IPSEC monitor MIB
> I have a few thoughts having read draft 3 of the IPSEC Monitoring MIB:
>
>
> 1) I feel there is room for an 'SPD' table entry to sit 'above' the IKE
> Control Channel table. The IPSEC architecture describes interface-specific
> SPD (I seem to remember) and in this case, the same IDs used to make the
> IPSEC MIB entries unique could occur many times, for example, if I want to
> define the security on a number of 'public' interfaces to 'protect
> everything' in a LAN-LAN case, then I may have multiple occurrences of the
> same simple selectors. The IPSEC MIB could then be used as an extension of
> the Interface MIB.
>
> 2) As part of an attempt to recycle resources in a security gateway, would
> it be possible to add an 'idle timer' that is used a bit like LifeTime,
> but allow user inactivity to be identified and acted on in some way
> (delete the SAs)?
>
> 3) While thinking about how to identify when a tunnel was broken, has
> anyone proposed a way to actively monitor IP tunnels? I'm thinking of
> something like an ICMP message poller to operate a bit like a PPP Echo
> poll which can be used to declare the tunnel 'down'.
>
> 4) There is a lot of text in this draft that suggests that IKE can be used
> to negotiate a 'protection suite' of just IPCOMP. Have I missed something?
> Does anyone support this? This option would seem to be better placed as
> an addition to IP-IP Tunnels/MIBs.
>
> 5) The IPSEC Tunnel table - given that it can contain TRANSPORT and TUNNEL
> mode types, should we use a name other than tunnel in the table name? How
> about IPSEC Connection - to go with the IKE Connection table?
>
> 6) Accounting. I guess I was going to use SA initiation/termination as a
> handle to do IPSEC Accounting. If TRAPs are not intended for transient SA
> initiation/termination, how could this be done? I suppose it could be
> done on a timer basis that simply logs deltas on IPSEC Tunnel table
> entries.
>
> 7) Under certain circumstances, I'd like to be able to use SETs to do some
> rough management. I understand there are security worries with this, but
> the SNMP flow could itself be protected with IPSEC... I'm looking to add
> things such as turning IPSEC on/off, deleting IKE-SA or IPSEC-SA.
>
> 8) What counts the Phase-2 IKE traffic? It isn't clear to me what exactly
> the IKE Control and IKE SA entries count as 'traffic'.
>
> Cheers, Steve.
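Point 6 above suggests doing IPsec accounting without transient SA traps by polling the IPsec tunnel table on a timer and logging the deltas. The following is an added example of that approach, written for this page; it is not code from the draft MIB, from Steve, or from any implementation. It assumes each poll returns a mapping from a hypothetical SA key (local address, peer address, SPI) to cumulative octet counters, as an SNMP walk of a tunnel table would; the column names, the SA keys and the three sample polls are all constructed here. It handles the two things a practitioner hits first: Counter32 wrap between polls, and SAs that appear or disappear between polls.

```python
"""Timer-based IPsec SA accounting from polled tunnel-table snapshots.

Added illustration for the mailing-list discussion above; not code from the
draft MIB or from the poster. Assumes each poll yields {SaKey: Counters}
with cumulative SNMP Counter32 values. Sample polls below are constructed.
"""
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32  # SNMP Counter32 objects wrap modulo 2^32


@dataclass(frozen=True)
class SaKey:
    """Hypothetical SA identity: keying on the SPI means a rekeyed SA shows
    up as a new row rather than as a counter jump on the old one."""
    local: str
    peer: str
    spi: int


@dataclass
class Counters:
    in_octets: int
    out_octets: int


@dataclass
class AccountingEvent:
    kind: str            # "start", "delta" or "stop"
    sa: SaKey
    in_octets: int = 0   # octets attributed to this poll interval
    out_octets: int = 0


def counter_delta(prev, curr, mod=COUNTER32_MOD):
    """Delta between two successive Counter32 readings, tolerating one wrap.
    Two wraps inside a single poll interval are undetectable, so the poll
    interval must be short relative to link speed (or use Counter64)."""
    return (curr - prev) % mod


def diff_polls(prev, curr):
    """Compare two polls and emit start/delta/stop events.

    An SA absent from `curr` produces "stop"; the octets it carried between
    the last poll and its deletion are lost, which is the inherent cost of
    polling instead of receiving termination traps. An SA new in `curr`
    produces "start" carrying whatever it has already counted."""
    events = []
    for key in prev.keys() - curr.keys():
        events.append(AccountingEvent("stop", key))
    for key in curr.keys() - prev.keys():
        c = curr[key]
        events.append(AccountingEvent("start", key, c.in_octets, c.out_octets))
    for key in prev.keys() & curr.keys():
        p, c = prev[key], curr[key]
        events.append(AccountingEvent(
            "delta", key,
            counter_delta(p.in_octets, c.in_octets),
            counter_delta(p.out_octets, c.out_octets)))
    return events


def accumulate(polls):
    """Replay a sequence of polls; return (event log, per-SA octet totals)."""
    events, totals, prev = [], {}, {}
    for curr in polls:
        batch = diff_polls(prev, curr)
        for ev in batch:
            if ev.kind in ("start", "delta"):
                t = totals.setdefault(ev.sa, Counters(0, 0))
                t.in_octets += ev.in_octets
                t.out_octets += ev.out_octets
        events.extend(batch)
        prev = curr
    return events, totals


# Constructed sample data: addresses from documentation ranges, arbitrary SPIs.
SA_A = SaKey("192.0.2.1", "198.51.100.1", 0x1001)
SA_B = SaKey("192.0.2.1", "203.0.113.7", 0x2002)

SAMPLE_POLLS = [
    {SA_A: Counters(1_000, 2_000)},
    {SA_A: Counters(4_294_967_000, 2_500), SA_B: Counters(10, 20)},
    {SA_A: Counters(500, 3_000)},   # SA_A in_octets wrapped past 2^32; SA_B gone
]


def demo():
    return accumulate(SAMPLE_POLLS)


if __name__ == "__main__":
    events, totals = demo()
    for ev in events:
        print(f"{ev.kind:5} spi=0x{ev.sa.spi:x} in={ev.in_octets} out={ev.out_octets}")
    for sa, t in totals.items():
        print(f"total spi=0x{sa.spi:x} in={t.in_octets} out={t.out_octets}")
```

The delta for SA_A's third poll comes out as 796 rather than a huge negative number because the subtraction is taken modulo 2^32; the total for SA_B is whatever its single "start" reading held, since nothing after that is observable.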