[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec MIB

To: uri@watson.ibm.com
Subject: Re: IPSec MIB
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
Date: Wed, 09 Apr 1997 22:10:59 +0000
cc: ipsec@tis.com
In-reply-to: Your message of "Wed, 09 Apr 1997 17:48:09 -0400." <199704092148.RAA00302@alisan.ibm.net>
Sender: owner-ipsec@ex.tis.com

In message <199704092148.RAA00302@alisan.ibm.net>, Uri Blumenthal writes:
>
>	- a list of SPIs with the parameter values
>	  might be helpful;

Absolutely. Three implementations right now use the kernfs/procfs
interface for this.

>	- a list of the hashes of the keys in use
>	  might assist in debugging;

I'll point out that this allows for exhaustive search.

>	- some counters (number of rekeys, number of
>	  bad auth, garbled crypto, etc.) could be
>	  of some use;

Yes. Two implementations use the netstat mechanism to display such
information.

>Knobs/buttons:
>	- enforce rekey now;
>	- control of various windows and timeouts (make
>	  'em narrower or wider);
>	- enabling/disabling certain algorithms (that
>	  could be then used in the negotiations);
>	- enabling/disabling certain modes (i.e. from now
>	  on only encrypting SA can be negotiated);
>	- set certain parameters (length of something...?);
>	- again, anything else?

I'd argue against *setting* anything. This is best done through the
key management daemon and policy engine. SNMP would complicate matters.

>If this MIB is to be useful and not just a placeholder
>(like too many of the existing MIBs) - please give us
>your input.

This however is a very critical MIB. I'm not sure whether setting
IPsec related SNMP variables makes any sense, since most of the
decisions are taken at a user level process (the KMP).
My $.02 + tax.
-Angelos

References:

IPSec MIB

From: Uri Blumenthal <NOSPAM!uri@ibm.net>

Prev by Date: IPSec MIB
Next by Date: slicing and dicing
Prev by thread: IPSec MIB
Next by thread: Re: IPSec MIB
Index(es):
- Main
- Thread