MIB Issues (long)
In an attempt to move this along, I'm going to post a shell structure.
It's not been filled in, since it seems like we still have to work
on the overall architecture. So, I am presenting here a portion of
the next proposed draft for comments.
Some accompanying notes.
Where possible, the MIB will use John Shriver's textual conventions
draft.
All addresses are duplicated, one for V4 and one for V6. The one
that's not used is set to 0. This allows proper presentation of each
address type, and still makes them usable as members of an index.
(Thanks to John Shriver for this suggestion.)
Some specific issues that need comments:
1) Is this architecture the right one?
2) Is the IPv4 /IPv6 address issue handled sufficiently?
3) Do we worry about sensitive data, i.e., do we provide separate
tables for sensitive information such as identities? If so, what
other information do we treat as sensitive?
Once the structure is decided upon, then we can decide what goes
into the individual tables.
I will probably be presenting this or something modified depending
on the comments I receive at the IETF meeting next week, so get those
comments in today!
==>
3. IPSec MIB Objects Architecture
The IPSec MIB consists of three separate MIB groups. An IPSec MIB
provides monitoring for raw uni-directional security associations
(SAs). An Internet Security Association and Key Management Protocol
(ISAKMP) MIB provides a base for the Domain Of Interpretation (DOI)-
independent portion of phase 1 SAs created using ISAKMP. Finally, an
Internet Key Exchange (IKE) MIB provides the IKE DOI-specific phase 1
SAs, and also the protection suite object to link the raw IPSec SAs
to the IKE SAs that created them.
Note that there is no attempt at this time to define complete ISAKMP
(DOI of 0) SAs.
Configuration information about the SAs is provided, as are statistics
related to the SAs themselves. Additionally, the MIBs provide a number
of entity level aggregate totals for the SAs.
There are also traps defined. These may be used by system
administrators to help detect mis-configurations or possible attacks.
3.1 MIB Tables
The MIBs use a number of tables to show IKE SAs and phase 2 SAs, in
order to get the most flexibility for the different possible uses of
IPSec and IKE.
A general picture of the relationship of the tables is shown in
Figure 1. The raw SAs provided by the IPSec MIB are standalone, and
may be used by themselves. The ISAKMP MIB is also standalone. The IKE
MIBs require both the IPSec tables and the ISAKMP tables.
                  ISAKMP
   +--------------------------------------------+
   | ISAKMP DOI-independent part of Phase 1 SAs |
   +--------------------------------------------+
     ^
     |   IKE
     |
     |   +----------------------------------------+
     +---| IKE DOI-dependent part of Phase 1 SAs  |
         +----------------------------------------+
           ^
           |   +-----------------------+
           +---| Protection Suites     |
               +-----------------------+
                 |     |     |     |     |     |
                \ /   \ /   \ /   \ /   \ /   \ /
                  IPSEC
   +--------------------+
   | ESP Inbound SAs    |
   +--------------------+
   +--------------------+
   | AH Inbound SAs     |
   +--------------------+
   +--------------------+
   | IPCOMP Inbound SAs |
   +--------------------+
   +--------------------+
   | ESP Outbound SAs   |
   +--------------------+
   +--------------------+
   | AH Outbound SAs    |
   +--------------------+
   +---------------------+
   | IPCOMP Outbound SAs |
   +---------------------+

              Figure 1  Relationship of Tables
3.2 ISAKMP Security Association Table
The ISAKMP MIB consists of tables related to ISAKMP SAs.
As such, one of the tables consists of information about phase 1 SAs
that is independent of the DOI used. Its purpose is to provide a base
for all protocols that use ISAKMP as the basis for their SA
negotiation.
This table includes the identifiers for phase 1 SAs, some version
information, some communications information and some basic status
information.
Additional tables would be generated that would be specific to the
ISAKMP DOI; however, as stated earlier, there is no attempt at this
time to define these tables.
3.3 IKE Security Association Table
IKE SAs presented in the table contain information about the services
they provide, their lifetime, end point authentication and some
aggregate performance statistics.
They build on the ISAKMP DOI-independent table.
3.4 IKE Protection Suite Table
IPSec protection suites are as defined by [ISAKMP]. In ISAKMP, an SA
is effectively a protection suite that provides only a single
security service. Since the protection suite is defined by ISAKMP,
this table is part of the same MIB tree as the IKE SA table.
In ISAKMP (and therefore IKE), SAs are considered a subset of
protection suites, since both protection suites and SAs are
negotiated within IKE using a single proposal payload during a single
quick mode.
[ISAKMP] also requires that attributes negotiated within a protection
suite apply to all SAs. Therefore, the protection suite table
provides expiration values and selectors for all SAs in a protection
suite. In order to get the statistics for the SAs, however, the
protection suite provides the ability to get to the individual SAs
themselves.
ISAKMP assumes that protection suites have only a single occurrence
of any one of the three defined security services. (IP compression is
considered a security service for the purposes of this MIB.) It also
assumes that the order of these services within the protection suite
is compression before ESP before AH (in the encrypting/hashing
direction) as also stated in [ISAKMP] and [SECARCH]. However, the MIB
as defined here allows up to three protocols, with no restrictions on
their order or occurrence.
Entries in the protection suite table are uniquely identified by the
local and remote IP addresses and the security protocol and SPI (or
CPI) pairs in each direction.
Note that both statically keyed SAs and SAs created by a key exchange
protocol may be shown in the table, even though this is an ISAKMP
concept.
Further, in order to link the creation of a protection suite (and
thereby its SAs) to specific endpoints, the protection suite also
contains entries for the identities of the endpoints that negotiated
the SAs.
3.5 IPSec Security Association Tables
Individual IPSec phase 2 SAs are separated by both direction and
(security) protocol, resulting in the creation of six separate
tables.
Separate inbound tables are used for ESP, AH and IPCOMP. Each table
carries the common information, such as the selectors and expiration
limits, in addition to the protocol-specific information. Similarly,
there is a set of outbound tables for each protocol.
These tables are presented in a MIB tree separate from the IKE SA
table to allow the use of these tables by implementations that
support static SAs, or SAs created by key exchange protocols other
than IKE.
3.6 Security Association Bundles
This MIB does not explicitly show SA bundles or any combination of
layered SAs that does not meet the protection suite definition as
defined in [ISAKMP]. However, these may be represented in these MIBs
by separate protection suites or SAs with the appropriate set of
selectors.
3.7 Notify Messages
Notify messages sent from peer to peer are not necessarily sent as
traps. However, they are collected as they occur and accumulated in a
parse table structure.
A notify message object is defined. This object is used as the index
into the table of accumulated notify messages. This helps system
administrators determine if there are potential configuration
problems or attacks on their network.
3.8 IPSec MIB Traps
Traps are provided to let system administrators know about the
existence of error conditions occurring in the entity. Errors are
associated with the creation and deletion of SAs, and also
operational errors that may indicate the presence of attacks on the
system.
Traps are not provided when SAs come up or go down, unless they
cannot be negotiated or go down due to error conditions.
The causes of SA negotiation failure are indicated by a notify
message object.
3.9 IPSec Entity Level Objects
This part of the MIB carries statistics global to the IPSec device.
Statistics included are aggregate usage and aggregate errors for both
phase 1 SAs and phase 2 protection suites. The statistics are
provided as objects in a tree below these groups.
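As an added illustration (not part of the draft) of how the entity level error statistics of sections 3.8 and 3.9 might be consumed by a monitoring system: two polls of the ikeSaErrorStats Counter32 objects named in section 4 are compared with wrap-safe arithmetic, and a per-second rate above a threshold raises the kind of mis-configuration/attack indication the text describes. The `uptime` field (seconds), the thresholds and the sample readings are constructed for the example.

```python
"""Wrap-safe polling of the draft's entity-level IKE error counters.

Constructed example, not code from the draft. Counter32 objects wrap at
2^32, so a naive `new - old` on a counter that has just wrapped yields a
negative or absurd rate; the delta is taken modulo 2^32 instead, and a
poll whose uptime went backwards (agent restart, counters reset) is
rejected rather than compared.
"""
COUNTER32_MOD = 2 ** 32

# Alert thresholds in events per second (constructed values).
THRESHOLDS = {
    "ikeProtocolErrors": 5.0,        # invalid cookies etc.: possible flood
    "ikeDecryptionErrors": 1.0,
    "ikeAuthenticationErrors": 1.0,  # bad hashes: wrong PSK/cert or tampering
    "ikeOtherReceiveErrors": 10.0,
}


def counter32_delta(old, new):
    """Difference of two Counter32 readings, correct across a single wrap."""
    if not (0 <= old < COUNTER32_MOD and 0 <= new < COUNTER32_MOD):
        raise ValueError("Counter32 reading out of range")
    return (new - old) % COUNTER32_MOD


def error_rates(prev, curr):
    """Events/second per object between two polls.

    Each poll is {"uptime": seconds, "<objectName>": Counter32 value, ...}.
    """
    interval = curr["uptime"] - prev["uptime"]
    if interval <= 0:
        raise ValueError("uptime did not advance: agent restart or stale poll")
    return {name: counter32_delta(prev[name], curr[name]) / interval
            for name in THRESHOLDS if name in prev and name in curr}


def alerts(prev, curr):
    """Names of the error counters whose rate exceeded its threshold."""
    return sorted(name for name, rate in error_rates(prev, curr).items()
                  if rate > THRESHOLDS[name])


# Constructed samples: ikeProtocolErrors sits just below 2^32 and wraps
# between the two polls (4294967290 -> 400 is a delta of 406 in 60 s).
SAMPLE_PREV = {"uptime": 1000, "ikeProtocolErrors": 4294967290,
               "ikeDecryptionErrors": 0, "ikeAuthenticationErrors": 10,
               "ikeOtherReceiveErrors": 100}
SAMPLE_CURR = {"uptime": 1060, "ikeProtocolErrors": 400,
               "ikeDecryptionErrors": 0, "ikeAuthenticationErrors": 20,
               "ikeOtherReceiveErrors": 200}

if __name__ == "__main__":
    print(error_rates(SAMPLE_PREV, SAMPLE_CURR))
    print(alerts(SAMPLE_PREV, SAMPLE_CURR))
```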
4. MIB Definitions
IPSEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
Integer32, Unsigned32, IpAddress,
experimental, NOTIFICATION-TYPE FROM SNMPv2-SMI
DateAndTime, TruthValue FROM SNMPv2-TC;
ipsecMIB MODULE-IDENTITY
LAST-UPDATED "9903051200Z"
ORGANIZATION "IETF IPSec Working Group"
CONTACT-INFO
" Tim Jenkins
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON K0A 2H0
Canada
613-599-3610
tjenkins@timestep.com"
DESCRIPTION
"The MIB module to describe generic ISAKMP objects, IKE
objects, IPSec objects, and entity level objects and
events for those types."
REVISION "9903051200Z"
DESCRIPTION
"Initial revision."
-- replace xxx in next line before release, uncomment before release
-- ::= { mib-2 xxx }
-- delete next line before release
::= { experimental 500 } -- invalid!
ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }
ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }
isakmp OBJECT IDENTIFIER ::= { ipsecMIBObjects 2 }
ike OBJECT IDENTIFIER ::= { ipsecMIBObjects 3 }
-- the ISAKMP DOI-independent SA MIB-Group
--
-- a collection of objects providing information about the
-- DOI-independent portion of SAs generated using ISAKMP
isakmpSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IsakmpSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing the DOI-independent
portion of ISAKMP SAs."
::= { isakmp 1 }
isakmpSaEntry OBJECT-TYPE
SYNTAX IsakmpSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular ISAKMP SA."
INDEX { isakmpSaInitiatorCookie, isakmpSaResponderCookie,
isakmpSaLocalIpV4Address, isakmpSaLocalIpV6Address,
isakmpSaRemoteIpV4Address, isakmpSaRemoteIpV6Address }
::= { isakmpSaTable 1 }
IsakmpSaEntry::= SEQUENCE {
-- identification
isakmpSaInitiatorCookie OCTET STRING (SIZE (16)),
isakmpSaResponderCookie OCTET STRING (SIZE (16)),
isakmpSaLocalIpV4Address IpAddress,
isakmpSaLocalIpV6Address OCTET STRING (SIZE (16)),
isakmpSaRemoteIpV4Address IpAddress,
isakmpSaRemoteIpV6Address OCTET STRING (SIZE (16)),
-- communication information
isakmpSaLocalUdpPort INTEGER (0..65535),
isakmpSaRemoteUdpPort INTEGER (0..65535),
-- peer version information
isakmpSaPeerMajorVersion INTEGER (0..15),
isakmpSaPeerMinorVersion INTEGER (0..15),
-- creation/status/type
isakmpSaDoi Unsigned32,
isakmpSaLocallyInitiated TruthValue,
isakmpSaStatus INTEGER {
negotiating(1),
established(2)
},
isakmpSaMode INTEGER {
base(1),
identityProtection(2),
authOnly(3),
aggressive(4)
}
}
-- the ISAKMP Entity MIB-Group
--
-- a collection of objects providing information about overall ISAKMP
-- status in the entity
--
-- Definitions of significant branches
--
isakmpTrapsA OBJECT IDENTIFIER ::= { isakmp 2 }
isakmpTraps OBJECT IDENTIFIER ::= { isakmpTrapsA 0 }
isakmpStats OBJECT IDENTIFIER ::= { isakmp 3 }
-- the IKE SA MIB-Group
--
-- a collection of objects providing information about
-- IKE SAs
ikeSaTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IKE
SAs."
::= { ike 1 }
ikeSaEntry OBJECT-TYPE
SYNTAX IkeSaEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IKE SA."
INDEX { ikeSaInitiatorCookie, ikeSaResponderCookie,
ikeSaLocalIpV4Address, ikeSaLocalIpV6Address,
ikeSaRemoteIpV4Address, ikeSaRemoteIpV6Address }
::= { ikeSaTable 1 }
IkeSaEntry ::= SEQUENCE {
-- identifier information (same types as the isakmpSa* objects)
ikeSaInitiatorCookie OCTET STRING (SIZE (16)),
ikeSaResponderCookie OCTET STRING (SIZE (16)),
ikeSaLocalIpV4Address IpAddress,
ikeSaLocalIpV6Address OCTET STRING (SIZE (16)),
ikeSaRemoteIpV4Address IpAddress,
ikeSaRemoteIpV6Address OCTET STRING (SIZE (16)),
-- ID and authentication information
ikeSaAuthMethod Integer32,
ikeSaPeerIdType Integer32,
ikeSaPeerId OCTET STRING,
ikeSaPeerCertSerialNum OCTET STRING,
ikeSaPeerCertIssuer OCTET STRING,
ikeSaLocalIdType Integer32,
ikeSaLocalId OCTET STRING,
-- security algorithm information
ikeSaEncAlg INTEGER,
ikeSaEncKeyLength Integer32,
ikeSaHashAlg Integer32,
ikeSaDifHelGroupDesc Integer32,
ikeSaDifHelGroupType Integer32,
ikeSaDifHelFieldSize Integer32,
ikeSaPRF Integer32,
ikeSaPFS TruthValue,
-- expiration limits
ikeSaTimeLimit Counter64, -- in seconds
ikeSaTrafficLimit Counter64, -- in bytes
-- operating statistics
ikeSaTimeCount Counter64, -- in seconds
ikeSaInboundTraffic Counter64, -- in bytes
ikeSaOutboundTraffic Counter64, -- in bytes
ikeSaInboundPackets Counter32,
ikeSaOutboundPackets Counter32,
ikeProtSuitesCreated Counter32,
ikeProtSuitesDeleted Counter32,
-- error statistics
ikeSaDecryptErrors Counter32,
ikeSaAuthErrors Counter32,
ikeSaOtherReceiveErrors Counter32,
ikeSaSendErrors Counter32
}
-- the IKE Entity MIB-Group
--
-- a collection of objects providing information about overall IKE
-- status in the entity
--
-- Definitions of significant branches
--
ikeTrapsA OBJECT IDENTIFIER ::= { ike 2 }
ikeTraps OBJECT IDENTIFIER ::= { ikeTrapsA 0 }
ikeStats OBJECT IDENTIFIER ::= { ike 3 }
ikeSaErrorStats OBJECT IDENTIFIER ::= { ike 4 }
ikeProtSuiteStats OBJECT IDENTIFIER ::= { ike 5 }
ikeProtSuiteErrorStats OBJECT IDENTIFIER ::= { ike 6 }
--
-- entity IKE statistics
--
ikeTotalProtSuites OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IKE protection suites successfully
established by the entity since boot time."
::= { ikeStats 1 }
ikeNegFailures OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of IKE protection suite negotiations
that failed in the entity since boot time."
::= { ikeStats 2 }
ikeTotalInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets carried on IKE SAs
since boot time."
::= { ikeStats 3 }
ikeTotalTransOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets carried on IKE SAs
since boot time."
::= { ikeStats 4 }
ikeTotalTransInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic carried on IKE SAs
since boot time, measured in 1024-octet blocks."
::= { ikeStats 5 }
ikeTotalTransOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic carried on IKE SAs
since boot time, measured in 1024-octet blocks."
::= { ikeStats 6 }
--
-- IKE SA error counts
--
ikeProtocolErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity since
boot time with IKE protocol errors.
This includes packets with invalid cookies, but does not
include errors that are associated with specific IKE
SAs."
::= { ikeSaErrorStats 1 }
ikeDecryptionErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
IKE SAs since boot time with decryption errors."
::= { ikeSaErrorStats 2 }
ikeAuthenticationErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
IKE SAs since boot time with authentication errors.
This includes all packets in which the hash value is
determined to be invalid."
::= { ikeSaErrorStats 3 }
ikeOtherReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
IKE SAs since boot time and discarded due to errors not
due to decryption or authentication."
::= { ikeSaErrorStats 4 }
ikeSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets to be sent by the entity in
IKE SAs since boot time and discarded due to errors."
::= { ikeSaErrorStats 5 }
--
-- entity protection suite statistics
--
ikeProtSuiteTotalInboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of inbound packets carried on all
protection suites since boot time."
::= { ikeProtSuiteStats 1 }
ikeProtSuiteTotalOutboundPackets OBJECT-TYPE
SYNTAX Counter64
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of outbound packets carried on all
protection suites since boot time."
::= { ikeProtSuiteStats 2 }
ikeProtSuiteTotalInboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of inbound traffic carried on all
protection suites since boot time, measured in 1024-octet
blocks."
::= { ikeProtSuiteStats 3 }
ikeProtSuiteTotalOutboundTraffic OBJECT-TYPE
SYNTAX Counter64
UNITS "Kbytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total amount of outbound traffic carried on all
protection suites since boot time, measured in 1024-octet
blocks."
::= { ikeProtSuiteStats 4 }
--
-- IKE protection suite error counts
--
ikeProtSuiteTotalReceiveErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets received by the entity in
protection suites since boot time and discarded due to
errors of any kind."
::= { ikeProtSuiteErrorStats 1 }
ikeProtSuiteTotalSendErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of packets to be sent by the entity in
protection suites since boot time and discarded due to
errors of any kind."
::= { ikeProtSuiteErrorStats 2 }
-- the IPSec Inbound ESP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Inbound ESP SAs
ipsecSaEspInTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaEspInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
inbound ESP SAs."
::= { ipsec 1 }
ipsecSaEspInEntry OBJECT-TYPE
SYNTAX IpsecSaEspInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec inbound ESP SA."
INDEX { ipsecSaEspInV4Address, ipsecSaEspInV6Address,
ipsecSaEspInSpi }
::= { ipsecSaEspInTable 1 }
IpsecSaEspInEntry::= SEQUENCE {
-- identification
ipsecSaEspInV4Address IpAddress,
ipsecSaEspInV6Address OCTET STRING (SIZE (16)),
ipsecSaEspInSpi Unsigned32,
-- SA selectors
ipsecSaEspInDestId OCTET STRING,
ipsecSaEspInDestIdType Unsigned32,
ipsecSaEspInSourceId OCTET STRING,
ipsecSaEspInSourceIdType Unsigned32,
ipsecSaEspInProtocol Integer32,
ipsecSaEspInDestPort Integer32,
ipsecSaEspInSourcePort Integer32,
-- security services description
ipsecSaEspInEncapsulation INTEGER,
ipsecSaEspInEncAlg Integer32,
ipsecSaEspInEncKeyLength Unsigned32,
ipsecSaEspInAuthAlg Integer32,
-- expiration limits
ipsecSaEspInTimeLimit Counter64, -- sec., 0 if none
ipsecSaEspInTrafficLimit Counter64, -- 0 if none
-- current operating statistics
ipsecSaEspInTimeCount Counter64,
ipsecSaEspInTrafficCount Counter64,
ipsecSaEspInTraffic Counter64,
ipsecSaEspInPackets Counter64,
-- error statistics
ipsecSaEspInDecryptErrors Counter32,
ipsecSaEspInAuthErrors Counter32,
ipsecSaEspInReplayErrors Counter32,
ipsecSaEspInPolicyErrors Counter32,
ipsecSaEspInOtherReceiveErrors Counter32
}
-- the IPSec Inbound AH MIB-Group
--
-- a collection of objects providing information about
-- IPSec Inbound AH SAs
ipsecSaAhInTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaAhInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
inbound AH SAs."
::= { ipsec 2 }
ipsecSaAhInEntry OBJECT-TYPE
SYNTAX IpsecSaAhInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec inbound AH SA."
INDEX { ipsecSaAhInV4Address, ipsecSaAhInV6Address,
ipsecSaAhInSpi }
::= { ipsecSaAhInTable 1 }
IpsecSaAhInEntry::= SEQUENCE {
-- identification
ipsecSaAhInV4Address IpAddress,
ipsecSaAhInV6Address OCTET STRING (SIZE (16)),
ipsecSaAhInSpi Unsigned32,
-- SA selectors
ipsecSaAhInDestId OCTET STRING,
ipsecSaAhInDestIdType Unsigned32,
ipsecSaAhInSourceId OCTET STRING,
ipsecSaAhInSourceIdType Unsigned32,
ipsecSaAhInProtocol Integer32,
ipsecSaAhInDestPort Integer32,
ipsecSaAhInSourcePort Integer32,
-- security services description
ipsecSaAhInEncapsulation INTEGER,
ipsecSaAhInAuthAlg Integer32,
-- expiration limits
ipsecSaAhInTimeLimit Counter64, -- sec., 0 if none
ipsecSaAhInTrafficLimit Counter64, -- 0 if none
-- current operating statistics
ipsecSaAhInTimeCount Counter64,
ipsecSaAhInTrafficCount Counter64,
ipsecSaAhInTraffic Counter64,
ipsecSaAhInPackets Counter64,
-- error statistics
ipsecSaAhInAuthErrors Counter32,
ipsecSaAhInReplayErrors Counter32,
ipsecSaAhInPolicyErrors Counter32,
ipsecSaAhInOtherReceiveErrors Counter32
}
-- the IPSec Inbound IPCOMP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Inbound IPCOMP SAs
ipsecSaIpcompInTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaIpcompInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
inbound IPCOMP SAs."
::= { ipsec 3 }
ipsecSaIpcompInEntry OBJECT-TYPE
SYNTAX IpsecSaIpcompInEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec inbound IPCOMP SA."
INDEX { ipsecSaIpcompInV4Address, ipsecSaIpcompInV6Address,
ipsecSaIpcompInCpi }
::= { ipsecSaIpcompInTable 1 }
IpsecSaIpcompInEntry::= SEQUENCE {
-- identification
ipsecSaIpcompInV4Address IpAddress,
ipsecSaIpcompInV6Address OCTET STRING (SIZE (16)),
ipsecSaIpcompInCpi Unsigned32,
-- SA selectors (if needed)
ipsecSaIpcompInDestId OCTET STRING,
ipsecSaIpcompInDestIdType Unsigned32,
ipsecSaIpcompInSourceId OCTET STRING,
ipsecSaIpcompInSourceIdType Unsigned32,
ipsecSaIpcompInProtocol Integer32,
ipsecSaIpcompInDestPort Integer32,
ipsecSaIpcompInSourcePort Integer32,
-- security services description
ipsecSaIpcompInEncapsulation INTEGER,
ipsecSaIpcompInCompAlg Integer32,
-- current operating statistics
ipsecSaIpcompInTraffic Counter64,
ipsecSaIpcompInPackets Counter64,
-- error statistics
ipsecSaIpcompInDecompErrors Counter32,
ipsecSaIpcompInOtherReceiveErrors Counter32
}
-- IPCOMP assumptions:
-- 1) Don't care about policy errors.
-- 2) Don't care about expiration.
-- 3) Selectors can be empty if IPCOMP is shared across multiple
-- protection suites.
-- the IPSec Outbound ESP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Outbound ESP SAs
ipsecSaEspOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaEspOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
Outbound ESP SAs."
::= { ipsec 4 }
ipsecSaEspOutEntry OBJECT-TYPE
SYNTAX IpsecSaEspOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec Outbound ESP SA."
INDEX { ipsecSaEspOutV4Address, ipsecSaEspOutV6Address,
ipsecSaEspOutSpi }
::= { ipsecSaEspOutTable 1 }
IpsecSaEspOutEntry::= SEQUENCE {
-- identification
ipsecSaEspOutV4Address IpAddress,
ipsecSaEspOutV6Address OCTET STRING (SIZE (16)),
ipsecSaEspOutSpi Unsigned32,
-- SA selectors
ipsecSaEspOutSourceId OCTET STRING,
ipsecSaEspOutSourceIdType Unsigned32,
ipsecSaEspOutDestId OCTET STRING,
ipsecSaEspOutDestIdType Unsigned32,
ipsecSaEspOutProtocol Integer32,
ipsecSaEspOutSourcePort Integer32,
ipsecSaEspOutDestPort Integer32,
-- security services description
ipsecSaEspOutEncapsulation INTEGER,
ipsecSaEspOutEncAlg Integer32,
ipsecSaEspOutEncKeyLength Unsigned32,
ipsecSaEspOutAuthAlg Integer32,
-- expiration limits
ipsecSaEspOutTimeLimit Counter64, -- sec., 0 if none
ipsecSaEspOutTrafficLimit Counter64, -- 0 if none
-- current operating statistics
ipsecSaEspOutTraffic Counter64,
ipsecSaEspOutPackets Counter64,
ipsecSaEspOutTimeCount Counter64,
ipsecSaEspOutTrafficCount Counter64,
-- error statistics
ipsecSaEspOutSendErrors Counter32
}
-- the IPSec Outbound AH MIB-Group
--
-- a collection of objects providing information about
-- IPSec Outbound AH SAs
ipsecSaAhOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaAhOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
Outbound AH SAs."
::= { ipsec 5 }
ipsecSaAhOutEntry OBJECT-TYPE
SYNTAX IpsecSaAhOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec Outbound AH SA."
INDEX { ipsecSaAhOutV4Address, ipsecSaAhOutV6Address,
ipsecSaAhOutSpi }
::= { ipsecSaAhOutTable 1 }
IpsecSaAhOutEntry::= SEQUENCE {
-- identification
ipsecSaAhOutV4Address IpAddress,
ipsecSaAhOutV6Address OCTET STRING (SIZE (16)),
ipsecSaAhOutSpi Unsigned32,
-- SA selectors
ipsecSaAhOutSourceId OCTET STRING,
ipsecSaAhOutSourceIdType Unsigned32,
ipsecSaAhOutDestId OCTET STRING,
ipsecSaAhOutDestIdType Unsigned32,
ipsecSaAhOutProtocol Integer32,
ipsecSaAhOutSourcePort Integer32,
ipsecSaAhOutDestPort Integer32,
-- security services description
ipsecSaAhOutEncapsulation INTEGER,
ipsecSaAhOutAuthAlg Integer32,
-- expiration limits
ipsecSaAhOutTimeLimit Counter64, -- sec., 0 if none
ipsecSaAhOutTrafficLimit Counter64, -- 0 if none
-- current operating statistics
ipsecSaAhOutTraffic Counter64,
ipsecSaAhOutPackets Counter64,
ipsecSaAhOutTimeCount Counter64,
ipsecSaAhOutTrafficCount Counter64,
-- error statistics
ipsecSaAhOutSendErrors Counter32
}
-- the IPSec Outbound IPCOMP MIB-Group
--
-- a collection of objects providing information about
-- IPSec Outbound IPCOMP SAs
ipsecSaIpcompOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsecSaIpcompOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IPSec
Outbound IPCOMP SAs."
::= { ipsec 6 }
ipsecSaIpcompOutEntry OBJECT-TYPE
SYNTAX IpsecSaIpcompOutEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular IPSec Outbound IPCOMP SA."
INDEX { ipsecSaIpcompOutV4Address,
ipsecSaIpcompOutV6Address,
ipsecSaIpcompOutCpi }
::= { ipsecSaIpcompOutTable 1 }
IpsecSaIpcompOutEntry::= SEQUENCE {
-- identification
ipsecSaIpcompOutV4Address IpAddress,
ipsecSaIpcompOutV6Address OCTET STRING (SIZE (16)),
ipsecSaIpcompOutCpi Unsigned32,
-- SA selectors
ipsecSaIpcompOutSourceId OCTET STRING,
ipsecSaIpcompOutSourceIdType Unsigned32,
ipsecSaIpcompOutDestId OCTET STRING,
ipsecSaIpcompOutDestIdType Unsigned32,
ipsecSaIpcompOutProtocol Integer32,
ipsecSaIpcompOutSourcePort Integer32,
ipsecSaIpcompOutDestPort Integer32,
-- security services description
ipsecSaIpcompOutEncapsulation INTEGER,
ipsecSaIpcompOutCompAlg Integer32,
-- current operating statistics
ipsecSaIpcompOutTraffic Counter64,
ipsecSaIpcompOutPackets Counter64
}
-- IPCOMP assumptions:
-- 1) Don't care about policy errors.
-- 2) Don't care about expiration.
-- 3) Selectors can be empty if IPCOMP is shared across multiple
-- protection suites.
-- 4) There are no send errors; will send uncompressed if can't
-- compress.
-- the IKE Protection Suites MIB-Group
--
-- a collection of objects providing information about
-- protection suites
ikeProtSuiteTable OBJECT-TYPE
SYNTAX SEQUENCE OF IkeProtSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing information on IKE
protection suites."
::= { ike 7 } -- ike 2 is already ikeTrapsA
ikeProtSuiteEntry OBJECT-TYPE
SYNTAX IkeProtSuiteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing the information on
a particular protection suite."
INDEX { ikeProtSuiteIndex }
::= { ikeProtSuiteTable 1 }
IkeProtSuiteEntry ::= SEQUENCE {
ikeProtSuiteIndex Integer32,
-- identification
ikeProtSuiteLocalV4Address IpAddress,
ikeProtSuiteLocalV6Address OCTET STRING (SIZE (16)),
ikeProtSuiteRemoteV4Address IpAddress,
ikeProtSuiteRemoteV6Address OCTET STRING (SIZE (16)),
ikeProtSuiteSa1Protocol Unsigned32,
ikeProtSuiteInSa1Spi Unsigned32,
ikeProtSuiteOutSa1Spi Unsigned32,
ikeProtSuiteSa2Protocol Unsigned32,
ikeProtSuiteInSa2Spi Unsigned32,
ikeProtSuiteOutSa2Spi Unsigned32,
ikeProtSuiteSa3Protocol Unsigned32,
ikeProtSuiteInSa3Spi Unsigned32,
ikeProtSuiteOutSa3Spi Unsigned32,
-- created by (need to make this optional for protection?)
ikeProtSuiteLocalOwnerId OCTET STRING,
ikeProtSuiteLocalOwnerIdType Unsigned32,
ikeProtSuiteRemoteOwnerId OCTET STRING,
ikeProtSuiteRemoteOwnerIdType Unsigned32,
-- protection suite selectors
ikeProtSuiteLocalId OCTET STRING,
ikeProtSuiteLocalIdType Unsigned32,
ikeProtSuiteRemoteId OCTET STRING,
ikeProtSuiteRemoteIdType Unsigned32,
ikeProtSuiteProtocol Integer32,
ikeProtSuiteLocalPort Integer32,
ikeProtSuiteRemotePort Integer32,
-- creation mechanism
ikeProtSuiteLocallyInitiated TruthValue,
ikeProtSuiteDifHelGroupDesc Integer32,
ikeProtSuiteDifHelGroupType Integer32,
ikeProtSuitePFS TruthValue,
-- expiration limits
ikeProtSuiteTimeLimit Counter64, -- sec., 0 if none
ikeProtSuiteTrafficLimit Counter64, -- 0 if none
-- current operating statistics
ikeProtSuiteInTraffic Counter64,
ikeProtSuiteInPackets Counter64,
ikeProtSuiteOutTraffic Counter64,
ikeProtSuiteOutPackets Counter64,
ikeProtSuiteTimeCount Counter64,
ikeProtSuiteInTrafficCount Counter64,
ikeProtSuiteOutTrafficCount Counter64,
-- current operating statistics
ikeProtSuiteInboundTraffic Counter64,
ikeProtSuiteOutboundTraffic Counter64,
ikeProtSuiteInboundPackets Counter64,
ikeProtSuiteOutboundPackets Counter64,
-- error statistics
ikeProtSuiteReceiveErrors Counter32,
ikeProtSuiteSendErrors Counter32
}
END
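The dual IPv4/IPv6 index scheme from the notes above, worked through against the INDEX clauses of the six ipsecSa tables and the SPI slots of ikeProtSuiteEntry, as an added example that is not code from the draft or from TimeStep. It assumes the placeholder { experimental 500 } as the module's base arc, that ikeProtSuiteSaNProtocol carries the IP protocol number (50 ESP, 51 AH, 108 IPCOMP), and that an inbound SA row is keyed on the local address and an outbound row on the remote address; the sample protection suite is constructed.

```python
"""Instance-index construction for the draft's IPsec SA tables.

Encodes INDEX { ...V4Address, ...V6Address, ...Spi } into the OID
sub-identifier suffix that names one conceptual row, following the
SNMPv2-SMI rules (RFC 2578, section 7.7): IpAddress -> 4 sub-ids, a
fixed-length OCTET STRING (SIZE (16)) -> 16 sub-ids with no length
prefix, Unsigned32 -> 1 sub-id. Because the unused address family is all
zeros, every row is named by exactly 21 sub-ids whether it carries an
IPv4 or an IPv6 address, which is what makes the pair usable as an index.
"""
import ipaddress

# Assumed base arc: { experimental 500 } is 1.3.6.1.3.500, then
# ipsecMIBObjects = { ipsecMIB 1 } and ipsec = { ipsecMIBObjects 1 }.
IPSEC = (1, 3, 6, 1, 3, 500, 1, 1)

# Table arcs { ipsec N } as assigned in the skeleton.
TABLE_ARC = {("esp", "in"): 1, ("ah", "in"): 2, ("ipcomp", "in"): 3,
             ("esp", "out"): 4, ("ah", "out"): 5, ("ipcomp", "out"): 6}

# Assumption: ikeProtSuiteSaNProtocol carries the IP protocol number.
PROTO_NAME = {50: "esp", 51: "ah", 108: "ipcomp"}

INDEX_LEN = 4 + 16 + 1


def address_pair(addr):
    """Split one address into the (V4Address, V6Address) column pair.

    The family that is not in use is set to all zeros, as the post says.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip, ipaddress.IPv6Address("::")
    return ipaddress.IPv4Address("0.0.0.0"), ip


def row_index(addr, spi):
    """Sub-identifier tuple for INDEX { V4Address, V6Address, Spi }."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI/CPI must fit Unsigned32")
    v4, v6 = address_pair(addr)
    # One sub-id per octet for IpAddress and the fixed-length OCTET STRING;
    # the Unsigned32 SPI (or CPI) is a single sub-id.
    return tuple(v4.packed) + tuple(v6.packed) + (spi,)


def sa_instance_oid(proto, direction, column, addr, spi):
    """OID of one column of an SA row: { ipsec N } . 1 . column . index."""
    arc = TABLE_ARC[(proto, direction)]
    return IPSEC + (arc, 1, column) + row_index(addr, spi)


def suite_sa_rows(suite):
    """Resolve an ikeProtSuiteEntry-like row to the SA rows it links to.

    `suite` mirrors the entry: local/remote address and up to three
    (SaNProtocol, InSaNSpi, OutSaNSpi) slots; protocol 0 marks an unused
    slot. Assumption: inbound SAs are keyed on the local address and
    outbound SAs on the remote address (the SA's destination in both cases).
    """
    rows = []
    for proto, in_spi, out_spi in suite["sas"]:
        if proto == 0:
            continue
        name = PROTO_NAME[proto]
        rows.append((name, "in", row_index(suite["local"], in_spi)))
        rows.append((name, "out", row_index(suite["remote"], out_spi)))
    return rows


def dotted(oid):
    """Render a sub-identifier tuple in the usual dotted notation."""
    return ".".join(str(x) for x in oid)


# Constructed sample: an ESP+AH protection suite between two IPv4 peers.
SAMPLE_SUITE = {
    "local": "10.0.0.1",
    "remote": "192.0.2.7",
    "sas": [(50, 0x1000, 0x2000), (51, 0x1001, 0x2001), (0, 0, 0)],
}

if __name__ == "__main__":
    for name, direction, idx in suite_sa_rows(SAMPLE_SUITE):
        print(name, direction, dotted(idx))
    print(dotted(sa_instance_oid("esp", "in", 1, "2001:db8::1", 7)))
```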
<==
---
Tim Jenkins TimeStep Corporation
tjenkins@timestep.com http://www.timestep.com
(613) 599-3610 x4304 Fax: (613) 599-3617