
IPSEC monitor MIB
> I have a few thoughts having read draft 3 of the IPSEC Monitoring MIB:
> 
> 
> 1) I feel there is room for an 'SPD' table entry to sit 'above' the IKE
> Control Channel table. The IPSEC architecture describes interface-specific
> SPD (I seem to remember) and in this case, the same IDs used to make the
> IPSEC MIB entries unique could occur many times, for example, if I want to
> define the security on a number of 'public' interfaces to 'protect
> everything' in a LAN-LAN case, then I may have multiple occurrences of the
> same simple selectors. The IPSEC MIB could then be used as an extension of
> the Interface MIB.
> 
> 2) As part of an attempt to recycle resources in a security gateway, would
> it be possible to add an 'idle timer' that is used a bit like LifeTime,
> but allow user inactivity to be identified and acted on in some way
> (delete the SAs)?
> 
> 3) While thinking about how to identify when a tunnel was broken, has
> anyone proposed a way to actively monitor IP tunnels? I'm thinking of
> something like an ICMP message poller to operate a bit like a PPP Echo
> poll which can be used to declare the tunnel 'down'.
> 
> 4) There is a lot of text in this draft that suggests that IKE can be used
> to negotiate a 'protection suite' of just IPCOMP. Have I missed something?
> Does anyone support this?  This option would seem to be better placed as
> an addition to IP-IP Tunnels/MIBs.
> 
> 5) The IPSEC Tunnel table - given that it can contain TRANSPORT and TUNNEL
> mode types, should we use a name other than tunnel in the table name?  How
> about IPSEC Connection - to go with the IKE Connection table?
> 
> 6) Accounting.  I guess I was going to use SA initiation/termination as a
> handle to do IPSEC Accounting. If TRAPs are not intended for transient SA
> initiation/termination, how could this be done?  I suppose it could be
> done on a timer basis that simply logs deltas on IPSEC Tunnel table
> entries.
> 
> 7) Under certain circumstances, I'd like to be able to use SETs to do some
> rough management.  I understand there are security worries with this, but
> the SNMP flow could itself be protected with IPSEC...   I'm looking to add
> things such as turning IPSEC on/off, deleting IKE-SA or IPSEC-SA.
> 
> 8) What counts the Phase-2 IKE traffic?  It isn't clear to me what exactly
> the IKE Control and IKE SA entries count as 'traffic'.
> 
> Cheers, Steve.
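As an added illustration of the timer-based accounting Steve sketches in point 6 (periodic deltas over tunnel-table rows in place of per-SA traps) combined with the idle timer of point 2, here is a small poller. This is example code written for this page, not part of the message or of the IPsec Monitoring MIB draft; the row layout, column names, SPI/peer values and counter values are constructed assumptions rather than objects from the MIB.

```python
"""Timer-based IPsec SA accounting with idle detection (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[int, str]          # (SPI, peer address) identifies one SA row
Event = Tuple[str, int, str, int]  # (kind, spi, peer, value)


@dataclass
class SaRow:
    """One polled tunnel-table row: cumulative octet counters (constructed layout)."""
    spi: int
    peer: str
    in_octets: int
    out_octets: int


@dataclass
class SaState:
    """Running accounting record kept by the poller for one SA."""
    acct_in: int = 0
    acct_out: int = 0
    prev_in: int = 0
    prev_out: int = 0
    idle_polls: int = 0


def _delta(prev: int, cur: int) -> int:
    """Octets added since the last poll; a counter that went backwards
    means the SA or agent restarted, so only the new value is counted."""
    return cur if cur < prev else cur - prev


class SaPoller:
    def __init__(self, idle_limit: int = 3):
        # Number of consecutive zero-delta polls before an SA is reported idle.
        self.idle_limit = idle_limit
        self.state: Dict[Key, SaState] = {}

    def poll(self, rows: List[SaRow]) -> List[Event]:
        """Process one snapshot of the table; return accounting events."""
        events: List[Event] = []
        seen = set()
        for r in rows:
            key = (r.spi, r.peer)
            seen.add(key)
            st = self.state.get(key)
            if st is None:
                # First sighting stands in for the "initiation" trap: open a
                # record and credit whatever the counters already hold.
                self.state[key] = SaState(r.in_octets, r.out_octets,
                                          r.in_octets, r.out_octets)
                events.append(("new", r.spi, r.peer, r.in_octets + r.out_octets))
                continue
            d_in = _delta(st.prev_in, r.in_octets)
            d_out = _delta(st.prev_out, r.out_octets)
            st.acct_in += d_in
            st.acct_out += d_out
            st.prev_in, st.prev_out = r.in_octets, r.out_octets
            if d_in + d_out == 0:
                st.idle_polls += 1
                if st.idle_polls == self.idle_limit:   # fire once, not every poll
                    events.append(("idle", r.spi, r.peer, st.idle_polls))
            else:
                st.idle_polls = 0
                events.append(("delta", r.spi, r.peer, d_in + d_out))
        # Rows that vanished between polls stand in for the "termination" trap:
        # close the record and report the total accounted octets.
        for key in list(self.state):
            if key not in seen:
                st = self.state.pop(key)
                events.append(("gone", key[0], key[1], st.acct_in + st.acct_out))
        return events


def run_sample() -> List[List[Event]]:
    """Five constructed polls: one busy SA (with a counter restart at poll 3
    and removal at poll 5) and one SA that never carries traffic."""
    polls = [
        [SaRow(0x1001, "192.0.2.1", 1000, 500), SaRow(0x1002, "192.0.2.2", 0, 0)],
        [SaRow(0x1001, "192.0.2.1", 1500, 700), SaRow(0x1002, "192.0.2.2", 0, 0)],
        [SaRow(0x1001, "192.0.2.1", 100, 50),   SaRow(0x1002, "192.0.2.2", 0, 0)],
        [SaRow(0x1001, "192.0.2.1", 200, 100),  SaRow(0x1002, "192.0.2.2", 0, 0)],
        [SaRow(0x1002, "192.0.2.2", 0, 0)],
    ]
    poller = SaPoller(idle_limit=3)
    return [poller.poll(p) for p in polls]


if __name__ == "__main__":
    for i, evs in enumerate(run_sample(), 1):
        for kind, spi, peer, value in evs:
            print(f"poll {i}: {kind:5} spi=0x{spi:x} peer={peer} value={value}")
```

The "idle" event is where an operator-defined action such as the SA deletion Steve mentions would hook in; the poller itself only reports, and the restart handling in `_delta` is what keeps the accounted totals honest when an agent resets its counters between polls.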