draft-ietf-ipsec-mib-01.txt
Internet Engineering Task Force                            Tim Jenkins
IP Security Working Group                          TimeStep Corporation
Internet Draft                                        October 19, 1998

                         IPSec Monitoring MIB

Status of this Memo

This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@tis.com) or to the editor.

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or made obsolete by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Distribution of this memo is unlimited.

Copyright Notice

This document is a product of the IETF's IPSec Working Group.
Copyright (C) The Internet Society (1998). All Rights Reserved.

Table of Contents

   1. Revision History
   2. Introduction
   3. The SNMPv2 Network Management Framework
   3.1 Object Definitions
   4. IPSec MIB Objects Architecture
   4.1 Tunnel MIB and Interface MIB Consideration
   4.2 MIB Tables
   4.3 IPSec Virtual Tunnels
   4.3.1 Transient Tunnels
   4.3.2 Permanent Tunnels
   4.4 IKE SA Tunnels
   4.5 Phase 2 SA Tunnels
   4.6 Phase 2 SAs
   4.7 Asymmetric Use
   4.8 IPSec MIB Traps
   4.9 IPSec Device MIB
   5. MIB Definitions
   6. Security Considerations
   7. Acknowledgements
   8. References
   9. Editor's Address

1. Revision History

This section will be removed before publication.

   September 11, 1998   Initial internal release.
                        Traps not yet defined in ASN.1 format.
                        Device MIB not yet defined in ASN.1 format.

   October 4, 1998      Added significantly more explanations on tunnel
                        concept, including picture.
                        Added packet counters for traffic.
                        Made time usage consistent.
                        Added generic error counters.
                        Added SPIs and CPIs to IPSec SA table, and
                        cookies to IKE SA tunnel table.
                        Added peer port number to IKE SA table.
                        Added peer's certificate serial number and
                        issuer to IKE SA table.
                        More information about traps.
                        Added policy enforcement errors to IPSec
                        tunnels.

   Issues:
      1) Do aggregate statistic values on permanent tunnels restart if
         the link goes down and comes back up again?
      2) Should the IKE SA table indicate who was the initiator?
      3) Still have not put traps into ASN.1 format.
      4) Still have not put entity-wide statistics into ASN.1 format.

2. Introduction

This document defines monitoring and status MIBs for IPSec. It does not
define MIBs that may be used for configuring IPSec implementations or
for providing low-level diagnostic or debugging information. Further,
it does not provide policy information. Those MIBs may be defined in
later versions of this document or in other documents.
The purpose of the MIBs is to allow system administrators to determine
operating conditions and perform system operational level monitoring of
the IPSec portion of their network. Statistics are provided as well.

The IPSec MIB definitions use a virtual tunnel model in which tunnels
are either configured as permanent or are transient. The virtual tunnel
model is used to allow the use of IPSec from a virtual private
networking (VPN) point of view. This allows users of IPSec based
products to get similar monitoring and statistical information from an
IPSec based VPN as they would from a VPN based on other technologies,
such as Frame Relay.

Finally, the objects defined represent a somewhat simplified view of
security associations. This is done for expediency and to simplify the
presentation. Also, some information about SAs has been intentionally
left out to reduce the security risk if SNMP traffic is compromised.

3. The SNMPv2 Network Management Framework

The SNMP Management Framework presently consists of five major
components:

   o An overall architecture, described in RFC 2271 [2271].

   o Mechanisms for describing and naming objects and events for the
     purpose of management. The first version of this Structure of
     Management Information (SMI) is called SMIv1 and described in
     RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
     version, called SMIv2, is described in RFC 1902 [1902],
     RFC 1903 [1903] and RFC 1904 [1904].

   o Message protocols for transferring management information. The
     first version of the SNMP message protocol is called SNMPv1 and
     described in RFC 1157 [1157]. A second version of the SNMP message
     protocol, which is not an Internet standards track protocol, is
     called SNMPv2c and described in RFC 1901 [1901] and
     RFC 1906 [1906].
     The third version of the message protocol is called SNMPv3 and
     described in RFC 1906 [1906], RFC 2272 [2272] and RFC 2274 [2274].

   o Protocol operations for accessing management information. The
     first set of protocol operations and associated PDU formats is
     described in RFC 1157 [1157]. A second set of protocol operations
     and associated PDU formats is described in RFC 1905 [1905].

   o A set of fundamental applications described in RFC 2273 [2273] and
     the view-based access control mechanism described in
     RFC 2275 [2275].

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are defined
using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB
conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.

3.1 Object Definitions

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are defined
using the subset of Abstract Syntax Notation One (ASN.1) defined in the
SMI. In particular, each object type is named by an OBJECT IDENTIFIER,
an administratively assigned name. The object type together with an
object instance serves to uniquely identify a specific instantiation of
the object. For human convenience, we often use a textual string,
termed the descriptor, to refer to the object type.

4. IPSec MIB Objects Architecture

The IPSec MIB provides information related to both phase 1 or Internet
Key Exchange (IKE) security associations (SAs) and phase 2 (or IPSec)
SAs. Configuration information about the SAs is provided, as are
statistics related to the SAs themselves.

Since one of the uses of IPSec implementations is to provide Virtual
Private Network (VPN) services of the kind also provided by other
private network services such as leased lines or frame relay networks,
there is a need to provide the same type of monitoring capability.

To support this, the concept of virtual tunnels is developed.
Additionally, the concept of transient and permanent tunnels is also
developed.

4.1 Tunnel MIB and Interface MIB Consideration

It should be noted that the MIBs here are not extensions of the Tunnel
MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach was
rejected for a number of reasons, including:

   o The types of parameters required for those MIBs are not
     appropriate for IPSec MIBs.

     The parameters required for IPSec tunnels are related to security
     services and statistics associated with handling those services.
     There are no such parameters in the Tunnel MIB.

   o The virtual tunnels created by IPSec SAs are independent of other
     logical interfaces.

     This document takes the point of view that IPSec sits on top of
     IP. This perspective is used since the IPSec headers (AH and ESP)
     are carried after the IP header, as IP payload, so from the IP
     layer's point of view IPSec may be viewed as a layer 4 protocol.
     As such, the handling of IPSec secured packets by IP is
     independent of how IP is routed over the physical or logical
     layer 2 interfaces. That particular mapping is part of the purpose
     of the Tunnel MIB, and thus has no direct relationship to the
     IPSec virtual tunnels.

   o The tunnel end point definitions are not the same as those used by
     the Tunnel MIB.
     The Tunnel MIB uniquely defines tunnels by a simple source and
     destination IP address pair. This is only a specific subset of the
     identifiers needed for IPSec virtual tunnels.

4.2 MIB Tables

The MIB uses three tables that are linked as shown in Figure 4-1. The
following sections describe the use of these tables.

The IPSec SAs appear in the IPSec SA table. These SAs create the
virtual tunnels shown in the IPSec virtual tunnel table. These may have
been created by SAs in the IKE SA table. An IKE SA is also considered a
virtual tunnel, and its row contains statistics about itself, the IKE
SAs used to support it, and aggregate information about the IPSec
virtual tunnels created by it.

In Figure 4-1, IKE virtual tunnel number 1 has created IPSec virtual
tunnels 1 and 2. Virtual tunnel 1 at this moment has SAs numbered 1 and
6, while virtual tunnel 2 at this moment has SAs numbered 2 and 5. IKE
virtual tunnel number 2 has created IPSec virtual tunnel 3, which has
IPSec SAs numbered 3 and 4.

   ipsecIkeSaTable           -information and statistics on the IKE SAs
     IKE SA1 <---+           -aggregate information about IPSec tunnels
     IKE SA2 <-+ |
               | |<- only if IPSec SAs are not static
               | |
               | |   ipsecTunnelTable     -information and statistics on
               | +- IPSec Tunnel 1 <---+   the IPSec virtual tunnels
               | +- IPSec Tunnel 2 <--+|
               +--- IPSec Tunnel 3 <-+||
                                     |||
                                     |||   ipsecSaTable   -information on
                                     ||+- IPSec SA 1      specific IPSec SAs
                                     |+|- IPSec SA 2
                                     +||- IPSec SA 3
                                     +||- IPSec SA 4
                                      +|- IPSec SA 5
                                       +- IPSec SA 6

              Figure 4-1 IPSec Monitoring MIB Structure

A diagram that is intended to show the tunnels that exist between two
IPSec gateways is shown in Figure 4-2. Two host groups are shown, one
behind each IPSec gateway. Also shown are the IKE or phase 1 virtual
tunnel between the gateways and four possible IPSec virtual tunnels.
Of these four possible virtual tunnels, one is shown with two IPSec SAs
in it. One of these SAs may be just about to expire, while the other may
have been created in anticipation of the expiration of the first. These
SAs are the SAs that provide the service, supporting the existence of
the tunnel.

Within each IPSec virtual tunnel are the IPSec SAs that are set up to
maintain the virtual tunnel. Also illustrated is the link to the phase 1
SA tunnel that collects the aggregate statistics associated with all
IPSec virtual tunnels associated with the IKE tunnel.

More information on the virtual tunnels is presented in subsequent
sections.

4.3 IPSec Virtual Tunnels

IPSec implementations effectively create tunnels that user traffic may
pass through, performing various services on that traffic as it passes
through the tunnel.

Virtual IPSec tunnels are created by the existence of SAs, either
statically created or created by IKE. The tunnel concept comes from the
effect that SAs have on the packets they handle. As a packet encounters
an IPSec implementation, either in a security gateway or as a layer in
a protocol stack, a policy decision causes the packet to be handed to an
SA for processing.

The SA then performs a security service (possibly including
compression) on the packet, adds at least one new header and sends the
packet into the normal IP stream for routing. (The only time no header
is added is when the only service provided by the SA is compression, it
is a transport mode SA, and the packet is not compressible.)

When the secured (and possibly compressed) packet arrives at its
destination, the peer IPSec implementation removes the added header or
headers and reverses the processing. Another policy lookup is then done
to make sure the packet was appropriately handled by the sending peer.
Since the original packet is conceptually "hidden" between the two
IPSec implementations, it can be considered tunneled. As a conceptual
aid, if ESP could be negotiated with no encryption and no
authentication, it would provide services very similar to IP-in-IP.

                +----------------------------+
                |     IKE (control tunnel)   |
                |   +---------------------+  |
                |   |       IKE SA        |  |
                |   +---------------------+  |
                +----------------------------+
                   ^                      ^
                   |                      |  <- aggregate IPSec statistics
                   |                      |
 H11 -|   +----+   |                      |   +----+   |- H21
      |   |    |   |                      |   |    |   |
      |---| G1 |------------------------------| G2 |---|
      |   |    |   |                      |   |    |   |
 H12 -|   +----+   |                      |   +----+   |- H22
                   |                      |
                   |                      |
        +-----------------------------------------+
        |        H11 to H21 (data tunnel)         |  <- aggregate
        | +-------------------------------------+ |     SA statistics
        | | IPSec SA with H11 and H21 selectors | |     for H11-H21
        | +-------------------------------------+ |
        | +-------------------------------------+ |
        | | IPSec SA with H11 and H21 selectors | |
        | +-------------------------------------+ |
        +-----------------------------------------+
                   |                      |
        +-----------------------------------------+
        |        H11 to H22 (data tunnel)         |  <- aggregate
        +-----------------------------------------+     SA statistics
                   |                      |             for H11-H22
        +-----------------------------------------+
        |        H12 to H21 (data tunnel)         |  <- aggregate
        +-----------------------------------------+     SA statistics
                   |                      |             for H12-H21
        +-----------------------------------------+
        |        H12 to H22 (data tunnel)         |  <- aggregate
        +-----------------------------------------+     SA statistics
                   |                      |             for H12-H22
                   +----------------------+

              Figure 4-2 Illustration of IPSec Tunnels

The specific SA chosen by the policy lookup is based on what are called
the selectors. The selectors are the packet's source IP address, its
destination IP address, its layer 4 protocol and its layer 4 source and
destination port numbers.
The policy system uses this information to assign the packet to an SA
for handling.

Since it is irrelevant to the packet which specific SA provided the
services, and since all SAs with the same selectors should provide the
same service, the existence of any and all SAs assigned to the
selectors effectively creates a tunnel for the packets.

In other words, the tunnel created by the SAs is identified by the
selectors used to assign the security services to the packet. The
selectors are explained in detail in [SECARCH].

While the virtual tunnel described so far is for packets that are
passed to the IPSec SAs, there exists another type of virtual tunnel.
This virtual tunnel carries control traffic for the management of the
IPSec SAs between two peers.

This tunnel is created by the existence of phase 1 SAs between the two
peers. This document assumes that there is never more than one phase 1
SA between peers for the purposes of the statistics provided by the
phase 1, or IKE, tunnel. This allows the statistics for IKE SAs and the
virtual tunnel created by those SAs to be combined into the same table.

4.3.1 Transient Tunnels

Transient tunnels are made up of SAs that normally go up and down, such
as those created by a dial-in client implementation. Additionally,
these SAs are prone to being torn down in an impolite manner. As an
example, system administrators typically do not want alarms going off
when these SAs are torn down because an end user disconnected his or
her modem before performing a normal dial-up networking shutdown.

By necessity, this applies to both the IKE tunnel and the IPSec tunnels
created by it. Static SAs can never create transient tunnels.

4.3.2 Permanent Tunnels

Permanent tunnels are made up of SAs that a system administrator
considers of significant importance in a VPN implementation.
These SAs would typically be from one IPSec gateway to another and be
used as the link between two corporate networks. As such, the network
administrator would want alarms to go off when one of these virtual
tunnels goes down under any circumstance.

How implementations specify which tunnels are permanent versus
transient is beyond the scope of this document.

A permanent tunnel is up if the value of ipsecTunnelCurrentSaNum, in
the ASN.1 module that follows, is greater than 0, and down otherwise.

4.4 IKE SA Tunnels

Phase 1 or IKE tunnels are defined as being made up of a series of
phase 1 SAs that carry secured management traffic. It is assumed that
only one phase 1 SA can exist between any two peers. Therefore, there
is no separate table of phase 1 SAs and phase 1 SA tunnels. A tunnel
can be considered to exist past the lifetime of a phase 1 SA if a
subsequent phase 1 SA can be immediately formed between the same peers,
and any phase 2 SAs created by previous phase 1 SAs are not deleted
when the original phase 1 SA expires. Stated another way, successful
re-keying of a phase 1 SA keeps a phase 1 tunnel alive, but only if all
phase 2 SAs created are kept as well.

Phase 1 tunnels are uniquely identified by the IP addresses and port
numbers of the end points. It is assumed that a peer that either
initiates from or responds from a port number that is not the IKE
default port number will continue to use the same port number.

IKE SAs are displayed as a table. It is assumed that there is only a
single SA between end points. Therefore, the table consists of all
active phase 1 SAs that are established between the local entity and
other entities.

Each row of the table contains configuration information such as the
encryption algorithm used, the key length, and the authentication
algorithm used.
Peer information, such as the peer ID, is also provided. Certificate
information, specifically the issuer name and serial number, is
included even though it is meaningless in pre-shared key authentication
mode. This is due to the importance of this information in many VPN
implementations. The distinguished name of the certificate is not
provided; it may be the ID used for phase 1 negotiation. If the ID used
for phase 1 negotiation is not the certificate's distinguished name, it
should be one of the alternate names encoded in the certificate.

Phase 1 tunnels may be transient or permanent. The status column, which
indicates whether a tunnel is up or down, has no meaning for a
transient phase 1 tunnel: a transient tunnel disappears from the table
when it goes down, whereas a permanent tunnel does not.

It is recommended that implementations place permanent SAs in the table
before all transient SAs, and that the order of permanent SAs displayed
in the table does not change.

Statistics are provided as well. There are three types of statistics
provided: the statistics associated with the current phase 1 SA between
the peers, the aggregate statistics of phase 1 SA communications
between the peers, and the aggregate statistics of all phase 2 SAs
created by the phase 1 SA. These statistics are kept based on the
assumption that information is passed forward when SAs are re-keyed.
This allows network monitors to determine the total amount of protected
traffic passed between two IPSec implementations.

4.5 Phase 2 SA Tunnels

Phase 2 or IPSec tunnels are defined as being made up of an arbitrary
number of phase 2 or IPSec SAs with the same tunnel parameters. They
may be transient or permanent. Functionally, this table is very similar
to the IP Tunnel MIB; however, IPSec SA-based tunnels are not defined
in the same way as the tunnels in that MIB.
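As an added example, not code from this draft, the following Python
model ties together the three tables of 4.2 with the tunnel rules of
4.3 through 4.5: phase 2 SAs are grouped into virtual tunnels by their
selectors plus the set of services they provide (so an ESP+IPCOMP SA
with the same selectors as an ESP-only SA forms a separate tunnel),
each tunnel row points at the IKE SA row that created it, byte counters
are carried forward on the tunnel and IKE rows when an SA is re-keyed
and removed, and a permanent tunnel reads as up only while its current
SA count is above zero, whereas a transient tunnel with no SAs left
leaves the table. Class and field names are shortened forms of the MIB
objects and are assumptions made here; the sample data reproduces
Figure 4-1 and is constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Selectors = Tuple[str, str, Optional[int], Optional[int], Optional[int]]  # 4.3; None = wildcard
TunnelKey = Tuple[Selectors, FrozenSet[str]]  # 4.5: the service set is part of the identity

@dataclass
class IkeSaRow:                 # ipsecIkeSaTable row: the phase 1 tunnel
    index: int
    peer: str
    ipsec_in_bytes: int = 0     # ipsecIkeSaIpsecInboundTraffic (aggregate over its tunnels)
    ipsec_out_bytes: int = 0    # ipsecIkeSaIpsecOutboundTraffic

@dataclass
class TunnelRow:                # ipsecTunnelTable row: a phase 2 virtual tunnel
    index: int
    key: TunnelKey
    ike_index: Optional[int]    # row of the IKE SA that created it; None if static
    permanent: bool
    current_sa_num: int = 0     # ipsecTunnelCurrentSaNum
    total_in_bytes: int = 0     # aggregate over every SA the tunnel ever had
    total_out_bytes: int = 0

    @property
    def status(self) -> Optional[str]:
        if not self.permanent:  # 4.4: status has no meaning for a transient tunnel
            return None
        return "up" if self.current_sa_num > 0 else "down"  # 4.3.2 / 4.5

@dataclass
class IpsecSaRow:               # ipsecSaTable row: one phase 2 SA
    index: int
    selectors: Selectors
    services: FrozenSet[str]    # subset of {"ESP", "AH", "IPCOMP"} (4.6)
    ike_index: Optional[int]    # None for a static SA
    tunnel_index: int = 0

class IpsecMonitor:
    def __init__(self) -> None:
        self.ike: Dict[int, IkeSaRow] = {}
        self.tunnels: Dict[int, TunnelRow] = {}
        self.sas: Dict[int, IpsecSaRow] = {}
        self._by_key: Dict[TunnelKey, int] = {}
        self._next_tunnel = 1

    def tunnel_for(self, key: TunnelKey, permanent: bool = False) -> TunnelRow:
        # A permanent tunnel gets its row (initially down) before any SA exists.
        if key not in self._by_key:
            self.tunnels[self._next_tunnel] = TunnelRow(self._next_tunnel, key, None, permanent)
            self._by_key[key] = self._next_tunnel
            self._next_tunnel += 1
        return self.tunnels[self._by_key[key]]

    def add_sa(self, sa: IpsecSaRow) -> TunnelRow:
        t = self.tunnel_for((sa.selectors, sa.services))
        if t.ike_index is None:
            t.ike_index = sa.ike_index  # link the tunnel to its phase 1 tunnel
        t.current_sa_num += 1
        sa.tunnel_index = t.index
        self.sas[sa.index] = sa
        return t

    def record_traffic(self, sa_index: int, in_bytes: int, out_bytes: int) -> None:
        # Count on the SA's tunnel and on the IKE row's IPSec aggregate.
        t = self.tunnels[self.sas[sa_index].tunnel_index]
        t.total_in_bytes += in_bytes
        t.total_out_bytes += out_bytes
        if t.ike_index in self.ike:
            self.ike[t.ike_index].ipsec_in_bytes += in_bytes
            self.ike[t.ike_index].ipsec_out_bytes += out_bytes

    def expire_sa(self, sa_index: int) -> TunnelRow:
        # Drop the SA row; its bytes stay in the tunnel totals (4.4).  A transient
        # tunnel with no SAs left disappears, a permanent one stays and reads down.
        sa = self.sas.pop(sa_index)
        t = self.tunnels[sa.tunnel_index]
        t.current_sa_num -= 1
        if t.current_sa_num == 0 and not t.permanent:
            del self.tunnels[t.index]
            del self._by_key[t.key]
        return t

def figure_4_1_scenario() -> IpsecMonitor:
    """Constructed data reproducing Figure 4-1, then one re-key on tunnel 1."""
    m = IpsecMonitor()
    m.ike[1] = IkeSaRow(1, "192.0.2.1")          # sample peers: documentation addresses
    m.ike[2] = IkeSaRow(2, "198.51.100.1")
    esp = frozenset({"ESP"})
    h11_h21: Selectors = ("10.1.0.0/16", "10.2.0.0/16", None, None, None)
    h11_h22: Selectors = ("10.1.0.0/16", "10.3.0.0/16", None, None, None)
    other: Selectors = ("10.1.0.0/16", "172.16.0.0/16", None, None, None)
    m.tunnel_for((h11_h21, esp), permanent=True)  # tunnel 1: permanent gateway link
    m.add_sa(IpsecSaRow(1, h11_h21, esp, 1))     # tunnel 1, created by IKE SA 1
    m.add_sa(IpsecSaRow(2, h11_h22, esp, 1))     # tunnel 2, created by IKE SA 1
    m.add_sa(IpsecSaRow(3, other, esp, 2))       # tunnel 3, created by IKE SA 2
    m.add_sa(IpsecSaRow(4, other, esp, 2))       # tunnel 3
    m.add_sa(IpsecSaRow(5, h11_h22, esp, 1))     # tunnel 2, re-key in progress
    m.add_sa(IpsecSaRow(6, h11_h21, esp, 1))     # tunnel 1, re-key in progress
    m.record_traffic(1, 4000, 2500)
    m.expire_sa(1)                               # SA 1 expires; tunnel 1 stays up
    return m
```

After the scenario runs, tunnel 1 still reports up with one SA and keeps
the 4000 inbound bytes that SA 1 carried, which is exactly what a
monitor polling ipsecTunnelCurrentSaNum and the aggregate counters
across a re-key should see; expiring the remaining SAs of the transient
tunnel 3 removes its row, while doing the same to the permanent
tunnel 1 leaves the row in place reading down.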
Phase 2 tunnels are uniquely identified by the IP addresses (which may
be single IP addresses, ranges or subnets) at each end, the port number
at each end and the protocol, as defined in [IPDOI]. Note that the
protocol and port numbers may be wildcards.

Further, phase 2 tunnels must be considered different if the services
they provide differ. In other words, if an SA providing both
compression and ESP is created for the above parameters where previous
SAs provided only ESP, the new SA MUST be considered part of a
different virtual tunnel than the previous SAs.

Individual phase 2 SAs are presented in another table. Each row of the
IPSec tunnel table contains configuration information related to phase
2 SAs and aggregate statistics related to all of those SAs. It does not
contain information about specific phase 2 SAs.

Each row in the table has a value which is an index to the row of the
phase 1 SA that created it, if the phase 2 SAs are not static SAs.

If the tunnel is configured as permanent, its status can be determined
by the number of phase 2 SAs currently active in it. If that number is
zero, the tunnel must be considered down. If that number is greater
than 0, the tunnel is considered up.

4.6 Phase 2 SAs

Individual phase 2 SAs appear in a third table. This table contains
only the statistics for the individual SA and a value which is an index
into the phase 2 SA tunnel table. Each entry in this table therefore
holds the information and statistics that are unique to one SA. Since
many SAs may share the same selectors, the selectors are found in the
IPSec tunnel table entry referenced by each SA.

Bundled SAs are supported by having separate objects for each of ESP,
AH and IPCOMP, under the assumption that no implementation will use any
of those protocols more than once in the same SA bundle.
While no particular order of application of the three services is
specified, it is expected that IPCOMP will always be applied first if
used and AH will always be applied last if used. Further, the
expiration parameters specified refer to the minimum value of each
security service if there is more than one in the bundle.

4.7 Asymmetric Use

This MIB is defined assuming symmetric use of SAs. That is to say, it
assumes that an inbound SA is always set up with a corresponding
outbound SA that provides the same security service.

In cases where this MIB is required for asymmetric use, the
corresponding objects that describe the unused direction may be set to
the equivalent of the unknown or zero state.

4.8 IPSec MIB Traps

Traps are provided to let system administrators know about the creation
and deletion of SAs, errors related to the creation of SAs, and
operational errors that may indicate the presence of attacks on the
system.
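The trap list that follows asks that the error traps be sent once per
tunnel, per peer or per SPI rather than once per packet, and the device
MIB in 4.9 counts every such packet regardless. As an added example,
not code from this draft, the Python sketch below is an agent-side trap
generator that applies that rule with a hold-down timer, so that a
flood of forged packets (the attack case the paragraph above refers to)
produces one trap carrying a repeat count instead of a trap storm,
while the device-wide error counters still record every packet. The
event kinds, counter names and the 60 second hold-down are assumptions
made here, and the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Error events as the agent sees them (names are assumptions, not MIB objects).
# Each maps to the 4.8 trap it raises, the identifier the trap is limited to
# (one trap per tunnel, per SPI or per peer, never per packet) and the 4.9
# device-wide counter that every packet increments regardless.
EVENT_RULES = {
    "auth_fail":   ("ipsecSaAuthenticationFailure", "tunnel", "authErrorPackets"),
    "replay_fail": ("ipsecSaReplayFailure",         "tunnel", "replayErrorPackets"),
    "policy_fail": ("ipsecSaPolicyFailure",         "tunnel", "policyErrorPackets"),
    "unknown_spi": ("ipsecInvalidSpi",              "spi",    "unknownSpiPackets"),
    "bad_cookie":  ("ipsecInvalidCookie",           "peer",   "ikeProtocolErrors"),
}

@dataclass
class Event:
    ts: float        # seconds since boot
    kind: str        # key of EVENT_RULES
    peer: str        # source address of the offending packet
    tunnel: int = 0  # ipsecTunnelTable index (tunnel-keyed events)
    spi: int = 0     # SPI or CPI carried by the packet (unknown_spi)

@dataclass
class Trap:
    ts: float
    name: str
    key: Tuple
    repeats: int     # packets for this key counted but not trapped since the
                     # previous trap for it (0 on the first trap)

class TrapGenerator:
    """At most one trap per key per hold-down period; every packet is counted."""

    def __init__(self, holddown_s: float = 60.0) -> None:
        self.holddown_s = holddown_s
        self.counters: Counter = Counter()      # 4.9 device-wide error statistics
        self._last_trap: Dict[Tuple, float] = {}
        self._repeats: Counter = Counter()

    def handle(self, ev: Event) -> Optional[Trap]:
        trap_name, key_field, counter = EVENT_RULES[ev.kind]
        self.counters[counter] += 1             # counted whether or not a trap goes out
        key = ((trap_name, ev.peer) if key_field == "peer"
               else (trap_name, ev.peer, getattr(ev, key_field)))
        last = self._last_trap.get(key)
        if last is not None and ev.ts - last < self.holddown_s:
            self._repeats[key] += 1             # inside the hold-down: suppress
            return None
        trap = Trap(ev.ts, trap_name, key, self._repeats[key])
        self._last_trap[key] = ev.ts
        self._repeats[key] = 0
        return trap

def process(events: List[Event], holddown_s: float = 60.0) -> Tuple[List[Trap], Counter]:
    gen = TrapGenerator(holddown_s)
    traps = [t for t in (gen.handle(ev) for ev in events) if t is not None]
    return traps, gen.counters

def sample_events() -> List[Event]:
    """Constructed burst: a forged-packet flood on tunnel 1, a few replays, one
    bad packet on tunnel 2, an SPI scan, an IKE cookie flood, then one more bad
    packet on tunnel 1 after the hold-down has elapsed."""
    evs = [Event(1.0 + i * 0.1, "auth_fail", "203.0.113.9", tunnel=1) for i in range(50)]
    evs += [Event(6.0 + i, "replay_fail", "203.0.113.9", tunnel=1) for i in range(3)]
    evs += [Event(8.5, "auth_fail", "203.0.113.9", tunnel=2)]
    evs += [Event(9.0 + i * 0.01, "unknown_spi", "203.0.113.9", spi=0x1000 + i % 2)
            for i in range(20)]
    evs += [Event(10.0 + i * 0.001, "bad_cookie", "198.51.100.7") for i in range(100)]
    evs += [Event(70.0, "auth_fail", "203.0.113.9", tunnel=1)]
    return evs
```

Running process(sample_events()) turns 174 bad packets into seven traps
(one per tunnel for the authentication and replay failures, one per
scanned SPI, one for the cookie flood, and a second authentication trap
on tunnel 1 once the hold-down has passed, carrying the 49 suppressed
repeats), while the counters still show all 52 authentication errors,
3 replay errors, 20 unknown SPIs and 100 IKE protocol errors.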
Specifically, the following traps are provided:

   IKE virtual tunnel up (the first IKE SA between two peers has come
      up)
   IKE virtual tunnel down (the IKE SA supporting a virtual tunnel was
      taken down, and no attempt to keep the tunnel up is happening;
      usually administrative)
   IKE SA Negotiation Failure (an attempt to negotiate a phase 1 SA
      failed)
   Invalid Cookie Problem (OAKLEY packets with invalid cookies were
      detected; should send one trap for each peer, not one trap for
      each packet)
   IPSec SA Tunnel Start (the first IPSec SA for a set of selectors has
      come up)
   IPSec SA Tunnel End (the last IPSec SA for a set of selectors has
      gone down and no attempt at re-keying is being done; usually
      administrative; not sent if the phase 1 tunnel is going down as
      well)
   IPSec SA Negotiation Failure (an attempt to negotiate an IPSec SA
      failed)
   IPSec SA Authentication Failure (an IPSec packet with a bad hash was
      received; should send one trap per tunnel, not per packet)
   IPSec SA Replay Failure (an IPSec packet with a bad sequence number
      was received; should send one trap per tunnel, not per packet)
   Invalid SPI Problem (ESP, AH or IPCOMP packets with unknown SPIs
      were detected; should send one trap for each SPI, not one trap
      for each packet)
   IPSec SA Policy Failure (a packet was received in a tunnel that
      should not have been sent in that tunnel; should send one trap
      per tunnel, not per packet)

4.9 IPSec Device MIB

This MIB carries statistics global to the IPSec device.

Statistics included are error statistics, overall statistics associated
with SAs, statistics on permanent tunnels, and overall statistics
associated with transient tunnels.

Error statistics:

   The total number of packets received with unknown SPIs (or CPIs).
   The total number of general IKE protocol errors that occurred,
      including packets received with invalid cookies.
   The total number of packets received with authentication errors.
   The total number of packets received with replay errors.
   The total number of packets received with policy errors.

SA statistics:

   The total number of phase 1 SAs established since boot time.
   The total number of phase 2 SAs established since boot time.

Permanent tunnel statistics:

   The current total number of permanent IKE tunnels.
   The current total number of permanent IPSec tunnels.

Transient tunnel statistics:

   The total number of transient IKE tunnels established since boot
      time. (Includes the next value.)
   The number of transient IKE tunnels currently established.
   The total number of transient IPSec tunnels established since boot
      time. (Includes the next value.)
   The number of transient IPSec tunnels currently established.
   The total number of inbound packets carried on transient IPSec
      tunnels since boot time.
   The total number of outbound packets carried on transient IPSec
      tunnels since boot time.
   The total amount of inbound traffic carried on transient IPSec
      tunnels since boot time.
   The total amount of outbound traffic carried on transient IPSec
      tunnels since boot time.

More system wide statistics on transient tunnels are provided since
they disappear from the tables when they terminate, and the aggregate
traffic statistics associated with individual tunnels are then lost.

5. MIB Definitions

   IPSEC-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, Counter64,
       Integer32, mib-2, IpAddress                   FROM SNMPv2-SMI
       DateAndTime, TruthValue                       FROM SNMPv2-TC;

   ipsecMIB MODULE-IDENTITY
       LAST-UPDATED "????"
       ORGANIZATION "IETF IPSec Working Group"
       CONTACT-INFO
           "    Tim Jenkins
                TimeStep Corporation
                362 Terry Fox Drive
                Kanata, ON  K0A 2H0
                Canada
                613-599-3610
                tjenkins@timestep.com"
       DESCRIPTION
           "The MIB module to describe generic IPSec objects
           and transient and permanent virtual tunnels created
           by IPSec SAs."
       REVISION "????"
       DESCRIPTION
           "Initial revision."
       ::= { mib-2 ?? }

   ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

   ipsec           OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }

   -- the IPSec IKE MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec's IKE SAs and the virtual phase 1 SA tunnels

   ipsecIkeSaTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpsecIkeSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The (conceptual) table containing information on IPSec's
           IKE SAs."
       ::= { ipsec 1 }

   ipsecIkeSaEntry OBJECT-TYPE
       SYNTAX      IpsecIkeSaEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
           a particular IKE SA."
       INDEX { ipsecIkeSaIndex }
       ::= { ipsecIkeSaTable 1 }

   IpsecIkeSaEntry ::= SEQUENCE {
       ipsecIkeSaIndex                    Integer32,

       -- peer information
       ipsecIkeSaPeerIpAddress            IpAddress,
       ipsecIkeSaPeerPortNumber           INTEGER,
       ipsecIkeSaAuthMethod               Integer32,
       ipsecIkeSaPeerIdType               Integer32,
       ipsecIkeSaPeerId                   OCTET STRING,
       ipsecIkeSaPeerCertSerialNum        OCTET STRING,
       ipsecIkeSaPeerCertIssuer           OCTET STRING,

       -- virtual link status
       ipsecIkeSaType                     INTEGER,
       ipsecIkeSaStatus                   INTEGER,

       -- security algorithm information
       ipsecIkeSaEncAlg                   INTEGER,
       ipsecIkeSaEncLeyLength             Integer32,
       ipsecIkeSaHashAlg                  Integer32,
       ipsecIkeSaDifHelGroupDesc          Integer32,
       ipsecIkeSaDifHelGroupType          Integer32,
       ipsecIkeSaDifHelFieldSize          Integer32,
       ipsecIkeSaPRF                      Integer32,
       ipsecIkeSaPFS                      TruthValue,

       -- identifier information
       ipsecIkeSaInitiatorCookie          OCTET STRING,
       ipsecIkeSaResponderCookie          OCTET STRING,

       -- expiration limits, current SA
       ipsecIkeSaTimeStart                DateAndTime,
       ipsecIkeSaTimeLimit                Gauge32,     -- in seconds
       ipsecIkeSaTrafficLimit             Gauge32,     -- in kbytes

       -- current SA's operating statistics
       ipsecIkeSaInboundTraffic           Counter64,   -- in bytes
       ipsecIkeSaOutboundTraffic          Counter64,   -- in bytes
       ipsecIkeSaInboundPackets           Counter32,
       ipsecIkeSaOutboundPackets          Counter32,

       -- aggregate statistics (all SAs)
       ipsecIkeSaTotalSaNum               Counter32,
       ipsecIkeSaFirstTimeStart           DateAndTime,
       ipsecIkeSaTotalInboundTraffic      Counter64,   -- in bytes
       ipsecIkeSaTotalOutboundTraffic     Counter64,   -- in bytes
       ipsecIkeSaTotalInboundPackets      Counter32,
       ipsecIkeSaTotalOutboundPackets     Counter32,

       -- aggregate error statistics
       ipsecIkeSaDecryptErrors            Counter32,
       ipsecIkeSaHashErrors               Counter32,
       ipsecIkeSaOtherReceiveErrors       Counter32,
       ipsecIkeSaSendErrors               Counter32,

       -- IPSec SA (Phase 2) statistics (aggregate)
       ipsecIkeSaIpsecInboundTraffic      Counter64,
       ipsecIkeSaIpsecOutboundTraffic     Counter64,
       ipsecIkeSaIpsecInboundPackets      Counter32,
       ipsecIkeSaIpsecOutboundPackets     Counter32,

       -- IPSec SA (Phase 2) error statistics (aggregate)
       ipsecIkeSaIpsecDecryptErrors       Counter32,
       ipsecIkeSaIpsecAuthErrors          Counter32,
       ipsecIkeSaIpsecReplayErrors        Counter32,
       ipsecIkeSaIpsecOtherReceiveErrors  Counter32,
       ipsecIkeSaIpsecSendErrors          Counter32
   }

   ipsecIkeSaIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each tunnel
           interface.  It is recommended that values are assigned
           contiguously starting from 1.

           The value for each tunnel interface must remain constant
           at least from one re-initialization of the entity's network
           management system to the next re-initialization.

           Further, the value for tunnel interfaces that are marked
           as permanent must remain constant across all
           re-initializations of the network management system."
       ::= { ipsecIkeSaEntry 1 }

   ipsecIkeSaPeerIpAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The IP address of the peer that this SA was negotiated
           with, or 0 if unknown."
       ::= { ipsecIkeSaEntry 2 }

   ipsecIkeSaPeerPortNumber OBJECT-TYPE
       SYNTAX      INTEGER
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The port number of the peer that this SA was negotiated
           with, or 0 if the default ISAKMP port number (500)."
       ::= { ipsecIkeSaEntry 3 }

   ipsecIkeSaAuthMethod OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The authentication method used to authenticate the
           peers.

           Note that this does not include the specific method of
           authentication if extended authentication is used.

           Specific values are used as described in the ISAKMP Class
           Values of Authentication Method from Appendix A of
           [IKE]."
       ::= { ipsecIkeSaEntry 4 }

   ipsecIkeSaPeerIdType OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The type of ID used by the peer.

           Specific values are used as described in Section 4.6.2.1
           of [IPDOI]."
       ::= { ipsecIkeSaEntry 5 }

   ipsecIkeSaPeerId OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..511))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The ID of the peer this SA was negotiated with.

           The length may require truncation under some conditions."
       ::= { ipsecIkeSaEntry 6 }

   ipsecIkeSaPeerCertSerialNum OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..64))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The serial number of the certificate of the peer this SA
           was negotiated with.

           This object has no meaning if a certificate was not used
           in authenticating the peer."
       ::= { ipsecIkeSaEntry 7 }

   ipsecIkeSaPeerCertIssuer OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..511))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The issuer of the certificate of the peer this SA
           was negotiated with.

           This object has no meaning if a certificate was not used
           in authenticating the peer."
       ::= { ipsecIkeSaEntry 8 }

   ipsecIkeSaType OBJECT-TYPE
       SYNTAX      INTEGER { transient(1), permanent(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The type of virtual tunnel represented by this row.

           A transient link will disappear from the table when
           the SAs needed for it cannot be established.  A
           permanent link will show its status in the
           ipsecIkeSaStatus object."
       ::= { ipsecIkeSaEntry 9 }

   ipsecIkeSaStatus OBJECT-TYPE
       SYNTAX      INTEGER
                   { neverTried(0), linkUp(1), linkDown(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The status of the virtual tunnel represented by this
           row, if the tunnel is configured as permanent.
           'neverTried' means that no attempt to set up the link
           has been made.  'linkUp' means that the link is up and
           operating normally.  'linkDown' means that the link was
           up, but has gone down."
       ::= { ipsecIkeSaEntry 10 }

   ipsecIkeSaEncAlg OBJECT-TYPE
       SYNTAX      INTEGER
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the encryption algorithm
           applied to traffic carried by this SA, or 0 if there
           is no encryption applied.

           Specific values are used as described in the ISAKMP
           Class Values of Encryption Algorithms from Appendix A
           of [IKE]."
       ::= { ipsecIkeSaEntry 11 }

   ipsecIkeSaEncLeyLength OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The length of the encryption key in bits used for the
           algorithm specified in the ipsecIkeSaEncAlg object, or 0
           if the key length is implicit in the specified
           algorithm or there is no encryption specified."
       ::= { ipsecIkeSaEntry 12 }

   ipsecIkeSaHashAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the hash algorithm applied
           to traffic carried by this SA, or 0 if there is no
           hash algorithm applied.

           Specific values are used as described in the ISAKMP Class
           Values of Hash Algorithms from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 13 }

   ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the Diffie-Hellman group
           description used, or 0 if the group is unknown.

           Specific values are used as described in the ISAKMP Class
           Values of Group Description from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 14 }

   ipsecIkeSaDifHelGroupType OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the Diffie-Hellman group
           type used, or 0 if the group is unknown.

           Specific values are used as described in the ISAKMP Class
           Values of Group Type from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 15 }

   ipsecIkeSaDifHelFieldSize OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The field size, in bits, of a Diffie-Hellman group."
       ::= { ipsecIkeSaEntry 16 }

   ipsecIkeSaPRF OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The pseudo-random function used, or 0 if not used or if
           unknown.

           Specific values are used as described in the ISAKMP Class
           Values of PRF from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 17 }

   ipsecIkeSaPFS OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A value that indicates that perfect forward secrecy is
           used for all IPSec SAs created by this IKE SA."
       ::= { ipsecIkeSaEntry 18 }

   ipsecIkeSaInitiatorCookie OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (16))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of the cookie used by the initiator for the
           current phase 1 SA."
       ::= { ipsecIkeSaEntry 19 }

   ipsecIkeSaResponderCookie OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (16))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of the cookie used by the responder for the
           current phase 1 SA."
       ::= { ipsecIkeSaEntry 20 }

   ipsecIkeSaTimeStart OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The date and time that the current SA within the link
           was set up.

           It is not the date and time that the virtual tunnel was
           set up."
       ::= { ipsecIkeSaEntry 21 }

   ipsecIkeSaTimeLimit OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The maximum lifetime in seconds of the current SA
           supporting the virtual tunnel, or 0 if there is no time
           constraint on its expiration."
       ::= { ipsecIkeSaEntry 22 }

   ipsecIkeSaTrafficLimit OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The maximum traffic in 1024-byte blocks that the current
           SA supporting the virtual tunnel is allowed to support,
           or 0 if there is no traffic constraint on its
           expiration."
       ::= { ipsecIkeSaEntry 23 }

   ipsecIkeSaInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The amount of traffic measured in bytes handled in the
           current SA in the inbound direction."
       ::= { ipsecIkeSaEntry 24 }

   ipsecIkeSaOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The amount of traffic measured in bytes handled in the
           current SA in the outbound direction."
       ::= { ipsecIkeSaEntry 25 }

   ipsecIkeSaInboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of packets handled in the current SA in the
           inbound direction."
       ::= { ipsecIkeSaEntry 26 }

   ipsecIkeSaOutboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of packets handled in the current SA in the
           outbound direction."
       ::= { ipsecIkeSaEntry 27 }

   ipsecIkeSaTotalSaNum OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of SAs, including the current SA, that
           have been set up to support this virtual tunnel."
       ::= { ipsecIkeSaEntry 28 }

   ipsecIkeSaFirstTimeStart OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The date and time that this virtual tunnel was
           originally set up.

           It is not the time that the current SA was set up.

           If this is a permanent virtual tunnel, it is reset when
           the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 29 }

   ipsecIkeSaTotalInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total amount of traffic measured in bytes handled in
           the tunnel in the inbound direction.  In other words, it
           is the aggregate value of all inbound traffic carried by
           all SAs ever set up to support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 30 }

   ipsecIkeSaTotalOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total amount of traffic measured in bytes handled in
           the tunnel in the outbound direction.  In other words, it
           is the aggregate value of all outbound traffic carried by
           all SAs ever set up to support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 31 }

   ipsecIkeSaTotalInboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets handled by the virtual
           tunnel since it became active in the inbound direction.
           In other words, it is the aggregate value of the number
           of inbound packets carried by all SAs ever set up to
           support the virtual tunnel.
           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 32 }

   ipsecIkeSaTotalOutboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets handled by the virtual
           tunnel since it became active in the outbound direction.
           In other words, it is the aggregate value of the number
           of outbound packets carried by all SAs ever set up to
           support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 33 }

   ipsecIkeSaDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets to this SA discarded
           due to decryption errors.

           Note that this refers to IKE protocol packets, and not to
           packets carried by SAs set up by the SAs supporting this
           tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 34 }

   ipsecIkeSaHashErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets to this SA discarded
           due to hash errors.

           Note that this refers to IKE protocol packets, and not to
           packets carried by SAs set up by the SAs supporting this
           tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 35 }

   ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets to this SA discarded
           for reasons other than bad hashes or decryption errors.
           This may include packets dropped due to a lack of receive
           buffer space.

           Note that this refers to IKE protocol packets, and not to
           packets carried by SAs set up by the SAs supporting this
           tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 36 }

   ipsecIkeSaSendErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of outbound packets from this SA
           discarded for any reason.  This may include packets
           dropped due to a lack of transmit buffer space.

           Note that this refers to IKE protocol packets, and not to
           packets carried by SAs set up by the SAs supporting this
           tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 37 }

   ipsecIkeSaIpsecInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total amount of inbound traffic measured in bytes
           handled by all IPSec SAs set up by phase 1 SAs supporting
           this tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 38 }

   ipsecIkeSaIpsecOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total amount of outbound traffic measured in bytes
           handled by all IPSec SAs set up by phase 1 SAs supporting
           this tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 39 }

   ipsecIkeSaIpsecInboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets handled by all IPSec
           SAs set up by phase 1 SAs supporting this tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 40 }

   ipsecIkeSaIpsecOutboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of outbound packets handled by all
           IPSec SAs set up by phase 1 SAs supporting this tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 41 }

   ipsecIkeSaIpsecDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets discarded by all
           IPSec SAs due to decryption errors.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 42 }

   ipsecIkeSaIpsecAuthErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets discarded by all
           IPSec SAs due to authentication errors.  This includes
           hash failures in IPSec SAs using ESP and AH.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 43 }

   ipsecIkeSaIpsecReplayErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets discarded by all
           IPSec SAs due to replay errors.
           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 44 }

   ipsecIkeSaIpsecOtherReceiveErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets discarded by all
           IPSec SAs due to errors other than authentication,
           decryption or replay errors.  This may include packets
           dropped due to lack of receive buffers.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 45 }

   ipsecIkeSaIpsecSendErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of outbound packets discarded by all
           IPSec SAs due to any error.  This may include packets
           dropped due to lack of transmit buffers.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the tunnel goes to the 'linkUp' state."
       ::= { ipsecIkeSaEntry 46 }

   -- the IPSec Tunnel MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec SA-based virtual tunnels

   ipsecTunnelTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IpsecTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The (conceptual) table containing information on IPSec
           SA-based tunnels."
       ::= { ipsec 2 }

   ipsecTunnelEntry OBJECT-TYPE
       SYNTAX      IpsecTunnelEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
           a particular configured tunnel."
       INDEX { ipsecTunnelIndex }
       ::= { ipsecTunnelTable 1 }

   IpsecTunnelEntry ::= SEQUENCE {
       ipsecTunnelIndex                   Integer32,
       ipsecTunnelIkeSa                   Integer32,  -- if not static
       ipsecTunnelType                    INTEGER,    -- static, transient, permanent

       -- tunnel identifiers
       ipsecTunnelLocalAddressOrStart     IpAddress,
       ipsecTunnelLocalAddressMaskOrEnd   IpAddress,
       ipsecTunnelRemoteAddressOrStart    IpAddress,
       ipsecTunnelRemoteAddressMaskOrEnd  IpAddress,
       ipsecTunnelProtocol                Integer32,
       ipsecTunnelLocalPort               Integer32,
       ipsecTunnelRemotePort              Integer32,

       -- tunnel security services description
       ipsecTunnelMode                    INTEGER,
       ipsecTunnelEspEncAlg               Integer32,
       ipsecTunnelEspEncLeyLength         Integer32,
       ipsecTunnelEspAuthAlg              Integer32,
       ipsecTunnelAhAuthAlg               Integer32,
       ipsecTunnelCompAlg                 Integer32,

       -- aggregate statistics
       ipsecTunnelStartTime               DateAndTime,
       ipsecTunnelCurrentSaNum            Gauge32,
       ipsecTunnelTotalSaNum              Counter32,
       ipsecTunnelTotalInboundTraffic     Counter64,
       ipsecTunnelTotalOutboundTraffic    Counter64,
       ipsecTunnelTotalInboundPackets     Counter32,
       ipsecTunnelTotalOutboundPackets    Counter32,

       -- aggregate error statistics
       ipsecTunnelDecryptErrors           Counter32,
       ipsecTunnelAuthErrors              Counter32,
       ipsecTunnelReplayErrors            Counter32,
       ipsecTunnelPolicyErrors            Counter32,
       ipsecTunnelOtherReceiveErrors      Counter32,
       ipsecTunnelSendErrors              Counter32
   }

   ipsecTunnelIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value, greater than zero, for each tunnel
           interface.  It is recommended that values are assigned
           contiguously starting from 1.

           The value for each tunnel interface must remain constant
           at least from one re-initialization of the entity's
           network management system to the next re-initialization.
           Further, the value for tunnel interfaces that are marked
           as permanent must remain constant across all
           re-initializations of the network management system."
       ::= { ipsecTunnelEntry 1 }

   ipsecTunnelIkeSa OBJECT-TYPE
       SYNTAX      Integer32 (0..2147483647)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of the index into the IKE SA tunnel table that
           created this tunnel (ipsecIkeSaIndex), or 0 if the tunnel
           is created by a static IPSec SA."
       ::= { ipsecTunnelEntry 2 }

   ipsecTunnelType OBJECT-TYPE
       SYNTAX      INTEGER { static(0), transient(1), permanent(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The type of the virtual tunnel represented by this row.

           'static' means that the tunnel is supported by a single
           static IPSec SA that was set up by configuration, and not
           by using a key exchange protocol.  In this case, the value
           of ipsecTunnelIkeSa must be 0."
       ::= { ipsecTunnelEntry 3 }

   ipsecTunnelLocalAddressOrStart OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The address of, or the start address (if an address
           range) of, the local endpoint of the tunnel, or 0.0.0.0 if
           unknown or if the SA uses transport mode encapsulation."
       ::= { ipsecTunnelEntry 4 }

   ipsecTunnelLocalAddressMaskOrEnd OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mask of, or the end address (if an address range) of,
           the local endpoint of the tunnel, or 0.0.0.0 if unknown
           or if the SA uses transport mode encapsulation."
       ::= { ipsecTunnelEntry 5 }

   ipsecTunnelRemoteAddressOrStart OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The address of, or the start address (if an address
           range) of, the remote endpoint of the tunnel, or 0.0.0.0
           if unknown or if the SA uses transport mode
           encapsulation."
       ::= { ipsecTunnelEntry 6 }

   ipsecTunnelRemoteAddressMaskOrEnd OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The mask of, or the end address (if an address range) of,
           the remote endpoint of the tunnel, or 0.0.0.0 if unknown
           or if the SA uses transport mode encapsulation."
       ::= { ipsecTunnelEntry 7 }

   ipsecTunnelProtocol OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of the protocol that this tunnel carries, or
           0 if it carries any protocol."
       ::= { ipsecTunnelEntry 8 }

   ipsecTunnelLocalPort OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of the local port that this tunnel carries,
           or 0 if it carries any port number."
       ::= { ipsecTunnelEntry 9 }

   ipsecTunnelRemotePort OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of the remote port that this tunnel carries,
           or 0 if it carries any port number."
       ::= { ipsecTunnelEntry 10 }

   ipsecTunnelMode OBJECT-TYPE
       SYNTAX      INTEGER { transport(1), tunnel(2) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The type of encapsulation used by this virtual tunnel."
       ::= { ipsecTunnelEntry 11 }

   ipsecTunnelEspEncAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the encryption algorithm
           applied to traffic carried by this SA if it uses ESP, or 0
           if there is no encryption applied by ESP or if ESP is not
           used.

           Specific values are taken from section 4.4.4 of [IPDOI]."
       ::= { ipsecTunnelEntry 12 }

   ipsecTunnelEspEncLeyLength OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The length of the encryption key in bits used for the
           algorithm specified in the ipsecTunnelEspEncAlg object,
           or 0 if the key length is implicit in the specified
           algorithm or there is no encryption specified."
       ::= { ipsecTunnelEntry 13 }

   ipsecTunnelEspAuthAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the hash algorithm applied
           to traffic carried by this SA if it uses ESP, or 0 if
           there is no authentication applied by ESP or if ESP is
           not used.

           Specific values are taken from the Authentication
           Algorithm attribute values of Section 4.5 of [IPDOI]."
       ::= { ipsecTunnelEntry 14 }

   ipsecTunnelAhAuthAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the hash algorithm applied
           to traffic carried by this SA if it uses AH, or 0 if AH is
           not used.

           Specific values are taken from Section 4.4.3 of [IPDOI]."
       ::= { ipsecTunnelEntry 15 }

   ipsecTunnelCompAlg OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A unique value representing the compression algorithm
           applied to traffic carried by this SA if it uses IPCOMP.

           Specific values are taken from Section 4.4.5 of [IPDOI]."
       ::= { ipsecTunnelEntry 16 }

   ipsecTunnelStartTime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The date and time that this virtual tunnel was set up.

           If this is a permanent virtual tunnel, it is reset when
           the number of current SAs (ipsecTunnelCurrentSaNum)
           changes from 0 to 1."
       ::= { ipsecTunnelEntry 17 }

   ipsecTunnelCurrentSaNum OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of current SAs set up to support this virtual
           tunnel.

           If this number is 0, the tunnel must be considered down.
           Also, if this number is 0, the tunnel must be a permanent
           tunnel, since transient tunnels that are down do not
           appear in the table."
       ::= { ipsecTunnelEntry 18 }

   ipsecTunnelTotalSaNum OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of SAs, including all current SAs, that
           have been set up to support this virtual tunnel."
       ::= { ipsecTunnelEntry 19 }

   ipsecTunnelTotalInboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total amount of traffic measured in bytes handled in
           the tunnel in the inbound direction.  In other words, it
           is the aggregate value of all inbound traffic carried by
           all IPSec SAs ever set up to support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 20 }

   ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total amount of traffic measured in bytes handled in
           the tunnel in the outbound direction.
           In other words, it
           is the aggregate value of all outbound traffic carried by
           all IPSec SAs ever set up to support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 21 }

   ipsecTunnelTotalInboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets handled in the tunnel in the
           inbound direction.  In other words, it is the aggregate
           value of all inbound packets carried by all IPSec SAs
           ever set up to support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 22 }

   ipsecTunnelTotalOutboundPackets OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets handled in the tunnel in the
           outbound direction.  In other words, it is the aggregate
           value of all outbound packets carried by all IPSec SAs
           ever set up to support the virtual tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 23 }

   ipsecTunnelDecryptErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of inbound packets discarded by this
           virtual tunnel due to decryption errors in ESP.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 24 }

   ipsecTunnelAuthErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by this
           virtual tunnel due to authentication errors. This
           includes hash failures in IPSec SA bundles using both ESP
           and AH.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 25 }

   ipsecTunnelReplayErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by this
           virtual tunnel due to replay errors. This includes replay
           failures in IPSec SA bundles using both ESP and AH.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 26 }

   ipsecTunnelPolicyErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by this
           virtual tunnel due to policy errors. This includes errors
           in all transforms if SA bundles are used.

           Policy errors are due to the detection of a packet that
           was inappropriately sent into this tunnel.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 27 }

   ipsecTunnelOtherReceiveErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by this
           virtual tunnel due to errors other than decryption,
           authentication or replay errors. This may include packets
           dropped due to a lack of receive buffers.
           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 28 }

   ipsecTunnelSendErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of outbound packets discarded by this
           virtual tunnel due to any error. This may include packets
           dropped due to a lack of transmit buffers.

           If this is a permanent virtual tunnel, it is not reset to
           zero when the number of current SAs
           (ipsecTunnelCurrentSaNum) changes from 0 to 1."
       ::= { ipsecTunnelEntry 29 }

   -- the IPSec SA MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec SAs

   ipsecSaTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsecSaEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The (conceptual) table containing information on IPSec
           SAs."
       ::= { ipsec 3 }

   ipsecSaEntry OBJECT-TYPE
       SYNTAX IpsecSaEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (conceptual row) containing the information on
           a particular IPSec SA."
       INDEX { ipsecSaIndex }
       ::= { ipsecSaTable 1 }

   IpsecSaEntry ::= SEQUENCE {
       ipsecSaIndex               Integer32,
       ipsecSaTunnel              Integer32,  -- index from ipsecTunnelTable

       -- identification
       ipsecSaInboundEspSpi       INTEGER,
       ipsecSaOutboundEspSpi      INTEGER,
       ipsecSaInboundAhSpi        INTEGER,
       ipsecSaOutboundAhSpi       INTEGER,
       ipsecSaInboundCompCpi      INTEGER,
       ipsecSaOutboundCompCpi     INTEGER,

       -- expiration limits
       ipsecSaCreationTime        DateAndTime,
       ipsecSaTimeLimit           Gauge32,    -- seconds, 0 if none
       ipsecSaTrafficLimit        Gauge32,    -- bytes, 0 if none

       -- current operating statistics
       ipsecSaInboundTraffic      Counter64,
       ipsecSaOutboundTraffic     Counter64,
       ipsecSaInboundPackets      Counter32,
       ipsecSaOutboundPackets     Counter32,

       -- error statistics
       ipsecSaDecryptErrors       Counter32,
       ipsecSaAuthErrors          Counter32,
       ipsecSaReplayErrors        Counter32,
       ipsecSaOtherReceiveErrors  Counter32,
       ipsecSaSendErrors          Counter32
   }

   ipsecSaIndex OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value, greater than zero, for each IPSec SA. It
           is recommended that values are assigned contiguously
           starting from 1."
       ::= { ipsecSaEntry 1 }

   ipsecSaTunnel OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the index into the IPSec SA tunnel table
           that this SA supports (ipsecTunnelIndex)."
       ::= { ipsecSaEntry 2 }

   ipsecSaInboundEspSpi OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the SPI for the inbound SA that provides
           the ESP security service, or zero if ESP is not used."
       ::= { ipsecSaEntry 3 }

   ipsecSaOutboundEspSpi OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the SPI for the outbound SA that provides
           the ESP security service, or zero if ESP is not used."
       ::= { ipsecSaEntry 4 }

   ipsecSaInboundAhSpi OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the SPI for the inbound SA that provides
           the AH security service, or zero if AH is not used."
       ::= { ipsecSaEntry 5 }

   ipsecSaOutboundAhSpi OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the SPI for the outbound SA that provides
           the AH security service, or zero if AH is not used."
       ::= { ipsecSaEntry 6 }

   ipsecSaInboundCompCpi OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the CPI for the inbound SA that provides IP
           compression, or zero if IPCOMP is not used."
       ::= { ipsecSaEntry 7 }

   ipsecSaOutboundCompCpi OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the CPI for the outbound SA that provides
           IP compression, or zero if IPCOMP is not used."
       ::= { ipsecSaEntry 8 }

   ipsecSaCreationTime OBJECT-TYPE
       SYNTAX DateAndTime
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The date and time that the current SA was set up."
       ::= { ipsecSaEntry 9 }

   ipsecSaTimeLimit OBJECT-TYPE
       SYNTAX Gauge32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The maximum lifetime in seconds of the SA, or 0 if there
           is no time constraint on its expiration."
       ::= { ipsecSaEntry 10 }

   ipsecSaTrafficLimit OBJECT-TYPE
       SYNTAX Gauge32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The maximum traffic in 1024-byte blocks that the SA is
           allowed to support, or 0 if there is no traffic
           constraint on its expiration."
       ::= { ipsecSaEntry 11 }

   ipsecSaInboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The amount of traffic measured in bytes handled by the SA
           in the inbound direction."
       ::= { ipsecSaEntry 12 }

   ipsecSaOutboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The amount of traffic measured in bytes handled by the SA
           in the outbound direction."
       ::= { ipsecSaEntry 13 }

   ipsecSaInboundPackets OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets handled by the SA in the inbound
           direction."
       ::= { ipsecSaEntry 14 }

   ipsecSaOutboundPackets OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of packets handled by the SA in the outbound
           direction."
       ::= { ipsecSaEntry 15 }

   ipsecSaDecryptErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of inbound packets discarded by the SA due to
           decryption errors."
       ::= { ipsecSaEntry 16 }

   ipsecSaAuthErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of inbound packets discarded by the SA due to
           authentication errors. This includes hash failures in
           both ESP and AH."
       ::= { ipsecSaEntry 17 }

   ipsecSaReplayErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of inbound packets discarded by the SA due to
           replay errors. This includes replay failures in both ESP
           and AH."
       ::= { ipsecSaEntry 18 }

   ipsecSaOtherReceiveErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of inbound packets discarded by the SA due to
           errors other than decryption, authentication or replay
           errors. This may include decompression errors or errors
           due to a lack of receive buffers."
       ::= { ipsecSaEntry 19 }

   ipsecSaSendErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The number of outbound packets discarded by the SA due
           to any error. This may include compression errors or
           errors due to a lack of transmit buffers."
       ::= { ipsecSaEntry 20 }

   END

6. Security Considerations

   This MIB contains readable objects whose values provide information
   related to IPSec virtual tunnels. There are no objects with
   MAX-ACCESS clauses of read-write or read-create.

   While unauthorized access to the readable objects is relatively
   innocuous, unauthorized access to those objects through an insecure
   channel can provide attackers with more information about a system
   than an administrator may desire.

7. Acknowledgements

   Portions of this document are based on the working paper "IP
   Security Management Information Base" by R. Thayer and U.
   Blumenthal.

   Contributions to this document are the result of input from J.
   Walker, S. Kelly and M. Richardson. Significant contribution comes
   from Charles Brooks of GTW Internetworking.

   Additionally, thanks are extended to Gabriella Dinescu for assistance
   in the preparation of the MIB structures.

8. References

   [IPDOI]   Piper, D., "The Internet IP Security Domain of
             Interpretation for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt,
             work in progress.

   [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
             Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt, work
             in progress.

   [IKE]     Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
             draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.

   [ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
             "Internet Security Association and Key Management Protocol
             (ISAKMP)", draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
             progress.

   [IPTun]   Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-02.txt,
             work in progress.

   [IGMIB]   McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
             using SMIv2", RFC 2233.

   [1902]    Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Structure of Management Information for version 2 of the
             Simple Network Management Protocol (SNMPv2)", RFC 1902,
             January 1996.

   [2271]    Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
             for Describing SNMP Management Frameworks", RFC 2271,
             January 1998.

   [1155]    Rose, M., and K. McCloghrie, "Structure and Identification
             of Management Information for TCP/IP-based Internets",
             RFC 1155, May 1990.

   [1212]    Rose, M., and K. McCloghrie, "Concise MIB Definitions",
             RFC 1212, March 1991.

   [1215]    Rose, M., "A Convention for Defining Traps for use with the
             SNMP", RFC 1215, March 1991.

   [1903]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Textual Conventions for Version 2 of
             the Simple Network Management Protocol (SNMPv2)", RFC 1903,
             January 1996.

   [1904]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Conformance Statements for Version 2 of
             the Simple Network Management Protocol (SNMPv2)", RFC 1904,
             January 1996.

   [1157]    Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
             Network Management Protocol", RFC 1157, May 1990.

   [1901]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Introduction to Community-based SNMPv2",
             RFC 1901, January 1996.

   [1906]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Transport Mappings for Version 2 of the
             Simple Network Management Protocol (SNMPv2)", RFC 1906,
             January 1996.

   [2272]    Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
             "Message Processing and Dispatching for the Simple Network
             Management Protocol (SNMP)", RFC 2272, January 1998.

   [2274]    Blumenthal, U., and B. Wijnen, "User-based Security Model
             (USM) for version 3 of the Simple Network Management
             Protocol (SNMPv3)", RFC 2274, January 1998.

   [1905]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M.,
             and S. Waldbusser, "Protocol Operations for Version 2 of
             the Simple Network Management Protocol (SNMPv2)", RFC 1905,
             January 1996.

   [2273]    Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
             RFC 2273, SNMP Research, Inc., Secure Computing Corporation,
             Cisco Systems, January 1998.

   [2275]    Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
             Access Control Model (VACM) for the Simple Network
             Management Protocol (SNMP)", RFC 2275, January 1998.

9. Editor's Address

   Tim Jenkins
   tjenkins@timestep.com
   TimeStep Corporation
   362 Terry Fox Drive
   Kanata, ON
   Canada
   K2K 2P5
   +1 (613) 599-3610

   The IPSec working group can be contacted via the IPSec working
   group's mailing list (ipsec@tis.com) or through its chairs:

   Robert Moskowitz
   rgm@icsa.net
   International Computer Security Association

   Theodore Y. Ts'o
   tytso@MIT.EDU
   Massachusetts Institute of Technology
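Worked example, added to this page and not part of draft-ietf-ipsec-mib-01 or of any IPSec working group code: a small Python model of how a poller is meant to read the ipsecTunnelTable and ipsecSaTable objects defined above. It decodes the DateAndTime values of ipsecTunnelStartTime and ipsecSaCreationTime, takes wrap-safe deltas of the Counter32/Counter64 statistics (the tunnel error counters are cumulative over every SA that ever supported the tunnel and are not reset when a permanent tunnel comes back up, so deltas between polls are what a monitor should alert on), derives the tunnel state from ipsecTunnelCurrentSaNum (0 means down, and such a row must be a permanent tunnel), flags increases in the authentication, replay and policy error counters, and computes how much of an SA's ipsecSaTimeLimit and ipsecSaTrafficLimit remains. The class and function names (TunnelPoll, SaPoll, counter_delta and so on) are this example's own, all sample values are constructed, the traffic limit is read in 1024-byte blocks as its DESCRIPTION clause states, and comparing that limit against inbound plus outbound bytes of the row is an assumption the draft does not make.

```python
"""Added example (not part of draft-ietf-ipsec-mib-01): reading the
ipsecTunnelTable / ipsecSaTable objects in a poller. Constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def counter_delta(prev: int, curr: int, bits: int = 32) -> int:
    """Increase between two polls of a Counter32/Counter64. SMIv2 counters
    only grow or wrap to zero, so one wrap is undone modulo 2^bits."""
    mod = 1 << bits
    if not (0 <= prev < mod and 0 <= curr < mod):
        raise ValueError("value out of range for a %d-bit counter" % bits)
    return (curr - prev) % mod


def parse_date_and_time(octets: bytes) -> datetime:
    """Decode the SMIv2 DateAndTime textual convention (8 octets, or 11
    with '+'/'-', hours and minutes of UTC offset appended)."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets")
    year = int.from_bytes(octets[0:2], "big")
    month, day, hour, minute, second, decisecond = octets[2:8]
    tz = None
    if len(octets) == 11:
        sign = -1 if octets[8:9] == b"-" else 1
        tz = timezone(sign * timedelta(hours=octets[9], minutes=octets[10]))
    return datetime(year, month, day, hour, minute, second,
                    decisecond * 100_000, tzinfo=tz)


@dataclass
class TunnelPoll:
    """One poll of an ipsecTunnelTable row (only the columns used here)."""
    current_sa_num: int    # ipsecTunnelCurrentSaNum (Gauge32)
    inbound_packets: int   # ipsecTunnelTotalInboundPackets (Counter32)
    decrypt_errors: int    # ipsecTunnelDecryptErrors (Counter32)
    auth_errors: int       # ipsecTunnelAuthErrors (Counter32)
    replay_errors: int     # ipsecTunnelReplayErrors (Counter32)
    policy_errors: int     # ipsecTunnelPolicyErrors (Counter32)


ERROR_COLUMNS = ("decrypt_errors", "auth_errors", "replay_errors",
                 "policy_errors")
# Failed integrity or anti-replay checks, and packets inappropriately sent
# into the tunnel (policy errors), get a flag separate from plain decrypt
# failures: they indicate traffic the tunnel should never have received.
SUSPICIOUS_COLUMNS = ("auth_errors", "replay_errors", "policy_errors")


def tunnel_state(row: TunnelPoll) -> str:
    """0 current SAs means down; a transient tunnel that is down is not in
    the table at all, so such a row must be a permanent tunnel."""
    return "down (permanent tunnel)" if row.current_sa_num == 0 else "up"


def tunnel_error_report(prev: TunnelPoll, curr: TunnelPoll) -> dict:
    """Per-interval error deltas for a tunnel row plus the names of the
    suspicious counters that increased since the previous poll."""
    report = {name: counter_delta(getattr(prev, name), getattr(curr, name))
              for name in ERROR_COLUMNS}
    report["inbound_packets"] = counter_delta(prev.inbound_packets,
                                              curr.inbound_packets)
    report["flags"] = [name for name in SUSPICIOUS_COLUMNS if report[name]]
    return report


@dataclass
class SaPoll:
    """One poll of an ipsecSaTable row (only the columns used here)."""
    creation_time: datetime  # ipsecSaCreationTime, already decoded
    time_limit: int          # ipsecSaTimeLimit: seconds, 0 = no limit
    traffic_limit: int       # ipsecSaTrafficLimit: 1024-byte blocks, 0 = none
    inbound_traffic: int     # ipsecSaInboundTraffic (Counter64, bytes)
    outbound_traffic: int    # ipsecSaOutboundTraffic (Counter64, bytes)


def sa_lifetime_remaining(sa: SaPoll, now: datetime) -> dict:
    """Fraction (0.0..1.0) of each expiration limit still unused, or None
    where the limit is 0. Assumption (not stated by the draft): the
    traffic limit is compared with inbound plus outbound bytes."""
    remaining = {"time": None, "traffic": None}
    if sa.time_limit:
        elapsed = (now - sa.creation_time).total_seconds()
        remaining["time"] = max(0.0, 1.0 - elapsed / sa.time_limit)
    if sa.traffic_limit:
        used_blocks = (sa.inbound_traffic + sa.outbound_traffic) / 1024
        remaining["traffic"] = max(0.0, 1.0 - used_blocks / sa.traffic_limit)
    return remaining


if __name__ == "__main__":
    # Constructed polls of one permanent tunnel: the Counter32 packet count
    # wrapped between polls, and replay and policy failures were counted.
    before = TunnelPoll(2, 4294967000, 10, 3, 0, 0)
    after = TunnelPoll(2, 500, 10, 3, 2, 1)
    print(tunnel_state(after), tunnel_error_report(before, after))
    created = parse_date_and_time(b"\x07\xce\x0a\x13\x0c\x1e\x00\x00+\x00\x00")
    sa = SaPoll(created, 3600, 4096, 2 * 1024 * 1024, 1024 * 1024)
    print(sa_lifetime_remaining(sa, created + timedelta(minutes=45)))
```

The delta logic is the part most often got wrong in practice: polling the absolute value of ipsecTunnelAuthErrors on a long-lived permanent tunnel shows a number that only ever grows, so an alert threshold on it fires once and then never again; the per-interval delta, computed modulo 2^32 for the Counter32 columns and 2^64 for the Counter64 traffic columns, is what reveals a burst of replayed or mis-routed packets. The lifetime fractions give the headroom a monitor can use to warn before an SA expires under ipsecSaTimeLimit or ipsecSaTrafficLimit rather than after.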