundEspSpi        Unsigned32,
    ipsecProtSuiteInboundAhSpi          Unsigned32,
    ipsecProtSuiteOutboundAhSpi         Unsigned32,
    ipsecProtSuiteInboundCompCpi        INTEGER,
    ipsecProtSuiteOutboundCompCpi       INTEGER,

    -- expiration limits
    ipsecProtSuiteCreationTime          DateAndTime,
    ipsecProtSuiteTimeLimit             OCTET STRING,  -- sec., 0 if none
    ipsecProtSuiteTrafficLimit          OCTET STRING,  -- 0 if none
    ipsecProtSuiteTrafficCount          OCTET STRING,

    -- current operating statistics
    ipsecProtSuiteInboundTraffic        Counter64,
    ipsecProtSuiteOutboundTraffic       Counter64,
    ipsecProtSuiteInboundPackets        Counter64,
    ipsecProtSuiteOutboundPackets       Counter64,

    -- error statistics
    ipsecProtSuiteDecryptErrors         Counter32,
    ipsecProtSuiteAuthErrors            Counter32,
    ipsecProtSuiteReplayErrors          Counter32,
    ipsecProtSuitePolicyErrors          Counter32,
    ipsecProtSuiteOtherReceiveErrors    Counter32,
    ipsecProtSuiteSendErrors            Counter32
}

ipsecProtSuiteIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each IPSec protection
        suite. It is recommended that values are assigned contiguously
        starting from 1."
    ::= { ipsecProtSuiteEntry 1 }

ipsecProtSuiteTunnel OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the index into the IPSec tunnel table that this
        protection suite supports (ipsecTunnelIndex)."
    ::= { ipsecProtSuiteEntry 2 }

ipsecProtSuitePeerAddress OBJECT-TYPE
    SYNTAX      OCTET STRING ( SIZE( 4 | 8 ) )
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The peer IP address used by the protection suite. The size of
        this object is 4 if the address is an IPv4 address, or 8 if
        the address is an IPv6 address."
    ::= { ipsecProtSuiteEntry 3 }

ipsecProtSuiteInboundEspSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the inbound protection suite that
        provides the ESP security service, or zero if ESP is not used."
    ::= { ipsecProtSuiteEntry 4 }

ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the outbound protection suite that
        provides the ESP security service, or zero if ESP is not used."
    ::= { ipsecProtSuiteEntry 5 }

ipsecProtSuiteInboundAhSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the inbound protection suite that
        provides the AH security service, or zero if AH is not used."
    ::= { ipsecProtSuiteEntry 6 }

ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the SPI for the outbound protection suite that
        provides the AH security service, or zero if AH is not used."
    ::= { ipsecProtSuiteEntry 7 }

ipsecProtSuiteInboundCompCpi OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the CPI for the inbound protection suite that
        provides IP compression, or zero if IPCOMP is not used."
    ::= { ipsecProtSuiteEntry 8 }

ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the CPI for the outbound protection suite that
        provides IP compression, or zero if IPCOMP is not used."
    ::= { ipsecProtSuiteEntry 9 }

ipsecProtSuiteCreationTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the current protection suite was set
        up."
    ::= { ipsecProtSuiteEntry 10 }

ipsecProtSuiteTimeLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum lifetime in seconds of the protection suite, or 0
        if there is no time constraint on its expiration."
    ::= { ipsecProtSuiteEntry 11 }

ipsecProtSuiteTrafficLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum traffic in 1024-byte blocks that the protection
        suite is allowed to support, or 0 if there is no traffic
        constraint on its expiration."
    ::= { ipsecProtSuiteEntry 12 }

ipsecProtSuiteTrafficCount OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic accumulated that counts against the
        protection suite's expiration by traffic limitation, measured
        in 1024-byte blocks."
    ::= { ipsecProtSuiteEntry 13 }

ipsecProtSuiteInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled by
        the protection suite in the inbound direction. This is not
        necessarily the same as the amount of traffic applied against
        the traffic expiration limit."
    ::= { ipsecProtSuiteEntry 14 }

ipsecProtSuiteOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of user level traffic measured in bytes handled by
        the protection suite in the outbound direction. This is not
        necessarily the same as the amount of traffic applied against
        the traffic expiration limit."
    ::= { ipsecProtSuiteEntry 15 }

ipsecProtSuiteInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled by the protection suite in the
        inbound direction."
    ::= { ipsecProtSuiteEntry 16 }

ipsecProtSuiteOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled by the protection suite in the
        outbound direction."
    ::= { ipsecProtSuiteEntry 17 }

ipsecProtSuiteDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to decryption errors."
    ::= { ipsecProtSuiteEntry 18 }

ipsecProtSuiteAuthErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to authentication errors. This includes hash failures
        in both ESP and AH."
    ::= { ipsecProtSuiteEntry 19 }

ipsecProtSuiteReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to replay errors. This includes replay failures in
        both ESP and AH."
    ::= { ipsecProtSuiteEntry 20 }

ipsecProtSuitePolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to policy errors."
    ::= { ipsecProtSuiteEntry 21 }

ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of inbound packets discarded by the protection
        suite due to errors other than decryption, authentication or
        replay errors. This may include decompression errors or errors
        due to a lack of receive buffers."
    ::= { ipsecProtSuiteEntry 22 }

ipsecProtSuiteSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of outbound packets discarded by the protection
        suite due to any error. This may include compression errors or
        errors due to a lack of transmit buffers."
    ::= { ipsecProtSuiteEntry 23 }

-- the IPSec Entity MIB-Group
--
-- a collection of objects providing information about overall IPSec
-- status in the entity
--
-- Definitions of significant branches
--

ipsecTrapsA             OBJECT IDENTIFIER ::= { ipsec 5 }
ipsecTraps              OBJECT IDENTIFIER ::= { ipsecTrapsA 0 }
ipsecProtSuiteCounts    OBJECT IDENTIFIER ::= { ipsec 6 }
ipsecPermChanTunStats   OBJECT IDENTIFIER ::= { ipsec 7 }
ipsecTransChanTunStats  OBJECT IDENTIFIER ::= { ipsec 8 }
ipsecNotifications      OBJECT IDENTIFIER ::= { ipsec 9 }
ipsecErrorStats         OBJECT IDENTIFIER ::= { ipsec 10 }

--
-- SA and protection suite counts
--

ipsecTotalIkeSAs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 SAs established by the entity
        since boot time. It is not the total number of channels
        established by the entity since boot time. It includes SAs
        established to support both permanent and transient channels."
    ::= { ipsecProtSuiteCounts 1 }

ipsecTotalIpsecProtSuites OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of protection suites established by the
        entity since boot time. It is not the total number of IPSec
        virtual tunnels established by the entity since boot time.
        It includes protection suites established to support both
        permanent and transient tunnels."
    ::= { ipsecProtSuiteCounts 2 }

--
-- permanent channel and tunnel statistics
--

ipsecCnfgPermIkeChannels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 control channels in the entity
        that are configured as permanent."
    ::= { ipsecPermChanTunStats 1 }

ipsecUpPermIkeChannels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 1 control channels in the entity
        that are configured as permanent and are up and available for
        use."
    ::= { ipsecPermChanTunStats 2 }

ipsecCnfgPermIpsecTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 2 tunnels in the entity that are
        configured as permanent."
    ::= { ipsecPermChanTunStats 3 }

ipsecUpPermIpsecTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 2 tunnels in the entity that are
        configured as permanent and are up and available for use."
    ::= { ipsecPermChanTunStats 4 }

--
-- transient tunnel counts
--

ipsecTotalTransIkeTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of transient phase 1 tunnels established by
        the entity since boot time."
    ::= { ipsecTransChanTunStats 1 }

ipsecCurrentTransIkeTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of transient phase 1 tunnels in the entity that are
        up and available for use at this moment in time."
    ::= { ipsecTransChanTunStats 2 }

ipsecTotalTransIpsecTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of transient phase 2 tunnels established by
        the entity since boot time."
    ::= { ipsecTransChanTunStats 3 }

ipsecCurrentTransIpsecTunnels OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of phase 2 tunnels in the entity that are up and
        available for use at this moment in time."
    ::= { ipsecTransChanTunStats 4 }

--
-- transient protection suite traffic statistics
--

ipsecTotalTransInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets carried on transient IPSec
        tunnels since boot time."
    ::= { ipsecTransChanTunStats 5 }

ipsecTotalTransOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets carried on transient
        IPSec tunnels since boot time."
    ::= { ipsecTransChanTunStats 6 }

ipsecTotalTransInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of inbound traffic carried on transient IPSec
        tunnels since boot time, measured in 1024-octet blocks."
    ::= { ipsecTransChanTunStats 7 }

ipsecTotalTransOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of outbound traffic carried on transient
        IPSec tunnels since boot time, measured in 1024-octet blocks."
    ::= { ipsecTransChanTunStats 8 }

--
-- error counts
--

ipsecUnknownSpiErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with SPIs or CPIs that were not valid."
    ::= { ipsecErrorStats 1 }

ipsecIkeProtocolErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with IKE protocol errors. This includes packets with
        invalid cookies, but does not include errors that could be
        associated with specific IKE SAs."
    ::= { ipsecErrorStats 2 }

ipsecIpsecAuthenticationErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with authentication errors in the IPSec SAs. This includes
        all packets in which the hash value is determined to be
        invalid."
    ::= { ipsecErrorStats 3 }

ipsecIpsecReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time with replay errors in the IPSec SAs."
    ::= { ipsecErrorStats 4 }

ipsecIpsecPolicyErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the entity since boot
        time and discarded due to policy errors. This includes packets
        that had selectors that were invalid for the SA that carried
        them."
    ::= { ipsecErrorStats 5 }

-- the IPSec Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages

ipsecNotifyMessageTotalCount OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of all types of notify messages sent or
        received by the entity since boot time. It is the sum of all
        occurrences in the 'ipsecNotifyCountTable'."
    ::= { ipsecNotifications 1 }

ipsecNotifyCountTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecNotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec notify
        message counts. This table MAY be sparsely populated; that is,
        rows for which the count is 0 may be absent."
    ::= { ipsecNotifications 2 }

ipsecNotifyCountEntry OBJECT-TYPE
    SYNTAX      IpsecNotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the total number of
        occurrences of a notify message."
    INDEX { ipsecNotifyMessage }
    ::= { ipsecNotifyCountTable 1 }

IpsecNotifyCountEntry ::= SEQUENCE {
    ipsecNotifyMessage          INTEGER,
    ipsecNotifyMessageCount     Counter32
}

ipsecNotifyMessage OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value representing a specific IPSec notify message, or 0
        if unknown. Values are assigned from the set of notify message
        types as defined in Section 3.14.1 of [ISAKMP]. In addition,
        the value 0 may be used for this object when the object is used
        as a trap cause, and the cause is unknown."
    ::= { ipsecNotifyCountEntry 1 }

ipsecNotifyMessageCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of times the specific notify message has been
        received or sent by the entity since system boot."
    ::= { ipsecNotifyCountEntry 2 }

--
-- traps
--

ipsecTrapPermIkeNegFailure NOTIFICATION-TYPE
    OBJECTS { ipsecIkeConChanIndex, ipsecNotifyMessage }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 1 SA for the specified
        permanent IKE tunnel failed."
    ::= { ipsecTraps 1 }

ipsecTrapTransIkeNegFailure NOTIFICATION-TYPE
    OBJECTS {
        ipsecIkeConChanLocalIdType,
        ipsecIkeConChanLocalId,
        ipsecIkeConChanPeerIdType,
        ipsecIkeConChanPeerId,
        ipsecIkeSaLocalIpAddress,
        ipsecIkeSaLocalPortNumber,
        ipsecIkeSaLocalIpAddress,
        ipsecIkeSaLocalPortNumber,
        ipsecIkeConChanAuthMethod,
        ipsecIkeConChanPeerCertSerialNum,
        ipsecIkeConChanPeerCertIssuer,
        ipsecNotifyMessage
    }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 1 SA for a transient IKE
        tunnel failed. This trap is different from the
        'ipsecTrapPermIkeNegFailure' trap, since this one will likely
        result in the removal of this entry from the IKE control
        channel table."
    ::= { ipsecTraps 2 }

ipsecTrapInvalidCookie NOTIFICATION-TYPE
    OBJECTS { ipsecIkeSaPeerIpAddress, ipsecIkeSaPeerPortNumber }
    STATUS      current
    DESCRIPTION
        "IKE packets with invalid cookies were detected from the
        specified peer. Implementations SHOULD send one trap per peer
        (within a reasonable time period), rather than sending one
        trap per packet."
    ::= { ipsecTraps 3 }

ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
    OBJECTS { ipsecIkeConChanIndex, ipsecNotifyMessage }
    STATUS      current
    DESCRIPTION
        "An attempt to negotiate a phase 2 protection suite within the
        specified IKE tunnel failed."
    ::= { ipsecTraps 4 }

ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
    OBJECTS { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets with invalid hashes were found in the specified
        protection suite. Implementations SHOULD send one trap per
        protection suite (within a reasonable time period), rather
        than sending one trap per packet."
    ::= { ipsecTraps 5 }

ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
    OBJECTS { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets with invalid sequence numbers were found in the
        specified protection suite. Implementations SHOULD send one
        trap per protection suite (within a reasonable time period),
        rather than sending one trap per packet."
    ::= { ipsecTraps 6 }

ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
    OBJECTS { ipsecProtSuiteIndex }
    STATUS      current
    DESCRIPTION
        "IPSec packets carrying packets with invalid selectors for the
        specified protection suite were found. Implementations SHOULD
        send one trap per protection suite (within a reasonable time
        period), rather than sending one trap per packet."
    ::= { ipsecTraps 7 }

ipsecTrapInvalidSpi NOTIFICATION-TYPE
    OBJECTS { ipsecIkeSaPeerIpAddress }
    STATUS      current
    DESCRIPTION
        "ESP, AH or IPCOMP packets with unknown SPIs (or CPIs) were
        detected from the specified peer. Implementations SHOULD send
        one trap per peer (within a reasonable time period), rather
        than sending one trap per packet."
    ::= { ipsecTraps 8 }

END

5. Security Considerations

This MIB contains readable objects whose values provide information
related to IPSec virtual tunnels. There are no objects with MAX-ACCESS
clauses of read-write or read-create.

While unauthorized access to the readable objects is relatively
innocuous, unauthorized access to those objects through an insecure
channel can provide attackers with more information about a system than
an administrator may desire.

6. Acknowledgements

Portions of this document's origins are based on the working paper "IP
Security Management Information Base" by R. Thayer and U. Blumenthal.

Significant contribution to this document comes from Charles Brooks and
Carl Powell, both of GTE Internetworking. Obviously, the IPSec working
group made significant contributions, specifically including M. Daniele,
T. Kivinen, J. Shriver, J. Walker, S. Kelly and M. Richardson.
Additionally, thanks are extended to Gabriella Dinescu for assistance in
the preparation of the MIB structures.

7. References

[IPDOI]   Piper, D., "The Internet IP Security Domain of Interpretation
          for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt, work in
          progress.

[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
          Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt, work in
          progress.

[IKE]     Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
          draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.

[ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
          "Internet Security Association and Key Management Protocol
          (ISAKMP)", draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
          progress.

[IPTun]   Thaler, D., "IP Tunnel MIB",
          draft-ietf-ifmib-tunnel-mib-02.txt, work in progress.

[IGMIB]   McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
          using SMIv2", RFC 2233.

[IPCOMP]  Shacham, A., Monsour, R., Pereira, R., Thomas, M.,
          draft-ietf-ippcp-protocol-06.txt, work in progress.

[1902]    Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
          "Structure of Management Information for version 2 of the
          Simple Network Management Protocol (SNMPv2)", RFC 1902,
          January 1996.

[2271]    Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
          for Describing SNMP Management Frameworks", RFC 2271,
          January 1998.

[1155]    Rose, M., and K. McCloghrie, "Structure and Identification of
          Management Information for TCP/IP-based Internets", RFC 1155,
          May 1990.

[1212]    Rose, M., and K. McCloghrie, "Concise MIB Definitions",
          RFC 1212, March 1991.

[1215]    Rose, M., "A Convention for Defining Traps for use with the
          SNMP", RFC 1215, March 1991.

[1903]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
          S. Waldbusser, "Textual Conventions for Version 2 of the
          Simple Network Management Protocol (SNMPv2)", RFC 1903,
          January 1996.

[1904]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
          S. Waldbusser, "Conformance Statements for Version 2 of the
          Simple Network Management Protocol (SNMPv2)", RFC 1904,
          January 1996.

[1157]    Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
          Network Management Protocol", RFC 1157, May 1990.

[1901]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
          S. Waldbusser, "Introduction to Community-based SNMPv2",
          RFC 1901, January 1996.

[1906]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
          S. Waldbusser, "Transport Mappings for Version 2 of the
          Simple Network Management Protocol (SNMPv2)", RFC 1906,
          January 1996.

[2272]    Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
          Processing and Dispatching for the Simple Network Management
          Protocol (SNMP)", RFC 2272, January 1998.

[2274]    Blumenthal, U., and B. Wijnen, "User-based Security Model
          (USM) for version 3 of the Simple Network Management Protocol
          (SNMPv3)", RFC 2274, January 1998.

[1905]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
          S. Waldbusser, "Protocol Operations for Version 2 of the
          Simple Network Management Protocol (SNMPv2)", RFC 1905,
          January 1996.

[2273]    Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
          RFC 2273, SNMP Research, Inc., Secure Computing Corporation,
          Cisco Systems, January 1998.

[2275]    Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
          Access Control Model (VACM) for the Simple Network Management
          Protocol (SNMP)", RFC 2275, January 1998.

8. Revision History

This section will be removed before publication.

September 11, 1998

   Initial internal release. Traps not yet defined in ASN.1 format.
   Device MIB not yet defined in ASN.1 format.

October 4, 1998

   Added significantly more explanations on tunnel concept, including
   picture. Added packet counters for traffic. Made time usage
   consistent. Added generic error counters. Added SPIs and CPIs to
   IPSec SA table, and cookies to IKE SA tunnel table. Added peer port
   number to IKE SA table. Added peer's certificate serial number and
   issuer to IKE SA table. More information about traps. Added policy
   enforcement errors to IPSec tunnels.

   Issues:
   1) Do aggregate statistic values on permanent tunnels restart if
      link goes down and comes back up again?
   2) Should the IKE SA table indicate who was the initiator?
   3) Still have not put traps into ASN.1 format.
   4) Still have not put entity-wide statistics into ASN.1 format.

November 2, 1998

   Add ASN.1 for entity level objects. Add ASN.1 for traps. Non-error
   event traps removed. Added appendix to duplicate assigned numbers
   from current drafts.

   Issues:
   1) Do aggregate statistic values on permanent tunnels restart if
      link goes down and comes back up again?
   2) Group and Compliance statements?
   3) Sub-identifier under the experimental tree?

November 24, 1998

   Major changes; most too numerous to mention. Single largest change
   is splitting IKE SAs from what was the IKE tunnel table (now the
   control channel table).

   Issues:
   1) Should aggregate statistic values on permanent tunnels restart
      if link goes down and comes back up again?
   2) Group and Compliance statements?
   3) Sub-identifier under the experimental tree?
   4) Is existing address object implementation okay for both IPv4
      and IPv6?

9. Appendix A

This appendix reproduces the assigned numbers from the referenced IPSec
documents that are used in the MIB. They are to be used as a reference
only and are not part of this specification. As the IPSec protocol
evolves, this list is almost certain to become incomplete.

Portions are blatantly copied from [IKE], [IPDOI] and [ISAKMP].
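The ipsecNotifyCountTable in section 4 may be sparsely populated, and ipsecNotifyMessageTotalCount is defined as the sum of its rows; the notify message ranges reproduced in the tables of this appendix say which ipsecNotifyMessage values are ISAKMP errors, status codes, DOI-specific codes or private use. The following is an added Python example, not part of this draft or of any implementation of it, that classifies the rows of a polled table by those ranges, totals them per category, lists the error-type rows an operator would look at first, and checks the reported total against the table. The range boundaries and the handful of message names come from the tables below; the table rows and the reported total are constructed.

```python
"""Classify ipsecNotifyCountTable rows and cross-check the reported total.

Added example, not part of the draft. Ranges and names are copied from the
notify message tables in Appendix A; the sample rows are constructed."""

# (low, high, category) for ipsecNotifyMessage values, from Appendix A.
NOTIFY_RANGES = (
    (1, 30, "isakmp-error"),
    (31, 8191, "reserved"),
    (8192, 16383, "private-use"),
    (16384, 16384, "isakmp-status"),      # CONNECTED
    (16385, 24575, "reserved"),
    (24576, 32767, "doi-status"),         # DOI-specific codes
    (32768, 40959, "private-use"),
    (40960, 65535, "reserved"),
)

# A few of the named values listed in the appendix tables.
NOTIFY_NAMES = {
    4: "INVALID-COOKIE",
    11: "INVALID-SPI",
    14: "NO-PROPOSAL-CHOSEN",
    24: "AUTHENTICATION-FAILED",
    16384: "CONNECTED",
    24576: "RESPONDER-LIFETIME",
    24577: "REPLAY-STATUS",
    24578: "INITIAL-CONTACT",
}


def classify_notify(value: int) -> tuple:
    """Return (category, name) for one ipsecNotifyMessage value.
    The draft reserves 0 for 'unknown'."""
    if value == 0:
        return ("unknown", "UNKNOWN")
    for low, high, category in NOTIFY_RANGES:
        if low <= value <= high:
            return (category, NOTIFY_NAMES.get(value, f"{category}-{value}"))
    raise ValueError(f"{value} is outside INTEGER (0..65535)")


def summarize_notify_table(rows: dict, reported_total: int) -> dict:
    """rows maps ipsecNotifyMessage to ipsecNotifyMessageCount and may be
    sparse (rows with a count of 0 absent). reported_total is the value of
    ipsecNotifyMessageTotalCount read in the same poll."""
    by_category = {}
    errors = []
    for value, count in rows.items():
        category, name = classify_notify(value)
        by_category[category] = by_category.get(category, 0) + count
        if category == "isakmp-error" and count:
            errors.append((name, count))
    table_total = sum(rows.values())
    return {
        "by_category": by_category,
        "errors": sorted(errors, key=lambda entry: -entry[1]),
        "table_total": table_total,
        # the draft defines the total as the sum of the table's rows
        "consistent": table_total == reported_total,
    }


# Constructed sparse table and the total an agent would report alongside it.
SAMPLE_ROWS = {4: 12, 14: 3, 24: 7, 16384: 40, 24578: 5, 8200: 1}
SAMPLE_TOTAL = 68

if __name__ == "__main__":
    print(summarize_notify_table(SAMPLE_ROWS, SAMPLE_TOTAL))
```

A mismatch between the reported total and the sum of the rows is worth flagging in itself: either the agent implements the table and the total from different counters, or the walk of a sparse table missed rows.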
ipsecIkeSaEncAlg - Encryption Algorithm

        DES-CBC                                 1
        IDEA-CBC                                2
        Blowfish-CBC                            3
        RC5-R16-B64-CBC                         4
        3DES-CBC                                5
        CAST-CBC                                6

ipsecIkeSaPeerIdType

        ID Type                                 Value
        -------                                 -----
        RESERVED                                0
        ID_IPV4_ADDR                            1
        ID_FQDN                                 2
        ID_USER_FQDN                            3
        ID_IPV4_ADDR_SUBNET                     4
        ID_IPV6_ADDR                            5
        ID_IPV6_ADDR_SUBNET                     6
        ID_IPV4_ADDR_RANGE                      7
        ID_IPV6_ADDR_RANGE                      8
        ID_DER_ASN1_DN                          9
        ID_DER_ASN1_GN                          10
        ID_KEY_ID                               11

ipsecIkeSaHashAlg - Hash Algorithm

        MD5                                     1
        SHA                                     2
        Tiger                                   3

ipsecIkeSaAuthMethod - Authentication Method

        pre-shared key                          1
        DSS signatures                          2
        RSA signatures                          3
        Encryption with RSA                     4
        Revised encryption with RSA             5

ipsecIkeSaDifHelGroupDesc - Group Description

        default 768-bit MODP group              1
        alternate 1024-bit MODP group           2
        EC2N group on GP[2^155]                 3
        EC2N group on GP[2^185]                 4

ipsecIkeSaDifHelGroupType - Group Type

        MODP (modular exponentiation group)     1
        ECP (elliptic curve group over GF[P])   2
        EC2N (elliptic curve group over GF[2^N]) 3

ipsecTunnelEspEncAlg

        Transform ID                            Value
        ------------                            -----
        RESERVED                                0
        ESP_DES_IV64                            1
        ESP_DES                                 2
        ESP_3DES                                3
        ESP_RC5                                 4
        ESP_IDEA                                5
        ESP_CAST                                6
        ESP_BLOWFISH                            7
        ESP_3IDEA                               8
        ESP_DES_IV32                            9
        ESP_RC4                                 10
        ESP_NULL                                11

ipsecTunnelEspAuthAlg - Authentication Algorithm

        RESERVED                                0
        HMAC-MD5                                1
        HMAC-SHA                                2
        DES-MAC                                 3
        KPDK                                    4

ipsecTunnelAhAuthAlg

        Transform ID                            Value
        ------------                            -----
        RESERVED                                0-1
        AH_MD5                                  2
        AH_SHA                                  3
        AH_DES                                  4

ipsecTunnelCompAlg

        Transform ID                            Value
        ------------                            -----
        RESERVED                                0
        IPCOMP_OUI                              1
        IPCOMP_DEFLATE                          2
        IPCOMP_LZS                              3
        IPCOMP_V42BIS                           4

NOTIFY MESSAGES - ERROR TYPES

        Errors                                  Value
        ------                                  -----
        INVALID-PAYLOAD-TYPE                    1
        DOI-NOT-SUPPORTED                       2
        SITUATION-NOT-SUPPORTED                 3
        INVALID-COOKIE                          4
        INVALID-MAJOR-VERSION                   5
        INVALID-MINOR-VERSION                   6
        INVALID-EXCHANGE-TYPE                   7
        INVALID-FLAGS                           8
        INVALID-MESSAGE-ID                      9
        INVALID-PROTOCOL-ID                     10
        INVALID-SPI                             11
        INVALID-TRANSFORM-ID                    12
        ATTRIBUTES-NOT-SUPPORTED                13
        NO-PROPOSAL-CHOSEN                      14
        BAD-PROPOSAL-SYNTAX                     15
        PAYLOAD-MALFORMED                       16
        INVALID-KEY-INFORMATION                 17
        INVALID-ID-INFORMATION                  18
        INVALID-CERT-ENCODING                   19
        INVALID-CERTIFICATE                     20
        CERT-TYPE-UNSUPPORTED                   21
        INVALID-CERT-AUTHORITY                  22
        INVALID-HASH-INFORMATION                23
        AUTHENTICATION-FAILED                   24
        INVALID-SIGNATURE                       25
        ADDRESS-NOTIFICATION                    26
        NOTIFY-SA-LIFETIME                      27
        CERTIFICATE-UNAVAILABLE                 28
        UNSUPPORTED-EXCHANGE-TYPE               29
        UNEQUAL-PAYLOAD-LENGTHS                 30
        RESERVED (Future Use)                   31 - 8191
        Private Use                             8192 - 16383

NOTIFY MESSAGES - STATUS TYPES

        Status                                  Value
        ------                                  -----
        CONNECTED                               16384
        RESERVED (Future Use)                   16385 - 24575
        DOI-specific codes                      24576 - 32767
        Private Use                             32768 - 40959
        RESERVED (Future Use)                   40960 - 65535

        Notify Messages - Status Types          Value
        ------------------------------          -----
        RESPONDER-LIFETIME                      24576
        REPLAY-STATUS                           24577
        INITIAL-CONTACT                         24578

Editor's Address

   Tim Jenkins
   tjenkins@timestep.com
   TimeStep Corporation
   362 Terry Fox Drive
   Kanata, ON
   Canada
   K2K 2P5
   +1 (613) 599-3610

The IPSec working group can be contacted via the IPSec working group's
mailing list (ipsec@tis.com) or through its chairs:

   Robert Moskowitz
   rgm@icsa.net
   International Computer Security Association

   Theodore Y. Ts'o
   tytso@MIT.EDU
   Massachusetts Institute of Technology
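The ipsecProtSuiteCreationTime, ipsecProtSuiteTimeLimit, ipsecProtSuiteTrafficLimit and ipsecProtSuiteTrafficCount objects of the protection suite table in section 4 give a manager what it needs to tell how close a protection suite is to expiring, but two decoding steps stand between the raw values and that answer: ipsecProtSuiteCreationTime uses the SNMPv2 DateAndTime textual convention of [1903], and the three limit objects are OCTET STRINGs of at least four octets. The following is an added Python example, not part of this draft or of any implementation of it, that performs both decodings and reports the fraction of each limit consumed. It assumes that the OCTET STRING limit objects encode an unsigned big-endian integer (the draft fixes only their size, not their encoding), that an 8-octet DateAndTime with no zone field is UTC, and that the row shown is constructed rather than read over SNMP.

```python
"""Lifetime check for one ipsecProtSuiteTable row.

Added example, not part of the draft. Decodes ipsecProtSuiteCreationTime
(RFC 1903 DateAndTime) and the OCTET STRING limit objects, then reports how
far the protection suite is from its time and traffic expiration limits.
Assumed: limit OCTET STRINGs are unsigned big-endian integers; an 8-octet
DateAndTime without a zone field is UTC; the sample row is constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def decode_date_and_time(octets: bytes) -> datetime:
    """RFC 1903 DateAndTime: year(2) month day hour minute second deci-second
    (8 octets), optionally followed by UTC direction '+'/'-', hours and
    minutes from UTC (11 octets in total)."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets")
    year = int.from_bytes(octets[0:2], "big")
    month, day, hour, minute, second, decisec = octets[2:8]
    tz = timezone.utc  # assumption for the 8-octet form, which carries no zone
    if len(octets) == 11:
        sign = 1 if octets[8:9] == b"+" else -1
        tz = timezone(sign * timedelta(hours=octets[9], minutes=octets[10]))
    return datetime(year, month, day, hour, minute, second,
                    decisec * 100_000, tzinfo=tz)


def decode_lifetime(octets: bytes) -> int:
    """ipsecProtSuiteTimeLimit / TrafficLimit / TrafficCount, SIZE (4..255):
    assumed to be an unsigned big-endian integer."""
    if len(octets) < 4:
        raise ValueError("lifetime OCTET STRING must be at least 4 octets")
    return int.from_bytes(octets, "big")


@dataclass(frozen=True)
class ProtSuiteRow:
    index: int             # ipsecProtSuiteIndex
    creation_time: bytes   # ipsecProtSuiteCreationTime (DateAndTime)
    time_limit: bytes      # ipsecProtSuiteTimeLimit, seconds, 0 if none
    traffic_limit: bytes   # ipsecProtSuiteTrafficLimit, 1024-byte blocks, 0 if none
    traffic_count: bytes   # ipsecProtSuiteTrafficCount, 1024-byte blocks


def assess_lifetime(row: ProtSuiteRow, now: datetime, warn_at: float = 0.9) -> dict:
    """Return elapsed seconds and the fraction of each limit consumed.
    A limit of 0 means 'no constraint' in the draft and is skipped."""
    created = decode_date_and_time(row.creation_time)
    time_limit = decode_lifetime(row.time_limit)
    traffic_limit = decode_lifetime(row.traffic_limit)
    traffic_count = decode_lifetime(row.traffic_count)

    elapsed = int((now - created).total_seconds())
    report = {"index": row.index, "elapsed_seconds": elapsed,
              "time_fraction": None, "traffic_fraction": None,
              "expired": False, "warn": False}
    if time_limit:
        fraction = elapsed / time_limit
        report["time_fraction"] = fraction
        report["expired"] = report["expired"] or fraction >= 1.0
        report["warn"] = report["warn"] or fraction >= warn_at
    if traffic_limit:
        fraction = traffic_count / traffic_limit
        report["traffic_fraction"] = fraction
        report["expired"] = report["expired"] or fraction >= 1.0
        report["warn"] = report["warn"] or fraction >= warn_at
    return report


# Constructed row: set up 1998-11-30 12:00:00.0 UTC, one-hour time limit,
# 1,000,000-block traffic limit with 950,000 blocks already counted.
SAMPLE_ROW = ProtSuiteRow(
    index=7,
    creation_time=(1998).to_bytes(2, "big") + bytes([11, 30, 12, 0, 0, 0])
                  + b"+" + bytes([0, 0]),
    time_limit=(3600).to_bytes(4, "big"),
    traffic_limit=(1_000_000).to_bytes(4, "big"),
    traffic_count=(950_000).to_bytes(4, "big"),
)
SAMPLE_NOW = datetime(1998, 11, 30, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess_lifetime(SAMPLE_ROW, SAMPLE_NOW))
```

For the constructed row the suite is half-way through its time limit but 95% of the way through its traffic limit, so the warning fires on traffic alone; a suite that hits either limit without a replacement protection suite appearing in the table is the condition a manager would want to notice before the tunnel drops.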
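The per-protection-suite error counters of section 4 (ipsecProtSuiteAuthErrors, ipsecProtSuiteReplayErrors and ipsecProtSuitePolicyErrors) are Counter32 objects, so a manager that wants to act on them has to poll, take differences modulo 2^32, and limit how often it reports a busy suite, much as the trap definitions ask implementations to send one trap per protection suite within a reasonable time period rather than one per packet. The following is an added Python example, not part of this draft or of any implementation of it, showing such a poller over constructed samples; the rate threshold, the hold-down window and the sample values are assumptions, and a real monitor would obtain the rows with an SNMP walk of the table.

```python
"""Poll-to-poll evaluation of the per-protection-suite error counters.

Added example, not part of the draft. Takes successive samples of the
Counter32 error columns, handles counter wrap, and raises at most one alert
per (protection suite, counter) per hold-down window. Samples are constructed."""

COUNTER32_MODULUS = 2 ** 32

ERROR_COLUMNS = (
    "ipsecProtSuiteAuthErrors",
    "ipsecProtSuiteReplayErrors",
    "ipsecProtSuitePolicyErrors",
)


def counter32_delta(previous: int, current: int) -> int:
    """Counter32 only increases and wraps at 2^32, so a current value below
    the previous one is read as a wrap. An agent restart also resets the
    counters; a production monitor would check sysUpTime before trusting
    the delta, which is left out here."""
    return (current - previous) % COUNTER32_MODULUS


class ErrorRateMonitor:
    def __init__(self, threshold_per_second: float, hold_down_seconds: int):
        self.threshold = threshold_per_second
        self.hold_down = hold_down_seconds
        self._last_sample = {}  # ipsecProtSuiteIndex -> (timestamp, {column: value})
        self._last_alert = {}   # (ipsecProtSuiteIndex, column) -> timestamp

    def observe(self, timestamp: int, rows: dict) -> list:
        """rows maps ipsecProtSuiteIndex to {column: Counter32 value}.
        Returns the alerts raised by this poll."""
        alerts = []
        for index, columns in rows.items():
            previous = self._last_sample.get(index)
            if previous is not None:
                prev_ts, prev_columns = previous
                interval = timestamp - prev_ts
                if interval > 0:
                    for column in ERROR_COLUMNS:
                        delta = counter32_delta(prev_columns[column], columns[column])
                        rate = delta / interval
                        if rate >= self.threshold and self._may_alert(index, column, timestamp):
                            alerts.append({"index": index, "column": column,
                                           "delta": delta, "rate": rate})
            self._last_sample[index] = (timestamp, dict(columns))
        return alerts

    def _may_alert(self, index: int, column: str, timestamp: int) -> bool:
        """One alert per (suite, counter) per hold-down window."""
        last = self._last_alert.get((index, column))
        if last is not None and timestamp - last < self.hold_down:
            return False
        self._last_alert[(index, column)] = timestamp
        return True


def run_constructed_scenario() -> list:
    """Four constructed polls (timestamps in seconds) for two protection
    suites. Suite 7 sustains 2 authentication errors per second; suite 9's
    counter wraps between the first two polls but only 56 errors occurred."""
    def row(auth, replay, policy):
        return {"ipsecProtSuiteAuthErrors": auth,
                "ipsecProtSuiteReplayErrors": replay,
                "ipsecProtSuitePolicyErrors": policy}

    polls = [
        (0,   {7: row(10, 0, 0),  9: row(4294967290, 0, 0)}),
        (60,  {7: row(130, 0, 0), 9: row(50, 0, 0)}),   # suite 7 alerts; suite 9 wrapped, 0.93/s
        (120, {7: row(250, 0, 0), 9: row(100, 0, 0)}),  # suite 7 still 2/s but inside hold-down
        (420, {7: row(850, 0, 0), 9: row(120, 0, 0)}),  # hold-down over, suite 7 alerts again
    ]
    monitor = ErrorRateMonitor(threshold_per_second=1.0, hold_down_seconds=300)
    return [monitor.observe(ts, rows) for ts, rows in polls]


if __name__ == "__main__":
    for poll_alerts in run_constructed_scenario():
        print(poll_alerts)
```

Without the modulo, the wrap on suite 9 would show as a negative or enormous delta and either be dropped or produce a false alarm; without the hold-down, suite 7 would alert on every poll for as long as the peer keeps sending bad packets, which is exactly the per-packet flood the trap descriptions tell implementations to avoid.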