
RE: FW: IPSec Monitoring MIB works for IPv4 only?
---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617


> -----Original Message-----
> From: Richard Draves [mailto:richdr@microsoft.com]
> Sent: Thursday, November 19, 1998 2:29 PM
> To: 'Tim Jenkins'
> Cc: ipsec@tis.com
> Subject: RE: FW: IPSec Monitoring MIB works for IPv4 only?
> 
> 
> >Yes, but protection suites don't. The real mistake I made on this 
> >issue was using the more generic term "SA bundle" when I should 
> >have said "protection suite" as defined in ISAKMP, and further 
> >compounding it by calling the phase 2 protection suite table 
> >an SA table. 
> >
> >So, the ipsecSaTable should really be called
> >ipsecProtectionSuiteTable.
> >Is that any better?
> 
> I thought this is supposed to be an IPsec MIB, not an ISAKMP MIB.
> What about implementations that aren't using ISAKMP?

I don't understand why this changes the use by IPSec-only implementations,
so the following may not answer the question.

Static SA usage is mentioned in the MIB text.
They don't produce a phase 1 virtual tunnel table, and the index
to the phase 1 table in the phase 2 tunnel doesn't point to a
phase 1 table entry.

If your concern is how to express all the protocols, you put
0 for the cipher/hash/compression alg to indicate the protocol
is not being used.

I'm not even sure that you can't generate the equivalent of ISAKMP's
protection suite with statically defined SAs. It would appear to me
to be an implementation issue, not a protocol issue.

Also: (from the MIB)

==>

ipsecTunnelType OBJECT-TYPE
    SYNTAX      INTEGER { static(0), transient(1), permanent(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The type of the virtual tunnel represented by this row.

            'static' means that the tunnel is supported by a single static
            IPSec SA that was setup by configuration, and not by using a key
            exchange protocol. In this case, the value of ipsecTunnelIkeSa
            must be 0."
    ::= { ipsecTunnelEntry 3 }

<==

Does this help?
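The rules spelled out in the reply (a static tunnel carries ipsecTunnelIkeSa = 0, a keyed tunnel's phase 1 index must point at an existing phase 1 entry, and an algorithm value of 0 marks a protocol that is not in use) can be turned into a consistency check over a polled snapshot of the tunnel table. The code below is an added example, not part of the thread or of the draft MIB: only the column names ipsecTunnelType and ipsecTunnelIkeSa and the enumeration static(0)/transient(1)/permanent(2) come from the quoted text; the three algorithm columns, the TunnelRow layout and the assumption that a non-static tunnel must reference a phase 1 entry are mine.

```python
"""Consistency checks over rows of an IPsec phase 2 tunnel table.

Added example, not code from the thread or from the draft MIB. Assumes a
snapshot of rows with ipsecTunnelType (static=0, transient=1, permanent=2),
ipsecTunnelIkeSa (index into the phase 1 table, 0 when none) and three
algorithm identifiers where 0 means the protocol is not used. The
algorithm column names are assumed, not taken from the MIB.
"""
from dataclasses import dataclass

STATIC, TRANSIENT, PERMANENT = 0, 1, 2


@dataclass(frozen=True)
class TunnelRow:
    index: int
    tunnel_type: int   # ipsecTunnelType
    ike_sa: int        # ipsecTunnelIkeSa: phase 1 index, 0 = none
    esp_cipher: int    # assumed column: 0 = ESP not in use
    ah_hash: int       # assumed column: 0 = AH not in use
    ipcomp_alg: int    # assumed column: 0 = IPCOMP not in use


def check_tunnels(rows, phase1_indexes):
    """Return a list of (row index, problem) for rows that break the rules.

    phase1_indexes is the set of indexes present in the phase 1 table at the
    time of the snapshot; static SAs never appear there.
    """
    problems = []
    for r in rows:
        if r.tunnel_type not in (STATIC, TRANSIENT, PERMANENT):
            problems.append((r.index, "unknown ipsecTunnelType %d" % r.tunnel_type))
            continue
        if r.tunnel_type == STATIC:
            # Quoted MIB text: a static tunnel must carry ipsecTunnelIkeSa 0.
            if r.ike_sa != 0:
                problems.append((r.index, "static tunnel must have ipsecTunnelIkeSa 0"))
        else:
            # Assumption: a tunnel set up by a key exchange must point at a
            # phase 1 row that actually exists in the snapshot.
            if r.ike_sa == 0:
                problems.append((r.index, "keyed tunnel has no phase 1 reference"))
            elif r.ike_sa not in phase1_indexes:
                problems.append((r.index, "dangling phase 1 index %d" % r.ike_sa))
        # A value of 0 in every algorithm column means no protocol is in use.
        if r.esp_cipher == 0 and r.ah_hash == 0 and r.ipcomp_alg == 0:
            problems.append((r.index, "no protocol in use (all algorithms 0)"))
    return problems


# Constructed sample snapshot: row 3 is static but references a phase 1
# entry, row 4 references a phase 1 index that does not exist, row 5 has
# every protocol marked unused.
SAMPLE_PHASE1 = {10, 11}
SAMPLE_ROWS = [
    TunnelRow(1, STATIC, 0, 3, 0, 0),
    TunnelRow(2, PERMANENT, 10, 3, 2, 0),
    TunnelRow(3, STATIC, 10, 3, 0, 0),
    TunnelRow(4, TRANSIENT, 12, 0, 2, 1),
    TunnelRow(5, TRANSIENT, 11, 0, 0, 0),
]

if __name__ == "__main__":
    for idx, msg in check_tunnels(SAMPLE_ROWS, SAMPLE_PHASE1):
        print("row %d: %s" % (idx, msg))
```

Run against a real agent, the row set would come from walking the tunnel table and the phase 1 index set from walking the phase 1 table in the same polling pass; a dangling phase 1 reference that persists across polls is worth investigating as either an agent bug or a stale SA.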