idnits 2.17.1

draft-ietf-ipsec-isakmp-di-mon-mib-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 1239 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Abstract section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack an Authors' Addresses Section.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 497: '... that this value MAY be 0, as allowed ...'
     RFC 2119 keyword, line 914: '... Implementations SHOULD send one trap ...'
     RFC 2119 keyword, line 1014: '...write access, it SHOULD implement it a...'

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 15, 2003) is 7679 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'ADDRMIB' is defined on line 1124, but no explicit
     reference was found in the text

  == Unused Reference: 'IPSECTC' is defined on line 1128, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2851 (ref. 'ADDRMIB') (Obsoleted by
     RFC 3291)

  ** Obsolete normative reference: RFC 2571 (Obsoleted by RFC 3411)

  ** Downref: Normative reference to an Informational RFC: RFC 1215

  ** Downref: Normative reference to an Historic RFC: RFC 1157

  ** Downref: Normative reference to an Historic RFC: RFC 1901

  ** Obsolete normative reference: RFC 1906 (Obsoleted by RFC 3417)

  ** Obsolete normative reference: RFC 2572 (Obsoleted by RFC 3412)

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 2573 (Obsoleted by RFC 3413)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Obsolete normative reference: RFC 2570 (Obsoleted by RFC 3410)

     Summary: 18 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

Internet Draft                                      Editor: Paul Hoffman
draft-ietf-ipsec-isakmp-di-mon-mib-05.txt                 VPN Consortium
April 15, 2003
Expires in six months

                  ISAKMP DOI-Independent Monitoring MIB

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all
   provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups. Note that other groups
   may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Table of Contents

   [[ Needs to be generated in the RFC publication step ]]

Introduction

   This document defines a DOI (domain of interpretation) independent
   monitoring MIB for ISAKMP.

   The purpose of this MIB is to serve as the basis for protocol-specific
   MIBs that use ISAKMP as the basis for key exchanges or security
   association negotiation.

   As such, it has no DOI-dependent objects.

1. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in STD
      16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215
      [RFC1215]. The second version, called SMIv2, is described in STD
      58, RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580
      [RFC2580].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157]. A second version of the
      SNMP message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [RFC1901]
      and RFC 1906 [RFC1906]. The third version of the message protocol
      is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2572
      [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [RFC1905].

   o  A set of fundamental applications described in RFC 2573 [RFC2573]
      and the view-based access control mechanism described in RFC 2575
      [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.
94 1.1 Object Definitions 96 Managed objects are accessed via a virtual information store, termed 97 the Management Information Base or MIB. Objects in the MIB are 98 defined using the subset of Abstract Syntax Notation One (ASN.1) 99 defined in the SMI. In particular, each object type is named by an 100 OBJECT IDENTIFIER, an administratively assigned name. The object type 101 together with an object instance serves to uniquely identify a 102 specific instantiation of the object. For human convenience, we often 103 use a textual string, termed the descriptor, to refer to the object 104 type. 106 2. ISAKMP DOI-independent MIB Objects Architecture 108 The ISAKMP DOI-independent MIB consists of a table of security 109 associations (SAs), providing the DOI-independent portion of all SAs 110 that use ISAKMP as the basis of their negotiations. 112 There are also provided entity statistics related to generic ISAKMP 113 SA usage. The traffic statistics collected include re-transmissions 114 and both encrypted and unencrypted traffic to allow network 115 administrators determine how much of their total traffic is related 116 to ISAKMP, and thus management of security associations in general. 118 There is a single trap defined. The reason for this is that the DOI- 119 independent portion of ISAKMP makes no assumptions about the use of 120 ISAKMP, aside from the aggregate statistics assumption stated above. 121 The single trap defined is the invalid cookie trap; it is provided 122 since repeated detection of this error can indicate systems that have 123 become badly out of sync or are subject to denial-of-service attacks. 125 There is no count of notifications sent or received. The reason for 126 this is that the usage of notifications is associated with specific 127 DOIs (even though there are ISAKMP defined notification types), and 128 this is a DOI-independent MIB. 
Protocols that use the notifications 129 must be designed to allow counting of the notification types from DOI 130 of 0 if they use the ISAKMP notification types in addition to their 131 own. 133 2.1 Phase 1 Security Associations Table 135 This table includes the uniqueness identifiers for those SAs, some 136 version information, some communications information and some basic 137 status information. Also included are aggregate statistics based on 138 the assumption that DOI-specific usage of ISAKMP is for the purpose 139 of negotiating SAs. 141 Additional tables could be generated that are specific to the ISAKMP 142 DOI, however, there is no attempt to define these tables as part of 143 this MIB. These tables are intended to be part of a separate MIB. 145 3. MIB Definitions 147 ISAKMP-DOI-IND-MON-MIB DEFINITIONS ::= BEGIN 149 IMPORTS 150 MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, 151 Integer32, Counter64, NOTIFICATION-TYPE, OBJECT-IDENTITY 152 -- delete this and next line before release 153 , experimental 154 FROM SNMPv2-SMI 155 TEXTUAL-CONVENTION, TruthValue 156 FROM SNMPv2-TC 157 OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE 158 FROM SNMPv2-CONF 159 InetAddressType, InetAddress 160 FROM INET-ADDRESS-MIB 161 IsakmpDOI, IsakmpExchangeType 162 FROM IPSEC-ISAKMP-IKE-DOI-TC; 164 isakmpDoiIndMonModule MODULE-IDENTITY 165 LAST-UPDATED "0110031200Z" 166 ORGANIZATION "IETF IPsec Working Group" 167 CONTACT-INFO 168 " Tim Jenkins 169 Catena Networks 170 307 Legget Drive 171 Kanata, ON 172 Canada 173 K2K 3C8 174 +1 (613) 599-6430 175 tjenkins@catena.com 177 John Shriver 178 Intel Corporation 179 28 Crosby Drive Bedford, MA 180 01730 181 +1 (781) 687-1329 182 John.Shriver@intel.com 183 " 185 DESCRIPTION 186 "The MIB module to describe the DOI-independent part of 187 ISAKMP objects; to be used for monitoring purposes." 188 REVISION "9906031200Z" 189 DESCRIPTION 190 "Initial revision." 191 REVISION "9910211200Z" 192 DESCRIPTION 193 "Compliances and groups added. 
194 OID value under experimental tree added. 195 Removed SA expiration objects. 196 Added invalid cookie count and trap." 197 REVISION "0007101200Z" 199 DESCRIPTION 200 "Change addresses to use format from INET-ADDRESS-MIB. 201 Add explicit trap objects. 202 Other minor changes." 203 REVISION "0102071200Z" 204 DESCRIPTION 205 "Change MAX-ACCESS clause of index objects to 206 not-accessible. This lead to other changes due to 207 restrictions on the use of objects with MAX-ACCESS clause 208 values of not-accessible." 209 REVISION "0110031200Z" 210 DESCRIPTION 211 "A number of typo errors corrected. Also: 212 - isakmpInvalidCookieCount changed to isakmpInvalidCookies 213 - add (SIZE(4|16|20)) to localIpAddress 214 - explain why first six members of isakmpSaGroup are 215 commented out 216 - allow localIpAddressType and remoteIpAddressType to be 217 only IPv4 and Ipv6 addresses" 219 -- replace xxx in next line before release, uncomment before release 220 -- ::= { mib-2 xxx } 221 -- delete this and next line before release 222 ::= { experimental 99 } 224 isakmpDoiIndMIBObjects OBJECT-IDENTITY 225 STATUS current 226 DESCRIPTION 227 "This is the base object identifier for all ISAKMP 228 branches." 229 ::= { isakmpDoiIndMonModule 1 } 231 -- 232 -- significant branches 233 -- 235 isakmpSaTable OBJECT-IDENTITY 236 STATUS current 237 DESCRIPTION 238 "This is the base object identifier for the security 239 associations table." 240 ::= { isakmpDoiIndMIBObjects 1 } 242 isakmpGlobals OBJECT-IDENTITY 243 STATUS current 245 DESCRIPTION 246 "This is the base object identifier for all objects which 247 are global values for ISAKMP." 248 ::= { isakmpDoiIndMIBObjects 2 } 250 isakmpNegStats OBJECT-IDENTITY 251 STATUS current 252 DESCRIPTION 253 "This is the base object identifier for all objects which 254 are global counters for ISAKMP negotiation statistics." 
255 ::= { isakmpDoiIndMIBObjects 3 } 257 isakmpTrafStats OBJECT-IDENTITY 258 STATUS current 259 DESCRIPTION 260 "This is the base object identifier for all objects which 261 are global counters for ISAKMP security association traffic 262 statistics." 263 ::= { isakmpDoiIndMIBObjects 4 } 265 isakmpErrors OBJECT-IDENTITY 266 STATUS current 267 DESCRIPTION 268 "This is the base object identifier for all objects which 269 are global error counters for ISAKMP." 270 ::= { isakmpDoiIndMIBObjects 5 } 272 isakmpGroups OBJECT-IDENTITY 273 STATUS current 274 DESCRIPTION 275 "This is the base object identifier for all objects which 276 describe the groups in this MIB." 277 ::= { isakmpDoiIndMIBObjects 6 } 279 isakmpConformance OBJECT-IDENTITY 280 STATUS current 281 DESCRIPTION 282 "This is the base object identifier for all objects which 283 describe the conformance for this MIB." 284 ::= { isakmpDoiIndMIBObjects 7 } 286 isakmpTrapControl OBJECT-IDENTITY 287 STATUS current 288 DESCRIPTION 289 "This is the base object identifier for all trap controls 290 for this MIB." 291 ::= { isakmpDoiIndMIBObjects 8 } 293 isakmpTraps OBJECT-IDENTITY 294 STATUS current 295 DESCRIPTION 296 "This is the base object identifier for all traps for this 297 MIB." 298 ::= { isakmpDoiIndMIBObjects 9 } 300 isakmpTrapObjects OBJECT-IDENTITY 301 STATUS current 302 DESCRIPTION 303 "This is the base object identifier for all objects used by 304 traps for this MIB." 305 ::= { isakmpDoiIndMIBObjects 10 } 307 -- 308 -- textual conventions 309 -- 311 IsakmpCookie ::= TEXTUAL-CONVENTION 312 DISPLAY-HINT "x" 313 STATUS current 314 DESCRIPTION 315 "This data type is used to model ISAKMP cookies. This is a 316 binary string of 8 octets in network byte-order." 
317 SYNTAX OCTET STRING (SIZE (8)) 319 -- the ISAKMP DOI-independent SA MIB-Group 320 -- 321 -- a collection of objects providing information about the 322 -- DOI-independent portion of SAs generated using ISAKMP 323 -- 325 saTable OBJECT-TYPE 326 SYNTAX SEQUENCE OF SaEntry 327 MAX-ACCESS not-accessible 328 STATUS current 329 DESCRIPTION 330 "The (conceptual) table containing the DOI-independent 331 portion of ISAKMP SAs. 333 There should be one row for every phase 1 security 334 association that exists in the entity that uses ISAKMP. The 335 maximum number of rows is implementation dependent." 336 ::= { isakmpSaTable 1 } 338 saEntry OBJECT-TYPE 339 SYNTAX SaEntry 340 MAX-ACCESS not-accessible 341 STATUS current 342 DESCRIPTION 343 "An entry (conceptual row) containing the DOI-independent 344 information on a particular ISAKMP SA. 346 A row in this table cannot be created or deleted by SNMP 347 operations on columns of the table." 348 INDEX { 349 saLocalIpAddressType, 350 saLocalIpAddress, 351 saRemoteIpAddressType, 352 saRemoteIpAddress, 353 saInitiatorCookie, 354 saResponderCookie } 355 ::= { saTable 1 } 357 SaEntry::= SEQUENCE { 359 -- identification 360 saLocalIpAddressType InetAddressType, 361 saLocalIpAddress InetAddress, 362 saRemoteIpAddressType InetAddressType, 363 saRemoteIpAddress InetAddress, 364 saInitiatorCookie IsakmpCookie, 365 saResponderCookie IsakmpCookie, 367 -- communication information 368 saLocalUdpPort Integer32, 369 saRemoteUdpPort Integer32, 371 -- peer version information 372 saPeerMajorVersion Integer32, 373 saPeerMinorVersion Integer32, 375 -- creation/status/type 376 saDoi IsakmpDOI, 377 saLocallyInitiated TruthValue, 378 saStatus INTEGER, 379 saExchangeType IsakmpExchangeType, 381 -- statistics 382 saTimeSeconds Counter32, 383 saInPackets Counter32, 384 saOutPackets Counter32, 385 saInOctets Counter32, 386 saOutOctets Counter32 387 } 389 saLocalIpAddressType OBJECT-TYPE 390 SYNTAX InetAddressType 391 MAX-ACCESS not-accessible 392 
STATUS current 393 DESCRIPTION 394 "The type of the local address used to negotiate the ISAKMP 395 phase 1 SA." 396 ::= { saEntry 1 } 398 saLocalIpAddress OBJECT-TYPE 399 SYNTAX InetAddress (SIZE(4|16|20)) 400 MAX-ACCESS not-accessible 401 STATUS current 402 DESCRIPTION 403 "The local address used to negotiate the ISAKMP phase 1 SA." 404 ::= { saEntry 2 } 406 saRemoteIpAddressType OBJECT-TYPE 407 SYNTAX InetAddressType 408 MAX-ACCESS not-accessible 409 STATUS current 410 DESCRIPTION 411 "The type of the remote address used to negotiate the ISAKMP 412 phase 1 SA." 413 ::= { saEntry 3 } 415 saRemoteIpAddress OBJECT-TYPE 416 SYNTAX InetAddress (SIZE(4|16|20)) 417 MAX-ACCESS not-accessible 418 STATUS current 419 DESCRIPTION 420 "The remote address used to negotiate the ISAKMP phase 1 421 SA." 422 ::= { saEntry 4 } 424 saInitiatorCookie OBJECT-TYPE 425 SYNTAX IsakmpCookie 426 MAX-ACCESS not-accessible 427 STATUS current 428 DESCRIPTION 429 "The value of the cookie used by the initiator for the 430 ISAKMP phase 1 SA." 431 ::= { saEntry 5 } 433 saResponderCookie OBJECT-TYPE 434 SYNTAX IsakmpCookie 435 MAX-ACCESS not-accessible 436 STATUS current 437 DESCRIPTION 438 "The value of the cookie used by the responder for the 439 ISAKMP phase 1 SA. 441 Note that this value may be 0 if the ISAKMP phase 1 SA has 442 been initiated but not responded to by the peer entity. 444 It must never be 0 if this entry represents an ISAKMP phase 445 1 SA establishment attempt that has been initiated by the 446 peer. This rule prevents index collisions in the (unlikely) 447 event that two peers simultaneously initiate with the same 448 cookie at the same time." 449 ::= { saEntry 6 } 451 saLocalUdpPort OBJECT-TYPE 452 SYNTAX Integer32 (0..65535) 453 MAX-ACCESS read-only 454 STATUS current 455 DESCRIPTION 456 "The local UDP port number that this ISAKMP phase 1 SA was 457 negotiated with." 
458 ::= { saEntry 7 } 460 saRemoteUdpPort OBJECT-TYPE 461 SYNTAX Integer32 (0..65535) 462 MAX-ACCESS read-only 463 STATUS current 464 DESCRIPTION 465 "The remote UDP port number that this ISAKMP phase 1 SA was 466 negotiated with." 467 ::= { saEntry 8 } 469 saPeerMajorVersion OBJECT-TYPE 470 SYNTAX Integer32 (0..15) 471 MAX-ACCESS read-only 472 STATUS current 473 DESCRIPTION 474 "The major version number from the ISAKMP packet header used 475 by the peer." 476 REFERENCE "Section 3.1 of RFC 2408" 477 ::= { saEntry 9 } 479 saPeerMinorVersion OBJECT-TYPE 480 SYNTAX Integer32 (0..15) 481 MAX-ACCESS read-only 482 STATUS current 484 DESCRIPTION 485 "The minor version number from the ISAKMP packet header used 486 by the peer." 487 REFERENCE "Section 3.1 of RFC 2408" 488 ::= { saEntry 10 } 490 saDoi OBJECT-TYPE 491 SYNTAX IsakmpDOI 492 MAX-ACCESS read-only 493 STATUS current 494 DESCRIPTION 495 "The specific DOI value that this ISAKMP SA is using. 497 Note that this value MAY be 0, as allowed by Section 3.4 of 498 RFC 2408" 499 REFERENCE "Section 3.3 of RFC 2408" 500 ::= { saEntry 11 } 502 saLocallyInitiated OBJECT-TYPE 503 SYNTAX TruthValue 504 MAX-ACCESS read-only 505 STATUS current 506 DESCRIPTION 507 "This value is 'true' if the ISAKMP phase 1 SA was initiated 508 by the local entity, and 'false' if initiated by the remote 509 entity." 510 ::= { saEntry 12 } 512 saStatus OBJECT-TYPE 513 SYNTAX INTEGER { negotiating(1), established(2) } 514 MAX-ACCESS read-only 515 STATUS current 516 DESCRIPTION 517 "The status of the ISAKMP phase 1 SA. 519 If the state is 'negotiating', it means that processing of 520 the final packet of the phase 1 exchange is not yet 521 complete. 523 If the state is 'established', it means that processing of 524 all packets associated with ISAKMP phase 1 SA negotation is 525 complete, and the entities involved in the ISAKMP phase 1 SA 526 are authenticated." 
527 ::= { saEntry 13 } 529 saExchangeType OBJECT-TYPE 530 SYNTAX IsakmpExchangeType 531 MAX-ACCESS read-only 532 STATUS current 533 DESCRIPTION 534 "The exchange type used to negotiate the ISAKMP phase 1 SA." 535 REFERENCE "Section 3.1 of RFC 2408" 536 ::= { saEntry 14 } 538 saTimeSeconds OBJECT-TYPE 539 SYNTAX Counter32 540 UNITS "seconds" 541 MAX-ACCESS read-only 542 STATUS current 543 DESCRIPTION 544 "The number of seconds the SA has existed. In other words, 545 how old the SA is." 546 ::= { saEntry 15 } 548 saInPackets OBJECT-TYPE 549 SYNTAX Counter32 550 UNITS "packets" 551 MAX-ACCESS read-only 552 STATUS current 553 DESCRIPTION 554 "The total number of packets received by the ISAKMP phase 1 555 SA, including un-encrypted packets used to negotiate the 556 ISAKMP phase 1 SA, and any re-transmissions." 557 ::= { saEntry 16 } 559 saOutPackets OBJECT-TYPE 560 SYNTAX Counter32 561 UNITS "packets" 562 MAX-ACCESS read-only 563 STATUS current 564 DESCRIPTION 565 "The total number of packets sent by the ISAKMP phase 1 SA, 566 including un-encrypted packets used to negotiate the ISAKMP 567 phase 1 SA, and any re-transmissions sent." 568 ::= { saEntry 17 } 570 saInOctets OBJECT-TYPE 571 SYNTAX Counter32 572 UNITS "bytes" 573 MAX-ACCESS read-only 574 STATUS current 576 DESCRIPTION 577 "The amount of traffic measured in bytes received by the 578 ISAKMP phase 1 SA. This includes encrypted and un-encrypted 579 traffic used to negotiate the ISAKMP phase 1 SA, and any re- 580 transmissions received." 581 ::= { saEntry 18 } 583 saOutOctets OBJECT-TYPE 584 SYNTAX Counter32 585 UNITS "bytes" 586 MAX-ACCESS read-only 587 STATUS current 588 DESCRIPTION 589 "The amount of traffic measured in bytes sent by the ISAKMP 590 phase 1 SA. This includes encrypted and un-encrypted traffic 591 used to negotiate the ISAKMP phase 1 SA, and any re- 592 transmissions." 
593 ::= { saEntry 19 } 595 -- 596 -- the ISAKMP Entity MIB-Group 597 -- 599 isakmpMajorVersion OBJECT-TYPE 600 SYNTAX Integer32 ( 0..15 ) 601 MAX-ACCESS read-only 602 STATUS current 603 DESCRIPTION 604 "The maximum major version number value capable of being 605 supported by the entity." 606 ::= { isakmpGlobals 1 } 608 isakmpMinorVersion OBJECT-TYPE 609 SYNTAX Integer32 ( 0..15 ) 610 MAX-ACCESS read-only 611 STATUS current 612 DESCRIPTION 613 "The maximum minor version number value capable of being 614 supported by the entity." 615 ::= { isakmpGlobals 2 } 617 -- 618 -- ISAKMP phase 1 SA statistics 619 -- 621 isakmpCurrentSAs OBJECT-TYPE 622 SYNTAX Gauge32 623 MAX-ACCESS read-only 624 STATUS current 625 DESCRIPTION 626 "The current number of ISAKMP SAs in the entity." 627 ::= { isakmpNegStats 1 } 629 isakmpCurrentInitiatedSAs OBJECT-TYPE 630 SYNTAX Gauge32 631 MAX-ACCESS read-only 632 STATUS current 633 DESCRIPTION 634 "The current number of ISAKMP SAs successfully negotiated in 635 the entity that were initiated by the entity." 636 ::= { isakmpNegStats 2 } 638 isakmpCurrentRespondedSAs OBJECT-TYPE 639 SYNTAX Gauge32 640 MAX-ACCESS read-only 641 STATUS current 642 DESCRIPTION 643 "The current number of ISAKMP SAs successfully negotiated in 644 the entity that were initiated by the peer entity." 645 ::= { isakmpNegStats 3 } 647 isakmpTotalSAs OBJECT-TYPE 648 SYNTAX Counter32 649 MAX-ACCESS read-only 650 STATUS current 651 DESCRIPTION 652 "The total number of ISAKMP SAs successfully negotiated in 653 the entity since boot time." 654 ::= { isakmpNegStats 4 } 656 isakmpTotalInitiatedSAs OBJECT-TYPE 657 SYNTAX Counter32 658 MAX-ACCESS read-only 659 STATUS current 660 DESCRIPTION 661 "The total number of ISAKMP SAs successfully negotiated in 662 the entity since boot time that were initiated by the 663 entity." 
664 ::= { isakmpNegStats 5 } 666 isakmpTotalRespondedSAs OBJECT-TYPE 667 SYNTAX Counter32 668 MAX-ACCESS read-only 669 STATUS current 670 DESCRIPTION 671 "The total number of ISAKMP SAs successfully negotiated in 672 the entity since boot time that were initiated by the peer 673 entity." 674 ::= { isakmpNegStats 6 } 676 isakmpTotalAttempts OBJECT-TYPE 677 SYNTAX Counter32 678 MAX-ACCESS read-only 679 STATUS current 680 DESCRIPTION 681 "The total number of ISAKMP SAs negotiation attempts made 682 since boot time. This includes successful negotiations." 683 ::= { isakmpNegStats 7 } 685 isakmpTotalAsInitAttempts OBJECT-TYPE 686 SYNTAX Counter32 687 MAX-ACCESS read-only 688 STATUS current 689 DESCRIPTION 690 "The total number of ISAKMP SAs negotiation attempts made 691 where the entity was the initiator since boot time. This 692 includes successful negotiations." 693 ::= { isakmpNegStats 8 } 695 isakmpTotalAsRespAttempts OBJECT-TYPE 696 SYNTAX Counter32 697 MAX-ACCESS read-only 698 STATUS current 699 DESCRIPTION 700 "The total number of ISAKMP SAs negotiation attempts made 701 where the entity was the responder since boot time. This 702 includes successful negotiations." 703 ::= { isakmpNegStats 9 } 705 -- 706 -- traffic statistics 707 -- 709 isakmpTotalInPackets OBJECT-TYPE 710 SYNTAX Counter32 711 UNITS "packets" 712 MAX-ACCESS read-only 713 STATUS current 715 DESCRIPTION 716 "The total number of ISAKMP packets received by the entity 717 since boot time, including re-transmissions and un-encrypted 718 packets." 719 ::= { isakmpTrafStats 1 } 721 isakmpTotalOutPackets OBJECT-TYPE 722 SYNTAX Counter32 723 UNITS "packets" 724 MAX-ACCESS read-only 725 STATUS current 726 DESCRIPTION 727 "The total number of ISAKMP packets sent by the entity since 728 boot time, including re-transmissions and un-encrypted 729 packets." 
730 ::= { isakmpTrafStats 2 } 732 isakmpTotalInOctets OBJECT-TYPE 733 SYNTAX Counter64 734 UNITS "bytes" 735 MAX-ACCESS read-only 736 STATUS current 737 DESCRIPTION 738 "The total amount of ISAKMP traffic received by the entity 739 since boot time, measured in bytes, including any re- 740 transmitted packets received, and including encrypted and 741 un-encrypted packets." 742 ::= { isakmpTrafStats 3 } 744 isakmpTotalOutOctets OBJECT-TYPE 745 SYNTAX Counter64 746 UNITS "bytes" 747 MAX-ACCESS read-only 748 STATUS current 749 DESCRIPTION 750 "The total amount of ISAKMP traffic sent by the entity since 751 boot time, measured in bytes, including any re-transmissions 752 and including encrypted and un-encrypted packets." 753 ::= { isakmpTrafStats 4 } 755 -- 756 -- global error counts 757 -- 759 isakmpTotalInitFailures OBJECT-TYPE 760 SYNTAX Counter32 761 MAX-ACCESS read-only 762 STATUS current 763 DESCRIPTION 764 "The total number of attempts to initiate an ISAKMP phase 1 765 SA that failed since boot time, when there was a response 766 from the peer entity. 768 This value may be used to detect clogging or denial-of- 769 service attacks." 770 ::= { isakmpErrors 1 } 772 isakmpTotalInitNoResponses OBJECT-TYPE 773 SYNTAX Counter32 774 MAX-ACCESS read-only 775 STATUS current 776 DESCRIPTION 777 "The total number of attempts to initiate an ISAKMP phase 1 778 SA that failed since boot time, when there was no response 779 from the peer entity. 780 This should only be incremented if the peer does not repond 781 to the first packet of attempted negotiations." 782 ::= { isakmpErrors 2 } 784 isakmpTotalRespFailures OBJECT-TYPE 785 SYNTAX Counter32 786 MAX-ACCESS read-only 787 STATUS current 788 DESCRIPTION 789 "The total number of attempts to initiate an ISAKMP phase 1 790 SA that failed since boot time, when the initiation attempt 791 came for the peer entity." 
        ::= { isakmpErrors 3 }

    isakmpInvalidCookies OBJECT-TYPE
        SYNTAX      Counter32
        UNITS       "packets"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of ISAKMP packets with invalid cookies
            received by the entity since boot time."
        ::= { isakmpErrors 4 }

    --
    -- ISAKMP Traps and Control
    --

    invalidCookieTrapEnable OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Indicates whether invalidCookieTrap traps should be
            generated."
        DEFVAL { false }
        ::= { isakmpTrapControl 1 }

    localIpAddressType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The type of the local IP address used in an ISAKMP message,
            to be associated with a trap."
        ::= { isakmpTrapObjects 1 }

    localIpAddress OBJECT-TYPE
        SYNTAX      InetAddress (SIZE(4|16|20))
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The local IP address used in an ISAKMP message, to be
            associated with a trap."
        ::= { isakmpTrapObjects 2 }

    localUdpPort OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The local UDP port number used in an ISAKMP message, to be
            associated with a trap."
        ::= { isakmpTrapObjects 3 }

    remoteIpAddressType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The type of the remote IP address used in an ISAKMP message,
            to be associated with a trap."
        ::= { isakmpTrapObjects 4 }

    remoteIpAddress OBJECT-TYPE
        SYNTAX      InetAddress (SIZE(4|16|20))
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The remote IP address used in an ISAKMP message, to be
            associated with a trap."
        ::= { isakmpTrapObjects 5 }

    remoteUdpPort OBJECT-TYPE
        SYNTAX      Integer32 (0..65535)
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The remote UDP port number used in an ISAKMP message, to be
            associated with a trap."
        ::= { isakmpTrapObjects 6 }

    initiatorCookie OBJECT-TYPE
        SYNTAX      IsakmpCookie
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The initiator cookie used in an ISAKMP message, to be
            associated with a trap."
        ::= { isakmpTrapObjects 7 }

    responderCookie OBJECT-TYPE
        SYNTAX      IsakmpCookie
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The responder cookie used in an ISAKMP message, to be
            associated with a trap."
        ::= { isakmpTrapObjects 8 }

    invalidCookieTrap NOTIFICATION-TYPE
        OBJECTS {
            localIpAddressType,
            localIpAddress,
            localUdpPort,
            remoteIpAddressType,
            remoteIpAddress,
            remoteUdpPort,
            initiatorCookie,
            responderCookie,
            isakmpInvalidCookies
        }
        STATUS      current
        DESCRIPTION
            "ISAKMP packets with invalid cookies were detected from the
            specified source, intended for the specified destination.

            The initiator and responder cookies are also sent with the
            trap.

            The current count is sent to allow the trap to accurately
            reflect dropped and throttled traps.

            Implementations SHOULD send one trap per peer (within a
            reasonable time period), rather than sending one trap per
            packet."
        ::= { isakmpTraps 0 1 }

    --
    -- Units of Conformance (Object Groups)
    --

    isakmpSaGroup OBJECT-GROUP
        OBJECTS {
            --
            -- Authors' note: The first six objects are commented
            -- out, since the current SMI does not allow objects with
            -- a MAX-ACCESS clause of not-accessible to be put in
            -- groups.
            --
            -- saLocalIpAddressType, saLocalIpAddress,
            -- saRemoteIpAddressType, saRemoteIpAddress,
            -- saInitiatorCookie, saResponderCookie,
            saLocalUdpPort, saRemoteUdpPort, saPeerMajorVersion,
            saPeerMinorVersion, saDoi, saLocallyInitiated, saStatus,
            saExchangeType, saTimeSeconds, saInPackets, saOutPackets,
            saInOctets, saOutOctets
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects that describe the state of the
            security associations of the ISAKMP protocol."
        ::= { isakmpGroups 1 }

    isakmpGlobalsGroup OBJECT-GROUP
        OBJECTS {
            isakmpMajorVersion, isakmpMinorVersion, isakmpCurrentSAs,
            isakmpCurrentInitiatedSAs, isakmpCurrentRespondedSAs,
            isakmpTotalSAs, isakmpTotalInitiatedSAs,
            isakmpTotalRespondedSAs, isakmpTotalAttempts,
            isakmpTotalAsInitAttempts, isakmpTotalAsRespAttempts,
            isakmpTotalInPackets, isakmpTotalOutPackets,
            isakmpTotalInOctets, isakmpTotalOutOctets,
            isakmpTotalInitFailures, isakmpTotalInitNoResponses,
            isakmpTotalRespFailures, isakmpInvalidCookies
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects that describe the global state of
            the ISAKMP protocol."
        ::= { isakmpGroups 2 }

    isakmpTrapControlGroup OBJECT-GROUP
        OBJECTS {
            invalidCookieTrapEnable
        }
        STATUS      current
        DESCRIPTION
            "Trap control for the ISAKMP protocol."
        ::= { isakmpGroups 3 }

    isakmpTrapDataGroup OBJECT-GROUP
        OBJECTS {
            localIpAddressType, localIpAddress, localUdpPort,
            remoteIpAddressType, remoteIpAddress, remoteUdpPort,
            initiatorCookie, responderCookie
        }
        STATUS      current
        DESCRIPTION
            "Trap data for the ISAKMP protocol."
        ::= { isakmpGroups 4 }

    isakmpTrapGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            invalidCookieTrap
        }
        STATUS      current
        DESCRIPTION
            "The traps for the ISAKMP protocol."
        ::= { isakmpGroups 5 }

    --
    -- Compliance Statements
    --

    isakmpDoiIndependentMonitorCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for the SNMPv3 entities which
            implement the ISAKMP DOI-Independent Monitoring MIB."
        MODULE  -- this module
            MANDATORY-GROUPS {
                isakmpSaGroup, isakmpGlobalsGroup, isakmpTrapControlGroup,
                isakmpTrapDataGroup, isakmpTrapGroup
            }

            -- Allows the trap control to be read-only.

            OBJECT      invalidCookieTrapEnable
            MIN-ACCESS  read-only
            DESCRIPTION
                "If an implementation cannot properly secure this variable
                against unauthorized write access, it SHOULD implement it as
                read-only, so that an unauthorized party cannot change
                whether the traps are generated.  Of course, there must
                then be other means of controlling the generation of the
                associated trap."

            -- Don't require support for the dns(16) address type

            OBJECT      localIpAddressType
            SYNTAX      INTEGER { ipv4(1), ipv6(2) }
            DESCRIPTION
                "An implementation is only required to support IPv4 and IPv6
                addresses."

            OBJECT      remoteIpAddressType
            SYNTAX      INTEGER { ipv4(1), ipv6(2) }
            DESCRIPTION
                "An implementation is only required to support IPv4 and IPv6
                addresses."

            -- Authors' note: The following statements are commented out,
            -- since the current SMI does not allow objects with a
            -- MAX-ACCESS clause of not-accessible to be put in groups,
            -- and objects that are not in groups cannot be in
            -- compliance statements.

            -- OBJECT      saLocalIpAddressType
            -- SYNTAX      INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4 and IPv6
            --     addresses."

            -- OBJECT      saRemoteIpAddressType
            -- SYNTAX      INTEGER { ipv4(1), ipv6(2) }
            -- DESCRIPTION
            --     "An implementation is only required to support IPv4 and IPv6
            --     addresses."

        ::= { isakmpConformance 1 }

    END
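   The invalidCookieTrap DESCRIPTION asks implementations to send one trap
   per peer within a reasonable period while still carrying the current
   isakmpInvalidCookies count, and the compliance statement only requires
   the ipv4(1) and ipv6(2) address types for the trap objects.  The Python
   below is an added example, not code from this draft or from any SNMP
   agent, showing one way an agent can meet that SHOULD and how a trap
   receiver should check that each InetAddressType/InetAddress pair is
   consistent before acting on it.  It assumes an 8-octet IsakmpCookie (the
   RFC 2408 cookie size), the RFC 2851 InetAddress encodings the MIB cites
   (4 octets for ipv4, 16 for ipv6, or 20 with a 4-octet scope identifier,
   which is where SIZE(4|16|20) comes from), and a fixed throttling window;
   the addresses, ports and cookies in demo() are constructed sample data.

```python
"""Agent-side model of invalidCookieTrap: the isakmpInvalidCookies counter,
the invalidCookieTrapEnable switch, the per-peer throttle the trap's
DESCRIPTION asks for, and a receiver-side check that an InetAddressType
agrees with its InetAddress octets.  Added illustration, not code from the
draft or any SNMP agent.  Assumed: IsakmpCookie is 8 octets (RFC 2408);
InetAddress follows the RFC 2851 conventions the MIB cites (4 octets for
ipv4(1), 16 for ipv6(2), or 20 with a scope identifier, hence
SIZE(4|16|20)); the "reasonable time period" is a fixed window per peer.
"""
import ipaddress
from dataclasses import dataclass, field

IPV4, IPV6 = 1, 2                       # InetAddressType values handled here
_INET_SIZES = {IPV4: (4,), IPV6: (16, 20)}
COOKIE_LEN = 8


def encode_inet_address(text):
    """Return (InetAddressType, InetAddress octets) for an IP literal."""
    ip = ipaddress.ip_address(text)
    return (IPV4 if ip.version == 4 else IPV6), ip.packed


def decode_inet_address(addr_type, octets):
    """Turn a (type, octets) pair from a trap back into a printable address.

    A receiver should run this before acting on the varbinds: a type/length
    mismatch is a malformed or forged notification, not an address.
    """
    allowed = _INET_SIZES.get(addr_type)      # only ipv4/ipv6, as required
    if allowed is None:
        raise ValueError("unsupported InetAddressType %r" % (addr_type,))
    if len(octets) not in allowed:
        raise ValueError("InetAddress of %d octets does not match type %d"
                         % (len(octets), addr_type))
    if len(octets) == 20:                     # drop the scope identifier
        octets = octets[:16]
    return str(ipaddress.ip_address(octets))


def inet_address_is_valid(addr_type, octets):
    """Boolean form of decode_inet_address for acceptance checks."""
    try:
        decode_inet_address(addr_type, octets)
        return True
    except ValueError:
        return False


@dataclass
class InvalidCookieTrapper:
    """State an ISAKMP agent keeps for isakmpInvalidCookies and its trap."""
    window_seconds: float = 60.0
    trap_enabled: bool = False          # invalidCookieTrapEnable, DEFVAL false
    isakmp_invalid_cookies: int = 0     # Counter32, wraps at 2**32
    _last_trap_at: dict = field(default_factory=dict)

    def on_invalid_cookie(self, now, local, local_port, remote, remote_port,
                          initiator_cookie, responder_cookie):
        """Account for one bad-cookie packet; return trap varbinds or None.

        The counter always advances, so a polling manager sees the full
        volume.  A trap goes out at most once per window for each remote
        peer (address and port, so peers behind one NAT stay distinct) and
        carries the current counter, so the manager can bound how many
        packets were throttled between two traps.
        """
        self.isakmp_invalid_cookies = (self.isakmp_invalid_cookies + 1) % 2**32
        if not self.trap_enabled:
            return None
        if len(initiator_cookie) != COOKIE_LEN or len(responder_cookie) != COOKIE_LEN:
            raise ValueError("ISAKMP cookies are %d octets" % COOKIE_LEN)
        peer = (remote, remote_port)
        last = self._last_trap_at.get(peer)
        if last is not None and now - last < self.window_seconds:
            return None                 # throttled: peer already reported
        self._last_trap_at[peer] = now
        local_type, local_octets = encode_inet_address(local)
        remote_type, remote_octets = encode_inet_address(remote)
        return {
            "localIpAddressType": local_type, "localIpAddress": local_octets,
            "localUdpPort": local_port,
            "remoteIpAddressType": remote_type, "remoteIpAddress": remote_octets,
            "remoteUdpPort": remote_port,
            "initiatorCookie": initiator_cookie,
            "responderCookie": responder_cookie,
            "isakmpInvalidCookies": self.isakmp_invalid_cookies,
        }


def demo():
    """Constructed packet sequence (one noisy peer, one quiet peer); returns
    the agent and the traps actually emitted: 3 traps for 5 packets."""
    agent = InvalidCookieTrapper(window_seconds=60.0, trap_enabled=True)
    ic, rc = bytes(range(8)), bytes(8)                 # constructed cookies
    events = [(0.0, "203.0.113.7", 500), (1.0, "203.0.113.7", 500),
              (2.0, "203.0.113.7", 500), (5.0, "2001:db8::9", 4500),
              (61.0, "203.0.113.7", 500)]              # (time, peer, port)
    traps = []
    for t, remote, rport in events:
        vb = agent.on_invalid_cookie(t, "192.0.2.1", 500, remote, rport, ic, rc)
        if vb is not None:
            traps.append(vb)
    return agent, traps
```

   Keying the throttle on (address, port) rather than on the address alone
   keeps distinct peers behind one NAT from masking each other; keyed on
   the address alone, one noisy host could silence reports about its
   neighbours.  Because isakmpInvalidCookies is a global counter, two
   consecutive traps from the same peer only bound, rather than attribute,
   the packets dropped between them, which is all the DESCRIPTION promises.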
4. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IPsec SAs.  While some of the information is readily
   available by monitoring the traffic into an entity, other information
   may provide attackers with more information than an administrator may
   desire.

   Of particular concern is the ability to disable the transmission of
   traps.  The traps defined in this MIB may appear due to badly
   configured systems and transient error conditions, but they may also
   appear due to attacks.  An attacker who can disable these traps
   removes some of the warnings that would otherwise reach system
   administrators.

   While unauthorized access to the readable objects is relatively
   innocuous, unauthorized access to those objects through an insecure
   channel can provide attackers with more information about a system
   than an administrator may desire.  One example is an attacker polling
   the global statistic counters (isakmpInvalidCookies, for instance) to
   get feedback on the progress of an attack.

   It is thus important to control even GET access to these objects and
   possibly to encrypt the values of these objects when sending them
   over the network via SNMP.  Not all versions of SNMP provide features
   for such a secure environment.

   SNMPv1 by itself is not a secure environment.  Even if the network
   itself is secure (for example by using IPsec), there is still no
   control over who on the secure network is allowed to access and
   GET/SET (read/change/create/delete) the objects in this MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework.  Specifically, the use of the
   User-based Security Model RFC 2574 [RFC2574] and the View-based
   Access Control Model RFC 2575 [RFC2575] is recommended.
   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to GET or SET
   (change/create/delete) them.

5. Acknowledgments

   This document was begun and mostly developed by Tim Jenkins and John
   Shriver.  The editor listed for this document (Paul Hoffman) only
   shepherded the last steps before final publication.

   This document is based in part on an earlier proposal titled "draft-
   ietf-ipsec-mib-xx.txt".  That series was abandoned, since it included
   application-specific constructs in addition to the IPsec-only
   objects.

   Portions of the original document were based on the working paper
   "IP Security Management Information Base" by R. Thayer and
   U. Blumenthal.

   Contributions to the IPsec MIB series of documents come from
   D. McDonald, M. Baugher, C. Brooks, C. Powell, M. Daniele,
   T. Kivinen, J. Walker, S. Kelly, J. Leonard, M. Richardson,
   R. Charlet, M. Zallocco, and others participating in the IPsec
   working group.

6. References

6.1 Normative references

   [ADDRMIB] Daniele, M., Haberman, B., Routhier, S., and J.
             Schoenwaelder, "Textual Conventions for Internet Network
             Addresses", RFC 2851, June 2000.

   [IPSECTC] Shriver, J., "IPSec DOI Textual Conventions MIB",
             draft-ietf-ipsec-doi-tc-mib, work in progress.

   [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An
             Architecture for Describing SNMP Management Frameworks",
             RFC 2571, April 1999.

   [RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
             of Management Information for TCP/IP-based Internets",
             STD 16, RFC 1155, May 1990.

   [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions",
             STD 16, RFC 1212, March 1991.

   [RFC1215] Rose, M., "A Convention for Defining Traps for use with the
             SNMP", RFC 1215, March 1991.

   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Structure of Management
             Information Version 2 (SMIv2)", STD 58, RFC 2578,
             April 1999.

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Textual Conventions for
             SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Conformance Statements for
             SMIv2", STD 58, RFC 2580, April 1999.

   [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
             Network Management Protocol", STD 15, RFC 1157, May 1990.

   [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Introduction to Community-based SNMPv2", RFC 1901,
             January 1996.

   [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Transport Mappings for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [RFC2572] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
             "Message Processing and Dispatching for the Simple Network
             Management Protocol (SNMP)", RFC 2572, April 1999.

   [RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
             (USM) for version 3 of the Simple Network Management
             Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Protocol Operations for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
             RFC 2573, April 1999.

   [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
             Access Control Model (VACM) for the Simple Network
             Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
             "Introduction to Version 3 of the Internet-standard Network
             Management Framework", RFC 2570, April 1999.

6.2 Non-normative references

   [ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and J. Turner,
             "Internet Security Association and Key Management Protocol
             (ISAKMP)", RFC 2408, November 1998.

A. Changes from -05 to -06

   [[ To be removed when published as an RFC ]]

   - Changed the authors' names to the editor's name.

   - Added acknowledgement for the original authors.

   - Minor formatting changes.

   - Split the references into normative and non-normative.

   NOTE: There are still lines that talk about things that need to be
   changed before release of the RFC (search for "release").