Internet Engineering Task Force                            Tim Jenkins
IP Security Working Group                              Catena Networks
Internet Draft                                         October 5, 2001

                       IPsec Tunnel Monitoring MIB

Status of this Memo

   Informational

   This document provides information for the Internet community. This document does not specify an Internet standard of any kind, nor is it intended to specify an Internet standard. Future considerations related to Internet standards are the opinions of the author, and not the IPsec working group.

   This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) Tim Jenkins (2001)

Jenkins                  Expires April 5, 2001                  [Page 1]

Internet Draft          IPsec Tunnel Monitoring MIB      October 5, 2001

Table of Contents

   1. Introduction..................................................2
   2. The SNMP Management Framework.................................3
   2.1 Object Definitions..........................................4
   3. IPsec MIB Objects Architecture................................4
   3.1 Control Channels............................................4
   3.2 IPsec Virtual Tunnels.......................................5
   3.3 Tunnel MIB and Interface MIB Consideration..................6
   3.4 Channel and Tunnel Types....................................7
   3.5 MIB Tables..................................................7
   3.5.1 Control Channel Table.....................................8
   3.5.2 IKE SA Table.............................................10
   3.5.3 Tunnel Table.............................................10
   3.5.4 SA Suite Table...........................................10
   3.6 IPsec MIB Traps............................................11
   3.7 IPsec Entity Level Objects.................................11
   4. MIB Definitions..............................................12
   5. Security Considerations......................................48
   6. Acknowledgements.............................................49
   7. References...................................................49
   8. Revision History.............................................51

1. Introduction

   This document defines monitoring and status MIBs for specific applications of IPsec's security associations (SAs). The specific applications are for the purposes of virtual private networking (VPN) and secure remote access (SRA) applications.

   The MIB allows system administrators to determine operating conditions and perform system operational level monitoring of the VPN and SRA part of the network. Statistics and traps are provided as well. It builds upon the lower level IPsec MIBs that monitor specific phase 1 (IKE) and phase 2 (IPsec) SAs.

   It does not define MIBs that may be used for configuring IPsec implementations or for examination of configuration. It does not provide low-level diagnostic or debugging information. Further, it does not provide policy information.
   The IPsec tunnel MIB definitions use a virtual tunnel model for phase 2 SAs, and a virtual channel model for phase 1 SAs. The virtual tunnel model is used to allow the use of IPsec from a virtual private networking (VPN) point of view. This allows users of IPsec based products to get similar monitoring and statistical information from an IPsec based VPN as they would from a VPN based on other technologies, such as Frame Relay. The virtual channel model is used to model the logical control channel that exists due to the presence of (actual or potential) phase 1 SAs.

   Finally, it is intended to illustrate how high level MIBs can be built on top of the IPsec MIBs ([IPSECTC], [IDIMIB], [IKEMIB], [IMMIB]).

2. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major components:

   o An overall architecture, described in RFC 2571 [RFC2571].

   o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215 [RFC1215]. The second version, called SMIv2, is described in STD 58, RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580 [RFC2580].

   o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [RFC1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [RFC1901] and RFC 1906 [RFC1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

   o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [RFC1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [RFC1905].

   o A set of fundamental applications described in RFC 2573 [RFC2573] and the view-based access control mechanism described in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine-readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine-readable information is not considered to change the semantics of the MIB.

2.1 Object Definitions

   Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type.

3. IPsec MIB Objects Architecture

   This MIB consists of two separate groups of objects. The two groups are the tunnel group and the channel group.
   Channels and tunnels are defined below. Within the tunnel group, there is a tunnel table, a table to get to the suites in the tunnel, a set of aggregate statistics on the tunnels, and tunnel related traps. The channel group is similar in that there is a channel table, a table to get to the IKE SAs in the channel, a set of aggregate statistics on the channels, and channel related traps.

3.1 Control Channels

   The primary use of phase 1 SAs is to allow host implementations to exchange keying material for phase 2 negotiations and to perform IPsec SA management. Since the host implementation, at a high level, does not necessarily care which particular phase 1 SA it uses to perform these functions, the concept of an IKE control channel is introduced as a logical entity.

   The control channel is the virtual control channel created by the existence of phase 1 SAs established or that may be established between two peers. This will often be abbreviated to channel in this document.

   The need for this abstraction is also in part due to the ability of IPsec SA suites to exist beyond the expiration of the IKE SA that created them. Further, since there is no requirement that an IKE phase 1 SA exist continuously between peers that have IPsec SAs between them, it is possible that the channel may have no valid IKE SAs supporting it. In these cases, it is assumed that an IKE SA could be created on demand.

   Control channels appear in their own table, and each row describes a single control channel. The IDs at each end uniquely identify the IKE control channel, since it is a logical peer to peer communications channel. It contains information common to all phase 1 SAs that are part of it, and aggregate statistics for the same phase 1 SAs. Additionally, it contains aggregate statistics for all phase 2 SAs created by it.
3.2 IPsec Tunnels

   IPsec tunnels are created by the existence of SA suites (as defined by the IKE Monitoring MIB [IKEMIB]). The tunnel concept comes from the effect of services on packets that are handled by SA suites.

   As a packet encounters an IPsec implementation, either in a security gateway or as a layer in a protocol stack, a policy decision causes the packet to be handed to an SA suite for processing. The SA suite then performs a service (including possibly compression) on the packet, then adds at least one new header and ultimately sends the packet into the normal IP stream for routing. (The only time no header is added is when the only service provided by the SA suite is compression, it is a transport mode SA suite, and the packet is not compressible. It is arguable that this particular case is outside IPsec!)

   When the secured (and possibly compressed) packet arrives at its destination, the peer IPsec implementation removes the added header or headers and reverse processes the packet. Another policy lookup is then done to make sure the sending peer appropriately handled the packet.

   Since the original packet is conceptually "hidden" between the two IPsec implementations, it can be considered tunneled. To help conceptually, if ESP could be negotiated with no encryption and no authentication, it would provide services very similar to IP-in-IP.

   The specific SA suite chosen by the policy lookup is based on what are called the selectors. The selectors are the packet's source IP address, its destination IP address, its layer 4 protocol and its layer 4 protocol source and destination port numbers. (Additional selectors are also possible.) The policy system uses this information to assign the packet to an SA suite for handling.

   Since it is irrelevant to the packet which specific SA suite provided the services, and since all SA suites with the same selectors normally provide the same service, the existence of any and all SA suites assigned to the selector effectively creates a tunnel for the packets. In other words, the selectors used to assign the security services to the packet identify the tunnel created by the SA suites.

   The selectors are explained in detail in [SECARCH].

3.3 Tunnel MIB and Interface MIB Consideration

   It should be noted that the MIBs here are not extensions of the Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach was rejected for a number of reasons, including:

   o The types of parameters required for those MIBs are not appropriate for IPsec MIBs. The parameters required for IPsec tunnels are related to security services and statistics associated with handling those services. There are no parameters like that associated with the Tunnel MIB.

   o The virtual tunnels created by IPsec SAs may be independent of other logical interfaces; this is an implementation issue. The IPsec layer may be placed in a number of locations on the host implementation. These locations may be above the IP layer, within the IP layer, or just below it. Therefore, the mapping of the IPsec virtual tunnels to tunnels described by the tunnel MIB is implementation dependent.

   o The tunnel end point definitions are not the same as those used by the tunnel MIB. The Tunnel MIB uniquely defines tunnels by a simple source and destination IP address pair. This is only a specific subset of the identifiers needed for IPsec virtual tunnels.

   Note that implementations may still augment the tables in this MIB to link them to tables in other MIBs if they so desire.

3.4 Channel and Tunnel Types

   Implementations may need to configure certain channels and tunnels with sets of characteristics.
   While the sets of characteristics are implementation dependent, this MIB provides the ability to assign an arbitrary type to the channels and tunnels. Each type will have an implementation dependent set of characteristics. However, the MIB will be able to use this type value to allow the monitoring of the channel and tunnel types as individual groups. How the implementation assigns the types is outside the scope of this monitoring MIB.

   An example of this might be to assign a value of one to the type object for permanent channels, a value of two for transient entries and a value of three for management channels. This causes permanent channels to appear together in the table, and before the transient entries. Finally, management channels would then appear as a group at the end of the table. It also allows statistics to be collected by type.

3.5 MIB Tables

   The MIB uses four tables that are linked as shown in Figure 3-1. The control channel table has an augmenting table that provides links to the specific IKE SAs that are used to support it. The tunnel table depends on the selector table from the IPsec monitoring MIB. There is also an augmenting table that provides links to the SA suites that are used to support it. The tunnel table itself indirectly links to the channel table by providing pointers to the endpoints used to create it.
   [Figure 3-1 is an ASCII diagram that did not survive extraction. It shows the channel table with a dependent expansion into the IKE SA table (the channel table uses the endpoint table from the IKE MIB), the tunnel table with a dependent expansion into the SA suite table, the tunnel table depending on the selector table, and the SA suite table and IKE SA table pointing down into the suite table and IKE SA table of the other monitoring MIBs.]

              Figure 3-1 IPsec Tunnel Monitoring MIB Tables

   A different diagram that is intended to show the tunnels that exist between two IPsec gateways is shown in Figure 3-2. Two host groups each are shown behind the IPsec gateways. Shown are the IKE control channel between the gateways and four possible IPsec virtual tunnels. The control channel has two active phase 1 SAs. Of the four possible virtual tunnels, one is shown with two IPsec SAs in it. One of these SAs may be just about to expire, while the other may have been created in anticipation of the expiration of the first. These SAs are the SAs that provide the service, supporting the existence of the tunnel.

   Two tables not shown in the figures are the optional tables that hold aggregate statistics based on the implementation dependent channel and tunnel type.

   [Figure 3-2 is an ASCII diagram that did not survive extraction. It shows gateways G1 and G2 with hosts H11 and H12 behind G1 and H21 and H22 behind G2; an IKE control channel between the gateways containing IKE SA 1 and IKE SA 2, with aggregate tunnel statistics; and four data tunnels, H11 to H21, H11 to H22, H12 to H21 and H12 to H22, each with aggregate SS statistics, where the H11 to H21 tunnel contains two IPsec SA suites with H11 and H21 selectors. SS - SA Suite.]

                  Figure 3-2 Illustration of IPsec Tunnels

3.5.1 Control Channel Table

   Each row in the control channel table corresponds to a logical control channel. Rows in this table do not have to have any real IKE SAs in order for them to appear in the table. There are two reasons for this. The first is that there is no requirement that IKE SAs continually exist between peers that are using IPsec.
   The second is that implementations may want to designate some channels between peers as permanent (as opposed to transient), and want them to appear in the table even if no SAs exist or have existed.

   Rows in the table are effectively indexed by the endpoints of the peers. In addition, an integer is added as a prefix to the index and is the arbitrary type described earlier.

3.5.2 IKE SA Table

   This table's purpose is to allow administrators to get to the specific IKE SAs that make up a channel. This augments the control channel table, by using the same indices and adding an arbitrary integer for each of its own rows.

   Each row contains the identifier of the specific IKE SA used. The identifier comes from the IKE monitoring MIB's IKE SA table, and specifies the index of the specific row required.

   Note that rows in this table do not exist for channels that have no active IKE SAs.

3.5.3 Tunnel Table

   Each row in the tunnel table corresponds to a logical tunnel between entities. Rows in this table do not have to have any real phase 2 SA suites in order for them to appear in the table. However, since selectors identify tunnels in this MIB, a selector that is the tunnel identifier must exist in the selector table of the IPsec Monitoring MIB.

   As with channels, implementations may want to designate some tunnels between peers as permanent (as opposed to transient), and want them to appear in the table even if no SA suites exist or have existed.

   The SA suite selectors uniquely identify tunnels. However, since this may require considerable sorting overhead on agent implementations, and would make the number of indices be large (with large sub-identifiers as well), an arbitrary integer is used along with the tunnel type to perform tunnel indexing. A helper table is provided to search tunnels by selectors.
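   The control channel table as a manager would model it, written as an added example for this draft (it is not code from the draft or from any implementation of it). It mirrors the INDEX of ipsecChannelEntry (type, local endpoint, remote endpoint) and its counter columns on constructed rows, shows the walk order that the type prefix produces (section 3.4), recomputes the octet aggregates from a constructed IKE SA table, checks the counter identity the MIB descriptions state, and flags permanent channels that have had no IKE SA for too long (section 3.5.1). The class and field names, the sample rows and the 3600-second threshold are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Example values from the IpsecChanOrTunType textual convention.
UNKNOWN, PERMANENT, TRANSIENT, MANAGEMENT = 0, 1, 2, 3
TYPE_NAMES = {UNKNOWN: "unknown", PERMANENT: "permanent",
              TRANSIENT: "transient", MANAGEMENT: "management"}
# (ipsecChannelType, ipsecChannelLocalEndpoint, ipsecChannelRemoteEndpoint)
Index = Tuple[int, int, int]

@dataclass
class IkeSa:
    """Subset of an IKE Monitoring MIB saEntry (constructed field names)."""
    local_endpoint: int
    remote_endpoint: int
    in_octets: int    # saInOctets
    out_octets: int   # saOutOctets

@dataclass
class ChannelRow:
    """One ipsecChannelEntry; the first three fields are the INDEX, in order."""
    chan_type: int
    local_endpoint: int
    remote_endpoint: int
    current_sas: int          # ipsecChannelCurrentSAs
    total_sas: int            # ipsecChannelTotalSAs
    deleted_sas: int          # ipsecChannelDeletedSAs
    time_down_seconds: int    # ipsecChannelTimeDownSeconds
    inbound_octets: int       # ipsecChannelInboundOctets
    outbound_octets: int      # ipsecChannelOutboundOctets

    def index(self) -> Index:
        return (self.chan_type, self.local_endpoint, self.remote_endpoint)

def walk_order(rows: List[ChannelRow]) -> List[Index]:
    """Order in which a GETNEXT walk returns the rows: instance sub-identifiers
    compare lexicographically, so the type prefix groups permanent, transient
    and management channels as section 3.4 describes."""
    return [r.index() for r in sorted(rows, key=ChannelRow.index)]

def sa_counters_consistent(row: ChannelRow) -> bool:
    """ipsecChannelCurrentSAs + ipsecChannelDeletedSAs == ipsecChannelTotalSAs."""
    return row.current_sas + row.deleted_sas == row.total_sas

def aggregate_octets(row: ChannelRow, sas: List[IkeSa]) -> Tuple[int, int]:
    """Recompute the channel octet counters, defined by the MIB as the sum of
    saInOctets/saOutOctets over the channel's IKE SAs (matched by endpoints)."""
    members = [s for s in sas if (s.local_endpoint, s.remote_endpoint)
               == (row.local_endpoint, row.remote_endpoint)]
    return (sum(s.in_octets for s in members), sum(s.out_octets for s in members))

def stats_by_type(rows: List[ChannelRow]) -> Dict[str, Dict[str, int]]:
    """Per-type aggregates, the grouping the type value is meant to enable."""
    out: Dict[str, Dict[str, int]] = {}
    for r in rows:
        bucket = out.setdefault(TYPE_NAMES.get(r.chan_type, "unknown"),
                                {"channels": 0, "current_sas": 0})
        bucket["channels"] += 1
        bucket["current_sas"] += r.current_sas
    return out

def down_permanent_channels(rows: List[ChannelRow], max_down: int) -> List[Index]:
    """Permanent channels with no live IKE SA for more than max_down seconds.
    Such rows stay in the table by design, so a manager must look at
    CurrentSAs and TimeDownSeconds, not row presence, to see a quiet peer."""
    return [r.index() for r in rows
            if r.chan_type == PERMANENT and r.current_sas == 0
            and r.time_down_seconds > max_down]

def audit(rows: List[ChannelRow], sas: List[IkeSa]) -> List[str]:
    """One finding per row whose reported counters do not add up."""
    findings = []
    for r in rows:
        if not sa_counters_consistent(r):
            findings.append(f"{r.index()}: SA counters inconsistent")
        if aggregate_octets(r, sas) != (r.inbound_octets, r.outbound_octets):
            findings.append(f"{r.index()}: octet counters differ from IKE SA table")
    return findings

# Constructed sample data; endpoint numbers stand for row indices into the IKE
# MIB's endpoint table and are illustrative only.
SAMPLE_SAS = [IkeSa(1, 7, 1000, 2000), IkeSa(1, 7, 500, 300),
              IkeSa(1, 9, 40, 60), IkeSa(2, 7, 10, 10)]
SAMPLE_ROWS = [
    ChannelRow(TRANSIENT, 1, 9, 1, 3, 1, 0, 40, 60),      # counters do not add up
    ChannelRow(PERMANENT, 1, 7, 2, 2, 0, 0, 1500, 2300),  # healthy site-to-site
    ChannelRow(PERMANENT, 1, 8, 0, 5, 5, 7200, 0, 0),     # down for two hours
    ChannelRow(MANAGEMENT, 2, 7, 1, 1, 0, 0, 10, 10),
]

if __name__ == "__main__":
    print("walk order:", walk_order(SAMPLE_ROWS))
    print("by type:", stats_by_type(SAMPLE_ROWS))
    print("down permanent:", down_permanent_channels(SAMPLE_ROWS, 3600))
    print("findings:", audit(SAMPLE_ROWS, SAMPLE_SAS))
```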
3.5.4 SA Suite Table This table's purpose to allow administrators to get to the specific phase 2 SA suites that make up a tunnel. This augments the tunnel table, by using the same indices and adding an arbitrary integer for each of its own rows. Each row contains the object identifier of the specific phase 2 SA suite used. The object identifier comes from the IKE monitoring MIB's suite table, and specifies the row of that table. Note that rows in this table do not exist for tunnels that have no active SA suites. 3.6 IPsec MIB Traps Traps are provided to let system administrators know about the existence of tunnel and channel related events occurring in the entity. Traps are provided only for channel up, channel down, tunnel up and tunnel down events. Negotiation failures are assumed to be covered by a lower level MIB. Traps may be disabled on a global basis for channels and tunnels independently. 3.7 IPsec Entity Level Objects This part of the MIB carries statistics global to the IPsec device. Statistics included are aggregate numbers of channels and tunnels, and aggregate errors. Jenkins Expires April 4, 2001 [Page 11] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 4. MIB Definitions IPSEC-TUN-MON-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64, Unsigned32, Gauge32, OBJECT-IDENTITY, experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI TEXTUAL-CONVENTION, TruthValue FROM SNMPv2-TC InetAddressType, InetAddress FROM INET-ADDRESS-MIB IsakmpCookie FROM ISAKMP-DOI-IND-MON-MIB ; ipsecTunMonModule MODULE-IDENTITY LAST-UPDATED "0010041200Z" ORGANIZATION "IETF IPsec Working Group" CONTACT-INFO "Tim Jenkins Catena Networks 307 Legget Drive Kanata, ON Canada K2K 3C8 +1 (613) 599-6430 tjenkins@catena.com " DESCRIPTION "The MIB module to describe logical IPsec channel and tunnel objects, and entity level objects and events associated with these objects." REVISION "0010041200Z" DESCRIPTION "Initial revision." -- ::= { ? 
} -- bogus value currently in use ::= { experimental 1010 } -- -- textual conventions -- IpsecChanOrTunType ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "A value indicating an implementation specific type for channels and tunnels. Jenkins Expires April 4, 2001 [Page 12] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 The values below are defined as examples only, and are not intended to imply any specific support or capability." SYNTAX INTEGER { unknown(0), permanent(1), transient(2), management(3) } -- -- MIB root (trunk?) -- ipsecTunnelMonitorMIB OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all branches." ::= { ipsecTunMonModule 1 } -- first level branches channelObjects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all channel related objects." ::= { ipsecTunnelMonitorMIB 1 } tunnelObjects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all tunnel related objects." ::= { ipsecTunnelMonitorMIB 2 } -- second level branches channelTables OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are tables for channels." ::= { channelObjects 1 } channelStats OBJECT-IDENTITY STATUS current Jenkins Expires April 4, 2001 [Page 13] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 DESCRIPTION "This is the base object identifier for all objects which are global (non-error) counters for channels." ::= { channelObjects 2 } channelErrors OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global error counters for channels." ::= { channelObjects 3 } channelTraps OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are traps for channels." 
::= { channelObjects 4 } channelTrapObjects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for objects which are used as part of traps for channels." ::= { channelObjects 5 } channelTrapControl OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are trap controls for channel traps." ::= { channelObjects 6 } channelGroups OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the groups in the channel part of this MIB." ::= { channelObjects 7 } channelConformance OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the conformance in the channel part of this MIB." ::= { channelObjects 8 } Jenkins Expires April 4, 2001 [Page 14] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 tunnelTables OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are tables for tunnels." ::= { tunnelObjects 1 } tunnelStats OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global (non-error) counters for tunnels." ::= { tunnelObjects 2 } tunnelErrors OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are global error counters for tunnels." ::= { tunnelObjects 3 } tunnelTraps OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are traps for tunnels." ::= { tunnelObjects 4 } tunnelTrapObjects OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for objects which are used as part of traps for tunnels." ::= { tunnelObjects 5 } tunnelTrapControl OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which are trap controls for tunnel traps." 
::= { tunnelObjects 6 } tunnelGroups OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the groups in the tunnel part of this MIB." ::= { tunnelObjects 7 } Jenkins Expires April 4, 2001 [Page 15] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 tunnelConformance OBJECT-IDENTITY STATUS current DESCRIPTION "This is the base object identifier for all objects which describe the conformance in the tunnel part of this MIB." ::= { tunnelObjects 8 } -- the IPsec Channel statistics group -- -- a collection of object providing information about channels -- created using IKE SAs currentChannels OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of channels currently in existence in the entity. This is the same as the number of rows in the channel table, whether there are IKE SAs for each row or not." ::= { channelStats 1 } totalChannels OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of channels created by the entity since system boot. Channel creation is defined as the addition of a row to the channel table, whether an IKE SA was created at the same time or not." ::= { channelStats 2 } deletedChannels OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of channels deleted by the entity. Channel deletion is defined as the removal of a row from the channel table, independent of the existence of the IKE SAs that may have supported it. Jenkins Expires April 4, 2001 [Page 16] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 Note that the sum of 'currentChannels' and 'deletedChannels' is equal to 'totalChannels'." 
::= { channelStats 3 } -- the IPsec Tunnel statistics group -- -- a collection of objects providing information about tunnels -- created using IPsec SA suites currentTunnels OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of tunnels currently in existence in the entity. This is the same as the number of rows in the tunnel table, whether there are IPsec SA suites for each row or not." ::= { tunnelStats 1 } totalTunnels OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of tunnels created by the entity since system boot. Tunnel creation is defined as the addition of a row to the tunnel table, whether an IPsec SA was created at the same time or not." ::= { tunnelStats 2 } deletedTunnels OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of tunnels deleted by the entity. Tunnel deletion is defined as the removal of a row from the tunnel table, independent of the existence of the phase 2 SA suites that may have supported it. Note that the sum of 'currentTunnels' and 'deletedTunnels' should is to 'totalTunnels'." ::= { tunnelStats 3 } Jenkins Expires April 4, 2001 [Page 17] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 -- the IPsec Control Channel MIB-Group -- -- a collection of objects providing information about -- IPsec's control channels ipsecChannelTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecChannelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information on control channels. The number of rows in this table is, at a minimum, the same as the number of IKE SAs that have the same phase 1 ID pairs. Additional rows for channels without active phase 1 SAs may also appear in the table. The maximum number of rows is implementation dependent." 
::= { channelTables 1 } ipsecChannelEntry OBJECT-TYPE SYNTAX IpsecChannelEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular control channel. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { ipsecChannelType, ipsecChannelLocalEndpoint, ipsecChannelRemoteEndpoint } ::= { ipsecChannelTable 1 } IpsecChannelEntry ::= SEQUENCE { -- indices ipsecChannelType IpsecChanOrTunType, ipsecChannelLocalEndpoint Unsigned32, ipsecChannelRemoteEndpoint Unsigned32, -- virtual channel status ipsecChannelCurrentSAs Gauge32, Jenkins Expires April 4, 2001 [Page 18] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 ipsecChannelTotalSAs Counter32, ipsecChannelDeletedSAs Counter32, ipsecChannelTimeUpSeconds Counter32, -- since SAs > 0 ipsecChannelTimeDownSeconds Counter32, -- since SAs = 0 -- aggregate statistics (all SAs) ipsecChannelInboundOctets Counter32, ipsecChannelOutboundOctets Counter32, ipsecChannelInboundPackets Counter32, ipsecChannelOutboundPackets Counter32, -- aggregate error statistics ipsecChannelReceiveErrors Counter32, ipsecChannelSendErrors Counter32, -- IPsec tunnel (Phase 2) statistics ipsecChannelCurrentTunnels Gauge32, ipsecChannelTotalTunnels Counter32, ipsecChannelDeletedTunnels Counter32, -- IPsec tunnel (Phase 2) statistics (aggregate) ipsecChannelTunnelInboundOctets Counter64, ipsecChannelTunnelOutboundOctets Counter64, ipsecChannelTunnelInboundPackets Counter64, ipsecChannelTunnelOutboundPackets Counter64, -- IPsec SA (Phase 2) error statistics (aggregate) ipsecChannelTunnelReceiveErrors Counter32, ipsecChannelTunnelSendErrors Counter32 } ipsecChannelType OBJECT-TYPE SYNTAX IpsecChanOrTunType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The type of control channel represented by this row. This is an implementation dependent value, used to assist in controlling how channels are sorted." 
::= { ipsecChannelEntry 1 } ipsecChannelLocalEndpoint OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS not-accessible STATUS current Jenkins Expires April 4, 2001 [Page 19] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 DESCRIPTION "The index value of the row of the IKE Monitoring MIB's endpoint table corresponding to the local endpoint." ::= { ipsecChannelEntry 2 } ipsecChannelRemoteEndpoint OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index value of the row of the IKE Monitoring MIB's endpoint table corresponding to the remote endpoint." ::= { ipsecChannelEntry 3 } ipsecChannelCurrentSAs OBJECT-TYPE SYNTAX Gauge32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of IKE SAs that are currently active that make up this channel. This value may be 0 if the channel has not yet been set up, or the implementation does not require the existence of IKE SAs for the channel to exist, or if the channel is considered a permanent entry in the table by the implementation. This value should not include SA establishment attempts in progress." ::= { ipsecChannelEntry 4 } ipsecChannelTotalSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of IKE SAs that are part of this channel that have been created in the entity since boot time. This value should not include failed SA establishment attempts." ::= { ipsecChannelEntry 5 } ipsecChannelDeletedSAs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current Jenkins Expires April 4, 2001 [Page 20] Internet Draft IPsec Tunnel Monitoring MIB October 5, 2001 DESCRIPTION "The total number of IKE SAs that are part of this channel that have been deleted in the entity since boot time. The sum of 'ipsecChannelCurrentSAs' and this value should equal ipsecChannelTotalSAs." 
    ::= { ipsecChannelEntry 6 }

ipsecChannelTimeUpSeconds OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of seconds since there has been at least
        one valid IKE SA supporting the channel.

        In other words, the number of seconds since the value of
        'ipsecChannelCurrentSAs' changed from 0 to any other value."
    ::= { ipsecChannelEntry 7 }

ipsecChannelTimeDownSeconds OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of seconds since the last valid IKE SA
        supporting the channel was deleted.

        In other words, the number of seconds since the value of
        'ipsecChannelCurrentSAs' changed to 0 from any other value."
    ::= { ipsecChannelEntry 8 }

ipsecChannelInboundOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes received by the
        channel.

        This is the sum of 'saInOctets' from the 'saEntry' of each
        IKE SA in 'saTable' that is part of this channel."
    ::= { ipsecChannelEntry 9 }

ipsecChannelOutboundOctets OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes sent by the channel.

        This is the sum of 'saOutOctets' from the 'saEntry' of each
        IKE SA in 'saTable' that is part of this channel."
    ::= { ipsecChannelEntry 10 }

ipsecChannelInboundPackets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the channel.

        This is the sum of 'saInPackets' from the 'saEntry' of each
        IKE SA in 'saTable' that is part of this channel."
    ::= { ipsecChannelEntry 11 }

ipsecChannelOutboundPackets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by the channel.

        This is the sum of 'saOutPackets' from the 'saEntry' of each
        IKE SA in 'saTable' that is part of this channel."
    ::= { ipsecChannelEntry 12 }

ipsecChannelReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of receive errors incurred in the channel.

        This is the sum of all receive errors from the 'saEntry' of
        each IKE SA in 'saTable' that is part of this channel."
    ::= { ipsecChannelEntry 13 }

ipsecChannelSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of send errors incurred in the channel.

        This is the sum of all send errors from the 'saEntry' of
        each IKE SA in 'saTable' that is part of this channel."
    ::= { ipsecChannelEntry 14 }

ipsecChannelCurrentTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPsec tunnels that are currently active that
        were created by this channel.

        This value should not include tunnel establishment attempts
        that are in progress."
    ::= { ipsecChannelEntry 15 }

ipsecChannelTotalTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec tunnels that have been created in
        the entity by this channel since boot time.

        This value should not include failed tunnel establishment
        attempts."
    ::= { ipsecChannelEntry 16 }

ipsecChannelDeletedTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec tunnels that have been deleted by
        this channel in the entity since boot time.

        The sum of 'ipsecChannelCurrentTunnels' and this value should
        equal 'ipsecChannelTotalTunnels'."
    ::= { ipsecChannelEntry 17 }

ipsecChannelTunnelInboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes received by all
        tunnels created by the channel."
    ::= { ipsecChannelEntry 18 }

ipsecChannelTunnelOutboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes sent by all tunnels
        created by the channel."
    ::= { ipsecChannelEntry 19 }

ipsecChannelTunnelInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all tunnels created
        by the channel."
    ::= { ipsecChannelEntry 20 }

ipsecChannelTunnelOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all tunnels created by
        the channel."
    ::= { ipsecChannelEntry 21 }

ipsecChannelTunnelReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of receive errors incurred in all tunnels
        created by the channel."
    ::= { ipsecChannelEntry 22 }

ipsecChannelTunnelSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of send errors incurred in all tunnels
        created by the channel."
    ::= { ipsecChannelEntry 23 }

-- the IPsec channel SA table
--
-- a table providing a reference to specific IKE SAs as used by
-- IPsec channels

ipsecChannelSaTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecChannelSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on which IKE
        SAs are used in channels.

        The number of rows is the same as the number of IKE SAs in
        the entity. The maximum number of rows is implementation
        dependent."
    ::= { channelTables 2 }

ipsecChannelSaEntry OBJECT-TYPE
    SYNTAX      IpsecChannelSaEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the identifiers of a
        specific IKE SA.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX { ipsecChannelType,
            ipsecChannelLocalEndpoint,
            ipsecChannelRemoteEndpoint,
            ipsecChannelSaIndex }
    ::= { ipsecChannelSaTable 1 }

IpsecChannelSaEntry ::= SEQUENCE {
    -- additional index to augment channel table
    ipsecChannelSaIndex                 Unsigned32,

    -- the SA specifiers
    ipsecChannelSaLocalIpAddrType       InetAddressType,
    ipsecChannelSaLocalIpAddress        InetAddress,
    ipsecChannelSaRemoteIpAddrType      InetAddressType,
    ipsecChannelSaRemoteIpAddress       InetAddress,
    ipsecChannelSaInitiatorCookie       IsakmpCookie,
    ipsecChannelSaResponderCookie       IsakmpCookie
}

ipsecChannelSaIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each IKE SA in the
        channel. It is recommended that values are assigned
        contiguously starting from 1."
    ::= { ipsecChannelSaEntry 1 }

ipsecChannelSaLocalIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the local address used to negotiate the IKE SA
        in the channel.

        (The value of 'saIkeLocalIpAddressType' from 'ikeMonModule'
        for this row.)"
    ::= { ipsecChannelSaEntry 2 }

ipsecChannelSaLocalIpAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(4|16|20))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local address used to negotiate the IKE SA in the
        channel.
        (The value of 'saIkeLocalIpAddress' from 'ikeMonModule' for
        this row.)"
    ::= { ipsecChannelSaEntry 3 }

ipsecChannelSaRemoteIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the remote address used to negotiate the IKE SA
        in the channel.

        (The value of 'saIkeRemoteIpAddressType' from 'ikeMonModule'
        for this row.)"
    ::= { ipsecChannelSaEntry 4 }

ipsecChannelSaRemoteIpAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(4|16|20))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote address used to negotiate the IKE SA in the
        channel.

        (The value of 'saIkeRemoteIpAddress' from 'ikeMonModule' for
        this row.)"
    ::= { ipsecChannelSaEntry 5 }

ipsecChannelSaInitiatorCookie OBJECT-TYPE
    SYNTAX      IsakmpCookie
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the initiator for the IKE SA
        in the channel.

        (The value of 'saIkeInitiatorCookie' from 'ikeMonModule' for
        this row.)"
    ::= { ipsecChannelSaEntry 6 }

ipsecChannelSaResponderCookie OBJECT-TYPE
    SYNTAX      IsakmpCookie
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the cookie used by the responder for the IKE SA
        in the channel.

        (The value of 'saIkeResponderCookie' from 'ikeMonModule' for
        this row.)"
    ::= { ipsecChannelSaEntry 7 }

-- the IPsec channel SA aggregates table
--
-- a table providing aggregate statistics for the user-defined
-- channel types

ipsecChanAggTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecChanAggEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The optional (conceptual) table containing information on
        aggregate statistics for the channel types.

        The number of rows is the same as the number of channel types
        supported by the entity. The maximum number of rows is
        implementation dependent."
    ::= { channelTables 3 }

ipsecChanAggEntry OBJECT-TYPE
    SYNTAX      IpsecChanAggEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the aggregate
        statistics for a specific channel type.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX { ipsecChanAggType }
    ::= { ipsecChanAggTable 1 }

IpsecChanAggEntry ::= SEQUENCE {
    -- index
    ipsecChanAggType                    IpsecChanOrTunType,

    -- channel counts
    ipsecChanAggCurrentChannels         Gauge32,
    ipsecChanAggTotalChannels           Counter32,
    ipsecChanAggDeletedChannels         Counter32,

    -- aggregate statistics (all SAs)
    ipsecChanAggInboundOctets           Counter64,
    ipsecChanAggOutboundOctets          Counter64,
    ipsecChanAggInboundPackets          Counter64,
    ipsecChanAggOutboundPackets         Counter64,

    -- aggregate error statistics
    ipsecChanAggReceiveErrors           Counter32,
    ipsecChanAggSendErrors              Counter32,

    -- IPsec tunnel (Phase 2) statistics
    ipsecChanAggCurrentTunnels          Gauge32,
    ipsecChanAggTotalTunnels            Counter32,
    ipsecChanAggDeletedTunnels          Counter32,

    -- IPsec tunnel (Phase 2) statistics (aggregate)
    ipsecChanAggTnlInboundOctets        Counter64,
    ipsecChanAggTnlOutboundOctets       Counter64,
    ipsecChanAggTnlInboundPackets       Counter64,
    ipsecChanAggTnlOutboundPackets      Counter64,

    -- IPsec SA (Phase 2) error statistics (aggregate)
    ipsecChanAggTnlReceiveErrors        Counter32,
    ipsecChanAggTnlSendErrors           Counter32
}

ipsecChanAggType OBJECT-TYPE
    SYNTAX      IpsecChanOrTunType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of control channel for which this row aggregates
        statistics."
    ::= { ipsecChanAggEntry 1 }

ipsecChanAggCurrentChannels OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of channels that are currently active that are of
        the specified type.
        This value should not include channel establishment attempts
        in progress."
    ::= { ipsecChanAggEntry 2 }

ipsecChanAggTotalChannels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of channels of this type that have been
        created in the entity since boot time.

        This value should not include failed channel establishment
        attempts."
    ::= { ipsecChanAggEntry 3 }

ipsecChanAggDeletedChannels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of channels of this type that have been
        deleted in the entity since boot time.

        The sum of 'ipsecChanAggCurrentChannels' and this value
        should equal 'ipsecChanAggTotalChannels'."
    ::= { ipsecChanAggEntry 4 }

ipsecChanAggInboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes received by
        all channels of this type.

        This is the sum of 'ipsecChannelInboundOctets' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 5 }

ipsecChanAggOutboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes sent by all
        channels of this type.

        This is the sum of 'ipsecChannelOutboundOctets' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 6 }

ipsecChanAggInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all channels of this
        type.

        This is the sum of 'ipsecChannelInboundPackets' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 7 }

ipsecChanAggOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all channels of this
        type.

        This is the sum of 'ipsecChannelOutboundPackets' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 8 }

ipsecChanAggReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of receive errors incurred by all channels
        of this type.

        This is the sum of 'ipsecChannelReceiveErrors' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 9 }

ipsecChanAggSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of send errors incurred by all channels of
        this type.

        This is the sum of 'ipsecChannelSendErrors' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 10 }

ipsecChanAggCurrentTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current number of active IPsec tunnels that have been
        created by all channels of this type.

        This is the sum of 'ipsecChannelCurrentTunnels' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 11 }

ipsecChanAggTotalTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec tunnels that have been created by
        all channels of this type.

        This is the sum of 'ipsecChannelTotalTunnels' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 12 }

ipsecChanAggDeletedTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec tunnels that have been deleted by
        all channels of this type.

        This is the sum of 'ipsecChannelDeletedTunnels' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type.

        The sum of 'ipsecChanAggCurrentTunnels' and this value should
        equal 'ipsecChanAggTotalTunnels'."
    ::= { ipsecChanAggEntry 13 }

ipsecChanAggTnlInboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes received by all
        tunnels created by all channels of this type.

        This is the sum of 'ipsecChannelTunnelInboundOctets' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 14 }

ipsecChanAggTnlOutboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of traffic measured in bytes sent by all tunnels
        created by all channels of this type.

        This is the sum of 'ipsecChannelTunnelOutboundOctets' from
        the 'ipsecChannelEntry' of each channel in
        'ipsecChannelTable' that is of this type."
    ::= { ipsecChanAggEntry 15 }

ipsecChanAggTnlInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all tunnels created
        by all channels of this type.

        This is the sum of 'ipsecChannelTunnelInboundPackets' from
        the 'ipsecChannelEntry' of each channel in
        'ipsecChannelTable' that is of this type."
    ::= { ipsecChanAggEntry 16 }

ipsecChanAggTnlOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all tunnels created by
        all channels of this type.

        This is the sum of 'ipsecChannelTunnelOutboundPackets' from
        the 'ipsecChannelEntry' of each channel in
        'ipsecChannelTable' that is of this type."
    ::= { ipsecChanAggEntry 17 }

ipsecChanAggTnlReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of receive errors incurred in all tunnels
        created by all channels of this type.

        This is the sum of 'ipsecChannelTunnelReceiveErrors' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 18 }

ipsecChanAggTnlSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of send errors incurred in all tunnels
        created by all channels of this type.

        This is the sum of 'ipsecChannelTunnelSendErrors' from the
        'ipsecChannelEntry' of each channel in 'ipsecChannelTable'
        that is of this type."
    ::= { ipsecChanAggEntry 19 }

-- the IPsec Tunnel MIB-Group
--
-- a collection of objects providing information about
-- IPsec SA suite-based virtual tunnels

ipsecTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPsec SA
        suite-based tunnels.

        The number of rows is, at a minimum, the same as the number
        of IPsec SA suites in the entity that have identical
        selectors. Additional rows for tunnels without active IPsec
        SA suites may also appear in the table. The maximum number
        of rows is implementation dependent."
    ::= { tunnelTables 1 }

ipsecTunnelEntry OBJECT-TYPE
    SYNTAX      IpsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
        particular tunnel.
        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX { ipsecTunnelType, ipsecTunnelId }
    ::= { ipsecTunnelTable 1 }

-- The order of the SEQUENCE components matches the OBJECT-TYPE
-- sub-identifiers below (local endpoint is 7, remote endpoint
-- is 8).
IpsecTunnelEntry ::= SEQUENCE {
    ipsecTunnelType                     IpsecChanOrTunType,
    ipsecTunnelId                       Unsigned32,

    -- tunnel endpoints
    ipsecTunnelLocalIpAddrType          InetAddressType,
    ipsecTunnelLocalIpAddress           InetAddress,
    ipsecTunnelRemoteIpAddrType         InetAddressType,
    ipsecTunnelRemoteIpAddress          InetAddress,

    -- creator identifiers
    ipsecTunnelLocalEndpoint            Unsigned32,
    ipsecTunnelRemoteEndpoint           Unsigned32,

    -- operational statistics
    ipsecTunnelCurrentSaSuites          Gauge32,
    ipsecTunnelTotalSaSuites            Counter32,
    ipsecTunnelDeletedSaSuites          Counter32,
    ipsecTunnelTimeUpSeconds            Counter32,  -- since suites > 0
    ipsecTunnelTimeDownSeconds          Counter32,  -- since suites = 0

    -- aggregate statistics
    ipsecTunnelTotalInboundOctets       Counter64,
    ipsecTunnelTotalOutboundOctets      Counter64,
    ipsecTunnelTotalInboundPackets      Counter64,
    ipsecTunnelTotalOutboundPackets     Counter64,

    -- aggregate error statistics
    ipsecTunnelSendErrors               Counter32,
    ipsecTunnelReceiveErrors            Counter32
}

ipsecTunnelType OBJECT-TYPE
    SYNTAX      IpsecChanOrTunType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of tunnel represented by this row.

        This is an implementation dependent value, used to assist in
        controlling how tunnels are sorted."
    ::= { ipsecTunnelEntry 1 }

ipsecTunnelId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index value of the selector table row that contains the
        selectors that are the identity of this tunnel.

        Specifically, this is the value of 'selectorIndex' from the
        appropriate row ('selectorEntry') from the table
        'selectorTable' from the MIB 'ipsecMonModule'.

        (NOTE: Should this be an OBJECT IDENTIFIER instead?)"
    ::= { ipsecTunnelEntry 2 }

ipsecTunnelLocalIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of address used by the local endpoint of the
        tunnel."
    ::= { ipsecTunnelEntry 3 }

ipsecTunnelLocalIpAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(4|16|20))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The address used by the local endpoint of the tunnel."
    ::= { ipsecTunnelEntry 4 }

ipsecTunnelRemoteIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of address used by the remote endpoint of the
        tunnel."
    ::= { ipsecTunnelEntry 5 }

ipsecTunnelRemoteIpAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(4|16|20))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The address used by the remote endpoint of the tunnel."
    ::= { ipsecTunnelEntry 6 }

ipsecTunnelLocalEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the local endpoint that negotiated this tunnel.

        It is the value of 'endpointIndex' from the correct row
        ('IkeEndpointEntry') of the 'ikeEndpointTable' from
        'ikeMonModule'.

        (NOTE: Should this be an OBJECT IDENTIFIER instead?)"
    ::= { ipsecTunnelEntry 7 }

ipsecTunnelRemoteEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the remote endpoint that negotiated this
        tunnel.

        It is the value of 'endpointIndex' from the correct row
        ('IkeEndpointEntry') of the 'ikeEndpointTable' from
        'ikeMonModule'."
    ::= { ipsecTunnelEntry 8 }

ipsecTunnelCurrentSaSuites OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of phase 2 SA suites that are currently active
        that make up this tunnel.
        This value may be 0 if the tunnel has not yet been set up, or
        the implementation does not require the existence of phase 2
        SA suites for the tunnel to exist, or if the tunnel is
        considered a permanent entry in the table by the
        implementation.

        This value should not include phase 2 SA suite establishment
        attempts in progress."
    ::= { ipsecTunnelEntry 9 }

ipsecTunnelTotalSaSuites OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 2 SA suites that are part of this
        tunnel that have been created in the entity since boot time.

        This value should not include failed phase 2 SA suite
        establishment attempts."
    ::= { ipsecTunnelEntry 10 }

ipsecTunnelDeletedSaSuites OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of phase 2 SA suites that are part of this
        tunnel that have been deleted in the entity since boot time.

        The sum of 'ipsecTunnelCurrentSaSuites' and this value should
        equal 'ipsecTunnelTotalSaSuites'."
    ::= { ipsecTunnelEntry 11 }

ipsecTunnelTimeUpSeconds OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of seconds since there has been at least
        one valid phase 2 SA suite supporting the tunnel.

        In other words, the number of seconds since the value of
        'ipsecTunnelCurrentSaSuites' changed from 0 to any other
        value."
    ::= { ipsecTunnelEntry 12 }

ipsecTunnelTimeDownSeconds OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of seconds since the last valid phase 2 SA
        suite supporting the tunnel was deleted.

        In other words, the number of seconds since the value of
        'ipsecTunnelCurrentSaSuites' changed to 0 from any other
        value."
    ::= { ipsecTunnelEntry 13 }

ipsecTunnelTotalInboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes received by
        the tunnel.

        This is the sum of 'suiteInUserOctets' from the 'suiteEntry'
        of each phase 2 SA suite in 'suiteTable' that is part of this
        tunnel."
    ::= { ipsecTunnelEntry 14 }

ipsecTunnelTotalOutboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes sent by the
        tunnel.

        This is the sum of 'suiteOutUserOctets' from the 'suiteEntry'
        of each phase 2 SA suite in 'suiteTable' that is part of this
        tunnel."
    ::= { ipsecTunnelEntry 15 }

ipsecTunnelTotalInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by the tunnel.

        This is the sum of 'suiteInPackets' from the 'suiteEntry' of
        each phase 2 SA suite in 'suiteTable' that is part of this
        tunnel."
    ::= { ipsecTunnelEntry 16 }

ipsecTunnelTotalOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by the tunnel.

        This is the sum of 'suiteOutPackets' from the 'suiteEntry' of
        each phase 2 SA suite in 'suiteTable' that is part of this
        tunnel."
    ::= { ipsecTunnelEntry 17 }

ipsecTunnelSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of send errors in the tunnel.

        This is the sum of 'suiteSendErrors' from the 'suiteEntry' of
        each phase 2 SA suite in 'suiteTable' that is part of this
        tunnel."
    ::= { ipsecTunnelEntry 18 }

ipsecTunnelReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of receive errors in the tunnel.

        This is the sum of 'suiteReceiveErrors' from the 'suiteEntry'
        of each phase 2 SA suite in 'suiteTable' that is part of this
        tunnel."
    ::= { ipsecTunnelEntry 19 }

-- the IPsec SA Suite MIB-Group
--
-- a collection of objects providing information about
-- IPsec SA suites used in virtual tunnels

ipsecTunnelSuiteTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecTunnelSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing information on IPsec SA
        suites.

        The number of rows is the same as the number of IPsec SA
        suites in the entity. The maximum number of rows is
        implementation dependent."
    ::= { tunnelTables 2 }

ipsecTunnelSuiteEntry OBJECT-TYPE
    SYNTAX      IpsecTunnelSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the identifiers of a
        particular SA suite.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX { ipsecTunnelType,
            ipsecTunnelId,
            ipsecTunnelSuiteIndex }
    ::= { ipsecTunnelSuiteTable 1 }

IpsecTunnelSuiteEntry ::= SEQUENCE {
    -- additional index
    ipsecTunnelSuiteIndex               Unsigned32,

    -- identifier of suite
    ipsecTunnelSuiteReference           OBJECT IDENTIFIER
}

ipsecTunnelSuiteIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each SA suite in the
        tunnel. It is recommended that values are assigned
        contiguously starting from 1."
    ::= { ipsecTunnelSuiteEntry 1 }

ipsecTunnelSuiteReference OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The object identifier of the IPsec SA suite row that
        represents the IPsec SA suite in the tunnel.

        Specifically, the value of this object is the object
        identifier of 'suiteIndex' of the appropriate row
        ('SuiteEntry') in 'suiteTable' from 'ikeMonModule'."
    ::= { ipsecTunnelSuiteEntry 2 }

-- the IPsec tunnel aggregates table
--
-- a table providing aggregate statistics for the user-defined
-- tunnel types

ipsecTunAggTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecTunAggEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The optional (conceptual) table containing information on
        aggregate statistics for the tunnel types.

        The number of rows is the same as the number of tunnel types
        supported by the entity. The maximum number of rows is
        implementation dependent."
    ::= { tunnelTables 3 }

ipsecTunAggEntry OBJECT-TYPE
    SYNTAX      IpsecTunAggEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the aggregate
        statistics for a specific tunnel type.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX { ipsecTunnelType }
    ::= { ipsecTunAggTable 1 }

IpsecTunAggEntry ::= SEQUENCE {
    -- tunnel counts of this type
    ipsecTunAggCurrentTunnels           Gauge32,
    ipsecTunAggTotalTunnels             Counter32,
    ipsecTunAggDeletedTunnels           Counter32,

    -- aggregate statistics
    ipsecTunAggInboundOctets            Counter64,
    ipsecTunAggOutboundOctets           Counter64,
    ipsecTunAggInboundPackets           Counter64,
    ipsecTunAggOutboundPackets          Counter64,

    -- aggregate error statistics
    ipsecTunAggSendErrors               Counter32,
    ipsecTunAggReceiveErrors            Counter32
}

ipsecTunAggCurrentTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of tunnels that are currently active that are of
        the specified type.

        This value should not include tunnel establishment attempts
        in progress."
    ::= { ipsecTunAggEntry 1 }

ipsecTunAggTotalTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of tunnels of this type that have been
        created in the entity since boot time.

        This value should not include failed tunnel establishment
        attempts."
    ::= { ipsecTunAggEntry 2 }

ipsecTunAggDeletedTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of tunnels of this type that have been
        deleted in the entity since boot time.

        The sum of 'ipsecTunAggCurrentTunnels' and this value should
        equal 'ipsecTunAggTotalTunnels'."
    ::= { ipsecTunAggEntry 3 }

ipsecTunAggInboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes received by
        all tunnels of this type.

        This is the sum of 'ipsecTunnelTotalInboundOctets' from the
        'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
        is of this type."
    ::= { ipsecTunAggEntry 4 }

ipsecTunAggOutboundOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total amount of traffic measured in bytes sent by all
        tunnels of this type.

        This is the sum of 'ipsecTunnelTotalOutboundOctets' from the
        'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
        is of this type."
    ::= { ipsecTunAggEntry 5 }

ipsecTunAggInboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all tunnels of this
        type.

        This is the sum of 'ipsecTunnelTotalInboundPackets' from the
        'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
        is of this type."
    ::= { ipsecTunAggEntry 6 }

ipsecTunAggOutboundPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all tunnels of this
        type.

        This is the sum of 'ipsecTunnelTotalOutboundPackets' from the
        'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
        is of this type."
    ::= { ipsecTunAggEntry 7 }

ipsecTunAggSendErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of send errors incurred by all tunnels of
        this type.

        This is the sum of 'ipsecTunnelSendErrors' from the
        'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
        is of this type."
    ::= { ipsecTunAggEntry 8 }

ipsecTunAggReceiveErrors OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of receive errors incurred by all tunnels
        of this type.

        This is the sum of 'ipsecTunnelReceiveErrors' from the
        'ipsecTunnelEntry' of each tunnel in 'ipsecTunnelTable' that
        is of this type."
    ::= { ipsecTunAggEntry 9 }

--
-- table to find tunnels based on the tunnel identifiers
--

tunnelBySelectorsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF TunnelBySelectorsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table that sorts the tunnels by the
        selectors.

        The number of rows in this table is the same as the number
        of tunnels in the entity."
    ::= { tunnelTables 4 }

tunnelBySelectorsEntry OBJECT-TYPE
    SYNTAX      TunnelBySelectorsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) referencing a particular tunnel.

        A row in this table cannot be created or deleted by SNMP
        operations on columns of the table."
    INDEX { tunnelBySelectorsHash, tunnelBySelectorsIndex }
    ::= { tunnelBySelectorsTable 1 }

TunnelBySelectorsEntry ::= SEQUENCE {
    -- index
    tunnelBySelectorsHash    OCTET STRING,
    tunnelBySelectorsIndex   Unsigned32,

    -- real tunnel identifiers
    tunnelBySelectorsId      Unsigned32,

    -- tunnel reference
    tunnelBySelectorsType    IpsecChanOrTunType,
    tunnelBySelectorsRef     OBJECT IDENTIFIER
}

tunnelBySelectorsHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(4))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The hash result of the full identifier of the tunnel.
        Precise definition to be completed."
    ::= { tunnelBySelectorsEntry 1 }

tunnelBySelectorsIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each tunnel in the
        table where the hash results of the tunnel identifiers
        collide. It is recommended that values are assigned
        contiguously starting from 1."
    ::= { tunnelBySelectorsEntry 2 }

tunnelBySelectorsId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The identifier of the tunnel. The value of this object is the
        index of the selector ('selectorIndex') row ('SelectorEntry')
        from the 'selectorTable' that identifies this tunnel."
    ::= { tunnelBySelectorsEntry 3 }

tunnelBySelectorsType OBJECT-TYPE
    SYNTAX      IpsecChanOrTunType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type assigned to the tunnel to which this row refers."
    ::= { tunnelBySelectorsEntry 4 }

tunnelBySelectorsRef OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The object identifier of 'tunnelIndex' in the row
        ('tunnelEntry') of the 'tunnelTable' to which this row refers."
    ::= { tunnelBySelectorsEntry 5 }

--
-- trap parameters, traps and control
--

channelTrapLocalEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "The index to an endpoint that is the local endpoint of a
        channel in a trap."
    ::= { channelTrapObjects 1 }

channelTrapRemoteEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "The index to an endpoint that is the remote endpoint of a
        channel in a trap."
    ::= { channelTrapObjects 2 }

tunnelTrapIdentifier OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "The index to a selector that is the identifier of a tunnel
        in a trap."
    ::= { tunnelTrapObjects 1 }

channelUpTrapEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates whether channelUp traps should be generated."
    DEFVAL { false }
    ::= { channelTrapControl 1 }

channelDownTrapEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates whether channelDown traps should be generated."
    DEFVAL { false }
    ::= { channelTrapControl 2 }

channelUp NOTIFICATION-TYPE
    OBJECTS { channelTrapLocalEndpoint, channelTrapRemoteEndpoint }
    STATUS  current
    DESCRIPTION
        "The specified channel is now up. (In other words, the number
        of current IKE SAs supporting the channel has changed from
        zero to a non-zero value.)"
    ::= { channelTraps 1 }

channelDown NOTIFICATION-TYPE
    OBJECTS { channelTrapLocalEndpoint, channelTrapRemoteEndpoint }
    STATUS  current
    DESCRIPTION
        "The specified channel is now down. (In other words, the number
        of current IKE SAs supporting the channel has changed to zero
        from a non-zero value.)"
    ::= { channelTraps 2 }

tunnelUpTrapEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates whether tunnelUp traps should be generated."
    DEFVAL { false }
    ::= { tunnelTrapControl 1 }

tunnelDownTrapEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates whether tunnelDown traps should be generated."
    DEFVAL { false }
    ::= { tunnelTrapControl 2 }

tunnelUp NOTIFICATION-TYPE
    OBJECTS { tunnelTrapIdentifier }
    STATUS  current
    DESCRIPTION
        "The specified tunnel is now up. (In other words, the number
        of current phase 2 SA suites supporting the tunnel has changed
        from zero to a non-zero value.)"
    ::= { tunnelTraps 1 }

tunnelDown NOTIFICATION-TYPE
    OBJECTS { tunnelTrapIdentifier }
    STATUS  current
    DESCRIPTION
        "The specified tunnel is now down. (In other words, the number
        of current phase 2 SA suites supporting the tunnel has changed
        to zero from a non-zero value.)"
    ::= { tunnelTraps 2 }

END

5. Security Considerations

This MIB contains readable objects whose values provide information related to IPsec virtual tunnels. There are no objects with MAX-ACCESS clauses of read-write or read-create, other than the trap control objects.

While unauthorized access to the readable objects is relatively innocuous, unauthorized access to those objects through an insecure channel can provide attackers with more information about a system than an administrator may desire.

Of particular concern is the ability to disable the transmission of traps. The traps defined in this MIB may appear due to badly configured systems and transient error conditions, but they may also appear due to attacks. If an attacker can disable these traps, they reduce some of the warnings that may be provided to system administrators. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP.
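The tunnelUp/tunnelDown trap semantics and the ipsecTunAggTable counters defined in the module above, worked through as an added example that is not part of this draft: a small Python model of an agent's tunnel state that derives ipsecTunAggCurrentTunnels, ipsecTunAggTotalTunnels and ipsecTunAggDeletedTunnels from phase 2 SA suite events, emits a notification only when the corresponding trap control object is true, and shows how a SET of tunnelDownTrapEnable to false suppresses exactly the warning the paragraph above is concerned with. The class, method and tunnel-type names are the example's own, not the draft's.

```python
# Added example, not from the draft: a minimal model of the agent state behind
# ipsecTunAggTable and the tunnelUp/tunnelDown traps; names here are invented.
from collections import defaultdict


class TunnelMonitor:
    def __init__(self):
        # one aggregate row per ipsecTunnelType: ipsecTunAgg{Current,Total,Deleted}Tunnels
        self.agg = defaultdict(lambda: {"current": 0, "total": 0, "deleted": 0})
        self.suites = defaultdict(int)   # live phase 2 SA suites per tunnel id
        self.types = {}                  # tunnel id -> ipsecTunnelType
        self.tunnelUpTrapEnable = self.tunnelDownTrapEnable = False  # DEFVAL { false }
        self.traps = []                  # emitted (notification, tunnelTrapIdentifier)

    def add_suite(self, tid, ttype):
        """A phase 2 SA suite for tunnel tid came up (a rekey adds one as well)."""
        if self.suites[tid] == 0:        # zero -> non-zero: the tunnel is now up
            self.types[tid] = ttype
            self.agg[ttype]["current"] += 1
            self.agg[ttype]["total"] += 1
            if self.tunnelUpTrapEnable:
                self.traps.append(("tunnelUp", tid))
        self.suites[tid] += 1

    def delete_suite(self, tid):
        """A phase 2 SA suite expired; losing the last one deletes the tunnel."""
        self.suites[tid] -= 1
        if self.suites[tid] == 0:        # non-zero -> zero: the tunnel is now down
            row = self.agg[self.types[tid]]
            row["current"] -= 1
            row["deleted"] += 1
            if self.tunnelDownTrapEnable:
                self.traps.append(("tunnelDown", tid))

    def invariants_hold(self):
        """ipsecTunAggCurrentTunnels + ipsecTunAggDeletedTunnels == ipsecTunAggTotalTunnels."""
        return all(r["current"] + r["deleted"] == r["total"] for r in self.agg.values())


def run_scenario():
    """Constructed scenario: a rekeyed VPN tunnel, an SRA tunnel, and a trap silenced by a SET."""
    m = TunnelMonitor()
    m.tunnelDownTrapEnable = True        # operator turns tunnelDown traps on
    m.add_suite(1, "vpn")
    m.add_suite(1, "vpn")                # rekey: a second suite, still one tunnel
    m.add_suite(2, "sra")
    m.delete_suite(1)                    # old suite expires, tunnel 1 stays up
    m.delete_suite(2)                    # tunnel 2 drops -> tunnelDown trap
    m.tunnelDownTrapEnable = False       # an unauthorised SET of tunnelDownTrapEnable
    m.delete_suite(1)                    # tunnel 1 drops and no trap is sent
    return m
```

The scenario ends with both tunnels down and only one tunnelDown notification recorded, which is why the draft wants SET access to the trap control objects restricted as tightly as access to the data itself.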
Not all versions of SNMP provide features for such a secure environment. SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPsec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that implementers consider the security features provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 2574 [RFC2574] and the View-based Access Control Model RFC 2575 [RFC2575] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

6. Acknowledgements

This document is based on an earlier series of MIB documents titled . Contributors to that series effectively contributed to this document.

7. References

[ADDRMIB] Daniele, M., Haberman, B., Routhier, S., Schoenwaelder, J., "Textual Conventions for Internet Network Addresses", RFC 2851, June 2000

[IDIMIB] Jenkins, T., Shriver, J., "ISAKMP DOI-Independent Monitoring MIB", draft-ietf-ipsec-isakmp-di-mon-mib-04.txt, October 3, 2001, work in progress

[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)", RFC 2409, November 1998

[IKEMIB] Jenkins, T., Shriver, J., "IKE Monitoring MIB", draft-ietf-ipsec-ike-mon-mib-03.txt, October 3, 2001, work in progress

[IMMIB] Jenkins, T., Shriver, J., "IPsec Monitoring MIB", draft-ietf-ipsec-monitor-mib-05.txt, October 3, 2001, work in progress

[IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP Payload Compression Protocol (IPComp)", RFC 3173, September 2001

[IPDOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998

[IPSECTC] Shriver, J., "IPsec DOI Textual Conventions MIB", draft-ietf-ipsec-doi-tc-mib-05.txt, October 3, 2001, work in progress

[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J., "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998

[OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, November 1998

[RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999

[RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990

[RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991

[RFC1215] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991

[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999

[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999

[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999

[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, May 1990

[RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996

[RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996

[RFC2572] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999

[RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999

[RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996

[RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2573, April 1999

[RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999

[RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 2570, April 1999

[SECARCH] Kent, S., Atkinson, R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998
8. Revision History

This section will be removed before publication.

October 4, 2001
    Initial release. No IANA number. No groups or compliance
    statements. Hash definitions for tunnel IDs not done.

Author's Address

Tim Jenkins
Catena Networks
307 Legget Drive
Kanata, ON
Canada K2K 3C8
+1 (613) 599-6430
tjenkins@catena.com

The IPsec working group can be contacted via the IPsec working group's mailing list (ipsec@lists.tislabs.com) or through its chairs:

Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology

Barbara Fraser
byfraser@cisco.com
Cisco Systems, Inc.

This document expires April 5, 2001.