
Re: FW: IPSec Monitoring MIB works for IPv4 only?



I suppose that we are running into the problems that IKE is far more
generous in what it allows compared to what people expect to do.  What
do we define the MIB to correspond with: IKE, or expected common
practice? 

There's no question that my proprietary MIB also has "tunnels".  There
are plenty of useful things there.  But there really ought to also be
a fast way to find your way into the MIB if the only thing you know is
the destination IP address and SPI.

I think my customer is looking at the "troubleshooting" part of
management, and your customer is looking at the "performance
monitoring" part of management.  Both are valid, and both should be
represented in the MIB.  (See Perkins' book.)

This brings up another issue.  I think "tunnel" is not the word to use
here.  In your own response, you flip between "tunnel" and "bundle".
Since "bundle" is what is used in the IPSec Architecture document, I
think it would be a better-chosen word to use for what the
ipsecSaTable contains.  Thus, I'd propose we call it the
ipsecBundleTable...

I will admit that what I want to call the ipsecBundleTable is really
very hard to index by anything other than an arbitrary index.  It
really should be indexed by the Desc and SPD rules that lead to using
that bundle, but that's probably exceedingly unwieldy!

As for ipsecSaInboutTraffic, what exactly does it count?  Does it
count the bytes including AH, ESP, and IPCOMP headers?  Well, really
it has to count exactly what is supposed to be counted against the
lifetime in kbytes.  (The comment on ipsecSaTrafficLimit in
IpsecSaEntry is wrong, should be -- 1024 byte units, 0 if none.)


As for IPv6, I think it should be in a separate MIB.  That is, what
you are presently working on is really IPSEC-IPV4-MIB.  There will be
a separate IPSEC-IPV6-MIB.  This will prevent RFC publication of
IPSEC-IPV4-MIB from being held up because IPV6-TC isn't published as
an RFC yet.  (You cannot publish an RFC with a reference to an
Internet-Draft...)

Further, as conformance statements are developed for IPSEC-IPV4-MIB,
perhaps they should be carefully constructed so as not to require IPv4
specific variables unless the IPsec implementation implements IPv4.
Someday, there may be IPv6-only hosts...
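Added illustration, not part of the mail or of the draft MIB: a small model of the two points raised above, an SA table reachable directly by (destination address, SPI) with byte-lifetime accounting in 1024-byte units where 0 means no limit, and a bundle table under an arbitrary index that refers back to those SAs. All class and field names here are hypothetical; the example assumes the bytes charged to the lifetime are the received wire bytes, headers included.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (destination address, SPI): the two things an operator has in hand when
# troubleshooting, so the SA table is keyed by them directly.
SaKey = Tuple[str, int]


@dataclass
class SaEntry:
    protocol: str                 # "ah", "esp" or "ipcomp" (hypothetical field)
    inbound_bytes: int = 0        # bytes charged against the lifetime so far
    traffic_limit_kb: int = 0     # 1024-byte units, 0 = no byte lifetime

    def exhausted(self) -> bool:
        # 0 means "no limit", so never report exhaustion for it.
        if self.traffic_limit_kb == 0:
            return False
        return self.inbound_bytes >= self.traffic_limit_kb * 1024


@dataclass
class IpsecMib:
    sa_table: Dict[SaKey, SaEntry] = field(default_factory=dict)
    # Bundles get an arbitrary integer index; each lists the SAs it is built from.
    bundle_table: Dict[int, List[SaKey]] = field(default_factory=dict)

    def add_sa(self, dst: str, spi: int, entry: SaEntry) -> None:
        self.sa_table[(dst, spi)] = entry

    def add_bundle(self, sa_keys: List[SaKey]) -> int:
        idx = len(self.bundle_table) + 1          # arbitrary, monotonically assigned
        self.bundle_table[idx] = list(sa_keys)
        return idx

    def count_inbound(self, dst: str, spi: int, wire_bytes: int) -> bool:
        """Charge a received packet to the SA; return True once the byte
        lifetime is exhausted (assumed: wire bytes incl. AH/ESP headers)."""
        sa = self.sa_table[(dst, spi)]
        sa.inbound_bytes += wire_bytes
        return sa.exhausted()

    def find_bundle(self, dst: str, spi: int) -> Optional[int]:
        """Fast path from (dst, SPI) to the bundle that uses that SA."""
        for idx, keys in self.bundle_table.items():
            if (dst, spi) in keys:
                return idx
        return None
```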
