Internet Engineering Task Force                              Tim Jenkins
IP Security Working Group                           TimeStep Corporation
Internet Draft                                        September 14, 1998

                               IPSec MIB

Status of this Memo

This document is a submission to the IETF Internet Protocol Security (IPSEC) Working Group. Comments are solicited and should be addressed to the working group mailing list (ipsec@tis.com) or to the editor.

This document is an Internet-Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".

To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Distribution of this memo is unlimited.

Copyright Notice

This document is a product of the IETF's IPSec Working Group. Copyright (C) The Internet Society (1998). All Rights Reserved.

IPSec Working Group                                             [Page 1]
Internet Draft                 IPSec MIB                   September, 98

Table of Contents

1. Revision History...............................................2
2. Introduction...................................................2
3. The SNMPv2 Network Management Framework........................3
3.1 Object Definitions............................................4
4. IPSec MIB Objects Architecture.................................4
4.1 IPSec Virtual Tunnels.........................................5
4.1.1 Transient Tunnels...........................................5
4.1.2 Permanent Tunnels...........................................5
4.2 IKE SA Tunnels................................................5
4.3 Phase 2 SA Tunnels............................................7
4.4 Phase 2 SAs...................................................7
4.5 IPSec MIB Traps...............................................8
4.6 IPSec Device MIB..............................................8
5. MIB Definitions................................................8
6. Security Considerations.......................................29
7. Acknowledgements..............................................30
8. References....................................................30
9. Editor's Address..............................................32

1. Revision History

This section will be removed before publication.

September 11, 1998: Initial internal release. Traps not yet defined in ASN.1 format. Device MIB not yet defined in ASN.1 format.

2. Introduction

This document defines monitoring and status MIBs for IPSec. It does not define MIBs that may be used for configuring IPSec implementations or for providing low-level diagnostic or debugging information. Those MIBs may be defined in later versions of this document or in other documents.

The purpose of the MIBs is to allow system administrators to determine operating conditions and perform system operational level monitoring of the IPSec portion of their network. Statistics are provided as well.

The IPSec MIB definitions use a virtual tunnel model, in which tunnels are either configured permanent tunnels or transient tunnels. The virtual tunnel model is used to allow the use of IPSec from a virtual private networking (VPN) point of view. This allows users of IPSec based products to get similar monitoring and statistical information from an IPSec based VPN as they would from a VPN based on other technologies, such as Frame Relay.

Finally, the objects defined perhaps represent a somewhat simplified view of security associations. This is done for the purposes of expediency and for simplification of presentation. Also, some information about SAs has been intentionally left out to reduce the security risk if SNMP traffic becomes compromised.

3. The SNMPv2 Network Management Framework

The SNMP Management Framework presently consists of five major components:

o An overall architecture, described in RFC 2271 [2271].

o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [1155], RFC 1212 [1212] and RFC 1215 [1215]. The second version, called SMIv2, is described in RFC 1902 [1902], RFC 1903 [1903] and RFC 1904 [1904].

o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [1157]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [1901] and RFC 1906 [1906]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [1906], RFC 2272 [2272] and RFC 2274 [2274].

o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [1157]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [1905].

o A set of fundamental applications described in RFC 2273 [2273] and the view-based access control mechanism described in RFC 2275 [2275].
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

3.1 Object Definitions

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type.

4. IPSec MIB Objects Architecture

The IPSec MIB provides information related to both phase 1 or Internet Key Exchange (IKE) security associations (SAs) and phase 2 (or IPSec) SAs. Configuration about the SAs is provided, as are statistics related to the SAs themselves.

Since one of the uses of IPSec implementations is to provide Virtual Private Network (VPN) services in place of other private network services such as leased lines or frame relay networks, there exists a need to provide the same type of monitoring capability. To support this, the concept of virtual tunnels is developed.
Additionally, the concept of transient and permanent tunnels is also developed.

It should be noted that the MIBs here are not extensions of the Tunnel MIB [IPTun] or the Interface Group MIB [IGMIB]. That approach was rejected for a number of reasons, including:

1) The types of parameters required for those MIBs are not appropriate for IPSec MIBs.

2) The virtual tunnels created by IPSec SAs are independent of other logical interfaces.

3) The tunnel end point definitions are not the same as those used by the tunnel MIB.

4.1 IPSec Virtual Tunnels

IPSec implementations effectively create tunnels that user traffic may pass through, performing various services on that traffic as it passes through the tunnel.

4.1.1 Transient Tunnels

Transient tunnels are made up of SAs that normally go up and down, such as those created by a dial-in client implementation. Additionally, these SAs are prone to being torn down in an impolite manner. As an example, system administrators typically do not want to have alarms going off when these SAs are torn down because an end user disconnected his or her modem before performing a normal dial-up networking shut down.

4.1.2 Permanent Tunnels

Permanent tunnels are made up of SAs that a system administrator considers of significant importance in a VPN implementation. These SAs would typically be from one IPSec gateway to another and be used as the link between two corporate networks. As such, the network administrator would want alarms to go off when one of these virtual tunnels goes down under any circumstances.

How implementations specify which tunnels are permanent versus transient is beyond the scope of this document.

To determine if a particular permanent tunnel is up, the value of 'ipsecTunnelCurrentSaNum' must be greater than 0.

4.2 IKE SA Tunnels

Phase 1 or IKE tunnels are defined as being made up of a series of phase 1 SAs that carry secured management traffic.
It is assumed that only one phase 1 SA can exist between any two peers. Therefore, there is no separate table of phase 1 SAs and phase 1 SA tunnels.

A tunnel can be considered to exist past the lifetime of a phase 1 SA if a subsequent phase 1 SA can be immediately formed between the same peers, and any phase 2 SAs created by previous phase 1 SAs are not deleted when the original phase 1 SA expires. Stated another way, successful re-keying of a phase 1 SA keeps a phase 1 tunnel alive, but only if all phase 2 SAs created are kept as well.

Phase 1 tunnels are uniquely identified by the IP addresses of the end points.

[Question: Should port number be added to this definition and to the MIB? If so, a responder port number change from 500 to a user port number should not create a new tunnel.]

IKE SAs are displayed as a table. It is assumed that there is only a single SA between end points. Therefore, the table consists of all active phase 1 SAs that are established between the local entity and other entities.

Each row of the table contains configuration information such as the encryption algorithm used, the key length, and the authentication algorithm used. Peer information, such as the peer ID, is also provided.

[Question: Should certificate information, such as subject name, issuer name and serial number also be part of the row, even though it is meaningless in pre-shared key mode?]

Phase 1 tunnels may be transient or permanent. The status column has no meaning for a transient phase 1 tunnel, since it indicates a tunnel that is up or down. A transient tunnel disappears from the table when it goes down; a permanent tunnel does not.

It is recommended that implementations place permanent SAs in the table before all transient SAs, and that the order of permanent SAs displayed in the table does not change.

Statistics are provided as well. There are three types of statistics provided.
These are the statistics associated with the current phase 1 SA between the peers, the aggregate statistics of phase 1 SA communications between the peers, and the aggregate statistics of all phase 2 SAs created by the phase 1 SA. These statistics are kept based on the assumption that information is passed forward when SAs are re-keyed. This allows network monitors to determine the total amount of protected traffic passed between two IPSec implementations.

Note that the cookies are not part of each row, to reduce the security risk if SNMP traffic becomes compromised. These can be added by augmenting the existing phase 1 SA table and phase 2 SA table.

4.3 Phase 2 SA Tunnels

Phase 2 or IPSec tunnels are defined as being made up of an arbitrary number of phase 2 or IPsec SAs with the same tunnel parameters. They may be transient or permanent. Functionally, this table is very similar to the IP Tunnel MIB; however, IPSec SA-based tunnels are not defined the same way as the tunnels in that MIB.

Phase 2 tunnels are uniquely identified by IPSec SA mode (transport or tunnel), the IP address ranges (which may be single IP addresses or subnets) at each end, the port number at each end and the protocol, as defined in [IPDOI]. Note that the protocol and port numbers may be wildcards.

Further, phase 2 tunnels must be considered different if the services they provide change. In other words, if an SA providing both compression and ESP is created for the above parameters where previous SAs provided only ESP, the new SA MUST be considered part of a different virtual tunnel than the previous SA.

Individual phase 2 SAs are presented in another table. This table contains aggregate information related to phase 2 SAs operating in the IPsec implementation. Each row of the table contains configuration information related to phase 2 SAs and aggregate statistics related to all of those SAs.
It does not contain information about specific phase 2 SAs. Each row in the table has a value which is an index to the row of the phase 1 SA table that created it, if the phase 2 SA is not a static SA.

If the tunnel is configured as permanent, its status can be determined by the number of phase 2 SAs currently active with it. If that number is zero, then the tunnel must be considered down. If that number is greater than 0, then the tunnel is considered up.

4.4 Phase 2 SAs

Individual phase 2 SAs appear in a third table. This table contains only the statistics for the individual SA and a value which is an index into the phase 2 SA tunnel table.

Bundled SAs are supported by having separate objects for each of ESP, AH and IPCOMP, under the assumption that no implementation will use any of those protocols more than once in the same SA bundle. Further, the expiration parameters specified refer to the minimum value of each security service if there is more than one in the bundle.

Note that the SPIs (CPIs for compression) are not part of each row, to reduce the security risk if SNMP traffic becomes compromised.

4.5 IPSec MIB Traps

Traps are provided to let system administrators know about the creation and deletion of SAs, errors related to the creation of SAs and operational errors that may indicate the presence of attacks on the system. Specifically, the following traps are provided:

o IKE SA Start
o IKE SA End
o IKE SA Negotiation Failure
o Invalid Cookie Problem
o IPSec SA Tunnel Start
o IPSec SA Tunnel End
o IPSec SA Negotiation Failure
o IPSec SA Authentication Failure
o IPSec SA Replay Failure
o Invalid SPI Problem

4.6 IPSec Device MIB

This MIB carries statistics global to the IPSec device. Statistics included are:

o The number of packets received with unknown SPIs (or CPIs).
o The number of general IKE protocol errors that occurred, including packets received with invalid cookies.
o The total number of phase 1 SAs established since boot time.
o The total number of phase 2 SAs established since boot time.

5. MIB Definitions

   IPSEC-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, Counter64,
       Integer32, IpAddress, mib-2, NOTIFICATION-TYPE
           FROM SNMPv2-SMI
       -- IpAddress is used by the peer and endpoint objects below
       TEXTUAL-CONVENTION, DateAndTime, TruthValue
           FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       snmpTraps
           FROM SNMPv2-MIB
       IANAifType
           FROM IANAifType-MIB;

   ipsecMIB MODULE-IDENTITY
       LAST-UPDATED "????"
       ORGANIZATION "IETF IPSec Working Group"
       CONTACT-INFO
           "    Tim Jenkins
                TimeStep Corporation
                362 Terry Fox Drive
                Kanata, ON
                K0A 2H0
                Canada
                613-599-3610
                tjenkins@timestep.com"
       DESCRIPTION
           "The MIB module to describe generic IPSec objects and
            transient and permanent virtual tunnels created by
            IPSec SAs."
       REVISION "????"
       DESCRIPTION
           "Initial revision."
       ::= { mib-2 ?? }

   ipsecMIBObjects OBJECT IDENTIFIER ::= { ipsecMIB 1 }

   ipsec OBJECT IDENTIFIER ::= { ipsecMIBObjects 1 }

   -- the IPSec IKE MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec's IKE SAs

   ipsecIkeSaTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsecIkeSaEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The (conceptual) table containing information on
            IPSec's IKE SAs."
       ::= { ipsec 1 }

   ipsecIkeSaEntry OBJECT-TYPE
       SYNTAX IpsecIkeSaEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (conceptual row) containing the information
            on a particular IKE SA."
       INDEX { ipsecIkeSaIndex }
       ::= { ipsecIkeSaTable 1 }

   IpsecIkeSaEntry ::= SEQUENCE {
       ipsecIkeSaIndex                  Integer32,

       -- security algorithm information
       ipsecIkeSaEncAlg                 INTEGER,
       ipsecIkeSaEncLeyLength           Integer32,
       ipsecIkeSaHashAlg                Integer32,
       ipsecIkeSaDifHelGroupDesc        Integer32,
       ipsecIkeSaDifHelGroupType        Integer32,
       ipsecIkeSaDifHelFieldSize        Integer32,
       ipsecIkeSaPRF                    Integer32,
       ipsecIkeSaPFS                    TruthValue,

       -- peer information
       ipsecIkeSaPeerIpAddress          IpAddress,
       ipsecIkeSaAuthMethod             Integer32,
       ipsecIkeSaPeerIdType             Integer32,
       ipsecIkeSaPeerId                 OCTET STRING,

       -- virtual link status
       ipsecIkeSaType                   INTEGER,
       ipsecIkeSaStatus                 INTEGER,

       -- expiration limits, current SA
       ipsecIkeSaTimeStart              DateAndTime,
       ipsecIkeSaTimeLimit              Counter32,
       ipsecIkeSaTrafficLimit           Counter32,

       -- current operating statistics
       ipsecIkeSaInboundTraffic         Counter64,   -- in bytes
       ipsecIkeSaOutboundTraffic        Counter64,   -- in bytes

       -- aggregate statistics
       ipsecIkeSaTotalSaNum             Counter32,
       ipsecIkeSaTotalTime              Counter32,
       ipsecIkeSaTotalInboundTraffic    Counter64,   -- in bytes
       ipsecIkeSaTotalOutboundTraffic   Counter64,   -- in bytes

       -- aggregate error statistics
       ipsecIkeSaDecryptErrors          Counter32,
       ipsecIkeSaHashErrors             Counter32,

       -- IPSec SA (Phase 2) statistics (aggregate)
       ipsecIkeSaIpsecInboundTraffic    Counter64,
       ipsecIkeSaIpsecOutboundTraffic   Counter64,

       -- IPSec SA (Phase 2) error statistics (aggregate)
       ipsecIkeSaIpsecDecryptErrors     Counter32,
       ipsecIkeSaIpsecAuthErrors        Counter32,
       ipsecIkeSaIpsecReplayErrors      Counter32
   }

   ipsecIkeSaIndex OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value, greater than zero, for each tunnel
            interface. It is recommended that values are assigned
            contiguously starting from 1. The value for each tunnel
            interface must remain constant at least from one
            re-initialization of the entity's network management
            system to the next re-initialization.
            Further, the value for tunnel interfaces that are marked
            as permanent must remain constant across all
            re-initializations of the network management system."
       ::= { ipsecIkeSaEntry 1 }

   ipsecIkeSaEncAlg OBJECT-TYPE
       SYNTAX INTEGER
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value representing the encryption algorithm
            applied to traffic carried by this SA, or 0 if there is
            no encryption applied. Specific values are used as
            described in the ISAKMP Class Values of Encryption
            Algorithms from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 2 }

   ipsecIkeSaEncLeyLength OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The length of the encryption key in bits used for the
            algorithm specified in the ipsecIkeSaEncAlg object, or
            0 if the key length is implicit in the specified
            algorithm or there is no encryption specified."
       ::= { ipsecIkeSaEntry 3 }

   ipsecIkeSaHashAlg OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value representing the hash algorithm applied
            to traffic carried by this SA, or 0 if there is no hash
            applied. Specific values are used as described in the
            ISAKMP Class Values of Hash Algorithms from Appendix A
            of [IKE]."
       ::= { ipsecIkeSaEntry 4 }

   ipsecIkeSaDifHelGroupDesc OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value representing the Diffie-Hellman group
            description used, or 0 if the group is unknown.
            Specific values are used as described in the ISAKMP
            Class Values of Group Description from Appendix A of
            [IKE]."
       ::= { ipsecIkeSaEntry 5 }

   ipsecIkeSaDifHelGroupType OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value representing the Diffie-Hellman group
            type used, or 0 if the group is unknown.
            Specific values are used as described in the ISAKMP
            Class Values of Group Type from Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 6 }

   ipsecIkeSaDifHelFieldSize OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The field size, in bits, of a Diffie-Hellman group."
       ::= { ipsecIkeSaEntry 7 }

   ipsecIkeSaPRF OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The pseudo-random function used, or 0 if not used or
            if unknown. Specific values are used as described in
            the ISAKMP Class Values of PRF from Appendix A of
            [IKE]."
       ::= { ipsecIkeSaEntry 8 }

   ipsecIkeSaPFS OBJECT-TYPE
       SYNTAX TruthValue
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A value that indicates that perfect forward secrecy is
            used for all protocol SAs created by this IKE SA."
       ::= { ipsecIkeSaEntry 9 }

   ipsecIkeSaPeerIpAddress OBJECT-TYPE
       SYNTAX IpAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The IP address of the peer that this SA was negotiated
            with, or 0 if unknown."
       ::= { ipsecIkeSaEntry 10 }

   ipsecIkeSaAuthMethod OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The authentication method used to authenticate the
            peers. Note that this does not include the specific
            method of authentication if extended authentication is
            used. Specific values are used as described in the
            ISAKMP Class Values of Authentication Method from
            Appendix A of [IKE]."
       ::= { ipsecIkeSaEntry 11 }

   ipsecIkeSaPeerIdType OBJECT-TYPE
       SYNTAX Integer32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The type of ID used by the peer. Specific values are
            used as described in Section 4.6.2.1 of [IPDOI]."
       ::= { ipsecIkeSaEntry 12 }

   ipsecIkeSaPeerId OBJECT-TYPE
       SYNTAX OCTET STRING (SIZE (0..511))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The ID of the peer this SA was negotiated with.
            The length may require truncation under some
            conditions."
       ::= { ipsecIkeSaEntry 13 }

   ipsecIkeSaType OBJECT-TYPE
       SYNTAX INTEGER {
           transient(1),
           permanent(2)
       }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The type of virtual tunnel represented by this row. A
            transient link will disappear from the table when the
            SAs needed for it cannot be established. A permanent
            link will show its status in the ipsecIkeSaStatus
            object."
       ::= { ipsecIkeSaEntry 14 }

   ipsecIkeSaStatus OBJECT-TYPE
       SYNTAX INTEGER {
           never_tried(0),
           link_up(1),
           link_down(2)
       }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The status of the virtual tunnel represented by this
            row, if the tunnel is configured as permanent.
            never_tried means that no attempt to set up the link
            has been made. link_up means that the link is up and
            operating normally. link_down means that the link was
            up, but has gone down."
       ::= { ipsecIkeSaEntry 15 }

   ipsecIkeSaTimeStart OBJECT-TYPE
       SYNTAX DateAndTime
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The date and time that the current SA within the link
            was set up. It is not the date and time that the
            virtual tunnel was set up."
       ::= { ipsecIkeSaEntry 16 }

   ipsecIkeSaTimeLimit OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The maximum lifetime in seconds of the current SA
            supporting the virtual tunnel, or 0 if there is no time
            constraint on its expiration."
       ::= { ipsecIkeSaEntry 17 }

   ipsecIkeSaTrafficLimit OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The maximum traffic in 1024-byte blocks that the
            current SA supporting the virtual tunnel is allowed to
            carry, or 0 if there is no traffic constraint on its
            expiration."
       ::= { ipsecIkeSaEntry 18 }

   ipsecIkeSaInboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The amount of traffic, measured in bytes, handled in
            the current SA in the inbound direction."
       ::= { ipsecIkeSaEntry 19 }

   ipsecIkeSaOutboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The amount of traffic, measured in bytes, handled in
            the current SA in the outbound direction."
       ::= { ipsecIkeSaEntry 20 }

   ipsecIkeSaTotalSaNum OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of SAs, including the current SA,
            that have been set up to support this virtual tunnel."
       ::= { ipsecIkeSaEntry 21 }

   ipsecIkeSaTotalTime OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total time in minutes that this virtual tunnel has
            been up. If this is a permanent virtual tunnel, it is
            reset to zero when the tunnel goes to the link_up
            state."
       ::= { ipsecIkeSaEntry 22 }

   ipsecIkeSaTotalInboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total amount of traffic, measured in bytes, handled
            in the tunnel in the inbound direction. In other words,
            it is the aggregate value of all inbound traffic carried
            by all SAs ever set up to support the virtual tunnel.
            If this is a permanent virtual tunnel, it is not reset
            to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 23 }

   ipsecIkeSaTotalOutboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total amount of traffic, measured in bytes, handled
            in the tunnel in the outbound direction. In other words,
            it is the aggregate value of all outbound traffic
            carried by all SAs ever set up to support the virtual
            tunnel.
            If this is a permanent virtual tunnel, it is not reset
            to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 24 }

   ipsecIkeSaDecryptErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets to this SA
            discarded due to decryption errors. Note that this
            refers to IKE protocol packets, and not to packets
            carried by SAs set up by the SAs supporting this tunnel.
            If this is a permanent virtual tunnel, it is not reset
            to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 25 }

   ipsecIkeSaHashErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets to this SA
            discarded due to hash errors. Note that this refers to
            IKE protocol packets, and not to packets carried by SAs
            set up by the SAs supporting this tunnel.
            If this is a permanent virtual tunnel, it is not reset
            to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 26 }

   ipsecIkeSaIpsecInboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total amount of inbound traffic, measured in bytes,
            handled by all protocol SAs set up by phase 1 SAs
            supporting this tunnel. If this is a permanent virtual
            tunnel, it is not reset to zero when the tunnel goes to
            the link_up state."
       ::= { ipsecIkeSaEntry 27 }

   ipsecIkeSaIpsecOutboundTraffic OBJECT-TYPE
       SYNTAX Counter64
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total amount of outbound traffic, measured in
            bytes, handled by all protocol SAs set up by phase 1
            SAs supporting this tunnel. If this is a permanent
            virtual tunnel, it is not reset to zero when the tunnel
            goes to the link_up state."
       ::= { ipsecIkeSaEntry 28 }

   ipsecIkeSaIpsecDecryptErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by all
            protocol SAs due to decryption errors. If this is a
            permanent virtual tunnel, it is not reset to zero when
            the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 29 }

   ipsecIkeSaIpsecAuthErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by all
            protocol SAs due to authentication errors. This
            includes hash failures in IPSec SAs using ESP and AH.
            If this is a permanent virtual tunnel, it is not reset
            to zero when the tunnel goes to the link_up state."
       ::= { ipsecIkeSaEntry 30 }

   ipsecIkeSaIpsecReplayErrors OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The total number of inbound packets discarded by all
            protocol SAs due to replay errors. If this is a
            permanent virtual tunnel, it is not reset to zero when
            the tunnel goes to the link_up state."
       -- sub-identifier 31: the previous object already uses 30
       ::= { ipsecIkeSaEntry 31 }

   -- the IPSec Tunnel MIB-Group
   --
   -- a collection of objects providing information about
   -- IPSec SA-based Tunnels

   ipsecTunnelIfTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsecTunnelIfEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The (conceptual) table containing information on
            IPSec SA-based tunnels."
       ::= { ipsec 2 }

   ipsecTunnelIfEntry OBJECT-TYPE
       SYNTAX IpsecTunnelIfEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (conceptual row) containing the information
            on a particular configured tunnel."
       INDEX { ipsecTunnelIfIndex }
       ::= { ipsecTunnelIfTable 1 }

   IpsecTunnelIfEntry ::= SEQUENCE {
       ipsecTunnelIfIndex                    Integer32,
       ipsecTunnelIkeSa                      Integer32,   -- if not static
       ipsecTunnelType                       INTEGER,     -- static, transient, permanent

       -- tunnel identifiers
       ipsecTunnelIfLocalAddressOrStart      IpAddress,
       ipsecTunnelIfLocalAddressMaskOrEnd    IpAddress,
       ipsecTunnelIfRemoteAddressOrStart     IpAddress,
       ipsecTunnelIfRemoteAddressMaskOrEnd   IpAddress,
       ipsecTunnelIfProtocol                 Integer32,
       ipsecTunnelIfLocalPort                Integer32,
       ipsecTunnelIfRemotePort               Integer32,

       -- tunnel security
       ipsecTunnelMode                       INTEGER,
       ipsecTunnelEspEncAlg                  Integer32,
       ipsecTunnelEspEncLeyLength            Integer32,
       ipsecTunnelEspAuthAlg                 Integer32,
       ipsecTunnelAhAuthAlg                  Integer32,
       ipsecTunnelCompAlg                    Integer32,

       -- aggregate statistics
       ipsecTunnelCurrentSaNum               Gauge32,     -- matches the object's SYNTAX
       ipsecTunnelTotalSaNum                 Counter32,
       ipsecTunnelTotalTimeUp                Counter32,
       ipsecTunnelTotalInboundTraffic        Counter64,
       ipsecTunnelTotalOutboundTraffic       Counter64,

       -- aggregate error statistics
       ipsecTunnelDecryptErrors              Counter32,
       ipsecTunnelAuthErrors                 Counter32,
       ipsecTunnelReplayErrors               Counter32
   }

   ipsecTunnelIfIndex OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "A unique value, greater than zero, for each tunnel
            interface. It is recommended that values are assigned
            contiguously starting from 1. The value for each tunnel
            interface must remain constant at least from one
            re-initialization of the entity's network management
            system to the next re-initialization. Further, the
            value for tunnel interfaces that are marked as permanent
            must remain constant across all re-initializations of
            the network management system."
       ::= { ipsecTunnelIfEntry 1 }

   ipsecTunnelIkeSa OBJECT-TYPE
       SYNTAX Integer32 (0..2147483647)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the index into the IKE SA tunnel table
            that created this tunnel (ipsecIkeSaIndex), or 0 if the
            tunnel is created by a static IPSec SA."
       ::= { ipsecTunnelIfEntry 2 }

   ipsecTunnelType OBJECT-TYPE
       SYNTAX INTEGER {
           static(0),
           transient(1),
           permanent(2)
       }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The type of the virtual tunnel represented by this row.
            static means that the tunnel is supported by a single
            static IPSec SA that was set up by configuration, and
            not by using a key exchange protocol. In this case, the
            value of ipsecTunnelIkeSa must be 0."
       ::= { ipsecTunnelIfEntry 3 }

   -- columnar objects are registered under the row (ipsecTunnelIfEntry),
   -- as the first three columns above are

   ipsecTunnelIfLocalAddressOrStart OBJECT-TYPE
       SYNTAX IpAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The address of, or the start address (if an address
            range) of, the local endpoint of the tunnel, or 0.0.0.0
            if unknown or transport mode."
       ::= { ipsecTunnelIfEntry 4 }

   ipsecTunnelIfLocalAddressMaskOrEnd OBJECT-TYPE
       SYNTAX IpAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The mask of, or the end address (if an address range)
            of, the local endpoint of the tunnel, or 0.0.0.0 if
            unknown or transport mode."
       ::= { ipsecTunnelIfEntry 5 }

   ipsecTunnelIfRemoteAddressOrStart OBJECT-TYPE
       SYNTAX IpAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The address of, or the start address (if an address
            range) of, the remote endpoint of the tunnel, or
            0.0.0.0 if unknown or transport mode."
       ::= { ipsecTunnelIfEntry 6 }

   ipsecTunnelIfRemoteAddressMaskOrEnd OBJECT-TYPE
       SYNTAX IpAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The mask of, or the end address (if an address range)
            of, the remote endpoint of the tunnel, or 0.0.0.0 if
            unknown or transport mode."
        ::= { ipsecTunnelIfEntry 7 }

    ipsecTunnelIfProtocol OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of the protocol that this tunnel carries, or
            0 if it carries any protocol."
        ::= { ipsecTunnelIfEntry 8 }

    ipsecTunnelIfLocalPort OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of the local port that this tunnel carries,
            or 0 if it carries any port number."
        ::= { ipsecTunnelIfEntry 9 }

    ipsecTunnelIfRemotePort OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of the remote port that this tunnel carries,
            or 0 if it carries any port number."
        ::= { ipsecTunnelIfEntry 10 }

    ipsecTunnelMode OBJECT-TYPE
        SYNTAX      INTEGER {
                        transport(1),
                        tunnel(2)
                    }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of encapsulation used by this tunnel."
        ::= { ipsecTunnelIfEntry 11 }

    ipsecTunnelEspEncAlg OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the encryption algorithm
            applied to traffic carried by this SA if it uses ESP, or
            0 if there is no encryption applied by ESP or if ESP is
            not used. Specific values are taken from section 4.4.4
            of [IPDOI]."
        ::= { ipsecTunnelIfEntry 12 }

    ipsecTunnelEspEncLeyLength OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The length of the encryption key in bits used for the
            algorithm specified in the ipsecTunnelEspEncAlg object,
            or 0 if the key length is implicit in the specified
            algorithm or there is no encryption specified."
        ::= { ipsecTunnelIfEntry 13 }

    ipsecTunnelEspAuthAlg OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this SA if it uses ESP, or 0 if
            there is no authentication applied by ESP or if ESP is
            not used.
            Specific values are taken from the Authentication
            Algorithm attribute values of Section 4.5 of [IPDOI]."
        ::= { ipsecTunnelIfEntry 14 }

    ipsecTunnelAhAuthAlg OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the hash algorithm applied
            to traffic carried by this SA if it uses AH, or 0 if AH
            is not used. Specific values are taken from Section
            4.4.3 of [IPDOI]."
        ::= { ipsecTunnelIfEntry 15 }

    ipsecTunnelCompAlg OBJECT-TYPE
        SYNTAX      Integer32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value representing the compression algorithm
            applied to traffic carried by this SA if it uses IPCOMP.
            Specific values are taken from Section 4.4.5 of [IPDOI]."
        ::= { ipsecTunnelIfEntry 16 }

    ipsecTunnelCurrentSaNum OBJECT-TYPE
        SYNTAX      Gauge32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of current SAs set up to support this
            virtual tunnel."
        ::= { ipsecTunnelIfEntry 17 }

    ipsecTunnelTotalSaNum OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of SAs, including all current SAs,
            that have been set up to support this virtual tunnel."
        ::= { ipsecTunnelIfEntry 18 }

    ipsecTunnelTotalTimeUp OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total time in minutes that this virtual tunnel has
            been up. If this is a permanent virtual tunnel, it is
            reset to zero when the number of current SAs
            (ipsecTunnelCurrentSaNum) changes from 0 to 1."
        ::= { ipsecTunnelIfEntry 19 }

    ipsecTunnelTotalInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of traffic, measured in bytes, handled
            in the tunnel in the inbound direction. In other words,
            it is the aggregate value of all inbound traffic carried
            by all protocol SAs ever set up to support the virtual
            tunnel.
            If this is a permanent virtual tunnel, it is not reset
            to zero when the number of current SAs
            (ipsecTunnelCurrentSaNum) changes from 0 to 1."
        ::= { ipsecTunnelIfEntry 20 }

    ipsecTunnelTotalOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total amount of traffic, measured in bytes, handled
            in the tunnel in the outbound direction. In other words,
            it is the aggregate value of all outbound traffic carried
            by all protocol SAs ever set up to support the virtual
            tunnel. If this is a permanent virtual tunnel, it is not
            reset to zero when the number of current SAs
            (ipsecTunnelCurrentSaNum) changes from 0 to 1."
        ::= { ipsecTunnelIfEntry 21 }

    ipsecTunnelDecryptErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to decryption errors in ESP. If this
            is a permanent virtual tunnel, it is not reset to zero
            when the number of current SAs (ipsecTunnelCurrentSaNum)
            changes from 0 to 1."
        ::= { ipsecTunnelIfEntry 22 }

    ipsecTunnelAuthErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to authentication errors. This
            includes hash failures in IPSec SA bundles using both
            ESP and AH. If this is a permanent virtual tunnel, it is
            not reset to zero when the number of current SAs
            (ipsecTunnelCurrentSaNum) changes from 0 to 1."
        ::= { ipsecTunnelIfEntry 23 }

    ipsecTunnelReplayErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The total number of inbound packets discarded by this
            virtual tunnel due to replay errors. This includes
            replay failures in IPSec SA bundles using both ESP and
            AH. If this is a permanent virtual tunnel, it is not
            reset to zero when the number of current SAs
            (ipsecTunnelCurrentSaNum) changes from 0 to 1."
        ::= { ipsecTunnelIfEntry 24 }

    -- the IPSec SA MIB-Group
    --
    -- a collection of objects providing information about
    -- IPSec SAs

    ipsecSaTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IpsecSaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The (conceptual) table containing information on IPSec
            SAs."
        ::= { ipsec 3 }

    ipsecSaEntry OBJECT-TYPE
        SYNTAX      IpsecSaEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry (conceptual row) containing the information on
            a particular IPSec SA."
        INDEX   { ipsecSaIndex }
        ::= { ipsecSaTable 1 }

    IpsecSaEntry ::= SEQUENCE {
        ipsecSaIndex            Integer32,
        ipsecSaTunnel           Integer32,  -- index from ipsecTunnelIfTable
        -- expiration limits
        ipsecSaCreationTime     DateAndTime,
        ipsecSaTimeLimit        Counter32,  -- seconds, 0 if none
        ipsecSaTrafficLimit     Counter32,  -- 1024-byte blocks, 0 if none
        -- current operating statistics
        ipsecSaInboundTraffic   Counter64,
        ipsecSaOutboundTraffic  Counter64,
        -- error statistics
        ipsecSaDecryptErrors    Counter32,
        ipsecSaAuthErrors       Counter32,
        ipsecSaReplayErrors     Counter32
    }

    ipsecSaIndex OBJECT-TYPE
        SYNTAX      Integer32 (1..2147483647)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A unique value, greater than zero, for each IPSec SA.
            It is recommended that values are assigned contiguously
            starting from 1."
        ::= { ipsecSaEntry 1 }

    ipsecSaTunnel OBJECT-TYPE
        SYNTAX      Integer32 (1..2147483647)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of the index into the IPSec SA tunnel table
            that this SA supports (ipsecTunnelIfIndex)."
        ::= { ipsecSaEntry 2 }

    ipsecSaCreationTime OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The date and time that the current SA was set up."
        ::= { ipsecSaEntry 3 }

    ipsecSaTimeLimit OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum lifetime in seconds of the SA, or 0 if
            there is no time constraint on its expiration."
        ::= { ipsecSaEntry 4 }

    ipsecSaTrafficLimit OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The maximum traffic in 1024-byte blocks that the SA is
            allowed to support, or 0 if there is no traffic
            constraint on its expiration."
        ::= { ipsecSaEntry 5 }

    ipsecSaInboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic, measured in bytes, handled in
            the SA in the inbound direction."
        ::= { ipsecSaEntry 6 }

    ipsecSaOutboundTraffic OBJECT-TYPE
        SYNTAX      Counter64
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of traffic, measured in bytes, handled in
            the SA in the outbound direction."
        ::= { ipsecSaEntry 7 }

    ipsecSaDecryptErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the SA due
            to decryption errors."
        ::= { ipsecSaEntry 8 }

    ipsecSaAuthErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the SA due
            to authentication errors. This includes hash failures
            in both ESP and AH."
        ::= { ipsecSaEntry 9 }

    ipsecSaReplayErrors OBJECT-TYPE
        SYNTAX      Counter32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of inbound packets discarded by the SA due
            to replay errors. This includes replay failures in both
            ESP and AH."
        ::= { ipsecSaEntry 10 }

END

6. Security Considerations

This MIB contains readable objects whose values provide information related to IPSec virtual tunnels. There are no objects with MAX-ACCESS clauses of read-write or read-create.
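The following Python script is an added example and is not part of this draft or of any implementation of it. It shows how a management station would consume the ipsecTunnelIfTable and ipsecSaTable objects defined above: decoding the DateAndTime textual convention of [1903] used by ipsecSaCreationTime, computing how much of an SA's time and traffic lifetime remains, taking wrap-safe differences of the Counter32 error objects between two polls, and checking the invariants that the DESCRIPTION clauses state (a static tunnel reports ipsecTunnelIkeSa = 0; ipsecTunnelCurrentSaNum matches the number of SA rows whose ipsecSaTunnel names the tunnel). Rows are plain dicts keyed by the draft's object names, every value in them is a constructed sample, and treating an 8-octet DateAndTime (no UTC offset present) as UTC is an assumption of this example.

```python
"""Manager-side consumer of the draft's ipsecTunnelIfTable and ipsecSaTable.
Added example, not part of the draft: rows are dicts keyed by the draft's
object names, and all values below are constructed samples."""
from datetime import datetime, timedelta, timezone

# ipsecTunnelType enumeration from the draft.
TUNNEL_STATIC, TUNNEL_TRANSIENT, TUNNEL_PERMANENT = 0, 1, 2
ERROR_COUNTERS = ("ipsecTunnelDecryptErrors", "ipsecTunnelAuthErrors",
                  "ipsecTunnelReplayErrors")


def decode_date_and_time(octets: bytes) -> datetime:
    """Decode the DateAndTime textual convention ([1903]): year (2 octets,
    big-endian), month, day, hour, minute, second, deciseconds, optionally
    followed by UTC direction ('+'/'-'), hours and minutes from UTC.
    Assumption: an 8-octet value (no offset given) is treated as UTC."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets")
    year = (octets[0] << 8) | octets[1]
    month, day, hour, minute, second, decisec = octets[2:8]
    tz = timezone.utc
    if len(octets) == 11:
        sign = -1 if octets[8] == ord("-") else 1
        tz = timezone(sign * timedelta(hours=octets[9], minutes=octets[10]))
    return datetime(year, month, day, hour, minute, second,
                    decisec * 100_000, tzinfo=tz)


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Growth of a Counter32/Counter64 between two polls, tolerating one wrap
    (counters only increase, modulo 2^bits)."""
    return (cur - prev) % (1 << bits)


def error_deltas(prev_row: dict, cur_row: dict) -> dict:
    """Per-tunnel growth of the three aggregate error counters between two
    polls; sustained growth of the auth or replay counters is what an
    operator would alert on."""
    return {name: counter_delta(prev_row[name], cur_row[name])
            for name in ERROR_COUNTERS}


def sa_remaining(sa: dict, now: datetime) -> dict:
    """Remaining lifetime of an ipsecSaTable row: ipsecSaTimeLimit is in
    seconds, ipsecSaTrafficLimit in 1024-byte blocks (0 = no limit), and
    traffic is compared against the two byte counters."""
    out = {"seconds_left": None, "bytes_left": None}
    if sa["ipsecSaTimeLimit"]:
        expiry = (decode_date_and_time(sa["ipsecSaCreationTime"])
                  + timedelta(seconds=sa["ipsecSaTimeLimit"]))
        out["seconds_left"] = int((expiry - now).total_seconds())
    if sa["ipsecSaTrafficLimit"]:
        used = sa["ipsecSaInboundTraffic"] + sa["ipsecSaOutboundTraffic"]
        out["bytes_left"] = sa["ipsecSaTrafficLimit"] * 1024 - used
    return out


def check_tables(tunnels: list, sas: list) -> list:
    """Consistency checks implied by the draft's DESCRIPTION text. Returns a
    list of findings (empty when the two tables agree)."""
    findings = []
    by_index = {t["ipsecTunnelIfIndex"]: t for t in tunnels}
    rows_per_tunnel = {}
    for sa in sas:
        tid = sa["ipsecSaTunnel"]
        rows_per_tunnel[tid] = rows_per_tunnel.get(tid, 0) + 1
        if tid not in by_index:
            findings.append(f"SA {sa['ipsecSaIndex']} references unknown tunnel {tid}")
    for idx, t in by_index.items():
        if t["ipsecTunnelType"] == TUNNEL_STATIC and t["ipsecTunnelIkeSa"] != 0:
            findings.append(f"tunnel {idx} is static but ipsecTunnelIkeSa is "
                            f"{t['ipsecTunnelIkeSa']}")
        seen = rows_per_tunnel.get(idx, 0)
        if t["ipsecTunnelCurrentSaNum"] != seen:
            findings.append(f"tunnel {idx} reports {t['ipsecTunnelCurrentSaNum']} "
                            f"current SAs but {seen} SA rows support it")
    return findings


# Constructed sample rows: tunnel 2 deliberately violates both invariants,
# and tunnel 1's auth-error counter is about to wrap at 2^32.
TUNNELS = [
    {"ipsecTunnelIfIndex": 1, "ipsecTunnelIkeSa": 7, "ipsecTunnelType": TUNNEL_PERMANENT,
     "ipsecTunnelCurrentSaNum": 2, "ipsecTunnelDecryptErrors": 0,
     "ipsecTunnelAuthErrors": 4294967290, "ipsecTunnelReplayErrors": 12},
    {"ipsecTunnelIfIndex": 2, "ipsecTunnelIkeSa": 3, "ipsecTunnelType": TUNNEL_STATIC,
     "ipsecTunnelCurrentSaNum": 1, "ipsecTunnelDecryptErrors": 0,
     "ipsecTunnelAuthErrors": 0, "ipsecTunnelReplayErrors": 0},
]
# DateAndTime octets for 1998-09-14 12:00:00 +00:00 (0x07CE = 1998) and 12:30.
CREATED = bytes([0x07, 0xCE, 9, 14, 12, 0, 0, 0, ord("+"), 0, 0])
NOW = decode_date_and_time(bytes([0x07, 0xCE, 9, 14, 12, 30, 0, 0, ord("+"), 0, 0]))
SAS = [
    {"ipsecSaIndex": 1, "ipsecSaTunnel": 1, "ipsecSaCreationTime": CREATED,
     "ipsecSaTimeLimit": 3600, "ipsecSaTrafficLimit": 1000,
     "ipsecSaInboundTraffic": 400_000, "ipsecSaOutboundTraffic": 500_000},
    {"ipsecSaIndex": 2, "ipsecSaTunnel": 1, "ipsecSaCreationTime": CREATED,
     "ipsecSaTimeLimit": 0, "ipsecSaTrafficLimit": 0,
     "ipsecSaInboundTraffic": 10, "ipsecSaOutboundTraffic": 20},
]
# Second poll of tunnel 1 after the auth counter wrapped (constructed).
NEXT_POLL = dict(TUNNELS[0], ipsecTunnelAuthErrors=10, ipsecTunnelReplayErrors=40)

if __name__ == "__main__":
    for finding in check_tables(TUNNELS, SAS):
        print("finding:", finding)
    print("SA 1 remaining:", sa_remaining(SAS[0], NOW))
    print("tunnel 1 error growth:", error_deltas(TUNNELS[0], NEXT_POLL))
```

The wrap handling matters because the per-tunnel error objects are Counter32 while the traffic objects are Counter64: a manager that simply subtracts successive samples of ipsecTunnelAuthErrors will report a huge negative value after 2^32 discards, which is exactly when the counter is most interesting. The invariant checks give an operator a cheap way to notice an agent whose tunnel and SA tables have drifted apart.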
While unauthorized access to the readable objects is relatively innocuous, unauthorized access to those objects through an insecure channel can provide attackers with more information about a system than an administrator may desire.

7. Acknowledgements

Portions of this document are based on "IP Security Management Information Base" by R. Thayer and U. Blumenthal, hence this document's numbering starting at one. Additionally, thanks are extended to Gabriella Dinescu for assistance in the preparation of the MIB structures.

8. References

[IPDOI]  Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", draft-ietf-ipsec-ipsec-doi-10.txt, work in progress.

[IKE]    Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", draft-ietf-ipsec-isakmp-oakley-08.txt, work in progress.

[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", draft-ietf-ipsec-isakmp-10.{ps,txt}, work in progress.

[IPTun]  Thaler, D., "IP Tunnel MIB", draft-ietf-ifmib-tunnel-mib-02.txt, work in progress.

[IGMIB]  McCloghrie, K., and F. Kastenholz, "The Interfaces Group MIB using SMIv2", RFC 2233.

[1902]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996.

[2271]   Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, January 1998.

[1155]   Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", RFC 1155, May 1990.

[1212]   Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, March 1991.

[1215]   Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[1903]   SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, January 1996.

[1904]   SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, January 1996.

[1157]   Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1157, May 1990.

[1901]   SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

[1906]   SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

[2272]   Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, January 1998.

[2274]   Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, January 1998.

[1905]   SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

[2273]   Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2273, January 1998.

[2275]   Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, January 1998.

9.
Editor's Address

Tim Jenkins
tjenkins@timestep.com
TimeStep Corporation
362 Terry Fox Drive
Kanata, ON
Canada K2K 2P5
+1 (613) 599-3610

The IPSec working group can be contacted via the IPSec working group's mailing list (ipsec@tis.com) or through its chairs:

Robert Moskowitz
rgm@icsa.net
International Computer Security Association

Theodore Y. Ts'o
tytso@MIT.EDU
Massachusetts Institute of Technology