Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                                Catena Networks
Internet Draft                                              John Shriver
                                                       Intel Corporation
                                                           July 13, 2000

                           IKE Monitoring MIB

Status of this Memo

   This document is a submission to the IETF Internet Protocol Security
   (IPsec) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@lists.tislabs.com) or to the
   editor.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at .

   The list of Internet-Draft Shadow Directories can be accessed at .

Copyright Notice

   This document is a product of the IETF's IPsec Working Group.

   Copyright (C) The Internet Society (2000). All Rights Reserved.

Jenkins & Shriver          Expires January 13, 2001             [Page 1]

Internet Draft             IKE Monitoring MIB              July 13, 2000

Table of Contents

   1. Introduction
   2. The SNMP Management Framework
   2.1 Object Definitions
   3. Definitions
   3.1 Security Association, Inbound and Outbound
   3.2 Phase 2 Security Association Suite
   4. IPsec MIB Objects Architecture
   4.1 Endpoint Table
   4.1.1 Peer Certificate Information
   4.2 IKE Security Association Table
   4.2.1 Phase 1 SA Helper Tables
   4.3 Phase 2 Security Association Suite Table
   4.3.1 Suite Helper Tables
   4.3.2 Phase 2 SA Table
   4.4 Security Association Bundles
   4.5 Uni-directional Suites
   4.6 Oakley Group Tables
   4.7 Exchange Table
   4.8 Notify Messages
   4.9 Traps
   4.10 Entity Level Objects
   5. MIB Definitions
   6. Security Considerations
   7. Acknowledgments
   8. References

1. Introduction

   This document defines monitoring and status MIBs for use when the
   Internet Key Exchange (IKE) protocol [IKE] is used to create IPsec
   security associations (SAs). As such, the MIBs provide the linkage
   between IKE (phase 1) SAs and the IPsec (phase 2) SAs created by
   those SAs.

   It does not define MIBs that may be used for configuring IPsec
   implementations or for providing low-level diagnostic or debugging
   information. It assumes no specific use of IPsec SAs, except that
   they were created using IKE. Further, it does not provide policy
   information.
   The purpose of the MIBs is to allow system administrators to
   determine operating conditions and perform system operational level
   monitoring of the IPsec portion of their network. Statistics are
   provided as well. Additionally, it may be used as the basis for
   application specific MIBs for specific uses of IPsec.

2. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and
      RFC 1215 [RFC1215]. The second version, called SMIv2, is
      described in STD 58, RFC 2578 [RFC2578], RFC 2579 [RFC2579] and
      RFC 2580 [RFC2580].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157]. A second version of the
      SNMP message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [RFC1901]
      and RFC 1906 [RFC1906]. The third version of the message protocol
      is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2572
      [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [RFC1905].

   o  A set of fundamental applications described in RFC 2573 [RFC2573]
      and the view-based access control mechanism described in RFC 2575
      [RFC2575].

   A more detailed introduction to the current SNMP Management
   Framework can be found in RFC 2570 [RFC2570].
   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.

2.1 Object Definitions

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the subset of Abstract Syntax Notation One (ASN.1)
   defined in the SMI. In particular, each object type is named by an
   OBJECT IDENTIFIER, an administratively assigned name. The object
   type together with an object instance serves to uniquely identify a
   specific instantiation of the object. For human convenience, we
   often use a textual string, termed the descriptor, to refer to the
   object type.

3. Definitions

3.1 Security Association, Inbound and Outbound

   This document uses the same definitions of "security association",
   "inbound" and "outbound" as [IMMIB].

3.2 Phase 2 Security Association Suite

   This MIB uses a concept of a phase 2 security association suite. A
   phase 2 security association suite is defined as the set of SAs that
   result from each SA payload in a successful IKE Quick Mode exchange.
   This entity is called a suite for the remainder of this document to
   reduce the usage of the ambiguous term "security association".
   Phrased another way, a suite is the set of IPsec phase 2 SAs created
   when negotiated using IKE, where the phase 2 SAs were negotiated as
   part of the same SA payload. As such, a suite is a subset of an SA
   bundle as defined in RFC 2401. In RFC 2401, the SA pairs in the
   bundle may be negotiated separately and independently.

4. IPsec MIB Objects Architecture

   The IPsec MIB consists of a number of separate tables.

   First, there is an IKE SA table that provides monitoring for phase 1
   security associations (SAs). This table is a DOI-specific table that
   uses the base ISAKMP SA table from the ISAKMP DOI-independent MIB as
   its base. Specifically, the IKE SA table has a sparse dependent
   relationship to the ISAKMP SA table.

   Secondly, there is an endpoint table. This table is used to store
   the identities of all endpoints that have been (or may be) involved
   in IKE SA negotiation with the local entity. This includes any
   identities that the local entity itself may use. Additionally, this
   table also has some endpoint specific information.

   Additionally, there are a number of tables associated with the phase
   2 SAs. One of these tables contains suites. Each row of this table
   contains common and general objects that are part of the suite.
   Another table allows determination of the specific phase 2 SAs that
   are the components of each suite. This table augments the suite
   table. This table, called the phase 2 SA table, has a dependent
   expansion relationship to the suite table. Note that this table
   should not be confused with the collection of phase 2 SA tables
   found in [IMMIB]. However, this table indirectly refers to those
   tables.

   Configuration about the phase 1 IKE SAs and the suites is provided
   as are statistics related to the phase 1 IKE SAs and the suites
   themselves. Additionally, the MIBs provide a number of entity level
   aggregate totals for the phase 1 SAs and suites.
   A general picture of the relationship of the tables is shown in
   Figure 1. The individual phase 2 SA tables and the selector table
   are from [IMMIB] and the phase 1 DOI-independent SA table is from
   [IDIMIB]. The tables from this MIB require both the IPsec tables and
   the ISAKMP table. Both the phase 1 SA and suite tables refer to the
   endpoint table to subsequently refer to the peers that negotiated
   the SAs and suites.

   Additional tables, such as the Oakley groups, the exchange table and
   helper tables are not shown in Figure 1.

   +-------------------------+   sparse   +----------------------------+
   | ISAKMP DOI-independent  |  dependent |                            |
   | part of Phase 1 SAs     |----------->| IKE SA table "ikeSaTable"  |
   | "saTable"               |            |                            |
   +-------------------------+            +----------------------------+
                                                        |
                                                        v
                                              +--------------------+
                                              | endpoint table     |
                                              | "ikeEndpointTable" |
                                              +--------------------+
                                                        ^
                                                        |
   +-----------------+      +--------------+            |     +-----------------+
   | selector table  |<-----| suite table  |------------+     | phase 2         |
   | "selectorTable" |      | "suiteTable" |   dependent      | SA table        |
   +-----------------+      |              |---expansion----->| "phase2SaTable" |
            |               +--------------+                  +-----------------+
            |                                                          |
            v           indirect reference; uses protocol and SPIs     |
   +----------------------------------------------+                    |
   | ESP Inbound SAs      "ipsecSaEspInTable"     |<-------------------+
   | AH Inbound SAs       "ipsecSaAhInTable"      |
   | IPcomp Inbound SAs   "ipsecSaIpcompInTable"  |
   | ESP Outbound SAs     "ipsecSaEspOutTable"    |
   | AH Outbound SAs      "ipsecSaAhOutTable"     |
   | IPcomp Outbound SAs  "ipsecSaIpcompOutTable" |
   +----------------------------------------------+

                   Figure 1. Relationship of MIB Tables

4.1 Endpoint Table

   This table is used to allow the endpoints involved in the IKE
   negotiations to be identified. It provides the ID type and value
   used by both ends during phase 1 negotiations, as well as
   certificate information. (See next section.) Additionally, it
   indicates if the endpoint is local or remote, and provides basic
   statistics for the endpoints with respect to the number of IKE SAs
   and phase 2 SA suites the endpoints have created.

   Implementations could also use this as a base table for more
   detailed per endpoint statistics, such as error counts or traffic
   counts. However, these are not specified in this MIB.

4.1.1 Peer Certificate Information

   The MIB provides certificate information related to the
   authentication of the peer entity. This information is the ID used
   in phase 1, and the certificate's serial number and issuer. It is
   intended that this information be sufficient to determine the
   certificate that was used for peer authentication.

   No certificate chain information is provided. The reasons for this
   are that the chain may not be available to the entity and the chain
   is not necessarily exchanged in phase 1. A more appropriate place
   for this type of information might be in a PKI MIB; as such, it is
   beyond the scope of this document.
4.2 IKE Security Association Table

   IKE SAs presented in the table contain information about the
   services provided, their lifetime, endpoint authentication and some
   aggregate performance statistics.

   This table extends the ISAKMP DOI-independent phase 1 SA table, so
   is indexed by the same indices. It does not use the AUGMENTS
   capability of SNMP, since not all ISAKMP SAs are necessarily IKE
   SAs. As stated earlier, it has a sparse dependent relationship to
   the ISAKMP SA table.

   In addition to the information already provided by the DOI-
   independent phase 1 SA table, the IKE SA table adds information
   related to the identities of the two endpoint entities, the security
   information of the IKE SA, some expiration limits and some
   additional operating statistics.

4.2.1 Phase 1 SA Helper Tables

   The MIB provides one helper table to modify the search order for
   phase 1 SAs. This table uses the endpoints along with an arbitrary
   value as its index. The rows of this table contain the endpoint
   addresses and cookies of the individual SAs that exist between the
   endpoints. This allows look up of the specific phase 1 SAs from
   these values.

   +-------------------------+          +----------------------------+
   | find IKE SA by endpoint |          |                            |
   | "saByCreatorsTable"     |--------->| IKE SA table "ikeSaTable"  |
   | local | remote | index  |          |                            |
   +-------------------------+          +----------------------------+
       ^       ^
       |       |            +--------------------+
       +-------+------------| endpoint table     |
                            | "ikeEndpointTable" |
                            +--------------------+

                  Figure 2. IKE SA Table Helper Table

4.3 Phase 2 Security Association Suite Table

   Suites are as defined above (in Section 3). This MIB makes no
   assumptions about the order or protocol of the individual SAs within
   the suite. Individual bi-directional SAs that are negotiated using
   IKE's quick mode are treated as a suite that uses only a single
   security protocol.
   [ISAKMP] requires that common attributes negotiated within a suite
   apply to all SAs. Therefore, the suite table provides expiration
   values and selectors for the suite. In order to get the statistics
   for the individual SAs, the phase 2 SA table provides the ability to
   get to the SAs themselves.

   The suite table is indexed by an arbitrary integer. This was done to
   ease implementation, since the number of objects that are required
   to uniquely identify individual suites is very high. (For a suite
   with three inbound/outbound SA pairs, there would be 11 indices
   required.)

   This also allows the suite table to be independent of the number and
   order of SAs as used within the suite. Helper tables may be used to
   provide a list of suites in the desired order; a number of these are
   provided for what are expected to be desirable sorting orders.

   In order to link the creation of suites (and thereby SAs) to
   specific endpoints, the suite table also contains references to the
   endpoints that negotiated the SAs. No direct link is possible since
   there is no requirement that any phase 1 SA exists after creation of
   a suite.

   Many of the objects of each suite are duplicates of objects found in
   the SAs' entries in their respective tables. This is done to allow a
   faster lookup of the SA information as the SAs are being used by
   IKE. As part of this, some statistical aggregation is done as well.

   As stated earlier, the suite table itself does not provide knowledge
   of which specific SAs make up the suite. This information is
   obtained from the phase 2 SA table.

4.3.1 Suite Helper Tables

   There are three helper tables provided to allow searching of suites
   in a non-arbitrary order. These tables are ordered by endpoints, by
   SA selector and by phase 2 SA identifiers, respectively.

   The first table is indexed in the same way as the IKE SA helper
   table, but provides a reference to a specific suite index value.
   It can be used to look up suites based on a specific set of entity
   IDs.

   SA selectors index the second table, by augmenting the selectors
   table from the IPsec Monitoring MIB. Since duplicate suites with the
   same selector are permitted, and are normal during re-keying, the
   additional index is an arbitrary integer. Each row provides a
   reference to a specific suite index value.

   The third helper table is provided to allow the determination of
   which suite a particular SA is being used in. This table is indexed
   by a destination address, a protocol and an SPI (CPI if the protocol
   is IPcomp). These are the objects that make an SA unique. Each row
   then provides a reference to a specific suite in which the SA is
   being used.

        +-----------------+
        | selector table  |
        | "selectorTable" |
        +-----------------+
                 |
                 v
   +--------------------------+
   | find suite by selector   |
   | "suiteBySelectorsTable"  |-----------------+
   | selector | index         |                 |
   +--------------------------+                 |
                                                |   +----------------------------+
   +--------------------------+                 +-->|                            |
   | find suite by endpoint   |                     |                            |
   | "suiteByCreatorsTable"   |-------------------->| suite table "suiteTable"   |
   | local | remote | index   |                     |                            |
   +-------+--------+---------+                 +-->|                            |
       ^        ^                               |   +----------------------------+
       |        |       +--------------------+  |
       +--------+-------| endpoint table     |  |
                        | "ikeEndpointTable" |  |
                        +--------------------+  |
   +--------------------------+                 |
   | find suite by SA         |                 |
   | "ipsecSaInSuiteTable"    |-----------------+
   | address | protocol | SPI |
   +---------+----------+-----+

                   Figure 3. Suite Table Helper Tables

4.3.2 Phase 2 SA Table

   This table allows the determination of which SAs from the IPsec
   monitoring MIB are in the SA suites. It is indexed by the suite
   table's index with an additional integer object added. This
   effectively causes expansion of the suite table for suites that have
   more than one SA. As stated earlier, it has a dependent expansion
   relationship to the suite table, and is shown in Figure 1.
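   The following Python model is an added example, not part of this
   draft or of any IKE implementation. It shows how the endpoint
   table (4.1), the suite table, the phase 2 SA table (4.3.2) and the
   three suite helper tables (4.3.1) relate: the suite index is an
   arbitrary integer, the phase 2 SA table expands each suite into
   rows keyed by (suite index, position) with position 1 being the
   outermost SA, a uni-directional suite carries SPI 0 in the unused
   direction (4.5), and an SA is found by (destination address,
   protocol, SPI). The table descriptors are the draft's; the Python
   field names, sample addresses, SPIs and suite index values are
   constructed for illustration.

```python
# Added example, not part of this draft or of any IKE implementation: an
# in-memory model of ikeEndpointTable, suiteTable, phase2SaTable and the
# three suite helper tables of sections 4.1 and 4.3. Descriptor names are
# the draft's; the Python field names, sample addresses, SPIs and suite
# index values are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROTO_ESP, PROTO_AH = 50, 51            # IP protocol numbers of ESP and AH

@dataclass(frozen=True)
class Endpoint:              # abridged row of ikeEndpointTable
    index: int
    id_type: str             # IpsecDoiIdentType, e.g. "ID_IPV4_ADDR"
    id_value: str
    local: bool

@dataclass(frozen=True)
class Phase2Sa:              # row of phase2SaTable; index is (suite index, position)
    position: int            # 1 == outermost header once all headers are applied
    protocol: int
    spi_in: int              # 0 == direction not used (uni-directional suite, 4.5)
    spi_out: int

@dataclass
class Suite:                 # row of suiteTable, indexed by an arbitrary integer
    index: int
    local_ep: int            # references into ikeEndpointTable
    remote_ep: int
    local_addr: str          # with protocol and SPI these key the IPsec SA tables
    remote_addr: str
    selector: int            # selectorIndex from the IPsec monitoring MIB
    sas: List[Phase2Sa] = field(default_factory=list)

class IkeMonTables:
    def __init__(self) -> None:
        self.endpoints: Dict[int, Endpoint] = {}
        self.suites: Dict[int, Suite] = {}
        # the three helper tables of 4.3.1, kept in step with suiteTable
        self.suite_by_creators: Dict[Tuple[int, int], List[int]] = {}
        self.suite_by_selector: Dict[int, List[int]] = {}
        self.sa_in_suite: Dict[Tuple[str, int, int], int] = {}

    def add_endpoint(self, ep: Endpoint) -> None:
        self.endpoints[ep.index] = ep

    def add_suite(self, suite: Suite) -> None:
        if sorted(sa.position for sa in suite.sas) != list(range(1, len(suite.sas) + 1)):
            raise ValueError("phase2SaTable positions must run 1..n, 1 being outermost")
        if suite.local_ep not in self.endpoints or suite.remote_ep not in self.endpoints:
            raise KeyError("suite refers to an endpoint missing from ikeEndpointTable")
        self.suites[suite.index] = suite
        self.suite_by_creators.setdefault((suite.local_ep, suite.remote_ep), []).append(suite.index)
        self.suite_by_selector.setdefault(suite.selector, []).append(suite.index)
        for sa in suite.sas:
            # (destination address, protocol, SPI) makes an SA unique; SPI 0 means no SA
            if sa.spi_in:
                self.sa_in_suite[(suite.local_addr, sa.protocol, sa.spi_in)] = suite.index
            if sa.spi_out:
                self.sa_in_suite[(suite.remote_addr, sa.protocol, sa.spi_out)] = suite.index

    def suite_for_sa(self, dst_addr: str, protocol: int, spi: int) -> Optional[int]:
        """ipsecSaInSuiteTable lookup: which suite is this SA part of?"""
        return self.sa_in_suite.get((dst_addr, protocol, spi))

    def suites_between(self, local_ep: int, remote_ep: int) -> List[int]:
        """suiteByCreatorsTable lookup: all suites, re-keys included, in creation order."""
        return list(self.suite_by_creators.get((local_ep, remote_ep), []))

    def suites_for_selector(self, selector: int) -> List[int]:
        """suiteBySelectorsTable lookup; several suites per selector during re-keying."""
        return list(self.suite_by_selector.get(selector, []))

    def ipsec_sa_keys(self, suite_index: int) -> List[Tuple[str, str, int, int]]:
        """Keys into the IPsec monitoring MIB's per-protocol SA tables, outermost SA first."""
        s = self.suites[suite_index]
        keys = []
        for sa in sorted(s.sas, key=lambda x: x.position):
            if sa.spi_in:
                keys.append(("in", s.local_addr, sa.protocol, sa.spi_in))
            if sa.spi_out:
                keys.append(("out", s.remote_addr, sa.protocol, sa.spi_out))
        return keys

def build_sample_tables() -> IkeMonTables:
    """Constructed sample data: one local and one remote endpoint, three suites."""
    t = IkeMonTables()
    t.add_endpoint(Endpoint(1, "ID_IPV4_ADDR", "192.0.2.1", local=True))
    t.add_endpoint(Endpoint(2, "ID_IPV4_ADDR", "198.51.100.7", local=False))
    # suite 17: AH+ESP protection suite; AH is the outermost header, so position 1
    t.add_suite(Suite(17, 1, 2, "192.0.2.1", "198.51.100.7", selector=3, sas=[
        Phase2Sa(2, PROTO_ESP, spi_in=0x1002, spi_out=0x2002),
        Phase2Sa(1, PROTO_AH, spi_in=0x1001, spi_out=0x2001)]))
    # suite 18: ESP-only re-key of the same selector (duplicates are normal, 4.3.1)
    t.add_suite(Suite(18, 1, 2, "192.0.2.1", "198.51.100.7", selector=3, sas=[
        Phase2Sa(1, PROTO_ESP, spi_in=0x1003, spi_out=0x2003)]))
    # suite 19: inbound-only ESP; the unused outbound direction carries SPI 0 (4.5)
    t.add_suite(Suite(19, 1, 2, "192.0.2.1", "198.51.100.7", selector=4, sas=[
        Phase2Sa(1, PROTO_ESP, spi_in=0x3001, spi_out=0)]))
    return t
```

   build_sample_tables() returns the populated model; suite_for_sa()
   answers the question the third helper table exists for (given an
   SA seen on the wire, which suite, and so which peers and selector,
   does it belong to), and ipsec_sa_keys() produces the (direction,
   address, protocol, SPI) tuples needed to reach the per-protocol SA
   rows of the IPsec monitoring MIB. Note that a re-key legitimately
   yields two suites for one selector, so a monitoring station must
   not treat duplicate selector rows as an error.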
   The value of the additional index object is the position of the
   particular SA in the suite. The value one is used to indicate the
   outer most SA; that is, the SA whose header appears as the outer
   most after application of all the SA's headers. (In the case of
   IPcomp, the header may be missing for specific packets if the packet
   was not considered compressible; for the purposes of this
   definition, it is assumed the IPcomp header is always applied.)

   The other row elements in this table are the security protocol and
   the SPIs of the inbound and outbound SAs. This information, along
   with the addresses of the suite, can be used to form a lookup into
   the IPsec monitoring MIB's SA table for specific SAs.

4.4 Security Association Bundles

   This MIB does not explicitly show SA bundles or any combination of
   layered SAs that do not meet the suite definition as defined in this
   document. However, these may be represented in these MIBs by
   separate protection suites with the appropriate set of selectors.

4.5 Uni-directional Suites

   This MIB does not explicitly support suites that are uni-directional.
   However, this can be supported by the suite to SA table using a
   value of 0 for the SPI in the particular direction that is not used.

4.6 Oakley Group Tables

   These tables are used to allow an entity to describe the Oakley
   groups that it knows about. Each table contains a row for each of
   the Oakley groups of a specific type. This table does not contain
   the well-known groups. The structure of each table is taken directly
   from Appendix A of [OAKLEY].

   The tables are used to allow both phase 1 SAs and suites to indicate
   how their source keying material was generated if they did not use
   one of the well-known groups. Additionally in the case of suites,
   this method is used if the phase 2 keying material was not derived
   from the phase 1 SA's keying material.
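   A MODP group that is not one of the well-known groups is, from a
   monitoring point of view, the most interesting row in these tables:
   a peer that negotiated a private group with a composite modulus or a
   generator of small order has weakened the Diffie-Hellman exchange
   for every SA derived from it. The following is an added example,
   not from this draft or from any implementation, of the checks a
   management application can apply to one modpGroupTable row
   (modpFieldSize, modpPrime, modpGenerator, modpLPF). It assumes that
   the OCTET STRING columns hold big-endian unsigned integers, which
   the draft does not specify, and it uses the RFC 2409 group 2 prime
   only as a known-good input, even though well-known groups are not
   stored in the table.

```python
# Added example (not from the draft or any implementation): sanity checks on a
# MODP group read from modpGroupTable before trusting it in a monitoring view.
# Assumptions: OCTET STRING columns hold big-endian unsigned integers (the draft
# does not fix an encoding); the test vector is the RFC 2409 group 2 prime, used
# here only as a known-good input (well-known groups are not stored in the table).
import random

def octets_to_int(octets: bytes) -> int:
    """Decode a modp* OCTET STRING column; the empty string encodes 0 ('unspecified')."""
    return int.from_bytes(octets, "big") if octets else 0

def int_to_octets(n: int) -> bytes:
    """Inverse of octets_to_int: minimal big-endian encoding, 0 -> empty string."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with a fixed-seed witness sequence so the check is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xA5)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_modp_row(field_size: int, prime: bytes, generator: bytes, lpf: bytes) -> list:
    """Return the problems found in one modpGroupTable row (empty list == looks sound)."""
    p, g, q = octets_to_int(prime), octets_to_int(generator), octets_to_int(lpf)
    problems = []
    if p.bit_length() !=  field_size:
        problems.append(f"modpFieldSize {field_size} != bit length of modpPrime {p.bit_length()}")
    if not is_probable_prime(p):
        problems.append("modpPrime is not prime")
        return problems                  # the subgroup checks below assume a prime modulus
    if q == 0:
        q = (p - 1) // 2                 # modpLPF unspecified: expect a safe prime and verify it
    if (p - 1) % q != 0 or not is_probable_prime(q):
        problems.append("modpLPF does not divide p-1 or is not prime")
    if not 1 < g < p - 1:
        problems.append("modpGenerator outside 2..p-2")
    elif pow(g, q, p) not in (1, p - 1):
        problems.append("modpGenerator has order neither q nor 2q")
    return problems

# RFC 2409 section 6.2 "Second Oakley Group": 1024-bit prime, generator 2.
GROUP2_PRIME = bytes.fromhex(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
GROUP2_GENERATOR = b"\x02"
GROUP2_LPF = int_to_octets((octets_to_int(GROUP2_PRIME) - 1) // 2)   # (p-1)/2, also prime
# Constructed bad row: 2^1024 - 1 has the right field size but is divisible by 3.
BAD_PRIME = int_to_octets(2**1024 - 1)
```

   check_modp_row() accepts the group 2 row with or without modpLPF
   filled in (an empty modpLPF is taken to mean "0, unspecified", as
   the DESCRIPTION allows, and the safe-prime assumption is then
   verified rather than trusted), rejects the composite modulus, and
   flags a modpFieldSize that disagrees with the prime. The primality
   test is probabilistic; the fixed seed only makes the result
   reproducible between runs.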
4.7 Exchange Table

   This table provides the number of IPsec DOI exchanges tried that
   were used in a phase 1 IKE SA, the number successfully responded to
   in a phase 1 IKE SA and the total number successfully completed in a
   phase 1 IKE SA.

   This table augments the phase 1 security associations table (but
   again, not using the AUGMENTS clause of SNMP).

4.8 Notify Messages

   Notify messages sent from peer to peer are collected as they occur
   and accumulated in a sparse table structure. A notify message object
   is defined. This object is used as the index into the table of
   accumulated notify messages. This helps system administrators
   determine if there are potential configuration problems or attacks
   on their network.

4.9 Traps

   Traps are provided to let system administrators know about the
   existence of error conditions occurring in the entity. Errors are
   associated with the creation and deletion of SAs, and also
   operational errors that may indicate the presence of attacks on the
   system.

   Traps are not provided when SAs come up or go down, unless they
   cannot be negotiated or go down due to error conditions. The causes
   of SA negotiation failure are indicated by a notify message object.

   The transmission of traps may be controlled as well.

4.10 Entity Level Objects

   This part of the MIB carries statistics global to the device.
   Statistics included are aggregate usage and aggregate errors for
   both phase 1 SAs and phase 2 suites. The statistics are provided as
   objects in a tree below these groups.

5. MIB Definitions

IKE-MON-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Unsigned32, Gauge32, OBJECT-IDENTITY, experimental,
    NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TruthValue
        FROM SNMPv2-TC
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
    IpsecRawId, selectorIndex
        FROM IPSEC-SA-MON-MIB
    saLocalIpAddressType, saLocalIpAddress,
    saRemoteIpAddressType, saRemoteIpAddress,
    saInitiatorCookie, saResponderCookie, IsakmpCookie,
    localIpAddressType, localIpAddress, localUdpPort,
    remoteIpAddressType, remoteIpAddress, remoteUdpPort
        FROM ISAKMP-DOI-IND-MON-MIB
    IpsecDoiIdentType, IkeAuthMethod, IkeEncryptionAlgorithm,
    IkeGroupDescription, IkePrf, IkeNotifyMessageType,
    IkeHashAlgorithm, IpsecDoiTransformIdent, IkeExchangeType,
    IpsecDoiSecProtocolId
        FROM IPSEC-ISAKMP-IKE-DOI-TC
    OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
        FROM SNMPv2-CONF;

ikeMonModule MODULE-IDENTITY
    LAST-UPDATED "0007101200Z"
    ORGANIZATION "IETF IPsec Working Group"
    CONTACT-INFO
        "Tim Jenkins
         Catena Networks
         Suite 300
         320 March Road
         Kanata, ON  K2K 2E3
         Canada
         +1 (613) 599-6430
         tjenkins@catenanet.com

         John Shriver
         Intel Corporation
         28 Crosby Drive
         Bedford, MA  01730
         +1 (781) 687-1329
         John.Shriver@intel.com"
    DESCRIPTION
        "The MIB module to describe IKE phase 1 SAs, security
         association suites, and entity level objects and events for
         those types."
    -- REVISION clauses in reverse chronological order, as SMIv2
    -- (RFC 2578) requires
    REVISION "0007101200Z"
    DESCRIPTION
        "Group and compliance statements added. Endpoint table added
         and used in place of explicit phase 1 IDs. Selector table
         from IPsec Monitoring MIB used in place of explicit selectors.
         Replaced addresses with types from INET-ADDRESS-MIB. Added
         IANA assigned experimental number of 106. Changes to notify
         parameters. More text pictures."
    REVISION "9910211200Z"
    DESCRIPTION
        "Initial revision."
    -- replace xxx in next line before release, uncomment before release
    -- ::= { mib-2 xxx }
    -- delete next line before release
    ::= { experimental 106 }

ikeMonMIBObjects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all IKE monitoring MIB
         branches."
    ::= { ikeMonModule 1 }

--
-- significant branches
--

ikePhase1Objects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for IKE phase 1 objects."
    ::= { ikeMonMIBObjects 1 }

ikePhase2Objects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for IKE phase 2 objects,
         including the suite and phase 2 SA tables."
    ::= { ikeMonMIBObjects 2 }

oakleyObjects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for Oakley groups."
    ::= { ikeMonMIBObjects 3 }

ikeGroups OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which
         describe the groups in this MIB."
    ::= { ikeMonMIBObjects 4 }

ikeConformance OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which
         describe the conformance for this MIB."
    ::= { ikeMonMIBObjects 5 }

--
-- significant IKE phase 1 SA branches
--

ikeTables OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for the IKE phase 1
         security associations table."
    ::= { ikePhase1Objects 1 }

ikeGlobals OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which are
         global values for IKE."
    ::= { ikePhase1Objects 2 }

ikeTrafStats OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which are
         global counters for IKE phase 1 traffic statistics."
    ::= { ikePhase1Objects 3 }

ikeErrors OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which are
         global error counters for IKE phase 1 SAs."
    ::= { ikePhase1Objects 4 }

ikeTrapObjects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all trap objects for
         the IKE phase 1 SA portion of this MIB."
    ::= { ikePhase1Objects 5 }

ikeTrapControl OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all trap controls for
         the IKE phase 1 SA portion of this MIB."
    ::= { ikePhase1Objects 6 }

ikeTraps OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all traps for the IKE
         phase 1 SA portion of this MIB."
    ::= { ikePhase1Objects 7 }

ikeNotifications OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all notification
         objects of this MIB."
    ::= { ikePhase1Objects 8 }

--
-- significant SA suite branches
--

suiteTables OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for the suite table."
    ::= { ikePhase2Objects 1 }

suiteGlobals OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which are
         global values for suites."
    ::= { ikePhase2Objects 2 }

suiteTrafStats OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which are
         global counters for suite traffic statistics."
    ::= { ikePhase2Objects 3 }

suiteErrors OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all objects which are
         global error counters for suites."
    ::= { ikePhase2Objects 4 }

suiteTrapControl OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all trap controls for
         the suite portion of this MIB."
    ::= { ikePhase2Objects 5 }

suiteTraps OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "This is the base object identifier for all traps for the suite
         portion of this MIB."
    ::= { ikePhase2Objects 6 }

--
-- the Oakley Group MIB-Group
--
-- a collection of objects providing information about the
-- Oakley Groups that the entity knows about that are not well known
--
-- A table is defined for each type of Oakley group
-- (each value in 'IkeGroupDescription').
--
-- This MIB has tables for groups of type MODP, ECP, or EC2N.
-- For groups that are not MODP, ECP, or EC2N, a new table should be
-- defined in a MIB for that group. The table should have one
-- integer index, which should be the first column. The columns
-- should be the IKE attributes used by that new type of group.
--

modpGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF ModpGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing Oakley MODP groups that are
         not well known that the entity has negotiated or knows about.
         There should be one row for every Oakley MODP group negotiated
         or supported by the entity that is not a well-known group.
         The maximum number of rows is implementation dependent."
    ::= { oakleyObjects 1 }

modpGroupEntry OBJECT-TYPE
    SYNTAX      ModpGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
         particular Oakley MODP group. A row in this table cannot be
         created or deleted by SNMP operations on columns of the
         table."
    INDEX       { modpGroupIndex }
    ::= { modpGroupTable 1 }

ModpGroupEntry ::= SEQUENCE {
    modpGroupIndex      Unsigned32,
    -- component parts
    modpFieldSize       Unsigned32,
    modpPrime           OCTET STRING,
    modpGenerator       OCTET STRING,
    modpLPF             OCTET STRING,
    modpStrength        Unsigned32
}

modpGroupIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each Oakley MODP group.
         It is recommended that values are assigned contiguously
         starting from 1. The value for each MODP group must remain
         constant at least from one re-initialization of the entity's
         network management system to the next re-initialization."
    ::= { modpGroupEntry 1 }

modpFieldSize OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size of a field element, in bits."
    REFERENCE   "RFC 2412 Appendix A"
    ::= { modpGroupEntry 2 }

modpPrime OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The prime of the MODP group."
    REFERENCE   "RFC 2412 Appendix A"
    ::= { modpGroupEntry 3 }

modpGenerator OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The generator value of the MODP group."
    REFERENCE   "RFC 2412 Appendix A"
    ::= { modpGroupEntry 4 }

modpLPF OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The largest prime factor of the group size, or 0 if
         unspecified."
    REFERENCE   "RFC 2412 Appendix A"
    ::= { modpGroupEntry 5 }

modpStrength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The strength of the group, which is approximately the number
         of key-bits protected, or 0 if unspecified."
    REFERENCE   "RFC 2412 Appendix A"
    ::= { modpGroupEntry 6 }

ecpGroupTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EcpGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The (conceptual) table containing Oakley ECP groups that are
         not well known that the entity has negotiated or knows about.
         There should be one row for every Oakley ECP group negotiated
         or supported by the entity that is not a well-known group.
         The maximum number of rows is implementation dependent."
    ::= { oakleyObjects 2 }

ecpGroupEntry OBJECT-TYPE
    SYNTAX      EcpGroupEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (conceptual row) containing the information on a
         particular Oakley ECP group. A row in this table cannot be
         created or deleted by SNMP operations on columns of the
         table."
    INDEX       { ecpGroupIndex }
    ::= { ecpGroupTable 1 }

EcpGroupEntry ::= SEQUENCE {
    ecpGroupIndex       Unsigned32,
    -- component parts
    ecpFieldSize        Unsigned32,
    ecpPrime            OCTET STRING,
    ecpGeneratorOne     OCTET STRING,
    ecpGeneratorTwo     OCTET STRING,
    ecpParameterOne     OCTET STRING,
    ecpParameterTwo     OCTET STRING,
    ecpLPF              OCTET STRING,
    ecpOrder            OCTET STRING,
    ecpStrength         Unsigned32
}

ecpGroupIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique value, greater than zero, for each Oakley ECP group.
         It is recommended that values are assigned contiguously
         starting from 1. The value for each ECP group must remain
         constant at least from one re-initialization of the entity's
         network management system to the next re-initialization."
    ::= { ecpGroupEntry 1 }

ecpFieldSize OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "bits"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The size of a field element, in bits."
    REFERENCE   "RFC 2412 Appendix A"
    ::= { ecpGroupEntry 2 }

ecpPrime OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..511))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The prime of the ECP group."
REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 3 } ecpGeneratorOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only Jenkins & Shriver [Page 21] Internet Draft IKE Monitoring MIB July 13, 2000 STATUS current DESCRIPTION "The first generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 4 } ecpGeneratorTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 5 } ecpParameterOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 6 } ecpParameterTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 7 } ecpLPF OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The largest prime factor of the group size, or 0 if unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 8 } ecpOrder OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current Jenkins & Shriver [Page 22] Internet Draft IKE Monitoring MIB July 13, 2000 DESCRIPTION "The order of the group, or 0 if it is unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 9 } ecpStrength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The strength of the group, which is approximately the number of key-bits protected." REFERENCE "RFC 2412 Appendix A" ::= { ecpGroupEntry 10 } ec2nGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF Ec2nGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing Oakley EC2N groups that are not well known that the entity has negotiated or knows about. 
There should be one row for every Oakley group negotiated or supported by the entity that is not a well-known group. The maximum number of rows is implementation dependent." ::= { oakleyObjects 3 } ec2nGroupEntry OBJECT-TYPE SYNTAX Ec2nGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) containing the information on a particular Oakley EC2N group. A row in this table cannot be created or deleted by SNMP operations on columns of the table." INDEX { ec2nGroupIndex } ::= { ec2nGroupTable 1 } Ec2nGroupEntry ::= SEQUENCE { ec2nGroupIndex Unsigned32, -- component parts ec2nDegree Unsigned32, Jenkins & Shriver [Page 23] Internet Draft IKE Monitoring MIB July 13, 2000 ec2nIrrPoly OCTET STRING, ec2nGeneratorOne OCTET STRING, ec2nGeneratorTwo OCTET STRING, ec2nParameterOne OCTET STRING, ec2nParameterTwo OCTET STRING, ec2nLPF OCTET STRING, ec2nOrder OCTET STRING, ec2nStrength Unsigned32 } ec2nGroupIndex OBJECT-TYPE SYNTAX Unsigned32 (1..16777215) MAX-ACCESS read-only STATUS current DESCRIPTION "A unique value, greater than zero, for each Oakley EC2N group. It is recommended that values are assigned contiguously starting from 1. The value for each EC2N group must remain constant at least from one re-initialization of entity's network management system to the next re-initialization." ::= { ec2nGroupEntry 1 } ec2nDegree OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The degree of the irreducible polynomial." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 2 } ec2nIrrPoly OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The prime or the irreducible field polynomial." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 3 } ec2nGeneratorOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first generator value of the group." 
Jenkins & Shriver [Page 24] Internet Draft IKE Monitoring MIB July 13, 2000 REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 4 } ec2nGeneratorTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second generator value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 5 } ec2nParameterOne OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The first elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 6 } ec2nParameterTwo OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The second elliptic curve parameter value of the group." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 7 } ec2nLPF OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The largest prime factor of the group size, or 0 if unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 8 } ec2nOrder OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..511)) MAX-ACCESS read-only STATUS current DESCRIPTION "The order of the group, or 0 if it is unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 9 } Jenkins & Shriver [Page 25] Internet Draft IKE Monitoring MIB July 13, 2000 ec2nStrength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The strength of the group, which is approximately the number of key-bits protected, or 0 if it is unspecified." REFERENCE "RFC 2412 Appendix A" ::= { ec2nGroupEntry 10 } -- -- the IKE Endpoint Table -- -- a collection of objects providing information about -- the endpoints involved with IKE in this entity -- ikeEndpointTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeEndpointEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table containing information about the endpoints involved IKE in this entity. 
            There is one row for each endpoint that is active in or
            with the entity, including remote endpoints and local
            endpoints.

            The maximum number of rows is implementation dependent."
        ::= { ikeTables 1 }

    ikeEndpointEntry OBJECT-TYPE
        SYNTAX      IkeEndpointEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing an IKE ID.

            A row in this table cannot be created or deleted by SNMP
            operations on columns of the table. It is not necessary to
            delete rows for endpoints that are no longer active; this
            is implementation dependent."
        INDEX { endpointIndex }
        ::= { ikeEndpointTable 1 }

    IkeEndpointEntry ::= SEQUENCE {
        -- index
        endpointIndex           Unsigned32,
        -- ID and authentication information
        endpointIdType          IpsecDoiIdentType,
        endpointIdValue         IpsecRawId,
        endpointCertSerialNum   OCTET STRING,
        endpointCertIssuer      OCTET STRING,
        -- other info about the ID, including statistics
        endpointIsLocal         TruthValue,
        endpointCurrentIkeSAs   Gauge32,
        endpointTotalIkeSAs     Counter32,
        endpointCurrentSuites   Gauge32,
        endpointTotalSuites     Counter32
    }

    endpointIndex OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value, greater than zero, for each endpoint
            associated with the entity, whether local or remote. It is
            recommended that values are assigned contiguously starting
            from 1."
        ::= { ikeEndpointEntry 1 }

    endpointIdType OBJECT-TYPE
        SYNTAX      IpsecDoiIdentType
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of ID used by the endpoint. This is the type of
            the ID that is used by the endpoint during phase 1
            negotiations.

            If this is not a local endpoint, then this value is taken
            directly from the phase 1 exchange with the remote
            endpoint."
        REFERENCE
            "RFC 2407 Section 4.6.2.1"
        ::= { ikeEndpointEntry 2 }

    endpointIdValue OBJECT-TYPE
        SYNTAX      IpsecRawId
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The ID of the endpoint. This is the ID value that is used
            by the endpoint during phase 1 negotiations.

            If this is not a local endpoint, then this value is taken
            directly from the phase 1 exchange with the remote
            endpoint."
        REFERENCE
            "RFC 2407 Section 4.6.2.1"
        ::= { ikeEndpointEntry 3 }

    endpointCertSerialNum OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (0..63))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The serial number of the certificate used by the endpoint.
            This object has no meaning if a certificate was not used in
            authenticating the endpoint."
        ::= { ikeEndpointEntry 4 }

    endpointCertIssuer OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (0..511))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The issuer name of the certificate used by the endpoint.
            This object has no meaning if a certificate was not used in
            authenticating the endpoint."
        ::= { ikeEndpointEntry 5 }

    endpointIsLocal OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "True if this row represents a local endpoint (the entity
            uses this endpoint)."
        ::= { ikeEndpointEntry 6 }

    endpointCurrentIkeSAs OBJECT-TYPE
        SYNTAX      Gauge32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of current IKE SAs in the entity for which this
            endpoint is found at one end."
        ::= { ikeEndpointEntry 7 }

    endpointTotalIkeSAs OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of IKE SAs in the entity for which this
            endpoint is or was found at one end."
        ::= { ikeEndpointEntry 8 }

    endpointCurrentSuites OBJECT-TYPE
        SYNTAX      Gauge32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of current phase 2 SA suites in the entity that
            this endpoint was involved in the creation of."
        ::= { ikeEndpointEntry 9 }

    endpointTotalSuites OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of phase 2 SA suites in the entity that
            this endpoint was involved in the creation of."
        ::= { ikeEndpointEntry 10 }

    --
    -- the IKE Phase 1 SA MIB-Group
    --
    -- a collection of objects providing information about
    -- the IKE phase 1 SAs
    --

    ikeSaTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IkeSaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing the IKE SAs.

            The number of rows is the same as the number of IKE phase 1
            SAs that are in the process of being negotiated or are
            negotiated in the entity. Phrased another way, there is a
            row in this table for each row in 'saTable' for which
            'saDoi' is 'ipsecDOI(1)'.

            The maximum number of rows is implementation dependent."
        ::= { ikeTables 2 }

    ikeSaEntry OBJECT-TYPE
        SYNTAX      IkeSaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on a
            particular IKE SA. There is an entry in this table for each
            'saEntry' in which 'saDoi' is 'ipsecDOI(1)'.

            A row in this table cannot be created or deleted by SNMP
            operations on columns of the table."
        INDEX { saLocalIpAddressType,
                saLocalIpAddress,
                saRemoteIpAddressType,
                saRemoteIpAddress,
                saInitiatorCookie,
                saResponderCookie }
        ::= { ikeSaTable 1 }

    IkeSaEntry ::= SEQUENCE {
        -- ID and authentication information
        saAuthMethod            IkeAuthMethod,
        saPeerEndpoint          Unsigned32,
        saLocalEndpoint         Unsigned32,
        -- security algorithm information
        saEncAlg                IkeEncryptionAlgorithm,
        saEncKeyLength          Unsigned32,
        saHashAlg               IkeHashAlgorithm,
        saHashKeyLength         Unsigned32,
        saPRF                   IkePrf,
        saOakleyGroupDesc       IkeGroupDescription,
        saOakleyGroup           OBJECT IDENTIFIER,
        -- expiration limits
        saLimitSeconds          Unsigned32,   -- 0 if none
        saLimitKbytes           Unsigned32,   -- 0 if none
        saLimitKeyUses          Unsigned32,   -- 0 if none
        -- current operating statistics
        saAccKbytes             Counter32,
        saKeyUses               Counter32,
        saCreatedSuites         Counter32,
        saDeletedSuites         Counter32,
        -- error counts
        saDecryptErrors         Counter32,
        saHashErrors            Counter32,
        saOtherReceiveErrors    Counter32,
        saSendErrors            Counter32
    }

    saAuthMethod OBJECT-TYPE
        SYNTAX      IkeAuthMethod
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The authentication method used to authenticate the peers.
            Note that this does not include the specific method of
            extended authentication if extended authentication is
            used."
        ::= { ikeSaEntry 1 }

    saPeerEndpoint OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the endpoint table row for the peer endpoint
            that negotiated this SA. In other words, the value of
            'endpointIndex' for the appropriate row ('ikeEndpointEntry')
            from the 'ikeEndpointTable'."
        ::= { ikeSaEntry 2 }

    saLocalEndpoint OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the endpoint table row for the local endpoint
            that negotiated this SA. In other words, the value of
            'endpointIndex' for the appropriate row ('ikeEndpointEntry')
            from the 'ikeEndpointTable'."
        ::= { ikeSaEntry 3 }

    saEncAlg OBJECT-TYPE
        SYNTAX      IkeEncryptionAlgorithm
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The encryption algorithm used to protect this SA."
        ::= { ikeSaEntry 4 }

    saEncKeyLength OBJECT-TYPE
        SYNTAX      Unsigned32 (0..65531)
        UNITS       "bits"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The length of the encryption key in bits used for the
            algorithm specified in the 'saEncAlg' object. It may be 0
            if the key length is implicit in the specified algorithm."
        ::= { ikeSaEntry 5 }

    saHashAlg OBJECT-TYPE
        SYNTAX      IkeHashAlgorithm
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The hash algorithm used to protect this SA."
        ::= { ikeSaEntry 6 }

    saHashKeyLength OBJECT-TYPE
        SYNTAX      Unsigned32 (0..65531)
        UNITS       "bits"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The length of the hash key in bits used for the algorithm
            specified in the 'saHashAlg' object. It may be 0 if the key
            length is implicit in the specified algorithm."
        ::= { ikeSaEntry 7 }

    saPRF OBJECT-TYPE
        SYNTAX      IkePrf
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The pseudo-random function used by this SA, or 0 if the
            HMAC version of the negotiated hash algorithm is used as a
            pseudo-random function."
        REFERENCE
            "RFC 2409 Appendix A"
        ::= { ikeSaEntry 8 }

    saOakleyGroupDesc OBJECT-TYPE
        SYNTAX      IkeGroupDescription
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The group number used to generate the Diffie-Hellman key
            pair when setting up the SA, or 0 if none of the defined
            groups was used. If this value is 0, the 'saOakleyGroup'
            must not also be OBJECT IDENTIFIER { 0 0 }."
        REFERENCE
            "RFC 2409 Section 6"
        ::= { ikeSaEntry 9 }

    saOakleyGroup OBJECT-TYPE
        SYNTAX      OBJECT IDENTIFIER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The object identifier of the Oakley group row that was
            used if a well-known group was not used to generate the
            Diffie-Hellman key pair for this SA. If a well-known group
            was used, the value should be set to the OBJECT IDENTIFIER
            { 0 0 }.

            For example, if the group is a MODP group, the value of
            this object is the object identifier of 'modpGroupIndex' of
            the appropriate row ('modpGroupEntry') in
            'modpGroupTable'."
        REFERENCE
            "RFC 2409 Section 6"
        ::= { ikeSaEntry 10 }

    saLimitSeconds OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum number of seconds the SA is allowed to exist,
            or 0 if there is no time-based limit on the existence of
            the SA.

            The display value is limited to 4,294,967,295 seconds (more
            than 136 years); values greater than that value will be
            truncated."
        ::= { ikeSaEntry 11 }

    saLimitKbytes OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "kilobytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum number of kilobytes the SA is allowed to
            encrypt before it expires, or 0 if there is no
            traffic-by-byte-based limit on the existence of the SA.

            The display value is limited to 4,294,967,295 kilobytes
            (more than 4,194,304 Mbyte); values greater than that value
            will be truncated."
        ::= { ikeSaEntry 12 }

    saLimitKeyUses OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum number of times the SA is allowed to provide
            keying material from its own Diffie-Hellman exchange before
            it expires, or 0 if there is no keying material-based limit
            on the existence of the SA."
        ::= { ikeSaEntry 13 }

    saAccKbytes OBJECT-TYPE
        SYNTAX      Counter32
        UNITS       "kilobytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of kilobytes the SA has encrypted that count
            against any lifetime restriction based on traffic. This
            value may be 0 if there is no such restriction."
        ::= { ikeSaEntry 14 }

    saKeyUses OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of times the SA has provided keying material
            derived from its own original Diffie-Hellman exchange."
        ::= { ikeSaEntry 15 }

    saCreatedSuites OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of SA suites that this SA has
            successfully created. In other words, the total number of
            successful quick mode exchanges multiplied by the number of
            SA payloads in each of those exchanges."
        ::= { ikeSaEntry 16 }

    saDeletedSuites OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of SA suites that this SA has sent or
            received SA suite delete notifications for. When delete
            notifications are sent or received for more than one SA in
            an SA suite, this number shall be incremented by one, and
            not by the number of SAs in the suite that were deleted."
        ::= { ikeSaEntry 17 }

    saDecryptErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets inbound to this SA that were
            discarded due to decryption errors."
        ::= { ikeSaEntry 18 }

    saHashErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets inbound to this SA that were
            discarded due to hash result errors."
        ::= { ikeSaEntry 19 }

    saOtherReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets inbound to this SA that were
            discarded due to errors other than decryption or hash
            result errors. This may include packets dropped due to a
            lack of receive buffer space."
        ::= { ikeSaEntry 20 }

    saSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of packets outbound from this SA that
            were discarded due to errors. This may include packets
            dropped due to a lack of transmit buffer space."
        ::= { ikeSaEntry 21 }

    --
    -- the IKE SA By Creators Table
    --

    saByCreatorsTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF SaByCreatorsEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table that sorts the IKE phase 1 SAs by
            the endpoint identifiers.

            The number of rows in this table is the same as the number
            of IKE phase 1 SAs in the entity."
        ::= { ikeTables 3 }

    saByCreatorsEntry OBJECT-TYPE
        SYNTAX      SaByCreatorsEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) referencing a particular IKE
            phase 1 SA.

            A row in this table cannot be created or deleted by SNMP
            operations on columns of the table."
        INDEX { saByCreatorsLocalEndpoint,
                saByCreatorsRemoteEndpoint,
                saByCreatorsIndex }
        ::= { saByCreatorsTable 1 }

    SaByCreatorsEntry ::= SEQUENCE {
        -- index
        saByCreatorsLocalEndpoint   Unsigned32,
        saByCreatorsRemoteEndpoint  Unsigned32,
        saByCreatorsIndex           Unsigned32,
        -- phase 1 SA reference
        saIkeLocalIpAddressType     InetAddressType,
        saIkeLocalIpAddress         InetAddress,
        saIkeRemoteIpAddressType    InetAddressType,
        saIkeRemoteIpAddress        InetAddress,
        saIkeInitiatorCookie        IsakmpCookie,
        saIkeResponderCookie        IsakmpCookie
    }

    saByCreatorsLocalEndpoint OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the endpoint table row for the local
            endpoint."
        ::= { saByCreatorsEntry 1 }

    saByCreatorsRemoteEndpoint OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the endpoint table row for the remote
            endpoint."
        ::= { saByCreatorsEntry 2 }

    saByCreatorsIndex OBJECT-TYPE
        SYNTAX      Unsigned32 (1..16777215)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value, greater than zero, for each IKE phase 1 SA
            that exists between the two endpoints. It is recommended
            that values are assigned contiguously starting from 1."
        ::= { saByCreatorsEntry 3 }

    saIkeLocalIpAddressType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of 'saLocalIpAddressType' of the phase 1 SA for
            this row."
        ::= { saByCreatorsEntry 4 }

    saIkeLocalIpAddress OBJECT-TYPE
        SYNTAX      InetAddress (SIZE(4|16|20))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of 'saLocalIpAddress' of the phase 1 SA for this
            row."
        ::= { saByCreatorsEntry 5 }

    saIkeRemoteIpAddressType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of 'saRemoteIpAddressType' of the phase 1 SA for
            this row."
        ::= { saByCreatorsEntry 6 }

    saIkeRemoteIpAddress OBJECT-TYPE
        SYNTAX      InetAddress (SIZE(4|16|20))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of 'saRemoteIpAddress' of the phase 1 SA for
            this row."
        ::= { saByCreatorsEntry 7 }

    saIkeInitiatorCookie OBJECT-TYPE
        SYNTAX      IsakmpCookie
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of 'saInitiatorCookie' of the phase 1 SA for
            this row."
        ::= { saByCreatorsEntry 8 }

    saIkeResponderCookie OBJECT-TYPE
        SYNTAX      IsakmpCookie
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of 'saResponderCookie' of the phase 1 SA for
            this row."
        ::= { saByCreatorsEntry 9 }

    --
    -- the Exchange Count MIB-Group
    --
    -- a collection of objects providing information about the
    -- number of exchanges performed using ISAKMP-based SAs
    --

    exchangeTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF ExchangeEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing the exchanges used.

            There should be one row for every exchange attempt that has
            occurred using a phase 1 security association that exists
            in the entity.

            The maximum number of rows is implementation dependent."
        ::= { ikeTables 4 }

    exchangeEntry OBJECT-TYPE
        SYNTAX      ExchangeEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on a
            particular exchange used in an SA.

            A row in this table cannot be created or deleted by SNMP
            operations on columns of the table."
        INDEX { saLocalIpAddressType,
                saLocalIpAddress,
                saRemoteIpAddressType,
                saRemoteIpAddress,
                saInitiatorCookie,
                saResponderCookie,
                exchangeType }
        ::= { exchangeTable 1 }

    ExchangeEntry ::= SEQUENCE {
        -- identification
        exchangeType            IkeExchangeType,
        -- the statistics
        exchangeTotalCount      Counter32,
        exchangeInitiatedCount  Counter32,
        exchangeRespondedCount  Counter32
    }

    exchangeType OBJECT-TYPE
        SYNTAX      IkeExchangeType
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of the exchange for which the statistics of this
            row apply."
        ::= { exchangeEntry 1 }

    exchangeTotalCount OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of complete exchanges of the type
            performed using the SA, as either initiator or as
            responder. If there were failed attempts to initiate
            exchanges, this value is not equal to the sum of
            'exchangeInitiatedCount' and 'exchangeRespondedCount'."
        ::= { exchangeEntry 2 }

    exchangeInitiatedCount OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of exchanges of the type attempted using
            the SA as initiator. This includes exchanges that failed or
            were incomplete."
        ::= { exchangeEntry 3 }

    exchangeRespondedCount OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of complete exchanges of the type
            performed using the SA as responder."
        ::= { exchangeEntry 4 }

    --
    -- the Suite MIB-Group
    --
    -- a collection of objects providing information about
    -- the phase 2 SA suites
    --

    suiteTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF SuiteEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing the phase 2 suites.

            The number of rows in this table is the same as the number
            of suites in the entity.

            The maximum number of rows is implementation dependent."
        ::= { suiteTables 1 }

    suiteEntry OBJECT-TYPE
        SYNTAX      SuiteEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on a
            particular phase 2 SA suite.

            A row in this table cannot be created or deleted by SNMP
            operations on columns of the table."
        INDEX { suiteIndex }
        ::= { suiteTable 1 }

    SuiteEntry ::= SEQUENCE {
        -- index
        suiteIndex                  Unsigned32,
        -- end points
        suiteLocalAddressType       InetAddressType,
        suiteLocalAddress           InetAddress,
        suiteRemoteAddressType      InetAddressType,
        suiteRemoteAddress          InetAddress,
        -- creator ID information
        suitePhase1RemoteEndpoint   Unsigned32,
        suitePhase1LocalEndpoint    Unsigned32,
        -- selector
        suiteSelector               Unsigned32,
        -- keying material source information
        suiteOakleyGroupDesc        IkeGroupDescription,
        suiteOakleyGroup            OBJECT IDENTIFIER,
        -- operating statistics
        suiteLifeSeconds            Counter32,
        suiteInUserOctets           Counter64,
        suiteInPackets              Counter64,
        suiteOutUserOctets          Counter64,
        suiteOutPackets             Counter64,
        -- error statistics
        suiteSendErrors             Counter32,
        suiteReceiveErrors          Counter32
    }

    suiteIndex OBJECT-TYPE
        SYNTAX      Unsigned32 (1..16777215)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value, greater than zero, for each SA suite. It
            is recommended that values are assigned contiguously
            starting from 1."
        ::= { suiteEntry 1 }

    suiteLocalAddressType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of address used by the local entity that
            negotiated the SA suite."
        ::= { suiteEntry 2 }

    suiteLocalAddress OBJECT-TYPE
        SYNTAX      InetAddress (SIZE(4|16|20))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The address used by the local entity that negotiated the
            SA suite."
        ::= { suiteEntry 3 }

    suiteRemoteAddressType OBJECT-TYPE
        SYNTAX      InetAddressType
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of address used by the remote entity that
            negotiated the SA suite."
        ::= { suiteEntry 4 }

    suiteRemoteAddress OBJECT-TYPE
        SYNTAX      InetAddress (SIZE(4|16|20))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The address used by the remote entity that negotiated the
            SA suite."
        ::= { suiteEntry 5 }

    suitePhase1RemoteEndpoint OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the endpoint table row for the remote entity
            that negotiated this suite. In other words, the value of
            'endpointIndex' for the appropriate row ('ikeEndpointEntry')
            from the 'ikeEndpointTable'."
        ::= { suiteEntry 6 }

    suitePhase1LocalEndpoint OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the endpoint table row for the local entity
            that negotiated this suite. In other words, the value of
            'endpointIndex' for the appropriate row ('ikeEndpointEntry')
            from the 'ikeEndpointTable'."
        ::= { suiteEntry 7 }

    suiteSelector OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The index of the selector table row for this suite. In
            other words, the value of 'selectorIndex' for the
            appropriate row ('SelectorEntry') from the
            'selectorTable'."
        ::= { suiteEntry 8 }

    suiteOakleyGroupDesc OBJECT-TYPE
        SYNTAX      IkeGroupDescription
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The group number used to generate the Diffie-Hellman key
            pair when setting up the SA, or 0 if none of the well known
            groups was used, or if perfect forward secrecy was not
            used."
        ::= { suiteEntry 9 }

    suiteOakleyGroup OBJECT-TYPE
        SYNTAX      OBJECT IDENTIFIER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The table index value of the Oakley group row that was
            used if a well-known group was not used to generate the
            Diffie-Hellman key pair for this SA. If a well-known group
            was used, or if perfect forward secrecy was not used, the
            value should be set to the OBJECT IDENTIFIER { 0 0 }."
        ::= { suiteEntry 10 }

    suiteLifeSeconds OBJECT-TYPE
        SYNTAX      Counter32
        UNITS       "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of seconds that the SA has existed."
        ::= { suiteEntry 11 }

    suiteInUserOctets OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of user level traffic measured in bytes handled
            by the suite in the inbound direction. This is the same as
            the user level traffic of the inner-most inbound SA in the
            suite.

            Note that if the inner-most SA is a shared IPcomp SA, then
            this value may be difficult to calculate."
        ::= { suiteEntry 12 }

    suiteInPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets handled by the suite. This
            is the same as the number of packets handled by any one of
            the inbound SAs in the suite."
        ::= { suiteEntry 13 }

    suiteOutUserOctets OBJECT-TYPE
        SYNTAX      Counter64
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of user level traffic measured in bytes handled
            by the suite in the outbound direction. This is the same as
            the user level traffic of the inner-most outbound SA in the
            suite.

            Note that if the inner-most SA is a shared IPcomp SA, then
            this value may be difficult to calculate."
        ::= { suiteEntry 14 }

    suiteOutPackets OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of outbound packets handled by the suite. This
            is the same as the number of packets handled by any one of
            the outbound SAs in the suite."
        ::= { suiteEntry 15 }

    suiteSendErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of outbound packets discarded by the suite due
            to any error. This is the same as the sum of all errors of
            all outbound SAs in the suite."
        ::= { suiteEntry 16 }

    suiteReceiveErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the suite due
            to any error. This is the same as the sum of all errors of
            all inbound SAs in the suite."
        ::= { suiteEntry 17 }

    --
    -- the Phase 2 SA MIB-Group
    --
    -- a collection of objects providing information about
    -- the phase 2 SAs in SA suites
    --

    phase2SaTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF Phase2SaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing ID information for the
            phase 2 SAs that are part of suites.

            The number of rows in this table is the same as the number
            of phase 2 IPsec SA pairs that are created as part of
            suites.

            The maximum number of rows is implementation dependent."
        ::= { suiteTables 3 }

    phase2SaEntry OBJECT-TYPE
        SYNTAX      Phase2SaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on a
            particular phase 2 SA within a suite.

            A row in this table cannot be created or deleted by SNMP
            operations on columns of the table."
INDEX { suiteIndex, saOrder } ::= { phase2SaTable 1 } Phase2SaEntry ::= SEQUENCE { -- additional indexing objects saOrder Unsigned32, -- SA identifiers saProtocol IpsecDoiTransformIdent, saInSpi Unsigned32, saOutSpi Unsigned32 } saOrder OBJECT-TYPE SYNTAX Unsigned32 (1..15) MAX-ACCESS read-only STATUS current DESCRIPTION "The position within the suite of the pair of SAs indicated by this row. A value of 1 is used to represent the outer-most SA pair. The outer-most SA of any given packet has its header next to the outer IP header of the processed packet, while the inner-most SA has its header nearest the data of the unprocessed packet. (Note that the IPcomp header may be missing in actual usage if a particular packet was not compressed.) This value should be monotonically increasing for every SA pair in a suite. The maximum value is implementation dependent, but will generally not exceed three." ::= { phase2SaEntry 1 } saProtocol OBJECT-TYPE SYNTAX IpsecDoiTransformIdent MAX-ACCESS read-only STATUS current Jenkins & Shriver [Page 47] Internet Draft IKE Monitoring MIB July 13, 2000 DESCRIPTION "The protocol of the inbound/outbound SA pair indicated by this row of the table." ::= { phase2SaEntry 2 } saInSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the inbound SA of the inbound/outbound SA pair. If the protocol of the SA pair is IPcomp, this value is the CPI. This value is used with the value of 'suiteLocalAddress' from the row indexed by 'suiteIndex' to create a SPI/address pair that uniquely identifies the inbound SA used in this SA suite. This can then be used to look up the SA in the appropriate inbound SA table, based on 'saProtocol'." REFERENCE "RFC 2406 Section 2.1" ::= { phase2SaEntry 3 } saOutSpi OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "The security parameters index of the outbound SA of the inbound/outbound SA pair. 
                 If the protocol of the SA pair is IPcomp, this value
                 is the CPI.

                 This value is used with the value of
                 'suiteLocalAddress' from the row indexed by
                 'suiteIndex' to create a SPI/address pair that
                 uniquely identifies the outbound SA used in this SA
                 suite. This can then be used to look up the SA in the
                 appropriate outbound SA table, based on 'saProtocol'."
    REFERENCE   "RFC 2406 Section 2.1"
    ::= { phase2SaEntry 4 }

--
-- the Phase 2 Suite By Creators Table
--

suiteByCreatorsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SuiteByCreatorsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "The (conceptual) table that sorts the SA suites by
                 the endpoint identifiers.

                 The number of rows in this table is the same as the
                 number of suites in the entity."
    ::= { suiteTables 4 }

suiteByCreatorsEntry OBJECT-TYPE
    SYNTAX      SuiteByCreatorsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry (conceptual row) referencing a particular
                 suite.

                 A row in this table cannot be created or deleted by
                 SNMP operations on columns of the table."
    INDEX       { suiteByCreatorsP1LocalEndpoint,
                  suiteByCreatorsP1RemoteEndpoint,
                  suiteByCreatorsIndex }
    ::= { suiteByCreatorsTable 1 }

SuiteByCreatorsEntry ::= SEQUENCE {
    -- index
    suiteByCreatorsP1LocalEndpoint      Unsigned32,
    suiteByCreatorsP1RemoteEndpoint     Unsigned32,
    suiteByCreatorsIndex                Unsigned32,
    -- suite reference
    suiteByCreatorsRef                  OBJECT IDENTIFIER
}

suiteByCreatorsP1LocalEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The index of the endpoint table row for the local
                 endpoint."
    ::= { suiteByCreatorsEntry 1 }

suiteByCreatorsP1RemoteEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The index of the endpoint table row for the remote
                 endpoint."
    ::= { suiteByCreatorsEntry 2 }

suiteByCreatorsIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "A unique value, greater than zero, for each SA suite
                 that is between the two endpoints. It is recommended
                 that values are assigned contiguously starting from 1
                 for each SA suite between the two endpoints.

                 Note that duplicate entries for the saByCreatorsHash
                 value may also arise due to hash result collisions."
    ::= { suiteByCreatorsEntry 3 }

suiteByCreatorsRef OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The value of 'suiteIndex' in the row ('suiteEntry')
                 of the 'suiteTable' to which this row refers."
    ::= { suiteByCreatorsEntry 4 }

--
-- the Phase 2 Suite By Selector Table
--

suiteBySelectorsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SuiteBySelectorsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "The (conceptual) table that sorts the suites by the
                 selectors.

                 The number of rows in this table is the same as the
                 number of suites in the entity.

                 The maximum number of rows in this table is
                 implementation dependent."
    ::= { suiteTables 5 }

suiteBySelectorsEntry OBJECT-TYPE
    SYNTAX      SuiteBySelectorsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry (conceptual row) referencing a particular
                 suite.

                 A row in this table cannot be created or deleted by
                 SNMP operations on columns of the table."
    INDEX       { selectorIndex, suiteBySelectorsIndex }
    ::= { suiteBySelectorsTable 1 }

SuiteBySelectorsEntry ::= SEQUENCE {
    -- additional index
    suiteBySelectorsIndex       Unsigned32,
    -- suite reference
    suiteBySelectorsRef         OBJECT IDENTIFIER
}

suiteBySelectorsIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..16777215)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "A unique value, greater than zero, for each SA suite
                 that has the same selectors. It is recommended that
                 values are assigned contiguously starting from 1."
    ::= { suiteBySelectorsEntry 1 }

suiteBySelectorsRef OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The value of 'suiteIndex' in the row ('suiteEntry')
                 of the 'suiteTable' to which this row refers."
    ::= { suiteBySelectorsEntry 2 }

--
-- the Phase 2 SA to Suite Table
--

ipsecSaInSuiteTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsecSaInSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "The (conceptual) table that allows determination of
                 which suite a particular phase 2 SA is in.

                 The number of rows in this table is the same as the
                 number of phase 2 SAs in the entity."
    ::= { suiteTables 6 }

ipsecSaInSuiteEntry OBJECT-TYPE
    SYNTAX      IpsecSaInSuiteEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry (conceptual row) referencing a particular
                 phase 2 SA.

                 A row in this table cannot be created or deleted by
                 SNMP operations on columns of the table."
    INDEX       { ipsecSaInSuiteDestAddrType,
                  ipsecSaInSuiteDestAddress,
                  ipsecSaInSuiteProtocol,
                  ipsecSaInSuiteSpi }
    ::= { ipsecSaInSuiteTable 1 }

IpsecSaInSuiteEntry ::= SEQUENCE {
    -- index
    ipsecSaInSuiteDestAddrType      InetAddressType,
    ipsecSaInSuiteDestAddress       InetAddress,
    ipsecSaInSuiteProtocol          IpsecDoiSecProtocolId,
    ipsecSaInSuiteSpi               Unsigned32,
    -- SA reference
    ipsecSaInSuiteRef               OBJECT IDENTIFIER
}

ipsecSaInSuiteDestAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The type of the destination address of the IPsec
                 phase 2 SA to which this row refers."
    ::= { ipsecSaInSuiteEntry 1 }

ipsecSaInSuiteDestAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(4|16|20))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The destination address of the IPsec phase 2 SA to
                 which this row refers."
    ::= { ipsecSaInSuiteEntry 2 }

ipsecSaInSuiteProtocol OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The security protocol of the IPsec phase 2 SA to
                 which this row refers."
    ::= { ipsecSaInSuiteEntry 3 }

ipsecSaInSuiteSpi OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The SPI value of the IPsec phase 2 SA to which this
                 row refers. If the value of 'ipsecSaInSuiteProtocol'
                 is 'protoIpcomp(4)', then this is the CPI of the SA."
    REFERENCE   "RFC 2407 Section 4.6.2.1"
    ::= { ipsecSaInSuiteEntry 4 }

ipsecSaInSuiteRef OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The value of 'suiteIndex' in the row ('suiteEntry')
                 of the 'suiteTable' to which this row refers. This is
                 the suite that uses this SA."
    ::= { ipsecSaInSuiteEntry 5 }

--
-- the Notify Message MIB-Group
--
-- a collection of objects providing information about
-- the occurrences of notify messages
--

notifyCountTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "The (conceptual) table containing information on
                 IPSec notify message counts.

                 Rows are created in this table for every notification
                 type that has been sent or received by the entity.

                 This table MAY be sparsely populated; that is, rows
                 for which the count is 0 may be absent."
    ::= { ikeNotifications 1 }

notifyCountEntry OBJECT-TYPE
    SYNTAX      NotifyCountEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "An entry (conceptual row) containing the total number
                 of occurrences of a notify message.

                 A row in this table cannot be created or deleted by
                 SNMP operations on columns of the table."
    INDEX       { notifyProtocol, notifyType }
    ::= { notifyCountTable 1 }

NotifyCountEntry ::= SEQUENCE {
    -- identification
    notifyProtocol          IpsecDoiSecProtocolId,
    notifyType              IkeNotifyMessageType,
    -- occurrences
    notifySentCount         Counter32,
    notifyReceivedCount     Counter32
}

notifyProtocol OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The value representing a protocol for which the
                 notify was used."
    REFERENCE   "RFC 2408 Section 3.14"
    ::= { notifyCountEntry 1 }

notifyType OBJECT-TYPE
    SYNTAX      IkeNotifyMessageType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The value representing a specific ISAKMP notify
                 message, or 0 if unknown.

                 Values are assigned from the set of notify message
                 types as defined in Section 3.14.1 of [ISAKMP], and
                 enhanced by the IPsec DOI. In addition, the value 0
                 may be used for this object when the object is used
                 as a trap cause, and the cause is unknown."
    REFERENCE   "RFC 2408 Section 3.14.1"
    ::= { notifyCountEntry 2 }

notifySentCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of times the specific notify message
                 has been sent by the entity since system boot."
    ::= { notifyCountEntry 3 }

notifyReceivedCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of times the specific notify message
                 has been received by the entity since system boot."
    ::= { notifyCountEntry 4 }

--
-- the IKE Entity MIB-Group
--
-- a collection of objects providing information about overall IKE
-- status in the entity
--

--
-- IKE phase 1 SA statistics
--

ikeCurrentSAs OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The current number of IKE SAs in the entity."
    ::= { ikeGlobals 1 }

ikeCurrentInitiatedSAs OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The current number of IKE SAs successfully negotiated
                 in the entity that were initiated by the entity."
    ::= { ikeGlobals 2 }

ikeCurrentRespondedSAs OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The current number of IKE SAs successfully negotiated
                 in the entity that were initiated by the peer entity."
    ::= { ikeGlobals 3 }

ikeTotalSAs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE SAs successfully negotiated
                 in the entity since boot time."
    ::= { ikeGlobals 4 }

ikeTotalInitiatedSAs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE SAs successfully negotiated
                 in the entity since boot time that were initiated by
                 the entity."
    ::= { ikeGlobals 5 }

ikeTotalRespondedSAs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE SAs successfully negotiated
                 in the entity since boot time that were initiated by
                 the peer entity."
    ::= { ikeGlobals 6 }

ikeTotalAttempts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE SA negotiation attempts made
                 since boot time. This includes successful
                 negotiations."
    ::= { ikeGlobals 7 }

ikeTotalSaInitAttempts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE SA negotiation attempts made
                 where the entity was the initiator since boot time.
                 This includes successful negotiations."
    ::= { ikeGlobals 8 }

ikeTotalSaRespAttempts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE SA negotiation attempts made
                 where the entity was the responder since boot time.
                 This includes successful negotiations."
    ::= { ikeGlobals 9 }

--
-- IKE Aggregate Traffic Statistics
--

ikeTotalInPackets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE packets received by the entity
                 since boot time, including re-transmissions and
                 un-encrypted packets."
    ::= { ikeTrafStats 1 }

ikeTotalOutPackets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of IKE packets sent by the entity
                 since boot time, including re-transmissions and
                 un-encrypted packets."
    ::= { ikeTrafStats 2 }

ikeTotalInOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total amount of IKE traffic received by the entity
                 since boot time, measured in bytes, including any
                 re-transmitted packets received, and including
                 encrypted and un-encrypted packets."
    ::= { ikeTrafStats 3 }

ikeTotalOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "bytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total amount of IKE traffic sent by the entity
                 since boot time, measured in bytes, including any
                 re-transmissions and including encrypted and
                 un-encrypted packets."
    ::= { ikeTrafStats 4 }

--
-- IKE Phase 1 SA Aggregate Errors
--

ikeTotalInitFailures OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of attempts to initiate an IKE
                 phase 1 SA that failed since boot time, when there
                 was a response from the peer entity.

                 This value may be used to detect clogging or
                 denial-of-service attacks."
    ::= { ikeErrors 1 }

ikeTotalInitNoResponses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of attempts to initiate an IKE
                 phase 1 SA that failed since boot time, when there
                 was no response from the peer entity.
                 This should only be incremented if the peer does not
                 respond to the first packet of attempted
                 negotiations."
    ::= { ikeErrors 2 }

ikeTotalRespFailures OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of attempts to initiate an IKE
                 phase 1 SA that failed since boot time, when the
                 initiation attempt came from the peer entity."
    ::= { ikeErrors 3 }

--
-- Suite Global Objects
--

totalSuites OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of suites created by the entity
                 since system boot."
    ::= { suiteGlobals 1 }

currentSuites OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of suites currently in existence in
                 the entity."
    ::= { suiteGlobals 2 }

--
-- Suite Aggregate Traffic Statistics
--

suiteTotalInUserKbytes OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "kilobytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total amount of user level traffic carried by all
                 suites in the entity since boot time, measured in
                 kilobytes, in the inbound direction.

                 This is the sum of the 'suiteInUserOctets' column for
                 all suite rows created since boot time."
    ::= { suiteTrafStats 1 }

suiteTotalInPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of packets carried by all suites in
                 the entity since boot time in the inbound direction.

                 This is the sum of the 'suiteInPackets' column for
                 all suite rows created since boot time."
    ::= { suiteTrafStats 2 }

suiteTotalOutUserKbytes OBJECT-TYPE
    SYNTAX      Counter64
    UNITS       "kilobytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total amount of user level traffic carried by all
                 suites in the entity since boot time, measured in
                 kilobytes, in the outbound direction.
                 This is the sum of the 'suiteOutUserOctets' column for
                 all suite rows created since boot time."
    ::= { suiteTrafStats 3 }

suiteTotalOutPackets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of packets carried by all suites in
                 the entity since boot time, in the outbound direction.

                 This is the sum of the 'suiteOutPackets' column for
                 all suite rows created since boot time."
    ::= { suiteTrafStats 4 }

--
-- Suite Aggregate Error Counts
--

suiteInitFailures OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of attempts to initiate a suite that
                 failed since boot time, when the attempt was
                 initiated locally."
    ::= { suiteErrors 1 }

suiteRespondFailures OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The total number of attempts to initiate a suite that
                 failed since boot time, when the attempt was
                 initiated by the peer entity."
    ::= { suiteErrors 2 }

--
-- Trap Objects, Traps and Trap Control
--

ikeLocalEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "The index to an endpoint that is the local endpoint
                 in a trap."
    ::= { ikeTrapObjects 1 }

ikeRemoteEndpoint OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "The index to an endpoint that is the remote endpoint
                 in a trap."
    ::= { ikeTrapObjects 2 }

ikeSelector OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "The index to a selector that is involved in a trap."
    ::= { ikeTrapObjects 3 }

ikeAuthMethod OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "An authentication method that was used in a trap."
    ::= { ikeTrapObjects 4 }

ikeNegFailureTrapEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Indicates whether ikeNegFailure traps should be
                 generated."
    DEFVAL      { false }
    ::= { ikeTrapControl 1 }

ikeNegFailure NOTIFICATION-TYPE
    OBJECTS     { ikeLocalEndpoint,
                  ikeRemoteEndpoint,
                  localIpAddressType,
                  localIpAddress,
                  localUdpPort,
                  remoteIpAddressType,
                  remoteIpAddress,
                  remoteUdpPort,
                  ikeAuthMethod,
                  ikeTotalInitFailures,
                  ikeTotalInitNoResponses,
                  ikeTotalRespFailures,
                  notifySentCount,
                  notifyReceivedCount }
    STATUS      current
    DESCRIPTION "An attempt to negotiate a phase 1 IKE SA failed. The
                 notification counts are also sent as part of the
                 trap, along with the current value of the total
                 negotiation error counters for ISAKMP."
    ::= { ikeTraps 1 }

suiteNegFailureTrapEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Indicates whether 'suiteNegFailure' traps should be
                 generated."
    DEFVAL      { false }
    ::= { suiteTrapControl 1 }

suiteNegFailure NOTIFICATION-TYPE
    OBJECTS     { ikeSelector,
                  suiteInitFailures,
                  suiteRespondFailures,
                  notifySentCount,
                  notifyReceivedCount }
    STATUS      current
    DESCRIPTION "An attempt to negotiate a phase 2 SA suite for the
                 specified selector failed. The current total failure
                 counts are passed as well as the notification type
                 counts for the notify involved in the failure."
    ::= { suiteTraps 1 }

--
-- Units of conformance (Object Groups)
--

oakleyGroup OBJECT-GROUP
    OBJECTS     { modpGroupIndex, modpFieldSize, modpPrime,
                  modpGenerator, modpLPF, modpStrength,
                  ecpGroupIndex, ecpFieldSize, ecpPrime,
                  ecpGeneratorOne, ecpGeneratorTwo, ecpParameterOne,
                  ecpParameterTwo, ecpLPF, ecpOrder, ecpStrength,
                  ec2nGroupIndex, ec2nDegree, ec2nIrrPoly,
                  ec2nGeneratorOne, ec2nGeneratorTwo,
                  ec2nParameterOne, ec2nParameterTwo, ec2nLPF,
                  ec2nOrder, ec2nStrength }
    STATUS      current
    DESCRIPTION "A collection of objects that describe the Oakley
                 Groups used or known by the entity."
    REFERENCE   "RFC 2412"
    ::= { ikeGroups 1 }

endpointGroup OBJECT-GROUP
    OBJECTS     { endpointIndex, endpointIdType, endpointIdValue,
                  endpointCertSerialNum, endpointCertIssuer,
                  endpointIsLocal, endpointCurrentIkeSAs,
                  endpointTotalIkeSAs, endpointCurrentSuites,
                  endpointTotalSuites }
    STATUS      current
    DESCRIPTION "A collection of objects that describe IKE endpoints."
    ::= { ikeGroups 2 }

ikeSaGroup OBJECT-GROUP
    OBJECTS     { saAuthMethod, saPeerEndpoint, saLocalEndpoint,
                  saEncAlg, saEncKeyLength, saHashAlg,
                  saHashKeyLength, saPRF, saOakleyGroupDesc,
                  saOakleyGroup, saLimitSeconds, saLimitKbytes,
                  saLimitKeyUses, saAccKbytes, saKeyUses,
                  saCreatedSuites, saDeletedSuites, saDecryptErrors,
                  saHashErrors, saOtherReceiveErrors, saSendErrors }
    STATUS      current
    DESCRIPTION "A collection of objects that describe IKE phase 1
                 SAs."
    ::= { ikeGroups 3 }

ikeHelpersGroup OBJECT-GROUP
    OBJECTS     { saByCreatorsLocalEndpoint,
                  saByCreatorsRemoteEndpoint, saByCreatorsIndex,
                  saIkeLocalIpAddressType, saIkeLocalIpAddress,
                  saIkeRemoteIpAddressType, saIkeRemoteIpAddress,
                  saIkeInitiatorCookie, saIkeResponderCookie }
    STATUS      current
    DESCRIPTION "A collection of objects that help look up IKE phase 1
                 SAs."
    ::= { ikeGroups 4 }

exchangeGroup OBJECT-GROUP
    OBJECTS     { exchangeType, exchangeTotalCount,
                  exchangeInitiatedCount, exchangeRespondedCount }
    STATUS      current
    DESCRIPTION "A collection of objects that count exchanges."
    ::= { ikeGroups 5 }

suiteGroup OBJECT-GROUP
    OBJECTS     { suiteIndex, suiteLocalAddressType,
                  suiteLocalAddress, suiteRemoteAddressType,
                  suiteRemoteAddress, suitePhase1RemoteEndpoint,
                  suitePhase1LocalEndpoint, suiteSelector,
                  suiteOakleyGroupDesc, suiteOakleyGroup,
                  suiteLifeSeconds, suiteInUserOctets,
                  suiteInPackets, suiteOutUserOctets,
                  suiteOutPackets, suiteSendErrors,
                  suiteReceiveErrors }
    STATUS      current
    DESCRIPTION "A collection of objects that describe phase 2 SA
                 suites."
    ::= { ikeGroups 7 }

phase2SaGroup OBJECT-GROUP
    OBJECTS     { saOrder, saProtocol, saInSpi, saOutSpi,
                  ipsecSaInSuiteDestAddrType,
                  ipsecSaInSuiteDestAddress, ipsecSaInSuiteProtocol,
                  ipsecSaInSuiteSpi, ipsecSaInSuiteRef }
    STATUS      current
    DESCRIPTION "A collection of objects that relate phase 2 SAs to
                 phase 2 SA suites."
    ::= { ikeGroups 8 }

suiteHelperGroup OBJECT-GROUP
    OBJECTS     { suiteByCreatorsP1LocalEndpoint,
                  suiteByCreatorsP1RemoteEndpoint,
                  suiteByCreatorsIndex, suiteByCreatorsRef,
                  suiteBySelectorsIndex, suiteBySelectorsRef }
    STATUS      current
    DESCRIPTION "A collection of objects that help look up phase 2 SA
                 suites."
    ::= { ikeGroups 9 }

notifyGroup OBJECT-GROUP
    OBJECTS     { notifyProtocol, notifyType, notifySentCount,
                  notifyReceivedCount }
    STATUS      current
    DESCRIPTION "A collection of objects that take statistics for
                 notify messages in IKE."
    ::= { ikeGroups 10 }

ikeGlobalsGroup OBJECT-GROUP
    OBJECTS     { ikeCurrentSAs, ikeCurrentInitiatedSAs,
                  ikeCurrentRespondedSAs, ikeTotalSAs,
                  ikeTotalInitiatedSAs, ikeTotalRespondedSAs,
                  ikeTotalAttempts, ikeTotalSaInitAttempts,
                  ikeTotalSaRespAttempts, ikeTotalInPackets,
                  ikeTotalOutPackets, ikeTotalInOctets,
                  ikeTotalOutOctets, ikeTotalInitFailures,
                  ikeTotalInitNoResponses, ikeTotalRespFailures }
    STATUS      current
    DESCRIPTION "A collection of objects providing global IKE phase 1
                 SA statistics."
    ::= { ikeGroups 11 }

suiteGlobalsGroup OBJECT-GROUP
    OBJECTS     { totalSuites, currentSuites,
                  suiteTotalInUserKbytes, suiteTotalInPackets,
                  suiteTotalOutUserKbytes, suiteTotalOutPackets,
                  suiteInitFailures, suiteRespondFailures }
    STATUS      current
    DESCRIPTION "A collection of objects providing global phase 2 SA
                 suite statistics."
    ::= { ikeGroups 12 }

ikeTrapArgumentGroup OBJECT-GROUP
    OBJECTS     { ikeLocalEndpoint, ikeRemoteEndpoint, ikeSelector,
                  ikeAuthMethod }
    STATUS      current
    DESCRIPTION "A collection of objects used only as arguments in
                 traps."
    ::= { ikeGroups 13 }

ikeTrapEnableGroup OBJECT-GROUP
    OBJECTS     { ikeNegFailureTrapEnable, suiteNegFailureTrapEnable }
    STATUS      current
    DESCRIPTION "A collection of objects providing control over trap
                 generation."
    ::= { ikeGroups 14 }

ikeTrapGroup NOTIFICATION-GROUP
    NOTIFICATIONS { ikeNegFailure, suiteNegFailure }
    STATUS      current
    DESCRIPTION "A collection of traps."
    ::= { ikeGroups 15 }

--
-- Compliance statements
--

ikeMonitorCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION "The compliance statement for SNMPv2 entities which
                 implement the IKE Monitoring MIB."
    MODULE -- this module
    MANDATORY-GROUPS { endpointGroup, ikeSaGroup, ikeHelpersGroup,
                       exchangeGroup, suiteGroup, phase2SaGroup,
                       suiteHelperGroup, notifyGroup,
                       ikeGlobalsGroup, suiteGlobalsGroup,
                       ikeTrapArgumentGroup, ikeTrapEnableGroup,
                       ikeTrapGroup }

    -- Allow the trap controls to be read-only

    OBJECT      ikeNegFailureTrapEnable
    MIN-ACCESS  read-only
    DESCRIPTION "If an implementation cannot properly secure this
                 variable against unauthorized write access, it
                 SHOULD implement it as read-only, to prevent the
                 security risk of enabling the traps. Of course, there
                 must be other means of controlling the generation of
                 the associated trap."

    OBJECT      suiteNegFailureTrapEnable
    MIN-ACCESS  read-only
    DESCRIPTION "If an implementation cannot properly secure this
                 variable against unauthorized write access, it
                 SHOULD implement it as read-only, to prevent the
                 security risk of enabling the traps. Of course, there
                 must be other means of controlling the generation of
                 the associated trap."

    -- don't require support for dns(16) address type

    OBJECT      saIkeLocalIpAddressType
    SYNTAX      INTEGER { ipv4(1), ipv6(2) }
    DESCRIPTION "An implementation is only required to support IPv4
                 and IPv6 addresses."

    OBJECT      saIkeRemoteIpAddressType
    SYNTAX      INTEGER { ipv4(1), ipv6(2) }
    DESCRIPTION "An implementation is only required to support IPv4
                 and IPv6 addresses."

    OBJECT      suiteLocalAddressType
    SYNTAX      INTEGER { ipv4(1), ipv6(2) }
    DESCRIPTION "An implementation is only required to support IPv4
                 and IPv6 addresses."

    OBJECT      suiteRemoteAddressType
    SYNTAX      INTEGER { ipv4(1), ipv6(2) }
    DESCRIPTION "An implementation is only required to support IPv4
                 and IPv6 addresses."

    OBJECT      ipsecSaInSuiteDestAddrType
    SYNTAX      INTEGER { ipv4(1), ipv6(2) }
    DESCRIPTION "An implementation is only required to support IPv4
                 and IPv6 addresses."

    ::= { ikeConformance 1 }

END

6. Security Considerations

This MIB contains readable objects whose values provide information related to IPsec SAs. While some of the information is readily available by monitoring the traffic into an entity, other information may provide attackers with more information than an administrator may desire.

Some of the specific concerns are related to the display of the algorithms and key lengths associated with encryption, and the feedback of error counters and traps that enable an attacker to quickly determine the effect of his or her attacks. Specific examples of this include, but are not limited to:

   o Replay counts that tell attackers that replay values are being
     checked, and what the current window is.

   o Specific algorithms and key lengths are displayed, giving
     attackers a better idea of how to attack.

   o Specific traffic counts, giving attackers more information for
     traffic analysis.

Of particular concern is the ability to disable the transmission of traps. The traps defined in this MIB may appear due to badly configured systems and transient error conditions, but they may also appear due to attacks. If an attacker can disable these traps, they reduce some of the warnings that may be provided to system administrators.

It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment. SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPsec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that the implementers consider the security features as provided by the SNMPv3 framework.
Specifically, the use of the User-based Security Model RFC 2574 [RFC2574] and the View-based Access Control Model RFC 2575 [RFC2575] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

7. Acknowledgments

This document is based in part on an earlier proposal titled "draft-ietf-ipsec-mib-xx.txt". That series was abandoned, since it included application specific constructs in addition to the IPsec only objects. Portions of the original document's origins were based on the working paper "IP Security Management Information Base" by R. Thayer and U. Blumenthal.

Significant contribution to the IPsec MIB series of documents comes from Charles Brooks and Carl Powell, both of GTE Internetworking.

Obviously, the IPsec working group made significant contributions, including M. Daniele, T. Kivinen, J. Walker, S. Kelly, J. Leonard, S. Waters and M. Richardson.

Thanks also to J. Schoenwaelder and M. Baugher for comments related to indexing of the tables.

8. References

   [ADDRMIB] Daniele, M., Haberman, B., Routhier, S., Schoenwaelder,
             J., "Textual Conventions for Internet Network Addresses",
             RFC 2851, June 2000

   [IDIMIB]  Jenkins, T., Shriver, J., "ISAKMP DOI-Independent
             Monitoring MIB", draft-ietf-ipsec-isakmp-di-mon-mib-02.txt,
             work in progress, May 2000

   [IKE]     Harkins, D., Carrel, D., "The Internet Key Exchange
             (IKE)", RFC 2409, November 1998

   [IMMIB]   Jenkins, T., Shriver, J., "IPsec Monitoring MIB",
             draft-ietf-ipsec-monitor-mib-03.txt, work in progress,
             May 2000

   [IPCOMP]  Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP
             Payload Compression Protocol (IPComp)", RFC 2393,
             December 1998

   [IPDOI]   Piper, D., "The Internet IP Security Domain of
             Interpretation for ISAKMP", RFC 2407, November 1998

   [IPSECTC] Shriver, J., "IPSec DOI Textual Conventions MIB",
             draft-ietf-ipsec-doi-tc-mib-01.txt, work in progress,
             October 15, 1999

   [ISAKMP]  Maughan, D., Schertler, M., Schneider, M., and Turner,
             J., "Internet Security Association and Key Management
             Protocol (ISAKMP)", RFC 2408, November 1998

   [OAKLEY]  Orman, H., "The OAKLEY Key Determination Protocol",
             RFC 2412, November 1998

   [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An
             Architecture for Describing SNMP Management Frameworks",
             RFC 2571, April 1999

   [RFC1155] Rose, M., and K. McCloghrie, "Structure and
             Identification of Management Information for TCP/IP-based
             Internets", STD 16, RFC 1155, May 1990

   [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions",
             STD 16, RFC 1212, March 1991

   [RFC1215] Rose, M., "A Convention for Defining Traps for use with
             the SNMP", RFC 1215, March 1991

   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Structure of Management
             Information Version 2 (SMIv2)", STD 58, RFC 2578,
             April 1999

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Textual Conventions for
             SMIv2", STD 58, RFC 2579, April 1999

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Conformance Statements for
             SMIv2", STD 58, RFC 2580, April 1999

   [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin,
             "Simple Network Management Protocol", STD 15, RFC 1157,
             May 1990

   [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Introduction to Community-based SNMPv2", RFC 1901,
             January 1996

   [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Transport Mappings for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1906, January 1996

   [RFC2572] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
             "Message Processing and Dispatching for the Simple
             Network Management Protocol (SNMP)", RFC 2572, April 1999

   [RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
             (USM) for version 3 of the Simple Network Management
             Protocol (SNMPv3)", RFC 2574, April 1999

   [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Protocol Operations for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1905, January 1996

   [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3
             Applications", RFC 2573, April 1999

   [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
             Access Control Model (VACM) for the Simple Network
             Management Protocol (SNMP)", RFC 2575, April 1999

   [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
             "Introduction to Version 3 of the Internet-standard
             Network Management Framework", RFC 2570, April 1999

   [SECARCH] Kent, S., Atkinson, R., "Security Architecture for the
             Internet Protocol", RFC 2401, November 1998

Authors' Addresses

   Tim Jenkins
   Catena Networks
   Suite 300
   320 March Road
   Kanata, ON
   Canada K2K 2E3
   +1 (613) 599-6430
   tjenkins@catenanet.com

   John Shriver
   Intel Corporation
   28 Crosby Drive
   Bedford, MA 01730
   +1 (781) 687-1329
   John.Shriver@intel.com

The IPsec working group can be contacted via the IPsec working group's mailing list (ipsec@lists.tislabs.com) or through its chair:

   Theodore Y. Ts'o
   tytso@MIT.EDU
   Massachusetts Institute of Technology

Expiration

This document expires January 13, 2001.
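The draft says ikeTotalInitFailures "may be used to detect clogging or denial-of-service attacks" and, in the Security Considerations, that an attacker who can clear the trap-enable objects silences the operator's warnings. The following is an added example of the manager-side logic those two statements call for; it is not part of the draft or of any agent, uses only the draft's object names, and the poll samples, the 60-second interval and the alert threshold are constructed here (no SNMP I/O is performed).

```python
"""Manager-side checks over the ikeErrors counters and ikeNegFailureTrapEnable.

Added example, not part of the draft: object names are the draft's, but the
poll samples, thresholds and poller structure are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List

COUNTER32_MODULUS = 2 ** 32  # SMIv2 Counter32 wraps modulo 2^32

# The three phase 1 failure counters from the ikeErrors group; together they
# cover failed negotiations in both the initiator and the responder role.
FAILURE_COUNTERS = (
    "ikeTotalInitFailures",
    "ikeTotalInitNoResponses",
    "ikeTotalRespFailures",
)


@dataclass
class Sample:
    """One poll of the entity: `t` in seconds, Counter32 readings keyed by
    object name, and the polled value of ikeNegFailureTrapEnable."""
    t: float
    counters: Dict[str, int]
    neg_failure_trap_enable: bool


def counter32_delta(old: int, new: int) -> int:
    """Growth of a Counter32 between two readings, allowing for one wrap.

    A Counter32 only increases (modulo 2^32), so a reading smaller than the
    previous one means the counter wrapped. An agent restart also resets the
    counter; a real poller must rule that out (e.g. via sysUpTime) before
    trusting the delta."""
    return (new - old) % COUNTER32_MODULUS


def failure_rates(prev: Sample, cur: Sample) -> Dict[str, float]:
    """Per-second growth of each phase 1 failure counter between two polls."""
    interval = cur.t - prev.t
    if interval <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return {
        name: counter32_delta(prev.counters[name], cur.counters[name]) / interval
        for name in FAILURE_COUNTERS
    }


def evaluate(prev: Sample, cur: Sample, threshold_per_sec: float) -> List[str]:
    """Alerts for one poll interval:

    1. a phase 1 failure counter growing faster than `threshold_per_sec`,
       the clogging / negotiation-flood signal the draft describes; and
    2. ikeNegFailureTrapEnable going from true to false, which must be matched
       to an administrative change because it also removes the trap warning."""
    alerts: List[str] = []
    for name, rate in failure_rates(prev, cur).items():
        if rate > threshold_per_sec:
            alerts.append(f"{name} rising at {rate:.1f}/s "
                          f"(threshold {threshold_per_sec}/s)")
    if prev.neg_failure_trap_enable and not cur.neg_failure_trap_enable:
        alerts.append("ikeNegFailureTrapEnable changed from true to false; "
                      "confirm this was an administrative change")
    return alerts


# Constructed poll series, 60 s apart. The first interval crosses a Counter32
# wrap on ikeTotalInitFailures (11 real failures); the second shows a burst
# of responder-side failures while the trap control is cleared.
SAMPLES = [
    Sample(0.0, {"ikeTotalInitFailures": 4294967290,
                 "ikeTotalInitNoResponses": 10,
                 "ikeTotalRespFailures": 20}, True),
    Sample(60.0, {"ikeTotalInitFailures": 5,
                  "ikeTotalInitNoResponses": 10,
                  "ikeTotalRespFailures": 20}, True),
    Sample(120.0, {"ikeTotalInitFailures": 5,
                   "ikeTotalInitNoResponses": 10,
                   "ikeTotalRespFailures": 320}, False),
]


def run_series(samples: List[Sample],
               threshold_per_sec: float) -> Dict[float, List[str]]:
    """Evaluate each consecutive pair of samples, keyed by the later poll time."""
    return {cur.t: evaluate(prev, cur, threshold_per_sec)
            for prev, cur in zip(samples, samples[1:])}


if __name__ == "__main__":
    for t, alerts in run_series(SAMPLES, threshold_per_sec=1.0).items():
        print(f"t={t:.0f}s: {alerts or 'no alerts'}")
```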