draft-ietf-ipsec-mib-03.txt
Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                           TimeStep Corporation
Internet Draft                                         November 30, 1998

                          IPSec Monitoring MIB

Status of this Memo

This document is a submission to the IETF Internet Protocol Security (IPSEC) Working Group. Comments are solicited and should be addressed to the working group mailing list (ipsec@tis.com) or to the editor.

This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time.
It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Distribution of this memo is unlimited.

Copyright Notice

This document is a product of the IETF's IPSec Working Group. Copyright (C) The Internet Society (1998). All Rights Reserved.

Table of Contents

1. Introduction
2. The SNMPv2 Network Management Framework
2.1 Object Definitions
3. IPSec MIB Objects Architecture
3.1 Tunnel MIB and Interface MIB Consideration
3.2 MIB Concepts
3.2.1 Transient Channels and Tunnels
3.2.2 Permanent Channels and Tunnels
3.2.3 IKE SAs and Control Channels
3.2.4 IPSec SAs and IPSec Virtual Tunnels
3.3 MIB Tables
3.4 Static IPSec SA and Protection Suite Use
3.5 Asymmetric Use
3.6 Notify Messages
3.7 IPSec MIB Traps
3.8 IPSec Entity Level Objects
4. MIB Definitions
5. Security Considerations
6. Acknowledgements
7. References
8. Revision History
9. Appendix A

1. Introduction

This document defines monitoring and status MIBs for IPSec. It does not define MIBs that may be used for configuring IPSec implementations or for providing low-level diagnostic or debugging information. Further, it does not provide policy information. Those MIBs may be defined in later versions of this document or in other documents.

The purpose of the MIBs is to allow system administrators to determine operating conditions and perform system operational level monitoring of the IPSec portion of their network. Statistics are provided as well.
The IPSec MIB definitions use a virtual tunnel model, in which tunnels can be configured as permanent or transient. The virtual tunnel model is used to allow the use of IPSec from a virtual private networking (VPN) point of view. This allows users of IPSec based products to get similar monitoring and statistical information from an IPSec based VPN as they would from a VPN based on other technologies, such as Frame Relay.

Finally, the objects defined perhaps represent a somewhat simplified view of security associations. This is done for the purposes of expediency and for simplification of presentation. Also, some information about SAs has been intentionally left out to reduce the security risk if SNMP traffic becomes compromised.

2. The SNMPv2 Network Management Framework

The SNMP Management Framework presently consists of five major components:

   o An overall architecture, described in RFC 2271 [2271].

   o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second version, called SMIv2, is described in RFC 1902 [1902], RFC 1903 [1903] and RFC 1904 [1904].

   o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [1901] and RFC 1906 [1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272] and RFC 2274 [2274].

   o Protocol operations for accessing management information.
   The first set of protocol operations and associated PDU formats is described in RFC 1157 [1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [1905].

   o A set of fundamental applications described in RFC 2273 [2273] and the view-based access control mechanism described in RFC 2275 [2275].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

2.1 Object Definitions

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type.

3. IPSec MIB Objects Architecture

The IPSec MIB provides information related to both phase 1 or Internet Key Exchange (IKE) security associations (SAs) and phase 2 (or IPSec) SAs.
Configuration about the SAs is provided as are statistics related to the SAs themselves.

Since one of the uses of IPSec implementations is to provide Virtual Private Network (VPN) services of the kind offered by other private network services such as leased lines or frame relay networks, there exists a need to provide the same type of monitoring capability.

To support this, the concept of virtual tunnels is developed. Additionally, the concept of transient and permanent tunnels is also developed.

Additionally, since IPSec itself has many structures, and because VPN service providers may be interested in different kinds of statistics, the MIB provides a number of aggregate totals. These totals are provided to allow system administrators to take snapshots of system behaviour without excessive SNMP traffic on the network.

3.1 Tunnel MIB and Interface MIB Consideration

It should be noted that the MIBs here are not extensions of the Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach was rejected for a number of reasons, including:

   o The types of parameters required for those MIBs are not appropriate for IPSec MIBs.

   The parameters required for IPSec tunnels are related to security services and statistics associated with handling those services. There are no parameters like that associated with the Tunnel MIB.

   o The virtual tunnels created by IPSec SAs may be independent of other logical interfaces; this is an implementation issue.

   The IPSec layer may be placed in a number of locations on the host implementation. These locations may be above the IP layer, within the IP layer, or just below it. Therefore, the mapping of the IPSec virtual tunnels to tunnels described by the tunnel MIB is implementation dependent.

   o The tunnel end point definitions are not the same as those used by the tunnel MIB.
   The Tunnel MIB uniquely defines tunnels by a simple source and destination IP address pair. This is only a specific subset of the identifiers needed for IPSec virtual tunnels.

3.2 MIB Concepts

There are four concepts needed to describe the structure of the MIB. These concepts are the IKE control channel, the IKE SAs, the IPSec virtual tunnel and the IPSec protection suite. IPSec SAs are considered a subset of protection suites.

Also important in this document are the concepts of permanence and transience.

3.2.1 Transient Channels and Tunnels

Transient channels and tunnels are made up of SAs and protection suites that normally go up and down, such as those created by a dial-in client implementation. Additionally, these SAs and protection suites are prone to being torn down in an impolite manner. As an example, system administrators typically do not want to have alarms going off when these SAs and protection suites are torn down because an end user disconnected his or her modem before performing a normal dial-up networking shut down.

By necessity, this applies to both the IKE control channels and the IPSec tunnels created by them.

3.2.2 Permanent Channels and Tunnels

Permanent channels and tunnels are made up of SAs and protection suites that a system administrator considers of significant importance in a VPN implementation. These SAs and protection suites would typically be from one IPSec gateway to another and be used as the link between two corporate networks. As such, the network administrator would want alarms to go off when one of these virtual tunnels goes down under any circumstance.

How implementations specify which tunnels are permanent versus transient is implementation dependent, and therefore beyond the scope of this document.
3.2.3 IKE SAs and Control Channels

Phase 1 or IKE SAs as negotiated by IKE are presented in a table. Individual SAs are represented in part by a row from the IKE SA table.

Each row is uniquely identified by its cookies. Also included is SA state information, connection information, security information, expiration information and traffic statistics.

Other information, such as the security provided by the SAs, is included in a control channel table row.

An explanation of the use of control channels follows.

The primary use of phase 1 SAs is to allow host implementations to exchange keying material for phase 2 negotiations and to perform IPSec SA and protection suite management. Additionally, implementations may also use this channel to perform other functions, such as peer configuration. Since the host implementation, at a high level, does not necessarily care which particular phase 1 SA it uses to perform these functions, the concept of an IKE control channel is introduced as a logical entity to indicate the virtual channel created by the existence of phase 1 SAs established between two peers.

The need for this abstraction is also in part due to the ability of IPSec SAs and protection suites to exist beyond the expiration of the IKE SA that created them.

Control channels appear in their own table, and each row describes a single control channel, to which multiple phase 1 SAs may be logically attached.

The IKE control channel is uniquely identified by the IDs at each end, since it is a logical peer to peer communications channel. It contains information common to all phase 1 SAs that create it, and aggregate statistics for those phase 1 SAs. Additionally, it contains aggregate statistics for all phase 2 SAs created by it.
Finally, it contains the information related to the authentication of the peer that negotiated the phase 1 SAs with it. This includes certificate information, specifically the issuer name and serial, even though it is meaningless in pre-shared key authentication mode. This is due to the importance of this information in many VPN implementations. The distinguished name of the certificate is not provided; it may be the ID used for phase 1 negotiation. If the ID used for phase 1 negotiation is not the certificate's distinguished name, it should be one of the alternate names encoded in the certificate.

Note that since the security service provided by the phase 1 SAs appears in the IKE SA table, implementations may allow a single control channel to provide multiple security services. There is no requirement that implementations support this.

Phase 1 control channels may be transient or permanent. A transient control channel disappears from the table when it goes down; a permanent control channel does not. The status of a permanent control channel can be determined by the number of active phase 1 SAs attached to it.

It is recommended that implementations place permanent control channels in the table before all transient control channels, and that the order of permanent control channels displayed in the table does not change.

3.2.4 IPSec SAs and IPSec Virtual Tunnels

IPSec SAs created between peers are identified by the peer IP address, the SPI (CPI for IPCOMP) and the service provided by the SA. In this document, the term service refers to one of IPCOMP, ESP and AH. These are often referred to as security services; the concept is generalized somewhat in this document since IPCOMP is not technically a "security" service.
Further, in this document, IPSec SAs are considered a subset of protection suites, and as such, appear in the IPSec protection suite table. IPSec protection suites are as defined by [ISAKMP]. These are multiple services that are negotiated in a single quick mode exchange. Of the result, [ISAKMP] states: "All of the protections in a suite must be treated as a single unit." For this reason, the protection suites as presented in the MIB all assume that all services in the protection suite live and die at the same time. Also in this document, an IPSec SA is effectively a protection suite that provides only a single service.

When multiple services are provided in a protection suite, the order is implicit, based on statements found in [ARCH] and [IPCOMP]. The order assumed is IPCOMP before ESP before AH. However, since the order is implicit, implementations are free to choose different orders; however, this cannot be shown in the MIB.

Some implementations may create SA bundles by the separate negotiation of different services. In these cases, the separately negotiated SAs or suites should appear on separate lines of the protection suite table. In these cases, the MIB does not show the order of application of the services in the bundle.

Virtual IPSec tunnels are created by the existence of IPSec SAs and protection suites, either statically created, or created by IKE. The tunnel concept comes from the effect of services on packets that are handled by protection suites. As a packet encounters an IPSec implementation, either in a security gateway or as a layer in a protocol stack, a policy decision causes the packet to be handed to a protection suite for processing.

The protection suite then performs a service (including possibly compression) on the packet, then adds at least one new header and sends the packet into the normal IP stream for routing.
(The only time no header is added is when the only service provided by the protection suite is compression, it is a transport mode protection suite, and the packet is not compressible.)

When the secured (and possibly compressed) packet arrives at its destination, the peer IPSec implementation removes the added header or headers and reverse processes the packet. Another policy lookup is then done to make sure the packet was appropriately handled by the sending peer.

Since the original packet is conceptually "hidden" between the two IPSec implementations, it can be considered tunneled. To help conceptually, if ESP could be negotiated with no encryption and no authentication, it would provide services very similar to IP-in-IP.

The specific protection suite chosen by the policy lookup is based on what are called the selectors. The selectors are the packet's source IP address, its destination IP address, its layer 4 protocol and its layer 4 protocol source and destination port numbers. The policy system uses this information to assign the packet to a protection suite for handling.

Since it is irrelevant to the packet which specific protection suite provided the services, and since all protection suites with the same selectors normally provide the same service, the existence of any and all protection suites assigned to the selector effectively creates a tunnel for the packets.

In other words, the tunnel created by the protection suites is identified by the selectors used to assign the security services to the packet. The selectors are explained in detail in [SECARCH].

3.3 MIB Tables

The MIB uses four tables that are linked as shown as an example in Figure 3-1. Here, the four tables are the IKE control channel table, the IKE SA table, the IPSec virtual tunnel table and the IPSec protection suite table.
The IKE control channel table is shown with two entries. Both have two active phase 1 SAs that support each of them. The first also has created two IPSec tunnels, each supported by two IPSec protection suites numbered 1 and 6, and 2 and 5 respectively. The second IKE channel has a single IPSec tunnel, which is supported by two IPSec protection suites, numbered 3 and 4.

A different diagram that is intended to show the tunnels that exist between two IPSec gateways is shown in Figure 3-2. Two host groups each are shown behind the IPSec gateways. Shown are the IKE control channel between the gateways and four possible IPSec virtual tunnels. The control channel has two active phase 1 SAs. Of the four possible virtual tunnels, one is shown with two IPSec SAs in it. One of these SAs may be just about to expire, while the other may have been created in anticipation of the expiration of the first. These SAs are the SAs that provide the service, supporting the existence of the tunnel.

   ipsecIkeConChanTable      -information and statistics on the IKE
      Con. Chan. 1 <---+      control channel
      Con. Chan. 2 <-+ |     -aggregate information about IKE SAs
                     | |     -aggregate information about IPSec tunnels
                     | |
                     | |   ipsecIkeSaTable   -information on specific
                     | +-- IKE SA 1           phase 1 SAs
                     +-|-- IKE SA 2
                     +-|-- IKE SA 3
                     | +-- IKE SA 4
                     / /
                     | |
                     | |<- only if IPSec protection suites are not static
                     | |
                     | |   ipsecTunnelTable   -information and statistics on
                     | +- IPSec Tunnel 1 <---+  the IPSec virtual tunnels
                     | +- IPSec Tunnel 2 <--+|
                     +--- IPSec Tunnel 3 <-+||
                                           |||
                                           |||   ipsecSaTable  -information on
                                           ||+- IPSec PS 1     specific IPSec
                                           |+|- IPSec PS 2     protection suites
                                           +||- IPSec PS 3
                                           +||- IPSec PS 4
                                            +|- IPSec PS 5
                                             +- IPSec PS 6

   PS - Protection Suite

                Figure 3-1 IPSec Monitoring MIB Structure

3.4 Static IPSec SA and Protection Suite Use

IPSec protection suites and SAs that are statically keyed do not point back to IKE control channel table entries.

Implementations that do not use IKE at all will create empty phase 1 tables.

3.5 Asymmetric Use

This MIB is defined assuming symmetric use of SAs and protection suites. That is to say that it assumes that an inbound SA is always set up with a corresponding outbound SA that provides the same security service.
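As an added illustration (not code from the draft or from TimeStep), the following Python models the four-table linkage of Figure 3-1 in memory, rebuilds that exact instance (two channels, four phase 1 SAs, three tunnels, six protection suites) and applies the rules of sections 3.2.3 and 3.4: aggregate counters roll up per control channel, a transient channel row vanishes when its last phase 1 SA expires while a permanent one stays with a current SA count of 0, and protection suites outlive the IKE SA that created them. Class, method and field names are this example's own, the byte counters are constructed, and the index-allocation policy is an assumption that follows the ordering recommendation in 3.2.3.

```python
"""In-memory model of the four linked tables drawn in Figure 3-1.

Added example, not code from the draft or from TimeStep. Class, method
and field names are constructed here; the MIB column names quoted in
comments are the ones the draft's section 4 defines."""
from __future__ import annotations
from dataclasses import dataclass

PERMANENT, TRANSIENT = "permanent", "transient"


@dataclass
class IkeSa:                       # one row of the IKE SA table
    cookies: tuple[str, str]       # (initiator, responder) cookies index the row
    chan: int                      # control channel the SA is attached to
    in_bytes: int = 0


@dataclass
class Suite:                       # one row of the protection suite table
    index: int
    tunnel: int                    # tunnel (selector set) the suite supports
    chan: int | None               # None: statically keyed, no channel (3.4)
    in_bytes: int = 0


@dataclass
class Channel:                     # one row of ipsecIkeConChanTable
    index: int
    local_id: str
    peer_id: str
    kind: str                      # PERMANENT or TRANSIENT (3.2.3)
    total_sa_num: int = 0          # ipsecIkeConChanTotalSaNum


class IpsecMib:
    def __init__(self) -> None:
        self.chans: dict[int, Channel] = {}
        self.ike_sas: dict[tuple[str, str], IkeSa] = {}
        self.tunnels: dict[int, int | None] = {}   # tunnel index -> channel
        self.suites: dict[int, Suite] = {}

    def add_channel(self, local_id: str, peer_id: str, kind: str) -> int:
        """Assumed index policy following the 3.2.3 recommendation: a
        permanent row takes the lowest free index, a transient row the
        first index above every existing row."""
        used = set(self.chans)
        if kind == PERMANENT:
            idx = next(i for i in range(1, len(used) + 2) if i not in used)
        else:
            idx = max(used, default=0) + 1
        self.chans[idx] = Channel(idx, local_id, peer_id, kind)
        return idx

    def attach_ike_sa(self, sa: IkeSa) -> None:
        self.ike_sas[sa.cookies] = sa
        self.chans[sa.chan].total_sa_num += 1

    def current_sa_num(self, chan: int) -> int:   # ipsecIkeConChanCurrentSaNum
        return sum(1 for sa in self.ike_sas.values() if sa.chan == chan)

    def expire_ike_sa(self, cookies: tuple[str, str]) -> None:
        """Drop a phase 1 SA. Suites it created keep their rows (3.2.3).
        A transient channel left with no SAs disappears from the table;
        a permanent one stays and reads ipsecIkeConChanCurrentSaNum = 0."""
        chan = self.ike_sas.pop(cookies).chan
        if self.current_sa_num(chan) == 0 and self.chans[chan].kind == TRANSIENT:
            del self.chans[chan]

    def channel_row(self, chan: int) -> dict[str, int]:
        """Aggregate columns of one ipsecIkeConChanTable row."""
        sas = [s for s in self.ike_sas.values() if s.chan == chan]
        ps = [p for p in self.suites.values() if p.chan == chan]
        return {
            "ipsecIkeConChanCurrentSaNum": len(sas),
            "ipsecIkeConChanTotalSaNum": self.chans[chan].total_sa_num,
            "ipsecIkeConChanInboundTraffic": sum(s.in_bytes for s in sas),
            "ipsecIkeConChanIpsecInboundTraffic": sum(p.in_bytes for p in ps),
        }

    def tunnel_suites(self, tunnel: int) -> list[int]:
        """Protection suites currently supporting one virtual tunnel."""
        return sorted(p.index for p in self.suites.values() if p.tunnel == tunnel)


def build_figure_3_1() -> IpsecMib:
    """The instance drawn in Figure 3-1; byte counters are constructed."""
    mib = IpsecMib()
    c1 = mib.add_channel("gw1.example", "gw2.example", PERMANENT)
    c2 = mib.add_channel("gw1.example", "client7.example", TRANSIENT)
    for n, chan in ((1, c1), (2, c2), (3, c2), (4, c1)):     # IKE SA 1..4
        mib.attach_ike_sa(IkeSa((f"ci{n}", f"cr{n}"), chan, in_bytes=100 * n))
    mib.tunnels = {1: c1, 2: c1, 3: c2}
    for ps, tun in ((1, 1), (6, 1), (2, 2), (5, 2), (3, 3), (4, 3)):
        mib.suites[ps] = Suite(ps, tun, mib.tunnels[tun], in_bytes=1000 * ps)
    return mib
```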
                 +----------------------------+
                 |   IKE (control channel)    |
                 |  +---------------------+   |
                 |  |      IKE SA 1       |   |
                 |  +---------------------+   |
                 |  +---------------------+   |
                 |  |      IKE SA 2       |   |
                 |  +---------------------+   |
                 +----------------------------+
                              ^  ^
                              |  | <- aggregate IPSec statistics
                              |  |
   H11 -|    +----+           |  |          +----+      |- H21
        |    |    |           |  |          |    |      |
        |----| G1 |-------------------------| G2 |------|
        |    |    |           |  |          |    |      |
   H12 -|    +----+           |  |          +----+      |- H22
                              |  |
                              |  |
           +-----------------------------------------+
           |        H11 to H21 (data tunnel)         | <- aggregate
           | +-------------------------------------+ |    PS statistics
           | | IPSec PS with H11 and H21 selectors | |    for H11-H21
           | +-------------------------------------+ |
           | +-------------------------------------+ |
           | | IPSec PS with H11 and H21 selectors | |
           | +-------------------------------------+ |
           +-----------------------------------------+
                              |  |
           +-----------------------------------------+
           |        H11 to H22 (data tunnel)         | <- aggregate
           +-----------------------------------------+    PS statistics
                              |  |                        for H11-H22
           +-----------------------------------------+
           |        H12 to H21 (data tunnel)         | <- aggregate
           +-----------------------------------------+    PS statistics
                              |  |                        for H12-H21
           +-----------------------------------------+
           |        H12 to H22 (data tunnel)         | <- aggregate
           +-----------------------------------------+    PS statistics
                              |  |                        for H12-H22
                              +--+

   PS - Protection Suite

                Figure 3-2 Illustration of IPSec Tunnels

In cases where this MIB is required for asymmetric use, the corresponding objects that describe the unused direction may be set to the equivalent of the unknown or zero state.

3.6 Notify Messages

Notify messages sent from peer to peer are not necessarily sent as traps. However, they are collected as they occur and accumulated in a sparse table structure.

A notify message object is defined.
This object is used as the index into the table of accumulated notify messages. This helps system administrators determine if there are potential configuration problems or attacks on their network.

3.7 IPSec MIB Traps

Traps are provided to let system administrators know about the existence of error conditions occurring in the entity. Errors are associated with the creation and deletion of protection suites, and also operational errors that may indicate the presence of attacks on the system.

Traps are not provided when protection suites and tunnels come up or go down, unless they go down due to error conditions. It should be noted that the termination of a permanent tunnel is normally considered an error condition, while the termination of a transient tunnel is not normally considered an error.

The causes of protection suite negotiation failure are indicated by a notify message object.

3.8 IPSec Entity Level Objects

This part of the MIB carries statistics global to the IPSec device.

Statistics included are aggregate errors, aggregate numbers associated with protection suites, permanent tunnels and transient tunnels. The statistics are provided as objects in a tree below these groups.

More system wide statistics on transient tunnels are provided since they disappear from the tables when they terminate, and the aggregate traffic statistics associated with individual tunnels are lost.

4. MIB Definitions

IPSEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Integer32, Unsigned32,
    experimental, NOTIFICATION-TYPE        FROM SNMPv2-SMI
    DateAndTime, TruthValue                FROM SNMPv2-TC;

ipsecMIB MODULE-IDENTITY
    LAST-UPDATED "9811301200Z"
    ORGANIZATION "IETF IPSec Working Group"
    CONTACT-INFO
        "   Tim Jenkins
            TimeStep Corporation
            362 Terry Fox Drive
            Kanata, ON  K0A 2H0
            Canada

            613-599-3610
            tjenkins@timestep.com"

    DESCRIPTION
        "The MIB module to describe generic IPSec objects,
        transient and permanent virtual tunnels created by IPSec
        SAs, and entity level IPSec objects and events."
    REVISION "9811301200Z"
    DESCRIPTION
        "Initial revision."
    -- ::= { mib-2 ?? }
    -- need correct value here
    ::= { experimental 500 }

ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }

-- the IPSec IKE Control Channel MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE virtual IKE control channel

ipsecIkeConChanTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsecIkeConChanEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec's
        IKE control channels."
    ::= { ipsec 1 }

ipsecIkeConChanEntry OBJECT-TYPE
    SYNTAX IpsecIkeConChanEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (conceptual row) containing the information on
        a particular IKE control channel."
    INDEX { ipsecIkeConChanIndex }
    ::= { ipsecIkeConChanTable 1 }

IpsecIkeConChanEntry ::= SEQUENCE {
    ipsecIkeConChanIndex                    Integer32,

    -- the real identifiers for the control channel
    ipsecIkeConChanLocalIdType              Integer32,
    ipsecIkeConChanLocalId                  OCTET STRING,
    ipsecIkeConChanPeerIdType               Integer32,
    ipsecIkeConChanPeerId                   OCTET STRING,
    ipsecIkeConChanAuthMethod               Integer32,
    ipsecIkeConChanPeerCertSerialNum        OCTET STRING,
    ipsecIkeConChanPeerCertIssuer           OCTET STRING,

    -- virtual channel status
    ipsecIkeConChanType                     INTEGER,
    ipsecIkeConChanCurrentSaNum             Unsigned32,
    ipsecIkeConChanTotalSaNum               Counter64,

    -- aggregate statistics (all SAs)
    ipsecIkeConChanTimeStart                DateAndTime,
    ipsecIkeConChanInboundTraffic           Counter64,  -- in bytes
    ipsecIkeConChanOutboundTraffic          Counter64,  -- in bytes
    ipsecIkeConChanInboundPackets           Counter64,
    ipsecIkeConChanOutboundPackets          Counter64,

    -- aggregate error statistics
    ipsecIkeConChanDecryptErrors            Counter32,
    ipsecIkeConChanHashErrors               Counter32,
    ipsecIkeConChanOtherReceiveErrors       Counter32,
    ipsecIkeConChanSendErrors               Counter32,

    -- IPSec SA (Phase 2) statistics (aggregate)
    ipsecIkeConChanIpsecInboundTraffic      Counter64,
    ipsecIkeConChanIpsecOutboundTraffic     Counter64,
    ipsecIkeConChanIpsecInboundPackets      Counter64,
    ipsecIkeConChanIpsecOutboundPackets     Counter64,

    -- IPSec SA (Phase 2) error statistics (aggregate)
    ipsecIkeConChanIpsecDecryptErrors       Counter32,
    ipsecIkeConChanIpsecAuthErrors          Counter32,
    ipsecIkeConChanIpsecReplayErrors        Counter32,
    ipsecIkeConChanIpsecOtherReceiveErrors  Counter32,
    ipsecIkeConChanIpsecSendErrors          Counter32
}

ipsecIkeConChanIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each control
        channel. It is recommended that values are assigned
        contiguously starting from 1.
        The value for each control channel must remain constant
        at least from one re-initialization of the entity's network
        management system to the next re-initialization.

        Further, the value for control channels that are marked
        as permanent must remain constant across all
        re-initializations of the network management system."
    ::= { ipsecIkeConChanEntry 1 }

ipsecIkeConChanLocalIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the local end of the control
        channel.

        Specific values are used as described in Section 4.6.2.1
        of [IPDOI]."
    ::= { ipsecIkeConChanEntry 2 }

ipsecIkeConChanLocalId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the local host that negotiated this control
        channel.

        The length may require truncation under some conditions."
    ::= { ipsecIkeConChanEntry 3 }

ipsecIkeConChanPeerIdType OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of ID used by the peer.

        Specific values are used as described in Section 4.6.2.1
        of [IPDOI]."
    ::= { ipsecIkeConChanEntry 4 }

ipsecIkeConChanPeerId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ID of the peer host that negotiated this control
        channel.

        The length may require truncation under some conditions."
    ::= { ipsecIkeConChanEntry 5 }

ipsecIkeConChanAuthMethod OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used to authenticate the
        peers.

        Note that this does not include the specific method of
        authentication if extended authentication is used.
        Specific values are used as described in the ISAKMP Class
        Values of Authentication Method from Appendix A of
        [IKE]."
    ::= { ipsecIkeConChanEntry 6 }

ipsecIkeConChanPeerCertSerialNum OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..63))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The serial number of the certificate of the peer this
        control channel was negotiated with.

        This object has no meaning if a certificate was not used
        in authenticating the peer."
    ::= { ipsecIkeConChanEntry 7 }

ipsecIkeConChanPeerCertIssuer OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The issuer of the certificate of the peer this control
        channel was negotiated with.

        This object has no meaning if a certificate was not used
        in authenticating the peer."
    ::= { ipsecIkeConChanEntry 8 }

ipsecIkeConChanType OBJECT-TYPE
    SYNTAX      INTEGER { transient(1), permanent(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of control channel represented by this row.

        A transient link will disappear from the table when
        the SAs needed for it cannot be established. A
        permanent link will show its status in the
        ipsecIkeConChanStatus object."
    ::= { ipsecIkeConChanEntry 9 }

ipsecIkeConChanCurrentSaNum OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active SAs that are available
        for use by this control channel.

        If the control channel is permanent, a 0 value in this
        object indicates the channel was either never tried or is
        down.

        If the control channel is transient, this object can
        never be 0 valued."
    ::= { ipsecIkeConChanEntry 10 }

ipsecIkeConChanTotalSaNum OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of SAs, including all expired and
        active SAs, that have been set up to support this control
        channel."
    ::= { ipsecIkeConChanEntry 11 }

ipsecIkeConChanTimeStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the first SA within the control
        channel was set up."
    ::= { ipsecIkeConChanEntry 12 }

ipsecIkeConChanInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled in
        the control channel in the inbound direction. In other
        words, it is the aggregate value of all inbound traffic
        carried by all phase 1 SAs ever set up to support the
        control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 13 }

ipsecIkeConChanOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes handled in
        the control channel in the outbound direction. In other
        words, it is the aggregate value of all outbound traffic
        carried by all phase 1 SAs ever set up to support the
        control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 14 }

ipsecIkeConChanInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled by the control
        channel since it became active in the inbound direction.
        In other words, it is the aggregate value of the number
        of inbound packets carried by all phase 1 SAs ever set up
        to support the control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 15 }

ipsecIkeConChanOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets handled by the control
        channel since it became active in the outbound direction.
        In other words, it is the aggregate value of the number
        of outbound packets carried by all phase 1 SAs ever set
        up to support the control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 16 }

ipsecIkeConChanDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this control
        channel discarded due to decryption errors.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the
        SAs supporting this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 17 }

ipsecIkeConChanHashErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this control
        channel discarded due to hash errors.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the
        SAs supporting this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 18 }

ipsecIkeConChanOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this control
        channel discarded for reasons other than bad hashes or
        decryption errors. This may include packets dropped due
        to a lack of receive buffer space.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the
        SAs supporting this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 19 }

ipsecIkeConChanSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets from this control
        channel discarded for any reason. This may include
        packets dropped due to a lack of transmit buffer space.

        Note that this refers to IKE protocol packets, and not to
        packets carried by IPSec protection suites set up by the
        SAs supporting this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 20 }

ipsecIkeConChanIpsecInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of inbound traffic measured in bytes
        handled by all IPSec SAs set up by phase 1 SAs supporting
        this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 21 }

ipsecIkeConChanIpsecOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of outbound traffic measured in bytes
        handled by all IPSec protection suites set up by all
        phase 1 SAs supporting this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 22 }

ipsecIkeConChanIpsecInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets handled by all IPSec
        protection suites set up by phase 1 SAs supporting this
        control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 23 }

ipsecIkeConChanIpsecOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets handled by all
        IPSec protection suites set up by phase 1 SAs supporting
        this control channel.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 24 }

ipsecIkeConChanIpsecDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all
        IPSec protection suites set up by all phase 1 SAs in this
        control channel due to decryption errors.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 25 }

ipsecIkeConChanIpsecAuthErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all
        IPSec protection suites set up by all phase 1 SAs in this
        control channel due to authentication errors. This
        includes hash failures in IPSec SAs using ESP and AH.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 26 }

ipsecIkeConChanIpsecReplayErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all
        IPSec protection suites set up by all phase 1 SAs in this
        control channel due to replay errors.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 27 }

ipsecIkeConChanIpsecOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets discarded by all
        IPSec protection suites set up by all phase 1 SAs in this
        control channel due to errors other than authentication,
        decryption or replay errors. This may include packets
        dropped due to lack of receive buffers.

        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 34 }

ipsecIkeConChanIpsecSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets discarded by all
        IPSec protection suites set up by all phase 1 SAs in this
        control channel due to any error. This may include
        packets dropped due to lack of transmit buffers.
        If this is a permanent control channel, it is not reset
        to zero when the number of phase 1 SAs changes from 0."
    ::= { ipsecIkeConChanEntry 28 }

-- the IPSec IKE MIB-Group
--
-- a collection of objects providing information about
-- IPSec's IKE SAs and the virtual phase 1 SA tunnels

ipsecIkeSaTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecIkeSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec's
        IKE SAs."
    ::= { ipsec 2 }

ipsecIkeSaEntry OBJECT-TYPE
    SYNTAX      IpsecIkeSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on
        a particular IKE SA."
    INDEX { ipsecIkeSaIndex }
    ::= { ipsecIkeSaTable 1 }

IpsecIkeSaEntry ::= SEQUENCE {
    ipsecIkeSaIndex                 Integer32,
    ipsecIkeSaConChanIndex          Integer32,

    -- identifier information
    ipsecIkeSaInitiatorCookie       OCTET STRING,
    ipsecIkeSaResponderCookie       OCTET STRING,
    ipsecIkeSaState                 INTEGER,

    -- connection information
    ipsecIkeSaLocalIpAddress        OCTET STRING,
    ipsecIkeSaLocalPortNumber       INTEGER,
    ipsecIkeSaPeerIpAddress         OCTET STRING,
    ipsecIkeSaPeerPortNumber        INTEGER,

    -- security algorithm information
    ipsecIkeSaEncAlg                INTEGER,
    ipsecIkeSaEncKeyLength          Unsigned32,
    ipsecIkeSaHashAlg               Integer32,
    ipsecIkeSaDifHelGroupDesc       Integer32,
    ipsecIkeSaDifHelGroupType       Integer32,
    ipsecIkeSaPRF                   Integer32,

    -- expiration limits, current SA
    ipsecIkeSaTimeStart             DateAndTime,
    ipsecIkeSaTimeLimit             OCTET STRING,   -- in seconds
    ipsecIkeSaTrafficLimit          OCTET STRING,
    ipsecIkeSaTrafficCount          OCTET STRING,

    -- this SA's operating statistics
    ipsecIkeSaInboundTraffic        Counter64,      -- in bytes
    ipsecIkeSaOutboundTraffic       Counter64,      -- in bytes
    ipsecIkeSaInboundPackets        Counter64,
    ipsecIkeSaOutboundPackets       Counter64,

    -- this SA's error statistics
    ipsecIkeSaDecryptErrors         Counter32,
    ipsecIkeSaHashErrors            Counter32,
    ipsecIkeSaOtherReceiveErrors    Counter32,
    ipsecIkeSaSendErrors            Counter32
}

ipsecIkeSaIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each IKE SA.
        Values are assigned contiguously starting from 1."
    ::= { ipsecIkeSaEntry 1 }

ipsecIkeSaConChanIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A reference to the IKE control channel that this SA
        supports. It is the value of that channel's
        'ipsecIkeConChanIndex'."
    ::= { ipsecIkeSaEntry 2 }

ipsecIkeSaInitiatorCookie OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the initiator for the
        current phase 1 SA."
    ::= { ipsecIkeSaEntry 3 }

ipsecIkeSaResponderCookie OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (16))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the responder for the
        current phase 1 SA."
    ::= { ipsecIkeSaEntry 4 }

ipsecIkeSaState OBJECT-TYPE
    SYNTAX      INTEGER {
                    tryingInitiator(0),
                    tryingInitiatorIDProt(1),
                    tryingResponder(2),
                    tryingResponderIDProt(3),
                    upInitiator(4),
                    upInitiatorIDProt(5),
                    upResponder(6),
                    upResponderIDProt(7) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current state of the SA.

        'tryingInitiator' means this end is attempting to
        negotiate the SA using aggressive mode and is the
        initiator. 'tryingInitiatorIDProt' means this end is
        attempting to negotiate the SA using main mode and is the
        initiator.
        'tryingResponder' means the peer is attempting to
        negotiate the SA using aggressive mode as initiator.
        'tryingResponderIDProt' means the peer is attempting to
        negotiate the SA using main mode as initiator.

        'upInitiator' means the SA is up, and this end is the
        initiator. 'upResponder' means the SA is up and the
        peer is the initiator. On the latter two, the suffix
        'IDProt' means main mode was used to negotiate the SA."
    ::= { ipsecIkeSaEntry 5 }

ipsecIkeSaLocalIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING ( SIZE( 4 | 8 ) )
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local IP address that this SA was negotiated with,
        or 0 if unknown.

        The size of this object is 4 if the IP address is an IPv4
        address. The size is 8 if the IP address is an IPv6
        address."
    ::= { ipsecIkeSaEntry 6 }

ipsecIkeSaLocalPortNumber OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local UDP port number that this SA was negotiated
        with."
    DEFVAL { 500 }
    ::= { ipsecIkeSaEntry 7 }

ipsecIkeSaPeerIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING ( SIZE( 4 | 8 ) )
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the peer that this SA was negotiated
        with, or 0 if unknown.

        The size of this object is 4 if the IP address is an IPv4
        address. The size is 8 if the IP address is an IPv6
        address."
    ::= { ipsecIkeSaEntry 8 }

ipsecIkeSaPeerPortNumber OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The UDP port number of the peer that this SA was
        negotiated with."
    DEFVAL { 500 }
    ::= { ipsecIkeSaEntry 9 }

ipsecIkeSaEncAlg OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the encryption algorithm
        applied to traffic carried on this SA.

        Specific values are used as described in the ISAKMP
        Class Values of Encryption Algorithms from Appendix A
        of [IKE]."
    ::= { ipsecIkeSaEntry 10 }

ipsecIkeSaEncKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of the encryption key in bits used for the
        algorithm specified in the 'ipsecIkeSaEncAlg' object, or 0
        if the key length is implicit in the specified
        algorithm."
    ::= { ipsecIkeSaEntry 11 }

ipsecIkeSaHashAlg OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the hash algorithm applied
        to traffic carried on this SA.

        Specific values are used as described in the ISAKMP Class
        Values of Hash Algorithms from Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 12 }

ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group
        description used, or 0 if the group is unknown.

        Specific values are used as described in the ISAKMP Class
        Values of Group Description from Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 13 }

ipsecIkeSaDifHelGroupType OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value representing the Diffie-Hellman group
        type used, or 0 if the group is unknown.

        Specific values are used as described in the ISAKMP Class
        Values of Group Type from Appendix A of [IKE]."
    ::= { ipsecIkeSaEntry 14 }

ipsecIkeSaPRF OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The pseudo-random function used, or 0 if none is used or
        if it is unknown.

        Specific values are used as described in the ISAKMP Class
        Values of PRF from Appendix A of [IKE] (which specifies
        none at the present time)."
    ::= { ipsecIkeSaEntry 15 }

ipsecIkeSaTimeStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The date and time that the current SA within the link
        was set up.

        It is not the date and time that the virtual tunnel was
        set up."
    ::= { ipsecIkeSaEntry 16 }

ipsecIkeSaTimeLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum lifetime in seconds of the current SA
        supporting the virtual tunnel, or 0 if there is no time
        constraint on its expiration."
    ::= { ipsecIkeSaEntry 17 }

ipsecIkeSaTrafficLimit OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The maximum traffic in 1024-byte blocks that the current
        SA supporting the virtual tunnel is allowed to support,
        or 0 if there is no traffic constraint on its
        expiration."
    ::= { ipsecIkeSaEntry 18 }

ipsecIkeSaTrafficCount OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    UNITS       "1024-byte blocks"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic that this SA has processed that
        counts against its expiration by traffic limit,
        measured in 1024-byte blocks. It includes traffic in both
        directions.

        It may be 0 if there is no traffic constraint on the SA's
        expiration."
    ::= { ipsecIkeSaEntry 19 }

ipsecIkeSaInboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes handled in the
        current SA in the inbound direction."
    ::= { ipsecIkeSaEntry 20 }

ipsecIkeSaOutboundTraffic OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes handled in the
        current SA in the outbound direction."
    ::= { ipsecIkeSaEntry 21 }

ipsecIkeSaInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled in the current SA in the
        inbound direction."
    ::= { ipsecIkeSaEntry 22 }

ipsecIkeSaOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets handled in the current SA in the
        outbound direction."
    ::= { ipsecIkeSaEntry 23 }

ipsecIkeSaDecryptErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this SA discarded
        due to decryption errors.

        The following may be used as a guideline to distinguish
        decryption errors from protocol negotiation errors:

        If there are any errors in the packet's generic payload
        structures (next payload field, reserved, payload
        length), then this is considered a decryption error.

        If an error happens inside the payload structure, then it
        is not assumed to be a decryption error, and is
        considered a protocol negotiation error."
    ::= { ipsecIkeSaEntry 24 }

ipsecIkeSaHashErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this SA discarded
        due to hash errors. These errors are considered packet
        errors, and not protocol negotiation errors.

        The case of hash failures when the hash is generated by
        authentication data is considered an authentication
        failure, and not a hash failure."
    ::= { ipsecIkeSaEntry 25 }

ipsecIkeSaOtherReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound packets to this SA discarded
        for reasons other than bad hashes or decryption errors.
        This may include packets dropped due to a lack of receive
        buffer space.

        Packets that contain protocol negotiation errors are not
        considered dropped packets."
    ::= { ipsecIkeSaEntry 26 }

ipsecIkeSaSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound packets from this SA
        discarded for any reason. This may include packets
        dropped due to a lack of transmit buffer space."
    ::= { ipsecIkeSaEntry 27 }

-- the IPSec Tunnel MIB-Group
--
-- a collection of objects providing information about
-- IPSec protection suite-based virtual tunnels

ipsecTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPSec
        protection suite-based tunnels."
    ::= { ipsec 3 }

ipsecTunnelEntry OBJECT-TYPE
    SYNTAX      IpsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on
        a particular configured tunnel."
    INDEX { ipsecTunnelIndex }
    ::= { ipsecTunnelTable 1 }

IpsecTunnelEntry ::= SEQUENCE {
    ipsecTunnelIndex                    Integer32,
    ipsecTunnelIkeConChan               Integer32,  -- if not static
    ipsecTunnelType                     INTEGER,    -- static, transient, permanent

    -- tunnel identifiers
    ipsecTunnelLocalIdentifier          OCTET STRING,
    ipsecTunnelLocalIdentifierType      INTEGER,
    ipsecTunnelRemoteIdentifier         OCTET STRING,
    ipsecTunnelRemoteIdentifierType     INTEGER,
    ipsecTunnelProtocol                 Integer32,
    ipsecTunnelLocalPort                Integer32,
    ipsecTunnelRemotePort               Integer32,

    -- tunnel creation mechanism
    ipsecTunnelDifHelGroupDesc          Integer32,
    ipsecTunnelDifHelGroupType          Integer32,
    ipsecTunnelPFS                      TruthValue,

    -- tunnel security services description
    ipsecTunnelEncapsulation            INTEGER,
    ipsecTunnelEspEncAlg                Integer32,
    ipsecTunnelEspEncKeyLength          Unsigned32,
    ipsecTunnelEspAuthAlg               Integer32,
    ipsecTunnelAhAuthAlg                Integer32,
    ipsecTunnelCompAlg                  Integer32,

    -- aggregate statistics
    ipsecTunnelStartTime                DateAndTime,
    ipsecTunnelCurrentProtSuitesNum     Unsigned32,
    ipsecTunnelTotalProtSuitesNum       Counter32,
    ipsecTunnelTotalInboundTraffic      Counter64,
    ipsecTunnelTotalOutboundTraffic     Counter64,
    ipsecTunnelTotalInboundPackets      Counter64,
    ipsecTunnelTotalOutboundPackets     Counter64,

    -- aggregate error statistics
    ipsecTunnelDecryptErrors            Counter32,
    ipsecTunnelAuthErrors               Counter32,
    ipsecTunnelReplayErrors             Counter32,
    ipsecTunnelPolicyErrors             Counter32,
    ipsecTunnelOtherReceiveErrors       Counter32,
    ipsecTunnelSendErrors               Counter32
}

ipsecTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each tunnel
        interface. It is recommended that values are assigned
        contiguously starting from 1.
        The value for each tunnel interface must remain constant
        at least from one re-initialization of the entity's
        network management system to the next re-initialization.

        Further, the value for tunnel interfaces that are marked
        as permanent must remain constant across all
        re-initializations of the network management system."
    ::= { ipsecTunnelEntry 1 }

ipsecTunnelIkeConChan OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the index into the IKE control channel
        table that created this tunnel (ipsecIkeConChanIndex), or
        0 if the tunnel is created by a static IPSec protection
        suite."
    ::= { ipsecTunnelEntry 2 }

ipsecTunnelType OBJECT-TYPE
    SYNTAX      INTEGER { static(0), transient(1), permanent(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the virtual tunnel represented by this row.

        'static' means that the tunnel is supported by a single
        static IPSec protection suite that was set up by
        configuration, and not by using a key exchange protocol.
        In this case, the value of ipsecTunnelIkeConChan must be
        0."
    ::= { ipsecTunnelEntry 3 }

ipsecTunnelLocalIdentifier OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (4..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local identifier of the virtual tunnel, or 0 if
        unknown or if the protection suite uses transport mode
        encapsulation.

        This value is taken directly from the optional ID
        payloads that are exchanged during phase 2 negotiations."
    ::= { ipsecTunnelEntry 4 }

ipsecTunnelLocalIdentifierType OBJECT-TYPE
    SYNTAX      INTEGER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identifier presented by
        'ipsecTunnelLocalIdentifier', or 0 if unknown or if the
        protection suite uses transport mode encapsulation.
            This value is taken directly from the optional ID
            payloads that are exchanged during phase 2 negotiations."
        ::= { ipsecTunnelEntry 5 }

    ipsecTunnelRemoteIdentifier OBJECT-TYPE
        SYNTAX OCTET STRING (SIZE (4..255))
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The remote identifier of the virtual tunnel, or 0 if
            unknown or if the protection suite uses transport mode
            encapsulation.

            This value is taken directly from the optional ID
            payloads that are exchanged during phase 2 negotiations."
        ::= { ipsecTunnelEntry 6 }

    ipsecTunnelRemoteIdentifierType OBJECT-TYPE
        SYNTAX INTEGER
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The type of identifier presented by
            'ipsecTunnelRemoteIdentifier', or 0 if unknown or if the
            protection suite uses transport mode encapsulation.

            This value is taken directly from the optional ID
            payloads that are exchanged during phase 2 negotiations."
        ::= { ipsecTunnelEntry 7 }

    ipsecTunnelProtocol OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of the protocol that this tunnel carries, or
            0 if it carries any protocol."
        ::= { ipsecTunnelEntry 8 }

    ipsecTunnelLocalPort OBJECT-TYPE
        SYNTAX Integer32 (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of the local port that this tunnel carries,
            or 0 if it carries any port number."
        ::= { ipsecTunnelEntry 9 }

    ipsecTunnelRemotePort OBJECT-TYPE
        SYNTAX Integer32 (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of the remote port that this tunnel carries,
            or 0 if it carries any port number."
        ::= { ipsecTunnelEntry 10 }

    ipsecTunnelDifHelGroupDesc OBJECT-TYPE
        SYNTAX Integer32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            description used to set up protection suites for this
            tunnel, or 0 if the group is unknown.

            Specific values are used as described in the ISAKMP Class
            Values of Group Description from Appendix A of [IKE]."
        ::= { ipsecTunnelEntry 11 }

    ipsecTunnelDifHelGroupType OBJECT-TYPE
        SYNTAX Integer32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value representing the Diffie-Hellman group
            type used to set up protection suites for this tunnel, or
            0 if the group is unknown.

            Specific values are used as described in the ISAKMP Class
            Values of Group Type from Appendix A of [IKE]."
        ::= { ipsecTunnelEntry 12 }

    ipsecTunnelPFS OBJECT-TYPE
        SYNTAX TruthValue
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "'true' if protection suites set up for this tunnel were
            created using perfect forward secrecy."
        ::= { ipsecTunnelEntry 13 }

    ipsecTunnelEncapsulation OBJECT-TYPE
        SYNTAX INTEGER { transport(1), tunnel(2) }
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The type of encapsulation used by protection suites
            created for this virtual tunnel."
        ::= { ipsecTunnelEntry 14 }

    ipsecTunnelEspEncAlg OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value representing the encryption algorithm
            applied to traffic carried by this tunnel if it uses ESP,
            or 0 if there is no encryption applied by ESP or if ESP
            is not used.

            Specific values are taken from Section 4.4.4 of [IPDOI]."
        ::= { ipsecTunnelEntry 15 }

    ipsecTunnelEspEncKeyLength OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The length of the encryption key in bits used for the
            algorithm specified in the 'ipsecTunnelEspEncAlg' object,
            or 0 if the key length is implicit in the specified
            algorithm or there is no encryption specified."
        ::= { ipsecTunnelEntry 16 }

    ipsecTunnelEspAuthAlg OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this tunnel if it uses ESP or 0 if
            there is no authentication applied by ESP or if ESP is
            not used.

            Specific values are taken from the Authentication
            Algorithm attribute values of Section 4.5 of [IPDOI]."
        ::= { ipsecTunnelEntry 17 }

    ipsecTunnelAhAuthAlg OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this tunnel if it uses AH or 0 if
            AH is not used.

            Specific values are taken from Section 4.4.3 of [IPDOI]."
        ::= { ipsecTunnelEntry 18 }

    ipsecTunnelCompAlg OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value representing the compression algorithm
            applied to traffic carried by this tunnel if it uses
            IPCOMP.

            Specific values are taken from Section 4.4.5 of [IPDOI]."
        ::= { ipsecTunnelEntry 19 }

    ipsecTunnelStartTime OBJECT-TYPE
        SYNTAX DateAndTime
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The date and time that this virtual tunnel was set up.

            If this is a permanent virtual tunnel, it is not reset
            when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 20 }

    ipsecTunnelCurrentProtSuitesNum OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of protection suites currently active
            supporting this virtual tunnel.

            If this number is 0, the tunnel must be considered down.
            Also, if this number is 0, the tunnel must be a permanent
            tunnel, since transient tunnels that are down do not
            appear in the table."
        ::= { ipsecTunnelEntry 21 }

    ipsecTunnelTotalProtSuitesNum OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of protection suites, including all
            current protection suites, that have been set up to
            support this virtual tunnel."
        ::= { ipsecTunnelEntry 22 }

    ipsecTunnelTotalInboundTraffic OBJECT-TYPE
        SYNTAX Counter64
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total amount of traffic measured in bytes handled in
            the tunnel in the inbound direction. In other words, it
            is the aggregate value of all inbound traffic carried by
            all IPSec protection suites ever set up to support the
            virtual tunnel.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 23 }

    ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
        SYNTAX Counter64
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total amount of traffic measured in bytes handled in
            the tunnel in the outbound direction. In other words, it
            is the aggregate value of all outbound traffic carried by
            all IPSec protection suites ever set up to support the
            virtual tunnel.
            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 24 }

    ipsecTunnelTotalInboundPackets OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets handled in the tunnel in the
            inbound direction. In other words, it is the aggregate
            value of all inbound packets carried by all IPSec
            protection suites ever set up to support the virtual
            tunnel.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 25 }

    ipsecTunnelTotalOutboundPackets OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets handled in the tunnel in the
            outbound direction. In other words, it is the aggregate
            value of all outbound packets carried by all IPSec SAs
            ever set up to support the virtual tunnel.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 26 }

    ipsecTunnelDecryptErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to decryption errors in ESP.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 27 }

    ipsecTunnelAuthErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to authentication errors. This
            includes hash failures in IPSec protection suites using
            both ESP and AH.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 28 }

    ipsecTunnelReplayErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to replay errors. This includes replay
            failures in IPSec protection suites using both ESP and
            AH.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 29 }

    ipsecTunnelPolicyErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to policy errors. This includes errors
            in all transforms if protection suites are used.

            Policy errors are due to the detection of a packet that
            was inappropriately sent into this tunnel.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 30 }

    ipsecTunnelOtherReceiveErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to errors other than decryption,
            authentication or replay errors. This may include packets
            dropped due to a lack of receive buffers.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 31 }

    ipsecTunnelSendErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of outbound packets discarded by this
            virtual tunnel due to any error. This may include packets
            dropped due to a lack of transmit buffers.

            If this is a permanent virtual tunnel, it is not reset to
            zero when the number of current protection suites
            (ipsecTunnelCurrentProtSuitesNum) changes from 0 to 1."
        ::= { ipsecTunnelEntry 32 }

    -- the IPSec Protection Suites MIB-Group
    --
    -- a collection of objects providing information about
    -- IPSec protection suites

    ipsecProtSuiteTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpsecProtSuiteEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "The (conceptual) table containing information on IPSec
            protection suites."
        ::= { ipsec 4 }

    ipsecProtSuiteEntry OBJECT-TYPE
        SYNTAX IpsecProtSuiteEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "An entry (conceptual row) containing the information on
            a particular IPSec SA."
        INDEX { ipsecProtSuiteIndex }
        ::= { ipsecProtSuiteTable 1 }

    IpsecProtSuiteEntry ::= SEQUENCE {
        ipsecProtSuiteIndex               Integer32,
        ipsecProtSuiteTunnel              Integer32, -- from ipsecTunnelTable

        -- identification
        ipsecProtSuitePeerAddress         OCTET STRING,
        ipsecProtSuiteInboundEspSpi       Unsigned32,
        ipsecProtSuiteOutboundEspSpi      Unsigned32,
        ipsecProtSuiteInboundAhSpi        Unsigned32,
        ipsecProtSuiteOutboundAhSpi       Unsigned32,
        ipsecProtSuiteInboundCompCpi      INTEGER,
        ipsecProtSuiteOutboundCompCpi     INTEGER,

        -- expiration limits
        ipsecProtSuiteCreationTime        DateAndTime,
        ipsecProtSuiteTimeLimit           OCTET STRING, -- sec., 0 if none
        ipsecProtSuiteTrafficLimit        OCTET STRING, -- 0 if none
        ipsecProtSuiteTrafficCount        OCTET STRING,

        -- current operating statistics
        ipsecProtSuiteInboundTraffic      Counter64,
        ipsecProtSuiteOutboundTraffic     Counter64,
        ipsecProtSuiteInboundPackets      Counter64,
        ipsecProtSuiteOutboundPackets     Counter64,

        -- error statistics
        ipsecProtSuiteDecryptErrors       Counter32,
        ipsecProtSuiteAuthErrors          Counter32,
        ipsecProtSuiteReplayErrors        Counter32,
        ipsecProtSuitePolicyErrors        Counter32,
        ipsecProtSuiteOtherReceiveErrors  Counter32,
        ipsecProtSuiteSendErrors          Counter32
    }

    ipsecProtSuiteIndex OBJECT-TYPE
        SYNTAX Integer32 (1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "A unique value, greater than zero, for each IPSec
            protection suite. It is recommended that values are
            assigned contiguously starting from 1."
        ::= { ipsecProtSuiteEntry 1 }

    ipsecProtSuiteTunnel OBJECT-TYPE
        SYNTAX Integer32 (1..2147483647)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the index into the IPSec tunnel table that
            this protection suite supports (ipsecTunnelIndex)."
        ::= { ipsecProtSuiteEntry 2 }

    ipsecProtSuitePeerAddress OBJECT-TYPE
        SYNTAX OCTET STRING ( SIZE( 4 | 8 ) )
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The peer IP address used by the protection suite.

            The size of this object is 4 if the address is an IPv4
            address, or 8 if the address is an IPv6 address."
        ::= { ipsecProtSuiteEntry 3 }

    ipsecProtSuiteInboundEspSpi OBJECT-TYPE
        SYNTAX Unsigned32 (0..4294967295)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the SPI for the inbound protection suite
            that provides the ESP security service, or zero if ESP is
            not used."
        ::= { ipsecProtSuiteEntry 4 }

    ipsecProtSuiteOutboundEspSpi OBJECT-TYPE
        SYNTAX Unsigned32 (0..4294967295)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the SPI for the outbound protection suite
            that provides the ESP security service, or zero if ESP is
            not used."
        ::= { ipsecProtSuiteEntry 5 }

    ipsecProtSuiteInboundAhSpi OBJECT-TYPE
        SYNTAX Unsigned32 (0..4294967295)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the SPI for the inbound protection suite
            that provides the AH security service, or zero if AH is
            not used."
        ::= { ipsecProtSuiteEntry 6 }

    ipsecProtSuiteOutboundAhSpi OBJECT-TYPE
        SYNTAX Unsigned32 (0..4294967295)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the SPI for the outbound protection suite
            that provides the AH security service, or zero if AH is
            not used."
        ::= { ipsecProtSuiteEntry 7 }

    ipsecProtSuiteInboundCompCpi OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the CPI for the inbound protection suite
            that provides IP compression, or zero if IPCOMP is not
            used."
        ::= { ipsecProtSuiteEntry 8 }

    ipsecProtSuiteOutboundCompCpi OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value of the CPI for the outbound protection suite
            that provides IP compression, or zero if IPCOMP is not
            used."
        ::= { ipsecProtSuiteEntry 9 }

    ipsecProtSuiteCreationTime OBJECT-TYPE
        SYNTAX DateAndTime
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The date and time that the current protection suite was
            set up."
        ::= { ipsecProtSuiteEntry 10 }

    ipsecProtSuiteTimeLimit OBJECT-TYPE
        SYNTAX OCTET STRING (SIZE (4..255))
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The maximum lifetime in seconds of the protection suite,
            or 0 if there is no time constraint on its expiration."
        ::= { ipsecProtSuiteEntry 11 }

    ipsecProtSuiteTrafficLimit OBJECT-TYPE
        SYNTAX OCTET STRING (SIZE (4..255))
        UNITS "1024-byte blocks"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The maximum traffic in 1024-byte blocks that the
            protection suite is allowed to support, or 0 if there is
            no traffic constraint on its expiration."
        ::= { ipsecProtSuiteEntry 12 }

    ipsecProtSuiteTrafficCount OBJECT-TYPE
        SYNTAX OCTET STRING (SIZE (4..255))
        UNITS "1024-byte blocks"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The amount of traffic accumulated that counts against
            the protection suite's expiration by traffic limitation,
            measured in 1024-byte blocks."
        ::= { ipsecProtSuiteEntry 13 }

    ipsecProtSuiteInboundTraffic OBJECT-TYPE
        SYNTAX Counter64
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The amount of user level traffic measured in bytes
            handled by the protection suite in the inbound direction.
            This is not necessarily the same as the amount of traffic
            applied against the traffic expiration limit."
        ::= { ipsecProtSuiteEntry 14 }

    ipsecProtSuiteOutboundTraffic OBJECT-TYPE
        SYNTAX Counter64
        UNITS "bytes"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The amount of user level traffic measured in bytes
            handled by the protection suite in the outbound
            direction.

            This is not necessarily the same as the amount of traffic
            applied against the traffic expiration limit."
        ::= { ipsecProtSuiteEntry 15 }

    ipsecProtSuiteInboundPackets OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of packets handled by the protection suite in
            the inbound direction."
        ::= { ipsecProtSuiteEntry 16 }

    ipsecProtSuiteOutboundPackets OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of packets handled by the protection suite in
            the outbound direction."
        ::= { ipsecProtSuiteEntry 17 }

    ipsecProtSuiteDecryptErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of inbound packets discarded by the
            protection suite due to decryption errors."
        ::= { ipsecProtSuiteEntry 18 }

    ipsecProtSuiteAuthErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of inbound packets discarded by the
            protection suite due to authentication errors. This
            includes hash failures in both ESP and AH."
        ::= { ipsecProtSuiteEntry 19 }

    ipsecProtSuiteReplayErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of inbound packets discarded by the
            protection suite due to replay errors. This includes
            replay failures in both ESP and AH."
        ::= { ipsecProtSuiteEntry 20 }

    ipsecProtSuitePolicyErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of inbound packets discarded by the
            protection suite due to policy errors."
        ::= { ipsecProtSuiteEntry 21 }

    ipsecProtSuiteOtherReceiveErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of inbound packets discarded by the
            protection suite due to errors other than decryption,
            authentication or replay errors. This may include
            decompression errors or errors due to a lack of receive
            buffers."
        ::= { ipsecProtSuiteEntry 22 }

    ipsecProtSuiteSendErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of outbound packets discarded by the
            protection suite due to any error. This may include
            compression errors or errors due to a lack of transmit
            buffers."
        ::= { ipsecProtSuiteEntry 23 }

    -- the IPSec Entity MIB-Group
    --
    -- a collection of objects providing information about overall IPSec
    -- status in the entity

    --
    -- Definitions of significant branches
    --
    ipsecTrapsA            OBJECT IDENTIFIER ::= { ipsec 5 }
    ipsecTraps             OBJECT IDENTIFIER ::= { ipsecTrapsA 0 }
    ipsecProtSuiteCounts   OBJECT IDENTIFIER ::= { ipsec 6 }
    ipsecPermChanTunStats  OBJECT IDENTIFIER ::= { ipsec 7 }
    ipsecTransChanTunStats OBJECT IDENTIFIER ::= { ipsec 8 }
    ipsecNotifications     OBJECT IDENTIFIER ::= { ipsec 9 }
    ipsecErrorStats        OBJECT IDENTIFIER ::= { ipsec 10 }

    --
    -- SA and protection suite counts
    --

    ipsecTotalIkeSAs OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of phase 1 SAs established by the
            entity since boot time.
            It is not the total number of
            channels established by the entity since boot time. It
            includes SAs established to support both permanent and
            transient channels."
        ::= { ipsecProtSuiteCounts 1 }

    ipsecTotalIpsecProtSuites OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of protection suites established by the
            entity since boot time. It is not the total number of
            IPSec virtual tunnels established by the entity since
            boot time. It includes protection suites established to
            support both permanent and transient tunnels."
        ::= { ipsecProtSuiteCounts 2 }

    --
    -- permanent channel and tunnel statistics
    --

    ipsecCnfgPermIkeChannels OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of phase 1 control channels in the
            entity that are configured as permanent."
        ::= { ipsecPermChanTunStats 1 }

    ipsecUpPermIkeChannels OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of phase 1 control channels in the
            entity that are configured as permanent and are up and
            available for use."
        ::= { ipsecPermChanTunStats 2 }

    ipsecCnfgPermIpsecTunnels OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of phase 2 tunnels in the entity that
            are configured as permanent."
        ::= { ipsecPermChanTunStats 3 }

    ipsecUpPermIpsecTunnels OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of phase 2 tunnels in the entity that
            are configured as permanent and are up and available for
            use."
        ::= { ipsecPermChanTunStats 4 }

    --
    -- transient tunnel counts
    --

    ipsecTotalTransIkeTunnels OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of transient phase 1 tunnels
            established by the entity since boot time."
        ::= { ipsecTransChanTunStats 1 }

    ipsecCurrentTransIkeTunnels OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of transient phase 1 tunnels in the entity
            that are up and available for use at this moment in
            time."
        ::= { ipsecTransChanTunStats 2 }

    ipsecTotalTransIpsecTunnels OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of transient phase 2 tunnels
            established by the entity since boot time."
        ::= { ipsecTransChanTunStats 3 }

    ipsecCurrentTransIpsecTunnels OBJECT-TYPE
        SYNTAX Unsigned32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The number of phase 2 tunnels in the entity that are up
            and available for use at this moment in time."
        ::= { ipsecTransChanTunStats 4 }

    --
    -- transient protection suite traffic statistics
    --

    ipsecTotalTransInboundPackets OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of inbound packets carried on transient
            IPSec tunnels since boot time."
        ::= { ipsecTransChanTunStats 5 }

    ipsecTotalTransOutboundPackets OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of outbound packets carried on
            transient IPSec tunnels since boot time."
        ::= { ipsecTransChanTunStats 6 }

    ipsecTotalTransInboundTraffic OBJECT-TYPE
        SYNTAX Counter64
        UNITS "1024-byte blocks"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total amount of inbound traffic carried on transient
            IPSec tunnels since boot time, measured in 1024-octet
            blocks."
        ::= { ipsecTransChanTunStats 7 }

    ipsecTotalTransOutboundTraffic OBJECT-TYPE
        SYNTAX Counter64
        UNITS "1024-byte blocks"
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total amount of outbound traffic carried on
            transient IPSec tunnels since boot time, measured in
            1024-octet blocks."
        ::= { ipsecTransChanTunStats 8 }

    --
    -- error counts
    --

    ipsecUnknownSpiErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time with SPIs or CPIs that were not valid."
        ::= { ipsecErrorStats 1 }

    ipsecIkeProtocolErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time with IKE protocol errors.

            This includes packets with invalid cookies, but does not
            include errors that could be associated with specific IKE
            SAs."
        ::= { ipsecErrorStats 2 }

    ipsecIpsecAuthenticationErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time with authentication errors in the IPSec SAs.

            This includes all packets in which the hash value is
            determined to be invalid."
        ::= { ipsecErrorStats 3 }

    ipsecIpsecReplayErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time with replay errors in the IPSec SAs."
        ::= { ipsecErrorStats 4 }

    ipsecIpsecPolicyErrors OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of packets received by the entity since
            boot time and discarded due to policy errors. This
            includes packets that had selectors that were invalid for
            the SA that carried them."
        ::= { ipsecErrorStats 5 }

    -- the IPSec Notify Message MIB-Group
    --
    -- a collection of objects providing information about
    -- the occurrences of notify messages

    ipsecNotifyMessageTotalCount OBJECT-TYPE
        SYNTAX Counter64
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of all types of notify messages sent or
            received by the entity since boot time.

            It is the sum of all occurrences in the
            'ipsecNotifyCountTable'."
        ::= { ipsecNotifications 1 }

    ipsecNotifyCountTable OBJECT-TYPE
        SYNTAX SEQUENCE OF IpsecNotifyCountEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "The (conceptual) table containing information on IPSec
            notify message counts.

            This table MAY be sparsely populated; that is, rows for
            which the count is 0 may be absent."
        ::= { ipsecNotifications 2 }

    ipsecNotifyCountEntry OBJECT-TYPE
        SYNTAX IpsecNotifyCountEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION
            "An entry (conceptual row) containing the total number of
            occurrences of a notify message."
        INDEX { ipsecNotifyMessage }
        ::= { ipsecNotifyCountTable 1 }

    IpsecNotifyCountEntry ::= SEQUENCE {
        ipsecNotifyMessage        INTEGER,
        ipsecNotifyMessageCount   Counter32
    }

    ipsecNotifyMessage OBJECT-TYPE
        SYNTAX INTEGER (0..65535)
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The value representing a specific IPSec notify message,
            or 0 if unknown.

            Values are assigned from the set of notify message types
            as defined in Section 3.14.1 of [ISAKMP]. In addition,
            the value 0 may be used for this object when the object
            is used as a trap cause, and the cause is unknown."
        ::= { ipsecNotifyCountEntry 1 }

    ipsecNotifyMessageCount OBJECT-TYPE
        SYNTAX Counter32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "The total number of times the specific notify message
            has been received or sent by the entity since system
            boot."
        ::= { ipsecNotifyCountEntry 2 }

    --
    -- traps
    --

    ipsecTrapPermIkeNegFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeConChanIndex,
            ipsecNotifyMessage
        }
        STATUS current
        DESCRIPTION
            "An attempt to negotiate a phase 1 SA for the specified
            permanent IKE tunnel failed."
        ::= { ipsecTraps 1 }

    ipsecTrapTransIkeNegFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeConChanLocalIdType,
            ipsecIkeConChanLocalId,
            ipsecIkeConChanPeerIdType,
            ipsecIkeConChanPeerId,
            ipsecIkeSaLocalIpAddress,
            ipsecIkeSaLocalPortNumber,
            ipsecIkeSaPeerIpAddress,
            ipsecIkeSaPeerPortNumber,
            ipsecIkeConChanAuthMethod,
            ipsecIkeConChanPeerCertSerialNum,
            ipsecIkeConChanPeerCertIssuer,
            ipsecNotifyMessage
        }
        STATUS current
        DESCRIPTION
            "An attempt to negotiate a phase 1 SA for a transient IKE
            tunnel failed.
            This trap is different from the
            'ipsecTrapPermIkeNegFailure' trap, since this one will
            likely result in the removal of this entry from the IKE
            control channel table."
        ::= { ipsecTraps 2 }

    ipsecTrapInvalidCookie NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeSaPeerIpAddress,
            ipsecIkeSaPeerPortNumber
        }
        STATUS current
        DESCRIPTION
            "IKE packets with invalid cookies were detected from the
            specified peer.

            Implementations SHOULD send one trap per peer (within a
            reasonable time period), rather than sending one trap per
            packet."
        ::= { ipsecTraps 3 }

    ipsecTrapIpsecNegFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecIkeConChanIndex,
            ipsecNotifyMessage
        }
        STATUS current
        DESCRIPTION
            "An attempt to negotiate a phase 2 protection suite
            within the specified IKE tunnel failed."
        ::= { ipsecTraps 4 }

    ipsecTrapIpsecAuthFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecProtSuiteIndex
        }
        STATUS current
        DESCRIPTION
            "IPSec packets with invalid hashes were found in the
            specified protection suite.

            Implementations SHOULD send one trap per protection suite
            (within a reasonable time period), rather than sending
            one trap per packet."
        ::= { ipsecTraps 5 }

    ipsecTrapIpsecReplayFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecProtSuiteIndex
        }
        STATUS current
        DESCRIPTION
            "IPSec packets with invalid sequence numbers were found
            in the specified protection suite.

            Implementations SHOULD send one trap per protection suite
            (within a reasonable time period), rather than sending
            one trap per packet."
        ::= { ipsecTraps 6 }

    ipsecTrapIpsecPolicyFailure NOTIFICATION-TYPE
        OBJECTS {
            ipsecProtSuiteIndex
        }
        STATUS current
        DESCRIPTION
            "IPSec packets carrying packets with invalid selectors
            for the specified protection suite were found.
2633            Implementations SHOULD send one trap per protection suite
2634            (within a reasonable time period), rather than sending
2635            one trap per packet."
2636        ::= { ipsecTraps 7 }

2638    ipsecTrapInvalidSpi NOTIFICATION-TYPE
2639        OBJECTS {
2640            ipsecIkeSaPeerIpAddress
2641        }
2642        STATUS current
2643        DESCRIPTION
2644            "ESP, AH or IPCOMP packets with unknown SPIs (or CPIs)
2645            were detected from the specified peer.

2647            Implementations SHOULD send one trap per peer (within a
2648            reasonable time period), rather than sending one trap per
2649            packet."
2650        ::= { ipsecTraps 8 }

2652    END

2654 5. Security Considerations

2656    This MIB contains readable objects whose values provide information
2657    related to IPSec virtual tunnels. There are no objects with
2658    MAX-ACCESS clauses of read-write or read-create.

2660    While unauthorized access to the readable objects is relatively
2661    innocuous, unauthorized access to those objects through an insecure
2662    channel can provide attackers with more information about a system
2663    than an administrator may desire.

2665 6. Acknowledgements

2667    Portions of this document are based on the working paper
2668    "IP Security Management Information Base" by R. Thayer and U.
2669    Blumenthal.

2671    Significant contribution to this document comes from Charles Brooks
2672    and Carl Powell, both of GTE Internetworking. Obviously, the IPSec
2673    working group made significant contributions, specifically
2674    including M. Daniele, T. Kivinen, J. Shriver, J. Walker, S. Kelly and
2675    M. Richardson.

2677    Additionally, thanks are extended to Gabriella Dinescu for assistance
2678    in the preparation of the MIB structures.

2680 7. References

2682    [IPDOI]   Piper, D., "The Internet IP Security Domain of Interpretation
2683              for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt, work in
2684              progress.

2686    [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
2687              Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt, work in
2688              progress.
2690    [IKE]     Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
2691              draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.

2693    [ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
2694              "Internet Security Association and Key Management Protocol
2695              (ISAKMP)", draft-ietf-ipsec-isakmp-10.{ps,txt}, work in
2696              progress.

2698    [IPTun]   Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-
2699              02.txt, work in progress.

2701    [IGMIB]   McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
2702              using SMIv2", RFC 2233.

2704    [IPCOMP]  Shacham, A., Monsour, R., Pereira, R., Thomas, M., "draft-
2705              ietf-ippcp-protocol-06.txt", work in progress.

2707    [1902]    Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
2708              "Structure of Management Information for version 2 of the
2709              Simple Network Management Protocol (SNMPv2)", RFC 1902,
2710              January 1996.

2712    [2271]    Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
2713              for Describing SNMP Management Frameworks", RFC 2271, January
2714              1998.

2716    [1155]    Rose, M., and K. McCloghrie, "Structure and Identification of
2717              Management Information for TCP/IP-based Internets", RFC 1155,
2718              May 1990.

2720    [1212]    Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC
2721              1212, March 1991.

2723    [1215]    M. Rose, "A Convention for Defining Traps for use with the
2724              SNMP", RFC 1215, March 1991.

2726    [1903]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
2727              S. Waldbusser, "Textual Conventions for Version 2 of the
2728              Simple Network Management Protocol (SNMPv2)", RFC 1903,
2729              January 1996.

2731    [1904]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
2732              S. Waldbusser, "Conformance Statements for Version 2 of the
2733              Simple Network Management Protocol (SNMPv2)", RFC 1904,
2734              January 1996.

2736    [1157]    Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
2737              Network Management Protocol", RFC 1157, May 1990.
2739    [1901]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
2740              S. Waldbusser, "Introduction to Community-based SNMPv2", RFC
2741              1901, January 1996.

2743    [1906]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
2744              S. Waldbusser, "Transport Mappings for Version 2 of the
2745              Simple Network Management Protocol (SNMPv2)", RFC 1906,
2746              January 1996.

2748    [2272]    Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
2749              Processing and Dispatching for the Simple Network Management
2750              Protocol (SNMP)", RFC 2272, January 1998.

2752    [2274]    Blumenthal, U., and B. Wijnen, "User-based Security Model
2753              (USM) for version 3 of the Simple Network Management Protocol
2754              (SNMPv3)", RFC 2274, January 1998.

2756    [1905]    SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
2757              S. Waldbusser, "Protocol Operations for Version 2 of the
2758              Simple Network Management Protocol (SNMPv2)", RFC 1905,
2759              January 1996.

2761    [2273]    Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
2762              2273, SNMP Research, Inc., Secure Computing Corporation,
2763              Cisco Systems, January 1998.

2765    [2275]    Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
2766              Access Control Model (VACM) for the Simple Network Management
2767              Protocol (SNMP)", RFC 2275, January 1998.

2769 8. Revision History

2771    This section will be removed before publication.

2773    September 11, 1998   Initial internal release.
2774                         Traps not yet defined in ASN.1 format.
2775                         Device MIB not yet defined in ASN.1 format.

2777    October 4, 1998      Added significantly more explanations on
2778                         tunnel concept, including picture.
2779                         Added packet counters for traffic.
2780                         Made time usage consistent.
2781                         Added generic error counters.
2782                         Added SPIs and CPIs to IPSec SA table, and
2783                         cookies to IKE SA tunnel table.
2784                         Added peer port number to IKE SA table.
2785                         Added peer's certificate serial number and
2786                         issuer to IKE SA table.
2787                         More information about traps.
2788                         Added policy enforcement errors to IPSec
2789                         tunnels.

2791                         Issues:
2792                         1) Do aggregate statistic values on permanent
2793                            tunnels restart if link goes down and comes
2794                            back up again?
2795                         2) Should the IKE SA table indicate who was the
2796                            initiator?
2797                         3) Still have not put traps into ASN.1 format.
2798                         4) Still have not put entity-wide statistics
2799                            into ASN.1 format.

2801    November 2, 1998     Add ASN.1 for entity level objects.
2802                         Add ASN.1 for traps.
2803                         Non-error event traps removed.
2804                         Added appendix to duplicate assigned numbers
2805                         from current drafts.
2806                         Issues:
2807                         1) Do aggregate statistic values on permanent
2808                            tunnels restart if link goes down and comes
2809                            back up again?
2810                         2) Group and Compliance statements?
2811                         3) Sub-identifier under the experimental tree?

2813    November 24, 1998    Major changes; most too numerous to mention.
2814                         Single largest change is splitting IKE SAs from
2815                         what was the IKE tunnel table (now the control
2816                         channel table).
2817                         Issues:
2818                         1) Should aggregate statistic values on
2819                            permanent tunnels restart if link goes down and
2820                            comes back up again?
2821                         2) Group and Compliance statements?
2822                         3) Sub-identifier under the experimental tree?
2823                         4) Is existing address object implementation
2824                            okay for both IPv4 and IPv6?

2826 9. Appendix A

2828    This appendix reproduces the assigned numbers from the referenced
2829    IPSec documents that are used in the MIB. They are to be used as a
2830    reference only and are not part of this specification. As the IPSec
2831    protocol evolves, this list is almost certain to become incomplete.

2833    Portions are blatantly copied from [IKE], [IPDOI] and [ISAKMP].
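   As an added, non-normative example that is not part of the draft and
   not code from any IPSec implementation: the Python below shows how an
   agent could meet two behaviours specified in the MIB above, namely the
   sparsely populated ipsecNotifyCountTable (one Counter32 per
   ipsecNotifyMessage, with 0 meaning "unknown") and the guidance in the
   NOTIFICATION-TYPE descriptions that implementations SHOULD send one
   trap per peer or per protection suite within a reasonable time period
   rather than one trap per packet. The class and function names
   (NotifyCountTable, TrapThrottle, process_events), the sample event
   list and the 60-second window standing in for "a reasonable time
   period" are my own constructions; the notify values and trap OBJECTS
   are those listed in the MIB and in the tables that follow.

```python
"""Agent-side helpers for two behaviours the IPSec MIB draft describes:
the sparse ipsecNotifyCountTable and the per-peer / per-protection-suite
trap rate limiting its NOTIFICATION-TYPE descriptions call for.
Added example, not code from the draft; helper names are assumptions."""
from collections import defaultdict

COUNTER32_MAX = 2**32 - 1   # Counter32 wraps modulo 2^32
NOTIFY_UNKNOWN = 0          # ipsecNotifyMessage value meaning "unknown"

# ISAKMP notify types as reproduced in Appendix A (a representative subset).
NOTIFY_NAMES = {
    4: "INVALID-COOKIE", 11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN",
    24: "AUTHENTICATION-FAILED", 16384: "CONNECTED",
    24576: "RESPONDER-LIFETIME", 24577: "REPLAY-STATUS", 24578: "INITIAL-CONTACT",
}

# OBJECTS clause of each trap, in order, as defined in the MIB above.
TRAP_OBJECTS = {
    "ipsecTrapInvalidCookie": ("ipsecIkeSaPeerIpAddress", "ipsecIkeSaPeerPortNumber"),
    "ipsecTrapIpsecAuthFailure": ("ipsecProtSuiteIndex",),
    "ipsecTrapIpsecNegFailure": ("ipsecIkeConChanIndex", "ipsecNotifyMessage"),
}


def ipsec_notify_message(raw):
    """Map a notify type seen on the wire to an ipsecNotifyMessage INDEX value;
    anything that is not a 16-bit notify type is folded to 0 ("unknown")."""
    if isinstance(raw, int) and 1 <= raw <= 65535:
        return raw
    return NOTIFY_UNKNOWN


class NotifyCountTable:
    """ipsecNotifyCountTable: one Counter32 row per notify type actually seen."""

    def __init__(self):
        self._counts = {}

    def record(self, raw_notify):
        key = ipsec_notify_message(raw_notify)
        self._counts[key] = (self._counts.get(key, 0) + 1) & COUNTER32_MAX
        return key

    def count(self, notify_message):
        """ipsecNotifyMessageCount of one row (0 if the row does not exist)."""
        return self._counts.get(notify_message, 0)

    def rows(self):
        """Rows in INDEX order, as a GETNEXT walk of the table would return them."""
        return [(k, NOTIFY_NAMES.get(k, "unknown"), c)
                for k, c in sorted(self._counts.items())]


class TrapThrottle:
    """Send at most one trap per (trap, key) within `window` seconds. The key is
    what the trap's OBJECTS identify (peer address/port, protection-suite or
    control-channel index), so a flood from one peer cannot starve traps about
    another; events inside the window are counted rather than sent."""

    def __init__(self, window_seconds=60.0):
        self.window = window_seconds
        self._last_sent = {}
        self.suppressed = defaultdict(int)

    def admit(self, trap, key, now):
        last = self._last_sent.get((trap, key))
        if last is None or now - last >= self.window:
            self._last_sent[(trap, key)] = now
            return True
        self.suppressed[(trap, key)] += 1
        return False


def process_events(events, window_seconds=60.0):
    """Feed time-ordered (timestamp, trap, key, notify) events through the count
    table and the throttle; notify is None unless the trap carries
    ipsecNotifyMessage. Returns (traps_sent, table, throttle)."""
    table, throttle, sent = NotifyCountTable(), TrapThrottle(window_seconds), []
    for ts, trap, key, notify in events:
        values = list(key) if isinstance(key, tuple) else [key]
        if notify is not None:
            values.append(table.record(notify))   # every notify is counted ...
        if throttle.admit(trap, key, ts):         # ... but traps are rate limited
            sent.append((ts, trap, dict(zip(TRAP_OBJECTS[trap], values))))
    return sent, table, throttle


# Constructed agent events (not captured from any device); times in seconds.
SAMPLE_EVENTS = [
    (0.0,  "ipsecTrapInvalidCookie", ("192.0.2.10", 500), None),
    (0.2,  "ipsecTrapInvalidCookie", ("192.0.2.10", 500), None),    # suppressed
    (0.4,  "ipsecTrapInvalidCookie", ("192.0.2.10", 500), None),    # suppressed
    (1.0,  "ipsecTrapInvalidCookie", ("198.51.100.7", 500), None),  # other peer: sent
    (2.0,  "ipsecTrapIpsecAuthFailure", 7, None),
    (2.1,  "ipsecTrapIpsecAuthFailure", 7, None),                   # suppressed
    (3.0,  "ipsecTrapIpsecNegFailure", 3, 14),                      # NO-PROPOSAL-CHOSEN
    (3.5,  "ipsecTrapIpsecNegFailure", 3, 14),                      # counted, not sent
    (4.0,  "ipsecTrapIpsecNegFailure", 9, 70000),                   # not 16-bit: row 0
    (61.0, "ipsecTrapInvalidCookie", ("192.0.2.10", 500), None),    # window elapsed
]

if __name__ == "__main__":
    sent, table, throttle = process_events(SAMPLE_EVENTS)
    for ts, trap, varbinds in sent:
        print(f"t={ts:5.1f} {trap} {varbinds}")
    print("notify rows:", table.rows())
    print("suppressed:", dict(throttle.suppressed))
```

   Two design points worth noting. The throttle key is deliberately the
   same thing the trap's OBJECTS identify, so that suppression happens
   per peer or per protection suite, exactly the granularity the
   descriptions specify, and the suppressed counts remain available for
   the operator to read alongside the error counters. Out-of-range
   notify values are folded into row 0 rather than dropped, so an
   unexpected peer behaviour still shows up in the table.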
2835    ipsecIkeSaEncAlg - Encryption Algorithm
2836        DES-CBC                         1
2837        IDEA-CBC                        2
2838        Blowfish-CBC                    3
2839        RC5-R16-B64-CBC                 4
2840        3DES-CBC                        5
2841        CAST-CBC                        6

2843    ipsecIkeSaPeerIdType

2845        ID Type                     Value
2846        -------                     -----
2847        RESERVED                        0
2848        ID_IPV4_ADDR                    1
2849        ID_FQDN                         2
2850        ID_USER_FQDN                    3
2851        ID_IPV4_ADDR_SUBNET             4
2852        ID_IPV6_ADDR                    5
2853        ID_IPV6_ADDR_SUBNET             6
2854        ID_IPV4_ADDR_RANGE              7
2855        ID_IPV6_ADDR_RANGE              8
2856        ID_DER_ASN1_DN                  9
2857        ID_DER_ASN1_GN                 10
2858        ID_KEY_ID                      11

2860    ipsecIkeSaHashAlg - Hash Algorithm
2861        MD5                             1
2862        SHA                             2
2863        Tiger                           3

2865    ipsecIkeSaAuthMethod - Authentication Method
2866        pre-shared key                  1
2867        DSS signatures                  2
2868        RSA signatures                  3
2869        Encryption with RSA             4
2870        Revised encryption with RSA     5

2872    ipsecIkeSaDifHelGroupDesc - Group Description
2873        default 768-bit MODP group      1
2874        alternate 1024-bit MODP group   2
2875        EC2N group on GP[2^155]         3
2876        EC2N group on GP[2^185]         4

2878    ipsecIkeSaDifHelGroupType - Group Type
2879        MODP (modular exponentiation group)         1
2880        ECP (elliptic curve group over GF[P])       2
2881        EC2N (elliptic curve group over GF[2^N])    3

2883    ipsecTunnelEspEncAlg

2885        Transform ID                Value
2886        ------------                -----
2887        RESERVED                        0
2888        ESP_DES_IV64                    1
2889        ESP_DES                         2
2890        ESP_3DES                        3
2891        ESP_RC5                         4
2892        ESP_IDEA                        5
2893        ESP_CAST                        6
2894        ESP_BLOWFISH                    7
2895        ESP_3IDEA                       8
2896        ESP_DES_IV32                    9
2897        ESP_RC4                        10
2898        ESP_NULL                       11

2900    ipsecTunnelEspAuthAlg - Authentication Algorithm
2901        RESERVED                        0
2902        HMAC-MD5                        1
2903        HMAC-SHA                        2
2904        DES-MAC                         3
2905        KPDK                            4

2907    ipsecTunnelAhAuthAlg

2909        Transform ID                Value
2910        ------------                -----
2911        RESERVED                      0-1
2912        AH_MD5                          2
2913        AH_SHA                          3
2914        AH_DES                          4

2916    ipsecTunnelCompAlg

2918        Transform ID                Value
2919        ------------                -----

2921        RESERVED                        0
2922        IPCOMP_OUI                      1
2923        IPCOMP_DEFLATE                  2
2924        IPCOMP_LZS                      3
2925        IPCOMP_V42BIS                   4

2927    NOTIFY MESSAGES - ERROR TYPES

2929        Errors                                  Value
2930        INVALID-PAYLOAD-TYPE                        1
2931        DOI-NOT-SUPPORTED                           2
2932        SITUATION-NOT-SUPPORTED                     3
2933        INVALID-COOKIE                              4
2934        INVALID-MAJOR-VERSION                       5
2935        INVALID-MINOR-VERSION                       6
2936        INVALID-EXCHANGE-TYPE                       7
2937        INVALID-FLAGS                               8
2938        INVALID-MESSAGE-ID                          9
2939        INVALID-PROTOCOL-ID                        10
2940        INVALID-SPI                                11
2941        INVALID-TRANSFORM-ID                       12
2942        ATTRIBUTES-NOT-SUPPORTED                   13
2943        NO-PROPOSAL-CHOSEN                         14
2944        BAD-PROPOSAL-SYNTAX                        15
2945        PAYLOAD-MALFORMED                          16
2946        INVALID-KEY-INFORMATION                    17
2947        INVALID-ID-INFORMATION                     18
2948        INVALID-CERT-ENCODING                      19
2949        INVALID-CERTIFICATE                        20
2950        CERT-TYPE-UNSUPPORTED                      21
2951        INVALID-CERT-AUTHORITY                     22
2952        INVALID-HASH-INFORMATION                   23
2953        AUTHENTICATION-FAILED                      24
2954        INVALID-SIGNATURE                          25
2955        ADDRESS-NOTIFICATION                       26
2956        NOTIFY-SA-LIFETIME                         27
2957        CERTIFICATE-UNAVAILABLE                    28
2958        UNSUPPORTED-EXCHANGE-TYPE                  29
2959        UNEQUAL-PAYLOAD-LENGTHS                    30
2960        RESERVED (Future Use)               31 - 8191
2961        Private Use                      8192 - 16383

2963    NOTIFY MESSAGES - STATUS TYPES
2964        Status                                  Value
2965        CONNECTED                               16384
2966        RESERVED (Future Use)           16385 - 24575
2967        DOI-specific codes              24576 - 32767
2968        Private Use                     32768 - 40959
2969        RESERVED (Future Use)           40960 - 65535

2971        Notify Messages - Status Types          Value
2972        ------------------------------          -----
2973        RESPONDER-LIFETIME                      24576
2974        REPLAY-STATUS                           24577
2975        INITIAL-CONTACT                         24578

2977 Editor's Address

2979    Tim Jenkins
2980    tjenkins@timestep.com
2981    TimeStep Corporation
2982    362 Terry Fox Drive
2983    Kanata, ON
2984    Canada
2985    K2K 2P5
2986    +1 (613) 599-3610

2988    The IPSec working group can be contacted via the IPSec working
2989    group's mailing list (ipsec@tis.com) or through its chairs:

2991    Robert Moskowitz
2992    rgm@icsa.net
2993    International Computer Security Association

2995    Theodore Y. Ts'o
2996    tytso@MIT.EDU
2997    Massachusetts Institute of Technology