Internet Draft          IPsec Flow Monitoring MIB          November, 99

Internet Engineering Task Force              C. Madson, Cisco Systems.
IP Security Working Group                    L. Temoshenko, Tivoli.
Internet Draft                               C. Pellacuru, Cisco Systems.
Expires in six months                        N Timms, Cisco Systems.
                                             Rk Somasundaram, Cisco Systems.
                                             November 3rd 1999

                      IPsec Flow Monitoring MIB

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   This document is a submission to the IETF Internet Protocol Security
   Working Group. Comments are solicited and should be addressed to the
   working group mailing list (IPsec@lists.tislabs.com) or to the
   editor(s).

   This document is an Internet-Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

   This document describes a high-level MIB for monitoring, accounting
   and error detection for IPsec.

Table of Contents

   1.  Introduction
   2.  The SNMPv2 Network Management Framework
   3.  MIB Object Definitions and Architectural Overview
   3.1 IPsec Levels Group
   3.2 IPsec Phase-1 Group
   3.3 IPsec Phase-2 Group
   3.4 IPsec History Group
   3.5 IPsec Failure Group
   3.6 IPsec Trap Control Group
   4.  MIB Definitions
   5.  Security Considerations
   6.  References
   7.  Acknowledgments
   8.  Editors' Addresses
   9.  Expiration
   10. Full Copyright Statement

1. Introduction

   As VPN technology in the shape of IPsec is deployed, customers,
   particularly large enterprises and Service Providers, are requiring a
   standard way to monitor their tunnels. Service Providers in
   particular are often required to maintain service level agreements
   (SLAs) that guarantee quality and performance to their customers. In
   addition, the provider must be able to accurately bill customers.
   Both enterprises and providers also have a need to collect usage
   statistics for capacity planning purposes, ensuring sufficient
   resources are available for redundancy and high availability.

   The definition presented in this MIB is driven by customer
   requirements for statistics collection that may be used for
   accounting purposes, as well as status monitoring, error notification
   and real-time alerting via traps.

   This document defines a high level MIB for monitoring and
   troubleshooting IPsec traffic flows.
   The troubleshooting functionality is in the form of traps sent as a
   result of operational failures during the setting up, tearing down
   and normal lifetime of IPsec tunnels. It is meant as an indicator of
   failure to the personnel of a Network Operation Center.

   This MIB does not present in-depth low level debugging and diagnostic
   support that may be used by implementers of IPsec, although it does
   provide support for low-level troubleshooting from an administrator's
   perspective. This MIB does not provide support for the configuration
   of IPsec capable devices.

   The main goals of this MIB are:

   i.   to enable the administrator to manage IPsec devices based on
        traffic flows
   ii.  to enable trend tracking
   iii. to enable failure tracking
   iv.  to allow correlation between:
        1. traffic flows and IPsec tunnels
        2. IKE tunnels and IPsec tunnels
        3. IPsec tunnels and security associations

   The history and failure components are optional and need not be
   implemented to be compliant with this MIB.

2. The SNMPv2 Network Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2271 [2271].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second
      version, called SMIv2, is described in RFC 1902 [1902],
      RFC 1903 [1903] and RFC 1904 [1904].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [1157]. A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [1901] and
      RFC 1906 [1906].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [1906], RFC 2272 [2272] and RFC 2274 [2274].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in RFC 1157 [1157]. A second set of protocol operations
      and associated PDU formats is described in RFC 1905 [1905].

   o  A set of fundamental applications described in RFC 2273 [2273] and
      the view-based access control mechanism described in
      RFC 2275 [2275].

3. MIB Objects and Architectural Overview

   This section provides a view of the overall architecture, and
   outlines the major MIB groups and table definitions. The MIB covers
   both phase 1 or Internet Key Exchange (IKE) security associations
   (SAs) and phase 2 or IPsec SAs.

   One of the key components of this MIB is the monitoring of large
   numbers of dynamic tunnels. In the case of clients initiating
   connections to a gateway, it is not usually possible for the gateway
   to have knowledge of all the attributes of the client, in particular
   the identity of the client, before the start of the session. The MIB
   must support these dynamic connections in addition to static tunnels
   that usually exist between gateway devices.

   The information provided in the MIB includes statistics on individual
   SAs as well as global totals, which allow the provider to report on
   individual customer SLAs as well as monitoring the overall health of
   the VPN service. Statistics are provided on packet counts and drops,
   notify messages, failures, deletes and exchanges between peers. This
   information is presented in the form of groups that cover specific
   aspects of the VPN to facilitate accurate evaluation of performance
   and the generation of meaningful reports.

3.1 IPsec Levels Group

   The Levels Group consists of global single instance objects accessed
   using an index of zero.
   Currently, the MIB Level object is the only object contained in this
   group. Initially the value of this object will be one (1), and it
   will be incremented as changes are made to the MIB.

3.2 IPsec Phase-1 Group

   This group provides global statistics for all phase 1 tunnels, active
   and previous. The Internet Key Exchange Peer Table defines the peers
   involved in any phase 1 tunnel associated with active phase 2
   tunnels. Statistics for each active phase 1 tunnel (including policy
   attributes) are contained in the IKE Tunnel table, and the IKE Peer
   Association to Phase 2 Tunnel Correlation Table provides a link
   between each Phase 1 peer entry and any associated active Phase-2
   tunnels.

   ikeGlobalStats      All Phase 1 Tunnel Stats

   ikeTunnelTable      IkeTunnelEntry     ----->
   ikePeerEntryTable   IkePeerEntry       ----->
   ikePeerCorrTable    IkePeerCorrEntry   ----->
   IPsecTunnelTable    IPsecTunnelEntry

3.3 IPsec Phase-2 Group

   This group defines four tables. The first is a Global Statistics
   table that accumulates statistics from all active and previous phase
   2 tunnels. Active phase 2 tunnels are defined in the Tunnel Table
   where each entry includes the algorithms used and counts of
   activities such as number of packets successfully encrypted or number
   of encryption failures. The peers involved in a phase 2 tunnel are
   described in the Tunnel Endpoint table, the format of which describes
   the criteria used to determine which data IPsec services are applied
   to. Security Parameter Index related information is presented in the
   Security Protection Index Table.
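
   The global statistics described in sections 3.2 and 3.3 are cumulative
   counters, so a monitoring station works from poll-to-poll differences
   rather than raw values. The Python code below is an added example, not
   part of the draft: it derives instance OIDs from the draft's
   MODULE-IDENTITY, computes wrap-safe Counter32 deltas for the Phase-1
   failure counters, and flags intervals for an operator. The thresholds,
   the sample polls and the use of sysUpTime to detect an agent restart
   are assumptions of the example.

```python
# Added example, not part of the draft. Object names and sub-identifiers are
# taken from the draft's MIB definitions; thresholds and polls are constructed.

# IPsecMIB       = enterprises(1.3.6.1.4.1) ibm(2) ibmProd(6) tivoliNma(168)
#                  IPsecMgmt(1) IPsecMgmtT1(1) 1
# ikeGlobalStats = IPsecMIB . IPsecMIBObjects(1) . IPsecPhaseOne(2) . 1
IKE_GLOBAL_STATS = (1, 3, 6, 1, 4, 1, 2, 6, 168, 1, 1, 1, 1, 2, 1)

# Sub-identifier of each scalar under ikeGlobalStats used by this example.
COUNTERS = {
    "ikeGlobalInP2Exchgs": 7,
    "ikeGlobalInP2ExchgInvalids": 8,
    "ikeGlobalInP2ExchgRejects": 9,
    "ikeGlobalInitTunnelFails": 20,
    "ikeGlobalRespTunnelFails": 21,
    "ikeGlobalAuthFails": 23,
    "ikeGlobalDecryptFails": 24,
    "ikeGlobalHashValidFails": 25,
    "ikeGlobalNoSaFails": 26,
}

# Counters whose growth alone indicates a problem.
FAILURE_COUNTERS = (
    "ikeGlobalInitTunnelFails",
    "ikeGlobalRespTunnelFails",
    "ikeGlobalAuthFails",
    "ikeGlobalDecryptFails",
    "ikeGlobalHashValidFails",
    "ikeGlobalNoSaFails",
)

COUNTER32_MODULUS = 2 ** 32


def scalar_oid(name):
    """Dotted OID of a scalar instance; scalars are read at index .0."""
    return ".".join(str(n) for n in IKE_GLOBAL_STATS + (COUNTERS[name], 0))


def counter32_delta(prev, curr):
    """Increase between two Counter32 samples.

    Correct across a single wrap; more than one wrap between polls
    cannot be detected, so the poll interval must be short enough.
    """
    return (curr - prev) % COUNTER32_MODULUS


def interval_deltas(prev_poll, curr_poll):
    """Per-counter increase between two polls, or None after a restart.

    Each poll is {"sysUpTime": ticks, <counter name>: value, ...}.
    If sysUpTime went backwards the counters were reinitialised (or
    sysUpTime itself wrapped), so this interval is skipped.
    """
    if curr_poll["sysUpTime"] < prev_poll["sysUpTime"]:
        return None
    return {name: counter32_delta(prev_poll[name], curr_poll[name])
            for name in COUNTERS}


def failure_alerts(deltas, abs_threshold=50, bad_ratio=0.2):
    """Return (signal, value) pairs for one interval (assumed thresholds)."""
    if deltas is None:
        return [("agent-restart", None)]
    alerts = [(name, deltas[name]) for name in FAILURE_COUNTERS
              if deltas[name] >= abs_threshold]
    exchanges = deltas["ikeGlobalInP2Exchgs"]
    bad = (deltas["ikeGlobalInP2ExchgInvalids"]
           + deltas["ikeGlobalInP2ExchgRejects"])
    if exchanges and bad / exchanges >= bad_ratio:
        alerts.append(("inbound-p2-invalid-or-rejected-ratio", bad / exchanges))
    return alerts


# Constructed sample polls, 300 seconds apart (sysUpTime is in 1/100 s).
# ikeGlobalAuthFails wraps past 2**32 between the two polls.
PREV_POLL = {
    "sysUpTime": 1000000,
    "ikeGlobalInP2Exchgs": 1200, "ikeGlobalInP2ExchgInvalids": 10,
    "ikeGlobalInP2ExchgRejects": 5, "ikeGlobalInitTunnelFails": 3,
    "ikeGlobalRespTunnelFails": 40, "ikeGlobalAuthFails": 4294967290,
    "ikeGlobalDecryptFails": 12, "ikeGlobalHashValidFails": 7,
    "ikeGlobalNoSaFails": 0,
}
CURR_POLL = {
    "sysUpTime": 1030000,
    "ikeGlobalInP2Exchgs": 1300, "ikeGlobalInP2ExchgInvalids": 35,
    "ikeGlobalInP2ExchgRejects": 10, "ikeGlobalInitTunnelFails": 3,
    "ikeGlobalRespTunnelFails": 44, "ikeGlobalAuthFails": 70,
    "ikeGlobalDecryptFails": 13, "ikeGlobalHashValidFails": 7,
    "ikeGlobalNoSaFails": 2,
}

if __name__ == "__main__":
    for name in FAILURE_COUNTERS:
        print(name, scalar_oid(name))
    print(failure_alerts(interval_deltas(PREV_POLL, CURR_POLL)))
```
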

   IPsecGlobalStats    All Phase 2 Tunnel Stats

   IPsecTunnelTable    IPsecTunnelEntry   ----->
   IPsecEndptTable     IPsecEntptEntry    ----->
   IPsecSpiTable       IPsecSpiEntry (Inbound)
                       IPsecSpiEntry (Outbound)

3.4 IPsec History Group

   This group includes tables for Phase-1 Tunnel History, Phase-2 Tunnel
   History, and Phase-2 Endpoint History. The number of entries in each
   table is defined by the value of IPsecHistTablSize. The tables cover
   phase 1 and phase 2 statistics based on accumulating packet and octet
   counts and failures based on security policy parameters and tunnel
   lifetimes. Examples are a count of the total number of octets
   encrypted using 3DES, or the number of authentication failures when
   the algorithm used was MD5.

3.5 IPsec Failure Group

   This group includes tables for phase 1 and phase 2 failures. The size
   of each table is dependent on the value of the IPsecFailTableSize
   object. Each failure entry for either phase 1 or 2 includes the
   specific reason for the failure, for example a CRL failure, and the
   time of the failure.

3.6 IPsec TRAP Control Group

   This group controls the sending of IPsec traps. Traps are considered
   to include both error conditions, and any events that cause a change
   in state on the device. Events that trigger traps include tunnel
   starts and stops, early tunnel terminations, unavailability of SAs,
   system errors, failure to establish tunnels, certificate failures and
   protocol errors.

4. MIB Definitions

IPsecT1-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
    Counter32, Counter64, Gauge32, Integer32, enterprises
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, DisplayString, TimeStamp,
    TimeInterval, TruthValue
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF;

IPsecMIB MODULE-IDENTITY
    LAST-UPDATED "9911040000Z"
    ORGANIZATION "Tivoli Systems and Cisco Systems"
    CONTACT-INFO
        "Tivoli Systems
         Research Triangle Park, NC

         Cisco Systems
         San Jose, CA"
    DESCRIPTION
        "This is the MIB Module for objects to manage the
         IP Security Protocol."
    ::= { enterprises ibm(2) ibmProd(6) tivoliNma(168) IPsecMgmt(1) IPsecMgmtT1(1) 1 }

-- ----------------------------------------------------------------------------
-- Local Textual Conventions
-- ----------------------------------------------------------------------------

IPSIpAddress ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An IP V4 or V6 Address."
    SYNTAX      OCTET STRING(SIZE(4 | 16)) -- IP V4 or V6 Address

IkePeerType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The type of IPsec Phase-1 IKE peer identity.
         The IKE peer may be identified by:
          1. an IP address, or
          2. a host name."
    SYNTAX      INTEGER { ipAddrPeer(1), namePeer(2) }

IkeNegoMode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 IKE negotiation mode."
    SYNTAX      INTEGER { main(1), aggressive(2) }

IkeHashAlgo ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1
         IKE negotiations."
    SYNTAX      INTEGER { none(1), md5(2), sha(3) }

IkeAuthMethod ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    SYNTAX      INTEGER { none(1), preSharedKey(2), rsaSig(3),
                          rsaEncrypt(4), revPublicKey(5) }

DiffHellmanGrp ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used in negotiations."
    SYNTAX      INTEGER { none(1), dhGroup1(2), dhGroup2(3) }

KeyType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The type of key used by an IPsec Phase-2 Tunnel."
    SYNTAX      INTEGER { ike(1), manual(2) }

EncapMode ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The encapsulation mode used by an IPsec Phase-2
         Tunnel."
    SYNTAX      INTEGER { tunnel(1), transport(2) }

EncryptAlgo ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used in negotiations."
    SYNTAX      INTEGER { none(1), des(2), des3(3) }

AuthAlgo ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by a
         security association of an IPsec Phase-2 Tunnel."
    SYNTAX      INTEGER { none(1), hmacMd5(2), hmacSha(3) }

CompAlgo ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The compression algorithm used by a
         security association of an IPsec Phase-2 Tunnel."
    SYNTAX      INTEGER { none(1), ldf(2) }

EndPtType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The type of identity used to specify an IPsec End Point."
    SYNTAX      INTEGER { singleIpAddr(1), ipAddrRange(2), ipSubnet(3) }

TunnelStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The status of a Tunnel. Objects of this type may
         be used to bring the tunnel down by setting
         value of this object to destroy(2). Objects of this
         type cannot be used to create a Tunnel."
    SYNTAX      INTEGER { active(1), destroy(2) }

TrapStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The administrative status for sending a TRAP."
    SYNTAX      INTEGER { enabled(1), disabled(2) }

-- ----------------------------------------------------------------------------
-- IPsec MIB Object Groups
--
-- This MIB module contains the following groups:
--  1) IPsec Levels Group
--  2) IPsec Phase-1 Group
--  3) IPsec Phase-2 Group
--  4) IPsec History Group
--  5) IPsec Failure Group
--  6) IPsec TRAP Control Group
-- ----------------------------------------------------------------------------

IPsecMIBObjects OBJECT IDENTIFIER ::= { IPsecMIB 1 }

IPsecLevels     OBJECT IDENTIFIER ::= { IPsecMIBObjects 1 }
IPsecPhaseOne   OBJECT IDENTIFIER ::= { IPsecMIBObjects 2 }
IPsecPhaseTwo   OBJECT IDENTIFIER ::= { IPsecMIBObjects 3 }
IPsecHistory    OBJECT IDENTIFIER ::= { IPsecMIBObjects 4 }
IPsecFailures   OBJECT IDENTIFIER ::= { IPsecMIBObjects 5 }
IPsecTrapCntl   OBJECT IDENTIFIER ::= { IPsecMIBObjects 6 }

-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- IPsec Levels Group
--
-- This group consists of a:
--  1) IPsec MIB Level
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------

IPsecMibLevel OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The level of the IPsec MIB."
    ::= { IPsecLevels 1 }

-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- The IPsec Phase-1 Internet Key Exchange (IKE) Group
--
-- This group consists of:
--  1) IPsec Phase-1 Global Statistics
--  2) IPsec Phase-1 Peer Table
--  3) IPsec Phase-1 Tunnel Table
--  4) IPsec Phase-1 Correlation Table
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------

-- ----------------------------------------------------------------------------
-- The IPsec Phase-1 Global Statistics
-- ----------------------------------------------------------------------------

ikeGlobalStats OBJECT IDENTIFIER ::= { IPsecPhaseOne 1 }

ikeGlobalActiveTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active IPsec Phase-1
         IKE Tunnels."
    ::= { ikeGlobalStats 1 }

ikeGlobalPreviousTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of previously active IPsec
         Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 2 }

ikeGlobalInOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by all currently
         and previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 3 }

ikeGlobalInPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all currently
         and previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 4 }

ikeGlobalInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets which were dropped during
         receive processing by all currently and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 5 }

ikeGlobalInNotifys OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifys received by all currently
         and previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 6 }

ikeGlobalInP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received by
         all currently and previously active IPsec Phase-1
         IKE Tunnels."
    ::= { ikeGlobalStats 7 }

ikeGlobalInP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges which were
         received and found to be invalid by all currently and
         previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 8 }

ikeGlobalInP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges which were
         received and rejected by all currently and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 9 }

ikeGlobalInP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests received by all currently and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 10 }

ikeGlobalOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by all currently
         and previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 11 }

ikeGlobalOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all currently
         and previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 12 }

ikeGlobalOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets which were dropped during
         send processing by all currently and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 13 }

ikeGlobalOutNotifys OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifys sent by all currently
         and previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 14 }

ikeGlobalOutP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges which were
         sent by all currently and previously active IPsec
         Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 15 }

ikeGlobalOutP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges which were
         sent and found to be invalid by all currently and
         previously active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 16 }

ikeGlobalOutP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges which were
         sent and rejected by all currently and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 17 }

ikeGlobalOutP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests sent by all currently and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 18 }

ikeGlobalInitTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-1 IKE Tunnels which
         were locally initiated."
    ::= { ikeGlobalStats 19 }

ikeGlobalInitTunnelFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-1 IKE Tunnels which
         were locally initiated and failed to activate."
    ::= { ikeGlobalStats 20 }

ikeGlobalRespTunnelFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-1 IKE Tunnels which
         were remotely initiated and failed to activate."
    ::= { ikeGlobalStats 21 }

ikeGlobalSysCapFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of system capacity failures which
         occurred during processing of all current and previously
         active IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 22 }

ikeGlobalAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of authentications which ended
         in failure by all current and previous IPsec Phase-1
         IKE Tunnels."
    ::= { ikeGlobalStats 23 }

ikeGlobalDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of decryptions which ended
         in failure by all current and previous IPsec Phase-1
         IKE Tunnels."
    ::= { ikeGlobalStats 24 }

ikeGlobalHashValidFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of hash validations which ended
         in failure by all current and previous IPsec Phase-1
         IKE Tunnels."
    ::= { ikeGlobalStats 25 }

ikeGlobalNoSaFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of non-existent Security Association
         failures which occurred during processing of
         all current and previous IPsec Phase-1 IKE Tunnels."
    ::= { ikeGlobalStats 26 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-1 Internet Key Exchange Peer Table
-- ----------------------------------------------------------------------------

ikePeerTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkePeerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Internet Key Exchange Peer Table.
         There is one entry in this table for each IPsec
         Phase-1 IKE peer association which is currently
         associated with an active IPsec Phase-2 Tunnel.
         The IPsec Phase-1 IKE Tunnel associated with this
         IPsec Phase-1 IKE peer association may or may not
         be currently active."
    ::= { IPsecPhaseOne 2 }

ikePeerEntry OBJECT-TYPE
    SYNTAX      IkePeerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
         an IPsec Phase-1 IKE peer association."
    INDEX       { ikePeerLocalType, ikePeerLocalValue,
                  ikePeerRemoteType, ikePeerRemoteValue,
                  ikePeerIntIndex }
    ::= { ikePeerTable 1 }

IkePeerEntry ::= SEQUENCE {
    ikePeerLocalType            IkePeerType,
    ikePeerLocalValue           DisplayString,
    ikePeerRemoteType           IkePeerType,
    ikePeerRemoteValue          DisplayString,
    ikePeerIntIndex             Integer32,
    ikePeerLocalAddr            IPSIpAddress,
    ikePeerRemoteAddr           IPSIpAddress,
    ikePeerActiveTime           TimeInterval,
    ikePeerActiveTunnelIndex    Integer32
}

ikePeerLocalType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of local peer identity.
         The local peer may be identified by:
          1. an IP address, or
          2. a host name."
    ::= { ikePeerEntry 1 }

ikePeerLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.
         If the local peer type is an IP Address, then this
         is the IP Address used to identify the local peer.
         If the local peer type is a host name, then this is
         the host name used to identify the local peer."
    ::= { ikePeerEntry 2 }

ikePeerRemoteType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity.
         The remote peer may be identified by:
          1. an IP address, or
          2. a host name."
    ::= { ikePeerEntry 3 }

ikePeerRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.
         If the remote peer type is an IP Address, then this
         is the IP Address used to identify the remote peer.
         If the remote peer type is a host name, then
         this is the host name used to identify the
         remote peer."
    ::= { ikePeerEntry 4 }

ikePeerIntIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The internal index of the local-remote
         peer association. This internal index is used
         to uniquely identify multiple associations between
         the local and remote peer."
    ::= { ikePeerEntry 5 }

ikePeerLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local peer."
    ::= { ikePeerEntry 6 }

ikePeerRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote peer."
    ::= { ikePeerEntry 7 }

ikePeerActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time that the peer association has
         existed in hundredths of a second."
    ::= { ikePeerEntry 8 }

ikePeerActiveTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the active IPsec Phase-1 IKE Tunnel
         (ikeTunIndex in the ikeTunnelTable) for this peer
         association. If an IPsec Phase-1 IKE Tunnel is
         not currently active, then the value of this
         object will be zero."
    ::= { ikePeerEntry 9 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-1 Internet Key Exchange Tunnel Table
-- ----------------------------------------------------------------------------

ikeTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkeTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Internet Key Exchange Tunnel Table.
         There is one entry in this table for each active IPsec
         Phase-1 IKE Tunnel."
    ::= { IPsecPhaseOne 3 }

ikeTunnelEntry OBJECT-TYPE
    SYNTAX      IkeTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
         an active IPsec Phase-1 IKE Tunnel."
    INDEX       { ikeTunIndex }
    ::= { ikeTunnelTable 1 }

IkeTunnelEntry ::= SEQUENCE {
    ikeTunIndex                 Integer32,
    ikeTunLocalType             IkePeerType,
    ikeTunLocalValue            DisplayString,
    ikeTunLocalAddr             IPSIpAddress,
    ikeTunLocalName             DisplayString,
    ikeTunRemoteType            IkePeerType,
    ikeTunRemoteValue           DisplayString,
    ikeTunRemoteAddr            IPSIpAddress,
    ikeTunRemoteName            DisplayString,
    ikeTunNegoMode              IkeNegoMode,
    ikeTunDiffHellmanGrp        DiffHellmanGrp,
    ikeTunEncryptAlgo           EncryptAlgo,
    ikeTunHashAlgo              IkeHashAlgo,
    ikeTunAuthMethod            IkeAuthMethod,
    ikeTunLifeTime              Integer32,
    ikeTunActiveTime            TimeInterval,
    ikeTunSaRefreshThreshold    Integer32,
    ikeTunTotalRefreshes        Counter32,
    ikeTunInOctets              Counter32,
    ikeTunInPkts                Counter32,
    ikeTunInDropPkts            Counter32,
    ikeTunInNotifys             Counter32,
    ikeTunInP2Exchgs            Counter32,
    ikeTunInP2ExchgInvalids     Counter32,
    ikeTunInP2ExchgRejects      Counter32,
    ikeTunInP2SaDelRequests     Counter32,
    ikeTunOutOctets             Counter32,
    ikeTunOutPkts               Counter32,
    ikeTunOutDropPkts           Counter32,
    ikeTunOutNotifys            Counter32,
    ikeTunOutP2Exchgs           Counter32,
    ikeTunOutP2ExchgInvalids    Counter32,
    ikeTunOutP2ExchgRejects     Counter32,
    ikeTunOutP2SaDelRequests    Counter32,
    ikeTunStatus                TunnelStatus
}

ikeTunIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-1 IKE Tunnel Table.
         The value of the index is a number which begins
         at one and is incremented with each tunnel that
         is created. The value of this object will
         wrap at 2,147,483,647."
    ::= { ikeTunnelEntry 1 }

ikeTunLocalType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of local peer identity.
         The local peer may be identified by:
          1. an IP address, or
          2. a host name."
    ::= { ikeTunnelEntry 2 }

ikeTunLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.
         If the local peer type is an IP Address, then this
         is the IP Address used to identify the local peer.
         If the local peer type is a host name, then this is
         the host name used to identify the local peer."
    ::= { ikeTunnelEntry 3 }

ikeTunLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec
         Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 4 }

ikeTunLocalName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the local IP address for
         the IPsec Phase-1 IKE Tunnel. If the DNS
         name associated with the local tunnel endpoint
         is not known, then the value of this
         object will be a NULL string."
    ::= { ikeTunnelEntry 5 }

ikeTunRemoteType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity.
         The remote peer may be identified by:
          1. an IP address, or
          2. a host name."
    ::= { ikeTunnelEntry 6 }

ikeTunRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.
         If the remote peer type is an IP Address, then this
         is the IP Address used to identify the remote peer.
         If the remote peer type is a host name, then
         this is the host name used to identify the
         remote peer."
    ::= { ikeTunnelEntry 7 }

ikeTunRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec
         Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 8 }

ikeTunRemoteName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the remote IP address of IPsec Phase-1
         IKE Tunnel. If the DNS name associated with the remote
         tunnel endpoint is not known, then the value of this
         object will be a NULL string."
    ::= { ikeTunnelEntry 9 }

ikeTunNegoMode OBJECT-TYPE
    SYNTAX      IkeNegoMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 10 }

ikeTunDiffHellmanGrp OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 11 }

ikeTunEncryptAlgo OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 12 }

ikeTunHashAlgo OBJECT-TYPE
    SYNTAX      IkeHashAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 13 }

ikeTunAuthMethod OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelEntry 14 }

ikeTunLifeTime OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel
         in seconds."
    ::= { ikeTunnelEntry 15 }

ikeTunActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time the IPsec Phase-1 IKE tunnel has been
         active in hundredths of seconds."
    ::= { ikeTunnelEntry 16 }

ikeTunSaRefreshThreshold OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association refresh threshold in seconds."
    ::= { ikeTunnelEntry 17 }

ikeTunTotalRefreshes OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security association refreshes
         performed."
    ::= { ikeTunnelEntry 18 }

ikeTunInOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 19 }

ikeTunInPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 20 }

ikeTunInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped
         by this IPsec Phase-1 IKE Tunnel during
         receive processing."
    ::= { ikeTunnelEntry 21 }

ikeTunInNotifys OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifys received by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 22 }

ikeTunInP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         exchanges received by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 23 }

ikeTunInP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         exchanges received and found to be invalid by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 24 }

ikeTunInP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         exchanges received and rejected by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 25 }

ikeTunInP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         security association delete requests received by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 26 }

ikeTunOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 27 }

ikeTunOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 28 }

ikeTunOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped
         by this IPsec Phase-1 IKE Tunnel during
         send processing."
    ::= { ikeTunnelEntry 29 }

ikeTunOutNotifys OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of notifys sent by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 30 }

ikeTunOutP2Exchgs OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         exchanges sent by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 31 }

ikeTunOutP2ExchgInvalids OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         exchanges sent and found to be invalid by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 32 }

ikeTunOutP2ExchgRejects OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         exchanges sent and rejected by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 33 }

ikeTunOutP2SaDelRequests OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of IPsec Phase-2
         security association delete requests sent by
         this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelEntry 34 }

ikeTunStatus OBJECT-TYPE
    SYNTAX      TunnelStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The status of the MIB table row.
         This object can be used to bring the tunnel down
         by setting the value of this object to destroy(2).
         This object cannot be used to create
         a MIB table row."
    ::= { ikeTunnelEntry 35 }

-- ----------------------------------------------------------------------------
-- The Internet Key Exchange Peer Association to Phase-2 Tunnel
-- Correlation Table
-- ----------------------------------------------------------------------------

ikePeerCorrTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkePeerCorrEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Internet Key Exchange Peer
         Association to IPsec Phase-2 Tunnel
         Correlation Table. There is one entry in
         this table for each active IPsec Phase-2
         Tunnel."
    ::= { IPsecPhaseOne 4 }

ikePeerCorrEntry OBJECT-TYPE
    SYNTAX      IkePeerCorrEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes of an
         IPsec Phase-1 IKE Peer Association to IPsec
         Phase-2 Tunnel Correlation."
    INDEX { ikePeerCorrLocalType,
            ikePeerCorrLocalValue,
            ikePeerCorrRemoteType,
            ikePeerCorrRemoteValue,
            ikePeerCorrIntIndex,
            ikePeerCorrSeqNum }
    ::= { ikePeerCorrTable 1 }

IkePeerCorrEntry ::= SEQUENCE {
    ikePeerCorrLocalType        IkePeerType,
    ikePeerCorrLocalValue       DisplayString,
    ikePeerCorrRemoteType       IkePeerType,
    ikePeerCorrRemoteValue      DisplayString,
    ikePeerCorrIntIndex         Integer32,
    ikePeerCorrSeqNum           Integer32,
    ikePeerCorrIPsecTunIndex    Integer32
}

ikePeerCorrLocalType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of local peer identity. The local peer
         may be identified by:
          1. an IP address, or
          2. a host name."
    ::= { ikePeerCorrEntry 1 }

ikePeerCorrLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.
         If the local peer type is an IP Address, then this
         is the IP Address used to identify the local peer.
         If the local peer type is a host name, then this is
         the host name used to identify the local peer."
    ::= { ikePeerCorrEntry 2 }

ikePeerCorrRemoteType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity. The remote peer
         may be identified by:
          1. an IP address, or
          2. a host name."
    ::= { ikePeerCorrEntry 3 }

ikePeerCorrRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.
         If the remote peer type is an IP Address, then this
         is the IP Address used to identify the remote peer.
         If the remote peer type is a host name, then this is
         the host name used to identify the remote peer."
    ::= { ikePeerCorrEntry 4 }

ikePeerCorrIntIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The internal index of the local-remote
         peer association. This internal index is used
         to uniquely identify multiple associations between
         the local and remote peer."
    ::= { ikePeerCorrEntry 5 }

ikePeerCorrSeqNum OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The sequence number of the local-remote
         peer association. This sequence number is used
         to uniquely identify multiple instances of a
         unique association between
         the local and remote peer."
    ::= { ikePeerCorrEntry 6 }

ikePeerCorrIPsecTunIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the active IPsec Phase-2 Tunnel
         (IPsecTunIndex in the IPsecTunnelTable) for this
         IPsec Phase-1 IKE Peer Association."
    ::= { ikePeerCorrEntry 7 }

-- -------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- IPsec Phase-2 Group
--
-- This group consists of:
-- 1) IPsec Phase-2 Global Statistics
-- 2) IPsec Phase-2 Tunnel Table
-- 3) IPsec Phase-2 Endpoint Table
-- 4) IPsec Phase-2 Security Protection Index Table
-- 4) IPsec Phase-2 Security Protection Index Objects
-- -------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Global Tunnel Statistics
-- ----------------------------------------------------------------------------

IPsecGlobalStats OBJECT IDENTIFIER ::= { IPsecPhaseTwo 1 }

IPsecGlobalActiveTunnels OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of currently active
         IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 1 }

IPsecGlobalPreviousTunnels OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of previously active
         IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 2 }

IPsecGlobalInOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by all
         current and previous IPsec Phase-2 Tunnels.
         This value is accumulated BEFORE determining
         whether or not the packet should be decompressed.
         See also IPsecGlobalInOctWraps for the number of
         times this counter has wrapped."
    ::= { IPsecGlobalStats 3 }

IPsecGlobalHcInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         received by all current and previous IPsec Phase-2
         Tunnels. This value is accumulated BEFORE determining
         whether or not the packet should be decompressed."
    ::= { IPsecGlobalStats 4 }

IPsecGlobalInOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global octets received counter
         (IPsecGlobalInOctets) has wrapped."
    ::= { IPsecGlobalStats 5 }

IPsecGlobalInDecompOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of decompressed octets received by
         all current and previous IPsec Phase-2 Tunnels.
         This value is accumulated AFTER the packet is
         decompressed. If compression is not being used,
         this value will match the value of
         IPsecGlobalInOctets.
         See also IPsecGlobalInDecompOctWraps for the number
         of times this counter has wrapped."
    ::= { IPsecGlobalStats 6 }

IPsecGlobalHcInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         decompressed octets received by all current and
         previous IPsec Phase-2 Tunnels. This value is
         accumulated AFTER the packet is decompressed.
         If compression is not being used, this value will
         match the value of IPsecGlobalHcInOctets."
    ::= { IPsecGlobalStats 7 }

IPsecGlobalInDecompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global decompressed octets
         received counter (IPsecGlobalInDecompOctets) has
         wrapped."
    ::= { IPsecGlobalStats 8 }

IPsecGlobalInPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by all
         current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 9 }

IPsecGlobalInDrops OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing by all current and previous IPsec Phase-2
         Tunnels. This count does NOT include packets
         dropped due to Anti-Replay processing."
    ::= { IPsecGlobalStats 10 }

IPsecGlobalInReplayDrops OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing due to Anti-Replay processing by all
         current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 11 }

IPsecGlobalInAuths OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications performed
         by all current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 12 }

IPsecGlobalInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications which
         ended in failure by all current and previous IPsec
         Phase-2 Tunnels."
    ::= { IPsecGlobalStats 13 }

IPsecGlobalInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed
         by all current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 14 }

IPsecGlobalInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions which
         ended in failure by all current and previous IPsec
         Phase-2 Tunnels."
    ::= { IPsecGlobalStats 15 }

IPsecGlobalOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by all
         current and previous IPsec Phase-2 Tunnels.
         This value is accumulated AFTER determining
         whether or not the packet should be compressed.
         See also IPsecGlobalOutOctWraps for the number of
         times this counter has wrapped."
    ::= { IPsecGlobalStats 16 }

IPsecGlobalHcOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         sent by all current and previous IPsec Phase-2
         Tunnels. This value is accumulated AFTER determining
         whether or not the packet should be compressed."
    ::= { IPsecGlobalStats 17 }

IPsecGlobalOutOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global octets sent counter
         (IPsecGlobalOutOctets) has wrapped."
    ::= { IPsecGlobalStats 18 }

IPsecGlobalOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of uncompressed octets sent by
         all current and previous IPsec Phase-2 Tunnels.
         This value is accumulated BEFORE the packet is
         compressed. If compression is not being used,
         this value will match the value of
         IPsecGlobalOutOctets.
         See also IPsecGlobalOutUncompOctWraps for the number
         of times this counter has wrapped."
    ::= { IPsecGlobalStats 19 }

IPsecGlobalHcOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         uncompressed octets sent by all current and
         previous IPsec Phase-2 Tunnels. This value is
         accumulated BEFORE the packet is compressed.
         If compression is not being used, this value will
         match the value of IPsecGlobalHcOutOctets."
    ::= { IPsecGlobalStats 20 }

IPsecGlobalOutUncompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the global uncompressed octets
         sent counter (IPsecGlobalOutUncompOctets) has
         wrapped."
    ::= { IPsecGlobalStats 21 }

IPsecGlobalOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by all
         current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 22 }

IPsecGlobalOutDrops OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during send
         processing by all current and previous IPsec Phase-2
         Tunnels."
    ::= { IPsecGlobalStats 23 }

IPsecGlobalOutAuths OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications performed
         by all current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 24 }

IPsecGlobalOutAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications which
         ended in failure by all current and previous IPsec
         Phase-2 Tunnels."
    ::= { IPsecGlobalStats 25 }

IPsecGlobalOutEncrypts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed
         by all current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 26 }

IPsecGlobalOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions which
         ended in failure by all current and previous IPsec
         Phase-2 Tunnels."
    ::= { IPsecGlobalStats 27 }

IPsecGlobalProtocolUseFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of protocol use failures which
         occurred during processing of all current and
         previously active IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 28 }

IPsecGlobalNoSaFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of non-existent Security Association
         failures which occurred during processing of
         all current and previous IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 29 }

IPsecGlobalSysCapFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of system capacity failures which
         occurred during processing of all current and
         previously active IPsec Phase-2 Tunnels."
    ::= { IPsecGlobalStats 30 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Tunnel Table
-- ----------------------------------------------------------------------------

IPsecTunnelTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IPsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Table.
         There is one entry in this table for
         each active IPsec Phase-2 Tunnel."
    ::= { IPsecPhaseTwo 2 }

IPsecTunnelEntry OBJECT-TYPE
    SYNTAX      IPsecTunnelEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes
         associated with an active IPsec Phase-2 Tunnel."
    INDEX { IPsecTunIndex }
    ::= { IPsecTunnelTable 1 }

IPsecTunnelEntry ::= SEQUENCE {
    IPsecTunIndex                   Integer32,
    IPsecTunIkeTunnelIndex          Integer32,
    IPsecTunIkeTunnelAlive          TruthValue,
    IPsecTunLocalAddr               IPSIpAddress,
    IPsecTunRemoteAddr              IPSIpAddress,
    IPsecTunKeyType                 KeyType,
    IPsecTunEncapMode               EncapMode,
    IPsecTunLifeSize                Integer32,
    IPsecTunLifeTime                Integer32,
    IPsecTunActiveTime              TimeInterval,
    IPsecTunSaLifeSizeThreshold     Integer32,
    IPsecTunSaLifeTimeThreshold     Integer32,
    IPsecTunTotalRefreshes          Counter32,
    IPsecTunExpiredSaInstances      Counter32,
    IPsecTunCurrentSaInstances      Gauge32,
    IPsecTunInSaDiffHellmanGrp      DiffHellmanGrp,
    IPsecTunInSaEncryptAlgo         EncryptAlgo,
    IPsecTunInSaAhAuthAlgo          AuthAlgo,
    IPsecTunInSaEspAuthAlgo         AuthAlgo,
    IPsecTunInSaDecompAlgo          CompAlgo,
    IPsecTunOutSaDiffHellmanGrp     DiffHellmanGrp,
    IPsecTunOutSaEncryptAlgo        EncryptAlgo,
    IPsecTunOutSaAhAuthAlgo         AuthAlgo,
    IPsecTunOutSaEspAuthAlgo        AuthAlgo,
    IPsecTunOutSaCompAlgo           CompAlgo,
    IPsecTunInOctets                Counter32,
    IPsecTunHcInOctets              Counter64,
    IPsecTunInOctWraps              Counter32,
    IPsecTunInDecompOctets          Counter32,
    IPsecTunHcInDecompOctets        Counter64,
    IPsecTunInDecompOctWraps        Counter32,
    IPsecTunInPkts                  Counter32,
    IPsecTunInDropPkts              Counter32,
    IPsecTunInReplayDropPkts        Counter32,
    IPsecTunInAuths                 Counter32,
    IPsecTunInAuthFails             Counter32,
    IPsecTunInDecrypts              Counter32,
    IPsecTunInDecryptFails          Counter32,
    IPsecTunOutOctets               Counter32,
    IPsecTunHcOutOctets             Counter64,
    IPsecTunOutOctWraps             Counter32,
    IPsecTunOutUncompOctets         Counter32,
    IPsecTunHcOutUncompOctets       Counter64,
    IPsecTunOutUncompOctWraps       Counter32,
    IPsecTunOutPkts                 Counter32,
    IPsecTunOutDropPkts             Counter32,
    IPsecTunOutAuths                Counter32,
    IPsecTunOutAuthFails            Counter32,
    IPsecTunOutEncrypts             Counter32,
    IPsecTunOutEncryptFails         Counter32,
    IPsecTunStatus                  TunnelStatus
}

IPsecTunIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel Table.
         The value of the index is a number which begins
         at one and is incremented with each tunnel that
         is created. The value of this object will wrap
         at 2,147,483,647."
    ::= { IPsecTunnelEntry 1 }

IPsecTunIkeTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the associated IPsec Phase-1
         IKE Tunnel. (ikeTunIndex in the ikeTunnelTable)"
    ::= { IPsecTunnelEntry 2 }

IPsecTunIkeTunnelAlive OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "An indicator which specifies whether or not the
         IPsec Phase-1 IKE Tunnel currently exists."
    ::= { IPsecTunnelEntry 3 }

IPsecTunLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec
         Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 4 }

IPsecTunRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec
         Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 5 }

IPsecTunKeyType OBJECT-TYPE
    SYNTAX      KeyType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of key used by the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 6 }

IPsecTunEncapMode OBJECT-TYPE
    SYNTAX      EncapMode
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encapsulation mode used by the
         IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 7 }

IPsecTunLifeSize OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeSize of the IPsec Phase-2 Tunnel
         in kilobytes."
    ::= { IPsecTunnelEntry 8 }

IPsecTunLifeTime OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-2 Tunnel
         in seconds."
    ::= { IPsecTunnelEntry 9 }

IPsecTunActiveTime OBJECT-TYPE
    SYNTAX      TimeInterval
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The length of time the IPsec Phase-2 Tunnel has been
         active in hundredths of seconds."
    ::= { IPsecTunnelEntry 10 }

IPsecTunSaLifeSizeThreshold OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association LifeSize refresh threshold
         in kilobytes."
    ::= { IPsecTunnelEntry 11 }

IPsecTunSaLifeTimeThreshold OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association LifeTime refresh threshold
         in seconds."
    ::= { IPsecTunnelEntry 12 }

IPsecTunTotalRefreshes OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security association refreshes
         performed."
    ::= { IPsecTunnelEntry 13 }

IPsecTunExpiredSaInstances OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of security associations which
         have expired."
    ::= { IPsecTunnelEntry 14 }

IPsecTunCurrentSaInstances OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of security associations which
         are currently active or expiring."
    ::= { IPsecTunnelEntry 15 }

IPsecTunInSaDiffHellmanGrp OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 16 }

IPsecTunInSaEncryptAlgo OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 17 }

IPsecTunInSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         authentication header (AH) security association of
         the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 18 }

IPsecTunInSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         encapsulation security protocol (ESP) security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 19 }

IPsecTunInSaDecompAlgo OBJECT-TYPE
    SYNTAX      CompAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The decompression algorithm used by the inbound
         security association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 20 }

IPsecTunOutSaDiffHellmanGrp OBJECT-TYPE
    SYNTAX      DiffHellmanGrp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Diffie Hellman Group used by the outbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 21 }

IPsecTunOutSaEncryptAlgo OBJECT-TYPE
    SYNTAX      EncryptAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The encryption algorithm used by the outbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 22 }

IPsecTunOutSaAhAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
         authentication header (AH) security association of
         the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 23 }

IPsecTunOutSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the outbound
         encapsulation security protocol (ESP) security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 24 }

IPsecTunOutSaCompAlgo OBJECT-TYPE
    SYNTAX      CompAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The compression algorithm used by the outbound
         security association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 25 }

IPsecTunInOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by
         this IPsec Phase-2 Tunnel. This value
         is accumulated BEFORE determining whether
         or not the packet should be decompressed.
         See also IPsecTunInOctWraps for the number of
         times this counter has wrapped."
    ::= { IPsecTunnelEntry 26 }

IPsecTunHcInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         received by this IPsec Phase-2 Tunnel. This value
         is accumulated BEFORE determining whether
         or not the packet should be decompressed."
    ::= { IPsecTunnelEntry 27 }

IPsecTunInOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the octets received counter
         (IPsecTunInOctets) has wrapped."
    ::= { IPsecTunnelEntry 28 }

IPsecTunInDecompOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of decompressed octets received by
         this IPsec Phase-2 Tunnel. This value
         is accumulated AFTER the packet is decompressed.
         If compression is not being used, this value will
         match the value of IPsecTunInOctets.
         See also IPsecTunInDecompOctWraps for the number of
         times this counter has wrapped."
    ::= { IPsecTunnelEntry 29 }

IPsecTunHcInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         decompressed octets received by this IPsec Phase-2
         Tunnel. This value is accumulated AFTER the packet
         is decompressed.
         If compression is not being used, this value will
         match the value of IPsecTunHcInOctets."
    ::= { IPsecTunnelEntry 30 }

IPsecTunInDecompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the decompressed octets received
         counter (IPsecTunInDecompOctets) has wrapped."
    ::= { IPsecTunnelEntry 31 }

IPsecTunInPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by
         this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 32 }

IPsecTunInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
         receive processing by this IPsec Phase-2 Tunnel.
         This count does NOT include packets dropped
         due to Anti-Replay processing."
    ::= { IPsecTunnelEntry 33 }

IPsecTunInReplayDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during
         receive processing due to Anti-Replay
         processing by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 34 }

IPsecTunInAuths OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications performed
         by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 35 }

IPsecTunInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications which
         ended in failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 36 }

IPsecTunInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed
         by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 37 }

IPsecTunInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions which
         ended in failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 38 }

IPsecTunOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by
         this IPsec Phase-2 Tunnel. This value
         is accumulated AFTER determining whether
         or not the packet should be compressed.
         See also IPsecTunOutOctWraps for the number of
         times this counter has wrapped."
    ::= { IPsecTunnelEntry 39 }

IPsecTunHcOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         sent by this IPsec Phase-2 Tunnel. This value
         is accumulated AFTER determining whether
         or not the packet should be compressed."
    ::= { IPsecTunnelEntry 40 }

IPsecTunOutOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the octets sent counter
         (IPsecTunOutOctets) has wrapped."
    ::= { IPsecTunnelEntry 41 }

IPsecTunOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of uncompressed octets sent by
         this IPsec Phase-2 Tunnel. This value
         is accumulated BEFORE the packet is compressed.
         If compression is not being used, this value will
         match the value of IPsecTunOutOctets.
         See also IPsecTunOutUncompOctWraps for the number of
         times this counter has wrapped."
    ::= { IPsecTunnelEntry 42 }

IPsecTunHcOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         uncompressed octets sent by this IPsec Phase-2
         Tunnel.
         This value is accumulated BEFORE the packet is compressed.
         If compression is not being used, this value will match the
         value of IPsecTunHcOutOctets."
    ::= { IPsecTunnelEntry 43 }

IPsecTunOutUncompOctWraps OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times the uncompressed octets sent counter
         (IPsecTunOutUncompOctets) has wrapped."
    ::= { IPsecTunnelEntry 44 }

IPsecTunOutPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-2
         Tunnel."
    ::= { IPsecTunnelEntry 45 }

IPsecTunOutDropPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets dropped during send processing
         by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 46 }

IPsecTunOutAuths OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound authentications performed by
         this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 47 }

IPsecTunOutAuthFails OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound authentications which ended in
         failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 48 }

IPsecTunOutEncrypts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound encryptions performed by this
         IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 49 }

IPsecTunOutEncryptFails OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of outbound encryptions which ended in
         failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelEntry 50 }

IPsecTunStatus OBJECT-TYPE
    SYNTAX TunnelStatus
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The status of the MIB table row.
         This object can be used to bring the tunnel down by setting
         the value of this object to destroy(2). This object cannot
         be used to create a MIB table row."
    ::= { IPsecTunnelEntry 51 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Tunnel Endpoint Table
-- ----------------------------------------------------------------------------

IPsecEndPtTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IPsecEndPtEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Endpoint Table. This table contains
         an entry for each active endpoint associated with an IPsec
         Phase-2 Tunnel."
    ::= { IPsecPhaseTwo 3 }

IPsecEndPtEntry OBJECT-TYPE
    SYNTAX IPsecEndPtEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An IPsec Phase-2 Tunnel Endpoint entry."
    INDEX { IPsecTunIndex,    -- from IPsecTunnelTable
            IPsecEndPtIndex }
    ::= { IPsecEndPtTable 1 }

IPsecEndPtEntry ::= SEQUENCE {
    IPsecEndPtIndex           Integer32,
    IPsecEndPtLocalName       DisplayString,
    IPsecEndPtLocalType       EndPtType,
    IPsecEndPtLocalAddr1      IPSIpAddress,
    IPsecEndPtLocalAddr2      IPSIpAddress,
    IPsecEndPtLocalProtocol   Integer32,
    IPsecEndPtLocalPort       Integer32,
    IPsecEndPtRemoteName      DisplayString,
    IPsecEndPtRemoteType      EndPtType,
    IPsecEndPtRemoteAddr1     IPSIpAddress,
    IPsecEndPtRemoteAddr2     IPSIpAddress,
    IPsecEndPtRemoteProtocol  Integer32,
    IPsecEndPtRemotePort      Integer32
}

IPsecEndPtIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The number of the Endpoint associated with the IPsec Phase-2
         Tunnel Table. The value of this index is a number which
         begins at one and is incremented with each Endpoint
         associated with an IPsec Phase-2 Tunnel. The value of this
         object will wrap at 2,147,483,647."
    ::= { IPsecEndPtEntry 1 }

IPsecEndPtLocalName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the local Endpoint."
    ::= { IPsecEndPtEntry 2 }

IPsecEndPtLocalType OBJECT-TYPE
    SYNTAX EndPtType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of identity for the local Endpoint.
         Possible values are:
           1) a single IP address, or
           2) an IP address range, or
           3) an IP subnet."
    ::= { IPsecEndPtEntry 3 }

IPsecEndPtLocalAddr1 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The local Endpoint's first IP address specification.
         If the local Endpoint type is single IP address, then this
         is the value of the IP address.
         If the local Endpoint type is IP subnet, then this is the
         value of the subnet.
         If the local Endpoint type is IP address range, then this is
         the value of the beginning IP address of the range."
    ::= { IPsecEndPtEntry 4 }

IPsecEndPtLocalAddr2 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The local Endpoint's second IP address specification.
         If the local Endpoint type is single IP address, then this
         is the value of the IP address.
         If the local Endpoint type is IP subnet, then this is the
         value of the subnet mask.
         If the local Endpoint type is IP address range, then this is
         the value of the ending IP address of the range."
    ::= { IPsecEndPtEntry 5 }

IPsecEndPtLocalProtocol OBJECT-TYPE
    SYNTAX Integer32(1..255)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The protocol number of the local Endpoint's traffic."
    ::= { IPsecEndPtEntry 6 }

IPsecEndPtLocalPort OBJECT-TYPE
    SYNTAX Integer32(0..65535)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The port number of the local Endpoint's traffic."
    ::= { IPsecEndPtEntry 7 }

IPsecEndPtRemoteName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the remote Endpoint."
    ::= { IPsecEndPtEntry 8 }

IPsecEndPtRemoteType OBJECT-TYPE
    SYNTAX EndPtType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of identity for the remote Endpoint.
         Possible values are:
           1) a single IP address, or
           2) an IP address range, or
           3) an IP subnet."
    ::= { IPsecEndPtEntry 9 }

IPsecEndPtRemoteAddr1 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The remote Endpoint's first IP address specification.
         If the remote Endpoint type is single IP address, then this
         is the value of the IP address.
         If the remote Endpoint type is IP subnet, then this is the
         value of the subnet.
         If the remote Endpoint type is IP address range, then this
         is the value of the beginning IP address of the range."
    ::= { IPsecEndPtEntry 10 }

IPsecEndPtRemoteAddr2 OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The remote Endpoint's second IP address specification.
         If the remote Endpoint type is single IP address, then this
         is the value of the IP address.
         If the remote Endpoint type is IP subnet, then this is the
         value of the subnet mask.
         If the remote Endpoint type is IP address range, then this
         is the value of the ending IP address of the range."
    ::= { IPsecEndPtEntry 11 }

IPsecEndPtRemoteProtocol OBJECT-TYPE
    SYNTAX Integer32(1..255)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The protocol number of the remote Endpoint's traffic."
    ::= { IPsecEndPtEntry 12 }

IPsecEndPtRemotePort OBJECT-TYPE
    SYNTAX Integer32(0..65535)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The port number of the remote Endpoint's traffic."
    ::= { IPsecEndPtEntry 13 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Security Protection Index Table
-- ----------------------------------------------------------------------------

IPsecSpiTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IPsecSpiEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Security Protection Index Table. This
         table contains an entry for each active and expiring
         security association."
    ::= { IPsecPhaseTwo 4 }

IPsecSpiEntry OBJECT-TYPE
    SYNTAX IPsecSpiEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with active
         and expiring IPsec Phase-2 security associations."
    INDEX { IPsecTunIndex,    -- from IPsecTunnelTable
            IPsecSpiIndex }
    ::= { IPsecSpiTable 1 }

IPsecSpiEntry ::= SEQUENCE {
    IPsecSpiIndex      Integer32,
    IPsecSpiDirection  INTEGER,
    IPsecSpiValue      Integer32,
    IPsecSpiProtocol   INTEGER,
    IPsecSpiStatus     INTEGER
}

IPsecSpiIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The number of the SPI associated with the Phase-2 Tunnel
         Table. The value of this index is a number which begins at
         one and is incremented with each SPI associated with an
         IPsec Phase-2 Tunnel. The value of this object will wrap at
         2,147,483,647."
    ::= { IPsecSpiEntry 1 }

IPsecSpiDirection OBJECT-TYPE
    SYNTAX INTEGER { in(1), out(2) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The direction of the SPI."
    ::= { IPsecSpiEntry 2 }

IPsecSpiValue OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the SPI."
    ::= { IPsecSpiEntry 3 }

IPsecSpiProtocol OBJECT-TYPE
    SYNTAX INTEGER { ah(1), esp(2), ipcomp(3) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The protocol of the SPI."
    ::= { IPsecSpiEntry 4 }

IPsecSpiStatus OBJECT-TYPE
    SYNTAX INTEGER { active(1), expiring(2) }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The status of the SPI."
    ::= { IPsecSpiEntry 5 }

-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- The IPsec History Group
--
-- This group consists of:
-- 1) IPsec History Global Objects
-- 2) IPsec Phase-1 History Objects
-- 3) IPsec Phase-2 History Objects
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------
-- ----------------------------------------------------------------------------

IPsecHistGlobal OBJECT IDENTIFIER ::= { IPsecHistory 1 }
IPsecHistPhaseOne OBJECT IDENTIFIER ::= { IPsecHistory 2 }
IPsecHistPhaseTwo OBJECT IDENTIFIER ::= { IPsecHistory 3 }

-- ----------------------------------------------------------------------------
-- IPsec History Global Control Objects
-- ----------------------------------------------------------------------------

IPsecHistGlobalCntl OBJECT IDENTIFIER ::= { IPsecHistGlobal 1 }

IPsecHistTableSize OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "The window size of the IPsec Phase-1 and Phase-2 History
         Tables. The IPsec Phase-1 and Phase-2 History Tables are
         implemented as a sliding window in which only the last n
         entries are maintained. This object is used to specify the
         number of entries which will be maintained in the IPsec
         Phase-1 and Phase-2 History Tables. When modified by an SNMP
         SET request, the device will set the value of this object as
         close as possible to the requested value based on the
         implementation and available resources."
    ::= { IPsecHistGlobalCntl 1 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-1 Tunnel History Table
-- ----------------------------------------------------------------------------

ikeTunnelHistTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IkeTunnelHistEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-1 Internet Key Exchange Tunnel History
         Table. This table is implemented as a sliding window in
         which only the last n entries are maintained. The maximum
         number of entries is specified by the IPsecHistTableSize
         object."
    ::= { IPsecHistPhaseOne 1 }

ikeTunnelHistEntry OBJECT-TYPE
    SYNTAX IkeTunnelHistEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a
         previously active IPsec Phase-1 IKE Tunnel."
    INDEX { ikeTunHistIndex }
    ::= { ikeTunnelHistTable 1 }

IkeTunnelHistEntry ::= SEQUENCE {
    ikeTunHistIndex               Integer32,
    ikeTunHistTermReason          INTEGER,
    ikeTunHistActiveIndex         Integer32,
    ikeTunHistPeerLocalType       IkePeerType,
    ikeTunHistPeerLocalValue      DisplayString,
    ikeTunHistPeerIntIndex        Integer32,
    ikeTunHistPeerRemoteType      IkePeerType,
    ikeTunHistPeerRemoteValue     DisplayString,
    ikeTunHistLocalAddr           IPSIpAddress,
    ikeTunHistLocalName           DisplayString,
    ikeTunHistRemoteAddr          IPSIpAddress,
    ikeTunHistRemoteName          DisplayString,
    ikeTunHistNegoMode            IkeNegoMode,
    ikeTunHistDiffHellmanGrp      DiffHellmanGrp,
    ikeTunHistEncryptAlgo         EncryptAlgo,
    ikeTunHistHashAlgo            IkeHashAlgo,
    ikeTunHistAuthMethod          IkeAuthMethod,
    ikeTunHistLifeTime            Integer32,
    ikeTunHistStartTime           TimeStamp,
    ikeTunHistActiveTime          TimeInterval,
    ikeTunHistTotalRefreshes      Counter32,
    ikeTunHistTotalSas            Counter32,
    ikeTunHistInOctets            Counter32,
    ikeTunHistInPkts              Counter32,
    ikeTunHistInDropPkts          Counter32,
    ikeTunHistInNotifys           Counter32,
    ikeTunHistInP2Exchgs          Counter32,
    ikeTunHistInP2ExchgInvalids   Counter32,
    ikeTunHistInP2ExchgRejects
                                  Counter32,
    ikeTunHistInP2SaDelRequests   Counter32,
    ikeTunHistOutOctets           Counter32,
    ikeTunHistOutPkts             Counter32,
    ikeTunHistOutDropPkts         Counter32,
    ikeTunHistOutNotifys          Counter32,
    ikeTunHistOutP2Exchgs         Counter32,
    ikeTunHistOutP2ExchgInvalids  Counter32,
    ikeTunHistOutP2ExchgRejects   Counter32,
    ikeTunHistOutP2SaDelRequests  Counter32
}

ikeTunHistIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the IPsec Phase-1 IKE Tunnel History Table.
         The value of the index is a number which begins at one and
         is incremented with each tunnel that ends. The value of this
         object will wrap at 2,147,483,647."
    ::= { ikeTunnelHistEntry 1 }

ikeTunHistTermReason OBJECT-TYPE
    SYNTAX INTEGER {
        other(1),
        normal(2),
        operRequest(3),
        peerDelRequest(4),
        peerLost(5),
        seqNumRollOver(6),
        localFailure(7)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The reason the IPsec Phase-1 IKE Tunnel was terminated.
         Possible reasons include:
           1 = other
           2 = normal termination
           3 = operator request
           4 = peer delete request was received
           5 = contact with peer was lost
           6 = sequence number rolled over
           7 = local failure occurred."
    ::= { ikeTunnelHistEntry 2 }

ikeTunHistActiveIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index of the previously active IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelHistEntry 3 }

ikeTunHistPeerLocalType OBJECT-TYPE
    SYNTAX IkePeerType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of local peer identity. The local peer may be
         identified by:
           1. an IP address, or
           2. a host name."
    ::= { ikeTunnelHistEntry 4 }

ikeTunHistPeerLocalValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the local peer identity.
         If the local peer type is an IP Address, then this is the IP
         Address used to identify the local peer.
         If the local peer type is a host name, then this is the host
         name used to identify the local peer."
    ::= { ikeTunnelHistEntry 5 }

ikeTunHistPeerIntIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The internal index of the local-remote peer association.
         This internal index is used to uniquely identify multiple
         associations between the local and remote peer."
    ::= { ikeTunnelHistEntry 6 }

ikeTunHistPeerRemoteType OBJECT-TYPE
    SYNTAX IkePeerType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of remote peer identity. The remote peer may be
         identified by:
           1. an IP address, or
           2. a host name."
    ::= { ikeTunnelHistEntry 7 }

ikeTunHistPeerRemoteValue OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of the remote peer identity.
         If the remote peer type is an IP Address, then this is the
         IP Address used to identify the remote peer.
         If the remote peer type is a host name, then this is the
         host name used to identify the remote peer."
    ::= { ikeTunnelHistEntry 8 }

ikeTunHistLocalAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelHistEntry 9 }

ikeTunHistLocalName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the local IP address for the IPsec Phase-1
         IKE Tunnel. If the DNS name associated with the local tunnel
         endpoint is not known, then the value of this object will be
         a NULL string."
    ::= { ikeTunnelHistEntry 10 }

ikeTunHistRemoteAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelHistEntry 11 }

ikeTunHistRemoteName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The DNS name of the remote IP address of IPsec Phase-1 IKE
         Tunnel. If the DNS name associated with the remote tunnel
         endpoint is not known, then the value of this object will be
         a NULL string."
    ::= { ikeTunnelHistEntry 12 }

ikeTunHistNegoMode OBJECT-TYPE
    SYNTAX IkeNegoMode
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiation mode of the IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 13 }

ikeTunHistDiffHellmanGrp OBJECT-TYPE
    SYNTAX DiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelHistEntry 14 }

ikeTunHistEncryptAlgo OBJECT-TYPE
    SYNTAX EncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encryption algorithm used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelHistEntry 15 }

ikeTunHistHashAlgo OBJECT-TYPE
    SYNTAX IkeHashAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The hash algorithm used in IPsec Phase-1 IKE negotiations."
    ::= { ikeTunnelHistEntry 16 }

ikeTunHistAuthMethod OBJECT-TYPE
    SYNTAX IkeAuthMethod
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The authentication method used in IPsec Phase-1 IKE
         negotiations."
    ::= { ikeTunnelHistEntry 17 }

ikeTunHistLifeTime OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-1 IKE Tunnel in
         seconds."
    ::= { ikeTunnelHistEntry 18 }

ikeTunHistStartTime OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The time when the IPsec Phase-1 IKE tunnel was started in
         hundredths of seconds."
    ::= { ikeTunnelHistEntry 19 }

ikeTunHistActiveTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The length of time the IPsec Phase-1 IKE tunnel was active
         in hundredths of seconds."
    ::= { ikeTunnelHistEntry 20 }

ikeTunHistTotalRefreshes OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of security association refreshes
         performed."
    ::= { ikeTunnelHistEntry 21 }

ikeTunHistTotalSas OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of security associations used during the
         life of the IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 22 }

ikeTunHistInOctets OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of octets received by this IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelHistEntry 23 }

ikeTunHistInPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets received by this IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelHistEntry 24 }

ikeTunHistInDropPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets dropped by this IPsec Phase-1
         IKE Tunnel during receive processing."
    ::= { ikeTunnelHistEntry 25 }

ikeTunHistInNotifys OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of notifys received by this IPsec Phase-1
         IKE Tunnel."
    ::= { ikeTunnelHistEntry 26 }

ikeTunHistInP2Exchgs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received by this
         IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 27 }

ikeTunHistInP2ExchgInvalids OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received and
         found to be invalid by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 28 }

ikeTunHistInP2ExchgRejects OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges received and
         rejected by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 29 }

ikeTunHistInP2SaDelRequests OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests received by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 30 }

ikeTunHistOutOctets OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of octets sent by this IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelHistEntry 31 }

ikeTunHistOutPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelHistEntry 32 }

ikeTunHistOutDropPkts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of packets dropped by this IPsec Phase-1
         IKE Tunnel during send processing."
    ::= { ikeTunnelHistEntry 33 }

ikeTunHistOutNotifys OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of notifys sent by this IPsec Phase-1 IKE
         Tunnel."
    ::= { ikeTunnelHistEntry 34 }

ikeTunHistOutP2Exchgs OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent by this
         IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 35 }

ikeTunHistOutP2ExchgInvalids OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent and found
         to be invalid by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 36 }

ikeTunHistOutP2ExchgRejects OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 exchanges sent and
         rejected by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 37 }

ikeTunHistOutP2SaDelRequests OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of IPsec Phase-2 security association
         delete requests sent by this IPsec Phase-1 IKE Tunnel."
    ::= { ikeTunnelHistEntry 38 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Tunnel History Table
-- ----------------------------------------------------------------------------

IPsecTunnelHistTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IPsecTunnelHistEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel History Table. This table is
         implemented as a sliding window in which only the last n
         entries are maintained. The maximum number of entries is
         specified by the IPsecHistTableSize object."
    ::= { IPsecHistPhaseTwo 1 }

IPsecTunnelHistEntry OBJECT-TYPE
    SYNTAX IPsecTunnelHistEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry contains the attributes associated with a
         previously active IPsec Phase-2 Tunnel."
    INDEX { IPsecTunHistIndex }
    ::= { IPsecTunnelHistTable 1 }

IPsecTunnelHistEntry ::= SEQUENCE {
    IPsecTunHistIndex               Integer32,
    IPsecTunHistTermReason          INTEGER,
    IPsecTunHistActiveIndex         Integer32,
    IPsecTunHistIkeTunnelIndex      Integer32,
    IPsecTunHistLocalAddr           IPSIpAddress,
    IPsecTunHistRemoteAddr          IPSIpAddress,
    IPsecTunHistKeyType             KeyType,
    IPsecTunHistEncapMode           EncapMode,
    IPsecTunHistLifeSize            Integer32,
    IPsecTunHistLifeTime            Integer32,
    IPsecTunHistStartTime           TimeStamp,
    IPsecTunHistActiveTime          TimeInterval,
    IPsecTunHistTotalRefreshes      Counter32,
    IPsecTunHistTotalSas            Counter32,
    IPsecTunHistInSaDiffHellmanGrp  DiffHellmanGrp,
    IPsecTunHistInSaEncryptAlgo     EncryptAlgo,
    IPsecTunHistInSaAhAuthAlgo      AuthAlgo,
    IPsecTunHistInSaEspAuthAlgo     AuthAlgo,
    IPsecTunHistInSaDecompAlgo      CompAlgo,
    IPsecTunHistOutSaDiffHellmanGrp DiffHellmanGrp,
    IPsecTunHistOutSaEncryptAlgo    EncryptAlgo,
    IPsecTunHistOutSaAhAuthAlgo     AuthAlgo,
    IPsecTunHistOutSaEspAuthAlgo    AuthAlgo,
    IPsecTunHistOutSaCompAlgo       CompAlgo,
    IPsecTunHistInOctets            Counter32,
    IPsecTunHistHcInOctets          Counter64,
    IPsecTunHistInOctWraps          Counter32,
    IPsecTunHistInDecompOctets      Counter32,
    IPsecTunHistHcInDecompOctets    Counter64,
    IPsecTunHistInDecompOctWraps    Counter32,
    IPsecTunHistInPkts              Counter32,
    IPsecTunHistInReplayDropPkts    Counter32,
    IPsecTunHistInDropPkts          Counter32,
    IPsecTunHistInAuths             Counter32,
    IPsecTunHistInAuthFails         Counter32,
    IPsecTunHistInDecrypts          Counter32,
    IPsecTunHistInDecryptFails      Counter32,
    IPsecTunHistOutOctets           Counter32,
    IPsecTunHistHcOutOctets         Counter64,
    IPsecTunHistOutOctWraps         Counter32,
    IPsecTunHistOutUncompOctets     Counter32,
    IPsecTunHistHcOutUncompOctets   Counter64,
    IPsecTunHistOutUncompOctWraps   Counter32,
    IPsecTunHistOutPkts             Counter32,
    IPsecTunHistOutDropPkts         Counter32,
    IPsecTunHistOutAuths            Counter32,
    IPsecTunHistOutAuthFails        Counter32,
    IPsecTunHistOutEncrypts         Counter32,
    IPsecTunHistOutEncryptFails     Counter32
}

IPsecTunHistIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The index of the IPsec Phase-2 Tunnel History Table. The
         value of the index is a number which begins at one and is
         incremented with each tunnel that ends. The value of this
         object will wrap at 2,147,483,647."
    ::= { IPsecTunnelHistEntry 1 }

IPsecTunHistTermReason OBJECT-TYPE
    SYNTAX INTEGER {
        other(1),
        normal(2),
        operRequest(3),
        peerDelRequest(4),
        peerLost(5),
        seqNumRollOver(6)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The reason the IPsec Phase-2 Tunnel was terminated.
         Possible reasons include:
           1 = other
           2 = normal termination
           3 = operator request
           4 = peer delete request was received
           5 = contact with peer was lost
           6 = local failure occurred
           7 = sequence number rolled over."
    ::= { IPsecTunnelHistEntry 2 }

IPsecTunHistActiveIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index of the previously active IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 3 }

IPsecTunHistIkeTunnelIndex OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The index of the associated IPsec Phase-1 Tunnel
         (ikeTunIndex in the ikeTunnelTable)."
    ::= { IPsecTunnelHistEntry 4 }

IPsecTunHistLocalAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the local endpoint for the IPsec Phase-2
         Tunnel."
    ::= { IPsecTunnelHistEntry 5 }

IPsecTunHistRemoteAddr OBJECT-TYPE
    SYNTAX IPSIpAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The IP address of the remote endpoint for the IPsec Phase-2
         Tunnel."
    ::= { IPsecTunnelHistEntry 6 }

IPsecTunHistKeyType OBJECT-TYPE
    SYNTAX KeyType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The type of key used by the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 7 }

IPsecTunHistEncapMode OBJECT-TYPE
    SYNTAX EncapMode
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encapsulation mode used by the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 8 }

IPsecTunHistLifeSize OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeSize of the IPsec Phase-2 Tunnel in
         kilobytes."
    ::= { IPsecTunnelHistEntry 9 }

IPsecTunHistLifeTime OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The negotiated LifeTime of the IPsec Phase-2 Tunnel in
         seconds."
    ::= { IPsecTunnelHistEntry 10 }

IPsecTunHistStartTime OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The time when the IPsec Phase-2 Tunnel was started in
         hundredths of seconds."
    ::= { IPsecTunnelHistEntry 11 }

IPsecTunHistActiveTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The length of time the IPsec Phase-2 Tunnel has been active
         in hundredths of seconds."
    ::= { IPsecTunnelHistEntry 12 }

IPsecTunHistTotalRefreshes OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of security association refreshes
         performed."
    ::= { IPsecTunnelHistEntry 13 }

IPsecTunHistTotalSas OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The total number of security associations used during the
         life of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 14 }

IPsecTunHistInSaDiffHellmanGrp OBJECT-TYPE
    SYNTAX DiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 15 }

IPsecTunHistInSaEncryptAlgo OBJECT-TYPE
    SYNTAX EncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encryption algorithm used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 16 }

IPsecTunHistInSaAhAuthAlgo OBJECT-TYPE
    SYNTAX AuthAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         authentication header (AH) security association of the
         IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 17 }

IPsecTunHistInSaEspAuthAlgo OBJECT-TYPE
    SYNTAX AuthAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         encapsulation security protocol (ESP) security association
         of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 18 }

IPsecTunHistInSaDecompAlgo OBJECT-TYPE
    SYNTAX CompAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The decompression algorithm used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 19 }

IPsecTunHistOutSaDiffHellmanGrp OBJECT-TYPE
    SYNTAX DiffHellmanGrp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The Diffie Hellman Group used by the outbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 20 }

IPsecTunHistOutSaEncryptAlgo OBJECT-TYPE
    SYNTAX EncryptAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The encryption algorithm used by the outbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 21 }

IPsecTunHistOutSaAhAuthAlgo OBJECT-TYPE
    SYNTAX AuthAlgo
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The authentication algorithm used by the outbound
         authentication header (AH) security association of the
         IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 22 }

IPsecTunHistOutSaEspAuthAlgo OBJECT-TYPE
    SYNTAX      AuthAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication algorithm used by the inbound
         encapsulation security protocol (ESP) security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 23 }

IPsecTunHistOutSaCompAlgo OBJECT-TYPE
    SYNTAX      CompAlgo
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The compression algorithm used by the inbound security
         association of the IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 24 }

IPsecTunHistInOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets received by this IPsec
         Phase-2 Tunnel. This value is accumulated BEFORE
         determining whether or not the packet should be
         decompressed. See also IPsecTunInOctWraps for the
         number of times this counter has wrapped."
    ::= { IPsecTunnelHistEntry 25 }

IPsecTunHistHcInOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         received by this IPsec Phase-2 Tunnel. This value is
         accumulated BEFORE determining whether or not the
         packet should be decompressed."
    ::= { IPsecTunnelHistEntry 26 }

IPsecTunHistInOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the octets received counter
         (IPsecTunInOctets) has wrapped."
    ::= { IPsecTunnelHistEntry 27 }

IPsecTunHistInDecompOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of decompressed octets received by
         this IPsec Phase-2 Tunnel. This value is accumulated
         AFTER the packet is decompressed. If compression is
         not being used, this value will match the value of
         IPsecTunInOctets. See also IPsecTunInDecompOctWraps
         for the number of times this counter has wrapped."
    ::= { IPsecTunnelHistEntry 28 }

IPsecTunHistHcInDecompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         decompressed octets received by this IPsec Phase-2
         Tunnel. This value is accumulated AFTER the packet is
         decompressed. If compression is not being used, this
         value will match the value of IPsecTunHcInOctets."
    ::= { IPsecTunnelHistEntry 29 }

IPsecTunHistInDecompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the decompressed octets received
         counter (IPsecTunInDecompOctets) has wrapped."
    ::= { IPsecTunnelHistEntry 30 }

IPsecTunHistInPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets received by this IPsec
         Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 31 }

IPsecTunHistInDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing by this IPsec Phase-2 Tunnel. This count
         does NOT include packets dropped due to Anti-Replay
         processing."
    ::= { IPsecTunnelHistEntry 32 }

IPsecTunHistInReplayDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during receive
         processing due to Anti-Replay processing by this
         IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 33 }

IPsecTunHistInAuths OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications performed
         by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 34 }

IPsecTunHistInAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound authentications which
         ended in failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 35 }

IPsecTunHistInDecrypts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions performed by
         this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 36 }

IPsecTunHistInDecryptFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of inbound decryptions which ended in
         failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 37 }

IPsecTunHistOutOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of octets sent by this IPsec Phase-2
         Tunnel. This value is accumulated AFTER determining
         whether or not the packet should be compressed. See
         also IPsecTunOutOctWraps for the number of times this
         counter has wrapped."
    ::= { IPsecTunnelHistEntry 38 }

IPsecTunHistHcOutOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of octets
         sent by this IPsec Phase-2 Tunnel. This value is
         accumulated AFTER determining whether or not the
         packet should be compressed."
    ::= { IPsecTunnelHistEntry 39 }

IPsecTunHistOutOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the octets sent counter
         (IPsecTunOutOctets) has wrapped."
    ::= { IPsecTunnelHistEntry 40 }

IPsecTunHistOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of uncompressed octets sent by this
         IPsec Phase-2 Tunnel. This value is accumulated BEFORE
         the packet is compressed.
         If compression is not being used, this value will
         match the value of IPsecTunOutOctets. See also
         IPsecTunOutDecompOctWraps for the number of times
         this counter has wrapped."
    ::= { IPsecTunnelHistEntry 41 }

IPsecTunHistHcOutUncompOctets OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A high capacity count of the total number of
         uncompressed octets sent by this IPsec Phase-2 Tunnel.
         This value is accumulated BEFORE the packet is
         compressed. If compression is not being used, this
         value will match the value of IPsecTunHcOutOctets."
    ::= { IPsecTunnelHistEntry 42 }

IPsecTunHistOutUncompOctWraps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times the uncompressed octets sent
         counter (IPsecTunInUncompOctets) has wrapped."
    ::= { IPsecTunnelHistEntry 43 }

IPsecTunHistOutPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets sent by this IPsec Phase-2
         Tunnel."
    ::= { IPsecTunnelHistEntry 44 }

IPsecTunHistOutDropPkts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of packets dropped during send
         processing by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 45 }

IPsecTunHistOutAuths OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications performed
         by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 46 }

IPsecTunHistOutAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound authentications which
         ended in failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 47 }

IPsecTunHistOutEncrypts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions performed by
         this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 48 }

IPsecTunHistOutEncryptFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of outbound encryptions which ended
         in failure by this IPsec Phase-2 Tunnel."
    ::= { IPsecTunnelHistEntry 49 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Tunnel Endpoint History Table
-- ----------------------------------------------------------------------------

IPsecEndPtHistTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IPsecEndPtHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Tunnel Endpoint History Table.
         This table is implemented as a sliding window in
         which only the last n entries are maintained. The
         maximum number of entries is specified by the
         IPsecHistTableSize object."
    ::= { IPsecHistPhaseTwo 2 }

IPsecEndPtHistEntry OBJECT-TYPE
    SYNTAX      IPsecEndPtHistEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with a
         previously active IPsec Phase-2 Tunnel Endpoint."
    INDEX { IPsecEndPtHistIndex }
    ::= { IPsecEndPtHistTable 1 }

IPsecEndPtHistEntry ::= SEQUENCE {
    IPsecEndPtHistIndex             Integer32,
    IPsecEndPtHistTunIndex          Integer32,
    IPsecEndPtHistActiveIndex       Integer32,
    IPsecEndPtHistLocalName         DisplayString,
    IPsecEndPtHistLocalType         EndPtType,
    IPsecEndPtHistLocalAddr1        IPSIpAddress,
    IPsecEndPtHistLocalAddr2        IPSIpAddress,
    IPsecEndPtHistLocalProtocol     Integer32,
    IPsecEndPtHistLocalPort         Integer32,
    IPsecEndPtHistRemoteName        DisplayString,
    IPsecEndPtHistRemoteType        EndPtType,
    IPsecEndPtHistRemoteAddr1       IPSIpAddress,
    IPsecEndPtHistRemoteAddr2       IPSIpAddress,
    IPsecEndPtHistRemoteProtocol    Integer32,
    IPsecEndPtHistRemotePort        Integer32
}

IPsecEndPtHistIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The number of the previously active Endpoint
         associated with an IPsec Phase-2 Tunnel Table. The
         value of this index is a number which begins at one
         and is incremented with each Endpoint associated with
         an IPsec Phase-2 Tunnel. The value of this object
         will wrap at 2,147,483,647."
    ::= { IPsecEndPtHistEntry 1 }

IPsecEndPtHistTunIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active IPsec Phase-2
         Tunnel Table."
    ::= { IPsecEndPtHistEntry 2 }

IPsecEndPtHistActiveIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The index of the previously active Endpoint."
    ::= { IPsecEndPtHistEntry 3 }

IPsecEndPtHistLocalName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the local Endpoint."
    ::= { IPsecEndPtHistEntry 4 }

IPsecEndPtHistLocalType OBJECT-TYPE
    SYNTAX      INTEGER {
                    singleIpAddr(1),
                    ipAddrRange(2),
                    ipSubnet(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the local Endpoint.
         Possible values are:
         1) a single IP address, or
         2) an IP address range, or
         3) an IP subnet."
    ::= { IPsecEndPtHistEntry 5 }

IPsecEndPtHistLocalAddr1 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's first IP address specification.

         If the local Endpoint type is single IP address, then
         this is the value of the IP address.

         If the local Endpoint type is IP subnet, then this is
         the value of the subnet.

         If the local Endpoint type is IP address range, then
         this is the value of beginning IP address of the
         range."
    ::= { IPsecEndPtHistEntry 6 }

IPsecEndPtHistLocalAddr2 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local Endpoint's second IP address specification.

         If the local Endpoint type is single IP address, then
         this is the value of the IP address.

         If the local Endpoint type is IP subnet, then this is
         the value of the subnet mask.

         If the local Endpoint type is IP address range, then
         this is the value of ending IP address of the range."
    ::= { IPsecEndPtHistEntry 7 }

IPsecEndPtHistLocalProtocol OBJECT-TYPE
    SYNTAX      Integer32(1..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the local Endpoint's traffic."
    ::= { IPsecEndPtHistEntry 8 }

IPsecEndPtHistLocalPort OBJECT-TYPE
    SYNTAX      Integer32(0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the local Endpoint's traffic."
    ::= { IPsecEndPtHistEntry 9 }

IPsecEndPtHistRemoteName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DNS name of the remote Endpoint."
    ::= { IPsecEndPtHistEntry 10 }

IPsecEndPtHistRemoteType OBJECT-TYPE
    SYNTAX      INTEGER {
                    singleIpAddr(1),
                    ipAddrRange(2),
                    ipSubnet(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of identity for the remote Endpoint.
         Possible values are:
         1) a single IP address, or
         2) an IP address range, or
         3) an IP subnet."
    ::= { IPsecEndPtHistEntry 11 }

IPsecEndPtHistRemoteAddr1 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's first IP address specification.

         If the remote Endpoint type is single IP address, then
         this is the value of the IP address.

         If the remote Endpoint type is IP subnet, then this is
         the value of the subnet.

         If the remote Endpoint type is IP address range, then
         this is the value of beginning IP address of the
         range."
    ::= { IPsecEndPtHistEntry 12 }

IPsecEndPtHistRemoteAddr2 OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The remote Endpoint's second IP address specification.

         If the remote Endpoint type is single IP address, then
         this is the value of the IP address.

         If the remote Endpoint type is IP subnet, then this is
         the value of the subnet mask.

         If the remote Endpoint type is IP address range, then
         this is the value of ending IP address of the range."
    ::= { IPsecEndPtHistEntry 13 }

IPsecEndPtHistRemoteProtocol OBJECT-TYPE
    SYNTAX      Integer32(1..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol number of the remote Endpoint's traffic."
    ::= { IPsecEndPtHistEntry 14 }

IPsecEndPtHistRemotePort OBJECT-TYPE
    SYNTAX      Integer32(0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The port number of the remote Endpoint's traffic."
    ::= { IPsecEndPtHistEntry 15 }

-- start here
-- -------------------------------------------------------------------------
-- The IPsec Failure Group
--
-- This group consists of a:
-- 1) IPsec Failure Global Objects
-- 2) IPsec Phase-1 Tunnel Failure Table
-- 3) IPsec Phase-2 Tunnel Failure Table
-- -------------------------------------------------------------------------

IPsecFailGlobal     OBJECT IDENTIFIER ::= { IPsecFailures 1 }
IPsecFailPhaseOne   OBJECT IDENTIFIER ::= { IPsecFailures 2 }
IPsecFailPhaseTwo   OBJECT IDENTIFIER ::= { IPsecFailures 3 }

-- ----------------------------------------------------------------------------
-- The IPsec Failure Global Control Objects
-- ----------------------------------------------------------------------------

IPsecFailGlobalCntl OBJECT IDENTIFIER ::= { IPsecFailGlobal 1 }

IPsecFailTableSize OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The window size of the IPsec Phase-1 and Phase-2
         Failure Tables.

         The IPsec Phase-1 and Phase-2 Failure Tables are
         implemented as a sliding window in which only the
         last n entries are maintained. This object is used
         to specify the number of entries which will be
         maintained in the IPsec Phase-1 and Phase-2 Failure
         Tables.

         When modified by an SNMP SET request, the device will
         set the value of this object as close as possible to
         the requested value based on the implementation and
         available resources."
    ::= { IPsecFailGlobalCntl 1 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-1 Failure Table
-- ----------------------------------------------------------------------------

ikeFailTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkeFailEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Failure Table.
         This table is implemented as a sliding window in
         which only the last n entries are maintained.
         The maximum number of entries is specified by the
         IPsecFailTableSize object."
    ::= { IPsecFailPhaseOne 1 }

ikeFailEntry OBJECT-TYPE
    SYNTAX      IkeFailEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
         an IPsec Phase-1 failure."
    INDEX { ikeFailIndex }
    ::= { ikeFailTable 1 }

IkeFailEntry ::= SEQUENCE {
    ikeFailIndex        Integer32,
    ikeFailReason       INTEGER,
    ikeFailTime         TimeStamp,
    ikeFailLocalType    IkePeerType,
    ikeFailLocalValue   DisplayString,
    ikeFailRemoteType   IkePeerType,
    ikeFailRemoteValue  DisplayString,
    ikeFailLocalAddr    IPSIpAddress,
    ikeFailRemoteAddr   IPSIpAddress
}

ikeFailIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-1 Failure Table index.
         The value of the index is a number which begins at
         one and is incremented with each IPsec Phase-1
         failure. The value of this object will wrap at
         2,147,483,647."
    ::= { ikeFailEntry 1 }

ikeFailReason OBJECT-TYPE
    SYNTAX      INTEGER {
                    other(1),
                    peerDelRequest(2),
                    peerLost(3),
                    localFailure(4),
                    seqNumRollOver(5),
                    authFailure(6),
                    hashValidation(7),
                    encryptFailure(8),
                    internalError(9),
                    sysCapExceeded(10),
                    proposalFailure(11),
                    peerCertUnavailable(12),
                    peerCertNotValid(13),
                    localCertExpired(14),
                    crlFailure(15),
                    peerEncodingError(16),
                    nonExistentSa(17),
                    operRequest(18)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason for the failure.
         Possible reasons include:
          1 = other
          2 = peer delete request was received
          3 = contact with peer was lost
          4 = local failure occurred
          5 = sequence number rolled over
          6 = authentication failure
          7 = hash validation failure
          8 = encryption failure
          9 = internal error occurred
         10 = system capacity failure
         11 = proposal failure
         12 = peer's certificate is unavailable
         13 = peer's certificate was found invalid
         14 = local certificate expired
         15 = certificate revocation list (CRL) failure
         16 = peer encoding error
         17 = non-existent security association
         18 = operator requested termination."
    ::= { ikeFailEntry 2 }

ikeFailTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time of the failure in hundredths of seconds."
    ::= { ikeFailEntry 3 }

ikeFailLocalType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of local peer identity.
         The local peer may be identified by:
         1. an IP address, or
         2. a host name."
    ::= { ikeFailEntry 4 }

ikeFailLocalValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the local peer identity.

         If the local peer type is an IP Address, then this
         is the IP Address used to identify the local peer.

         If the local peer type is a host name, then this is
         the host name used to identify the local peer."
    ::= { ikeFailEntry 5 }

ikeFailRemoteType OBJECT-TYPE
    SYNTAX      IkePeerType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of remote peer identity.
         The remote peer may be identified by:
         1. an IP address, or
         2. a host name."
    ::= { ikeFailEntry 6 }

ikeFailRemoteValue OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the remote peer identity.
         If the remote peer type is an IP Address, then this
         is the IP Address used to identify the remote peer.

         If the remote peer type is a host name, then this is
         the host name used to identify the remote peer."
    ::= { ikeFailEntry 7 }

ikeFailLocalAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the local peer."
    ::= { ikeFailEntry 8 }

ikeFailRemoteAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the remote peer."
    ::= { ikeFailEntry 9 }

-- ----------------------------------------------------------------------------
-- The IPsec Phase-2 Failure Table
-- ----------------------------------------------------------------------------

IPsecFailTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IPsecFailEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Failure Table.
         This table is implemented as a sliding window in
         which only the last n entries are maintained. The
         maximum number of entries is specified by the
         IPsecFailTableSize object."
    ::= { IPsecFailPhaseTwo 1 }

IPsecFailEntry OBJECT-TYPE
    SYNTAX      IPsecFailEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the attributes associated with
         an IPsec Phase-1 failure."
    INDEX { IPsecFailIndex }
    ::= { IPsecFailTable 1 }

IPsecFailEntry ::= SEQUENCE {
    IPsecFailIndex          Integer32,
    IPsecFailReason         INTEGER,
    IPsecFailTime           TimeStamp,
    IPsecFailTunnelIndex    Integer32,
    IPsecFailSaSpi          Integer32,
    IPsecFailPktSrcAddr     IPSIpAddress,
    IPsecFailPktDstAddr     IPSIpAddress
}

IPsecFailIndex OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPsec Phase-2 Failure Table index.
         The value of the index is a number which begins at
         one and is incremented with each IPsec Phase-1
         failure. The value of this object will wrap at
         2,147,483,647."
    ::= { IPsecFailEntry 1 }

IPsecFailReason OBJECT-TYPE
    SYNTAX      INTEGER {
                    other(1),
                    internalError(2),
                    peerEncodingError(3),
                    proposalFailure(4),
                    protocolUseFail(5),
                    nonExistentSa(6),
                    decryptFailure(7),
                    encryptFailure(8),
                    inAuthFailure(9),
                    outAuthFailure(10),
                    compression(11),
                    sysCapExceeded(12),
                    peerDelRequest(13),
                    peerLost(14),
                    seqNumRollOver(15),
                    operRequest(16)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason for the failure. Possible reasons include:
          1 = other
          2 = internal error occurred
          3 = peer encoding error
          4 = proposal failure
          5 = protocol use failure
          6 = non-existent security association
          7 = decryption failure
          8 = encryption failure
          9 = inbound authentication failure
         10 = outbound authentication failure
         11 = compression failure
         12 = system capacity failure
         13 = peer delete request was received
         14 = contact with peer was lost
         15 = sequence number rolled over
         16 = operator requested termination."
    ::= { IPsecFailEntry 2 }

IPsecFailTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time of the failure in hundredths of seconds."
    ::= { IPsecFailEntry 3 }

IPsecFailTunnelIndex OBJECT-TYPE
    SYNTAX      Integer32(0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Phase-2 Tunnel index (IPsecTunIndex)."
    ::= { IPsecFailEntry 4 }

IPsecFailSaSpi OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The security association SPI value."
    ::= { IPsecFailEntry 5 }

IPsecFailPktSrcAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The packet's source IP address."
    ::= { IPsecFailEntry 6 }

IPsecFailPktDstAddr OBJECT-TYPE
    SYNTAX      IPSIpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The packet's destination IP address."
    ::= { IPsecFailEntry 7 }

-- ----------------------------------------------------------------------------
-- The IPsec TRAP Control Group
--
-- This group of objects controls the sending of IPsec TRAPs.
-- ----------------------------------------------------------------------------

IPsecTrapCntlIkeTunnelStart OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec IKE Phase-1 Tunnel Start TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 1 }

IPsecTrapCntlIkeTunnelStop OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec IKE Phase-1 Tunnel Stop TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 2 }

IPsecTrapCntlIkeSysFailure OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec IKE Phase-1 System Failure TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 3 }

IPsecTrapCntlIkeCertCrlFailure OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec IKE Phase-1 Certificate/CRL
         Failure TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 4 }

IPsecTrapCntlIkeProtocolFailure OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec IKE Phase-1 Protocol Failure TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 5 }

IPsecTrapCntlIkeNoSa OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec IKE Phase-1 No Security
         Association TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 6 }

IPsecTrapCntlIPsecTunnelStart OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS
                current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 Tunnel Start TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 7 }

IPsecTrapCntlIPsecTunnelStop OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 Tunnel Stop TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 8 }

IPsecTrapCntlIPsecSysFailure OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 System Failure TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 9 }

IPsecTrapCntlIPsecSetUpFailure OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 Set Up Failure TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 10 }

IPsecTrapCntlIPsecEarlyTunTerm OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 Early Tunnel Termination
         TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 11 }

IPsecTrapCntlIPsecProtocolFailure OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 Protocol Failure TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 12 }

IPsecTrapCntlIPsecNoSa OBJECT-TYPE
    SYNTAX      TrapStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object defines the administrative state of
         sending the IPsec Phase-2 No Security Association
         TRAP"
    DEFVAL { disabled }
    ::= { IPsecTrapCntl 13 }

-- ----------------------------------------------------------------------------
-- IPsec Notifications - TRAPs
--
----------------------------------------------------------------------------

IPsecMIBNotifications OBJECT IDENTIFIER ::= {IPsecMIB 0}

ikeTunnelStart NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex,
        ikeTunIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-1
         IKE Tunnel becomes active."
    ::= { IPsecMIBNotifications 1 }

ikeTunnelStop NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex,
        ikeTunIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-1
         IKE Tunnel becomes inactive."
    ::= { IPsecMIBNotifications 2 }

ikeSysFailure NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-1 IKE Tunnel experiences an
         internal or system capacity error."
    ::= { IPsecMIBNotifications 3 }

ikeCertCrlFailure NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-1 IKE Tunnel experiences a
         Certificate or a Certificate Revocation List (CRL)
         related error."
    ::= { IPsecMIBNotifications 4 }

ikeProtocolFailure NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-1 IKE Tunnel experiences a
         protocol related error."
    ::= { IPsecMIBNotifications 5 }

ikeNoSa NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-1 IKE Tunnel experiences a
         non-existent security association error."
    ::= { IPsecMIBNotifications 6 }

IPsecTunnelStart NOTIFICATION-TYPE
    OBJECTS {
        IPsecTunIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
         Tunnel becomes active."
    ::= { IPsecMIBNotifications 7 }

IPsecTunnelStop NOTIFICATION-TYPE
    OBJECTS {
        IPsecTunIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
         Tunnel becomes inactive."
    ::= { IPsecMIBNotifications 8 }

IPsecSysFailure NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex,
        IPsecTunIndex,
        IPsecSpiIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-2 Tunnel experiences an internal
         or system capacity error."
    ::= { IPsecMIBNotifications 9 }

IPsecSetUpFailure NOTIFICATION-TYPE
    OBJECTS {
        ikePeerLocalType,
        ikePeerLocalValue,
        ikePeerLocalAddr,
        ikePeerRemoteType,
        ikePeerRemoteValue,
        ikePeerRemoteAddr,
        ikePeerIntIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the setup for
         an IPsec Phase-2 Tunnel fails."
    ::= { IPsecMIBNotifications 10 }

IPsecEarilyTunnelTerm NOTIFICATION-TYPE
    OBJECTS {
        IPsecTunIndex,
        IPsecSpiIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when an IPsec Phase-2
         Tunnel is terminated early or before expected."
    ::= { IPsecMIBNotifications 11 }

IPsecProtocolFailure NOTIFICATION-TYPE
    OBJECTS {
        IPsecTunIndex,
        IPsecSpiIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-2 Tunnel experiences a protocol
         related error."
    ::= { IPsecMIBNotifications 12 }

IPsecNoSa NOTIFICATION-TYPE
    OBJECTS {
        IPsecTunIndex,
        IPsecSpiIndex
    }
    STATUS      current
    DESCRIPTION
        "This notification is generated when the processing
         for an IPsec Phase-2 Tunnel experiences a
         non-existent security association error."
    ::= { IPsecMIBNotifications 13 }

-- ----------------------------------------------------------------------------
-- Conformance Information
-- ----------------------------------------------------------------------------

IPsecMIBConformance OBJECT IDENTIFIER ::= { IPsecMIB 2 }
IPsecMIBGroups      OBJECT IDENTIFIER ::= { IPsecMIBConformance 1 }
IPsecMIBCompliances OBJECT IDENTIFIER ::= { IPsecMIBConformance 2 }

-- ----------------------------------------------------------------------------
-- Compliance Statements
-- ----------------------------------------------------------------------------

IPsecMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities that
         implement the IP Security Protocol."
    MODULE -- this module
        MANDATORY-GROUPS {
            IPsecLevelsGroup,
            IPsecPhaseOneGroup,
            IPsecPhaseTwoGroup
        }

        OBJECT ikeTunStatus
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT IPsecTunStatus
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
    ::= { IPsecMIBCompliances 1 }

-- ----------------------------------------------------------------------------
-- Units of Conformance
-- ----------------------------------------------------------------------------

IPsecLevelsGroup OBJECT-GROUP
    OBJECTS {
        IPsecMibLevel
    }
    STATUS current
    DESCRIPTION
        "This group consists of a:
         1) IPsec MIB Level"
    ::= { IPsecMIBGroups 1 }

IPsecPhaseOneGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec Phase-1 Global Statistics
        ikeGlobalActiveTunnels,
        ikeGlobalPreviousTunnels,
        ikeGlobalInOctets,
        ikeGlobalInPkts,
        ikeGlobalInDropPkts,
        ikeGlobalInNotifys,
        ikeGlobalInP2Exchgs,
        ikeGlobalInP2ExchgInvalids,
        ikeGlobalInP2ExchgRejects,
        ikeGlobalInP2SaDelRequests,
        ikeGlobalOutOctets,
        ikeGlobalOutPkts,
        ikeGlobalOutDropPkts,
        ikeGlobalOutNotifys,
        ikeGlobalOutP2Exchgs,
        ikeGlobalOutP2ExchgInvalids,
        ikeGlobalOutP2ExchgRejects,
        ikeGlobalOutP2SaDelRequests,
        ikeGlobalInitTunnels,
        ikeGlobalInitTunnelFails,
        ikeGlobalRespTunnelFails,
        ikeGlobalSysCapFails,
        ikeGlobalAuthFails,
        ikeGlobalDecryptFails,
        ikeGlobalHashValidFails,
        ikeGlobalNoSaFails,

        -- The IPsec Phase-1 Internet Key Exchange Peer Table
        -- ikePeerLocalType,
        -- ikePeerLocalValue,
        -- ikePeerRemoteType,
        -- ikePeerRemoteValue,
        -- ikePeerIntIndex,
        ikePeerLocalAddr,
        ikePeerRemoteAddr,
        ikePeerActiveTime,
        ikePeerActiveTunnelIndex,

        -- The IPsec Phase-1 Internet Key Exchange Tunnel Table
        -- ikeTunIndex,
        ikeTunLocalType,
        ikeTunLocalValue,
        ikeTunLocalAddr,
        ikeTunLocalName,
        ikeTunRemoteType,
        ikeTunRemoteValue,
        ikeTunRemoteAddr,
        ikeTunRemoteName,
        ikeTunNegoMode,
        ikeTunDiffHellmanGrp,
        ikeTunEncryptAlgo,
        ikeTunHashAlgo,
        ikeTunAuthMethod,
        ikeTunLifeTime,
        ikeTunActiveTime,
        ikeTunSaRefreshThreshold,
        ikeTunTotalRefreshes,
        ikeTunInOctets,
        ikeTunInPkts,
        ikeTunInDropPkts,
        ikeTunInNotifys,
        ikeTunInP2Exchgs,
        ikeTunInP2ExchgInvalids,
        ikeTunInP2ExchgRejects,
        ikeTunInP2SaDelRequests,
        ikeTunOutOctets,
        ikeTunOutPkts,
        ikeTunOutDropPkts,
        ikeTunOutNotifys,
        ikeTunOutP2Exchgs,
        ikeTunOutP2ExchgInvalids,
        ikeTunOutP2ExchgRejects,
        ikeTunOutP2SaDelRequests,
        ikeTunStatus,

        -- The Internet Key Exchange Peer Association to Phase-2 Tunnel
        -- Correlation Table
        -- ikePeerCorrLocalType,
        -- ikePeerCorrLocalValue,
        -- ikePeerCorrRemoteType,
        -- ikePeerCorrRemoteValue,
        -- ikePeerCorrIntIndex,
        -- ikePeerCorrSeqNum,
        ikePeerCorrIPsecTunIndex
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
         1) IPsec Phase-1 Global Objects
         2) IPsec Phase-1 Peer Table
         3) IPsec Phase-1 Tunnel Table
         4) IPsec Phase-1 Correlation Table"
    ::= { IPsecMIBGroups 2 }

IPsecPhaseTwoGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec Phase-2 Global Tunnel Statistics
        IPsecGlobalActiveTunnels,
        IPsecGlobalPreviousTunnels,
        IPsecGlobalInOctets,
        IPsecGlobalHcInOctets,
        IPsecGlobalInOctWraps,
        IPsecGlobalInDecompOctets,
        IPsecGlobalHcInDecompOctets,
        IPsecGlobalInDecompOctWraps,
        IPsecGlobalInPkts,
        IPsecGlobalInDrops,
        IPsecGlobalInReplayDrops,
        IPsecGlobalInAuths,
        IPsecGlobalInAuthFails,
        IPsecGlobalInDecrypts,
        IPsecGlobalInDecryptFails,
        IPsecGlobalOutOctets,
        IPsecGlobalHcOutOctets,
        IPsecGlobalOutOctWraps,
        IPsecGlobalOutUncompOctets,
        IPsecGlobalHcOutUncompOctets,
        IPsecGlobalOutUncompOctWraps,
        IPsecGlobalOutPkts,
        IPsecGlobalOutDrops,
        IPsecGlobalOutAuths,
        IPsecGlobalOutAuthFails,
        IPsecGlobalOutEncrypts,
        IPsecGlobalOutEncryptFails,
        IPsecGlobalProtocolUseFails,
        IPsecGlobalNoSaFails,
        IPsecGlobalSysCapFails,

        -- The IPsec Phase-2 Tunnel Table
        -- IPsecTunIndex,
        IPsecTunIkeTunnelIndex,
        IPsecTunIkeTunnelAlive,
        IPsecTunLocalAddr,
        IPsecTunRemoteAddr,
        IPsecTunKeyType,
        IPsecTunEncapMode,
        IPsecTunLifeSize,
        IPsecTunLifeTime,
        IPsecTunActiveTime,
        IPsecTunSaLifeSizeThreshold,
        IPsecTunSaLifeTimeThreshold,
        IPsecTunTotalRefreshes,
        IPsecTunExpiredSaInstances,
        IPsecTunCurrentSaInstances,
        IPsecTunInSaDiffHellmanGrp,
        IPsecTunInSaEncryptAlgo,
        IPsecTunInSaAhAuthAlgo,
        IPsecTunInSaEspAuthAlgo,
        IPsecTunInSaDecompAlgo,
        IPsecTunOutSaDiffHellmanGrp,
        IPsecTunOutSaEncryptAlgo,
        IPsecTunOutSaAhAuthAlgo,
        IPsecTunOutSaEspAuthAlgo,
        IPsecTunOutSaCompAlgo,
        IPsecTunInOctets,
        IPsecTunHcInOctets,
        IPsecTunInOctWraps,
        IPsecTunInDecompOctets,
        IPsecTunHcInDecompOctets,
        IPsecTunInDecompOctWraps,
        IPsecTunInPkts,
        IPsecTunInDropPkts,
        IPsecTunInReplayDropPkts,
        IPsecTunInAuths,
        IPsecTunInAuthFails,
        IPsecTunInDecrypts,
        IPsecTunInDecryptFails,
        IPsecTunOutOctets,
        IPsecTunHcOutOctets,
        IPsecTunOutOctWraps,
        IPsecTunOutUncompOctets,
        IPsecTunHcOutUncompOctets,
        IPsecTunOutUncompOctWraps,
        IPsecTunOutPkts,
        IPsecTunOutDropPkts,
        IPsecTunOutAuths,
        IPsecTunOutAuthFails,
        IPsecTunOutEncrypts,
        IPsecTunOutEncryptFails,
        IPsecTunStatus,

        -- The IPsec Phase-2 Tunnel Endpoint Table
        -- IPsecEndPtIndex,
        IPsecEndPtLocalName,
        IPsecEndPtLocalType,
        IPsecEndPtLocalAddr1,
        IPsecEndPtLocalAddr2,
        IPsecEndPtLocalProtocol,
        IPsecEndPtLocalPort,
        IPsecEndPtRemoteName,
        IPsecEndPtRemoteType,
        IPsecEndPtRemoteAddr1,
        IPsecEndPtRemoteAddr2,
        IPsecEndPtRemoteProtocol,
        IPsecEndPtRemotePort,

        -- The IPsec Phase-2 Security Protection Index Table
        -- IPsecSpiIndex,
        IPsecSpiDirection,
        IPsecSpiValue,
        IPsecSpiProtocol,
        IPsecSpiStatus
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
         1) IPsec Phase-2 Global Statistics
         2) IPsec Phase-2 Tunnel Table
         3) IPsec Phase-2 Endpoint Table
         4) IPsec Phase-2 Security Protection Index Table"
    ::= { IPsecMIBGroups 3 }

IPsecHistoryGroup OBJECT-GROUP
    OBJECTS {
        -- IPsec History Global Control Objects
        IPsecHistTableSize,

        -- The IPsec Phase-1 Tunnel History Table
        -- ikeTunHistIndex,
        ikeTunHistTermReason,
        ikeTunHistActiveIndex,
        ikeTunHistPeerLocalType,
        ikeTunHistPeerLocalValue,
        ikeTunHistPeerIntIndex,
        ikeTunHistPeerRemoteType,
        ikeTunHistPeerRemoteValue,
        ikeTunHistLocalAddr,
        ikeTunHistLocalName,
        ikeTunHistRemoteAddr,
        ikeTunHistRemoteName,
        ikeTunHistNegoMode,
        ikeTunHistDiffHellmanGrp,
        ikeTunHistEncryptAlgo,
        ikeTunHistHashAlgo,
        ikeTunHistAuthMethod,
        ikeTunHistLifeTime,
        ikeTunHistStartTime,
        ikeTunHistActiveTime,
        ikeTunHistTotalRefreshes,
        ikeTunHistTotalSas,
        ikeTunHistInOctets,
        ikeTunHistInPkts,
        ikeTunHistInDropPkts,
        ikeTunHistInNotifys,
        ikeTunHistInP2Exchgs,
        ikeTunHistInP2ExchgInvalids,
        ikeTunHistInP2ExchgRejects,
        ikeTunHistInP2SaDelRequests,
        ikeTunHistOutOctets,
        ikeTunHistOutPkts,
        ikeTunHistOutDropPkts,
        ikeTunHistOutNotifys,
        ikeTunHistOutP2Exchgs,
        ikeTunHistOutP2ExchgInvalids,
        ikeTunHistOutP2ExchgRejects,
        ikeTunHistOutP2SaDelRequests,

        -- The IPsec Phase-2 Tunnel History Table
        -- IPsecTunHistIndex,
        IPsecTunHistTermReason,
        IPsecTunHistActiveIndex,
        IPsecTunHistIkeTunnelIndex,
        IPsecTunHistLocalAddr,
        IPsecTunHistRemoteAddr,
        IPsecTunHistKeyType,
        IPsecTunHistEncapMode,
        IPsecTunHistLifeSize,
        IPsecTunHistLifeTime,
        IPsecTunHistStartTime,
        IPsecTunHistActiveTime,
        IPsecTunHistTotalRefreshes,
        IPsecTunHistTotalSas,
        IPsecTunHistInSaDiffHellmanGrp,
        IPsecTunHistInSaEncryptAlgo,
        IPsecTunHistInSaAhAuthAlgo,
        IPsecTunHistInSaEspAuthAlgo,
        IPsecTunHistInSaDecompAlgo,
        IPsecTunHistOutSaDiffHellmanGrp,
        IPsecTunHistOutSaEncryptAlgo,
        IPsecTunHistOutSaAhAuthAlgo,
        IPsecTunHistOutSaEspAuthAlgo,
        IPsecTunHistOutSaCompAlgo,
        IPsecTunHistInOctets,
        IPsecTunHistHcInOctets,
        IPsecTunHistInOctWraps,
        IPsecTunHistInDecompOctets,
        IPsecTunHistHcInDecompOctets,
        IPsecTunHistInDecompOctWraps,
        IPsecTunHistInPkts,
        IPsecTunHistInDropPkts,
        IPsecTunHistInReplayDropPkts,
        IPsecTunHistInAuths,
        IPsecTunHistInAuthFails,
        IPsecTunHistInDecrypts,
        IPsecTunHistInDecryptFails,
        IPsecTunHistOutOctets,
        IPsecTunHistHcOutOctets,
        IPsecTunHistOutOctWraps,
        IPsecTunHistOutUncompOctets,
        IPsecTunHistHcOutUncompOctets,
        IPsecTunHistOutUncompOctWraps,
        IPsecTunHistOutPkts,
        IPsecTunHistOutDropPkts,
        IPsecTunHistOutAuths,
        IPsecTunHistOutAuthFails,
        IPsecTunHistOutEncrypts,
        IPsecTunHistOutEncryptFails,

        -- The IPsec Phase-2 End Point History Table
        -- IPsecEndPtHistIndex,
        IPsecEndPtHistTunIndex,
        IPsecEndPtHistActiveIndex,
        IPsecEndPtHistLocalName,
        IPsecEndPtHistLocalType,
        IPsecEndPtHistLocalAddr1,
        IPsecEndPtHistLocalAddr2,
        IPsecEndPtHistLocalProtocol,
        IPsecEndPtHistLocalPort,
        IPsecEndPtHistRemoteName,
        IPsecEndPtHistRemoteType,
        IPsecEndPtHistRemoteAddr1,
        IPsecEndPtHistRemoteAddr2,
        IPsecEndPtHistRemoteProtocol,
        IPsecEndPtHistRemotePort
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
         1) IPsec History Global Objects
         2) IPsec Phase-1 History Objects
         3) IPsec Phase-2 History Objects"
    ::= { IPsecMIBGroups 4 }

IPsecFailuresGroup OBJECT-GROUP
    OBJECTS {
        -- The IPsec Failure Global Control Objects
        IPsecFailTableSize,

        -- The IPsec Phase-1 Failure Table
        -- ikeFailIndex,
        ikeFailReason,
        ikeFailTime,
        ikeFailLocalType,
        ikeFailLocalValue,
        ikeFailRemoteType,
        ikeFailRemoteValue,
        ikeFailLocalAddr,
        ikeFailRemoteAddr,

        -- The IPsec Phase-2 Failure Table
        -- IPsecFailIndex,
        IPsecFailReason,
        IPsecFailTime,
        IPsecFailTunnelIndex,
        IPsecFailSaSpi,
        IPsecFailPktSrcAddr,
        IPsecFailPktDstAddr
    }
    STATUS current
    DESCRIPTION
        "This group consists of:
         1) IPsec Failure Global Objects
         2) IPsec Phase-1 Tunnel Failure Table
         3) IPsec Phase-2
            Tunnel Failure Table"
    ::= { IPsecMIBGroups 5 }

IPsecTrapCntlGroup OBJECT-GROUP
    OBJECTS {
        IPsecTrapCntlIkeTunnelStart,
        IPsecTrapCntlIkeTunnelStop,
        IPsecTrapCntlIkeSysFailure,
        IPsecTrapCntlIkeCertCrlFailure,
        IPsecTrapCntlIkeProtocolFailure,
        IPsecTrapCntlIkeNoSa,
        IPsecTrapCntlIPsecTunnelStart,
        IPsecTrapCntlIPsecTunnelStop,
        IPsecTrapCntlIPsecSysFailure,
        IPsecTrapCntlIPsecSetUpFailure,
        IPsecTrapCntlIPsecEarlyTunTerm,
        IPsecTrapCntlIPsecProtocolFailure,
        IPsecTrapCntlIPsecNoSa
    }
    STATUS current
    DESCRIPTION
        "This group of objects controls the sending of IPsec TRAPs."
    ::= { IPsecMIBGroups 6 }

IPsecNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        ikeTunnelStart,
        ikeTunnelStop,
        ikeSysFailure,
        ikeCertCrlFailure,
        ikeProtocolFailure,
        ikeNoSa,
        IPsecTunnelStart,
        IPsecTunnelStop,
        IPsecSysFailure,
        IPsecSetUpFailure,
        IPsecEarilyTunnelTerm,
        IPsecProtocolFailure,
        IPsecNoSa
    }
    STATUS current
    DESCRIPTION
        "This group contains the notifications for the IPsec MIB."
    ::= { IPsecMIBGroups 7 }

END

5. Security Considerations

The information contained in this MIB describes a VPN service whose
variables may be read and in some cases set. It is important that
access to the MIB is limited to the appropriate users, and that
information exchanges between users, management stations, agents and
any other devices take place over a secure mechanism such as an
encrypted session.

6. References

[2407]  Piper, D., "The Internet IP Security Domain of Interpretation
        for ISAKMP", RFC 2407, November 1998.

[2401]  Kent, S., Atkinson, R., "Security Architecture for the
        Internet Protocol", RFC 2401, November 1998.

[2409]  Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
        RFC 2409, November 1998.

[2408]  Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
        "Internet Security Association and Key Management Protocol
        (ISAKMP)", RFC 2408, November 1998.

[IGMIB] McCloghrie, K., Kastenholz, F., "The Interfaces Group MIB
        using SMIv2", RFC 2233.

[1902]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
        "Structure of Management Information for version 2 of the
        Simple Network Management Protocol (SNMPv2)", RFC 1902,
        January 1996.

[2271]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
        for Describing SNMP Management Frameworks", RFC 2271,
        January 1998.

[1155]  Rose, M., and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", RFC 1155,
        May 1990.

[1212]  Rose, M., and K. McCloghrie, "Concise MIB Definitions",
        RFC 1212, March 1991.

[1215]  M. Rose, "A Convention for Defining Traps for use with the
        SNMP", RFC 1215, March 1991.

[1903]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
        S. Waldbusser, "Textual Conventions for Version 2 of the
        Simple Network Management Protocol (SNMPv2)", RFC 1903,
        January 1996.

[1904]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
        S. Waldbusser, "Conformance Statements for Version 2 of the
        Simple Network Management Protocol (SNMPv2)", RFC 1904,
        January 1996.

[1157]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
        Network Management Protocol", RFC 1157, May 1990.

[1901]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
        S. Waldbusser, "Introduction to Community-based SNMPv2",
        RFC 1901, January 1996.

[1906]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
        S. Waldbusser, "Transport Mappings for Version 2 of the
        Simple Network Management Protocol (SNMPv2)", RFC 1906,
        January 1996.

[2272]  Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 2272, January 1998.

[2274]  Blumenthal, U., and B.
        Wijnen, "User-based Security Model (USM) for version 3 of the
        Simple Network Management Protocol (SNMPv3)", RFC 2274,
        January 1998.

[1905]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
        S. Waldbusser, "Protocol Operations for Version 2 of the
        Simple Network Management Protocol (SNMPv2)", RFC 1905,
        January 1996.

7. Acknowledgments

The editors would like to thank: Ajay Dankar, Jamal Mohamed, Mayank
Jain, Roy Pereira, David McGrew.

8. Editors' Addresses

Cheryl Madson
cmadson@cisco.com
Cisco Systems
+1 (408) 527 2817

Rk Somasundaram
rks@cisco.com
Cisco Systems
+1 (408) 527 7309

Natalie Timms
ntimms@cisco.com
Cisco Systems
+1 (425) 468 0851

Chinna Narasimha Reddy Pellacuru
pcn@cisco.com
Cisco Systems
+1 (408) 468 527 3109

Leo Temoshenko
Leo_Temoshenko@tivoli.com
Tivoli

The IPsec working group can be contacted via the IPsec working
group's mailing list (IPsec@tis.com) or through its chairs:

Robert Moskowitz
rgm@icsa.net
International Computer Security Association

Theodore Y. Ts'o
tytso@mit.edu
Massachusetts Institute of Technology

9. Expiration

This draft expires April 21, 2000.

10. Full Copyright Statement

Copyright (C) The Internet Society (1998). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as
by removing the copyright notice or references to the Internet
Society or other Internet organizations, except as needed for the
purpose of developing Internet standards in which case the procedures
for copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
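
The module's conformance section lists every notification by name in IPsecNotificationGroup, and a name in that list that matches no NOTIFICATION-TYPE definition is an unresolved reference when a management station's MIB compiler loads the module. The Python check below is an added example, not part of the draft: it parses a constructed excerpt in the module's layout (the misnamed member IPsecTunStop is deliberate) and reports group members with no definition, defined notifications in no group, and reused sub-identifiers.

```python
import re

# Constructed excerpt in the layout of the module's notification and
# conformance sections; "IPsecTunStop" is a deliberate mismatch.
SAMPLE = '''
IPsecTunnelStart NOTIFICATION-TYPE
    OBJECTS { IPsecTunIndex }
    STATUS current
    DESCRIPTION "Phase-2 tunnel became active -- see { IPsecTunIndex }."
    ::= { IPsecMIBNotifications 7 }
IPsecTunnelStop NOTIFICATION-TYPE
    OBJECTS { IPsecTunIndex }
    STATUS current
    DESCRIPTION "Phase-2 tunnel became inactive."
    ::= { IPsecMIBNotifications 8 }
-- Units of Conformance
IPsecNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS { IPsecTunnelStart, IPsecTunStop }
    STATUS current
    DESCRIPTION "Notifications for the IPsec MIB."
    ::= { IPsecMIBGroups 7 }
'''

# One left-to-right pass blanks quoted strings and drops "--" comments
# (assumed to run to end of line), so braces or dashes inside a
# DESCRIPTION cannot confuse the patterns below.
_NOISE = re.compile(r'"[^"]*"|--[^\n]*')
_NOTIF = re.compile(r'([\w-]+)\s+NOTIFICATION-TYPE\b(.*?)'
                    r'::=\s*\{\s*([\w-]+)\s+(\d+)\s*\}', re.S)
_GROUP = re.compile(r'([\w-]+)\s+NOTIFICATION-GROUP\s+'
                    r'NOTIFICATIONS\s*\{(.*?)\}', re.S)
_OBJS = re.compile(r'OBJECTS\s*\{(.*?)\}', re.S)

def _names(body):
    return [n.strip() for n in body.split(',') if n.strip()]

def parse(text):
    """Return ({notification: {objects, oid}}, {group: [members]})."""
    text = _NOISE.sub(lambda m: '""' if m.group().startswith('"') else '', text)
    notifs = {}
    for name, body, parent, sub in _NOTIF.findall(text):
        objs = _OBJS.search(body)
        notifs[name] = {'objects': _names(objs.group(1)) if objs else [],
                        'oid': (parent, int(sub))}
    return notifs, {g: _names(b) for g, b in _GROUP.findall(text)}

def check(text):
    """Cross-check NOTIFICATION-GROUP members against the definitions."""
    notifs, groups = parse(text)
    grouped = {n for members in groups.values() for n in members}
    first, dups = {}, []
    for name, info in notifs.items():
        if info['oid'] in first:          # same parent and sub-identifier
            dups.append((first[info['oid']], name))
        first.setdefault(info['oid'], name)
    return {'undefined': sorted(grouped - set(notifs)),
            'ungrouped': sorted(set(notifs) - grouped),
            'duplicate_oids': dups}
```

Calling `check()` on the full text of a module returns the same three lists; all three empty means the notification group and the definitions agree.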