
MIB Issues (long)



In an attempt to move this along, I'm going to post a shell structure.
It's not been filled in, since it seems like we still have to work
on the overall architecture. So, I am presenting here a portion of
the next proposed draft for comments.

Some accompanying notes.

Where possible, the MIB will use John Shriver's textual conventions
draft.

All addresses are duplicated, one for V4 and one for V6. The one
that's not used is set to 0. This allows proper presentation of each
address type, and still makes them usable as members of an index.
(Thanks to John Shriver for this suggestion.)

Some specific issues that need comments:

1) Is this architecture the right one?
2) Is the IPv4 /IPv6 address issue handled sufficiently?
3) Do we worry about sensitive data, i.e., do we provide separate
tables for sensitive information such as identities? If so, what
other information do we treat as sensitive?

Once the structure is decided upon, then we can decide what goes
into the individual tables.

I will probably be presenting this or something modified depending
on the comments I receive at the IETF meeting next week, so get those
comments in today!


==>

3. IPSec MIB Objects Architecture

   The IPSec MIB consists of three separate MIB groups. An IPSec MIB
   provides monitoring for raw uni-directional security associations
   (SAs). An Internet Security Association and Key Management Protocol
   (ISAKMP) MIB provides a base for the Domain Of Interpretation (DOI)-
   independent portion of phase 1 SAs created using ISAKMP. Finally, an
   Internet Key Exchange (IKE) MIB provides the IKE DOI-specific phase 1
   SAs, and also the protection suite object to link the raw IPSec SAs
   to the IKE SAs that created them.

   Note that there is no attempt at this time to define complete ISAKMP
   (DOI of 0) SAs.

   Configuration about the SAs is provided as are statistics related to
   the SAs themselves. Additionally, the MIBs provide a number of entity
   level aggregate totals for the SAs.

   There are also traps defined. These may be used by system
   administrators to help detect misconfigurations or possible attacks.


3.1 MIB Tables

   The MIBs use a number of tables to show IKE SAs and phase 2 SAs, in
   order to get the most flexibility for the different possible uses of
   IPSec and IKE.

   A general picture of the relationship of the tables is shown in
   Figure 1. The raw SAs provided by the IPSec MIB are standalone, and
   may be used by themselves. The ISAKMP MIB is also standalone. The IKE
   MIBs require both the IPSec tables and the ISAKMP tables.



        ISAKMP

              +--------------------------------------------+
              | ISAKMP DOI-independent part of Phase 1 SAs |
              +--------------------------------------------+
                ^
        IKE     |
                |
                | +----------------------------------------+
                +-| IKE DOI-dependent part of Phase 1 SAs  |
                  +----------------------------------------+
                    ^
                    | +-----------------------+
                    +-| Protection Suites     |
                      +-----------------------+
                        |   |   |   |   |   |
                       \ / \ / \ / \ / \ / \ /
        IPSEC
                          +--------------------+
                          | ESP Inbound SAs    |
                          +--------------------+

                          +--------------------+
                          | AH Inbound SAs     |
                          +--------------------+

                          +--------------------+
                          | IPCOMP Inbound SAs |
                          +--------------------+

                          +--------------------+
                          | ESP Outbound SAs   |
                          +--------------------+

                          +--------------------+
                          | AH Outbound SAs    |
                          +--------------------+

                          +---------------------+
                          | IPCOMP Outbound SAs |
                          +---------------------+

                    Figure 1 Relationship of Tables


3.2 ISAKMP Security Association Table

   The ISAKMP MIB consists of tables related to ISAKMP SAs.

   As such, one of the tables consists of information about phase 1 SAs
   that is independent of the DOI used. Its purpose is to provide a base
   for all protocols that use ISAKMP as the basis for their SA
   negotiation.

   This table includes the identifiers for phase 1 SAs, some version
   information, some communications information and some basic status
   information.

   Additional tables would be generated that would be specific to the
   ISAKMP DOI; however, as stated earlier, there is no attempt at this
   time to define these tables.


3.3 IKE Security Association Table

   IKE SAs presented in the table contain information about their
   services provided, lifetime, end point authentication and some
   aggregate performance statistics.

   They build on the ISAKMP DOI-independent table.


3.4 IKE Protection Suite Table

   IPSec protection suites are as defined by [ISAKMP]. In ISAKMP, an SA
   is effectively a protection suite that provides only a single
   security service. Since the protection suite is defined by ISAKMP,
   this table is part of the same MIB tree as the IKE SA table.

   In ISAKMP (and therefore IKE), SAs are considered a subset of
   protection suites, since both protection suites and SAs are
   negotiated within IKE using a single proposal payload during a single
   quick mode.

   [ISAKMP] also requires that attributes negotiated within a protection
   suite apply to all SAs. Therefore, the protection suite table
   provides expiration values and selectors for all SAs in a protection
   suite. In order to get the statistics for the SAs, however, the
   protection suite provides the ability to get to the individual SAs
   themselves.

   ISAKMP assumes that protection suites have only a single occurrence
   of any one of the three defined security services. (IP compression is
   considered a security service for the purposes of this MIB.) It also
   assumes that the order of these services within the protection suite
   is compression before ESP before AH (in the encrypting/hashing
   direction) as also stated in [ISAKMP] and [SECARCH]. However, the MIB
   as defined here allows up to three protocols, with no restrictions on
   their order or occurrence.

   Entries in the protection suite table are uniquely identified by the
   local and remote IP addresses and the security protocol and SPI (or
   CPI) pairs in each direction.

   Note that both statically keyed SAs and SAs created by a key exchange
   protocol may be shown in the table, even though this is an ISAKMP
   concept.

   Further, in order to link the creation of a protection suite (and
   thereby its SAs) to specific endpoints, the protection suite entry
   also contains the identities of the endpoints that negotiated the
   SAs.


3.5 IPSec Security Association Tables

   Individual IPSec phase 2 SAs are separated by both direction and
   (security) protocol, resulting in the creation of six separate
   tables.

   Separate inbound tables are used for ESP, AH and IPCOMP. Each table
   shares common information, such as the selectors and expiration
   limits in addition to protocol and specific information. Similarly,
   there is a set of outbound tables for each protocol.

   These tables are presented in a MIB tree separate from the IKE SA
   table to allow the use of these tables by implementations that
   support static SAs, or SAs created by key exchange protocols other
   than IKE.
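As an added illustration (not part of the draft or of this post), the following shows how a manager would build and check the instance index of a row in one of these inbound tables, using the ipsecSaEspInTable index { V4 address, V6 address, SPI } from section 4 and the convention from the cover note that the unused address family is set to all zeros. The SMIv2 index encoding applied here (IpAddress as 4 sub-identifiers, a fixed SIZE (16) OCTET STRING as 16 sub-identifiers with no length prefix, Unsigned32 as one sub-identifier) and the entry OID derived from the draft's placeholder "experimental 500" arc are assumptions of this example.

```python
# Added example, not code from the draft: encode and decode the instance
# index of an ipsecSaEspInEntry row, i.e. the OID suffix that follows a
# column OID for one inbound ESP SA.
import ipaddress
from typing import List, Sequence, Tuple

V4_ZERO = ipaddress.IPv4Address("0.0.0.0")
V6_ZERO = ipaddress.IPv6Address("::")

# Assumed: ipsecSaEspInEntry under the draft's placeholder arc
# experimental(1.3.6.1.3).500 -> ipsecMIBObjects(1).ipsec(1).table(1).entry(1).
# The draft itself marks "experimental 500" as invalid before release.
IPSEC_SA_ESP_IN_ENTRY_OID = "1.3.6.1.3.500.1.1.1.1"


def sa_index(addr: str, spi: int) -> List[int]:
    """Index sub-identifiers for one inbound SA: V4 (4) + V6 (16) + SPI (1).

    Whichever address family is not used is emitted as all zeros, as the
    post proposes, so both columns always take part in the index.
    """
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in an Unsigned32")
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        v4, v6 = ip, V6_ZERO
    else:
        v4, v6 = V4_ZERO, ip
    return list(v4.packed) + list(v6.packed) + [spi]


def parse_sa_index(subids: Sequence[int]) -> Tuple[str, int]:
    """Inverse of sa_index, rejecting indexes that break the convention."""
    if len(subids) != 4 + 16 + 1:
        raise ValueError("expected 4 + 16 + 1 sub-identifiers")
    octets = list(subids[:20])
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("address sub-identifier outside octet range")
    v4 = ipaddress.IPv4Address(bytes(octets[:4]))
    v6 = ipaddress.IPv6Address(bytes(octets[4:20]))
    spi = subids[20]
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI sub-identifier outside Unsigned32 range")
    # Exactly one family carries the real address; the other must be zero.
    if (v4 == V4_ZERO) == (v6 == V6_ZERO):
        raise ValueError("exactly one of the V4/V6 addresses must be non-zero")
    return (str(v6) if v4 == V4_ZERO else str(v4), spi)


def row_oid(column: int, addr: str, spi: int,
            entry_oid: str = IPSEC_SA_ESP_IN_ENTRY_OID) -> str:
    """Full instance OID of one column for one SA: entry.column.index."""
    parts = [entry_oid, str(column)] + [str(s) for s in sa_index(addr, spi)]
    return ".".join(parts)


if __name__ == "__main__":
    # Constructed sample values (documentation addresses, arbitrary SPI).
    for addr, spi in (("192.0.2.1", 0x1000), ("2001:db8::1", 0x100)):
        idx = sa_index(addr, spi)
        print(addr, spi, "->", idx, "->", parse_sa_index(idx))
```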


3.6 Security Association Bundles

   This MIB does not explicitly show SA bundles or any combination of
   layered SAs that do not meet the protection suite definition as
   defined in [ISAKMP]. However, these may be represented in these MIBs
   by separate protection suites or SAs with the appropriate set of
   selectors.


3.7 Notify Messages

   Notify messages sent from peer to peer are not necessarily sent as
   traps. However, they are collected as they occur and accumulated in a
   parse table structure.

   A notify message object is defined. This object is used as the index
   into the table of accumulated notify messages. This helps system
   administrators determine if there are potential configuration
   problems or attacks on their network.


3.8 IPSec MIB Traps

   Traps are provided to let system administrators know about the
   existence of error conditions occurring in the entity. Errors are
   associated with the creation and deletion of SAs, and also
   operational errors that may indicate the presence of attacks on the
   system.

   Traps are not provided when SAs come up or go down, unless they
   cannot be negotiated or go down due to error conditions.

   The causes of SA negotiation failure are indicated by a notify
   message object.


3.9 IPSec Entity Level Objects

   This part of the MIB carries statistics global to the IPSec device.

   Statistics included are aggregate usage and aggregate errors for both
   phase 1 SAs and phase 2 protection suites. The statistics are
   provided as objects in a tree below these groups.
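Since sections 3.8 and 3.9 intend the entity-level error counters (ikeProtocolErrors, ikeDecryptionErrors, ikeAuthenticationErrors and so on, defined in section 4) to help an administrator spot misconfigurations or attacks, here is an added example (not part of the draft) of the poller-side check a manager would run over two successive samples: it handles Counter32 wrap, discards deltas across a reboot (the objects count "since boot time"), and flags counters whose rate exceeds a threshold. Polling sysUpTime alongside the counters, the threshold value and the sample numbers are assumptions of this example.

```python
# Added example, not code from the draft: turn two polls of the draft's
# entity-level IKE error counters into per-second rates and alarms.
from dataclasses import dataclass, field
from typing import Dict, List

COUNTER32_MOD = 2 ** 32

# The draft's ikeSaErrorStats objects; all are SYNTAX Counter32.
IKE_ERROR_COUNTERS = (
    "ikeProtocolErrors",
    "ikeDecryptionErrors",
    "ikeAuthenticationErrors",
    "ikeOtherReceiveErrors",
    "ikeSendErrors",
)


@dataclass
class Sample:
    """One poll: sysUpTime (hundredths of a second, assumed polled too)
    plus the counter values read at that time."""
    uptime_ticks: int
    counters: Dict[str, int] = field(default_factory=dict)


def counter_delta(prev: int, cur: int, modulus: int = COUNTER32_MOD) -> int:
    """Increase between two samples, tolerating a single counter wrap."""
    return (cur - prev) % modulus


def error_rates(prev: Sample, cur: Sample) -> Dict[str, float]:
    """Errors per second between two polls.

    Returns an empty dict when the entity rebooted between polls (sysUpTime
    went backwards) or when no time elapsed, because the draft's counters are
    relative to boot time and a delta across a reboot would be meaningless.
    """
    if cur.uptime_ticks < prev.uptime_ticks:
        return {}
    interval_s = (cur.uptime_ticks - prev.uptime_ticks) / 100.0
    if interval_s <= 0:
        return {}
    rates = {}
    for name in IKE_ERROR_COUNTERS:
        if name in prev.counters and name in cur.counters:
            delta = counter_delta(prev.counters[name], cur.counters[name])
            rates[name] = delta / interval_s
    return rates


def alarms(rates: Dict[str, float], threshold_per_s: float) -> List[str]:
    """Names of counters whose rate exceeds the (assumed) local threshold."""
    return sorted(name for name, rate in rates.items() if rate > threshold_per_s)


if __name__ == "__main__":
    # Constructed samples: 60 s apart, an authentication-error burst and a
    # protocol-error counter that wrapped between the polls.
    prev = Sample(0, {"ikeAuthenticationErrors": 10,
                      "ikeProtocolErrors": COUNTER32_MOD - 5})
    cur = Sample(6000, {"ikeAuthenticationErrors": 610,
                        "ikeProtocolErrors": 15})
    rates = error_rates(prev, cur)
    print(rates)
    print("alarms:", alarms(rates, threshold_per_s=1.0))
```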


4. MIB Definitions

 IPSEC-MIB DEFINITIONS ::= BEGIN

     IMPORTS
         MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
         Integer32, Unsigned32, IpAddress,
         experimental, NOTIFICATION-TYPE          FROM SNMPv2-SMI
         DateAndTime, TruthValue                  FROM SNMPv2-TC;

     ipsecMIB MODULE-IDENTITY
         LAST-UPDATED "9903051200Z"
         ORGANIZATION "IETF IPSec Working Group"
         CONTACT-INFO
                 "   Tim Jenkins
                     TimeStep Corporation
                     362 Terry Fox Drive
                     Kanata, ON  K0A 2H0
                     Canada

                     613-599-3610
                     tjenkins@timestep.com"

         DESCRIPTION
               "The MIB module to describe generic ISAKMP objects, IKE
               objects, IPSec objects, and entity level objects and
               events for those types."
         REVISION      "9903051200Z"
         DESCRIPTION
                 "Initial revision."
   -- replace xxx in next line before release, uncomment before release
   --     ::= { mib-2 xxx }
   -- delete next line before release
          ::= { experimental 500 } -- invalid!


     ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

     ipsec      OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }
     isakmp     OBJECT IDENTIFIER ::= { ipsecMIBObjects 2 }
     ike        OBJECT IDENTIFIER ::= { ipsecMIBObjects 3 }



  -- the ISAKMP DOI-independent SA MIB-Group
  --
  -- a collection of objects providing information about the
  -- DOI-independent portion of SAs generated using ISAKMP


  isakmpSaTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IsakmpSaEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing the DOI-independent
               portion of ISAKMP SAs."
      ::= { isakmp 1 }

  isakmpSaEntry OBJECT-TYPE
      SYNTAX     IsakmpSaEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular ISAKMP SA."
      -- indexed by the same cookies and address pairs as the IKE SA
      -- table below, which builds on this one
      INDEX      { isakmpSaInitiatorCookie, isakmpSaResponderCookie,
                   isakmpSaLocalIpV4Address, isakmpSaLocalIpV6Address,
                   isakmpSaRemoteIpV4Address, isakmpSaRemoteIpV6Address }
      ::= { isakmpSaTable 1 }

   IsakmpSaEntry::= SEQUENCE {

   -- identification
     isakmpSaInitiatorCookie     OCTET STRING (SIZE (16)),
     isakmpSaResponderCookie     OCTET STRING (SIZE (16)),
     isakmpSaLocalIpV4Address    IpAddress,
     isakmpSaLocalIpV6Address    OCTET STRING (SIZE (16)),
     isakmpSaRemoteIpV4Address   IpAddress,
     isakmpSaRemoteIpV6Address   OCTET STRING (SIZE (16)),

  -- communication information
     isakmpSaLocalUdpPort        INTEGER (0..65535),
     isakmpSaRemoteUdpPort       INTEGER (0..65535),

  -- peer version information
     isakmpSaPeerMajorVersion    INTEGER (0..15),
     isakmpSaPeerMinorVersion    INTEGER (0..15),

  -- creation/status/type
     isakmpSaDoi                 Unsigned32,
     isakmpSaLocallyInitiated    TruthValue,
     isakmpSaStatus              INTEGER {
                                    negotiating(1),
                                    established(2)
                                 },
     isakmpSaMode                INTEGER {
                                    base(1),
                                    identityProtection(2),
                                    authOnly(3),
                                    aggressive(4)
                                 }
  }


  -- the ISAKMP Entity MIB-Group
  --
  -- a collection of objects providing information about overall ISAKMP
  -- status in the entity


     --
     --      Definitions of significant branches
     --
     isakmpTrapsA         OBJECT IDENTIFIER  ::= { isakmp 2 }
     isakmpTraps          OBJECT IDENTIFIER  ::= { isakmpTrapsA 0 }
     isakmpStats          OBJECT IDENTIFIER  ::= { isakmp 3 }


  -- the IKE SA MIB-Group
  --
  -- a collection of objects providing information about
  -- IKE SAs


  ikeSaTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IkeSaEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IKE
               SAs."
      ::= { ike 1 }

  ikeSaEntry OBJECT-TYPE
      SYNTAX     IkeSaEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IKE SA."
      INDEX      { ikeSaInitiatorCookie, ikeSaResponderCookie,
                   ikeSaLocalIpV4Address, ikeSaLocalIpV6Address,
                   ikeSaRemoteIpV4Address, ikeSaRemoteIpV6Address }
      ::= { ikeSaTable 1 }


   IkeSaEntry ::= SEQUENCE {

  -- identifier information (same types as the corresponding
  -- isakmpSa* objects, which these mirror)
     ikeSaInitiatorCookie        OCTET STRING (SIZE (16)),
     ikeSaResponderCookie        OCTET STRING (SIZE (16)),
     ikeSaLocalIpV4Address       IpAddress,
     ikeSaLocalIpV6Address       OCTET STRING (SIZE (16)),
     ikeSaRemoteIpV4Address      IpAddress,
     ikeSaRemoteIpV6Address      OCTET STRING (SIZE (16)),

  -- ID and authentication information
     ikeSaAuthMethod             Integer32,
     ikeSaPeerIdType             Integer32,
     ikeSaPeerId                 OCTET STRING,
     ikeSaPeerCertSerialNum      OCTET STRING,
     ikeSaPeerCertIssuer         OCTET STRING,
     ikeSaLocalIdType            Integer32,
     ikeSaLocalId                OCTET STRING,

  -- security algorithm information
     ikeSaEncAlg                 INTEGER,
     ikeSaEncKeyLength           Integer32,
     ikeSaHashAlg                Integer32,
     ikeSaDifHelGroupDesc        Integer32,
     ikeSaDifHelGroupType        Integer32,
     ikeSaDifHelFieldSize        Integer32,
     ikeSaPRF                    Integer32,
     ikeSaPFS                    TruthValue,

  -- expiration limits
     ikeSaTimeLimit              Counter64,  -- in seconds
     ikeSaTrafficLimit           Counter64,  -- in bytes

  -- operating statistics
     ikeSaTimeCount              Counter64,  -- in seconds
     ikeSaInboundTraffic         Counter64,  -- in bytes
     ikeSaOutboundTraffic        Counter64,  -- in bytes
     ikeSaInboundPackets         Counter32,
     ikeSaOutboundPackets        Counter32,
     ikeProtSuitesCreated        Counter32,
     ikeProtSuitesDeleted        Counter32,

   -- error statistics
     ikeSaDecryptErrors          Counter32,
     ikeSaAuthErrors             Counter32,
     ikeSaOtherReceiveErrors     Counter32,
     ikeSaSendErrors             Counter32
  }


  -- the IKE Entity MIB-Group
  --
  -- a collection of objects providing information about overall IKE
  -- status in the entity


     --
     --      Definitions of significant branches
     --
     ikeTrapsA              OBJECT IDENTIFIER  ::= { ike 2 }
     ikeTraps               OBJECT IDENTIFIER  ::= { ikeTrapsA 0 }
     ikeStats               OBJECT IDENTIFIER  ::= { ike 3 }
     ikeSaErrorStats        OBJECT IDENTIFIER  ::= { ike 4 }
     ikeProtSuiteStats      OBJECT IDENTIFIER  ::= { ike 5 }
     ikeProtSuiteErrorStats OBJECT IDENTIFIER  ::= { ike 6 }



  --
  -- entity IKE statistics
  --

  ikeTotalProtSuites OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of IKE protection suites successfully
               established by the entity since boot time."
      ::= { ikeStats 1 }

  ikeNegFailures OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of IKE protection suite negotiations
               that failed in the entity since boot time."
      ::= { ikeStats 2 }

  ikeTotalInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets carried on IKE SAs
               since boot time."
      ::= { ikeStats 3 }

  ikeTotalTransOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets carried on IKE SAs
               since boot time."
      ::= { ikeStats 4 }

  ikeTotalTransInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "Kbytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of inbound traffic carried on IKE SAs
               since boot time, measured in 1024-octet blocks."
      ::= { ikeStats 5 }

  ikeTotalTransOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "Kbytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of outbound traffic carried on IKE SAs
               since boot time, measured in 1024-octet blocks."
      ::= { ikeStats 6 }

  --
  -- IKE SA error counts
  --

  ikeProtocolErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity since
               boot time with IKE protocol errors.

               This includes packets with invalid cookies, but does not
               include errors that are associated with specific IKE
               SAs."
      ::= { ikeSaErrorStats 1 }

  ikeDecryptionErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity in
               IKE SAs since boot time with decryption errors."
      ::= { ikeSaErrorStats 2 }

  ikeAuthenticationErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity in
               IKE SAs since boot time with authentication errors.

               This includes all packets in which the hash value is
               determined to be invalid."
      ::= { ikeSaErrorStats 3 }

  ikeOtherReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity in
               IKE SAs since boot time and discarded due to errors not
               due to decryption or authentication."
      ::= { ikeSaErrorStats 4 }

  ikeSendErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets to be sent by the entity in
               IKE SAs since boot time and discarded due to errors."
      ::= { ikeSaErrorStats 5 }

  --
  -- entity protection suite statistics
  --

  ikeProtSuiteTotalInboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of inbound packets carried on all
               protection suites since boot time."
      ::= { ikeProtSuiteStats 1 }

  ikeProtSuiteTotalOutboundPackets OBJECT-TYPE
      SYNTAX      Counter64
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of outbound packets carried on all
               protection suites since boot time."
      ::= { ikeProtSuiteStats 2 }

  ikeProtSuiteTotalInboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "Kbytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of inbound traffic carried on all
               protection suites since boot time, measured in 1024-octet
               blocks."
      ::= { ikeProtSuiteStats 3 }

  ikeProtSuiteTotalOutboundTraffic OBJECT-TYPE
      SYNTAX      Counter64
      UNITS       "Kbytes"
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total amount of outbound traffic carried on all
               protection suites since boot time, measured in 1024-octet
               blocks."
      ::= { ikeProtSuiteStats 4 }

  --
  -- IKE protection suite error counts
  --

  ipsecProtSuiteReceiveErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets received by the entity in
               protection suites since boot time and discarded due to
               errors of any kind."
      ::= { ikeProtSuiteErrorStats 1 }

  ipsecIkeSendErrors OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
              "The total number of packets to be sent by the entity in
               protection suites since boot time and discarded due to
               errors of any kind."
      ::= { ikeProtSuiteErrorStats 2 }




  -- the IPSec Inbound ESP MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec Inbound ESP SAs


  ipsecSaEspInTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecSaEspInEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               inbound ESP SAs."
      ::= { ipsec 1 }

  ipsecSaEspInEntry OBJECT-TYPE
      SYNTAX     IpsecSaEspInEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec inbound ESP SA."
      INDEX      { ipsecSaEspInV4Address, ipsecSaEspInV6Address,
                   ipsecSaEspInSpi }
      ::= { ipsecSaEspInTable 1 }


  IpsecSaEspInEntry::= SEQUENCE {

  -- identification
     ipsecSaEspInV4Address         IpAddress,
     ipsecSaEspInV6Address         OCTET STRING (SIZE (16)),
     ipsecSaEspInSpi               Unsigned32,

  -- SA selectors
     ipsecSaEspInDestId            OCTET STRING,
     ipsecSaEspInDestIdType        Unsigned32,
     ipsecSaEspInSourceId          OCTET STRING,
     ipsecSaEspInSourceIdType      Unsigned32,
     ipsecSaEspInProtocol          Integer32,
     ipsecSaEspInDestPort          Integer32,
     ipsecSaEspInSourcePort        Integer32,

   -- security services description
     ipsecSaEspInEncapsulation     INTEGER,
     ipsecSaEspInEncAlg            Integer32,
     ipsecSaEspInEncKeyLength      Unsigned32,
     ipsecSaEspInAuthAlg           Integer32,

  -- expiration limits
     ipsecSaEspInTimeLimit         Counter64, -- sec., 0 if none
     ipsecSaEspInTrafficLimit      Counter64, -- 0 if none

   -- current operating statistics
     ipsecSaEspInTimeCount         Counter64,
     ipsecSaEspInTrafficCount      Counter64,
     ipsecSaEspInTraffic           Counter64,
     ipsecSaEspInPackets           Counter64,

   -- error statistics
     ipsecSaEspInDecryptErrors     Counter32,
     ipsecSaEspInAuthErrors        Counter32,
     ipsecSaEspInReplayErrors      Counter32,
     ipsecSaEspInPolicyErrors      Counter32,
     ipsecSaEspInOtherReceiveErrors Counter32
  }

  -- the IPSec Inbound AH MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec Inbound AH SAs


  ipsecSaAhInTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecSaAhInEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               inbound AH SAs."
      ::= { ipsec 2 }

  ipsecSaAhInEntry OBJECT-TYPE
      SYNTAX     IpsecSaAhInEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec inbound AH SA."
      INDEX      { ipsecSaAhInV4Address, ipsecSaAhInV6Address,
                   ipsecSaAhInSpi }
      ::= { ipsecSaAhInTable 1 }

  IpsecSaAhInEntry::= SEQUENCE {

  -- identification
     ipsecSaAhInV4Address         IpAddress,
     ipsecSaAhInV6Address         OCTET STRING (SIZE (16)),
     ipsecSaAhInSpi               Unsigned32,

  -- SA selectors
     ipsecSaAhInDestId            OCTET STRING,
     ipsecSaAhInDestIdType        Unsigned32,
     ipsecSaAhInSourceId          OCTET STRING,
     ipsecSaAhInSourceIdType      Unsigned32,
     ipsecSaAhInProtocol          Integer32,
     ipsecSaAhInDestPort          Integer32,
     ipsecSaAhInSourcePort        Integer32,

   -- security services description
     ipsecSaAhInEncapsulation     INTEGER,
     ipsecSaAhInAuthAlg           Integer32,

  -- expiration limits
     ipsecSaAhInTimeLimit         Counter64, -- sec., 0 if none
     ipsecSaAhInTrafficLimit      Counter64, -- 0 if none

   -- current operating statistics
     ipsecSaAhInTimeCount         Counter64,
     ipsecSaAhInTrafficCount      Counter64,
     ipsecSaAhInTraffic           Counter64,
     ipsecSaAhInPackets           Counter64,

   -- error statistics
     ipsecSaAhInAuthErrors        Counter32,
     ipsecSaAhInReplayErrors      Counter32,
     ipsecSaAhInPolicyErrors      Counter32,
     ipsecSaAhInOtherReceiveErrors Counter32
  }

  -- the IPSec Inbound IPCOMP MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec Inbound IPCOMP SAs


  ipsecSaIpcompInTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecSaIpcompInEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               inbound IPCOMP SAs."
      ::= { ipsec 3 }

  ipsecSaIpcompInEntry OBJECT-TYPE
      SYNTAX     IpsecSaIpcompInEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec inbound IPCOMP SA."
      INDEX      { ipsecSaIpcompInV4Address, ipsecSaIpcompInV6Address,
                   ipsecSaIpcompInCpi }
      ::= { ipsecSaIpcompInTable 1 }

  IpsecSaIpcompInEntry::= SEQUENCE {

  -- identification
     ipsecSaIpcompInV4Address         IpAddress,
     ipsecSaIpcompInV6Address         OCTET STRING (SIZE (16)),
     ipsecSaIpcompInCpi               Unsigned32,

  -- SA selectors (if needed)
     ipsecSaIpcompInDestId            OCTET STRING,
     ipsecSaIpcompInDestIdType        Unsigned32,
     ipsecSaIpcompInSourceId          OCTET STRING,
     ipsecSaIpcompInSourceIdType      Unsigned32,
     ipsecSaIpcompInProtocol          Integer32,
     ipsecSaIpcompInDestPort          Integer32,
     ipsecSaIpcompInSourcePort        Integer32,

   -- security services description
     ipsecSaIpcompInEncapsulation     INTEGER,
     ipsecSaIpcompInCompAlg           Integer32,

   -- current operating statistics
     ipsecSaIpcompInTraffic           Counter64,
     ipsecSaIpcompInPackets           Counter64,

   -- error statistics
     ipsecSaIpcompInDecompErrors      Counter32,
     ipsecSaIpcompInOtherReceiveErrors Counter32
  }

  -- IPCOMP assumptions:
  --
  --   1) Don't care about policy errors.
  --   2) Don't care about expiration.
  --   3) Selectors can be empty if IPCOMP is shared across multiple
  --      protection suites.




  -- the IPSec Outbound ESP MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec Outbound ESP SAs


  ipsecSaEspOutTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecSaEspOutEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               Outbound ESP SAs."
      ::= { ipsec 4 }

  ipsecSaEspOutEntry OBJECT-TYPE
      SYNTAX     IpsecSaEspOutEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec Outbound ESP SA."
      INDEX      { ipsecSaEspOutV4Address, ipsecSaEspOutV6Address,
                   ipsecSaEspOutSpi }
      ::= { ipsecSaEspOutTable 1 }

  IpsecSaEspOutEntry::= SEQUENCE {

  -- identification
     ipsecSaEspOutV4Address         IpAddress,
     ipsecSaEspOutV6Address         OCTET STRING (SIZE (16)),
     ipsecSaEspOutSpi               Unsigned32,

  -- SA selectors
     ipsecSaEspOutSourceId          OCTET STRING,
     ipsecSaEspOutSourceIdType      Unsigned32,
     ipsecSaEspOutDestId            OCTET STRING,
     ipsecSaEspOutDestIdType        Unsigned32,
     ipsecSaEspOutProtocol          Integer32,
     ipsecSaEspOutSourcePort        Integer32,
     ipsecSaEspOutDestPort          Integer32,

   -- security services description
     ipsecSaEspOutEncapsulation     INTEGER,
     ipsecSaEspOutEncAlg            Integer32,
     ipsecSaEspOutEncKeyLength      Unsigned32,
     ipsecSaEspOutAuthAlg           Integer32,

  -- expiration limits
     ipsecSaEspOutTimeLimit         Counter64, -- sec., 0 if none
     ipsecSaEspOutTrafficLimit      Counter64, -- 0 if none

   -- current operating statistics
     ipsecSaEspOutTraffic           Counter64,
     ipsecSaEspOutPackets           Counter64,
     ipsecSaEspOutTimeCount         Counter64,
     ipsecSaEspOutTrafficCount      Counter64,

   -- error statistics
     ipsecSaEspOutSendErrors        Counter32
  }

  -- the IPSec Outbound AH MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec Outbound AH SAs


  ipsecSaAhOutTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecSaAhOutEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               Outbound AH SAs."
      ::= { ipsec 5 }

  ipsecSaAhOutEntry OBJECT-TYPE
      SYNTAX     IpsecSaAhOutEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec Outbound AH SA."
      INDEX      { ipsecSaAhOutV4Address, ipsecSaAhOutV6Address,
                   ipsecSaAhOutSpi }
      ::= { ipsecSaAhOutTable 1 }

  IpsecSaAhOutEntry::= SEQUENCE {

  -- identification
     ipsecSaAhOutV4Address         IpAddress,
     ipsecSaAhOutV6Address         OCTET STRING (SIZE (16)),
     ipsecSaAhOutSpi               Unsigned32,

  -- SA selectors
     ipsecSaAhOutSourceId          OCTET STRING,
     ipsecSaAhOutSourceIdType      Unsigned32,
     ipsecSaAhOutDestId            OCTET STRING,
     ipsecSaAhOutDestIdType        Unsigned32,
     ipsecSaAhOutProtocol          Integer32,
     ipsecSaAhOutSourcePort        Integer32,
     ipsecSaAhOutDestPort          Integer32,

   -- security services description
     ipsecSaAhOutEncapsulation     INTEGER,
     ipsecSaAhOutAuthAlg           Integer32,

  -- expiration limits
     ipsecSaAhOutTimeLimit         Counter64, -- sec., 0 if none
     ipsecSaAhOutTrafficLimit      Counter64, -- 0 if none

   -- current operating statistics
     ipsecSaAhOutTraffic           Counter64,
     ipsecSaAhOutPackets           Counter64,
     ipsecSaAhOutTimeCount         Counter64,
     ipsecSaAhOutTrafficCount      Counter64,

   -- error statistics
     ipsecSaAhOutSendErrors        Counter32
  }

  -- the IPSec Outbound IPCOMP MIB-Group
  --
  -- a collection of objects providing information about
  -- IPSec Outbound IPCOMP SAs


  ipsecSaIpcompOutTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IpsecSaIpcompOutEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IPSec
               Outbound IPCOMP SAs."
      ::= { ipsec 6 }

  ipsecSaIpcompOutEntry OBJECT-TYPE
      SYNTAX     IpsecSaIpcompOutEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular IPSec Outbound IPCOMP SA."
      INDEX      { ipsecSaIpcompOutV4Address,
                   ipsecSaIpcompOutV6Address,
                   ipsecSaIpcompOutCpi }
      ::= { ipsecSaIpcompOutTable 1 }

  IpsecSaIpcompOutEntry::= SEQUENCE {

  -- identification
     ipsecSaIpcompOutV4Address         IpAddress,
     ipsecSaIpcompOutV6Address         OCTET STRING (SIZE (16)),
     ipsecSaIpcompOutCpi               Unsigned32,

  -- SA selectors
     ipsecSaIpcompOutSourceId          OCTET STRING,
     ipsecSaIpcompOutSourceIdType      Unsigned32,
     ipsecSaIpcompOutDestId            OCTET STRING,
     ipsecSaIpcompOutDestIdType        Unsigned32,
     ipsecSaIpcompOutProtocol          Integer32,
     ipsecSaIpcompOutSourcePort        Integer32,
     ipsecSaIpcompOutDestPort          Integer32,

   -- security services description
     ipsecSaIpcompOutEncapsulation     INTEGER,
     ipsecSaIpcompOutCompAlg           Integer32,

   -- current operating statistics
     ipsecSaIpcompOutTraffic           Counter64,
     ipsecSaIpcompOutPackets           Counter64
  }

  -- IPCOMP assumptions:

    1) Don't care about policy errors.
    2) Don't care about expiration.
    3) Selectors can be empty if IPCOMP is shared across multiple
      protection suites.
    4) There are no send errors; a packet that cannot be compressed is
      sent uncompressed.

  -- the IKE Protection Suites MIB-Group
  --
  -- a collection of objects providing information about
  -- protection suites


  ikeProtSuiteTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF IkeProtSuiteEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "The (conceptual) table containing information on IKE
               protection suites."
      ::= { ike 2 }

  ikeProtSuiteEntry OBJECT-TYPE
      SYNTAX     IkeProtSuiteEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
              "An entry (conceptual row) containing the information on
               a particular protection suite."
      INDEX      { ikeProtSuiteIndex }
      ::= { ikeProtSuiteTable 1 }

   IkeProtSuiteEntry ::= SEQUENCE {
     ikeProtSuiteIndex             Integer32,

  -- identification
     ikeProtSuiteLocalV4Address    IpAddress,
     ikeProtSuiteLocalV6Address    OCTET STRING (SIZE (16)),
     ikeProtSuiteRemoteV4Address   IpAddress,
     ikeProtSuiteRemoteV6Address   OCTET STRING (SIZE (16)),
     ikeProtSuiteSa1Protocol       Unsigned32,
     ikeProtSuiteInSa1Spi          Unsigned32,
     ikeProtSuiteOutSa1Spi         Unsigned32,
     ikeProtSuiteSa2Protocol       Unsigned32,
     ikeProtSuiteInSa2Spi          Unsigned32,
     ikeProtSuiteOutSa2Spi         Unsigned32,
     ikeProtSuiteSa3Protocol       Unsigned32,
     ikeProtSuiteInSa3Spi          Unsigned32,
     ikeProtSuiteOutSa3Spi         Unsigned32,

  -- created by (need to make this optional for protection?)
     ikeProtSuiteLocalOwnerId      OCTET STRING,
     ikeProtSuiteLocalOwnerIdType  Unsigned32,
     ikeProtSuiteRemoteOwnerId     OCTET STRING,
     ikeProtSuiteRemoteOwnerIdType Unsigned32,

  -- protection suite selectors
     ikeProtSuiteLocalId           OCTET STRING,
     ikeProtSuiteLocalIdType       Unsigned32,
     ikeProtSuiteRemoteId          OCTET STRING,
     ikeProtSuiteRemoteIdType      Unsigned32,
     ikeProtSuiteProtocol          Integer32,
     ikeProtSuiteLocalPort         Integer32,
     ikeProtSuiteRemotePort        Integer32,

   -- creation mechanism
     ikeProtSuiteLocallyInitiated  TruthValue,
     ikeProtSuiteDifHelGroupDesc   Integer32,
     ikeProtSuiteDifHelGroupType   Integer32,
     ikeProtSuitePFS               TruthValue,

  -- expiration limits
     ikeProtSuiteTimeLimit         Counter64, -- sec., 0 if none
     ikeProtSuiteTrafficLimit      Counter64, -- 0 if none

   -- current operating statistics
     ikeProtSuiteInTraffic         Counter64,
     ikeProtSuiteInPackets         Counter64,
     ikeProtSuiteOutTraffic        Counter64,
     ikeProtSuiteOutPackets        Counter64,
     ikeProtSuiteTimeCount         Counter64,
     ikeProtSuiteInTrafficCount    Counter64,
     ikeProtSuiteOutTrafficCount   Counter64,

   -- current operating statistics
     ikeProtSuiteInboundTraffic    Counter64,
     ikeProtSuiteOutboundTraffic   Counter64,
     ikeProtSuiteInboundPackets    Counter64,
     ikeProtSuiteOutboundPackets   Counter64,

   -- error statistics
     ikeProtSuiteReceiveErrors     Counter32,
     ikeProtSuiteSendErrors        Counter32
  }


<==
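An added example, not part of the draft or of the post above: it encodes and decodes the instance identifier of an ipsecSaAhOutEntry row, whose INDEX is { ipsecSaAhOutV4Address, ipsecSaAhOutV6Address, ipsecSaAhOutSpi }, using the dual-address convention described above (the unused family is all zeros). It assumes the SMIv2 index encoding rules of RFC 2578 (an IpAddress contributes 4 sub-identifiers, a fixed-length OCTET STRING (SIZE (16)) contributes 16 with no length prefix, an Unsigned32 contributes 1); since the draft does not yet assign column OIDs, only the index portion is built. The sample addresses and SPIs are constructed.

```python
# Added example (not from the draft): index encoding for ipsecSaAhOutEntry.
# Per RFC 2578, IpAddress -> 4 sub-ids, OCTET STRING (SIZE (16)) -> 16 sub-ids
# (fixed size, so no length prefix), Unsigned32 -> 1 sub-id: 21 in total.
import ipaddress

INDEX_LEN = 4 + 16 + 1


def encode_ah_out_index(address: str, spi: int) -> tuple[int, ...]:
    """Return the 21 index sub-identifiers naming the SA (address, SPI)."""
    addr = ipaddress.ip_address(address)
    if addr.is_unspecified:
        # 0.0.0.0 / :: would be indistinguishable from the "unused family"
        # marker, so such an address cannot identify a row.
        raise ValueError("unspecified address cannot identify an SA")
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in an Unsigned32")
    v4 = addr.packed if addr.version == 4 else bytes(4)
    v6 = addr.packed if addr.version == 6 else bytes(16)
    return tuple(v4) + tuple(v6) + (spi,)


def decode_ah_out_index(subids) -> tuple[str, int]:
    """Inverse of encode_ah_out_index; rejects malformed or ambiguous indexes."""
    subids = tuple(subids)
    if len(subids) != INDEX_LEN:
        raise ValueError(f"expected {INDEX_LEN} sub-identifiers, got {len(subids)}")
    if any(not 0 <= s <= 255 for s in subids[:20]):
        raise ValueError("address sub-identifiers must be octet values")
    v4, v6, spi = bytes(subids[:4]), bytes(subids[4:20]), subids[20]
    v4_used, v6_used = v4 != bytes(4), v6 != bytes(16)
    if v4_used == v6_used:
        # Both set, or both zero: the row does not name exactly one address.
        raise ValueError("exactly one of the V4/V6 addresses must be non-zero")
    addr = ipaddress.IPv4Address(v4) if v4_used else ipaddress.IPv6Address(v6)
    return str(addr), spi


def to_oid_suffix(subids) -> str:
    """Dotted form of the index, as it appears after a column OID."""
    return ".".join(str(s) for s in subids)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real SA database.
    idx = encode_ah_out_index("192.0.2.1", 0x1000)
    print(to_oid_suffix(idx))          # 192.0.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4096
    print(decode_ah_out_index(idx))    # ('192.0.2.1', 4096)
```

Because the V4 octets come first in the index, all IPv6 rows (V4 part all zeros) sort before every IPv4 row in a GETNEXT walk of the table.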

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617